Pass-thru authentication against AD

Hellos,
When using pass-thru authentication against the AD resource, the manual suggests that the user enters the complete DN of his/her AD account as the IDM login ID!!
Can it be arranged so that the user only needs to enter the samaccountname and not the complete DN.
I mean, samaccountnames are as unique as DNs. A simple lookup to get DN (if samaccountname is found) is all that is needed.
When shown to customers, they express horror when it is suggested that to login to IDM they have to type 50 odd characters!
Does any customer willingly USE pass-thru where they have to (correctly) type in such a lengthy string.

The answer is yes, you can use samaccountname. Your deployment may necessitate additional configuration to make this happen.
In our case, the samaccountname is the same as the IDM accountId. When the user logs in, IDM finds the user object and then uses the password against the AD account linked to the user.
If the accountId and samaccountname are not the same, then you could use a Login correlation rule to find the IDM user which has that samaccountname.
As far as anyone using the full DN to login with, I've never seen anyone do it. Our users certainly wouldn't stand for it, and I think that's the case most places.
Jason

Similar Messages

  • Pass thru authentication error message customization

    Dear All,
    I'm trying to customize the error messages displayed during the authentication failure.
    Users are authenticated against the AD i.e. pass thru authentication.
    I'm not able to customize the error messages.
    I have searched in WPmessgaes and RAMessages file. no success.
    following is error:
    AD (Windows Active Directory):Error: missing required authentication information: 'password'
    new error msg that I want to display:
    Error: Invalid login credential, please try again.
    Kindly share your ideas and experience on same.
    Thanks in advance.
    Cheers:
    Amar

    We've had that problem. We opened a ticket with Sun and they confirm it as bug in 7.1.

  • Pass-Thru Authentication OIM 11g

    Is there any documentation on configuring pass-thru authentication in OIM to an AD or LDAP instance?
    Thanks

    Apparently, this does not exists for OIM. I need to put a OAM instance in front of OIM in order to authenticate against AD

  • PAss thru authentication from solaris 2.9 proxy 36sp2 - iws 6 sp5

    hi,
    we have a scenario where user's are authenticated at the proxy, then when they access a protected web dir they are authenticated again (the auth window pops up etc)..
    given that both these authneticate from the same directory is it possible to pass thru the authentication so that the window does not pop up twice?
    thanks

    Hi
    This as per the HTTP/1.1 RFC (RFC2616)
    The Connection general-header field allows the sender to specify options that are desired for that particular connection and MUST NOT be communicated by proxies over further connections.
    The Connection header has the following grammar:
    Connection = "Connection" ":" 1#(connection-token)
    connection-token = token
    HTTP/1.1 proxies MUST parse the Connection header field before a message is forwarded and, for each connection-token in this field, remove any header field(s) from the message with the same name as the connection-token. Connection options are signaled by the presence of a connection-token in the Connection header field, not by any corresponding additional header field(s), since the additional header field may not be sent if there are no parameters associated with that connection option.
    Read the following at
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.3
    and
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10
    Regards
    Nagendra HK

  • OIM - pass thru authentication?? Possible?

    Hi all,
    While I am intending to use OIM 9.0.3 for provisioning/de-provisioning. I am thinking of some sort of pass through authentication to the existing AD, thus, my users do not have to remember another set of username/pw.
    Is that at all possible? If not, what would be your approach? Having OID running behind (that is not in the plan right now)? Does even OID have pass through type capability like Sun Java DS?

    Thanks kevinp.
    If I understand your suggestion correctly, rather than passing the authentication responsibility to AD, it is indeed staying within OIM. The only difference is that pwd sync just saves the users from remembering two sets of username/pwd. Correct?

  • Authentication against users in a table

    I am somewhat familiar with JAZN authentication but here is what I need to do and would GREATLY appreciate as much details as you can provide:
    Say, I have a table USERS(USER_ID, NAME, ...) and several other tables in the DB. Let's say I have another table ADDRESS(ID, USER_ID, ADDRESS, ...). Several things needs to be done:
    1. When user attempts to access a Input Form page to add new record in ADDRESS, a login screen should appear. I KNOW how to do this with either basic or form based authentication. However in this case user credentials will be stored using jazn tool.
    2. Since I need USER_ID to be passed to my Input Form page I believe that I cannot use jazn for this, but rather to authenticate against my USERS table. How?
    3. In this case (authentication against my USERS table) where the paswords are kept?
    4. Also in this case, is it possible to provide several levels of access, ie all to managers, some to data enter people etc.
    We are new to Oracle and JDev so any help is appreciated. The more the better...
    Cheers!
    Rade

