LDAP client auth
I've searched the internet but the examples I've found use certificates or web auth. I'm trying to get users to authenticate using their LDAP credentials on a new SSID.
I have the LDAP server set up on the controller but I'm still having troubles getting authentication to work.
I'd like to bypass using ACS and have the controller talk directly to the LDAP server.
In our environment we have the following:
Two WiSM controllers in separate data centers
4402 guest controller (in production now)
5508 guest controller (being installed now)
All controllers running 7.0.235.3
ACS 4.2
NCS 1.1.1.24
They were unchecked...
Here is what I have:
L2 security
WPA+WPA2 selected.
Checkbox for WPA2 policy WPA2 encryption AES
Auth Key MGmT 802.1x
AAA Sever tab
LDAP server selected
Local EAP Authentication checked
EAP Profile Name - Test
Local EAP Profile - Test
PEAP checked, nothing else
Authentication Priority - LDAP
Is there anything else I'm missing?
Similar Messages
-
Proxy agent in solaris ldap client
Since ldap service provides naming service, that is supposed to be accessed by anyone who needs it, I don't know why we need a proxy agent when we set up solaris ldap client. The anoymous credential level is enough.
Also in order to use proxy agent, this agent needs to have at least read access to all naming entries, including userPassword, encrypted or clear-text. This adds some sort of in-security. While service authentication method "simple" will simply bind to the ldap server using provided password. Of course, you can still add another layer of security by using TLS.
So, can anyone explain this design a little more?
Thanks.My input on this subject may seem a bit paranoid, but that's what I get paid for, so take this with a gain of salt 8-)
The proxy agent does not need to have read access to the userPassword attribute if you configure your clients to use pam_ldap instead of pam_unix. pam_unix retrieves the userPassword attribute by making a call to getspnam. With pam_ldap, the user dn and password are sent to the directory server in an auth structure, and the directory server will return success or failure to the client for that login attempt. More info on this can be found at http://docs.sun.com, or in the book "LDAP in the Solaris Operating Environment, Deploying Secure Directory Services" by Michael Hains and Tom Bialaski (ISBN 0-13-145693-8) pgs 177-179.
Use of the proxy agent can actually increase the level of security for your directory server. With the proper ACI's in place not allowing anonymous binds to view the data in the tree (or only view a small subset of the tree), you can prevent anyone from dropping a laptop or other device on your network and data mining your LDAP tree for information (ie vendors, guests, etc). That won't stop those same people from snooping the traffic on your network, so the use of secure protocols are the other side of that, but implementing tls:simple authentication for the directory server and clients is not that difficult, and should be considered for any deployment of LDAP for use as a naming server.
I do agree with your assessment that in an environment where anonymous binds are accecptable the use of the proxyagent is probably not warrented, but in my experience having the proxyagent has allowed me to tighten the security of my directory implementation . -
Solaris ldap client problem (tls:simple + anonymous)
Hi All,
I've installed Directory Server 6.3.1 and it works just fine,
but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
More detail.
Profile:
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
Ldapclient output:
bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
Parsing profileName=sslnoproxyuser
Arguments parsed:
profileName: sslnoproxyuser
defaultServerList: servername.domain.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
rootDN[0] dc=domain,dc=com
found baseDN dc=domain,dc=com for domain domain.com
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 3
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "domain.com"
file_backup: stat(/var/yp/binding/domain.com)=-1
file_backup: No /var/yp/binding/domain.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "domain.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/domain.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
*/var/ldap/cachemgr.log*
Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
Any ideas?
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07Hi ,
yes I use it.
Here is my pam.conf:
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
# -
Client Auth and SSL with Seeburger AS2 adapter
Hello All,
We are using the Seeburger AS2 adapter in our landscape and I am in the process of setting the same up and have made quite some progress in all my issues.
and I hope that you will be able to help me out.
1. Server SSL on Receiver AS2 adapter
I am sending a message from XI using the Receiver AS2 adapter to my AS2 test tool using Server SSL.
This is working perfectly fine. In my AS2 adapter I have selected HTTPS as the protocol and the message goes via SSL to the target test tool, is processed and the MDN comes back to XI perfectly.
