LDAP auth with short usernames?

I’m trying to authenticate some third-party services against 10.7 Server's LDAP directory. The current project is a Synology NAS, with OpenVPN and Jenkins on the docket. My server’s search base is of the form “dc=subdomain,dc=domain,dc=com”, and the LDAP usernames are populating as [email protected]
Authentication succeeds using this verbose username, but I would really, really prefer to use “jblow”, or worst-case, [email protected] as usernames for these various services, to match the style of logging into native services like AFP and the wiki. Is there any way to accomplish this?
Thanks very much.

I have not tried this with Lion Server but have in the past done LDAP authentication using a shortname (in fact I could not get fullnames or anything else to work). However the 'path' was different and I suspect this is your problem. I believe the correct sort of path would be like
uid=shortname,cn=users,dc=hostname,dc=domain,dc=com or
uid=shortname,cn=users,dc=hostname,dc=subdomain,dc=domain,dc=com
so a filled in entry might look like
uid=fred,cn=users,dc=server,dc=example,dc=com
Note the above is referred to as a DN (directory name).
You can test this in Terminal using the ldapsearch command.
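The DN pattern from the answer above, as an added example that is not part of the original post: it builds the bind DN and a lookup filter from a short name with RFC 4514/4515 escaping, and assembles an `ldapsearch` command line for testing the bind. The `cn=users` container and the `server.example.com` host follow the answer's sample DN; the function names are hypothetical.

```python
"""Added example: derive a bind DN and search filter from a short login name.

Assumptions (not from the original thread): users sit directly under
cn=users and the search base mirrors the server's DNS name, as in the
answer's sample DN. All function names here are hypothetical.
"""
import re
import shlex

_LABEL = re.compile(r"[A-Za-z0-9-]+")


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def base_dn(fqdn):
    """Turn server.example.com into dc=server,dc=example,dc=com."""
    labels = fqdn.strip(".").split(".")
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError("not a DNS label: %r" % label)
    return ",".join("dc=" + label for label in labels)


def user_dn(shortname, fqdn, container="cn=users"):
    """Build uid=<shortname>,cn=users,dc=... with the short name escaped."""
    if not shortname:
        raise ValueError("empty short name")
    return "uid=%s,%s,%s" % (escape_rdn_value(shortname), container, base_dn(fqdn))


def uid_filter(shortname):
    """Filter that matches exactly one uid, whatever characters it contains."""
    return "(uid=%s)" % escape_filter_value(shortname)


def ldapsearch_argv(shortname, fqdn):
    """Simple-bind test as the user; -W prompts for the password."""
    return ["ldapsearch", "-x", "-H", "ldap://" + fqdn,
            "-D", user_dn(shortname, fqdn), "-W",
            "-b", base_dn(fqdn), uid_filter(shortname), "dn"]


if __name__ == "__main__":
    # Constructed inputs: one plain name and two that contain DN/filter syntax.
    for name in ("fred", "fred,cn=admins", "*)(uid=*"):
        print(user_dn(name, "server.example.com"))
        argv = ldapsearch_argv(name, "server.example.com")
        print(" ".join(shlex.quote(a) for a in argv))
```

A service that accepts short names and expands them to a DN this way keeps characters such as `,` or `*` typed into the login field inside the `uid` value.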

Similar Messages

  • Sgd + ldap auth + ssh and numeric usernames

    Hi there, sorry if there is a well known answer to my problem, but I have not found it.
    Anyway, we have a problem where our customer wants to use purely numeric usernames to log in to Secure Global Desktop.
    From the point of Secure Global Desktop we don't have any problems with this; the problem happens later on with the ssh to Solaris (which is set up with LDAP authentication) in that I have not been able to get purely numerical logins to work with Solaris pam_ldap. Now some of you think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
    My question is simple: can SGD use a "different" username taken from LDAP after it has logged in the user instead of the username that the user provided?
    ex.
    the user logs in to SGD with the username 173651
    when starting the application, instead of logging in to the application server (via ssh) with username 173651 it should take another field from LDAP that holds the Solaris username.
    thanks for any answers and hints.

    Sorry, but you misunderstood my question a bit :-)
    What you suggest is a way for the users to type in another username after logging in to Secure Global Desktop; that is now what we want.
    We want this to be done automatically for us.
    First, we have changed a bit how the login procedure works: when the user surfs to the SGD server they will not be presented with any choices, they will be presented with a single login screen, and when they have logged in SGD will automatically start our application.
    The problem we have is that we want to use only digits as the login name in SGD, but unfortunately Solaris has some problems with using digits alone in usernames (and especially usernames longer than 8 characters),
    so I was hoping that SGD could read from LDAP (we are using the LDAP user store, not UNIX) another value that it would use to log in to the app server through SSH.
    For example, when logging in to SGD it logs in against the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
    If this cannot be done in Secure Global Desktop, I think we will look at using a third party authenticator that can do what we want (hopefully OpenSSO can do this).

  • Solaris 10 sshd + GSSAPI auth appears to fail with long usernames.

    Solaris 10 sshd using GSSAPI mode appears to fail with long usernames.
    We have recently jumbo-patched solaris 10 server and windows 2k3 kerberos kdc. We wish to provide the single sign on thing for our Windows users, as written up in http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html
    Everything is fine, until a user with a ten character username comes along. The ten character username does not get the single sign on experience
    However, he can kinit fine on Solaris 10 server and also on other unix clients.
    If I switch from the stock solaris 10 sshd to a self-compiled OpenSSH linked against MIT Kerberos, the 10 char username gets single-sign-on and all is well..
    I note I have no problem when the server is FreeBSD 6.2 and the client is stock solaris 10 ssh.
    It seems to be the Solaris 10 sshd only that is affected. Before I write up a bug report, has anyone else come across the same problem?

    I finally got it working. I think my problem was that I was copying and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
    There were unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
    http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
    Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
    http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
    for the pam.conf, got things working.
    Note: ensure that your user has the shadowAccount value set in the objectClass

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
    Also, you need to set up your client to use FQN as well (/etc/hosts).

  • LDAP Auth Error ccmuser web access

    Hi,
    I have a CUCM v9.1 with an issue for access to the ccmuser web page using the AD Credentials, I've configured the LDAP Auth in the CUCM with no error messages and also the web access for my users like this:
    When I access the site http://cucm_ip_add/ccmuser first I get this message:
    After that I try to log into to the web page but I get this error:
    I have no issues importing the users, the problem is with the authentication.
    I've checked the ldap port and I'm not using global catalog so the correct one is 389 (tried 3268 and I got an error message from the cucm ldap authentication config page).
    Any ideas guys??
    Thanks in advance.

    One common one is that CUCM treats the username field as case sensitive. Does it have any upper case characters? You can see this within /ccmadmin under End User Configuration.
    If that's not it, either a Wireshark of the LDAP bind or a stare/compare between your sync agreement and the auth config to see why one can get the user object but the other cannot bind as that person.

  • LDAP AD with SSO XI 31

    Hi everybody
    I'm trying to configure LDAP AD with Single Sign On, but in the BO documentation I can only find that this is possible with SiteMinder.
    Can somebody please tell me how to configure LDAP SSO with SiteMinder, and whether another way exists to do this without SiteMinder?
    Thanks.
    BO: XI 3.1
    SO: Windows Server 2003
    LDAP AD

    siteminder is a 3rd party app and configuration should be sought through their company's docs.
    If you have users that are authenticated with siteminder then we can auto log them into BO by either configuring the LDAP - siteminder plugin to the siteminder web agent. Requires 6x web agent running in 4x compatibility mode with a shared secret enabled.
    We can also pass the usernames using trusted authentication. requires the user parameter that siteminder uses to store the username (usually sm-user).
    If you plan to keep your CMS on Windows then SSO is a piece of cake and no 3rd party programs would be required. With the CMS on "nix" you will need to authenticate prior to accessing the BO system for any type of SSO. Honestly, SSO is not the right description in both cases above; it's trusted auth (passwords are never negotiated, just usernames passed).
    Regards,
    Tim

  • Native LDAP Auth in PT 5.0.3

    I am attempting to use Native LDAP Authentication with version 5.0.3. In 5.0.2 it worked just fine, but with 5.03., log in fails. The LDAP settings are correct as confirmed by the provider validation. What do these errors mean and how do I fix them? Thanks.
    Validate ProviderSuccessfully connected to the Authentication Source.
    Here are the errors from PTSpy:
    Error Auth Source Providers LDAPProviderAuth.cpp(285) *** ERROR *** CLDAPAuthSourceProvider::LDAPGetHandle: ldap_bind_s failed with error 0x31.
    Warn Auth Source Providers LDAPProviderAuth.cpp(1030) LDAP error 0x31 (#49) description: Invalid credentials
    Warn Plumtree.dll PTSession.cpp(378) *** COM exception caught *** Error info: IDispatch error #16898 (0x80044402): [Invalid password.] (378,PTSession.cpp)
    Warn Portal UI - Infrastructure com.plumtree.uiinfrastructure.login.LoginHelper.InternalAttemptLogin() Unable to log in user Intranet/bottt: The user name, password, or authentication source entered is not recognized. Re-enter your login information below. Passwords are case sensitive._com.plumtree.openfoundation.util.XPException_
        at com.plumtree.server.CIPTSession.Connect(String UserNameOrID, String Password, Object SecurityProviderInfo)
        at com.plumtree.portaluiinfrastructure.login.PTLoginHelper.internalLogin(String sUserName, String sPassword, String sLoginToken, Object token, Boolean bUseNumericConnect, Boolean bGuestLogin, ISessionManager subSession, IApplication application, String sRequestURL)
        at System.Environment.GetStackTrace(Exception e)
        at System.Environment.GetStackTrace(Exception e)
        at System.Environment.get_StackTrace()
        at com.plumtree.openfoundation.util.XPException.GetInstance(Exception e)
        at com.plumtree.portaluiinfrastructure.login.PTLoginHelper.internalLogin(String sUserName, String sPassword, String sLoginToken, Object token, Boolean bUseNumericConnect, Boolean bGuestLogin, ISessionManager subSession, IApplication application, String sRequestURL)
        at com.plumtree.portaluiinfrastructure.login.PTLoginHelper.AttemptLogin(String sUserName, String sPassword, Object token, Boolean bUseNumericConnect, ISessionManager subSession, IApplication application, String sRequestURL)
        at com.plumtree.uiinfrastructure.login.LoginHelper.InternalAttemptLogin(String strUserName, String strPassword, Object token, Boolean bUseNumericConnect, Boolean bGuestLogin, ISessionManager subSession, IApplication application, String strRequestURL, IXPRequest request, IWebData webData)
        at com.plumtree.uiinfrastructure.login.LoginHelper.AttemptLogin(String strUserName, String strPassword, Object token, Boolean bUseNumericConnect, ISessionManager subSession, IApplication application, String strRequestURL, IXPRequest request, IWebData webData)
        at com.plumtree.uiinfrastructure.login.LoginHelper.AttemptLogin(String strUserName, String strPassword, Object token, Boolean bUseNumericConnect, AActivitySpace asOwner, IXPRequest request, IWebData webData)
        at com.plumtree.portalpages.browsing.login.LoginModel.attemptLogin(IXPRequest request, IWebData webData)
        at com.plumtree.portalpages.browsing.login.LoginControl.CheckActionSecurityAndExecute(XPHashtable arguments)
        at com.plumtree.uiinfrastructure.activityspace.Interpreter.HandleRequest(IXPRequest request, IXPResponse response, ISessionManager session, IApplication application)
        at com.plumtree.uiinfrastructure.activityspace.Interpreter.DoService(IXPRequest request, IXPResponse response, ISessionManager session, IApplication application)
        at com.plumtree.uiinfrastructure.web.XPPage.Service(HttpRequest httpRequest, HttpResponse httpResponse, HttpSessionState httpSession, HttpApplicationState httpApplication)
        at com.plumtree.portaluiinfrastructure.activityspace.PlumHandler.ProcessRequest(HttpContext context)
        at System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
        at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
        at System.Web.HttpApplication.ResumeSteps(Exception error)
        at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
        at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
        at System.Web.HttpRuntime.ProcessRequest(HttpWorkerRequest wr)
        at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)

    Hey Jennifer,
    To clarify - there are two different security mode settings being discussed:
    Portal Security Mode - set in x_config.xml in your portal home directory, looks like this:
    <Security> <SecurityMode value="0"/></Security>
    This setting allows you to put your portal into HTTP, HTTPS, or SSL Accelerator modes.
    LDAP Authentication Source security mode - set in the LDAP Authentication Source Editor in the administrative hierarchy. This setting defines how the portal talks to your remote LDAP Server. If it is set to mode 1, we use the LDAP protocol. If set to 2, we use the LDAPS protocol, which uses TLS/SSL to encrypt communication between your LDAP Server and portal. This is a security measure that some customers require, while most don't use.
    The latter setting is no longer supported in 5.0.2 and on, we suggest that users that need SSL between their portal and LDAP server use the new LDAP AWS product that was released around the time of 5.0.3. The LDAP AWS uses Java and JNDI technology to interact with remote LDAP servers, whereas our native LDAP Authentication Source uses a Netscape library for communication with the remote LDAP server. This Netscape library has been found to be unstable and detrimental to Portal performance, hence it was de-supported when the LDAP AWS became available.
    Based on your message, I'm guessing you thought I meant the Netscape browser could not use portal security mode 2. There is no such bug, all portal security modes are supported as far as I know. Your project should work just fine, drop us a line if you have any problems.
    -Akash

  • Setting up LDAP realm with WLI 7

    Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7

    Pramit Basu <[email protected]> wrote:
    Any pointer to Step by step instruction on to how to set up LDAP realm
    for Access Control with Weblogic integration 7
    In order to use LDAP realm with WLI 7.0, you need to do the following steps:
    1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
    First, please backup your original config.xml file. Then, you can start configure
    the realms. You can do this by modifying the config.xml file, or through WLS console.
    After you have done this, your config.xml file should contain the following:
    <LDAPRealm AuthProtocol="none"
    Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
    GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
    GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
    LDAPURL="ldap://jpengdesk:389"
    Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
    UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
    UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
    --- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
    values are correct according to the groups and users stored on your LDAP server.
    In my example here, "beasys.com" is my root entry, and I have all the users created
    underneath of OU "People", and I have all the groups created in OU "Groups".
    <CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching Realm"/>
    --- You can do this in console by clicking on "Caching Realms", then click on
    the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
    select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
    <Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
    --- you can do this in console by clicking on "Compatibility Security", then click
    on the "Filerealm" tab, then, in the "Caching Realm" field, select "MyCaching Realm"
    from the pull down combo box.
    Please make sure all the names are related. See above example, the value in blue
    color should match, and the value in red color should match too.
    Please see the attached config.xml file for reference.
    2) Create the users in LDAP server. In my example, I simply created 3 users underneath
    of OU "People", they are:
    weblogic
    wlisystem
    admin
    "weblogic" is the user I used as my system administrator user, which
    I used to boot my WLS server and access my WLS console.
    "wlisystem" and "admin" are the users created for WLI
    component.
    3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
    all these groups underneath of OU "Groups". These groups are:
    ConfigureComponents
    Administrators
    wlpiUsers
    MonitorInstance
    ExecuteTemplate
    CreateTemplate
    UpdateTemplate
    DeleteTemplate
    AdminsterUser
    ConfigureSystem
    wlpiAdministrators
    Also, add the users created in step 2 into all of these groups.
    4) Clean up the fileRealm.properties file.
    Backup your original fileRealm.properties file. Then, remove all the entries starting
    with "user.xxx" and "group.xxx", only leave those entries
    starting with "acl.xxx".
    Please see the attached "fileRealm.properties" file for reference.
    5) Restart your WLI server. Verify the users and groups you defined in LDAP server
    are displayed in WLS console correctly. You can see the user and group information
    in "Compatibility Security" -> "Users", and "Compatibility
    Security" -> "Groups" respectively.
    6) Start your studio to design a simple Workflow. When you login, the authentication
    of your username and password is against the LDAP server, since you don't
    have any user entries in your file realm any more.
    7) Start your Worklist to execute the workflow. Also, when you login, the authentication
    of your username and password is against the LDAP server, since you don't
    have any user entries in your file realm any more.
    Once you execute the workflow, you can verify that workflow instance in Studio.
    You can monitor the instance, and delete the instance.

  • LDAP Auth Rewrite Rule in Mapping file

    Hi,
    We are trying to set LDAP Auth Rewrite rule in mapping file to get users First Name & Last Name or Display name & Mail Address from LDAP Server instead of users individual client settings.
    In Messaging 5.2 we had the following setting, but it does not work any more for Messaging 6.2:
    LDAP Auth Rewrite Entry in mapping file:
    AUTH_REWRITE
    *|*|*|*@* $]ldap:///dir1.domain.com:389/o=domain.com?cn?sub?(uid=$3)[$ <$]ldap:///dir1.domain.com:389/o=domain.com?mail?sub?(uid=$3)[>$Z
    We are running:
    Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
    libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
    SunOS mta 5.10 Generic_118833-03 sun4u sparc SUNW,Sun-Fire-V240
    I'll appreciate any help or clue
    Thanks

    Thanks Jay,
    Well, here is what we want to achieve.
    We are looking for re-writing the FROM address of Sender against the LDAP Entry as cn <[email protected]>. This should solve problem of where users have entered wrong FROM information on their clients or trying to spoof FROM address to other users.
    Currently, The system delivers e-mail with FROM headers as per client entry instead of re-writing it against AUTHENTICATED userid.
    Following is the IMTA.CNF and MAPPINGS lines:
    IMTA.CNF
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 3 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D
    ! tcp_local
    tcp_local smtp mx single_sys remotehost inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 mailfromdnsverify dropblank vrfyhide
    ! tcp_intranet
    tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4 mailfromdnsverify dropblank vrfyhide
    ! tcp_extranet
    tcp_extranet smtp mx single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL mustsaslserver allowswitchchannel saslswitchchannel tcp_auth vrfyhide dropblank mailfromdnsverify dropblank missingrecipientpolicy 4
    ! tcp_submit
    tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4
    ! tcp_auth
    tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4 authrewrite 3
    MAPPINGS file
    AUTH_REWRITE
    *|*|*|*@* $]ldap:///dir.domain.edu:389/o=domain.edu,dc=domain,dc=edu?cn?sub?(uid=$3)[$ <$]ldap:///dir.domain.edu:389/o=domain.edu,dc=domain,dc=edu?mail?sub?(uid=$3)[>$Z
    Thanks for your help

  • LDAP Authentication with sub-contexts?

    Is it possible to authenticate to an ldap server with a user that belongs under different sub contexts?
    We have one LDAP JAAS login module that we want to use to authenticate ANY user under the LDAP ROOT Context. Which means if we have:
    O=COMPANY
    |
    |-> OU = DIVISION ONE
            |
            |-> USER1
    |
    |-> OU = DIVISION TWO
           |
           |-> USER2
    I'd want to set up my login module to always build the DN for the user as:
    cn=<username>,O=COMPANY and have the server itself look in the sub contexts (OU=DIVISION ONE and OU=DIVISION TWO) below when trying to make the initial context.
    Is this possible?
    Thanks,
    - Tim

    The problem with that is that the AD GPO will not let me set the
    password i am using...
    So change your non-LDAP account password in UCM to a password that AD will accept, test that it works for login on CCX, and then do the LDAP integration.
    Besides when i removed LDAP authentication i logged into the UCCX again
    and added the Administrator rights to my LDAP account but it wont
    authenticate me.
    No idea, but one guess would be that changes to the account may not hold when the account is marked as inactive in UCM. Just a guess though.

  • LDAP integration with ISE

    We are doing an LDAP integration with ISE but we are getting the following error. We are not able to identify the problem when we tested the following scenarios.
    1. When we check with Anonymous access we are successful and we get the message “ Bind Successful to gluetest.systems.XXXX:3269”
    2. When we use the user name and password CN=GRHIIISEPOC,OU=,XXXX, DC=YYYY, DC=ADROOTTEST,DC=YYYY. We are not successful and we get the message “ Test Failed: Invalid Admin Credentials or Security Settings: Check Admin Username and Password and make the security settings are compatible with the server:”
    Please confirm whether the user ID I am using does not have admin privileges or whether I have entered the parameters correctly.
    Thanks

    Did you use Softerra or an LDAP browser to pull the DN of this user account?
    Thanks

  • LDAP auth & limit logins per host

    I'm using LDAP auth. using ldapclient init to setup the ldap auth. Have a SunOne LDAP server.
    I'm interested in doing auth filters - like what Linux does with PAM. I've got PAM_LDAP to work, but since Sun does not use the OpenLDAP convention of /etc/ldap.conf - I can't setup the nss_user filters in there or nss_base_passwd dc=....
    does anyone know how to do this in Solaris? Can I enter something into the ldap_cred file? I tried to do a serviceSearchDescriptor and put passwd:dc=x,dc=y?one?(|(uid=x)(uid=y)) in the ldapCredFile but that gave me a search filter error
    I really do not want to use NetGroups.
    Thanks in advance. I have seen a few posts for this question but no real answers.
    I can't believe that there is no way to do this...

    I actually was able to solve my problem. What I did was the following
    in my profile setup in the LDAP server I set
    serviceSearchDescriptor: passwd:dc=x,dc=y,dc=x?sub?|(attribute1=value)(attribute2=value)
    This makes the password lookup look for the user only if a subsearch (sub) matches the attributes above.
    For example - I could limit logins to only the people who have a shell=/bin/bash by saying ...sub?|(loginShell=/bin/bash)(loginShell=/usr/bin/bash)
    I would also want to make a similar serviceSearchDescriptor line for shadow. So I would have two of these in my Profile on the LDAP server , one with passwd: and one with shadow:

  • How can i disable faronics deep freeze with no username/password?

    how can I disable deepfreeze with no username or password?

    Basically you can't; that's the whole point of the software (or at least a large part of the point), so that unauthorized people can't make changes to the system. As Kappy said, you'll need to contact Faronics for assistance, but I don't remember any sort of "back door" to their software so there may be no solution short of erasing the drive and starting from scratch.
    Regards.

  • Deploy authenticate VPN using LDAP AD (with user group)

    Hi,
    I'm stuck on the configuration of an LDAP server to authenticate VPN users using a group in a Windows domain. I would like to create a group like "vpn-group" in the domain. If someone wants to VPN, I just have to add that user to the group "vpn-group" and then they can connect to the company.
    Here is my configuration
    aaa new-model
    aaa authentication login userauthen local group ldap
    aaa authorization network groupauthor local
    ldap attribute-map map1
     map type sAMAccountName username
    ldap server server1
     ipv4 192.168.0.5
     attribute map map1
     bind authenticate root-dn cn=administrator,cn=users,dc=test,dc=local password 7 0235114B0E144E621518
     base-dn cn=vpn-group,cn=users,dc=test,dc=local
    Please advise me.

    I got it working by including the AD security group in the search-filter
    search-filter user-object-type User)(memberOf=CN=vpn-group,OU=Security groups,OU=company,DC=test,DC=local

  • Imac stops because of short username

    I've reinstalled my iMac (Intel).
    When I start it up I get a window with the guest account and my account.
    When I click on my account the system says: Short username and won't log in to Lion
    Does someone have a solution for me?
    Thanks

    Silly Apple...
    1. Insert the Mac OS X Install disc, then restart the computer while holding the C key.
    2. When your computer finishes starting up from the disc, choose Utilities from the Installer menu at the top of the screen. (In Mac OS X 10.4 or later, you must select your language first.)
    Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access the Menubar at top.
    1. Insert the Mac OS X Install disc, then restart the computer while holding the C key.
    2. When your computer finishes starting up from the disc, choose Reset Password from the Installer menu at the top of the screen. (In Mac OS X 10.4 or later, you must select your language first.)
    Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Reset Password.
