LDAP Authentication - Multiple Domains

Similar Messages

• Cisco support LDAP Authentication - Multiple Domains

  Hi,
  I want to change the LDAP authentication as the multiple domains and my Windows AD environment is the child trust, that mean the root DC is the "abc.com", which have the two child DCs, e.g. "us.abc.com ", "uk.abc.com"
  Is it possible I just changed the LDAP auth. with user search space as the root DC is fine?
  OR
  I must use the "userPrincipalName" ?

  But it had the collision SAMAccountName, that would have the same account name between the us.abc.com and uk.abc.com. 
  If I changed the "userPrincipalName" LDAP sync to CM, how about the Jabber login?

• LDAP and multiple domains

  Currently migrating to a new domain and is there anyway to configure LDAP to use both during the migration?... We've been able to use one or the other via redirecting the LDAP Configuration Wizard and our test users but they only work for a short time then fail.  I'm thinking there is a keep live period that expires, so is that a possiblity? reset the how long LDAP keeps currently populated users.

  It is not possible to configure Contract Management to connect \ integrate with more than one LDAP authentication server.
  This is an existing Enhancement Request:
  Bug 9724986         15    ABILITY TO ENTER MULTIPLE LDAP SERVERS FOR CONTRACT MANAGEMENT
  The Primavera Administrator only supports variables for a single authentication mode and authentication server.
  Reference: Note 913872.1 How To: Configure / Enable LDAP Authentication using the Primavera Administrator (admincm.cmd)
  This sounds like short term requirement, however, if you would like to be included on the related Enhancement Request, please create an SR to request your organization be added to the Enhancement Request.

• LDAP Configuration - Multiple domains

  I have a domain called SA and I have subdomains called IL,NY,TX with corresponding users in the subdomain.It is a deep hierarchy.I want to bring all the users from all these subdomains.
  Below is my environment,
  User path: ou=users,ou=test,dc=IL,dc=SA
  User path: ou=users,ou=map,dc=NY,dc=SA
  User path: ou=users,ou=temp,dc=TX,dc=SA
  If I give a single path, I am able to bring all the LDAP users. What do I need to do to bring all the users from all the subdomains in EP60.

  Dear Anonymous User -
  Have you tried configuring the connection to the LDAP to use port 3268 instead of 389?  Also, you may need to point to the domain controller instead of one of the sub-domains.
  Additionally, you'll want to ensure that the users are unique amongst all of the sub-domains.  If not, you'll find that users may experience intermittant behaviour.
  Finally, you could also configure the portal to use multiple LDAPs, and treat each of th sub-domains as a seperate LDAP even though they physically exist on the same server.
  Regards,
  Kyle

• Authentication - multiple domains with multiple accounts

  Dear All,
  Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's
  machine is part of the DOMB domain.
  I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
  So far, I've thought of the following solutions:
  1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
  2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
  I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
  Any ideas?  Or, am I completely mad?!
  Thanks in advance.

  1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
  An ADFS trust might be another option, although that increases your deployment footprint and complexity.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• ACS Authentication, multiple domains

  Hi all,
  I have the following problem
  I have a Win 2003 domain (A) and a trust established with another Win
  2003 domain (B). Domain A is the one with the CiscoSecure software.
  We have many trusts with other domains (mostly Win 2000) and have
  configured the mappings by using CiscoSecure.
  But when trying to "add mappings" for this new 2003 Domain (B), I
  continually am getting "failed to enumerate Windows groups. If you are
  using Active Directory consult the installation guide for information."
  I am not able to see domain B's users and groups from within the Cisco
  Secure software.
  However, if I use Active Directory Users and Computers from Domain A,
  and "connect to domain" and choose Domain B, I am able to view all
  users and groups just fine.
  Do you know if there is a problem with configuring two 2003 domains in
  this software? Do you have any other areas that I should investigate?
  Some local policy on Domain B?

