LDAP Authentication with sub-contexts?

Is it possible to authenticate to an ldap server with a user that belongs under different sub contexts?
We have one LDAP JAAS login module that we want to use to authenticate ANY user under the LDAP ROOT Context. Which means if a we have:
O=COMPANY
|
|-> OU = DIVISION ONE
        |
        |-> USER1
|
|-> OU = DIVISION TWO
       |
       |-> USER2I'd want to set up my login module to always build the DN for the user as:
cn=<username>,O=COMPANY and have the server itself look in the sub contexts (OU=DIVISION ONE and OU=DIVISION TWO) below when trying to make the initial context.
Is this possible?
Thanks,
- Tim

The problem with that is that the AD GPO will not let me set the
password i am using...
So change your non-LDAP account password in UCM to a password that AD will accept, test that it works for login on CCX, and then do the LDAP integration.
Besides when i removed LDAP authentication i logged into the UCCX again
and added the Administrator rights to my LDAP account but it wont
autheticate me.
No idea, but one guess would be that changes to the account may not hold when the account is marked as inactive in UCM. Just a guess though.

Similar Messages

LDAP authentication with MD5 passwords

Hi,
in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
I know it is to be done with {crypt} storage scheme.
This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
Thanks in advance,
Kristof

Thanks you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with : Base 64 encoded md5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

LDAP multidirectory with sub-domains

Hi,
i have some difficulties using LDAP COM object that comes with the IP phone Services SDK. I would like to search the whole AD, which has multiple subdomains. I would like to search the whole directory structure, with the base: DC=company, DC=country, without specifying any particular OU. However, the connection with this kind of directory base configuration fails (the COM object is not created), so i can not search the whole directory, only specific OUs. Is there any way to achieve searching the whole directory structure?
Regards
Marko

Originally Posted by hwoess
Hello to the commmunity!
I have been done with our it-partners a DSfW-Setup. There are two OES2 Domain-Controllers which holds the "main-domain". Connected to this "main-domain" were two configured sub-domains (OES2, too). They have been setup virtually (VMWare). And there is the problem with our DSfW-Installation. If the VPN-tunnel (the sub-domains are connected through) is broken or I reboot the first "main-domain"-Controller, all the sub's didn't work. I mean, the don't reboot, but they have no "domain-functionality". I have seen, that the all the controllers make a (I guess) LDAP-connection to the first installed OES2 Domain-Controller. I don't know why. Is this normal? Can I change this?
What I have to say is, that we connected to each (Sub-)Domain through a trust or a forrest a real MS AD. We put our workstations into the real AD and through the trust or forrest we get the users from eDir or DSfW.
As I know no one has a construct like our company here in Austria, so nobody could help me. Maybe the community does!
With kindest regards
Hans-Christian Wssner
Hi,
When the VPN tunnel is broken or the first domain controller of the DSfW parent (first) domain is down, is the complete of eDirectory tree (all the partitions) still available (reachable)to the domain controllers of the DSfW sub-domains (child domains). You can place additional read-write replicas on the other DCs (for the partitions that are missing) if the complete eDirectory tree is not available when one of the above two conditions occur.
Thanks,
Praveen Kumar

Crystal Report LDAP authentication with SSL to Business Objects XI 3.1 SP3

Hi,
Here is the issue
Business Objects XI 3.1 SP3
Crystal report 2008
LDAP is configured with SSL and working great within BO.
In Crystal report 2008, enterprise authentication worked, but not LDAP with SSL, I got "Security plugin error: Failed to set parameters on plugin.
If I try with LDAP with no SSL, everythingu2019s fine. Do I have to setup something on the "workstation" side to be able to user LDAP with SSL ?
*I already tried to disable firewall
Thanks for your help

Hi,
check SAP Notes 1320510 and 1272536
Hope that helps.
Regards
-Seb.