The issue here is :
Irrespective of what is provided in the Server Certificate ( Keystore) , the message goes to my target test tool. I even left this field blank with no certificate entry and still the SSL connection was established and the message went to the target system.
Is there no validation that XI does here? I am lost what is the use of this entry Server Certificate if XI blindly accepts all SSL connections.
I am using a Decentral Adapter Engine with LoadBalancer.
2. Client Auth on Receiver AS2 Adapter
I tried to perform Client Authentication by proving my Server's private key in the AS2 adapter. The corresponding public key is loaded in my partner's Keystore.
XI error's with the error "SSL handshake failed - Bad Certificate" .
I am not sure why XI is erroring out here and I have a feeling that I have misunderstood the use of the fields in the AS2 adapter,
Server Certificate ( Keystore) and Private Key for Client Authentication.
Has anyone tried this? If further details are needed, I will be able to furnish the same.
Regards,
BhaveshHello Jens,
Thanks for your reply.
1. The Encryption and Signature part of the Interface is working absolutely fine and I use the same concept highlighted by you - The Sender always signs the message with his private key and encrypts with message with the partner's public key in the corresponding agreement.
2. Server SSL is also working perfectly fine, i.e, when XI initiates the connection the SSL connection is established to the partner.
3. Mutual Auth was the issue where I was getting the bad certificate issue.
To investigate further I moved the same setup to my Central Adapter Engine and all the issues I had described above seem to have vanished and things work exactly as I was expecting, ie.
The field : Server Certificate (Keystore) is used to provide the Target System's Server SSL's public Certificate.
The field : Private Key for Client Authentication is used where XI provides its own Server SSL's private key for Mutual / Client Authentication.
The problem seems to be with my Decentral Adapter engine and not my central adapter engine and so I guess,
1. I either have the incorrect certificates on my Decentral Adapter Engine.
2. I also have 2 instances of a Decentral Adapter Engine with a Webdispatcher and so maybe the 2 Visual Admin's of the 2 Decentral AE are inconsistent.
3. Maybe it was just a long day and I did something wrong
Will investigate further for the root cause but I am glad that my concepts remain intact and things do work as I expected them to work.
A blog on all this is on the cards sometime soon.
Cheers,
Bhavesh -
Problem while creating an OU from LDAP client, in Oracle Virtual Directory
Hi,
1. I have created a Custom Adapter with root (i.e. dc=mycompany,dc=co,dc=in)
2. Trying to create an "OU" under these above root (i.e. ou=test,dc=mycompany,dc=co,dc=in) using the LDAP client.
I have given following inputs for the second step:
Dn: ou=test,dc=mycompany,dc=co,dc=in
ou=test
objectClass: top
objectClass: organizationalunit
When I try to perform second step with above inputs its gives following error
"LDAP Error 32 : No Such Object"
Same inputs is valid for SunONE directory server.
Is the above approach is valid for Oracle Virtual Directory?
Does any one faced same problem before?
Regards,
HardewYou're going to have to install the Oracle client on the Win2000 box before doing anything else. Once you've done that, simply add a TNS name that points to the database on the Solaris box (the Net8 Configuration Assistant) can walk you through this. Finally, you'll go to the ODBC Data Source Administrator and create a new DSN.
Note that if you install the latest ODBC driver, the 'service name' text box that you have to fill in when you actually create the DSN has been replaced with a combo box, which should make the process a little easier.
Justin -
Native ldap client doesn't work with an openldap Server : No root DSE data
Hello!
My configuration :
- an openldap 2.2.23 server (linux debian) (server name = serv_annu)
- a ldap client (solaris 10) (server name = client_annu)
I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
I use TLS and I had generated a certificate by using Mozilla . TLS works because ldapsearch from my solaris client works:
FROM CLIENT_ANNU:
+# ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"+
version: 1
dn: dc=mydomain,dc=fr
dc: mydomain
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: nisDomainObject
nisDomain: mydomain.fr
o: mydomain
LOG FROM SERVER_ANNU:
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
3) I Add ACL in slapd.conf to allow reading of rootDSE.
access to dn.base="" by ssf=128 * read
4) I launch on my solaris client
crle -u -s /usr/lib/mps
crle -64 -u -s /usr/lib/mps/64
5) I can't apply result.c patch on my openldap server (production server!) then I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using ldapclient command. Then I create manually /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred : the syntax is correct because the "ldapclient list" command works :
+# ldapclient list+
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
+NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411+
NS_LDAP_SERVERS= server_annu
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NOTE : I've had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even if I use anonymous credential level because I get an error when I launch ldap client process.
