Sgd + ldap auth + ssh and numeric usernames

Hi there, sorry if there is a well known answer to my problem, bu tI have not found it.
anyway, We have a problem where our customer wants to use purelly numeric usernames to logg in to secure global desktop
From the point of secure global desktop we don't have any problems with this, the problem happens later on with the ssh to solaris (which is set up with ldap authentication) in that I have not been able to get purely numerical logins to work with solaris pam_ldap. Now some of you think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
My question is simple, can SGD use a "different" username taken from ldap after it has logged in the user instead of the username tha tthe user provided.
ex.
the user loggs in to SGD with the username 173651
when starting the application , instead of logging in to the application server (via ssh) with username 173651 it should take an other field from ldap that holds the solaris username.
thanks for any answers and hints.

Sorry, but you missunderstood my question a bit :-)
What you suggest is a way for the users to type in an other username after logged in to Secure Global desktop, tha tis now what we want
We want this to be done automaticly for us.
First we have changed a bit how the login procedure works, when the user surfs to the SGD server they will not be presented with any choices, they wil be presented with a single login screen, when they have logged in SGD will automaticly start our application.
the problem we have is that we want to use only digits as the login name in SGD, but unforutunally Solaris have some problems with using digits alone in usernames (and especially usernames longer then 8 characters)
so I was hoping that SGD could read from LDAP (we are using LDAP user store, not UNIX) another value that it would use to login to the app server thorugh SSH
for example, when logging in to SGD it loggs in towards the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
If this cannot be done in Secure global Desktop, I think we will look at using a third party authenticator that can do what we want (hopefully OpenSSO can do this)

Similar Messages

  • SSH local database username and password not working

    I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
    On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
    Site-ASA# sh run | in ssh
    aaa authentication ssh console SERVER_RADIUS LOCAL
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    ssh version 2
    Site-ASA# sh run | in aaa
    aaa-server SERVER_RADIUS protocol radius
    aaa-server SERVER_RADIUS (inside) host 10.0.0.6
    aaa authentication ssh console SERVER_RADIUS LOCAL
    aaa authentication http console SERVER_RADIUS LOCAL
    Site-ASA#
    If there are any other config that would help I would be more than happy to display them
    Thanks!

    Thanks for the reply. I was just coming in to update this because you are exactly correct. For some reason I kept thinking that if the authentication failed via RADIUS it would use local which is not the case.
    Problem (or no problem) resolved.

  • Tell me about LDAP Monitor Constitution Page's username and password

    Hi! all
    Now target LDAP is stoping on Grid Console(on AS Console is start) and I discovered couse(Metric Collection Error ORA-0107:invalid user name/password;login denided).
    I was updated user name and password(cn=orcladmin/[ias_admin's password]) on
    LDAP Monitor Cobstitution Page .
    But LDAP status was not changed.
    Tell me about LDAP Monitor Constitution Page's username and password.

    Thanks mnazim!
    But I can't clarify username/password,cause this parameter setting is originally needless(It is set automatically by a grid).
    On this account I tested the following, but was no use.
    - orcladmin/[ias_admin password]
    - cn=orcladmin/[ias_admin password]
    - cn=oracle admin,cn=oracle internet directory/welcome
    - cn=oracle admin,cn=oracle internet directory/[ias_admin password]
    I do not understand a user and a password to be related to other LDAP.
    Do not you know it?

  • Ldap test tool and auth failing after upgrade to 11gR2

    Hi All,
    We have recently upgraded our apex database from 10.2.0.3.0 to 11.2.0.2.0 using apex 3.2. We have been able to confirm that all apex applications work as expected apart from the apex ldap utility. The tool returns "Authentication failed!" even though the ldap server port and DN string have not changed from previously. We can confirm that ldap bind works as well as using the sql directly through the database.
    Has anyone come accross any problems with something similar?
    Thanks in advance,
    Brett

    Got it resolved. Since we are using a custom LDAP application we had to run the script not only for the DB account APEX_030200 but also the DB Account that is associated with the workspace containing the custom application or package.

