Using LDAP
I was looking for a way to use LDAP, basically to get a ServiceConnectionPoint (a single ldap query).
I found two libraries, libldap and OpenLDAP , have someone use one of them before and gathered with success for bb10?
Or could you do a simple query without a library?
I've seen used OpenLDAP before, but I have not actually used myself.
For what it's worth I built the client libraries by running these commands of tar of the Nations United had distribution directory:
make clean
QNX_TARGET="/Applications/Momentics2.app/target_10_3_1_1949/qnx6" \
QNX_HOST="/Applications/Momentics2.app/host_10_3_1_24/darwin/x86" \
LDFLAGS="-L${QNX_TARGET}/armle-v7/lib -L/lib -lscreen -lasound -lpps -lm -lpng14 -lbps -lEGL -lGLESv2 -Wl,-z,relro -Wl,-z,now -pie" \
CPPFLAGS="-D__PLAYBOOK__ -D__QNXNTO__" \
CPP="${QNX_HOST}/usr/bin/qcc -V4.6.3,gcc_ntoarmv7le -E" \
LD="${QNX_HOST}/usr/bin/ntoarmv7-ld" \
CXX="${QNX_HOST}/usr/bin/qcc -Vgcc_ntoarmv7le -lang-c++ -fPIC" \
CFLAGS="-g -fPIC -fstack-protector-strong" \
RANLIB="${QNX_HOST}/usr/bin/ntoarmv7-ranlib" \
CC="${QNX_HOST}/usr/bin/qcc -Vgcc_ntoarmv7le -fPIC" \
./configure \
--host=arm-unknown-nto-qnx8.0.0eabi \
--enable-slapd=no \
--with-threads=no \
--prefix=${HOME}/openldap_install_target \
make depend
make
Choose QNX_TARGET and QNX_HOST appropriate to your SDK. I removed slapd (server support) ran into issues with son build so disabled them as well - probably ok for the side customer liebrary.
"If you get a clean build running ' make install ' to put the headers, libs etc in ${HOME} / openldap_install_target rather than have it try to install in/usr/local.
Tags: BlackBerry Developers
Similar Questions
-
Double authentication using LDAP and RSA
I would use LDAP and RSA (double authentication) for my SSL VPN clients. Can I authenticated users if my logon page requires users to enter a second username. If I have the configuration so that they have to enter their username once, no authentication attempt is passed on to the authentication servers. I'm under debug on LDAP and RADIUS (for RSA), which is what I know that authentication is never over if they are to enter their user name once on the login page.
If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.
Does anyone know how to configure the ASA so that they have to enter their username once while using the LDAP (as principal) and RSA (RADIUS) (secondary)?
Thanks in advance.
Matt
Hi Matt,
I just tried on 8.3 (2) and it works as expected. I suspect that you are running in this bug:
CSCte66568 Double authentication broken in 8.2.2 during use-primary-username is CONF.
If you are running 8.2, upgrade to 8.2 (3) and you shoud be fine.
HTH
Herbert
-
ACS 5.2 - authentication user 802. 1 x and MSCHAPv2 using LDAP Source identity
Hello community,
I use the ACS 5.2 as the solution of authentication in my network. I configured two situations: access with network access policies and peripheral Administration.
Currently, I have a few configured devices: 1 ASA (using RADIUS), WLC-5508 (using RADIUS) 1, 1 2960 S (with GANYMEDE +). And I set up an external identity store, using LDAP (I can see and select all groups without problem).
Everything works fine. My next step was to configure users to use 802. 1 x to authenticate using ACS with my LDAP database.
Assuming that all configurations are correct on all computers (when I use an internal database works very well), these are the following newspapers/configurations in the ACS:
At this point, we can see the error:
22043 current identity store does not support the authentication method; He jumps.Header 1 Request for access received RADIUS 1100111017 RADIUS creates a new session
Assess Service selection strategy
15004 Matched rule
Access Service - access Police selected 1501211507 extract EAP-response/identity12500 prepared EAP-request with EAP - TLS with challenge11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12301 extract EAP-response/NAK asking instead to use PEAP12300 prepared EAP-request with PEAP with challenge11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12302 extracted EAP-response containing PEAP challenge-response and accepting as negotiated PEAP12318 has successfully PEAP version 012800 first extract TLS record; TLS handshake has begun.12805 extracted TLS ClientHello message.12806 prepared TLS ServerHello message.12807 prepared the TLS certificate message.12810 prepared TLS ServerDone message.prepared 12305 EAP-request another challenge PEAP11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12304 extract EAP-response containing PEAP stimulus / response12318 has successfully PEAP version 012812 extracted TLS ClientKeyExchange message.12804 message retrieved over TLS.12801 prepared TLS ChangeCipherSpec message.12802 prepared TLS completed message.12816 TLS handshake succeeded.
