Teaming VS LDAP Attributes
Hello Teaming Enthusiasts,
Lots of us want to have more eDir user attributes on the Profile Page. Now that I am Beta testing 2.0 I have made some time available to do some research on this topic. With an LDAP Browser I've made an inventory of all the fields I would like to use on a Profile Page.
Find below the mappings of the internal Teaming identifiers to LDAP attributes I used:
mobile=mobile *
city=physicalDeliveryOfficeName *
phone=telephoneNumber *
organization=company *
description=description
postalCode=postalCode *
country=co *
userTitle=title *
firstName=gn
firstName=givenName
lastName=surname
street=street *
faxnumber=facsimileTelephoneNumber *
lastName=sn
emailAddress=mail
zonName=uid *
company, country and mobile are attributes added by, in my case, eGuide. As an alternative they can be accessed through the 'Other' page in C1. When not there you can create the attributes on the User class yourself.
The ones marked with an * are added. Look at the internal identifiers as if they were database fields (which they actually are). So when editing the Profile View (_user) use these fields in the Profile Form Definition > Form.
When you have finished and are satisfied with the results you can add them as business card elements.
Have a look at the attachments (in the 3 following replies) to see where I put them and how the results look.
Have FUN -:)
Marcel.
In Kablink 3.2 I cannot find "organization":
"organization=company * "
Can you help me?
Serg
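As an added example (not Teaming or Kablink code), the mapping list from the original post is parsed and resolved against a constructed eDirectory entry, and a check reports which of the starred attributes are absent from a directory's schema, which is the situation in the reply above where organization=company finds nothing. The sample entry, the schema set and the function names are assumptions.

```python
"""Resolve Teaming profile fields from an LDAP entry using the mapping list
from the post. Added example; not Teaming/Kablink code."""
from typing import Dict, List, Set, Tuple

# Mapping list from the post, verbatim. A trailing " *" marks an attribute
# that is not in the base eDirectory User class (added by eGuide or by hand).
MAPPING_TEXT = """\
mobile=mobile *
city=physicalDeliveryOfficeName *
phone=telephoneNumber *
organization=company *
description=description
postalCode=postalCode *
country=co *
userTitle=title *
firstName=gn
firstName=givenName
lastName=surname
street=street *
faxnumber=facsimileTelephoneNumber *
lastName=sn
emailAddress=mail
zonName=uid *
"""

# Constructed eDirectory entry (fictitious person, base User class only, so
# company, co and mobile are not present). Values are lists, as LDAP
# libraries return them.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
    "mail": ["jdoe@example.test"], "telephoneNumber": ["+31 10 555 0100"],
    "title": ["Consultant"], "physicalDeliveryOfficeName": ["Rotterdam"],
    "description": ["Teaming beta tester"], "postalCode": ["3011AA"],
    "street": ["Coolsingel 1"],
}

# Constructed list of attribute types the directory schema defines (what an
# LDAP browser would show); stands in for a real subschema read.
SAMPLE_SCHEMA: Set[str] = {
    "uid", "givenName", "gn", "sn", "surname", "mail", "telephoneNumber",
    "title", "physicalDeliveryOfficeName", "description", "postalCode",
    "street", "facsimileTelephoneNumber",
}


def parse_mappings(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return ({teaming_field: [ldap_attr, ...]}, {attrs flagged with *}).
    A field listed twice (firstName=gn, firstName=givenName) keeps both
    candidates in order, so the first one present in the entry wins."""
    fields: Dict[str, List[str]] = {}
    extended: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        flagged = line.endswith("*")
        field, attr = (p.strip() for p in line.rstrip("* ").split("=", 1))
        fields.setdefault(field, []).append(attr)
        if flagged:
            extended.add(attr)
    return fields, extended


def resolve_profile(entry: Dict[str, List[str]], fields: Dict[str, List[str]]):
    """Fill each Teaming field from the first candidate attribute that has a
    value. LDAP attribute names are case-insensitive, so lookups are folded.
    Returns (profile, unresolved) with the candidates tried for empty fields."""
    lowered = {k.lower(): v for k, v in entry.items()}
    profile: Dict[str, str] = {}
    unresolved: Dict[str, List[str]] = {}
    for field, candidates in fields.items():
        for attr in candidates:
            values = lowered.get(attr.lower()) or []
            if values:
                profile[field] = values[0]
                break
        else:
            unresolved[field] = candidates
    return profile, unresolved


def missing_schema_attrs(extended: Set[str], schema: Set[str]) -> List[str]:
    """Starred attributes the schema lacks: these must be added to the User
    class (eGuide or ConsoleOne) before the mapping can ever populate."""
    known = {a.lower() for a in schema}
    return sorted(a for a in extended if a.lower() not in known)
```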