Profile Manager - webauthd LDAP authentication

Similar Messages

• Custom ldap authenticator to retrieve user bean ldap profile

  Hi,
  Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
  This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
  Any input on this ?
  Thank you

  Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

• Use Profile Manager to configure 802.1x authentication to Active Directory

  I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
  If I configure the profile to for WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network
  If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
  Here's my problem:
  I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
  Any thoughts?
  Thanks!!!!

  I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager.  If I can't get this to work I'm going to try SCEP and certificate authentication.

• LDAP Authentication Failed :user is not a member in any of the mapped group

  Hi,
  I tried to set up the LDAP Authentication but I failed.
  LDAP Server Configuration Summary seems to be well filled.
  I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
  But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
  LDAP Hosts: ldapserverip:389
  LDAP Server Type: Custom
  Base LDAP Distinguished Name: dc=vds,dc=enterprise
  LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
  LDAP Referral Distinguished Name:
  Maximum Referral Hops: 0
  SSL Type: Basic (no SSL)
  Single Sign On Type: None
  CMS Log :
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
  trace message: LDAP: De-activating query cache
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: Updating the graph
  trace message: LDAP: Starting Graph Update...
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
  , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 0
  trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
  trace message: [UID=0;USID=0;ID=79243] Update object in database failed
  trace message: Commit failed.+
  Can you please help?
  Joffrey

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• Why we use the LDAP Authentication over the DB authentication?

  Hi All,
  Why we use the LDAP Authentication over the DB authentication?
  Any specific region is for that?
  When we use LDAP do we need DB authentication again or it will be optional?
  In same case in ADSI do the DB authentication is optional or compulsory .
  Thanks in advance
  Tusar

  LDAP / AD authentication is useful if you already use it in your organisation and you'll find that most orgs have some form of user authentication already in place.
  Do users in your company have to log into to their machines every morning? If so, why not use those credentials to control access to Siebel? It's a way of providing a single directory of employee authentication information available across applications, keeping maintenance and change costs down.
  When you use LDAP authentication, you specify an AD object that contains a set of DB authentication details so that the component can access the Siebel database. In Siebel 8, you can directly specify those details in the security profile. As such, you only then have to maintain a single set of DB specific authentication details: much easier to manage. You can always switch back to DB authentication if you want to, but you'd have to go through all users accounts and create them with the same login and password specified in AD.

• IPSEC VPN Settings via Profile Manager

  It is not possible to set the following lines via GUI in Apples ProfileManager or via Apple Configurator in the IPSec section:
  <key>XAuthPassword</key>
  <string>myVPNuserPassword</string>
  You can set the lines via GUI in the old iPhone Configuration Program on Windows.
  If you can't set the "XAuthPassword", you have to type in the password every time you want to establish the VPN.
  We use certificates for device authentication.
  Anyone a solution ?
  greetings
  robin

  klatuu wrote:
  It is not possible to set the following lines via GUI in Apples ProfileManager or via Apple Configurator in the IPSec section:
  <key>XAuthPassword</key>
  <string>myVPNuserPassword</string>
  You can set the lines via GUI in the old iPhone Configuration Program on Windows.
  If you can't set the "XAuthPassword", you have to type in the password every time you want to establish the VPN.
  We use certificates for device authentication.
  Anyone a solution ?
  greetings
  robin
  Yes, there are two possible solutions.
  1. As per my article here http://jelockwood.blogspot.co.uk/2014/03/how-to-do-vpn-on-demand-for-ios-at-zero .html you would use a StrongSwan VPN server and as per my article use the xauth-noauth plugin to prevent it asking for a username and password, it will then only use the client certificate for device authentication.
  2. You can use the two keys listed above but you will have to manually edit the mobileconfig file and add them. Therefore you cannot use Profile Manager or Apple Configurator. For this I used iPhone Configuration Utility to create the initial mobileconfig file, and then I used TextWrangler to add the two keys. With a manually produced mobileconfig file I do not believe there is anyway to send it via Profile Manager but you can either email it to the device or make it available via a web server. Other MDM solutions than Profile Manager do allow pushing uploaded mobileconfig files, I used Meraki Systems Manager and pushed my hand edited mobileconfig files 'over the air' to the devices.
  It should be noted that if you are authenticating usernames and password against a directory server e.g. Active-Directory, Open Directory or LDAP, then if you enforce password ageing and changes you are going to have to hand edit and resend an updated mobileconfig file with the new password in it. This is why I chose option 1 above for my own situation. It is in theory less secure as it only uses a single basis for authentication - the certificate but I felt this an acceptable trade-off.

• SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

  One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
  Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
  I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
  In the Membership provider name text box I entered "LdapMember"
  In the Role provider name  text box I entered "LdapRole"
  In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="((ObjectClass=group)"
  userFilter="((ObjectClass=person)"
  scope="Subtree" />
  </providers>
  </roleManager>
  I modified the SecurityTokenServiceApplication web.config with these details
  <system.web>
  <membership>
  <providers>
  <add name="LdapMemebr"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true">
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  </system.web>
  I modified the web.config of the test application I created with these details
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
  <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="dn"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  <membership defaultProvider="i">
  <providers>
  <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  useDNAttribute="true"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
  The server could not sign you in. Make sure your user name and password are correct, and then try again.
  I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
  8306 - SharePoint Foundation - The security token username and password could not be validated.
  in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
  then this:
  Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
  at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
  I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
  The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
  The LDAP server tells the SharePoint server it is ready to communicate
  the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
  The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
  The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
  The SharePoint server acknowledges the connection is closing
  ... and then nothing happens, except the error on SharePoint
  What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
  specified in the web.config). That part does not seem to be happening.
  I am at a standstill on this and any help would be greatly appreciated.

  OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
  is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
  for enabling Forms Based Authentication:
  "ASP.NET Membership provider name"
  "ASP.NET Role manager name"
  We entered a name for Membership provider, and left Role manager blank.
  In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword="validpassword"
  useDNAttribute="false"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager>
  <providers>
  </providers>
  </roleManager>
  useDNAttribute="false" turned out to be important as well.
  So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
  leave anything related to the role provider blank
  configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
  Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
  Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
  a non-existent role manager.

• Lion Server Profile Manager Configuration

  Hi Guys,
  Currently have been testing Lion Server and Profile Manager Configuration.
  So Far Have setup
  Lion with Server App and Server Admin Tools
  Configured Open Directory Master and enabled SSL on LDAP
  Once Configured OD has created a CA Certificate can use for Profile Manager
  Have Enabled in Server.app Web and Profile manager
  In SSL Certificate Configuration have set CA Certificate for Web and Enabled Apple push notifications with my apple ID
  In Profile Manager Enabled Device Management and Enabled Sign configuration profiles and selected CA Open Directory Certificate Created when setting up OD Master.
  On Server Originally could install Trust Profile OK and Enroll Server OK with no issues, but on any other 10.7 Devices could install Trust Profile OK but would always say unsigned and Enroll would never work or just hang.
  Now Since Played around with settings on 10.7 Server can no longer enroll but trust OK.
  Questions have is
  For SSL and Profile Manager to work properly as well as Certificates do you require to purchase a proper SSL Certificate or can we use the OD Master Certificate that gets created. All we are testing is on the Local LAN so don't want to get a SSL certificate from the internet.
  Also why cannot 10.7 clients trust profile and enroll Devices Properly? How do I get this working properly?
  Any ideas?
  Regards,
  Shane

  taubmas wrote:
  Not sure if its that as finally got Lion Server working on a VM setup so network shouldn't be an issue...
  Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
  any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
  Shane
  Did you get this to work in an ESXI envrionment? If so, which version are you running?

