LDAP Authenticated Bind

I have been looking for documentation on LDAP authenticated bind, except there is very little and the stuff that is there doesn't go into any detail. I was able to get authenticated binds to work properly but I wanted to ensure that it was all done correctly.
I found that the users that you are authenticating have to be in the same OU as the service account that you are using to perform the authenticated bind. For example you have an OU called Wireless. users1, user2 and a service account called WiSA are all in this OU. You can authenticate users1 and user2, but no users out of any other OU.
Is this really all there is? There appears to be no ability to do memberOf which really limits what you can do with this.
I am running 6.0.182.0. Any thoughts??

You can use users in another location for authenticated binding of LDAP, in that case while writing the the username you should mention entire path instead of username.
for eg: you should specify the username as cn=user,ou=cisco,ou=wireless,dc=com.
If both your client authentication username and bind username in same location then you can just specify the username controller will pick the path from the LDAP config.
I hope i answerd your question.

Similar Messages

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
During the installation I got the following error.
ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
Fatal Slapd did not add Directory server information to config Server.
Warning slapd could'nt populate with ldif file Yes error code 151.
ERROR:Failure installing iPlanet Directory Server.
Do you want to continue: ( I entered yes )
Configuring Administration Server Segmentation fault core dumped.
Error: Failure installing Netscape Administration Server.
Do you want to continue:( I responded with yes).
And during the Extraction I got the following
ERROR:mple_bind: Can't connect to the LDAP server - No route to host
ERROR: Unable to connect to LDAP Directory Server
Hostname: hostname
Port: 389
User: cn=Directory Manager
Password: <password-for-cn=Directory Manager
Please make sure this Directory Server is currently running.
You might need to run 'stop-slapd' and then
'start-slapd' in the Directory Server home directory, in order to restart
LDAP. When finished, press ENTER to continue, or S to skip this step:
Start registering Bootstrap EJB...
javax.naming.NameNotFoundException
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled > Code)
at javax.naming.NamingException.<init>(NamingException.java:114)
at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
"ldaperror" 76 lines, 2944 characters
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(InitialContext.java:371)
at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.run(Compiled Code)
at com.netscape.server.deployment.EjbReg.main(Unknown Source)
Start registering iAS 60 Fortune Application...
Start iPlanet Application Server
Start iPlanet Application Server
Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
warning: daemon is running as super-user
[LS ls1] http://gedemo1.plateau.com, port 80 ready
to accept requests
startup: server started successfully.
After completion of installation, I tried to start the console. But I got the following error;
"Cant connect ot the admin server. The url is not correct or the server is not running.
Finally,when I started the admintool(iASTT),it shows the iAS1
was registered( marked with a red cross mark) and says "cant login. make sure the user
name & passwdord are correct" when i click on it.
Thanks in advance for any help
Madhavi