12310 full handshake PEAP completed successfullyprepared 12305 EAP-request another challenge PEAP11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12304 extract EAP-response containing PEAP stimulus / response12313 PEAP inner method started
11521 prepared EAP-request/identity for inner EAP methodprepared 12305 EAP-request another challenge PEAP11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12304 extract EAP-response containing PEAP stimulus / response11522 extract EAP-Response/Identity for EAP method internal11806 prepared EAP-internal method call offering EAP-MSCHAP VERSION challengeprepared 12305 EAP-request another challenge PEAP11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12304 extract EAP-response containing PEAP stimulus / response11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiatedEvaluate the politics of identity
15006 set default mapping rule
15013 selected identity store-
22043 current identity store does not support the authentication method; He jumps.22056 object was not found in the identity of the point of sale.22058 advanced option that is configured for a unknown user is used.22061 the option 'Refuse' Advanced is set in the case of a request for authentication has failed.11815 inner EAP-MSCHAP VERSION authentication failed11520 prepared EAP-failure of the inner EAP method22028 authentication failed and advanced options are ignored.prepared 12305 EAP-request another challenge PEAP11006 returned Challenge RADIUS accessRequest for access received RADIUS 1100111018 RADIUS re - use an existing session12304 extract EAP-response containing PEAP stimulus / responseAuthentication PEAP 12307 failure
11504 prepared EAP-failure
11003 returned RADIUS Access-Reject
So, what can be the cause? Compatibility with LDAP?
Plinio,
Watch this doc,
There is a table which indicates that LDAP is not a database compatible with our EAP type (MSCHAP VERSION-2).
LDAP, you can use with TLS, PEAP-GTC, and EAP-FAST-GTC.
TLS uses certificates on both sides, suplicant, and server authentication server.
* GCT if I'm not mistaken is a WBS system to use with the EAP protocol.
Authentication Protocol EAP compatibility of database user and table B-5
Identity storeEAP - MD5PEAP-EAP-MSCHAPv2EAP-FAST MSCHAPv2PEAP-GTCEAP-FAST-GTCACS
Yes
Yes2
Yes
Yes
Yes
Yes
Windows AD
NO.
Yes
Yes
Yes
Yes
Yes
LDAP
NO.
Yes
NO.
NO.
Yes
Yes
RSA identity store
NO.
NO.
NO.
NO.
Yes
Yes
Identity of DEPARTMENT store
NO.
NO.
NO.
NO.
Yes
Yes
-
ACS 5.3 use LDAP. for one SSID and use IS HOST. for a different SSID
I have 2 SSID on WLCs
I wish I had 1 point SSID to the radius of the acs using LDAP store and the 2nd point SSID to the radius of the acs using identity store of the host for mac filtering.
both scenarios are working, but not all.
If I set the order of the rule I can get an SSID, but then the other fails.
Authentication failed :
22056 object was not found in the identity of the point of sale.
Access matched Service selection rule:
Rule-1
Comparative political identity rule:
Rule-1
Some identity stores:
RBLDAP
Evaluate the politics of identity
15004 Matched rule
15013 selected identity store-
24031 sending request to the primary LDAP server
24017 Looking up host in LDAP - 04-xx-xx-xx-xx-xx Server
24009 host not found in the LDAP server
22056 object was not found in the identity of the point of sale.
22058 advanced option that is configured for a unknown user is used.
22061 the option 'Refuse' Advanced is set in the case of a request for authentication has failed.
11003 returned RADIUS Access-Reject
If I move the mac add rule before the rule of ldap, but then the ldap authentication fails
Request for access received RADIUS 11001
11017 RADIUS creates a new session
11027 detected host Lookup UseCase (Service-Type = check call (10))
Assess Service selection strategy
15004 Matched rule
Access to Selected 15012 - MAC filter network access service
Evaluate the politics of identity
15004 Matched rule
15013 selected identity Store - internal hosts
24209 Looking internal host IDStore host - 04-xx-xx-xx-xx-xx
24211 found internal host IDStore host
Authentication 22037 spent
I tried to install the following without result.
It seems to me that there should be a simple process to do what happens. I thought that if the rule does not match it would be to move on to the next rule etc...
