Solaris 10 Ldap Client user authentication against edirectory

Hello,
We have moved some of our Oracle databases from Linux to Solaris 10 u7, and I need to set up secure LDAP authentication for the users against a Linux-based eDirectory server. Can someone point me in the right direction of good documentation or a good explanation of what I need and how to go about this?
I have spent the last couple of days reading about PAM, nsswitch.ldap, nsswitch.conf and certificates; now I need to pull all this information into a usable format.
Thanks
ukgreenman

I have a similar question.
Did you have a solution?
thanks

Similar Messages

  • Proxy agent in solaris ldap client

    Since the LDAP service provides a naming service that is supposed to be accessed by anyone who needs it, I don't know why we need a proxy agent when we set up a Solaris LDAP client. The anonymous credential level is enough.
    Also, in order to use a proxy agent, this agent needs to have at least read access to all naming entries, including userPassword, encrypted or clear-text. This adds some sort of insecurity. While service authentication method "simple" will simply bind to the LDAP server using the provided password. Of course, you can still add another layer of security by using TLS.
    So, can anyone explain this design a little more?
    Thanks.

    My input on this subject may seem a bit paranoid, but that's what I get paid for, so take this with a grain of salt 8-)
    The proxy agent does not need to have read access to the userPassword attribute if you configure your clients to use pam_ldap instead of pam_unix. pam_unix retrieves the userPassword attribute by making a call to getspnam. With pam_ldap, the user DN and password are sent to the directory server in an auth structure, and the directory server will return success or failure to the client for that login attempt. More info on this can be found at http://docs.sun.com, or in the book "LDAP in the Solaris Operating Environment, Deploying Secure Directory Services" by Michael Haines and Tom Bialaski (ISBN 0-13-145693-8), pgs 177-179.
    Use of the proxy agent can actually increase the level of security for your directory server. With the proper ACIs in place not allowing anonymous binds to view the data in the tree (or only view a small subset of the tree), you can prevent anyone from dropping a laptop or other device on your network and data mining your LDAP tree for information (i.e. vendors, guests, etc.). That won't stop those same people from snooping the traffic on your network, so the use of secure protocols is the other side of that, but implementing tls:simple authentication for the directory server and clients is not that difficult, and should be considered for any deployment of LDAP for use as a naming server.
    I do agree with your assessment that in an environment where anonymous binds are acceptable the use of the proxy agent is probably not warranted, but in my experience having the proxy agent has allowed me to tighten the security of my directory implementation.

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Patching solaris LDAP client

    I will have to patch a Solaris LDAP client box. What should I expect for that? Do I have to re-initialize the client using the ldapclient command after patching?
    Solaris 8 + LDAP server 5.2 unbundled version.
    Thanks

    From previous experience, if your slapd is not running on your LDAP server then your clients will not boot if they are set up for LDAP domain authentication. This is the same in NIS and NIS+. The only way to bring them up is to boot -s, change the nsswitch.conf file back to standalone (i.e. files) and reboot the machine.
    In short, if the LDAP server goes down the clients do too; multiple LDAP servers are required to prevent a single point of failure.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except that some users report disconnection. I see in the ISE: (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt because, for some reason, the user account got locked. I guess you should ask your AD team to check in the AD event logs why the user account got locked.
    You can find it out under Event Viewer.
    Regards
    Minakshi (Do rate the helpful posts)

  • User authentication against LDAP - Non-AD

    Hi,
    We are trying to set up LDAP authentication against an LDAP server, Oracle Unified Directory, and below are the parameters of the ldap.properties file:
    ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
    ldapAuthentication.enabled = true
    ldapAuthentication.tryNextProviderIfNoAuthenticated = true
    ldapAuthentication.stopIfCommunicationError = true
    ldapAuthentication.url=ldap\://localhost:389/
    ldapAuthentication.rootContext=DC=test,DC=com
    ldapAuthentication.securityPrincipal=CN=Directory Manager
    ldapAuthentication.securityCredential.encrypted=password
    ldapAuthentication.keepContextPrefix=false
    ldapAuthentication.isAD=false
    ldapAuthentication.userAccountSearchKey=CN
    ldapAuthentication.firstNameSearchKey=givenName
    ldapAuthentication.lastNameSearchKey=sn
    Still, when I try to log in to OIA as an OUD user, I am getting:
    WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
    Please help

  • Solaris ldap client problem (tls:simple + anonymous)

    Hi All,
    I've installed Directory Server 6.3.1 and it works just fine,
    but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
    Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
    More detail.
    Profile:
    dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
    authenticationmethod: tls:simple
    bindtimelimit: 10
    cn: sslnoproxyuser
    credentiallevel: anonymous
    defaultsearchbase: dc=domain,dc=com
    defaultsearchscope: one
    defaultserverlist: servername.domain.com
    followreferrals: TRUE
    objectclass: top
    objectclass: DUAConfigProfile
    preferredserverlist: servername.domain.com
    profilettl: 43200
    searchtimelimit: 30
    Ldapclient output:
    bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
    Parsing profileName=sslnoproxyuser
    Arguments parsed:
    profileName: sslnoproxyuser
    defaultServerList: servername.domain.com
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    found 2 namingcontexts
    findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
    rootDN[0] dc=domain,dc=com
    found baseDN dc=domain,dc=com for domain domain.com
    Proxy DN: NULL
    Proxy password: NULL
    Credential level: 0
    Authentication method: 3
    No proxyDN/proxyPassword required
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "domain.com"
    file_backup: stat(/var/yp/binding/domain.com)=-1
    file_backup: No /var/yp/binding/domain.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: network/ldap/client:default... maintenance
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default... success
    Error resetting system.
    Recovering old system settings.
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    Stopping ldap
    stop: network/ldap/client:default... restoring from maintenance state
    stop: sleep 100000 microseconds
    stop: network/ldap/client:default... success
    nisd not running
    nis(yp) not running
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: open(/var/ldap/restore/defaultdomain)
    recover: read(/var/ldap/restore/defaultdomain)
    recover: old domainname "domain.com"
    recover: stat(/var/ldap/restore/ldap_client_file)=-1
    recover: stat(/var/ldap/restore/ldap_client_cred)=-1
    recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
    recover: stat(/var/ldap/restore/domain.com)=-1
    recover: stat(/var/ldap/restore/nsswitch.conf)=0
    recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: milestone/name-services:default... success
    */var/ldap/cachemgr.log*
    Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
    Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
    Any ideas?
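
The profile and the cachemgr.log error in the post above can be cross-checked before `ldapclient init` is run. This is an added example, not code from the post or from Solaris: it parses the posted profile (embedded as sample input) and flags authentication methods that need a bind DN when the credential level supplies none. The rule that simple and SASL MD5 binds need a proxy identity is an assumption drawn from the NS_LDAP_BINDDN error shown above, and all function names are hypothetical.

```python
import base64

# Sample input: the DUAConfigProfile entry from the post above.
SAMPLE_PROFILE = """\
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
"""

# Assumption: these methods perform an authenticated bind and so need a bind DN.
BIND_METHODS = {"simple", "sasl/cram-md5", "sasl/digest-md5"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):             # 'attr:: <base64 value>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _items(entry, attr, default, sep):
    """Flatten a multi-valued, separator-delimited attribute to lowercase items."""
    items = []
    for value in entry.get(attr) or [default]:
        items += [p.strip().lower() for p in value.split(sep) if p.strip()]
    return items


def check_profile(entry):
    """Return (code, message) findings for credential level vs. auth method."""
    # Assumed defaults when the attribute is absent: anonymous / none.
    levels = _items(entry, "credentiallevel", "anonymous", None)   # space separated
    methods = _items(entry, "authenticationmethod", "none", ";")   # ';' separated
    findings = []
    for method in methods:
        tls = method.startswith("tls:")
        base = method[4:] if tls else method
        if base in BIND_METHODS and "proxy" not in levels:
            findings.append((
                "AUTH_NEEDS_BIND_DN",
                f"'{method}' binds with a DN and password, but credential level "
                f"{levels} supplies no proxy DN (compare the NS_LDAP_BINDDN error)",
            ))
        if base == "simple" and not tls:
            findings.append((
                "CLEARTEXT_BIND",
                "'simple' without the tls: prefix sends the bind password unencrypted",
            ))
    if "anonymous" in levels:
        findings.append((
            "ANONYMOUS_LEVEL",
            "naming data is read over an anonymous bind, so the server ACIs "
            "must allow anonymous read access to it",
        ))
    return findings


if __name__ == "__main__":
    for code, message in check_profile(parse_ldif_entry(SAMPLE_PROFILE)):
        print(f"{code}: {message}")
```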

    Hi ,
    yes I use it.
    Here is my pam.conf:
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    # rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    # rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    #
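
The pam.conf above can be checked mechanically for the point made earlier on this page, that logins verified by pam_ldap are decided by a bind on the directory server rather than by reading userPassword. This is an added example, not part of the original post: it parses Solaris pam.conf lines (a constructed excerpt of the file above is embedded), lists the services whose auth stack reaches pam_ldap, and reports `binding` pam_unix modules that sit above pam_ldap without `server_policy`. It assumes the standard meaning of `binding` (a success ends the stack) and of `server_policy` (the Unix module steps aside for accounts held on the server); function names are hypothetical.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "service mtype flag module options")

# Constructed excerpt of the pam.conf posted above (sample input).
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rsh auth sufficient pam_rhosts_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
"""

UNIX_MODULES = {"pam_unix_auth.so.1", "pam_unix_account.so.1", "pam_passwd_auth.so.1"}
LDAP_MODULE = "pam_ldap.so.1"


def parse_pam_conf(text):
    """Parse 'service type flag module [options...]' lines, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module = fields[:4]
        entries.append(Entry(service.lower(), mtype.lower(), flag.lower(),
                             module.rsplit("/", 1)[-1], tuple(fields[4:])))
    return entries


def audit(text):
    """Summarise which auth stacks use pam_ldap and flag risky binding entries."""
    stacks = {}
    for entry in parse_pam_conf(text):
        stacks.setdefault((entry.service, entry.mtype), []).append(entry)

    ldap_auth, unix_only, findings = [], [], []
    for (service, mtype), stack in stacks.items():
        modules = [e.module for e in stack]
        if mtype == "auth":
            if LDAP_MODULE in modules:
                ldap_auth.append(service)      # password checked by an LDAP bind
            elif UNIX_MODULES & set(modules):
                unix_only.append(service)      # password hash must be readable
        for pos, e in enumerate(stack):
            # A binding success returns at once, so pam_ldap below never runs
            # unless server_policy makes the Unix module defer for LDAP accounts.
            if (e.module in UNIX_MODULES and e.flag == "binding"
                    and LDAP_MODULE in modules[pos + 1:]
                    and "server_policy" not in e.options):
                findings.append((service, mtype, e.module))
    return {"ldap_bind_auth": sorted(ldap_auth),
            "unix_only_auth": sorted(unix_only),
            "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_PAM_CONF)
    print("auth via pam_ldap bind:", report["ldap_bind_auth"])
    print("auth via pam_unix only:", report["unix_only_auth"])
    for service, mtype, module in report["findings"]:
        print(f"{service} {mtype}: {module} is binding without server_policy")
```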

  • CE 7.2 NWDS wdp ws client user authentication error

    Hello CE 7.2 experts!
    I am running a CE 7.2 SP 01 environment with NWDS. In my landscape I have some web services running on PI 7.1.
    I am trying to develop a Web Dynpro web service client. When run, it gets user authentication errors.
    I have configured the Service Groups, provider systems, HTTP destinations etc. for this web service.
    After I have successfully built and deployed the WDP app I am getting an error on the WDP GUI screen like this:
    Exception on execution of web service with WSDL URL 'http://xxxxxxx.lxx.xxxx.xxx:50000/dir/wsdl?p=sa/595aaad7bedb3cf89546e4651ea9954d' with operation 'GetBudgetRequest_out' in interface 'GetBudgetRequest_out'
    And in log trace:
    Invalid Response code (401). Server <http://xxxxxxx.lxx.xxxx.xxx:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=SLF&receiverParty=&receiverService=&interface=GetBudgetRequest_out&interfaceNamespace=http%3A%2F%2Fsfso.no%2Fagresso%2Fslf> returned message <Unauthorized>. Http proxy info:  none
    [EXCEPTION]
    com.sap.engine.services.webservices.espbase.client.bindings.exceptions.TransportBindingException: Invalid Response code (401). Server <http://xxxxxxx.lxx.xxxx.xxx:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=SLF&receiverParty=&receiverService=&interface=GetBudgetRequest_out&interfaceNamespace=http%3A%2F%2Fsfso.no%2Fagresso%2Fslf> returned message <Unauthorized>. Http proxy info:  none
    Any help / hints are appreciated.
    Hope to get a prompt solution.
    best regards,
    Ajeet Phadnis

    Hi,
    I hope, please upgrade SP01 to SP05.
    Please look at these two forum threads:
    "Error executing webservice in BPM" and "Call to sr.esworkplace fails".
    Hope this is helpful for you.
    Regards
    Vijay

  • Solaris ldap client + first login problem (with home user)

    Hi, I have authenticated my Solaris 10 (6/06) clients with an LDAP server (Sun ONE DS 5.2) without TLS (in the future, sure).
    I tested this communication with Ethereal, and I think the communication is OK.
    But when my user logs in for the first time, he hasn't got a home directory (on Linux clients (Fedora) I configure PAM and gdm to do this, with a KDE desktop), but here in Solaris I don't know how to do this.
    I have this problem (in a root session, with entry "toto1" in the DIT):
    # su - toto1
    su: No directory!
    I set (for the toto1 entry) the attribute homedirectory in objectclass posixAccount to the value "/home/toto1".
    How are home directories made, and who has the responsibility for making them?
    Is the solution like the "Linux solution", and if this is true, which files must I touch for Java Desktop or CDE?
    Thanks!!!

    One minute...!! How did you make it work? I too have Fedora DS configured and want to configure a Solaris client. The #getent and #-ldaplist are displaying correctly but login is now working. I guess a PAM issue? How did you resolve it??

  • IMQ 2.0 and LDAP for user authentication

    Using the notes at http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
    I set up an LDAP with iMQ. The LDAP works OK for storing topics, connection factories, etc. from jmqadmin.
    The LDAP also now contains the 2 users as outlined in article 7772: admin and guest.
    The broker starts up OK, but when I try to use
    jmqcmd query bkr -b localhost:7844 -u admin -p admin
    this is what I get:
    ERROR [B3018]: Unable to run the service admin, the broker will no longer accept connections on this service:
    com.sun.messaging.jmq.jmsserver.util.BrokerException: [B4077]: Undefined authentication type basic
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.init(AccessController.java:99)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.loadProps(AccessController.java:251)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.getInstance(AccessController.java:206)
    at com.sun.messaging.jmq.jmsserver.service.Connection.<init>(Connection.java:144)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardConnection.<init>(StandardConnection.java:49)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardService.run(StandardService.java:547)
    at java.lang.Thread.run(Thread.java:484)

    It's likely caused by a trailing space after 'basic' in the configuration:
    imq.authentication.type=basic
    This has been fixed in MQ 3.0.

  • User Authentication against NT Domain

    Hi Expert
    I want to code a program which asks for my user ID and password and then authenticates it against my NT domain, meaning verify whether I am a valid user or not. If yes, then is my password correct?
    Can anyone give me some help to start? I believe it can be done but I don't know how, or what functions and libraries are available to do so.
    Any help will be appreciated.
    Thanks
    -- Kashif Ahmed

    Create an initial context to the Directory Server using Basic Authentication. You will have to pass the username and password (which for ADS is userPrincipalName or domain\username). As long as you do not get an AuthenticationException then your user is "Authenticated". Just remember the security implications: the password is sent in plain text.

  • Non-domain user authentication against SSAS on Active/Passive Cluster

    Hello,
    We have an Active/Passive SQL Server setup (DB1 & DB2 Servers) connected to a cluster for SQL & SSAS. I have a web server not on the same domain that I am trying to authenticate with SSAS. This works OK if I set the website to impersonate myUser and I add local account myUser as an Admin on SSAS for the active server (DB1). But when this fails over to DB2 then it fails to authenticate. SSAS won't allow us to add myUser as an admin for local accounts on both DB1 & DB2 as it errors adding the second one. Could anyone advise how such a scenario should be approached?
    We have tried creating a domain user too, which DB1 & DB2 can of course both share, but I don't think the web server can impersonate this with being not part of the domain.
    Thanks.

    Hi Jcorker,
    According to your description, you need to access the SQL Server Analysis Services database which is configured as a cluster for SQL & SSAS from another domain, right?
    In SSAS we can use the solution below to achieve the requirement.
    1. Create a new domain account and impersonate the web site with that.
    2. Create a local user account on the analysis service with exactly the same username/password as the domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it on my local environment, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao

  • Vista clients not authenticating against WPA

    I have an 1100 AP that works fine for XP and 7920 phones using WPS-PSK, but NONE of the Vista machines, whether they are home or business edition can connect. The SSID is not broadcast, the error I get is out of range, yet the AP is less than 10 feet away. When I enable broadcast I get encryption errors, but nothing tells me what kind. Is there a fix for this?
    My conclusion is that Vista plain downright sucks.

    Make sure you don't have CCKM on, as this was a large issue for our wireless deployment. We have 4000+ APs and some 2000-4900 concurrent users, of which a growing number are using Vista. From what I have seen, any driver from 2006 or the early part of 2007 will not work reliably for WPA/WPA2. From about May on there have been drivers that have worked pretty well for Atheros, Broadcom, and Intel.

  • OEL ldap client setup with SSL against OID using either ldaps or starttls

    Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
    Here's my /etc/ldap.conf file on OEL 5.3.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    URI ldaps://FQDN:3132/
    port 3132
    ssl yes
    host FQDN
    base dc=DOMAIN,dc=com
    pam_password clear
    tls_cacertdir /etc/oracle-certs
    tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
    tls_ciphers SSLv3
    # filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    #The search scope
    scope sub
    I have /etc/nsswitch.conf set to check for files first, then ldap
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    Here's my /etc/openldap/ldap.conf file
    URI ldaps://FQDN:3132/
    BASE dc=DOMAIN,dc=com
    TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
    4224de9f.0 -> oid-test-ca.pem
    I can run ldapsearch using ldaps and it works fine.
    ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
    But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
    Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
    Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

    Hello again...
    after some research and work together with Oracle Support I found out how to get it to work:
    1. You have to create your own ConfigSet in OID using SSL-Server-Authentication (OpenSSL seems not to support SSL-encryption-only).
    The following link shows how to do that:
    http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
    2. Add the following lines to your $HOME/ldaprc
    TLS_CACERT /home/frank/oid-caroot.pem
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    ssl on
    tls_checkpeer no
    oid-caroot.pem is the CA-Root Certificate you got during step 1
    3. You should now be able to use ldapsearch using SSL
    If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
    I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
    Bye
    Frank Berger
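
The client settings quoted in this thread, checked for certificate verification, as an added example that is not part of the original posts: `TLS_REQCERT allow` and `tls_checkpeer no` let the session continue when the server certificate does not validate, so the CA file configured beside them is not enforced. The function names and sample strings are constructed for this example; the replacement values used are `TLS_REQCERT demand` and `tls_checkpeer yes`.

```python
# Values that let the session continue with an unverified server certificate.
# TLS_REQCERT: OpenLDAP libldap (ldap.conf, ldaprc); tls_checkpeer: PADL nss_ldap/pam_ldap.
WEAK = {"tls_reqcert": {"never", "allow"}, "tls_checkpeer": {"no"}}
SAFE = {"tls_reqcert": "demand", "tls_checkpeer": "yes"}
CA_KEYS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir"}

# Constructed samples: TLS-relevant directives copied from the two posts above.
QUESTION_LDAP_CONF = """\
URI ldaps://FQDN:3132/
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
"""
ANSWER_LDAPRC = """\
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
"""

def directives(text):
    """Yield (line_no, keyword, value) for each non-comment directive."""
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield no, parts[0], parts[1].strip() if len(parts) == 2 else ""

def audit(text):
    """Return [(line_no, message)] for lines that switch verification off."""
    items = list(directives(text))
    has_ca = any(key.lower() in CA_KEYS for _, key, _ in items)
    note = "; the configured CA is never enforced" if has_ca else ""
    return [(no, f"{key} {value}: certificate not verified{note}")
            for no, key, value in items
            if value.lower() in WEAK.get(key.lower(), ())]

def harden(text):
    """Rewrite only the weak directives; every other line is kept as-is."""
    weak = {no for no, _ in audit(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        key = raw.split(None, 1)[0] if no in weak else None
        out.append(f"{key} {SAFE[key.lower()]}" if key else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, msg in audit(ANSWER_LDAPRC):
        print(f"ldaprc:{no}: {msg}")
    print(harden(ANSWER_LDAPRC), end="")
```

With `demand`, the connection fails unless the server certificate chains to the configured CA, which is the behaviour the CA file is there to provide.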

  • Ldap client in Solaris  using TLS

    I have installed an OpenLDAP server (version 2.2.13-2) on Red Hat ES 4.
    My LDAP clients are
    - Linux (redhat and mandriva)
    - Solaris 8 (with the last recommended patch and 10893-62 patch for ldapv2)
    - Tru64 (5.1B)
    If I use simple authentication all works fine (search in LDAP, authentication and automount).
    However, when I use TLS the Solaris LDAP client doesn't seem to work.
    When I run the LDAP client the process freezes.
    With my Linux and Tru64 clients all works fine using TLS.
    I have downloaded the certificates from my LDAP server using Netscape browser.
    I have copied cert7.db and key3.db into the "/var/ldap/directory" with a "chmod 644" on these files.
    I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
    The last logs of the ldap_cachemgr are:
    Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    If I do a truss when I launch the client the result was this:
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    This is my ldap_client_file:
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= srvldap
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_BIND_TIME= 10
    I have launched ethereal to see network communications between my Solaris 8 client and the LDAP server.
    And with this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
    I have done the same test with a linux and tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
    Does anyone have an idea on getting Solaris using TLS/SSL?
    Thanks.

    LDAP Setup and Configuration Guide
    Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
    [http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
    Download this book in PDF (557 KB)
    [http://dlc.sun.com/pdf/806-5580/806-5580.pdf]
