SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

Similar Messages

• Prepare sharepoint 2010 with sp2 environment on windows server 2012 R2

  HOw  prepare sharepoint 2010 with sp2 environment how i  install sharepoint 2010 with sp2 in a windows server 2012 
  i mean
  from scratch  i just prepared a windows server 2012 R2 vm
  and i set all required  roels (Appserver,webserver etc) according to this link
  http://social.technet.microsoft.com/wiki/contents/articles/12502.how-to-install-and-configure-windows-server-2012-for-sharepoint-2010.aspx
  and i have sharepoint 2010 set up, and i downloaded sharepoint 2010 sp2
  from this link
  http://www.microsoft.com/en-us/download/details.aspx?id=39672
  now should i install sp2 and install sharepoint 2010 binaries?
  adil

  SharePoint 2010 has no supportability statement for Server 2012 R2.  I would not use it until Microsoft releases a supportability statement.
  Even it  has no supportability for server 2012, but sharepoint 2010 running fine in my server 2012 test environment
  adil
  You indicated you were using 2012 R2.  SharePoint 2010 supports Server 2012 (non-R2) with SP2 media, but has no supportability statement for Server 2012 R2.
  Trevor Seward, MCC
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• UC - LDAP integration to Novell eDirectory

  Hi,
  Looks UC version 8 not support Novell eDirectory. Any road map?
  Thanks in advance,

  I had a similar potential requirement a few months ago and my Cisco SE was able to dig out details of a customer that was using Novell eDirectory. There is an appnote published at the link below:
  http://www.novell.com/communities/node/3028/integrating-cisco-unified-call-manager-versions-5-and-6-edirectory
  Usual caveats - not supported by TAC etc.
  Please rate if helpful.

• Issue using SharePoint 2010 with IE10 with MS Office Excel Viewer

  Hello,
  We are experiencing an issue with MS SharePoint 2010 Foundation and computers who have Internet Explorer 10 and the Microsoft Office Word Viewer 2003.  When opening Word documents from SharePoint, the Word Viewer opens, but no document is displayed.
   The MS Excel Viewer 2007 works and does open the Excel documents.
  Computers with MS Word Viewer 2003 and IE 9 works fine, it's just the IE10 PCs.  PCs that have the full version of Office it works fine with both IE9 and IE10.
  We have a segment of our PCs that need only read-only access to the Word and Excel files.  We tried Office Web App but found functionality issues (printing, etc.) and issues where the other segment of our PCs that have MS Office had to open the files
  in a specific way to manipulate them.
  Does anyone know of something that would be affecting the MS Word Viewer with IE10 with SharePoint?  Or know of an alternate viewer? 
  Thanks in advance.

  Hello Anthony,
  In IE10, please click F12 to open the DEV toolbar.
  Now search for Browser- and Document Mode.
  Set Browser Mode to Internet Explorer 8, that should work.
  This setting can be edited in your Masterpage.
  This is what you should put in:
  <meta
  http-equiv="X-UA-Compatible" content="IE=8" />

• SharePoint 2010 with OAM 11g

  We are currently trying to integrate SharePoint 2010 server with OAM 11g with 10g webgate. In our environment SharePoint site is configured with Claims based authentication with LDAP provider for membership. We have performed all the configurations based on the Oracle documentation with validation mode as OAMHttp.
  We are seeing the following behavior after this integration.
  1)     The user requests access to an SharePoint Site
  2)     Webgate protecting the site intercepts the request, determines if the resource is protected, and challenges the user.
  3)     The user enters their OAM credentials; Webgate contacts the OAM Server, which verifies the credentials from user store and authenticates the user. Webgate generates the OAM native SSO cookie (ObSSOCookie), which enables single sign-on and sets the User ID (to username) header variable in the HTTP request and redirects the user to SharePoint site.
  Here, instead of taking user to the home page of the site, the SharePoint login page is displayed again.
  =================================================================================================
  Looking into the debug logs i found the following error.
  Date ProcessId ThreadID ManagesThreadId ClassName MethodName Message
  =================================================================================================
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize validationMode^OAMHttp
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Entered
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor ValidationURL configured validationUrl^http://wtv-sea-spapp01.chemd.net:8086/ValidateCookie.html
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor validationHost^wtv-sea-spapp01.chemd.net
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor OAMAuthUserCookieName^OAMAuthCookie
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Exited
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize Setting Validation Type OAMHttp
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Entering ValidateUser : username^IDG2M
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Method Entered
  Exception Caught InValidateUser
  The remote server returned an error: (403) Forbidden. at System.Net.HttpWebRequest.GetResponse()
  at Oracle.OAMHttpValidator.ValidateUser(Dictionary`2 creds)5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Exiting AuthStatus^AuthZFail
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser OAMauthStatus^AuthZFail
  5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Method Exited returnCode^False
  If anyone have integrated OAM 11g with SharePoint 2010 earlier, appreciate your inputs in this regard.