I might be able to live with the first ldap control and if it does not pass to the db of the local host, but seemingly ineffective.
https://supportforums.Cisco.com/thread/2133704
You can create a sequence of identity store so that if the end point is not present in the ldap database, then it can check its database of the local host.
Or you can create a condition in your selection of service such as if rule called-station-id ends with (AIDS) then you can have it match the rule that uses the appropriate rule pointing to ldap, another rule when called-station-id ends with (ssidB) match the rule that points to the rule that uses the database of the local host.
Here is the section on the configuration of the sequence of identity store, don't forget to select continue if user not found.
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...
Thank you
Sent by Cisco Support technique iPad App
-
VCSC & VCSE: device/user using LDAP authentication
Hi all
I configured the VCSC and VCSE for device authentication and the user using LDAP. The issue that I face is my Zone of course does not have connection to VCSE. I am sure that my LDAP works very well because everything works perfectyle (authentication of users, for example) with the exception of this. Status I got STRANDED on the page of the area traversed in VCS C.
Has anyone encountered the same problem?
It's not a problem, it's the behaviour, as the crossing area also uses authentication, then
It will not use the local db but using your ldap server.
You create an additional account with the user name used on the VCS that reflects the
SIPIdentityUserName / h235IdentityEndpointID and the password as well.
Works very well for us.
-
DAP using LDAP and attributes of Cisco
I would like to be able to implement a strategy of dynamic access to the criteria that all the following conditions:
Cisco.GroupPolicy = Sales
ldap.memberOf = Remote_Access
can have a specific set of access. My connection profile uses a Radius Server to authenticate and assign group policy.
Is it possible to do this? Since then, it doesn't seem to work for me.
Hi Luis,.
If you want to use LDAP attributes in your strategy of DAP, you will need to use LDAP for authentication or authorization in your tunnel-group.
Thus you will be either have to replace ray with ldap for authentication, OR keep radius for authentication and add ldap for authorization on top.
HTH
Herbert
-
With VMware View Server using LDAPS (port 636)
I've been responsible for something that seems impossible/not supported.
VMware View Server uses port 389 for LDAP. My task is to do view to use instead the port 636 (LDAP over SSL). The accusation is that the replicated servers in VMware View data not encrypted between other on port 389.
So far in my quest, I did no progress in this project. However, I was able to test that manual connections can now be performed (with ADSI Edit) with port port SSL 636 other replicated servers view. Problem is that the view seems to have hard-coded to use port 389 and cannot be moved to use LDAPS.
There are instructions to do something like this in vCenter (http://www.vstable.com/2012/01/27/vcenter-5-active-directory-web-services-error-1209/) (Security Virtual Lab: & amp; nbsp;) Architecture - Blog - proSauce), but nothing related to the sight of the surfaces in a Google search.
Someone at - it have a Yes or whinny if possible?
EDIT: Moved to the correct community.
It is not easy being responsible for something impossible!
Connection view servers have an AD LDS instance, and replication between servers using the AD LDS replication. This is a replication mechanism secure by using the replication RPC, LDAP and Kerberos and secure without having to implement LDAP over SSL on 636.
The articles you refer to are actually on the definition of a port number unused LDAPS access of Web Active Directory Services with vCenter Server to get rid of an event without danger. It does nothing to do with replication between LDAP servers. View prevents remote access Active Directory Web services anyway with a specific firewall rule so that remote users have no access to it.
The only reason why you can use LDAPS with AD LDS is if you support simple LDAP connections. The use of SSL would mean that the simple bind passwords are not sent in the clear. In the case of the view, simple LDAP connections are not enabled in any case.
In summary, what you're trying to do is useless.
Mark
-
Default password for LDAP sync accounts that do not use LDAP authentication
We use CUCM 10.5.1. We have enabled LDAP and installation directories. I can see the previous local users and new users sync ldap. I know that if there was a previous local user with the same user as the new ldap user ID, this account is converted into an ldap account and I guess the password stay the same before ldap integration. But what of the new ldap sync protocol accounts? I see that there is a field of password for them, but what is the default password for these newly created accounts and where I can edit this default password?
I do not have a 10.x here, but on previous versions, "credentials political default" sets the default password.
It was under the management/diploma default user policy. Choose the 'end user' political 'password' and put the default value you want here. It may be in a slightly different place from 10.x
Aaron
-
Using LDAP on ACS 4.1.1 device
I want to configure it to use our LDAP server as opposed to separate Windows - ACS agent devices configuration. Is this possible? Is there a document out there that will allow me to do this and don't recommend it update 4.2 group before you configure this?