• Access Mac Mini Server (profile management) through reverse proxy

  Hi,
  Newbie in Mac's world and yet trying to make it more complicated as it is.
  As we recently (last month) decided to equip our sales force with iPads, they were configured through Apple Configurator tool running on a dedicated Mac Mini Mountain Lion.
  Now, I'd be keen in moving this configuration to the Profile Manager, part of the OSx Server plugin. So far so good.
  Problem is the following : another web server is already on the LAN using both 80 and 443 ports. So all incoming traffic on those ports was routed to this other server. As Mac Mini Server default http/s ports may not be altered, I installed a reverse proxy server (Oracle VM - Ubuntu 12.04LTS - pound), configured to deal differently traffic on those ports according to the domain name (host) of the web request (header). Each 'local' server has been allocated a domain name. Just to be clear, traffic is now routed by the WAN/LAN router, for those ports, towards the reverse proxy, configured to reroute the traffic to the correct destination.
  So far so good, it works like a charm, except... as soon as we enter https protocol on Mac Mini Server Profile Manager.
  Access from an iDevice to the Mac Mini Server Profile Manager login page is fine, but as soon as password is confirmed, safari is pending and finally a message 'An internal serer error occured. Please try later again' appears.
  Looking to both reverse proxy system log and Mac Mini profilemanager.log files to trace the problem, the following lines are produced at this particular moment :
  reverse proxy system.log
  Jan 15 14:44:03 reverseproxy pound: 91.... GET /devicemanagement/console/apple_theme_v2/en/da56af0a69e733b259dac3991419fa928b4 94a56/resources/images/sprites/me_controls.png HTTP/1.1 - HTTP/1.1 200 OK
  Jan 15 14:44:03 reverseproxy pound: 91.... GET /auth?redirect=http://osxsrv.fiks.net/devicemanagement/api/authentication/callback HTTP/1.1 - HTTP/1.1 302 Moved Temporarily
  Jan 15 14:44:04 reverseproxy pound: 91.... GET /devicemanagement/api/authentication/callback?auth_token=336952DE-BDDE-4390-82F 7-8475B79FB2D3 HTTP/1.1 - HTTP/1.1 302 Moved Temporarily
  Jan 15 14:44:04 reverseproxy pound: (b7680b40) e500 can't read header
  Jan 15 14:44:04 reverseproxy pound: (b7680b40) e500 response error read from 192.168....:443/GET /profilemanager/ HTTP/1.1: Success (0.007 secs)
  Jan 15 14:44:08 reverseproxy pound: 91.... POST /devicemanagement/api/magic/get_updated HTTP/1.1 - HTTP/1.1 200 OK
  OSx Server profilemanager.log
  Jan 15 14:44:05 osxsrv ProfileManager[1748] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:05) [POST]Jan 15 14:44:05 osxsrv ProfileManager[1749] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:05) [POST]
  Jan 15 14:44:06 osxsrv ProfileManager[1748] <Info>: Completed in 492ms (View: 0, DB: 6) | 200 OK [http://osxsrv.../magic/do_magic]
  Jan 15 14:44:06 osxsrv ProfileManager[1749] <Info>: Completed in 687ms (View: 0, DB: 5) | 200 OK [http://osxsrv..../magic/do_magic]
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: auth_token doesn't exist
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
  Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: auth_token doesn't exist
  Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  Jan 15 14:44:07 osxsrv ProfileManager[1751] <Info>: Completed in 4ms (View: 1, DB: 14) | 403 Forbidden [http://osxsrv..../magic/do_magic]
  Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
  Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: auth_token doesn't exist
  Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  Jan 15 14:44:07 osxsrv ProfileManager[1748] <Info>: Completed in 45ms (View: 1, DB: 43) | 403 Forbidden [http://osxsrv..../magic/do_magic]
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Processing MagicController#do_magic (for 91.... at 2013-01-15 14:44:07) [POST]
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: auth_token doesn't exist
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  Jan 15 14:44:07 osxsrv ProfileManager[1750] <Info>: Completed in 55ms (View: 0, DB: 1) | 403 Forbidden [http://osxsrv..../magic/do_magic]
  Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Processing AuthenticationController#callback (for 91.... at 2013-01-15 14:44:08) [GET]
  Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Redirected to https://osxsrv..../profilemanager/
  Jan 15 14:44:08 osxsrv ProfileManager[1749] <Info>: Completed in 149ms (DB: 5) | 302 Found [http://osxsrv..../authentication/callback?auth_token=[FILTERED]]
  I guess the '302 Found' is causing or explaining the problem.
  I agree this might not be a Mac issue, so I still knock your doors hoping some of you could at least give a hint for what to search for !
  If the pound configuration file is of interest, just ask, but this is pretty trivial, saying basically listen these protocols (http/https) on these ports (80/443) and according to Header content (check destination host) and reroute packet to LAN device (with given LAN IP address).
  As the default port(s) of the Mac Mini Web Services may not be altered (so far I know), I guess I am stuck using 80 and 443 anyway.
  Maybe should I invest time in changing my other apache server ports to some more exotic 8080 or 88 or whatever so Mac Mini Server Profile Manager default ports 80 and 443 are maintained and can be easily and directly rerouted to my Mac server without any reverse proxy along the way.
  Thanks in advance for your help
  Alx

