Login Restriction

Hello,
How to restrict login,
/ as sysdba
Please advise...

I am on the machine where the DB is installed.
I have checked remote_login_passwordfile parameter & it is set to Exclusive BUT it still allows me to login
/ as sysdba
Please advise.

Similar Messages

  • Login restriction on MII

    Hello
    I'm working on xMII 11.5
    Is it possible to restrict a specific log in to a specific computer?
    And is it possible to let only one session be opened per login? For example, login name xmii001: if I have xmii001 logged in and then tried to open another window with the same username, it should either say it was already opened and not let that login be opened again, or it would allow the new login but the previous login would log off automatically.
    Is it possible?
    Where can I find some information to let me do this, or is this possible to be made inside xMII?
    Best regards.

    The licensing model is based upon engines(plants) and named users not concurrent users, so nothing like this is available for 11.5 and the LHSecurity engine for logging in.  There is no action to kill off a user session on the server if someone just hits the X and closes a browser window, so the session just continues to get stale and once the timeout is met it is deleted.  No workstation IP address based restriction can be imposed either. 
    MII version 12.0 which runs on NetWeaver 7.0 and uses UME for logins might have additional capabilities for login restrictions, but you'd have to look into the http://help.sap.com website for more details.
    Regards,
    Jeremy

  • Filr & eDirectory login restrictions.

    Hi,
    I stumbled across something today that seems quite obvious now but did have me scratching my head for a while.
    We were experiencing issues with some users when they tried to upload files/create folders in their home folder using Filr. It would fail returning an "Unknown Error". Our user's home directories are on an NSS volume on an OES Linux server.
    After digging around for a while I found that the logs seemed to indicate an authentication failure. At first I looked at the proxy user but that wasn't the problem.
    It turns out that the problem is caused by account restrictions we have set in eDirectory that limit each user to one login. This is to prevent users from leaving themselves logged in all over the place.
    I lifted the restriction on one of the users and the problem went away. The users were logged in to a workstation as well as trying to use Filr.
    My question is can I enforce a login restriction and still allow users to use Filr at the same time?
    I can probably guess what the answer will be but I just thought I'd ask in case anyone has any ideas.
    Cheers.
    Iain.

  • Can I have two separate logins/restricted directories in the same web site?

    Hi,
    I want to have an admin area where I go against a user table to see if the user has admin rights and a separate area of the web site where regular users need a username and password that is validated against a different table.
    All the pages in the admin area are in the admin directory.
    All the pages in the other restricted area are in a consumers directory.
    Both these directories are off the root.
    Will this work ok? It seems to be, but I just wanted to check.
    Many thanks!

    No, I have two separate tables. It seems to be working, and I am hoping it is because I've kept all the pages that use one table in one directory, and all the pages that use the other table in another directory. Just wondering if I am asking for trouble. They are two different functions. One is for site administration, and one is for a number of users.

  • Employee Login Restrictions

    Have a requirement where we are using db authentication and we have the login with a special character, i.e. @. Now I am struggling to make the application authenticate using this login even though the user gets authenticated at the db level using double quotes around the username.
    Tried to use the quotes in the application, however that did not work either. Any suggestions, please advise.

    Thanks for the reply Christopher
    1. The employee pictures are in a .TGA format. I wonder if you have heard about it. Anyway, I tried linking the picture to an employee and it shows it in the PA30 transaction. However, I found out that the document class doesn't really matter when uploading the photos as I tried uploading the .TGA picture under document class JPG, GIF, BMP and they all worked. Can you tell me the reason for this inconsistency? Should I expect any other problems while uploading .TGA pics under a different document class?
    2. You said that there isn't any limit viz configuration. Can you tell me where this configuration can be done?
    Thanks

  • Mountain lion - remote login - RESTRICTING SFTP use

    I have a 10.8.2 server installation with remote login turned on for all users.
    I have just discovered that this means that SFTP login is available for all users, even though file sharing is OFF and ftp is OFF.
    And all users can navigate EVERYWHERE on the HDD.
    This seems a bit odd to me.
    How can we make it so admin users can access the whole HDD, but normal users can only see their home directory?
    Thanks, James.

    Use Workgroup Manager to change each user's login shell to None or /usr/bin/false should do it for you. This may hamper one's ability to use a network user account though so you should check it out on one account first. If they're just using services then disabling their shell login will work fine. After that, enable the FTP server to limit your users' ability to navigate.
    FWIW, SFTP doesn't actually give anyone anything more than they don't already have through an SSH login.

  • Help with Note 761637 - Login restrictions prevent TMSADM logon

    Hello all,
    I'm receiving a large number of logon prompts in STMS.  I'm having trouble understanding how to implement SAP note 761637 and was hoping someone that had implemented it already could guide me.
    The note says
    If you now add an entry with sysnam=,ADMPWD and the Routestring=USER to the TMSCROUTE table
    The fields in the table are sysnam & RFCRoute (This has description of RouteString)
    When I attempt to add an entry using SE16, SYSNAM has a selection list of only the systems I have, so why does the note tell me to enter the admpwd, which I assume is short for admin password?
    routestring=USER.  So I enter the word USER?
    I have implemented the following corrections
    Note 713622 - Password rules prevent TMSADM logon
    Note 749977 - Remote logons using standard client in the TMS
    Thank you for your help.

    OK, I'm having the same problems understanding this note as the original poster did.  I can't figure out if table TMSCROUTE is supposed to contain an entry like:
    ,ADMPWD     USER
    -or--
    ,<TheActualPassword>    TMSADM@<sid>.<domain>
    -or--
    some other weird variant?
    Can someone who's implemented 'stringent' passwords post an example of their working TMSCROUTE entry?  Meanwhile, I'll file a problem report, and when we get this working I'll post a response here.
    bryan

  • Restricted session & Kill Session

    Hello everybody,
    1) In which case do I need enabled restricted sessions?
    2) Where “ALTER SYSTEM KILL SESSION” command will be useful?
    Thanks in advance

    Salman Qureshi wrote:
    > Hi,
    > 1) In which case do I need enabled restricted sessions?
    > Whenever you want to perform some maintenance operations in your database and you don't want anyone to access the database except user SYS, you can enable restricted session.
    > 2) Where “ALTER SYSTEM KILL SESSION” command will be useful?
    > When you want to kill a session which is no longer responding or hung or doing some long running operation which is disturbing your performance or you want to stop that processing etc.
    > Salman
    Hi Salman,
    I think you'll find that "restricted session mode" does not limit login ability to only the SYS user as you mention.
    As an example, consider the following.
    Session 1:
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Jan 1 22:07:03 2013
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    SQL> connect / as sysdba
    Connected.
    SQL> shutdown immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> startup restrict;
    ORACLE instance started.
    Total System Global Area 2137886720 bytes
    Fixed Size                  2256912 bytes
    Variable Size            1258295280 bytes
    Database Buffers          872415232 bytes
    Redo Buffers                4919296 bytes
    Database mounted.
    Database opened.
    SQL>
    Session 2:
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Jan 1 22:07:51 2013
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    SQL> connect markwill
    Enter password:
    Connected.
    SQL> select logins from v$instance;
    LOGINS
    RESTRICTED
    1 row selected.
    SQL>
    As you can see in Session 2 I am clearly not connecting as SYS user, yet I am capable of connecting to an instance started in restricted mode.
    Rather than limiting to only user SYS it limits login ability to users with the RESTRICTED SESSION System Privilege (granted directly or via role).
    Regards,
    Mark
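
The point made in the reply above, as an added example that is not part of the original thread: queries that list which accounts can still connect while the instance reports LOGINS = RESTRICTED, that is, the holders of the RESTRICTED SESSION system privilege, granted directly or through (nested) roles. It assumes the session can read V$INSTANCE and the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added example (not from the thread). Run as an account that can read
-- V$INSTANCE and the DBA_* dictionary views.

-- 1. Current login mode of the instance: ALLOWED or RESTRICTED.
SELECT instance_name, logins
FROM   v$instance;

-- 2. Database users that hold RESTRICTED SESSION, and how they got it.
--    Direct grants come from DBA_SYS_PRIVS; inherited grants are found by
--    walking DBA_ROLE_PRIVS from each role that holds the privilege down
--    to every role or user that role was granted to.
SELECT u.username,
       u.account_status,
       g.via
FROM   dba_users u
JOIN  (
        SELECT grantee,
               'direct grant' AS via
        FROM   dba_sys_privs
        WHERE  privilege = 'RESTRICTED SESSION'
        UNION
        SELECT grantee,
               'via role' || SYS_CONNECT_BY_PATH(granted_role, '/') AS via
        FROM   dba_role_privs
        START WITH granted_role IN (SELECT grantee
                                    FROM   dba_sys_privs
                                    WHERE  privilege = 'RESTRICTED SESSION')
        CONNECT BY granted_role = PRIOR grantee
      ) g
      ON g.grantee = u.username
ORDER  BY u.username, g.via;

-- 3. A grant to PUBLIC gives the privilege to every account and does not
--    show up in the join above, because PUBLIC is not a row in DBA_USERS.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'RESTRICTED SESSION'
AND    grantee   = 'PUBLIC';
```

Any open account returned by query 2, or any account at all if query 3 returns a row, can log in to a restricted instance just as the non-SYS user did in Session 2.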

  • Instance in Restricted mode

    Created database from cold backup. The data files were moved from a previous release. I had to open the database with the upgrade option. Now cannot connect to it over network or using service names locally either.
    Get error
    ORA-12526 :TNS LISTENER : all appropriate instances are in restricted mode
    lsnrctl status shows
    Instance "xxx", status RESTRICTED, has 2 handler(s) for this service..
    How can I take this instance out of restricted mode. ..

    Which version are you on ?
    SYS@db102 SQL> startup upgrade
    ORACLE instance started.
    Total System Global Area       121634816 bytes
    Fixed Size                       1218052 bytes
    Variable Size                  104860156 bytes
    Database Buffers                12582912 bytes
    Redo Buffers                     2973696 bytes
    Database mounted.
    Database opened.
    SYS@db102 SQL> select logins from v$instance;
    LOGINS
    RESTRICTED
    SYS@db102 SQL> select * from v$version;
    BANNER
    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
    PL/SQL Release 10.2.0.1.0 - Production
    CORE    10.2.0.1.0      Production
    TNS for Linux: Version 10.2.0.1.0 - Production
    NLSRTL Version 10.2.0.1.0 - Production
    SYS@db102 SQL>                                                  

  • Restricting Log on to Workstation

    Good morning All,
    I was just asked the following: Is there a method either through Policy/DLU that can restrict access to a computer? Please see the following:
    Need some guidance on how to restrict login in the ZCM world. In ZDM7 there was a "restrict login" policy in the workstation package. At the Training Center, they have to be able to restrict the classroom PCs so that users can only log in with the classroom ID not their normal user id. I have tried getting the DLU policy to do this, but it doesn't seem to work that way. In checking Google, the only reference I found to getting this to work was the DLU policy. Need to figure out how to get this to work in the Training Center so they can upgrade the lab to ZCM.
    Customer is using ZCM 11.2.4 MU 1, Windows 7 and Windows XP.
    Thank you,

    Originally Posted by dschaldenovell
    > Good morning All,
    > I was just asked the following: Is there a method either through Policy/DLU that can restrict access to a computer? Please see the following:
    > Need some guidance on how to restrict login in the ZCM world. In ZDM7 there was a "restrict login" policy in the workstation package. At the Training Center, they have to be able to restrict the classroom PCs so that users can only log in with the classroom ID not their normal user id. I have tried getting the DLU policy to do this, but it doesn't seem to work that way. In checking Google, the only reference I found to getting this to work was the DLU policy. Need to figure out how to get this to work in the Training Center so they can upgrade the lab to ZCM.
    > Customer is using ZCM 11.2.4 MU 1, Windows 7 and Windows XP.
    > Thank you,
    There is "Login Restrictions" in the DLU policy in ZCM where you can define workstations/users included/excluded.
    Assign the DLU policy to the classroom PCs and then add the users to the included list that are allowed to log in on those classroom workstations, doesn't that work?
    Thomas

  • I have 20 seconds to login, or I have to reboot and try again...

    A few months ago I noticed if I don't login right away after boot up, the mouse will turn into a spinning ball and everything else becomes unresponsive.
    I've tested it multiple times now. I have about 20 seconds to click my account name, type in my password, and hit enter.
    The only thing I could think of that might affect it, is startup items. McAfee antivirus was located on my comp at one time, though I could not completely delete it. The script from mcafee that should delete everything was not located on my computer, so after every restart I 'kill' all mcafee processes from terminal. Could these be causing the login issue?

    All of those links work perfectly fine, +except last page.+ Some schools
    are generally open at this point of entry. Perhaps there's an IP block
    for certain regions for access, and others denied within a set range?
    Sure the actual download site link forbids (in this instance) the actual
    access to a file in their servers; so it is held as intellectual property
    and to offset unauthorized server access, rightly is it limited in use.
    While I did not read into the sites to see if they view information held
    there to be in the public domain, subject to intellectual property rights
    or available to share without profit, among general non-school public;
    it goes to figure copyrighted web pages probably cover most angles.
    If they were open, someone could send the transcript in email to OP.
    At least there appears to be a direct link without the login restriction.
    This gets around the one set of hurdles and lets the cat out of the bag.
    The idea of using the suspect application's own uninstaller, if available,
    or another such as you've posted links to acquire, are plausible ideas.
    To start in SafeBoot may also get past the 'fast log-in problem' mentioned.
    {Some apps have an uninstaller, either in the original install folder or CD.}
    AppCleaner is free/donationware: http://www.freemacsoft.net/AppCleaner/
    {Some of the others offer a Trial version, that may do enough to solve a problem.
    Most are relatively inexpensive, and are helpful to ferret out unwanted software.}
    • 6 Ways to Correctly Delete Applications (according to mac.appstorm's roundup)
    http://mac.appstorm.net/roundups/utilities-roundups/6-ways-to-correctly-delete-applications/
    Oh well. It's always fun wondering why page links work in only part of the hemisphere.
    And have come to expect if something is worth having, it may be limited in access...
    Good luck & happy computing!

  • Can you 'lock out' a workstation via ZENworks?

    Hi,
    I was wondering if there was a way to 'lock out' a workstation via
    ZENworks so users can no longer log into the workstation temporarily.
    This is the scenario - when someone within our company orders a new
    workstation, they will many times tell us that the workstation is being
    replaced when in reality the old workstation it is replacing is never
    taken off the network.
    The problem? - we do not charge any new license fees for replacement
    workstations PROVIDING the old workstation is disposed of (that way we
    are able to transfer the licenses from the old to the new). If the old
    workstation is still used, we are in violation of license fees.
    Solution? - 'lock out' the old workstation so no one can use it any
    longer unless they call our Helpdesk and it is 'unlocked' at which time
    we remind them of the license charges.
    I am not sure how this can be performed. We currently do something
    similar with NEW XP PCs that have no local user accounts on them yet
    (basically we enable login restrictions under the DLU policy - if the
    workstation can't create a local user account for the user, they can't
    log into the network or the PC). That solution would not work in this
    case though since the local accounts would already be created on the PC.
    We don't want to remove any software from the machine that will need to
    be reinstalled in case the site does want to keep the machine on the
    network after a new one is purchased. The solution should be designed to
    easily enable the machine if the site does decide they want to keep the
    machine on the network. Later on we would FDISK the PC for disposal.
    Any help would be GREATLY appreciated as ALWAYS!
    Steve

    Perhaps a Workstation Associated app that just pushed an invalid value for the
    GINA.DLL
    Either Remote Regedit or another Force-Run app could restore this to a correct
    value.
    Needs testing to make sure you can fix what you break, but this would leave
    everything intact.
    Marcus Breiden wrote:
    > On Mon, 23 May 2005 19:05:23 GMT, [email protected] wrote:
    >
    > > I am not sure how this can be performed. We currently do something
    > > similar with NEW XP PCs that have no local user accounts on them yet
    > > (basically we enable login restrictions under the DLU policy - if the
    > > workstation can't create a local user account for the user, they can't
    > > log into the network or the PC). That solution would not work in this
    > > case though since the local accounts would already be created on the PC.
    >
    > hmmm.... I would create an application and associate it to the wks, make it
    > force run..
    >
    > in that app remove / or change the Tree for the workstation manager... this
    > will disable all policy management (also DLU)...
    >
    > in case your accounts are locally on that box you would have to do some
    > more stuff to get around your problem...
    > --
    >
    > Marcus Breiden
    >
    > Please change -- to - to mail me.
    > The content of this mail is my private and personal opinion.
    > http://www.edu-magic.net
    Craig Wilson
    CNE3, 4, 5 - MCSE - CCNA
    NSC Sysop (http://support.novell.com/forums/)
    Tech Writer - http://www.ithowto.com
    (I Peter 4:10)

  • SSL VPN Group-Lock problem

    Hi,
    I am trying to lock groups to a specific tunnel group but unfortunately no matter what I do the group-lock feature doesn't seem to work. Basically here is what I want to do:
    1-Users detail is pulled from AD through LDAP
    2-AD group is mapped to the appropriate group on the ASA using attribute mapping
    3-user should only use the tunnel that he/she is locked to
    4-this all should be done without the user needing to select a group on the VPN portal
    5-we will be using AnyConnect and VPN portal for communication
    All works fine except the group-lock feature. If enabled and set to "group-lock value NET_ADMIN_G" I get the following error on debug webvpn and the user is not allowed in.
    webvpn_auth.c:http_webvpn_post_authentication[1503]
    WebVPN: user: (test) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2905]
    User came in on group he wasn't supposed to come in on!
    when removed no matter what I do the user is mapped to DefaultWEBVPNGroup tunnel group,
    SSLVPN(config-group-policy)# sho vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : test      Index        : 132
    Public IP    : 10.1.1.1
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)AES256  Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 252897                 Bytes Rx     : 48894
    Group Policy : NET_ADMIN              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:18:13 EDT Fri Mar 22 2013
    Duration     : 0h:01m:12s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    Asa is on 9.11.4.
    group policy:
    group-policy NET_ADMIN internal
    group-policy NET_ADMIN attributes
    wins-server none
    dns-server value 2.2.2.2
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-session-timeout alert-interval 25
    vpn-filter value VPN_SPLIT_TUNNEL
    vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
    password-storage disable
    ip-comp enable
    re-xauth disable
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_SPLIT_TUNNEL
    default-domain value brightstarcorp.com
    split-dns value brightstarcorp.com
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    client-bypass-protocol disable
    gateway-fqdn value svgmelb.au.brightstarcorp.com
    leap-bypass disable
    nem disable
    backup-servers clear-client-config
    msie-proxy method no-modify
    vlan none
    nac-settings none
    address-pools value SSL_POOL
    ipv6-address-pools none
    scep-forwarding-url none
    client-firewall none
    client-access-rule none
    webvpn
      url-list value NETADMIN_BOOKMARK
      filter value INTERNAL_WEBACL
      homepage use-smart-tunnel
      anyconnect ssl dtls enable
      anyconnect mtu 1406
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time none
      anyconnect ssl rekey method none
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect ssl compression lzs
      anyconnect dtls compression lzs
      anyconnect modules value posture
      anyconnect profiles value net_admin_p type user
      anyconnect ask none default webvpn
      customization value NETADMIN_PORTAL
      hidden-shares visible
      activex-relay enable
      file-entry enable
      file-browsing enable
      url-entry enable
      deny-message value Login was successful, but because certain criteria have not been met, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
      anyconnect ssl df-bit-ignore disable
      always-on-vpn profile-setting
      auto-signon allow uri * auth-type all
    Tunnel Group:
    tunnel-group NET_ADMIN_G type remote-access
    tunnel-group NET_ADMIN_G general-attributes
    address-pool SSL_POOL
    authentication-server-group LDAP
    authorization-server-group LDAP
    accounting-server-group RGROUPADMIN
    default-group-policy NET_ADMIN
    authorization-required
    tunnel-group NET_ADMIN_G webvpn-attributes
    customization NETADMIN_PORTAL
    group-alias infra_network enable
    group-url https://x.x.x.x/network enable
    dns-group DNSGROUP
    Any ideas?
    Thanks in advance

    Hi Portu,
    Here's debug LDAP:
    SLVPN#
    [553] Session Start
    [553] New request Session, context 0x00007fff33beb228, reqType = Authentication
    [553] Fiber started
    [553] Creating LDAP context with uri=ldap://1.1.1.13:389
    [553] Connect to LDAP server: ldap://1.1.1.13:389, status = Successful
    [553] supportedLDAPVersion: value = 3
    [553] supportedLDAPVersion: value = 2
    [553] Binding as bind
    [553] Performing Simple authentication for test to 1.1.1.13
    [553] LDAP Search:
    Base DN = [OU=xx ENTERPRISE,DC=xxx,DC=com]
    Filter  = [sAMAccountName=test]
    Scope   = [SUBTREE]
    [553] User DN = [CN=test,OU=Users,OU=xx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com]
    [553] Talking to Active Directory server 1.1.1.13
    [553] Reading password policy for test, dn:CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com
    [553] Read bad password count 0
    [553] Binding as test
    [553] Performing Simple authentication for test to 1.1.1.13
    [553] Processing LDAP response for user test
    [553] Message (test):
    [553] Authentication successful for test to 1.1.1.13
    [553] Retrieved User Attributes:
    [553] objectClass: value = top
    [553] objectClass: value = person
    [553] objectClass: value = organizationalPerson
    [553] objectClass: value = user
    [553] cn: value = test
    [553] sn: value =
    [553] c: value = AU
    [553] l: value = xxx
    [553] st: value = xxx
    [553] title: value = test user  / IT
    [553] description: value = Network
    [553] postalCode: value = xxx
    [553] physicalDeliveryOfficeName: value = xxx
    [553] telephoneNumber: value = xxx
    [553] givenName: value = test
    [553] distinguishedName: value = CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=br
    [553] instanceType: value = 4
    [553] whenCreated: value = 20110327224420.0Z
    [553] whenChanged: value = 20130319223953.0Z
    [553] displayName: value = test
    [553] uSNCreated: value = 84454809
    [553] memberOf: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=
    [553] mapped to IETF-Radius-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
    [553] mapped to LDAP-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
    [553] memberOf: value = CN=Networks,OU=Distribution Groups,OU=xxx,OU=Australia,OU=APAC,OU=
    [553] mapped to IETF-Radius-Class: value = NET_ADMIN
    [553] mapped to LDAP-Class: value = NET_ADMIN
    [553] memberOf: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate
    [553] mapped to IETF-Radius-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
    [553] mapped to LDAP-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
    aaa common debug:
    AAA API: In aaa_open
    AAA session opened: handle = 3
    AAA API: In aaa_process_async
    aaa_process_async: sending AAA_MSG_PROCESS
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 0
    AAA FSM: In AAA_StartAAATransaction
    AAA FSM: In AAA_InitTransaction
    Initiating authentication to primary server (Svr Grp: LDAP)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server: 1.1.1.13
    AAA FSM: In AAA_SendMsg
    User: test
    Resp:
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
    AAA_NextFunction: authen svr = BSTAR_LDAP, author svr = LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
    AAA_NextFunction: New i_fsm_state = IFSM_USER_GRP_POLICY,
    AAA FSM: In AAA_InitTransaction
    aaai_policy_name_to_server_id(NET_ADMIN)
    Got server ID 0 for group policy DB
    Initiating user group policy lookup (Svr Grp: GROUP_POLICY_DB)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: NET_ADMIN
    Resp:
    grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
    grp_policy_ioctl: Looking up NET_ADMIN
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    User Group Policy Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
    AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
    AAA FSM: In AAA_InitTransaction
    Initiating authorization query (Svr Grp: LDAP)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server: 1.1.1.13
    AAA FSM: In AAA_SendMsg
    User: test
    Resp:
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authorization Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
    AAA_NextFunction: author svr = BSTAR_LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
    AAA_NextFunction: New i_fsm_state = IFSM_AUTH_GRP_POLICY,
    AAA FSM: In AAA_InitTransaction
    aaai_policy_name_to_server_id(NET_ADMIN)
    Got server ID 0 for group policy DB
    Initiating authorization group policy lookup (Svr Grp: GROUP_POLICY_DB)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: NET_ADMIN
    Resp:
    grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
    grp_policy_ioctl: Looking up NET_ADMIN
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authorization Group Policy Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_AUTH_GRP_POLICY, auth_status = ACCEPT
    AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
    AAA FSM: In AAA_InitTransaction
    aaai_policy_name_to_server_id(DfltGrpPolicy)
    Got server ID 0 for group policy DB
    Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: DfltGrpPolicy
    Resp:
    grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
    grp_policy_ioctl: Looking up DfltGrpPolicy
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Tunnel Group Policy Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
    Class attribute created from LDAP-Class attribute
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    Checking simultaneous login restriction (max allowance=3) for user test
    AAA FSM: In AAA_Callback
    user attributes:
      1     User-Name(1)      6    "test"
      2     User-Password(2)     10    (hidden)
      3     Group-Policy(4121)      9    "NET_ADMIN"
      4     AAA-AVP-Table(4243)    11268    "[04],[00][00]t[00][00][00][F8][03][00][00][0F][04][00]"
      5     LDAP-Class(20520)     10    "NET_ADMIN[00]"
      6     LDAP-Class(20520)     11    "USERS[00]"
    user policy attributes:
      1     Filter-Id(11)      8    "VPN_SPLIT_TUNNEL"
      2     Session-Timeout(27)      4    0
      3     Idle-Timeout(28)      4    30
      4     Access-Hours(4097)      0    0x00007fff35d685e0   ** Unresolved Attribute **
      5     Simultaneous-Logins(4098)      4    3
      6     Primary-DNS(4101)      4    IP: 1.1.1.13
      7     Secondary-DNS(4102)      4    IP: 1.1.1.30
      8     Primary-WINS(4103)      4    IP: 0.0.0.0
      9     Secondary-WINS(4104)      4    IP: 0.0.0.0
    10     Tunnelling-Protocol(4107)      4    52
    11     Banner(4111)    446    "This is a PRIVATE computer system, which may be acces"
    12     Store-PW(4112)      4    0
    13     Split-Tunnel-Inclusion-List(4123)      8    "VPN_SPLIT_TUNNEL"
    14     Default-Domain-Name(4124)     18    "xxxxcorp.com"
    15     Secondary-Domain-Name-List(4125)     18    "xxxxcorp.com"
    16     Nat-Enabled-IPSec(4130)      4    0
    17     IPSec-UDP-Port(4131)      4    10000
    18     IPComp(4135)      4    1
    19     Authentication-On-Rekey(4138)      4    0
    20     Required-Firewall-Vendor-Code(4141)      0    0x0000000002e006b0   ** Unresolved Attribute **
    21     Required-Firewall-Product-Code(4142)      0    0x0000000002e006b0   ** Unresolved Attribute **
    22     Required-Firewall-Description(4143)      0    0x00007fff35d687fa   ** Unresolved Attribute **
    23     Secure-unit-config(4144)      4    0
    24     Individual-user-auth-config(4145)      4    0
    25     User-auth-idle-timeout(4146)      4    0
    26     Cisco-IP-telephony-config(4147)      4    0
    27     Split-Tunneling-Policy(4151)      4    1
    28     Required-Firewall-Capability(4152)      0    0x0000000002e006b0   ** Unresolved Attribute **
    29     Client Firewall Optional(4154)      0    0x0000000002e006b0   ** Unresolved Attribute **
    30     Backup-Ip-Sec-Peers-Enabled(4155)      4    2
    31     Network-Extension-Mode-Allowed(4160)      4    0
    32     URL list name(4167)     17    "NETADMIN_BOOKMARK"
    33     ACL-like filters(4169)      8    "INTERNAL_WEBACL"
    34     Cisco-LEAP-Passthrough-config(4171)      4    0
    35     IKE Client Type and Version Limiting policy rules(4173)      0    0x00007fff35d68835   ** Unresolved Attribute **
    36     IE-Proxy-Server-Method(4177)      4    1
    37     The tunnel group that tunnel must be associated with(4181)     11    "NET_ADMIN_G"
    38     User ACL for inbound traffic(4182)      8    ""
    39     User ACL for outbound traffic(4183)      8    ""
    40     Indicates whether or not PFS is required for IPSec(4184)      4    0
    41     WebVPN URL Entry enable(4189)      4    1
    42     WebVPN File Server Entry enable(4191)      4    1
    43     WebVPN File Server Browsing enable(4192)      4    1
    44     WebVPN SVC Keep enable(4201)      4    1
    45     WebVPN SVC Keepalive interval(4203)      4    20
    46     WebVPN SVC Client DPD period(4204)      4    30
    47     WebVPN SVC Gateway DPD period(4205)      4    30
    48     WebVPN SVC Rekey period(4206)      4    0
    49     WebVPN SVC Rekey method(4207)      4    0
    50     WebVPN SVC Compression(4208)      4    2
    51     WebVPN Customization(4209)     15    "NETADMIN_PORTAL"
    52     WebVPN Deny message(4212)    180    "Login was successful, but because certain criteria ha"
    53     WebVPN SVC DTLS Compression(4213)      4    2
    54     Extended Authentication-On-Rekey(4218)      4    0
    55     WebVPN SVC DTLS enable(4219)      4    1
    56     WebVPN SVC MTU(4221)      4    1406
    57     CIFS hidden shares(4222)      4    1
    58     CVC-Modules(4223)      7    "posture"
    59     CVC-Profile(4224)     17    "net_admin_p#user,"
    60     CVC-Ask(4227)      4    4
    61     CVC-Ask-Timeout(4228)      4    0
    62     WebVPN ActiveX Relay(4233)      4    1
    63     VLAN ID(4236)      4    0
    64     NAC Settings(4237)      0    0x00007fff35d68985   ** Unresolved Attribute **
    65     WebVPN Session timeout alert interval(4245)      4    25
    66     List of address pools to assign addresses from(4313)     13    "SSL_POOL"
    67     List of IPv6 address pools to assign addresses from(4314)      0    0x00007fff35d68998   ** Unresolved Attribute **
    68     Smart tunnel on home page enable(4324)      4    1
    69     Disable Always-On VPN(4325)      4    0
    70     SVC ignore DF bit(4326)      4    0
    71     Client Bypass Protocol(4331)      4    0
    72     Gateway FQDN(4333)     29    "xxx.xxxxcorp.com"
    73     CA URL for SCEP enrollment(20530)      0    0x00007fff35d689c7   ** Unresolved Attribute **
    tunnel policy attributes:
      1     Filter-Id(11)      8    "VPN_SPLIT_TUNNEL"
      2     Session-Timeout(27)      4    0
      3     Idle-Timeout(28)      4    30
      4     Access-Hours(4097)      0    0x00007fff351cddd0   ** Unresolved Attribute **
      5     Simultaneous-Logins(4098)      4    0
      6     Primary-DNS(4101)      4    IP: 10.125.3.7
      7     Secondary-DNS(4102)      4    IP: 10.125.3.5
      8     Primary-WINS(4103)      4    IP: 0.0.0.0
      9     Secondary-WINS(4104)      4    IP: 0.0.0.0
    10     Tunnelling-Protocol(4107)      4    124
    11     Banner(4111)    446    "This is a PRIVATE computer system, which may be acces"
    12     Store-PW(4112)      4    0
    13     Group-Policy(4121)     13    "DfltGrpPolicy"
    14     Split-Tunnel-Inclusion-List(4123)      8    "VPN_SPLIT_TUNNEL"
    15     Default-Domain-Name(4124)     18    "xxxxcorp.com"
    16     Secondary-Domain-Name-List(4125)      0    0x00007fff351cdfc7   ** Unresolved Attribute **
    17     Nat-Enabled-IPSec(4130)      4    0
    18     IPSec-UDP-Port(4131)      4    10000
    19     IPComp(4135)      4    0
    20     Authentication-On-Rekey(4138)      4    0
    21     Secure-unit-config(4144)      4    0
    22     Individual-user-auth-config(4145)      4    0
    23     User-auth-idle-timeout(4146)      4    30
    24     Cisco-IP-telephony-config(4147)      4    0
    25     Split-Tunneling-Policy(4151)      4    1
    26     Client Firewall Optional(4154)      0    0x00007fff351cdfec   ** Unresolved Attribute **
    27     Backup-Ip-Sec-Peers-Enabled(4155)      4    1
    28     Group-giaddr(4157)      4    IP: 0.0.0.0
    29     Intercept-DHCP-Configure-Msg(4158)      4    0
    30     Client-Subnet-Mask(4159)      4    IP: 255.255.255.255
    31     Network-Extension-Mode-Allowed(4160)      4    0
    32     WebVPN Content Filter Parameters(4165)      4    0
    33     WebVPN Parameters configuration(4166)      4    1
    34     URL list name(4167)      0    0x00007fff351ce008   ** Unresolved Attribute **
    35     Forwarded ports(4168)      0    0x00007fff351ce009   ** Unresolved Attribute **
    36     ACL-like filters(4169)      8    "INTERNAL_WEBACL"
    37     Cisco-LEAP-Passthrough-config(4171)      4    0
    38     Default WebVPN homepage(4172)      0    0x00007fff351ce016   ** Unresolved Attribute **
    39     IKE Client Type and Version Limiting policy rules(4173)      0    0x00007fff351ce017   ** Unresolved Attribute **
    40     Application Access Name(4175)     18    "Application Access"
    41     IE-Proxy-Server(4176)      0    0x00007fff351ce02b   ** Unresolved Attribute **
    42     IE-Proxy-Server-Method(4177)      4    1
    43     IE-Proxy-Server-Exceptions(4178)      0    0x00007fff351ce030   ** Unresolved Attribute **
    44     IE-Proxy-Server-Bypass-Local(4179)      4    0
    45     The tunnel group that tunnel must be associated with(4181)      0    0x00007fff351ce035   ** Unresolved Attribute **
    46     Indicates whether or not PFS is required for IPSec(4184)      4    0
    47     NAC Enable/Disable(4185)      4    0
    48     NAC Status Query Timer(4186)      4    300
    49     NAC Revalidation Timer(4187)      4    36000
    50     NAC Default ACL(4188)      8    ""
    51     WebVPN URL Entry enable(4189)      4    0
    52     WebVPN File Server Entry enable(4191)      4    0
    53     WebVPN File Server Browsing enable(4192)      4    0
    54     WebVPN Port Forwarding enable(4193)      4    0
    55     WebVPN Port Forwarding Exchange Proxy enable(4194)      4    0
    56     WebVPN Port Forwarding HTTP Proxy enable(4195)      4    0
    57     WebVPN SVC enable(4199)      4    0
    58     WebVPN SVC Required enable(4200)      4    0
    59     WebVPN SVC Keep enable(4201)      4    0
    60     WebVPN SVC Keepalive interval(4203)      4    20
    61     WebVPN SVC Client DPD period(4204)      4    30
    62     WebVPN SVC Gateway DPD period(4205)      4    30
    63     WebVPN SVC Rekey period(4206)      4    0
    64     WebVPN SVC Rekey method(4207)      4    0
    65     WebVPN SVC Compression(4208)      4    2
    66     WebVPN Customization(4209)      0    0x00007fff351ce08a   ** Unresolved Attribute **
    67     Single Sign On Server Name(4210)      0    0x00007fff351ce08b   ** Unresolved Attribute **
    68     WebVPN SVC Firewall Rule(4211)     17    "private#,public#,"
    69     WebVPN Deny message(4212)    180    "Login was successful, but because certain criteria ha"
    70     WebVPN SVC DTLS Compression(4213)      4    2
    71     HTTP compression method(4216)      4    0
    72     Maximum object size to ignore for updating the session timer(4217)      4    4
    73     Extended Authentication-On-Rekey(4218)      4    0
    74     WebVPN SVC DTLS enable(4219)      4    1
    75     WebVPN SVC MTU(4221)      4    1406
    76     CIFS hidden shares(4222)      4    0
    77     CVC-Modules(4223)     20    "dart,vpngina,posture"
    78     CVC-Profile(4224)     15    "IPSEC_VPN#user,"
    79     CVC-IKE-Retry-Timeout(4225)      4    10
    80     CVC-IKE-Retry-Count(4226)      4    3
    81     CVC-Ask(4227)      4    2
    82     CVC-Ask-Timeout(4228)      4    0
    83     IE-Proxy-Pac-URL(4229)      0    0x00007fff351ce1a4   ** Unresolved Attribute **
    84     IE-Proxy-Lockdown(4230)      4    1
    85     WebVPN Smart Tunnel(4232)      0    0x00007fff351ce1a9   ** Unresolved Attribute **
    86     WebVPN ActiveX Relay(4233)      4    1
    87     WebVPN Smart Tunnel Auto Download enable(4234)      4    0
    88     WebVPN Smart Tunnel Auto Sign On enable(4235)      0    0x00007fff351ce1b2   ** Unresolved Attribute **
    89     VLAN ID(4236)      4    0
    90     NAC Settings(4237)      0    0x00007fff351ce1b7   ** Unresolved Attribute **
    91     MemberOf(4241)      0    0x00007fff351ce1b8   ** Unresolved Attribute **
    92     WebVPN Idle timeout alert interval(4244)      4    1
    93     WebVPN Session timeout alert interval(4245)      4    1
    94     Maximum object size for download(4253)      4    2147483647
    95     Maximum object size for upload(4254)      4    2147483647
    96     Maximum object size for post(4255)      4    2147483647
    97     User storage(4256)      0    0x00007fff351ce1cd   ** Unresolved Attribute **
    98     User storage objects(4257)     19    "cookies,credentials"
    99     User storage shared key(4258)      0    0x00007fff351ce1e2   ** Unresolved Attribute **
    100     VDI configuration(4259)      0    0x00007fff351ce1e3   ** Unresolved Attribute **
    101     NAC Exception List(4312)      4    0
    102     List of address pools to assign addresses from(4313)      0    0x00007fff351ce1e8   ** Unresolved Attribute **
    103     List of IPv6 address pools to assign addresses from(4314)      0    0x00007fff351ce1e9   ** Unresolved Attribute **
    104     IPv6 filter-id(4315)      8    ""
    105     WebVPN Unix user ID(4317)      4    65534
    106     WebVPN Unix group ID(4318)      4    65534
    107     Disconnect VPN tunnel when a Smartcard is removed(4321)      4    1
    108     WebVPN Smart Tunnel Tunnel Policy(4323)      0    0x00007fff351ce1fe   ** Unresolved Attribute **
    109     Disable Always-On VPN(4325)      4    1
    110     SVC ignore DF bit(4326)      4    0
    111     SVC client routing/filtering ignore(4327)      4    0
    112     Configure the behaviour of DNS queries by the client when Split tunneling is enabled(4328)      4    0
    113     Client Bypass Protocol(4331)      4    0
    114     IPv6-Split-Tunneling-Policy(4332)      4    0
    115     Gateway FQDN(4333)      0    0x00007fff351ce217   ** Unresolved Attribute **
    116     CA URL for SCEP enrollment(20530)      0    0x00007fff351ce218   ** Unresolved Attribute **
    Auth Status = ACCEPT
    AAA API: In aaa_close
    AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 3
    In aaai_close_session (3)
    Thanks,
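
The attribute tables in the debug output above can be compared mechanically. The following parser is an added illustration (not part of the original post and not Cisco tooling): it reads the three attribute sections and reports which policy's Simultaneous-Logins value matches the logged "max allowance". Function names are hypothetical, and the sample is abridged from the dump above.

```python
import re

# Abridged from the `debug aaa` dump quoted above (same layout, fewer rows).
SAMPLE = '''\
Checking simultaneous login restriction (max allowance=3) for user test
user attributes:
  1     User-Name(1)      6    "test"
  3     Group-Policy(4121)      9    "NET_ADMIN"
  5     LDAP-Class(20520)     10    "NET_ADMIN[00]"
  6     LDAP-Class(20520)     11    "USERS[00]"
user policy attributes:
  3     Idle-Timeout(28)      4    30
  4     Access-Hours(4097)      0    0x00007fff35d685e0   ** Unresolved Attribute **
  5     Simultaneous-Logins(4098)      4    3
 10     Tunnelling-Protocol(4107)      4    52
tunnel policy attributes:
  3     Idle-Timeout(28)      4    30
  5     Simultaneous-Logins(4098)      4    0
 10     Tunnelling-Protocol(4107)      4    124
Auth Status = ACCEPT
'''

SECTION = re.compile(r"^\s*(user attributes|user policy attributes|tunnel policy attributes):\s*$")
ATTR = re.compile(r"^\s*\d+\s+(?P<name>.+?)\((?P<id>\d+)\)\s+(?P<len>\d+)\s+(?P<val>.*)$")
ALLOW = re.compile(r"simultaneous login restriction \(max allowance=(\d+)\) for user (\S+)")

def parse_aaa_dump(text):
    """Return (sections, allowance): sections maps section -> {attr: [values]}."""
    sections, current, allowance = {}, None, None
    for line in text.splitlines():
        if (m := ALLOW.search(line)):
            allowance = (m.group(2), int(m.group(1)))   # (user, max logins)
        elif (m := SECTION.match(line)):
            current = sections.setdefault(m.group(1), {})
        elif (m := ATTR.match(line)) and current is not None:
            val = m.group("val").strip()
            # Unset attributes are dumped as a pointer plus a marker; store None.
            val = None if "Unresolved Attribute" in val else val.strip('"')
            current.setdefault(m.group("name").strip(), []).append(val)
        else:
            current = None                              # any other line ends a section
    return sections, allowance

def policy_diff(sections, names):
    """Attributes whose value differs between the user policy and tunnel policy."""
    user = sections.get("user policy attributes", {})
    tunnel = sections.get("tunnel policy attributes", {})
    return {n: (user.get(n), tunnel.get(n)) for n in names if user.get(n) != tunnel.get(n)}

def allowance_source(sections, allowance):
    """Sections whose Simultaneous-Logins equals the logged max allowance."""
    want = [str(allowance[1])]
    return [s for s, attrs in sections.items() if attrs.get("Simultaneous-Logins") == want]

if __name__ == "__main__":
    secs, allow = parse_aaa_dump(SAMPLE)
    print("enforced:", allow, "from", allowance_source(secs, allow))
    print(policy_diff(secs, ["Simultaneous-Logins", "Tunnelling-Protocol", "Idle-Timeout"]))
```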

  • Can you lock out the iPad while it is traveling down the road?

    I would like to put an iPad in my trucks, but I can't trust the drivers to not use it while they are driving. Is there a way to lock out the iPad while the vehicle is moving?

    Perhaps a Workstation Associated app that just pushed an invalid value for the
    GINA.DLL
    Either Remote Regedit or another Force-Run app could restore this to a correct
    value.
    Needs testing to make sure you can fix what you break, but this would leave
    everything intact.
    Marcus Breiden wrote:
    > On Mon, 23 May 2005 19:05:23 GMT, [email protected] wrote:
    >
    > > I am not sure how this can be performed. We currently do something
    > > similar with NEW XP PCs that have no local user accounts on them yet
    > > (basically we enable login restrictions under the DLU policy - if the
    > > workstation can't create a local user account for the user, they can't
    > > log into the network or the PC). That solution would not work in this
    > > case though since the local accounts would already be created on the PC.
    >
    > hmmm.... I would create an application and associate it to the wks, make it
    > force run..
    >
    > in that app remove / or change the Tree for the workstation manager... this
    > will disable all policy management (also DLU)...
    >
    > in case your accounts are locally on that box you would have to do some
    > more stuff to get around your problem...
    > --
    >
    > Marcus Breiden
    >
    > Please change -- to - to mail me.
    > The content of this mail is my private and personal opinion.
    > http://www.edu-magic.net
    Craig Wilson
    CNE3, 4, 5 - MCSE - CCNA
    NSC Sysop (http://support.novell.com/forums/)
    Tech Writer - http://www.ithowto.com
    (I Peter 4:10)

  • Multiple Logon in Production

    All,
    I am trying to understand the actual risk of allowing users multiple logon in production systems. As of now I believe that should logon credentials be stolen then it's not possible to monitor illegal logons and also a possible data inconsistency.
    Please throw some light, have tried searching with the logon profile parameters in the forum and online, but nothing concrete found.
    Kind Regards,
    AJS

    Hi Avinash,
    Production system should not allow multiple logon.
    Please have a look at the links below for restricting multiple logins:
    Restrict multiple logins for a single user in Portal: /message/6942923#6942923 [original link is broken]
    Limiting Number of Users Logged On: http://wiki.sdn.sap.com/wiki/display/EP/LimitingNumberofUsersLogged+On
    Hope it helps
    Regards
