LDAP user authentication and database standard version

Hello

Is it possible to use LDAP user authentication (user data in OUD or ODSEE) with the Standard Edition of Oracle Database? We have a Directory Services Plus license, but we don't want to buy the Enterprise Edition of the database just to get the Enterprise User Security feature for user management.

Thank you

Hello

Enterprise User Security (EUS) requires the Enterprise Edition (EE) of the database. This is independent of the directory services license.

See http://docs.oracle.com/cd/E11882_01/license.112/e47877.pdf for more details.

Sylvain

Tags: Fusion Middleware

Similar Questions

  • Mix of custom authentication and database account

    We have a client-server application (let's call it app_1) with database account authentication. To be able to log in to the new APEX application (app_2), the user must be either an app_1 user (and so have a DB account) or an app_2 user (custom authentication against a users table with uid and password hash).

    Separately, I can implement each of these authentication schemes. However, I could not figure out how to combine them (to include DB account authentication in my custom scheme).

    Any idea?

    Igor

    Igor,

    I wrote on this subject some time ago... See if this helps:
    http://www.danielmcghan.us/2008/08/custom-authentication-via-DB.html

    Kind regards
    Dan

    http://danielmcghan.us
    http://sourceforge.NET/projects/tapigen

    You can reward this answer by marking as being useful or correct ;-)

  • Oracle UCM CIS - user authentication and connection to the virtual computer

    Hello

    I have a few questions. I'm trying to integrate UCM with my custom web application.

    (1) Is it possible to authenticate users (password validation) if we use CIS to integrate? If this isn't the case, and the UCM server uses its own database backend and not any LDAP for user management, must we make a call to the database table directly? Any idea which table?

    (2) If I try to connect to a UCM server that runs on a virtual machine, but in the local network, I always get an error like this.
    Failed to retrieve the configuration information for the content Terminal item. Permission denied. Address '<<ip address>>' is not an authorized remote socket address.
    However, if I connect to an instance of the AAU running on a server instance, the same code runs.
    The server console within the virtual machine is accessible from my m/c through a browser. So should I give access to port 4444 for the socket connection? I couldn't find anything on it. Any help will be appreciated.

    Thank you
    Deep

    Hi deep,

    You can restrict access to the content server port 4444 using an IP address filter in the /config/config.cfg file of

    There is a property called SocketHostAddressSecurityFilter

    You can for example set
    SocketHostAddressSecurityFilter=192.168.1.*|10.102.3.3|localhost
    The list is pipe separated.

    Connections from addresses other than these raise the error that you have shown.

    Please consider marking this thread as answered if that solves the problem, to help others facing the same issue.

    Tim

    Published by: Tim Snell on December 15, 2010 07:57

  • Difference between the educational version and the standard version?

    I am a student. I am currently on the regular Creative Cloud plan (I used the special upgrade pricing), but I am thinking of moving to the educational version after my membership expires in August. Is there a feature difference between these two versions? I do freelance work; is that in conflict with the licensing of the educational version of CC?

    Thank you!

    There are no functionality or licensing differences with the educational subscription for Creative Cloud.

  • Order of authentication and authorization in ISE

    Hello

    I am looking to configure ISE to authenticate AD-joined PCs (AnyConnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The PCs and phones connect on the same switchport. The switchport configuration was:

    switchport
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator

    The configuration above worked well, with 'show authentication sessions' on the switch showing dot1x as the method for the DATA domain and mab for VOICE. I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first by mab. As a result, 'show authentication sessions' on the switch showed mab as the method for both VOICE and DATA.

    To avoid this I created an authorization policy on ISE to respond with an "Access-Reject" when "UseCase = Host Lookup" and the endpoint identity group was Unknown (the group that contains the AD PCs). This worked well - the switch would attempt to authenticate the PC and phone with mab. When an "Access-Reject" was received for the PC, the switch would move on to the next method and the PC would be authenticated using dot1x.

    The only problem with this is that the ISE logs soon filled with denies caused by the authorization policy - is it possible to achieve the scenario above without affecting the logs?

    Thank you
    Andy

    Hi Andy,

    Have you tried to have the config in the following way:

     authentication order mab dot1x
     authentication priority dot1x mab

    This "order" will tell the switchport to always start with mab, but the 'priority' keyword will allow the switchport to accept dot1x authentications from dot1x devices.

    For more information see this link:

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/identity-based-networking-service/application_note_c27-573287.html

    Thank you for evaluating useful messages!

  • Invalid user authentication

    Hello

    I'm on IOM 9102 + WebSphere. I ran patch_websphere and redeployed the .ear file. But now when I try to log in to the IOM, it throws "invalid user authentication" and I am not able to log in. When I enter the password, it does not take the password and the cursor goes back to the user name text box.

    Thank you
    Suren

    This means that it is already disabled. To check, from the command line, run the following:
    wsadmin - port NONE

    This will connect you to the websphere administration tool. Next type:
    securityoff

    This will turn off security, which allows you to log in with any username and password. Restart WebSphere.

    From this point you must enable security. Follow these steps:
    - Once WebSphere comes back up, log in to the WebSphere console with any user name and password.
    - Go to Security --> User Registries --> Custom
    - Enter the user name "XELSYSADM" and then make sure Ignore Case is checked
    - Enter the password xelsysadm for "Server User Password"
    - Click 'OK' and 'Save' to the master configuration.

    I don't have a WebSphere console in front of me, but this will enable security for the application again. Restart and see what happens.

    -Kevin

  • Cisco VCS and LDAP for authentication of users

    I have a question about setting up LDAP for user authentication on the VCS. I want to have redundancy in my LDAP link. I believe that this is possible by setting the LDAP server address to an FQDN and then selecting SRV as the resolution type. What I'm not clear on is what the value for the server address would be if I actually used SRV as the resolution type. I should also add that I am looking to use TLS.

    To clarify, if my AD domain name is myad.netcraftsmen.net, would I set the server address field to:

    myad.netcraftsmen.net, assuming that VCS will properly query DNS for the correct _service._proto parameters?

    or would I need to create an SRV record to that effect and set the server address field to that address (including the _service._proto fields)

    or do I need to specify one of the SRV record formats used by MS AD domains (there are several).

    If the latter, then what SRV record for TLS. I don't see records with port 389 (non-secure).

    My intuition tells me that this is probably the first option, but I could be way off.

    Anyway, thanks in advance for any input.

    Kind regards

    Bill

    Hi William,

    I just checked it on an X6.1 VCS, and it seems that VCS looks up the SRV record _ldap._tcp.domain (where 'domain' is what was entered as the server address), both when the encryption is set to 'None' and when it is set to 'TLS'.

    Hope this helps,

    Andreas
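
How the records returned for `_ldap._tcp.<domain>` can give the redundancy asked about above: an added example (not from the original thread and not VCS code) that orders SRV records by RFC 2782 priority and weight and picks the first reachable server. The three records and their host names are constructed, and that VCS follows RFC 2782 ordering is an assumption.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is contacted first
    weight: int    # relative share among records of equal priority
    port: int
    target: str


def srv_query_name(domain, service="ldap", proto="tcp"):
    """Owner name queried when only the domain is given as server address."""
    return f"_{service}._{proto}.{domain.rstrip('.').lower()}"


def order_srv(records, rng=None):
    """Return the records in RFC 2782 contact order.

    Priorities are visited in ascending order. Inside one priority the
    records are drawn one by one with probability proportional to weight.
    """
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        # RFC 2782: zero-weight records go first so they keep a small chance.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_reachable(ordered, is_up):
    """Walk the contact order and return the first server that answers."""
    for rec in ordered:
        if is_up(rec):
            return rec
    return None


# Constructed DNS answer: two equal-priority servers and one backup.
SAMPLE = [
    SrvRecord(0, 100, 389, "ldap1.myad.netcraftsmen.net"),
    SrvRecord(0, 100, 389, "ldap2.myad.netcraftsmen.net"),
    SrvRecord(10, 0, 389, "ldap3.myad.netcraftsmen.net"),
]

if __name__ == "__main__":
    print("query:", srv_query_name("myad.netcraftsmen.net"))
    order = order_srv(SAMPLE)
    for rec in order:
        print(rec.priority, rec.weight, rec.port, rec.target)
    # Simulate both primary servers being down: the backup is selected.
    backup = first_reachable(order, lambda r: r.priority == 10)
    print("with primaries down ->", backup.target)
```

The backup record is only contacted after every priority 0 server has failed, so a directory server that should never carry normal load belongs at a higher priority value rather than at a low weight.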

  • Grid Infrastructure: different UNIX users for grid and databases?

    Hello

    I am trying to install 11gR2 (Standard Edition 11.2.0.3) with Grid Infrastructure (we use ASM) on a brand new RHEL5 (64-bit).
    When I'm done with this one I'll have to do the 'same' for several 2-node RACs and other single instances.

    As stated in the official documentation, I created 2 separate unix users, named grid and oracle.
    - grid is the owner of the Grid Infrastructure
    - oracle is the owner of the RDBMS
    (They both have oinstall as primary group.)

    They both share the same ORACLE_BASE (that is /oracle in my case).
    But as this directory was created by the grid user (with umask 022), the oracle user does not have permission to write to this directory.

    Therefore, the installation of the RDBMS failed (so I added the write privilege for the oracle user on ORACLE_BASE).
    I also had to give write privilege on /oracle/product and /oracle/cfgtoollogs to get through the RDBMS installation and dbca.
    Now, when I run netca, it complains about /oracle/cfgtoollogs/netca...

    Just to illustrate, this is what /oracle currently looks like:
    $ ls -l /oracle/
    total 60
    drwxrwx---  5 grid   oinstall  4096 Mar 19 10:45 admin
    drwxrwxr-x  7 grid   oinstall  4096 Mar 15 17:31 cfgtoollogs
    drwxr-xr-x  2 grid   oinstall  4096 Mar  9 18:21 checkpoints
    drwxr-xr-x  2 grid   oinstall  4096 Mar  9 18:16 Clusterware
    drwxrwxr-x 11 grid   oinstall  4096 Mar 12 12:23 diag
    drwxrwxr-x  2 oracle oinstall 16384 Feb 20 15:36 lost+found
    drwxrwx---  6 grid   oinstall  4096 Mar 12 18:55 oraInventory
    drwxrwxr-x  3 grid   oinstall  4096 Mar  9 18:12 product
    drwxr-xr-x  3 grid   oinstall  4096 Mar  9 18:16 sodbdd28
    drwxrwxr-x 10 oracle oinstall  4096 Mar 12 18:00 sources
    Of course, it's no big deal and I could chmod each directory where this issue occurs, but that feels like "bad practice".
    We are talking about production machines that I might have to administer for some time, and I don't want something "bolted on" or "poorly designed" from day 1.

    I have seen that on most 11gR2 RAC installations, Grid Infra and RDBMS have been installed under the same unix user (oracle), which makes administration easier.

    What I want to know is:
    - What is best from a DBA point of view (by DBA I mean someone in charge of both ASM and databases)?
    - Is there an official paper which recommends NOT using distinct users for Grid Infra and RDBMS (or at least something that says whether it's safe/supported or not to use a single user)?

    Thanks in advance to all who will take the time to help me.

    Hello

    Wouldn't it be safe / smart to opt for a single unix user, while still having different homes for Grid Infra and RDBMS?

    Having different OH (ORACLE_HOME) for GRID (clusterware) and RDBMS is required. Having different OB (ORACLE_BASE) for GRID and RDBMS is recommended by Oracle, but you have the possibility to place GRID and RDBMS on the same OB.

    If the issue is users:

    It really depends on how and by whom your Cluster environment will be managed. I believe that for every choice, we have a reason for this choice.

    So, if you have a cluster with many OS users (Operator / DBA / Sysadmin) accessing this system... I recommend you use Job Role Separation; this keeps your environment more organized and secure.

    But if the user (Sysadmin/DBA) who will be responsible for administering the Oracle database is the same one who will manage the grid... I don't see the need to use job role separation.

    Although using job role separation only really makes a difference for access through the OS to Cluster resources and ASM... With respect to the binary installation, only root has privileges to change it.
    In version 11.2 Oracle introduced security that protects the Grid Infrastructure installation binaries. This prevents unnecessary changes or access to the OH.
    To change the Grid Infrastructure binaries, you must unlock this ORACLE_HOME with root privileges.
    This security should not be applied to the ORACLE_BASE of the Grid installation, because the ORACLE_HOME of the GRID must be outside ORACLE_BASE. (The documentation does not explain it, suffice it to say that the OB should stay out of the OH)

    P.S. The home of Oracle Grid Infrastructure for a standalone server (Oracle Restart) can be under the Oracle base.

    http://levipereira.WordPress.com/2011/07/01/modifying-Oracle-clusterwarerestart-binaries/

    Kind regards
    Levi Pereira

    Published by: Levi Pereira on 19 March 2012 18:55

  • ACS 4.2 RSA Authentication and LDAP group mapping

    Hello

    I have a Palo Alto firewall with the GlobalProtect (SSL-VPN) feature enabled.

    I use Cisco Secure ACS as a proxy for the RSA SecurID authentication.

    After authentication I try to map AD groups through an LDAP query.

    The issue I've found is that the user I get from user authentication has no domain:

    show user ip-user-mapping all | match mbm60380

    10.240.1.24 vsys1 UIA 2388 2388 domain\mbm60380

    10.240.1.1 vsys1 UIA 2101 2101 domain\mbm60380

    10.240.250.1 mbm60380 2590859 2590859 vsys2 GP

    But the list of users that I receive from the LDAP query includes the domain prefix:

    See the user group name domain\group1 property

    short name: domain\group1

    [1] domain\aag60368

    [2] domain\ced61081

    [3] domain\jas61669

    [4] domain\mbm60380

    [5] domain\pmc61693

    [6] domain\vcm60984

    I would like to create the user with the domain of GBA, but the domain must be removed before querying the RSA server, as it does not support domain stripping.

    I tried to fix this on the Palo Alto firewall without success.

    I'm trying to do this on Cisco Secure ACS 4.2 instead, but it did not work either:

    The RSA servers are configured as an external database. They are not defined in the network device groups.

    Can I set up domain stripping for queries to the RSA servers?

    Thank you

    Hello

    I think it should work, but it is a bit awkward:

    Create an entry in the Proxy Distribution Table in Network Configuration.

    DOMAIN\\USER *.

    Prefix

    Forward back to the AAA server, and from there authenticate to the RSA server without the domain prefix.

    Make sense?

    Thank you

    Chris

  • Trying of authenticating to a LDAP group users - all users authenticated

    ASA successfully authenticates all users if they are in the OKCVPNAccess user group, and the ASA correctly sees the LDAP map attribute. There is that a single policy.

    [54] memberOf: value = CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
    [54] mapped to IETF-RADIUS-class: value = LDAPPolicy

    I have been through a lot of documentation on Cisco's web sites and have also looked at several forums, but I'm coming up blank as to what I can try next. I know that it will work with RADIUS and I've used RADIUS several times in the past, so this isn't an option. I was asked to do it with LDAP. Any suggestions? I've included the relevant part of the setup, and I tried to sanitize it somewhat, so there may be an inconsistency in a name here or there.

    Thank you

    ldap attribute-map LDAPMAP
     map-name memberOf IETF-Radius-Class
     map-value memberOf CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.12.34.248
     server-port 389
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn xxx\vpn.auth
     server-type microsoft
     ldap-attribute-map LDAPMAP

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map CRYPTO-map 1000 ipsec-isakmp dynamic outside_dyn_map
    crypto map CRYPTO-map interface outside

    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp disconnect-notify

    group-policy CRYPTOGP internal
    group-policy CRYPTOGP attributes
     banner value using this system is... Please log out immediately!
     dns-server value 10.12.34.248 10.129.8.136
     vpn-tunnel-protocol IPSec
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITTUNNEL
     default-domain value xxx.local

    tunnel-group CRYPTO-OKC-VPN type remote-access
    tunnel-group CRYPTO-OKC-VPN general-attributes
     authentication-server-group LDAP
     address-pool IPPOOL
     default-group-policy CRYPTOGP
     authentication-server-group LDAP
    tunnel-group CRYPTOOKC-VPN ipsec-attributes
     pre-shared-key *

    In my view, the LDAP map is only used to map an LDAP attribute to an appropriate group policy; you control user access through the group policy.

    Here is an example.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

    After the user is connected to the VPN, can you use "show vpn-sessiondb" to check which group policy is used?

    Moreover, I did not see 'LDAPPolicy' defined in your configuration.

  • External LDAP user not authenticated

    Hello

    Using Weblogic 12.1.2 I created an Active Directory authenticator and can connect to our Windows Active Directory so that it will give the list of users, that I care to see in the 'Users and groups' tab of the Weblogic administration console.  However, when I try to use my Java process authentication, it indicates that the user cannot be authenticated (LoginException java security survey).  This same code works in a different environment with Active Directory configuration.  If I use our weblogic user default ' local' (one who is allowed to start the server), I do not see the exception and the user is authenticated.  Anyone know how I can get my "external LDAP user" to authenticate and why he would be treated differently from a 'local' user or why it would be different depending on the environment?

    Thank you!

    Hello

    Are you able to log in to the WebLogic console using Active Directory users?

    1. Check if you are able to see all the users in the WebLogic console.

    Security Realms ===> myrealm ===> Users and Groups

    2. Also, did you add the user or group in the global section?

    Take a look at the link below for reference on configuring AD with WebLogic.

    Configuring Active Directory with Weblogic Server 10.3.6 - weblogicexpert

    3. Check which control flag is set.

    Set it to "SUFFICIENT".

    It may be useful

  • Select a type of user account (for example, standard user, restricted user, and other types) on computer XP pro?

    Hello.

    I have a question about how to select the type of user account for each user account.

    I read that if I type 'control userpasswords2' in Run, it will bring up a hidden user accounts window. In this window, select a user account name and click Properties, then click Group Membership, and it will show all the account types you can get (including standard user, restricted user, and Other, which has many other types).

    Here is the link I read

    http://www.exnol.com/globally-control-and-change-all-users-passwords-in-Windows

    Let's say my computer is XP Pro and it is in a home workgroup (not domain joined). Am I able to set these account types for my user account using 'control userpasswords2' just as I explained above?

    I was wondering because I read in a Microsoft help article or somewhere that the computer must be on a domain to be able to choose the account type by using the process I explained, and that when your computer is in a workgroup the only account types you can choose are admin or limited, using Control Panel and then User Accounts... but others said it does not need to be on a domain... I got confused.

    I would like to try it myself, but I don't have XP pro computer with me right now, I'd appreciate it really if someone could help me with the answer.

    Hi greenyy,

    If you are the administrator of the machine Windows XP Professional, you can use the command 'control userpasswords2' and access the list of user accounts and change the type of account.

    You need not necessarily be on a domain, however, it may not work for some types of user accounts on a working group.

    A test, you can try to change the type of account for user accounts & check if it works.

    Reference: To change the type of user account 

    Hope the information helps. Please post back and let us know.

    Regards
    Joel S
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • VPN3002 PAT-Mode and individual user authentication

    Hi all

    I have three questions about the VPN3002 connected to a VPN3005 in PAT mode and with individual user authentication.

    First:

    Is it possible to use this function for several users on the private LAN? I tried this, but when the second user had been authenticated, one could not work any more.

    Second:

    If the answer to the first question is YES, can the users be in a different group from the VPN3002 client itself?

    Third:

    What happens when there is a router between the private LAN and the users? The user authentication field appears only when users are directly connected to the private LAN.

    I tried with PAT, but this was not possible because the VPN3002 can different users.

    I think that it will be possible with NAT, but then I run into my first question.

    Regards

    Karlheinz

    1 > it is the main function of the user authentication feature see here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3002/3_5/get_star/gs1under.htm#xtocid13

    2 > users cannot be in the other group. Group is dependent of the what the 3002 cumulates in.

    3 > it wouldn't send other subnets connected to the private sector. The design of the 3002 is such that only the subnet behind it, is what it can do vpn for.

    Kind regards

  • XDB user name and password to access the page configuration EPG on a pluggable database APEX

    Hello

    I have a base shared of the Oracle (12.1.0.2) 12.

    I have an APEX PDB 5.0 file. There is no APEX installed on the CDB (root).

    Connected to the PDB, the registry says:

    Name of the ID Version State

    ------------ ----------------------------------- ------------ ----------

    APEX Oracle Application Express 5.0.0.00.31 VALID

    I want to configure the EPG for this PDB.

    I did the following (in this order):

    (1) run: apex_epg_config.sql

    (2) run: exec dbms_xdb.sethttpport(8080) - the firewall is open for this port

    (3) run: alter user anonymous account unlock;

    (4) run:

    begin
      dbms_network_acl_admin.append_host_ace(
        host => '*',
        ace  => xs$ace_type(privilege_list => xs$name_list('connect'),
                            principal_name => 'APEX_050000',
                            principal_type => xs_acl.ptype_db));
    end;
    /

    I find myself with the APEX-based users:

    User name                 Account status
    ------------------------- -------------------------
    FLOWS_FILES               EXPIRED & LOCKED
    APEX_050000               EXPIRED & LOCKED
    APEX_REST_PUBLIC_USER     OPEN
    ORDS_PUBLIC_USER          OPEN
    APEX_PUBLIC_USER          OPEN
    APEX_LISTENER             OPEN
    ORDPLUGINS                EXPIRED & LOCKED
    ORDDATA                   EXPIRED & LOCKED
    ORDSYS                    EXPIRED & LOCKED
    ANONYMOUS                 EXPIRED
    ORDS_METADATA             EXPIRED & LOCKED

    I used the documentation:

    https://docs.Oracle.com/CD/E59726_01/install.50/e39144/EPG.htm#HTMIG386

    When I run from the browser:

    http://<IP address of the server>:8080/apex

    I get the message:

    "APEX request a user name and password XDB"

    Has anyone encountered this situation in a PDB?

    Thanks in advance for any information.

    Thanks and greetings

    Hi Patrick,

    Laury wrote:

    I have a base shared of the Oracle (12.1.0.2) 12.

    I have an APEX PDB 5.0 file. There is no APEX installed on the CDB (root).

    I want to configure the EPG for this PDB.

    I find myself with the APEX-based users:

    User name                 Account status
    ------------------------- -------------------------
    ANONYMOUS                 EXPIRED

    The problem is the ANONYMOUS account has expired.

    Reference: Re: XDB username and password

    I think that this issue is addressed in your previous thread so: Oracle APEX server requires a user name and password of the server said XDB?

    And here's the thread where Jason explained the reasons: Re: installation of the Apex (4.2.2 on 12 c)

    Kind regards

    Kiran

  • Hi all that I've been a user of cc muse and created 3 versions of storage for office, ipad, phone. Recently I started working with sensitive muse and do not see a possibility to create 3 versions (in one is not good for me). I tried to enter with Fix lent

    Hi all

    I have been a user of cc muse and created 3 versions of storage for office, ipad, phone.

    Recently I started working with sensitive muse and do not see a possibility to create 3 versions (in one is not good for me).

    I tried to enter with Fix length (not liquid) but cannot create a version for phone.

    Thanks for help

    Adaptive and Responsive Design are both supported. Please see the discussion here reagent phone or tablet buttons update-no more?
