Policy Studio to LDAP Repository with WSS Password Digest for Authn

Similar Messages

• LDAP authentication with MD5 passwords

  Hi,
  in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
  I know it is to be done with {crypt} storage scheme.
  This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
  Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
  Thanks in advance,
  Kristof

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• Site Studio Publishing Utility fails with  HTTP rsponse 403 for URL

  Just installed Publisher with Subscription Client. The two pieces seem to work together until I start a replication. Then I get the following a number of times and it stops.
  [1]IOException: Server returned HTTP response code: 403 for URL: http://localhost:9180/MTKRSite/groups/public/documents/web_content/002310.htm http://localhost:9180/MTKRSite/groups/public/documents/web_content/002310.htm
  It the Publisher is trying to get content item 002310 there isn't one there.
  In the Publisher directory offers I see the web site but no content.
  I am really confused because I cannot figure out why it would try to get content 002310.
  Thanks for any help.
  Art

  The problem is now solved. For those that are using the product here is a hint of where to look.
  In the Oracle Site Studio Publishing Utility\offers\31 directory there is a file urlmap.txt. urlmap.txt has all the URL's that are going to be retrieved. If the publishing utility cannot get a file then look into this file and see why it is trying to retrieve it. If necessary a filterset that excludes the missing file can be coded in the sitestudo.config file.

• FTP for Guest with no password asks for password

  Greetings,
  I have File Sharing turned on and FTP on, and Guest login and sharing on in Accounts.
  When I enter ftp:// and my IP in a browser, I get prompted for a User Name and Password. I enter Guest and no password, and it says Password Required, but there is no password.
  How do I connect as Guest?
  Thanks

  what is your router model number?
  so all this time you never set a password for your wireless network? @_@

• How to ZIP a PDF File with a Password Protection

  Hi,
  i've a pdf file with created smartforms and i want to assign a password to that pdf file but the SAP doesn't let doing that protection. So i want to create a zip file with a password protection for PDF file.
  How can i create a zip file with a password protection? Can somebody help me please?
  Thanks.

  Hello,
  Check this links
  Take a look to the class CL_ABAP_GZIP
  open (top-)zip-archive
  CALL METHOD lo_zip->load
      EXPORTING
        zip             = lv_zip_file_head
      EXCEPTIONS
        zip_parse_error = 1
        OTHERS          = 2.
  create sub-zip-archives which contain the files you would assign to a folder
  add sub-zip-archive to top-zip-archive
  CALL METHOD lo_zip->add
       EXPORTING
          name    = lv_zip_filename
          content = lv_zip_file.
  save zip-archive
  CALL METHOD lo_zip->save
      RECEIVING
        zip = ev_zip_file.
  ABAP Development
  How to ZIP a PDF file email attachment
  Re: How to ZIP a PDF file email attachment

• How to retrieve all the users along with their password from LDAP

  Hello,
  Can anyone let me know how to retrieve and list all the user along with their password from LDAP.
  Thanks

  Hi Prashant,
  I have limited experience with Synchronization, but I agree with you - if you need to synchronize Passwords, you need to have the Password in clear Text.
  If you trying to build your own Synchronization Solution using any of the avaliable LDAP APIs, I don't think you can ever retrieve a user's Password in clear text.
  However, I did come across an interesting article & I hope you find it useful :-
  http://www.oracle.com/technology/obe/obe_as_10g/im/configssl/configssl.htm
  I am not sure if SSL is necessary - If you have a look at Metalink Note 277382.1 ( How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD) ), teh question asked by oidspadi.sh for the same is asnwered as "N".
  Regards,
  Sandeep

• Replacing Certificates of Solaris Studio IPS Repository with New Ones

  Hi Steve,
  When I accessed the IPS Package Repository just now at https://pkg-register.oracle.com/, I did not see the solarisstudio repository. Before the website revamp, I was still able to access the Installation Instructions for Key and Certificates needed to set up Solaris Studio IPS Repository (I have previously requested access to solarisstudio IPS Repository). My SSL Certificate for solarisstudio will expire in less than 1 month's time.
  Hence, I have some questions:
  1. How can I re-install the new certificates for solarisstudio IPS Repository to replace the old ones?
  2. Will the upcoming version 12.4 be made available in the solarisstudio IPS Repository? Will patches be supported for Solaris Studio packages installed via IPS Repository?
  Regards,
  Brian

