LDAP Authorization Example

Hello;
Does anyone have a good example of an LDAP authorization script? The examples on the Cisco website don't provide enough detail. This version of LDAP is Windows 2003 Active Directory.
Thank You

Refer to this document, Configuring an LDAP Server for VPN Concentrator User Authorization:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/ldapapp.htm#1533072

Similar Messages

  • Using OWSM for SAML verification and LDAP authorization

    I can verify SAML tokens by using EM security (verifying SAML tokens), but when I use OWSM I get this error at the proxy (by adding the step "SAML - Verify WSS 1.0 Token" to the policy of a server agent):
    Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
    Also I need to LDAP-authorize the subject of the SAML after verification of the SAML token. Is it enough to just put the LDAP authorize step after SAML verification?
    Won't I need any EXTRACT CREDENTIAL step?
    Regards
    Farbod

  • LDAP authorization for VPN

    I am having problems getting the LDAP authorization to work. None of the instructions I find seem to coincide with my version of ASDM 5.0(7) and ASA 7.0(7).
    So if anyone has the right instructions for these versions, can you send me a link?
    I get as far as testing it and it fails. When I test it, it asks for a user name but never a password, so I am not sure what I am doing wrong.
    Any help appreciated.

    Post your AAA & VPN profile config from the device please?

  • LDAP authorization problem in OC4J 10.1.3. using OID

    I'm attempting to secure a J2EE application using OID and SSO. I'm using the standard OID Security Provider. As long as my user in LDAP is located within a group that is part of cn=groups everything works fine. However, if the user is defined in a nested group, authentication fails.
    Scenario 1 (working):
    cn=mse-se-staff,cn=groups,dc=global,dc=mycompany,dc=net
    Scenario 2 (not working):
    cn=mse-se-staff,cn=exchange,cn=groups,dc=global,dc=mycompany,dc=net
    I know that when using a third party ldap provider one can change the searchscope to search nested groups. Is there a way to set this in the standard OID security provider as well?
    I have tried pre-pending the security-role-mapping with the additional group like so:
    <security-role-mapping name="USERS">
        <group name="exchange/mse-se-staff" />
    </security-role-mapping>
    This did not work however. Can I use nested groups with OID? Again this works fine if the user is defined in a group that is part of cn=groups.
    Here are all the important configuration pieces:
    web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>access to the application</web-resource-name>
            <url-pattern>/svc</url-pattern>
        </web-resource-collection>
        <!-- authorization to admin urls -->
        <auth-constraint>
            <role-name>USERS</role-name>
        </auth-constraint>
    </security-constraint>
    orion-application.xml:
    <security-role-mapping name="USERS">
        <group name="mse-se-staff" />
    </security-role-mapping>
    <jazn provider="LDAP" location="*my ldap here*">
        <jazn-web-app auth-method="SSO" jaas-mode="doAsPrivileged" />
    </jazn>
    Thanks,
    Marc

    Could you try setting the java.naming.referral JNDI environment property and retry?

  • LDAP authorization with ADF

    Hi,
    I am in the early stage of developing a web application with JDev 10.3 using ADF BC. I authorize the users against LDAP in my application. I got some help about the orion-application.xml file and JAZN, but I need something more to start with.
    I was trying the option that is available in JDev under Tools -> ADF Security Wizard, but I am not sure how to use it. Is there anyone who can help me with this?
    Thanks,
    Haripriya.S

    Hi,
    Thanks for the suggestion. I have put up my question in the JDeveloper forum, but I haven't got any replies up to now. Let me inform you once I get the answer.

  • LDAP Authorization (not authentication)

    Hi everybody,
    There is a Linux server with Oracle 10g and Apex 3.0.1.
    And there is a Microsoft Windows server having an active directory.
    The first step was to authenticate against the AD using the LDAP authentication scheme in Shared Components. I have entered the necessary information and the authentication is going through successfully.
    My second step is now the authorization of the users, so I can restrict access to pages for some users. I have searched the internet, and everything I found and tried didn't work. As far as I am aware, I have to do the check (e.g. whether the user is a member of the AD) in PL/SQL code. I have tried to use apex_ldap.is_member and other functions in dbms_ldap, but I can't get any of them to work. In fact, when using them in PL/SQL in SQL*Plus there is not even an error given, no messages at all, although I have set serveroutput on.
    So perhaps someone could give me a hint on what I am doing wrong, or what else I have to keep in mind in order to get it to work (perhaps I have to install something).
    My actual goal is to have a single sign on. That is why I have to authorize the user to restrict some access.
    Every help is highly appreciated.
    Thanks,
    Regards,
    Denise

    Hi John,

    --AD stores the user/group information in a different way

    Does that mean that I only have to change the string within the function?

    htmldb_ldap.is_member('uname',
                          'pword',
                          'cn=Users,dc=aatestdom,dc=com',
                          'AA1MS101',
                          '389',
                          'APEX_USER',
                          'cn=Groups,dc=aatestdom,dc=com')

    Or doesn't that have anything to do with it?

    To my code: I have tried so many things that I think it is of no use to post it here, as I have figured out that it is the main thing (see function above) which is not working properly. If I take the main part out, the rest of my code works fine.

    But could you please explain to me what the following arguments of the dbms_ldap.compare_s function mean?
    attr => 'uniquemember'
    value => 'cn=test\, greg (etsa)...'
    And what do I have to put into it (I think 'test' will be the username)?

    Regards and thanks for your tips so far,
    Denise

  • LDAP Authorization for OBIEE 10.1.3

    Hello,
    We have set up LDAP authentication (ADSI LDAP) using OBIEE standalone.
    I'm trying to figure out the best way to manage authorization (user-to-group assignment) in OBIEE.
    Options:
    1. Using external table
    Challenge: the client doesn't have another application that manages user-to-group assignment. If I am using external table authorization, how will they manage changes to user-to-group assignment or add a new user to a group? This will require an IT admin to modify the table directly in production. They would like to have a business super user handle new user-to-group assignment.
    2. Import user to LDAP
    This unfortunately doesn't work with ADSI LDAP. I got the error message: "This function is not supported for all LDAP type.."
    3. I read something about using the database DBMS_LDAP package. Basically: define user-to-group assignment in LDAP. Define a DB function to get DB to group assignment. Call this DB function in OBIEE.
    I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
    4. I thought about using Microsoft Excel to maintain user-to-group assignment and using the Excel connection pool in the authorization init block. However, the OBIEE server is configured in an AIX environment, and there is no Excel driver for UNIX that's available...
    Has anyone seen this scenario before? Any suggestions will be greatly appreciated.

    When we were asked to combine OBIEE 10g with Active Directory, we chose external table authorization to get information on the groups a user is part of.
    In general, one could follow these articles to achieve AD authentication:
    http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/
    http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/
    To sum it up: read user information from AD. Knowing a user's login name, one could then query an external table which consists of user and group information. Everything is set up within initialization blocks, which can be created in the Administration Tool.
    Problem: as you already said, the problem is that this external user-group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
    In our case, there's an admin who knows what SQL is and how to work with it.
    Another solution could be to prepare an XML file containing user and group information and add it to your repository. The tables could then be queried, too. Although XML files can become quite unhandy if a lot of information is held within them, they can be edited via external tools or at least with a standard text editor.

  • LDAP Authorization

    I am able to authenticate users via the built in LDAP authentication scheme to Active Directory. OS_USER JDOE logs in and is authenticated.
    I am now having issues trying to authorize specific users to this application.
    So far I created a user table with os_user in the format JDOE, and my authorization scheme does a where-exists SQL query. When I apply this authorization scheme to a region, it disables the user that should be given authorization.
    My where-exists SQL query:
    SELECT 1 FROM user_security
    WHERE os_user = :APP_USER
    Thanks

    Setting the authorization scheme to be evaluated "Once per page view" would be prudent, although if it isn't evaluated during the session before the report region is rendered, that shouldn't be a factor. But it could be that you are using a session in which the scheme has already been evaluated and returned false. Once that happens, it's false for the rest of the session, assuming it was set to "Once per session". This attribute is under Evaluation Point on the authorization scheme page.
    Scott

  • ASA & LDAP Authorization

    Hello:
    I have a LDAP server configured and authentication working just fine. My next goal is to provide SSL VPN services to some employees. Their Tunnel Group membership should depend upon their LDAP 'group' membership.
    For example, our LDAP administrator has configured user entries like this:
    dn: uid=jdoe,ou=People,o=company.com
    givenName: John
    sn: Doe
    mail: [email protected]
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetorgpersonsub1
    uid: jdoe
    cn: John Doe
    description: Employee
    description: Information Systems
    He seems to like to use 'description' instead of OU for some reason, but that's out of my control. I assume I need to perform some sort of LDAP attribute mapping to make this happen.
    In the above example, I would like to create a Tunnel Group called 'IS' on the ASA, and if a user has 'description: Information Systems' in their LDAP entry, they would be mapped to the 'IS' tunnel group.
    Can someone shed some light?
    Thanks!
    Mark

    I just created an LDAP server entry, put in my Base DN, used 'uid' as my Naming Attribute, and applied the LDAP attribute Map.
    The LDAP attribute map contains:
    Map Name: 'uid' as Customer Name, and 'cVPN-3000-IETF-Radius-Class' as the Cisco Name.
    Map Value: 'johndoe' as Customer Value, and a group policy for the Cisco Value.
    Hope that helps.
    Mark
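    The attribute-map evaluation described in this thread, together with the nested memberOf mapping that the debug output in the last thread on this page shows, worked through as an added Python example over a constructed in-memory directory; it is not code from any post here. The jdoe entry mirrors the LDIF quoted above; the other entries, the group-policy names, the DN normalisation and the decision rule for multiple matches are assumptions made for the example.

```python
from __future__ import annotations

# Constructed directory: DN -> attribute -> list of values. Multi-valued
# attributes (description, memberOf) stay lists, as an LDAP search returns them.
# jdoe mirrors the inetOrgPerson entry quoted in the thread; the rest is made up.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "uid=jdoe,ou=People,o=company.com": {
        "uid": ["jdoe"], "cn": ["John Doe"],
        "description": ["Employee", "Information Systems"],
    },
    "uid=asmith,ou=People,o=company.com": {
        "uid": ["asmith"], "cn": ["Ann Smith"],
        "description": ["Employee", "Sales"],
    },
    # AD-style user whose VPN group is reached only through a nested group.
    "CN=Jane Roe (jroe),OU=Users,DC=COMPANY,DC=com": {
        "sAMAccountName": ["jroe"],
        "memberOf": ["CN=Helpdesk,OU=COMPANY Groups,DC=COMPANY,DC=com"],
    },
    "CN=Helpdesk,OU=COMPANY Groups,DC=COMPANY,DC=com": {
        "memberOf": ["CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"],
    },
    # Circular nesting, written in a different case, to exercise the guards.
    "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com": {
        "memberOf": ["cn=helpdesk,ou=company groups,dc=company,dc=com"],
    },
}

# Attribute map in the shape the ASA thread describes: a customer attribute
# name maps to a Cisco name, and chosen customer values map to Cisco values.
# The group-policy names are constructed placeholders.
MAP_NAMES = {"description": "IETF-Radius-Class", "memberOf": "IETF-Radius-Class"}
MAP_VALUES = {
    ("description", "Information Systems"): "GroupPolicy_IS",
    ("memberOf", "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"):
        "GroupPolicy_COMPANY_SSL_VPN",
}


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DNs match case-insensitively and the
    spacing around separators is not significant. Simplified: it does not
    handle escaped commas such as the 'cn=test\\, greg' value seen elsewhere
    on this page; a real implementation needs an RFC 4514 parser."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def effective_groups(dn: str, directory: dict, max_depth: int = 10) -> set[str]:
    """Transitive closure of memberOf (nested groups), as normalised DNs.
    A seen-set stops cycles; max_depth bounds pathological chains."""
    by_norm = {norm_dn(k): v for k, v in directory.items()}
    seen: set[str] = set()
    stack = [(norm_dn(dn), 0)]
    while stack:
        current, depth = stack.pop()
        if depth >= max_depth:
            continue
        for group in by_norm.get(current, {}).get("memberOf", []):
            g = norm_dn(group)
            if g not in seen:
                seen.add(g)
                stack.append((g, depth + 1))
    return seen


def map_attributes(dn: str, directory: dict) -> dict[str, list[str]]:
    """Apply MAP_NAMES/MAP_VALUES to one entry: {cisco_attr: [cisco values]}."""
    attrs = dict(directory[dn])
    attrs["memberOf"] = sorted(effective_groups(dn, directory))
    # DN-valued map entries are compared in normalised form; others verbatim.
    norm_values = {(a, (norm_dn(v) if a == "memberOf" else v)): out
                   for (a, v), out in MAP_VALUES.items()}
    mapped: dict[str, list[str]] = {}
    for ldap_attr, cisco_attr in MAP_NAMES.items():
        for value in attrs.get(ldap_attr, []):
            target = norm_values.get((ldap_attr, value))
            if target is not None and target not in mapped.setdefault(cisco_attr, []):
                mapped[cisco_attr].append(target)
    return mapped


def group_policy_for(dn: str, directory: dict = DIRECTORY) -> str | None:
    """This example's own decision rule (not a statement of ASA behaviour):
    exactly one mapped IETF-Radius-Class value selects the policy; none means
    fall back to the default (None); several is ambiguous, so fail closed."""
    policies = map_attributes(dn, directory).get("IETF-Radius-Class", [])
    return policies[0] if len(policies) == 1 else None


if __name__ == "__main__":
    for user_dn in DIRECTORY:
        if "memberOf" in DIRECTORY[user_dn] and "sAMAccountName" not in DIRECTORY[user_dn]:
            continue  # skip group entries
        print(user_dn, "->", group_policy_for(user_dn))
```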

  • LDAP authorization and AD

    HI!
    I am trying to authorize a user with Active Directory via LDAP. The user logs in as user1, but if I use the uid as principal it doesn't work; I need to specify
    principal = "CN=Name Surname(user1),OU=Users ..." -> works
    principal = "CN=user1,OU=Users ..." -> does not work
    Any help?
    Thanks,
    Iggy

    If that's the way your LDAP is organized, that's the only path that's going to work. If you want to find users etc. by some other property, you'll need to use the search function. Each context in the tree has a unique name.

  • JAAS-LDAP example

    Did anyone try to deploy the JAAS-LDAP security example by Oracle? It works fine using the jazn-data.xml, but when I try to deploy using the LDAP manager it gives
    Status: Not Loaded in the Enterprise Manager
    How can I resolve it?

    Let me be more clear about my question. I tried to run the example you have shown in JDeveloper. I'm trying to run callInfo in JDeveloper. I don't see index.html loaded into the workspace. Please see this screenshot to get a better idea of what I'm talking about.
    Now how do I run the index.html (I mean the application)?

  • LDAP (OID) integration with Java application

    OID issue Urgent
    Currently we are using the OID-LDAP as the repository for storing usernames, passwords and other attributes. All applications that need authentication will essentially be using the OID.
    In our effort to do the same we are encountering the following problems:
    - Creation of an identity corresponding to the application
    - Giving this identity certain LDAP authorizations (which authorizations are these?)
    We have been successful creating LDAP entries for users and getting the initial JNDI contexts to do the lookups.
    When we are creating the user lookup from Java code using the oracle.ldap.util.User package, at run time it's throwing an error (no class found: oracle/net/config/ConfigException).
    Why and where is this needed, and how do we resolve that? Is that because we haven't added the application in OID and configured authorizations for it?
    We need an urgent answer to this since all applications will be using LDAP (OID).
    Here is the Java code which tries to connect to OID.
    ================================================================================================
    import oracle.ldap.util.*;
    import oracle.ldap.util.jndi.*;
    import java.io.*;
    import java.util.*;
    import javax.naming.*;
    import javax.naming.directory.*;

    public class hello {
        public static void main(String argv[]) throws NamingException {
            // Create InitialDirContext (host, port, bind DN, bind password)
            System.out.println("INSIDE SERVLET");
            InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx("hire11.kmfl.kg", "4032", "cn=orcladmin", "ias123");
            System.out.println("GOT CONTEXT " + ctx);

            // Create Subscriber object
            Subscriber mysub = null;
            /* commented for time being -----------------------------
            try {
                // Creation using DN
                System.out.println("CREATING subscriber");
                mysub = new Subscriber(ctx, Util.IDTYPE_DN, "o=oracle,dc=com", false);
                System.out.println("GOT subscriber");
            } catch (UtilException e) {
                System.out.println("error");
            }
            ------------------------------------------------------- */

            // Create User objects
            User myuser = null, myuser1 = null;
            try {
                // Create User using a subscriber DN and the User DN
                System.out.println("CREATING USER");
                myuser = new User(ctx, Util.IDTYPE_DN, "cn=abhishek,cn=users,dc=kmfl,dc=kg",
                                  Util.IDTYPE_DN, "dc=kmfl,dc=kg", true);
                System.out.println("GOT USER");
                // Create User using a subscriber object and the User simple name.
                // Commented for time being: mysub is null while subscriber creation is disabled.
                // myuser1 = new User(ctx, Util.IDTYPE_SIMPLE, "abhishek", mysub, true);
            } catch (UtilException e) {
                System.out.println("COULDN'T GET USER " + e.toString());
            }

            // Authenticate User (only if the User object could be created)
            if (myuser != null) {
                try {
                    System.out.println("GOING FOR AUTHENTICATION");
                    myuser.authenticateUser(ctx, User.CREDTYPE_PASSWD, "abhi123");
                    System.out.println("AUTHENTICATION SUCCESSFUL");
                } catch (UtilException e) {
                    System.out.println("AUTHENTICATION FAILED");
                }
            }

            // Perform User operations
            /* commented for time being -----------------------------
            try {
                PropertySetCollection result = null;
                // Get telephonenumber of user
                String[] userAttrList = {"telephonenumber"};
                result = myuser1.getProperties(ctx, userAttrList);
                Util.printResults(result);
                // Set telephonenumber of user: create a JNDI ModificationItem
                ModificationItem[] mods = new ModificationItem[1];
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("telephonenumber", "444-6789"));
                // Perform modification using User object
                myuser.setProperties(ctx, mods);
            } catch (UtilException e) {
                System.out.println("USER OPERATION FAILED " + e.toString());
            }
            ------------------------------------------------------- */
        }
    } // End of SampleUser.java
    ==============================================================================================================

    What about SSL or LDAPS !
    Can't seem to find any java examples which would support services of type:
    ldapbind -U 1,2 for java API !

  • Timeouts while using LDAP and TNSNAMES for names resolving

    I use an OID for Oracle Names resolving at the client side.
    I tested some error cases because there are no HA features implemented for the OID.
    So I have an LDAP.ORA with the address and the ports of the OID.
    My SQLNET.ORA has this content:
    NAMES.DEFAULT_DOMAIN = <my_company_domian>
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES)
    So actually there is no problem. But when I turn off the OID server there is a timeout of about 20 seconds to resolve the name.
    So my problem is not the resolving. I only want to know if there is a possibility to minimize the timeout to switch from LDAP name resolving to tnsnames.ora name resolving?

    Thanks Oviwan, but I think this problem couldn't be solved with a parameter.
    @rgoogld:
    I already feared that I have to live with that timeout.
    But your options are interesting. In the future I will have 2 OIDs and, in the first time, the TNSNAMES.ORA name resolving as backup.
    I already can test this because I have a productive OID and one for test purposes. So at the moment I have two OIDs listed in my LDAP.ORA.
    Example:
    DIRECTORY_SERVERS = (<server_name_oid1>:<Port1>:<Port2>, <server_name_oid2>:<Port1>:<Port2>)
    DEFAULT_ADMIN_CONTEXT = ""
    DIRECTORY_SERVER_TYPE = OID
    There is already a (about 20 seconds) timeout when OID1 is powered down or the services are stopped. The client honestly asks the second OID after the "timeout" and resolves the name.
    2 OIDs + TNSNAMES or 1 OID + TNSNAMES: in both cases your options could perhaps prevent the timeout. I'm not really a system administrator, but I can discuss it with my colleagues here.
    Do you know a smart way to remove or repoint a DNS entry in a Windows environment? For such actions I also have to monitor the status of the OID services or the servers and make the DNS changes if something has crashed.
    At this moment I have no idea how to do this, but perhaps you or someone else here has some tips for me.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I then try to change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd:
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the LDAP client says passwords must be 8 characters. This is seen with the line "pam_authtok_check: minimum length from /etc/default/passwd: 8". It is clearly not using the policy from the directory server but checking locally. So I can log in OK using the LDAP server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for Directory Server 5.2. Because I am running DS6, with password compatibility in DS6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for Solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    You can try passwd -r ldap for changing the LDAP passwords...
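The mismatch the poster describes (pam_authtok_check enforcing PASSLENGTH from /etc/default/passwd while the directory's pwd-min-length is never consulted) is easy to miss until a password change fails. The following is an added example, not part of the thread: it parses the dsconf pwd-* output posted above and a client-side /etc/default/passwd (the file contents here are constructed to match the "minimum length ... 8" debug line), and reports where the two policies disagree or where the server-side policy is effectively switched off. It assumes, as the DS6 documentation describes, that pwd-min-length is only applied when pwd-check-enabled is on, and that the DS6 CRYPT scheme is traditional crypt(3), which only uses the first 8 characters of a password.

```python
"""Compare a Solaris client's local password-change policy (/etc/default/passwd,
read by pam_authtok_check) with a Sun DS6 server's pwd-* policy.
Added example; inputs are constructed from the values quoted in the post."""

from collections import defaultdict

# Constructed: trimmed copy of the `dsconf get-server-prop ... | grep ^pwd-` output.
DSCONF_OUTPUT = """\
pwd-check-enabled : off
pwd-min-length : 6
pwd-max-failure-count : 3
pwd-lockout-enabled : off
pwd-storage-scheme : CRYPT
pwd-strong-check-enabled : off
pwd-strong-check-require-charset : lower
pwd-strong-check-require-charset : upper
pwd-strong-check-require-charset : digit
pwd-strong-check-require-charset : special
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-max-history-count : disabled
"""

# Constructed (assumed client copy): matches "minimum length from /etc/default/passwd: 8".
ETC_DEFAULT_PASSWD = """\
# /etc/default/passwd
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
"""


def parse_dsconf(text):
    """Parse 'name : value' lines into {name: [values]}; repeated names become lists."""
    props = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        props[name.strip()].append(value.strip())
    return dict(props)


def parse_default_passwd(text):
    """Parse KEY=VALUE lines, skipping comments and keys left empty (unset)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.strip():
            conf[key.strip()] = value.strip()
    return conf


def effective_min_length(server, client):
    """Length a user must actually meet when changing the password via passwd(1)
    on this client. Assumption: the server's pwd-min-length only counts when
    pwd-check-enabled is on; otherwise only the client's PASSLENGTH applies."""
    client_min = int(client.get("PASSLENGTH", "0"))
    server_min = int(server.get("pwd-min-length", ["0"])[0])
    server_checks = server.get("pwd-check-enabled", ["off"])[0] == "on"
    return max(client_min, server_min if server_checks else 0)


def compare_policies(server, client):
    """Return (check, finding) tuples describing disagreements and disabled controls."""
    findings = []
    client_min = int(client.get("PASSLENGTH", "0"))
    server_min = int(server.get("pwd-min-length", ["0"])[0])
    if server.get("pwd-check-enabled", ["off"])[0] != "on":
        findings.append(("pwd-check-enabled",
                         "server does not check password syntax; only the client PAM stack enforces length"))
    if client_min != server_min:
        findings.append(("min-length",
                         f"client PASSLENGTH={client_min} differs from server pwd-min-length={server_min}; "
                         f"passwd(1) on this client requires {client_min}"))
    scheme = server.get("pwd-storage-scheme", [""])[0]
    if scheme == "CRYPT" and "SSHA" in server.get("pwd-supported-storage-scheme", []):
        findings.append(("pwd-storage-scheme",
                         "CRYPT (traditional crypt(3)) uses only the first 8 characters; SSHA is supported"))
    if server.get("pwd-lockout-enabled", ["off"])[0] != "on":
        count = server.get("pwd-max-failure-count", ["?"])[0]
        findings.append(("pwd-lockout-enabled",
                         f"lockout is off, so pwd-max-failure-count={count} has no effect"))
    return findings


if __name__ == "__main__":
    srv = parse_dsconf(DSCONF_OUTPUT)
    cli = parse_default_passwd(ETC_DEFAULT_PASSWD)
    for check, message in compare_policies(srv, cli):
        print(f"[{check}] {message}")
    print("effective minimum length on this client:", effective_min_length(srv, cli))
```

Run it against the real `dsconf get-server-prop` output and the client's /etc/default/passwd to see which side is actually enforcing what; the same parsers work for any other pwd-* property you want to cross-check.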

  • Problem with LDAP authentication for users in a group

    I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
    I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm re-prompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
    I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
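The resolution above depends on how the ASA combines the LDAP-mapped group policy with the tunnel-group's default-group-policy. The following is an added example, not ASA code and not from the thread: it parses the ldap attribute-map block posted above, applies it to a user's memberOf values, and resolves the session against the two group policies before and after the fix. The resolution rule is a simplified model of what the poster observed (an attribute the mapped policy does not set explicitly keeps the value from the tunnel-group's default-group-policy, here NOACCESS with vpn-simultaneous-logins 0); the sample LDAP entries are constructed.

```python
"""Model of group-policy resolution for the ASA config in the post:
ldap attribute-map -> IETF-Radius-Class -> group-policy, with the tunnel-group
default-group-policy (NOACCESS) supplying any attribute the mapped policy does
not set. Added example with a simplified model of ASA behaviour."""

import re

# Constructed: the attribute map from the post, as configuration text.
ATTRIBUTE_MAP = """
ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
"""

DEFAULT_GROUP_POLICY = "NOACCESS"  # tunnel-group ... default-group-policy NOACCESS

# Constructed: explicitly set attributes of each group policy, before the fix ...
GROUP_POLICIES_BEFORE = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_COMPANY_SSL_VPN": {"split-tunnel-policy": "tunnelspecified"},
}
# ... and after adding "vpn-simultaneous-logins 15" to the mapped policy.
GROUP_POLICIES_AFTER = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_COMPANY_SSL_VPN": {"split-tunnel-policy": "tunnelspecified",
                                    "vpn-simultaneous-logins": 15},
}


def parse_attribute_map(text):
    """Return ({ldap_attr: asa_attr}, {(ldap_attr, ldap_value): asa_value})."""
    names, values = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'map-name\s+(\S+)\s+(\S+)$', line)
        if m:
            names[m.group(1)] = m.group(2)
            continue
        m = re.match(r'map-value\s+(\S+)\s+"([^"]+)"\s+(\S+)$', line)
        if m:
            values[(m.group(1), m.group(2))] = m.group(3)
    return names, values


def map_attributes(ldap_entry, names, values):
    """Apply the map to a user's LDAP entry; memberOf may carry many DNs,
    only those with a map-value line produce an ASA attribute."""
    asa_attrs = {}
    for ldap_attr, asa_attr in names.items():
        for dn in ldap_entry.get(ldap_attr, []):
            mapped = values.get((ldap_attr, dn))
            if mapped is not None:
                asa_attrs[asa_attr] = mapped
    return asa_attrs


def resolve(ldap_entry, policies, names, values, default=DEFAULT_GROUP_POLICY):
    """Return (group_policy, allowed). Model (assumption): IETF-Radius-Class
    names the policy; an unknown or missing value leaves the user on the
    tunnel-group default; vpn-simultaneous-logins not set on the chosen policy
    is taken from the default policy, and a limit of 0 denies the session."""
    asa_attrs = map_attributes(ldap_entry, names, values)
    policy = asa_attrs.get("IETF-Radius-Class", default)
    if policy not in policies:
        policy = default
    fallback = policies[default].get("vpn-simultaneous-logins", 0)
    limit = policies[policy].get("vpn-simultaneous-logins", fallback)
    return policy, limit > 0


if __name__ == "__main__":
    names, values = parse_attribute_map(ATTRIBUTE_MAP)
    # Constructed sample users: one in the VPN group, one not.
    member = {"memberOf": ["CN=Domain Users,CN=Users,DC=COMPANY,DC=com",
                           "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"]}
    outsider = {"memberOf": ["CN=Domain Users,CN=Users,DC=COMPANY,DC=com"]}
    for label, policies in (("before", GROUP_POLICIES_BEFORE), ("after", GROUP_POLICIES_AFTER)):
        print(label, "member  ->", resolve(member, policies, names, values))
        print(label, "outsider->", resolve(outsider, policies, names, values))
```

The "before" run reproduces the symptom: the group match succeeds and the right policy is chosen, yet the session is denied because the only simultaneous-logins value in play is NOACCESS's 0. The "after" run allows the member and still denies the non-member, which is the point of keeping NOACCESS as the default: anyone the attribute map does not explicitly match gets no session.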