LDAP Authentication with 2106 5.2

I have talked with TAC and gone through all the configuration examples. I have LDAP working under the anonymous logon setting in the latest (pre 6) version of the software. However, I'm not getting the desired result, because it would require me to add Anonymous logon to each and every account that could possibly logon to the wireless network (1000's). I really don't want to make that security change to all of them let alone remember it in the future when I or someone else adds a network account. So is there a better way to accomplish this? I did try the Authenticated option, and typed in a domain admin username /password, but when debugging it displayed "server not found". Am I to assume that's what the authenticated option is, rather than anonymous?
Sorry if that was confusing, I need help!

Hi Alpesh,
We are implementing CUP password self-services and have similar scenario where the user id's in LDAP and SAP are different.
I understand we need to create a attribute in ADS. But, I would like to clarify, whether we can use an existing unused attribute in ADS. For e.g, in our LDAP, streetAddress attribute is unused. Can i specify my SAP ID in this field and map the field in CUP as 'SAP User ID' to LDAP attribute 'streetAddress. Could you please suggest if this mapping will work. If not could you please let us know the procedure to create the attribute SAPID, and map it in CUP.
Thanks for your help.
Regards,
Junaid

Solaris 10 openldap authentication with md5 passwords

Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4and for ssh:
Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth sufficient       pam_unix_auth.so.1 server_policy debug
login   auth required           /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient       pam_rhosts_auth.so.1
rlogin auth requisite        pam_authtok_get.so.1
rlogin auth required         pam_dhkeys.so.1
rlogin auth required         pam_unix_cred.so.1
rlogin auth required          pam_unix_auth.so.1 use_first_pass
rsh    auth sufficient       pam_rhosts_auth.so.1
rsh    auth required         pam_unix_cred.so.1
rsh    auth required         pam_unix_auth.so.1
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth sufficient       pam_unix_auth.so.1 server_policy
other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
other   auth required           pam_unix_auth.so.1 use_first_pass debug
passwd auth sufficient          pam_passwd_auth.so.1 server_policy
passwd auth required           /usr/lib/security/pam_ldap.so.1 debug
cron    account required      pam_unix_account.so.1
other   account requisite     pam_roles.so.1
other   account sufficient       pam_unix_account.so.1 server_policy
other   account required        /usr/lib/security/pam_ldap.so.1 debug
other   session required      pam_unix_session.so.1
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy*/etc/ldap.conf*
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5*/etc/nsswitch.conf*
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:   files dns
networks:   files
protocols: files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey: files
netgroup:   files
automount: files
aliases:    files
services:   files
printers:       user files
auth_attr: files
prof_attr: files
project:    files
tnrhtp:     files
tnrhdb:     files*/etc/security/policy.conf*
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1Thanks in advance for any response...!!

Thanks you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with : Base 64 encoded md5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

Solaris 10 and LDAP Authentication

Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
I'am missing any steps?
Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
Message was edited by:
automount
Message was edited by:
automount

You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary

XI 3.1 Client Tools and LDAP Authentication

I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

ASA Remote Access Authentication with LDAP Server

Thank you in advance for your help.
I am configuring an ASA to authenticate with a ldap server for ipsec vpn access. My customer has 3 networks that are to be accessed by remote users. However they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication. Basically a ldap group on the ldap server that will have the users name in the group in order for access. I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
The ldap server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server. When I run the authentication test from the ADSM or command line I get a good authentication successful message. So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the vpn client. It all looks the same from the search criteria. What am I missing here or does anyone more knowledgeable see anything that I am doing wrong. Can this be done this way or should I try radius. The customer was just adament about using ldap.
extvpnasa5510#
[243] Session Start
[243] New request Session, context 0xd5713fe0, reqType = 1
[243] Fiber started
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 2
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] Performing Simple authentication for to 130.18.22.44
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] Talking to iPlanet server 130.18.22.44
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
extvpnasa5510#
[244] Session Start
[244] New request Session, context 0xd5713fe0, reqType = 1
[244] Fiber started
[244] Creating LDAP context with uri=ldaps://130.18.22.44:636
[244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[244] supportedLDAPVersion: value = 2
[244] supportedLDAPVersion: value = 3
[244] No Login DN configured for server 130.18.22.44
[244] Binding as administrator
[244] Performing Simple authentication for to 130.18.22.44
[244] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter = [uid=vpntest]
        Scope   = [SUBTREE]
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Talking to iPlanet server 130.18.22.44
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Processing LDAP response for user vpntest
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244]   sn: value = test user
[244]   givenName: value = vpn
[244]   uid: value = vpntest
[244]   cn: value = vpn test user
[244]   objectClass: value = top
[244]   objectClass: value = person
[244]   objectClass: value = organizationalPerson
[244]   objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End

