OpenLdap with ldap backend... / Authentication against another ldap

Similar Messages

• SQL Developer 4.0 EA2 -- Cannot use OpenLDAP with LDAP connect option

  Hi,
  I've got OpenLDAP setup to work with my Oracle clients, to serve up TNS connect strings, in lieu of having tnsnames.ora files scattered about hundreds of servers.
  This is working fine with 10g/11g, both full and instant clients, no problem.
  Now, I'm trying to configure SQL Developer 4.0 EA2 working with it, as well.
  When I attempt to do so, I'm able to select the "LDAP" option in "Connection Type", and the "LDAP Server" drop down list is correctly populated with my LDAP server, from ldap.ora.
  However, when I select it, I get the following error:
  Status : Failure -[LDAP: error code 32 - No Such Object]
  Now, I've done some research, and I monitored the slapd.log file, which shows me the following:
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 ACCEPT from IP=192.168.125.1:63781 (IP=0.0.0.0:389)
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 BIND dn="" method=128
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 RESULT tag=97 err=0 text=
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=orclContext)"
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=2 UNBIND
  Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 closed
  Which is a lot more detail, but reflects the corresponding error code, (32 - No Such Object).
  After doing some testing with ldapsearch, I've been able to replicate what SQL Developer is doing, and get the exact same error.
  That ldapsearch command is:
  ldapsearch -h einstein -p 389 -c -x -D "" -b "" "(objectClass=orclContext)"
  Looking in the slapd.log file, I find an identical error to what is produced from SQL Developer.
  Further, the query that SQL Developer wants to do can be successfully done with the following ldapsearch:
  ldapsearch -h einstein -p 389 -c -x -D "" -b "dc=proquest,dc=com" "(objectClass=orclContext)"
  So, it seems the problem is with the fact that SQL Developer is not supplying a search base.
  I'm no LDAP expert, and I'm really not sure where to turn next....
  Is there a SQL Developer option that allows me to set that search base?  Is there a configuration I'm missing on the LDAP server configuration?
  Thanks,
  -Mark

  Well, that didn't take long.  I managed to find a solution to the problem.
  It comes down to the fact that SQL Developer doesn't supply a search base, and my LDAP server didn't have a default search base defined.
  When I edited slapd.conf (the OpenLDAP config file) and added a "defaultsearchbase" parameter, and bounced the LDAP server, everything started to work.
  I now have a working configuration with OpenLDAP and SQL Developer.
  I'll mark this discussion as closed.
  -Mark

• ActiveSync with Certificate-Based Authentication

  We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
  What has been done so far:
  OWA over https works fine. A public, trusted certificate is in place.
  Setup ActiveSync against this Exchange server: works fine, using user name/password.
  Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
  Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
  Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
  After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
  The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
  Any help will be greatly appreciated.
  Roman.

  No-one with this experience?
  We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
  That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

• User authentication against LDAP - Non-AD

  Hi,
  We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
  ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
  ldapAuthentication.enabled = true
  ldapAuthentication.tryNextProviderIfNoAuthenticated = true
  ldapAuthentication.stopIfCommunicationError = true
  ldapAuthentication.url=ldap\://localhost:389/
  ldapAuthentication.rootContext=DC=test,DC=com
  ldapAuthentication.securityPrincipal=CN=Directory Manager
  ldapAuthentication.securityCredential.encrypted=password
  ldapAuthentication.keepContextPrefix=false
  ldapAuthentication.isAD=false
  ldapAuthentication.userAccountSearchKey=CN
  ldapAuthentication.firstNameSearchKey=givenName
  ldapAuthentication.lastNameSearchKey=sn
  Still I am getting while I try to login to OIA as an OUD user:
  WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
  Please help

  Hi Jcorker,
  According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
  In SSAS we can use the solution below achieve the requirement.
  1.Create new domain account and impersonate the web site with that.
  2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
  However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
  create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
  Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
  http://technet.microsoft.com/en-us/library/cc961481.aspx
  Regards,
  Charlie Liao
  If you have any feedback on our support, please click
  here.
  Charlie Liao
  TechNet Community Support

• Authenticating against both RDBMS and LDAP in WL6.0

  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate via LDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked to be
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt

  We are currently deployed on WL5.1 with a similar situation as you and in
  the process of migrating to WL6. We are Authenticating against LDAP and
  Authorizing against RDBMS. But I can't see how you could tell it to go
  one way for certain users and another for other users.
  The delegatingrealm in WL5 was intended to split the responsibility of
  Authenticating to one source and Authorization to another. To make this
  work for your Application of splitting internal and external users
  security, I suppose you can do it if you can somehow pass the information
  to the Security Realm the type of the user that is logging in. Maybe you
  can make this code a part of the userid such as ext_uersID or int_userID.
  Doing this will allow you to filter the where the users are coming from
  and Direct them to the appropriate security realm.
  As far as WL6 goes, the Delegating realm class is no longer available
  since the security model for WL6 is different from WL5. But you can take
  a look at what they did with the RDBMSrealm example and use that. This is
  what we did to make our Security work in WL6. However, you can no longer
  store ACLs in the RDBMS realm in WL6.
  Hopes this helps.
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  You will need to create a Custom Realm which delegates to both your RDBMS
  and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
  "Jonathan Thompson" <[email protected]> wrote in message
  news:3accf1a3$[email protected]..
  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate viaLDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked tobe
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  >
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt
  [att1.html]

• ASA VPN with LDAP authentication

  We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules makes this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
  The things we don't like about using RADIUS is the idea that IAS has to be configured as a middleman service, and sometimes IAS does not always successfully start after a system reboot (we are not sure why).
  We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
  The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
  Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?