  Each license is platform specific, you can't backwards apply or forwards apply licenses from one version of SharePoint to another.
  If you do have MSDN access, you'll have access to all current versions of SharePoint, across the current and retired server products.
  Steven Andrews
  SharePoint Business Analyst: LiveNation Entertainment
  Blog: baron72.wordpress.com
  Twitter: Follow @backpackerd00d
  My Wiki Articles:
  CodePlex Corner Series
  Please remember to mark your question as "answered" if this solves (or helps) your problem.

• Pass Through Auth Not Using Novell eDirectory Over RDP - Virtual Desktop

  Hi,
  I have installed and configured SGD and the Virtual Desktop Adapter to a Virtual Center server. So far that whole side of things is working great. Machines are cloned, prepped and connected to by users through the My Desktop link in SGD. Now that I am attempting to perfect the master template I have encountered some issues. The network here is Novell eDirectory and at the moment when the desktop is launched the username and password used to authenticate to the SGD webtop are passed through to the Virtual Machine, but it seems that they are passed through to the Windows Authentication System/GINA even though the Novell client is in place.
  The virtual machines are Windows XP and by default none of the user accounts exist locally, so of course the login fails. This drops the user back to the login box where it can be seen that the Workstation Only tick box is checked. Settings in the Novell client to always default to eDirectory authentication, forget last setting used etc has all been set properly. Even when hiding the Workstation Only tickbox the username and password are passed to local system authentication still.
  I need to get the username and password sent to the Novell eDirectory authentication system/GINA in order for Zenworks to create the user on the local system. When dropping back to the login box and manually unticking the Workstation Only box login proceeds normally. Drives are mapped and the local user account is created by the Zenworks agent.
  Is SGD specifically targeting an authentication subsystem within the virtual machine, regardless of your installed authentication handler/GINA preference order? Can I get SGD to pass the details to the Novell client? Barring that is there some way I can prevent SGD passing the details? I tried turning off some of the authentication details caching etc but some of that is needed to rename the virtual machines after the user connecting. For the time being having users authenticate twice would be acceptable, having them login in, then get an error message, then manually unticking Workstation Only then relogging in is not acceptable.
  I have been searching these forums, Novell forums, Terminal Server forums for answers but so far nothing has been of any help. Please note that the login box is not the cut down/windows only login box that users are seen when they connect over RDP to a machine that already has a user logged in locally. There is no user logged in locally and the full login box is presented once the login failed message is cleared.
  Any help, or even a nudge in the right direction would be great.
  Thanks
  Russ

  Hi,
  Thanks for taking the time to respond. I tried the full context user name path as well, but its defiantly just being passed to a different GINA. The only credentials that determine if you have RDP access to a server is the local machines credentials, so Microsoft have the service pass authentication straight to the Microsoft GINA non-interactively instead of honouring the installed GINA's. So it will fail no matter what I put in since the account doesn't exist locally yet. People have implemented solutions that depend on Active Directory domains, but that's what I am trying to avoid.
  In that situation the AD Domain would allow access to the local machine based on Windows permissions, and a registry setting TSAutoLogin or something would trigger the Novell log in in parallel to map the Netware shared volumes. With no domain you can't get the initial log in triggered for the Novell client to kick in.
  Connecting to the virtual machine using an RDP client without pre-entering authentication information does show the Novell Login (NWGINA) with all the right settings in place, so I have modified the expect (login) script for SGD not to automatically pass log in information through with the RDP connection it makes. The result is a clean Novell login box without any errors that a user can just enter their details into a second time.
  Russ

