Samba/cifs shares using AD for Authentication

Similar Messages

• MacAir using AD for authentication. In AD, there is a network home assigned to that user. When logging into that account on the Mac, it takes 1-2 minutes after entering credentials, before displaying an error that it could not connect to it, every time.

  In our AD, all users have a network home that is set (smb://home for example). For some of our Mac users using AD for authentication, there is a 1-2 minute delay between entering their credentials and the OS being presented. The OS does not present itself until the user dismisses the alert: "There was a problem connecting to server home".Local users on the same machines do not have that problem.
  It remains in the dock as User's Network Home as a ? that I am unable to remove, and there is also a 'Unknown' in the log-in items for the user as well (that I am also unable to remove).
  Is there anyway to disable this share? Or to stop the Mac from trying to connect to it before loading the OS?

  In our AD, all users have a network home that is set (smb://home for example). For some of our Mac users using AD for authentication, there is a 1-2 minute delay between entering their credentials and the OS being presented. The OS does not present itself until the user dismisses the alert: "There was a problem connecting to server home".Local users on the same machines do not have that problem.
  It remains in the dock as User's Network Home as a ? that I am unable to remove, and there is also a 'Unknown' in the log-in items for the user as well (that I am also unable to remove).
  Is there anyway to disable this share? Or to stop the Mac from trying to connect to it before loading the OS?

• Problem configuring SOA suite to use OID for authentication

  We are in the process of rebuilding our environment to use the full SOA suite with our OID server for authentication (was previously just BPEL using AD directly), and have encountered several problems (below). We have rebuilt the OID server, and reinstalled the SOA suite into a clean ORACLE_HOME to no avail.
  We first rebuilt the OID server using the following steps (derived from Oracle® Internet Directory Administrator's Guide):
  1)     Create the Import and Export profiles for AD synchronization. We did this using the Directory Integration and Provisioning Server Administration tool under “Active Directory Configuration”
  2)     Modify the map file to specify the correct OU mappings between AD and OID.
  3)     Update the profile with the new map file using “dipassistant.bat mp”
  4)     Bootstrap the import profile using “dipassistant.bat bootstrap”
  5)     Start a new instance of the Integration server (odisrv) running on config set 1 (the config set containing the Active Directory import/export profiles) using “oidctl”
  6)     Set the Import profile to Enable. The OID server does not export changes to AD in our current configuration, so the Export profile is left on disable (and not bootstrapped)
  At this point it appears that the AD synchronizes correctly into our new OID server.
  Next we installed the SOA suite:
  1)     We ran “irca.bat” on our database server to create the ORABPEL, ORAESB, and ORAWSM schemas and associated integration repository structure.
  2)     After launching the SOA suite installer, we selected Advanced Install.
  3)     On the next screen, we selected J2EE Server, Web Server, and SOA Suite.
  4)     We then provided the credentials for our Oracle database, and the passwords for ORABPEL, ORAESB, and ORAWSM.
  5)     We configured our new AS instance as an administration instance, but did not opt to use from a separate HTTP server, and did not make this instance part of an OAS cluster topology.
  And finally, we configured our new SOA suite instance to use OID for authentication (using the instructions in Oracle® BPEL Process Manager Administrator's Guide section 2.1.3):
  1)     Used the configure_oid.bat command to seed OID with required users only.
  2)     Logged into the OracleAS Control Console
  3)     Chose the oc4j_soa instance, then Administration->Security->Identity Management
  4)     Configured the OID server using a non-ssl connection and the cn=orcladmin account.
  5)     When prompted, chose to reconfigure all applications in the oc4j_soa instance to OID, but not to use SSO for any of them.
  6)     Copied the contents of ORACLE_HOME\j2ee\home\config\jazn.xml to ORACLE_HOME\j2ee\oc4j_soa\config\jazn.xml
  7)     Restarted the application server.
  After this procedure, we encountered the following issues:
  1)     The BPEL console appears to authenticate users correctly out of OID, but no users have access to the default domain, including bpeladmin and oc4jadmin. All users receive a similar access denied message when attempting to log into the BPEL Admin Console.
  2)     We cannot upload a BPEL process to our new server via JDeveloper’s standard BPEL deployment mechanisms. The connection appears to be working properly and passes all tests, but on uploading a process we get a Java AccessDeniedException. ESB appears to be functioning properly, and accepts uploaded projects without issue.

