Radius authentication for the enable password

Similar Messages

• Radius authentication for the browser-based webtop

  Hiya all,
  With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
  SSGD version:
  Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
  Architecture code: i3so0510
  This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
  I have the radius-module running for authentication of a single directory with the apache-config-lines:
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch "/secure">
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthName "Radius authentication for SGD"
  Authtype Basic
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 540
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
  When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
  The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
  Changing the JkLogLevel to debug gives the following info in the JkLogFile:
  Radius authentication:
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
  With the password-authentication file:
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
  It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
  Any help will be usefull since I am allready stuck on this problem for a couple of days :(
  Thanks,
  Remold | Everett

  I got response from the Fat Bloke on the mailing list.
  Adding the following line in the apache httpd.conf seams to help and resolved my problem:
  Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  Thanks The Fat Bloke !!
  - Remold
  These instructions are for a 4.2 SGD installation using SGD's third
  party web authentication with mod_auth_radius.so (www.freeradius.org).
  With 4.2 Sun didn't distribute enough of the Apache configured tree
  to enable the use of axps to build the mod_auth_radius module, 4.3 is
  better - Sun now install a modified axps and include files, I haven't
  tried this with 4.3 yet though.
  I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
  So, this is how we got this working with Radius (tested with SBR
  server and freeradius.org server.)
  Install SGD in the usual way.
  Enable 3rd party authentication:
  According to:
  http://docs.sun.com/source/819-4309-10/en-us/base/standard/
  webauth_config_browser.html
  Configure the Tomcat component of the Secure Global Desktop Web
  Server to
  trust the web server authentication. On each array member, edit the
  /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
  following attribute to the connector element (<Connector>) for the
  Coyote/JK2 AJP 1.3 Connector:
  tomcatAuthentication="false"
  # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
  conf/server.xml
  <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" minProcessors="5" maxProcessors="75"
  tomcatAuthentication="false"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="0"
  useURIValidationHack="false"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  "By default, for security reasons, Secure Global Desktop
  Administrators can't
  log in to the browser-based webtop with web server authentication.
  The standard
  login page always displays for these users even if they have been
  authenticated
  by the web server. To change this behavior, run the following command:"
  # tarantella config edit --tarantella-config-login-thirdparty-
  allowadmins 1
  Without this, after authenticating via webauth, the user will be
  prompted for a
  second username and password combination.
  # /opt/tarantella/bin/tarantella objectmanager &
  # /opt/tarantella/bin/tarantella arraymanager &
  In Array Manager:
  Select "Secure Global Desktop Login" on left side and click
  "Properites" at bottom
  Under "Secure Global Desktop Login Properties"
  cd /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
  edit httpd.conf:
  ### For SGD Apache based authentication
  Include conf/httpd4radius.conf
  at the end of httpd.conf add:
  Alias /sgd "/opt/tarantella/webserver/tomcat/
  5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  # cat httpd4radius.conf
  LoadModule radius_auth_module libexec/mod_auth_radius.so
  AddModule mod_auth_radius.c
  # Add to the BOTTOM of httpd.conf
  # If we're using mod_auth_radius, then add it's specific
  # configuration options.
  <IfModule mod_auth_radius.c>
  # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
  # Use localhost, the old RADIUS port, secret 'testing123',
  # time out after 5 seconds, and retry 3 times.
  AddRadiusAuth radiusserver:1812 testing123 5:3
  # AuthRadiusBindAddress <hostname/ip-address>
  # Bind client (local) socket to this local IP address.
  # The server will then see RADIUS client requests will come from
  # the given IP address.
  # By default, the module does not bind to any particular address,
  # and the operating system chooses the address to use.
  # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
  # the special value of 0 (zero) means the cookie is valid forever.
  AddRadiusCookieValid 5
  </IfModule>
  <LocationMatch /radius >
  Order Allow,Deny
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch /sgd >
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  Put appropriate mod_auth_radius.so into
  /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
  # mkdir /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
  # cat /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
  <HTML>
  <HEAD>
  <TITLE> Test Page for RADIUS authentication </TITLE>
  </HEAD>
  <BODY>
  <B> You have reached the test page for RADIUS authentication.
  </BODY>
  </HTML>
  I hope this helps!
  -FB