  Hi Darryl Gove,
  My current view at https://pkg-register.oracle.com/ does not have Oracle Solaris Studio (see screenshot below), which is strange considering that I have already requested access to Oracle Solaris Studio IPS Repository from the same website before. Right now, I can only see Oracle Solaris Cluster 4 Repository. The Certificate only shows my renewed certificate and from there, I only have the Download Key and Download Certificate buttons. Could you help me to check on this issue? Thanks.
  Regards,
  Brian

• Solaris 10 openldap authentication with md5 passwords

  Hello to everyone,
  We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
  We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
  The error messages when trying to 'su -' to the ldap user are:
  Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4and for ssh:
  Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
  Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
  Please feel free to ask for any other configuration file:
  */etc/pam.conf*
  login   auth requisite        pam_authtok_get.so.1
  login   auth required         pam_dhkeys.so.1
  login   auth required         pam_unix_cred.so.1
  login   auth required         pam_dial_auth.so.1
  login   auth sufficient       pam_unix_auth.so.1  server_policy debug
  login   auth required           /usr/lib/security/pam_ldap.so.1 debug
  rlogin auth sufficient       pam_rhosts_auth.so.1
  rlogin auth requisite        pam_authtok_get.so.1
  rlogin auth required         pam_dhkeys.so.1
  rlogin auth required         pam_unix_cred.so.1
  rlogin  auth required          pam_unix_auth.so.1 use_first_pass
  rsh    auth sufficient       pam_rhosts_auth.so.1
  rsh    auth required         pam_unix_cred.so.1
  rsh    auth required         pam_unix_auth.so.1
  ppp     auth requisite        pam_authtok_get.so.1
  ppp     auth required         pam_dhkeys.so.1
  ppp     auth required         pam_dial_auth.so.1
  ppp     auth sufficient       pam_unix_auth.so.1 server_policy
  other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
  other   auth required           pam_unix_auth.so.1 use_first_pass debug
  passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
  passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
  cron    account required      pam_unix_account.so.1
  other   account requisite     pam_roles.so.1
  other   account sufficient       pam_unix_account.so.1 server_policy
  other   account required        /usr/lib/security/pam_ldap.so.1 debug
  other   session required      pam_unix_session.so.1
  other   password required     pam_dhkeys.so.1
  other   password requisite    pam_authtok_get.so.1
  other   password requisite    pam_authtok_check.so.1
  other   password required     pam_authtok_store.so.1 server_policy*/etc/ldap.conf*
  base ou=users,ou=Example,dc=staff,dc=example
  ldap_version 3
  scope sub
  pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
  pam_member_attribute memberUid
  nss_map_attribute uid displayName
  nss_map_attribute cn sn
  pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
  uri ldap://ldapserver01/
  ssl no
  bind_timelimit 1
  bind_policy soft
  timelimit 10
  nss_reconnect_tries 3
  host klnsds01
  nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
  pam_password md5*/etc/nsswitch.conf*
  passwd:     files ldap
  group:      files ldap
  hosts:      files dns
  ipnodes:   files dns
  networks:   files
  protocols:  files
  rpc:        files
  ethers:     files
  netmasks:   files
  bootparams: files
  publickey:  files
  netgroup:   files
  automount:  files
  aliases:    files
  services:   files
  printers:       user files
  auth_attr:  files
  prof_attr:  files
  project:    files
  tnrhtp:     files
  tnrhdb:     files*/etc/security/policy.conf*
  AUTHS_GRANTED=solaris.device.cdrw
  PROFS_GRANTED=Basic Solaris User
  CRYPT_ALGORITHMS_DEPRECATE=__unix__
  LOCK_AFTER_RETRIES=YES
  CRYPT_ALGORITHMS_ALLOW=1,2a,md5
  CRYPT_DEFAULT=1Thanks in advance for any response...!!

