UltraSearch and ACLs

Hi @all!
Does anyone know how to use the ACLHelper class?
I have implemented my own CrawlerAgent and I want to protect the fetched data with ACLs, but I have no idea how it works.
I have tested the addPrincipal and addDenyPrincipal methods with some different options, e.g.:
aclHelper.addPrincipal("orcladmin",AclHelper.GUID,AclHelper.USER);
aclHelper.addPrincipal("orcladmin",AclHelper.DN,AclHelper.USER);
aclHelper.addPrincipal("myrealm/orcladmin",AclHelper.GUID,AclHelper.USER);
aclHelper.addPrincipal("myrealm/orcladmin",AclHelper.DN,AclHelper.USER);
aclHelper.addPrincipal("cn=orcladmin,cn=users,dc=mydomain,dc=at",AclHelper.GUID,AclHelper.USER);
aclHelper.addPrincipal("cn=orcladmin,cn=users,dc=mydomain,dc=at",AclHelper.DN,AclHelper.USER);
aclHelper.addPrincipal("EEF514BBA65E1536E0340003BA5D0D8B",AclHelper.GUID,AclHelper.USER); // this hash value is the GUID of orcladmin.
Adding the acl to the url:
urlNode.setProperty(UrlData.ACL,aclHelper.getAclString());
After indexing all url data with ultra search admin interface and starting ultra search sample query application (/ultrasearch/query/usearch.jsp) I got the following errors:
java.sql.SQLException: ORA-20000: Oracle Ultra Search-Error
ORA-01017: invalid username/password; logon denied
about to fetch row 1
ORA-06512: in "WKSYS.WK_ERR", line 179
ORA-06512: in "WKSYS.WK_QRY", line 1009
ORA-06512: in line 1
Note: ultra search backend (DB) is configured for secure search and is registered against LDAP (OID).
Please, can someone help me?
regards,
Dorian.

I had the same error, after applying patch 4163362 it worked

Similar Messages

  • Errors found when using tar and ACL's

    Having difficulties with TAR and ACLs, and wondering if anyone had seen this before.
    Here's the scenario: create a few directories and a few files. Tar it up and extract the files. Now assign some ACL's to them (some default for directories), tar it up, and extract the files. Permissions should remain the same. Under most circumstances they are.
    Now repeat the procedure, but put a default directory ACL on the parent directory where the TAR is created. What happens is that the group permissions for anything un-tared gets trashed.
    Here's a script to test it out.
    Create a dummy user (I called mine foobar) -- required for setting ACL's. Run the script with the "-d" option at first. Things appear good. You can compare the permissions on the bottom for each file/directory.
    Run the script with the "-s" option setting default ACL's on the parent.
    #!/usr/bin/sh
    ROOTDIR=/export/home/christian/config
    TESTDIR=/export/home/christian
    USER_X="oam"
    # Run the script once with normal permissions (no ACL's) in the test directory (where tar is located)
    # --> ./test.sh -d
    # look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They should be relatively the same:
    # --> rwxrwxrwx permissions on directories
    # --> rw-rw-rw- on files
    # Now run the script but set the parent directory of the script (where the TAR's are located) to have default ACL's
    # --> /opt/MMSsyscnf/sub2dir/test/test.sh -s
    # Now look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They are COMPLETELY skewed. Both times we tried to untar the files, ACL's wound up
    # all over the place and permissions were not set correctly.
    # --> rwxrwxrwx permissions ONLY on original directory (not the product of an UNTAR)
    # --> rwxr--rwx permissions on directories created by untar
    # --> rw-rw-rw- on files ONLY on original directory (not the product of an UNTAR)
    # --> rw-r--rw- on files created by untar
    # ****** Why is group affected by this, but "other" is not?! It's gotta be a bug!
    # MAIN
    ACTION="NOPREP"
    while [ -n "$1" ]
    do
        if [ "ABC$1" = "ABC-d" ]; then
            #flag set to try and remove default directory ACL's
            setfacl -d u:$USER_X $TESTDIR
            setfacl -d d:u:$USER_X $TESTDIR
            setfacl -d d:u::,d:g::,d:m:,d:o: $TESTDIR
        elif [ "ABC$1" = "ABC-s" ]; then
            setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $TESTDIR
            setfacl -r -m d:u:$USER_X:rw- $TESTDIR
            setfacl -r -m u:$USER_X:r-x $TESTDIR
        fi
        shift;
    done
    # clean up previous run of the test
    rm -r $ROOTDIR
    # create files/directories
    mkdir $ROOTDIR
    mkdir $ROOTDIR/sub1dir
    mkdir $ROOTDIR/sub1dir/sub2dir
    mkdir $ROOTDIR/sub1dir/sub2dir/sub3dir
    #set permissions
    chmod 777 $ROOTDIR
    chmod 777 $ROOTDIR/sub1dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir/sub3dir
    # create files
    echo "" > $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "" > $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/file1.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    # tar/zip the files:
    /usr/bin/tar -cvf $ROOTDIR/tarBeforeACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarBeforeACLs.tar
    # move the directory (so we keep the original as a template of what things should look like)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_orig
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarBeforeACLs.tar
    /usr/bin/tar -xvf $ROOTDIR/tarBeforeACLs.tar
    ls -lR $ROOTDIR
    # Ok. These have been tested to be the exact same.
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # Let's try using ACL's now
    # --> directories (owned by root) must be accessible to OAM user.
    # --> files (owned by root) must be read/writable by user OAM when created in the directories
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/file1.txt
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir
    # here are things as they stand
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # tar/zip the files:
    /usr/bin/tar -cvfp $ROOTDIR/tarAfterACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarAfterACLs.tar
    # move the directory (so we keep the directory that was applied ACL's)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_acl
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarAfterACLs.tar
    /usr/bin/tar -xvfp $ROOTDIR/tarAfterACLs.tar
    # here are things after we've untared them
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig $ROOTDIR/sub1dir_acl $ROOTDIR/sub1dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir $ROOTDIR/sub1dir_acl/sub2dir $ROOTDIR/sub1dir/sub2dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir $ROOTDIR/sub1dir_acl/sub2dir/sub3dir $ROOTDIR/sub1dir/sub2dir/sub3dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/file1.txt $ROOTDIR/sub1dir_acl/sub2dir/file1.txt $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir_acl/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    echo "********************************************************************************"
    Any ideas?

    UFSDUMP has some limitations, including being on a file system that is read-only. Yes, I could force it on a read-write FS, but I normally stay away from big sticker labels found in man pages when I encounter them. :-(
    What I was originally after was a script that makes a backup of application configuration files before I modify them. Thus, I tar/zip the directory.
    These config files/directories have ACL's attached to them to allow various roles to access them (group permissions are not fine-grain enough). However, when I ran through a couple of tests, I came across a scenario that overwrote the original permissions. Tested it on Solaris 10 and Solaris 9, and both fail.
    So now (very late into the feature design) I'm VERY concerned about using ACL's on Solaris, and wonder what other side-effects there are that I'm not aware of. Can't seem to find a bug report on it, so I thought I'd ask around to see if it was just the behaviour of the TAR/ACL that I'm not quite getting, or if it really is a bug.
    /chris

  • Role based security and ACLs

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

  • Document browser and ACL Authorization

    Dear friends,
    We are working on ECC 6.0 and required to implement SAP DMS. As of with every ERP 2005 default two features are coming, document browser and ACL Authorization. These features are not required by users, so we need to de-activate these. We have a note for these wherein it is mentioned that one of the component is required to upgrade. We don't want to go with this. If any note is there by applying which we can de-activate those features will be well and good, instead of upgrading component.
    Regards,

    Dear Tushar,
    This t-code will be enable only after support pack SAPKGPAD11 or greater version is implemented. Our client is not in the position to upgrade, by implementing support packs. Alternate solution if any, pls suggest. By applying any notes if we can de-activate these features, let us know.
    Regards,
    Punam

  • Activate Document Browser and ACLs

    Hi all,
    I want to activate the Document Browser and ACLs tab in the DIR.
    I have followed CAC--> Document Management --> Control Data --> Activate Document Browser and ACLs and then I've maintained "X" for each tab, but in the DIR nothing appears.
    Have you any suggestions?
    Thanks,
    Marco.

    Hi,
    In this activity, you can activate the document browser and ACLs independently of one another.
    When you select the indicators, the tab pages Document Browser and Authorizations are available in document editing.
    The document browser contains the folder structure of SAP Easy Document Management, which you can use to edit documents. For more information about the document browser, see SAP Library under SAP ERP Central Component -> Cross-Application Components -> Document Management -> Document Browser.
    You use ACLs to pass on access rights that you created for a particular folder to other folders in the same structure. For more information about ACLs, see SAP Library under SAP ERP Central Component  -> Cross-Application Components -> SAP Easy Document Management -> Work with SAP Easy Document Management -> Authorizations in SAP Easy Document Management
    Also check:
    As of SAP ERP 2005, all ACLs are automatically available in SAP Easy Document Management and the back-end system. As of SAP R/3 4.7, it is possible to implement ACLs and you have to implement ACLs up to SAP ERP 2005 (see SAP Note 798504).
    http://help.sap.com/saphelp_erp60_sp/helpdata/en/7c/4ca9429888b111e10000000a155106/frameset.htm
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/plm/newFunctionalitiesinERP2005
    Benakaraja ES
    Edited by: benaka rajes on Jun 11, 2009 10:48 AM

  • Using UltraSearch and Apache to implement Desktop Search on Linux/Windows

    Hi all:
    I made this howto for implementing Desktop Search on Linux/Windows using UltraSearch and Apache.
    Here the link:
    http://www1.exa.unicen.edu.ar/~mochoa/Miscellaneous/My_Desktop_Search-5.pdf
    Hope this hack, Marcelo.

    > I have used eclipse to create an executable jar. This is run on the console with commands like
    > #java -jar myJarFile.jar
    > Am using linux(OpenSUSE)
    > How can I create an executable file in such a way that the user just clicks on the icon and the system launches?
    There are at least two basic ways you can head.
    1) Add a manifest file to the Jar that specifies the main class. The end user can 'double click' it to launch the app.
    2) Deploy the Jar using webstart, which can install desktop and menu item shortcuts for a program (plus adding splash screens, automatic update..) while installing it.

  • Reset Pasword - do I need to reset Directory Permissions and ACLs?

    I reset the password as described below on my mom's computer, as she forgot it.
    http://support.apple.com/kb/HT1274
    I did not reset Directory Permissions and ACLs.
    Do I need to do this?
    Thanks!

    JulieK23 wrote:
    > I reset the password as described below on my mom's computer, as she forgot it.
    > http://support.apple.com/kb/HT1274
    > I did not reset Directory Permissions and ACLs.
    > Do I need to do this?
    Only if there was something wrong with them. Otherwise this is quite independent of resetting the password and is not necessary if all you need is to reset the password.
    > Thanks!

  • Reset Home Folder Permissions and ACLs spinning forever

    Hi, all.
    The performance of my Intel iMac (circa 2008 or so) had degraded quite a bit, so I decided it was time to reinstall Snow Leopard. Did so, then restored my apps and documents via Time Machine. Suddenly, it was impossible to launch most applications (Chrome, the App Store, etc.) Repairing permissions using Disk Utility did not help.
    Upon reading an article on this, I booted from the Snow Leopard disk, entered the Reset Password utility, and attempted to Reset Home Folder Permissions and ACLs. The process has been running for several hours with no end in sight and no error message. Is this normal? And if not, what should my next step be?
    Thanks so much!

    Do a force shutdown holding the power button and reboot to get into the machine (might have to hold Shift Key) and get a copy of your users files off and onto a external storage drive (not TimeMachine)
    Then start all over using this method select the entire drive to zero erase and install, that should clear the bad sector issue it appears you're having.
    How to erase and install Snow Leopard 10.6
    Do not restore anything from TimeMachine, it's corrupted data, reinstall all apps fresh from original sources and only files (you know are good) from the storage drive.
    This is known as a "fresh install method" later you can update TM to backup this newer and cleaner configuration.
    Why is my computer slow?
    For Snow Leopard Speed Freaks
    once you get all tweaked, clone it.
    Most commonly used backup methods
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • Anyconnect ssl vpn and acl

    Hi Everyone,
    I was testing few things at my home lab.
    PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
    anyconnect ssl is working fine and I am also able to access internet.
    I am using full tunnel
    I have acl on outside interface of ASA
    1  True  any  any  ip  Deny  0  Default
    I know that ACL is used for traffic passing via ASA.
    I need to understand the traffic flow for access to internet via ssl vpn?
    Regards
    MAhesh

    As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
    You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

  • Problem with cp and ACL default entry for mask

    I am having a problem with the cp command, copying to a directory with default ACL entries.
    I don't think it is creating the ACL's of the resultant files correctly.
    I have two users (let's call them mark and john).
    As john I create a directory and give it ACL privileges to mark, as well as setting defaults to give john writes to anything mark creates.
    john> mkdir for-mark
    john> setfacl -rm 'user:mark:rwx,default:user::rwx,default:user:john:rwx,default:group::r-x,default:mask:rwx,default:other:r-x' for-mark
    john> getfacl for-mark
    # file: for-mark
    # owner: john
    # group: john
    user::rwx
    user:mark:rwx #effective:rwx
    group::r-x #effective:r-x
    mask:rwx
    other:r-x
    default:user::rwx
    default:user:john:rwx
    default:group::r-x
    default:mask:rwx
    default:other:r-x
    As mark I copy files to that directory:
    mark> cp myfile /home/john/for-mark
    mark> getfacl /home/john/for-mark/myfile
    # file: /home/john/for-mark/myfile
    # owner: mark
    # group: staff
    user::rw-
    user:john:rwx #effective:r--
    group::r-- #effective:r--
    mask:r--
    other:r--
    The mask is incorrectly set to r-- instead of rwx.
    This leaves john unable to write to myfile (although, strangely he can delete it).
    I am NOT using the -p option on cp. I would expect this behavior if I did.
    Mark can create a file with touch or vi and the mask is incorrectly set to rw-, which is a little better. Compiles are definitely created correctly with rwx.
    Is this a bug? Or am I doing something wrong.
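
The mask values reported in the post above (r-- after cp, rw- after touch, rwx for compiler output) can be reproduced by modelling how a default ACL is combined with the mode the creating program passes to open(). This is an added example, not part of the original post; it models the POSIX.1e draft rule as documented in Linux acl(5), and it assumes that Solaris applies the same masking and that myfile has mode 0644 (the post does not state it).

```python
"""Model: a new file's access ACL is the parent's default ACL, with the
class entries restricted by the mode passed to open()/creat(); the umask is
not used when a default ACL exists (POSIX.1e draft, Linux acl(5)).
Assumption: Solaris UFS applies the same masking."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm(text):
    """'r-x' -> 5; rejects anything that is not a 3-character rwx string."""
    if len(text) != 3:
        raise ValueError("bad permission string: %r" % text)
    value = 0
    for ch, expected in zip(text, "rwx"):
        if ch == expected:
            value |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError("bad permission string: %r" % text)
    return value


def fmt_perm(value):
    return "".join(c if value & PERM_BITS[c] else "-" for c in "rwx")


def parse_default_acl(spec):
    """Parse a setfacl-style list and keep only the default: entries.

    Accepts both 'default:mask:rwx' (as in the post) and 'default:mask::rwx'.
    Returns {(tag, qualifier): perm_bits}."""
    acl = {}
    for item in spec.split(","):
        parts = item.strip().split(":")
        if parts[0] not in ("default", "d"):
            continue  # the directory's own access entries are not inherited
        rest = parts[1:]
        if len(rest) not in (2, 3):
            raise ValueError("bad ACL entry: %r" % item)
        qualifier = rest[1] if len(rest) == 3 else ""
        acl[(rest[0], qualifier)] = parse_perm(rest[-1])
    for required in (("user", ""), ("group", ""), ("other", "")):
        if required not in acl:
            raise ValueError("default ACL lacks %s entry" % required[0])
    return acl


def inherit(default_acl, create_mode):
    """Access ACL of a file created with create_mode under default_acl."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    group_bits = (create_mode >> 3) & 7
    if ("mask", "") in acl:
        acl[("mask", "")] &= group_bits    # group bits of the mode hit the mask
    else:
        acl[("group", "")] &= group_bits   # no mask: they hit group:: directly
    return acl


def effective(acl, tag, qualifier=""):
    """Owner and other are never masked; every other entry is ANDed with mask."""
    perm = acl[(tag, qualifier)]
    if (tag, qualifier) in (("user", ""), ("other", "")):
        return perm
    return perm & acl.get(("mask", ""), 7)


def summarize(spec, create_mode):
    """Effective permissions, as strings, of a file created under spec."""
    acl = inherit(parse_default_acl(spec), create_mode)
    out = {}
    for tag, qualifier in sorted(acl):
        if tag == "mask":
            out["mask"] = fmt_perm(acl[(tag, qualifier)])
        else:
            name = "other" if tag == "other" else "%s:%s" % (tag, qualifier)
            out[name] = fmt_perm(effective(acl, tag, qualifier))
    return out


# The setfacl argument from the post, verbatim.
FOR_MARK_SPEC = ("user:mark:rwx,default:user::rwx,default:user:john:rwx,"
                 "default:group::r-x,default:mask:rwx,default:other:r-x")

# Create modes are assumptions: cp reuses the source mode (0644 assumed),
# touch asks for 0666, a linker asks for 0777.
CREATE_MODES = {"cp (0644 source)": 0o644, "touch": 0o666, "compiler": 0o777}

if __name__ == "__main__":
    for label, mode in CREATE_MODES.items():
        print(label, summarize(FOR_MARK_SPEC, mode))
```

The stored group:: entry in the post's getfacl output is r-- where this model keeps r-x; the effective value is r-- in both cases. To give john write access regardless of the creating program's mode, the mask has to be widened on the file after creation.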

    You are having issues in client 000 right?
    I don't think login/no_automatic_user_sapstar = 0 will help you. This parameter will help you to login newly created client ( other than 000/001) with sap* and password PASS.
    login/failed_user_auto_unlock = 1 , will enable automatic unlock of locked user at midnight
    Did you use the correct Maxdb sql command?
    Thanks
    Prince Jose

  • 10.4.8 Server, AFP and ACLs

    Hello all!
    Before escalating I would like to have others take a look at this and confirm.
    Setup:
    - 10.4.8 Server, OD-master
    - AFP Share: "Test"
    - Usergroup: standard
    AFP-Share "Test":
    - Posix: ralph:standard, 644
    - ACE: 0: group:standard allow list,addfile,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directoryinherit (ie allow all)
    - create Testfile in share:
    anotheruser@server:/Volumes/Storage/Test$ touch testfile
    anotheruser@server:/Volumes/Storage/Test$ ls -ale testfile
    -rw-r--r-- + 1 anotheruser standard 0 31 Okt 11:20 testfile
    0: group:standard inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
    Ok, here we go:
    a) chown testfile for a user of the group standard will succeed when ssh'ed to the server
    b) chown testfile fails when working on a client computer that is bound to OD and mounts the share via afp.
    a)
    testuser@client-comp$ ssh server
    testuser@server$ chown testuser:standard /Volumes/Storage/Test/testfile
    testuser@server$ ls -al /Volumes/Storage/Test/testfile
    -rw-r--r-- + 1 testuser standard 0 31 Okt 11:20 testfile
    b)
    Computer bound to OD:
    - 10.4.8
    - testuser is a true OD user, not a local user
    - log into client computer as testuser
    - mount share via afp with testusers credentials
    testuser@client-comp:~$ cd /Volumes/Test
    testuser@client-comp:/Volumes/Test$ ls -ale testfile
    -rw-r--r-- + 1 anotheruser standard 0 31 Okt 11:20 testfile
    0: group:standard inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
    testuser@client-comp:/Volumes/Test$ chown testuser:standard testfile
    Permission denied
    testuser@client-comp:/Volumes/Test$
    Ooops!!!!!
    This breaks saving in Freehand MX of opened and edited documents that you want to save and replace (Command-S).
    Awaiting thoughts/confirmation before filing bug report.
    -Ralph

    I've experienced the same problem. My users can chown by ssh'ing to AFP server of file in question but can't in Terminal perform chown on same file logged in to localhost by default.
    This subverts ACLs' usefulness in at least the respect that allowing group members to change ownership of files served in accordance with AFP is rendered unduly complex. One might as well not try that setting--for most clients, anyway.
    Moreover, my take is that this is no small matter. I've posted more here. http://discussions.apple.com/thread.jspa?threadID=831517
    In this thread, though, can anyone comment on this or suggest how my users can invoke their ACL permission as members of a certain group to chown files on AFP shares in a local shell or--imagine this--in the "Get Info" interface?
    PS In my search for a workaround, I posted under the topic "Command Line & Terminal":
    http://discussions.apple.com/thread.jspa?threadID=830698&tstart=0
    PPS Maybe this is an old problem. See this 2004 posting about "a bug lingering somewhere in the afp client code".
    http://discussions.apple.com/thread.jspa?messageID=3855261&#3855261
    PowerMac   Mac OS X (10.4.8)  

  • I screwed up my permissions and ACLs

    In a nutshell:
    1. Upgraded from Tiger to Leopard 10.5
    2. Did all subsequent upgrades to 10.5.2
    3. Problems began with folder access - for example, I couldn't install widgets in the main library widgets folder; I kept getting a message that the folder was write-protected. Also, auto-recovery in MS Word aborted, presumably because I don't have access to the folder where those files are stored.
    4. During my attempts to diagnose and cure the problem, I went to "Get Info" for my hard drive option and clicked on the dreaded "Apply to enclosed items". As everyone has warned, that was a bad move.
    5. Did an archive and install of 10.5. After reading these discussions, I also reset all ACLs to their original settings.
    6. None of this solved anything, so I did a second archive and install. That didn't help either. I still have the problems, and now when I repair permissions, I get the following messages:
    ACL found but not expected on "private/tmp".
    ACL found but not expected on ".vol".
    ACL found but not expected on "Volumes".
    ACL found but not expected on "cores".
    ACL found but not expected on "Network".
    ACL found but not expected on "private".
    ACL found but not expected on ".".
    Is there a solution short of doing an erase and install?
    Thanks in advance.
    Message was edited by: Dick Young

    Here they are:
    drwxrwxr-x+ 99 root admin 3366 Apr 17 18:19 /Applications
    0: group:everyone deny delete
    drwxrwxr-t+ 54 root admin 1836 Apr 17 14:42 /Library
    0: group:everyone deny delete
    Actually, as I explore this a little more, I see that I may have misunderstood some of what was going on, and I may have been testing access incorrectly. It looks now as if things are working the way they should, but I'd appreciate your looking at the results and letting me know if that's what they should be.
    I greatly appreciate your help. This whole Unix permissions thing is terra incognita to me, and that makes it a bit scary.

  • Which ports and ACL ( servers) need to be opened for Jabber Video

    Hi All,
    We are Cisco partners ( ODC at Aricent New Delhi India)  working for multiple Cisco projects.
    We want to use Jabber Video for communication but as partners ACL ( Server/ports ) need to be opened to access the Jabber video servers.
    Can somebody list me all the Jabber Server/Ports to which Jabber client need access to.
    Can somebody please respond asap as we have opened an EXAM case for opening the ACL and need the list asap.
    Thanks
    Saurabh    

    Thanks Hoan for the quick reply it answers part of my question.
    I also want to know for successful video calls which all servers I need access to, for e.g. first it tries on
    https://sjc1-movi-pr-bootproxy-vip.ciscojabbervideo.com/endpoint/configuration
    then it goes to other servers for logging in etc.
    I want to know the list of all servers so that ACL's can be opened for them.
    Thanks
    SAurabh    

  • ISE 1.2 and ACL's with multiple ports

    When creating a DACL for my groups I used the Syntax " permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl's inside the DACL and the syntax check validated it. When I pushed it to my groups it also worked but I have heard that this type of multiple port ACL in ISE is not supported. Does anyone know if this is accurate?

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • No ACL deny logs for Traffic not matched by Static Object NATs and ACL. Need Help.

    I start noticing that I do not see any denied traffic coming in on my ACL.  To better explain, let's say I have this config.
    ### Sample Config ###
    object network webserver
    host 192.168.1.50
    nat (dmz, outside) static X.X.X.X service tcp www www
    access-list inbound extended permit ip any4 object webserver eq www
    If I generate a traffic from the outside let's say a traffic that is trying to access X.X.X.X via TCP Port 8080 which obviously does not have any NAT entry to it going to my DMZ, I don't see the ACL denies it anymore but instead comes back with a Drop Reason: (nat-no-xlate-to-pat-pool) . On the packet trace I got this. (Below) it seems that does not even hit the ACL as there is no xlate found for it, at least to what the drop reason says.
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         Outside
    Result:
    input-interface: Outside
    input-status: up
    input-line-status: up
    output-interface: Outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
    Before, using a regular Static PAT on ASA Versions 8.2(5) below, I could get the deny logs (ASA-4-106023). Generally, I use these logs, and are quite important for us especially during auditing.
    My question is how can I generate logs for these type of dropped traffic on the ASA 9.1 Version? 
    Any comments/suggestions are gladly appreciated :)
    Regards,
    John

    I believe, but am not 100% sure, that the reason you are not seeing the ACL drop but a no NAT matched is because of the changes from 8.2 to 8.3 in the order of how things are done.  In 8.3 and later you need to specify the real IP address when allowing packets in, and this is because NAT happens before the ACL is matched.  So since there is no match on the NAT the packet is dropped then and there, never reaching the stage where ACLs are checked.
    As to seeing drops in the ACL log...You might want to try adding an ACL that matches the NATed IP...but I don't think you will have much success with that either.  My guess is that there is no way around this...at least no way I know of.
    Please remember to select a correct answer and rate helpful posts
