Restricting 389 to TLS (simple or cert) from specific userDNs

i am configuring an LDAP server to listen on 389 (TLS) and 636 SSL
I have applications that need to use "simple" authenticaiton on 389 and have ldap clients that are configured to use TLS:simple
question i have is
i want to enforce the use of tls if bind is being done by specific userDNs and IP / DNS addresses. I have read documentation and know I can setup ACI to restrict by DNS/IP but not by bind method (none of the bind methods fulfil the transport requirement)
authmethod = ssl requires cert authentication and i dont believe Solaris ldap clients cannot support cert authentication.
what is the best practice in this respect ?

Hi
sounds logical. However, I've seen that the user sl-abde has written a plugin with the needed functionality (http://forum.java.sun.com/thread.jspa?threadID=5062375). Unfortunately the Sun forums do not offer the possibility to contact a user directly, so I cannot ask for the code (can anyone help me?). I possible could be able to write the plugin by myself, but if someone did it already... Is there a community code repository?
Any ideas / suggestions would be highly appreciated.
harry

Similar Messages

Switching from tls:simple to tls:sasl/DIGEST-MD5

How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
TIA,
Chris

I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
idsconfig is which "Authentication Methods" the DS will support. The choices being:
* none
* simple
* sasl/DIGEST-MD5
* tls:simple
* tls:sasl/DIGEST-MD5
When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
could have chosen more than one at that time, but I didn't. What I need to know is how to add support
for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
or caveats I should be aware of beforehand.

Native Solaris 10 with DSEE 6.3.1 (or JSDS) with SSL (tls:simple)

Hello There,
I need some help from DSEE or LDAP experts.
I am trying to configure DSEE 6.3.1 to use SSL(tls:simple).
*{color:#0000ff}I have Simple(non-SSL) method working just fine and*
**Also ldapsearch command works fine with simple and SSL methods*{color}**. So I know my certs are good but I just can not make ldap clien to work*
*I followed this document [http://brandonhutchinson.com/wiki/Soup_To_Nuts_Sun_DSEE#Solaris_10_instructions]*
I am using
ldapclient -v init -a profileName=profile3 -a certificatePath=/var/ldap -a domainName=mydomain.com -a proxyDN="cn=proxyagent,ou=pro*file,dc=mydomain,dc=com" -a proxyPassword=XXXXX ldap200.mydomain.com*
Here is the output
+Parsing profileName=profile3+
+Parsing certificatePath=/var/ldap+
+Parsing domainName=mydomain.com+
+Parsing proxyDN=cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+Parsing proxyPassword=xxxxx+
+Arguments parsed:+
+domainName: mydomain.com+
+proxyDN: cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+profileName: profile3+
+proxyPassword: xxxxx+
+defaultServerList: ldap200.mydomain.com+
+certificatePath: /var/ldap+
+Handling init option+
+About to configure machine by downloading a profile+
+findBaseDN: begins+
+findBaseDN: ldap not running+
+findBaseDN: calling __ns_ldap_default_config()+
+found 1 namingcontexts+
+findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=mydomain.com))"+
+rootDN[0] dc=mydomain,dc=com+
+found baseDN dc=mydomain,dc=com for domain mydomain.com+
+Proxy DN: cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+Proxy password: {NS1}67eb0f447bc0f619+
+Credential level: 1+
+Authentication method: 3+
+About to modify this machines configuration by writing the files+
+Stopping network services+
+sendmail not running+
+nscd not running+
+autofs not running+
+ldap not running+
+nisd not running+
+nis(yp) not running+
+file_backup: stat(/etc/nsswitch.conf)=0+
+file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)+
+file_backup: stat(/etc/defaultdomain)=0+
+file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)+
+file_backup: stat(/var/nis/NIS_COLD_START)=-1+
+file_backup: No /var/nis/NIS_COLD_START file.+
+file_backup: nis domain is "mydomain.com"+
+file_backup: stat(/var/yp/binding/mydomain.com)=-1+
+file_backup: No /var/yp/binding/mydomain.com directory.+
+file_backup: stat(/var/ldap/ldap_client_file)=-1+
+file_backup: No /var/ldap/ldap_client_file file.+
+Starting network services+
+start: /usr/bin/domainname mydomain.com... success+
+start: sleep 100000 microseconds+
+start: sleep 200000 microseconds+
+start: network/ldap/client:default... success+
+restart: sleep 100000 microseconds+
+restart: sleep 200000 microseconds+
+restart: milestone/name-services:default... success+
+System successfully configured+
+When I run+
*It takes long time and then*
*+ldaplist: Object not found (Session error no available conn.+*
*+)+*
{color:#0000ff}The command logins also takes long time and does not show any LDAP users.{color}
*+{color:#ff6600}Here is the output from cachemgr.log on client*+*
*+{color}+*
+Tue Jul 14 12:16:07.8984 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log+
+Tue Jul 14 12:16:07.9391 sig_ok_to_exit(): parent exiting...+
+Tue Jul 14 12:16:17.9511 getldap_set_refresh_ttl:(6) refresh ttl is 300 seconds+
+Tue Jul 14 12:16:38.0741 getldap_set_refresh_ttl:(6) refresh ttl is 150 seconds+
+Tue Jul 14 12:16:38.0755 Error: Unable to refresh profile:profile3:Session error no available conn.+
+Tue Jul 14 12:16:38.0756 Error: Unable to update from profile+
+{color:#ff6600}Here is the out from /var/adm/messages.+
+{color:#000000}Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind fai{color}+{color:#000000}+led - Can't contact LDAP server+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 186574 daemon.error] Error: Unable to refresh profile:profile3: Session error no available conn.+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple+ +bind failed - Can't contact LDAP server+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no avaible conn.+
*ANY HELP IS GREATLY APPRECIATED*
*THANKS*
Edited by: PranavPatel on Jul 14, 2009 12:41 PM
Edited by: PranavPatel on Jul 14, 2009 12:46 PM

