LDAP Connector: SSL support and de-provisioning

Similar Messages

• Is there any way to config iws6.0 to connect to LDAP directory using SSL client and server authentication.  Only SSL server authentication worked when I tried.

  As my previous question, I followed the following instructions to setup up connection between iws and an LDAP server.
  "Using SSL to Communicate with LDAP
  You should require your Administration Server to communicate with LDAP using SSL. To enable SSL on your Administration Server, perform the following steps:
  1.Access the Administration Server and choose the Global Settings tab.
  2.Click the Configure Directory Service link.
  3.Select Yes to use Secure Sockets Layer (SSL) for connections.
  4.Click Save Changes.
  5.Click OK to change your port to the standard port for LDAP over SSL. "
  Q1. Any other steps needed to setup client authentication (or mutual authentication)?
  Q2. Do I need to enable security for connection groups in order to have this setup to work?

  Check out:
  http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
  You will need to turn on Client Auth as described above. Hope it helps.

• SAP LDAP Connector / UME LDAP and Global Site Selector (GSS)

  Hi,
  I'm wondering if SAP LDAP Connector / UME LDAP will work with Global Site Selector service, such as  CISCO GSS 4400 Series, so that GSS can provide load-balancing for LDAP access.
  If it works, is there a specific configuration on the SAP side?
  Thanks in advance.
  -denny-

  Hey Denny,
    Wondering if you ever sorted this out. I'm trying the same thing right now and UME is failing (and portal won't start) when I use the FQDN of the GSS. Behavior is strikingly similar to using the FQDN of the Active Directory domain. The only way I found to use AD as an LDAP source is to list individual DCs in the UME config. I'm hoping to use GSS instead.
  -Kevin

• LabVIEW network library with support for SSL, Ping and IPv6

  I have posted on LAVA
  an OpenG package that will install a LabVIEW network library with
  support for SSL, Ping and IPv6.
   Please go there if you are
  interested to look it up.
  Rolf Kalbermatter
  CIT Engineering Netherlands
  a division of Test & Measurement Solutions

  Bob Y. wrote:
  OK,  but what is it and why should I use it?  What need does it fulfill?  I have been unable to find much documentation for this at the wiki page and maybe a couple of paragraphs here would help.
  Thanks,
  Bob Young
  Hi Bob,
  Yes, this info got burried.  Basically, it's a tool for building LabVIEW-based software products.  It is highly flexible/extensible and tries to fill the holes left by LabVIEW's built-in Application Builder.  Here are some good links to more info:
  OpenG Builder Homepage
  OpenG Builder 1.0 Documentation
  Thanks,
  -Jim

• LDAP Connector in CUP . No LDAPS? Surely not?

  Hi all,
  I have the LDAP Connector in CUP sucessfully binding to an Active Directory over port 389. It's now time to switch to LDAPS/SSl over port 636..but I have read on this forum that CUP does not support LDAPS connections. Surely this cannot be true???? No company in their right mind would allow an unencrypted connection to their Production AD/LDAP.
  And I can't use the UME to connect to AD over LDAPS as this is already configured as an ABAP dataSource so cannot be switched (according to SAP and the customer).
  Regards
  Daniel

  Found the OSS note saying it is not supported. Hard to believe.

• LC + ActiveDirectory + LDAP over SSL = doesn't work

  Hi,
  I installed Active Directory Certificate Services. Now I want setup LDAP over SSL. Unfortunatelly it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (
  German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
  On server.log, I got this:
  2011-11-12 00:51:28,202 INFO  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
  javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
          at javax.naming.InitialContext.init(InitialContext.java:223)
          at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.createContext(LdapHelper.java:663)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.testServerConfig(LdapHelper.java:682)
          at com.adobe.idp.um.ui.config.ConfigDirectoryEditAction.testServerSettings_onClick(ConfigDirectoryEditAction.java:215)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
          at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
          at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
          at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:91)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:41)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:619)
  Do you have some Idea?
  cu Floh