    Here is what I did and it does not work:
    I have 'login.uix' page with username and password entries:
    <form name="form0" method="post">
      <contents>
       <pageLayout>
        <pageButtons>
         <pageButtonBar>
          <contents>
           <submitButton text="Sign In" event="verifySignin"/>
           <submitButton text="Login" event="login"/>
          </contents>
         </pageButtonBar>
        </pageButtons>
       <contents>
      <tableLayout>
       <contents>
        <rowLayout>
         <contents>
          <messageTextInput name="username" prompt="Enter Name"/>
         </contents>
        </rowLayout>
        <rowLayout>
         <contents>
          <messageTextInput name="password" prompt="Enter Password" secret="true"/>
         </contents>
        </rowLayout>
       </contents>
       </tableLayout>
      </contents>
      </pageLayout>
    </contents>
    </form>
    ...Then in its Action class I have:
    public void onLogin(DataActionContext ctx)
        //ctx.getBindingContainer();
        HttpServletRequest r = ctx.getHttpServletRequest();
        String userName = r.getParameter("username");
        String password = r.getParameter("password");
        // username and password required
        if (userName.length()==0 || password.length()==0)
          ctx.setActionForward("loginFailed");
          return;
    try
          // Get handle to Application Module that "carries" Staff View
          DCDataControl dc = ctx.getBindingContext().findDataControl("AppModuleDataControl");
          ApplicationModule am = dc.getApplicationModule();
          // find the Staff view object that holds username and password
          ViewObject vo = am.findViewObject("StaffView1");
          //find user
          Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
          System.out.println(" I never get here!?!?!!!!!");
      catch (Exception ex)
          //Set Main Error Page here
          System.out.println(ex.toString());
          ctx.setActionForward("loginFailed");
          return;
    }Seems like Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
    is not properly executed?!?
    Anybody know what the problem is??? This is based on Frank's code sample that I found on forum.

  • Oracle 10g Reports Server - problem authenticating against DB

    I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
    When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
    REP-51018: Need database user authentication
    When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
    REP-51018: Need database user authentication
    REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
    When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
    Any ideas which config file I should be looking in?
    Any pointers would, of course, be much appreciated.
    thanks,
    Brian

    Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
    To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
    # nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
    passwd files compat
    # /etc/passwd (just add at the end of file)
    +:x:::::

  • External Authentication Against FND_USER Table

    About a month ago Paul Encarnation posted a question concerning external authentication. One to the methods being used was against the FND_USER table in Oracle Apps. I can see looking up the user account in FND_USER but what about the password? So if you are authenticating against the FND_USER table, please share how you are dealing with the password.
    Thanks.

    Hi,
    I have found the fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sue how I can integrate this.
    Sorry for being thick but this is what I'm trying to do.
    I have an application built in htmldb that I want to be accessable from the e-business suite applications main menu. I've set this up and a user can select it how ever I have no authentication so even though its not assigned to you you can still goto the app by just entering the url. So when a user goes to that htmldb app I want to check that they have that resp assigned to them, this can be done with the following
    select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
    where u.user_name = :APP_USER and u.user_id = ur.user_id
    and ur.responsibility_id = XXXX
    The two problems I have are:-
    If a user goings straight to the htmldb url I need to get them to log in and use the e-business suite login (we dont have SSO)
    Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
    I hope this makes sense.

