LDAP... CN/OU... another possibility
Hello
I have a question for all LDAP specialists.
Our users are in different "groups".
Example:
User 1 (distinguishedName): CN=999999,OU=users,OU=V-HOME-LW,OU=Basemant,OU=branches,DC=HANS WURST,DC=local
or
User 2 (distinguishedName): CN=888888,CN=Users,DC=HANS WURST,DC=local
In APEX (distinguished name (DN) string): CN=%LDAP_USER%,CN=Users,DC=HANS WURST,DC=local
User 2 can log in, user 1 cannot. Of course :-) But... how can I change my DN string in APEX, since the user cannot remove the other group?
Any idea?
René
Hello
I solved the problem like this:
%LDAP_USER%@Hans-WURST.local
and it works very well.
BG
René
Similar Questions
-
Hello Experts!
First of all, before I opened this topic I tried to search for similar posts that could hold at least part of the information I need. This topic is mostly related to the architecture of the whole system, in the sense of an application that contains a database part (Oracle database with data models), an operational part (Unix scripts called from the web interface), a WebLogic server where the MS Java application runs, and finally an LDAP setup for the supported LDAP groups.
The currently confirmed architecture is unacceptable to me from the backend point of view, because everything would be installed on the same physical server (physical machine). From my point of view there should be at least 3 physically separate servers:
(1) a database server where the Oracle database is installed (let's omit backup and disaster recovery at this stage)
(2) an operations server shared between several applications, to manage operational tasks and application configurations
(3) a separate server for the WebLogic server, the LDAP server and the Java application
Given that points 1 and 2 are obvious to me and I described them in a really simplified form, point 3 is not entirely clear to me, mainly because I am a solution architect for data warehousing, not for J2EE-based applications. Under the following link:
Oracle WebLogic Server needs a server infrastructure
I just read that to support failover and load balancing I should have two different physical boxes with the WebLogic software installed on each of them. I do not know how many separate boxes I need for the 3rd point mentioned above. I would appreciate it if you could share your thoughts on this subject, considering the following points:
-scalability (1000 users at the same time)
-further development
-maintenance
-installation costs
If you can guide also links to cover this topic, I'd be more than happy
Thanks in advance!
Kind regards
Bolo
Hi Bolo
Here's WDM of Oracle Identity management includes the installation of OID:
I'm sorry for the confusion.
I meant the general architecture guidelines that say you should keep the boxes separate, for example: LDAP must be in a different box from WLS, and the database must also be in a different box; this isn't really related to Oracle products, only to architecture definitions.
WebLogic Server being, in the end, a Java application running in the Java virtual machine, WLS should run in the same box as the JVM, as it is one unit in terms of functionality.
Best regards
Luz
-
Get the email of the user via LDAP
I would like to send an email via APEX whenever a request is rejected. I want to send it to the user who made the request through the system. This user was authenticated via LDAP (Active Directory) in another application when he sent the request. Therefore, his e-mail address is located in his AD profile, with which he authenticates. All requests are listed in a report in another application (which uses the same LDAP authentication scheme) where they can be reviewed, rejected or accepted. When the user clicks the reject button, it updates the status of the request in the database and sends an e-mail message to a hard-coded email address. I want to send it to the user who made the request.
Is it possible to use this LDAP session (since I'm connected to the application via LDAP, I take it for granted that there must be a valid LDAP session in use), or do I need to connect to the server again? If it's the latter, how can I do that? I can't just hard-code my own service credentials, that would be nuts.
I thought I could use a script like this and call it in a process page, but I know I'm missing something.
Any ideas?
create or replace function Get_Mail(p_user in varchar2) return varchar2 is
  l_attrs       dbms_ldap.string_collection;
  l_message     dbms_ldap.message;
  l_entry       dbms_ldap.message;
  l_vals        dbms_ldap.string_collection;
  l_user        varchar2(256);
  l_user2       varchar2(256);
  l_mail        varchar2(256);
  l_ldap_server varchar2(256) := '****';
  l_domain      varchar2(256) := '****';
  l_ldap_port   number := 389;
  l_retval      pls_integer;
  l_session     dbms_ldap.session;
  l_username    varchar2(256) := NULL;  -- NULL user and password means an anonymous bind
  l_password    varchar2(256) := NULL;
begin
  dbms_ldap.use_exception := TRUE;
  l_user2 := p_user || '@' || l_domain;      -- UPN of the user whose mail we want
  l_user  := l_username || '@' || l_domain;  -- UPN used for the bind
  l_session := dbms_ldap.init(l_ldap_server, l_ldap_port);
  l_retval  := dbms_ldap.simple_bind_s(l_session, l_user, l_password);
  -- Active Directory keeps the address in 'mail'; there is no 'email' attribute
  l_attrs(1) := 'mail';
  -- the AND filter needs its own outer parentheses
  l_retval := dbms_ldap.search_s(
      ld       => l_session,
      base     => '****',
      scope    => dbms_ldap.scope_subtree,
      filter   => '(&(userPrincipalName=' || l_user2 || ')(objectClass=user))',
      attrs    => l_attrs,
      attronly => 0,
      res      => l_message);
  l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
  l_vals  := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attrs(1));
  l_mail  := l_vals(1);
  l_retval := dbms_ldap.unbind_s(l_session);
  return l_mail;
exception
  when others then
    dbms_output.put_line('Erreur #' || TO_CHAR(SQLCODE));
    dbms_output.put_line('Message: ' || SQLERRM);
    return NULL;
end Get_Mail;
Best regards
Mathieu
I found the solution, thanks to the work of John Edward Scott and Scott Spendolini, "Pro Oracle Application Express". So, for those who are interested:
I created two types:
create or replace type ty_ldap_query as object(
  dn              varchar2(200),
  attribute_name  varchar2(100),
  attribute_value varchar2(100));
create or replace type tbl_ty_ldap_query as table of ty_ldap_query;
Next, I created the LDAPQuery routine:
create or replace function LDAPQuery(
    p_host       in varchar2,
    p_port       in varchar2,
    p_user       in varchar2,
    p_password   in varchar2,
    p_dn_base    in varchar2,
    p_filter     in varchar2,
    p_attributes in varchar2)
  return tbl_ty_ldap_query PIPELINED
is
  retval          PLS_INTEGER;
  v_session       DBMS_LDAP.session;
  v_attrs         DBMS_LDAP.string_collection;
  v_message       DBMS_LDAP.message;
  v_entry         DBMS_LDAP.message;
  v_attr_name     VARCHAR2(256);
  v_ber_elmt      DBMS_LDAP.ber_element;
  v_vals          DBMS_LDAP.string_collection;
  v_dn_identifier VARCHAR2(200);
  v_attributes    apex_application_global.vc_arr2;
BEGIN
  retval := -1;
  DBMS_LDAP.use_exception := TRUE;
  v_session := DBMS_LDAP.init(p_host, p_port);
  retval := DBMS_LDAP.simple_bind_s(v_session, p_user, p_password);
  -- comma-separated attribute list -> string_collection for search_s
  v_attributes := apex_util.string_to_table(p_attributes, ',');
  for i in v_attributes.first .. v_attributes.last loop
    v_attrs(i) := v_attributes(i);
  end loop;
  retval := DBMS_LDAP.search_s(v_session, p_dn_base, DBMS_LDAP.scope_subtree,
                               p_filter, v_attrs, 0, v_message);
  retval := DBMS_LDAP.count_entries(v_session, v_message);
  -- one row per (entry DN, attribute name, attribute value)
  v_entry := DBMS_LDAP.first_entry(v_session, v_message);
  WHILE v_entry IS NOT NULL LOOP
    v_dn_identifier := DBMS_LDAP.get_dn(v_session, v_entry);
    v_attr_name := DBMS_LDAP.first_attribute(v_session, v_entry, v_ber_elmt);
    WHILE v_attr_name IS NOT NULL LOOP
      v_vals := DBMS_LDAP.get_values(v_session, v_entry, v_attr_name);
      IF v_vals.COUNT > 0 THEN
        FOR i IN v_vals.FIRST .. v_vals.LAST LOOP
          pipe row (ty_ldap_query(v_dn_identifier, v_attr_name, v_vals(i)));
        END LOOP;
      END IF;
      v_attr_name := DBMS_LDAP.next_attribute(v_session, v_entry, v_ber_elmt);
    END LOOP;
    v_entry := DBMS_LDAP.next_entry(v_session, v_entry);
  END LOOP;
  retval := DBMS_LDAP.unbind_s(v_session);
  RETURN;
END LDAPQuery;
And I asked it in this way:
select attribute_value
  from table(LDAPQuery(' ', ' ', ' ', ' ', ' ',
                       '(&(!(logonCount=0))(objectClass=User)(sAMAccountName= ))',
                       'mail'))
In the book he said I could do it this way (instead of using LDAP filters):
where dn = 'CN=jes,CN=Users,DC=domain,DC=localdomain'
But it wouldn't work, for some reason. In any case, it's working now.
Best regards
Mathieu
-
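The following Python script is an added illustration, not code from René's or Mathieu's posts above. It models two points those threads touch on: why the fixed APEX DN template CN=%LDAP_USER%,CN=Users,... fails for an account that lives in another OU while resolving the account by userPrincipalName works whatever its OU (the UPN login René ended up using lets the server do that resolution), and why a caller-supplied value pasted into an LDAP filter, as Get_Mail and LDAPQuery do, must be escaped per RFC 4515 before it is used. The in-memory directory, the domain example.test and every function name below are constructed for the example; the filter matcher only understands the exact filter shape Get_Mail uses.

```python
"""Added example: DN template vs. UPN lookup, and LDAP filter escaping.
Everything here (directory, domain, names) is constructed, not from the posts."""
import re

DOMAIN = "example.test"  # constructed

# Constructed stand-in for an AD tree: DN -> attributes.  User 999999 sits in a
# nested OU, user 888888 under the default CN=Users container, as in the thread.
DIRECTORY = {
    "CN=999999,OU=users,OU=V-HOME-LW,OU=Basemant,OU=branches,DC=example,DC=test": {
        "userPrincipalName": "999999@example.test", "objectClass": "user",
        "mail": "user999999@example.test"},
    "CN=888888,CN=Users,DC=example,DC=test": {
        "userPrincipalName": "888888@example.test", "objectClass": "user",
        "mail": "user888888@example.test"},
    "CN=svc-apex,CN=Users,DC=example,DC=test": {
        "userPrincipalName": "svc-apex@example.test", "objectClass": "user",
        "mail": "svc-apex@example.test"},
}

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value that will be embedded in a search filter."""
    return "".join(_ESC.get(ch, ch) for ch in value)


def mail_filter(user, escape=True):
    """Build the filter Get_Mail uses.  escape=False reproduces the plain
    concatenation in the posted PL/SQL; escape=True is the hardened form."""
    upn = f"{user}@{DOMAIN}"
    if escape:
        upn = escape_filter_value(upn)
    return f"(&(userPrincipalName={upn})(objectClass=user))"


def _assertion_to_regex(assertion):
    """Value part of an equality/substring assertion -> regex.  An unescaped
    '*' is a wildcard; '\\xx' decodes to one literal character.  AD compares
    userPrincipalName case-insensitively, so the regex does too."""
    def unescape(s):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    parts = [re.escape(unescape(p)) for p in assertion.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_FILTER_RE = re.compile(r"^\(&\(userPrincipalName=(.*)\)\(objectClass=user\)\)$")


def search_mail(flt):
    """Evaluate a (&(userPrincipalName=X)(objectClass=user)) filter against
    DIRECTORY and return the matching mail values, the way search_s would."""
    m = _FILTER_RE.match(flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    rx = _assertion_to_regex(m.group(1))
    return sorted(e["mail"] for e in DIRECTORY.values()
                  if e["objectClass"] == "user" and rx.match(e["userPrincipalName"]))


def dn_from_template(user):
    """The APEX DN string from the first thread: only right for accounts
    that really sit under CN=Users."""
    return f"CN={user},CN=Users,DC=example,DC=test"


def dn_by_upn(user):
    """Resolve the account's DN through its UPN instead, independent of OU."""
    upn = f"{user}@{DOMAIN}".lower()
    for dn, attrs in DIRECTORY.items():
        if attrs["userPrincipalName"].lower() == upn:
            return dn
    return None


if __name__ == "__main__":
    print(dn_from_template("999999") in DIRECTORY)      # False: wrong container
    print(dn_by_upn("999999"))                          # the nested-OU DN
    print(search_mail(mail_filter("888888")))           # ['user888888@example.test']
    print(search_mail(mail_filter("*", escape=False)))  # every user: wildcard injected
    print(search_mail(mail_filter("*")))                # []: '*' escaped to \2a
```

The unsafe branch shows the concrete risk in Get_Mail: a p_user of `*` turns the lookup into a match on every account, so whichever mail address comes back first is the one the rejection notice goes to. Escaping (or, in PL/SQL, the same character substitution before concatenation) keeps the value literal.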
Utilities TSETUP and Other (?)
I have a Portege 7020 portable computer, but I do not have the original CD or manual (I downloaded the latter). The manual mentions a TSETUP.EXE utility and says that it is in the Windows directory, but as I don't have the original O.S. (Win 2000 Pro), I cannot find it. I cannot find it anywhere on the Toshiba site either. Also, how do I get into the BIOS settings? I would be grateful for any help, please.
Howard
Hi Howard,.
You can go to https://eu.computers.toshiba-europe.com then driver & support and choose your model!
There are all the drivers available and downloadable tools.
If the Portege 7020 has an unsupported operating system installed, you have another possibility to see the BIOS settings.
When you press the power button, during the boot sequence you must press ESC while the red Toshiba logo appears!
Then you can see the BIOS!
Happy new year!
Antoni
-
Hello
We have ACS 4.0 on a windows 2003 sp1.
The server is a member of a domain.
Do I have to configure LDAP to authenticate against another AD server in my network?
Is this the only way, without a trust between the ADs?
Jan
As far as I've seen, if you plan to authenticate with the external AD server, LDAP must be configured for user authentication to work.
-
Problems at the start of the managed servers
Hi all
When starting the managed servers it gives the error below. Please suggest what can be done.
The events that led to this error:
1) While starting the managed server I got the error "<Sep 2, 2014 3:15:35 AM PDT> <Error> <EmbeddedLDAP> <BEA-171519> <Could not obtain an exclusive lock to the embedded LDAP data files directory: /scratch/aime1/WCP_PS7/user_projects/domains/wc_domain/servers/WC_Spaces_1/data/ldap/ldapfiles because another WebLogic Server is already using this directory. Ensure that the first WebLogic Server is completely shut down and restart the server.>"
2) To resolve that error I deleted the files under the directory data/ldap/ldapfiles. From then on, this error:
<Sep 2, 2014 4:23:33 AM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
Sep 2, 2014 04:23:41 oracle.security.jps.internal.idstore.util.LibOvdUtil pushLdapNamesToLibOvd
INFO: Pushed ldap name and types info to libOvd. LDAPS: OIDAuthenticator:idstore.ldap.provideridstore.ldap.
<Sep 2, 2014 4:23:43 AM PDT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
<Sep 2, 2014 4:23:43 AM PDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User weblogic javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User weblogic denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    Truncated. see log file for complete stacktrace
>
<Sep 2, 2014 4:23:43 AM PDT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
Please suggest what can be done (the username/password is correct; I can still sign in to the administration console).
Thank you
Pradeep
Hi all
We resolved this error by deleting the ldapfiles in the .../data/ldap directory.
Thank you
Pradeep
-
OAM / OIM - conceptual question
Hi all
I am trying to understand the overlap between OAM and OIM in identity management. I am going through the OAM manuals and they talk about the OAM identity system in a way that closely resembles much of OIM, i.e. management of users, groups, managers, admin, etc...
I'm trying to understand how these two fit together. I know that OIM does much more in terms of provisioning to other resources... Is OAM a resource that OIM provisions to? If you have both OIM and OAM, it seems that there are now 2 repositories of user data...
Can you explain (or point me to a doc that does) the relationship between OIM and OAM, how they fit together, which pushes to the other, etc...?
Thank you very much
Alex
You are right. The OAM user directory (LDAP/AD) is just another target resource provisioned by OIM. Don't forget that only OIM is configured to talk to authoritative data stores (HR systems) to pull new/modified user records and synchronize the information with other systems (LDAP/AD/Exchange), whereas OAM just uses LDAP/AD to authenticate users and provide Single Sign-On functionality. OAM will never be configured to talk to HR systems/PeopleSoft; that is not supported by OAM.
-
Group as the owner of another group - LDAP error 50
I set up some groups within OIM, and for some of the members of one group I would like them to be able to manage membership in another group.
I have:
Group1 with owner User1 and members User2, User3, User4, User5, User6
Group2 with owner Group1 and members User1 and User2.
Within the DAS, should User4, User5 and User6 now be able to assign members to Group2, right?
User4 gets an "LDAP: error code 50 - insufficient access rights" error when trying to assign members within Group2.
Have I completely misunderstood how the rights propagate, or is something wrong?
Thank you.
You must be an administrator of the group in order to manage a group.
-
Another LDAP authentication failure
I'm trying to set up LDAP authentication for my ASA, as well as the AD Agent. Currently my authentication fails with the following debug output...
[-2147483610] Session Start
[-2147483610] New request Session, context 0xcc854d8c, reqType = Authentication
[-2147483610] Fiber started
[-2147483610] Creating LDAP context with uri=ldap://10.11.1.15:389
[-2147483610] Connect to LDAP server: status = Successful
[-2147483610] supportedLDAPVersion: value = 3
[-2147483610] supportedLDAPVersion: value = 2
[-2147483610] Binding as Sargent\
[-2147483610] Performing Simple authentication for Sargent\ to 10.11.1.15
[-2147483610] LDAP Search:
        Base DN = [DC=City,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Parsing of returned search results: status failure
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End
ERROR: Authentication Rejected: Unspecified
I can however run successful AD queries using the following command:
show user-identity ad-users city.charlottesville.org filter sargentm
Ideas?
Replace the command below within the server parameters:
ldap-naming-attribute sAMAccount
with
ldap-naming-attribute sAMAccountName
Note: check that sAMAccountName is configured correctly.
Jatin kone
-
Clientless VPN SSL - policy of another LDAP authentication group
Hi all
I am currently working with Clientless SSL VPN. I have a problem with allowing or blocking access for different users.
I created a tunnel-group/connection profile (WEB-VPN-TEST-Profil2) and created the group-policy WEB-VPN-TEST2. I joined it with the LDAP server. I also created an LDAP attribute map to give only specific users access. I haven't created an address pool.
What I'm trying to do is give access to the "IT DBA" team and block everyone else in my organization. But on the login page, when I enter my password, I am able to connect even though I'm in the "IT Network" team. Here's what I've done (assume I work for abcxyz.com):
=======================================================
aaa-server BL_AD protocol ldap
aaa-server BL_AD (inside) host 172.16.1.1
 ldap-base-dn OU=abcxyz,DC=abcxyz,DC=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn [email protected]
 server-type microsoft
 ldap-attribute-map CL-SSL-ATT-map
=======================================================
ldap attribute-map CL-SSL-ATT-map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2
========================================================
webvpn
 enable inside
 tunnel-group-list enable
 internal-password enable
========================================================
group-policy WEB-VPN-TEST2 internal
group-policy WEB-VPN-TEST2 attributes
 vpn-tunnel-protocol webvpn
 group-lock value WEB-VPN-TEST-Profil2
 webvpn
  url-list value WEB-VPN-TEST-BOOKMARK
  customization value WEB-VPN-TEST2
========================================================
tunnel-group WEB-VPN-TEST-Profil2 type remote-access
tunnel-group WEB-VPN-TEST-Profil2 general-attributes
 authentication-server-group abcxyz_AD
 default-group-policy WEB-VPN-TEST2
tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes
 group-alias WEB-VPN-TEST-Profil2 enable
=========================================================
Please let me know if there is a question, or why I am still able to get access even though I made my attribute map match only "IT DBA".
Thanks in advance.
BR.
Adnan
Hello Adnan,
This is what you do:
group-policy NO-ACCESS internal
group-policy NO-ACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group WEB-VPN-TEST-Profil2 general-attributes
 default-group-policy NO-ACCESS
group-policy WEB-VPN-TEST2 attributes
 vpn-simultaneous-logins 3
Kind regards
-
Is there another PL/SQL package for MSAD besides DBMS_LDAP?
I want to connect to MSAD from Oracle DB using PL/SQL.
Let me rephrase my question: I want to connect and run search queries on an MSAD server from PL/SQL in Oracle DB. Is this possible? I am able to do the same for "Sun One LDAP" by loading the DBMS_LDAP package in Oracle DB. When trying a similar connection with MSAD, I get Invalid Credentials errors. So I wanted to confirm whether what I'm doing is correct, and whether with the DBMS_LDAP package I can connect to and perform searches on MSAD as well.
Published by: user784520 on December 2, 2009 05:13
user784520 wrote:
Let me rephrase my question: I want to connect and run search queries on an MSAD server from PL/SQL in Oracle DB. Is this possible?
Yes. We use DBMS_LDAP quite widely to interface with Microsoft Active Directory domain controllers (for both authentication and querying DN data).
LDAP is also pretty much a standard protocol, which means that on the client side it should not really matter whether the LDAP server is a product of vendor ABC or vendor 123.
-
I read through the other posts on the LDAP configs, but none of them solved my problem. I tried several combinations but am unable to connect. Is there something special that needs to be done after LDAP configs have been changed (restart a service or whatever it is)? Picture below is the last attempt.
Greetings Alain,
As far as "Extended group search" is concerned, there are some best practices I can go over if you create a case; however, that should have no impact on your logon process. All that would happen is, when you log in successfully, it would raise an error message saying "account successfully connected, but you do not have any assigned roles. Please contact administrator..." etc.
Please change the LDAP query prefix to sAMAccountName and you should be good to go.
Two or three important things though... please make sure you click the Edit button, then make your changes, then retype the password for the service account, and click the "Save" button. It is essential to ensure that all changes are recorded properly. Another thing I've run into several times is that you need to restart your Foglight service (or restart the server), because even if you update all the parameters correctly the old information is still cached, and you keep getting an error message.
If you still run into issues after that, please create a support ticket and I'll help to resolve it.
Regards
-
LDAP on ASA with attribute-map
Hi all
I have problems setting up authentication of VPN clients on an LDAP server. The main problem is when the ASA needs to decide on a group-policy for non-compliant users.
I use the LDAP attribute maps in the ASA to map the memberOf attribute to the Cisco Group-Policy parameter, so I can associate the AD group the user must belong to with a VPN, and the right memberOf gets the access group-policy. This method works correctly.
But the problem is when the remote user is not in the correct AD group; I set a default-group-policy to deny access to this type of user. After that, all users (authorized and unauthorized) fall into the same default group-policy and have no VPN access.
Here is the ASA configuration:
ldap attribute-map LDAP
 map-name memberOf Group-Policy
 map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,OU=my group,dc=xxx,dc=com" RemoteAccess
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.3
 ldap-base-dn OU="My group",dc=xxx,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=users,ou="My group",dc=xxx,dc=com
 server-type microsoft
 ldap-attribute-map LDAP
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 10.0.0.3
 vpn-tunnel-protocol ipsec
 default-domain value xxx.com
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool
 authentication-server-group LDAP
 default-group-policy NOACCESS
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
As you can see, I followed all of the examples available on the web site to solve the problem, but I can't get a good result.
Does anyone have a solution for this problem?
Kind regards
Guzmán
Guzman,
It should work without a doubt; the deny part already works well, and a user who has the correct memberOf attribute should certainly be mapped to the Allow access policy and therefore be allowed in.
I thought it might be a bug as well, but I had a quick glance and see nothing corresponding, and if it were a bug in 8.2.3 I'm not expecting you to be the first customer to discover it, so I'm still more inclined to think it's something in the config that we are overlooking (I know from experience a typo can sometimes be very difficult to spot).
Could you get "debug aaa common 255", please; maybe that will tell us something.
BTW, just to be sure: you don't have anything (such as vpn-simultaneous-logins) configured in the DfltGrpPolicy, do you? Just double check, since your Allow access policy would inherit that.
Maybe another test: explicitly configure a nonzero value for this parameter in the Allow access policy, i.e.
group-policy AllowAccess attributes
 vpn-simultaneous-logins 10
Herbert
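The following Python model is an added illustration, not Cisco configuration or code from Adnan's or Guzmán's threads above. It models how an ASA arrives at a group-policy for a remote-access user in the setups shown there: the ldap attribute-map turns a memberOf value into a group-policy name, a user without any mapped group falls back to the tunnel-group's default-group-policy (NOACCESS with vpn-simultaneous-logins 0), and an attribute a policy does not set itself is inherited from DfltGrpPolicy, which is the check Herbert asks for. Policy names, the AD group DNs and the users are constructed; the "first mapped memberOf value wins, exact string match" rule is an assumption of this model, not a statement about ASA internals.

```python
"""Added example: group-policy selection with a deny-by-default policy and
DfltGrpPolicy inheritance.  All names and values are constructed."""

# DfltGrpPolicy: the value every policy inherits when it does not set its own
DFLT_GRP_POLICY = {"vpn-simultaneous-logins": 3}

# group-policy definitions, mirroring the shape of the posted configs
POLICIES = {
    "NOACCESS":     {"vpn-simultaneous-logins": 0},   # explicit deny
    "RemoteAccess": {},                               # inherits everything
    "AdminAccess":  {"vpn-simultaneous-logins": 10},  # explicit allow (Herbert's test)
}

# ldap attribute-map: map-value memberOf "<group DN>" <group-policy>
ATTRIBUTE_MAP = {
    "cn=ASA_VPN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com": "RemoteAccess",
    "cn=ASA_VPN_ADMIN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com": "AdminAccess",
}


def select_policy(member_of, default_policy):
    """Return the group-policy name for a user.  Model assumption: the first
    memberOf value with a map-value entry wins (exact string compare); a user
    with no mapped group gets the tunnel-group's default-group-policy."""
    for group_dn in member_of:
        policy = ATTRIBUTE_MAP.get(group_dn)
        if policy is not None:
            return policy
    return default_policy


def effective_attr(policy, attr, dflt):
    """Attribute value of a policy, inheriting from DfltGrpPolicy if unset."""
    value = POLICIES[policy].get(attr)
    return dflt[attr] if value is None else value


def admit(member_of, default_policy="NOACCESS", dflt=None):
    """(policy, admitted): a user is let in only if the effective
    vpn-simultaneous-logins of the selected policy is above zero."""
    dflt = DFLT_GRP_POLICY if dflt is None else dflt
    policy = select_policy(member_of, default_policy)
    return policy, effective_attr(policy, "vpn-simultaneous-logins", dflt) > 0


if __name__ == "__main__":
    vpn_user = ["cn=ASA_VPN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com"]
    other    = ["cn=Staff,ou=my group,dc=xxx,dc=com"]
    print(admit(vpn_user))                 # ('RemoteAccess', True)
    print(admit(other))                    # ('NOACCESS', False)
    # Herbert's check: a 0 in DfltGrpPolicy is inherited by RemoteAccess and
    # locks out the mapped users too; an explicit value is unaffected.
    zero = {"vpn-simultaneous-logins": 0}
    print(admit(vpn_user, dflt=zero))      # ('RemoteAccess', False)
    admin = ["cn=ASA_VPN_ADMIN,ou=ASA_VPN,ou=my group,dc=xxx,dc=com"]
    print(admit(admin, dflt=zero))         # ('AdminAccess', True)
```

The last two calls reproduce the symptom in Guzmán's post (every user, mapped or not, ends up denied) from a single inherited value, which is why setting the attribute explicitly in the allow policy is a quick way to tell a mapping problem from an inheritance problem.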
-
IPCCX 4.05 and/or Call Manager 4.13: multiple LDAP servers for redundancy
We run IPCCX 4.05 in high availability (active/standby) and Call Manager 4.13 Pub/Sub. In this configuration we use LDAP against AD for authentication instead of the DC directory (not my choice... things you inherit in life).
Can the Call Manager and/or the IPCCX servers be set up to point to multiple LDAP servers for redundancy?
Can CM 4.13 and/or IPCCX 4.05 support LDAPS (as I said, things you inherit)?
Our sysadmin team moved our main server to the DC, and with it all LDAP search functions broke. Needless to say, they will be setting up LDAP or LDAPS on our main and backup DC in the near future.
Any information/suggestions/recommendations are appreciated.
Thank you
-Scott
Hello
This IS possible.
If the CRS admin web interface (/appadmin) is available:
1. Open a session
2. Go to System > LDAP Information
3. Type the FQDNs / IP addresses (I recommend the latter) of the LDAP servers, separated by commas (for example, I have something like this in our lab: "ldapserver.domain.as, 10.1.1.1" - works like a charm)
4. A window will appear asking whether the LDAP information must be created or you just want to add another LDAP server (~ configuration already there). Choose wisely :-)
5. Restart the server. No, restarting the CRS engine is not enough.
If the CRS admin web interface is not available (since, as you said, Mr. Sysadmin took the DC backend), there is a chance to get rid of this guy ;-) Anyway, there is still a chance you can make it work. Of course, the LDAP server must already contain the appropriate configuration.
1. Connect to the CRS server using rdesktop/VNC
2. Look for this file: C:\Program Files\wfavvid\properties\directory.properties. It's just a plain text file. Look for this line: CCNIniFile=c:\\winnt\\system32\\ccn\\ccndir.ini
In fact, it can be something else too; this is the default path.
3. This file contains the information we are looking for: LDAPURL "ldap://10.1.1.1:389, ldap://10.1.1.2:389" and other important things like passwords and base DN.
Change it according to your needs. :-)
4. Restart the server.
Good luck.
G.
-
Access to the LDAP VPN ASA group
Hello, I have configured remote access VPN on the ASA with LDAP authentication. But I can't limit VPN access to a specific LDAP group.
Here is my config:
aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=Netuser,OU=Services users,OU=ASM HQ,dc=company,dc=com
 server-type microsoft
 ldap-attribute-map AZPBTDC01
ldap attribute-map AZPBTDC01
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Admin,OU=ASM group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools none
group-policy RA_ADMIN_GP internal
group-policy RA_ADMIN_GP attributes
 dns-server value 192.168.10.251
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_RA_ACL_ADMIN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy NOACCESS
tunnel-group IPSEC_RA_ADMIN type remote-access
tunnel-group IPSEC_RA_ADMIN general-attributes
 authentication-server-group AZPBTDC01 LOCAL
 authorization-server-group AZPBTDC01
 default-group-policy RA_ADMIN_GP
The problem is that all domain users can connect to the VPN. The ASA does not filter by group: users who are not in the VPN_Admin group can connect, but they should not be able to.
Even if it is possible to make this approach work, I wouldn't do it this way. Use DAP (Dynamic Access Policy) instead.
The instructions for this are here:
Search for "Active Directory group" to jump directly to the corresponding section. Note that you may need two DAP policies: one to match users in VPN_Admin and another default policy to deny access to everyone else.
Note for the default "deny" policy: I often make it pop up a message to the end user saying that they do not have VPN access and should contact xxx if they want that fixed.