User Account Authentication across multiple Solaris servers - Best Practice

Hi,
I am new to Solaris admin and would like to know the best practice/setup for authenticating user accounts across multiple Solaris servers.
Currently we have 20 - 30 Solaris 8 & 10 servers which each have their own user accounts set up. I am planning to replace these with a similar number of Solaris 10 servers and would like to centralise the user accounts and their authentication.
I would be grateful for any suggestions on the best setup and any links to tutorials.
Thanks
Jools

I would suggest LDAP + Kerberos: LDAP for name lookups and krb5 for auth. It provides secure auth plus an extensible directory for users and other apps if needed. It also provides a decent springboard to add other Unix platforms into the mix, since this will support any Unix/Linux/BSD platform. You could integrate this design with a Windows AD environment if you want as well.
[http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp] sol + ldap+ AD
[http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server] sol + ldap (openldap)
[http://aput.net/~jheiss/krbldap/howto.html] sol + ldap + krb5
Now, these links all use somewhat different means; however, they should give you some ideas as to what's out there. Solaris 10 comes with Sun's LDAP server, and you can use the krb5 server which comes with it as well. There are many different ways to do this, and many more links out there as well; these are just a few.
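Before folding 20 to 30 sets of local accounts into one directory, the first job is to find where the existing passwd files disagree: the same login with different uids on different hosts, the same uid owned by different logins, and stray uid-0 accounts that must not be carried into a central directory. The script below is an added example, not code from the original thread or from any Sun documentation; the host names and passwd lines are constructed for illustration and stand in for the output of `getent passwd` on each host.

```python
"""Audit local passwd maps from several hosts before consolidating them into
one directory.  Added example; hosts and passwd entries are constructed."""
from collections import defaultdict

# Constructed sample of what `getent passwd` might return on three hosts.
PASSWD_BY_HOST = {
    "sol-a": [
        "root:x:0:0:Super-User:/:/sbin/sh",
        "jools:x:1001:10:Jools:/export/home/jools:/bin/ksh",
        "oracle:x:1002:100:Oracle:/export/home/oracle:/bin/ksh",
    ],
    "sol-b": [
        "root:x:0:0:Super-User:/:/sbin/sh",
        "jools:x:1005:10:Jools:/export/home/jools:/bin/ksh",    # same login, other uid
        "backup:x:1002:10:Backup:/export/home/backup:/bin/sh",  # uid 1002 reused
    ],
    "sol-c": [
        "root:x:0:0:Super-User:/:/sbin/sh",
        "oracle:x:1002:100:Oracle:/export/home/oracle:/bin/ksh",
        "toor:x:0:0:Second root:/:/sbin/sh",                    # extra uid-0 account
    ],
}


def parse_passwd(lines):
    """Yield (login, uid) from passwd(4)-style lines; blanks and comments are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed passwd entry: {line!r}")
        yield fields[0], int(fields[2])


def audit(passwd_by_host):
    """Return the findings that must be resolved before centralising:
    name_conflicts: login -> {uid: [hosts]} where one login has more than one uid
    uid_conflicts:  uid   -> {login: [hosts]} where one uid has more than one login
    uid0:           host  -> logins with uid 0 other than root
    """
    by_name = defaultdict(lambda: defaultdict(list))
    by_uid = defaultdict(lambda: defaultdict(list))
    uid0 = defaultdict(list)
    for host, lines in passwd_by_host.items():
        for login, uid in parse_passwd(lines):
            by_name[login][uid].append(host)
            by_uid[uid][login].append(host)
            if uid == 0 and login != "root":
                uid0[host].append(login)
    return {
        "name_conflicts": {n: dict(u) for n, u in by_name.items() if len(u) > 1},
        "uid_conflicts": {u: dict(n) for u, n in by_uid.items() if len(n) > 1},
        "uid0": dict(uid0),
    }


def highest_uid(passwd_by_host, floor=1000):
    """Largest non-system uid in use on any host; new central accounts start above it."""
    uids = [uid for lines in passwd_by_host.values() for _, uid in parse_passwd(lines)]
    return max([u for u in uids if u >= floor], default=floor)


if __name__ == "__main__":
    for kind, items in audit(PASSWD_BY_HOST).items():
        print(kind, items)
    print("highest uid in use:", highest_uid(PASSWD_BY_HOST))
```

Every name conflict has to be resolved by hand (which uid survives, and which hosts need a `chown` over that user's files), because once the directory is authoritative a login that previously meant uid 1001 on one host and 1005 on another will silently gain access to the other user's files on any shared storage.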

Similar Messages

  • Using one user account table across multiple databases but account used as a foreign key

    I want to use one user account table from one database and use it across a couple other databases. The problem is that I want some tables to use the primary key from the user account table as a foreign key to access the data when the user logs in. Is this
    the right way of going about it? Do I have to create a user account table in all my databases? What is the best practice to handle this problem? Thanks in advance.

    You can use triggers or replication.
    more info: 
    Add Foreign Key relationship between two Databases
    SQL Server Replication
    Saeid Hasani [sqldevelop]

  • Authentication across multiple applications

    Hi,
    I'm having trouble with authentication across multiple applications.
    Ideally I would like to log in to one application and have my credentials survive across the session for the other applications when they run.
    What is the best approach to do this?
    Thanks,
    Mark

    Thanks for your reply Frank.
    We've decided to switch to JAVA SSO but I'm having trouble getting to the configuration page in the 11g OC4J.
    I've posted a new thread with these questions:
    Configuring JAVA SSO with 11g OC4J
    Thanks,
    Mark

  • Provisioning multiple Solaris servers, need consistent uid

    I will be provisioning users to a number of Solaris servers using Identity Manager. However, in order to accommodate some internal applications, the user must have the same numeric uid for a particular user on all Solaris servers. The only way I can think of doing this is to create a database table and whenever I create a new user get the next value and use that as the uid.
    Anyone else with any suggestions on how to do this? I would have liked to have the first server in the provisioning order simply assign the uid and then use that same uid for the other servers, but I can't find a way to use a value from one provisioned server on another server when they're both being provisioned in the same Identity Manager Save operation.

    We had some help setting this up .. this is a rule which returns a unique uid:
    <Rule name='UidDBRule' createDate='1195697964630' lastModifier='Configurator' lastModDate='1195701542165' lastMod='26'>
        <block>
            <defvar name='value'/>
            <defvar name='type'>
                <s>mysql</s>
            </defvar>
            <defvar name='driverClass'>
                <s>org.gjt.mm.mysql.Driver</s>
            </defvar>
            <defvar name='url'>
                <s>jdbc:mysql://%h:%p/%d</s>
            </defvar>
            <defvar name='host'>
                <s>localhost</s>
            </defvar>
            <defvar name='port'>
                <s>3306</s>
            </defvar>
            <defvar name='db'>
                <s>dbname ..</s>
            </defvar>
            <defvar name='userName'>
                <s>dbuser ..</s>
            </defvar>
            <defvar name='passwd'>
                <s>dbpass ..</s>
            </defvar>
            <setvar name='value'>
                <add>
                    <invoke name='queryString' class='com.waveset.util.JdbcUtil'>
                        <map>
                            <s>type</s>
                            <ref>type</ref>
                            <s>driverClass</s>
                            <ref>driverClass</ref>
                            <s>url</s>
                            <ref>url</ref>
                            <s>host</s>
                            <ref>host</ref>
                            <s>port</s>
                            <ref>port</ref>
                            <s>database</s>
                            <ref>db</ref>
                            <s>user</s>
                            <ref>userName</ref>
                            <s>password</s>
                            <ref>passwd</ref>
                            <s>sql</s>
                            <s>Select uidNumber from user</s>
                        </map>
                    </invoke>
                    <s>1</s>
                </add>
            </setvar>
            <invoke name='sql' class='com.waveset.util.JdbcUtil'>
                <map>
                    <s>type</s>
                    <ref>type</ref>
                    <s>driverClass</s>
                    <ref>driverClass</ref>
                    <s>url</s>
                    <ref>url</ref>
                    <s>host</s>
                    <ref>host</ref>
                    <s>port</s>
                    <ref>port</ref>
                    <s>database</s>
                    <ref>db</ref>
                    <s>user</s>
                    <ref>userName</ref>
                    <s>password</s>
                    <ref>passwd</ref>
                    <s>sql</s>
                    <concat>
                        <s>update user set uidNumber=</s>
                        <ref>value</ref>
                    </concat>
                </map>
            </invoke>
            <ref>value</ref>
        </block>
        <MemberObjectGroups>
            <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
        </MemberObjectGroups>
    </Rule>
    The dbtable has one single attribute, called uidNumber, and I initially set it to 15000, to make sure that sim-users would not get uidNumbers already in use on our Redhat servers.
    I ended up using the rule in the Redhat Linux User Form, like this:
          <Field name='global.unixId'>
            <Display class='Label'>
              <Property name='title' value='unixId: '/>
            </Display>
            <Default>
              <rule name='UidDBRule'/>
            </Default>
          </Field>
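The posted rule reads uidNumber in one statement, adds one, and writes the result back in a second statement, so two provisioning operations running at the same moment can both read the same value and hand out the same uid to two different people. The allocator below is an added example, not the rule from the post or any Identity Manager code: it uses SQLite as a stand-in for the MySQL table, takes the write lock before the read with `BEGIN IMMEDIATE`, and also records login-to-uid so that re-provisioning the same login returns the same uid. The table names, the 15000 floor (taken from the post) and the login names in the demo are assumptions.

```python
"""Hand out uids from one shared counter so a login gets the same numeric uid on
every host.  Added example; SQLite stands in for the MySQL table in the post."""
import os
import sqlite3
import tempfile
import threading

UID_FLOOR = 15000  # first uid handed out; the post started its counter at 15000 too

SCHEMA = """
CREATE TABLE IF NOT EXISTS uid_counter (
    id       INTEGER PRIMARY KEY CHECK (id = 1),
    next_uid INTEGER NOT NULL);
CREATE TABLE IF NOT EXISTS uid_map (
    login TEXT PRIMARY KEY,
    uid   INTEGER NOT NULL UNIQUE);
"""


def connect(path):
    """One connection per caller.  isolation_level=None: we issue BEGIN/COMMIT
    ourselves; timeout: wait for the write lock instead of failing at once."""
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)
    conn.executescript(SCHEMA)
    conn.execute("INSERT OR IGNORE INTO uid_counter (id, next_uid) VALUES (1, ?)", (UID_FLOOR,))
    return conn


def allocate_uid(conn, login):
    """Return the uid for `login`, allocating the next free one on first sight.
    BEGIN IMMEDIATE takes the write lock before the read, so two callers cannot
    both read N and both write N+1, which is the gap a separate SELECT and UPDATE leave."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute("SELECT uid FROM uid_map WHERE login = ?", (login,)).fetchone()
        if row is None:
            (uid,) = conn.execute("SELECT next_uid FROM uid_counter WHERE id = 1").fetchone()
            conn.execute("UPDATE uid_counter SET next_uid = next_uid + 1 WHERE id = 1")
            conn.execute("INSERT INTO uid_map (login, uid) VALUES (?, ?)", (login, uid))
            row = (uid,)
        conn.execute("COMMIT")
        return row[0]
    except Exception:
        conn.execute("ROLLBACK")
        raise


def temp_db_path():
    """A fresh on-disk database; file locking is what serialises the writers."""
    return os.path.join(tempfile.mkdtemp(prefix="uiddb-"), "uid.db")


def allocate_concurrently(path, logins, workers=6):
    """Allocate every login from several threads at once, each with its own
    connection, and return {login: uid}.  With a correct allocator all uids differ."""
    pending, results, lock = list(logins), {}, threading.Lock()

    def worker():
        conn = connect(path)
        try:
            while True:
                with lock:
                    if not pending:
                        return
                    login = pending.pop()
                uid = allocate_uid(conn, login)
                with lock:
                    results[login] = uid
        finally:
            conn.close()

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    db = temp_db_path()
    allocated = allocate_concurrently(db, [f"user{i:03d}" for i in range(40)])
    print(len(set(allocated.values())), "distinct uids for", len(allocated), "logins")
    print("user007 again ->", allocate_uid(connect(db), "user007"))
```

On MySQL/InnoDB the same effect comes from `SELECT ... FOR UPDATE` on the counter row inside a transaction, or from letting an AUTO_INCREMENT column on the login table generate the uid; what matters is that the read and the write are one locked unit, not two rule invocations.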

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

  • Why domain users account allowed to logon to servers directly?

    I'm using Windows Server 2008 R2 with ADDS.
    By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
    "You cannot log on because the logon method you are using is not allowed on this computer"
    I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
    Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
    And, nothing set on the Deny Logon Locally.
    But, tested that, those accounts with just Domain User Group are able to logon to Server!?
    How or where should I check, to not allow normal user account to logon to server directly?
    Thank you.

    Hi,
    >>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
    By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group policy.
    By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
    Regarding allowing log on locally, the following article can be referred to for more information.
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
    Regarding remote desktop user groups, the following article can be referred to for more information.
    Configure the Remote Desktop Users Group
    http://technet.microsoft.com/en-in/library/cc743161.aspx
    >>How or where should I check, to not allow normal user account to logon to server directly?
    We can utilize group policy setting
    Deny logon locally to prevent users from locally logging onto the targeted computers.
    Regarding this setting, the following article can be referred to for more information.
    Deny logon locally
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    Best regards,
    Frank Shen

  • Authentication Across Multiple Web Applications (Revisited)

    It's been an ongoing battle, but I've made some insight into this situation. The problem stands as it seems impossible to authenticate against one web application deployed as a WAR archive and have that authentication carry across to another web application with the same security constraints. I've been told by BEA that, quote:
    "It seems to me that we are violating section 11.6 of the servlet 2.2 spec which talks about webapps"
    I've also been told that this is fixed in WLS 6.0, reference issue #38732.
    For those of us building production environments using 5.1 instead of 6.0 XML based configuration, this does NOT solve our problem.
    I've dug further into the bowels of 5.1 and found that if you manually set the realm name in the login-config of the security constraint in the web.xml file in each WAR deployment as such:
        <login-config>
            <auth-method> [whichever method] </auth-method>
            <realm-name>WebLogic Server</realm-name>
        </login-config>
    Authentication will carry across web applications. However, I've noted that the session management then becomes unpredictable. For example:
    I log into the application TESTAPP1 which contains a protected servlet that outputs the session ID and attempts to get the authenticated principal name from the "_wl_authuser_" session variable. Upon first load of the page (after the login dialog box), the session is null [can be fixed with .getSession(true) call instead] and the "_wl_authuser_" object does not exist. Reload the page and the session appears as well as the "_wl_authuser_" object. Strange.
    I then move to TESTAPP2, which does not prompt me for authentication but also is missing the session in the same manner. Upon browser reload, the session is created with a different ID and the "_wl_authuser_" object is now available with the appropriate principal name.
    Upon moving back to TESTAPP1, I am not prompted for authentication; however, I am assigned yet another session ID after browser reload, different from the first.
    So it seems that although authentication is carried across web applications, the session IDs as you move from TESTAPP1 to TESTAPP2 change, and then change again but not back to the original when going back to TESTAPP1.
    This is a particular problem since we are using Vignette's V5 as our main client and tracking sessions through V5 - this would quickly become unmanageable if a single page view accesses three or four different application components with three or four different session ids.
    I'm wondering if we can expect the same behavior from WLS 6.0?
    Ideally, I'd like to see WebLogic use a single session ID to track users across multiple web applications but still have session independence between applications. So if I store something in session in TESTAPP1, it's not available in TESTAPP2. Does this outline the behaviour in WLS 6.0? Can anyone verify this?
    Some food for thought. Thanks!
    ./Chris
    Senior Systems Analyst
    MassMutual Financial Group

    Hello! I am searching an answer to this question too!!!
    Did you get some news regarding this item?
    Regards,
    C.M.

  • View/Change User Accounts From Across The Network - Do not have Server

    Is there a program or utility that can be run in Mac OS X Tiger or Leopard to manage user accounts on other Macs that are located across the network? Is there anything that will do this that is free, or not too much money?
    Our setup: multiple Macs on a network that is primarily a Windows AD Domain. For various reasons, we do not have the Macs setup as members of AD. We also do not have a Mac OS X Server. I am wondering if there is something that is built-in, free, or on the cheaper-end, to manage user accounts and their permissions from across the network on the Macs?
    Thank you for your help!
    Dan

    If the systems are not bound to a parent domain, then local account policy will need to be set individually. There is a way to get Workgroup Manager working on OS X client, but I do not know of a way for it to see remote NetInfo/DS Local data stores. It will only see the local store. NetInfo in the 10.2 days could pull this off. But Apple removed those features in favor of LDAP and eventually DS Local.
    You will probably need to use a combination of tools. Start with defining base settings in the User Template to ensure that all new home folders are created equal. Then use ARD or ssh to define user policy with pwpolicy and other tools like niutil (Tiger) or dscl. Test with mcxquery. If you get Server Admin Tools, you can use Workgroup Manager to craft the needed xml for mcx values, then inject into the user account.
    But this is only going to get you local policy. If users are connecting to file shares and mail, they are using their network credentials so those policies need to be managed at the domain level.
    I would encourage binding the machines to the domain. While this can, and has (sadly), been done, being part of the domain is so much easier. If you need a system for storing the LDAP schema, get a Mini and do it on the cheap. Otherwise, consider AD schema modification and then practice your xml skills.
    Hope this helps

  • LDAP Authentication Scheme - Multiple LDAP Servers?

    How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  • iTunes Accounts - 1 account for multiple iPads?  Best Practices?

    I'm setting up a small deployment of 5 iPads for use in my company.  Could anyone share some tips / best practices as far as iTunes accounts are concerned?
    We would like to use one iTunes account to activate all of the iPads and set up / link to each one's AppleCare Protection Plan.  Any apps purchased on any of the 5 iPads need to be billed to one account if possible. 
    Are there any disadvantages to doing it this way, or would setting up an iTunes account (or some other strategy) for each iPad be a more advantageous route?

    One thing comes immediately to mind: if you leave the billing account active on the individual devices (without, say, IPCU restrictions on app or movie purchases) the device users could bill stuff like movies, apps etc. to the central billing account.  We don't set up the devices with iTunes (though we don't use AppleCare, so I'm not sure if this is important with the AppleCare Protection Plan), and just let the users enter their own iTunes account info.  You could distribute apps using the new Volume Purchase Program; apps could be centrally deployed to the various devices, billed to one account, and the end user wouldn't be able to individually bill the centralized account.  We also tell users they can put on the device whatever they want, but must perform any iTunes backups on home computers.  If something goes wrong, we just reset the device to factory and start over; the user must restore whatever they had on the device from their backup. This way we also manage to avoid having to manage iTunes stores on work computers.  We do require encryption of iTunes backups via IPCU policy.

  • Syncing App IDs across servers -- Best Practice?

    This is prompted by a comment chrisstephens made in the thread at non-existent applications in non-existent workspaces reserving app id's:
    "Our developers are convinced that the application id's between our dev + staging + production environments need to be synchronized."
    Our team also keeps our dev, test, and prod server app IDs synchronized -- for instance, the Widget Reporting App is always app # 38 on all three servers. For us, it's not something we see as REQUIRED, but it is convenient, and a general sanity check. If the numbers didn't sync, it seems it would be all too easy to get values mixed up and accidentally field an app to the wrong place (possibly overwriting some other application).
    What is the community's opinions on this? Would you consider this an Apex Best Practice? Just a habit for some groups? Or overly rigid thinking?
    (I personally fall in the Best Practice group.)

    One good reason to keep them the same is so that there are no differences between what is tested in one environment and what is deployed in another. Case in point, just last week someone demonstrated that an application's authentication scheme failed when the application ID was changed from xxx to xxxxxxxxx (a longer string of digits). Of course this was due to a previously unknown bug, but that's what testing should reveal.
    Another good reason is to make it possible to export application components (pages, etc.) from one database (say, dev) and install them into an application in another database (say, prod). This is not possible if the application IDs are different.
    Scott

  • How do you span a jta usertransaction across multiple jms servers?

    I have an ejb that connects to multiple jms servers (non-clustered) and retrieves messages. Those messages are concatenated together and placed on another jms queue. Is it possible to do all of this inside of one transaction? I am having trouble pulling this off.

    Sure, you can do this. Assuming you're using WLS JMS, you have to make sure that for all the JMS servers you're talking to, you use a connection factory with the "XA Connection Factory Enabled" flag set. You also need to make sure that you use JTA to start a transaction before retrieving the first message, and commit it after you're done with the final send.

  • Multiple room management -- best practice -- server side http api update?

    Hi Folks, 
    Some of the forum postings on multiple room management are over year old now.  I have student/tutor chat application which has been in the wild for 5 months now and appears to be working well.  There is a single tutor per room, multiple chats and soon to be a whiteboard per student, which is shared with the tutor in a tabbed UI. 
    It is now time to fill out the multiple tutor functionality, which I considered and researched when building, but did not come to any conclusions.   I'm leaning towards a server side implementation.  Is there an impending update to the http api?
    Here is what I understand to be the flow:
    1) server side management of who is accessing the room
    2) load balance and manage the room access 1 time user and owner session from the server side
    3) for my implementation, a tutor will need to login to the room, in order for it to be available
    4) Any reconnection would in turn need to be managed by the server side, and is really a special case of room load balancing.
    My fear is that at some point I'm going to need access to the number of students in the room or similar and this is not available, so that I'll need client functionality, which will need update the server side manager.
    As well, I'm concerned about delays on the server side access to which might create race conditions in a re-connect situation.  User attempts to reconnect, but server side manager thinks that the user is already connected.
    Surely this simple room management has been built, does anyone have any wisdom they can impart?  Is there any best practice guidance or any samples?
    Thanks,
    Doug

    Hi Raff, Thanks a ton for the response.
    I wasn't clear on what I was calling load balancing.  What I mean by this is room assignment for student clients.  We have one tutor per room.  There are multiple students per room, but each is in their own one-on-one chat with the tutor.
    I'm very much struggling with where to do the room assignment / room management, on the server side or on the client side (if that is even possible).  In my testing it is taking upwards of 10 seconds minimum to get a list of rooms (4 virtually empty rooms) and to query the users in a single room (also a minimum of users/nodes in the queried room).   If after this point, I 'redirect' the student to the least full room, then the student incurs the cost of creating a new session and logging into the room.  As well, I intend to do a bit of xml parsing, and other processing, so that 10 seconds is likely to grow.
    Would I see better performance trying to do this in the client?
    As far as the server side, at what point does a room go to 'not-active'?
    When I'm querying the roomList, I am considered one of the 'OWNER' users in the UserLists.  At what point can it be safe to assume that I have left the room? 
    Is there documentation on the meaning and lifecycle of the different status codes?  not-active,  not-running, and ok?  Are there others?
    How much staleness can I expect from the server-side queries?
    As far as feature set, the only thing that comes to mind is xpath and or wild card support for getNode() but i think this was mentioned in other posts.
    Regarding the reconnection issues, I am timing out the student after inactivity, and this is probably by and large the bulk of my reconnect use cases.  This and any logout interaction from the student presents a use case where I may want to reassign the student to the same room as before.  I can envision scenarios of a preferred tutor if available etc.  In this case, I'll need to know the list of rooms.  In terms of reconnection failover, this is not a LCCS / FMS issue.
    Thanks again for responding.

  • Using Active Directory (LDAP Plugin) Across Multiple AD Servers

    Hi,
    I need to give an existing application the ability to talk to multiple active directories using the AD LDAP interface from a J2EE Application running on Apache 2.x/Tomcat 5.x (there are 4 independent AD trees and users from ANY of the trees can access the application).
    Can anyone point me in the right direction with this? It would seem to make sense that I should create a central security servlet that is aware of all the domains and connect to each of the AD servers in turn using LDAP (as often discussed on these forums) to ascertain security rights, then turn control back to the application.
    Thoughts? Feedback? General help?
    thanks
    John

    Another thing that would help is any references to sample code where someone has done this before for..
    1. the server.xml file mods required? Web.xml Mods?
    2. Java code to accomplish this?
    Also, am I overthinking the problem? Could I just use some utility class inside the controller servlet that would have one method that would return access level or something? Then in the utility file I can do the looping through LDAP servers (really AD trees) and when I find the information I want, simply return it.
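Two threads on this page ask for the same loop: the LDAP authentication scheme question above wants a list of replicas tried in order when one is unreachable, and this one wants four independent AD trees tried in turn. The loop is the same, but the rule for moving on differs, and getting it wrong is a security bug: a replica that is up and rejects the password must be the final answer (falling through to the next replica multiplies an attacker's guess budget and hides a real rejection), and with independent trees an account that one tree knows but whose password is wrong should not be retried under the same name in the next tree. The code below is an added example with simulated directories, not code from either thread and not a real LDAP client; the `Directory` class, endpoint names and user records are constructed for illustration.

```python
"""Try an ordered list of directory endpoints, distinguishing 'unreachable'
(move on) from 'reachable and rejected' (stop).  Added example with simulated
directories; no LDAP library is used."""


class DirectoryUnreachable(Exception):
    """Transport-level failure: host down, connect timeout, TLS handshake failed."""


class Directory:
    """Stand-in for one LDAP or AD endpoint.  `users` maps login -> password and
    `up` simulates reachability; a real client would bind with the credentials."""

    def __init__(self, name, users, up=True):
        self.name, self.users, self.up = name, users, up
        self.bind_attempts = 0  # lets a caller check an endpoint was never consulted

    def bind(self, login, password):
        if not self.up:
            raise DirectoryUnreachable(self.name)
        self.bind_attempts += 1
        stored = self.users.get(login)
        if stored is None:
            return "unknown"
        return "ok" if stored == password else "bad_password"


def authenticate(endpoints, login, password, replicated):
    """Walk `endpoints` in order and return (authenticated, trail).

    replicated=True : the endpoints hold the same data (several replicas, no load
                      balancer).  Only an unreachable endpoint moves us on; the
                      first reachable one gives the final answer.
    replicated=False: independent trees (users may live in any of them).  A login
                      unknown to one tree is looked up in the next; a wrong
                      password for a login a tree does know ends the walk, so one
                      guess is never tried against every tree in turn.
    """
    trail = []
    for d in endpoints:
        try:
            verdict = d.bind(login, password)
        except DirectoryUnreachable:
            trail.append((d.name, "unreachable"))
            continue
        trail.append((d.name, verdict))
        if verdict == "ok":
            return True, trail
        if replicated or verdict == "bad_password":
            return False, trail
    return False, trail  # nothing reachable, or unknown everywhere: fail closed


def all_unreachable(trail):
    """True when every endpoint was down; alert on this rather than telling the
    user their password was wrong."""
    return bool(trail) and all(v == "unreachable" for _, v in trail)


# Constructed sample data: one corporate tree and one sister-company tree.
USERS_CORP = {"jools": "pw-corp"}
USERS_SISTER = {"mark": "pw-sister", "jools": "pw-other"}

if __name__ == "__main__":
    replicas = [Directory("ldap1", USERS_CORP, up=False), Directory("ldap2", USERS_CORP)]
    print(authenticate(replicas, "jools", "pw-corp", replicated=True))
    trees = [Directory("corp", USERS_CORP), Directory("sister", USERS_SISTER)]
    print(authenticate(trees, "mark", "pw-sister", replicated=False))
```

With python-ldap the two branches map onto `ldap.SERVER_DOWN` (treat as unreachable, move on) and `ldap.INVALID_CREDENTIALS` (treat as rejected, stop); the point is that the exception types, not a generic "bind failed", drive the loop.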

  • How to implement Parties/Accounts with across multiple orgs in our company.

    I'm looking for some guidance as to how to configure/setup our clients in TCA for multiple orgs in our company.
    Example:
    We have 2 orgs defined in our ERP. One is called Interactive, the other is called Traditional.
    We want the general ledgers separate for these orgs
    We want orders placed by clients to roll up to the correct org
    We have clients that place orders for both Interactive products and Traditional Products.
    For a single "client" that does business in both orgs, should we simply create 1 party and 2 customer accounts? Then use the org_id field in hz_cust_accounts to specify the organization code?
    Or should we have a single customer account for that party, with 2 customer sites defined at the org level? Or do separate them at the site_uses level?
    I've heard there are issues with Sales Online being used in 11.5.9 for multi org setup, does anyone know about this.
    Help.

    Dear,
    I think for each account, you can have 1 bill_to site use. If you want to differentiate between them considering rollup to GL, then I guess defining 2 accounts for each customer would be your best shot.
    regards,
