Integration of Active Directory (AD)

Hi all

Please let me know if there is any document on the integration of Active Directory with the AAU.
If anyone has details of such a document, please share it with me.

Kind regards
Vijay T

Hey Vijay.
The guide on managing security and user access for the content server is available on the documentation website.

see you soon,
Sicard

Tags: Fusion Middleware

Similar Questions

  • OEDQ integration with Active Directory - disable SSL

    Hi mates,

    I just installed OEDQ (latest version) on a Unix machine (deployed on WebLogic Server 10.3.6) but I have a few concerns:

    • SSL communications -> are they mandatory? I mean, I tried to expose dndirector via an Apache OHS web server. I am able to access the admin page in raw mode, but every time I try to access a specific feature (dashboard, user management, server configuration, etc.) I am redirected to https://<web-server-hostname>:<wls-server-ssl-port>/dndirector, which is not what I expect. What's wrong? Moreover, if SSL is required, is there a way to expose the console via Apache (avoiding any redirect)?

    • OEDQ with Active Directory -> the documentation (OEDQ integration with Active Directory) covers just the Single Sign-on configuration (on both Windows and Unix). What about a simple configuration pointing to an external LDAP? The documentation states the following:

    It is also possible to configure OEDQ to work with different directory servers for user authentication and user identification. For more information on the alternative configurations, see "contact us".

    So, how can I achieve this?

    Pointers?

    Thanks in advance,

    Marco

    Marco

    Here is an example configuration that can be used to integrate with AD.  Create a folder called security in your OEDQ configuration directory, and save the file in this folder as login.properties.  There is some supporting documentation on this process in the OEDQ online help.

    Here is the file, I'll add a few notes below:

    realms                        = internal, ad
    gss                           = false

    ad.realm                      = EXAMPLE.COM
    ad.auth                       = ldap
    ad.auth.bindmethod            = digest-md5
    ad.auth.binddn                = search: sAMAccountName
    ad.ldap.server                = dc.example.com
    ad.ldap.auth                  = simple
    ad.ldap.user                  = [email protected]
    ad.ldap.pw                    = test
    ad.ldap.profile               = adsldap
    ad.ldap.prof.defaultusergroup = testgroup
    ad.ldap.prof.useprimarygroup  = false
    

    The realms line indicates that the 'internal' realm (OEDQ internal users such as dnadmin) and the AD realm should be used.  Once you are satisfied with the AD integration you can remove the internal realm and use AD exclusively.  The realm property sets the name of the AD domain - here I used EXAMPLE.COM.

    The server property sets the DNS name of the AD server.  If omitted, it is looked up in the DNS.

    The user and pw lines are the credentials OEDQ uses to connect to AD.

    The defaultusergroup line is the name of an LDAP group that contains all users who will use OEDQ.  The default value for this is Domain Users, which usually contains far too many users.

    Once it is set up and working, you can go to the OEDQ user configuration and see a link to External Groups, which maps AD groups to OEDQ groups in order to assign permissions to users.

    I hope this helps.

    Richard
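
An added example, not part of Richard's post and not Oracle tooling: a small audit of a login.properties realm block that flags the settings his notes single out (the stored bind credentials, the default user group, the internal realm left enabled). The rule set, function names and the bind account in the sample are assumptions made for illustration; the keys are the ones in the file above.

```python
# Added example: audit of an OEDQ login.properties realm block.
# The rule set and function names are assumptions, not Oracle tooling.

# Constructed sample: same keys as the file above, made-up bind account,
# and defaultusergroup deliberately left out.
SAMPLE = """\
realms                        = internal, ad
gss                           = false
ad.realm                      = EXAMPLE.COM
ad.auth                       = ldap
ad.ldap.server                = dc.example.com
ad.ldap.auth                  = simple
ad.ldap.user                  = svc-oedq@example.com
ad.ldap.pw                    = test
ad.ldap.profile               = adsldap
ad.ldap.prof.useprimarygroup  = false
"""


def parse_properties(text):
    """Parse 'key = value' lines; skip blanks and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (realm, code, message) findings for each external realm."""
    findings = []
    realms = [r.strip() for r in props.get("realms", "").split(",") if r.strip()]
    for realm in realms:
        if realm == "internal":
            continue
        # Assumption: realm keys are prefixed with the realm label, as in the file above.
        get = lambda key, r=realm: props.get(f"{r}.{key}", "")
        if get("ldap.auth").lower() == "simple":
            findings.append((realm, "simple-bind",
                             "simple bind sends the password in clear unless the LDAP connection is encrypted"))
        if get("ldap.pw"):
            findings.append((realm, "stored-password",
                             "bind password is stored in the file; restrict who can read it"))
        if not get("ldap.prof.defaultusergroup"):
            findings.append((realm, "default-user-group",
                             "defaultusergroup unset; the default is Domain Users"))
    if "internal" in realms and len(realms) > 1:
        findings.append(("internal", "internal-realm-enabled",
                         "internal accounts such as dnadmin can still log in"))
    return findings


def codes(text):
    """Sorted finding codes for a properties file given as text."""
    return sorted(code for _, code, _ in audit(parse_properties(text)))


if __name__ == "__main__":
    for realm, code, message in audit(parse_properties(SAMPLE)):
        print(f"[{realm}] {code}: {message}")
```
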

  • Integration with Active Directory OraHome92?

    Let me first say that I have absolutely zero knowledge of all Oracle products, I don't know if I'm posting in the right forum, but I'm here, if I need to ask another forum please let me know.

    Question:
    We are Microsoft system administrators. We have a client that is running a very old database application on a Windows 2003 server. They currently use a new database (not Oracle), but the Oracle database must remain accessible for looking up historical data.

    The application works very well.

    We plan to migrate the existing domain (Active Directory) to a couple of 2012 R2 servers.

    The 2003 server with Oracle is also a domain controller, and we do not want 2003 domain controllers in our 2012 R2 domain.

    Our question is: can we demote this domain controller, and will OraHome92 still work after the demotion?

    Server 2003 is not the FSMO, the FSMO is a Windows Server 2008.

    In other words, how does OraHome92 integrate with Active Directory? Or is there no Active Directory integration, so that we can just demote the server and leave it running as a domain member server?

    Maybe you need more information about oracle, all I can say that the following services are running:

    OracleMTSRecoveryService
    OracleOraHome92TNListener

    OracleServiceORCL

    Oracle installed, but NOT running services:
    OracleOraHome92Agent
    OracleOraHome92ClientCache
    OracleOraHome92HTTPServer

    OracleOraHome92PAgingServer

    OracleOraHome92SNMPPeerEncapsulator

    OracleOraHome92SNMPPeerMasterAgent


    I hope somebody can help with this or point us in the right direction.

    I would not feel protected by an export created like this. It is not a full export; it is an export of a single schema only, and you may need more than that if it is necessary to rebuild the database. In addition, it is not a consistent export, which may make it useless. I would run the export something like this:

    exp.exe system/sys@oracle_w3 full=y file=d:\directory\file.dmp consistent=y

    You may think it's all pretty awkward. The problem is that it is generally considered bad practice to install Oracle on a domain controller, unless you install as a member of the domain administrators group. I guess that as long as you have not done that, you may be able to demote the machine without affecting the database. But I don't really know, Windows security is a mystery to me.

  • ESX - integration with Active Directory: Kerberos?

    Hi all

    We set up AD integration for SSH accounts on ESX 3.5 U3.

    esxcfg-auth --enablead works very well:

    esxcfg-auth --enablead --addomain=our.domain.com --addc=our.domain.com

    For some reason, there was already an additional line in the configuration script: esxcfg-auth --enablekrb5

    esxcfg-auth --enablekrb5 --krb5realm=our.domain.com --krb5kdc=our.domain.com --krb5adminserver=our.domain.com

    Things go awry as soon as the last command is entered.

    When adding a local account with this PowerShell command, we get this error:

    New-VMHostAccount : 12/05/2009-10:17:11 New-VMHostAccount 52976ebb-2d24-f493-9aa3-bca7894ef581 A general system error occurred: passwd: Authentication token manipulation error

    The local account is created, but the equivalent of Active Directory gets locked out, after several of these events:

    Pre-authentication failed

    User name: USER-TEST

    ID: DOMAIN\TEST-USER

    Service name: kadmin/changepw

    Pre-authentication type: 0x0

    Error code: 0x19

    Client address: 10.10.120.16

    Now, I have two questions for you:

    1 - Does anyone know how to solve the lockout problem?

    2 - Is --enablekrb5 necessary? What does it give me in addition to --enablead?

    Thanks for your help!

    Kind regards

    Harold

    enablekrb5 is not necessary.  enablead will set up your Kerberos configuration to talk to AD.  The krb5 option is used when you use a KDC that is not Active Directory.  In addition, when you create an account on the ESX side, it's pretty much an account without a password, at least from the perspective of the UNIX shadow file.  Authentication works by checking the local files for the user name (since AD is not used for the user database, only for authentication), then checking the password in the local files, which do not have a password, so that fails, and then continuing on to AD through Kerberos for a successful verification.  If you are trying to create an account with a password on the ESX system, then this is the problem.  You don't need to set one; in fact, it should be without a password, so that without AD the user effectively cannot log in to the system via ssh or the console.

    -KjB

    VMware vExpert

  • Integration with Active Directory or SSO OID?

    We are looking into our options for single sign-on integration with OBIEE on top of Oracle EBS 11.5.10. Currently we have MS Active Directory and Oracle Internet Directory, with our users synchronized in both.

    Can anyone recommend which is better for the OBIEE LDAP/SSO integration and provide the pros and cons of each? Thanks in advance

    PTRAN2,

    If you have any OID then use with AD, you also an external table if you want to be able to define groups, CheminPortail etc. Groups and users can currently be imported, ad, only authenticated against it. It works fine but OID should be admin much more straightforward.

    Ed

  • Passwords enable ISE device Administration (ACS) integrating with Active Directory

    I'm working on a standalone ISE appliance and running into a problem where the enable password for a device is not being pulled properly.  I have the initial login tied to AD, and my policy conditions/results/sets are all working as they should.  My test device is a 2960S.  I tried to set up ' group aaa authentication enable default Activate ', but the only way I could get an enable login to work with that was if the user was configured locally in ISE under Identity Management > Identities > Users.  Is there something I missed that will tie enable passwords to an Active Directory group, as I have working for the initial login?

    I see just one mistake, in your aaa authentication enable command. You must specify the TACACS+ group.

    Right now, I don't have access to my lab with ISE.

    Here's my config for switches used with ACS.

    aaa authentication login TACACS-SRV group tacacs+ local
    aaa authentication login Console local
    aaa authentication dot1x default group radius
    aaa authorization exec TACACS-SRV group tacacs+ local
    aaa authorization commands 15 TACACS-SRV group tacacs+ local
    aaa authorization network default group radius
    aaa accounting exec TACACS-SRV start-stop group tacacs+
    aaa accounting commands 15 TACACS-SRV start-stop group tacacs+

    If you give me the full output, maybe we can understand why your ISE TACACS does not work with AD. I see no reason except a misconfiguration or another issue.

    Just to go to the mode, you need more aaa authentication command activate by default enable. Enable mode is pushed to the user if he gets privilege 15. Your problem should be in the profile or the policy. With the authorization log, we can see whether or not ISE pushes the policy, and why.

  • Integration of Active Directory with telepresence - Jabber video

    Hello

    I would like some clarification on AD integration with the existing TP infrastructure.

    We have a VCS-C 8.x, a VCS-E 7.2.2, and TMS 14.3 with TMSPE.

    We need our Jabber Video users to authenticate with their existing user accounts on AD. Authentication for all the other codecs will be local on the VCS-C.

    Where do I configure the AD integration?  On the TMS only? On the VCS-C only? Or both?

    Is there any document that clearly explains this configuration?

    Thank you.

    If you want to check the credentials on the Control, and have Jabber Video clients send their authentication requests to the VCS Control, where you have ADS set up, you must configure the default and traversal zones on the Expressway to not check credentials.

    Regarding your comment on authentication on the Expressway, just to be clear: before the client can actually create a registration on the Expressway, do you want it to authenticate, meaning that the subzone where it will register checks the credentials? If so, ADS is a problem here.  As the Jabber Video client will always use NTLM to send its credentials when ADS is used, the Expressway will be presented with the username/password user name field.  As the Expressway is not connected to AD to check these credentials, it will not allow the registration.  Authentication of registration requests always happens on the local server, because that's where the registration should be.

    Zac, in the discussion below, covers this very well, including how to get around it when using ADS and registering Jabber Video to the Expressway.

    Jabber-video-authentication-vcs-what

  • ESX 4.1 integration with Active Directory

    So what does this 'buy' you?  I joined my ESX servers to my domain.  I was able to add a domain administrator by connecting directly to a host, and then logged in successfully with that account.   Is there anything beyond giving domain users permissions directly on a host?  Am I missing some other features?

    Thanks in advance

    Is there anything beyond giving domain users permissions directly on a host? Am I missing some other features?

    Then... Hmm... NOPE!  That's all!

    vCenter takes care of this for you... so you don't even have it.

  • VCOPS 5.8 - where is the "Active Directory integration"?

    The 5.8 release notes list this as a "new feature":

    Authentication options with the new integration with active directory for authentication.

    Where is this new option? All I see is the old 'LDAP import', which works, somehow. I was expecting something easier for AD.

    I understand that it was a typo in the release notes, because there is no change in the AD integration of vC Ops 5.8. I think that this excerpt was intended for the Log Insight release notes, which add more AD features.

  • vMA 4.1 Active Directory (AD) integration login Restrictions

    Hello

    I recently deployed vMA 4.1 in our environment with Active Directory (AD) integration. My question is how to restrict login access. Any domain user can log in to the vMA at the moment.

    Thank you

    Yes, you can control this by taking a peek in the same configuration file, located at /etc/likewise/lsassd.conf

    You'll want to find the following section and update the list, allowing only certain groups or users to log in; this is how you limit login access to the users/groups that you want to allow:

        # Allow only the following users and groups
        # to login to this system
        #
        # Note: Use a comma-separated list of
        #       { alias, NT4 style name, SID }
        #
        # require-membership-of = ABC\support group, ABC\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513
    

    Uncomment the require-membership-of line and provide your comma-separated list.

    =========================================================================

    William Lam

    VMware vExpert 2009,2010

    VMware VCP3, 4

    VMware VCAP4-DCA

    VMware scripts and resources at: http://www.virtuallyghetto.com/

    Twitter: @lamw

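
An added example, not part of the post above and not Likewise or VMware code: a review of the require-membership-of setting that reports when it is still commented out and classifies each entry as alias, NT4-style name or SID. It also flags an entry that resolves to Domain Users (relative ID 513, as in the SID quoted in the file's own comment), since that group normally contains every domain user account. Function names and sample file contents are constructed for illustration.

```python
# Added example: review of the require-membership-of setting in lsassd.conf.
# Function names and sample contents are constructed for illustration.
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DOMAIN_USERS_RID = "513"  # well-known relative ID of a domain's Domain Users group

# Constructed sample 1: the setting is still commented out, as quoted above.
COMMENTED = r"""
# Allow only the following users and groups
# to login to this system
# require-membership-of = ABC\support group, ABC\joe, jane
"""

# Constructed sample 2: uncommented, but one entry is a Domain Users SID.
ACTIVE = r"""
require-membership-of = ABC\vma-admins, jane, S-1-5-21-3447809367-3151979076-456401374-513
"""


def membership_entries(conf_text):
    """Return the active require-membership-of entries, or [] if none is set."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comments and section headers carry no setting
        key, _, value = line.partition("=")
        if key.strip() == "require-membership-of":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries


def classify(entry):
    """Classify an entry as one of the three forms the file's comment lists."""
    if SID_RE.match(entry):
        return "sid"
    return "nt4" if "\\" in entry else "alias"


def review(conf_text):
    """Return one note per entry, or a single 'unrestricted' note if unset."""
    entries = membership_entries(conf_text)
    if not entries:
        return ["unrestricted: require-membership-of is not set"]
    notes = []
    for entry in entries:
        kind = classify(entry)
        name = entry.split("\\", 1)[-1].lower()
        is_domain_sid = kind == "sid" and entry.startswith("S-1-5-21-")
        if (is_domain_sid and entry.rsplit("-", 1)[1] == DOMAIN_USERS_RID) or name == "domain users":
            notes.append(f"broad: {entry} is Domain Users")
        else:
            notes.append(f"ok: {kind} {entry}")
    return notes


if __name__ == "__main__":
    for text in (COMMENTED, ACTIVE):
        print(review(text))
```
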

  • ACS 5.1 using Active Directory to manage the strategy of network device Admin

    Hi guys, we have configured an ACS 5.1 and integrated it with a Win2K3 Active Directory. We created two AD groups to manage network devices, one for administrators and one for operators (read-only), and configured a device admin policy; the two groups work very well. But now we are facing a small problem: any user that exists in AD can log in (user exec mode) to the network devices, and we want to deny that login with a policy, but we do not know how.

    Is there a way to have a user authenticated against an ACS internal or external group, but at the user level, just as you can in GBA 4.X?

    Thanks for your help!

    Best regards

    Oscar

    Yes, you can change that; it's the default shell profile. You must create a new one with privilege level "not in use" and select the new shell profile (not Administrators or Operators) under Default Device Admin > Authorization profile > Edit, and make the changes.

    I hope this helps.

  • BI Publisher with Active Directory - slow connection

    Hello, I was wondering if anyone has set up BI Publisher with Active Directory. We are on OBIEE 11.1.1.1.7, integrated with Active Directory. It takes about 40-50 seconds to log in at:

    http://bnrbidevapp1.es.gwu.edu:9704/xmlpserver


    We have a different working BIP instance; it is also connected to the same AD and the login is instant. What can I adjust? I checked the memory on the system and doubled the RAM, so it has double that of the system with instant access. What else can I check? Thank you!

    I followed this and it is resolved:

    http://www.peakindicators.com/files/document/33/Oracle%20bi%2011g%20-%20active%20directory%20authentication.PDF

  • OEDQ Active Directory

    I installed OEDQ 11.1.1.7.3 (WebLogic Server) and am following the documentation at the link below for integration with Active Directory.

    http://docs.Oracle.com/CD/E48549_01/doc.11117/e40042/TOC.htm

    I'm confused with the documentation. Do I have to follow both sections or just one of these sections to implement integration active directory?

    (1) integrations using OPSS LDAP on weblogic server

    (2) direct LDAP integration approach.

    Any help is appreciated.

    The mappings in login.properties are used as the initial default values, so a system using OPSS will work out of the box.  While additional mappings can be added there, the preferred approach is to use the OEDQ administration pages.  The mappings can also be configured by a script run outside OEDQ which connects to the OEDQ JMX MBeans.

    Richard

  • upgrade from 5.0 to 5.5 vCenter: DNS domain name to be added as a source of identity, Active directory native

    I intend to upgrade a vCenter 5.0 to 5.5.

    The vSphere environment is used for testing and is not integrated with Active Directory; users log on to vCenter with local vCenter users and groups.

    During the upgrade, I have the option to check a box saying "Add <dns_domain_name> as a native Active Directory identity source".

    Please can someone explain what this means?

    What is supposed to happen if I do not check the box?

    Will local vCenter users and groups still be able to log on after the upgrade?

    Even if it's a test environment I can't create any kind of problems for existing users, so selecting the right answer is essential...

    Regards

    Marius

    In SSO, you have the option to add identity sources (like LDAP or Active Directory) where the users and groups are managed.

    This option has no meaning for you if your vSphere environment is not integrated with Active Directory. But it makes no difference if you select or deselect it.

    local users will continue to work...

  • Best practices for active directory / dns / hostname configuration

    Scenario:

    The DNS servers are not integrated with Active Directory, and all ESX hosts and VMs of the virtual environment have host names in the DNS domain called inside.contoso.com, such as an ESX server called "esx1.inside.contoso.com" and a virtual machine called "linuxvm1.inside.contoso.com".

    We have set up an Active Directory domain to manage authentication for the vCenter server.  Should this Active Directory domain be a subdomain of the existing DNS domain, such as

    'addomain.inside.contoso.com'?

    What is recommended in this scenario?

    In addition, should the vCenter server be named as a member of the domain, such as "vcenter1.addomain.inside.contoso.com",

    or should it be named 'vcenter1.inside.contoso.com'?

    We currently have a scenario where the Active Directory domain is not a subdomain, i.e. the AD domain is nwtraders.local and the DNS domain is "inside.contoso.com". When the vCenter server is added to the AD domain, its host name is "vcenter1.nwtraders.local".   When VMware clients on computers outside the AD domain then connect to this vCenter server, problems result from this AD/DNS/hostname design and some features of the VMware client do not work correctly, unless the VMware client runs on a computer joined to the nwtraders.local domain, which is not possible for all computers.

    Any comments or thoughts appreciated - thank you

    You have an AD domain that is used for your vCenter server only, which is pretty safe. Microsoft does publish guides on building server roles such as domain controllers; you may wish to consider looking at these.

    Regarding the DNS to use, there is no right or wrong answer; it comes down to which option is the best solution for your organization, given the technical, commercial, geographical or political demands.
