Login to LDAP

Hello,
I'm developing a simple login servlet to authenticate my users against LDAP (Active Directory); this is my code:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://[ip address]:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, req.getParameter("username"));
env.put(Context.SECURITY_CREDENTIALS, req.getParameter("password"));
DirContext ctx = new InitialDirContext(env); // the simple bind itself is the authentication check
ctx.close();
The problem is that this code works correctly (and I can authenticate my user) only if the username has the right to log on to the server that LDAP is installed on; otherwise I get:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
Is it possible to authenticate without granting all users the right to log on to the LDAP server?
Thanks a lot
Matteo

Your alternative would be to logon to LDAP with SECURITY_PRINCIPAL set to the administrative user (and ditto for the password). Then you would have to read the entry for the user and compare the password field from LDAP to the input parameter.
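The service-account pattern from the reply, as an added example that is not part of the original thread and not Matteo's code: a read-only account binds first and searches for the user's entry by sAMAccountName, and the user's credentials are then checked with a second bind as the DN the search returned. That second bind replaces the password comparison the reply mentions, because Active Directory does not return a readable password attribute over LDAP, and it is also where a directory-side logon restriction still surfaces: the `data 531` subcode in the error 49 message above is AD's "not permitted to log on at this workstation" code, so whether that bind succeeds is decided by the account's logon settings, not by the application. The class name, server URL, DNs and the `LdapUserAuthenticator` API are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical class: a read-only service account (assumed) locates the user's DN,
// then the user's own credentials are verified with a second bind.
public final class LdapUserAuthenticator {

    private final String providerUrl;    // assumed, e.g. "ldaps://dc01.example.test:636"
    private final String serviceDn;      // assumed read-only service account DN
    private final char[] servicePassword;
    private final String baseDn;         // assumed, e.g. "DC=example,DC=test"

    public LdapUserAuthenticator(String providerUrl, String serviceDn,
                                 char[] servicePassword, String baseDn) {
        this.providerUrl = providerUrl;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
        this.baseDn = baseDn;
    }

    /** Returns the authenticated user's DN, or null when the credentials are rejected. */
    public String authenticate(String username, char[] password) throws NamingException {
        // Reject empty passwords first: RFC 4513 lets a server treat "DN + empty password"
        // as an anonymous bind that succeeds, which would turn a blank field into a login.
        if (username == null || username.isEmpty() || password == null || password.length == 0) return null;
        String userDn = findUserDn(username);
        if (userDn == null) return null;
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close(); // the bind itself is the credential check
            return userDn;
        } catch (AuthenticationException e) {
            // Error 49. Log e.getMessage() server-side: its "data NNN" subcode (531 in the
            // post above) tells operators which directory rule rejected the bind.
            return null;
        }
    }

    // Finds exactly one entry whose login name equals username, via the service account.
    private String findUserDn(String username) throws NamingException {
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // only the DN is needed
            // sAMAccountName is the AD login name; other directories would use uid or cn.
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilterValue(username) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
            String dn = null;
            int matches = 0;
            try {
                while (results.hasMore()) {
                    dn = results.next().getNameInNamespace();
                    matches++;
                }
            } catch (PartialResultException e) {
                // AD appends referrals after the real entries; with REFERRAL=ignore JNDI
                // reports them as this exception, which here simply means end of data.
            } finally {
                results.close();
            }
            return matches == 1 ? dn : null; // an ambiguous match is treated as no match
        } finally {
            ctx.close();
        }
    }

    private Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.REFERRAL, "ignore");
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds
        return env;
    }

    /** Escapes filter metacharacters (RFC 4515) so user input cannot alter the search filter. */
    static String escapeFilterValue(String value) {
        return value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                    .replace(")", "\\29").replace("\0", "\\00");
    }
}
```

In the servlet, call `authenticate(req.getParameter("username"), req.getParameter("password").toCharArray())` after checking both parameters for null, and prefer an `ldaps://` URL (or StartTLS) over the plain `ldap://...:389` URL in the question, since a simple bind sends the password in clear text. The service account needs only read access to user entries; the application never reads a password attribute from the directory.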

Similar Messages

  • How to create a user that can log in to the LDAP?

    I want to create a user that can log in to the OID/LDAP. I know how to create a user; it is allowed to log in to OIDDAS, but I also want the user to be granted access to LDAP directly. How do I do that?
    And how can I give it read rights and/or update/delete rights on a specific tree?
    Regards
    Eelco

    Eelco,
    Did you see the OiD developer's guide? There you find some examples of how to create users in OiD using PL/SQL or Java.
    http://download-west.oracle.com/docs/cd/A97329_03/manage.902/a95193/smplcode.htm#637294
    How to use directory access control can be found in
    http://download-west.oracle.com/docs/cd/A97329_03/manage.902/a95192/access.htm#1054232
    --Olaf

  • After Security Update, NFS automount hangs login over LDAP

    We currently have a laptop lab in the process of being set up. We have 45 MacBook Pro systems with Snow Leopard 10.6.4 installed. We had set up LDAP authentication for users to log in to our directory server and it worked great over both wired and wireless (WPA2). After installing security update 2010-005, systems hang upon logging in over wireless. We believe the problem is with an NFS automount we set up, because removing the automount allows users to log in successfully over wireless. The NFS is crucial so that users can save data to the server, however, so this is not a solution. Are there any configuration tweaks to undo what's been blocked by the security update?

    After installing update 2010-005, I am having issues with my system hanging during startup (stays indefinitely on the grey 'apple' screen, with a spinning icon, and no status or message stating what it is trying to do).
    I am able to restart, hold SHIFT, and boot into safe mode, with limited functionality, but have not been able to resolve the issue.
    How did you determine that it was hanging on wireless login? (I have not found a log file that states what the system is doing during startup, or why it's hanging.)
    I have searched for issues like this, and most posts recommend removing entries from /Library/Caches and other similar items, but I'm concerned that I might be starting out with a small problem, and then cause a much bigger problem by removing system entries without really knowing what's broken in the first place.
    Is there a debug screen during startup that would tell me what steps it's taking? (Or a log file?)
    I've looked through all of the entries available to the console log review app (apps/utilities/console.app), and was hoping that 'system.log' would tell me what's going on, but so far I'm not seeing anything useful. (There are errors in there, and it looked like there was a crash around the same time as the update was happening, but I'm not seeing any entry during startup that shows what it's trying to do and reveals that it's just stuck on that task.)
    I've run some of the tasks in the 'Snow Leopard cache cleaner' and onyx utilities, but that hasn't fixed my login problem.
    Any info you have on further diagnosis, rolling back the update, or anything I should try next, would be greatly appreciated!

  • Using an account other than amldapuser to log in to LDAP via Access Manager?

    Hi,
    We have a multi-domain setup with about 70 subdomains (JES2005Q4). When we try to view the accounts in a domain, it takes us up to 3 minutes to display maybe 200 users in one specific domain.
    We had to increase "timeout for search" to 180 seconds to allow all users of the largest domain to be returned.
    I suspect this is caused by amldapuser, which is now used for the LDAP login, and the amount of ACIs installed.
    Is it possible to log in to the LDAP with another user that would return results more quickly (directory manager?)
    If so, is this a low-risk operation, and what must we change exactly?
    current config:
    DN for Root user bind: cn=amldapuser,ou=DSAME Users,o=jes.xxxxx.be
    kind regards,
    Tom.

    Hi Tom,
    Using Dirmanager would not be the best option ...
    You could check the following:
    1) what is the BASEDN when searching for users?
    By default this is o=ROOTORG,ou=PEOPLE since all is copied from the root org by creating the service template, except for the amldapuser password
    This should be o=ROOTORG,o=SUBORG,ou=PEOPLE
    (or the DC= equivalent)
    2) what is the time the actual LDAP query takes (etime)
    3) Are there any unindexed searches?
    HTH

  • Oracle BI Server stopped when i tried to login using LDAP

    Hi,
    My BI server stopped suddenly when I tried to log in with my LDAP username/password. It was working fine when I was using Administrator/SADMIN, and when I tried to start it using ./run-sa.sh start it had the below error in the log:
    [oraclebi@uschilxbit01 setup]$ ./run-sa.sh start
    Oracle BI Server startup initiated.
    Please wait for a while for the Oracle BI Server to completely start.
    Execute the following command to check the Oracle BI Server logfile and see if it started.
    tail -f /data/OracleBI/server/Log/NQServer.log
    [oraclebi@uschilxbit01 setup]$ tail -f /data/OracleBI/server/Log/NQServer.log
    2010-01-07 15:21:32
    [nQSError: 13011] Query for Initialization Block 'Web Catalog Group Assignment' has failed.
    [nQSError: 23006] The session variable, NQ_SESSION.title, has no value definition.
    2010-01-07 15:21:32
    [nQSError: 13011] Query for Initialization Block 'Web Catalog Group Assignment' has failed.
    2010-01-07 15:21:32
    [nQSError: 13011] Query for Initialization Block 'Site_Map_Key' has failed.
    [nQSError: 23005] The repository variable, PRES_SERVER_NAME, has no value definition.
    2010-01-07 15:21:32
    [nQSError: 13011] Query for Initialization Block 'Site_Map_Key' has failed.
    Has anybody faced a similar situation? What should I do now, as I cannot connect online either because the server is down? Should I delete the 'Web Catalog Group Assignment' & 'Site_Map_Key' initialization variables and upload the rpd again?
    Thanks,
    Amit

    Hey Amit,
    I've encountered that problem in the past before with Oracle REL 5. If I remember correctly it's a bug and required a patch to be applied. Definitely search metalink 3. I'll do the same and see what I can turn up.
    -Joe

  • Integration iLearning login with LDAP?

    Hi friends,
    Although there exists a Metalink note with exactly this title (How To Integrate Oracle iLearning and LDAP, Note:452425.1), I've searched inside the documentation for how exactly iLearning does this step. I mean:
    I have to install the iLearning Platform (without installing Oracle Portal) in a Windows environment. Due to customer requirements, the iLearning login must be validated with LDAP validation... I've read that it's done with iLearning Web Services, but I can't find where exactly this procedure is described. (My knowledge of web services is limited.)
    I'm reading the "Oracle iLearning 5.0: Web Services API Technical Reference", and it's supposed all is there... but the word "LDAP" is not mentioned, so... any ideas?
    Thanks a lot.
    Jose L.

    If that integration is not possible, I've thought of another solution:
    - Create/publish a web service in the iLearning platform. That web service would check the LDAP contents for new users; if there are new users, it would retrieve their information and create them as iLearning platform users.
    This could be divided into two tasks:
    - create/publish a web service in iLearning to query LDAP
    - insert the retrieved information as new user(s) into the iLearning system.
    [This one, if it is not possible to "program" it in the web service, could be done through direct INSERTs into the iLearning tables, I suppose.]
    Any ideas of how to do this?
    Thanks a lot!!!!.
    Jose.

  • Designer takes several minutes for login using LDAP authentication

    We have an issue: when we try to log in to the Designer using LDAP authentication it takes several minutes, while using an Enterprise account we are able to log in to the Designer within seconds.
    CMC and infoview all are working fine using LDAP authentication.
    We are using BOXIR2,
    FP 1.6.
    Thank You in Advance.
    Thanks & Regards,
    Collin.

    There have been several changes in LDAP since FP 1.6 but if infoview is ok then hopefully you aren't running into any of them. When logging into client tools the LDAP requests are sent to the LDAP server directly from the client. An issue like this would suggest there is a problem reaching the LDAP server from the client.
    Is LDAP SSL being used? If yes try disabling it, if no then you can packet scan the logon attempt on the client and filter the LDAP traffic to see how long it's taking for that communication.
    Regards,
    Tim

  • Login via LDAP using "cn" attribute?

    Hi,
    I work on an LDAP client implementation, and have hit a potential problem using it with the Mac OS X LDAP server. Our device searches for user objects in the LDAP directory, looking for a match of the "uid" attribute against a login name entered by the user. Well, we have a customer who is using a Mac OS X LDAP server and says that he has users configured with multiple uids (which we support) but also with a unique "cn", and that it allows login using any of those. For example, a user entry would contain:
    dn: uid=joecool,cn=users,dc=xxx,dc=local
    cn: jcool
    sn: Cool
    uid: joecool
    uid: jc
    And this user supposedly can login as joecool, jc or jcool, even though there is no uid attribute with value jcool.
    So my question is: is this the case with the Mac OS X LDAP server? Does it (or rather a Mac client using it) allow login with a user name that matches the cn but not a uid?
    Message was edited by: Ian Puleston

    Hi,
    The User Management guide says a fullname and 16 shortnames are permitted. However, the first shortname is used to form the LDAP distinguished name (dn). My LDAP connection lets me search for any user records based on 'cn = login name' where login name is any fullname or shortname. However, authentication only occurs when using the (dn, password) combination.
    There are significant problems when any names are duplicated. However the most critical is the first shortname which is stored with the password server file along with user id number. Note that to change the first shortname essentially deletes the user account and creates a new one. According to the manual all of the names full and short are kept in the cn listing inside the user record. This allows looking up the user record by any name (cn). During login the record is looked up, the dn retrieved and combined with the password for authentication.
    HTH,
    Harry

  • SSL and login form for form based login over ldap

    Hello,
    I have configured an Apache reverse proxy with a virtual named host, and the WebGate is also running on this server.
    On a second server I have configured a web server with the login form.
    Access to the protected resources is working when I use the following parameters in my authentication scheme:
    form:/form/login.html
    action:/dummy
    creds:userid password
    ssoCookie:httponly
    passthrough:no
    SSL Required No
    Challenge Redirect http://dummyserver.dummy.org
    Changing the SSL required to yes and the url to https has the following result.
    After filling out the login form and pressing the submit button "the requested URL /dummy was not found on this server"
    Any hints are welcome.
    Kind regards

    Hi Colin,
    Yes, the dummy URL is protected. Otherwise it should not work when using http.
    I assume that I am not redirected back to the origin source. The obSSOCookie should do this in some way, if I remember that correctly.
    I can see that the obSSOCookies are created for both URLs, but the content is "loggedoutcontinue". That's the difference to the http communication.
    Is there anything else to configure when using SSL with a form-based login? Have I missed some basics?
    In the documentation it looks really simple - just turning it on - looking for access - and everything works :-)
    KR

  • Login Error from Users machine into BO Desktop Applications With LDAP user

    Hi All,
    I am getting a strange error and got stuck. I have searched in the forums and tried every possible thing, but the problem remains the same.
    I am not able to log in to any client application using an LDAP account.
    The setup is:
    Machine 1: Webserver
    Machine 2: CMS and other servers
    Machine 3: Clustered CMS server
    LDAP is implemented and SSL is enabled between Machine 2 and LDAP server.
    Now when I am on Machine 2 and try to log in to a client application using LDAP it works for me, and also for the web applications (CMC, InfoView).
    When I am on a user machine I am able to log in to client applications (Designer, Desktop Intelligence etc.) using an Enterprise account, but not with an LDAP account. However, I am able to log in to the web applications using an LDAP account from the user's machine.
    All the ports are open and can connect to the CMS machine, and database repository connectivity is also OK.
    One interesting thing I would like to share: if I log in to InfoView using an LDAP account and go to edit a report, it opens Desktop Intelligence for me (LDAP user), and there is an entry in "System name" when I log in to Deski. That entry in the system name is the CMS machine name, port number, full domain, with (J2EE Portal) written at the end.
    Using this entry in System I can log in using an LDAP account, but first I have to do the process (log in to InfoView, edit the report) for every user machine.
    Please help me find out where I am going wrong.
    The error with the client application and LDAP user is USR0013: Cannot access the repository.

    My guess would be that client apps don't have access to the SSL directory defined in the LDAP config but the web/app does. When you edit a report it launches Deski in 3-tier mode still using the web/app, so this isn't surprising behavior. There are SAP notes on this in SMP; the key words LDAP SSL deski should return the result. The link to SMP is in the forum sticky at the top of the administration forum.
    Regards,
    Tim

  • ASA VPN with LDAP authentication

    We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules make this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
    The things we don't like about using RADIUS are the idea that IAS has to be configured as a middleman service, and that IAS does not always successfully start after a system reboot (we are not sure why).
    We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
    The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
    Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?

    Hi,
    I believe that the second option you've mentioned will work for you. Why? Using that, if you map a single AD group to the right Cisco policy, then this will work the way you want, where absence means deny to other users.
    Here is a config example you may try:
    Configuration for restricting access to a particular windows group on AD/LDAP
    group-policy noaccess internal
    group-policy noaccess attributes
    vpn-simultaneous-logins 0
    address-pools none
    ldap attribute-map LDAP-MAP
    map-name memberOf IETF-Radius-Class
    map-value memberOf
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD host
    server-port 389
    ldap-base-dn
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-dn
    ldap-login-password
    server-type microsoft
    ldap-attribute-map LDAP-MAP
    group-policy internal
    group-policy attributes
    vpn-simultaneous-logins 3
    vpn-tunnel-protocol IPSec l2tp-ipsec ...
    address-pools value
    tunnel-group type remote-access
    tunnel-group general-attributes
    authentication-server-group LDAP-AD
    default-group-policy noaccess
    HTH
    JK
    -Plz rate helpful posts-

  • Login Issue in Portal system using SSO

    Dear All,
    We have Expressnet system version 7 - windows +SQL DB.
    The user is able to log in to EP using SSO.
    My question is: a single user is present in different data sources in LDAP; in this case, how is the user able to log in?
    Ex username: Priyan. It is present in CORE_LDAP_DS1 and CORE_LDAP_DS5.
    Kindly let us know how the user logs in to LDAP, and where and how the user name and password are fetched from.
    Thanks,
    Priyanga G.

    Hi,
    The problem is in the BEx Web configuration.
    Check whether the MIME repository has the images or not in the BI 7 server.
    If the MIME repository has the images, then the BI and portal configuration is not done properly using the BI template installer.
    You need to set the BWMANDT in table RSADMINA to the currently used default client.
    Also try to set up BEx Web.
    The problem might get resolved after setting up BEx Web.
    Required Steps
    You can perform an initial check of the automatic configuration with the following steps:
    Note 917950 - SAP NetWeaver 2004s: Setting Up BEx Web
    1. Execute the report RSPOR_SETUP with transaction SE38 (or SA38; or you can execute the report from the SAP Reference IMG, see Documentation below)
    2. Use the value help of the entry field Program ID (or RFC Destination) to choose <BI_SID>_<J2EE_HOSTNAME>_<J2EE_SID> as RFC Destination (this destination is created by the Template Installer)
    3. Enter the Portal SID (required to check step 10)
    4. Press the button Execute
    Placeholder <BI_SID> corresponds to the field BACKEND_SID of the Template Installer's Data Entry, <J2EE_HOSTNAME> corresponds to the field J2EE HOST, and <J2EE_SID> to J2EE SID.

  • Problem with LDAP authentication for users in a group

    I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
    I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm re-prompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
    I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

  • LDAP security authentication in weblogic sp4 (URGENT)

    We have a web application which interacts with the DB to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the list of what I did in the WebLogic configuration; correct me if this is correct or if I am missing anything.
    1. Created a Realm
    2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
    3. Created a X.509 certificates ????? Do I need to create this one for authentication. The only question is I am confused by these parameters and help me out in figuring out these:
    a. filter attributes = cn=$subj.cn
    b. username attribute = cn
    c. userCertificate;binary ??? ( I have a certificate idmtree.der where do I add configuration about this certificate in the console)>>>>>>>>
    d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
    4. created a new Weblogic Default Authorizer...
    5. created a new Weblogic Default Role Mapper...
    6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
    7. I made this realm as the DEFAULT realm and started the server
    I get the following exception.
    Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
    The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
    Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
    The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
    Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    >
    ####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
    ANY HELP on this would be greatly appreciated; I am totally exhausted from seeing these error messages since morning.
    I would like to know if I need a client for connecting to this LDAP authenticator, as I am using the Novell API to access the LDAP directory. Let me know, and if so, can someone provide me a code snippet.
    Waiting for response.
    thanks in advance
    kiran

    Hi Christoper,
    Based on your description, this seems to be more of a security related question than a workshop one.
    Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
    with information on service pack installed
    Thanks
    Raj

  • LDAP Authentication on Cisco ASA 8.2(1)

    Dear Security Experts,
    I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN to a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), it shows that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and because of this the tunnel-group default group policy of "NOACCESS" is getting applied (vpn-simultaneous-logins set to zero), which results in zero connections.
    I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN is getting connected.
    The name of the user account is testvendor, which belongs to the group Test-vendor.
    Could you kindly advise me what I am missing in this configuration? Help on this is highly appreciated.
    The configuration and debug output are shown below.
    SHOW RUN
    ldap attribute-map ABC-VENDOR
      map-name  memberOf Group-Policy
      map-value memberOf CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    aaa-server ldapvend protocol ldap
    aaa-server ldapvend (INSIDE) host 10.1.141.7
    ldap-base-dn DC=abc,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn CN=ldapvpn,OU=ServiceAccounts,OU=Abc,DC=abc,DC=local
    server-type microsoft
    ldap attribute-map ABC-VENDOR
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    group-policy Allow-Vendor internal
    group-policy Allow-Vendor attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec
    dns-server value 10.1.141.7
    default-domain value abc.org
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_acl
    tunnel-group ABC-AD-VENDOR type remote-access
    tunnel-group ABC-AD-VENDOR general-attributes
    address-pool vendor_pool
    authentication-server-group ldapvend
    default-group-policy NOACCESS
    tunnel-group ABC-AD-VENDOR ipsec-attributes
    pre-shared-key *
    Note: as part of troubleshooting I tried the map-value entries below under the ldap attribute-map ABC-VENDOR
    map-value memberOf CN=Test-vendors,CN=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=Test-vendors,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    map-value memberOf CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local Allow-Vendor
    DEBUG LDAP 255
    [454095] Session Start
    [454095] New request Session, context 0xb1f296b0, reqType = Authentication
    [454095] Fiber started
    [454095] Creating LDAP context with uri=ldap://10.1.141.7:389
    [454095] Connect to LDAP server: ldap://10.1.141.7:389, status = Successful
    [454095] supportedLDAPVersion: value = 3
    [454095] supportedLDAPVersion: value = 2
    [454095] Binding as ldapvpn
    [454095] Performing Simple authentication for ldapvpn to 10.1.141.7
    [454095] LDAP Search:
            Base DN = [DC=abc,DC=local]
            Filter  = [sAMAccountName=testvendor]
            Scope   = [SUBTREE]
    [454095] User DN = [CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local]
    [454095] Talking to Active Directory server 10.1.141.7
    [454095] Reading password policy for testvendor, dn:CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095] Read bad password count 0
    [454095] Binding as testvendor
    [454095] Performing Simple authentication for testvendor to 10.1.141.7
    [454095] Processing LDAP response for user testvendor
    [454095] Message (testvendor):
    [454095] Checking password policy
    [454095] Authentication successful for testvendor to 10.1.141.7
    [454095] Retrieved User Attributes:
    [454095]        objectClass: value = top
    [454095]        objectClass: value = person
    [454095]        objectClass: value = organizationalPerson
    [454095]        objectClass: value = user
    [454095]        cn: value = testvendor
    [454095]        givenName: value = testvendor
    [454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
    [454095]        instanceType: value = 4
    [454095]        whenCreated: value = 20111019133739.0Z
    [454095]        whenChanged: value = 20111030135415.0Z
    [454095]        displayName: value = testvendor
    [454095]        uSNCreated: value = 20258545
    [454095]        uSNChanged: value = 20899179
    [454095]        name: value = testvendor
    [454095]        objectGUID: value = ).u>.v.H.6>..u.Z
    [454095]        userAccountControl: value = 66048
    [454095]        badPwdCount: value = 0
    [454095]        codePage: value = 0
    [454095]        countryCode: value = 0
    [454095]        badPasswordTime: value = 129644550477428806
    [454095]        lastLogoff: value = 0
    [454095]        lastLogon: value = 129644551251183846
    [454095]        pwdLastSet: value = 129635050595360564
    [454095]        primaryGroupID: value = 513
    [454095]        userParameters: value = m:                    d.                       
    [454095]        objectSid: value = ...............n."J.h.0.....
    [454095]        accountExpires: value = 9223372036854775807
    [454095]        logonCount: value = 0
    [454095]        sAMAccountName: value = testvendor
    [454095]        sAMAccountType: value = 805306368
    [454095]        userPrincipalName: value = [email protected]
    [454095]        objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095]        msNPAllowDialin: value = TRUE
    [454095]        dSCorePropagationData: value = 20111026081253.0Z
    [454095]        dSCorePropagationData: value = 20111026080938.0Z
    [454095]        dSCorePropagationData: value = 16010101000417.0Z
    [454095]        lastLogonTimestamp: value = 129638228546025674
    [454095] Fiber exit Tx=719 bytes Rx=2851 bytes, status=1
    [454095] Session End

    Thank you, Jennifer, for the response.
    Could you please help me with how to enable the "memberOf" attribute on AD to be pushed to the ASA for the OU matching?
    I have already set the "Remote Dial-in" property of the user account "testvendor" in AD to "Allow Access". It can be seen in the debug output below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Are there any other settings that I need to do on AD?
    Kindly advise.
    Regards,
    Shiji
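As an added diagnostic example for the two posts above (not code from the poster or from Cisco), here is a small Python parser for the "debug ldap 255" output that reproduces the ASA attribute-map decision: it reports which group-policy would be applied and why, and makes the missing memberOf attribute visible at a glance. The map-value DN and the trimmed debug lines are taken from the post; the exact-string matching of DNs is a simplifying assumption.

```python
import re

# Attribute-map from the post: LDAP attribute -> {value: group-policy}
ATTRIBUTE_MAP = {
    "memberOf": {
        "CN=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local": "Allow-Vendor",
    }
}

# Constructed sample: a trimmed copy of the "debug ldap 255" output in the post.
DEBUG_OUTPUT = """\
[454095] Authentication successful for testvendor to 10.1.141.7
[454095] Retrieved User Attributes:
[454095]        objectClass: value = user
[454095]        distinguishedName: value = CN=testvendor,OU=Test-vendors,OU=Users,OU=Abc,DC=abc,DC=local
[454095]        sAMAccountName: value = testvendor
[454095]        msNPAllowDialin: value = TRUE
[454095] Session End
"""

ATTR_RE = re.compile(r"^\[\d+\]\s+(\S+): value = (.*)$")


def parse_attributes(debug_text):
    """Collect the (multi-valued) attributes listed under 'Retrieved User Attributes:'."""
    attrs = {}
    in_attrs = False
    for line in debug_text.splitlines():
        if "Retrieved User Attributes" in line:
            in_attrs = True
            continue
        m = ATTR_RE.match(line) if in_attrs else None
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def resolve_group_policy(attrs, attribute_map, default_policy):
    """Mimic the map-value lookup: the first matching value of a mapped attribute
    selects the policy; otherwise the tunnel-group default policy applies.
    Returns (policy, reason). Exact string comparison is an assumption."""
    for attr, mapping in attribute_map.items():
        if attr not in attrs:
            return default_policy, f"attribute {attr} absent from retrieved attributes"
        for value in attrs[attr]:
            if value in mapping:
                return mapping[value], f"{attr} value {value} matched"
        return default_policy, f"no map-value matched {attr} values {attrs[attr]}"
    return default_policy, "attribute-map is empty"


if __name__ == "__main__":
    policy, reason = resolve_group_policy(parse_attributes(DEBUG_OUTPUT), ATTRIBUTE_MAP, "NOACCESS")
    print(f"group-policy {policy}: {reason}")
```

Run against the post's output it reports NOACCESS because memberOf is not among the retrieved attributes at all, which is the question the follow-up post raises.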