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• Setting up LDAP realm with WLI 7

  Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7

  Pramit Basu <[email protected]> wrote:
  Any pointer to Step by step instruction on to how to set up LDAP realm
  for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
  1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
  First, please backup your original config.xml file. Then, you can start configure
  the realms. You can do this by modifying the config.xml file, or through WLS console.
  After you have done this, your config.xml file should contain the following:
  <LDAPRealm AuthProtocol="none"
  Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
  GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
  GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://jpengdesk:389"
  Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
  UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
  UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
  --- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
  values are correct according to the groups and users stored on your LDAP server.
  In my example here, "beasys.com" is my root entry, and I have all the users created
  underneath of OU "People", and I have all the groups created in OU "Groups".
  <CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
  Realm"/>
  --- You can do this in console by clicking on "Caching Realms", then click on
  the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
  select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
  <Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
  --- you can do this in console by clicking on "Compatibility Security", then click
  on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
  from the pull down comb box.
  Please make sure all the names are related. See above example, the value in blue
  color should match, and the value in red color should match too.
  Please see the attached config.xml file for reference.
  2) Create the users in LDAP server. In my example, I simply created 3 users underneath
  of OU &#8220;People&#8221;, they are:
  weblogic
  wlisystem
  admin
  &#8220;weblogic&#8221; is the user I used as my system administrator user, which
  I used to boot my WLS server and access my WLS console.
  &#8220;wlisystem&#8221; and &#8220;admin&#8221; are the users created for WLI
  component.
  3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
  all these groups underneath of OU &#8220;Groups&#8221;. These groups are:
  ConfigureComponents
  Administrators
  wlpiUsers
  MonitorInstance
  ExecuteTemplate
  CreateTemplate
  UpdateTemplate
  DeleteTemplate
  AdminsterUser
  ConfigureSystem
  wlpiAdministrators
  Also, add the users created in step 2 into all of these groups.
  4) Clean up the fileRealm.properties file.
  Backup your original fileRealm.properties file. Then, remove all the entries starting
  with &#8220;user.xxx&#8221; and &#8220;group.xxx&#8221;, only leave those entries
  starting with &#8220;acl.xxx&#8221;.
  Please see the attached &#8220;fileRealm.properties&#8221; file for reference.
  5) Restart your WLI server. Verify the users and groups you defined in LDAP server
  are displayed in WLS console correctly. You can see the user and group information
  in &#8220;Compatibility Security&#8221; à &#8220;Users&#8221;, and &#8220;Compatibility
  Security&#8221; à &#8220;Groups&#8221; respectively.
  6) Start your studio to design a simple Workflow. When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  7) Start your Worklist to execute the workflow. Also, When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  Once you execute the workflow, you can verify that workflow instance in Studio.
  You can monitor the instance, and delete the instance.

• Problem with username/password using SQLAuthenticator

  I want to setup SQLAuthenticator but authentication is refused because wrong username/password.
  I am using JDev Studio Edition Version 11.1.2.1.0 with integrated WLS.
  As a base I take this two URLs:
  http://weblogic-wonders.com/weblogic/2010/03/11/configuring-sql-authenticator-with-weblogic-server/ and
  http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html
  1. I create db tables (default table names for SQLAuthenticator), but don't fill users and groups - OK
  2. In WLS I create new SQLAuthenticator Authentication provider inside deafult realm myrealm - OK
  3. I put this provider to the top among all three providers
  4. In JDev I configure ADF Security - define Enterprise Roles to matching to the names in GROUPS table of SQLAuthenticator - ??
  5. I Define Application users and roles and setup Resource grants
  6. I run my application
  7. In database tables USERS, GROUPMEMBERS, GROUPS I can see users and roles from Jdev, that means, at deploy time, this tables are filled too
  8. In WLS I can see Users and Groups under myrealm which are transfered at deploy time and mirrors USERS, GROUPMEMBERS, GROUPS
  9. In USERS table I can see password is encripted by {SHA-1}
  But when try to login I am always rejected with "Invalid username or password".
  Before setting up SQLAuthenticator (only default options) the logins were successful, so application shold be OK.
  I try also with Plaintext Passwords Enabled and put into USERS table unencripted password, but without success.
  I can confirm that SQLAuthenticator mechanism actually get password from USERS table. I replaced default SQL for getting password from
  SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?
  to
  select get_pwd(?) as U_PASSWORD from dual. In my get_pwd PL/SQL function I perform logging in I can see that this function was called.
  So the problem is in WLS when comparing passwords.
  Any suggestions, where to start digging?
  Ragards,
  Sašo
  Edited by: Sašo C. on 5.10.2011 7:26
  Edited by: Sašo C. on 5.10.2011 7:32