  Bassman,
  We recently configured our SOA Suite to use OID and SSO. We had the same issues you are having, and we found the resolutions in a blog from Jaas Poot (http://blog.jpoot.com/category/oracle-appserver/oid-ldap/). For the BPEL domain access, this involved going to the data-sources.xml file and changing the database passwords from using ->pwForOrabpel for the orabpel schema and ->pwForOraesb for the oraesb schema to the real passwords; the blog explains more about this.
  The blog also covers the JDeveloper deployment issue, and another issue we encountered, where we couldn't access the BPEL Admin console. All of these were resolved following the steps in the blog.
  Hope this helps
  Candace

• How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?

  Hi,
  How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?
  /SaiTech

  Hi SaiTech,
  Kerberos will be selected by default in an AD domain, The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM.
  Please also Note that you may have to take some other steps as well to get non-Kerberos authentication working.  Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
  Refer to:
  WINRM kerberos & Negotiate
  Authentication for Remote Connections
  In addition, you can also use Network Monitor to check the authentication method.
  If there is anything else regarding this issue, please feel free to post back.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna Wang
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Unable to access CIFS shares using SSL Web portal

  Hello,
  i have deployed Cisco Clientless Web VPN on my ASA5515.
  I'm having an issue when I try to browse a file server (access CIFS shares) from the WEB VPN portal.   I am prompted for login, and after logging in  I get the "Error contacting host" immediately. it's seem like a bug on ASA ? i saw that on Cisco Web site : bug CSCsl94183
  I already DONE those things :
  1- reload the ASA
  2- upgrade to the latest software release
  3- test different web browser ( Firefox, IE, Chrome)
  1- ASA Platform is 5515 running  latest software release (9.1.4)
  2- File  server running Windows 2008 R2
  3- Clients is using Firefox.
  4- When I establish SSL VPN connection using Cisco AnyConnect I  have no problems accessing files or folders on the same server.
  NOTE :  I have 2 other CIFS server running  Window 2003 and there is no issue.  the issue is happening ONLY  with the server running Window 2008 R2

  I've also seen this exact problem. We have several Windows 2008 R2 servers, one of our Domain controllers has been migrated to 2008 R2. I can access shares on the Windows 2008 R2 domain controller, but not a deicated (member) file share server. 

• [SOLVED] SLiM will not use thinkfinger for authentication

  As the title of the post says, I can't get SLiM to utilize thinkfinger for authentication.
  I've setup PAM to try to use thinkfinger.so first
  from /etc/pam.d/login:
  auth sufficient pam_thinkfinger.so
  auth required pam_unix.so nullok try_first_pass
  However, when I go to login via SLiM it won't prompt for the "password or swipe finger", it just asks for a password (which does work). I'm also able to use thinkfinger to authenticate sudo and su just fine... (I edited the respective pam.d/ files).
  Any one able to help?
  Last edited by Rnicholson (2008-02-17 15:35:45)

  nightmorph wrote:
  It's okay that it doesn't ask to swipe your finger. Swipe your finger anyway. You can actually edit the text prompt in your SLiM theme. It's hardcoded into each SLiM theme config file -- if you want the text to be different, you have to change it; pam_thinkfinger won't change it for you.
  I use SLiM on my laptop and it works just fine with thinkfinger. All I did was edit the appropriate config file line to say "Enter password/Scan finger". Give it a shot.
  Oh, sorry... I should have mentioned that I did try swiping my finger anyway at the "password" prompt. No dice.
  I tried turning on logging in pam.d/login and I don't see anything (in /usr/var/log/auth.log) for when I login with SLiM. I don't see any options in /etc/slim.conf about pam, just settings for xauth. So, what does SLiM use? I guess I should also mention that I installed SLiM via pacman, perhaps there is a source config option that I need? ...Cause it appears SLiM isn't using pam.
  @Sigi - Do you find that the thinkfinger-svn version is better than the 0.3 release? Is there better support, other features? I have a T61p and find 0.3 works well (obviously other than this SLiM issue I'm having; which probably unrelated).
  Last edited by Rnicholson (2008-02-11 14:12:42)