  • LDAP Auth Error ccmuser web access

    Hi,
    I have a CUCM v9.1 with an issue for access to the ccmuser web page using the AD Credentials, I've configured the LDAP Auth in the CUCM with no error messages and also the web access for my users like this:
    When I access the site http://cucm_ip_add/ccmuser first I get this message:
    After that I try to log into to the web page but I get this error:
    I have no issues importing the users, the problem is with the authentication.
    I've checked the ldap port and I'm not using global catalog so the correct one is 389 (tried 3268 and I got an error message from the cucm ldap authentication config page).
    Any ideas guys??
    Thanks in advance.

    One commone one is that CUCM treats the username field as case sensitive. Does it have any upper case characters? You can see this within /ccmadmin under End User Configuration.
    If that's not it, either a Wireshark of the LDAP bind or a stare/compare between your sync agreement and the auth config to see why one can get the user object but the other cannot bind as that person.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • ASDM Access and local username/PW

    Ok, I happened upon this today and thought it was a bit weird. We have a pair of ASA5520 as our primary firewalls.
    We are using EasyVPN,and the usernames authenticate via the local username / PW configured on the firewall. All of these usernames have Privilege 0, however, these usernames are able to log into the firewall via SSH, AND when I use one of them to log into ASDM, they can go in and make config changes. I don't like that.I'm sure you can see why... How do I make it so that only my level 15 priv username can get logged in via ASDM? I've looked into AAA command authorization, but I don't see how that would apply to ASDM access.
    Firewall setup:
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    username user password password priv 15
    username user1 password password1 priv 0
    username user2 password password2 priv 0
    username user3 password password3 priv 0

    To achieve this you need to enable authorization.
    aaa authorization command LOCAL
    Let me know if you have any questions.
    Regards,
    ~JG
    Do rate helpful posts

  • LDAP Auth Rewrite Rule in Mapping file

    Hi,
    We are trying to set LDAP Auth Rewrite rule in mapping file to get users First Name & Last Name or Display name & Mail Address from LDAP Server instead of users individual client settings.
    In Messaging 5.2 we had the follwoing setting, but it does not work any more for Messaging 6.2:
    LDAP Auth Rewrite Entry in mapping file:
    AUTH_REWRITE
    *|*|*|*@* $]ldap:///dir1.domain.com:389/o=domain.com?cn?sub?(uid=$3)[$ <$]ldap:///dir1.domain.com:389/o=domain.com?mail?sub?(uid=$3)[>$Z
    We are running:
    Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
    libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
    SunOS mta 5.10 Generic_118833-03 sun4u sparc SUNW,Sun-Fire-V240
    ll appreciate for any help or clue
    Thanks

    Thanks Jay,
    Well, here is what we want to achieve.
    We are looking for re-writing the FROM address of Sender against the LDAP Entry as cn <[email protected]>. This should solve problem of where users have entered wrong FROM information on their clients or trying to spoof FROM address to other users.
    Currently, The system delivers e-mail with FROM headers as per client entry instead of re-writing it against AUTHENTICATED userid.
    Following is the IMTA.CNF and MAPPINGS lines:
    IMTA.CNF
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 3 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto
    $U+$S@$D
    ! tcp_local
    tcp_local smtp mx single_sys remotehost inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver
    maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 mailfromdnsverify dropblank vrfyhide
    ! tcp_intranet
    tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel sasls
    witchchannel tcp_auth missingrecipientpolicy 4 mailfromdnsverify dropblank vrfyhide
    ! tcp_extranet
    tcp_extranet smtp mx single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL mustsaslserver allowswitchchannel saslswitchcha
    nnel tcp_auth vrfyhide dropblank mailfromdnsverify dropblank missingrecipientpolicy 4
    ! tcp_submit
    tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4
    ! tcp_auth
    tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4 authrewrite 3
    MAPPINGS file
    AUTH_REWRITE
    *|*|*|*@* $]ldap:///dir.domain.edu:389/o=domain.edu,dc=domain,dc=edu?cn?sub?(uid=$3)[$ <$]ldap:///dir.domain.edu:389
    /o=domain.edu,dc=domain,dc=edu?mail?sub?(uid=$3)[>$Z
    Thanks for your help

