Wwv_flow_security.authenticate

I am using a custom authentication scheme for my application (user names/passwords stored in a custom table) and it all works fine. There is now a need for me to let a "workspace user" access this application, i.e. there is no such username in my custom table. There is only one such user and the username is fixed. I just need to do something like this in my custom authentication function:
if the username = my known workspace user then
    call wwv_flow_security.authenticate(p_username, p_password)
else
    check the username and password in my custom tables
end if
Question 1: Is calling the authenticate function the correct way of authenticating workspace users?
Question 2: Even though I pass the correct username and password, I still get invalid credentials. The password passed in is clear text; do I have to hash it before passing it in? If yes, then how?
Thanks in advance.

You don't have access to the wwv_flow_security package. I suggest that you use an approach as described here: Re: Database account and custom authentication mix.
Scott

Similar Messages

  • New version - can no longer authenticate with BT

    I've been syncing my 6230 with my Windows XP (SP2) workstation for ages. Until I recently installed 6.80.20.
    Now as soon as I get a connection, it then says "Cannot authenticate the phone". Other posts made me suspect the driver, but I don't know what my alternatives are. I'm using the standard MS drivers that come with SP2 - as I said it WAS working fine.
    My bluetooth hardware is: Blutonium BCM2035 Bluetooth 2.4GHz Single Chip Transceiver. Driver is by MS, version 5.1.2600.2180.
    Any ideas?
    Thanks in advance.

    What if you simply untick and tick again the Bluetooth option in Nokia Connection Manager?
    BTW, were you able to unpair the phone with the Get Connected wizard? (I guess not, because to my understanding it requires connection first so that you can unpair...)
    What do you have visible in Connection Manager, do you have the Microsoft Bluetooth option there?
    If you choose the Nokia PC Suite about box and system info, what does that say?
    If you have a separate Bluetooth USB dongle, if you move it to another USB port, will that help?
    Also disabling and enabling the Bluetooth hardware from the PC?
    Edit: one more question, it seems that the Bluetooth chip is from Broadcom, but it still has Microsoft drivers?
    Message Edited by manta on 05-May-2006 10:30 AM

  • Unable to authenticate users using Custom plugins in OAM 11g

    We are working on a requirement in which we have to write a custom authentication plugin in OAM 11g.
    We were able to import and activate the plugin.
    We created a new authentication module with steps in the following order:
    1) UserIdentificationPlugin
    2) UserAuthenticationPlugin
    3) Our custom plugin to create custom responses (we just created the class with the mandatory methods and the process method returning success)
    But finally, when we try to authenticate, authentication fails resulting in an OAM-2 error. We had entered valid credentials.
    Can somebody please help me on resolving this issue?
    The plugin code, manifest file and metadata XML are shared below.
    Plugin Code
    package newplugin;

    import java.util.Map;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import oracle.security.am.plugin.ExecutionStatus;
    import oracle.security.am.plugin.MonitoringData;
    import oracle.security.am.plugin.PluginConfig;
    import oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn;
    import oracle.security.am.plugin.authn.AuthenticationContext;
    import oracle.security.am.plugin.authn.AuthenticationException;

    public class NewPlugin extends AbstractAuthenticationPlugIn {
        private static final String CLASS_NAME = "FirstTestClass";
        // LOGGER was used but not declared in the posted snippet; a java.util.logging logger is assumed here
        private static final Logger LOGGER = Logger.getLogger(CLASS_NAME);

        public ExecutionStatus initialize(PluginConfig config) {
            super.initialize(config);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.logp(Level.FINE, CLASS_NAME, "initialize", "Entering initialize");
            }
            return ExecutionStatus.SUCCESS;
        }

        @Override
        public String getDescription() {
            return null; // left as an auto-generated stub in the post
        }

        @Override
        public Map<String, MonitoringData> getMonitoringData() {
            return null; // stub
        }

        @Override
        public String getPluginName() {
            return null; // stub
        }

        @Override
        public int getRevision() {
            return 0; // stub
        }

        @Override
        public ExecutionStatus process(AuthenticationContext context) throws AuthenticationException {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.logp(Level.FINE, CLASS_NAME, "process", "Entering process");
            }
            return ExecutionStatus.SUCCESS;
        }

        @Override
        public void setMonitoringStatus(boolean arg0) {
            // stub
        }

        @Override
        public boolean getMonitoringStatus() {
            return false; // stub
        }
    }
    MANIFEST.MF
    Manifest-Version: 1.0
    Bundle-ManifestVersion: 2
    Bundle-Name: NewPlugin Plug-in
    Bundle-SymbolicName: NewPlugin
    Bundle-Version: 1.0.0
    ImportPackage:org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.common.utilities.principal,oracle.security.idm,javax.naming,javax.sql,javax.security.auth
    Bundle-RequiredExecutionEnvironment: JavaSE-1.6
    METADATA XML
    <?xml version="1.0" encoding="UTF-8" ?>
    <Plugin name="NewPlugin" type="Authentication">
    <author>me</author>
    <email>[email protected]</email>
    <creationDate>11:40:20,2012-13-02</creationDate>
    <version>1</version>
    <description>Custom User Authentication Plugin</description>
    <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
    <implementation>newplugin.NewPlugin</implementation>
    <configuration>
    <AttributeValuePair>
    <Attribute type="String" length="20">DataSource</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>jdbc/CISCO</value>
    </AttributeValuePair>
    </configuration>
    </Plugin>

    Your search results show that the user "collini" was not found (nentries=0). This could be caused by a number of reasons.
    1) The user doesn't exist under "ou=people,dc=our,dc=domain"
    2) The user doesn't contain the posixAccount objectclass
    3) The user account that performed the search doesn't have access rights to read/search that user account
    What user account was used to BIND on the connection that the search was done on?
    Try performing the same exact search with an account you know can retrieve the entry. For example:
    ldapsearch -D "cn=Directory Manager" -w - -b ou=people,dc=our,dc=domain -s one "(&(objectClass=posixAccount)(uid=collini))"
    If the entry doesn't return as a result of the search then either #1 or #2 above is the problem. If the entry does return then #3 is your problem.

  • Unable to authenticate with Ticket Toolkit

    I'm having trouble with the Ticketing Toolkit.
    (in a previous thread I was having trouble obtaining the MYSAPSSO2 cookie ... that is thankfully resolved)
    I am now able to see the cookie but for some reason the IsAuthenticated flag isn't set when I run the app by clicking "Preview" from the associated iview. Consequently Identity.Name isn't set and the Authentication Type is blank as well.
    I've played around with the web.config as well as the virtual directory on IIS; changing the Authentication Mode from "Windows" to "None", enabling Windows authentication and disabling anonymous user authentication .... and every permutation you can think of  .... nothing seems to work.
    One interesting note is that the wpsso_v3.dll doesn't seem to be called ... I tried renaming it just to see if it generated an error and it didn't make any difference.
    Also, I had to physically make a reference to the assembly SAP.web.security for the app to build. The article on the toolkit didn't indicate that I would need to do that and I would have thought the registration in the web.config would have taken care of that.
    My web.config is as follows:
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
    <configSections>
    <sectionGroup name="system.web">
       <section name="MySAPSSO2"
         type="SAP.Web.Security.MySapSso2SectionHandler, SAP.Web.Security, Culture=neutral, PublicKeyToken=50436dca5c7f7d23, Version=1.0.0.0"/>
       </sectionGroup>
    </configSections>
      <system.web>
        <httpModules>
       <add type="SAP.Web.Security.MySapSso2AuthenticationModule, SAP.Web.Security, Culture=neutral, PublicKeyToken=50436dca5c7f7d23, Version=1.0.0.0" name="MySAPSSO2"/>
      </httpModules>
      <MySAPSSO2 PseFilePath="C:\Inetpub\wwwroot\SSO Ticket Test\pseFiles\verify.pse" />
        <!--  DYNAMIC DEBUG COMPILATION
              Set compilation debug="true" to enable ASPX debugging.  Otherwise, setting this value to
              false will improve runtime performance of this application.
              Set compilation debug="true" to insert debugging symbols (.pdb information)
              into the compiled page. Because this creates a larger file that executes
              more slowly, you should set this value to true only when debugging and to
              false at all other times. For more information, refer to the documentation about
              debugging ASP.NET files.
        -->
        <compilation
             defaultLanguage="c#"
             debug="true"
        />
        <!--  CUSTOM ERROR MESSAGES
              Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
              Add <error> tags for each of the errors you want to handle.
              "On" Always display custom (friendly) messages.
              "Off" Always display detailed ASP.NET error information.
              "RemoteOnly" Display custom (friendly) messages only to users not running
               on the local Web server. This setting is recommended for security purposes, so
               that you do not display application detail information to remote clients.
        -->
        <customErrors
        mode="RemoteOnly"
        />
        <!--  AUTHENTICATION
              This section sets the authentication policies of the application. Possible modes are "Windows",
              "Forms", "Passport" and "None"
              "None" No authentication is performed.
              "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
               its settings for the application. Anonymous access must be disabled in IIS.
              "Forms" You provide a custom form (Web page) for users to enter their credentials, and then
               you authenticate them in your application. A user credential token is stored in a cookie.
              "Passport" Authentication is performed via a centralized authentication service provided
               by Microsoft that offers a single logon and core profile services for member sites.
        -->
       <authentication mode="Windows" />
         <!--  AUTHORIZATION
              This section sets the authorization policies of the application. You can allow or deny access
              to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
              (unauthenticated) users.
        -->
        <authorization>
          <allow users="*" />      <!-- Allow all users -->
                <!--  <allow     users="[comma separated list of users]"
                                 roles="[comma separated list of roles]"/>
                      <deny      users="[comma separated list of users]"
                                 roles="[comma separated list of roles]"/>
                -->
          <!-- <deny users="?" /> -->
        </authorization>
        <!--  APPLICATION-LEVEL TRACE LOGGING
              Application-level tracing enables trace log output for every page within an application.
              Set trace enabled="true" to enable application trace logging.  If pageOutput="true", the
              trace information will be displayed at the bottom of each page.  Otherwise, you can view the
              application trace log by browsing the "trace.axd" page from your web application
              root.
        -->
        <trace
            enabled="false"
            requestLimit="10"
            pageOutput="false"
            traceMode="SortByTime"
              localOnly="true"
        />
        <!--  SESSION STATE SETTINGS
              By default ASP.NET uses cookies to identify which requests belong to a particular session.
              If cookies are not available, a session can be tracked by adding a session identifier to the URL.
              To disable cookies, set sessionState cookieless="true".
        -->
        <sessionState
                mode="InProc"
                stateConnectionString="tcpip=127.0.0.1:42424"
                sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                cookieless="false"
                timeout="20"
        />
        <!--  GLOBALIZATION
              This section sets the globalization settings of the application.
        -->
        <globalization
                requestEncoding="utf-8"
                responseEncoding="utf-8"
       />
    </system.web>
    </configuration>
    I am afraid that I am running out of ideas ... anyone have some suggestions?
    -Sheldon

    Turns out that this was another variation on Mark Dohrmann's post "Problems known with NW2004s SP11 and Ticket Toolkit?"
    I just had to convert the ticket string and feed it back into the cookie before passing it to the toolkit, i.e.:
    this.Request.Cookies["MYSAPSSO2"].Value = HttpUtility.UrlDecode(this.Request.Cookies["MYSAPSSO2"].Value);
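The failure mode behind that fix, as an added example in Python rather than Sheldon's own C# line: a ticket that has been URL-encoded once on its way through the cookie will not pass a strict base64 decode until that layer is removed. TICKET_BYTES is a constructed stand-in for a logon ticket, and the only assumption is that the toolkit expects the cookie value as plain base64 text.

```python
# Added example (not Sheldon's code): why a URL-encoded MYSAPSSO2 cookie value
# fails until it is decoded once. TICKET_BYTES is constructed; the assumption is
# that the verifier wants the ticket as plain base64 text.
import base64
import binascii
from urllib.parse import quote, unquote

TICKET_BYTES = bytes(range(256))                       # constructed; its base64 uses '+', '/' and '='
TICKET_B64 = base64.b64encode(TICKET_BYTES).decode("ascii")
URL_ENCODED_COOKIE = quote(TICKET_B64, safe="")        # what comes back from the browser: '+' -> %2B, '=' -> %3D


def decode_ticket(cookie_value: str) -> bytes:
    """Strict base64 decode, the first step any ticket verifier has to do; raises
    binascii.Error on any character outside the base64 alphabet (such as '%')."""
    return base64.b64decode(cookie_value, validate=True)


def ticket_is_decodable(cookie_value: str) -> bool:
    try:
        decode_ticket(cookie_value)
        return True
    except binascii.Error:
        return False


def normalize_ticket_cookie(cookie_value: str) -> str:
    """Undo one layer of URL-encoding before handing the value on, which is what the
    HttpUtility.UrlDecode call in the thread does. unquote (not unquote_plus) is used
    here so that a literal '+' stays a base64 '+' instead of becoming a space. A value
    that was never encoded has no '%' and passes through unchanged."""
    return unquote(cookie_value)


if __name__ == "__main__":
    print("as received:", ticket_is_decodable(URL_ENCODED_COOKIE))                           # False
    print("normalized: ", ticket_is_decodable(normalize_ticket_cookie(URL_ENCODED_COOKIE)))  # True
```

The second print is the state the toolkit needs; the first is what Sheldon was handing it. Because normalizing is a no-op on an already-decoded value, applying it unconditionally is safe, but applying it twice to a value that legitimately contained "%25" would corrupt it, which is why it is done exactly once.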

  • ADFS Web Application Proxy - Automatically authenticate another federation

    I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish https://portal.workplace.example as the "hub" site which will link off to various other websites hosted internally. These sites are hosted on various different servers so I want to use the WAP to take advantage of the SSO facility. This works nicely.
    One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that users away from the workplace are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our internet connection die. However, it also means that when the user clicks on the link on the portal page to Office 365 they are forced to re-authenticate. What I'd like to do is pass on the credentials that the Web Application Proxy collects to the external federation service automatically. I just can't see how you'd do it.
    I have added the external ADFS farm as a relying party trust but I have no idea what I need to use as a claim rule, so I've used a passthrough rule with the UPN as the claim being passed. I've also set up a publishing rule on the WAP with the external federation's URL and changed the hosts file on a test computer to make the external federation's address resolve to the WAP's IP address, but this just results in a blank page. I fully accept that I'm not doing this right but I'm unsure of where to go from here. Can anyone give me some advice?
    Many thanks,
    Ian

    Hi Ian,
    Thank you for your posting!
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • How to use your own database with your users to authenticate in a Web app?

    Hello, everybody!
    I'm starting to write my first web application and I'm going to use JSF, JPA and EJB3 in this application. One of the first things that I have to do on it is the authentication part where I'll have a page with a user name and a password for the user to log in. So, as I'm new to all this in Java (I've already implemented this on .NET in the past), I was studying the Java EE 5 Tutorial, specifically the section "Example: Using Form-Based Authentication with a JSP Page". But I saw that the users that the sample application uses come from the file realm on the Application Server. The users are created there and assigned a name, a password and a group. After the users are in the Application Server we can simply use forms authentication declaratively in the deployment descriptor (web.xml).
    But the problem is that this doesn't work to me as I already have my own database with my users, so I want to use it instead of having to create the users on the Application Server.
    So, I'm asking you how to do that. Of course I'm not expecting you to place the code here for me as I know that such a thing could be complicated. Instead, I'm asking if you know about some tutorial, article, book or something that teaches how to do what I want. But I would like to see these examples using JSF and/or EJB3 because these are the technologies that I'm using to develop. It's a pity that the Java EE 5 Tutorial doesn't have an example using a custom database as I know that this situation is very common in the majority of web sites.
    Thank you very much.
    Marcos

    From memory, it goes like this... You just create a raw JDBC connection on your user database using a special "login" DB user account, which has permissions only to an "authenticate" stored query, which accepts two arguments: username & password, and returns a boolean 0 or 1 rows found.
    When I implemented this in .NET's ASP.NET I had the same solution. I had a special user created in the database that I used to log in. When the real user entered his username and password I was already logged in and I had just to check his username and password against the right table in my database.
    But that was only possible because when I connected to the database using my hidden user, I used the right APIs in ASP.NET that coordinate the authentication process. This means that before logging in, no one could access any resources (pages, etc.). So what I'm saying is that I can't manage this manually in Java. Java has to have some API or whatever to allow me to control the login process programmatically, while letting the Application Server control the access to the resources.
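Both this thread and the APEX question at the top of the page come down to the same thing: verifying a login against a user table the application owns, with one parameterised "authenticate" lookup, and (in the APEX case) sending a single fixed workspace login somewhere else. The following is an added Python example, not code from either thread or from APEX or Java EE. It assumes an in-memory SQLite table standing in for the real one, salted PBKDF2-HMAC-SHA256 digests as the stored form (the question asked whether the password must be hashed; this is how the table side does it), a constructed WORKSPACE_USER name, and a caller-supplied verifier for that user, since the APEX answer above is that wwv_flow_security itself is not callable.

```python
# Added example, not code from either thread: one user table, one parameterised
# lookup, constant-time comparison, and the fixed-workspace-user dispatch.
# The SQLite table, its users, PBKDF2_ROUNDS and WORKSPACE_USER are all
# constructed assumptions.
import hashlib
import hmac
import os
import sqlite3
from typing import Callable, Dict

PBKDF2_ROUNDS = 100_000        # assumption; raise until one hash costs ~100 ms on your hardware
WORKSPACE_USER = "WSADMIN"     # assumption: the single fixed login that is not in the table
_DUMMY_SALT = b"\x00" * 16     # only used to keep unknown-user timing similar to a real check


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The table stores this digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user_table(users: Dict[str, str]) -> sqlite3.Connection:
    """Constructed stand-in for the application's own user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    for name, password in users.items():
        salt = os.urandom(16)                      # fresh random salt per user
        conn.execute("INSERT INTO app_users (username, salt, pw_hash) VALUES (?, ?, ?)",
                     (name.upper(), salt, hash_password(password, salt)))
    conn.commit()
    return conn


def table_authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'authenticate' lookup from the reply above, with the comparison done in
    code: one parameterised SELECT (no string building), then a constant-time
    compare of the recomputed digest. Unknown user and wrong password both
    return the same plain False."""
    row = conn.execute("SELECT salt, pw_hash FROM app_users WHERE username = ?",
                       (username.upper(),)).fetchone()
    if row is None:
        hash_password(password, _DUMMY_SALT)   # same work as a real check, then refuse
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate(conn: sqlite3.Connection, username: str, password: str,
                 workspace_verifier: Callable[[str, str], bool]) -> bool:
    """Dispatch from the APEX question: the one fixed workspace login is checked by
    whatever the platform offers for that (passed in as a callable); everyone
    else goes to the application table."""
    if username.upper() == WORKSPACE_USER:
        return workspace_verifier(username, password)
    return table_authenticate(conn, username, password)


if __name__ == "__main__":
    conn = create_user_table({"alice": "correct horse battery"})   # constructed user

    def demo_workspace_check(user: str, pw: str) -> bool:          # constructed stand-in verifier
        return pw == "ws-demo-secret"

    print(authenticate(conn, "alice", "correct horse battery", demo_workspace_check))  # True
    print(authenticate(conn, "alice", "wrong", demo_workspace_check))                  # False
    print(authenticate(conn, "wsadmin", "ws-demo-secret", demo_workspace_check))       # True
    print(authenticate(conn, "nobody", "anything", demo_workspace_check))              # False
```

The shape carries over to PL/SQL or JDBC unchanged: the lookup is by username only, the password never appears in the SQL, and the decision is made by comparing digests in code. That is also the answer to "do I have to hash it before passing it in?" for the table branch: the caller passes the clear-text password, and the verifier hashes it with the stored salt.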

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I have run into a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2; ACSE will be the RADIUS server and will use Windows AD's user database. In AD, two groups have been created: staff and student. The testing account for staff is staff1; the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database; since student1 is a valid user account in AD, it will pass authentication and join the staff WLAN. How can this be prevented?
    3. Potential solutions and their limitations:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users; how can this be solved?
    2) Use methods like "Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS": configure DNIS with the SSID name in the NAR of ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know whether AD supports it or not. Are there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • RADIUS in 10.6 to authenticate Cisco ASA 5505 Strange Error

    I have followed the steps as discussed: http://discussions.apple.com/thread.jspa?threadID=2177670&tstart=0
    It did work for a number of weeks without any problem.
    Did not change anything on the Firewall or server, regarding updates etc.
    But now something really strange is happening:
    If I test the Radius server from the firewall, the test comes back successful and I see a line in the password server log:
    Jan 10 2011 12:58:16 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
    So I think everything is happy..... Not.
    Whenever I try to connect via a vpn client (regardless if using the Mac OS X Cisco client or using Cisco native client), the user is rejected and the following 2 lines appear in the password server log:
    Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
    Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
    At the same time the process is run twice, and one is always failing....
    Tried so far:
    Update to latest versions, ASA and Mac Server.
    Removed and added the RADIUS client on the server.
    Changed the hashing on the IPSec tunnel from SHA to MD5.
    Added a new AAA server using LDAP to communicate directly with OD without going through the RADIUS service. Same kind of error; using LDAP directly I see the following log lines:
    Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} CRAM-MD5 authentication succeeded.
    Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
    Remarkable is the fact that using RADIUS it is a DIGEST-MD5 authentication and using LDAP it is a CRAM-MD5 authentication method.
    Removed the Radius server from the FW and re-added it.
    Rebooted the server/fw a number of times.
    Does anyone else experience the same issue? Do I need to go deeper into the config of the fw or keep on looking in Mac OS X Server?
    I hope someone can help.
    Cheers,
    Arnold
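The pattern Arnold describes (a success and a failure for the same slot within the same second) is easy to pull out of the Password Server log mechanically. The following is an added Python example, not part of the thread: SAMPLE_LOG holds the AUTH2 lines quoted in the post, placeholders such as <username> kept as they appear, and the parser assumes only that AUTH2 lines keep that layout.

```python
# Added example (not from Arnold's post): detection logic over Password Server
# AUTH2 log lines. SAMPLE_LOG is the set of lines quoted in the post above.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = """\
Jan 10 2011 12:58:16 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} CRAM-MD5 authentication succeeded.
Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) AUTH2: "
    r"\{(?P<slot>0x[0-9a-f]+), (?P<user>[^}]+)\} "
    r"(?P<mech>\S+) authentication (?P<result>succeeded|failed)(?P<detail>.*)$"
)


class AuthEvent(NamedTuple):
    ts: str
    slot: str        # the password-server slot id inside the braces
    user: str
    mech: str        # SASL mechanism, e.g. DIGEST-MD5 or CRAM-MD5
    result: str      # "succeeded" or "failed"
    sasl_error: int  # SASL error code on failure, 0 otherwise


def parse_auth_lines(text: str) -> List[AuthEvent]:
    """Parse AUTH2 lines; anything else in the log is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        err = re.search(r"SASL error (-?\d+)", m["detail"])
        events.append(AuthEvent(m["ts"], m["slot"], m["user"], m["mech"], m["result"],
                                int(err.group(1)) if err else 0))
    return events


def find_split_outcomes(events: List[AuthEvent]) -> List[Dict[str, object]]:
    """Flag (timestamp, slot) pairs that record both a success and a failure:
    the 'process is run twice and one always fails' symptom from the post."""
    by_key: Dict[Tuple[str, str], List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_key[(ev.ts, ev.slot)].append(ev)
    findings = []
    for (ts, slot), evs in sorted(by_key.items()):
        if {ev.result for ev in evs} == {"succeeded", "failed"}:
            findings.append({
                "ts": ts,
                "slot": slot,
                "user": evs[0].user,
                "mechs": sorted({ev.mech for ev in evs}),
                "sasl_errors": sorted({ev.sasl_error for ev in evs if ev.result == "failed"}),
            })
    return findings


if __name__ == "__main__":
    for f in find_split_outcomes(parse_auth_lines(SAMPLE_LOG)):
        print(f"{f['ts']} slot {f['slot']} user {f['user']}: success and failure in the "
              f"same second via {', '.join(f['mechs'])}, SASL errors {f['sasl_errors']}")
```

Run over the quoted lines it reports the two second-granularity collisions (12:58:57 and 13:27:00) and leaves the stand-alone test at 12:58:16 alone, which is the distinction Arnold drew by hand. The same grouping works as a recurring check on the live log: a slot that keeps producing mixed outcomes is worth a look before touching the firewall side.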

    I think I may have figured out how to get this to work. Can someone else test this?
    This is still based on the discussion referenced in the first post.
    -Stop RADIUS
    -For this test of 10.6 I did not change the default /etc/raddb/users. I think the thing that I have missed in trying to get this to work is that there is no default to "system" in the current file to change to opendirectory.
    -One change required to /etc/raddb/clients.conf, same as before:
    Add your ASA to the list of accepted clients. Entry should look something like:
    client IPaddressof_yourASA {
        secret = ServerSecretKey
        shortname = Common_Password
    }
    ServerSecretKey is the contents of "Server Secret Key" in the ASDM for the ASA.
    Common_Password is the contents of "Common Password" in the ASDM for the ASA.
    -Restart RADIUS
    I just tested this change alone and ran the "Test" from the AAA Servers page in the ASA ASDM and was able to authenticate as an OD user. If someone else can get this to happen, I think we have an answer.
    -Erich
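A way to sanity-check the clients.conf entry from Erich's step before restarting RADIUS, as an added Python example rather than anything from the thread. SAMPLE_CONF is constructed: its first block mirrors the localhost entry FreeRADIUS ships by default, the second reuses the placeholder names from the post as if they had been pasted in literally, and the third is a filled-in entry. The minimum secret length is a local policy assumption, not a FreeRADIUS requirement.

```python
# Added example (not Erich's procedure): checker for the client stanza added to
# /etc/raddb/clients.conf. SAMPLE_CONF is constructed.
import re
from typing import Dict, List

SAMPLE_CONF = """\
# constructed clients.conf
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client 192.168.10.5 {
    secret = ServerSecretKey
    shortname = Common_Password
}
client 192.168.10.6 {
    secret = "Xq4v9LmT2pRk8sWz0bNd6yHf"   # constructed value
    shortname = asa-branch
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}")          # flat blocks only, no nested sub-sections
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)
# testing123 is the shipped default; the other two are the placeholder names from the post
PLACEHOLDER_SECRETS = {"", "testing123", "ServerSecretKey", "Common_Password"}
MIN_SECRET_LEN = 16   # assumption: local policy


def parse_clients_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Map each client name (IP or label) to its key/value settings, comments stripped."""
    text = re.sub(r"#.*", "", text)
    return {name: dict(KV_RE.findall(body)) for name, body in BLOCK_RE.findall(text)}


def check_client(text: str, name: str) -> List[str]:
    """Findings for one NAS entry: missing block, placeholder or default secret, short secret.
    FreeRADIUS ignores requests from addresses it has no client block for, so the
    first case shows up as 'no response' on the firewall side."""
    clients = parse_clients_conf(text)
    if name not in clients:
        return [f"no client block for {name}; the server will ignore its requests"]
    secret = clients[name].get("secret", "")
    findings = []
    if secret in PLACEHOLDER_SECRETS:
        findings.append(f"{name}: secret is empty, a shipped default or a placeholder")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"{name}: secret shorter than {MIN_SECRET_LEN} characters")
    return findings


if __name__ == "__main__":
    for client in ("localhost", "192.168.10.5", "192.168.10.6", "10.0.0.9"):
        print(client, check_client(SAMPLE_CONF, client) or ["ok"])
```

The point of the second block is the easy mistake with a recipe like the one above: leaving the placeholder words in place. The secret on both ends must be the same real value, and the ASDM "Test" button is the quick way to confirm they match once the block is right.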

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
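A mechanical read of the AAA parts of that config, as an added Python example and not anything from the thread: it cross-references every place a RADIUS group is used against its definition, notes the one port oddity, and lists what the RADIUS server would have to be configured to accept. SAMPLE_CONFIG is the relevant subset of the posted config, masked secret and all. The output is a checklist for the server side (the post says its log shows nothing, so whether the server accepts requests from that address and port is the first thing to confirm), not a diagnosis.

```python
# Added example (not from Christine's post): consistency check over the PIX
# aaa-server / vpngroup / crypto map lines. SAMPLE_CONFIG is the relevant
# subset of the posted config.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
nameif ethernet1 inside security100
ip address inside 192.168.10.1 255.255.255.0
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
crypto map outside_map client authentication RADIUS
vpngroup Test_VPN authentication-server RADIUS
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) \S+(?: timeout (\d+))?$")
PORT_RE = re.compile(r"^aaa-server radius-(authport|acctport) (\d+)$")
IFACE_IP_RE = re.compile(r"^ip address (\S+) (\S+) \S+$")
REF_RES = [re.compile(r"^(vpngroup \S+) authentication-server (\S+)$"),
           re.compile(r"^(crypto map \S+) client authentication (\S+)$")]


def parse_aaa(config: str) -> dict:
    """Collect aaa-server groups and hosts, RADIUS ports, interface IPs and every reference to a group."""
    groups: Dict[str, dict] = {}
    ports: Dict[str, int] = {}
    iface_ips: Dict[str, str] = {}
    refs: List[tuple] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": m.group(2), "hosts": []})
            continue
        m = HOST_RE.match(line)
        if m:
            entry = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            entry["hosts"].append({"iface": m.group(2), "ip": m.group(3),
                                   "timeout": int(m.group(4)) if m.group(4) else None})
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = int(m.group(2))
            continue
        m = IFACE_IP_RE.match(line)
        if m:
            iface_ips[m.group(1)] = m.group(2)
            continue
        for ref_re in REF_RES:
            m = ref_re.match(line)
            if m:
                refs.append((m.group(1), m.group(2)))
    return {"groups": groups, "ports": ports, "iface_ips": iface_ips, "refs": refs}


def lint_aaa(config: str) -> List[str]:
    """Dangling group references and the auth/acct port overlap."""
    cfg = parse_aaa(config)
    findings = []
    for where, group in cfg["refs"]:
        if group not in cfg["groups"]:
            findings.append(f"{where} references undefined aaa-server group {group}")
        elif not cfg["groups"][group]["hosts"]:
            findings.append(f"{where} uses aaa-server group {group}, which has no host")
    p = cfg["ports"]
    if "authport" in p and p.get("acctport") == p["authport"]:
        findings.append(f"radius-authport and radius-acctport are both {p['authport']}; accounting "
                        "would be sent to the authentication port (1813, or legacy 1646, is usual)")
    return findings


def server_side_expectations(config: str) -> List[dict]:
    """What the RADIUS server must accept for each referenced group. The PIX sends
    the request from the IP of the interface named in the host line, so that
    address is the client (NAS) the server has to have on its list."""
    cfg = parse_aaa(config)
    out = []
    for where, group in cfg["refs"]:
        for host in cfg["groups"].get(group, {"hosts": []})["hosts"]:
            out.append({"used_by": where, "server_ip": host["ip"],
                        "client_ip": cfg["iface_ips"].get(host["iface"]),
                        "auth_port": cfg["ports"].get("authport")})
    return out


if __name__ == "__main__":
    for f in lint_aaa(SAMPLE_CONFIG):
        print("finding:", f)
    for e in server_side_expectations(SAMPLE_CONFIG):
        print(f"{e['used_by']}: server {e['server_ip']} must accept client {e['client_ip']} on UDP {e['auth_port']}")
```

For the posted config the references all resolve, so the checklist reduces to: the server at 192.168.10.26 must list 192.168.10.1 as a RADIUS client with the same shared secret and must be listening on UDP 1812, and the matching accounting port is worth a second look. An empty server log with a correct client entry usually points at the port or the path; a wrong or missing client entry is the case where servers typically stay silent.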

  • Can I use external APIs to authenticate users?

    I have been asked to develop a LightSwitch application, either as a desktop client or an HTML client. Now I am confused about the authentication mechanism in LightSwitch, and it leads to a question: can I authenticate my users from an external website or application?
    For the HTML client, I have been wondering whether I could use external APIs like the Facebook Login API to authenticate my users. If I could, the code should be JavaScript; then where should I put it, and how can I configure my LS application?
    For the desktop client, same question: if I could identify my users by pulling some user information from an external website, what kind of code/programming language should I use?

    Hey ConnorTx!
    This is not supported out of the box.
    For in-browser desktop applications, you can hack around this by setting up the social media credentials, then redirecting to your desktop application while passing the self-encrypted credentials. I explained this workaround in this article.
    I don't have enough production experience with HTML apps yet. However, when you use Forms authentication, I suspect you can simply fill in the IPrincipal on HttpContext.Current, then redirect to your HTML app, and the LightSwitch Forms Auth mechanism would pick up your principal as valid credentials. I wish I had time to show you some code for this, would make a great blog post :/
    Keep rocking LS!
    Jan
    It's your story - time to switch on the innovation. | About me | LightSwitch blog

  • Unable to authenticate with diradmin in Workgroup Manager

    This has happened before, and I have no idea how it got fixed - too many independent variables...
    Anyway, I cannot authenticate the OD with diradmin even while using Workgroup Manager directly on the server.
    The setup:
    SLS 10.6.8
    Split-brained DNS
         Both public and private FQDNs are the same (myserver.mydomain.com). External DNS maps the machine record to my static public IP address. Using an AirPort Extreme router, port forwarding the services that I want open to the server. The router provides DHCP via NAT to the local network, with a fixed private IP assigned to the server. The server is running DNS with the same zones, machine records, services and aliases that the public IP DNS has, except mapped to the fixed private IP. DNS checks out with changeip, etc.
         The server is an OD master. Yesterday I exported it, demoted it, and restored it. All services (mail, web, etc.) seem to work fine (although I admit to not using Kerberos on AFP due to another issue).
         I have a wildcard certificate that is generated by GoDaddy (*.<mydomain>.com) which seems to work fine with the hosted websites.
    This is what the password service error log says when I try to log in with diradmin in Workgroup Manager:
    Jan 10 2012 14:01:32    AUTH2: {0x4bbe71ca6b8b45670000000200000002, diradmin} DHX authentication succeeded.
    Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} is in good standing.
    Jan 10 2012 14:01:32    KERBEROS-LOGIN-CHECK: user {0x4bbe71ca6b8b45670000000200000002, diradmin} authentication succeeded.
    Looks good to me. But I still get the "Information Not Valid for This Server" followed by stuff about invalid login ID or password.
    I did notice in the LDAP log:
    Jan 10 14:13:12 <myserver> slapd[52283]: SASL [conn=18] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
    And at the last bootup in the directory service error log:
    2012-01-10 08:52:03 EST - T[0x00007FFF7027ACC0] - DNSServiceProcessResult returned -65563
    The other thing I notice is that when I log into the library in Workgroup Manager FROM THE SERVER, even if I use the FQDN <myserver>.<mydomain>.com, Workgroup Manager says (in the title bar of the window) <myserver>.local.
    I have googled the various errors and messages, and I get folks with all sorts of variations ("change the binding options", etc.) none of which either applied or worked.
    Help?

    Continuing on my quest... I found this Technical note from Apple about re-kerberizing:
    http://support.apple.com/kb/HT3655
    Interestingly, in step 3 where it says to remove realm information from kdc.conf, there wasn't any of my realm information. Argh!
    So I completed all of the steps and executed the slapconfig command. This resulted in:
    bash-3.2# slapconfig -kerberize -f --allow_local_realm diradmin <MYREALM>
    diradmin's Password:
    Could not resolve hostname <MYDOMAIN>
    Skipping Kerberos configuration
    Sounds like a dreaded DNS problem. It had been working correctly, but changeip -checkhostname confirmed a problem. Turns out that there were EXTERNAL DNS servers in the Network preferences in System Preferences as well as on the router. With my Split-brained DNS this caused problems (thank you again MrHoffman). So I changed them both to my DNS server INTERNAL IP address and added the external ones to the Forwarder IP Address in DNS. Now changeip -checkhostname returns a favorable result.
    So after rebooting I ran the slapconfig command again and got the same result. Argh. Cleared DNS caches. Still nothing.
    So I tried nslookup.
    nslookup <mydomain>
    Server:                    10.0.8.2
    Address:          10.0.8.2#53
    ** server can't find <mydomain>: SERVFAIL
    Where 10.0.8.2 is the fixed INTERNAL IP address.
    However, nslookup on using the fixed IP address yields:
    bash-3.2# nslookup 10.0.8.2
    Server:                    10.0.8.2
    Address:          10.0.8.2#53
    2.8.0.10.in-addr.arpa          name = <mydomain>.
    Scratching head here... changeip -checkhostname works, nslookup on the IP address works, but nslookup on the host name fails.

  • Can't Authenticate in LDAP directory after upgrade from 10.4.11 to 10.5.1

    Hi, all
    Yesterday I tried to upgrade my Xserve Intel from 10.4.11 Tiger to 10.5.1 Leopard Server.
    On my server there are these services:
    -AFP
    -DNS
    -SMB
    -Open Directory Master
    -XSAN Primary MDC
    All works fine, but when I try to access the LDAP directory with Workgroup Manager I can't authenticate with "diradmin". This happens on the local machine and with a remote Workgroup Manager connected to the server.
    I have tried with the "root" user and I have been able to authenticate for some time (5-15 min.); after that it's impossible to access with any user.
    The clients still authenticate with user and password on all computers with 10.5.1 and 10.4.11 workstations, but now I want to add some new users and I can't do that!!!!!
    So for now I have restored my old 10.4.11 Tiger Server, but I wish to know if someone has tried the new 10.5.2 server upgrade and maybe there is some kind of fix for this problem.
    Thanks in advance

    After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I've finally figured out the cause of this issue or at least part of the cause.
    Within 'Server Admin', select "Open Directory",
    under: Settings > Policy > Binding
    there are six check boxes under "Security"... for testing kerberos, I have been checking the first four boxes, which are:
    1. disable clear text passwords
    2. digitally sign all packets (requires Kerberos)
    3. encrypt all packets (requires ssl or kerberos)
    4. block man-in-the-middle attacks (requires kerberos)
    through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination of these Security settings triggers Workgroup Manager to not accept the diradmin password.
    referring to the numbers above (1 through 4)...
    2 or 4 by themselves fails
    1 and 3 together fails
    I haven't gone beyond that for testing and don't know what other combinations work or fail.
    I don't know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.
    I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, seems that this is a WGM bug to me, right?
    if you are having this problem, uncheck all of these boxes and then reboot before trying to authenticate.

  • New Mac user can't get dial-up to authenticate

    I just acquired an older iBook (version=2.2), OS X 10.2.8(6R73). I've never used a Mac before and am currently learning how to use the system and hardware.
    Being stuck with dial-up I set up the internal 56K modem for my ISP (PeoplePC).
    It's pretty simple (I thought)--using TCP/IP PPP--account name, password and phone number. The modem dials, connects, and after several seconds disconnects (Failed to authenticate).
    I then tried to use the terminal window and after connecting command line says--Account name//login/login/:--I enter my account name.
    Then the next command line--Password:--the cursor is one space away from the colon and blinking and doesn't move when I enter my password (normal or not?).
    The next line says--**Bad password-- and goes back to the (enter) Account name.
    I can do this about three times before my modem times out and hangs up.
    The PPC people are useless (We don't know anything about Macs- you need to get Mac help). Of course when I had any problems in the past with what always turned out to be THEIR software the first thing they do is tell you that it's YOUR computer, system, browser, Microsoft, phone company, etc.
    So I can't get anyone there that's smart enough to at least tell me if there's any particular entries to be made in logging in (scripting or HTML or handshake protocol or whatever). I can set up a manual dialup connection on my Windows PC without their software, no problem.
    Incidentally, I love the way this iBook automatically gets itself right into my Windows network and on-line with ICS through an ethernet crossover cable. I'm on right now with it but I don't want to have two computers next to each other online (especially through a single phone connection). Talk about multi-tasking! I've got about 4 tabs open in IE8 on the win PC and a couple more here (Mac) on Firefox. So I never have to wait for a page to load (SLOW); by the time I'm done with one several others have already loaded.
    I'm really starting to like this Mac. I don't know whether it's the machine or the Firefox browser (never used anything other than IE) or both but the same pages load really quick and errorlessly compared to my other box, which is sharing the connection.
    Well, after making a short story long, does anyone have a clue on helping me get my new (to me) iBook on-line on its own?

    Hi, Q Lazarus. Thanks for the reply. That link you included led me to what I needed.
    Since I couldn't directly download the Dialguard 1.8.7 zipfile (unless, I guess, I set up an account at the Linux forum site) I decided to just Google and get it off the web.
    I found that it was pretty hard to find, but in looking around I found other Linux forum references regarding PeoplePC's dial-up problems.
    Rather than using DialGuard others solved the problem by simply adding "@peoplepc.com" to their account name.
    So that was the only thing I changed and--HAPPY DAYS ARE HERE AGAIN! My modem dialed right in and connected. And much quicker than PPC's software (dialer) on my Win PC.
    After screwing around for several days and pulling my hair out in frustration trying to get my Mac on-line I was done in a few minutes, thanks to your input.
    I will mark this thread "Solved" and get on with learning to use my "new" iBook system.
    Again, many thanks for the most helpful reply.

  • Messages (Jabber) Refuses to Authenticate AD Users after 10.9.2/Server 3.0.3 update

    Once again, an update appears to have broken Messages/Jabber's ability to authenticate AD users after the 10.9.2/Server 3.0.3 update even though it was working well before. Hoping someone here has some ideas for how to help!
    I can log in just fine as a local user (e.g. [email protected]), but no luck with AD users (e.g. [email protected]). As always, it fails with no intelligible error message whatsoever:
    Mar  1 09:46:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] connect
    Mar  1 09:46:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] disconnect jid=unbound, packets: 0
    Mar  1 09:48:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] connect
    Mar  1 09:48:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] disconnect jid=unbound, packets: 0
    I reset the jabber server configuration as described here to no avail: https://discussions.apple.com/thread/5354428
    The DNS configuration looks good:
    changeip -checkhostname
    Primary address     = 10.0.17.15
    Current HostName    = comet.ADdomain.private
    DNS HostName        = comet.ADdomain.private
    The names match. There is nothing to change.
    dirserv:success = "success"
    The Jabber status from jabber:
    serveradmin fullstatus jabber
    jabber:state = "RUNNING"
    jabber:roomsState = "RUNNING"
    jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
    jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
    jabber:logPaths:JABBER_LOG = "/var/log/system.log"
    jabber:proxyState = "RUNNING"
    jabber:currentConnections = "0"
    jabber:currentConnectionsPort1 = "0"
    jabber:currentConnectionsPort2 = "0"
    jabber:pluginVersion = "10.8.211"
    jabber:servicePortsAreRestricted = "NO"
    jabber:servicePortsRestrictionInfo = _empty_array
    jabber:hostsCommaDelimitedString = "comet.ADdomain.private"
    jabber:hosts:_array_index:0 = "comet.ADdomain.private"
    jabber:setStateVersion = 1
    jabber:startedTime = "2014-03-01 17:39:06 +0000"
    jabber:readWriteSettingsVersion = 1
    Full jabber server startup log:
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: waiting for jabberd to finish startup...
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: loaded user table (1 users)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: couldn't open filter file /etc/jabberd/router-filter.xml: No such file or directory
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: jabberd service startup completed.
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/s2s[1787]: starting up (interval=60, queue=60, keepalive=0, idle=86400)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: initialized auth module 'apple_od'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: initialised storage driver 'sqlite'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'sess-end' (order 0 index 0 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-sess' (order 0 index 1 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-sess' (order 1 index 2 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'in-sess' (order 2 index 3 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=5347] listening for incoming connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [comet.ADdomain.private] configured; realm=comet.ADdomain.private, registration disabled, using PEM:/etc/certificates/mail.ADdomainbio.com.E41BBC081993E348B26181D9CB334A28137A8D8D.concat.pem
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [c2s] online (bound to 127.0.0.1, port 49353)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5222] listening for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5223] listening for SSL connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'in-sess' (order 3 index 4 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'in-sess' (order 4 index 5 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] set as default route
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] online (bound to 127.0.0.1, port 49354)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'in-sess' (order 5 index 6 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'in-sess' (order 6 index 7 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Starting up...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Loading persistent rooms from disk...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Finished loading rooms from disk
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Connecting to XMPP server at 'comet.ADdomain.private' as 'rooms.comet.ADdomain.private'...
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'in-sess' (order 7 index 8 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'in-sess' (order 8 index 9 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'in-sess' (order 9 index 10 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'in-sess' (order 10 index 11 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-sess' (order 11 index 12 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'in-sess' (order 12 index 13 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'in-router' (order 0 index 14 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-router' (order 1 index 1 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-router' (order 2 index 12 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-router' (order 3 index 2 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'out-router' (order 0 index 2 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-sm' (order 0 index 0 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'pkt-sm' (order 1 index 6 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-time' added to chain 'pkt-sm' (order 2 index 15 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'pkt-sm' (order 3 index 16 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-sm' (order 4 index 9 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-sm' (order 5 index 8 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'pkt-sm' (order 6 index 11 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'pkt-sm' (order 7 index 17 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'echo' added to chain 'pkt-sm' (order 8 index 18 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-sm' (order 9 index 12 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'pkt-user' (order 0 index 3 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-user' (order 1 index 12 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'pkt-user' (order 2 index 5 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-user' (order 3 index 9 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'pkt-user' (order 4 index 13 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'pkt-user' (order 5 index 4 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'pkt-user' (order 6 index 10 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-user' (order 7 index 0 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'pkt-router' (order 0 index 14 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-router' (order 1 index 8 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-load' (order 0 index 19 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'autobuddy' added to chain 'user-load' (order 1 index 20 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-load' (order 2 index 3 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster-publish' added to chain 'user-load' (order 3 index 21 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-load' (order 4 index 2 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-load' (order 5 index 4 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-create' (order 0 index 19 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'template-roster' added to chain 'user-create' (order 1 index 22 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-delete' (order 0 index 19 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'user-delete' (order 1 index 11 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'user-delete' (order 2 index 10 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-delete' (order 3 index 2 seq 4)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-delete' (order 4 index 3 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-delete' (order 5 index 4 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'user-delete' (order 6 index 0 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'user-delete' (order 7 index 7 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'user-delete' (order 8 index 5 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'disco-extend' (order 0 index 16 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'disco-extend' (order 1 index 17 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: version: jabberd sm 2.2.17-409
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: [comet.ADdomain.private] configured
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [sm] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: sm ready for sessions
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [comet.ADdomain.private] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] connect
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] authenticated as proxy65.comet.ADdomain.private
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [proxy65.comet.ADdomain.private] online (bound to 127.0.0.1, port 49356)
    Mar  1 09:52:23 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] connect
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] authenticated as rooms.comet.ADdomain.private
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [rooms.comet.ADdomain.private] online (bound to 127.0.0.1, port 49357)
    Mar  1 09:52:24 comet.ADdomain.private Rooms[1792]: Successfully connected to XMPP server, ready for activity
    I am not sure if it's attempting to authenticate to AD or not, and if so, why it might be failing. Any suggestions would be greatly appreciated!

    uscadvit wrote:
    Here is the output without the name of our AD:
    Advanced Options - User Experience
      Create mobile account at login = Disabled
         Require confirmation        = Enabled
      Force home to startup disk     = Enabled
         Mount home as sharepoint    = Enabled
      Use Windows UNC path for home  = Enabled
         Network protocol to be used = smb
      Default user Shell             = /bin/bash
    Advanced Options - Mappings
      Mapping UID to attribute       = not set
      Mapping user GID to attribute  = not set
      Mapping group GID to attribute = not set
      Generate Kerberos authority    = Enabled
    Advanced Options - Administrative
      Preferred Domain controller    = not set
      Allowed admin groups           = not set
      Authentication from any domain = Enabled
      Packet signing                 = allow
      Packet encryption              = allow
      Password change interval       = 14
      Restrict Dynamic DNS updates   = not set
      Namespace mode                 = domain
    That looks correct. Let's collect a few more config items.
    Copy / paste the output of this command when run against c2s.xml:
    sudo grep '<id require-starttls="true" pemfile="' /Library/Server/Messages/Config/jabberd/c2s.xml
    Ours looks like this:
    <id require-starttls="true" pemfile="/etc/certificates/chat.example.com.1234567890.concat.pem" private-key-password="12345678-1234-1234-12345678" cachain="/etc/certificates/chat.example.com.1234567890.chain.pem" realm="example.com">example.com</id>
    Copy / paste the output of this command when run against sm.xml. To give us context, it will display the 6 lines above and below the text:
    sudo grep -C 6 'If not set, the SM id is used. -->' /Library/Server/Messages/Config/jabberd/sm.xml
    Ours looks like this:
    <!-- Local network configuration -->
    <local>
        <!-- Who we identify ourselves as.
             Users will have this as the domain part of their JID.
             If you want your server to be accessible from other
             Jabber servers, this IDs must be FQDN resolvable by DNSes.
             If not set, the SM id is used. -->
        <id>example.com</id>
        <!--
        <id>vhost1.localdomain</id>
        <id>vhost2.localdomain</id>
        -->
    </local>
    Copy / paste the output of this command:
    sudo serveradmin settings jabber
    Ours looks like this:
    jabber:dataLocation = "/Library/Server/Messages"
    jabber:s2sRestrictDomains = no
    jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
    jabber:sslCAFile = "/etc/certificates/chat.example.com.1234567890.chain.pem"
    jabber:jabberdClientPortTLS = 5222
    jabber:sslKeyFile = "/etc/certificates/chat.example.com.1234567890.concat.pem"
    jabber:initialized = yes
    jabber:enableXMPP = no
    jabber:savedChatsArchiveInterval = 7
    jabber:authLevel = "STANDARD"
    jabber:hostsCommaDelimitedString = "example.com"
    jabber:jabberdClientPortSSL = 5223
    jabber:requireSecureS2S = no
    jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
    jabber:enableSavedChats = no
    jabber:enableAutoBuddy = yes
    jabber:s2sAllowedDomains = _empty_array
    jabber:logLevel = "ALL"
    jabber:hosts:_array_index:0 = "example.com"
    jabber:eventLogArchiveInterval = 7
    jabber:jabberdS2SPort = 0
    Also, while you're troubleshooting, I found Adium's debug window to be invaluable for showing errors during logon (even if you plan to use Messages).
    You can open it in debug mode by holding option + click Adium.app, select "start in debug mode". Then in Adium menu > Debug window.
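    The reply above collects the c2s.xml realm, the sm.xml <id> and the jabber:hosts list so they can be compared by eye. The script below is an added example (not code from the thread, from Apple or from the poster) that does the same comparison mechanically for a given JID domain; the config fragments it parses are constructed samples modelled on the ones quoted above, with placeholder paths, password and domain.

```sh
#!/bin/sh
# Added example: cross-check the three Messages/Jabber settings quoted in the
# reply above. For a user whose JID is user@<domain>, <domain> should be the
# realm and element text of the <id> in c2s.xml, an active <id> in sm.xml, and
# a member of jabber:hosts from "serveradmin settings jabber". On a real server
# feed in the output of the three commands from the reply; here the inputs are
# constructed samples so the check runs offline.

# Constructed sample: the <id> line from c2s.xml (paths/password are placeholders)
C2S_LINE='<id require-starttls="true" pemfile="/etc/certificates/chat.example.com.1234567890.concat.pem" private-key-password="PLACEHOLDER" cachain="/etc/certificates/chat.example.com.1234567890.chain.pem" realm="example.com">example.com</id>'

# Constructed sample: the <local> block of sm.xml, comments included, as grep -C prints it
SM_BLOCK='<!-- Local network configuration -->
<local>
    <!-- Who we identify ourselves as. Users will have this as the domain part of their JID.
         If not set, the SM id is used. -->
    <id>example.com</id>
    <!--    <id>vhost1.localdomain</id>    <id>vhost2.localdomain</id>    -->
</local>'

# Constructed sample: the host-related keys from "sudo serveradmin settings jabber"
SERVERADMIN_OUT='jabber:hostsCommaDelimitedString = "example.com,chat.example.com"
jabber:hosts:_array_index:0 = "example.com"
jabber:hosts:_array_index:1 = "chat.example.com"'

# Remove every <!-- ... --> comment (multi-line too) with shell string operations only
strip_comments() {
    s=$1
    while case $s in *"<!--"*"-->"*) true ;; *) false ;; esac; do
        pre=${s%%"<!--"*}
        rest=${s#*"<!--"}
        s=$pre${rest#*"-->"}
    done
    printf '%s\n' "$s"
}

# realm="..." attribute of the c2s <id> element
c2s_realm() {
    printf '%s\n' "$1" | sed -n 's/.*realm="\([^"]*\)".*/\1/p'
}

# element text of <id ...>text</id> in c2s.xml
c2s_id() {
    printf '%s\n' "$1" | sed -n 's/.*<id [^>]*>\([^<]*\)<\/id>.*/\1/p'
}

# every active (uncommented) <id>text</id> in the sm.xml <local> block, one per line
sm_ids() {
    strip_comments "$1" | sed -n 's/.*<id>\([^<]*\)<\/id>.*/\1/p'
}

# jabber:hosts from serveradmin output, one host per line
jabber_hosts() {
    printf '%s\n' "$1" | sed -n 's/^jabber:hostsCommaDelimitedString = "\([^"]*\)".*/\1/p' | tr ',' '\n'
}

# Return 0 when DOMAIN is consistent across all three sources; otherwise print
# each source that disagrees and return 1.
# Usage: check_jid_domain DOMAIN C2S_ID_LINE SM_LOCAL_BLOCK SERVERADMIN_OUTPUT
check_jid_domain() {
    domain=$1 c2s=$2 sm=$3 sa=$4 rc=0
    realm=$(c2s_realm "$c2s")
    cid=$(c2s_id "$c2s")
    [ "$realm" = "$domain" ] || { echo "c2s.xml realm is '$realm', expected '$domain'"; rc=1; }
    [ "$cid" = "$domain" ]   || { echo "c2s.xml <id> text is '$cid', expected '$domain'"; rc=1; }
    sm_ids "$sm" | grep -qxF "$domain" \
        || { echo "sm.xml has no active <id>$domain</id>"; rc=1; }
    jabber_hosts "$sa" | grep -qxF "$domain" \
        || { echo "jabber:hosts does not list '$domain'"; rc=1; }
    return $rc
}

# Demo on the constructed samples: example.com is consistent, ADdomain.private is not
check_jid_domain example.com "$C2S_LINE" "$SM_BLOCK" "$SERVERADMIN_OUT" && echo "example.com: consistent"
check_jid_domain ADdomain.private "$C2S_LINE" "$SM_BLOCK" "$SERVERADMIN_OUT" || echo "ADdomain.private: mismatch, see above"
```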

  • Windows Server 2008 R2: Server unable to authenticate with Domain Controller

    Hello, I was wondering what could be the reason for this error if it is certain that there was no other computer on the network using the same name:
    This computer could not authenticate with <Domain-controller>, a Windows domain controller for domain <Domain-name>, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized.
    What would cause the machine account pw to be 'not recognized'?

    You can track changes in AD by enabling AD Auditing: https://technet.microsoft.com/en-us/library/cc731764%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    As reading the logs is usually a complicated and time consuming task, it is recommended to use a third party tool for auditing. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html
    Ahmed MALEK