  I have not done it for Netscape yet but I have done it for Novell and JNDI.. Here is the settings for Novell
  // Dynamically set JSSE as a security provider
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Dynamically set the property that JSSE uses to identify
  // the keystore that holds trusted root certificates
  System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
  ssf = new LDAPJSSESecureSocketFactory();
  // Set the socket factory as the default for all future connections
  LDAPConnection.setSocketFactory(ssf);

• LDAP connector/interface for business partner

  Hi Experts ,
  Our requirement is we have certain applications which are integrated
  with SAP Portal.
  For these applications Data sources are maintained in two different
  LDAPS.
  One LDAP (enterprise directory) is for USER data and the other LDAP for
  Company data(in this senario company data is nothing but business
  partner role oragnization).
  So here the question is, Can we use SAP standard LDAP connectors to
  make connectivity to the enterprise directory(LDAP)and push business
  partners data from CRM to the enterprise directory.
  In Standard SAP CRM system which are standard LDAP connectors support
  this functionality?
  Please advice me and also let me know if we have any SAP notes for this
  senario.
  Best Regards
  Prasad

  Curtis,
  The short answer is that the SAP Business One integration Technology was not built to do what you are asking.  The technology is to be able to move data, and all the ETL that goes with it, between systems such as the Integration Technologies out-of-the-box business scenarios for the integration of data between an R/3 system (headquarters) and it subsidiary(s) using SAP Business One.  The SAP Business One Integration Technology is used to visually create model driven integrations between systems without using code as you do with the DI Server and/or SDK.  You do not have the ability with this tool to build web interfaces as you are asking.  You would use the DI Server for the purpose that you have outlined.  There is a whitepaper that explains in detail the SAP Business One Integration Technology here on SDN at; https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/52b12740-0901-0010-4097-b85d1f5aee2a.
  Hope that helps,
  Eddy

• LDAP  connector for Customer masters With SAP..........

  Hi Experts ,
  Our requirement is we have certain applications which are integrated
  with SAP Portal.
  For these applications Data sources are maintained in two different
  LDAPS.
  One LDAP (enterprise directory) is for USER data and the other LDAP for
  Customer  data(in this senario customer  data is nothing but business
  partner role oragnization).
    MY task is to build an interface for Customer data with LDAP sync.
  So here the question is, Can we use SAP standard LDAP connectors to
  make connectivity to the enterprise directory(LDAP)and push business
  partners data from CRM to the enterprise directory.
  In Standard SAP system which are standard LDAP connectors support
  this functionality?
  Please advice me and also let me know if we have any SAP notes for this
  senario.
  Best Regards
  Prasad

  Thank you very much for the useful link Martin. Anyway, there are some things that I cannot find for NX Unigraphics integration:
  In the wiki you can find
  You can download the CAD-Integration-Software from http://service.sap.com/swdc and then goto
  Installations and Upgrades > Supplementary Components for Cross Industry Solutions > Life-Cycle Data Management > SAP PLM Integrations > select the desired integration
  But that path does not exist in SAP download software page.
  Also, in the availability matrix I can find integration with several systems (catia, solid edge, autocad...) but not unigraphics.
  Could you please provide some more information on the topic?
  Thanks a lot.
  Neil

• LDAP over SSL

  A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
  What is best practice?  Install a public certificate on a DC. 
  For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?

  A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
  What is best practice?  Install a public certificate on a DC. 
  For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?
  If its hosted services & if its supports ADAM/AD LDS, then its much safe to use them instead of RWDC or RODC. Enabling LDAP over SSL enhances the security of the information how information is transmitted when client tries to contact DC for the information(authentication/authorization).
  Normally w/o LDAPs being configured in the environment, when client queries a DC in the domain, the information is transmitted in the plain text which ca be read by the hacker using tools available for free. The reason is simple the information on transit
  is not encrypted, but enabling LDAP over SSL prevent the unencrypted queries & provide more security.
  You can't simple implement LDAP over SSP, but it needs PKI infrastructure, planning & designing which is comprehensively listed into the document URL posted by Justin. You can also use ldap over SSL using AD LDS.
  http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• LDAP Connector ...