  • Git authentication against proxies

    Hello there:
    Maybe this is not the right place to post this, but, maybe here more interested people will hear of it.
    My situation is this, i found myself behind a proxy trying to make git clone over http protocol, and i wasn't able to do it. My proxy use digest authentiction, and git software doesn't manage http proxy with auth, so i downloaded the code of git (course after i got tired of searching google) and start reading to patch it.
    After a few looks and some advice from my fellow developers i managed to do so, then i made a patch and i thougt about make a PKGBUILD and submit a package to aur, then after reading all the guidelines (aur guildelines, bug report guidelines) i decide the right thing to do was not to upload a package to aur.
    So i submitted the patch to the git's maintainers and now i'll posted here fpor someone else looking for it.
    --- git-1.6.6/http.c 2009-12-23 19:00:22.000000000 -0500
    +++ git-1.6.6/http.c 2010-01-19 11:59:17.000000000 -0500
    @@ -33,6 +33,10 @@
    static long curl_low_speed_time = -1;
    static int curl_ftp_no_epsv;
    static const char *curl_http_proxy;
    +static const char *curl_http_proxy_auth;
    +static const char *curl_http_proxy_user;
    +static const char *curl_http_proxy_pass;
    +
    static char *user_name, *user_pass;
    #if LIBCURL_VERSION_NUM >= 0x071700
    @@ -174,6 +178,15 @@
    if (!strcmp("http.proxy", var))
    return git_config_string(&curl_http_proxy, var, value);
    + if (!strcmp("http.proxy-auth", var))
    + return git_config_string(&curl_http_proxy_auth, var, value);
    +
    + if (!strcmp("http.proxy-user", var))
    + return git_config_string(&curl_http_proxy_user, var, value);
    +
    + if (!strcmp("http.proxy-pass", var))
    + return git_config_string(&curl_http_proxy_pass, var, value);
    +
    if (!strcmp("http.postbuffer", var)) {
    http_post_buffer = git_config_int(var, value);
    if (http_post_buffer < LARGE_PACKET_MAX)
    @@ -267,8 +280,32 @@
    curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
    if (curl_http_proxy)
    + {
    curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
    + if(curl_http_proxy_user && curl_http_proxy_pass)
    + {
    + char* c;
    + c = xstrdup(curl_http_proxy_user);
    + strcpy(c, curl_http_proxy_user);
    + strcat(c, ":");
    + strcat(c, curl_http_proxy_pass);
    + c[strlen(curl_http_proxy_user) + strlen(curl_http_proxy_pass) + 1] = 0;
    + curl_easy_setopt(result, CURLOPT_PROXYUSERPWD, c);
    + free(c);
    + }
    + if(curl_http_proxy_auth)
    + {
    + if(!strcmp(curl_http_proxy_auth, "digest"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
    + else if(!strcmp(curl_http_proxy_auth, "basic"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
    + else if(!strcmp(curl_http_proxy_auth, "ntlm"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
    + }
    +
    + }
    +
    return result;
    @@ -430,6 +467,21 @@
    curl_http_proxy = NULL;
    + if (curl_http_proxy_auth) {
    + free((void *)curl_http_proxy_auth);
    + curl_http_proxy_auth = NULL;
    + }
    +
    + if (curl_http_proxy_user) {
    + free((void *)curl_http_proxy_user);
    + curl_http_proxy_user = NULL;
    + }
    +
    + if (curl_http_proxy_pass) {
    + free((void *)curl_http_proxy_pass);
    + curl_http_proxy_pass = NULL;
    + }
    +
    if (ssl_cert_password != NULL) {
    memset(ssl_cert_password, 0, strlen(ssl_cert_password));
    free(ssl_cert_password);
    Any suggestion, would be appreciated.

    Ni Nicolaj,
    why? Because the security team is requesting this. If some went out of the office just for a coffee and leave his PC open everyone is able to connect to any system. If there is needed a re-authentication against LDAP this becomes secure and only an open session with one R/3 can be used.
    The re-authentication against LDAP because in this case the user has ONE password: windows password. No need to remember 20 passwords on 20 systems. And it is not possible to syncronize the password from LDAP to ABAP user store.
    So if the user is successful re-authenticated the portal will use the SAPLogonTicket.
    The question is how to implement this re-authentication for example the portal login itself?
    And yes, ITS with PAS is using LDAP - this we want to have also for the connection from the portal to R/3.
    Best regards,
    Michael

  • Authenticating against both RDBMS and LDAP in WL6.0

    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate via LDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked to be
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt

