Using LDAP to search attribute bit flags using attribute OID values

Hello everyone,
My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:
"(useraccountcontrol:1.2.840.113556.1.4.803:=2)"
What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:
http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:
https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order
However, using this logic, I can't get these 03 and 04 operators to work with other attribute OIDs that use flags as values, such as the "searchflags" attribute, e.g. an LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)" returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.
So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this extensible match value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?
If I have my terms mixed up, please feel free to correct me on what the proper terms are.
Thanks!

Hmm yeah I posted that link above in my OP as well, and I was hoping that the OID values of these bitwise filters were somehow related to the shorter OID of the "useraccountcontrol" attribute, but it looks like it's just a coincidence.
So I wonder if the "useraccountcontrol" section of this article from my OP is a little misleading when it says:
To make a comparison, we either need to use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), or the LDAP_MATCHING_RULE_BIT_OR rule (1.2.840.113556.1.4.804) for our attribute OID (the AND rule adds a 03 suffix to denote the AND operation, and the OR rule adds a 04 suffix).
Following this logic, I should be able to use the "03" and "04" in other bitwise operations with different OIDs to search "AND" or "OR", but as I pointed out in my OP above, I can't seem to make this work with adding the "03" and "04" onto the end of other OIDs. So I will go with Christoffer that these bitwise OIDs (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) are unique in themselves, and the fact that they are 2 characters away from the OID of the "useraccountcontrol" attribute (1.2.840.113556.1.4.8) is just coincidence.
This does seem strange however, and it seems like there should be some correlation here....
If anyone has any more info, I would love to hear it!
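As an added illustration (not code from the original thread or from any of its posters), here is a small Python model of the two bitwise matching rules discussed above: it renders the extensible-match syntax a filter needs, evaluates AND/OR semantics over a constructed set of userAccountControl and searchFlags values, and shows that the rule OIDs work unchanged with any flag attribute, independent of the attribute's own OID. The flag bit values are Microsoft's documented userAccountControl and searchFlags bits; the sample entries and the `secretAttr` name are constructed.

```python
from __future__ import annotations

import re

# The two bitwise matching rules from the thread. Each is an OID in its own
# right; the "03"/"04" tail is not a suffix hung on the attribute OID
# (userAccountControl is 1.2.840.113556.1.4.8, searchFlags is
# 1.2.840.113556.1.2.334, and neither plays any part in the filter).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# A handful of userAccountControl bits (Microsoft's ADS_USER_FLAG values).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
}

# searchFlags bits used below: fATTINDEX (attribute is indexed) and fCONFIDENTIAL.
SEARCHFLAG_INDEX = 0x01
SEARCHFLAG_CONFIDENTIAL = 0x80

# Shape of a single extensible-match filter item: (attr:ruleOID:=value)
_EXTENSIBLE = re.compile(
    r"^\((?P<attr>[A-Za-z][\w-]*):(?P<rule>\d+(?:\.\d+)+):=(?P<value>\d+)\)$"
)


def build_bit_filter(attr: str, rule_oid: str, mask: int) -> str:
    """Render (attr:rule:=mask). The rule OID sits between the attribute name
    and ':=', which is why "(searchflags:=1.2.840.113556.1.2.33404:=0)" from
    the original post is not a valid extensible match and can never hit."""
    if mask <= 0:
        raise ValueError("bitwise rules need a non-zero mask; 0 matches nothing")
    return f"({attr}:{rule_oid}:={mask})"


def parse_bit_filter(filter_str: str) -> tuple[str, str, int]:
    m = _EXTENSIBLE.match(filter_str)
    if not m:
        raise ValueError(f"not an extensible-match filter: {filter_str}")
    return m.group("attr"), m.group("rule"), int(m.group("value"))


def bit_rule_matches(rule_oid: str, attr_value: int, mask: int) -> bool:
    """Evaluate the rule as a DC does: AND needs every mask bit set, OR any one."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & mask) == mask
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (attr_value & mask) != 0
    raise ValueError(f"unknown matching rule OID {rule_oid}")


def apply_filter(entries: dict[str, dict[str, int]], filter_str: str) -> list[str]:
    """Return the names of entries that satisfy a single bitwise filter item."""
    attr, rule, mask = parse_bit_filter(filter_str)
    hits = []
    for name, attrs in entries.items():
        # attribute names are case-insensitive, so "useraccountcontrol" works too
        value = {k.lower(): v for k, v in attrs.items()}.get(attr.lower())
        if value is not None and bit_rule_matches(rule, value, mask):
            hits.append(name)
    return sorted(hits)


def decode_uac(value: int) -> list[str]:
    """Name the known bits in a userAccountControl value (handy when reviewing hits)."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


# Constructed sample directory: a few user objects and a few schema attributes.
F = UAC_FLAGS
SAMPLE_USERS = {
    "alice": {"userAccountControl": F["NORMAL_ACCOUNT"]},
    "bob": {"userAccountControl": F["NORMAL_ACCOUNT"] | F["ACCOUNTDISABLE"]},
    "svc-backup": {"userAccountControl": F["NORMAL_ACCOUNT"] | F["DONT_EXPIRE_PASSWD"] | F["PASSWD_NOTREQD"]},
    "carol": {"userAccountControl": F["NORMAL_ACCOUNT"] | F["ACCOUNTDISABLE"] | F["DONT_REQUIRE_PREAUTH"]},
}
SAMPLE_SCHEMA = {
    "sAMAccountName": {"searchFlags": SEARCHFLAG_INDEX},
    "description": {"searchFlags": 0},
    "secretAttr": {"searchFlags": SEARCHFLAG_CONFIDENTIAL},  # hypothetical attribute name
}

if __name__ == "__main__":
    disabled = "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"  # the filter from the thread
    print(disabled, "->", apply_filter(SAMPLE_USERS, disabled))
    either = build_bit_filter("userAccountControl", LDAP_MATCHING_RULE_BIT_OR,
                              F["ACCOUNTDISABLE"] | F["DONT_EXPIRE_PASSWD"])
    print(either, "->", apply_filter(SAMPLE_USERS, either))
    # Valid syntax for the searchFlags query the thread could not get to work.
    indexed = build_bit_filter("searchFlags", LDAP_MATCHING_RULE_BIT_OR, SEARCHFLAG_INDEX)
    print(indexed, "->", apply_filter(SAMPLE_SCHEMA, indexed))
    for user, entry in SAMPLE_USERS.items():
        print(user, decode_uac(entry["userAccountControl"]))
```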

Similar Messages

  • My "Awesome Bar" is no longer using Google for search. It is using Yahoo. I want to switch it to Google, again.

    The Firefox URL address bar defaults to a search feature if the browser does not recognize the entry as a valid http, https, ftp etc URL.
    Until recently, it used Google. It is now using Yahoo search and I want to switch it back.
    Efforts to use Time Machine backups of my library files have not fixed the problem.

    Hey Shewmaker,
    You should take a look at this article on the Location Bar: https://support.mozilla.com/en-US/kb/Location%20bar%20search?s=location+bar&r=2&as=s#w_changing-the-internet-keyword-service . It will show you how to change the provider for the location bar search.
    Hopefully this helps!

  • What are attributes we can use in LDAP query in server derivation rules

    Q: What are attributes we can use in LDAP query in server derivation rules
    A: Server derivation rules can be defined for an LDAP server in the same way as that for a Radius server. As opposed to a Radius server, where the list of attributes that are defined for a server are standard, for an LDAP server, the attributes depend on the type of the server.
    The following table contains the list of attributes that are available for an Active Directory implementation. The server may maintain only a subset of these attributes, depending on how the user entries have been configured.
    Attribute Name:
    ==============
    sAMAccountname
    userPrincipalName
    givenName
    sn
    initials
    description
    physicalDeliveryOfficeName
    telephoneNumber
    mail
    wwwHomePage
    url
    logonHours
    logonWorkstation
    userAccountControl
    pwdLastSet
    userAccountControl
    accountExpires
    streetAddress
    postOfficeBox
    postalCode
    memberOf
    primaryGroupID
    title
    department
    company
    manager
    directReports
    profilePath
    scriptPath
    homeDrive
    homeDirectory
    HomeDirDrive
    telephoneNumber
    otherTelephone
    pager
    pagerOther
    mobile
    otherMobile
    fascimileTelephoneNumber
    otherFascimileTelephoneNumber
    ipPhone
    otherIpPhone

    praveen.tecnics wrote:
    > hi experts
    >
    > what are mapping rules in sap xi/pi? how can we use these rules for special characters mapping.
    to map special characters you need to use an element called CDATA in your mapping
    a special character causes an error....as XI won't be able to read it (as it is not in a proper XML format)...so to parse this character through XI without causing an error use the CDATA....just make a search on SDN and you will find the proper use of it....
    For your info: http://www.w3schools.com/XML/xml_cdata.asp
    Regards,
    Abhishek.
    Edited by: abhishek salvi on May 20, 2009 8:52 AM

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    try double clicking; Keychain Access should launch and ask if you want to install in login, System, or System Roots
    A dialog box will launch asking where to install the cert. Since you're configuring a VPN I would put the certificate in System.

  • In OS X Mavericks using Safari, the search bar at the top that i had on the previous system disappears only reappearing in the full screen. Do i have to go into full screen every time? Bit of a pain but no doubt I'm doing something wrong!

    In OS X Mavericks using Safari, the search bar at the top that i had on the previous system version disappears only reappearing in the full screen. Do i have to go into full screen every time? Bit of a pain but no doubt I'm doing something wrong!

    Those are all fine
    Here is how to see RAM overloaded…
    Reboot to see the system in its default state.
    Open TextEdit for the sake of it
    Open Activity Monitor & Terminal from /Applications/Utilities.
    Select the Memory tab
    In Terminal enter the following command
    memory_pressure -l critical
    # note that is a lowercase L
    RAM usage will climb, compression will begin the VM will become way more than the system has installed.
    Eventually the system will start swapping  (look for RED) - Watch the 'memory pressure' & 'Swap used' as this happens.
    Try switching to TextEdit - the system is still coping !
    Switch back to Terminal & hit ctrl+c to stop the process.
    Watch the VM & memory pressure return to normal levels.
    This OS kicks 4ss !
    Your problems may lie elsewhere

  • DAP using LDAP and Cisco Attributes

    I would like to be able to set up a Dynamic Access Policy with the criteria that if all of the following:
    cisco.grouppolicy=Sales
    ldap.memberOf=Remote_Access
    can have specific set of access. My Connection profile is using a Radius server to authenticate and assign the Group Policy.
    Is it possible to accomplish this? since it doesn't seem to work for me.

    Hi Luis,
    if you want to use LDAP attributes in your DAP policy, then you have to use LDAP for authentication or authorization in your tunnel-group.
    So you will either have to replace radius with ldap for authentication, OR keep radius for authentication and add ldap for authorization on top.
    hth
    Herbert

  • WCAP - Calendar search using LDAP ?

    Hi,
    Calendar 6.3 (WCAP) allows to search/subscribe other users calendars.
    There is this configuration setting in the ics.conf
    ! Calendar searches are done using LDAP or UserPreferene plugin
    service.calendarsearch.ldap = "yes"
    When I set this to yes, I have the following behaviour:
    - lightning: the service sometimes returns entries 3 times
    - Convergence: I can't search for secondary calendars.
    I made a simple test page to run "search_calprops.wcap" tests, and the server is really returning entries 3 times (it's not a lightning bug).
    For Convergence, there is an exception in the Error console, due to Convergence trying to create an object with an id that already exists (this can easily be fixed).
    When I comment out the configuration setting, everything works fine.
    The question is:
    Is it harmful not to rely on the LDAP for calendar subscription? Will it decrease the server's performance?
    Thank you.
    For the Convergence "this can easily be fixed", here is an example of customization:
    Class: iwc.widget.calendar.Subscribe
    Method: showCals
    Body:
    Replace
    this.currentCalIds.push(calid);
    this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
    With
    // BEGIN PATCH
    //this.currentCalIds.push(calid);
    //this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
    // No, the calendar may (and DOES) return duplicates, so check if the calid has
    // already been added
    var exists = false;
    dojo.forEach(this.currentCalIds, function(nm){
        if(calid == nm){ exists = true; }
    });
    if(!exists){
        this.currentCalIds.push(calid);
        this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
    }
    // END PATCH
    Edited by: diesmo on 29 March 2012 08:47

    Well, either:
    - I enable this, and my front-end server runs searches on the LDAP server, meaning that my back-end server is less loaded
    - I disable this, and my front-end server relies on the back-end server (using DWP) for calendar searches, which may (or may not) result in slower responses and/or heavier load on both my front-end and back-end server
    Anyway, we'll try to disable it, and monitor the service for some time to see what happens.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the "pam_authtok_check: minimum length from /etc/default/passwd: 8" line. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...

  • Filtering Groups on Windows Active Directory using LDAP Authentication

    Hi All,
    I have a small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB [code below].
    This module was developed and tested on weblogic 8.1 [on windows] and works fine.
    Now the same is moved to another environment: Websphere on Linux Suse. The code fails to retrieve any value from the Windows AD.
    Please note no exception is thrown either.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
    // set security credentials, note using simple cleartext authentication
    env.put(Context.SECURITY_AUTHENTICATION, authentication);
    env.put(Context.SECURITY_PRINCIPAL, adminName);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    // connect to my domain controller
    env.put(Context.PROVIDER_URL, domainController);
    // Create the initial directory context
    DirContext dirCtx = null;
    try {
        dirCtx = new InitialDirContext(env);
        // Create the search controls
        SearchControls searchCtls = new SearchControls();
        // Specify the attributes to return
        String returnedAtts[] = {"member"};
        searchCtls.setReturningAttributes(returnedAtts);
        // Specify the search scope
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        int totalResults = 0;
        // Search for objects using the filter, on the context created above
        NamingEnumeration<SearchResult> results = dirCtx.search(searchBase, searchFilter, searchCtls);
        while (results.hasMore()) {
            SearchResult sr = results.next();
            totalResults++;
            System.out.println(sr.getNameInNamespace());
        }
    } catch (NamingException e) {
        // a failed bind or search surfaces here instead of silently returning nothing
        e.printStackTrace();
    } finally {
        if (dirCtx != null) { try { dirCtx.close(); } catch (NamingException ignored) {} }
    }
    In the above code the method exits even before the try block[i could detect this using Sysout's]
    Below is the property file from which the values are read.
    admin=username
    password=password
    #AD search attributes
    searchBase=DC=domainname,DC=domainname
    searchFilter=(&(objectClass=group) (CN=value*))
    #JNDI context attributes
    ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
    authentication=simple
    domainController=ldap://address
    groupPattern=pattern
    Please assist,
    Thanks in Advance
    Message was edited by:
    radiant
    Message was edited by:
    radiant

    Assuming it is the same Active Directory environment and only your Java platform has changed, then I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password?). By default, Windows Server 2003 domains do not return any results to anonymous users.

  • Significance of 3 flags used in almost all the tables

    Hello everyone,
    Please let me know the significance of flags used in almost all the tables in BI/BW.
    If the flags are initial, what does that signify ?
    CHCKFL : Flag: Value in check tables
    DATAFL : Flag: Value in dimension or available as attribute
    INCFL     : Flag: Value is built into all inclusion tables
    If CHCKFL is initial, it means this record is not maintained in the Check table, and so I won't see it if I search for it in its InfoObject (that contains this table).
    How should I retrieve such a record?
    Thanks
    Edited by: shalaxy s on Nov 19, 2009 5:44 PM

    Hi,
    These flags are a kind of "where used" flags.
    CHCKFL, DATAFL
    Re: Meaning of CHCKFL DATAFL INCFL in sid table of IO
    INCFL
    Used in inclusion tables of external hierarchies
    These fields are also initial when you delete master data of a characteristic with option not to delete related SIDs.
    Hope this helps
    Joe

  • WLS 5.1.0 (sp8) using LDAP on OS390

    Help. I'm having a problem booting up WLS 5.1.0 (SP8) using the new
    LDAPRealm properties format. Our LDAP server doesn't use the "standard"
    attributes (c, o, ou, uid) to define a DN and filter. Does the new way
    WLS uses LDAP require that an LDAP server use these standard attributes
    for the DN and filter? (It boots up OK with a server that uses these
    standard attributes). Do I have the properties correctly formatted to
    work with SP8?
    # Properties for IBM OS/390 Directory Server (SP5) >>>> OLD <<<<
    # Directory Server Properties
    weblogic.security.ldaprealm.url=ldap://XXXXXXXXXXXXX
    weblogic.security.ldaprealm.authentication=simple
    weblogic.security.ldaprealm.ssl=false
    weblogic.security.ldaprealm.principal=racfid=weblogic,profiletype=user,sysplex=plex1
    weblogic.security.ldaprealm.credential=XXXXXXXXXXXXX
    # User Schema
    weblogic.security.ldaprealm.userDN=sysplex=plex1,profiletype=user
    weblogic.security.ldaprealm.userNameAttribute=racfid
    weblogic.security.ldaprealm.userPasswordAttribute=racfpassword
    # Group Schema
    weblogic.security.ldaprealm.groupDN=o=City of San Diego,ou=Groups
    weblogic.security.ldaprealm.groupNameAttribute=cn
    weblogic.security.ldaprealm.groupUsernameAttribute=member
    # Properties for IBM OS/390 Directory Server (SP8) >>>> NEW <<<<
    server.alias=os390
    # Directory Server Properties
    os390.server.host=XXXXXXXXXXX
    os390.server.port=XXXXX
    os390.server.principal=racfid=weblogic,profiletype=user,sysplex=plex1
    os390.server.credential=XXXXXXXXXXXX
    # User Schema
    os390.user.dn=profiletype=user,sysplex=plex1
    os390.user.filter=(&(racfid=%u)(objectclass=racfuser))
    # Group Schema
    os390.group.dn=ou=Groups,o=City of San Diego
    os390.group.filter=(&(cn=%g)(objectclass=groupofnames))
    os390.membership.filter=(&(member=%M)(objectclass=groupofnames))
    Here's the error...
    Unable to initialize server:
    weblogic.security.ldaprealm.LDAPRealmException: caught unexpected
    exception - with nested exception:
    [netscape.ldap.LDAPException: error result (87)]
    fatal initialization exception
    weblogic.security.ldaprealm.LDAPRealmException: caught unexpected
    exception - with nested exception:
    [netscape.ldap.LDAPException: error result (87)]
    at
    weblogic.security.ldaprealm.LDAPDelegate.handleException(LDAPDelegate.java:865)
    at
    weblogic.security.ldaprealm.LDAPDelegate.getUser(LDAPDelegate.java:848)
    at weblogic.security.ldaprealm.LDAPRealm.getUser(LDAPRealm.java:51)
    at
    weblogic.security.acl.CachingRealm.getUserEntry(CachingRealm.java:1121)
    at
    weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:985)
    at
    weblogic.security.acl.CachingRealm.getPrincipal(CachingRealm.java:1024)
    at
    weblogic.security.acl.CachingRealm.addPermission(CachingRealm.java:813)
    at
    weblogic.security.acl.CachingRealm.setupAcls(CachingRealm.java:802)
    at weblogic.security.acl.CachingRealm.<init>(CachingRealm.java:706)
    at weblogic.security.acl.CachingRealm.<init>(CachingRealm.java:564)
    at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1759)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1093)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    (Docs for LDAPException don't have an error result 87)
    Thanks in advance,
    Jeff Cabuhat

    I can't get weblogic 5.1, SP8 to work with the os390 ldap server. I
    get the same error as Jeff got below. I can get it to work fine with a
    Netsape ldap server, but unfortunately I really need it to work with the
    os390 ldap server. Does anyone know the solution to this problem?
    Thanks,
    Heather
    Peter Bower wrote:
    > Jeff wrote:
    > > Does the new way WLS uses LDAP require that an LDAP server use these
    > > standard attributes for the DN and filter?
    > If you turn on logging, do the dn, filter, and scope look correct ?
    > -Dweblogic.security.ldaprealm.verbose=true
    > This should log the dn, filter, and scope that is passed to the
    > LDAPConnection.search method.
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1093)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    (Docs for LDAPException don't have an error result 87)
    Thanks in advance,
    Jeff Cabuhat
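Added example, not code from the thread or from WebLogic: the os390.user.filter template from the post with a login name substituted for %u, run through a small structural validator, with RFC 4515 escaping beside the raw substitution. Result code 87 is filterError in the LDAP protocol (RFC 4511), which is why logging the dn, filter and scope as suggested above is the right first step. It is an assumption here, not something the thread establishes, that the realm substitutes the login name for %u verbatim; the login names and the injection payload are constructed.

```python
# Added example (not code from the thread or from WebLogic): the user
# filter template from the post, with a login name substituted for %u.
# Assumption, not established by the thread: the realm substitutes the
# raw login name for %u.  Result code 87 is filterError in RFC 4511.
import re

TEMPLATE = '(&(racfid=%u)(objectclass=racfuser))'

# RFC 4515 section 3: characters that must be escaped as \XX inside an
# assertion value (NUL included; servers reject it unescaped).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, user, escape=True):
    """Substitute the login name for %u, escaped (the safe way) or raw."""
    return template.replace('%u', escape_filter_value(user) if escape else user)


# One (attr op value) leaf; attr may carry an extensible-match rule
# (attr:oid:=value); value may only contain plain chars or \XX escapes.
_ITEM = re.compile(r'^([A-Za-z][A-Za-z0-9.;:-]*)(=|>=|<=|~=|:=)(.*)$', re.S)
_VALUE = re.compile(r'^(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*$', re.S)


def _parse(s, i):
    """Parse one filter starting at s[i] == '('; return index past ')'."""
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected ( at %d' % i)
    i += 1
    if i >= len(s):
        raise ValueError('unterminated filter')
    if s[i] in '&|':                      # AND / OR over one or more filters
        i += 1
        count = 0
        while i < len(s) and s[i] == '(':
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise ValueError('empty filter list')
    elif s[i] == '!':                     # NOT over exactly one filter
        i = _parse(s, i + 1)
    else:                                 # simple item up to the first ')'
        j = s.find(')', i)
        if j < 0:
            raise ValueError('unterminated item')
        m = _ITEM.match(s[i:j])
        if not m or not _VALUE.match(m.group(3)):
            raise ValueError('bad item %r' % s[i:j])
        i = j
    if i >= len(s) or s[i] != ')':
        raise ValueError('expected ) at %d' % i)
    return i + 1


def is_well_formed(filt):
    """True if the whole string is one structurally valid LDAP filter.
    Not a full RFC 4515 parser; enough to catch what a server rejects
    with filterError (87) for the shapes used here."""
    try:
        return _parse(filt, 0) == len(filt)
    except ValueError:
        return False


def demo(template=TEMPLATE):
    """Constructed login names: a normal one, one with a stray ')', and a
    textbook LDAP-injection payload.  Returns {(user, escaped): (filter,
    well_formed)} so the two failure modes can be compared."""
    out = {}
    for user in ('weblogic', 'jeff)', '*)(racfid=*'):
        for escaped in (True, False):
            f = build_filter(template, user, escape=escaped)
            out[(user, escaped)] = (f, is_well_formed(f))
    return out


if __name__ == '__main__':
    for (user, escaped), (f, ok) in demo().items():
        print('%-12s escaped=%-5s well_formed=%-5s %s' % (user, escaped, ok, f))
```

Two things the output shows. A stray ')' in the substituted value makes the filter structurally invalid, which is exactly what a server reports as filterError; escaping it as \29 keeps the filter valid and the value literal. The injection payload is worse: substituted raw it yields a perfectly well-formed filter, (&(racfid=*)(racfid=*)(objectclass=racfuser)), that matches every racfuser, so a validator alone is not a defence; the escaping is.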

  • How do I use LDAP with iMQ 2.0?

    I am looking for an example to see how to use LDAP with iMQ 2.0.
    I was able to set up the config settings to access a local LDAP,
    but iMQ authentication still rejects valid logins.
    Let me know if I can find more info someplace.

    You can also find an example I put together in the Sun One knowledge base.
    If you go here:
    http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
    Search for article 7772
    Alternatively here is the direct link
    http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me. Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
    assert(function()
        if ( (type(aaa.ldap.distinguishedName) == "string") and
             (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
        then
            return true
        end
        return false
    end)()
    From the debug dap output you can see what Users relates to:
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
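Added example, not code from the thread or from Cisco: the DAP expression Andrew posted calls string.find on aaa.ldap.distinguishedName, which is a substring search over the DN, so any DN containing the text "OU=Users" anywhere satisfies it. The block below models that test in Python beside an exact-RDN test and a direct-parent test, on constructed DNs shaped like the DAP_TRACE lines above (none are real accounts), so the difference is visible. The ASA itself evaluates Lua; this only mirrors the comparisons.

```python
# Added example (not code from the thread or from Cisco): the posted DAP
# expression tests string.find(aaa.ldap.distinguishedName, "OU=Users"),
# i.e. a substring search over the DN.  This models that test in Python
# next to an exact-RDN test so the difference shows on constructed DNs.
# The ASA evaluates Lua; this only mirrors the two comparisons.

def substring_match(dn, needle='OU=Users'):
    """The posted logic: true if the text occurs anywhere in the DN."""
    return needle in dn


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 string form);
    backslash-escaped characters are kept with their escape."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # escaped char: keep both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur).strip())
    return parts


def rdn_match(dn, rdn='OU=Users'):
    """True only if some whole RDN equals the target (case-insensitive,
    as AD compares OU names); 'OU=Users Archive' no longer qualifies."""
    want = rdn.casefold()
    return any(part.casefold() == want for part in split_rdns(dn))


def direct_parent_match(dn, rdn='OU=Users'):
    """Stricter: the object's immediate container must be the target,
    so an account in a sub-OU below OU=Users does not qualify."""
    parts = split_rdns(dn)
    return len(parts) > 1 and parts[1].casefold() == rdn.casefold()


# Constructed DNs modelled on the DAP_TRACE lines in the post; none of
# these are real accounts.
SAMPLE_DNS = [
    'CN=Mr B,OU=Users,OU=Site A,DC=CH,DC=Mycompany,DC=com',                # intended hit
    'CN=Admin Mr B,OU=Admin Users,OU=Site A,DC=CH,DC=Mycompany,DC=com',    # intended miss
    'CN=Old Acct,OU=Users Archive,OU=Site A,DC=CH,DC=Mycompany,DC=com',    # substring false positive
    'CN=Svc,OU=Contractors,OU=Users,OU=Site A,DC=CH,DC=Mycompany,DC=com',  # nested below OU=Users
    'CN=Smith\\, John,OU=Users,OU=Site A,DC=CH,DC=Mycompany,DC=com',       # escaped comma in CN
]


def compare(dns=SAMPLE_DNS):
    """Return {dn: (substring, rdn, direct_parent)} for each sample DN."""
    return {dn: (substring_match(dn), rdn_match(dn), direct_parent_match(dn))
            for dn in dns}


if __name__ == '__main__':
    for dn, flags in compare().items():
        print('substring=%-5s rdn=%-5s parent=%-5s %s' % (flags + (dn,)))
```

The posted check does reject the "OU=Admin Users" account, because that string does not contain "OU=Users", but it would accept anything under an OU whose name merely starts with "Users" (the "OU=Users Archive" row), and it accepts accounts in any sub-OU under OU=Users, which may or may not be intended. Matching on a whole RDN, or on the immediate parent, is the tighter form of the same rule. A container check is also not the group-membership check the question first asked for: an account can sit in OU=Users without being a member of the group.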

  • Compilation of C program in 64 bit mode using  gcc

    How do I compile a C program in 64-bit mode using gcc 2.95.2? I am using SunOS 5.8.
    Please give the command.

    When I use the following script
    cc -w -v -DSOLARIS -DSOLARIS2 -m64 -c $1.c -I./. -I/usr/lib/sparcv9 -I/usr/include -I/usr/include/sys -I/usr1/soft/smshdr -I/oracle9i/precomp/public -I/oracle9i/sqllib/public
    I got the following error. Please help.
    Reading specs from /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/specs
    gcc version 2.95.2 19991024 (release)
    /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/cpp -lang-c -v -I./. -I/usr/lib/sparcv9 -I/usr/include -I/usr/include/sys -I/usr1/soft/smshdr -I/oracle9i/precomp/public -I/oracle9i/sqllib/public -D__GNUC__=2 -D__GNUC_MINOR__=95 -Dsparc -Dsun -Dunix -D__svr4__ -D__SVR4 -D__sparc__ -D__sun__ -D__unix__ -D__svr4__ -D__SVR4 -D__sparc -D__sun -D__unix -Asystem(unix) -Asystem(svr4) -w -D__arch64__ -Acpu(sparc64) -Amachine(sparc64) -DSOLARIS -DSOLARIS2 XCupCRC.c /var/tmp/cckMTbiU.i
    GNU CPP version 2.95.2 19991024 (release) (sparc)
    #include "..." search starts here:
    #include <...> search starts here:
    /usr/lib/sparcv9
    /usr/include
    /usr/include/sys
    /usr1/soft/smshdr
    /oracle9i/precomp/public
    /opt/sfw/include
    /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/../../../../sparc-sun-solaris2.8/include
    /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/include
    /usr/include
    End of search list.
    The following default directories have been omitted from the search path:
    /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/../../../../include/g++-3
    End of omitted list.
    /opt/sfw/lib/gcc-lib/sparc-sun-solaris2.8/2.95.2/cc1 /var/tmp/cckMTbiU.i -quiet -dumpbase XCupCRC.c -m64 -w -version -o /var/tmp/ccqeBknF.s
    cc1: -m64 is not supported by this configuration
    cc1: -mptr32 not allowed on -m64
    GNU C version 2.95.2 19991024 (release) (sparc-sun-solaris2.8) compiled by GNU C version 2.95.2 19991024 (release).
    XCupCRC.c: In function `XCupCRC':
    XCupCRC.c:45: internal error--unrecognizable insn:
    (insn 208 206 210 (set (reg:DI 10 %o2)
    (symbol_ref:DI ("*.LLC0"))) -1 (nil)
    (nil))

  • Authentication Problem with ACS 5.2 Using LDAP

    Hi!
    I want to use LDAP for connecting to Active Directory but I get this error from ACS 5.2 (22056 subject not found in the applicable identity stores). Is there anyone who can help me?
    I used this configuration in ACS 5.2:
    Users and Identity Stores / External identity store / LDAP / Directory Organization
    Subject ObjectClass: User
    Subject Name attribute: sAMAccountName
    Group ObjectClass: Group
    Group Map Attribute: MemberOf

    Two questions:
    - did you press "Test Bind to Server" from LDAP "Server Connection" tab and "Test Configuration" from "Directory Organization" tab?
    - did you select the LDAP database as the result in the identity policy?