• Using useBean for authentication

  Hi,
  I am creating a login page for personalization, After the login the user can access his/her information, so in my authentication.jsp I am making all the properties available to the user. However I have the properties stored in two different beans, so I am using two useBean statements for each bean and for each of the beans properties. So when I try to compile the page I get the following error:
  jsp.error.useBean.duplicate
  Is it not allowed to use two <jsp:useBean> in the same jsp page?
  I have two databases user and education.
  snips of my code:
  <sql:query var="dbInfo">
  Select * from user, education where user_id= ? AND password =? AND user.user_id = education.userid
  <sql:param value="${param.userid}" />
  <sql:param value="${param.password}" />
  </sql:query>
  <c:set var="EducationDb" value="{dbInfo.rows[0]}" />
  <jsp:useBean id="validUser" class="EducationBean" scope="session" >
  <c:set target="${validUser}" property="userid" value="${EducationDb.userid}"
  <!-- same for the rest of the properties in the bean and database columns -->
  <c:set var="UserDb" value="${dbInfo.rows[0]}" />
  <jsp:useBean id="validUser" class="UserBean" scope="session">
  <c:set target="${validUser}" property="name" value="${UserDb.name}"/>
  <!-- same for all the other properties in the bean and database columns -->
  Thanks

  Hi,
  In my web application i have written a bean correctly,i have tried to comple it and it's ok.
  But when i use in my JSP this tag:<jsp:usebean id=" myIdBean" ....>
  <jsp:setProperty ....................../>
  </jsp:usebean>
  after run it i have a message error:jsp.error.usebean.notBoth
  If somebody can help me ?

• Using OID for authentication in APEX and PL/SQL apps

  Hi,
  One of my colleagues (much more skilled in APEX than me) has written a PL/SQL package that makes it easy to use Oracle Internet Directory (OID) groups to control access to pages and items in APEX. It assumes that you are already using Oracle Single Sign-On (which he also set up for us).
  Being a package, it's easy to use in any PL/SQL application.
  He's given me permission to add his work to my web page but prefers to remain anonymous. You can see how to do it here:
  http://www.patrickhaston.co.uk/plsql/oid_authorisation.html
  The source code is available for download.
  Hope this is useful.
  Patrick.

  Nothing new - all documented with APEX.

• Client app using WSSE for authentication, WSSEClientHandler not found

  Hi,
  I'm trying to build a stand alone java client that uses login/password to connect to a webservice using WSSE.
  I thought that
  soapProxy = proxy.getCCSoap(username,password);
  would do the job. CC is the name of the web service.
  Now I've found on http://e-docs.bea.com/wls/docs81/webserv/security.html#1073530
  that I should use WSSEClientHandler from weblogic.webservice.core.handler and UserInfo from weblogic.xml.security do get the job done.
  Problem is now that neather of these classes are included in the support Jar i've downloaded from my web service's console.
  The error I get is this:
  java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: EJB Exception: ; nested exception is:
       com.bea.wlw.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to contain UsernameToken, UsernameToken not found in the Message.
  Can somebody help me out? I'm realy stuck on this :-(
  Kristof Taveirne

  Well yeah, i've read that post.
  But I don't understand the error since the soapheader realy does contain the UsernameToken! But weblogic can't find it for some strange reason.
  This is what i get in TestXML when i look at the logs:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Header>
  <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="Id-1Sle_jmBkVTCRbF0KUXcN2BG" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>Dr_Taveirne</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ktaveirn</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </env:Header>
  <env:Body>
  <n1:getConfig xmlns:n1="http://www.openuri.org/">
  <n1:login>Dr_Taveirne</n1:login>
  </n1:getConfig>
  </env:Body>
  </env:Envelope>
  Exception
  Submitted at donderdag 7 april 2005 14.58 u. CEST
  java.rmi.RemoteException: EJB Exception: ; nested exception is:
  com.bea.wlw.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to contain UsernameToken, UsernameToken not found in the Message.
  You see? really strange behaviour if you ask me.
  Greetings,
  Kristof Taveirne

• Samba (smb) share and FSevents for Back-up

  I want to make a backup using FSevents from a mounted Samba volume to a mounted AFP volume using an OSX server.
  Is this possible?

  You can have one icloud account and a different itunes account on the phone. I have my icloud account and a shared itunes account. He does not have to use the new icloud account as is ID in itunes and app store. He can keep using the old one.

• Which clients are using my Sun One server for authentication?

  We use Sun One ver. 5.2 .
  Our LDAP clients use it for authentication.
  How can I list which clients recently used the Sun One server to authenticate?
  The reason I need that is because I want to upgrade the Sun One server and I want to notify the clients that I'm about to do it.
  Thanks.

  https://www.redhat.com/archives/fedora-directory-users/2005-September/msg00010.html
  Useful script to extract LDAP based user posixGroup memberships information
  ===
  Assuming you are using posixGroup objectclass and memberUid attribute to
  store your membership information, you may find my shell script useful
  and handy.
  It works on Solaris LDAP Client with "ldapaddent" and "ldaplist"
  commands, and works against FDS, SUN DS or OpenLDAP.
  ===
  Gary

• Issue with Authentication using JAAS for coherence

  Hi,
  I have configured security frame work using JAAS for storage enabled node,
  I am using keystore for authenticating the users, Below is the code used for authentication,
      Subject subject;
          try{ subject = Security.login(sUsername, sPassword.toCharArray()); }
          catch (Throwable t){
              subject = null;
              log("Authentication error:");
              log(t); }
          if (subject != null)
              for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); )
                  Principal principal = (Principal) iter.next();
                  log("Principal: " + principal.getName());
          Security.runAs(subject, new PrivilegedAction()
              public Object run()
                  NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                  boolean flag = true;
                  while (flag) {}
                  return null;
              });and i am calling the above class in the callback handler which is defined in coherence operation descriptor.
          <security-config>
                  <enabled system-property="tangosol.coherence.security">true</enabled>
                  <login-module-name>TestCoherence</login-module-name>
                   <access-controller>
                  <class-name>com.tangosol.net.security.DefaultController</class-name>
                          <init-params>
                          <init-param id="1">
                          <param-type>java.io.File</param-type>
                          <param-value>config/keystore.jks</param-value>
                          </init-param>
                          <init-param id="2">
                          <param-type>java.io.File</param-type>
                          <param-value>config/permissions.xml</param-value>
                          </init-param>
                          </init-params>
                   </access-controller>
                   <callback-handler>
                          <class-name>Test</class-name>
                   </callback-handler>
           </security-config>I am using the following command line parameters for bringing up the storage enabled node.
  -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
  -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
  -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
  -Dtangosol.coherence.security=trueNow till the callback handler thread is alive, storage enabled node will be up. As soon as the call back handler thread dies. Storage enabled node stops with the following error,
  Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
  at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
  at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
  at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
  at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
  at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
  at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
  at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
  at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
  at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
  at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
  at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
  at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
  at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
  at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
  Please let me know where should i pass the credentials to the default cache server for authentication or should i change the any implementation of authentication here.
  Thanks in advance,
  Bhargav

  Bhargav,
  Rather than trying to loop forever in a callback handler try this
  import com.tangosol.net.CacheFactory;
  import com.tangosol.net.DefaultCacheServer;
  import com.tangosol.net.security.Security;
  import javax.security.auth.Subject;
  import java.security.PrivilegedExceptionAction;
  public class SecureCacheServer {
      public static void main(final String[] args) throws Exception {
          LoginContext lc = new LoginContext("Coherence");
          lc.login();      
          Subject subject = lc.getSubject();
          Security.runAs(subject, new PrivilegedExceptionAction() {
              public Object run() throws Exception {
                  DefaultCacheServer.main(args);
                  return null;
  }Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
  As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
  I hope the code above compiles OK as it is a modified version of the code I really use.
  Hope this helps
  JK