Then here, everything is apparently OK but when I enable ldap client process the cachemgr process is running about 30s then it crashes:
FROM CLIENT_ANNU:
svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
+/etc/init.d/nscd stop;/etc/init.d/nscd start+
LOG FROM SERVER_ANNU:
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
FROM CLIENT ANNU :
+# /usr/lib/ldap/ldap_cachemgr -g+
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 2
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2008/04/02 09:58:12
Next refresh time: 2008/04/02 21:58:12
Server information:
Previous refresh time: 2008/04/02 09:58:32
Next refresh time: 2008/04/02 09:58:33
server: server_annu, status: ERROR
error message: No root DSE data returned.*
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
My problem is why I get the following error message : No root DSE data returned.
Thanks in advance for your help!Hi
Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
Regards,
Ludovic. -
LDAP Client Configuration in Non Global Zone
I have configured 3 non global zones (different ip addresses and different names from global zone), installed LDAP client 2 on each, which worked fine, until the zones were rebooted. The ldapcachemgr was running, but authentication does not work--have to reinstall ldapclient each time.
Does anyone have any suggestions?Here are a few things to check:
1. /var/ldap/ldap_client_file - Does it have the info you're expecting? If not, it could be the config profile in the Direcotry Server is incorrect.
2. /etc/nsswitch.conf - Is it configured correctly?
3. /etc/pam.conf - Is that configured correctly?
4. If the above files appear OK, check the access logs on the Directory Server.
HTH,
Roger S. -
Hello , I am working on a scenario to implement Client Authentication with HTTPS , i got to a blog where its mentioed of steps of implementing HTTPS with Client auth on XI system , in order to test it i would also require a webservice client that works for this purpose. i got to SAP Soap client , but whatz the way to generate the certificate request so that i can send it to CA and get it signed any ideas pl?
Hi together,
i have the same problem? is anybody out there who could give us some hints?
many thanks
alex schramm -
Probelm client auth from jsse client with open ssl server
I tried to connect jsse client with a openssl server.. with clientAuth
This is what i did ..
Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
The communication works fine without client authentication.
To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
This is how i invoke the client ..
java
-Djavax.net.debug=all
-Djavax.net.ssl.trustStore=cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
After which i get following error in server
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B
SSL_accept:error in SSLv3 read client certificate B
ERROR
17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
shutting down SSL
CONNECTION CLOSED
The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?
-
WS security, SSL and client auth
Hello all,
I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
Being a newbie i have no idea what are the options and how to implement them.
If good tutos are available on the subject it would be nice.
I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
CheersHi
One of the best books I found that covers security is located at:
http://www.lulu.com/content/214643
You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request. -
Client-Auth reports: HTTP4030: Timeout while waiting for client certificate
Hello,
I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
acl "uri=/server1/myaction.do";
authenticate (user) {
method="ssl";
deny (all)
user = "admin";
It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
- If the user selects a certificate that doesn't require password, everything works fine.
- The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
[28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
[28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
SSLClientAuthTimeout 240
AcceptTimeout 3600
Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
Thank you very much in advance,
Carlos.This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.
-
Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
I am trying to deploy the clientcert sample applcation that comes with the platform edition of SunOne V7.
I have used openssl as a CA and have created client and server certs.
I get the following problem.
Sun ONE Application Server - HTTP Status 403 Error
Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Type: Status Report
Message: Access to the requested resource has been denied.
As can be seen from the server.log below, some form of authentication succeeds:
[12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
Note, common name is that of my client cert.
However there is a severe error:
[12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
Also, HTTPS works with server side authentication and I signed both client and server certs with same private "CA" certification.
Question: Do I need any special extentions in the certs for use with SSL?