• Create SharePoint 2010 Search Service Application Using Powershell

  Hi Team,
  Could you please assist me in completing the search service application for
  two server using powershell. Both the servers will be running all the component
  Version SharePoint 2010
  # 1.Setting up some initial variables.
  write-host 1.Setting up some initial variables.
  $SSAName = "Search Service Application"
  $SVCAcct = "Domain\ServiceAccount"
  $SearchAppPoolName ="DefaultAppPool"
  $SSI = get-spenterprisesearchserviceinstance -local
  $err = $null
  $SSADBName="Search_AdminDB"
  $SSADBServer="DBServer"
  $host1="Server1"
  $host2="Server2"
  # Start Services search services for SSI
  write-host Start Services search services for SSI
  Start-SPEnterpriseSearchServiceInstance -Identity $SSI
  # 2.Create an Application Pool.
  write-host 2.Create an Application Pool.
  #$AppPool = new-SPServiceApplicationPool -name $SSAName"-AppPool" -account $SVCAcct
  $AppPool = Get-SPServiceApplicationPool -Identity $SearchAppPoolName -ErrorAction SilentlyContinue
  # 3.Create the SearchApplication and set it to a variable
  write-host 3.Create the SearchApplication and set it to a variable
  $SearchApp = New-SPEnterpriseSearchServiceApplication -DatabaseServer $SSADBServer -Name $SSAName -applicationpool $AppPool -databasename $SSADBName
  #4 Create search service application proxy
  write-host 4 Create search service application proxy
  $SSAProxy = new-spenterprisesearchserviceapplicationproxy -name $SSAName"ApplicationProxy" -Uri $SearchApp.Uri.AbsoluteURI
  # 5.Provision Search Admin Component.
  write-host 5.Provision Search Admin Component.
  set-SPenterprisesearchadministrationcomponent -searchapplication $SearchApp -searchserviceinstance $SSI
  # 6.Create a new Crawl Topology.
  write-host 6.Create a new Crawl Topology.
  $CrawlTopo = $SearchApp | New-SPEnterpriseSearchCrawlTopology
  New-SPEnterpriseSearchCrawlComponent -SearchTopology $newTopology -SearchServiceInstance $hostA
  Source:blog.MSDN Author- Russ Maxwell
  Thanks Basva

  Could you please assist me in completing the search service application for
  two server using powershell. Both the servers will be running all the component 
  Hi Basva,
  Do you want to provision two search service applications in single farm?
  Commonly, only one search service application is needed in a farm for Search function.
  Here are articles for detail information about how to provision search service application using powershell:
  http://blogs.msdn.com/b/jjameson/archive/2011/02/28/powershell-script-to-configure-search-in-sharepoint-server-2010.aspx
  http://blogs.msdn.com/b/russmax/archive/2009/10/20/sharepoint-2010-configuring-search-service-application-using-powershell.aspx
  Regards,
  Rebecca Tu
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Problems opening PDFs from SharePoint 2010 with Acrobat X Pro

  Is anyone else having problems integrating pdf document support into Sharepoint 2010?
  I now have the icon showing for any pdf documents saved in a Document Lirary, However I don't get the options of Checking out - editing an checking in. There is also no revision control. I think that when I open a pdf document, the servers own copy of Adobe Reader opens, and not my local copy of Reader or Acrobat X pro.
  I've done what it says in the Administrators guide for Sharepoint integration and I'm still unable to get this functionality to work. As we use interactivve pdfs for a lot of our internal documentation the pdf integration features are very important.
  Any help from users who have already been through the pain of sharepoint integration would be really appreciated.
  Regards.