  HI All,
  i'm also using reverse proxy technique to publish my server to the internet. The ip is used by twice domains. The problem is by using the profile manager
  after login it redirects the url to the Local Area network addresse instead to the domain.
  How to configure this on OS X Server and the Profile Manager Service?
  Kind Regards
  Oemer

• Mac Mini Server won't load Profile Manager

  My Mac Mini Server has stopped loading Profile Manager in a web browser, and gives me the following message:
  Caught exception "Connection to DB failed" [CSDatabaseError] executing route /auth/?redirect=https://stormforce.no-ip.biz/devicemanagement/api/authentication/callback:
  0 CoreFoundation 0x00007fff8f42d25c __exceptionPreprocess + 172
  1 libobjc.A.dylib 0x00007fff8f5b5e75 objc_exception_throw + 43
  2 CSService 0x0000000101f549bd -[CSConnectionPool openConnection] + 3309
  3 CSService 0x0000000101f5538a -[CSConnectionPool currentConnection] + 98
  4 CSService 0x0000000101fe313c -[CSAuthService _sessionForField:value:] + 96
  5 CSService 0x0000000101fd4bff +[CSHTTPRouteHelper setCurrentSessionForRequest:] + 150
  6 CSService 0x0000000101fdec09 __21-[CSAuthService init]_block_invoke + 367
  7 CSService 0x0000000101fd081a __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 95
  8 CSService 0x0000000101fd3d6c -[CSHTTPBackgroundResponse bounce:] + 286
  9 Foundation 0x00007fff8fa0e76b __NSThread__main__ + 1318
  10 libsystem_pthread.dylib 0x00007fff8d749899 _pthread_body + 138
  11 libsystem_pthread.dylib 0x00007fff8d74972a _pthread_struct_init + 0
  12 libsystem_pthread.dylib 0x00007fff8d74dfc9 thread_start + 13
  Anyone got any ideas how I fix this? My current plan is to try and re-install server.app, but I thought I'd post this to see if anyone had any ideas.

  I'm still trying to trace this fault - if anyone has any ideas they'd be much appreciated.

• ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

  I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
  During the installation I got the following error.
  ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
  Fatal Slapd did not add Directory server information to config Server.
  Warning slapd could'nt populate with ldif file Yes error code 151.
  ERROR:Failure installing iPlanet Directory Server.
  Do you want to continue: ( I entered yes )
  Configuring Administration Server Segmentation fault core dumped.
  Error: Failure installing Netscape Administration Server.
  Do you want to continue:( I responded with yes).
  And during the Extraction I got the following
  ERROR:mple_bind: Can't connect to the LDAP server - No route to host
  ERROR: Unable to connect to LDAP Directory Server
  Hostname: hostname
  Port: 389
  User: cn=Directory Manager
  Password: <password-for-cn=Directory Manager
  Please make sure this Directory Server is currently running.
  You might need to run 'stop-slapd' and then
  'start-slapd' in the Directory Server home directory, in order to restart
  LDAP. When finished, press ENTER to continue, or S to skip this step:
  Start registering Bootstrap EJB...
  javax.naming.NameNotFoundException
  at java.lang.Throwable.fillInStackTrace(Native Method)
  at java.lang.Throwable.fillInStackTrace(Compiled Code)
  at java.lang.Throwable.<init>(Compiled Code)
  at java.lang.Exception.<init>(Compiled > Code)
  at javax.naming.NamingException.<init>(NamingException.java:114)
  at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  "ldaperror" 76 lines, 2944 characters
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at javax.naming.InitialContext.bind(InitialContext.java:371)
  at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
  at com.netscape.server.deployment.EjbReg.run(Compiled Code)
  at com.netscape.server.deployment.EjbReg.main(Unknown Source)
  Start registering iAS 60 Fortune Application...
  Start iPlanet Application Server
  Start iPlanet Application Server
  Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
  warning: daemon is running as super-user
  [LS ls1] http://gedemo1.plateau.com, port 80 ready
  to accept requests
  startup: server started successfully.
  After completion of installation, I tried to start the console. But I got the following error;
  "Cant connect ot the admin server. The url is not correct or the server is not running.
  Finally,when I started the admintool(iASTT),it shows the iAS1
  was registered( marked with a red cross mark) and says "cant login. make sure the user
  name & passwdord are correct" when i click on it.
  Thanks in advance for any help
  Madhavi

  Hi,
  Make sure that the directory server is installed first. If it is running
  ok, then you can try adding an admin user, please check the following
  technote.
  http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
  regards
  Swami
  madhavi korupolu wrote:
  I am attempting to install ias Enterprise Edition (6.0 SP3) on
  solaris 2.8 using typical in basesetup. I am trying to install new
  Directory server as I don't have an existing one.
  During the installation I got the following error.
  ERROR: Ldap Authentication failed for url
  ldap://hostname:389/o=NetScape Root user id admin (151: Unknown
  Error)
  Fatal Slapd did not add Directory server information to config
  Server.
  Warning slapd could'nt populate with ldif file Yes error code 151.
  ERROR:Failure installing iPlanet Directory Server.
  Do you want to continue: ( I entered yes )
  Configuring Administration Server Segmentation fault core dumped.
  Error: Failure installing Netscape Administration Server.
  Do you want to continue:( I responded with yes).
  And during the Extraction I got the following
  ERROR:mple_bind: Can't connect to the LDAP server - No route to host
  ERROR: Unable to connect to LDAP Directory Server
  Hostname: hostname
  Port: 389
  User: cn=Directory Manager
  Password: <password-for-cn=Directory Manager
  Please make sure this Directory Server is currently running.
  You might need to run 'stop-slapd' and then
  'start-slapd' in the Directory Server home directory, in order to
  restart
  LDAP. When finished, press ENTER to continue, or S to skip this
  step:
  Start registering Bootstrap EJB...
  javax.naming.NameNotFoundException
  at java.lang.Throwable.fillInStackTrace(Native Method)
  at java.lang.Throwable.fillInStackTrace(Compiled Code)
  at java.lang.Throwable.<init>(Compiled Code)
  at java.lang.Exception.<init>(Compiled > Code)
  at javax.naming.NamingException.<init>(NamingException.java:114)
  at
  javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:
  48)
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  "ldaperror" 76 lines, 2944 characters
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at javax.naming.InitialContext.bind(InitialContext.java:371)
  at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown
  Source)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
  Code)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
  Code)
  at com.netscape.server.deployment.EjbReg.run(Compiled Code)
  at com.netscape.server.deployment.EjbReg.main(Unknown Source)
  Start registering iAS 60 Fortune Application...
  Start iPlanet Application Server
  Start iPlanet Application Server
  Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
  warning: daemon is running as super-user
  [LS ls1] http://gedemo1.plateau.com, port 80 ready
  to accept requests
  startup: server started successfully.
  After completion of installation, I tried to start the console. But I
  got the following error;
  "Cant connect ot the admin server. The url is not correct or the
  server is not running.
  Finally,when I started the admintool(iASTT),it shows the iAS1
  was registered( marked with a red cross mark) and says "cant login.
  make sure the user
  name & passwdord are correct" when i click on it.
  Thanks in advance for any help
  Madhavi
  Try our New Web Based Forum at http://softwareforum.sun.com
  Includes Access to our Product Knowledge Base!

