Search Results

Search found 3423 results on 137 pages for 'mod authz ldap'.

Page 9/137 | < Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >

  • AdPrep logs show an LDAP error

    - by Omar
    What I am trying to do is transition our domain from Server 2003 Enterprise x32 to Server 2008 R2 Enterprise x64. Here is what I have done thus far. The 2003 server is a physical machine, the 2008 server is a virtual machine Built a virtual machine that has Server 2008 R2 Enterprise x64 and joined it to the domain as a domain member On the 2003 DC, Raised Domain Functional Level and Forest Functional Level to Windows Server 2003 On the 2003 DC, went into the registry and navigated to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and verified that the Schema Version is 30 On the 2003 DC, inserted the Windows Server 2008 Enterprise x32 Edition to copy over the adprep folder. This version is the only one that seemed to work On the 2003 DC, opened command prompt and went to adprep directory and ran adprep /forestprep , adprep /domainprep , and adprep /domainprep /gpprep On the 2008 server, Installed the Active Directory Domain Services role from Server Manager On the 2003 DC, went into the registry and navigated to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and verified that the Schema Version is now 44 When I go to run dcpromo on the 2008 server, I get a message that says: "To install a domain controller into this Active Directory forest, you must first prepare using adprep /forestprep" I went back to the 2003 DC server and went through the adprep logs and I came across this: Adprep was unable to modify the security descriptor on object CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com. [Status/Consequence] ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE). [User Action] Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20100327143517 directory for more information. Adprep encountered an LDAP error. *Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com* In fact, I got three of these errors. The LDAP error is consistent with all three, but the top part where it says "Adprep was unable to modify the security descriptor on object" are different. They are the following: CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com. CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com. CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com. The credentials I am using on the 2008 server when running dcpromo is my domain account. My account is part of the domain and enterprise admin groups. I've tried various quick fixes that I've came across through Google searches that include: Disabling AntiVirus on current DCs Pointing DNS on PDC to point to itself Changing the Schema Update Allowed key to 1 and tried rerunning adprep - when rerunning adprep, told me that Forest-wide information has already been updated Disabled Windows Firewall on the Server 2008 box On the 2003 DC, went to Domain Controller Security Policy Local Policies User Rights Assignment and added Domain Admins to the Enable computer and user accounts to be trusted for delegation policy setting Both our PDC and BDC are Global Catalog Servers. Not sure if this matters or not I ran the command netdom query fsmo and verified that the FSMO role holder is the current 2003 PDC I ran dcdiag /v on the 2003 PDC and the only thing that failed was Services. Dnscache Service is stopped on the PDC I even went as far as deleting the virtual machine and recreating it from scratch - no avail... Help :(

    Read the article

  • Setup mod-rewrite

    - by Publiccert
    I'm trying to setup mod-rewrite for a few servers. The code lives in /home/jeff/www/upload/application/ However, this is what's happening. It appears to be a problem with mod-rewrite since it's appending code.py to the beginning of the directory: The requested URL /code.py/home/jeff/www/upload/application/ was not found on this server. Here are the rules. Which one is the culprit? WSGIScriptAlias / /home/jeff/www/upload/application Alias /static /home/jeff/www/upload/public_html <Directory /home/jeff/www/upload/application> SetHandler wsgi-script Options ExecCGI FollowSymLinks </Directory> AddType text/html .py <Location /> RewriteEngine on RewriteBase / RewriteCond %{REQUEST_URI} !^/static RewriteCond %{REQUEST_URI} !^(/.*)+code.py/ RewriteRule ^(.*)$ code.py/$1 [PT] </Location> </VirtualHost>

    Read the article

  • How to authenticate users in nested groups in Apache LDAP?

    - by mark
    I've working LDAP authentication with the following setup AuthName "whatever" AuthType Basic AuthBasicProvider ldap AuthLDAPUrl "ldap://server/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" Require ldap-group CN=MySpecificGroup,OU=Security Groups,OU=MyBusiness,DC=company,DC=local This works, however I've to put all users I want to authenticate into MySpecificGroup. But on LDAP server I've configured that MySpecificGroup also contains the group MyOtherGroup with another list of users. But those users in MyOtherGroup are not authenticated, I've to manually add them all to MySpecificGroup and basically can't use the nested grouping. I'm using Windows SBS 2003. Is there a way to configure Apache LDAP to do this? Or is there a problem with possible infinite recursion and thus not allowed?

