ShadowAccount and LDAP logins

I'm trying to consolidate logins across various systems, including a Solaris 10 box. One of the things I've discovered here is that Solaris' LDAP authentication requires the shadowAccount object class to be bound to an account for lookups to succeed. Solaris is the only system that requires this.
I've looked all over the place but can't find any details about this requirement, or more importantly, how to disable it. I'm not interested in managing shadowAccount attributes for this project and would like to eliminate the dependency if possible.
Anybody know if this is possible, or how to do it?
Thanks

If you switch to the OpenLDAP client then you don't need to use the shadow account. OpenLDAP also has host-based authentication so you can limit users to which boxes they can log in to.
I think if you stay with the native Solaris LDAP then you are stuck with the shadow account.
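A small check that a directory administrator can run before pointing a Solaris native LDAP client at the tree, written as an added example for this thread (it is not code from either poster). It parses user entries in LDIF, reports which posixAccount entries lack the shadowAccount object class the question describes as required, and emits the LDIF modification that adds it. The two entries below are constructed samples; the only schema fact relied on is that RFC 2307 makes uid the sole MUST attribute of shadowAccount, so adding the object class alone keeps an existing posixAccount schema-valid.

```python
"""Find posixAccount entries that lack shadowAccount and build the LDIF that
adds it.  Added example for the shadowAccount thread; the sample entries are
constructed, not taken from any poster's directory."""
from typing import Dict, List

# Constructed sample LDIF: alice already carries shadowAccount, bob does not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/sh

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/bob
loginShell: /bin/sh
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simple LDIF (plain values, no base64, no folded lines) into a
    list of entries; each entry maps an attribute name to its values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_shadow_account(entry: Dict[str, List[str]]) -> bool:
    """True when the entry is a posixAccount without shadowAccount, i.e. an
    account the Solaris native client would fail to resolve."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "posixaccount" in classes and "shadowaccount" not in classes


def dns_missing_shadow_account(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs of every entry that needs the object class added."""
    return [e["dn"][0] for e in entries if missing_shadow_account(e)]


def shadow_fixup_ldif(entries: List[Dict[str, List[str]]]) -> str:
    """Build a 'changetype: modify' LDIF that adds objectClass: shadowAccount
    to each affected entry.  Because RFC 2307 requires only uid for
    shadowAccount, and posixAccount already provides uid, no further
    attributes are needed for the entry to stay schema-valid."""
    chunks = []
    for dn in dns_missing_shadow_account(entries):
        chunks.append(
            "dn: %s\nchangetype: modify\nadd: objectClass\n"
            "objectClass: shadowAccount\n-\n" % dn
        )
    return "\n".join(chunks)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("needs shadowAccount:", dns_missing_shadow_account(parsed))
    print(shadow_fixup_ldif(parsed))
```

The generated LDIF can be fed to ldapmodify against a test copy of the tree first; the script deliberately adds nothing but the object class, so no shadow* values need to be managed, which is the poster's concern.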

Similar Messages

  • Profile server and ldap server login

    To enable my portal to have anonymous login and skip the login menu, from the admin console, I've added "Membership" and "Ldap" under the interactive mode section. This is to allow Ldap or Membership authentication methods enabled at the anonymous page. I tried to use the default login channel to log into the portal using LDAP authentication, but it doesn't work. I can log into the portal via the login channel using the "Membership" authentication method. But somehow I have no idea how to "integrate" my membership (profile) authentication with Ldap authentication. (Syncs between profile server and LDAP Server for user name and password). Anyone out there have any idea what went wrong here? Thanks a lot.

    The sp3a release notes show how you can modify the login channel to work with other authentication modules.
    The sample given is for Unix authentication; to make that sample work for LDAP authentication, take a copy of that sample:
    cp display_iwtAuthUnix.html display_iwtAuthLdap.html
    Now look for the form action and replace the form action from /login/Unix to /login/Ldap, then follow the instructions given in the sp3a release notes, replace unix with ldap everywhere and it should work.

  • Best Practice in maintaining multiple apps and user logins

    Hi,
    My company is just starting to use APEX, and none of us (the developers) have worked on this before either. It is greatly appreciated if we can get some help here.
    We have developed quite a few applications in the same workspace. Now, we are going to set up UAT and PRD environments and are also trying to understand what the best practice is to maintain multiple apps and user logins.
    Many of you have already worked in an APEX environment for some time, can you please provide some input?
    Should we create multiple apps (projects) for one department or should we create one app for one department?
    Currently we have created multiple apps for one department, but, we are not sure if a user can login once and be able to access to all the authenticated apps.
    Thank you,
    LC

    LC,
    I am not sure how much of this applies to your situation - but I will share what I have done.
    I built a single 700+ page application for my department - other areas create separate smaller applications.
    The approach I chose is flexible enough to accommodate both.
    I built a separate access control application (Control) in its own schema.
    We use database authentication for this app - an Oracle account is required.
    We prefer to use LDAP for authentication for the user applications.
    For users for whom LDAP is not an option - an encrypted password is stored - reset via email.
    We use position based security - privileges are based on job functions.
    We have applications, applications have roles, roles have access to components (tabs, buttons, unmasked card numbers, etc.)
    We have positions that are granted application roles - they inherit access to the role components.
    Users have a name, a login, a position, and a site.
    We have users on both the East Coast and the West Coast, we use the site in a sys_context
    and views to emulate VPD. We also use the role components, sys_contexts and views to mask/unmask
    card numbers without rewriting the dependent objects (queries, reports, views, etc.)
    The position based security has worked well, when someone moves,
    we change the position they are assigned to and they immediately have the privileges they need.
    If you are interested I can provide more detail.
    Bill

  • Issue with LDAP login authentication in CMC console

    We have an existing issue with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC Console.
    We use WebSphere as the application server and it is installed on the same machine (Solaris) as BOE.
    We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
    Both environments have configured LDAP over SSL and we can log in to BOE Infoview Reports with LDAP and we can map groups and users if we log in to CMC, but we cannot log in to CMC with secLDAP.
    The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
    Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
    Any ideas are much appreciated
    Thank you

    The CMC in XIR2 used COM components for the SSL (rather than Java like Infoview) and I'm betting the WAS deployment is not finding them. Is WAS on a separate server or is BOE installed there as well?
    I'm not familiar with any regular fixes for an issue like this. If no other replies, I'd recommend opening a case with either deployment (WAS on "nix") or authentication (WAS on Windows) to see if they can trace down the problem.
    Regards,
    Tim

  • I'm getting a ServletException and cannot login on iPortal anymore. What's going on ?

    Hi!
    Yesterday my iPortal installation was working fine, but today it just crashed. The gateway doesn't start and all logins say I must have a portal profile. Including the portal admin.
    I've checked the profile with an LDAP browser and "Authentication requires an iPortal Profile" is false....
    This is the exception I'm getting in iwtGateway:
    GWNSSInit: NSSInit initialization done successfully
    5/17/02 11:11:48 AM WEST: Thread[main,5,main]
    Can not get Session SID = 95pwurnjxtaggmfkmkhfjiq580991rs8rn3@[email protected]ar.cg@8080@/ibqnsbar.cg
    com.iplanet.portalserver.session.SessionException: Invalid session ID 95pwurnjxtaggmfkmkhfjiq580991rs8rn3@[email protected]@8080@/ibqnsbar.cg
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at com.iplanet.portalserver.session.SessionException.<init>(SessionException.java:30)
    at com.iplanet.portalserver.session.Session.refresh(Session.java:682)
    at com.iplanet.portalserver.session.Session.getSession(Session.java:442)
    at com.iplanet.portalserver.gwutils.PropertiesProfile.createDefault(PropertiesProfile.java:42)
    at com.iplanet.portalserver.gateway.eprox.EProxy.<clinit>(EProxy.java:39
    What's going on ? I'm using a trial version. Has it expired ? I've installed it about 1 month ago.
    I've checked everything. The LDAP is accessible, and the files in /etc/opt/SUNWips/cert/ seem to be OK. It's all installed on the same machine, and it was working before.
    Please help... the only thing I can think of now is reinstalling the portal.

    Are you able to directly log into the portal admin console or into the portal without going through the gateway ?

  • 10.7 LDAP login

    10.7 LDAP login shows all workgroups. It should only show the PrimaryGroup. How do I fix?

    Curious...
    Are you working with ROOT enabled or selected in Directory Utility?
    Your LDAP server, what is it? OS etc. Lion?
    What happens when you use ldapsearch? From the Lion terminal? From another client terminal? Using Directory Utility?
    Does the Lion client find the user's DN but not drop and then reconnect using the DN?
    Can the logged in user access any other services on the network?
    Do they access
    Are you using mixed authentication methods?
    What is the relationship LDAP has with these if any? (Kerberos authentication of LDAP clients, LDAP Auth supporting kerberos, etc.?)
    I think we have a very simple fix but need to know more...
    Thanks

  • Guest Server and LDAPS

    I've recently setup our NAC Guest Server and cannot get Secure LDAP to work. The config guide says you can use ldap://server or ldaps://server. When I use ldap://server it works but doesn't when I change it to ldaps. Our LDAP server has a Verisign cert. Any ideas?
    Thanks,
    -Dusty

    I've some (very) basic questions.
    Let's say guest vlan = x
    1) vlan x should be created on the foreign controllers as on the anchor controller, with the same properties
    2) on the anchor controller a dynamic interface has to be created acting as default gateway for the guest clients.
    3) it's advised to place the guest server in the guest vlan? E.g. somewhere in the server farm?
    4) Once traffic coming from the guests has arrived at the anchor controller (I know too little about WLC ;)), will it be forwarded with the IP of the anchor controller as source IP towards the anchor default gateway (firewall or internet router)?
    5) authentication: the user connects to the guest SSID and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is, and pushed via WCS. So the Guest NAC server has nothing to do with this page? Correct?
    The anchor controller polls the NAC guest server with the given credentials. The anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated, the guest can browse. Probably on a regular basis, the anchor controller will poll the NAC guest in order to check if he's still authenticated and, if enabled, pass information to the NAC guest for accounting. Is this somehow ok?
    I've found to open the following ports in the firewall:
    UDP 97 for EoIP
    UDP 16666 for intercontroller traffic
    and 1812/1813 for Radius.
    Thanks in advance

  • LDAP Login Help

    I am having a problem here and hope someone is able to help me out - I am banging my head against a wall.
    I am trying to connect my Mac against an LDAP server. The server seems to run fine, and authenticates several Linux boxes. So I assume it's a Mac configuration issue. I configured the Mac to use RFC 2307 mapping and the listing under "Directory Servers" states "responding normally".
    On the Mac I can do an ldapsearch and query the user records, I can even do an su -l and change to the LDAP user once I am logged in as a local user, but the main login window doesn't take the exact same user/password combo. The LDAP logs show that the record for the user was found, though, but the logs look different from the su -l attempt. The system and secure log on the Mac don't show anything related to the LDAP login attempts when using the login window....
    This is the LDAP log when authenticating using the login window
    Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SRCH base="ou=People,dc=pbd,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=tuser))(|(cn=tuser))))"
    Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SRCH attr=homeDirectory userPassword gidNumber cn uid cn uidNumber loginShell _guest external uid cn
    Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=29 ABANDON msg=29
    Do you have ANY idea what is going on?
    Thanks a lot!!!
    Maik

    I've got the same issue on my Leopard test machines. I've also posted on AFP548 today. So far 12 views and no replies.
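When a client-side login fails but the directory is reachable, the slapd access log is the one place that shows what the client actually asked for. The following is an added example (not code from either poster) that groups slapd log lines by conn/op, pulls the object classes out of the search filter, records how many entries came back, and flags whether the operation was abandoned and whether userPassword was requested. The sample lines are the ones quoted above; reading them this way shows that the login-window search did match exactly one entry (nentries=1), so the lookup itself is not what failed.

```python
"""Group slapd access-log lines by connection/operation and summarise each
search.  Added example for the LDAP login thread; SLAPD_LOG reproduces the
lines the poster quoted."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SLAPD_LOG = """\
Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SRCH base="ou=People,dc=pbd,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=tuser))(|(cn=tuser))))"
Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SRCH attr=homeDirectory userPassword gidNumber cn uid cn uidNumber loginShell _guest external uid cn
Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 12 14:23:35 www1 slapd[25222]: conn=3 op=29 ABANDON msg=29
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
# key=value pairs; quoted values (base, filter) are consumed whole so the
# '=' characters inside an LDAP filter do not split the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_slapd_log(text: str) -> Dict[Tuple[int, int], dict]:
    """Merge the SRCH, SRCH attr, SEARCH RESULT and ABANDON lines of each
    (conn, op) pair into one record."""
    ops: Dict[Tuple[int, int], dict] = defaultdict(dict)
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        rec = ops[(int(conn), int(op))]
        if rest.startswith("SRCH attr="):
            rec["attrs"] = rest[len("SRCH attr="):].split()
        elif rest.startswith("SRCH ") or rest.startswith("SEARCH RESULT"):
            rec.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
        elif rest.startswith("ABANDON"):
            rec["abandoned"] = True
    return dict(ops)


def filter_object_classes(filt: str) -> List[str]:
    """Object class names named in an LDAP filter, in order of appearance."""
    return re.findall(r"objectClass=([A-Za-z0-9]+)", filt)


def summarize(ops: Dict[Tuple[int, int], dict]) -> Dict[Tuple[int, int], dict]:
    """Per-operation view a troubleshooter cares about: which object classes
    the client filtered on, how many entries matched, whether the password
    attribute was requested, and whether the op was abandoned."""
    out = {}
    for key, rec in sorted(ops.items()):
        out[key] = {
            "classes": filter_object_classes(rec.get("filter", "")),
            "entries": int(rec["nentries"]) if "nentries" in rec else None,
            "requests_password": "userPassword" in rec.get("attrs", []),
            "abandoned": rec.get("abandoned", False),
        }
    return out


if __name__ == "__main__":
    for key, info in summarize(parse_slapd_log(SLAPD_LOG)).items():
        print("conn=%d op=%d" % key, info)
```

The requests_password flag is worth watching in general: a client that reads userPassword over the wire, rather than binding as the user, is doing its own password comparison, which is one of the things that makes the login-window path behave differently from a bind-based su -l.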

  • Forte Classic and LDAP

    Greetings,
    I am in the process of assessing the amount of effort to have a Forte
    application interface with Netscape's Directory Server. I know that the
    Directory Server has a C SDK so a wrapper is possible. Has anyone else
    attempted this using a C wrapper or otherwise?
    Thanks in advance,
    Phil

    We have used the Netscape Directory SDK for C Version 3.0 and have written
    and compiled some Digital Unix C code that calls out to the Netscape LDAP
    shared library. We then built a Forte wrapper around this code and can now
    call out from Forte to LDAP and get authentication results back etc.
    It was however, something of a mission to get Forte on Digital Unix 4
    working with the Netscape code:
    Netscape Unix Library is only 32 bit. Forte itself is compiled using 64 bit
    option so the runtime loader cannot link ftexec to Netscape code without
    crashing. So I have altered the way forte compiles partitions / libraries
    on our Unix node using the -taso flag - so now its all running in 32 bit
    address space - but only if we don't use ftexec to run the app. So I'm
    compiling my C code, the forte library and the forte partition as 32 bit.
    Cheers Dave.
    At 04:06 PM 11/19/99 +0100, you wrote:
    We built a Forté wrapper for a C API that implements the interface for an
    LDAP client.
    We downloaded the documentation about the LDAP C API from the Internet Engineering
    Task Force and the LDAP libraries from the University of Michigan.
    We used the document RFC 1823, which is now considered obsolete, but the LDAP
    libraries delivered by the University of Michigan were built using this
    standard.
    Feel free to contact me if you need some more information.
    Hope this helps.
    Cheers, Max.
    Massimiliano Delsante
    O.T. Consulting S.r.l - www.otconsulting.com
    Via della Previdenza Sociale N° 11 - 42100 - Reggio Emilia
    Tel. +39 0522 271550 - Fax +39 0522 230710
    -----Original Message-----
    From: [email protected] <[email protected]>
    To: [email protected] <[email protected]>
    Date: Friday, 19 November 1999 15:52
    Subject: (forte-users) Forte Classic and LDAP
    Greetings,
    I am in the process of assessing the amount of effort to have a Forte
    application interface with Netscape's Directory Server. I know that the
    Directory Server has a C SDK so a wrapper is possible. Has anyone else
    attempted this using a C wrapper or otherwise?
    Thanks in advance,
    Phil
    For the archives, go to: http://lists.sageit.com/forte-users and use
    the login: forte and the password: archive. To unsubscribe, send in a new
    email the word: 'Unsubscribe' to: [email protected]
    Dave Maclaurin
    Database Administrator
    ATS University of Otago
    mailto:[email protected]
    http://www.otago.ac.nz
    Phone: +64 03 479 6545
    Fax : +64 03 479 5080

  • Security using both rpd users and ldap

    Hi,
    I need 5 dummy users in rpd. I don't want to give them administrator privileges because they are not allowed to see everything in my dashboards. My authentication works using an LDAP server, is there any way I can let these dummy users log in along with those in the LDAP server??

    I don't think it is possible to use both BI server default authentication and LDAP. You can always have multiple LDAP servers to authenticate. You can request 5 service accounts to be created in the LDAP for OBIEE, and assign the privileges accordingly so they will see only the required dashboards.
    Please award points if helpful,
    Thanks,
    -Amith.

  • EA2 TNSNAMES and LDAP issues

    Great to see the long awaited LDAP option available. Some remarks after first tries:
    1. There is no field to set the LDAP context.
    We have several contexts for different environments. All are using the same dbname, but different ports and target IP addresses. Now, the loaded list shows all databases several times. I can't see which is the right entry. If I can set the context, this list should be unique for the instance name.
    Hope there is not the same problem as explained later in my point 3.
    2. LDAP Admin and LDAP passwords are not needed to retrieve the database list; it's only misleading our security staff, who are afraid to use the admin passwords for normal login.
    3. In case of normal tnsnames connection entries, the nasty feature (bug?) of showing an instance entry several times if you have some ifiles in your tnsnames.ora. This was reported also for the past 1.2 release last year and should be fixed soon. It can't be a problem to make these list entries unique.
    Maybe these small issues can be fixed for the release version.
    Thomas

    Thomas, We're taking a look.
    Barry

  • Hi I do not want iTunes to open up automatically when I turn on my macbook pro.  I tried going to System Preferences Users and Groups Login Items and then I took iTunes off the list but it still opens up automatically when I turn on my laptop.

    Hi I do not want iTunes to open up automatically when I turn on my macbook pro.  I tried going to System Preferences>Users and Groups>Login Items and then I took iTunes off the list but it still opens up automatically when I turn on my laptop. What should I do?

    Hi r,
    Make sure you close iTunes before shutdown.  And you're quite welcome.

  • I am trying to stop programs from opening automatically when I turn my computer on.  I tried system preferences users and groups login items...then I deleted them from the list but it did nothing.

    I am trying to stop programs from opening automatically when I turn my computer on.  I tried System Preferences>Users and Groups>Login Items...then I deleted iTunes and email from the list but it did nothing.  They continue to open up every time I turn on my MacBook Pro.

    Hi r,
    It sounds like you're running Lion?
    Have you tried running Verify and/or Repair Disk?
    Have you tried running Repair Permissions?
    Do you have at least 15% free space available on your HD?

  • Problem with ADS and LDAP

    Problem with ADS and LDAP
    I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
    After connecting via LDAP I can't get any objects (users or groups etc.).
    I tried to connect to ADS by Java (JNDI).
    When I use other LDAP clients (e.g. Maxware Directory Explorer) I have
    the same problem - no objects.
    Can anybody help me?
    Grzegorz Pszona
    my e-mail: [email protected]

    Thanks a lot.
    Softerra's browser is really good.
    Thanks
    Rashmi
    "Anant Kadiyala" <[email protected]> wrote:
    I used Softerra's LDAP browser. The browser is free. There is also a
    Java-based LDAP browser from Univ of Michigan. I found the Softerra browser to be
    easier to use.
    -anant
    "rashmi" <[email protected]> wrote:
    Hi,
    Can you please let me know which exact ADS tool you used to examine
    the DN. I have Active Directory Users and Computers, Sites and Services and
    Domain and Trusts installed on my machine but I am not able to figure out how
    to get the DN?
    Thanks
    Rashmi
    for Stephen Davies <[email protected]> wrote:
    Grzegorz,
    I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
    a fair bit of messing around to get it going. MS does have a few oddities,
    for example the Administrators DN might look something like this:
    cn=Administrator,cn=Users,dc=eglobal,dc=net
    One tool that I found invaluable came with the additional support tools
    for Windows 2000. The 'Active Directory Administration Tool' made it
    easy to list the directory contents and examine the DNs.
    Regards,
    Steve
    Stephen Davies
    Principal Consultant
    eGlobal Services Pty. Ltd.
    Sydney, Australia
    Ph. +61 2 9283 1033
    http://www.eglobal.net/

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password, and mount the home directory from an M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to end up with a similar solution..
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, currently we are evaluating a product called Vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.
