PAM config for LDAP and ssh

Hi
I'm trying to get ssh working with LDAP clients on Solaris 10. I have managed to configure the client so I can query the DS using ldaplist -l passwd and group, but now I'm scratching my head a little over the ssh/pam.conf side of things.
The goal is to have *NP in the password field for all users and use ssh-agents for authentication. User account info and RBAC data are held in LDAP. SSH-ing into a host configured as an LDAP client gets me this far; from the sshd output on the host I'm connecting to:
Found matching DSA key: 21:98:d1:9d:dd:d4:72:9d:c2:a5:20:40:16:27:4c:a9
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 10.3.52.128.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for asilc from 10.3.52.128 port 1966 ssh2
debug1: userauth-request for user asilc service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
Failed keyboard-interactive for user from 10.3.52.128 port 2109 ssh2
Received disconnect from 10.3.52.128: 14: No supported authentication methods available
Then I'm kicked out, as there's nothing left to do. It looks as if the key is accepted, but I think something in my PAM stack is then kicking me out.
The debug output for PAM gives me:
Jun 8 11:11:21 donatello sshd[5653]: [ID 206471 auth.debug] PAM[5653]: pam_acct_mgmt(80cbfa0, 0): error No account present for user
Jun 8 11:11:21 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:authtok)
Jun 8 11:11:26 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:conv)
Jun 8 11:11:26 donatello sshd[5653]: [ID 159459 auth.debug] PAM[5653]: pam_end(80cbfa0): status = No account present for user
The ssh lines in my pam.conf:
sshd account binding pam_ldap.so.1 debug
sshd password sufficient pam_ldap.so.1 debug
Lines in sshd_config:
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKBDInt no
Can anyone help point me in the right direction?

Do you see anything in your directory server access log? If not, there's probably something wrong on the sshd host.
Do you have the latest available patches for pam_ldap?
Are you sure of your PAM stack configuration? (Check this: http://download.oracle.com/docs/cd/E18752_01/html/816-4556/schemas-111.html)
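One detail worth checking against the pam.conf documentation linked above is which lines the failing pam_acct_mgmt call actually evaluated. Sun SSH opens a separate PAM service per authentication method (the debug output in the question shows "Starting PAM service sshd-pubkey"), and pam.conf(4) matches the service name in the first field exactly, falling back to the "other" entries only when a service has no line of a given module type. The script below is an added example and not part of the original thread: it embeds a constructed pam.conf modelled on the two sshd lines in the post, plus an "other" account stack in the style of the Solaris 10 default (an assumption, since the post does not show its "other" lines), and prints the stack PAM would walk for sshd versus sshd-pubkey.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective Solaris
# pam.conf stack for one PAM service and module type.
# Rule from pam.conf(4): field 1 must equal the service name exactly; if the
# service has no entry for the requested module type, the "other" entries of
# that type are used instead.

# Constructed sample: the two "sshd" lines from the post, plus assumed
# "other" lines in the style of the Solaris 10 default pam.conf.
SAMPLE_PAM_CONF='
# account management
sshd    account  binding    pam_ldap.so.1 debug
other   account  requisite  pam_roles.so.1
other   account  binding    pam_unix_account.so.1 server_policy
other   account  required   pam_ldap.so.1
# password management
sshd    password sufficient pam_ldap.so.1 debug
other   password required   pam_dhkeys.so.1
'

# pam_stack SERVICE TYPE -> prints the pam.conf lines PAM evaluates, in order.
# To inspect a real host, replace the printf with: cat /etc/pam.conf
pam_stack() {
    printf '%s\n' "$SAMPLE_PAM_CONF" | awk -v svc="$1" -v type="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }   # skip comments and blank lines
        $2 != type                 { next }   # only the requested module type
        $1 == svc                  { print; found = 1 }
        $1 == "other"              { other[++n] = $0 }
        END { if (!found) for (i = 1; i <= n; i++) print other[i] }'
}

# pam_stack_modules SERVICE TYPE -> just the module file names, space separated
pam_stack_modules() {
    pam_stack "$1" "$2" |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $4 } END { printf "\n" }'
}

# Compare what the "sshd" lines give against what sshd-pubkey actually gets.
for svc in sshd sshd-pubkey; do
    echo "== account stack for $svc =="
    pam_stack "$svc" account
done
```

Running it shows the sshd account line applying only to the sshd service, while sshd-pubkey falls through to the "other" account entries; a line written for "sshd" is therefore never consulted during a public-key login. The same lookup applies to every other module type, so the sshd password line in the post is likewise only reached by the service literally named sshd.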

Similar Messages

  • [svn] 3662: + add throttle configs for new and improved policy and other throttle features

    Revision: 3662
    Author: [email protected]
    Date: 2008-10-15 13:01:21 -0700 (Wed, 15 Oct 2008)
    Log Message:
    + add throttle configs for new and improved policy and other throttle features
    Modified Paths:
    blazeds/trunk/qa/apps/qa-regress/WEB-INF/flex/messaging-config.mods.xml

    How about the random pausing when streaming a movie from itunes that was converted from a DVD? I know myself, and, a few others from what i can see are experiencing this same issue. Anyone else?

  • Screen configs for DFP and TV

    Does anyone know how I can get Gnome to recognise my DFP as the primary screen and the TV out as the secondary?
    At the moment my login and mounted drives are showing up on my TV.
    Here is my xorg.conf.
    # File generated by xorgconfig.
    # Copyright 2004 The X.Org Foundation
    # Permission is hereby granted, free of charge, to any person obtaining a
    # copy of this software and associated documentation files (the "Software"),
    # to deal in the Software without restriction, including without limitation
    # the rights to use, copy, modify, merge, publish, distribute, sublicense,
    # and/or sell copies of the Software, and to permit persons to whom the
    # Software is furnished to do so, subject to the following conditions:
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
    # The X.Org Foundation BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
    # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
    # OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    # SOFTWARE.
    # Except as contained in this notice, the name of The X.Org Foundation shall
    # not be used in advertising or otherwise to promote the sale, use or other
    # dealings in this Software without prior written authorization from
    # The X.Org Foundation.
    # Refer to the xorg.conf(5x) man page for details about the format of
    # this file.
    # Module section -- this  section  is used to specify
    # which dynamically loadable modules to load.
    Section "Module"
    # This loads the DBE extension module.
        Load        "dbe"      # Double buffer extension
    # This loads the miscellaneous extensions module, and disables
    # initialisation of the XFree86-DGA extension within that module.
        SubSection  "extmod"
          Option    "omit xfree86-dga"   # don't initialise the DGA extension
        EndSubSection
    # This loads the font modules
        Load        "type1"
    #    Load        "speedo"
        Load        "freetype"
    #    Load        "xtt"
    # This loads the GLX module
        Load       "glx"
    # This loads the DRI module
    #    Load       "dri"
    EndSection
    # Files section.  This allows default font and rgb paths to be set
    Section "Files"
    # The location of the RGB database.  Note, this is the name of the
    # file minus the extension (like ".txt" or ".db").  There is normally
    # no need to change the default.
        RgbPath    "/usr/X11R6/lib/X11/rgb"
    # Multiple FontPath entries are allowed (which are concatenated together),
    # as well as specifying multiple comma-separated entries in one FontPath
    # command (or a combination of both methods)
        FontPath   "/usr/X11R6/lib/X11/fonts/misc/"
        FontPath   "/usr/X11R6/lib/X11/fonts/TTF/"
        FontPath   "/usr/X11R6/lib/X11/fonts/Type1/"
        FontPath   "/usr/X11R6/lib/X11/fonts/CID/"
        FontPath   "/usr/X11R6/lib/X11/fonts/75dpi/"
        FontPath   "/usr/X11R6/lib/X11/fonts/100dpi/"
        FontPath   "/usr/X11R6/lib/X11/fonts/local/"
    #    FontPath   "/usr/X11R6/lib/X11/fonts/Speedo/"
    #    FontPath   "/usr/X11R6/lib/X11/fonts/TrueType/"
    #    FontPath   "/usr/X11R6/lib/X11/fonts/freefont/"
    # The module search path.  The default path is shown here.
    #    ModulePath "/usr/X11R6/lib/modules"
    EndSection
    # Server flags section.
    Section "ServerFlags"
    # Uncomment this to cause a core dump at the spot where a signal is
    # received.  This may leave the console in an unusable state, but may
    # provide a better stack trace in the core dump to aid in debugging
    #    Option "NoTrapSignals"
    # Uncomment this to disable the <Crtl><Alt><Fn> VT switch sequence
    # (where n is 1 through 12).  This allows clients to receive these key
    # events.
    #    Option "DontVTSwitch"
    # Uncomment this to disable the <Crtl><Alt><BS> server abort sequence
    # This allows clients to receive this key event.
    #    Option "DontZap"
    # Uncomment this to disable the <Crtl><Alt><KP_+>/<KP_-> mode switching
    # sequences.  This allows clients to receive these key events.
    #    Option "Dont Zoom"
    # Uncomment this to disable tuning with the xvidtune client. With
    # it the client can still run and fetch card and monitor attributes,
    # but it will not be allowed to change them. If it tries it will
    # receive a protocol error.
    #    Option "DisableVidModeExtension"
    # Uncomment this to enable the use of a non-local xvidtune client.
    #    Option "AllowNonLocalXvidtune"
    # Uncomment this to disable dynamically modifying the input device
    # (mouse and keyboard) settings.
    #    Option "DisableModInDev"
    # Uncomment this to enable the use of a non-local client to
    # change the keyboard or mouse settings (currently only xset).
    #    Option "AllowNonLocalModInDev"
       Option      "DefaultServerLayout"   "MonitorTV"
       Option      "AllowMouseOpenFail"   "true"
       Option      "BlankTime"      "0"      # I don't like it
       Option      "NoPM"         "true"   # I don't like it too :-)
    EndSection
    # Input devices
    # Core keyboard's InputDevice section
    Section "InputDevice"
        Identifier    "Keyboard1"
        Driver    "kbd"
    # For most OSs the protocol can be omitted (it defaults to "Standard").
    # When using XQUEUE (only for SVR3 and SVR4, but not Solaris),
    # uncomment the following line.
    #    Option     "Protocol"      "Xqueue"
        Option "AutoRepeat" "500 30"
    # Specify which keyboard LEDs can be user-controlled (eg, with xset(1))
    #    Option    "Xleds"      "1 2 3"
    #    Option "LeftAlt"     "Meta"
    #    Option "RightAlt"    "ModeShift"
    # To customise the XKB settings to suit your keyboard, modify the
    # lines below (which are the defaults).  For example, for a non-U.S.
    # keyboard, you will probably want to use:
    #    Option "XkbModel"    "pc102"
    # If you have a US Microsoft Natural keyboard, you can use:
    #    Option "XkbModel"    "microsoft"
    # Then to change the language, change the Layout setting.
    # For example, a german layout can be obtained with:
    #    Option "XkbLayout"   "de"
    # or:
    #    Option "XkbLayout"   "de"
    #    Option "XkbVariant"  "nodeadkeys"
    # If you'd like to switch the positions of your capslock and
    # control keys, use:
    #    Option "XkbOptions"  "ctrl:swapcaps"
    # These are the default XKB settings for Xorg
    #    Option "XkbRules"    "xorg"
    #    Option "XkbModel"    "pc101"
    #    Option "XkbLayout"   "us"
    #    Option "XkbVariant"  ""
    #    Option "XkbOptions"  ""
    #    Option "XkbDisable"
        Option "XkbRules"    "xorg"
        Option "XkbModel"    "microsoft"
        Option "XkbLayout"    "us"
    EndSection
    # Core Pointer's InputDevice section
    Section "InputDevice"
    # Identifier and driver
        Identifier    "Mouse1"
        Driver    "mouse"
        Option "Protocol"    "IMPS/2"
        Option "Device"      "/dev/input/mice"
        Option         "Buttons" "5"
        Option         "ZAxisMapping" "4 5"
        Option         "Emulate3Buttons" "no"
    # Mouse-speed setting for PS/2 mouse.
    #    Option "Resolution"    "256"
    # When using XQUEUE, comment out the above two lines, and uncomment
    # the following line.
    #    Option "Protocol"    "Xqueue"
    # Baudrate and SampleRate are only for some Logitech mice. In
    # almost every case these lines should be omitted.
    #    Option "BaudRate"    "9600"
    #    Option "SampleRate"    "150"
    # Emulate3Buttons is an option for 2-button Microsoft mice
    # Emulate3Timeout is the timeout in milliseconds (default is 50ms)
    #    Option "Emulate3Buttons"
    #    Option "Emulate3Timeout"    "50"
    # ChordMiddle is an option for some 3-button Logitech mice
    #    Option "ChordMiddle"
    EndSection
    # Other input device sections
    # this is optional and is required only if you
    # are using extended input devices.  This is for example only.  Refer
    # to the xorg.conf man page for a description of the options.
    # Section "InputDevice"
    #    Identifier  "Mouse2"
    #    Driver      "mouse"
    #    Option      "Protocol"      "MouseMan"
    #    Option      "Device"        "/dev/mouse2"
    # EndSection
    # Section "InputDevice"
    #    Identifier "spaceball"
    #    Driver     "magellan"
    #    Option     "Device"        "/dev/cua0"
    # EndSection
    # Section "InputDevice"
    #    Identifier "spaceball2"
    #    Driver     "spaceorb"
    #    Option     "Device"        "/dev/cua0"
    # EndSection
    # Section "InputDevice"
    #    Identifier "touchscreen0"
    #    Driver     "microtouch"
    #    Option     "Device"        "/dev/ttyS0"
    #    Option     "MinX"          "1412"
    #    Option     "MaxX"          "15184"
    #    Option     "MinY"          "15372"
    #    Option     "MaxY"          "1230"
    #    Option     "ScreenNumber"  "0"
    #    Option     "ReportingMode" "Scaled"
    #    Option     "ButtonNumber"  "1"
    #    Option     "SendCoreEvents"
    # EndSection
    # Section "InputDevice"
    #    Identifier "touchscreen1"
    #    Driver     "elo2300"
    #    Option     "Device"        "/dev/ttyS0"
    #    Option     "MinX"          "231"
    #    Option     "MaxX"          "3868"
    #    Option     "MinY"          "3858"
    #    Option     "MaxY"          "272"
    #    Option     "ScreenNumber"  "0"
    #    Option     "ReportingMode" "Scaled"
    #    Option     "ButtonThreshold"       "17"
    #    Option     "ButtonNumber"  "1"
    #    Option     "SendCoreEvents"
    # EndSection
    # Monitor section
    # Any number of monitor sections may be present
    Section "Monitor"
        Identifier  "Hitachi CML174"
        HorizSync   24-80
        VertRefresh 56-75
    EndSection
    Section "Monitor"
        Identifier   "Teac TV"
        HorizSync   30-50
        VertRefresh   60
    EndSection
    # Graphics device section
    Section "Device"
        Identifier  "Nvidia Ti4400"
        Driver "nvidia"
        Option      "NoLogo"          "true"
        Screen      0
        BusID       "PCI:01:05:0"       
    EndSection
    Section "Device"
        Identifier  "Nvidia Ti4400TvOut"
        Driver "nvidia"
        Option      "NoLogo"          "true"
        Screen      1
        BusID       "PCI:01:05:0"       
    EndSection
    # Screen sections
    # Any number of screen sections may be present.  Each describes
    # the configuration of a single screen.  A single specific screen section
    # may be specified from the X server command line with the "-screen"
    # option.
    Section "Screen"
        Identifier  "DFP"
        Device      "Nvidia Ti4400"
        Monitor     "Hitachi CML174"
        DefaultDepth 24
        Subsection "Display"
            Depth       8
            Modes       "1280x1024" "1024x768" "800x600" "640x480"
        ViewPort    0 0     
        EndSubsection
        Subsection "Display"
            Depth       16
            Modes       "1280x1024" "1024x768" "800x600" "640x480"
        ViewPort    0 0
        EndSubsection
        Subsection "Display"
            Depth       24
            Modes       "1280x1024" "1024x768" "800x600" "640x480"
        ViewPort    0 0
        EndSubsection
    EndSection
    Section "Screen"
        Identifier   "TV"
        Device       "Nvidia Ti4400TvOut"
        Monitor      "Teac TV"
        DefaultDepth  24
        Subsection "Display"
            Depth       24
            Modes       "1024x768" "800x600" "640x480"
       EndSubsection
    EndSection
    # ServerLayout sections.
    Section "ServerLayout"
        Identifier  "MonitorTV"
        Screen 0 "TV"
        Screen 1 "DFP" LeftOf "TV"
        InputDevice "Mouse1" "CorePointer"
        InputDevice "Keyboard1" "CoreKeyboard"
    EndSection
    # Section "DRI"
    #    Mode 0666
    # EndSection
    I have TVout and DFP running but need to get the screens around the other way and am stuck on how.  Wish Nvidia would get a nice version of Nview going with their Linux Driver.   :cry:

    Thanks for the reply dp but alas, no go on swaping the server config around.  As per you instructions I still get the DFP as the 0.1 display device but with the resolution of the tv.  I have tried a few combinations but no go.
    Is there a way I can tell gnome to use the other screen instead?  The screens aside work fine other than the TV being my primary.

  • Cisco Prime 2.1.2 auto sync config for switches and Routers

    hello Support,
    how to configure auto sync config in CPI? when the customer make a changes in the switches and Routers, the customer expect a new version of the configuration in CPI immediately. but we are getting the new version after 10 minutes. if we not configure in the switches and Routers to send syslog we are not getting anything.
    where we have to configure in CPI to get the new versions immediately?
    thanks!

    Make sure you have completed the recommended preparation steps given in Before You Begin Installing the Patch.
    If you are not using the Prime Infrastructure High Availability (HA) feature, follow the steps in Installing the Patch instead of the steps below.
    If your current Prime Infrastructure implementation has High Availability enabled, follow the steps below to install the patch. You must start the patch installation with the primary server in “Primary Active” state and the secondary server in “Secondary Syncing” state.
    Patching of the primary and secondary servers takes approximately one hour. During that period, both servers will be down. If you have trouble at any point, see Troubleshooting Patch Installs in HA Implementations.
    Step 1 Ensure that your HA implementation is enabled and ready for update:
    a. Log in to the primary server using an ID with Administrator privileges.
    b. Select Administration > System Settings > High Availability , The primary server state displayed on the HA Status page should be “Primary Active”.
    c. Select HA Configuration . The current Configuration Mode should show “HA Enabled”.
    d. The Failover Type must be set to “Manual” throughout the patch installation. If Failover Type is currently set to “Automatic”, select “Manual” and then click Save .
    e. Access the secondary server’s Health Monitor (HM) web page by pointing your browser to the following URL:
    https:// <ServerIP> :8082
    where ServerIP is the IP address or host name of the secondary server.
    f. You will be prompted for the authentication key entered when HA was enabled. Enter it and click Login .
    g. Verify that the secondary server state displayed on the HM web page is “Secondary Syncing”.
    Step 2 Download the patch:
    a. Point your browser to the software patches listing for Cisco Prime Infrastructure 2.1.
    b. Click the Download button for the Release 2.1.2 patch file (pi212_20141118_01.ubf), and save the file locally.
    Step 3 Install the patch on the secondary server:
    a. Access the secondary server’s HM web page by pointing your browser to the following URL:
    https:// <ServerIP> :8082
    where ServerIP is the IP address or host name of the secondary server.
    b. You will be prompted for the authentication key entered when HA was enabled. Enter it and click Login .
    c. Choose the HM web page’s Software Update link. You will be prompted for the authentication key a second time. Enter it and click Login again.
    d. Click Upload Update File and browse to the location where you saved the patch file.
    e. Click OK to upload the patch file.
    f. When the upload is complete: On the Software Upload page, verify that the Name, Published Date and Description of the patch file are correct.
    g. Select the patch file and click Install . When the installation is complete, you will see a popup message confirming this.
    h. After the installation is complete on the secondary server, verify that the Software Updates page shows:
    – In the “Installed” column: A “Yes” opposite the listing for this patch.
    – In the “Pending Restart” column: A “Yes” for the secondary server. Do not restart the secondary server at this point.
    Step 4 Install the patch on the primary server:
    a. Log in to the primary server using an ID with administrator privileges and choose Administration > Software Update .
    b. Click Upload Update File and browse to the location where you saved the patch file.
    c. Click OK to upload the patch file.
    d. When the upload is complete: On the Software Upload page, verify that the Name, Published Date and Description of the patch file are correct.
    e. Select the patch file and click Install . When the installation is complete, you will see a popup message confirming this.
    f. After the installation is complete on the primary server, verify that the Software Update page shows:
    – In the “Installed” column: A “Yes” opposite the listing for this patch.
    – In the “Pending Restart” column: A “Yes” for the primary server. Do not restart the primary server at this point.
    Step 5 Stop the servers in the following sequence, using the commands explained in Running Commands:
    a. On the secondary server, run the ncs stop command.
    b. On the primary server, run the ncs stop command.
    Step 6 Re-start and monitor the servers in the following sequence, using the commands explained in Running Commands:
    a. On the secondary server, run:
    – The ncs start command to restart the secondary server. Wait for the processes on the secondary to restart.
    – The ncs status command to verify that the processes on the secondary have re-started.
    – The ncs ha status command to verify that the secondary state is “Secondary Lost Primary”.
    b. Once the secondary server is in “Secondary Lost Primary” state: On the primary server, run:
    – The ncs start command to restart the primary server. Wait for the processes on the primary to restart.
    – The ncs status command to verify that the primary’s Health Monitor and other processes have re-started.
    Once all the processes on the primary are up and running, automatic HA registration will be triggered. This normally completes after a few minutes.
    Step 7 Once registration completes, verify the patch installation as follows:
    a. Run the ncs ha status command on both the primary and secondary servers. You should see the primary server state change from “HA Initializing” to “Primary Active”. You should see the secondary server state change from “Secondary Lost Primary” to “Secondary Syncing”.
    b. Log in to the primary server and access its Software Update page as you did earlier. The “Installed” column should show “Yes” and the “Pending Restart” column should show “No” for the installed patch.
    c. Access the secondary server’s Health Monitor page as you did earlier. The “Installed” column should show “Yes” and the “Pending Restart” column should show “No” for the installed patch.

  • Which Mac Pro config for PShop (and others)

    Which processor config is best for Pshop multitaskers? Looking to choose a (new) Mac Pro. I am primarily a photo retoucher & photographer (in that order) But I also push my system doing 3D renderings, and often streaming Pandora while I work. Another forum offered suggestions to get the Quad core -and choose the 3.33Ghz 6 core "Westmere" (+ $1200) --as opposed to my first choice, which was the 8 Core w/two 2.4 Ghz "Westmere" processors. My goal is to keep the total cost under $4K -including additional RAM + ATI Radeon HD 5870. I chose the 8 core unit for the added RAM capability, and I thought that 8 cores would help when running multiple apps. But other posters had opined that since most apps -including Pshop (CS5) DON'T take advantage of multiprocessing the faster single processor w/6 cores would take the lead. I am a pro retoucher, and am often working multiple VERY large layered files. I do NOT do animation or video. I am also thinking of waiting for the next Mac Pro update -which past history suggests a possible late spring (2011) rollout. ( I wouldn't want a laptop as I work exclusively at my own studio, and want as much horsepower + longevity as I can afford)
    Opinions appreciated -esp. real world tests using CURRENT Mac Pros. Thanks!

    Yes, for best memory bandwidth performance, use 8 DIMMs, and it doesn't matter much what your mix and match is (other than certified of course for Mac Pro).
    http://www.barefeats.com/harper3.html
    No need to every discard the Apple memory until you get the urge to go to more than 8GB. Buying a full set of same and same time insures that they are less likely to deviate or have enough difference to cause trouble (even Crucial batches vary a bit).
    I prefer TechWorks as a cut above, quality is good as it gets, comparable to Micron.
    http://eshop.macsales.com/search/MatchedSets:+800Mhz+MacPro
    The older Mac Pro was more trouble to get an ideal setup.

  • Advice needed on backup config. for Mac and Windows XP

    I'm trying to work out my best options for configuring a way to backup both my Mac and XP machines and at the same time use a hard-drive as a type of media server (or at least somewhere to hold shared photos etc).
    Current hardware is:
    - MacBook connected to wireless router
    - XP laptop connected to wireless router
    - XP desktop connected to router via ethernet
    - PS3 connected to wireless router
    - iPod touch connected to wireless router
    Am I right in thinking that Time Machine with Time Capsule will back-up my Mac but not in a way that makes the files on it accessible to other devices on the network. If that's the case then would I also need to copy any shared media separately? I guess I would also need separate software to back-up the XP machines.
    What format would I need to use to hold files accessible to both systems?
    Could I use TC to hold a shared iTunes library? Even if the music is currently held separately on XP and Mac?
    All advice/bright ideas welcome. Obvious alternative is just to get hold of an external USB2 hard drive and move it around.

    An MSDOS formatted drive should not be used for OS X backups. If you need to do PC backups then I would suggest a separate external drive. Otherwise, format the drive for use with OS X (Mac OS Extended.) Get MacDrive (Media Four) for the PC which enables Windows to read/write Mac drives.
    Alternatively if you think you are sufficiently skilled you can try the technique outlined here for creating HFS+ and FAT32 partitions on one drive.

  • Cisco ISE protocols for ldap and Windows wireless client

    Only the protocols below are supported by ise in combination with ldap identity sources.
    EAP-GTC, PAP, EAP-TLS, PEAP-TLS.
    Mac OS devices seem to be able to use these but Windows users seem to be having problems. How should windows users connect with ise that only uses ldap?

    Mathieu,
    Take a look at the user guide for NAM -
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    You will see the protocols support like GTC that should allow you not to have to deploy certs.
    Thanks.
    Tarik Admani
    *Please rate helpful posts*

  • LDAP and OID

    FYI: I am new to Oracle (<1 month), and new to APEX (<3 weeks) so forgive me if I am asking the obvious.
    I would like to have APEX authenticate against LDAP (active directory), and went about trying to set that up. Got all AD settings from our sys admin, and then tried them in the LDAP test tool. I kept getting " Authentication failed!" no matter what I did. Due to the detailed nature of that error message, I started trying to track down every possible avenue so I talked to one of our DBA's about DBMS_LDAP.SIMPLE_BIND_S. The answer I got back was that we don't have access to it because it is part of OIN which we would have to pay outrageous amounts of money for if we wanted to use it. Not likely to happen, so I was hoping that there was another way to authenticate APEX via LDAP.
    Any suggestions would be most helpful.

    John - DBMS_LDAP is not part of OID so you can use it as part of your existing database product installation. Search this forum for LDAP and AD and you'll find lots of discussions about what you are trying to do.
    Also, just to clarify, you're not trying to authenticate Application Express using AD, you'll be authenticating users to your application (essentially a PL/SQL application in the database) using account information stored in AD. The authentication code that gets executed will belong to your application.
    Scott

  • Setting up ldap and enabling sso for disussion service

    How to do setup of discussion service site so that user base of the discussion site uses an external ldap like OID? It was very easy with Jive(on which oracle's version si based). It was done at the time of installation.
    I thought of using system properties that were defined for jive and using the same for oracle's disussion service but not sure what values I can provide for UserManager and GroupManager. I tried giving the same values as that we used in Jive but after restarting the WLS_Services the login function was not working at all. Is there a document that helps in doing this setup.
    Also, do we have a document on how to enable SSO with discussion services site?
    -Pratap

    I figured out how to do ldap settings for discussions. It is the same approach as that of jive. Go to C:\OracleMiddlewareHome\user_projects\domains\base_domain\config\fmwconfig\servers\WLS_Services\owc_discussions_11.1.1.2.0 and edit the jiveStartup.xml. Change to contain <setup>true</setup> to <setup>false</setup> . And log in to discussion site using the http://localhost:8890/owc_discussions. This will let you go through setup process where we can give the ldap settings.
    Can someone please help us in working with SSO?
    -Pratap

  • Sgd + ldap auth + ssh and numeric usernames

    Hi there, sorry if there is a well known answer to my problem, bu tI have not found it.
    anyway, We have a problem where our customer wants to use purelly numeric usernames to logg in to secure global desktop
    From the point of secure global desktop we don't have any problems with this, the problem happens later on with the ssh to solaris (which is set up with ldap authentication) in that I have not been able to get purely numerical logins to work with solaris pam_ldap. Now some of you think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
    My question is simple, can SGD use a "different" username taken from ldap after it has logged in the user instead of the username tha tthe user provided.
    ex.
    the user loggs in to SGD with the username 173651
    when starting the application , instead of logging in to the application server (via ssh) with username 173651 it should take an other field from ldap that holds the solaris username.
    thanks for any answers and hints.

    Sorry, but you missunderstood my question a bit :-)
    What you suggest is a way for the users to type in an other username after logged in to Secure Global desktop, tha tis now what we want
    We want this to be done automaticly for us.
    First we have changed a bit how the login procedure works, when the user surfs to the SGD server they will not be presented with any choices, they wil be presented with a single login screen, when they have logged in SGD will automaticly start our application.
    the problem we have is that we want to use only digits as the login name in SGD, but unforutunally Solaris have some problems with using digits alone in usernames (and especially usernames longer then 8 characters)
    so I was hoping that SGD could read from LDAP (we are using LDAP user store, not UNIX) another value that it would use to login to the app server thorugh SSH
    for example, when logging in to SGD it loggs in towards the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
    If this cannot be done in Secure global Desktop, I think we will look at using a third party authenticator that can do what we want (hopefully OpenSSO can do this)

  • How to use the same services-config for the local and remote servers.

    My Flex project works fine using the below, but when I upload my Flash file to the server it doesn't work; all the relative paths and files are the same, except that the remote one is a Linux server.
    <?xml version="1.0" encoding="UTF-8"?>
    <services-config>
        <services>
            <service id="amfphp-flashremoting-service"
                class="flex.messaging.services.RemotingService"
                messageTypes="flex.messaging.messages.RemotingMessage">
                <destination id="amfphp">
                    <channels>
                        <channel ref="my-amfphp"/>
                    </channels>
                    <properties>
                        <source>*</source>
                    </properties>
                </destination>
            </service>
        </services>
        <channels>
        <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
        </channels>
    </services-config>
    I think the problem is the line
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
    but I'm not sure how to use the same services-config for the local and remote servers.

    paul.williams wrote:
    You are confusing "served from a web server" with "compiled on a web server". Served from a web server means you are downloading a file from the web server; it does not necessarily mean that the file has been generated / compiled on the server.
    The server.name and server.port tokens are replaced at runtime (i.e. on the client, when the swf has been downloaded and is running), not at compile time (i.e. while mxmlc / ant / the web-tier compiler is running). You do not need to compile on the server to take advantage of this.
    Hi Paul,
    In Flex, there is a feature that lets the developer put all of the services-config.xml configuration information into the swf file, with
    -services=path/to/services-config.xml
    IF
    services-config.xml
    has tokens in it and the user has not specified an additional
    -context-root
    and this swf file is not served from a web app server (like Tomcat, for example), then it will not work.
    The Flash Player has no possible way to replace the token values of the services-config.xml file during runtime if that services-config.xml file has been baked into the swf file during compilation.
    For example, during development you can launch your swf file from your browser with the file:// protocol and still be able to access BlazeDS services if
    -services=path/to/services-config.xml
    has been specified during compilation.
    I don't know any better way to explain this, but in summary there are two places where you can tell the swf about the service configuration:
    1) pass the -services=path/to/services-config.xml parameter to the compiler; this way you tell the swf file up front about all that good stuff,
    or 2) you put that file on the web server (in this case, yes, you should have replacement tokens in that file) and they will be replaced at runtime.
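    As an added illustration (not a file from the original posts), here is the questioner's channel definition rewritten with the runtime tokens the reply describes, kept next to the hardcoded localhost endpoint for comparison. The context root "domainn.org" and the gateway path are taken from the question; {server.name}, {server.port} and {context.root} are the standard Flex services-config tokens. The token form assumes the swf is loaded over HTTP from the host that runs the gateway, so the Flash Player can fill in server.name and server.port from the swf's own URL; it does not work from file://, which is exactly the case the reply warns about.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's file. -->
<services-config>
    <services>
        <service id="amfphp-flashremoting-service"
            class="flex.messaging.services.RemotingService"
            messageTypes="flex.messaging.messages.RemotingMessage">
            <destination id="amfphp">
                <channels>
                    <channel ref="my-amfphp"/>
                </channels>
                <properties>
                    <source>*</source>
                </properties>
            </destination>
        </service>
    </services>
    <channels>
        <!-- Hardcoded endpoint from the question. It is baked into the swf at
             compile time, so on the deployed host the client still tries to
             reach the gateway on the browser's own machine and fails.
        <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php"
                      class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
        -->
        <!-- Portable form. {server.name} and {server.port} are filled in by the
             Flash Player at runtime from the URL the swf was loaded from;
             {context.root} is substituted at compile time from the
             -context-root compiler argument. -->
        <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
            <endpoint uri="http://{server.name}:{server.port}/{context.root}/amfphp/gateway.php"
                      class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
    </channels>
</services-config>
```

    Compile with `mxmlc -services=services-config.xml -context-root=domainn.org Main.mxml`; the same swf then resolves the gateway on localhost during development and on the Linux host once uploaded, and because the endpoint follows the swf's own origin the remoting calls stay same-origin, so no crossdomain.xml is needed for them.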

  • [Solved for me]Distinguishing SSH and SFTP (for QoS purposes)

    Hi there,
    I'm thinking about shutting down the FTP on my home server and using SFTP instead. There is only one thing I couldn't solve so far: in my router I have QoS rules that make FTP low-priority traffic so my normal activities don't get affected by the file transfers. I would like to have the same setup for SFTP. Now the problem is this: SFTP and SSH both come from the same ssh server, listening on port 22, so there is no way of distinguishing them on an IP/port basis. Is there any way of distinguishing SFTP and SSH? Like using iptables to tag one of them and then doing QoS based on the tag, or something along those lines? I don't want to slow down my ssh connections together with the sftp. If anyone has an idea how to accomplish this I would be really glad to hear about it.
    Thanks in advance
    seiichiro0185
    Last edited by seiichiro0185 (2010-08-22 11:27:32)

    briest wrote: Well, a simple, though definitely not bulletproof solution: define multiple ports in sshd_config, then use one of them for sftp and another for ssh?
    Thanks for this hint, I didn't know that ssh could listen on multiple ports. It's not totally bulletproof, but good enough for my case. The only people who will have access to the server are trustworthy and won't fiddle with the settings to circumvent my restrictions.
    Thanks to all of you for your suggestions.
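    An added example of the two-port setup briest suggests; it is not from the original thread, and the port number 2222 is an arbitrary choice. OpenSSH newer than what this 2010 thread would have used can do one better than merely listening twice: a Match block keyed on LocalPort forces every session on the second port into the in-process SFTP server, so a login there can never obtain a shell, a TTY or a forwarded port, while the usual port stays unrestricted. It is still not bulletproof in the other direction, because nothing stops a user from running sftp against port 22, which is the gap briest mentioned.

```text
# /etc/ssh/sshd_config (added example; 2222 is an arbitrary port choice)

# Interactive SSH stays on 22; bulk SFTP transfers go to 2222.
Port 22
Port 2222

# SFTP subsystem served in-process, no external sftp-server binary needed.
Subsystem sftp internal-sftp

# Match blocks must come last. Anything that arrives on the SFTP port is
# forced into the SFTP server and gets no shell, TTY or forwarding.
Match LocalPort 2222
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

    Check the file with `sshd -t` before restarting sshd, then connect with `sftp -P 2222 host`; the router's QoS rule that used to match FTP's ports now simply matches TCP destination port 2222, with no iptables marking required.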

  • How to disable SSLv3 and keep only TLS for LDAP connection.

    Hi,
    I'm planning to keep only TLSv1.2 for LDAP connections.
    I tried to set LDAP_OPT_SSL_INFO in the LDAP session options using a SecPkgContext_ConnectionInfo structure with dwProtocol SP_PROT_TLS1_2_CLIENT (as described here: https://social.msdn.microsoft.com/Forums/en-US/7544226d-97e1-4dae-a377-e382c2281e91/how-to-set-up-tls-in-ldap-connection?forum=vcgeneral),
    but it returns LDAP_PARAM_ERROR.
    I tried to call this function directly after ldap_sslinit/ldap_init and before ldap_connect(), without success; I tried to use other parameters with default values, I tried to initialize them with 0/other possible values, and also no success.
    How can I do this?
    Thanks for your advice.

    LDAP_PARAM_ERROR
    https://msdn.microsoft.com/en-us/library/aa367026(v=vs.85).aspx
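    A caveat and an added example, not from the thread. In wldap32, LDAP_OPT_SSL_INFO is documented as a retrieve-only session option: after ldap_connect() you read the negotiated SecPkgContext_ConnectionInfo with ldap_get_option and can check dwProtocol, but ldap_set_option rejects the option, which is the LDAP_PARAM_ERROR the question reports. Which protocol versions wldap32 is willing to negotiate is decided by the machine's Schannel policy rather than per session, so "TLS 1.2 only" is configured there. The PowerShell below (assumed: run elevated on the Windows client) disables SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 on the client side of that policy and leaves TLS 1.2 enabled. It is a machine-wide change that affects every Schannel client on the host, not only LDAP, and takes effect after a reboot, so try it on one machine first.

```powershell
# Added example: restrict Schannel client-side protocols to TLS 1.2 only.
# Machine-wide setting; run elevated; a reboot is needed for it to apply.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelClientProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,    # e.g. 'SSL 3.0'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $key = Join-Path (Join-Path $base $Name) 'Client'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off
    # even for callers that ask for the default protocol set.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value $(if ($Enabled) { 0 } else { 1 }) -Force | Out-Null
}

foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelClientProtocol -Name $p -Enabled $false
}
Set-SchannelClientProtocol -Name 'TLS 1.2' -Enabled $true

# Print the resulting client-side policy for review.
Get-ChildItem $base | ForEach-Object {
    $client = Join-Path $_.PSPath 'Client'
    if (Test-Path $client) {
        $v = Get-ItemProperty $client
        '{0,-8} Enabled={1} DisabledByDefault={2}' -f $_.PSChildName, $v.Enabled, $v.DisabledByDefault
    }
}
```

    After the reboot, verify from the application by calling ldap_get_option with LDAP_OPT_SSL_INFO on a connected session and checking that dwProtocol is SP_PROT_TLS1_2_CLIENT; a directory server that only offers TLS 1.0 will now fail at ldap_connect(), which is the intended outcome, so confirm the server side supports TLS 1.2 before rolling this out.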

  • How to config the user and role in the runtime for executing in the GP?....

    Hi Experts,
    I am learning GP (Guided Processor) according to the document
    http://help.sap.com/saphelp_nw70/helpdata/en/44/0d5b8f250d5cfae10000000a155369/frameset.htm
    I have two questions while learning GP.
    The first:
    This document doesn't tell me how to configure the member framework of the company. After I design the GP, I have to configure the user and role at runtime for execution. I hope I can use WDA (Web Dynpro for Java) to implement configuring the user for execution at runtime, so that the customer doesn't have to configure the user when running the GP. But I don't know how to do this.
    I need a step-by-step document that tells me how to do this.
    The second:
    If I use the workflow in the GP, I have to install and configure the NWDI (NetWeaver Development Infrastructure). Now I have installed the NWDI, but I don't know how to configure it so that I can download it to my machine to develop the workflow in the GP.
    Can you give me some hints? Thanks a lot.
    Thanks a lot.
    Best regards,
    tao

    Hi Mithu,
    Thanks a lot for your help in advance.
    I have carefully read the document: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6b66d7ea-0c01-0010-14af-b3ee523210b5.
    Now I think I have to set the processor of every action in every process if I use the GP for processing the workflow.
    I would rather be able to set the processor to the role for every action in every process at runtime, by getting the organizational structure in WDA (Web Dynpro for Java), so that the customer doesn't have to set the processor to the role for every action in every process when running the GP. I don't know how to do this.
    Is this function not supported in the GP? If so, I have to configure two organizational structures: one in R/3 and one in the Portal. I don't think our customer will accept this solution.
    Can you give me some hints? Thanks a lot. My email: [email protected]
    Thanks again.
    Thanks & Regards,
    Tao

  • LDAP realm for authentication and ACL in Database

    We are thinking of using the LDAP realm for authentication, and we want to use ACLs from a database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file."
    Can we use the LDAP realm for authentication and manage our ACLs from a database, or do we have to use the weblogic.properties file? Does the WebLogic security API help in the above scenario? Thanks, Ram

    Unfortunately, there is no easy way to do this in wls 6.0.
    The only way to handle it is to write your own custom realm
    that uses ldap for users and groups and a database for acls -
    probably not a viable alternative.
    -Tom
    "kevin doherty" <[email protected]> wrote:
    > Jeffrey Hirsch <[email protected]> wrote:
    > > You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
    > I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
    > Thanks!
    > -kd