Here is the the profile from Server
Non-editable attributes
dn: cn=profile3,ou=profile,dc=mydomain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: profile3
credentiallevel: proxy
defaultsearchbase: dc=mydomain,dc=com
defaultsearchscope: one
defaultserverlist: 192.168.190.146 192.168.11.221
followreferrals: FALSE
objectclass: top
objectclass: DUAConfigProfile
profilettl: 43200
searchtimelimit: 30
serviceauthenticationmethod: passwd-cmd:tls:simple
serviceauthenticationmethod: keyserv:tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
Editable attributes:
createtimestamp: 20090714180638Z
creatorsname: cn=directory manager
entrydn: cn=profile3,ou=profile,dc=mydomain,dc=com
entryid: 26
hassubordinates: FALSE
modifiersname: cn=directory manager
modifytimestamp: 20090714180638Z
nsuniqueid: f37fa281-70a011de-80b5f403-069e0ba9
numsubordinates: 0
parentid: 13
subschemasubentry: cn=schema
And here is the output of
*# ldapclient list*
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=mydomain,dc=com
+NS_LDAP_BINDPASSWD= {NS1}67eb0f447bc0f619+
NS_LDAP_SERVERS= 192.168.190.146, 192.168.11.221
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= profile3
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
NS_LDAP_HOST_CERTPATH= /var/ldap
Edited by: PranavPatel on Jul 14, 2009 1:08 PM

ISE and 802.1x - Retrieve User Cert from AD for Auth without it being in the Personal Store?

Hello,
We are implementing 802.1x EAP-TLS wired at the moment with Cisco ISE, and wireless is to come after that, along with our internal PKI. I set up the PKI, and our network engineer is setting up the ISE. We currently have it set to first authenticate the computers with a computer certificate (allowing access to AD, among some other things), and then further authenticate the users with user certificates.
I don't have much knowledge of Cisco ISE, and plan to learn as we go, but I'm wondering:
Is it possible to authenticate the computer via the computer certificate, getting access to AD, and then have the ISE check AD for the User certificate INSTEAD of the User certificate being in the local Personal store of the client computer? We have autoenrollment going for user certificates, but it seems to be cumbersome (in thought) that once 802.1x is enabled, a new computer/employee coming on the network has to first go to an unauthenticated port to be able to download the User certificate in the Personal store, before then being able to use an 802.1x port?
I guess that makes two questions:
1) Can ISE pull the user cert from AD, without needing it in the local Personal store?
2) What's the easiest way to handle new computers/users that don't already have the User cert in their local Personal store once 802.1x is enabled?