Hi,
Make sure that the directory server is installed first. If it is running
ok, then you can try adding an admin user, please check the following
technote.
http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
regards
Swami
madhavi korupolu wrote:
I am attempting to install ias Enterprise Edition (6.0 SP3) on
solaris 2.8 using typical in basesetup. I am trying to install new
Directory server as I don't have an existing one.
During the installation I got the following error.
ERROR: Ldap Authentication failed for url
ldap://hostname:389/o=NetScape Root user id admin (151: Unknown
Error)
Fatal Slapd did not add Directory server information to config
Server.
Warning slapd could'nt populate with ldif file Yes error code 151.
ERROR:Failure installing iPlanet Directory Server.
Do you want to continue: ( I entered yes )
Configuring Administration Server Segmentation fault core dumped.
Error: Failure installing Netscape Administration Server.
Do you want to continue:( I responded with yes).
And during the Extraction I got the following
ERROR:mple_bind: Can't connect to the LDAP server - No route to host
ERROR: Unable to connect to LDAP Directory Server
Hostname: hostname
Port: 389
User: cn=Directory Manager
Password: <password-for-cn=Directory Manager
Please make sure this Directory Server is currently running.
You might need to run 'stop-slapd' and then
'start-slapd' in the Directory Server home directory, in order to
restart
LDAP. When finished, press ENTER to continue, or S to skip this
step:
Start registering Bootstrap EJB...
javax.naming.NameNotFoundException
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled > Code)
at javax.naming.NamingException.<init>(NamingException.java:114)
at
javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:
48)
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
"ldaperror" 76 lines, 2944 characters
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(InitialContext.java:371)
at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown
Source)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
Code)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
Code)
at com.netscape.server.deployment.EjbReg.run(Compiled Code)
at com.netscape.server.deployment.EjbReg.main(Unknown Source)
Start registering iAS 60 Fortune Application...
Start iPlanet Application Server
Start iPlanet Application Server
Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
warning: daemon is running as super-user
[LS ls1] http://gedemo1.plateau.com, port 80 ready
to accept requests
startup: server started successfully.
After completion of installation, I tried to start the console. But I
got the following error;
"Cant connect ot the admin server. The url is not correct or the
server is not running.
Finally,when I started the admintool(iASTT),it shows the iAS1
was registered( marked with a red cross mark) and says "cant login.
make sure the user
name & passwdord are correct" when i click on it.
Thanks in advance for any help
Madhavi
Try our New Web Based Forum at http://softwareforum.sun.com
Includes Access to our Product Knowledge Base!