• RADIUS Authentication for Enable PW

  Hi Everyone,
  I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
  aaa new-model
  aaa authentication login default group radius local
  aaa accounting network default start-stop group radius
  When I add the command;
  aaa authentication enable default group radius enable
  I would expect it to allow me to enter my RADIUS pw for the enable one to, but it doesnt. Nor does it allow me to enter the locally configured one?
  Any help would be great,
  Thanks,
  Dan

  Thanks for your reply Rick,
  The debug output is below;
  L2-SW01>
  00:03:02: RADIUS: Authenticating using $enab15$
  00:03:02: RADIUS: ustruct sharecount=1
  00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
  len 72
  00:03:02: Attribute 4 6 AC14024F
  00:03:02: Attribute 5 6 00000000
  00:03:02: Attribute 61 6 00000000
  00:03:02: Attribute 1 10 24656E61
  00:03:02: Attribute 2 18 524FB069
  00:03:02: Attribute 6 6 00000006
  00:03:02: RADIUS: Received from id 3
  x.x.x.x:1812, Access-Reject, len 20
  00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
  L2-SW01>
  L2-SW01>
  I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
  Any ideas?
  Cheers,
  Dan

• Tacacs+ Authenticating the Enable Password

  I have the following configuration on my switch and it works correctly:
  aaa group server tacacs+ tacacs_serv
  server 192.168.70.20
  aaa authentication login tac_auth group tacacs_serv local
  line vty 0 15
  login authentication tac_auth
  transport input ssh
  The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.
  When I make the following changes attempeing to have Tacacs validate the username/pwd as well as the "enable" password I cannot log into the switch at all.
  aaa group server tacacs+ tacacs_serv
  server 192.168.70.20
  aaa authentication login default group tacacs_serv local
  aaa authentication enable default group tacacs_serv enable
  line vty 0 15
  login authentication default
  transport input ssh
  The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The Enable password is configured in two places within the tac_plus.conf file:
  host = 192.168.70.15 {
          prompt = "Enter your Username and Password. Username: "
          enable = cleartext "password"
  AND
  user = $enab15$ {
          login = cleartext "password"
  Any help would be appreciated.
  Thanks

  I added the priv-lvl to enable15:
  user = $enabl15$ {
          login = cleartext 802.11boingo
          priv-lvl = 15
  It is also in the testuser config:
  user = testuser {
          login = PAM
          member = admin
          service = exec
          priv-lvl = 15
  It is also in the group config:
  group = admin {
          # group members who don't have their own login password will be
          # looked up in /etc/passwd
          #login = file /etc/passwd
          login = PAM
          # group members who have no expiry date set will use this one
          #expires = "Jan 1 1997"
          # only allow access to specific routers
          acl = default
          # Needed for the router to make commands available to user (subject
          # to authorization if so configured on the router
          service = exec {
                  priv-lvl = 15
                  #default service = permit
  Below is the latest debug:
  CCG-WLA-TEST-SWT-1>ena
  Password:
  Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
  Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
  Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
  Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
  Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
  Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
  % Error in authentication.

• Radius authentication for privileged access

  Hello,
            I have configured Cisco 6513 for radius authentication with following commands.
  aaa new-model
  aaa authentication login authradius group radius line
  aaa accounting exec acctradius start-stop group radius
  radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
  line vty 0 4
  accounting exec acctradius
  login authentication authradius
       This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
       I am using TeKRadius as Radius server.
       Please help.
  Thanks and Regards,
  Pratik

  Hi Pratik
  Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
  You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
  There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
  Nick
  Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

• RADIUS Authentication for Guest users

  Hi,
  I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewal, so am assuming the problem is with the WLC config.
  Can anyone provide any details of what config is required?
  Security Policy - Web-Auth
  Security-> L2 - None
  Security-> L3 - Authentication
  Security-> AAA Servers - Auth and Acc server set
  Many thanks
  Liam

  your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
  hope that helps

• NAC guest server with RADIUS authentication for guests issue.