  Hi,
  I believe that second option you've mentioned will work for you. Why? using that if you map single AD group to right cisco policy. then this will work the way you want; where absence means deny to other users.
  Here is con fig example you may try:
  Configuration for restricting access to a particular windows group on AD/LDAP
  group-policy noaccess internal
  group-policy noaccess attributes
  vpn-simultaneous-logins 0
  address-pools none
  ldap attribute-map LDAP-MAP
  map-name memberOf IETF-Radius-Class
  map-value memberOf
  aaa-server LDAP-AD protocol ldap
  aaa-server LDAP-AD host
  server-port 389
  ldap-base-dn
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn
  ldap-login-password
  server-type microsoft
  ldap-attribute-map LDAP-MAP
  group-policy internal
  group-policy attributes
  vpn-simultaneous-logins 3
  vpn-tunnel-protocol IPSec l2tp-ipsec ...
  address-pools value
  tunnel-group type remote-access
  tunnel-group general-attributes
  authentication-server-group LDAP-AD
  default-group-policy noaccess
  HTH
  JK
  -Plz rate helpful posts-

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• Heimdal with LDAP backend?

  Has anyone gotten the LDAP backend for Heimdal to work? I've recompiled Heimdal with ldap backend support, and I have LDAP all set up, but no matter what I do, when I run kadmin to init the realm, I get this:
  [arew264@Reno src]$ sudo kadmin -l
  kadmin> init LINUXLAB.FHS
  kadmin: hdb_open: ldap_sasl_bind_s: Can't contact LDAP server
  From what I've read, Heimdal connects to LDAP through the unix socket that LDAP creates when you start it with the option "-h ldapi://", but if I start it with this option, it crashes with a file not found error. I think it's trying to create a socket in the directory where it was built because it outputs this:
  [arew264@Reno slapd]$ sudo /usr/sbin/slapd -h ldapi:// -f /etc/openldap/slapd.conf -d 1023
  @(#) $OpenLDAP: slapd 2.3.40 (Jan 17 2008 23:58:45) $
  nobody@tygra:/build/src/openldap-2.3.40/servers/slapd
  daemon_init: ldapi://
  daemon_init: listen on ldapi://
  daemon_init: 1 listeners to open...
  ldap_url_parse_ext(ldapi://)
  daemon: bind(7) failed errno=2 (No such file or directory)
  slap_open_listener: failed on ldapi://
  slapd stopped.
  connections_destroy: nothing to destroy.
  [arew264@Reno slapd]$
  That nobody@tygra line... that must be from the package maintainer's computer because, as you can see, my box is named Reno.

  I answered my own question. Appending LDAPI:// to the server list tells OpenLDAP to create a unix socket at... /var/lib/openldap/run/ldapi. Apparantly it's a strange side effect of the configure options that TomK used.

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Issue with LDAP login authentication in CMC console

  We have a existing issues with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC Console.
  We use websphere as the application server and it is installed on the same machine (Solaris) as BOE.
  We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
  Both environment have configured LDAP over SSL and we can login to BOE Infoview Reports with LDAP and we can map groups and users if we login to CMC but we can not login to CMC with secLDAP.
  The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
  Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
  Any ideas are much appreciated
  Thankyou

  The CMC in XIR2 used com components for the SSL (rather than java like infoview) and I'm betting the WAS deployment is not finding them. Is WAS on a seperate server or is BOE installed there as well?
  I'm not familiar with any regular fixes for an issue like this. If no other replies I'd recommend opening a case with either deployment(WAS on "nix") or authentication(WAS on windows) to see if they can trace down the problem.
  Regards,
  Tim

• External Authentication with LDAP

  Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups, websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help.Thanks in advance!

  Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different.Also, has anyone done anything similar in visual basic? We have a shortage of v c++ skills around here.Thanks again!

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• NzrViewer with LDAP authentication

  Hello,
  is it possible to use the nzrViewer with some other authentication then ZCM Zone of password? We're in transit from Windows 2000 to Windows 7. And from ZEN7 to ZCM11. The Windows 2000 PC's are not in the ZCM zone, so there's no way to authenticate Remote Control sessions. Still all users are in eDir and ZCM has the user source to the same eDir.
  So will it be possible to Remote Control from an Windows 2000 PC to a Windows 7 PC in ZCM with use of eDir authentication.
  To get nzrViewer to work on W2K i just copied the files from a WXP PC. The MSI installer did not function on W2K
  Regards,
  Patrick

  petjez,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://www.novell.com/support and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Forums Team
  http://forums.novell.com

• [ SOLVED] Authentication against two openldap servers.

  Hi everyone.
  Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
  Regards.
  PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
  Last edited by Gruntz (2009-03-10 08:57:31)

  Hi,
  Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
  Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
  You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
  Good luck!
  /Rikard

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub