LDAP... CN/OU... another possibility

Hello

I have a question for all LDAP specialists.

Our users are in different "groups".

Example:

User 1 (distinguishedName): CN=999999,OU=users,OU=V-HOME-LW,OU=Basemant,OU=branches,DC=HANS WURST,DC=local

or

User 2 (distinguishedName): CN=888888,CN=Users,DC=HANS WURST,DC=local

In APEX (distinguished name (DN) string): CN=%LDAP_USER%,CN=Users,DC=HANS WURST,DC=local

User 2 can, user 1 cannot. Of course :-) But... how can I change my distinguished name (DN) string in APEX, because the user cannot delete another group?

Any idea?

René

Hello

I solved the problem like this:

%LDAP_USER%@Hans-WURST.local

and it works very well.

Best regards

René
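An added illustration (not from René's thread) of why the DN string fails for an account outside CN=Users while the UPN form finds it wherever its OU is. The in-memory directory, the two entries and the domain are constructed from the DNs shown above; the login-name check is a conservative choice added here, since %LDAP_USER% is pasted straight into the bind string.

```python
import re

# Constructed stand-in for the two AD entries in the question (no live directory needed).
DIRECTORY = {
    "CN=999999,OU=users,OU=V-HOME-LW,OU=Basemant,OU=branches,DC=HANS WURST,DC=local": {
        "sAMAccountName": "999999", "userPrincipalName": "999999@Hans-WURST.local"},
    "CN=888888,CN=Users,DC=HANS WURST,DC=local": {
        "sAMAccountName": "888888", "userPrincipalName": "888888@Hans-WURST.local"},
}
DN_TEMPLATE = "CN=%LDAP_USER%,CN=Users,DC=HANS WURST,DC=local"   # the APEX string that failed
UPN_TEMPLATE = "%LDAP_USER%@Hans-WURST.local"                   # the string that worked

# Characters AD does not allow in sAMAccountName, plus '@' and whitespace (assumption:
# rejecting them up front keeps %LDAP_USER% from adding RDNs or a second '@' to the bind string).
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>@\s]')


def validate_login_name(name):
    """Accept only something that can be a sAMAccountName (max 20 chars for users)."""
    if not name or len(name) > 20 or _SAM_FORBIDDEN.search(name):
        raise ValueError("login name rejected: %r" % name)
    return name


def _normalize_dn(dn):
    # DN comparison is case-insensitive; whitespace around ',' is ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_by_dn(login):
    """DN-string style: the bind DN names one fixed container, so only accounts
    that actually live under CN=Users can be found."""
    wanted = _normalize_dn(DN_TEMPLATE.replace("%LDAP_USER%", validate_login_name(login)))
    for entry_dn in DIRECTORY:
        if _normalize_dn(entry_dn) == wanted:
            return entry_dn
    return None


def resolve_by_upn(login):
    """UPN style: the directory locates the account by userPrincipalName,
    whatever OU it sits in."""
    upn = UPN_TEMPLATE.replace("%LDAP_USER%", validate_login_name(login)).lower()
    for entry_dn, attrs in DIRECTORY.items():
        if attrs["userPrincipalName"].lower() == upn:
            return entry_dn
    return None


if __name__ == "__main__":
    for user in ("888888", "999999"):
        print(user, "by DN :", resolve_by_dn(user))
        print(user, "by UPN:", resolve_by_upn(user))
```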

Tags: Database

Similar Questions

  • Infrastructure setup proposal - Oracle database, LDAP, WebLogic Server, operational part

    Hello Experts!

    First of all, before I opened this topic I tried to search for similar posts that might hold at least part of the information I need. This topic is mostly related to the architecture of the whole system, in the sense of an application that contains a database part (Oracle with database data models), an operational part (Unix scripts called from the web interface), a WebLogic server where the Java application runs, and the last part, the LDAP setup for the supported LDAP groups.

    The currently confirmed architecture is unacceptable to me from a backend point of view, because everything would be installed on the same physical server (physical machine). From my point of view, there should be at least 3 physically separate servers:

    (1) Database server where the Oracle database is installed (let's omit backup and disaster recovery at this stage)

    (2) Operations server shared between several applications to manage operational tasks and application configurations

    (3) Separate server for WebLogic Server, the LDAP server and the Java application

    Given that points 1 and 2 are obvious to me and I have presented them in a really simplified form, point 3 is not entirely clear to me, mainly because I am a solution architect for data warehousing, not for J2EE-based applications. Under the following link:

    WebLogic Oracle server needs a server infrastructure

    I just read that to support failover and load balancing I should have two physically different boxes with the WebLogic software installed on each of them. I don't know how many separate boxes I need for the 3rd point mentioned above. I would appreciate it if you could share your thoughts on this subject, considering the following points:

    -scalability (1000 users at the same time)

    -further development

    -maintenance

    -installation costs

    If you can also point me to links covering this topic, I'd be more than happy.

    Thanks in advance!

    Kind regards

    Bolo


    Hi Bolo

    Here's the WDM of Oracle Identity Management, which includes the installation of OID:

    Content

    I'm sorry for the confusion.

    I meant "general architecture guidelines say that you should keep the boxes separate", for example: LDAP must be in a different box from WLS, and the database must also be in a different area; this isn't really something related to Oracle products, it is only related to architecture definitions.

    WebLogic Server, in the end, being a Java application running in the Java virtual machine, WLS should run in the same box as the JVM, as it is one unit in terms of functionality.

    Best regards

    Luz

  • Get the email of the user via LDAP

    I would like to send an email via APEX whenever a request is rejected. I want to send it to the user who made the request through the system. This user was authenticated via LDAP (Active Directory) in another application when he sent this request. Therefore, his e-mail address is located in his AD profile, the one he authenticates with. All requests are listed in a report in another application (which uses the same LDAP authentication scheme) where they can be reviewed, rejected or accepted. When the user clicks the reject button, it updates the status of the request in the database and sends an e-mail message to a hardcoded email address. I want to send it to the user who made the request.

    Is it possible to use this LDAP session (because I'm connected to the application via LDAP, I take for granted that there must be a valid LDAP session in use), or do I need to connect to the server again? If it's the latter, then how can I do it? I can't just hard-code my own service credentials, that would be nuts.

    I thought I could use a script like this and call it in a page process, but I know I'm missing something.
    create or replace function Get_Mail(p_user in varchar2)
    return varchar2
    is
        l_attrs        dbms_ldap.string_collection;
        l_message      dbms_ldap.message;
        l_entry        dbms_ldap.message;
        l_vals         dbms_ldap.string_collection;
        l_user         varchar2(256);
        l_user2        varchar2(256);
        l_mail         varchar2(256);
        l_ldap_server  varchar2(256) := '****';   -- placeholders kept as posted
        l_domain       varchar2(256) := '****';
        l_ldap_base    varchar2(256) := '****';
        l_ldap_port    number        := 389;
        l_retval       pls_integer;
        l_session      dbms_ldap.session;
        -- NULL username/password means an anonymous bind; by default AD will not
        -- return user attributes to an anonymous session
        l_username     varchar2(256) := NULL;
        l_password     varchar2(256) := NULL;
    begin
        dbms_ldap.use_exception := TRUE;

        -- UPN of the account whose address we want, and UPN of the account used to bind
        l_user2 := p_user || '@' || l_domain;
        l_user  := l_username || '@' || l_domain;

        l_session := dbms_ldap.init(l_ldap_server, l_ldap_port);
        l_retval  := dbms_ldap.simple_bind_s(l_session, l_user, l_password);

        -- Active Directory stores the address in "mail", not "email"
        l_attrs(1) := 'mail';
        -- an LDAP AND filter needs its own enclosing parentheses: (&(...)(...))
        l_retval := dbms_ldap.search_s(ld => l_session, base => l_ldap_base, scope => dbms_ldap.scope_subtree,
                                       filter => '(&(userPrincipalName=' || l_user2 || ')(objectClass=user))',
                                       attrs => l_attrs, attronly => 0, res => l_message);

        l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
        l_vals  := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attrs(1));

        if l_vals.count > 0 then
            l_mail := l_vals(1);
        end if;
        l_retval := dbms_ldap.unbind_s(l_session);
        return l_mail;
    exception
        when others then
            dbms_output.put_line(' Erreur #' || to_char(sqlcode));
            dbms_output.put_line(' Message: ' || sqlerrm);
            return NULL;
    end Get_Mail;
    Any ideas?

    Best regards
    Mathieu

    I found the solution, thanks to John Edward Scott and Scott Spendolini's book "Pro Oracle Application Express". So, for those who are interested:

    I created two types:

    create or replace type
    ty_ldap_query as object(
    dn varchar2(200),
    attribute_name varchar2(100),
    attribute_value varchar2(100));
    
    create or replace type tbl_ty_ldap_query
    as table of ty_ldap_query;
    

    Next, I created the LDAPQuery routine:

    create or replace function LDAPQuery(
        p_host       in varchar2,
        p_port       in varchar2,
        p_user       in varchar2,
        p_password   in varchar2,
        p_dn_base    in varchar2,
        p_filter     in varchar2,
        p_attributes in varchar2)          -- comma-separated list of attribute names
    return tbl_ty_ldap_query pipelined is
        retval          pls_integer;
        v_session       dbms_ldap.session;
        v_attrs         dbms_ldap.string_collection;
        v_message       dbms_ldap.message;
        v_entry         dbms_ldap.message;
        v_attr_name     varchar2(256);
        v_ber_elmt      dbms_ldap.ber_element;
        v_vals          dbms_ldap.string_collection;
        v_dn_identifier varchar2(200);
        v_attributes    apex_application_global.vc_arr2;
    begin
        dbms_ldap.use_exception := TRUE;
        v_session := dbms_ldap.init(p_host, p_port);
        retval    := dbms_ldap.simple_bind_s(v_session, p_user, p_password);

        -- split the requested attribute list into the collection search_s expects
        v_attributes := apex_util.string_to_table(p_attributes, ',');
        for i in v_attributes.first .. v_attributes.last loop
            v_attrs(i) := v_attributes(i);
        end loop;

        retval  := dbms_ldap.search_s(v_session, p_dn_base, dbms_ldap.scope_subtree, p_filter, v_attrs, 0, v_message);
        v_entry := dbms_ldap.first_entry(v_session, v_message);

        -- one pipelined row per (entry DN, attribute name, attribute value)
        while v_entry is not null loop
            v_dn_identifier := dbms_ldap.get_dn(v_session, v_entry);
            v_attr_name     := dbms_ldap.first_attribute(v_session, v_entry, v_ber_elmt);
            while v_attr_name is not null loop
                v_vals := dbms_ldap.get_values(v_session, v_entry, v_attr_name);
                if v_vals.count > 0 then
                    for i in v_vals.first .. v_vals.last loop
                        pipe row (ty_ldap_query(v_dn_identifier, v_attr_name, v_vals(i)));
                    end loop;
                end if;
                v_attr_name := dbms_ldap.next_attribute(v_session, v_entry, v_ber_elmt);
            end loop;
            v_entry := dbms_ldap.next_entry(v_session, v_entry);
        end loop;

        retval := dbms_ldap.unbind_s(v_session);
        return;
    end LDAPQuery;
    

    And I query it like this (connection values blanked as in the original post; the filter now has the enclosing parentheses an AND needs, and the NOT wraps only its single operand):

    select
     attribute_value
    from
     table(LDAPQuery('', '', '', '', '', '(&(!(logonCount=0))(objectClass=User)(sAMAccountName=))', 'mail'))
    

    In the book he said I could do it like this (instead of using LDAP filters):

    where
    dn = 'CN=jes,CN=Users,DC=domain,DC=localdomain'


    But for some reason it wouldn't work. In any case, it's working now.

    Best regards
    Mathieu
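Both filters above are assembled by string concatenation. The following is an added Python example (not from Mathieu's posts, and not DBMS_LDAP code) showing the filter syntax an LDAP server expects, escaping a user-supplied value per RFC 4515 so it cannot add its own filter terms, and a small checker that rejects the two malformed filters from the thread; the sample names and values are constructed.

```python
# RFC 4515 escaping for a value placed inside a filter (these are the characters
# that must be escaped; everything else passes through unchanged).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_mail_filter(upn):
    """Filter Get_Mail needs: an AND carries its own enclosing parentheses."""
    return "(&(userPrincipalName=%s)(objectClass=user))" % escape_filter_value(upn)


def active_user_filter(sam_account_name):
    """Filter for the LDAPQuery call: NOT takes exactly one operand, so
    (!(logonCount=0)) is one item of the AND, not a wrapper around the rest."""
    return "(&(!(logonCount=0))(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def parse_filter(text):
    """Minimal recursive-descent parser for RFC 4515 filters.

    Returns a tree: ("&"|"|", [children]), ("!", [child]) or ("=", attr, value).
    Comparison operators (>=, <=, ~=) are not distinguished from "=".
    Raises ValueError for the kinds of mistakes seen in the thread."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("truncated filter")
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise ValueError("%r with no operands at offset %d" % (op, pos))
            result = (op, children)
        elif text[pos] == "!":
            pos += 1
            child = node()
            if pos < len(text) and text[pos] == "(":
                raise ValueError("'!' takes exactly one operand (offset %d)" % pos)
            result = ("!", [child])
        else:
            # a simple item runs to the next ')' ; escaped values never contain a raw ')'
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated item at offset %d" % pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr:
                raise ValueError("bad item %r" % text[pos:end])
            result = ("=", attr, value)
            pos = end
        expect(")")
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text at offset %d" % pos)
    return tree


def filter_is_valid(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the two filters as posted in the thread, then their corrected forms
    for f in ("&(userPrincipalName=jes@domain.local)(objectClass=user)",
              "(&(!(logonCount=0)(objectClass=User)(sAMAccountName=))",
              user_mail_filter("jes@domain.local"),
              active_user_filter("jes")):
        print("%-5s %s" % (filter_is_valid(f), f))
```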

  • Utilities TSETUP and Other (?)

    I have a Portege 7020 portable computer, but I do not have the original CD or manual (I downloaded the latter). The manual mentions a TSETUP.EXE utility and says that it is in the Windows directory, but as I don't have the original O.S. (Win 2000 Pro), I cannot find it. I can't find it anywhere on the Toshiba site, either. Also, how do I get into the BIOS settings? I would be grateful for any help, please.

    Howard

    Hi Howard,

    You can go to https://eu.computers.toshiba-europe.com, then Driver & Support, and choose your model!

    All the drivers and tools are available and downloadable there.

    If the Portege 7020 has an unsupported operating system installed, you have another possibility to see the BIOS settings.

    When you press the power button / start the boot sequence, you must press ESC while the red Toshiba logo appears!

    Then you should see the BIOS!

    Happy new year!

    Antoni

  • List ACS 4.0 and area

    Hello

    We have ACS 4.0 on a windows 2003 sp1.

    The server is a member of a domain.

    Do I have to configure LDAP to authenticate to another AD server in my network?

    Is this the only way, without a trust between the ADs?

    Jan

    As far as I've seen, if you plan to authenticate with the external AD server, LDAP must be configured for user authentication to work.

  • Problems at the start of the managed servers

    Hi all

    When starting the managed servers it is giving the error below. Please suggest what can be done.

    The events that led to this error:

    1) while starting the managed server has received the error "< 2 September 2014 3:15:35 AM PDT > < error > < EmbeddedLDAP > < BEA-171519 > < could not obtain an exclusive lock for the embedded LDAP data files directory: / scratch/aime1/WCP_PS7/user_projects/domains/wc_domain/servers/WC_Spaces_1/data/ldap/ldapfiles as an another WebLogic Server is already using this directory." Ensure that the first WebLogic Server is completely shut down and restart the server. ' > '.

    (2) To resolve the error I deleted the files under the data/ldap/ldapfiles directory. From then on, this error:

    < 2 MS, 2014 4:23:33 AM PDT > < Info > < WorkManager > < BEA-002900 > < self-adjusting Initializing of thread pool >

    Sep 2, 2014 04:23:41 oracle.security.jps.internal.idstore.util.LibOvdUtil pushLdapNamesToLibOvd

    INFO: Pushed ldap name and types of information to libOvd. LDAPS: OIDAuthenticator:idstore.ldap.provideridstore.ldap.

    < 2 MS, 2014 4:23:43 AM PDT > < critical > < security > < BEA-090402 > < authentication refused: Boot identity not valid; The user name and/or password in the identity of startup file (boot.properties) is not valid. The identity of start-up may have changed since the identity of boot file was created. Please edit and update the identity file to start with the correct values of username and password. The first time that the identity of starting update file is used to start the server, these new values are encrypted. >

    < 2 MS, 2014 4:23:43 AM PDT > < critical > < WebLogicServer > < BEA-000386 > < server subsystem failed. Reason: weblogic.security.SecurityInitializationException: authentication refused: Boot identity not valid; The user name and/or password in the identity of startup file (boot.properties) is not valid. The identity of start-up may have changed since the identity of boot file was created. Please edit and update the identity file to start with the correct values of username and password. The first time that the identity of starting update file is used to start the server, these new values are encrypted.

    weblogic.security.SecurityInitializationException: authentication refused: Boot identity not valid; The user name and/or password in the identity of startup file (boot.properties) is not valid. The identity of start-up may have changed since the identity of boot file was created. Please edit and update the identity file to start with the correct values of username and password. The first time that the identity of starting update file is used to start the server, these new values are encrypted.

    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)

    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)

    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)

    at weblogic.security.SecurityService.start(SecurityService.java:141)

    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)

    Truncated. check the log file full stacktrace

    Caused by: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: user weblogic javax.security.auth.login.FailedLoginException: [Security: 090302] authentication failed: user weblogic denied

    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)

    to com.bea.common.security.internal.service.LoginModuleWrapper$ 1.run(LoginModuleWrapper.java:110)

    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)

    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

    Truncated. check the log file full stacktrace

    >

    < 2 MS, 2014 4:23:43 AM PDT > < error > < WebLogicServer > < BEA-000383 > < is not an essential service. The server will shut down >

    Please suggest what can be done (the username/password is correct; I can still sign in to the administration console).

    Thank you

    Pradeep

    Hi all

    We resolved this error by deleting the ldapfiles in the .../data/ldap directory.

    Thank you

    Pradeep

  • OAM / OIM - conceptual question

    Hi all

    I am trying to understand the overlap between OAM and OIM in identity management. I am going through the OAM manuals, and they talk about the OAM identity system in a way that closely resembles much of OIM, i.e. management of users, groups, admin, etc...

    I'm trying to understand how these two fit together. I know that OIM does much more in terms of provisioning to other resources... Does OIM provision resources to OAM? If you have both OIM and OAM, it seems that there are now 2 repositories of user data...

    Can you explain (or point me to a doc that does) the relationship between OIM and OAM, how they fit together, which pushes to the other, etc...?

    Thank you very much
    Alex

    You are right. The OAM user directory (LDAP/AD) is just another target resource provisioned by OIM. Don't forget that only OIM is configured to connect to authoritative data stores (HR systems) to pull new/modified user records and synchronize the information with other systems (LDAP/AD/Exchange). Whereas OAM just uses LDAP/AD to authenticate users and provide Single Sign-On functionality. OAM will never be configured to talk to HR systems/PeopleSoft; that is not supported by OAM.

  • Group as the owner of another group - LDAP error 50

    I set up some groups within OIM, and for some of these group members I would like them to be able to manage membership in another group.

    I have:

    Group1 with owner User1, and members User2, User3, User4, User5, User6
    Group2 with owners User1 and Group1, and member User2.

    Within the DAS, should User4, User5 and User6 now be able to assign members to Group2, right?

    User4 gets an "LDAP: error code 50 - insufficient access rights" error when trying to assign members within Group2.

    Have I completely misunderstood how the rights propagate, or is something wrong?

    Thank you.

    You must be an administrator of the group in order to manage a group.

  • Another failure of the LDAP authentication

    I'm trying to setup LDAP authentication for my ASA, as well as the AD Agent.  Currently my authentication fails with the following debug output...

    [- 2147483610] Starting a session

    [- 2147483610] New Session request, the 0xcc854d8c, reqType = authentication context

    [- 2147483610] Fiber has started

    [- 2147483610] Create LDAP context with uri = ldap://10.11.1.15:389

    [- 2147483610] Connect to the LDAP server:

    LDAP://10.11.1.15:389

    status = success

    supportedLDAPVersion [-2147483610]: value = 3

    supportedLDAPVersion [-2147483610]: value = 2

    [- 2147483610] Liaison as a Sargent\

    [- 2147483610] Authentication Simple for Sargent\ to 10.11.1.15

    [- 2147483610] LDAP search:

    Base DN = [DC = City, DC = charlottesville, DC = org]

    Filter = [sAMAccount = sargentm]

    Range = [subtree]

    [- 2147483610] The analysis of returned search results State failure

    [- 2147483610] Fiber output Tx = 308 bytes Rx = 677 bytes, status =-1

    [- 2147483610] End of the session

    ERROR: Authentication rejected: not specified

    I can however run successful AD queries using the following command:

    show the identity of the user ad-users city.charlottesville.org filter sargentm

    Ideas?

    Replace the command listed below within the server parameters:

    ldap-naming-attribute sAMAccount

    with

    ldap-naming-attribute sAMAccountName

    Note: the sAMAccountName must be configured correctly.

    Jatin kone


  • Clientless VPN SSL - policy of another LDAP authentication group

    Hi all

    I am currently working with Clientless SSL VPN. I have a problem with granting or blocking access for different users.

    I created a tunnel-group/connection profile (WEB-VPN-TEST-Profil2) and a group policy WEB-VPN-TEST2. I joined it with the LDAP server. I also created an LDAP attribute map to allow only specific users to access. I haven't created an address pool.

    What I'm trying to do is give access to the 'IT DBA' team and stop access for everyone else in my organization. But on the login page, when I give my password, I am able to connect even though I'm in the "IT Network" team. Here's what I've done (assume I work for abcxyz.com):

    =======================================================

    aaa-server BL_AD protocol ldap
    aaa-server BL_AD (inside) host 172.16.1.1
     ldap-base-dn ou=abcxyz,dc=abcxyz,dc=com
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn [email protected]
     server-type microsoft
     ldap-attribute-map CL-SSL-ATT-map

    =======================================================

    ldap attribute-map CL-SSL-ATT-map
     map-name memberOf IETF-Radius-Class
     map-value memberOf "CN=IT s/n,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2

    ========================================================

    webvpn
     enable inside
     tunnel-group-list enable
     internal-password enable

    ========================================================

    group-policy WEB-VPN-TEST2 internal
    group-policy WEB-VPN-TEST2 attributes
     vpn-tunnel-protocol webvpn
     group-lock value WEB-VPN-TEST-Profil2
     webvpn
      url-list value WEB-VPN-TEST-BOOKMARK
      customization value WEB-VPN-TEST2

    ========================================================

    tunnel-group WEB-VPN-TEST-Profil2 type remote-access
    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     authentication-server-group abcxyz_AD
     default-group-policy WEB-VPN-TEST2
    tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes
     group-alias WEB-VPN-TEST-Profil2 enable

    =========================================================

    Please let me know if there is a question, or let me know why I am still able to access it even though I set my attribute map to match only "IT DBA".

    Thanks in advance.

    BR.

    Adnan

    Hello Adnan,

    This is what you do:

    group-policy NO-ACCESS internal
    group-policy NO-ACCESS attributes
     vpn-simultaneous-logins 0

    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     default-group-policy NO-ACCESS

    group-policy WEB-VPN-TEST2 attributes
     vpn-simultaneous-logins 3

    Kind regards

  • Is there another PL/SQL package for MSAD, apart from DBMS_LDAP?

    I want to connect to MSAD from an Oracle DB using PL/SQL.
    Let me rephrase my question: I want to connect and run search queries on an MSAD server from PL/SQL in an Oracle DB. Is this possible? I am able to do something similar for "Sun One LDAP" by loading the DBMS_LDAP package in the Oracle DB. When trying a similar connection with MSAD, I get Invalid Credentials errors. So, I wanted to confirm whether what I'm doing is correct, i.e. whether using the DBMS_LDAP package I can connect to and perform searches on MSAD as well.

    Published by: user784520 on December 2, 2009 05:13

    user784520 wrote:
    Let me rephrase my question: I want to connect and run search queries on an MSAD server from PL/SQL in an Oracle DB. Is this possible?

    Yes. We use DBMS_LDAP quite extensively to interface with Microsoft Active Directory domain controllers (for both authentication and querying DN data).

    LDAP is also pretty much a standard protocol, which means that on the client side it should not really matter whether the LDAP server is a product of vendor ABC or vendor 123.

  • Unable to connect with LDAP

    I read through the other posts on the LDAP configs, but none of them solved my problem. I tried several combinations but am unable to connect. Is there something special that needs to be done after the LDAP configs have been changed (restart a service or whatever)? The picture below is the last attempt.

    Greetings Alain,
    As far as "Extended group search" is concerned, there are some best practices I can go over if you create a ticket; however, that should have no impact on your logon process. All that would happen is, when you log in successfully, it would raise an error message saying "Account successfully connected, but you do not have any assigned roles. Please contact administrator..." etc.
    Please change the LDAP query prefix to sAMAccountName and you should be good to go.
    Two or three important things though... Please make sure you click the Edit button, then make your changes, then retype the password for the service account, and click the "Save" button. This is essential to ensure that all your changes are recorded properly. Another thing I've met several times is that you need to restart your Foglight service (or restart the server), because even if you update all the parameters correctly the old information is still cached, and you continue to get an error message.
    If you still run into issues after that, please create a support ticket and I'll help to solve it.
    Regards

  • LDAP on ASA with attribute-map

    Hi all

    I have problems setting up authentication of VPN clients against an LDAP server. The main problem is when the ASA needs to decide on a group policy for non-compliant users.

    I use LDAP attribute maps on the ASA to map the memberOf attribute to the Cisco Group-Policy attribute, so I can associate the AD group the user must belong to for VPN access with the right group policy. This method works correctly.

    But the problem is when the remote user is not in the correct AD group: I set a default group policy that does not give access to this type of user. After that, all users (authorized and unauthorized) fall into the same default group policy and do not have VPN access.

    Here is the ASA configuration:

    ldap attribute-map LDAP
     map-name memberOf Group-Policy
     map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,ou=My group,dc=xxx,dc=com" RemoteAccess

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.0.0.3
     ldap-base-dn ou="My group",dc=xxx,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=users,ou="My group",dc=xxx,dc=com
     server-type microsoft
     ldap-attribute-map LDAP

    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0

    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
     dns-server value 10.0.0.3
     vpn-tunnel-protocol ipsec
     default-domain value xxx.com

    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
     address-pool
     authentication-server-group LDAP
     default-group-policy NOACCESS
    tunnel-group RemoteAccess ipsec-attributes
     pre-shared-key *

    As you can see, I followed all the examples available on the web site to solve the problem, but I can't get a good result.

    Does anyone have a solution for this problem?

    Kind regards

    Guzmán

    Guzman,

    It should work without a doubt; the deny part already works well, and the user who has the correct memberOf attribute should certainly be mapped to the allow-access policy and should therefore be allowed in.

    I thought it might be a bug as well, but I had a quick look and see nothing corresponding, and if it were a bug in 8.2.3 I wouldn't expect you to be the first customer to discover it, so I'm still more inclined to think that it's something in the config that we're overlooking (I know from experience a typo can sometimes be very difficult to spot).

    Could you get "debug aaa common 255", please; maybe that will tell us something.

    BTW, just to be sure: you don't have anything (such as vpn-simultaneous-logins) configured in the DfltGrpPolicy, do you? Just double check, since your allow-access policy would inherit that.

    Maybe another test: explicitly configure a nonzero value for this parameter in the allow-access policy, i.e.

    group-policy <your allow-access policy> attributes

     vpn-simultaneous-logins 10

    Herbert

  • IPCCX 4.05 and/or Call Manager 4.13 with multiple LDAP servers for redundancy

    We run IPCCX 4.05 in high availability (active/standby) and Call Manager 4.13 Pub/Sub. In this configuration, we use LDAP for authentication against AD instead of the DC directory (not my choice... things you inherit in life).

    Can the Call Manager and/or IPCCX servers be set up to point to multiple LDAP servers for redundancy?

    Can CM 4.13 and/or IPCCX 4.05 support LDAPS (as I said, things you inherit)?

    Our sysadmin team moved our main server to a DC, and with it all LDAP search functions broke. Needless to say, they will be putting LDAP or LDAPS in place on our main and backup DC in the near future.

    Any information/suggestions/recommendations are appreciated.

    Thank you

    -Scott

    Hello

    This IS possible.

    If the CRS web admin interface (/appadmin) is available:

    1. Open a session

    2. Go to System > LDAP Information

    3. Type the FQDNs / IP addresses (I recommend the latter) of the LDAP servers, separated by commas (for example, I have something like this in our lab: "ldapserver.domain.as, 10.1.1.1" - works like a charm)

    4. A window will appear asking whether the LDAP information must be created or you just want to add another LDAP server (~ configuration already there). Choose wisely :-)

    5. Restart the server. No, restarting the CRS engine is not enough.

    If the CRS web administration interface is not available (~ as you said, Mr. Sysadmin broke the DC backend), there is a chance to get rid of this guy ;-) Anyway, there is still a chance that you can make it work. Of course, the LDAP server must already contain the appropriate configuration.

    1. Connect to the CRS server using rdesktop/VNC

    2. Look for this file: C:\Program Files\wfavvid\properties\directory.properties. It's just a plain text file. Look for this: CCNIniFile=c:\\winnt\\system32\\ccn\\ccndir.ini

    In fact, it can be something else too; this is the default path.

    3. This file contains the information we are looking for: LDAPURL 'ldap://10.1.1.1:389, ldap://10.1.1.2:389' and other important things like passwords and base DN

    Change it according to your needs. :-)

    4. Restart the server.

    Good luck.

    G.

  • ASA VPN access by LDAP group

    Hello, I have configured remote access VPN on the ASA with LDAP authentication. But I can't limit VPN access to a specific LDAP group.

    Here is my config:

    aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
     ldap-base-dn dc=company,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=Netuser,OU=Services users,OU=ASM HQ,dc=company,dc=com
     server-type microsoft
     ldap-attribute-map AZPBTDC01

    ldap attribute-map AZPBTDC01
     map-name memberOf Group-Policy
     map-value memberOf "CN=VPN_Admin,OU=ASM group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP

    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client
     address-pools none

    group-policy RA_ADMIN_GP internal
    group-policy RA_ADMIN_GP attributes
     dns-server value 192.168.10.251
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value IPSEC_RA_ACL_ADMIN

    tunnel-group DefaultRAGroup general-attributes
     default-group-policy NOACCESS

    tunnel-group IPSEC_RA_ADMIN type remote-access
    tunnel-group IPSEC_RA_ADMIN general-attributes
     authentication-server-group AZPBTDC01 LOCAL
     authorization-server-group AZPBTDC01
     default-group-policy RA_ADMIN_GP

    The problem is that all domain users can connect to the VPN. The ASA does not filter by group: users who are not in the VPN_Admin group can connect, but they should not be able to.

    Even if it is possible to make this approach work, I wouldn't do it this way. Use DAP (Dynamic Access Policy) instead.

    The instructions for this are here:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/108000-DAP-Deploy-Guide.html

    Search for "Active Directory group" to jump directly to the corresponding section. Note that you may need two DAP policies: one to match users living in VPN_Admin and another default policy to deny access to everyone else.

    Note that for the default "deny" policy I often make it pop up a message to the end user, saying that they do not have VPN access and should contact xxx if they want to fix it.