  Hi Bill,
  Looking at your initial problem of not being able to open the SharePoint hosted PDF document from the web browser.
  Could you please verify that as per the "Enterprise Administration Guide", the DocIcon.xml file of your server contains the following line:
  <Mapping Key="pdf" Value="AdobePDF.png" OpenControl="AdobeAcrobat.OpenDocuments"/>
  Please verify that the OpenControl attribute is also mentioned correctly. Without this the Acrobat Active X component would not be invoked.
  thanks,
  Shivani

• Pb with 2nd Authentication using form.jsp (authentication example)

  Hi,
  I am using the example form.jsp to log on to my application. The first
  page (testsecurity.jsp) can be accessed by "everyone" and until this step everything
  goes fine, I manage to log on. From the testsecurity.jsp page there is a link
  to a jsp which can only
  be accessed by some users (I defined that in the policy file).
  Avan if I have identified myself through the form.jsp, before the 2nd page is
  displayed, I must log on again. When I give
  the same login and password as I gave for the first identification
  I can see the proper page.
  Do you have any idea about why I have to log on twice?
  Thanks
  Odile
  PS: I checked that, in the session, the attribute "javax.naming.InitialContext"
  is still present, if this has anything to do with the authentication..

  Hi,
  I am using the example form.jsp to log on to my application. The first
  page (testsecurity.jsp) can be accessed by "everyone" and until this step everything
  goes fine, I manage to log on. From the testsecurity.jsp page there is a link
  to a jsp which can only
  be accessed by some users (I defined that in the policy file).
  Avan if I have identified myself through the form.jsp, before the 2nd page is
  displayed, I must log on again. When I give
  the same login and password as I gave for the first identification
  I can see the proper page.
  Do you have any idea about why I have to log on twice?
  Thanks
  Odile
  PS: I checked that, in the session, the attribute "javax.naming.InitialContext"
  is still present, if this has anything to do with the authentication..

• SharePoint 2010 - Claims Based Authentication - Access Denied for AD Group members

  We're in the process of migrating our SharePoint 2003 system to 2010 and have used Metavis to migrate the data. We had to do the data migration in a lab environment and then move/attach the content database to our production server. The database attached successfully
  and I, as a site collection administrator, can see all sites and the data therein. We are using claims-based auth with ADFS 2.0 as the provider.
  My users, however, get access denied trying to go anywhere on the site. I have added the Active Directory groups to the appropriate SharePoint groups and have confirmed the groups are appearing with the c:0-.t|adfs|group_name syntax. If I add them as individual
  users (i:05.t|adfs|[email protected]) they can authenticate fine, but not by AD group membership.
  I enabled ADFS tracing and I see that the claim being provided includes the SIDs for all the groups the user belongs to. Using ULS Viewer I can see that SharePoint sees the correct number of claims (it doesn't show what those claims are, just the number) but
  it doesn't seem to be connecting the SIDs passed to the group name used in the permissions list. I have also updated the portalsuperreader and portalsuperuser accounts after the database was moved, just in case there was something weird there.
  The ADFS and SharePoint servers are all in the same AD domain, so they should be able to resolve SIDs ok. I suspect the issue is somehow related to the migration of the content database from a separate
  environment (different domain), but I can't figure out for the life of me how to get the group authentication to work.
  Thoughts?

  Brilliant idea. Unfortunately that didn't work - I can get to the new site as the site collection owner, but members of groups to which I assigned permissions still get Access Denied. :-(

• ASA VPN with LDAP authentication

  We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules makes this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
  The things we don't like about using RADIUS is the idea that IAS has to be configured as a middleman service, and sometimes IAS does not always successfully start after a system reboot (we are not sure why).
  We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP Attribute map to either use the "Remote Access Permission" of the user's DialIn profile, or by associating an AD group to a Cisco policy.
  The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.
  Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and more importantly, absence equals Deny)?

  Hi,
  I believe that second option you've mentioned will work for you. Why? using that if you map single AD group to right cisco policy. then this will work the way you want; where absence means deny to other users.
  Here is con fig example you may try:
  Configuration for restricting access to a particular windows group on AD/LDAP
  group-policy noaccess internal
  group-policy noaccess attributes
  vpn-simultaneous-logins 0
  address-pools none
  ldap attribute-map LDAP-MAP
  map-name memberOf IETF-Radius-Class
  map-value memberOf
  aaa-server LDAP-AD protocol ldap
  aaa-server LDAP-AD host
  server-port 389
  ldap-base-dn
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn
  ldap-login-password
  server-type microsoft
  ldap-attribute-map LDAP-MAP
  group-policy internal
  group-policy attributes
  vpn-simultaneous-logins 3
  vpn-tunnel-protocol IPSec l2tp-ipsec ...
  address-pools value
  tunnel-group type remote-access
  tunnel-group general-attributes
  authentication-server-group LDAP-AD
  default-group-policy noaccess
  HTH
  JK
  -Plz rate helpful posts-

