WCAP - Calendar search using LDAP ?

Hi,
Calendar 6.3 (WCAP) allows searching/subscribing to other users' calendars.
There is this configuration setting in the ics.conf
! Calendar searches are done using LDAP or UserPreferene plugin
service.calendarsearch.ldap = "yes"
When I set this to yes, I have the following behaviour:
- Lightning: the service sometimes returns entries 3 times
- Convergence: I can't search for secondary calendars.
I made a simple test page to run "search_calprops.wcap" tests, and the server is really returning entries 3 times (it's not a Lightning bug).
For Convergence, there is an exception in the Error console, due to Convergence trying to create an object with an id that already exists (this can easily be fixed).
When I comment out the configuration setting, everything works fine.
The question is :
Is it harmful not to rely on the LDAP for calendar subscription ? Will it decrease the server's performance ?
Thank you.
For the Convergence "this can easily be fixed", here is an example of customization :
Class:
iwc.widget.calendar.Subscribe
Method : showCals
Body :
Replace
this.currentCalIds.push(calid);
this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
With
// BEGIN PATCH
//this.currentCalIds.push(calid);
//this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
// No, the calendar may (and DOES) return duplicates, so check if the calid has
// already been added
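var exists = false;
dojo.forEach(this.currentCalIds, function(nm){
  // Flag the calid if it is already in the list of displayed calendars
  if(calid == nm){ exists = true; }
});
// Only add a row the first time a calid is seen
if(!exists){
  this.currentCalIds.push(calid);
  this._makeRow({id:calid, n:cal[c.NAME], p:perm}, cnt);
}
// END PATCH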
Edited by: diesmo on 29 mars 2012 08:47

Well, either:
- I enable this, and my front-end server runs searches on the LDAP server, meaning that my back-end server is less loaded
- I disable this, and my front-end server relies on the back-end server (using DWP) for calendar searches, which may (or may not) result in slower responses and/or heavier load on both my front-end and back-end server
Anyway, we'll try to disable it, and monitor the service for some time to see what happens.

Similar Messages

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double clicking; Keychain Access should launch and ask if you want to install to login, system, or System Roots.
    A dialog box will launch asking where to install the cert. Since you're configuring a VPN, I would put the certificate in system.

  • How to use the UME api in order to search the LDAP?

    Hello,
    I have an application which connects to the LDAP the portal is connecting to and search users according to a certain search criteria.
    Here is the relevant piece of code:
    Hashtable env = new Hashtable();
    DirContext ctx = new InitialDirContext(env);
    SearchControls controls = new SearchControls();
    String filter = "firstName=...";
    NamingEnumeration results = ctx.search("OU=OUs", filter, controls);
    I would like to do this same search using the UME API.
    Can someone please show me the equivalent code to it using the UME API?

    Hi Roy,
    you find the Configuration File you are using in your portal via System Administration -> System Configuration -> UM Configuration -> Data Sources
    or in sapume.properties where you can find
    ##xml file that configures the persistence except roles
    ume.persistence.data_source_configuration=YOUR_DATASOURCE_CONFIG_FILE.xml
    In this xml file, there is the entry
    <principal type="user">:
    <principal type="user">
      <nameSpaces>
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            <attribute name="firstname" populateInitially="true"/>
            <attribute name="displayname" populateInitially="true"/>
            <attribute name="lastname" populateInitially="true"/>
            <attribute name="fax"/>
            <attribute name="email"/>
            <attribute name="title"/>
            <attribute name="department"/>
            <attribute name="extensionAttribute2"/>
            <attribute name="mobile"/>
            <attribute name="telephone"/>
            <attribute name="streetaddress"/>
            <attribute name="pobox"/>
            <attribute name="location"/>
            <attribute name="telephoneShort"/>
          </attributes>
        </nameSpace>
        <nameSpace name="com.sap.security.core.usermanagement.relation">
          <attributes>
            <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
          </attributes>
        </nameSpace>
      </nameSpaces>
    </principal>
    According to your company LDAP attributes, you will have to extend the above attributes, telephoneShort for example is an attribute within our company.
    The UME API does the rest.
    All you have to do, is request the right attribute (in my above example it was the last name).
    (Sorry for the format, but it is quite cumbersome to format it properly with the available editor   )
    Kind regards,
    Rebecca

  • LDAP Search using an input User Name returning context

    I'm trying to find a way to search the LDAP tree, using only an input UserID and return the context. For example (ou=ISD,ou=CAMP,o=DIV).
    This is what I have thus far:
    ....an anonymous bind has already been established with the server...
    String sFilter = ("cn=" + sUserid);
    int searchScope = LDAPConnection.SCOPE_BASE;
    String searchFilter = "Objectclass=user";
    LDAPSearchResults searchResults =
    conn.search( sFilter,
    searchScope,
    searchFilter,
    null, // return all attributes
    false); // return attrs and values
    any help would be greatly appreciated.

    From looking at the API
    http://docs.sun.com/source/816-5618-10/netscape/ldap/LDAPSearchResults.html
    http://docs.sun.com/source/816-5618-10/netscape/ldap/LDAPEntry.html
    while(searchResults.hasMoreElements()) {
      LDAPEntry next = searchResults.next();
      String contextDN = next.getDN();
    }
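An added example for the thread above (not code from either poster): it builds the user-lookup filter with RFC 4515 escaping, so a user-supplied ID cannot change the filter's structure, and derives the context from the DN that `getDN()` returns by dropping the leading RDN. The function names and sample values are constructed for illustration; the search base and subtree scope are left to the caller.

```python
"""Safe filter construction and DN-to-context extraction for a user lookup."""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_SPECIALS = set("\\*()\x00")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))  # e.g. "*" becomes "\2a"
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(userid: str) -> str:
    """Filter matching one user entry by cn, as in the thread's example."""
    return "(&(objectClass=user)(cn=%s))" % escape_filter_value(userid)


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair intact; an escaped comma is part of the value.
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


def parent_context(dn: str) -> str:
    """Return the DN without its first RDN, i.e. the entry's container."""
    return ",".join(split_dn(dn)[1:])


if __name__ == "__main__":
    # Constructed sample values.
    print(build_user_filter("smith (ops)*"))
    print(parent_context("cn=jdoe,ou=ISD,ou=CAMP,o=DIV"))
```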

  • How do I use LDAP with iMQ 2.0?

    I am looking for an example to see how to use LDAP with iMQ 2.0.
    I was able to set up the config settings to access a local LDAP,
    but iMQ authentication still rejects valid logins.
    Let me know if I can find more info someplace.

    You can also find an example I put togther in the Sun One knowledge base.
    If you go here:
    http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
    Search for article 7772
    Alternatively here is the direct link
    http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
       if ( (type(aaa.ldap.distinguishedName) == "string") and
            (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
    then
           return true
       end
       return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew

  • Outlook 2013 crashes when opening Calendar search result

    I have a user who uses her Outlook 2013 calendar extensively, mainly to note for herself when she has spoken to a customer, and creating appointments for when she needs to speak to them again. (This is outside of our policy to note the contact in
    MS CRM.) She can have scores of such Calendar items each day.
    When searching for these appointments in her Calendar, she gets the list of results, but Outlook crashes when she tries to open any of them. Sometimes Outlook restarts on its own, sometimes she must relaunch it herself.
    Related threads reference a wwlib.dll error, but she is not getting that. It is Outlook.exe itself that is crashing. There are other threads that reference other open windows, or items containing webpages or tables, but these do not apply to her, either.
    Event Data (two related entries) contain the following:
    On answers.microsoft.com, Girish M (Support Engineer who eventually directed me here), asked me to run Scanpst.exe. I would paste the results here, but this window does not seem to allow pasting. A summary description of what it found on her .ost file (no .pst in use) is basically this:
    **Beginning NDB recovery
      **Attempting to open database
      **Attempting to validate header
      **Attempting to validate AMap
      **Attempting to validate BBT
      **Attempting to validate NBT
      **Attempting to validate BBT refcounts
        ??Couldint find BBT entry in the RBT (E025CC)
      **Attempting to validate header NID high-water marks
    **Beginning PST/OST recovery
      **Attempting to recover all top-level objects
        **Store created by biuld: 15.4517
      **Attempting to walk all folders
          Failed to add row to the FLT, RowID = 719
          Failed to add row to the FLT, RowID = 6CD
          Failed to add row to the FLT, RowID = 6DE
          Failed to add row to the FLT, RowID = 6D8
    and so on, and so on, with a few hundred more FLT RowID errors, finally ending with:
      **Attempting to locate any orphaned folders/messages
      **Performing Final HMP validation
      **Attempting to check top-level objects for consistency
      **Updating folder hierarchy
      **Verifying message moves
    My understanding of the Scanpst.exe process is that it also disables any addons which might cause crashing, but the issue is still being experienced. Running Scanpst.exe a second time (appending the previous log, although it seemed to actually prepend the
    file) only returned a few lines from the top of the result above ending with "Attempting to validate BBT."
    Fixes not attempted yet that I have found performing searches include running the Office Repair tool, or checking for KB2817631 (a Word update that is apparently having adverse effects on Outlook, not attempted yet because it seems to be related to the wwlib.dll error, which is not happening here).
    Any thoughts out there? Thanks!

    Mavis,
    Thanks for the reply. Running Outlook using /cleansharing and
    /cleanroamedprefs did not have any effect when used individually or in combination with each other.
    Running the Search Index Rebuild option also did not seem to do anything, as the pop-up message indicated that it may take a long time to finish, and yet seemed to finish instantaneously, not giving any indication that the indexing took place. The option
    window immediately said "Indexing complete" for 23,755 items.
    As to the Outlook Forum, they are the ones who directed me to this forum (you can see the thread on the Answers support page under Office - Office 2013 - Microsoft Office Outlook - Office on Windows 7, under the title "Outlook 2013 restarts when
    opening Calendar Search result item" first posted on Dec 11, 2013), as Girish M felt that it might be due to Exchange, and not Outlook. (I have no reports of any of our other users on the same Exchange server having the problem with their Outlook, but
    they also do not use it the way this user has been.)
    I can repost the issue there, or continue the same thread, if you think the issue lies with them. Was the "Answers" site the improper place to post, perhaps? Should it go in a different thread on Technet instead?
    Thanks for your assistance!
    Edited to add:
    Here are the KBs installed just before or on the date the problem started (12/6/2013):
    12/5/2016 (Office updates, all 32-Bit):
    Security Update Office 2013 KB2768005
    Office 2013 KB2768016
    Office 2013 KB2817640
    Office 2013 KB2827228
    Security Office 2013 KB2837618
    Word 2013 KB2817631
    InfoPath 2013 KB2752078
    Office 2013 KB2817493
    Office 2013 KB2760539
    Office 2013 KB2827235
    Office 2013 KB2827225
    Security Excel 2013 KB2827238
    Office 2013 KB2760242
    Office 2013 KB2817626
    Office 2013 KB2817314
    Office 2013 KB2760610
    Access 2013 KB2768008
    Office 2013 KB2738038
    SkyDrive Pro KB2825633
    Security Office 2013 KB2817623
    Office 2013 KB2760267
    Visio Viewer 2013 KB2768338
    Office 2013 KB2827230
    OneNote 2013 KB2810016
    Office 2013 KB2827228
    Office 2013 KB2767845
    Definition Office 2013 KB2760587
    Office 2013 KB2726996
    Security Office 2013 KB2810009
    Office 2013 KB2817316
    Word 2013 KB2817631
    Lync 2013 KB2817621
    Office 2013 KB2760224
    Office 2013 KB2726954
    Office 2013 KB2817640
    Publisher 2013 KB2752097
    PowerPoint 2013 KB2817625
    Office 2013 KB2760257
    Office 2013 KB2817309
    Security Outlook 2013 KB2837618
    Visio 2013 KB2752018
    Office 2013 KB2817490
    Word 2013 KB2827218
    Office 2013 KB2760553
    12/6/2013 (for Windows, all Security):
    KB2900986
    KB2888505
    KB2876331
    KB2868725
    KB2868626
    KB2862152
    I listed all updates because there have been reported instances of a Word update causing Outlook to crash, but she is not getting the wwlib.dll error related to that KB. If you are aware of any issues with these updates, and which ones might be worth uninstalling
    in an attempt to fix, please let me know.
    Thanks again!

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8. It is clearly not using the policy from the directory server but checking locally. So I can log in OK using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...
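Why the length check in this thread is applied locally, as an added example (not code from the original posts): it resolves the module stack used for a `passwd` password change from the posted pam.conf lines, falling back to the `other` entries when the service has none of that type, and reports the local checks that run before `pam_authtok_store`. The helper names and the trimmed sample are constructed for illustration.

```python
"""Resolve the PAM stack for a service/type pair from Solaris-style pam.conf."""
import os
from typing import List, NamedTuple, Tuple


class PamEntry(NamedTuple):
    service: str
    mtype: str      # auth | account | session | password
    control: str    # requisite | required | binding | sufficient | optional
    module: str
    options: Tuple[str, ...]


# Trimmed copy of the pam.conf lines posted above (sample input for this example).
SAMPLE_PAM_CONF = """\
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
other auth requisite pam_authtok_get.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# Default definition for Password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
"""

# Modules treated as local policy checks. The debug log in the thread shows
# pam_authtok_check reading its minimum length from /etc/default/passwd.
LOCAL_CHECK_MODULES = {"pam_authtok_check"}


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse 'service type control module [options...]' lines, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: ignore rather than guess
        service, mtype, control, module, *opts = fields
        entries.append(PamEntry(service.lower(), mtype.lower(),
                                control.lower(), module, tuple(opts)))
    return entries


def module_name(path: str) -> str:
    """'/usr/lib/security/pam_ldap.so.1' -> 'pam_ldap'."""
    return os.path.basename(path).split(".so")[0]


def resolve_stack(entries: List[PamEntry], service: str, mtype: str) -> List[PamEntry]:
    """Entries for (service, type); the 'other' entries apply when none exist."""
    explicit = [e for e in entries if e.service == service and e.mtype == mtype]
    if explicit:
        return explicit
    return [e for e in entries if e.service == "other" and e.mtype == mtype]


def local_checks_before_store(stack: List[PamEntry]) -> List[Tuple[str, str]]:
    """Local policy modules (name, control flag) that run before pam_authtok_store."""
    found = []
    for entry in stack:
        name = module_name(entry.module)
        if name == "pam_authtok_store":
            break
        if name in LOCAL_CHECK_MODULES:
            found.append((name, entry.control))
    return found


if __name__ == "__main__":
    stack = resolve_stack(parse_pam_conf(SAMPLE_PAM_CONF), "passwd", "password")
    for e in stack:
        print(e.service, e.mtype, e.control, module_name(e.module), " ".join(e.options))
    print("local checks before store:", local_checks_before_store(stack))
```

Because `pam_authtok_check` is `requisite`, a new password that fails the local length check is rejected before `pam_authtok_store` runs.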

  • Filtering Groups on Windows Active Directory using LDAP Authentication

    Hi All,
    I have a small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB [code below].
    This module was developed and tested on WebLogic 8.1 [on Windows] and works fine.
    Now the same is moved to another environment: WebSphere on Linux SUSE. The code fails to retrieve any value from the Windows AD.
    Please note no exception is thrown either.
    env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
              //set security credentials, note using simple cleartext authentication
              env.put(Context.SECURITY_AUTHENTICATION,authentication);
              env.put(Context.SECURITY_PRINCIPAL,adminName);
              env.put(Context.SECURITY_CREDENTIALS,adminPassword);
              //connect to my domain controller
              env.put(Context.PROVIDER_URL, domainController);
              // Create the initial directory context
              try {
                                  dirCtx = new InitialDirContext(env);
                   // Create the search controls           
                   SearchControls searchCtls = new SearchControls();
                   //Specify the attributes to return
                   String returnedAtts[]={"member"};
                   searchCtls.setReturningAttributes(returnedAtts);
                   //Specify the search scope
                   searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                   int totalResults = 0;
                   int iteration=0;
                   // Search for objects using the filter
                   NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
    In the above code the method exits even before the try block [I could detect this using Sysouts].
    Below is the property file from which the values are read.
    admin=username
    password=password
    #AD search attributes
    searchBase=DC=domainname,DC=domainname
    searchFilter=(&(objectClass=group) (CN=value*))
    #JNDI context attributes
    ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
    authentication=simple
    domainController=ldap://address
    groupPattern=pattern
    Please assist,
    Thanks in Advance
    Message was edited by:
    radiant

    Assuming it is the same Active Directory environment and only your Java platform has changed, then I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password?). By default, Windows Server 2003 domains do not return any results to anonymous users.

  • How can I extend the 2-year search window of Calendar search

    How can I extend the 2-year search window of Calendar search in iPhone 5s ? I basically want 'Search' to search everything in the phone, not just restricted to a 2-year window.

    See my link above... it's a documented limitation...
    Calendar and Reminder search
    Spotlight searches for the title of calendar events and reminders in a two-year window—it will reveal results from one year in the past and one year in the future. If an event has recurrences that fall in this range, it will find the event that is closest to the current date.
    If multiple events have similar details (title, notes, location, and so on) and you search for these details, Spotlight will show the most recent event. To see more results, use search in Calendar or Reminders.

  • Can TREX search extern LDAP?

    Hi guys,
    I am planning to search an external LDAP with TREX (running on Java Web AS 6.40) and view the result in SAP EP 6.0 SP 14.
    But so far I did not find a Repository Manager (=> System Administration => System Configuration => Knowledge Management => Content Management => Repository Managers) which seems to fit.
    That comes fairly surprising, considering that TREX can search UME which may be based on a LDAP server. There should be a way to search external LDAP servers as well.
    Does anyone know how to search an external LDAP with TREX. Please let me know.
    Kind Regards,
    Martin

    Hi Rob,
    The Who's Who iView uses a TREX index within KM - working on the UME repository within KM.
    ==> The answer is no.
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/21/ac21410bc3ef23e10000000a155106/frameset.htm
    Hope it helps
    Detlev

  • WLS 5.1.0 (sp8) using LDAP on OS390

    Help. I'm having a problem booting up WLS 5.1.0 (SP8) using the new
    LDAPRealm properties format. Our LDAP server doesn't use the "standard"
    attributes (c, o, ou, uid) to define a DN and filter. Does the new way
    WLS uses LDAP require that an LDAP server use these standard attributes
    for the DN and filter? (It boots up OK with a server that uses these
    standard attributes). Do I have the properties correctly formatted to
    work with SP8?
    # Properties for IBM OS/390 Directory Server (SP5) >>>> OLD <<<<
    # Directory Server Properties
    weblogic.security.ldaprealm.url=ldap://XXXXXXXXXXXXX
    weblogic.security.ldaprealm.authentication=simple
    weblogic.security.ldaprealm.ssl=false
    weblogic.security.ldaprealm.principal=racfid=weblogic,profiletype=user,sysplex=plex1
    weblogic.security.ldaprealm.credential=XXXXXXXXXXXXX
    # User Schema
    weblogic.security.ldaprealm.userDN=sysplex=plex1,profiletype=user
    weblogic.security.ldaprealm.userNameAttribute=racfid
    weblogic.security.ldaprealm.userPasswordAttribute=racfpassword
    # Group Schema
    weblogic.security.ldaprealm.groupDN=o=City of San Diego,ou=Groups
    weblogic.security.ldaprealm.groupNameAttribute=cn
    weblogic.security.ldaprealm.groupUsernameAttribute=member
    # Properties for IBM OS/390 Directory Server (SP8) >>>> NEW <<<<
    server.alias=os390
    # Directory Server Properties
    os390.server.host=XXXXXXXXXXX
    os390.server.port=XXXXX
    os390.server.principal=racfid=weblogic,profiletype=user,sysplex=plex1
    os390.server.credential=XXXXXXXXXXXX
    # User Schema
    os390.user.dn=profiletype=user,sysplex=plex1
    os390.user.filter=(&(racfid=%u)(objectclass=racfuser))
    # Group Schema
    os390.group.dn=ou=Groups,o=City of San Diego
    os390.group.filter=(&(cn=%g)(objectclass=groupofnames))
    os390.membership.filter=(&(member=%M)(objectclass=groupofnames))
    Here's the error...
    Unable to initialize server:
    weblogic.security.ldaprealm.LDAPRealmException: caught unexpected exception - with nested exception:
    [netscape.ldap.LDAPException: error result (87)]
    fatal initialization exception
    weblogic.security.ldaprealm.LDAPRealmException: caught unexpected exception - with nested exception:
    [netscape.ldap.LDAPException: error result (87)]
    at weblogic.security.ldaprealm.LDAPDelegate.handleException(LDAPDelegate.java:865)
    at weblogic.security.ldaprealm.LDAPDelegate.getUser(LDAPDelegate.java:848)
    at weblogic.security.ldaprealm.LDAPRealm.getUser(LDAPRealm.java:51)
    at weblogic.security.acl.CachingRealm.getUserEntry(CachingRealm.java:1121)
    at weblogic.security.acl.CachingRealm.getUser(CachingRealm.java:985)
    at weblogic.security.acl.CachingRealm.getPrincipal(CachingRealm.java:1024)
    at weblogic.security.acl.CachingRealm.addPermission(CachingRealm.java:813)
    at weblogic.security.acl.CachingRealm.setupAcls(CachingRealm.java:802)
    at weblogic.security.acl.CachingRealm.<init>(CachingRealm.java:706)
    at weblogic.security.acl.CachingRealm.<init>(CachingRealm.java:564)
    at weblogic.t3.srvr.T3Srvr.initializeSecurity(T3Srvr.java:1759)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1093)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    (Docs for LDAPException don't have an error result 87)
    Thanks in advance,
    Jeff Cabuhat

    I can't get weblogic 5.1, SP8 to work with the os390 ldap server. I
    get the same error as Jeff got below. I can get it to work fine with a
    Netscape ldap server, but unfortunately I really need it to work with the
    os390 ldap server. Does anyone know the solution to this problem?
    Thanks,
    Heather
    Peter Bower wrote:
    > Jeff wrote:
    > > Does the new way
    > > WLS uses LDAP require that an LDAP server use these standard attributes
    > > for the DN and filter?
    >
    > If you turn on logging, do the dn, filter, and scope look correct?
    > -Dweblogic.security.ldaprealm.verbose=true
    > This should log the dn, filter, and scope that is passed to the
    > LDAPConnection.search method.

  • Calendar search not finding calendar events older than a year.

    Calendar search cannot find events older than a year.
    neither does spotlight search.
    iphone 4s 16GB ios version 7.1.2
    ipad 32GB with retina (purchased on 2012) ios version 7.1.2
    Does anybody have the same issue?
    Calendar events over one year old are not found when searched on iOS. Neither on the iPhone nor the iPad. Although they are found on a mac running mavericks calendar app.
    All events are displayed when going directly to the month and viewing all the events of each day, but the search feature, the one accessed through the little magnifier, simply cannot find any event older than a year.
    I have multiple events in my calendar and I tested them and the last I can find is within 365 days of today. After that events cannot be found.
    steps to reproduce:
    1. go into the calendar app on the iPhone and add an event but use a date 13 months older than the current date. Save the event.
    2. verify the event is created by looking at the day of the event
    3. on the top right corner of the calendar app select the magnifying glass and try to search the event by typing any word you used on the title of the event just created
    4. search result will display No Results
    5. exit the calendar and access spotlight search on the home screen by using the "pull down" gesture from an area outside of the dock, including the top row of app icons. Type any word you used on the title of the event just created
    6. search result will not display the event
    Thanks

    this has already been answered.
    please ignore my question.

  • Authenticate BSP application using LDAP

    Hi,
    Thanks to Durai Raja for his earlier inputs in setting up LDAP connector in SAP. We were able to connect to our LDAP from SAP ( We use Novell eDirectory 8.5).
    I also wrote a small program as below and I am getting back results from LDAP. We want to build BSP application where users would enter LDAP User ID and password and we want to Authenticate BSP application based on this input. My questions are
    1) Is it possible to Authenticate BSP application based on LDAP user ID and password.
    2) IF so, what is the function module to use. I searched LDAP_* but did not find anything.
    3) If we authenticate using LDAP user ID and password, do we have to provide SAP User id and password in SICF and allow all users to log in using same SAP user ID and password ?
    Niranjan
    data: dns_out type table of ldap_dnii,
          ldapinfo type ldap_dnii,
          attrs_io type table of ldap_atii.
    call function 'LDAP_SIMPLEBIND'
      exporting
        serverid = 'HQLDAP'.   " Logical Server ID set in LDAP tcode
    if sy-subrc eq 0.
      call function 'LDAP_SEARCH'
        exporting
          base     = 'o=xxxxxxxx'  " Company's Base
          filter   = 'uid=xxxxxxxx'  " Novell User ID or LDAP user ID
        tables
          dns_out  = dns_out
          attrs_io = attrs_io.
      if sy-subrc eq 0.
        loop at dns_out into ldapinfo.
        endloop.
      endif.
    endif.

    Thanks Raja for your inputs. This is our requirement.
    We have about 350 SAP Users and about 700 Novell Users (computers). We want to provide Employee Personnel Information like Vacation details, Savings/Insurance details in BSP application. But half of them cannot access because they don't have access to SAP. We cannot give access to all of them since we have only 400 licenses. So, we were thinking to Authenticate against Novell User ID and password and show them their personnel details. We have a mapping between Novell User ID and SAP HR Empl # and so we can easily get their information. So, we want users to authenticate using Novell User ID and password (each Novell user ID is mapped as LDAP ID) and, if it is successful, show their personnel details.
    How can we achieve this ?
    Niranjan

  • Marketing calendar: How to enhance the marketing calendar search

    Hi experts
      I am working with Marketing calendar enhancement. The requirement is to add the custom fields to marketing search view, but this view is not supporting the AET or EEWB. Kindly help: what is the alternative approach to enhance the marketing search view?
    Thanks & Regards
    Rajasekhar

    Hi Rajasekhar,
    It is not possible to enhance the marketing projects search used in marketing calendar directly. However, whenever you add custom fields to object like campaign, these objects become available in the marketing calendar search. So, first add the new field in the corresponding object. Then you can try AET to add this field from available fields list on the marketing calendar page.
    Regards,
    Shiromani
