[SOLVED] Authentication against two openldap servers.
Hi everyone.
Here is the deal. I have two openldap servers, used for user authentication (master and slave). All the clients are able to authenticate users against the master openldap server, and that is working fine. I want to make them able to authenticate against the slave server if the master is down for any reason. Is there a way to configure the clients, and is that the way to manage this, or do I have to use other software such as heartbeat?
Regards.
PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
Last edited by Gruntz (2009-03-10 08:57:31)
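A check on the 'uri' row described above, added here as an example (not Gruntz's code): it parses a constructed pam_ldap/nss_ldap style /etc/ldap.conf, returns the failover list in the order clients try it, and flags any server in that list whose bind would go out in cleartext once the master is down. The `ssl start_tls` and `tls_checkpeer` directives are assumed to be the pam_ldap/nss_ldap ones.

```python
"""Added example, not the original poster's code: parse the 'uri' row of a
pam_ldap/nss_ldap style /etc/ldap.conf and review the failover list it
defines.

Assumptions: 'key value' lines with '#' comment lines, and the pam_ldap/nss_ldap
'ssl start_tls' and 'tls_checkpeer' directives; the sample file is constructed.
"""
from urllib.parse import urlsplit

SAMPLE_LDAP_CONF = """\
# constructed /etc/ldap.conf: master first, slave second
base dc=example,dc=org
uri ldap://ldap-master.example.org ldaps://ldap-slave.example.org:636
ssl start_tls
tls_checkpeer yes
pam_password md5
"""


def parse_ldap_conf(text):
    """Return {key: value}; keys are lower-cased, a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def failover_uris(conf):
    """Clients try the space-separated 'uri' entries in the order written."""
    return conf.get("uri", "").split()


def review_uris(conf):
    """Return {uri or '*': finding}.

    A slave added for availability must not downgrade the bind to cleartext
    when the master is unreachable, so every entry is checked, not just the first.
    """
    start_tls = conf.get("ssl", "").lower() == "start_tls"
    findings = {}
    for uri in failover_uris(conf):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps":
            findings[uri] = "ok: LDAP over TLS"
        elif scheme == "ldapi":
            findings[uri] = "ok: local IPC socket"
        elif scheme == "ldap" and start_tls:
            findings[uri] = "ok: STARTTLS upgrades the cleartext port"
        elif scheme == "ldap":
            findings[uri] = "weak: bind credentials cross the network in cleartext"
        else:
            findings[uri] = f"unknown scheme '{scheme}'"
    # Without peer verification, TLS to either server can be intercepted.
    if conf.get("tls_checkpeer", "").lower() not in ("yes", "hard"):
        findings["*"] = "weak: server certificate is not verified (tls_checkpeer)"
    return findings
```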
Hi,
Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
You should be able to find more info in the OID Developer's Guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
Good luck!
/Rikard
Similar Messages
-
Cisco ACS 5.2 authentication against multiple LDAP servers
Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?
Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1). -
Authentication against two user lists and knowing the difference?
I have a security realm that is the standard out-of-the-box security realm with one modification. I created an authentication provider to validate users and groups defined in a 3rd party data store. The control flag for each authentication provider (the default one and mine) is set to 'sufficient' so that there is one user account that allows me to log into the WebLogic console that is not defined in the 3rd party data store.
If I run my application and log in with the WebLogic admin userid, the security realm successfully authenticates the user (it passes the default authentication provider) and permits entry to my application. Unfortunately, this is not good for me. The application, at startup, goes to the 3rd party data store and retrieves more information about the user that just logged in. For the WebLogic admin account, it will not find the user.
Is there a way to configure WebLogic security such that a particular application can ensure authentication by a specific provider?
Another environment I need to handle is having two applications deployed, each needing to authenticate its users with two different data sources containing valid users and groups.
Thanks! Any help is much appreciated!
-
ACS 5.1 Authentication against AD problem
I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44. We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one of my colleagues. His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server. Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log: "24421 Change password against Active Directory failed since it is disabled in configuration". The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration. As a test, I enabled password changing and instead saw this error: "24407 User authentication against AD failed since user is required to change his password".
I've had him change passwords numerous times, try different SSH clients, and different PCs. I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out". So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
The only difference between the two ACS servers is that they are querying different AD servers. I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning. I've also restarted the services and cold started the ACS virtual machine to no effect. I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!
Hello,
It is complicated to explain this rule but hopefully you will understand.
I suggest you create an identity store sequence that points to the AD and RSA. This is like the Unknown User Policy in ACS 4.x.
Once this is done you can create 2 authorization policies, 1 based on RSA authentication and another based on AD authentication.
To give you a clearer example: is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultaneous authentication.
Regards,
Sebastian Aguirre -
User authentication against LDAP - Non-AD
Hi,
We are trying to set up LDAP authentication against an LDAP, Oracle Unified Directory, and below are the parameters of the ldap.properties file:
ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
ldapAuthentication.enabled = true
ldapAuthentication.tryNextProviderIfNoAuthenticated = true
ldapAuthentication.stopIfCommunicationError = true
ldapAuthentication.url=ldap\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.securityPrincipal=CN=Directory Manager
ldapAuthentication.securityCredential.encrypted=password
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
Still I am getting the following when I try to log in to OIA as an OUD user:
WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
Please help
Hi Jcorker,
According to your description, you need to access the SQL Server Analysis Services database which is configured as a cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below to achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environment, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
TechNet Community Support -
How to configure time synchronization for two NTP servers
We have IOSXR 4.2.1 on routers CRS3 and ASR9K with all recommended SMUs; we need to configure time synchronization for two NTP servers with the configuration below, but the routers become unstable: they synchronize with one NTP server for some time, then switch to the other NTP server, and keep doing this. Does anyone know why this behavior occurs?
ntp
authentication-key 1 md5 encrypted 01070F074F0A05
authenticate
trusted-key 1
server 10.192.32.32 prefer
server 10.192.32.33
source Loopback50
update-calendar
RP/0/RP0/CPU0:DFCRSDTC1#sh log | i ntp
Wed Jul 10 09:37:04.621 BRSPO
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
RP/0/RP0/CPU0:Jul 4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
RP/0/RP0/CPU0:Jul 4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
RP/0/RP0/CPU0:Jul 4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
RP/0/RP0/CPU0:Jul 4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
RP/0/RP0/CPU0:Jul 4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
Hi Claudio, that ddts is pretty generic to be honest, but yes, it is filed to address sync issues in the XR NTP algo.
The thing is that XR ntp clock selection is a bit different from IOS and follows the specs very closely, which results in this erroneous loss behavior.
For instance, you could also see this issue with a sync loss if the update time is only 500msec off what it was before, and that will result in an ntp sync loss rather than adjusting to it.
Also I wanted to mention that the ntp prefer is a bit of a misnomer in XR (since it follows the specs differently from IOS) and this knob was really taken over from IOS.
You might get some joy if you set it to one server only and see if that helps?
regards
xander -
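As an added example (not from the thread), a parser for the `%IP-IP_NTP` syslog lines quoted above that measures how long the router ran without a synchronised clock, how far its stratum fell, and which peer was blamed each time; the year is assumed (IOS XR omits it) and so is the stratum threshold a reviewer would alert on. Unsynchronised time on an authenticating device matters beyond NTP itself: Kerberos tickets, certificate validity windows and log correlation all depend on it.

```python
"""Added example, not from the thread: parse IOS XR ntpd syslog lines such as
those quoted above and measure how long the router ran unsynchronised.

Assumptions: the year (IOS XR omits it; 2013 fits the 'Wed Jul 10' stamp in
the post) and the stratum threshold a reviewer would alert on.
"""
import re
from datetime import datetime

# Constructed sample: the 19 ntpd lines from the post, with the forum's
# trailing reply text removed from the last one.
SAMPLE_NTP_LOG = """\
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
RP/0/RP0/CPU0:Jul 4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
RP/0/RP0/CPU0:Jul 4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
RP/0/RP0/CPU0:Jul 4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
RP/0/RP0/CPU0:Jul 4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
RP/0/RP0/CPU0:Jul 4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
RP/0/RP0/CPU0:Jul 4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
RP/0/RP0/CPU0:Jul 4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
RP/0/RP0/CPU0:Jul 4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
RP/0/RP0/CPU0:Jul 4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
"""

LINE_RE = re.compile(
    r"^RP/[^\s:]+:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) : "
    r"ntpd\[\d+\]: %IP-IP_NTP-\d-(?P<mnemonic>[A-Z_]+) : (?P<msg>.*)$"
)
STRATUM_RE = re.compile(r"Stratum (\d+)->(\d+)")


def parse_ntp_log(text, year=2013):
    """Return one dict per ntpd line: ts, mnemonic, server, reason, stratum."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other syslog facilities are ignored
        ev = {
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "mnemonic": m["mnemonic"], "server": None, "reason": None, "stratum": None,
        }
        if ev["mnemonic"] == "SYNC_LOSS":
            # message is "Synchronization lost : <peer> : <reason>"
            _, server, reason = (p.strip() for p in m["msg"].split(":", 2))
            ev["server"], ev["reason"] = server, reason
        sm = STRATUM_RE.search(m["msg"])
        if sm:
            ev["stratum"] = (int(sm.group(1)), int(sm.group(2)))
        events.append(ev)
    return events


def summarize(events, max_acceptable_stratum=4):
    """Reduce the event stream to numbers a reviewer can threshold on.

    An outage runs from a SYNC_LOSS to the next HP_CONN_RECOVERED; further
    losses before a recovery extend the same outage rather than starting a new one.
    """
    loss_by_server, reasons, outages, servers = {}, {}, [], []
    open_loss, worst_stratum = None, 0
    for ev in events:
        if ev["mnemonic"] == "SYNC_LOSS":
            loss_by_server[ev["server"]] = loss_by_server.get(ev["server"], 0) + 1
            reasons[ev["reason"]] = reasons.get(ev["reason"], 0) + 1
            if not servers or servers[-1] != ev["server"]:
                servers.append(ev["server"])  # which peer was blamed, in order
            if open_loss is None:
                open_loss = ev["ts"]
        elif ev["mnemonic"] == "HP_CONN_RECOVERED" and open_loss is not None:
            outages.append(int((ev["ts"] - open_loss).total_seconds()))
            open_loss = None
        if ev["stratum"]:
            worst_stratum = max(worst_stratum, ev["stratum"][1])
    return {
        "loss_by_server": loss_by_server,
        "reasons": reasons,
        "outage_seconds": outages,
        "total_unsynced_seconds": sum(outages),
        "unresolved_loss": open_loss is not None,
        "worst_stratum": worst_stratum,
        "server_switches": max(0, len(servers) - 1),
        "degraded_beyond_threshold": worst_stratum > max_acceptable_stratum,
    }
```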
How to set two radius servers one is window NPS another is cisco radius server
how to set two radius servers one is window NPS another is cisco radius server
When I try the following commands, once Windows has first priority and I type a Cisco RADIUS user name, authentication fails.
I cannot use both at the same time.
radius-server host 192.168.1.3 is Windows NPS
radius-server host 192.168.1.1 is Cisco RADIUS
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
conf t
no aaa authentication login default line
no aaa authentication login local group radius
no aaa authorization exec default group radius if-authenticated
no aaa authorization network default group radius
no aaa accounting connection default start-stop group radius
aaa new-model
aaa group server radius IAS
server 192.168.1.1 auth-port 1812 acct-port 1813
server 192.168.1.3 auth-port 1812 acct-port 1813
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
privilege exec level 1 show config
ip radius source-interface Gi0/1
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
line vty 5 15
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
end
conf t
aaa group server radius IAS
server 192.168.1.3 auth-port 1812 acct-port 1813
server 192.168.1.1 auth-port 1812 acct-port 1813
end
The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on.
If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs.
I hope this helps!
Thank you for rating helpful posts! -
ISE 1.2 - 24492 Machine authentication against AD has failed
Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match against /Users/Domain Computers and /Users Domain Users. User authentication works, machine auth doesn't.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain, you get the appropriate different response in the ISE logs, which suggests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know it's not an ISE policy configuration, as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
Thanks.
24492
External-Active-Directory
Machine authentication against Active Directory has failed
Machine authentication against Active Directory has failed.
Error
Please check whether NTP is in sync or not on ISE -
Oracle 10g Reports Server - problem authenticating against DB
I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
REP-51018: Need database user authentication
When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
REP-51018: Need database user authentication
REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
Any ideas which config file I should be looking in?
Any pointers would, of course, be much appreciated.
thanks,
Brian
Hello, I finally discovered what was happening; it has to do with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/passwd file on the NIS client, so the final files will look this way:
# nsswitch.conf (compat directive allows us to use the '+' syntax in /etc/passwd file)
passwd: files compat
# /etc/passwd (just add at the end of file)
+:x::::: -
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if there is correct traffic. I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will succeed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end
I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
-
Oracle Database Authentication against Microsoft Active Directory
Hello
Does anyone know if it is possible, or can point me in the right direction to some documentation that discusses Oracle database user authentication against an Enterprise Directory Service, in my case MS AD?
My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Windows clients. I would like to know if there is a way to authenticate users from Windows to the database using LDAP based (AD) authentication. In other words, how do I configure authentication to be done for "identified globally" accounts? I know that the identified globally accounts require the use of the CN, which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
So my questions are
1. Is it possible to authenticate users against AD without the implementation of OID?
2. Is there documentation someone has or can point me to that outlines the required steps?
3. Anything I should know?
I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
Thanks.
Sure, two methods to auth from Oracle DB to MSAD:
OID and OVD
I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD): http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
And this would be what the EUS config should look like:
http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
If you've done everything in the first doc...
Hope this answers your questions. -
External Authentication Against FND_USER Table
About a month ago Paul Encarnation posted a question concerning external authentication. One of the methods being used was against the FND_USER table in Oracle Apps. I can see looking up the user account in FND_USER but what about the password? So if you are authenticating against the FND_USER table, please share how you are dealing with the password.
Thanks.
Hi,
I have found that fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sure how I can integrate this.
Sorry for being thick but this is what I'm trying to do.
I have an application built in htmldb that I want to be accessible from the e-business suite applications main menu. I've set this up and a user can select it; however, I have no authentication, so even though it's not assigned to you, you can still go to the app by just entering the URL. So when a user goes to that htmldb app I want to check that they have that resp assigned to them, which can be done with the following
select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
where u.user_name = :APP_USER and u.user_id = ur.user_id
and ur.responsibility_id = XXXX
The two problems I have are:-
If a user goes straight to the htmldb URL I need to get them to log in and use the e-business suite login (we don't have SSO)
Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
I hope this makes sense. -
Authenticating against both RDBMS and LDAP in WL6.0
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
We are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_userID or int_userID.
Doing this will allow you to filter where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hope this helps.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
"Jonathan Thompson" <[email protected]> wrote in message
news:3accf1a3$[email protected]..
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
-
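The routing the first reply above proposes (a user-type prefix such as int_userID / ext_userID selecting which realm handles the login) is easy to get subtly wrong: if the custom realm falls through from one backend to the other on failure, every external account doubles the brute-force and enumeration surface of the internal directory, and a login with no recognised prefix should be rejected rather than guessed at. The following is an added example, not code from the thread and not the WebLogic 6 realm API; it is plain Python with two in-memory stand-in backends (an assumed LDAP-bind stand-in and an assumed RDBMS table with salted PBKDF2 hashes, both constructed here so it runs offline) showing one backend per prefix, no fall-through, and fail-closed on an unknown or missing prefix.

```python
"""Delegating realm that routes a login to LDAP or RDBMS by user-id prefix.

Added illustration only: not WebLogic's realm API and not code from the
thread.  The two backends are assumed stand-ins built from constructed test
data so the module runs offline; in a deployment LdapRealm would perform an
LDAP simple bind over TLS and RdbmsRealm would read the salt and hash from a
users table.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class LdapRealm:
    """Stand-in for an LDAP bind: the directory holds the credential and
    answers yes/no to a (uid, password) bind attempt (constructed data)."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory  # uid -> password, test data only

    def authenticate(self, uid: str, password: str) -> bool:
        stored = self._directory.get(uid)
        if stored is None:
            return False
        # A real directory does the comparison server-side; here we at least
        # compare in constant time so the stand-in does not leak by timing.
        return hmac.compare_digest(stored.encode(), password.encode())


class RdbmsRealm:
    """Stand-in for a users table holding (salt, PBKDF2-SHA256 digest)."""

    ITERATIONS = 200_000

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.ITERATIONS)

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[uid] = (salt, self._digest(password, salt))

    def authenticate(self, uid: str, password: str) -> bool:
        row = self._rows.get(uid)
        if row is None:
            # Do the same amount of work for an unknown user so "no such
            # account" and "wrong password" are not distinguishable by timing.
            self._digest(password, b"\x00" * 16)
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._digest(password, salt))


class DelegatingRealm:
    """Routes on the prefix the reply suggests ("int_" -> LDAP, "ext_" -> RDBMS).

    The prefix selects exactly one backend.  There is deliberately no
    fall-through to the other backend on failure, and a login whose prefix is
    missing or not registered is rejected before any backend is consulted.
    """

    def __init__(self, routes: Dict[str, object]) -> None:
        self._routes = routes  # prefix (without underscore) -> backend

    def split(self, login: str) -> Optional[Tuple[str, str]]:
        """Return (prefix, uid) or None when the login cannot be routed.
        Only the first underscore is the separator, so 'int_j_smith' yields
        ('int', 'j_smith')."""
        prefix, sep, uid = login.partition("_")
        if not sep or not uid or prefix not in self._routes:
            return None
        return prefix, uid

    def authenticate(self, login: str, password: str) -> bool:
        parts = self.split(login)
        if parts is None:
            return False  # fail closed: unroutable logins never reach a backend
        prefix, uid = parts
        return self._routes[prefix].authenticate(uid, password)


def build_demo() -> DelegatingRealm:
    """Constructed test fixture: one internal (LDAP) and one external (RDBMS) user."""
    ldap = LdapRealm({"alice": "correct horse"})
    rdbms = RdbmsRealm()
    rdbms.add_user("bob", "battery staple")
    return DelegatingRealm({"int": ldap, "ext": rdbms})


if __name__ == "__main__":
    realm = build_demo()
    for login, pw in [("int_alice", "correct horse"), ("ext_bob", "battery staple"),
                      ("alice", "correct horse"), ("int_bob", "battery staple")]:
        print(f"{login!r:14} -> {realm.authenticate(login, pw)}")
```

Note that "int_bob" fails even though bob's password is right for the RDBMS: the prefix is the routing decision, so a user cannot pick which backend verifies them by changing the prefix, and a login without any prefix is not tried against both.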
Webservices authentication against local vs. directory integration
On version CPSC 10.0 (at least), it appears that if you have Directory Integration enabled, the behavior for authentication for web services are as follows:
-- If calling any Requisition Service web services (that route to Request Center), web service authentication is performed against directory integration, so you are required to use a directory integrated login, and provide the login's LDAP password.
-- If calling any Task Service web services (that route to Service Link), web service authentication is performed against local person record password, so you are required to provide the login's local person record password.
Is there a way to use 'other' type of login/password for either web services? i.e. is there a way for me to use locally defined login to call Requisition Service web services, when Directory Integration is enabled, and vice versa for Task Service web services?
Thank you.
I don't think having SSH keys has any effect at all on AFP authentication. Two separate authentication mechanisms are at work here.
For SSH keys to work, each user ID on our local machines would need a matching network user defined on the server, and the authorized keys stored in that user's ~/.ssh folder on the server.
Once you get SSH working, you can use scp and rsync to move files around. -
Using rsync w/ two Essbase servers (Primary & Secondary)
I'm looking for information regarding the use of rsync w/ Essbase. I have two Essbase servers, Primary (Prod) and Secondary (DR), that I wish to keep in sync. Essbase is running on Linux OS, and is 931.
any information would be helpful.
Thanks
Hi Ed,
Thanks very much for your comments...
My Primary is currently the Log Collector anyway, if I upgrade them both at the same time then this would cause downtime for TACACS authentication.
Would you advise breaking the pair, leaving the Primary (Log Collector) active, upgrading the Secondary to become the new Primary after the upgrade, restore the Log Collector to the new Primary. Then upgrading the (old Primary/new secondary) and re-registering them both?
Further input would be appreciated - many thanks...