Hi Larry,
You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
Let me know if further assistance is required!
Please proceed to rate and mark as correct the helpful Post!
David Castro,
Regards,

How to configure ldap.ora with multiple ldap contexts

Hello.
My company has recently taken on another environment with it's own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both ldap configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default context)? Or is there a smooth way to populate 1 LDAP with the others data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
Some basic info: LDAP is Oracle OID version 10gR2
Please let me know if you have any useful ideas...

Hi,
Here is the of OVD benefits :
1-Easy to setup and manage via our Management client; 2-Unifies multiple directories into a single access point; 3-Normalize and Unify multiple directories; 4-Directly accesses remote repositories;
5-Allows a unified view of an entry using data from multiple repositories;6-Can act as an LDAP proxy and firewall;
Why you can not use OVD to improve these? Read, LDAP to the other LDAP server for queries, allowing you to search both LDAP?
I hope this helps.
Thiago L Guimaraes

Error in authentication with ldap server with certificate

Hi,
i have a problem in authentication with ldap server with certificate.
here i am using java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate which is having the up to 5 years valid time.
is java will authenticate up to one year only?
Can any body help on this issue...
Regards
Ranga

sorry i am gettting ythe same error
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
here when i am using the old certificate and changing the system date means i can get the authentication.
can you tell where we can concentrate and solve the issue..
where is the issue
1. need to check with the ldap server only
2. problem in java code only.
thanks in advance

Problem with WLS LDAP Authentication Provider

We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AM

Yes, you can apply filters on the Providers configuration, also u can select the DN from where to feth the users, you can fetch users with special attributes.
Whole lot of things can be done, review the options under providers.
Let me know if you have any doubts.
HTH,
-Faisal
http://www.weblogic-wonders.com

RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

LDAP PropertySet with Anonymous Authentication

Please,
I would like to know how can I set up ldap property set for WLP 4.0 using MS Exchange
5.5 Ldap Server with anonymous bind. If I put no values at Principal and Password
Principal in LdapPropertyManager EJB, I got several errors as NullPointerExceptions.
There is no admin and the customer does not want using exchange passwords at weblogic
console.
Thanks a lot
Marco Righetti