• Accessing Windows CIFS Shares via Nautilus

  Hi,
  I've recently installed and configured Solaris 11, am having problems accessing Windows CIFS shares via Nautilus.
  I've installed both samba (needed for CUPS to print to printers connect to a windows pc) and smb/client. The smb/client and samba services are running. The smb/server service is not installed.
  I can print to any printer on the windows PC I'm trying to access via Nautilus, so I know my username/password for accessing the pc are correct.
  I can also manually mount any share on the windows PC via the cli (eg mount -F smfs -o user=elin //elink/users /mnt), and browse the files directly that way, except the file permisssions don't seem to align with any unix user. Again this just shows that the username/password combination is ok.
  For Samba, I'm using the default smb.conf file as /etc/samba/samba.conf. Workgroup is set to WORKGROUP in smb.conf.
  On the Windows pc, in the security event viewer, I can see the auth request, however is failing with bad password (event ID 4776, error code 0x006a). In the default group policy object for networking, I've set to accept "LM & NT, NTLMv2 when neogiatated", as this allows legacy clients to connect. (Legacy meaning NT4, Win95, etc, and also has the benefit of allowing other OSes to connect as well).
  I'm also able to access the WIndows PC CIFS shares from an Arch Linux based setup (running GNOME 3.2 w/ Nautilus 3.2), so I doubt it's the Windows side of things causing the problems. Additionally, when I was running Solaris 10u9 (just before upgrading to Sol11), I was able to access the shares via Nautilus as well.
  So my question is:
  1. Does Nautilus use Samba or the Oracle smb/client service to handle mount windows CIFS shares?
  2. What log files or configuration files do I need to looking at to help with this error?
  As a side question,
  I've found that on a clean installation running the "Print Manager" accesses CUPS fine, but once you install a printer, it'll no longer connect to CUPS, unless run from the cli "sudo system-config-printers". So this is a permissions issue, where's the best place to fix/handle that one.

  Replying to my own thread, as I have a possible but very-hackish solution.
  To add some further details to my original post.
  There are 4 PCs on the LAN.
  1. Hellfire - OS = Solaris 11 11/11
  2. Brimstone - OS = Arch Linux
  3. Elink - OS = Win7 Pro x64 SP1
  4. IsaacPC - OS = WinXP Home SP3
  Attempting to connect to Elink from Hellfire, accessing CIFS shares via Nautulis fails. (Mounting shares via Nautulis fails, but works fine from CLI using 'mount' command which to my understanding uses the smb/client service to work). Elink also hosts all the printers on the LAN, a HP LJ1200 and an Epson Fax/Printer/Scanner.
  Helfire does attempt to authenticate, as listed in the event logs on the Win7 PC (elink), but is returning bad password when using Nautulis. (but printing from hellfire to either printer on elink works fine, as does mounting CIFS shares using 'mount').
  Booting the live CD of Solaris 11, also exhibits the same non-working behaviour when attempting to mount CIFS shares in Nautulis.
  Attempting to access CIFS shares on elink from Brimstone (via Nautulis 3.2 within GNOME 3.2), or from IsaacPC works fine.
  Hellfire configuration.
  Samba is installed, but NOT running (samba is needed for accessing the printers on elink, as CUPS needs smbspool which is part of the samba package), and the native smb/client service is also running.
  smb.conf is a direct copy of the default *.conf file, except the WORKGROUP is set to 'WORKGORUP'. There is a symlink to smb.conf in /etc/sfw/smb.conf -> /etc/samba/smb.conf
  Onto the hackish-fix.
  I've noticed that there are 2 copies of libsmbclient.so installed on the system, one in /usr/sfw/lib (part of the "libsmbclient" package) and another in /usr/lib/samba (part of the "samba" package).
  "libsmbclient" appears to be based on samba 3.5.8 codebase, and is linked to the gvfsd-smb daemon (this is the software that Nautulis uses to talk SMB to access CIFS shares).
  "samba" is based on the samba 3.5.10 codebase, and it's installation has nothing to do with GNOME or Nautulis in any manner.
  Using any of the samba included tools to test SMB/CIFS functions, work with 1 minor exception (which I'll list below). eg, using smbclient I can list all shares on any PC on the LAN, etc.
  So as a hunch, I renamed the libsmbclient.so.0 in /usr/sfw/lib, and symlinked /usr/sfw/lib/libsmbclient.so.0 -> /usr/lib/samba/libsmbclient.so.0 (so that gvfsd-smb is linked against the slightly newer version of the libsmbclient.so as included in the samba package located in /usr/lib/samba).
  I rebooted Hellfire, and now I'm able to access CIFS shares via Nautulis, provided that some form of authentication is needed (that is a username and password is needed - guest access and blanks passwords don't work - but these IMO should be disabled immediately as part of a baseline security package in regards to Windows - so no harm there).
  Now to the minor exception I noted earlier. When using smbclient to actually connect and transfer files, I get:
  ld.so.1: smbclient: fatal: relocation error: file /usr/lib/libreadline.so.5: symbol tgetent: referenced symbol not found
  As far as I know, tgetent is part of libtermcap.so, so I guess when building smbclient or libreadline.so, the link reference to termcap was left out? (or something like that). Anyway, that's another issue...