  Hi all,
  We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
  The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
  https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
  -----START QUOTE-----
  Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
  •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
  •Self Service—This option allows guest self service. After selection proceed to Step 8.
  •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
  ----- END QUOTE-----
  Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
  Regards
  Kevin Woodhouse

  Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
  Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

• I have two facebook accounts availible when I click the facebook icon in aperture it tries to log into the disabled account. It doesn't give me any option to continue making an album for the enabled account. Why?

  I have two facebook accounts availible when I click the facebook icon in aperture it tries to log into the disabled account. It doesn't give me any option to continue making an album for the enabled account. Why?

  I suppose I could delete it, but the whole point of multiple accounts is so I can post to either. One is mine, one is my wife's. If it is not enabled why would I need to log into it to post to my own account. The system has no problem associating existing albums with my account, I is only failing to allow me to choose only my account to create an new one. It is clearly designed to handle multiple accounts, but seems to have a bug directing it to ask for the password for a disabled account instead of allowing selection of and posting to the enabled one.

• Preview and print a Crystal report prompted for the sa password

  Dear All,
  Our customer has Crystal report add-on to be installed. When we Preview and print a Crystal report, we got a window prompted for the sa password. Even we type in a correct password, it still says wrong password...
  Every time when I open my report in Crystal Basic 2008 on the server, then go database expert >> My connections >> click + in front of the connection name, it asks my sa password. I type in my password then save and close. Next time when I open the report and go my connections, I have to type in my password again. This only happens on one customer.
  Any idea? Thanks a lot.
  Regards,
  Yuka

  Hi Yuka,
  1) All their SAP client workstation, they have to have use SQL2008 CD and install SQL Client on it
  Correct, MS does NOT support MDAC or WDAC when connecting to SQL 2008.
  2) Then go ODBC >> SQL Native Client 10.0 >> Create a new connection to SAP server. Should we use sa user or another use that has the same authorization as sa?
  Correct again if they are also using ODBC to connect, as for using the sa account or creating a new one is up to you. I suggest creating a Crystal account with what ever rights your app needs, this way if tracing it turned on etc. you can confirm who is actually running the report.
  3) Then from MY Crystal report, I have to use ODBC connection as well?
  Just to clarify, if you created your reprots using OLE DB then they can do so also. But you need to update your connection properties. Open each report click on Database, Set Location, scroll down to OLE DB and expand and then choose MS SQL Server Native 10 as your OLE DB provider, fill in all the logon info and then verify the database. Do the same for each subreport also.
  Save your report and either send them the new one or if you are doing this remotely then replace the original report.
  VERIFY your reports to confirm they still return correct data and do work as expected.
  Or if you are using ODBC then yes you do select the MS 10 driver with a new DSN. Then do the above to update the reports to all use ODBC as their data sources.
  Hope this is all clear now....
  Thanks again
  Don

• I have two apple id's and one I cannot remember the password so I made a new one but to update my apps it still asks for the old password... How do I update my apps?

  I have two apple id's and one I cannot remember the password so I made a new one but to update my apps it still asks for the old password... How do I update my apps?

  All content and data is forever associated with the Apple ID you used to download it. You should have reset the password for the original I'd.
  I forgot.apple.com

• HT202157 New apple is not asking for the WIFI password.Home sharing is not working,i am getting Error while streaming videos from Youtube.

  I got new Apple TV 10 days back,its not asking for the WIFI password.Home sharing is not working,i am getting Error while streaming videos from Youtube.
  I can only see pics and video saved in my iphone. No other options are working.The worst part is that its not asking wifi passoword.
  Not able to connect istores and itunes.
  I cannot do software update. Can anyone help in this content?