1)No
2)Use EAP-Chaining with EAP-TLS and PEAP
For this scenario, i would go with Cisco AnyConnect NAM, and then use EAP-Chaining, with EAP-TLS for machine auth, and then PEAP for user authentication. This way you can make sure that both the machine and the user is authenticated, and more importantly, that a user can not get on the network with their user identity only and no machine identity. Using windows own supplicant for this, gives no garantee that the user has logged in from an authenticated machine. The feature that used to be used for this before EAP-Chaining was introduced, is called MAR, and has many problems, making it almost useless in a corporate environment. Security wise, the PEAP-MSCHAPV2 is tunneled in EAP-FAST and does not have the same security issues as regular PEAP.

7925g plus EAP-TLS plus wildcard cert

Hi folks,
Has anyone managed to put a wildcard cert on a 7925G (or 9971) to use for client authentication with EAP-TLS? It seems like one is forced to use the MIC or a cert from a csr generated by the phone... but I'd really rather not keep track of a zillion certs.
Thanks for any help.

Hi,
have you read the infos from the deployment guide (page 72 - install certificates) already
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

Solaris ldap client problem (tls:simple + anonymous)

Hi All,
I've installed Directory Server 6.3.1 and it works just fine,
but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
More detail.
Profile:
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
Ldapclient output:
bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
Parsing profileName=sslnoproxyuser
Arguments parsed:
profileName: sslnoproxyuser
defaultServerList: servername.domain.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
rootDN[0] dc=domain,dc=com
found baseDN dc=domain,dc=com for domain domain.com
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 3
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "domain.com"
file_backup: stat(/var/yp/binding/domain.com)=-1
file_backup: No /var/yp/binding/domain.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "domain.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/domain.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
*/var/ldap/cachemgr.log*
Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
Any ideas?
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

Hi ,
yes I use it.
Here is my pam.conf:
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Move SSL Cert from one device to another on Cisco ASA

Hello Everyone,
Is it possible to move SSL certificate + Key from one cisco asa to another ? I hope its possible and if someone can guide me towards correct documentation that would be perfect.
thank you
Manish

We have an ASA5550 running 8.2(5) that we're using as a VPN terminator; it died yesterday when we had a power glitch in the data center, and we're temporarily installing a spare 5510 (we don't have a spare 5550) until it's replaced. But the RSA keys on the spare don't match the ones on the old firewall, so when we try to install the old cert it fails:
ERROR: Keypair cannot be found for trustpoint UMVPN3-INCOMMON-MAY2020.
The old ASA is dead, so we can't do a straight export/import - all we have to work with is what's in yesterday's config backup...
I gather there's no way to extract the original keys from this; is there any way to recover in this case? Or must we export the certs from the ASAs with a "crypto ca export" and save copies of these in a secure location?

What is the direct connect method for transfering photos from my macbook pro to my iphone without using iTunes syncronization? (iow: a simple photo copy from mac to iphone?)

I feel like I should know the answer to this. I can't believe it is a hard question.
What is the direct connect method for transfering photos from my macbook pro to my iphone without using iTunes syncronization? (iow: a simple photo copy from mac to iphone?)
Easy? Right?
Just plug my iphone in to a mac and copy a photo from the mac to my iphone.
I don't have internet access - I can't email it, or mobileme it, or dropbox it.

iTunes. Other than that there is no direct method. However, do try the iPhone forums.

How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

Dear All,
We are having an infrastructure setup of around 500 client computers managed through group policy.
Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
It would be great if you can assist me with the following query.
How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
Can we disable Network Tab on the left hand pane ?
explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

>   * explorer.exe is blocked already, but users are able to enter the
>    Windows Explorer by clicking on the name which is visible on the
>    Start Menu.
You cannot block explorer.exe when you do not replace the shell - the
desktop you see effectively IS explorer.exe...
Your requirement sounds like you need a custom shell:
http://gpsearch.azurewebsites.net/#2812
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Calling simple Java Code from 11g BPM

Hi,
I know this has been round the houses but I cant find a satisfactory solution for my scenario. I would like to call some simple java code from BPM (11.1.1.6). I guess I need to expose it as a service but it seems overkill to be via soap so any advice you can give would be much appreciated. Creating a jar that I can call somehow would be perfect.
This is my scenario:
- I am creating a Security POC for BPM
- The BPM Process is exposed as a web service and authenticated using SAML
- I am testing by calling the WS from OSB
- I want to be able to get the WLS Principal and display the username and the roles for the launching user, from within the BPM process
- This is possible using some simple weblogic client api code shown below
- So all I want to do is call this code from BPM somehow
- Anyone point me in the right direction ?
cheers
Tony
subject = Security.getCurrentSubject();
for(Principal p: subject.getPrincipals()) {
if(p instanceof WLSGroupImpl) {
groupList.add(p.getName());
} else if (p instanceof WLSUser) {
principal = p.getName();
}

The problem to communiate java classes and forms solved !
i have add my .jar file to $OA_JAVA/oracle/apps/fnd/jar and now i can communicate between forms and java.
I can create an object, i can get simple message from class, but when i try to create
ServiceFactory factory = ServiceFactory.newInstance();
ive got ORA-105100...
can anybody help ?