• Open LDAP Authenticator Configuration on WLSSP5

  I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
  dn: dc=my-domain,dc=com
  dc: my-domain
  objectClass: dcObject
  objectClass: organization
  o: MYABC, Inc
  dn: cn=Manager, dc=my-domain,dc=com
  userPassword:: c2VjcmV0
  objectClass: person
  sn: Manager
  cn: Manager
  dn: cn=myabcsystem, dc=my-domain,dc=com
  userPassword:: dmVuZGF2b3N5c3RlbQ==
  objectClass: person
  sn: myabcsystem
  cn: myabcsystem
  dn: cn=Philippe, dc=my-domain,dc=com
  userPassword:: UGhpbGlwcGU=
  objectClass: person
  sn: Philippe
  cn: Philippe
  dn: cn=mlrick, dc=my-domain,dc=com
  userPassword:: bWxyaWNr
  objectClass: person
  sn: mlrick
  cn: mlrick
  All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
  Inspite of me not having any groups in the ldap as indicated in ldif contents.
  While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
  <weblogic.security.providers.authentication.OpenLDAPAuthenticator
  AllGroupsFilter="objectclass=*"
  Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
  GroupBaseDN="dc=my-domain,dc=com"
  GroupFromNameFilter="(cn=%u)"
  Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
  Principal="cn=myabcsystem,dc=my-domain,dc=com"
  Realm="Security:Name=MYABCAuthentication"
  StaticGroupDNsfromMemberDNFilter=""
  StaticGroupNameAttribute="" StaticGroupObjectClass=""
  StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

  Hi Amol,
  I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
  I was not aware you could install the service with that command.
  I used the below command instead:
  sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
  Regards,
  -John

• Is there a way in 10.8 Profile Manager to assign certain users the sole right of adding/removing users to user groups?

  Hello,
  I want to assign certain network users the ability to login via browser to the profile manager for 10.8.x server and add/remove other users from user groups.  Think teachers managing their class rosters, if the class was a group and the users their students.  I do not want any other admin funtionality beyond that for them.
  Suggestions?

  Well thank you for being so polite.  Yes, on looking on my 10.8 server, I have the same thing.  How annoying.  I have no idea how to answer your question.  If the management abilities are no longer in Workgroup Manager then there's a change that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
  At least I can verify that it's not just you who gets that result.  I wonder what happened and how we're meant to do this now.

• Ldap authentication not working for Solaris 8 host - Help!

  Greetings folks,
  I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
  Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
  ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
  My /etc/nsswitch.conf looks like this:
  passwd: files ldap
  group: files ldap
  My /etc/pam.conf looks like this:
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_ldap.so.1
  sshd auth requisite pam_authtok_get.so.1
  sshd auth sufficient pam_unix_auth.so.1
  sshd auth required pam_ldap.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_unix_auth.so.1
  other auth required pam_ldap.so.1
  passwd auth sufficient pam_passwd_auth.so.1
  passwd auth required pam_ldap.so.1
  I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
  hostname# getent passwd user1
  user1::1001:1001:User 1:/opt/home/user1:/bin/bash
  hostname# ldaplist -l passwd user1
  dn: uid=user1,ou=people,dc=mydomain,dc=com
  shadowFlag: 0
  userPassword: {crypt}(removed)
  uid: user1
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: account
  objectClass: top
  cn: user1
  uidNumber: 1001
  gidNumber: 1001
  gecos: User 1
  homeDirectory: /opt/home/user1
  loginShell: /bin/bash
  However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
  Any ideas?
  Thanks!
  Patrick