ASA 8.2.5 LDAP authentication by memberof doesn't always work

I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for.   I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate, its just some of them don't pull the memberof data in the ldap query.
Config:
aaa-server AD protocol ldap
aaa-server AD (inside) host btfs2
ldap-base-dn dc=localdomain,dc=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn [email protected]
server-type microsoft
ldap-attribute-map VPNGroup
ldap attribute-map VPNGroup
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy btvpn internal
group-policy btvpn attributes
banner value This is a private data network. All connections are logged and are subject to
banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
dns-server value 10.0.0.x 10.0.0.y
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun
default-domain value localdomain.com
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
tunnel-group btvpn type remote-access
tunnel-group btvpn general-attributes
address-pool vpnpool
authentication-server-group AD LOCAL
default-group-policy NOACCESS
tunnel-group btvpn webvpn-attributes
group-alias webvpn enable
tunnel-group btvpn ipsec-attributes
pre-shared-key *****
Non-working user:
[1575] Session Start
[1575] New request Session, context 0xd7fbf210, reqType = Authentication
[1575] Fiber started
[1575] Creating LDAP context with uri=ldap://10.0.0.x:389
[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1575] supportedLDAPVersion: value = 3
[1575] supportedLDAPVersion: value = 2
[1575] Binding as [email protected]
[1575] Performing Simple authentication for [email protected] to 10.0.0.x
[1575] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride]
        Scope   = [SUBTREE]
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Talking to Active Directory server 10.0.0.x
[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1575] Binding as cmcbride
[1575] Performing Simple authentication for cmcbride to 10.0.0.x
[1575] Processing LDAP response for user cmcbride
[1575] Message (cmcbride):
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575] objectClass: value = top
[1575] objectClass: value = person
[1575] objectClass: value = organizationalPerson
[1575] objectClass: value = user
[1575] cn: value = Chris McBride
[1575] sn: value = McBride
[1575] l: value = Tulsa
[1575] description: value = cmcbride non-admin test account
[1575] givenName: value = Chris
[1575] distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
[1575] displayName: value = Chris McBride
[1575] name: value = Chris McBride
[1575] objectGUID: value = ....5..L...[..K.
[1575] codePage: value = 0
[1575] countryCode: value = 0
[1575] primaryGroupID: value = 513
[1575] objectSid: value = ...............1...{C..2....
[1575] sAMAccountName: value = cmcbride
[1575] sAMAccountType: value = 805306368
[1575] userPrincipalName: value = [email protected]
[1575] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
[1575] Session End
Working user:
[1585] Session Start
[1585] New request Session, context 0xd7fbf210, reqType = Authentication
[1585] Fiber started
[1585] Creating LDAP context with uri=ldap://10.0.0.x:389
[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1585] supportedLDAPVersion: value = 3
[1585] supportedLDAPVersion: value = 2
[1585] Binding as [email protected]
[1585] Performing Simple authentication for [email protected] to 10.0.0.x
[1585] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride_a]
        Scope   = [SUBTREE]
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Talking to Active Directory server 10.0.0.x
[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1585] Read bad password count 0
[1585] Binding as cmcbride_a
[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
[1585] Processing LDAP response for user cmcbride_a
[1585] Message (cmcbride_a):
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585] objectClass: value = top
[1585] objectClass: value = person
[1585] objectClass: value = organizationalPerson
[1585] objectClass: value = user
[1585] cn: value = Admin Chris McBride
[1585] sn: value = McBride
[1585] description: value = PTC User, cjm 05312011
[1585] givenName: value = Chris
[1585] distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
[1585] instanceType: value = 4
[1585] whenCreated: value = 20110525173004.0Z
[1585] whenChanged: value = 20110619154158.0Z
[1585] displayName: value = Admin Chris McBride
[1585] uSNCreated: value = 6188062
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = btvpn
[1585]          mapped to LDAP-Class: value = btvpn
[1585] memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
[1585]          mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] uSNChanged: value = 6560745
[1585] name: value = Admin Chris McBride
[1585] objectGUID: value = ..Kj4..E..c.VCHT
[1585] userAccountControl: value = 512
[1585] badPwdCount: value = 0
[1585] codePage: value = 0
[1585] countryCode: value = 0
[1585] badPasswordTime: value = 129531669834218721
[1585] lastLogoff: value = 0
[1585] lastLogon: value = 129532463799841621
[1585] scriptPath: value = SLOGIC.BAT
[1585] pwdLastSet: value = 129508182041981337
[1585] primaryGroupID: value = 513
[1585] objectSid: value = ...............1...{C..2. ..
[1585] adminCount: value = 1
[1585] accountExpires: value = 9223372036854775807
[1585] logonCount: value = 90
[1585] sAMAccountName: value = cmcbride_a
[1585] sAMAccountType: value = 805306368
[1585] userPrincipalName: value = [email protected]
[1585] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1585] dSCorePropagationData: value = 20110525174152.0Z
[1585] dSCorePropagationData: value = 16010101000000.0Z
[1585] lastLogonTimestamp: value = 129529717185508866
[1585] msTSExpireDate: value = 20110803160858.0Z
[1585] msTSLicenseVersion: value = 393216
[1585] msTSManagingLS: value = 92573-029-5868087-27549
[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
[1585] Session End

As far as your configuration is concerned it looks perfectly fine. As you mentioned that the difference between the working and non working debugs is that in the non working debugs we do not see memberof attribute being retrieved.
the main reason could be that the username "[email protected]" with which you are performing the LDAP bind does not have sufficient privileges to retreive all the attributes from all the users in the AD. This looks like permission issue at the AD user level.
One thing you can try on the AD is to "Delegate Control" to this user ([email protected]) to "Read all properties" for all users and not just a subset of users. Please get in touch with AD Admin before making such a change on the AD.
Here is an external link just to give an idea about delegation of control to "Read all properties"
http://www.advproxy.net/ldapads.html

Setting up LDAP authentication

Hi guys.
I am a newb when it comes to LDAP so please bear with me.
I installed dbms_ldap for a developer yesterday so they could run directory searches. I have now been asked to set up anonymous authentication on the directory.
I've looked through a few docs and am having trouble trying to figure out how excatly how to do this? I am assuming it is done somewhere from the admin gui.
Any help would be appreciated.
Oracle version 10.2.0.4 on Linux x86_64
Thanks

the name of your (portal) domain and the URL used to
access your portal have nothing to see with the LDAP
authentication server.
The LDAP authentication server is the hostname or FQDN
of the host where your LDAP authentication directory
resides.
When you're logged on the iPS machine, you should be
able to make a request to your LDAP directory using this hostname or FQDN (and port number, base dn,bind dn,.....)