  • LDAP auth & limit logins per host

    I'm using LDAP auth. using ldapclient init to setup the ldap auth. Have a SunOne LDAP server.
    I'm interested in doing auth filters - like what Linux does with PAM. I've got PAM_LDAP to work, but since Sun does not use the OpenLDAP convention of /etc/ldap.conf - I can't setup the nss_user filters in there or nss_base_passwd dc=....
    does anyone know how to do this in Solaris? Can I enter something into the ldap_cred file? I tried to do a serviceSearchDescriptor and put passwd:dc=x,dc=y?one?(|(uid=x)(uid=y)) in the ldapCredFile but that gave me a search filter error
    I really do not want to use NetGroups.
    Thanks in advance. I have seem a few posts for this questions but no real answers.
    I can't believe that there is no way to do this...

    I actually was able to solve my problem. What I did was the following
    in my profile setup in the LDAP server I set
    servieSearchDescriptor: passwd:dc=x,dc=y,dc=x?sub?|(attribute1=value)(attribute2=value)
    This makes the password lookup look for the user only if a subsearch (sub) matches the attributes above.
    For example - I could limit logins to only the people who have a shell=/bin/bash by saying ...sub?|(loginShell=/bin/bash)(loginShell=/usr/bin/bash)
    I would also want to make a similar serviceSearchDescriptor line for shadow. So I would have two of these in my Profile on the LDAP server , one with passwd: and one with shadow:

  • ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

    Greetings!
    I've recentely set up a VPN between Cisco ASA 5540(8.4) ana 5505(8.3).
    Everything works fine, but there is a small problem that is really annoying me.
    From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
    Then I minimize ssh and rdp windows and don't use it for ten minutes. But I still use VPN for downloading some files.
    Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
    There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
    What can I do to get rid of this problem?
    Thanks in advance.

    Dear Fedor,
    You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
    class-map TCP_TIMEOUT
          match access-list rdp_ssh
    policy-map global_policy
         class TCP_TIMEOUT
              set connection timeout idle 0:30:00
              set connection timeout half 0:30:00
    * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
    Let me know.
    Portu.
    Please rate any post you find useful.

  • Problem with ssh and bash-completion

    I and a co-worker are having a weird problem with ssh and bash-completion. We have a local config in .ssh/config with hosts we connect everyday. An example:
    host foo
    hostname foo.org
    user foobar
    host foobar
    hostname foobar.org
    user foobar
    When we try to type
    ssh foo<tab><tab>b<tab>
    the console just freeze and we can't type anything, everything we type is ignored, but after about 30 seconds the host is completed.
    This works a some time ago, so some upgrade make this happen. Anyone can reproduce this?

    quigybo wrote:
    Actually thinking about it, rather than using the semi-dodgy fix posted on the bug tracker, we can just test if the daemon is running since we are not on MacOS X. It is cleaner and 250 ms quicker.
    --- bash_completion.orig 2010-09-14 05:33:22.000000000 +0930
    +++ bash_completion 2010-09-14 05:45:04.000000000 +0930
    @@ -1316,10 +1316,12 @@
    # contains ";", it may mistify the result. But on Gentoo (at least),
    # -k isn't available (even if mentioned in the manpage), so...
    if type avahi-browse >&/dev/null; then
    - COMPREPLY=( "${COMPREPLY[@]}" $( \
    - compgen -P "$prefix$user" -S "$suffix" -W \
    - "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    - awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + if [ -n "$(pidof avahi-daemon)" ]; then
    + COMPREPLY=( "${COMPREPLY[@]}" $( \
    + compgen -P "$prefix$user" -S "$suffix" -W \
    + "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    + awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + fi
    fi
    # Add results of normal hostname completion, unless
    This is the same test as was used in bash-completion 1.1.
    Thanks  quigybo, I use your patch, the issue is gone
    Why does so many packages depends on Avahi? Maybe make it optdepends is
    enough?
    my laptop $ pacman -Qi avahi
    Required By : gnome-disk-utility gnome-vfs libcups mpd sane