Thanks in advance.
server.log fragment:
[12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
[12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-4
[12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
[12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
[12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
[12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
[12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
[12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
[12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: No certificates included with this request
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Failed authenticate() test
[12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
[12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-5
[12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
[12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
[12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
[12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
[12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
[12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
[12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
[12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
[12/Aug/2004:08:56:11] FINEST ( 2392): Processing login with credentials of type: class sun.security.x509.X500Name
[12/Aug/2004:08:56:11] FINE ( 2392): Processing X.500 name login.
[12/Aug/2004:08:56:11] FINEST ( 2392): Certificate realm setting up security context for: CN=tweekes, O=tester, C=ie
[12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
[12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Authenticated 'CN=tweekes, O=tester, C=ie' with type 'CLIENT-CERT'
[12/Aug/2004:08:56:11] FINE ( 2392): SingleSignOn[server1]: Registering sso id '6264FF86CB3151E572951CB77D0C515F' for user 'CN=tweekes, O=tester, C=ie' with auth type 'CLIENT-CERT'
[12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Calling accessControl()
[12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL : CN=tweekes, O=tester, C=ie hasRole?: staffmember
[12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL TABLE: {staff=[staffmember], C=ie, O=tester, CN=tweekes=[staffmember]}The below one is the correct configurations
<If $uri =~ "/my(/passo.*)">
NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
</If>
<Object ppath="/my/jsp/passo/*">
PathCheck fn="get-client-cert" dorequest="1"
</Object> -
I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
<Object name=default>
AuthTrans fn="vsCheckClientCert"
</Object>
During startup, web server fails with following error.
Thanks in advance!!!
[20/Sep/2002:11:50:58] info ( 1984): successful server startup
[20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
[20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
[20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
[20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
[20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
[20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/n
etscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/Admin
NativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/b
in/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/net
scape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
[20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
[20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
[20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
be enabled.
[20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
tificate
[20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
be enabled.
[20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
tificate
[20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server c
onfiguration.
[20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
[20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (h
ttps-cvm-test-444)
[20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (http
s-cvm-test-444)
[20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling backThanks for the reply!!
My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml
<VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
<VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
</VS>
</VSCLASS>
I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On? -
Cisco MDS 9513/9509 LDAP/AD Auth via SSH & Fabric Manager
Hello Folks,
I am trying to look for working config with LDAP auth over SSH. I know how to use them over TACACS+ & Radius. But due to other internal issue, currently I am trying to get the Cisco MDS to directly auth using LDAP/AD. Also, I see no option of LDAP/AD in FM(Fabric Manager), but just TACACS+, Radius, LocalFM and MDS. Do using MDS uses default auth(ie whatever AAA authentication is configured for ? or local DB on the switch). Does the new DCNM supports LDAP/AD auth on the GUI ?
Larger goal is SSH(CLI) & FM(GUI) using the same LDAP/AD auth. I understand the snmp-server user issue. But once I have SSH working over LDAP/AD I can figure that out to..
Here's what I need to ensure when using LDAP/AD auth
1) What is the exact config for this LDAP/AD auth
2) How do I ensure that network-admin & network-opertor roles are assigned when certain AD Groups Logins in Like ADMIN-AD-GROUP , OPERATOR-AD-GROUP --> trying to login to the switch
3) Also using SSL port for LDAP, do details are encrypted over the network.
4) Do I need to use the PASSWORD in paintext when BINDING the BaseDN ?, can it be an encrypted password.
Appreciate any info on this. Thanks for your time.As of DCNM 6.1 (aka - Fabric Manager Server) we support LDAP authentication adding to existing Radius, TACACS+, local and switch authentications. You can upgrade from Fabric Manager 5.0 to DCNM 5.2 to DCNM 6.1 if you like to keep current performance, events, config data alive. We do recommend fresh install as we don't know what state your server dabatabase might be in. Including some links for you to help out with deployment and best practices (see release notes).