• Install Sun ONE Directory Server 5,2 & how to use it for authenticate user

  Good afternoon, Excuse, are newbie in the scope I am learning and putting desire to him, this in my situation I am trying to install Sun ONE Directory Server 5,2 since I understand that this it is application LDAP for Solaris, ok I want to install it to authenticate user against the system, that is to say, to be able to acces the server entering with a created user from the data base of LDAP and make think user that his created in the system. But the documentation that I finds indicates the installation of Sun ONE Directory Server 5,2 but it not clearly about how to use it for authentication. Some one have any manual step by step of Sun ONE Directory Server 5,2 installation and how to make it for authentication systems users.
  I read the forum seeking for anwser and i get confuse
  Thanks for the help and sorry for any inconvenient
  Message was edited by:
  Aku_28
  Message was edited by:
  Aku_28

  I think that I found the Sun endorsed book locations for using LDAP accounts that don't use authentication besides "crypt". I now can use an account with a "ssha" password. It can be more than 8 characters long.
  Chapter 14 System Administration Guide: Naming and Directory Services
  Read page 201 which is the pam.conf file pam_ldap setups. I edited my "/etc/pam.conf" file to reflect this
  Chapter 7 Directory Server 5.2 2005Q4 - Administration Guide
  Read page 316-318 which has a graphical technique to specify password syntax. I set it up and then tried the password by running "su - brahms". It now requires a longer password than 8 characters and it is set up to use "ssha" for that UID entry "brahms".

• Best way for authentication?

  Hello,
  I'm running Oracle 10g Standard on a linux server and I would like to change the authentication method. The server is in an Active Directory. So users who are allowed to access the server can login using their domain account.
  Until now additionally they all have an oracle user account with its own password. I'd like to change oracle to use their domain account from Active Directory for login.
  I've experimented with the external login using user accounts created by
  CREATE USER ops$alex IDENTIFIED EXTERNALLY;
  So users logged in to the server can log in to oracle using the same account. But I want to allow remote users to login to oracle using the domain account that is verified externally by the operating system.
  There is a parameter remote_os_authent I could set to true and try, but documentation advises not to do this for security issues.
  We don't have the Oracle Advanced Security Option, so it's not possible for us to use kerberos for authentication.
  Is there any other way I can do to setup oracle authenticate domain users (by operating system)?

  Thank you very much. I've read the globally part and tried to create a user identified globally with complete ldap cn and dc names but I get
  ORA-00439: feature not enabled: Enterprise User Security
  So is there still any option available to use ldap Active Directory users with Oracle Standard 10g without oracle advanced security option? Or am I stuck with local users?