  Hello,
  we use LDAP connector for synchronization of SAP users and users in Active Directory. It works fine except of 3 user accounts. There is 3 users in our R/3 system for that the synchronization doesn't work. I used LDAPLOG transaction to display logs and there are 3 records - one record for each of the users:
  Error while writing object <UserID> to the directory. Message no. LDAPSYNC013
  Do you have any idea where could be problem? Why it occures just for 3 users? Is any possibility to find some detailed logs?
  Thanks in advance for every advice!
  Regards,
  Zbynek

  Hi
  Please try these options:
  LDAPSYNC013
  User names in upper case during LDAP synchronisation
  All the users names are in upper case in WebAS and in the Directory Server.
  (https://websmp104.sap-ag.de/~form/sapnet?_FRAME=C ONTAINER&_OBJECT 2006153200000351502003E)
  LDAPACCESS103
  RSLDAPSYNC_USER : Detailed LDAP errors in the log
  The Support Package proposed is the Basis SP1. It is installed on my SAP Server.
  (https://websmp104.sap-ag.de/~form/sapnet?_FRAME=C ONTAINER&_OBJECT 1000358700000658142002E)
  LDAPRC065
  Error messages from message class LDAPRC
  I extended the schema with the file proposed by WebAS (transaction SE38, report RSLDAPSCHEMAEXT). All the attributs and classes are in the Directory Server. The attribut in transaction LDAPMAP are the same as those of the Directory Server
  (https://websmp104.sap-ag.de/~form/sapnet?_FRAME=C ONTAINER&_OBJECT 2006153200000083782002E)
  LDAP BROWSER
  Have you try to browse the directory with an ldap browser like www.ldapbrowser.com with the same settings as in TX LDAP

• Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

  In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server camn communicate LDAP over SSL with some Directory enable SSL.
  Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

  Hi,
  Sorry, I could not understand what your are trying to do with iWS.
  Could you please berifly explain your question. So that I can help you.
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• Trying to determine if LDAP over SSL is working using LDP.exe

  Hi,
  I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:
  ld = ldap_sslinit("dc1.domain.com", 636, 1);
  Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
  Error 0 = ldap_connect(hLdap, NULL);
  Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
  Host supports SSL, SSL cipher strength = 128 bits
  Established connection to dc1.domain.com.
  Retrieving base DSA information...
  Getting 1 entries:
  Dn: (RootDSE)
  <unnecessary details>
  It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.
  Also, when I run a Simple bind with my credentials, I get the following output:
  res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3
  Authenticated as: 'DOMAIN\myuseraccount'.
  Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:
  53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
  res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
  {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
  Authenticated as: 'DOMAIN\myuseraccount'.
  I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our
  WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.
  Any advice or additional insight would be greatly appreciated.
  Thanks!

  Some ideas:
  DNS Name: KB-321051 says that you need the DNS name in either Subject CN or Subject Alternative Name. Which one did you use? Windows clients are fine with an empty CN and only the SAN populated (there the "either or" statement in the article)
  but third-party tools often look for the DNS name in the Subject CN.
  Even if the WatchGuard Server runs on Windows it might use its own certificate checking logic.
  DC certificate(s): Does the DC have more than this certificate? If yes I'd run a network trace to check which one the machine is actually sending in the SSL handshake.
  Chaining issues at your LDAP client / the WatchGuard Management Server:
  Very often such issues are related to the fact that the certificate chain is not validated properly. Some typical issues:
  It is not clear whether the client uses the Windows certificate store (even if it runs on a Windows server).
  Tools / systems / PKI clients can only deal with a single root CA, not with a hierarchy.
  You need to import both Root and intermediate CAs as the client cannot fetch the intermediates from AIA URLs.
  The client cannot access CRL URLs because of firewalls rules or missing access (e.g.: A CRL URL in AD is used but the client does not have an AD user in whose context it would try to fetch the CRL).
  The client has issues with blanks or special characters in CDP or AIA URLs.
  Having a quick look at
  WatchGuard documentation it seems to me that they are using their own certificate stores you need to import CA certificates to. And they only mention a "Root CA" so if your PKI has two levels you might need to import both CAs to the so-called Root store.
  Elke