Ldap authentication on solaris 8 client

I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
# ssh -v user@localhost
SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.
host: Reading configuration data /etc/ssh_config
host: ssh_connect: getuid 0 geteuid 0 anon 0
host: Allocated local port 1023.
host: Connecting to 127.0.0.1 port 22.
host: Connection established.
host: Remote protocol version 1.5, remote software version 1.2.27
host: Waiting for server public key.
host: Received server public key (768 bits) and host key (1024 bits).
host: Forcing accepting of host key for localhost.
host: Host '127.0.0.1' is known and matches the host key.
host: Initializing random; seed file /root/.ssh/random_seed
host: Encryption type: idea
host: Sent encrypted session key.
host: Installing crc compensation attack detector.
host: Received encrypted confirmation.
host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
host: Server refused our rhosts authentication or host key.
host: No agent.
host: Doing password authentication.
[email protected]'s password:
Permission denied.
This is the pam.conf I use:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ppp auth required pam_unix_auth.so.1
Not sure why Solaris 8 can't authentication with LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
Any ideas?

No, my problem seems different.
The authentication between ldap client and server is through tls:simple. Also, exact same configuration can work with Solaris 9 client, but not Solaris 8 client. Furthur checks on ssh on Solaris 8, the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
Thanks,
--xinhuan

Should I use Authenticated Binding?

Hi,
I have a 10.5.6 Xserver configured as and OD master and bound to AD windows 2003 domain. The OD kerberos realm was deleted and I have kerberized the OD services with the command line sudo dsconfigad -enableSSO.
All seems to be working well at the moment but I wanted to know if I should use Authenticated binding for clients. I have read the 10.6 Open Directory Administration Guide which says:
"Also, avoid mixing Authenticated Directory Binding and Active Directory on the same client or server. Authenticated binding makes use of Kerberos as does Active Directory. Using both will cause unexpected behavior or nonfunctioning authentication services unless care is taken as detailed below.
If you want to mix Authenticated Directory Binding and Active Directory, your Active Directory Domain and Open Directory realms and servers must be in a different hierarchy."
Since I have killed off the OD realm and only using the AD realm does the above apply or can I simple enable authenticated binding.
Also there is an option to enable SSL for LDAP. Do I need this with the Binding policy set to Encrypt all packets (requires SLL or Kerberos)?

Hi robfoster34,
Regarding binding, you may have already seen it, but you may find the following doc useful:
OS X Server: How to require authenticated binding between server and clients
http://support.apple.com/kb/HT4068
Regards,
- Brenden

Starting LDAP authentication

I followed the "Configuring Oracle9iAS Portal for LDAP configuration" from the December2000 white paper and I couldn't get the LDAP authentication to work using Oracle's OID. It just won't start.
I get the following errors when I try to login using the sys account:
Server is not up and running: blah.blah.com/389
oracle.ldap.admin.common.SaveChangeException: server is not up and running: blah.blah.com/389
at oracle.ldap.admin.Root.saveChanges(Root.java:805)
at oracle.ldap.admin.Root.saveChanges(root.java:805)
at oracle.ldap.admin.common.AdminPropView.saveChanges(adminPropView.java:710)
at oracle.ldap.admin.client.propEditors.TabView.commit(Compiled Code)
at oracle.ldap.admin.client.AdminUtil$logonCmds.run(AdminUtil.java:727)
at java.lang.Thread.run(Thread.java:466)
And after I try to log back in, it gives me a new set of errors:
Server is not up and running: blah.blah.com/389
oracle.ldap.admin.common.SaveChangeException: server is not up and running: blah.blah.com/389
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Complied Code)
at oracle.ldap.admin.common.PropertyExcetion.<init>(PropertyExcetion.java:78)
at oracle.ldap.admin.common.PropertyExcetion.<init>(PropertyExcetion.java:90)
at oracle.ldap.admin.common.PropertyExcetion.<init>(SaveChangeException.java.java:39)
at oracle.ldap.admin.common.PropertyExcetion.<init>(SaveChangeException.java.java:43)
at oracle.ldap.admin.Root.saveChanges(root.java:805)
at oracle.ldap.admin.common.AdminPropView.saveChanges(adminPropView.java:710)
at oracle.ldap.admin.clientpropEditors.TabView.commit(compiled Code)
at oracle.ldap.admin.client.propEditors.TabView.commit(Compiled Code)
at oracle.ldap.admin.client.AdminUtil$logonCmds.run(AdminUtil.java:727)
at java.lang.Thread.run(Thread.java:466)
Can anyone help me out? I want to get the LDAP work with external authentication.