    We are currently deployed on WL5.1 with a similar situation as you and in
    the process of migrating to WL6. We are Authenticating against LDAP and
    Authorizing against RDBMS. But I can't see how you could tell it to go
    one way for certain users and another for other users.
    The delegatingrealm in WL5 was intended to split the responsibility of
    Authenticating to one source and Authorization to another. To make this
    work for your Application of splitting internal and external users
    security, I suppose you can do it if you can somehow pass the information
    to the Security Realm the type of the user that is logging in. Maybe you
    can make this code a part of the userid such as ext_uersID or int_userID.
    Doing this will allow you to filter the where the users are coming from
    and Direct them to the appropriate security realm.
    As far as WL6 goes, the Delegating realm class is no longer available
    since the security model for WL6 is different from WL5. But you can take
    a look at what they did with the RDBMSrealm example and use that. This is
    what we did to make our Security work in WL6. However, you can no longer
    store ACLs in the RDBMS realm in WL6.
    Hopes this helps.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    You will need to create a Custom Realm which delegates to both your RDBMS
    and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
    "Jonathan Thompson" <[email protected]> wrote in message
    news:3accf1a3$[email protected]..
    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate viaLDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked tobe
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    >
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt
    [att1.html]

  • Pass through authentication (function_)

    I wrote many functions before, but NEVER a function to pass through authentication
    Here are some of the specs
    In this example, an institution will be accepting tuition and fee payments against bills that are stored in the our system. In addition to the minimum ebill authentication parameters, the institution would like to pass us a full name to display when welcoming the user, control the users primary e-mail address, and restrict the payment method on a per user basis.
    URL     url     This will be issued to you by your project manager. It should be of the form https://pleasepay.com/schoolname/payer.do
    User Id     user_id     The unique identifier for the user within the institution. This is typically a student ID. (in our database)     
    Full Name     full_name     Users full name. Example “John Smith”. (in our database)
    Email Address     email     Primary email address.     in (our database)
    Payment Method     paymentMethod     Payment methods allowed for this user.
    Allowed values:
    “none” :no payments accepted
    “ach” :ach is the only accepted
    “cc” :credit cards only accepted
    “ach_cc” :credit card and ach      16
    Key     key     The shared key that is issued to you by your project manager.
    Time Zone     tz     The time zone you are located in. Valid values are:
    “E” :Eastern time zone
    “C” :Central time zone
    “M” :Mountain time zone
    “P” :Pacific time zone     1
    function get_payment_url_test(
            url         in varchar2,
            user_id     in varchar2,
            full_name   in varchar2,
            email       in varchar2,
            pay_method  in varchar2,
            key         in varchar2,
            tz          in varchar2
        ) return varchar2. Here is my questions: I know I need to have cursor to check on the user_id, full name, email (those values are store in our DATABASE. The URL and the key are giving to me. Do I have to hard code the url in the cursor and stored in a variable so I can check that the url coming in (url in varchar2) is equal to the url in my cursor? The same with the key?