  I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
  1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
  2) Did you test and verify telnet/ftp/su working? but SSH not working?
  3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
  4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
  5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
  6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
  7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
  http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
  Gary

• LDAP authenticator setting in Weblogic 10

  Hi there,
  I am a newbie to weblogic. I am migrating an application from OAS to Weblogic 10. The application is using LDAP for login. I am havng a trouble to set up those users in weblogic console.
  Here is what I did:
  in web.xml:
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>*</url-pattern>
  <http-method>*</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>UserRole</role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>RegularUser</realm-name>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <role-name>UserRole</role-name>
  </security-role>
  In Weblogic.xml
  <?xml version="1.0" encoding="windows-1252"?>
  <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
  <role-name>UserRole</role-name>
  <externally-defined/>
  </security-role-assignment>
  </weblogic-web-app>
  In Weblogic console, I created a new realm called RegularUser and setup LDAP authenticator. User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can see those users already in the user list.
  Did I miss any step?
  Thanks

  Thanks, Faisal.
  Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in console.
  <?xml version='1.0' encoding='UTF-8'?>
  <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>myTestDomain</name>
  <domain-version>10.3.3.0</domain-version>
  <security-configuration>
  <name>myTestDomain</name>
  <realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
  <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
  <sec:name>RegularUsers</sec:name>
  <sec:control-flag>OPTIONAL</sec:control-flag>
  <wls:host>holdap1.abc.org</wls:host>
  <wls:user-object-class>user</wls:user-object-class>
  <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
  <wls:principal>ldapviewsd</wls:principal>
  <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
  <wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
  <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
  <wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
  <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=group))</wls:group-from-name-filter>
  <wls:static-group-object-class>group</wls:static-group-object-class>
  <wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
  <wls:static-group-dns-from-member-dn-filter>(&amp;(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
  </sec:authentication-provider>
  <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
  <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
  <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
  <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
  <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
  <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  <sec:name>myrealm</sec:name>
  <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
  <sec:name>SystemPasswordValidator</sec:name>
  <pas:min-password-length>8</pas:min-password-length>
  <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
  </sec:password-validator>
  </realm>
  <realm>
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
  <sec:name>RewardsUser</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:host>holdap1.abc.org</wls:host>
  <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
  <wls:principal>ldapviewsd</wls:principal>
  <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
  <wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
  <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
  <wls:group-base-dn>ou=a,dc=bdc=c</wls:group-base-dn>
  <wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
  </sec:authentication-provider>
  <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
  <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
  <sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
  <sec:security-dd-model>CustomRoles</sec:security-dd-model>
  <sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
  <sec:name>RewardsUser</sec:name>
  <sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
  </realm>
  <default-realm>myrealm</default-realm>
  <credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
  <node-manager-username>weblogic</node-manager-username>
  <node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
  </security-configuration>
  <server>
  <name>AdminServer</name>
  <server-debug>
  <debug-scope>
  <name>weblogic.security.atn</name>
  <enabled>true</enabled>
  </debug-scope>
  <debug-scope>
  <name>weblogic.security.atz</name>
  <enabled>true</enabled>
  </debug-scope>
  <debug-security-atn>true</debug-security-atn>
  <debug-security-atz>true</debug-security-atz>
  <debug-security-saml-atn>true</debug-security-saml-atn>
  <debug-security-saml2-atn>true</debug-security-saml2-atn>
  </server-debug>
  <listen-address></listen-address>
  </server>
  <embedded-ldap>
  <name>myTestDomain</name>
  <credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
  </embedded-ldap>
  <configuration-version>10.3.3.0</configuration-version>
  <app-deployment>
  <name>rewards</name>
  <target>AdminServer</target>
  <module-type>ear</module-type>
  <source-path>servers\AdminServer\upload\rewards.ear</source-path>
  <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
  </domain>