  If ACS is installed on a DC of DOM1 and DOM1 has trust relationship to a remote domain DOM2
  1) ACS Services (on DOM1 DC) run under a DOM1 Domain User (and Local Machine Administrator) - "acsacct"
  2) This account (acsacct) has "Act as part of the OS" permission in Domain Security Policy and Domain Controller Security Policy
  3) On DOM2 (The Remote Domain) , we Delegated Control to the acsacct User to the Custom Task of "Group Objects" and "User Objects".

• Authentication, Multiple domain,different forest lowercase domain.

  We have succesfully configured a BOXI 3.1 SP3 to use SSO using vintela,tomcat for our domain that is on 2000 native mode.
  Let's call this one Domain1.
  In our domain there is another separate domain sitting on a 2003 domain level. (Let's call this one Domain2). They have a 2 way trust, but not transitive.
  Here is the deal:
  1- Users from domain1, where the server is configured are able to access using SSO without issues.  Users from domain2 needs to do manual logon, but using the following format:
  useraccount at DOMAIN2.COM
  If we use the domain as lowercase, login does not work even if we use the domain_realm on krb5.ini  Why?
  2- Do you think that we have to move to domain1 to 2003 native mode and configure 2 way trust in order to have SSO working on both domain that are from different forest?
  Any help would be appreciated.

  Note 1206522 seems to answer my questions, but anyway still not satisfied.

• LDAP Authentication Scheme - Multiple LDAP Servers?

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

• LDAP External Authentication Multiple Search Base DNs question

  hi,
  im trying two add two LDAP search DNs to a portal 6.2 organisation.
  with one search base dn it works fine.
  when i add another, all ldap auth for that org stops working.
  the docs confusingly state that if you have multiple search dns (not talking about multiple ldap servers here - just the search base dns) that you should prefix each entry with the local server name. the docs however provide no examples of the syntax.
  can anyone provide an example for multiple search dns? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
  thanks

  hi,
  yes i have.. but when you enter more than one it stop working... with only one entry in the gui it will work for that entry but when you add another it stops working...
  i had to use a manual workaround like this to get the second going... :(
  External ldap authentication
  register the LDAP authentication service in the gui and setup the first DN as normal.
  create the first set of entries for the ldap host and the base dn in the gui as normal etc.
  the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
  All commands are run from the /apps/jes/SUNWam/bin directory
  1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
  ./ampassword -e directory_manager password
  More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
  2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
  3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
  ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
  If the imported xml values are incorrect delete and reload the imported xml data using amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser though this method is not supported .
  You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAP
  Service,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

• How do I get certificate authentication working across multiple domains?

