Using LDAP group to authenticate users from inside network to Internet

Hi team, I have an ASA 5510 running version 7.2.3 and I need to authenticate my users from the inside network to the Internet using a security group in Active Directory. Can anyone help me with this?

This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
then do some filtering -
ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Similar Messages

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but is unable
    to recognize groups. Here is my weblogic-ejb-jar.xml:
    <security-role-assignment>
        <role-name>channel-role</role-name>
        <principal-name>system</principal-name>
        <principal-name>mygroup</principal-name>
        <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes the user system but not the group. The LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials from the client of a uniquemember, WLS generates a
    security exception. It won't recognise mygroup or cn=mygroup,ou=groups,o=mycompany
    either.
    Any suggestions?
    Thanks
    -Surya

    Yes, it has an impact. You create groups in the Repository and Answers and assign the object-level permissions.
    You populate the Group variable during authentication via the LDAP server. Once you log in with name X you see the authorized groups in My Account.
    For dashboard A - For group Executive - User X - You have given full access.
    Now you have changed the Group name to AD_Executive. When You Login variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names, then get the groups from the database using an init block after authorization.

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins"), works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • LDAP Group is empty while the LDAP group has 150 users

    Hi,
    My BOE is mapped to the corporate LDAP, and the LDAP group is already mapped to a BO group.
    The problem is that the LDAP Group is empty while the LDAP group has 150 users.
    Currently, the user is only created under the BO Group just after that user logs in for the first time.
    Is there any way to populate the BO Group automatically?
    Best Regards,
    DoronS

    Hi,
    Yes, there is. Check your LDAP Authentication tab and select "Create new aliases when the Alias Update occurs".
    It should be under your Alias settings.
    But please note that you then require 150 licenses. So each user gets a license even if he doesn't use the BOE system but is part of the LDAP group.
    Regards
    -Seb.

  • I would like to use my iPhone 6's wifi hotspot to provide Internet at home (I do not have home internet) via a Time Capsule which I currently use the TC simply as a home wifi network without Internet to enable things like printing wirelessly and back

    I would like to use my iPhone 6's wifi hotspot to provide Internet at home (I do not have home internet) via a Time Capsule which I currently use the TC simply as a home wifi network without Internet to enable things like printing wirelessly and backing up data wirelessly via time machine.
    I have a Mac Pro, iPhone 6, iPad, Apple TV and Time Capsule. No home Internet.
    Is it possible to have my iPhone 6's wifi hotspot used to provide Internet to my wifi network on Time Capsule? Has anyone else had success doing this? I'm not a tech head and really know very little about things like this. Thanks. Jen

    You can have a go using a wireless bridge.. eg the airport express will do this.. you can join it to the iphone wireless running as a hotspot.. and then plugged into the TC wan port.. the TC has to be setup in router mode.. so this is going to give you double NAT errors.. and of course errors for all the time the hotspot is turned off.. but it can work. However you might find it requires you to manually connect up each time.. If you are really going to try and do this you will manage it.. but how fiddly it becomes might put you off after a week.
    You will chew up your 5GB very fast using any streaming media even radio. So be very careful to track the usage.
    Apple should have built in the TC the ability to plug in a wireless 3G modem.. via the USB but Apple have ceased to do adventurous stuff.
    If you give up the TC as main router there are plenty of better products on the market that will handle multiple wan connections.. !!

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) from the foreignSecurityPrincipal object. For example:
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, e.g. S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like:
    // specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    // specify the base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to search for the DNS name and IP address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    ncName = dc=contoso,dc=com
    Perform another bind to the nCName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have an "orphaned foreign security principal", where the original user object has been deleted!
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
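    The SID-matching step described in the answer above, as an added Python example that is not part of the original post: it decodes the binary objectSID that an LDAP read returns, splits an account SID into its domain SID and RID, matches the domain SID against a constructed crossRef-style table (all domain names and SIDs below are invented), and builds the escaped-binary filter for the final search in the trusted domain.

```python
"""Offline model of the foreignSecurityPrincipal (FSP) resolution described
above. All SIDs, domain names and crossRef rows here are constructed for
the example; nothing is read from a real directory."""
import re
import struct

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-...' text into the binary layout AD stores in objectSID:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as 4 bytes little-endian."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must have 1..15 sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(blob: bytes) -> str:
    """Decode the binary objectSID an LDAP read returns (JNDI hands back
    byte[], not a string) into 'S-1-...' text."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def split_sid(sid: str):
    """Split an account SID into (domain SID, RID): the domain part is
    everything but the last sub-authority, which is the account's RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    subs = m.group(2).split("-")[1:]
    if len(subs) < 2:
        raise ValueError("SID has no domain part: %r" % sid)
    return "S-1-%s-%s" % (m.group(1), "-".join(subs[:-1])), int(subs[-1])


def sid_from_fsp_dn(dn: str) -> str:
    """Pull the SID out of an FSP DN such as
    CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    value = value.strip()
    if attr.strip().lower() != "cn" or not SID_RE.match(value):
        raise ValueError("not a foreignSecurityPrincipal DN: %r" % dn)
    return value


def sid_filter(sid: str, attribute: str = "objectSid") -> str:
    """Build an RFC 4515 filter matching the SID in its binary form, with
    each byte escaped as a backslash and two hex digits."""
    escaped = "".join("\\%02x" % b for b in sid_to_bytes(sid))
    return "(%s=%s)" % (attribute, escaped)


# Constructed stand-in for the crossRef walk plus the per-domain objectSID
# read described above: one row per trusted domain (invented values).
TRUSTED_DOMAINS = [
    {"dnsRoot": "contoso.com", "nCName": "dc=contoso,dc=com",
     "objectSID": sid_to_bytes("S-1-5-21-3771862615-1804478405-1612909269")},
    {"dnsRoot": "fabrikam.com", "nCName": "dc=fabrikam,dc=com",
     "objectSID": sid_to_bytes("S-1-5-21-111111111-222222222-333333333")},
]


def build_domain_table(domains):
    """The cache suggested above: domain SID text -> (dnsRoot, nCName)."""
    return {sid_from_bytes(d["objectSID"]): (d["dnsRoot"], d["nCName"])
            for d in domains}


def resolve_fsp(fsp_dn: str, table):
    """Map an FSP DN to the trusted domain that owns its SID and the search
    to run there. Returns None when no trusted domain owns the SID; an FSP
    whose user was deleted still resolves to its domain, but the final
    search there comes back empty."""
    sid = sid_from_fsp_dn(fsp_dn)
    domain_sid, rid = split_sid(sid)
    hit = table.get(domain_sid)
    if hit is None:
        return None
    dns_root, nc_name = hit
    return {"dnsRoot": dns_root, "searchBase": nc_name, "rid": rid,
            "filter": sid_filter(sid)}


if __name__ == "__main__":
    fsp = ("CN=S-1-5-21-3771862615-1804478405-1612909269-2143,"
           "CN=ForeignSecurityPrincipals,DC=antipodes,DC=com")
    print(resolve_fsp(fsp, build_domain_table(TRUSTED_DOMAINS)))
```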

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: mine, DOMAINA.LOCAL, and another trusted one, DOMAINB.LOCAL.
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want a direct connection to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use the username "DOMAINB\userindomainb") when I connect with an RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from the ASA
    I get an error.
    I think I must use a username like "DOMAINB\userindomainb", but this does not work.
    Please help me.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • LDAP query to fetch users from Two different OU

    I am looking for an AD query to get AD enabled users from two different OUs, Stores and ServiceOffice, under the root domain.
    I am using the syntax below to fetch them simultaneously but am not succeeding. Please help me.
    (&(objectCategory=person)(|(ou=Stores)(ou=ServiceOffice)))

    Hi, thanks for the revert. Actually I am setting this syntax in an application, not running a PowerShell script to fetch users.
    So I need the query in LDAP filter format only,
    i.e.
    (&(objectCategory=person)(|(OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com)(ou=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com)))
    Please correct my above query.

  • OIM OES Integration to use LDAP groups for policy making

    Hi ,
    I am trying to make a policy for the OIM application using OES. I want to use my LDAP groups as principals to control the access in OIM. How can it be achieved?
    Thanks
    Edited by: user10660448 on May 21, 2013 1:35 AM

    Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
    When you have multiple domains, you have a problem with this set-up as the internal LDAP is coupled to
    a specific domain. This means that users you created in one domain are not visible in the other. When using
    a separate LDAP that contains the users, you can configure in each domain an authenticator that points
    to the LDAP. In this way you can share the users across multiple domains.
    When you are planning to use one domain you can stick with the internal LDAP if you want.
    An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
    which might help you in how to proceed.

  • Using Powershell to delete all users from the Portal

    Summary
    This script will delete all users from the Portal except for Administrator and the Built-In Sync account.
    Based on Markus's "Delete a User" script.
    Useful when developing your system if you want to quickly clear out the data and start again.
    # FIM Service endpoint; the original had a stray quote inside the URI string
    set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
    function DeleteObject
    {
        PARAM($objectType, $objectId)
        END
        {
            # State 2 marks the ImportObject as a delete of the target resource
            $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
            $importObject.ObjectType = $objectType
            $importObject.TargetObjectIdentifier = $objectId
            $importObject.SourceObjectIdentifier = $objectId
            $importObject.State = 2
            $importObject | Import-FIMConfig -uri $URI
        }
    }
    # Load the FIMAutomation snap-in if it is not already loaded
    if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}
    # Export every Person resource (base attributes only) from the FIM Service
    $allobjects = export-fimconfig -uri $URI `
        -onlyBaseResources `
        -customconfig "/Person"
    $allobjects | Foreach-Object {
        $displayName = $_.ResourceManagementObject.ResourceManagementAttributes | `
            Where-Object {$_.AttributeName -eq "DisplayName"}
        # Keep the two built-in accounts; case-insensitive compare returns 0 on match
        if([string]::Compare($displayName.Value, "Administrator", $True) -eq 0)
            {write-host "Administrator NOT deleted"}
        elseif([string]::Compare($displayName.Value, "Built-in Synchronization Account", $True) -eq 0)
            {write-host "Built-in Synchronization Account NOT deleted"}
        else {
            # ObjectIdentifier is "urn:uuid:<guid>"; keep only the GUID part
            $objectId = (($_.ResourceManagementObject.ObjectIdentifier).split(":"))[2]
            DeleteObject -objectType "Person" `
                -objectId $objectId
            write-host "`nObject deleted`n" $displayName.Value
        }
    }
    Go to the FIM ScriptBox
    http://www.wapshere.com/missmiis

    The DeleteObject function opens and closes a connection for each object.  This approach is faster:
    http://social.technet.microsoft.com/wiki/contents/articles/23570.how-to-use-powershell-to-delete-fim-users-that-have-a-null-attribute-name.aspx
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

  • How to manage c877(outside) in RFC1483 mode through ASA5505 from (inside)network

    Hi All
    Here is a quick summary of my network setup.
    ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
    I am trying to figure out how to correctly configure my C877 & my ASA so I can telnet and manage the C877 from one of the inside networks on the ASA5505.
    With the current configuration I can ping the C877 but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
    Interface connectivity is as follows:
    ISP <-> C877 PoTS
    C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
    ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
    HP L2 Switch <-> Home PC.
    Device IPs:
    Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
    Home PC = 192.168.50.81 / 24
    Router C877 IP = 192.168.50.2 / 24
    Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
    Here is what I have tried so far but without luck:
    Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
    Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
    Any help much appreciated!
    C877 config below:
    Current configuration : 1422 bytes
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname c877
    boot-start-marker
    boot-end-marker
    no aaa new-model
    clock timezone UTC 11 0
    crypto pki token default removal timeout 0
    dot11 syslog
    ip source-route
    ip cef
    ip domain name --CUT--
    no ipv6 cef
    multilink bundle-name authenticated
    username --CUT-- privilege 15 password 7 --CUT--
    bridge irb
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     bridge-group 1
     pvc 8/35
      encapsulation aal5snap
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Vlan1
     no ip address
     bridge-group 1
    interface BVI1
     ip address 192.168.50.2 255.255.255.0
    ip default-gateway 192.168.50.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    snmp-server community public RO
    snmp-server ifindex persist
    control-plane
    bridge 1 protocol ieee
    line con 0
     exec-timeout 0 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
     transport input all
    end
    ASA5505 config below:
    ASA Version 9.1(3)
    hostname asa5505
    enable password --CUT-- encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd --CUT-- encrypted
    names
    interface Ethernet0/0
     switchport access vlan 10
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 20
    interface Ethernet0/3
     switchport access vlan 30
    interface Ethernet0/4
     switchport access vlan 40
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 70
    interface Ethernet0/7
     switchport access vlan 70
    interface Vlan1
     nameif inside_private
     security-level 100
     ip address 192.168.50.1 255.255.255.0
    interface Vlan10
     nameif outside_public
     security-level 0
     pppoe client vpdn group ADSL2
     ip address pppoe setroute
    interface Vlan20
     nameif inside_dmz
     security-level 70
     ip address 192.168.60.1 255.255.255.0
    interface Vlan30
     nameif inside_guest
     security-level 50
     ip address 192.168.70.1 255.255.255.0
    interface Vlan40
     nameif inside_experimental
     security-level 60
     ip address 10.0.0.1 255.255.0.0
    interface Vlan70
     nameif inside_phone
     security-level 10
     ip address 192.168.80.1 255.255.255.192
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside_dmz
    dns server-group DefaultDNS
     name-server 192.168.60.2
    same-security-traffic permit intra-interface
    object network LAN_private
     subnet 192.168.50.0 255.255.255.0
    object network LAN_dmz
     subnet 192.168.60.0 255.255.255.0
    object network LAN_guest
     subnet 192.168.70.0 255.255.255.0
    object network LAN_experimental
     subnet 10.0.0.0 255.255.0.0
    object network QNAP_host
     host 192.168.50.9
    object network INTELNUC_host
     host 192.168.60.2
    object network INTELNUC_prtgservice
     host 192.168.60.2
    object network INTELNUC_webservice
     host 192.168.60.2
    object network QNAP_management
     host 192.168.50.9
    object network QNAP_transmission
     host 192.168.50.9
    object network LAN_guest_wireless
     range 192.168.70.31 192.168.70.50
    object network QNAP_t51413
     host 192.168.50.9
    object network QNAP_u51413
     host 192.168.50.9
    object service 9000-9049
     service udp destination range 9000 9049
    object network C7940_u10000-20000
     host 192.168.80.11
    object network C7940_t5060
     host 192.168.80.11
    object network LAN_phone
     subnet 192.168.80.0 255.255.255.192
    object network SPINTEL_host
     host --CUT--
    object service 16384-32766
     service udp source range 16384 32766
    object network C7940_host
     host 192.168.80.11
    object service 10000-20000
     service udp destination range 10000 20000
    object network C7940_u5060
     host 192.168.80.11
    object-group network LAN_all
     network-object object LAN_dmz
     network-object object LAN_experimental
     network-object object LAN_guest
     network-object object LAN_private
     network-object object LAN_phone
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service 5060 tcp-udp
     port-object eq sip
    object-group service 53 tcp-udp
     port-object eq domain
    access-list public_ACL extended permit tcp any object QNAP_host eq 8080
    access-list public_ACL extended permit tcp any object QNAP_host eq 51413
    access-list public_ACL extended permit udp any object QNAP_host eq 51413
    access-list public_ACL extended permit tcp any object QNAP_host eq 9091
    access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
    access-list public_ACL extended permit tcp any object INTELNUC_host eq www
    access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
    access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
    access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
    access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
    access-list dmz_ACL extended permit icmp any any echo
    access-list dmz_ACL extended permit udp any any eq snmp
    access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
    access-list dmz_ACL extended deny ip any object LAN_private
    access-list dmz_ACL extended deny ip any object LAN_guest
    access-list dmz_ACL extended deny ip any object LAN_experimental
    access-list dmz_ACL extended deny ip any object LAN_phone
    access-list dmz_ACL extended permit ip any any
    access-list guest_ACL extended permit icmp any any echo
    access-list guest_ACL extended permit udp any any eq snmp
    access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
    access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
    access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
    access-list guest_ACL extended permit ip any object INTELNUC_host
    access-list guest_ACL extended permit ip any object QNAP_host
    access-list guest_ACL extended deny ip any object LAN_private
    access-list guest_ACL extended deny ip any object LAN_dmz
    access-list guest_ACL extended deny ip any object LAN_experimental
    access-list guest_ACL extended deny ip any object LAN_phone
    access-list guest_ACL extended permit ip any any
    access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
    access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
    access-list phone_ACL extended permit udp object C7940_host any eq ntp
    access-list phone_ACL extended permit tcp object C7940_host any eq sip
    access-list phone_ACL extended permit udp object C7940_host any eq sip
    access-list phone_ACL extended permit ip object C7940_host any inactive
    access-list phone_ACL extended permit ip object LAN_phone any inactive
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside_private 1500
    mtu outside_public 1492
    mtu inside_dmz 1500
    mtu inside_guest 1500
    mtu inside_experimental 1500
    mtu inside_phone 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
    object network LAN_private
     nat (inside_private,outside_public) dynamic interface
    object network LAN_dmz
     nat (inside_dmz,outside_public) dynamic interface
    object network LAN_guest
     nat (inside_guest,outside_public) dynamic interface
    object network LAN_experimental
     nat (inside_experimental,outside_public) dynamic interface
    object network INTELNUC_prtgservice
     nat (inside_dmz,outside_public) static interface service tcp 444 444
    object network INTELNUC_webservice
     nat (inside_dmz,outside_public) static interface service tcp www www
    object network QNAP_management
     nat (inside_private,outside_public) static interface service tcp 8080 8080
    object network QNAP_transmission
     nat (inside_private,outside_public) static interface service tcp 9091 9091
    object network QNAP_t51413
     nat (inside_private,outside_public) static interface service tcp 51413 51413
    object network QNAP_u51413
     nat (inside_private,outside_public) static interface service udp 51413 51413
    object network C7940_t5060
     nat (inside_private,outside_public) static interface service tcp sip sip
    object network LAN_phone
     nat (inside_phone,outside_public) dynamic interface
    object network C7940_u5060
     nat (inside_private,outside_public) static interface service udp sip sip
    access-group public_ACL in interface outside_public
    access-group dmz_ACL in interface inside_dmz
    access-group guest_ACL in interface inside_guest
    access-group phone_ACL in interface inside_phone
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside_private
    snmp-server host inside_dmz 192.168.60.2 community *****
    snmp-server location inside_dmz
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint localtrust
     enrollment self
     fqdn asa5505.--CUT--
     subject-name CN=sasa5505.--CUT--
     keypair sslvpnkey
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain localtrust
     certificate --CUT--
    telnet 192.168.50.0 255.255.255.0 inside_private
    telnet timeout 60
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ADSL2 request dialout pppoe
    vpdn group ADSL2 localname --CUT--
    vpdn group ADSL2 ppp authentication pap
    vpdn username --CUT-- password --CUT-- store-local
    dhcpd auto_config outside_public
    dhcprelay server 192.168.60.2 inside_dmz
    dhcprelay enable inside_private
    dhcprelay enable inside_guest
    dhcprelay enable inside_experimental
    dhcprelay enable inside_phone
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics port number-of-rate 3
    threat-detection statistics protocol number-of-rate 3
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server --CUT-- source inside_private
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
    ssl trust-point localtrust outside_public
    webvpn
     anyconnect-essentials
    username --CUT-- password --CUT-- encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:--CUT--

    Ansar,
    A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
    As an example.
    If you had
    service pete
    ip address 1.1.1.1
    active
    content pete
    add service pete
    protocol tcp
    port 80
    vip address 2.2.2.2
    active
    group pete_out
    vip address 2.2.2.2
    add service pete
    active
    So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
    You can also apply a source group via an acl as another option.
    Regards
    Pete..
    [email protected]

  • Complex DNS? Cannot reach XServe from inside network

    I'm trying to make DNS work on an XServe with Leopard Server installed.
    I had to migrate (mostly manually) DNS from the old server.
    The server runs DNS for about 50 websites, most of them on the server itself, some on other local machines. All of these are configured with their external IP addresses.
    From inside the building I cannot reach the server unless I make a subnet so the XServe acts as a router too. Then I can also use Server Admin, which I cannot use without that subnet.
    From within the server, DNS seems to work while just browsing the domains with Safari.
    sudo changeip -checkhostname
    Primary address = 10.0.2.15
    Current HostName = dns.myserver.com
    The DNS hostname is not available, please repair DNS and re-run this tool.
    So I guess I made a mess..
    host on the XServe IP address (also from within the XServe):
    odin:~ admin$ host 10.0.2.15
    Host 15.2.0.10.in-addr.arpa not found: 3(NXDOMAIN
    The host command on the external IP address gave me one of the domains, but not dns.myserver.com.
    $ host 192.xxx.xxx.xxx (of course I used the full external IP address)
    192.xxx.xxx.xxx.in-addr.arpa domain name pointer dns.myserver.com.
    Can anybody help?

  • Is there a way to provision FF to multiple users from a network share?

    Rather than deploying FF to 150,000 users, I would like to centrally provision the application from a network location. Is this possible?

    You can only use one library at a time in an Aperture slideshow, so I'd suggest to simply collect the audio that you want to use in a folder (export the songs from both iTunes Libraries) and then import this folder to Aperture. Now you have a project containing the audio files; you will see it in the Aperture Audio section of the audio Browser, right above the iTunes section.
    You can use the Aperture audio just like the audio in iTunes to drag to the timeline of your slideshow.
    Regards
    Léonie

  • Using .htaccess file to block access from certain networks

    Does anybody have any tips on getting a .htaccess file to work to block access to my Web Access server from certain network ranges on SuSE 10 SP3 with GW 8.0.2.
    It does seem like the file does anything? With Web Access I'm not exactly sure where to put the file. I used to accomplish this using iptables, but I was seeing if I could do the same with .htaccess.
    Thanks!

    Originally Posted by bbilut
    Does anybody have any tips on getting a .htaccess file to work to block access to my Web Access server from certain network ranges on SuSE 10 SP3 with GW 8.0.2.
    It does seem like the file does anything? With Web Access I'm not exactly sure where to put the file. I used to accomplish this using iptables, but I was seeing if I could do the same with .htaccess.
    Thanks!
    You can block a range with the .htaccess file, for example by defining the range as
    Code:
    order allow,deny
    deny from 10.0.
    allow from all
    ...that would block all addresses from 10.0.0.0 up to 10.0.255.255.
    You cannot use this file in tomcat, so it is useless I think... but as Apache is used as the frontend for the tomcat webacc application, you might be able to edit the gw conf apache files to include the range denies (which by default can be found in /etc/opt/novell/groupwise/webaccess/gw.conf).
    Maybe this thread might help, as there are some examples of how to include denies in the .conf files.
    Deny IP Ranges in httpd.conf Apache Web Server forum at WebmasterWorld
    Do make a backup of your current gw.conf in case it blows up :)
    -Willem
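    As an added example (not part of the thread, and not GroupWise's or Apache's own code), the following Python models how Apache 2.2 mod_authz_host evaluates "Order" / "Allow from" / "Deny from", so a rule set like the one Willem gives can be checked against sample client addresses offline before it goes into gw.conf. It also shows the classic pitfall: the same three lines with the Order flipped to deny,allow let every client through, because a matching "allow from all" then overrides the deny. The function names (`parse_rules`, `evaluate`, `is_allowed`) and the sample addresses are assumptions of this example; hostname and domain-name forms of Allow/Deny are not modelled.

```python
"""Offline model of Apache 2.2 Order / Allow from / Deny from evaluation.

Added example, not from the forum thread. Semantics implemented:
  - 'all' matches every client
  - a partial dotted address such as '10.0.' matches any IPv4 address
    whose leading octets equal it (Apache's documented partial-IP form)
  - CIDR (10.0.0.0/16) and address/netmask (10.0.0.0/255.255.0.0) forms
  - Order allow,deny: Allow must match, Deny overrides it, default deny
  - Order deny,allow: Allow overrides Deny, default allow
Hostname / domain forms are NOT modelled (assumption of this example).
"""
from __future__ import annotations

import ipaddress


def _matches(pattern: str, client: ipaddress.IPv4Address) -> bool:
    """Return True if one Allow/Deny target matches the client address."""
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        addr, mask = pattern.split("/", 1)
        # ipaddress accepts both prefix-length and dotted-netmask forms.
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        return client in net
    # Full or partial dotted address: compare the leading octets only,
    # so '10.0.' (or '10.0') matches 10.0.0.0 through 10.0.255.255.
    octets = [o for o in pattern.split(".") if o != ""]
    return str(client).split(".")[: len(octets)] == octets


def parse_rules(text: str) -> tuple[str, list[str], list[str]]:
    """Parse 'order', 'allow from', 'deny from' lines from an .htaccess-style text."""
    order, allows, denies = "deny,allow", [], []  # Apache 2.2 default Order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) >= 2:
            order = parts[1]
        elif keyword in ("allow", "deny") and len(parts) == 3 and parts[1].lower() == "from":
            (allows if keyword == "allow" else denies).extend(parts[2].split())
    return order, allows, denies


def evaluate(order: str, allows: list[str], denies: list[str], client_ip: str) -> bool:
    """Return True if the client is permitted under the given Order semantics."""
    client = ipaddress.IPv4Address(client_ip)
    allowed = any(_matches(p, client) for p in allows)
    denied = any(_matches(p, client) for p in denies)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # An Allow must match and no Deny may match; anything else is refused.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny is refused unless an Allow also matches; unmatched clients pass.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")


def is_allowed(rules_text: str, client_ip: str) -> bool:
    """Convenience wrapper: parse the rule text and evaluate one client address."""
    return evaluate(*parse_rules(rules_text), client_ip)


# The rule set from the thread, as constructed sample input.
RULES_FROM_THREAD = """
order allow,deny
deny from 10.0.
allow from all
"""

# The same directives with the Order reversed: every client is permitted.
RULES_WRONG_ORDER = RULES_FROM_THREAD.replace("order allow,deny", "order deny,allow")

if __name__ == "__main__":
    for ip in ("10.0.3.7", "10.0.255.255", "10.1.0.1", "192.0.2.10"):  # constructed
        print(f"{ip:>15}  thread rules: {is_allowed(RULES_FROM_THREAD, ip)!s:5}  "
              f"flipped order: {is_allowed(RULES_WRONG_ORDER, ip)}")
```

    Run it before editing gw.conf: if the "flipped order" column is True for an address you meant to block, the Order line, not the Deny line, is the problem.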

  • How to get list of groups and the users from OID

    Hi,
    Can someone please tell me how to get the list of GROUPS and all the USERS in each group in OID using Java? I need to recursively get all the groups and the users in each group using Java; any samples?
    Thanks

    use examples from OTN like
    http://www.oracle.com/technology/sample_code/products/jdev/readmes/samples/ldapdatacontrol/ldapapplication/src/dc/ldap/model/LDAPSearch.java
    and modify it to your needs
    Bernhard
