LDAP for users / RPD for Groups.  How?

I realize this has been asked before but I've not found a good explanation.
We've set up OBI to authenticate against our LDAP.
But I need to assign users to groups created in the repository.
Just adding groups in the rpd and importing ldap users and assigning them to groups does not work as their passwords are blank.
This is not surprising as the Developer's Guide on page 124 says:
"When a User exists in both the repository and in an external source (such as LDAP servers), the
local repository User definition takes precedence. This restriction allows the Oracle Business
Intelligence Server Administrator to override users that exist in an external security system."
So how to do this?
On the same page it says:
Groups are defined in the repository. However, if lists of users are stored on LDAP servers, the
group membership information must be obtained from a database table.
Problem is I just don't have enough experience yet to understand how to set that up. Does anyone have suggestions or can point to detailed info on the topic?
Thanks, E

Do as microsai says. In addition to the LDAP authentication you need to populate the GROUP variable (also shown in microsai's link). This is where the relationship between users and groups is loaded. This normally requires the USERS=>GROUPS relationship to be in an external table although there are other ways to do it from LDAP such as in this example: http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/

Similar Messages

  • Problem with LDAP authentication for users in a group

    I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
    I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
    I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
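
The resolution above comes down to an LDAP-mapped group policy that never set vpn-simultaneous-logins while the tunnel group's default policy set it to 0. The following check is an added example, not part of the original thread or any Cisco tooling; it runs over a constructed, shortened copy of the posted configuration, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample, shortened from the configuration posted in the thread.
SAMPLE_CONFIG = """\
ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 dns-server value 10.10.100.102
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
tunnel-group COMPANY_SSL_VPN general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
"""

def parse_sections(config_text):
    """Map each unindented header line to its indented child lines."""
    sections, current = {}, None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = " ".join(line.split())
            sections.setdefault(current, [])
    return sections

def explicit_login_limit(sections, policy):
    """Explicit vpn-simultaneous-logins value of a group policy, or None."""
    for child in sections.get(f"group-policy {policy} attributes", []):
        match = re.fullmatch(r"vpn-simultaneous-logins\s+(\d+)", child)
        if match:
            return int(match.group(1))
    return None

def mapped_policies(sections):
    """Group policies named as the target of an LDAP map-value line."""
    targets = set()
    for header, children in sections.items():
        if header.startswith("ldap attribute-map "):
            for child in children:
                tokens = shlex.split(child)  # keeps the quoted DN as one token
                if len(tokens) >= 4 and tokens[0] == "map-value":
                    targets.add(tokens[-1])
    return targets

def find_unset_login_limits(config_text):
    """Return (tunnel_group, default_policy, mapped_policy) findings.

    Heuristic taken from the poster's fix: the default policy sets
    vpn-simultaneous-logins 0 and a mapped policy sets no value of its own.
    """
    sections = parse_sections(config_text)
    findings = []
    for header, children in sections.items():
        match = re.fullmatch(r"tunnel-group (\S+) general-attributes", header)
        defaults = [c.split()[1] for c in children
                    if c.startswith("default-group-policy ")]
        if not match or not defaults:
            continue
        if explicit_login_limit(sections, defaults[0]) != 0:
            continue
        for policy in sorted(mapped_policies(sections)):
            if explicit_login_limit(sections, policy) is None:
                findings.append((match.group(1), defaults[0], policy))
    return findings
```

Run against the sample, the check reports the mapped policy; after adding an explicit vpn-simultaneous-logins line to that policy, as the poster did, it reports nothing.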

  • LDAP: apple-user-homeurl for 10.6.7

    Hi all,
    I have a problem with Portable Home Directories through LDAP and AFP. The file server is running 10.6.6, and I never experienced any issues until I upgraded my client to 10.6.7. Now the HomeSync fails to sync the data.
    @ FileSyncAgent-verbose.log:
    EXCEPTION: Permissions Error <-[SPeerFSPHD mountPeerVolume] (Peer-FS-PHD.m:157): "'((afpAccessDenied))' error -5000"
    The problem seems to be that HomeSync tries to write to a directory, without having the correct permission. I traced the problem back to the "apple-user-homeurl" entry in LDAP. Changing it from
    <home_dir><url>afp://fileserver/home</url><path></path></homedir>
    to
    <home_dir><url>afp://fileserver</url><path>home/</path></homedir>
    solved the problem.
    Can anyone confirm that one has to make this change for clients running 10.6.7? How could this affect clients running older versions, like 10.5? Will updating the server to 10.6.7 change anything? Is there any Apple resource documenting this change in 10.6.7?
    Thanks in advance
    ++

    In my case LDAP is running on a Linux Server, and the homes are AFP shares through a Mac OS 10.6.6 server. I simply edited the LDAP entry "apple-user-homeurl" for my user, as explained above.
    In the meanwhile I tested to log on to 10.6.6 and 10.5.8 - and in both cases PHD were working with my changed LDAP account. But I haven't yet dared to update the server to 10.6.7.
    Somehow 10.6.7 seems to read the path to the home directory in a different way... I would appreciate if anyone could confirm this, and maybe add more details.

  • How to force sql developer to prompt for user input for every execution ?

    Hi Folks,
    Environment: Oracle 11g (on Windows 7)
    SQL Developer: *3.1.07*
    I am executing a PL/SQL code off Sql Developer. The code uses substitution variables to prompt user for input. However, I am only prompted for the user input for the very first run of the code. For the subsequent executions, the code simply picks up the user input from the very first run. This behavior persists for all subsequent runs of the code.
    I have executed the same piece of code from SQL*PLUS and the behavior seems normal (i.e. I am prompted for fresh input for every execution)
    How can I flush out the old user input so I can be prompted for new user input for every run of the code in sql developer?
    Thanks in advance
    rogers42

    Hi Rogers42,
    1/try
    undefine
    undefine fred
    select '&&fred' from dual;
    [run this multiple times]
    [prompts here]
    old:select '&&fred' from dual
    new:select 'a' from dual
    'A'
    a
    [prompts here]
    old:select '&&fred' from dual
    new:select 'b' from dual
    'B'
    b
    2/try
    exit (requires recent version of sql developer: tools->preferences->Database->worksheet->Re-initialize on script exit command)
    select '&&fred' from dual;
    exit
    run this multiple times
    [prompts here]
    old:select '&&fred' from dual
    new:select 'x' from dual
    'X'
    x
    Commit
    [prompts here]
    old:select '&&fred' from dual
    new:select 'y' from dual
    'Y'
    y
    Commit
    3/use &fred instead of &&fred
    For background see
    http://totierne.blogspot.co.uk/2010/04/substitution-and-bind-variables.html
    -Turloch
    SQLDeveloper team

  • Security Refresh for Users in the Group

    Hi John,
    I assigned a user with Analytic services admin privileges in the shared services. After the refresh security from shared services through EAS console, I clicked on security and clicked on users. I was able to see that user as an administrator (user type).
    But when I assigned the same analytic services admin privileges at the group level, all the users in that group are not showing as administrators in the EAS console after security refresh (showing as user instead of administrator).
    Can you explain why?
    Thanks.

    Hi,
    If you look at the group in EAS then it should be displayed as administrator, then all the users assigned to that group will take on the administrator privileges.
    It will not show each user as an administrator, just as a user; that is the way it works.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Search help for user field for WBS element

    Hi,
    how can I add a search help to one of the user fields for WBS elements without modification? Is there an exit which I can use? I want to have a search help for field PRPS-USR02.
    Thanks for your help.

    Hi
    Create an elementary search help using the table USR01 or USR03
    see the steps
    1) Elementary search helps describe a search path. The elementary search help must define where the data of the hit list should be read from (selection method), how the exchange of values between the screen template and selection method is implemented (interface of the search help) and how the online input help should be defined (online behavior of the search help).
    2) Collective search helps combine several elementary search helps. A collective search help thus can offer several alternative search paths.
    3) An elementary search help defines the standard flow of an input help.
    4) A collective search help combines several elementary search helps. The user can thus choose one of several alternative search paths with a collective search help.
    5) A collective search help comprises several elementary search helps. It combines all the search paths that are meaningful for a field.
    6) Both elementary search helps and other search helps can be included in a collective search help. If other collective search helps are contained in a collective search help, they are expanded to the level of the elementary search helps when the input help is called.
    CREATION:
    Go to SE11  Tcode
    select search help
    give the 'z' search help name and create
    select the selection method ur table name eg : 'mara'
    dialog module 'display value immediately'.
    add the field whatever u want and lpos = 1 and spos = 1 and check import and export parameter.
    where left position when displaying and spos = search position
    and then save and activate ..
    See the links:
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee38446011d189700000e8322d00/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee45446011d189700000e8322d00/content.htm
    https://forums.sdn.sap.com/click.jspa?searchID=3173469&messageID=2176485
    https://forums.sdn.sap.com/click.jspa?searchID=3173469&messageID=3601619
    pls go through this for search help creation
    http://help.sap.com/saphelp_nw2004s/helpdata/en/41/f6b237fec48c67e10000009b38f8cf/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee2b446011d189700000e8322d00/content.htm
    Search Help Exits:
    Re: dynamic values for search help
    Re: Dynamic search  help
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee52446011d189700000e8322d00/content.htm
    http://www.sapdevelopment.co.uk/dictionary/shelp/shelp_exit.htm
    https://forums.sdn.sap.com/click.jspa?searchID=4390517&messageID=1712818
    Regards
    Anji

  • Function Module for user exits for variables used in BEx Queries.

    Hi,
    This is for BW Query customer exit variable (zvar2) for include ZXRSRU01 and exit :EXIT_SAPLRRS0_001.
    Can anyone please suggest the function modules that can be used to do the following.
    1)Read value of zvar1 from selection screen whatever
    user enters at run time.
    2)How to define the zvar2 in the include. zvar2 is the
    variable created in BEx to be populated from this
    customer exit.
    3)How to use case statement where once the value for zvar1
    is determined then,
    Case zvar1.
    when zvar1 = 0 , then zvar2 = 10
    when zvar1 = 1 , then zvar2 = 20
    4) Assign zvar2 value as computed in the case statement.
    Can anyone please help with the code to achieve this.
    Any information regarding function modules that can help write user exits for variable reading and input will be greatly helpful.
    Thanks
    Sarah.

    Hi Sarah,
    You don't need any FM for your issue.
    Please try this sample code :
    DATA: VAR_INPIUT LIKE RRRANGEEXIT.
    CASE I_VNAM.
      WHEN 'ZVAR2'.
       CLEAR L_S_RANGE.
       IF I_STEP = 2."PROCESSED AFTER VARIABLE INPUT
    *Reading value of ZVAR1
        LOOP AT I_T_VAR_RANGE INTO VAR_INPIUT
          WHERE VNAM = 'ZVAR1'.
          CASE VAR_INPIUT-LOW.
    *FILLING ZVAR2
           WHEN 0.
              L_S_RANGE-LOW     = 10.
           WHEN 1.
              L_S_RANGE-LOW     = 20.
          ENDCASE.
          L_S_RANGE-SIGN     = 'I'.
          L_S_RANGE-OPT      = 'EQ'.
          APPEND L_S_RANGE TO E_T_RANGE.
          EXIT.
        ENDLOOP.
      ENDIF.
    ENDCASE.
    Hope this helps
    Joe

  • Authorization for User Creation for Admin user

    Dear All,
    We have Cronacle 6.0.2.
    We have a requirement where in we want to create an admin user with all access to Redwood (in order to avoid using SYSJCS). We have and created an admin role with which our criteria is almost met. After assigning this admin role to our newly created admin user, everything work except user & role authorization. I am not able to create, delete or alter any user or role with this user.
    I have seen that we have the oracle system privileges related to user and role authorization (create user, alter role, etc), but when we are trying to assign the same to the admin user, its not allowing us to do so. We have tried the assignment using sysjcs from both RWE and from the shell using the SYJCS, RSI users.
    How can I achieve this? with which user?
    Any pointers on this would be highly appreciated.
    Thanks in advance for your help.
    Warm Regards
    Rajeet

    Hi Rajeet,
    This is because SYSJCS has the privileges to create users and roles in the database, but not the right to actually give out these privileges to other users.
    For that, you need a user with the DBA role in the database, or with the "create user" and "create role" privileges "with admin option". A user with the admin option on a privilege can hand out this privilege to other users.
    If you don't have any own users with these privileges yet, the SYSTEM user will work as well.
    Regards,
    Anton.

  • Journalctl works for user, not for root, or anyone in adm [WORKAROUND]

    Here's a fun one...
    If I'm not in adm and use my user account, journalctl works as expected... However if I use sudo, root, or if I'm in adm group I get this...
    root@oa ~ > journalctl
    Failed to get cutoff: Bad message
    google comes up with diddly that's relevant, same here.
    (WORKAROUND)
    Also of note, (I've been busy at work, and now xfce doesn't wanna work so I'm doing this in twm) while "journalctl" doesn't work as root, "journalctl -q" does. So that's at least a workaround till that patch gets pushed through.
    Last edited by HalJordan (2012-07-21 23:29:47)

    Just for comparison, what you should get from calling journal as a user is:
    journalctl
    Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.
    Maybe "man systemd-journald.service" can help you.

  • Security Right 'Resource' id for 'User Impersonation For Seller' right

    Hi,
    Can someone tell me what's the RESOURCE id for security right 'User Impersonation For Seller'?
    I need this to populate the workbook. None of the standard roles have this in E-Sourcing 5.1, so the standard workbook doesn't contain this right.
    Manually this right can be set in the security profile in drop down 'Users and security'.
    Thanks & Regards,
    Srivatsan

    Hi
    RESOURCE ID for security right "user impersonation" is usermgmt.impersonation
    Regards
    Mudit Saini

  • $LS_COLORS stopped working (for user, not for root)

    Good day.
    Some time ago,  "ls" stopped paying attention to my color settings when coloring output for my user, while still working for root. For both root and my user, I set $LS_COLORS through ~/.bashrc as "eval $(dircolors -b)" but while this works fine for root, it at some point stopped working for my user, simply since the "eval" doesn't seem to work anymore. That is, what could be the reason for the below behavior?
    (note: I also have colored ls output without $LS_COLORS; just not the colors that I want, and which root does have).
    ===
    [rene@e600 ~]$ echo $LS_COLORS
    [rene@e600 ~]$ dircolors -b
    LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:';
    export LS_COLORS
    [rene@e600 ~]$ eval $(dircolors -b)
    [rene@e600 ~]$ echo $LS_COLORS
    [rene@e600 ~]$
    ===
    bash is 4.2.045-5 (coreutils is 8.21-2)
    Regards,
    Rene

    I happen to have the same problem as yours after logging in to Gnome but I didn't test for root.
    I've followed what comment #40 says at
    https://bugs.launchpad.net/ubuntu/+sour … bug/549727 and the problem
    seems to be gone.
    Try removing ~/.gconf/desktop/gnome/peripherals/touchpad?

  • Need Help for User Exit for Pricing

    Dear ABAPers
    I created a user exit for pricing where I am comparing a condition type (manually entered (ZD01)) to another condition type (YD01). If the entered value is more than the other condition type then pricing should not be updated.
    RATE = 0.
    IF KOMP-ZZVBTYP = 'C'.
    IF KOMP-PRSFD = 'X' OR
       KOMP-PRSFD = 'A'.
      IF KOMV-KSCHL = 'ZD01'.
            LOOP AT XKOMV WHERE  KSCHL EQ 'YD01'.
                  KOMP-KZWI2 = ( XKOMV-KBETR / 10 ).
            ENDLOOP.
            RATE = KOMV-KBETR / 10.
        IF ( RATE <> 0 ) AND ( RATE < KOMP-KZWI2 ).
            MESSAGE W991. "Maximum Allowed Discount Has Exceeded !!!!
            CLEAR KOMV-KBETR.
            CLEAR KOMV-KWERT.
            MODIFY SCREEN.
        ENDIF.
      ENDIF.
    ENDIF.
    ENDIF.
    It is giving me the message but it is also updating the pricing. I want it not to be updated. So in place of modify screen I need to reset pricing procedure.
    I need a function module or an ABAP keyword which can reset the pricing procedure.
    Thanks in Advance.
    regards,
    MAM

    As far as I can understand, you are coding in user exits, so if you are giving that
    message 'Maximum Allowed Discount Has Exceeded !!!!' as type 'E',
    I think it will work. I think there is no way to stop the processing without type E.
    regards
    shiba dutta

  • OID: How to search for users in nested groups

    Hi All,
    I have three groups:
    cn=ParentGroup
    uniquemember: cn=ChildGroup1
    uniquemember: cn=ChildGroup2
    uniquemember: uid=user1
    cn=ChildGroup1
    uniquemember: uid=user2
    cn=ChildGroup2
    uniquemember: uid=user3
    Now, as per my requirement, I have to do ldapsearch on ParentGroup and all the members (direct & indirect), i.e., user1, user2 and user2; however, I am getting only user1.
    My OID version is 11.1.1.6.0
    Please help.
    Regards,
    Sunny

    Hi Sunny,
    A Shell script or a JAVA program can solve this problem.
    Regards,
    SOADreams
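
One way to script the expansion the reply alludes to, as an added example that is not from the original thread: a breadth-first walk that follows group-valued uniquemember entries and tolerates membership loops. The LDIF-style sample is constructed from the three groups in the question (with one loop added for illustration) and the function names are hypothetical; in practice the input would be an export of the group entries.

```python
from collections import deque

# Constructed sample mirroring the question's groups. The back-reference from
# ChildGroup1 to ParentGroup is added here to exercise loop handling.
SAMPLE_LDIF = """\
dn: cn=ParentGroup
uniquemember: cn=ChildGroup1
uniquemember: cn=ChildGroup2
uniquemember: uid=user1

dn: cn=ChildGroup1
uniquemember: uid=user2
uniquemember: cn=ParentGroup

dn: cn=ChildGroup2
uniquemember: uid=user3
"""


def normalise_dn(dn):
    """Lower-case a DN and trim spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_groups(ldif_text):
    """Return {group_dn: [member_dn, ...]} from blank-line separated entries."""
    groups, current = {}, None
    for line in ldif_text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), normalise_dn(value)
        if attr == "dn":
            current = value
            groups.setdefault(current, [])
        elif attr == "uniquemember" and current is not None:
            groups[current].append(value)
    return groups


def expand_members(groups, root_dn):
    """Return {user_dn: [group path from root]} for direct and indirect members."""
    root = normalise_dn(root_dn)
    if root not in groups:
        raise KeyError("unknown group: %s" % root_dn)
    paths, seen = {}, {root}
    queue = deque([(root, [root])])
    while queue:
        dn, path = queue.popleft()
        for member in groups[dn]:
            if member in groups:          # member is itself a group
                if member not in seen:    # visit each group once, so loops end
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:                         # leaf entry, treated as a user
                paths.setdefault(member, path)
    return paths


if __name__ == "__main__":
    for user, path in sorted(expand_members(parse_groups(SAMPLE_LDIF),
                                            "cn=ParentGroup").items()):
        print(user, "via", " > ".join(path))
```

The recorded path shows through which group each user inherits membership, which is what an access review of nested groups usually needs.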

  • How to get users' login logout time for user IDs for a specific date?

    Dear All,
    There is a case where I am being requested to retrieve the Userid, User Name,
    User Group, User Dept, Date, Login Time, Logout Time for a specific date, for example, 21.05.2009.
    How should I retrieve the information? The user wants to input a specific date and user group, then return the details mentioned above.
    I tried with SUIM->Users->By Logon Date and Password Change... but I can't specify the date that I want ...
    I try with SM19 (Security Audit Log), but unfortunately in my system this is not activated.
    I've sought SAP's advice, and they say we need to ask an ABAPer to develop a report in order to get such details....
    Do you guys have any other methods?
    Do you guys know which tables will contain the details as mentioned above?
    Best Regards,
    Ken

    Unfortunately, without the audit log, you're going to have a hard time finding this information.  As mentioned, ST03N will give you some information.  If your system's daily workload aggregation goes back to the date you require then you'll be able to get a list of all users who logged on that day.  ST03N doesn't keep time stamps, just response times.
    My only idea is VERY labor intensive.  If your DB admin can retrieve a save of the database from that day then table USR02 will hold a little more information for you.  It will contain last login times for that day.  If your system backup policy happened to have saved the contents of folder "/usr/sap/<SID>/<instance>/data" then you potentially have access to all the data you require.  The stat file will have recorded every transaction that took place during that day.  If that file is restored you could use program RSSTAT20 to query against it.
    Good luck and turn on the audit log as it makes your life much easier!

  • How to set NTFS and share permissions for Users share for home directories in Server 2012

    I have a new Server 2012 server, and I want to set up a Users share, that will contain subfolders of each user's username and contain their home directory.  But what do I set the share and NTFS permissions as on the root level, let's call the folder Users? Is the following older article the correct permissions I need?
    https://support.microsoft.com/kb/274443

    Hi RJO22,
    You can choose to configure Folder Redirection. Folder Redirection enables you to redirect the location of specific folders within user profiles to a new location, such as a shared network location. Folder redirection is used in the process of administering user profiles and roaming user profiles. You can configure Folder Redirection using the Group Policy Management Console to redirect specific user profile folders, as well as edit Folder Redirection policy settings.
    The related KB:
    Folder Redirection Overview
    http://technet.microsoft.com/en-us/library/cc732275.aspx
    Specify the Location of Folders in a User Profile
    http://technet.microsoft.com/en-us/library/cc771969.aspx
    I’m glad to be of help to you!