  Hi,
  I've got LC ES2 set up for certificate authentication and when there's only one domain (with a single certificate mapping set up), it works fine.
  However would like to have multiple domains (application specific), with a small set of administrator type users who manage all of the domains.
  To test, I've set up two domains, with the admin users in one and the normal users in the other.
  I've set up two certificate mapping rules (both for the same CA), one for each domain.
  However LC will only authenticate users who are matched using the first certificate mapping rule.
  Has anyone else seen/tried this?  Have I missed something obvious?
  For the moment I'm going to have to work with a single domain, which is a pain, but will have to do for now.
  Thanks
  Craig
  Here's the error I get when LC fails to match (or attempt to match?) on the second cert mapping rule:
  2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,885 ERROR [STDERR] 11/05/2010 11:36:38 AM com.adobe.rightsmanagement.webservices.rest.RestServlet doAction
  SEVERE: Unexpected exception in Rest Call
  com.adobe.idp.um.api.UMException| [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16423 errorCodeHEX:0x4027 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mappingcom.adobe.idp.common.errors.exception.IDPException| [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] errorCode:12805 errorCodeHEX:0x3205 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:251)
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:194)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:338)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:154)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:162)
  at com.adobe.idp.um.dsc.util.dscservice.UserManagerUtilServiceImpl.authenticateWithWSHeaderE lement(UserManagerUtilServiceImpl.java:173)
  at sun.reflect.GeneratedMethodAccessor1065.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(DefaultPOJOInvokerImpl.jav a:118)
  at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(InvocationInterceptor. java:140)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.intercept(DocumentPassi vationInterceptor.java:53)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.doInTransaction(Transa ctionInterceptor.java:74)
  at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionBMTAdapterBean.doRequiresNew (EjbTransactionBMTAdapterBean.java:218)
  at sun.reflect.GeneratedMethodAccessor363.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionConta iner.java:237)
  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionI nterceptor.java:158)
  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
  at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:1 73)
  at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:77)
  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstance Interceptor.java:169)
  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
  at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor. java:138)
  at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
  at org.jboss.ejb.Container.invoke(Container.java:960)
  at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:430)
  at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:103)
  at $Proxy179.doRequiresNew(Unknown Source)
  at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute(EjbTransactionProvi der.java:145)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.intercept(TransactionInt erceptor.java:72)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.intercept(InvocationStra tegyInterceptor.java:55)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept(InvalidStateIntercep tor.java:37)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterc eptor.java:165)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)
  at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:129)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMessage(AbstractMessage Receiver.java:93)
  at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessageDispatcher.java:22 5)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(AbstractMessageDispat cher.java:66)
  at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:208)
  at com.adobe.idp.um.dsc.util.client.UserManagerUtilServiceClient.authenticate(UserManagerUti lServiceClient.java:210)
  at com.adobe.edc.server.platform.UMHelper.authenticate(UMHelper.java:549)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.validateClientAuthenticationHeader (RestFacade.java:161)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getBusinessHandler(RestFacade.java :206)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getAuthenticationToken(RestFacade. java:226)
  at com.adobe.rightsmanagement.webservices.rest.RestDefaultRequestHandler.handleRequest(RestD efaultRequestHandler.java:29)
  at com.adobe.rightsmanagement.webservices.rest.RestSecureRequestHandler.handleRequest(RestSe cureRequestHandler.java:13)
  at com.adobe.rightsmanagement.webservices.rest.RestRequestRouter.routeRequest(RestRequestRou ter.java:10)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doAction(RestServlet.java:50)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doGet(RestServlet.java:37)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja va:179)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java: 157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
  a
  2010-05-11 11:36:38,886 ERROR [STDERR] t org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja va:580)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  at java.lang.Thread.run(Unknown Source)

  Craig,
  The certificate mapping works in the following manner,
  First the User's certificate is validated.
  If the certificate is valid, the related Certificate mapping information is fetched.
  From the Certificate Mapping information, the domain is determined.
  Following this, the user is searched in the domain and checked for it's current/deleted status.
  If user exists or is a valid one, then return an AuthResult corresponding to that is returned to the client.
  The error log below says, "Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping"
  1. Please check if the concerned user exists in the domain registered in the second cert mapping.
  2. Also check if the concerned user satisfies the attribute mapping specified in the second cert mapping.
  3. Could you confirm whether the admin Users and the normal users are distinct in both the domains and not duplicate in any of them??
     Because if same user exists in 2 domains, then there is no way to find out which domain you are referring to. In that case the first domain which declares the user as valid will return the AuthResult.
  4. You are using LC ES2, so there is a Test Certificate utlity on the same Certificate Mapping page, which can help you confirm the validity of the user's certificate and then you can proceed.

• LDAP authentication in AD (users from other trusted domain)

  Hi
  I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
  I use LDAP authentication in AD for authentication users (AnyConnect).
  Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
  I do not want direct connect with the domain contoller in the trusted domain.
  My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
  But if I try to test aaa-server authentication from ASA
  I get error.
  I think, I must use username like "DOMAINB\userindomainb" but this not work.
  Help me please.
  Thanks!
  My config:
  aaa-server ADA protocol ldap
  aaa-server ADA (inside) host 10.0.0.1
   ldap-base-dn dc=domaina, dc=local
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
   server-type microsoft

  Hello!
  I see in console (debug LDAP):
  Request for [email protected] returned code (10) Referral
  Does ASA support authentication via LDAP referrals?
  I read old thread:
  https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
  And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
  But I use:
  Cisco Adaptive Security Appliance Software Version 9.2(3)
  Device Manager Version 7.3(3)
  Compiled on Mon 15-Dec-14 05:10 PST by builders
  System image file is "disk0:/asa923-smp-k8.bin"
  Thanks!

