MS Active Directory LDAP Authentication/Locking Issue.

Similar Messages

• ActiveSync mail/contacts/calendars removed after Active Directory account is locked out?

  Hey guys,
  Wondering if anybody has seen an issue like this.  This is a new Exchange 2010 deployment (8+ CAS servers) and the devices are all iPhones/iPads running the latest version of iOS (7.1.2).  The CAS servers are behind a load-balancer.
  Basically when a users' Active Directory account is Locked in AD (either manually or by entering the wrong password) their ActiveSync Contacts, Calendars and all Mail folders (except the Inbox strangely!) will be removed from the iOS device within a few hours.  So an account might get locked out at say 6pm, if left locked out by the next morning the ActiveSync account will still be setup on the device as normal, but everything is gone except the mail in the Inbox.  If a user has an iPad and iPhone both will be blanked.
  The behaviour is similar to what is documented here - iOS: How to mitigate a full sync or reload of Exchange account data - however the Exchange servers are not issuing HTTP500 errors as we have captured logging during the window where the device blanks itself.
  Any thoughts would be appreciated!
  Thanks!

  Hello,
  which event ids are shown in the event viewer from the DCs? Or maybe locally also some errors are locked that give some more details.
  If this happens it sounds personally for me that Java is the problem. Have you already opened a call at
  https://community.oracle.com/welcome ?
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• Integrating Active Directory LDAP in OBIEE 11g

  Hi All,
  I Have Configured Active Directory LDAP in OBIEE.
  Steps i have Followed are,
  1) configured Active Directory in providers under Scurity Releam.
  2) Restarted BI Services to Load the Ldap Users.
  3) login to the EM under bifoundation domain selected securitues->security configuration provider.created user.login.attr and username.attr.
  4) under Credentials->oracle.bi.system map->system.user->deleted BISystemUser and Created key with the Existing name in Active Directory.
  5) assigned System user to BISystem role in em.
  6) in Console Roles and Polocies->Global Roles->Roles->Admin->view Role Condition (User = Active Directory User or Group=Administrators).
  7) Restarted BI Server and Presentation Services.
  Now I am Unable to Login to Presentation Services.
  Please Reply ASAP.
  Thanks and Regards
  Kiran Kumar

  Kiran, Is there a specific reason for using RPD for LDAP authentication? From 11g onwards, the best practice is to use Weblogic (or external Authentication providers). Is it correct to say that for "Authentication' without proper RPD LDAP config for "USER" variable, users cannot login via presentation layer?
  Cheers!
  BK

• Invoking 'active directory external authentication plug-in'  from login.jsp

  Hi
  I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
  Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
  Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
  For this requirement, we have 'active directory external authentication plug-in' installed on server.
  What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
  kindly let me know

  Hi
  I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
  Then i serach using the user name in ldap directory.
  NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
  as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.

• Getting User Attributes from an Active Directory LDAP

  Hello all.
  I want to extract attributes assigned to a user in the Active Directory LDAP and make them available through the getPropertyValue property in Javascript. I know that a user's System Attributes can be accessed with getPropertyValue but I have not found a way to get specific attributes from the LDAP and make them available as specific attributes in xMII. System attributes like "EmailAddress1" seem to transfer from the LDAP but others don't. Anyone have any ideas?
  Thanks.
  ...Sparks

  Sparks,
  If you're using 11.5 or 12 actually they should all map into the system as session properties.  You can use the following URL to verify your session properties:
  http://<xMIIServer>/Lighthammer/PropertyAccessServlet?Mode=List
  If you are not seeing the attributes you expect then your Attribute Query for User or Role is incorrect for your LDAP system and you need to change the LDAP configuration queries.
  -Sam

• SJSAS7 - Access to Active Directory LDAP

  Hi All
  Is it possible to connect SJSAS7 to Active Directory via LDAP. I know that this can be done with other app servers like WebSphere 4 & 5.
  I would like to use our existing Active Directory infrastructure for authentication of Admin and Application users.
  Does anyone have information how to configure this or can point me to some documents with this info.
  Any help would be much appreciated.
  TIA
  Tony Hawes