May be some other LDAP(Directory) server is running on the same port 389, and now this installer could not bind the same port. Hence the error, I guess. Please stop any other Directory servers running on the same port 389. And uninstall/remove the partially installed iAS. Then install again, this should work.
Please get back for any further information. Thanks for using our web forum.
Rakesh.

Configuring Oracle 9iAS for LDAP Authentication

I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
" Bind variable "CN" not declared ".
I even compile the package ssoxldap.pkb before that. But still this error persists.
tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
Can anyone help me in this.

I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
but instead we shoud write this:
ldapadd -h i3dt111 -p 389 -D cn=orcladmin
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
. Just remove the single quotes in the username string.
Anyways, thanks for your suggestions.
null

Interface creation...[LDAP Authentication]

Hi...All SAP Xi friends,
i have to work on an interface creation with the following specifications:
      1. SAP Enterprise Portal gives us an URL which contains UserID
      2.   You have to create an interface to read the URL,
      3. Connect to LDAP server...from there come to know whether it is external or internal user, meaning if it exist in LDAP it is internal otherwise it is external user
      4. If the user id is internal, interface has to create a file and place it at a particular location & create a webservice for this and expose to EP
       5. if not it should give an alert saying it is an external user id
         Please help me out how to start and what to do..!
         Thank you.

? Why is the Loginid cn=dsameuser,ou=DSAME, and not the uid the of the user i use?
This is strange you should see the loginid of the user ..
try directly logging in using
http://server:port/amserver/login?org=orgname, this should present a list of the auth modules you have enabled.
?Has anyone else got the same warning at the Loginchannel, using the "display_AuthLDAP.html" instead of the original "display.html" ? i tried it at two different machines, but the same error occurs.
I have used it and worked fine for me.
? What else can I do to make the LDAP Authentication work?
Is bind as Directory Manager absolutely necessary or have you setup your external ldap for anonymous bind. If that is the case then you don't need to bind.
One other thing you can do is enable debug logging. Change the logging level in /opt/SUNWam/lib/AMConfig.properties to message and restart the server. This should give you additonal information.

Authenticated Bind succeeds but "This server is not responding"

Hey everyone,
I have a "from scratch" magic triangle setup. AD has 2 DC's in a domain named domain.priv, 1 Lion (10.7.4) OD server successfully bound to AD and authentication is working flawlessly and fast! There are a handful of clients running SL which have mobile homes. There are also a handful of Lion clients with mobile homes. DNS is running on AD.
Here's the rub. I can bind the SL clients to AD and OD just fine. I do an authenticated bind to OD so that it creates the computer record. On the Lion clients I bind them to AD without a problem and OD without and error message however once I bind Directory Utility has a red light stating "This server is not responding". Search paths are correct, pinging works the server works. Because authentication and mobile homes are working I think it's fairly safe to assume DNS is setup properly.
For clarification, I have a script that does the binding but I promise I've tried every available option in dsconfigldap without success. I've obviously tried using the GUI as well with no luck. I've tried turning on SSL and no SSL. I've tried enabling other security options without success as well. A work around I have found for the Lion clients was first do an authenticated bind to create the computer record and add it to appropriate computer groups then unbind the client and rebind UNauthenticated. Binding without authentication works perfectly and the client never loses contact with the OD server.
The reason I am posting this problem is because I am finally getting around to adding a secondary OD server for replication. I do not have the option to do an unauthenticated bind with OS Server and I have not found a way to successfully setup a replica without binding first, obviously.
I will post log files as needed but I have not found anything that is out of the ordinary except for:
9/20/12 7:34:16.560 PM servermgrd: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
9/20/12 7:34:16.562 PM servermgrd: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
9/20/12 7:34:16.564 PM servermgrd: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
9/20/12 7:34:16.567 PM servermgrd: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
It goes on like that...
Also, IPv6 is not setup on the AD DNS servers. Not sure that matters but I figured I should put it out there.
Any help or ideas of where to look would be greatly appreciated! Thanks!
Nick.