Marco,
Looks like you have a key with no value in the EJB context, did you try
removing the key as well?
Sincerely,
Daniel Selman
"Marco Righetti" <[email protected]> wrote in message
news:[email protected]...
>
Thanks for your reply. This is the stacktrace...
weblogic.utils.AssertionError: ***** ASSERTION FAILED ***** - with nestedexception:
[java.lang.reflect.InvocationTargetException - with target exception:
[java.lang.NullPointerException]]
atweblogic.ejb20.deployer.EnvironmentBuilder.getValue(EnvironmentBuilder.java:
122)
atweblogic.ejb20.deployer.EnvironmentBuilder.addEnvironmentEntries(Environment
Builder.java:144)
atweblogic.ejb20.deployer.Deployer.setupEnvironmentContext(Deployer.java:200)
at weblogic.ejb20.deployer.Deployer.deployDescriptor(Deployer.java:1228)
at weblogic.ejb20.deployer.Deployer.deploy(Deployer.java:947)
at weblogic.j2ee.EJBComponent.deploy(EJBComponent.java:30)
at weblogic.j2ee.Application.deploy(Application.java:247)
at weblogic.j2ee.J2EEService.deployApplication(J2EEService.java:185)
atweblogic.management.mbeans.custom.Application.setLocalDeployed(Application.j
ava:362)
atweblogic.management.mbeans.custom.Application.setDeployed(Application.java:2
96)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.internal.DynamicMBeanImpl.invokeSetter(DynamicMBeanImpl.
java:1388)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:881)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:847)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:295)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.ConfigurationMBeanImpl.updateConfigMBeans(Confi
gurationMBeanImpl.java:392)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:298)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.MBeanProxy.setAttribute(MBeanProxy.java:322)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:204)
at $Proxy19.setDeployed(Unknown Source)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.console.info.MBeanAttribute.doSet(MBeanAttribute.java:84
atweblogic.management.console.info.CompositeAttribute.doSet(CompositeAttribute
.java:100)
atweblogic.management.console.actions.mbean.DoEditMBeanAction.perform(DoEditMB
eanAction.java:135)
atweblogic.management.console.actions.internal.ActionServlet.doAction(ActionSe
rvlet.java:171)
atweblogic.management.console.actions.internal.ActionServlet.doPost(ActionServ
let.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:265)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:200)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:2495)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
>
####<May 16, 2002 4:29:17 PM BRT> <Error> <Management> <dctm><portalServer> <ExecuteThread:
'1' for queue: '__weblogic_admin_html_queue'> <system> <> <140002><InvocationTargetException
setting attribute Deployed on MBeanavitekDomainOracle:Location=portalServer,Name=avitek,Type=ApplicationConfig
to value true. Method: public voidweblogic.management.mbeans.custom.Application.setDeployed(boolean)
throwsweblogic.management.DeploymentException,weblogic.management.UndeploymentExce
ption>
>
>
>
Unable to deploy EJB: LdapPropertyManager from ldapprofile.jar:
java.lang.reflect.InvocationTargetException:java.lang.NullPointerException
at java.lang.String.<init>(String.java:193)
at java.lang.reflect.Constructor.newInstance(Native Method)
atweblogic.ejb20.deployer.EnvironmentBuilder.getValue(EnvironmentBuilder.java:
119)
atweblogic.ejb20.deployer.EnvironmentBuilder.addEnvironmentEntries(Environment
Builder.java:144)
atweblogic.ejb20.deployer.Deployer.setupEnvironmentContext(Deployer.java:200)
at weblogic.ejb20.deployer.Deployer.deployDescriptor(Deployer.java:1228)
at weblogic.ejb20.deployer.Deployer.deploy(Deployer.java:947)
at weblogic.j2ee.EJBComponent.deploy(EJBComponent.java:30)
at weblogic.j2ee.Application.deploy(Application.java:247)
at weblogic.j2ee.J2EEService.deployApplication(J2EEService.java:185)
atweblogic.management.mbeans.custom.Application.setLocalDeployed(Application.j
ava:362)
atweblogic.management.mbeans.custom.Application.setDeployed(Application.java:2
96)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.internal.DynamicMBeanImpl.invokeSetter(DynamicMBeanImpl.
java:1388)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:881)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:847)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:295)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.ConfigurationMBeanImpl.updateConfigMBeans(Confi
gurationMBeanImpl.java:392)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:298)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.MBeanProxy.setAttribute(MBeanProxy.java:322)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:204)
at $Proxy19.setDeployed(Unknown Source)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.console.info.MBeanAttribute.doSet(MBeanAttribute.java:84
atweblogic.management.console.info.CompositeAttribute.doSet(CompositeAttribute
.java:100)
atweblogic.management.console.actions.mbean.DoEditMBeanAction.perform(DoEditMB