  • Lion server on Mac mini server stop responding to ssh and VNC (other services like mail, ical works well)

    Lion server on Mac mini server stop responding to ssh and VNC (other services like mail, ical works well)
    Version is Lion server 10.7.4
    When I attach a monitor to it, I saw all the buttons and menus stopped responding too. I can only push and hold the power button on the box to shutdown.
    It only started happening recently.
    Anyone has any clue?
    Thanks for the help in advance!!!

    Found that the second hard drive is broken. I have to go to the apple store to have it replaced.
    I had to press the power button to turn the server off for several times, then the broken hard drive went disappeared. After that, I had to disable the Spotlight. Then the server went back to work normally.
    Now I made a CCC copy of the primary hard drive, and would like to have the server run on the external raid disk (connected through thunderbolt). Does anyone have previous experience with it? Any expectable drawback or issue with this setup?

  • Displaying a fraction with a horizontal bar between the denominator and numerator

    Hello guys
    I have a dynamic textfield and am going to display textual content in it dynamically.
    But I have a fraction in that textual part and I want to display that fraction as a "typical fraction with a horizontal bar between the denominator and numerator". Hope you understand what I am asking.
    Please look at the attached image.
    Thanks for your input.
    cheers

    @dmennenoh
    Thanks for your input.
    So its kind of superimposing Sprite or MovieClip that has a fraction.Basically I have to make two textfields and put them together over a horizontal bar so that it looks like a fraction and then place it over a big textfield where the fraction should be.
    Its a very long process.
    OMG, isn't there any other easy way to do this?

  • Port forwarding, NAT, SSH and Transmission.

    A couple of days ago I decided to setup the Transmission daemon, along with automatization for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables work yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seems to come in twenty-fold where my luck is concerned), is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the ip address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpdcd assigned the same address... The problem here being that it shouldn't assign a LAN-address, I'm directly connected to the internet. Sidenote here though; my internet connection is just a plug in the wall, the operators here (I live on a kind of campus), probably only use a network-switch to relay the traffic to the socket.
    That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port-forwarding for SSH (to test if the port forwarding works), and the Transmission daemon with an rcmp port of 9091., which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work, I just used localhost:9091.
    Now for the results:
    $ nmap -sT xx.xxx.xx.xx
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
    Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Host is up (0.038s latency).
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp filtered ssh
    53/tcp open domain
    80/tcp open http
    9091/tcp filtered unknown
    Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
    SSH shows the true problem:
    $ ssh neal@xxxxxxxx
    ssh: connect to host xxxxxxxx port 22: Connection timed out
    SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
    My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
    TLDR version; I'm using port-forwarding on my Sitecom WL-607, but all ports except http and the 53 port are being blocked.
    Is there something I'm missing here?
    Thanks in advance,
    Neal van Veen.

    by default, all routers assign there clients an ip address from there internal pool of addresses, your wireless router is assigning you that address and then NAT's the connection with the WAN side, but even after directly plugging in to the wall socket you still dont get a new ip address, use dhcpcd <mydev> in terminal to reresh dhcp lease. if not then your campus/location/etc may also be using NAT on there own side.
    as for the ports, iptables doesnt block any traffic by default, it allows everything. if there is filtering, it is from your wireless router.
    on the above ssh and nmap scans, did u use your lan ip, or your public ip.

  • How dome change my password for my computer and my username apparently it changed because i was moving things from my old mac

    How dome change my password for my computer and my username apparently it changed because i was moving things from my old mac

    If your forgot the administrative PW for the computer reset the PW
    OS X: Changing or resetting an account password
      OS X Lion>: How to Easily Reset the Administrator Password

Maybe you are looking for