Teaming VS LDAP Attributes

Hello Teaming Enthusiasts,
Lots of us want to have more eDir user attributes on the Profile Page. Now that I am Beta testing 2.0 I have made some time available to do some research on this topic. With an LDAP Browser I've made an inventory of all the fields I would like to use on a Profile Page.
Find below the mappings of the internal Teaming identifiers to LDAP attributes I used:
mobile=mobile *
city=physicalDeliveryOfficeName *
phone=telephoneNumber *
organization=company *
description=description
postalCode=postalCode *
country=co *
userTitle=title *
firstName=gn
firstName=givenName
lastName=surname
street=street *
faxnumber=facsimileTelephoneNumber *
lastName=sn
emailAddress=mail
zonName=uid *
company, country and mobile are attributes added by, in my case, eGuide. As an alternative they can be accessed through the 'Other' page in C1. When not there you can create the attributes to the User class yourself.
The ones marked with an * are added. Look at the internal identifiers as if they were database fields (which they actually are). So when editing the Profile View (_user) use these fields to the Profile Form Definition > Form.
When you have finished and are satisfied with the results you can add them as business cards elements.
Have a look at the attachments (in the 3 following replies) to see where I put them and how the results look.
Have FUN -:)
Marcel.

In Kablink 3.2 I cannot find "organization":
"organization=company * "
Can you help me?
Serg

Similar Messages

  • GroupWise ldap attributes names

    Hi,
    I'm using Novell Identity Manager to synchronize users accounts to GroupWise. What are ldap attributes used to store information about email address, distribution lists and license type (full and limited)?
    Thanks


  • Inbound mail routing based on LDAP attribute mailsystem

    Hi gents and ladies,
    I have a small question ...
    Is it possible to route an email to a recipient based on an LDAP attribute like mailsystem or LDAP attribute domain?
    We have an infrastructure with domino and Xchange. All users have a - so called - maindomain.net SMTP Address.
    Is it possible to manage such routing via mail policies or message filters?
    Or is it just easy to realize this just with SMTP routing list? e.g. maindomain.net gets an entry in SMTP routing pointing to the domino gateway ... if no delivery is possible the default gateway (Xchange gateway) would be used instead?
    Thanks in advance for your help and hints.

    Hello  HPGroh2013,
    I think I answered your question in the previous entry, at least it looks the same to me.
    Regards,
    Andreas

  • Problem with getting LDAP attributes on ISE when EAPChaining is enabled

    Hi All,
    Has anybody an idea how to set LDAP attributes retrieval with EAPChaining enabled?
    My scenario is:
    - user with AnyConnect (EAP-FAST) connects to WLAN and sends its credentials
    - ISE authenticates username and password against Active Directory
    - ISE should check if the same userid contains in LDAP Directory (not AD, different store) special attribute which controls access to our WLAN
    - If the attribute is found, then authorization profile is matched.
    This works when I disable EAP-Chaining Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...
    In logs I've found that the user was not found in LDAP, but the user exists.
    Maybe the workaround can be if just user from EAPChaining is used and not also the hostname, then it could match. But I cannot find any similar parameter which returns only user.
    Does anybody have an idea how to solve this?
    Thanks!
    K.

    Hi,
    This seems like a corner issue, because EAP-FAST with LDAP is not supported. LDAP as the protocol doesn't support hash-based authentication, hence the reason ISE is failing to hit the LDAP database.
    Referencing ACS material since ISE docs are not complete:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html
    Sent from Cisco Technical Support Android App

  • ISE 1.1.1. and additional LDAP attribute retrieval

    Hello All,
    I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3. it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set sequence only for authentication, but not for additional attribute retrieval.
    When I set a condition in a policy that an LDAP attribute must match with some value, the attribute is not retrieved and authorization ends on default Deny Access.
    Can anyone help me how this can be set on ISE?
    Thanks!
    Regards
    Karel Navratil

    Yes that's what I've tried as I wrote in my first post, but the ISE does not retrieve the attribute from LDAP
    Here are some screenshots:
    authorization rule:
    ldap attribute in external identity source:
    and the logs:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12100  Prepared EAP-Request proposing EAP-FAST with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12810  Prepared TLS ServerDone message
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12812  Extracted TLS ClientKeyExchange message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12209  Starting EAP chaining
    12218  Selected identity type 'User'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24430  Authenticating user against Active Directory
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12200  Approved EAP-FAST client Tunnel PAC request
    12219  Selected identity type 'Machine'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    11055  User name change detected for the session. Attributes for the session will be removed from the cache
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24431  Authenticating machine against Active Directory
    24470  Machine authentication against Active Directory is successful
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12201  Approved EAP-FAST client Machine PAC request
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Rejected per authorization profile
    12855  PAC was not sent due to authorization failure
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11514  Unexpectedly received empty TLS message; treating as a rejection by the client
    12512  Treat the unexpected TLS acknowledge message as a rejection from the client
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    So there is no information that ISE tries to retrieve something from LDAP.
    Regards
    Karel

  • Address Book now showing all LDAP attributes

    The Address Book does not provide access to all LDAP attributes. For example
    homePhone
    homePostalAddress
    labeledURI
    are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to Thunderbird, which allows the mapping of all the fields it knows about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the de facto standard, is rather due for redesign.
    I am just wondering if anybody else is having this problem and if they found a solution?

    the script did not work for me
    python fixBirthdays
    Traceback (most recent call last):
    File "fixBirthdays", line 6, in <module>
    import AddressBook
    ImportError: No module named AddressBook
    Further, the particular one vcard that is misbehaving - I exported it, and opened in Tedit.
    This is what I see for the date field.
    item1.X-ABDATE;type=pref:2003-06-17
    Year is not negative either.
    I unchecked and checked birthday calendar in iCal. Exited iCal after uncheck, relaunched iCal and checked that option.
    no show of the birthdate.
    stumped.

  • LDAP attribute for user's last login time?

    Hi all,
    Is there an LDAP attribute that I could return (via an "ldapsearch" query) that would contain the user's last login time?
    We have:
    Directory Server Version: 5.2_Patch_2 ; Build number: 2004.107.0034
    other...
    Identity Server 2004Q2
    sparc-sun-solaris2.9
    Thanks in advance!

    Hello,
    If you need this info, you will have to create a password policy that logs last logon time.
    But be careful with this function, it can create a lot of CPU load.
    <http://docs.sun.com/app/docs/doc/820-4809/fhkrj?l=en&n=1&a=view>
    Regards
    Eric.

  • Read LDAP Attributes

    Hi Friends,
       Is it possible to read an LDAP attribute of a logged user from WD application running in portal? How and where to see all the available attributes in LDAP?
    Thanks in advance
    Nathan.

    Hi Nathan,
      Right now I am also working on using attribute values of LDAP users in a Web Dynpro application. You need to work on the UME API, which is available on SDN.
    You will get the values in the Web Dynpro application through this API.
    Thanks,
    sahu

  • Windows LDAP attributes match for the Synology LDAP client profile filter.

    I am having Windows server 2012 domain controller with LDAP enabled. I wish to enable LDAP client on Synology Diskstation to search for users and enable them access of shared folders of Synology. Hence, I have enabled the client which shows connected to the Windows LDAP service, but not populating any users.
    Anybody figured out this? It requires profile settings. I'm finding difficult to identify the LDAP attributes match for the Synology profile filter attributes.
    Refer following image.
    This topic first appeared in the Spiceworks Community

    Specify a Dynamic Access Profile with:
    Criteria: User has ALL of the following AAA attribute values...
    ldap.memberOf != GroupName
    cisco.tunnelgroup = TunnelGruopName
    Should work
    /K

  • Getting operational ldap attributes using amSDK

    Is there any way to get operational ldap attributes of a user? I am trying to get "passwordexpirationtime" attribute.
    amUser.getStringAttribute("passwordexpirationtime");
    does not return anything.. no exceptions.
    tried getAttributesFromDataStore, that too does not return anything..
    Set attr = new HashSet();
    attr.add("passwordexpirationtime");
    Map exptime = amUser.getAttributesFromDataStore(attr);
    is this supported?
    Using JES2005Q4 with AM patch - 120954-04
    Regards,
    Pradeep.

    Hi Bill,
    First I like to state that I'm not an expert on CUEAC. Have you looked at this post,
    https://supportforums.cisco.com/message/4071453#4071453
    I don't know if it's related or not, but the guy answering seems to be well versed in CUEAC.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Access LDAP attribute from Webmail

    Hi there,
    We need to do some customizations on webmail.
    One of the things we want to do is to be able to read and write an ldap attribute outside the multivalue attribute NSWMEXTENDEDUSERPREFS.
    I've seen on "Webmail Express Customization Guide" that we can load on http startup other external attributes using a command like:
    configutil -l -o service.http.extrauserldapattrs -v myattribute:w
    on which the :w at the end means that webmail could have write access to the attribute. (Pag 71 of W.E.C. Guide)
    I've done that, but the problem is that if I try to write a new value on the attribute, the value is created on the NSWMEXTENDEDUSERPREFS as myattribute=value
    So .. It reads from one side but write to another! Any ideas how to write on the myattribute directly from webmail interface?!
    Thanks,
    Sergio Sousa

    Hi,
    Have you already tried to read the attribute directly from the BOL in the implementation class of the view, without creating any new context node? Maybe this coding might help you:
    DATA: lr_entity        TYPE REF TO cl_crm_bol_entity.
    DATA: lv_collection TYPE REF TO if_bol_bo_col.
    DATA: lv_cat type string.
    lr_entity ?= me->typed_context->BTAdminH->collection_wrapper->get_current( ).
      TRY.
      lv_collection = lr_entity->get_related_entities( iv_relation_name = 'BTHeaderActivityExt' ).
       CATCH cx_sy_ref_is_initial.
    ENDTRY.
          lr_entity ?= lv_collection->get_current( ).
      CALL METHOD lr_entity->if_bol_bo_property_access~get_property_as_string
        EXPORTING
          iv_attr_name = 'CATEGORY'
        RECEIVING
          rv_result    = lv_cat.
    Best regards,
    Oliver

  • Provision user to a resource when a LDAP attribute is set to true by active

    HI,
    I have the following requirement
    When a particular attribute in LDAP is set to true then we have to pick it by the active sync process and provision the user in another resource.
    Can any one let me know how to go about this.

    I'd do it like this:
    Create a business role "SomeRole" that includes an IT-Role that includes the target resource.
    In the activeSync form, assign this role depending on the LDAP attribute:
    <Field name='waveset.roles'>
      <Expansion>
        <cond>
          <eq>
            <ref>accounts[LDAP].thisParticularAttribute</ref>
            <s>true</s>
          </eq>
         <s>SomeRole</s> <!-- you will need to append the role to the list if the user already has roles, otherwise all roles will be overwritten by this single value -->
         <ref>waveset.roles</ref>
        </cond>
      </Expansion>
    </Field>

  • How to associate LDAP attributes with the subject?

    I am writing a custom role mapper and want to determine the roles of the subject
    depending on values of LDAP attributes. Is it possible to associate LDAP attributes
    with the Subject?
    We use iPlanet and hence I have configured iPlanetAuthenticator as the Authentication
    Provider. Is it possible to configure iPlanetAuthenticator so that the LDAP attribute
    values are associated with the subject? Or is it possible to extend iPlanetAuthenticator
    for this purpose?
    Is there a way to do this other than writing my own AuthenticationProvider?
    Thanks in advance.
    Jay

    "Jay" <[email protected]> wrote in message
    news:3f1d77f7$[email protected]..
    > I am writing a custom role mapper and want to determine the roles of the subject
    > depending on values of LDAP attributes. Is it possible to associate LDAP attributes
    > with the Subject?
    Which LDAP attributes are you interested in? We can look at adding this
    functionality if we have more info.
    > We use iPlanet and hence I have configured iPlanetAuthenticator as the Authentication
    > Provider. Is it possible to configure iPlanetAuthenticator so that the LDAP attribute
    > values are associated with the subject? Or is it possible to extend iPlanetAuthenticator
    > for this purpose?
    There is no way to extend the provider.
    > Is there a way to do this other than writing my own AuthenticationProvider?
    You may be able to write a separate provider that works in conjunction with
    the authentication provider. It would add the principals with the ldap
    attributes.
    > Thanks in advance.
    > Jay

  • How to retrieve only LDAP attributes

    Any way to retrieve only the available LDAP attributes?
    I want to display all the available LDAP attributes on the UI (like sn, cn, etc.) and let user select which ones he want to retrieve.
    Thanks.

    This would be a function of building an ldapsearch in your code and stating the attributes you want returned as input from the user. It's better to know up front what attributes are available from the LDAP based on access rights, and make that static, instead of retrieving them every time someone opens a web page. If you run an ldapsearch and state the attributes you want returned you will only get those back.
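
The approach in the answer above, as an added example that is not part of the original thread: the user's attribute selection is checked against a static allow-list before it reaches the `ldapsearch` argument list, and the search value is escaped per RFC 4515. The allow-list contents, the `inetOrgPerson`/`uid` filter, the function names and the server URI are assumptions made for illustration; bind credentials are left out.

```python
import re

# Assumption: a static allow-list, decided up front from what the bind
# account is permitted to read. The names here are illustrative only.
ALLOWED_ATTRS = ("cn", "sn", "givenName", "mail", "telephoneNumber", "title")

# Plain attribute descriptor: a letter, then letters, digits or hyphens.
# This deliberately rejects "*", "+", options (";binary") and numeric OIDs.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for b in value.encode("utf-8"):
        ch = chr(b)
        # The filter metacharacters, NUL and every non-ASCII octet are
        # written as a backslash followed by two hex digits.
        if ch in "\\*()" or b == 0 or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(ch)
    return "".join(out)


def select_attributes(requested):
    """Return the requested attributes in canonical spelling, deduplicated.

    Fails closed: anything malformed or not on the allow-list raises
    ValueError instead of being silently dropped.
    """
    canonical = {name.lower(): name for name in ALLOWED_ATTRS}
    chosen = []
    for name in requested:
        if not _ATTR_RE.match(name):
            raise ValueError("malformed attribute name: %r" % name)
        allowed = canonical.get(name.lower())
        if allowed is None:
            raise ValueError("attribute not allowed: %r" % name)
        if allowed not in chosen:
            chosen.append(allowed)
    return chosen


def build_ldapsearch_argv(uri, base_dn, uid, requested_attrs):
    """Build an argument list for ldapsearch; it is never passed to a shell."""
    attrs = select_attributes(requested_attrs)
    if not attrs:
        # With no attribute list the server returns every user attribute
        # the bind account can read, so an empty selection is refused.
        raise ValueError("no attributes selected")
    ldap_filter = "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)
    return ["ldapsearch", "-x", "-LLL", "-H", uri,
            "-b", base_dn, "-s", "sub", ldap_filter] + attrs


if __name__ == "__main__":
    # Constructed sample input: placeholder server, base DN and user id.
    print(build_ldapsearch_argv("ldaps://ldap.example.org",
                                "ou=people,dc=example,dc=org",
                                "jdoe", ["cn", "MAIL"]))
```
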

  • Customizing default LDAP attributes. Is it possible?

    Hello,
    Does anybody know if there is a way to give default LDAP attributes (such as mail, mailAlternateAddress, and so on...) write permissions?
    There are some notes explaining how to customize 'extra' LDAP attributes, but nothing about default ones.
    TIA,
    Carlos.

    What are you trying to achieve? The attributes you're talking about are there to be written by the admin user(s) for provisioning users. If you're having problems writing them, what user do you use?