  Although I haven't tried it, I would guess that this is possible. We are using the LDAP realm with Sun's directory server and a few years ago I used the standard LDAP provider in the JDK to connect to Active Directory. The only problem I had was that I had to connect with a user that had the form "domain/user" instead of a common name. The online help in the admin console describes the properties you can use.
  HTH,
  Gunnar

• Active Directory Ghost Object replication issue

  I have a Windows 2003, Single Forest with nearly 50 Domains. This is a constantly changing, deployable system where not all Domains are connected and online at all times.
  Some months ago 2 of these domains were held up in transit and tombstoned. Before they were connected to the Forest again they went to our Hardware support department to be "cleaned" meaning remove dust etc, instead they wiped the arrays on all
  servers.
  Our Level 4 Support team reanimated these node after restoring them from a really old backup.
  This backup did not refelect the AD as it was when it was deleted, therefore we have several orphaned objects form those domains. The Domains are functioning correctly and replicating, however, the GC in the forest is inconsistent and the orphaned/ghost
  objects are still being replicated.
  We have rehosted the directory partitions from the problem nodes to online domains which works fine, but as soon as another domain comes online the orphaned objects are again replicated into the Global Catalog. The nature of our system means that we cannot
  control when the other domains are coming back online to rehost them before replicating the object items back into the GC.
  I have made several LDAP queries and can see that the items no longer exist on the problem domain, the only reference to the objects is in the GC directory partitions of those domains.
  The biggest issue I have is that these objects were mail enabled users and when the GAL queries the GC it is repopulating them. 
  I've hit a bit of a wall now and do not know how we can remove these ghost objects without having all domains online at the same time and rehosting the problem domains partitions forest wide. I'd appreciate any assistnce.
  I have asked this question before but with less detail so I'm having another go!

  An AD backup is as good as the Tombstone lifetime. By default the TSL of a 2003 forest functional level is 60. So if you haven't done this already you should probably configure a higher value for the TSL. By default Strict Replication
  Consistency is also enabled to prevent DC that have been disconnected for a long time to propagate lingering objects into the AD topology, check to see if you have this enabled. You should use "repadmin" to remove the lingering objects.
  "When a domain controller in your Active Directory environment is disconnected from the replication topology for an extended period of time, all objects that are deleted from AD DS on all other domain controllers might remain on the disconnected
  domain controller. Such objects are called lingering objects. When this domain controller is reconnected to the replication topology, it acts as a source replication partner that has one or more objects that its destination replication partners no longer have.
  Problems occur when these lingering objects on the source domain controller are updated and these updates are sent by replication to the destination domain controllers. A destination domain controller can respond in one of two ways:
  If the destination domain controller has strict replication consistency enabled, it recognizes that it cannot update the object (because the object does not exist), and it locally halts inbound replication of the directory partition from that source
  domain controller.
  If the destination domain controller does not have strict replication consistency enabled, it requests the full replica of the updated object, which introduces a lingering object into the directory."
  Also keep in mind that the Infrastructure Master role handles the cross-domain references and phantoms from the global catalog in its domain. Make sure that you either have all DCs as Global Catalogs or do not place the GC on the DC with the IM role.
  Here are some useful links:
  Determine the tombstone lifetime for the forest
  Event ID 1388 or 1988: A lingering object is detected
  Use Repadmin to remove lingering objects
  Enable strict replication consistency
  FSMO placement and optimization on Active Directory domain controllers
  Phantoms, tombstones and the infrastructure master
  http://mariusene.wordpress.com/

• ISE - Active Directory - LDAPS

  I think I understood the customer concern. This is quoted from Microsofthttp://support.microsoft.com/kb/321051
  "The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
  So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
  The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)
  In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?
  ISE User Guide explais a little about security if the external identity source is an LDAP, but nothing about security is indicated in Active Directory configuration.
  Regards.