Thank you
Dwane
Yups, you can keep the RA for registration only and authentication via the LDAP Protocol separately.
Kind regards
Prem
Please rate if this can help!
-
ASA 5520 - VPN using LDAP access control
I'm setting up an ASA 5520 for VPN access. Authorization & authentication using an LDAP server. I have successfully configured tunnel, and I can access internal resources. What I want to do now is to limit access to a specific ad group membership. In the absence of this belonging to a group, a user cannot access the VPN.
My VPN client software testing is Cisco Systems VPN Client 5.0.05.0290 Version. The Group authentication is configured in a connection entry that identifies the Group of Tunnel. I think I wrote that correctly.
The Version of the software on the SAA is 8.3 (1).
My current challenge is getting the VPN to stop letting each request for access through little matter belonging to a group. I found the thread below to be significantly useful, but there is obviously something which is not entirely mesh with my situation.
https://supportforums.Cisco.com/message/3232649#3232649
Thanking all in advance for everything offered thoughts and advice.
Configuration (AAA LDAP, group policy and group of tunnel) is below.
AAA-Server LDAP protocol ldap
AAA-Server LDAP (inside) host x.x.y.12
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAPAAA-Server LDAP (inside) host x.x.y.10
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
LDAP-attribute-map LDAP_MAP
AAA-Server LDAP (inside) host x.x.y.11
Server-port 636
LDAP-base-dn dc = domain, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn cn = svcacct, or = svcac, or = users, or = svcad, dc = domain, dc = com
enable LDAP over ssl
microsoft server type
LDAP-attribute-map LDAP_MAP
!
internal group NOACCESS strategy
NOACCESS group policy attributes
VPN - concurrent connections 0
Protocol-tunnel-VPN IPSec webvpn
address pools no
attributes of Group Policy DfltGrpPolicy
VPN - 10 concurrent connections
Protocol-tunnel-VPN IPSec webvpn
enable IPSec-udp
vpn group policy - pro internal
vpn - pro group policy attributes
value x.x.y.17 x.x.y.27 WINS server
Server DNS value x.x.y.19 x.x.y.29
VPN - 50 simultaneous connections
Protocol-tunnel-VPN IPSec svc
group-lock value vpn - pro
field default value domain.com
value of address ip-vpn-pro pools
WebVPN
client of dpd-interval SVC no
dpd-interval SVC 1800 bridge
!attributes global-tunnel-group DefaultRAGroup
LDAP authentication group-server
LDAP authorization-server-group
Group Policy - by default-vpn-pro
authorization required
type group tunnel vpn - pro remote access
attributes global-tunnel-group-vpn - pro
LDAP authentication group-server
Group-server-authentication (LDAP outside)
LDAP authorization-server-group
Group Policy - by default-vpn-pro
band-Kingdom
password-management
band-band
authorization required
type tunnel-group NOACCESSGROUP remote access
attributes global-tunnel-group NOACCESSGROUP
LDAP authentication group-server
NOACCESS by default-group-policyHello
The configuration of what you are looking for is a feature called DAP (Dynamic Access Policy)
The following link will explain how to set up the same.
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
-
Can OBIEE on UNIX OS - we use LDAP using Microsoft Active Directory for UNIX OS?
We are looking at options to run OBIEE 11 g on a UNIX server.
Can we use authentication using Microsoft Active Directory LDAP for authentication OBIEE?
Short answer: Yes.
Longer answer: Yes you can. Operating system has no influence on that. All you need is the ability to connect to LDAP, and it's pure networking.
-
Can we prevent people sharing PDF using LDAP or similar on a network?
We have a large number (more than 1000) of sensitive documents in PDF format, I was asked if it is possible to stop these files being shared with others outside the Organization and to prevent people copying or e-mail for others to use / view.
The PDF are currently hosted on a secure web site, server with an LDAP based ACL restricting access, internally the real PDF is not protected, so anyone with access to the site can, if they wish, save the PDF file and share with others. What is the method best/correct to ensure that our PDF files is protected?
I realized only a limited amount of research and before leaving that a thought more that it may be better to simply ask the question that I can waste my time or following the wrong track entirely! I guess that some sort of DRM would be necessary? These documents cannot be hosted or encrypted outside the network, so any solution will have to be hosted internally in its entirety.
We are on a Windows domain with 500 users.
Thanks in advance for any helpful comments.
UPDATE
-What is to:
Securing PDFs with Adobe LiveCycle Rights Management ARE
Or is it overkill for our needs?