• How to include all the child OU groups of a master OU group in LDAP authentication

  Dear All,
  I am using Apex 4.2 on windows server 2012 on internet explorer with database 11g R2 all 64 bit.
  we are using Microsoft Active Directory Authentication in our domain.
  I have created two protals, Staff Portal and Student Portal
  I have two groups, Staff and Students. these two groups coming under HCT group.
  I want to configure LDAP authentication for these groups, so that student cannot login to staff portal and vice versa.
  I had created on authentication schema in apex.
  inititally I configured as below
  for example I have a group ETC, inside ETC I have CSS in active directory,
  DN String=cn=%LDAP_USER%,dc=hct,dc=org
  Use Exact distinguish name=YES
  LDAP Username edit function=
  return apex_escape.ldap_dn (
               p_string => :USERNAME,
               p_escape_non_ascii => false ) || ',ou=users,ou=css,ou=etc,ou=staff,ou=hct'   ;
  Username Escaping=NO ESCAPING
  and it is working,
  now I have another group under ETC, which is ESS. how to include ESS also? I mean how to include all the child groups of a master group?
  because I will then only include the STAFF ou and the rest of the ou which coming under staff will come automatically.
  please refer to this thread for more details.
  Re: Re: Different LDAP authentication for Student and Staff Active directory groups
  Thank you.

  Powershell (or vbscript if you want to be old school).
  You can trigger a powershell script which will remove the offending user(s) easily enough with out resorting to a TOLDAP pass.  Nearly any script type thing would work but powershell is preferred.  It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
  Otherwise, TOLDAP is the way to write to AD...
  Peter

• Multi-Forest LDAP Authentication

  Hi Guys
  We are trying to implement authentication and import across multiple domains
  We originally tried to build our own custom code but this has failed due to some unforseen errors.
  I have revert back to the inbuilt ciac option for import person and EUA
  The import for one domain is working however, i wish use multiple forests and to add a unique identifier to the login name to avoid login name clashes
  for example
  ASE\#sAMAccountName#
  or
  #userPrincipalName#
  When i try to add this i receive the error that no person fround in the result of the LDAP getperson search
  I have tried the format for EUA as
  uid=#LoginId#,dc=ase,dc=internal
  DomainName\#LoginId#
  #LoginId#
  Any help will be greatly apreciated
  Regards,
  Matt

  If you are logging into java (i.e. tomcat55) and have set up a krb5.ini. All users that are not in the default domain need to logon with username @FQDN.COM where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
  Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini and I have a more in depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
  To verify AD connectivity is ok use a client tool like deski/designer/business views. Since there tools don't use java you can logon with domain\user (no case sensitivity).
  Also to note urgently issues should open cases with support the forums are not the place and it is against the rules of engagement (also in the sticky post )
  Regards,
  Tim

• LDAP authentication to Win2K8 server nightmare.