Resources:
Main Website:
http://www.cisco.com/go/dcnm
How To Video Series: http://www.cisco.com/en/US/prod/netmgtsw/ps6505/ps9369/cisco_dc_nm_video_library.html
Install and Licensing Guide:
http://www.cisco.com/en/US/products/ps9369/prod_installation_guides_list.html
Evaluation Licenses: http://tools.cisco.com/SWIFT/LicensingUI/Home?FormId=65
Download Linux and Windows Executables: http://www.cisco.com/cisco/pub/software/portal/select.html?&i=!m&mdfid=281722751
Data Sheets: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6505/ps9369/data_sheet_c78-639737.html
Install Guide: http://www.cisco.com/en/US/products/ps9369/prod_installation_guides_list.html
Configure Guide: http://www.cisco.com/en/US/products/ps9369/products_installation_and_configuration_guides_list.html
API Programming Guide:
http://www.cisco.com/en/US/products/ps9369/products_programming_reference_guides_list.html
Reference Guide: http://www.cisco.com/en/US/products/ps9369/prod_technical_reference_list.html
Release Notes: http://www.cisco.com/en/US/products/ps9369/tsd_products_support_general_information.html -
LDAP gurus
I'm having problems to setup LDAP client to use TLS:SIMPLE. SIMPLE and SASL/DIGEST-MD5 are working fine (with or without Proxy).
For some reason, a self-certified certification is not acceptable by the client (TLS certificate verification: Error, self signed certificate).
Certificate is located at /var/ldap/cert8.db
Client is Sun LDAP Native.
[SunOS 5.10/bash] root@wgls01:/root
# /usr/local/bin/ldapsearch -Z -H ldaps://wgtsinf01:1636 -v -d 65535
ldap_initialize( ldaps://wgtsinf01:1636 )
ldap_create
ldap_url_parse_ext(ldaps://wgtsinf01:1636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP wgtsinf01:1636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.64.47.50:1636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 .z....Q... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............
0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 ..3..2../.......
0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
0050: 00 00 06 04 00 80 00 00 03 02 00 80 5b ca 46 06 ............[.F.
0060: 60 e0 bc 9e a2 af 25 a2 55 0a 53 e7 f0 1a fc 6e `.....%.U.S....n
0070: c6 7b de f1 79 7e b1 ce 15 14 1a 8e .{..y~......
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 03 b3 02 00 .......
tls_read: want=945, got=945
0000: 00 46 03 01 46 b2 73 ba 42 d1 b3 35 54 a1 26 f8 .F..F.s.B..5T.&.
0010: 76 87 77 90 c1 92 c3 e4 88 a0 47 bc cc 52 01 bb v.w.......G..R..
0020: 34 85 b1 2d 20 46 b2 73 ba cd 16 16 a6 e6 9a a3 4..- F.s........
0030: c2 af 1b 60 ed e7 0d ad 32 69 0d c3 41 64 31 4e ...`....2i..Ad1N
0040: 3e ff bd c4 0a 00 16 00 0b 00 01 ae 00 01 ab 00 >...............
0050: 01 a8 30 82 01 a4 30 82 01 0d 02 04 46 ad 48 df ..0...0.....F.H.
0060: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 0...*.H........0
0070: 19 31 17 30 15 06 03 55 04 03 13 0e 77 67 74 73 .1.0...U....wgts
0080: 69 6e 66 30 31 3a 31 33 38 39 30 1e 17 0d 30 37 inf01:13890...07
0090: 30 37 33 30 30 32 31 31 34 33 5a 17 0d 30 39 30 0730021143Z..090
00a0: 37 32 39 30 32 31 31 34 33 5a 30 19 31 17 30 15 729021143Z0.1.0.
00b0: 06 03 55 04 03 13 0e 77 67 74 73 69 6e 66 30 31 ..U....wgtsinf01
00c0: 3a 31 33 38 39 30 81 9f 30 0d 06 09 2a 86 48 86 :13890..0...*.H.
00d0: f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 ...........0....
00e0: 81 00 a9 f7 de 93 85 50 13 6b a1 18 96 3d 00 2d .......P.k...=.-
00f0: 64 5d a9 65 72 33 c3 44 b6 1e 0e 6b b8 4b e0 a4 d].er3.D...k.K..
0100: 0a 6b 7f 4f 1a ae f3 d7 8e ed 8e fd c7 d0 48 b1 .k.O..........H.