I ended up opening a ticket with Apple and the cause has been identified and even a "fix"!
Turns out that I skipped a vital step prior to binding to AD or setting up the OD Master; preparing the server to connect to another directory.
It's necessary to go to Server Admin, select Open Directory, Settings, then Change. Select "Connect to another directory" and then continue. After that the normal steps should be taken; Connect to AD with Directory Utility and then Create Open Directory Master with Server Admin.
Since I have a test enviroment that consists of 1 week old backups of the AD Domain Controllers and OD Master I decided to destroy the current OD and start over and testing this out. Guess what? Everything works as it should. Bount a couple of Lion clients, tested management, and even created a replica with the GUI!
Here's the rub...
In order to keep my current environment in tact (computers and computer groups) I exported all of the computers and computer groups from WGM prior to destroying the Open Directory Master. Once I completed setting everything up and created a new Directory Master I reimported the archive. With this method all currently I was back to square one. SL clients were bound, I could unbind and re-authenticaed bind with no problems. Lion clients however, had the same issue, could not bind with authentication. Fail.
I also tried exporting the computers and computer groups from WGM prior to destroying the Master. Set everything back up, imported the computers and computer groups. Nice part is that new binds both SL and Lion work wonderfully. However, any machines that were already bound don't work. I assume this is because even though the Kerberos realm has the same name, there has to be some differences in hash or whatever else Kerberos is using for encryption. There are log entries telling me about all the computers trying to connect that the server can't find in it's database.
Where to go from here?
Not sure. How do I find out what is broken in the Archive? I know that 10.7 took out the option of -merge in slapconfig which may or may not have worked here. Knowing what the "Connect to another directory" option in Server Admin is doing would help out greatly. Not knowing why that simple step does changes everything is deflating to say the least.
I should be talking to an Apple Engineer tomorrow. I will post back.
Nick.

How to get user attributes from LDAP authenticator

I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciated

Hi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Beginner
Medium
Advanced
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev

How to use two different LDAP authentication for my Apex application login

Hi,
I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
Does anyone know how to define both the group in LDAP DN String ?.
Thanx in advance
Vijay.

Vijay,
I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
Scott

LDAP Authentication - Multiple Domains

I want to be able to use the built in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with it's own separate Host IP/Server, and LDAP DN String. The User ID is formated the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
Host: xx.xx.xx.xx
DN String: %LDAP_USER%@amer.globalco.net
(amer.globalco.net is the domain)
How can this be accomplished? Is it possible all you guru's out there?
I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
Please include example/suggested SQL -
Thanks in advance...
Rich
Apex v3.2.1
Oracle 10G Express

Based on prior post I had similar question and the result was to write custom auth scheme to read the values from the login page, perform auth against appropriate ldap, then return a valid session to proceed with login in apex app. In our case, the issue was having users is different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain, maybe would even have to multiple apps with just a login page and then redirect to the main app... been a really long time since i've tried anything like it, just giving some options to try.

LDAP Authentication Scheme - Multiple LDAP Servers?

How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

LDAP Authenticated Bind

Similar Messages

Maybe you are looking for