  The problem is solved! Crucial was hint from http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html:
  The Control Flag for my new SQLAuthenticator Authentication provider must be changed from Optional to Sufficient AND
  the Control Flag for existing DefaultAuthenticator must be changed from Required to Sufficient!
  It seems that before SQLAuthenticator took password from USERS table, but didn't use it in the authentication process.
  Regards,
  Sašo

• HT4864 problems with iCloud mail server on the mail, but it does not fix it when I put the password in, keeps asking me for password. When I go into iCloud to access it from safari, it accesses the icloud fine with my password. I have reset all the settin

  I am running os x 10.7.5, on a macbk, I have been using all the apps fine and not changed anything or run any software updates, suddenly my mail dows not think it can connect with the outgoing server for icloud and requests my password, which I give, but it repeatedly asks again and again. I have tried re-setting all the mail for icloud up again, and it thinks its ok, except the box keeps flagging up can't access outgoing server. I have checked it all a number of times, and I can access the icloud stuff including mail from http when I log in there. Anyone know why my mac will not accept my icloud password? suddenly I cannot get any icloud mail in or out, but I changed nothing. Why does it do this and why can't i fix it?

  No carrier "automatically" unlocks at end of contract - many won't do it at all, even if requested.  I don't know what your carrier's policy is since you didn't say what country you're in.
  However, if I understand you correctly, you didn't change carriers so it doesn't matter if it was unlocked or not. Try the following steps, as needed:
  1. Reset phone - press both home and sleep/wake buttons for at least 19 seconds until the Apple logo appears
  2. Settings > General > Reset > Reset Network Settings
  3. Restore phone in iTunes using a backup
  4. Replace SIM card (don't care what Telstra says)
  5. Restore phone in iTunes as new, without using a backup
  6. Take phone to Apple.

• How to force password policy requirements on password resets for user accounts reset by the Administrator?

  OS: Windows Server 2008 R2 Enterprise
  Domain Level: 2008
  Forest Level: 2000
  We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced follow our default domain password policy. For example, I log on the domain controller, as an administrator
  and can reset a password for a user account to be blank. 
  Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins? 

  Do you have fine grant password policy? If not ; by default all the usrs are effected by domain level password policy even domain admins,
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• SQL LOGIN with weak password

  I need to create a SQL LOGIN with weak password.
  Is there a way to change the password policy or bypass for a specific LOGIN ?
  I've tried this:

  Is there a way to change the password policy or bypass for a specific LOGIN ?
  SQL Azure doesn't allow the CHECK_POLCY clause.  See
  https://msdn.microsoft.com/en-us/library/ms189751.aspx
  Why would you want to create a weak password?  I think the CHECK_POLICY option is intended only for legacy applications.
  Dan Guzman, SQL Server MVP, http://www.dbdelta.com

• How to consume Web Service with Password digest from PLSQL

  We have Oracle 10g (10.2.0.3.0) 64 bit. We have a situation where we need to consume web service whose security header looks like as follow,
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-50">
  <wsse:Username>weblogic</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">d2enK45chjBPVvvukbYU6OX56kI=</wsse:Password>
  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YAhEtLJfp4lzycLd3hZYjQ==</wsse:Nonce>
  <wsu:Created>2013-01-22T06:28:38.897Z</wsu:Created>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>
  Here we need passowrd digest, Nonce and Timestamp.
  How to create password digest from PLSQL? or if any other alternatives available please response soon.

  I do not see why it will not be possible to do digest authentication with a web server using PL/SQL.
  As for the digest password - the web server supplies a token (a nonce) which you need to use for creating the hashed authentication token (the digest password). The URL I posted explains this authentication process.
  As for the technical how-to in PL/SQL - as I mentioned, never had to do this (only dealt with Basic and NTLM authentication thus far). But as other auth methods (such as Microsoft's NTLM) can be implemented, I do not see why digest authentication could not.
  Suggest you spend some time googling for technical articles/sample code on the subject - and try to find specific PL/SQL related sample code too.

• Securing a BPEL Process with username/password in 10g

  securing a BPEL Process with username/password in 10g

  use OWSM gateways..
  create a gateway and define your policy in the gateway