  Thanks Brian- I am not connecting it with iphone teethering. I am using it with my DSL wifi.
  I am using it with ethernet cable then its working fine.If i am trying to use it with WIFI then its giving error.
  I tried using Netwrok testing but its giving same error.

• I changed my primary email and icloud is still set for my old email. I tried deleting my icloud but it aks me for the old password associated with the old email that I don't have anymore. Any other sugestions on how to get icloud to change emails on my i

  I changed my primary email and icloud is still set for my old email. I tried deleting my icloud but it aks me for the old password associated with the old email that I don't have anymore. Any other sugestions on how to get icloud to change emails on my ios?

  I figured it out! I changed my email & password at the icloud site, then when I deleted the icloud account on my iphone - it still showed my old email but when i typed in my current password it went through. I was then able to sign back in with my current email and password. That was too easy for the amount of time I have put into this!  Glad its finally fixed.

• My hp mini 1000 asks me for the current password

  Hi I'm having a problem with my laptop it is blocked and asks me for the current password after attempting for three times it says "password check failed
  fatal error... System halted
  CNU9321ZHJ

  Hi,
  Try entering:       e9lof730zw             ( Note that the 3rd character is a lower case L )
  Regards,
  DP-K
  ****Click the White thumb to say thanks****
  ****Please mark Accept As Solution if it solves your problem****
  ****I don't work for HP****
  Microsoft MVP - Windows Experience

• Preview a Crystal report prompted for the sa password

  Dear All,
  When our customer preview a Crystal report, we got a window prompted for the sa password. Even we type in a correct password, it still says wrong password.
  Only two user computer have this problem.
  How do I solve it?
  Regards,
  Karen

  I install Crystal Reports Designing Software on those computers which canu2019t preview reports.
  Then start the Crystal Reports design software to open the problem report.
  It usually asks to enter the column on the interface u201COLE DB (ADO) u2013 Connect Informationu201D.
  But it gets into the interface u201COLE DB (ADO) u2013 OLE DB Supplieru201D.
  I correct the setup and save the report.
  The problem is solved.
  I try many methods, but only this one can solve my problem.
  If you have another solution, please tell me, thanks!
  Regards,
  Karen

• Configuration settings for the AD Password Sync Connector

  Hi,
  I am looking for information on how do retries work for the OIM Password (Sync) Connector for Active Directory. We are currently using version 9.1.1.5.10. If anyone can help answer any of the below questions, it will be very appreciated. Also, if there is a doc that explains this, please do let me know. The official connector doc on the Oracle site provides a good architectural overview but it does not talk about any of these registry settings.
  a) What does this registry setting "OIMConfig\ConfigSleepTime" control
  b) What does this registry setting "OIMConfig\MAX_RETRIES" control
  c) What does this registry setting "OIMConfig\SleepTime" control
  - In my experience this is the time when the password update thread kicks off. So in other words it represents the max latency between when you change a password in AD and when it will get pushed down to OIM. If you set this to 300 seconds, then you are looking at a worse case scenario of a 300 second lag between the time you changed your AD password and when it was pushed to OIM.
  d) According to this doc, http://docs.oracle.com/cd/E11223_01/doc.910/e11218/overview.htm#CEGHJCJE, bullet #6 states:
  "If Oracle Identity Manager rejects the password change, then the password update thread keeps resending SPML requests until the retry count reaches the maximum number of retries."
  I am trying to understand what is the reasoning behind having the connector retry the password update if OIM has already rejected it once. Is there a possible scenario where OIM would reject a password update the first time and then accept the same password update on a second attempt?
  e) Referring back to question #d above, what is the frequency at which the connector will attempt retries?
  Thanks
  Aspi Engineer
  Putnam Investments

  That is the problem...
  When I installed the connector I didn't get any error and I get a message the connector was installed ok. I think I will reinstall it.
  Thanks,
  Renato