Is there any API to add and remove certs from acrobat trusted identities?

Is there any API to add and remove certs from acrobat trusted identities? if this is not possible any work around for this. Please help me

No, there is not – that would be a security concern.

Getting list of cert from browser

Hello,
I would like to get the list of certificate in the different stores of my web browser (internet explorer, firefox, ...). I know how to get the list of certs from a java keystore, but I have no idea about getting list of cert from browser.
Please help!
Thanks

A little tough.
On Windows, you can use Windows-MY and Windows-Root storetypes to access those 2 stores in IE.
For Firefox keystores, you can use the PKCS11 storetype to access the NSS keystore.
Google yourself for details.

Restricting the user to operate DML's from SQL PLUS Environment

how to Restrict the user to operate DML statements from SQL PLUS Environment.

Once you restrict SCOTT user to not be able to do an INSERT command, the SQL*Plus returns an error for user SCOTT when he tries to execute an INSERT statement.
Note however, that this is enforced by SQL*Plus, not the database!
Look into the use of product_user_profile from Oracle documentation for more information.
SQL> insert into product_user_profile values('SQL*Plus', 'SCOTT', 'INSERT', NULL, NULL, 'DISABLED', NULL, NULL) ;
1 row created.
SQL> commit ;
Commit complete.
SQL> disconnect
Disconnected from Oracle9i Enterprise Edition Release 9.2.0.3.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.3.0 - Production
SQL>
SQL> connect scott
Enter password:
Connected.
SQL>
SQL> insert into emp select * from emp ;
SP2-0544: invalid command: insert
SQL>
SQL>

Restrict number of rows to be pulled from PeopleSoft's PS_LEDGER table while importing data in FDMEE

Hi,
We need to know if FDMEE 11.1.2.3.520 product supports restricting number of rows to be pulled from PeopleSoft's PS_LEDGER table.
All the records fetched from PS_LEDGER is getting loaded into TDATASEG table.
Currently, it is trying to pull all the records based on the given "period", "version" and "year" combination. We are looking to restrict rows based on specific account/entity/program/subprogram combination.
If this is can be done, will it be an out-of-the-box functionality or does it require any customization/import scripts/api.
Admin guide does say we can use Jython to filter rows using import scripts. However, it seems to be limited to file not a table as a source.
I have attached a document with the screenshots so that the issue is better understood !
Thanks,
Hari

1)
When you set a column to hidden in a classic report using the method I described, it creates hidden form elements for that column.
<tt><input type="hidden" name="f01" value="" id="f01_0002"></tt>
You should inspect the source to figure out the name value.
Since this belongs to the wwv_flow form, we can therefore get this data with: wwv_flow.f01
Alternatively, you could have used the apex_item API to achieve the same result, which probably gives a bit better control.
http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_item.htm#CHDBFHGA
select apex_item.hidden(1, col) || col col
from table
Set that column to a standard report column so it doesn't escape the html.
You can also reference the data in these fields using PL/SQL using the apex_application API:
http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_app.htm#CHDGJBAB
2)
As above, setting the column to hidden creates hidden elements on the page. It is simply f01 because that is the only hidden field I would have on my page. With four reports on the page, you would need to be careful not to do the same on the other reports, as you would get inaccurate data. For each report, setting columns to hidden always starts with f01. In that, you would be best to use the apex_item API.
I actually initially ran into this issue when i had a tabular form on the same page as a report with hidden fields, which was causing conflicts in the page processes.
Hope it helps.

Restrict people to see only spool requests from one group of users

I would like to restrict people to see only spool requests from one group of users defined somewhere inside role.
I am playing with S_SPO_ACT authorisation object but with no positive result,
Please help

There is a note Note 119147 - Spool: Authorizations (https://service.sap.com/sap/support/notes/119147)
Object for "Selection authorization for spool requests" is S_ADMI_FC where "Operation authorization" use S_SPO_ACT
Regards

Restricting 389 to TLS (simple or cert) from specific userDNs

Similar Messages

Maybe you are looking for