    I saved the url the user_id and the full_name in a custom table, it is workinng, but I would like
    to pass a message like
    if user_id is null then
    raise_application_error(-20101, 'User ID is missing.');
    what is doing now if that it checks on the cursor and if any of the paramters if false
    it will return the first message in the --- return mesages that is fine the cursor is not retrieving any data, but I want to be more 'friendly' to the user, and if the user
    don't enter the id say something like null id or if is wrong wrong id, invalid id etc...
    wha
    function get_user_url(
            url         in varchar2,
            user_id     in varchar2,
            full_name   in varchar2,
            email       in varchar2,
            pay_method  in varchar2,
            key         in varchar2,
            tz          in varchar2
        ) return varchar2
        is
    Audit Trail:
    10/25/2010
    T
    Change History:
          timestamp  varchar2(20);
          v_pidm      saturn_midd.synelck.synelck_pidm%TYPE;
          v_user_id   saturn_midd.synelck.synelck_id%TYPE;
          v_full_name saturn_midd.synelck.synelck_name%TYPE;
          v_email     saturn_midd.synelck.synelck_email%TYPE;
          v_url       saturn_midd.synelck.synelck_email%TYPE;
          v_key       saturn_midd.synelck.synelck_key%TYPE;
          v_pay_method  varchar2(6);
        /* this table saturn_midd.synelck is inserted with all the students (with bills),
        the url and the key, in the way the function is going to validate the url, the id
        and the key against the values in the table*/
        CURSOR pass_the_test_cur is   
        SELECT
        synelck_pidm,
        synelck_id,
        synelck_name,
        synelck_email,
        synelck_url,
        synelck_key
        from
        saturn_midd.synelck
        where
        synelck_url = url
        and synelck_id = user_id
        and synelck_key = key 
        AND SUBSTR(synelck_name,1,120) = full_name;
         BEGIN
          IF pass_the_test_cur%ISOPEN
          THEN
              CLOSE pass_the_test_cur;
          END IF;
            OPEN pass_the_test_cur;
                 FETCH pass_the_test_cur
                       INTO v_pidm,v_user_id,v_full_name,v_email,v_url,v_key; 
            if pay_method = 'none' then v_pay_method := 'none';
              elsif
                pay_method = 'ach' then v_pay_method := 'ach' ; 
              elsif
                 pay_method = 'cc' then v_pay_method := 'cc';
              elsif           
                  pay_method = 'ach_cc' then v_pay_method := 'ach_cc' ;
           end if;      
              timestamp := get_epoch_timestamp(CURRENT_TIMESTAMP);
            If (v_url is not null and v_user_id is not null and v_key is not null
                and v_full_name is not null and v_key is not null
                and v_email is not null and v_pay_method is not null)  
            then     
                 return url || '?userId=' || escape(v_user_id, TRUE, character_set) ||
                '&' || 'fullName=' || escape(v_full_name, TRUE, character_set) ||
                '&' || 'email=' || escape(v_email, TRUE, character_set) ||
                '&' || 'paymentMethod=' || escape(v_pay_method, TRUE, character_set) ||
                '&' || 'timestamp=' || timestamp ||
                '&' || 'hash=' || get_md5_hash_value(v_user_id || v_full_name || v_email || v_pay_method || timestamp || v_key);
            end if;   
            --- return mesages     
           if v_url is null then
                raise_application_error(-20101, 'Inalid log on chek: Id .');
            end if;
            if v_user_id is null then
                raise_application_error(-20101, 'User ID is missing.');
            end if;
            if key is null then
                raise_application_error(-20101, 'Key is missing.');
            end if;
            if v_full_name is null then
                raise_application_error(-20101, 'Name is missing.');
            end if;
            if v_email is null then
                raise_application_error(-20101, 'eMail address is missing.');
            end if;
            if v_pay_method is null then
                raise_application_error(-20101, 'Payment method is missing.');
            end if;
        end l;Edited by: peace4all on Oct 26, 2010 7:13 AM

  • I would like to connect my Apple TV to my receiver using an HDMI cable and pass thru dolby digital. I do not have optical inputs on my receiver.

    I want to connect my Apple TV to my receiver using an HDMI cable. This should allow me to pass thru high definition video and simultaneously decode Dolby Digital material with an HDMI connection from my receiver to my TV without the use of an optical cable (my receiver does not have an optical input). I am unable to decode 5.1 material and don't understand why this is not working. In the audio setting I have Dolby Digital output turned on.

    Welcome to the Apple Community.
    Are you sure the content you are playing has Dolby Digital.

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pamckconnector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • How can I tell if a user has already authenticated against AD?

    Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
    We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
    This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
    Any tips would be very welcome,
    Mark

    You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
    There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
    at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
    Good luck.

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

Maybe you are looking for

  • Two mobileme accounts on one ipod

    Hi all, what I'm going to ask got an airing here : http://discussions.apple.com/thread.jspa?threadID=2620155&tstart=0 but that was iPad, not iPod. I want to use 2 mobileme accounts on the same iPod. One's mine, the other is my spouse's, which is a -

  • Alternative to f:verbatim to use custom DIV classes?

    I have some pages with panelCustomizable facets containing simple HTML like so: <f:verbatim> <div class="tableClass"> <table cellpadding="0" cellspacing="0"> <tr> <td colspan="2"><h2>TABLE TITLE</h2></td> </tr> </f:verbatim> At runtime, in "*Edit mod

  • How to compress and decompress a pdf file in java

    I have a PDF file , what i want to do is I need a lossless compression technique to compress and decompress that file, Please help me to do so, I am always worried about this topic

  • Allowing Default Values OR typed values in a SSRS Report Parameter

    Hello, I'm able to set a parameter while designing a SSRS report to use a list of values or I can chose to specify no values.  In the latter scenario when actually running the report the value can be typed instead of selected. What seems impossible i

  • Launch Services error (-10810)

    Hello everyone. I am a network admin that switched from 12 years of PC's to Macs. So far, so good, except for this problem. In the last few weeks, I have been getting a -10810 error when I try to launch a program. My mac also seems to be dragging a l