  Hi,
  The AD join operations allows you to run PEAP protocol and is much more resilient than using ldap because of the way it joins itself to the domain. It uses kerberos and rpc when performing user authentication.
  When using ldaps that is configuration based on when you add the ldap instance.
  Sent from Cisco Technical Support iPad App

• Active Directory LDAP integration; can not see the XMLP_ groups/roles

  We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
  It is working to a certain extent:
  Users can log on to the XML Publisher using login/password as defined in AD.
  -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
  Problems/questions:
  The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
  -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
  Is there any way to monitor the login process to try and see what goes wrong?
  -Roald
  -Roald

  The problem has been solved, it was self inflicted, typo in the config file:
  <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
  (semicolon instead of comma after Users).
  It is a little surprising that this typo lead to problems with group matching, though. It took some time before this part of the config got enough attention.
  -Roald

• MS Active Directory (LDAP) and SAP Integration

  Hi all!
  don't know if I'm right here in this forum, but:
  I'm using MS Windows Server 2003 and installed Active Directory as LDAP-System on the one hand side, on the other I'm using a 6.20 ABAP Web AS.
  I'd like to synchronize the User Storage on these two systems.
  Does anyone have experience in doing this? I'm facing a tricky exception in depth of my customizing too complex to explain right now. The problem concerns the mapping of LDAP-Fields and SAP-Fields.
  Thankx,
  Christoph

  Hi Christoph,
  This is the mySAP ERP forum. Perhaps you can post your question in the Web AS forum (SAP NetWeaver Application Server).
  For now: here is a link to a video regarding SAP Active Directory integration:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sap active directory integration,%20SSO%20and%20User%20Management%20Webinar.wrf
  I found it by searching on Active Directory here on sdn:
  https://www.sdn.sap.com/sdn/search.sdn?contenttype=url&content=/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fSDN!2fiViews!2fFramework!2fcom.sap.sdn.advsearch%3Fprttheme%3DCSIN%26QueryString=active%20directory%26searchDatasource=SDNContent
  Cheers,
  Noel

• OID and MS Active Directory  LDAP information Synchronization

  Do you know have to do the integration between OID and MS active Directory? How to synchronize the LDAP information between two?

  Hi, I have the same question.
  Thanks,
  Malin

• Active Directory FindAll SearchResutlsCollection Performance Issue

  Hi,
  I am trying to get list of users from active directory with query as shown in below code snippet. From below code and after FindAll() statement, getting results (users collection) from active directory. As and when try results.count or any operation on results
  object, taking 7 seconds first time. So every time when try to get users, taking more than 7 seconds. Could you please provide your suggestion to overcome the 7 seconds delay.
  Thanks,
  Janaiah
  Try
  Dim path As String = "LDAP://xxxx/CN=Users,DC=firm,DC=xxxx,DC=com"
  Dim filter As String = "(&(objectCategory=person)(objectClass=user)(Description=test*)(Description=*SampleAcc))" '(!userAccountControl:1.2.840.113556.1.4.803:=2))"
  Dim propertiesToLoad As String() = New String(0) {"name"}
  '(&(objectClass=user)(Description=testaccount*)(Description=*TestAccount))
  Using root As New DirectoryEntry(path, "domain\username", "password", AuthenticationTypes.Secure)
  Using searcher As New DirectorySearcher(root, filter, propertiesToLoad)
  Dim temp As String = DateTime.Now
  Using results As SearchResultCollection = searcher.FindAll()
  temp = temp + " - " + DateTime.Now
  For Each result As SearchResult In results
  temp = temp + " - " + DateTime.Now
  Dim name As String = DirectCast(result.Properties("name")(0), String)
  'ADUsersList.Items.Add(name)
  Next
  End Using
  End Using
  End Using
  Catch
  End Try

  Hi Janaiah Putta,
  I am moving your thread into the
  Visual Basic Forum for dedicated support. Thanks for your understanding.
  Best Regards,
  Jack
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• What is the Point of Active Directory/LDAP Specification?

