LDAP Group Lookup Policy
I would like to know if it is possible to set up an Inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a Distribution group called Media_Access.
Does this need to be a distribution group or a mail-enabled security group?
We are using Active Directory.
Thanks
Though you could accomplish this with message filters, my vote would be for using an LDAP group query with the incoming mail policy. You can have the Media policy that checks if the recipients are members of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering, by the way.
Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
Have you tried to create a policy allowing these file types and checking the recipients using an LDAP group query?
Then, insert a policy below this (the one mentioned above) not allowing these file types for non-group members.
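As an added illustration (not appliance configuration or code from this thread), a small Python model of the splintering approach the replies describe: each recipient is matched against a constructed stand-in for the LDAP group query, the message is split into one copy per matched incoming mail policy, and a content filter drops the listed media attachment types only for the Default policy copy. Group membership, addresses and attachment names are constructed sample data.

```python
"""Model of incoming-mail-policy splintering keyed on LDAP group membership.
Added example, not code or configuration from the appliance or this thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the LDAP group query: recipient -> groups it belongs to.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "alice@example.com": {"Media_Access"},
    "bob@example.com": set(),
    "carol@example.com": {"Media_Access", "Finance"},
}

# Attachment extensions the Default policy should drop (the types named in the question).
MEDIA_EXTENSIONS = {"mpeg", "mpg", "avi", "divx", "pps", "mov"}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[str]  # attachment file names


@dataclass
class Policy:
    name: str
    required_group: Optional[str]  # None marks the catch-all Default policy
    drop_media: bool


# Policies are evaluated top-down; the first match wins, as in a policy table.
POLICIES = [
    Policy("Media", required_group="Media_Access", drop_media=False),
    Policy("Default", required_group=None, drop_media=True),
]


def is_member(recipient: str, group: str) -> bool:
    """Stand-in for the LDAP group query (address lookup is case-insensitive)."""
    return group in LDAP_GROUPS.get(recipient.lower(), set())


def match_policy(recipient: str) -> Policy:
    for policy in POLICIES:
        if policy.required_group is None or is_member(recipient, policy.required_group):
            return policy
    raise RuntimeError("policy table has no catch-all entry")


def splinter(msg: Message) -> Dict[str, Message]:
    """Split one message into one copy per matched policy (message splintering)."""
    copies: Dict[str, Message] = {}
    for rcpt in msg.recipients:
        policy = match_policy(rcpt)
        copy = copies.setdefault(policy.name, Message(msg.sender, [], list(msg.attachments)))
        copy.recipients.append(rcpt)
    return copies


def is_media(filename: str) -> bool:
    return "." in filename and filename.rsplit(".", 1)[1].lower() in MEDIA_EXTENSIONS


def apply_content_filter(policy: Policy, msg: Message) -> Tuple[Message, List[str]]:
    """Content filter: strip media attachments only where the policy says to drop them."""
    if not policy.drop_media:
        return msg, []
    kept = [a for a in msg.attachments if not is_media(a)]
    dropped = [a for a in msg.attachments if is_media(a)]
    return Message(msg.sender, msg.recipients, kept), dropped


def deliver(msg: Message) -> Dict[str, dict]:
    """Run splintering then per-policy filtering; return what each splinter would deliver."""
    outcome = {}
    for name, copy in splinter(msg).items():
        policy = next(p for p in POLICIES if p.name == name)
        filtered, dropped = apply_content_filter(policy, copy)
        outcome[name] = {
            "recipients": filtered.recipients,
            "attachments": filtered.attachments,
            "dropped": dropped,
        }
    return outcome


if __name__ == "__main__":
    sample = Message("partner@example.net",
                     ["alice@example.com", "bob@example.com", "carol@example.com"],
                     ["quote.pdf", "demo.avi", "roadshow.PPS"])
    for name, result in deliver(sample).items():
        print(name, result)
```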
Similar Messages
-
We are currently testing Solaris 11 on one of our servers. We are encountering the problem that ldap group lookups are very slow. This didn't occur under Solaris 10. The ldap information is held in Active Directory with all unix information held in a relatively small separate branch, except for passwd information, which is held in the main very large part of AD (using the same user object for unix as used for the equivalent Windows user but with the added unix posixAccount attributes). What appears to be happening is that the first search is very quick when it accesses posixGroup information from the unix branch, but it then tries to perform a memberOf search which must be using the passwd search base, which then searches the whole of the AD, and it is this part which is extremely slow. Is there any way of disabling the memberOf search?
The following snoop information is an example of the problem search ....
LDAP: Operation *[APPL 3: Search Request]
LDAP: [Base Object]
LDAP: ou=uol,dc=livad,dc=liv,dc=ac,dc=
LDAP: uk
LDAP: [Scope]
LDAP: wholeSubtree
LDAP: [DerefAliases]
LDAP: derefAlways
LDAP: [SizeLimit]
LDAP: [TimeLimit]
LDAP: [TypesOnly]
LDAP: Extensible Match *[9]
LDAP: MatchingRule [1]
LDAP: 1.2.840.113556.1.4.1941
LDAP: Type [2]
LDAP: memberOf
LDAP: MatchValue [3]
LDAP: CN=eme,OU=Group,OU=Unix,OU=UOL
LDAP: ,DC=livad,DC=liv,DC=ac,DC=uk
LDAP: dnAttributes [4]
LDAP: *[Sequence]
LDAP: [OctetString]
LDAP: sAMAccountName
LDAP: [OctetString]
LDAP: objectClass
LDAP: Controls List *[0]
LDAP: *[Control]
LDAP: [LDAP OID]
LDAP: 1.2.840.113556.1.4.473
LDAP: [Criticality]
LDAP: [Control value]
LDAP: *[Control]
LDAP: [LDAP OID]
LDAP: 2.16.840.1.113730.3.4.9
LDAP: [Criticality]
LDAP: [Control value]
This is our ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_AUTH= simple
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_SEARCH_BASEDN= ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
NS_LDAP_BIND_TIME= 5
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SERVERS= bhdc01.livad.liv.ac.uk
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
NS_LDAP_SEARCH_TIME= 8
NS_LDAP_CACHETTL= 0
Are you testing on the same machine, or are you testing SQL*Plus on the database machine directly?
Tony -
OIM OES Integration to use LDAP groups for policy making
Hi,
I am trying to make a policy for the OIM application using OES. I want to use my LDAP groups as principals to control access in OIM. How can it be achieved?
Thanks
Edited by: user10660448 on May 21, 2013 1:35 AM
Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
When you have multiple domains, you have a problem with this set-up, as the internal LDAP is coupled to a specific domain. This means that users you created in one domain are not visible in the other. When using a separate LDAP that contains the users, you can configure in each domain an authenticator that points to the LDAP. In this way you can share the users across multiple domains.
When you are planning to use one domain you can stick with the internal LDAP if you want.
An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819, which might help you in how to proceed. -
Rule to apply ldap group filter to allow access in OAM Policy Manager
This may be pretty basic, but I'm trying to implement a rule in Policy Manager to allow access to a resource based on LDAP group membership. I can't figure out how to construct the ldap query. I'm using OID as the directory server.
Does anybody know how to create an ldap query that will apply a group filter to authenticated users?
the format would be something like
ldap:///dc=oracle,dc=com??sub?(......)
thanks for any help!
Mark,
Do you by any chance know what we can include in our DBMS_LDAP statement to populate the OID for a new user creation, to populate the obpasswordcreationdate as part of the user creation?
Here is what we are running, but since we moved to OBLIX we don't know how to populate a new user.
Here is part of our code using MOD_ADD.
emp_vals(7) := null;
DBMS_LDAP.populate_mod_array(emp_array,DBMS_LDAP.MOD_ADD,'obpasswordcreationdate',emp_vals);
emp_vals(1) := 'top';
emp_vals(2) := 'person';
emp_vals(3) := 'organizationalPerson';
emp_vals(4) := 'inetOrgPerson';
emp_vals(5) := 'orcluser';
emp_vals(6) := 'orcluserv2';
emp_vals(7) := 'oblixPersonPwdPolicy';
After it runs, it sends me an error: no data found.
Thx so much in advance. Not getting any answers.
KA -
Hi,
I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials".
That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group for the users I want to include in my OID directory.
Now at "Builder->Application...->Security->Authorization Schemes" I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
My Scheme Source (Identify Query or PL/SQL) is as follows and is set to "Once Per Session":
return wwv_flow_ldap.is_member
(:APP_USER,
null,
'cn=users,dc=wellesley,dc=edu',
'jadeland.wellesley.edu',
'389',
'wcd_HTMLDB',
'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220".
I have included 3 users in the group 'wcd_HTMLDB'.
Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
Where did I go wrong?
What's the proper way to authorise only LDAP users in a group?
Any help would be really appreciated.
Thanks.
Indira,
The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then use that item as an 'already passed' flag for subsequent invocations.
Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
Scott -
Loading LDAP groups into WLS JAAS Subject
Hi,
I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity Asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
But I'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (the user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
Thanks.
Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB -
Prepopulating users LDAP Group Information
Hi
When I provision a user using the Sun connector manually, I have an option to select from a lookup the group to which the user must be a member.
How do I prepopulate this information based on the user's organization?
sas
Refer to this link for the solution.
Provisioning OIM Users to LDAP Groups
Thank you
sas -
I'm trying to rebuild our VPN environment with a pair of 5520. We're going to use AnyConnect mobility exclusively with SSL. No IPSec and no SSL Webvpn.
We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA 2 factor.
How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
Thanks for any help.
Yes, you can do the Authentication to an RSA server and the Authorization to the LDAP server.
Please configure LDAP as an authorization server.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Do let me know how it goes.
~BR
Jatin Katyal
**Do rate helpful posts** -
Is there a way to control the depth TES 6.1 can query AD Groups?
For example, I created AD sec groups TESScheduler, TESMIgrators, TESOperator and TESInquiry.
Inside AD group TESScheduler, I want to add another AD security group instead of an AD Account (user).
When I tried it, TES 6.1 will not recognize the AD security group inside the AD security group, it only works when I put in users.
Also, since moving the security policy to be associated to the LDAP Group, I can no longer impersonate the users. I may have read this somewhere (probably since sec policy is no longer associated with user); does someone remember where this was mentioned?
Thanks for the response - I just wanted to check if maybe there is a configuration setting that can be tweaked currently. I will log a case since this will make it easier for me to get away from managing users.
Did have a followup question to get an idea on how everyone else is using the LDAP group capability. We are very distributed in terms of the teams/workgroups - each team has total autonomy over their jobs and objects they own and job activity functions.
With help of consultants, this is what we have devised, and an outline of the challenges with it:
First we decided to use the team's existing AD sec group to control the functional aspect of security (as in which workgroup they have access to). This ensures that Tidal access to workgroups is always up to date - in case someone joins the team or leaves the team.
We then create an LDAP group for each workgroup (associating runtime users and agents on the LDAP group). We took any users and agents out of the workgroups and moved them to the LDAP group.
Then we created four new AD sec groups to control what users can do with the objects they have access to.
- TESScheduler
- TESOperator
- TESMigrator
- TESInquiry
Lastly in Tidal, we create the 4 LDAP groups for the security policy access linking it to the new AD sec groups.
So that for example, if Pete belongs to the Finance team and is a scheduler, he is automatically in the Finance team AD sec group as soon as he is hired. Then someone (Tidal Admin) adds him manually to the TESScheduler AD sec group - then voila, he can log into Tidal with the appropriate access.
Challenges with this (aside from the bug I encounter when adding LDAP group to workgroup >_<):
- it would be nice if I can add the team's AD sec group into TESScheduler (as mentioned in my original post)
- I am still having to be in the picture whenever someone needs Tidal access granted or revoked because a central body needs to make sure that user is not in more than one of the sec policy AD groups (TESScheduler, TESOperator, ...). We have sold this LDAP group thing as a way for teams to finally control their own access but that is not the case really.
We have decided to live with this model but wondered if other implementations with distributed user bases have other ways to deal with this. I can obviously open the 4 new sec policies for the teams to edit on their own but I cannot guarantee they will check for duplicates and not accidentally delete other folks etc. Also, some folks who belong to multiple workgroup have to be handled differently since they may want to be schedulers for Finance but Marketing requires them to be operator only - which means they really can't be a scheduler. In this case, they have to be an operator only to belong in both groups or not be in Marketing at all to get Scheduler privs. Kind of goes against the cumulative access model that TIDAL 6 is based on. -
Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced few entries with XXXX and YYYY due to security.
LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
LDAP Server Type: Novell eDirectory
Base LDAP Distinguished Name: ou=XXXXX,dc=YY
LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
LDAP Referral Distinguished Name: ""
Maximum Referral Hops: 0
SSL Type: Server Authentication
Server Side SSL Strength: Always accept server certificate
Single Sign On Type: None
When I add any new group then it's not added and I get the below error message in the Logging directory for WCA.
Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
Parameter name: offset, stack: at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
Can anyone help to find if LDAP is configured correctly before adding group?
Thanks,
Resolved. It was due to a wrong LDAP group given to me.
Thanks, -
Can an email address be a member of an LDAP group even if it isn't
associated with an object in the Directory Server?
General members of a group are the members defined in the
Directory Server. They are full-fledged members of the group who
may have a set of permissions associated with their membership,
a title, or other attributes. Mail-specific users are users who
are not full-fledged members of the group, but who receive mail
sent to the group. Mail-specific users need not be identified as
a user in the Directory Server--an email address is sufficient.
An example of this is a group of salespeople, all of whom are in
the group "North American Sales Team." They have access to a
sales-tracking database, on-line quota information, and
competitive information. The mail-specific users of this group
are the admins who support the members of the sales team, who need
to get the mail that goes out to the group, but don't need access
to the applications and information that the salespeople do.
Hey EllyK,
Welcome to the BlackBerry Support Community Forums.
Thanks for the question.
I would suggest performing this workaround and then try to login to BlackBerry Link:
Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID.
Connect the BlackBerry 10 smartphone to the computer.
Open BlackBerry Link
Sign in using the BlackBerry ID.
Let me know if the issue still persists.
Cheers.
-ViciousFerret
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Like! for those who have helped you.
Click Accept as Solution for posts that have solved your issue(s)! -
Mapping LDAP Groups to SAP Roles
Hi there,
I am trying to build up a synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach a synchronized user management.
In Web AS ABAP it seems impossible to assign roles to groups.
The question is, is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to Roles in an ABAP System?
Or is there another way to administrate users in different systems?
Thanks a lot for your answers,
stefan
Hi
In this case you have to use the concept of central user administration. Use the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
Hope this helps you to get a fair bit of an idea.
Don't forget to give points.
With regards
subrato kundu -
I have 2 questions and these are very urgent :-
1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have 2 groups in iPlanet: Contractors and Employees, and I have 2 security roles in WebLogic: contractors and employees. How do I map LDAP group contractors to WebLogic security Role contractors? Similarly for employees?
2. I have not defined contractors and employees under the People container in iPlanet.
e.g. The RDN for contractor is
uid=1234,ou=dir,dc=orams,dc=com
Can I still use the default security realm of WebLogic (the WebLogic Security Realm under People) OR do I have to write my own custom code?
3. I am planning to use Roles instead of groups to manage the logical grouping in iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration parameters)?
This is very urgent ....so if any of you can throw any hints that will be greatly appreciated.
--Sunita
Hi Ariel,
The driver is bundled with the product in WLS 6.1sp1. You don't have to download any additional driver. Use it as you normally would; the only thing to remember is if you are trying to write standalone java code then you have to have weblogic.jar in your classpath. For the rest of the info follow the WLS docs for 6.1.
HTH
sree
"Ariel" <[email protected]> wrote in message
news:3bb4a643$[email protected]..
We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We downloaded the JDriver from bea.com, but all the instructions that came with it are for WLserver 5.1.
What has to be done to do this with 6.1 sp1?
Thanks,
Ariel -
RSA authentication with LDAP group mapping
Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?
@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott -
Cannot Add user to CMC Group when they are a member of LDAP group
On PreProduction Server CMC
Softerra LDAP browser used to verify user is a member of LDAP group
User does not show as a member of that group in the CMC
Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
On Production Server CMC
For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
Why don't the groups in CMC show what is actually showing in the LDAP browser?
Hi,
Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
Regards,
Julian