• Generic LDAP Connector used against AD

  I am trying to use the generic LDAP connector to provision to a development AD. The only port available is 389 so the AD MA cannot be used because it requires 88 for Kerberos. 
  The generic LDAP hangs during configuration after the Configure Anchors screen.  The release notes say that it will work against 3389 on a GC.
  Is there some special set of choices to configure this to connect to Active Directory?
  Randy

  I let the process run for about an hour and the MA create wizard moved to the next step. It took about an hour on the last property panel of the create wizard as well. The configuration was limited to just the Users container and only the user object type
  and only a handful of attributes.
  Randy

• Generic LDAP Connector

  Hi,
  do we have in OIM such as a Generic LDAP connector to connect
  LDAPs like OpenLdap?
  Thanks.

  The traditional solution to your problem is to take the "Sun Java System Directory" connector and customize it. All the LDAP based connectors are based on JNDI so they will work fine with any LDAP v3 server.
  I seem to remember that there was some talk of LDAP support in the generic technology connector framework but it doesn't look like the support is there in 9.1.
  Best regards
  /M

• Xperia Z3v - Lack of support and synergy with existing Xperia software

  So far I like my Xperia Z3v but don't love it. Among the reasons, the most glaring one is the disconnect from Sony Mobile Support and Verizon Wireless, neither cares about owners of the Z3v...
  I understood that the Z3v was a re-branded and modified Z3 for the Verizon network, so some minor differences (size, battery, etc.) would be present. I was unaware, however, that Sony would basically turn a blind eye to the phone and Verizon wouldn't do more than basic support (if it 'aint broken, we don't care).
  Here's what I mean:
  - No PC companion support (Z3v will not be recognized by the program. I've done a support chat with Sony Care and they said that was because Z3v is only supported by Verizon and not Sony....Imagine if Apple said that about the 'Verizon' version of iphones...no itunes integration, users just had to upload files directly to iphone with no programs or interface... )
  - No Media Go support (same as above)
  - No Wireless connect to computer (it's tied to the PC Companion issues, I believe)
  - No way to transfer contacts or files from previous phone (again, PC Companion) without buying an extra connector
  For a company that is seemingly struggling to stay afloat in anything besides Playstation related stuff, you would think Sony would try a little harder to be there for customers who took a gamble and bought their product.
  I have a few days to decide if I want to keep this phone and if I don't hear any noise about Sony working on a way to get the Z3v to play nicely with their PC Companion and related software, I will likely return it and pay the re-stocking fee to get a phone that is actually supported by the company who made it.

  Thank you Rickard for your response, but the standalone installation did not result in any changes.
  I recognize it was probably Verizon's fault to some extent with their desire to create a custom version of the Xperia Z3 instead of just using the standard model, but I still cannot see why the PC Companion or Media Go cannot be updated to recognize and work with the Z3V system and structures.
  I have been a life-long sony fan and have been happy with the way Sony reacts and supports their users for the most part. That is probably why I feel this slide in support is so discouraging.
  Again, I don't see any other brand of phone makers (that I know of) turning a blind eye to their newest phones just because it's on a different network or a slightly different build (mechanicaly and software wise). My understanding is that all i-phones must be different slightly for Verizon and AT&T networks due to the network and setup requirements, but Apple doesn't limit itunes compatibility with just one network's version of the phone, it works across all Apple products. I made the leap from Apple to Sony because I like Sony, but this is not a good start for my experience with this phone and Sony's software.
  I do appreciate your support and recognize you have limited ability to fix the situation, so I do hope you forward my sentiments to the appropriate internal teams.
  thanks again.