  My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple 'What is the point of active directory'. Now I don't have a lot of exposure to active directory, but I thought I could easily answer. My argument was; If you have a group of objects its easy to look up attributes for those objects using active directory. For example, if you have a group in AD and you want to verify the users of that group you simply look up the member attribute of that group. However he argued, rightly so, that you can do that with a table in a database, why do that in AD. I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
  To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, whats the point of AD? Why do you use AD?

  I come from a primarily database centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in a educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
  To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
  What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
  Edited by: milkfilk on Dec 16, 2008 11:48 AM
  Edited by: milkfilk on Dec 16, 2008 11:54 AM

• Updating groups in Active Directory LDAP

  Hi,
  We are making use of the LDAPResourceAdapter to manage user information present in AD.
  To manage group membership, the resource schema contains mapping of Identity System user attribute to the 'ldapGroups' resource attribute and the Group Member Attr is set to 'member'.
  A user form with multi-select component is used to manage group membership. There are no issues while associating a user with a new group, however we are not able to de-link users from their existing groups.
  I thought, Identity Manager will perform a difference between old values and new values of group membership and accordingly update the resource groups. But this doesn't happen and the documentation is silent on how group updates are handled.
  Also in the confirmation page that shows up during the update operation, the old values column does not contain existing group DNs. All group DNs appear under the new value column.
  Has anyone encountered this problem?
  What is the recommended approach for resolving this issue and successfully performing group updates?
  TIA,
  Chetan.

  Hi,
  I have done a similar thing (but using iPlanet ldap) and the group
  memberships deleted OK.
  One thought is that the adapter may be configured to ignore delete
  operations. You can check this by running the resource wizard
  and stepping through until the last page. There is an item called
  "Account Feature Configuration".
  By the way, you say
  "de-link", but as I understand it,
  IDM only maintains "linkage" to a resource account,
  for example LDAP. A group membership is a "resource object",
  which is part of a resource account. Resource objects (groups
  in your case) can only be created/deleted, not de-linked.
  Another thought:
  It could be the following is happening.
  1: The user is associated with a group and the group membership is created on the resource.
  2: The Identity System user attribute that maps to ldapGroups
  is NOT being stored.
  3: The next time an update occurs, the old value is empty and the new
  value contains the groups, calculated from the form.
  4: IDM attempts to re-create the group membership on AD.
  So, even if you try to delete them, the just continue to reappear.
  Can you determine if the DNs of the groups are actually being
  stored?
  I had a similar problem. my Identity System user attribute
  that mapped onto ldapGroups was also called ldapGroups.
  I renamed it to myLdapGroups and used global.myLdapGroups
  in my forms (not nice, I know). This solved the problem for me.
  Hope this helps,
  Please post when you find an answer.

• Using Active Directory (LDAP Plugin) Across Multiple AD Servers

  Hi,
  I need to give an existing application the ability to talk to multiple active directories using the AD LDAP interface from a J2EE Applcation running on Apache 2.x/Tomcat 5.x (there are 4 independent AD trees and users from ANY of the trees can access the application)
  Can anyone point me in the right direction with this? I would seem to make sense that I should create a central security servlet that is aware of all the domains and connect to each of the AD servers in turn using LDAP (as often discussed on these forums) to acertain security rights, then turn control back to the application.
  Thoughts? Feedback? General help?
  thanks
  John

  Another thing that would help is any references to sample code where someone has done this before for..
  1. the server.xml file mods required? Web.xml Mods?
  2. Java code to accomplish this?
  Also, am i overthinking the problem? Could I just use some utility class inside the controller servlet that would have one method that would return access level or something? Then in the utility file I can do the looping through LDAP servers (really AD trees) and when I find the information I want, simply return it.