0110: f0 45 2d 74 52 a9 d1 fd d4 89 ad 64 d9 82 6b e9 .E-tR......d..k.
0120: 73 b1 55 cb 38 20 06 e6 4f a3 d3 f2 0b a1 5b 2e s.U.8 ..O.....[.
0130: b4 43 bc 9a 93 e6 b7 47 dd 58 f2 cb 59 17 8a c0 .C.....G.X..Y...
0140: 13 aa 8a 5f ef 11 33 c7 02 53 d8 b1 20 e3 5b 6d ..._..3..S.. .[m
0150: 4f ea 4f a6 9d 02 d2 39 69 ed e0 b9 70 d9 51 50 O.O....9i...p.QP
0160: 4e 2b 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7 N+.....0...*.H..
0170: 0d 01 01 04 05 00 03 81 81 00 02 d6 e1 3d f7 41 .............=.A
0180: 64 69 c5 f3 b7 77 93 99 10 80 4d aa b9 1f 7a 28 di...w....M...z(
0190: c2 33 4e 42 d2 47 7c 53 00 6e 7d 13 3b e3 56 19 .3NB.G|S.n}.;.V.
01a0: 35 93 4b 6d cd 4c 52 57 aa ba e2 f6 e0 46 a4 f2 5.Km.LRW.....F..
01b0: 5c a7 be be b2 40 6f 9a 33 f0 dc b5 de 55 3c 8e \[email protected]<.
01c0: 2a 19 15 eb 6c 6f 03 ef a5 c1 01 e3 d6 10 b7 64 *...lo.........d
01d0: 7d dd 24 87 60 a7 e3 5f 24 a1 ea 0a 66 fa d4 49 }.$.`.._$...f..I
01e0: 71 65 21 53 94 ad be 0c b9 52 b6 78 67 87 b8 38 qe!S.....R.xg..8
01f0: 11 59 b2 47 b6 c9 23 f8 d8 cc 0c 00 01 89 00 80 .Y.G..#.........
0200: f4 88 fd 58 4e 49 db cd 20 b4 9d e4 91 07 36 6b ...XNI.. .....6k
0210: 33 6c 38 0d 45 1d 0f 7c 88 b3 1c 7c 5b 2d 8e f6 3l8.E..|...|[-..
0220: f3 c9 23 c0 43 f0 a5 5b 18 8d 8e bb 55 8c b8 5d ..#.C..[....U..]
0230: 38 d3 34 fd 7c 17 57 43 a3 1d 18 6c de 33 21 2c 8.4.|.WC...l.3!,
0240: b5 2a ff 3c e1 b1 29 40 18 11 8d 7c 84 a7 0a 72 .*.<..)@...|...r
0250: d6 86 c4 03 19 c8 07 29 7a ca 95 0c d9 96 9f ab .......)z.......
0260: d0 0a 50 9b 02 46 d3 08 3d 66 a4 5d 41 9f 9c 7c ..P..F..=f.]A..|
0270: bd 89 4b 22 19 26 ba ab a2 5e c3 55 e9 2f 78 c7 ..K".&...^.U./x.
0280: 00 01 02 00 80 7c 11 c6 db 8a 23 1b 2d a3 e3 5d .....|....#.-..]
0290: f0 30 4c 20 35 c1 95 fc 71 eb c2 92 00 02 a9 05 .0L 5...q.......
02a0: c5 10 4e 75 ef ca 35 aa bb 38 14 fa 38 c3 71 e4 ..Nu..5..8..8.q.
02b0: 16 a4 87 d5 2f e7 a5 7c b4 b8 a0 ee cf 53 ab c2 ..../..|.....S..
02c0: 6b f4 79 59 d5 f9 07 70 77 97 89 eb b6 c6 74 df k.yY...pw.....t.
02d0: 26 57 5c 42 1a 95 13 e3 c5 28 b7 6c c2 6f 2e 65 &W\B.....(.l.o.e
02e0: 5d c3 c8 a9 cf 8e 09 cc aa 42 eb f7 a7 3b c3 5d ]........B...;.]
02f0: be cd e3 71 2b 46 a2 80 72 a3 48 ae 52 b4 ce c2 ...q+F..r.H.R...