  Hello All, I have been trying to get LDAP authentication working on this Solaris 10 server. To this point i've had little success. The domain controller/LDAP server is W2K8. I am able to authenticate successfully using "kinit" so i'm sure kerberos is configures. I have extended the Unix services on 2K8 as well. Here is the /var/ldap/ldap_client_file:
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= parwindom
  NS_LDAP_SEARCH_BASEDN= dc=stcg,dc=net
  NS_LDAP_AUTH= sasl/GSSAPI
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= self
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
  NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
  NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
  NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
  NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
  NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
  NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
  NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
  NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
  NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
  NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
  NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
  NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
  NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
  NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
  NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
  The ldap service is enabled. Here is /etc/nsswitch.conf
  passwd: files ldap [TRYAGAIN=5]
  group: files ldap
  hosts: dns files
  ipnodes: dns files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: files
  automount: files
  aliases: files
  services: files
  printers: user files
  auth_attr: files
  prof_attr: files
  project: files
  tnrhtp: files
  tnrhdb: files
  And Finally here is /etc/pam.conf
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_unix_auth.so.1
  login auth required pam_dial_auth.so.1
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth required pam_unix_auth.so.1
  krlogin auth required pam_unix_cred.so.1
  krlogin auth required pam_krb5.so.1
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  krsh auth required pam_unix_cred.so.1
  krsh auth required pam_krb5.so.1
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth required pam_krb5.so.1
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  ppp auth required pam_dial_auth.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_krb5.so.1
  other auth required pam_unix_cred.so.1
  other auth required pam_unix_auth.so.1
  passwd auth required pam_passwd_auth.so.1
  cron account required pam_unix_account.so.1
  other account requisite pam_roles.so.1
  other account sufficient pam_unix_account.so.1
  other account required pam_ldap.so.1
  other session required pam_unix_session.so.1
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1
  Here is what happens if i run ldaplist
  # ldaplist
  ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
  I have been pulling what little hair I have left out on this issue and I'm starting to run out of time on this project. There is nothing in any log file anywhere. Any help would be greatly appreciated.

  Nathalie,
  LDAP authentication against AD is fully supported since AD is LDAP v3 compliant. 
  For the Unix and Linux versions of XIR2 / XI31, LDAP is really your only choice since the Active Directory tab is not displayed unless your CMS is on windows.
  To get LDAP working against AD I would recommend the following::
  1) Use an IP address
  You can use the IP of a Domain Controller or a Global Catalog Server depending on how large your AD domain is.
  2) Use port 3268 over 389 for large AD configurations.
  This port is the Global Catalog server port.  The GC server contains all the information about all objects in an AD Forest.  This is useful when using groups across multiple domains where 389 just contains information in 1 domain.
  3) Change your Application Mappings
  On the LDAP tab, connecting to AD wont work unless you make a few changes.  First, change your Application mappings to "Microsoft Active Directory Application Server" and then choose "Show Application Mappings".
  Change:
  User Name: sAMAccountName
  Default User Search Attribute: sAMAccountName
  These settings should work for you.
  Also note that the group "Domain Users" is not valid when querying AD via LDAP.
  Regards,
  -Brian

• SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

  One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
  Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
  I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
  In the Membership provider name text box I entered "LdapMember"
  In the Role provider name  text box I entered "LdapRole"
  In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="((ObjectClass=group)"
  userFilter="((ObjectClass=person)"
  scope="Subtree" />
  </providers>
  </roleManager>
  I modified the SecurityTokenServiceApplication web.config with these details
  <system.web>
  <membership>
  <providers>
  <add name="LdapMemebr"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true">
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  </system.web>
  I modified the web.config of the test application I created with these details
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
  <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="dn"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  <membership defaultProvider="i">
  <providers>
  <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  useDNAttribute="true"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
  The server could not sign you in. Make sure your user name and password are correct, and then try again.
  I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
  8306 - SharePoint Foundation - The security token username and password could not be validated.
  in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
  then this:
  Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
  at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
  I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
  The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
  The LDAP server tells the SharePoint server it is ready to communicate
  the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
  The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
  The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
  The SharePoint server acknowledges the connection is closing
  ... and then nothing happens, except the error on SharePoint
  What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
  specified in the web.config). That part does not seem to be happening.
  I am at a standstill on this and any help would be greatly appreciated.

  OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
  is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
  for enabling Forms Based Authentication:
  "ASP.NET Membership provider name"
  "ASP.NET Role manager name"
  We entered a name for Membership provider, and left Role manager blank.
  In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword="validpassword"
  useDNAttribute="false"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager>
  <providers>
  </providers>
  </roleManager>
  useDNAttribute="false" turned out to be important as well.
  So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
  leave anything related to the role provider blank
  configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
  Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
  Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
  a non-existent role manager.