• NzrViewer with LDAP authentication

  Hello,
  is it possible to use the nzrViewer with some other authentication then ZCM Zone of password? We're in transit from Windows 2000 to Windows 7. And from ZEN7 to ZCM11. The Windows 2000 PC's are not in the ZCM zone, so there's no way to authenticate Remote Control sessions. Still all users are in eDir and ZCM has the user source to the same eDir.
  So will it be possible to Remote Control from an Windows 2000 PC to a Windows 7 PC in ZCM with use of eDir authentication.
  To get nzrViewer to work on W2K i just copied the files from a WXP PC. The MSI installer did not function on W2K
  Regards,
  Patrick

  petjez,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://www.novell.com/support and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Forums Team
  http://forums.novell.com

• Problem with LDAP authentication for users in a group

  I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
  I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
  [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
  [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]  msNPAllowDialin: value = TRUE
  I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
  ldap attribute-map AuthUsers
    map-name  memberOf IETF-Radius-Class
    map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
  aaa-server LDAP protocol ldap
  aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
   ldap-base-dn DC=COMPANY,DC=com
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
   server-type microsoft
   ldap-attribute-map AuthUsers
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
   vpn-simultaneous-logins 0
   vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
   webvpn
    anyconnect ask none default anyconnect
  group-policy GroupPolicy_COMPANY_SSL_VPN internal
  group-policy GroupPolicy_COMPANY_SSL_VPN attributes
   wins-server none
   dns-server value 10.10.100.102
   vpn-tunnel-protocol ikev1 ikev2 ssl-client
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT-TUNNEL
   default-domain value net.COMPANY.com
   webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
  tunnel-group COMPANY_SSL_VPN type remote-access
  tunnel-group COMPANY_SSL_VPN general-attributes
   address-pool COMPANY-SSL-VPN-POOL
   authentication-server-group LDAP
   authorization-server-group LDAP
   authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
   default-group-policy NOACCESS
   authorization-required
  tunnel-group COMPANY_SSL_VPN webvpn-attributes
   group-alias COMPANY_SSL_VPN enable
  tunnel-group COMPANY_SSL_VPN ipsec-attributes
   ikev1 pre-shared-key *****

  I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• Issues with client authentication using certificates

  We have upgraded from sun-one directory server 5.1 sp4 to odsee 11g. We were using client certificates for authenticating connections to the directory server and it is no longer working. We had a certmap.conf that worked fine on 5.1 but it no longer seems to work on 11g. We are getting the following errors in the access log:
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=-1 msgId=-1 - SSL failed to map client certificate to LDAP DN (User's LDAP entry doesn't have any certificates to compare)
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  [04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0.099660, client certificate mapping failed
  I checked and there is a usercertificate;binary entry which contains the certificate.
  Also, it does seem to find the entry for the cn, as shown by these two lines:
  [04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - ENTRY dn="cn=XXXXXXXX, ou=certs, ou=yyyy,dc=zzzzzzz,dc=net"
  [04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - RESULT err=0 tag=101 nentries=1 etime=0.001150
  All we did was to install the upgraded server software and migrate the data. Is there something more required for this version in order to implement client certificate authentication? I thought I saw something about a directory server proxy, which we aren't running. Is that necessary for this to work?
  Any help you can provide would be greatly appreciated.
  Thanks.
  dean

  I am using verifycert set to on. We want to verify the certificate.
  I am not using CmapLdapAttr. I saw a reference in one other post regarding using that attribute. I am hesitant to go there because while it seems to be a fix, I was unsure whether it was something which happened to work but was not part of standard implementation of using client certificates or whether it was a requirement in order for it to work and it was just serendipitous that it wasn't needed in 5.1. I wouldn't want to start using, apply a patch, and have it stop working again because that was a workaround.
  Thanks.