0300: 69 1f 40 e7 94 00 80 03 b2 a4 66 2f 34 c1 60 46 [email protected]/4.`F
0310: 05 9d 83 7f f9 75 29 07 36 60 8b b0 ae 1c ce e8 .....u).6`......
0320: 5f b4 0e 26 54 1c 31 b7 94 e2 58 6e 33 76 ce 19 _..&T.1...Xn3v..
0330: e0 07 f5 ca cc a9 d3 53 d5 22 4a 3a 31 15 f4 7e .......S."J:1..~
0340: 34 ba 3b 92 c0 ec 75 8e 0f d8 e4 44 23 91 70 cb 4.;...u....D#.p.
0350: d9 f9 40 ac 7c 0e 97 27 1d 24 b5 ff f2 13 bd 64 ..@.|..'.$.....d
0360: aa 10 40 1c 68 6f b2 87 14 c2 ef 88 bb 9c 88 24 [email protected].........$
0370: 5f 6b 9e c5 2b fb c2 d1 b3 ce 6e 8d b7 57 bf 88 _k..+.....n..W..
0380: ee b9 fd d6 f3 a0 f3 0d 00 00 22 02 01 02 00 1d ..........".....
0390: 00 1b 30 19 31 17 30 15 06 03 55 04 03 13 0e 77 ..0.1.0...U....w
03a0: 67 74 73 69 6e 66 30 31 3a 31 33 38 39 0e 00 00 gtsinf01:1389...
03b0: 00 .
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /CN=wgtsinf01:1389, issuer: /CN=wgtsinf01:1389
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_send_server_request
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedAny ideas?
AndreasHello David,
Let's follow your suggestion and try to put Solaris 10 use TLS:SIMPLE now. Sorry for the extreme long log entries but I tried to capture everything during the authentication process.
My client has an IP address of 10.64.47.11 and the DS server is using the IP address of 10.64.47.50.
a) Sun native LDAP configurations:
[SunOS 5.10/bash] root@wgls01:/var/ldap
# ls -la *db
-rw-r--r-- 1 root root 65536 Aug 8 14:46 cert8.db
-rw-r--r-- 1 root root 32768 Aug 8 14:46 key3.db
-rw------- 1 root root 32768 Aug 2 16:56 secmod.db
[SunOS 5.10/bash] root@wgls01:/var/ldap
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com
NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
NS_LDAP_BIND_TIME= 30
b) Output from DSEE6.1 error log file:
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=group,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixGroup)(memberUid=p642929))" attrs="cn gidNumber userPassword memberUid"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x1000
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=5 attrsonly=0 filter="(|(objectClass=*)(objectClass=ldapSubEntry))" attrs="1.1"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - cos_cache_vattr_types: failed to get class of service reference
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - cos_cache_vattr_types: failed to get class of service reference
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13
Maybe you are looking for
-
Update crashes, .dmg files don't work, etc
OK... So I've cleared up a significant amount of memory, roughly 10GB. I've run Disk Utility a few times and still having problems. Software Update Crashes and reads: Date/Time: 2006-09-25 09:55:33.350 -0700 OS Version: 10.4.7 (Build 8J135) Report Ve
-
My 160 classic wil not update the firmware 1.0.1 ?
hi al my 160 classic wil not update the firmware 1.0.1 what do do rong also after sync not al my covers ar on my ipod
-
Has anybody had problems after installing updates recently?
Hello, I installed some updates about an hour ago on my MacbookPro, and now it is unable to start up. I do remember that I got a message saying "was unable to install ... and ..." before I restarted, but honestly, I didn't pay that much attention to
-
Java applets that worked fine under 10.6 don't work under 10.7. What can I do to correct this?
Java applets that worked just fine are no longer working after upgrading to MacOS X 10.7 (Lion). Here is one example: So far, I've found two Java Applets that have become inoperative under 10.7. Here's one example: http://www.vimas.com/videoLarge.
-
Hi All We are going to upgrade our sun servers from v40z to x4600.We are using ASM for our database. We are doing the server migration on our test system. We are copying the binaries from old server to new server all other associated files /var/opt/o