eanAction.java:135)
atweblogic.management.console.actions.internal.ActionServlet.doAction(ActionSe
rvlet.java:171)
atweblogic.management.console.actions.internal.ActionServlet.doPost(ActionServ
let.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:265)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:200)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:2495)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
--------------- nested within: ------------------
weblogic.utils.AssertionError: ***** ASSERTION FAILED ***** - with nestedexception:
[java.lang.reflect.InvocationTargetException - with target exception:
[java.lang.NullPointerException]]
atweblogic.ejb20.deployer.EnvironmentBuilder.getValue(EnvironmentBuilder.java:
122)
atweblogic.ejb20.deployer.EnvironmentBuilder.addEnvironmentEntries(Environment
Builder.java:144)
atweblogic.ejb20.deployer.Deployer.setupEnvironmentContext(Deployer.java:200)
at weblogic.ejb20.deployer.Deployer.deployDescriptor(Deployer.java:1228)
at weblogic.ejb20.deployer.Deployer.deploy(Deployer.java:947)
at weblogic.j2ee.EJBComponent.deploy(EJBComponent.java:30)
at weblogic.j2ee.Application.deploy(Application.java:247)
at weblogic.j2ee.J2EEService.deployApplication(J2EEService.java:185)
atweblogic.management.mbeans.custom.Application.setLocalDeployed(Application.j
ava:362)
atweblogic.management.mbeans.custom.Application.setDeployed(Application.java:2
96)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.internal.DynamicMBeanImpl.invokeSetter(DynamicMBeanImpl.
java:1388)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:881)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:847)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:295)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.ConfigurationMBeanImpl.updateConfigMBeans(Confi
gurationMBeanImpl.java:392)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:298)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.MBeanProxy.setAttribute(MBeanProxy.java:322)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:204)
at $Proxy19.setDeployed(Unknown Source)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.console.info.MBeanAttribute.doSet(MBeanAttribute.java:84
atweblogic.management.console.info.CompositeAttribute.doSet(CompositeAttribute
.java:100)
atweblogic.management.console.actions.mbean.DoEditMBeanAction.perform(DoEditMB
eanAction.java:135)
atweblogic.management.console.actions.internal.ActionServlet.doAction(ActionSe
rvlet.java:171)
atweblogic.management.console.actions.internal.ActionServlet.doPost(ActionServ
let.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:265)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:200)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:2495)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
at weblogic.ejb20.deployer.Deployer.deploy(Deployer.java:1029)
at weblogic.j2ee.EJBComponent.deploy(EJBComponent.java:30)
at weblogic.j2ee.Application.deploy(Application.java:247)
at weblogic.j2ee.J2EEService.deployApplication(J2EEService.java:185)
atweblogic.management.mbeans.custom.Application.setLocalDeployed(Application.j
ava:362)
atweblogic.management.mbeans.custom.Application.setDeployed(Application.java:2
96)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.internal.DynamicMBeanImpl.invokeSetter(DynamicMBeanImpl.
java:1388)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:881)
atweblogic.management.internal.DynamicMBeanImpl.setAttribute(DynamicMBeanImpl.
java:847)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:295)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.ConfigurationMBeanImpl.updateConfigMBeans(Confi
gurationMBeanImpl.java:392)
atweblogic.management.internal.ConfigurationMBeanImpl.setAttribute(Configurati
onMBeanImpl.java:298)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:135
6)
atcom.sun.management.jmx.MBeanServerImpl.setAttribute(MBeanServerImpl.java:133
1)
atweblogic.management.internal.MBeanProxy.setAttribute(MBeanProxy.java:322)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:204)
at $Proxy19.setDeployed(Unknown Source)
at java.lang.reflect.Method.invoke(Native Method)
atweblogic.management.console.info.MBeanAttribute.doSet(MBeanAttribute.java:84
atweblogic.management.console.info.CompositeAttribute.doSet(CompositeAttribute
.java:100)
atweblogic.management.console.actions.mbean.DoEditMBeanAction.perform(DoEditMB
eanAction.java:135)
atweblogic.management.console.actions.internal.ActionServlet.doAction(ActionSe
rvlet.java:171)
atweblogic.management.console.actions.internal.ActionServlet.doPost(ActionServ
let.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:265)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:200)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:2495)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2204)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
Regards,
Marco

LDAP Authentication with sub-contexts?

Similar Messages

Maybe you are looking for