You can't stop the shared files, PDF or any other type. With the help of DRM you can make shared unnecessary copies. DRM is a complex and controversial. The offer from Adobe is LiveCycle Rights Management. It will cost you to buy, to host and administer. If this is an exaggeration, it's probably a level of Council decision.
-
Security using ldap and the RPD users
Hello
I need 5 dummy users in RPD. I don't want to give them adminstrator privileges because they are not allowed to see everything in my dashboard. My authentication works by using an LDAP server, is it possible that I can leave these fake users login as well as those on the LDAP server?I don't think it's possible to use the default Server BI and LDAP authentication. You can still have multiple LDAP servers for authentication. You can ask 5 service accounts to be created in the LDAP for OBIEE Protocol and assign privileges accordingly so they see only needed dashboards.
Please allow the useful points,
Thank you
-Laurence. -
Connection to the Service of PAPI process when you use LDAP
We have Oracle BPM 10.3 put in place with the help of LDAP as a directory for the participants. To connect to the service of process PAPI we want to use a system id which is a user but not put in place in LDAP. How can we do this? Y at - it a special group of role or security necessary for this user, i.e. should the privileges of the user Admin process?Hello
Yes, this will definitely need a password, which is the same as the password that you will use to connect to the system (workspace BPM or the external application that makes calls PAPI).The way we have implemented is: we have a J2EE application (app A) external which makes use of calls papi, deployed on weblogic. The BPM engine is also deployed on the same weblogic domain. The BPM application can then be configured to be used in mode Single Sign On and deployed. In such a scenario when a user types in the url for the workspace BPM, the login page for app has will be shown.
The Protocol LDAP that you use to configure the BPM directory also lets you create a security provider in the field of the safety of the weblogic (using the weblogic console). This will ensure that any application (in this case Soft A) deployed on weblogic will use this users/groups to this LDAP for authentication purpose. This completes the installation, and we need A app and BPM application both authenticating to the same LDAP protocol and application of BPM is set up in SSO mode.
When the user comes to the login page of the appA, the corresponding servlet can store the password in the session and then to the app worklist page (if you wish). BPM login page not coming, since BPM can authenticate the user based on the login in the appA. Later (let us say that during the execution of the external task; when the appA servlet is called from BPM), you can use the password stored in the session to create the object papisession for the logged in user.
I recently started a blog, where I have an example of PAPI (as it is one of the issues preferred users BPM). You can check
http://satinderblogs.blogspot.com/2009_11_01_archive.html
HTH
Simart -
BI Server uses LDAP and BI Publisher uses BI server auth - can this work?
Hello
I've set up OBI EE BI Server to use our MS Active Directory LDAP repository for authentication purpose. It works perfectly.
On the other hand BI Publisher is configured to use the BI server authentication. I can see that groups XMLP * here, but obviously there are has no users defined in the BI server to add their!
The reason why I want to use this configuration is that it's another Department who is responsible for the maintenance of the AD and it would make things easier if we could maintain access BI Publisher ourselves, through the BI tool admin server.
Something tells me that's not possible, but I was wondering if there is any workaround or tip for this problem?
Thank you
LuisWith ADSI, you cannot import users and groups. You then create an initialization of variable session with an external table:
See an example here:
http://obieeblog.WordPress.com/2009/06/18/OBIEE-security-enforcement-%E2%80%93-external-database-table-authorization/See you soon
Nico
Maybe you are looking for
-
Diffence between firefox functionality on xp and windows 7
I just want to know the difference between the feature and the dependence on the two bones. and y at - it any thing change setting of Firefox on windows xp or 7 l.
-
Win7 hp pavilion n040se 15 notebook pc driver for win7
Hello I need win7 hp pavilion n040se 15 notebook pc driver for win7! anyone can help me?
-
Satellite P100-286 (PSPAG) cannot connect to the TV via the s-video output
Hello I'm trying to connect my P100 from my TV using the S-video TV output and the TV is never detected. Even if I try to "force the detection" in the nVidia control panel. Any ideas?
-
I have the system test with a cRIO-9068, a cRIO-9024 (w / 9114 chassis) and an expansion chassis 9146. None of them are even near being synchronized, and it's a bit frustrating. How can I synchronize the 9024 grid and the grid 9068? I have NEITHER
-
When to remove windows live it has messed up all my icons on win vista 32 bit computer
went to install/remove and attempted to delete windows live essentials and photo, because none will work on the windows vista 32-bit computer. This alters not and keeps saying wait until it unstalls. and screwed up my whole screen with weird colors.