    Read the article

  • warning: dict_ldap_lookup: Search error 1: Operations error

    - by drecute
    Please I need help with ldap search filter to use to retrieve the user email information from ldap. I'm running postfix_ldap of Ubuntu server 12.04. Everything seems to work fine, except getting the values returned from the search. Version 1 server_host = ldap://samba.example.com search_base = dc=company, dc=example, dc=com query_filter = mail=%s bind = no domain = example.com Version 2 server_host = ldap://samba.example.com search_base = dc=company, dc=example, dc=com query_filter = mail=%s bind_dn = cn=Users,dc=company,dc=example,dc=com domain = example.com mail logs Nov 26 11:13:26 mail postfix/smtpd[19662]: match_string: example.com ~? example.com Nov 26 11:13:26 mail postfix/smtpd[19662]: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ldap-aliases.cf, reopening Nov 26 11:13:26 mail postfix/smtpd[19662]: dict_ldap_connect: Connecting to server ldap://samba.example.com Nov 26 11:13:26 mail postfix/smtpd[19662]: dict_ldap_connect: Actual Protocol version used is 3. Nov 26 11:13:26 mail postfix/smtpd[19662]: dict_ldap_connect: Binding to server ldap://samba.example.com with dn cn=Users,dc=company,dc=example,dc=com Nov 26 11:13:26 mail postfix/smtpd[19662]: warning: dict_ldap_connect: Unable to bind to server ldap://samba.example.com with dn cn=Users,dc=company,dc=example,dc=com: 49 (Invalid credentials) Nov 26 11:13:26 mail postfix/smtpd[19662]: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "[email protected]" Nov 26 11:13:26 mail postfix/smtpd[19662]: maps_find: virtual_alias_maps: [email protected]: search aborted Nov 26 11:13:26 mail postfix/smtpd[19662]: mail_addr_find: [email protected] -> (try again) Nov 26 11:13:26 mail postfix/smtpd[19662]: NOQUEUE: reject: RCPT from col0-omc3-s2.col0.hotmail.com[65.55.34.140]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<col0-omc3-s2.col0.hotmail.com> Nov 26 11:13:26 mail postfix/smtpd[19662]: > col0-omc3-s2.col0.hotmail.com[65.55.34.140]: 451 4.3.0 <[email protected]>: Temporary lookup failure here's another log with successful search result but fialed to get the values of the result Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: Using existing connection for LDAP source /etc/postfix/ldap-aliases.cf Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Searching with filter [email protected] Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_get_values[1]: Search found 1 match(es) Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_get_values[1]: Leaving dict_ldap_get_values Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: Search returned nothing Nov 26 12:04:56 mail postfix/smtpd[20463]: maps_find: virtual_alias_maps: [email protected]: not found Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: In dict_ldap_lookup Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Skipping lookup of key 'tola.akintola': domain mismatch Nov 26 12:04:56 mail postfix/smtpd[20463]: maps_find: virtual_alias_maps: tola.akintola: not found Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: In dict_ldap_lookup Nov 26 12:04:56 mail postfix/smtpd[20463]: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Skipping lookup of key '@example.com': domain mismatch Nov 26 12:04:56 mail postfix/smtpd[20463]: maps_find: virtual_alias_maps: @example.com: not found Nov 26 12:04:56 mail postfix/smtpd[20463]: mail_addr_find: [email protected] -> (not found) My refined ldap-aliases.cf looks like this: server_host = ldap://samba.example.com server_port = 3268 search_base = dc=company, dc=example, dc=com query_filter = mail=%s result_attribute = uid bind_dn = cn=Administrator,cn=Users,dc=company,dc=example,dc=com bind_pw = pass domain = example.com So I'll like to know what ldap filter is appropriate to get this to work. Thanks for helping out.

    Read the article

  • LDAP Structure: dc=example,dc=com vs o=Example

    - by PAS
    I am relatively new to LDAP, and have seen two types of examples of how to set up your structure. One method is to have the base being: dc=example,dc=com while other examples have the base being o=Example. Continuing along, you can have a group looking like: dn: cn=team,ou=Group,dc=example,dc=com cn: team objectClass: posixGroup memberUid: user1 memberUid: user2 ... or using the "O" style: dn: cn=team, o=Example objectClass: posixGroup memberUid: user1 memberUid: user2 My questions are: Are there any best practices that dictate using one method over the other? Is it just a matter of preference which style you use? Are there any advantages to using one over the other? Is one method the old style, and one the new-and-improved version? So far, I have gone with the dc=example,dc=com style. Any advice the community could give on the matter would be greatly appreciated.

    Read the article

  • Getting apache to use ldap group and filesystem group information

    - by Angelo
    We have an Apache server which serves out of a particular directory, and just supplies a listing of files. From this directory, each subdirectory is owned by a certain group of users (at the filesystem level). User groups are determined by a posixGroup in ldap. Is there any simple way I can tell Apache to authorize access based on filesystem permissions, just like if the users were to access the filesystem from a shell? I would like to be able to simply add users/groups/directories without having to add another Directory or Location directive in Apache's conf?

    Read the article

  • Using LDAP to store customer data

    - by mechcow
    We wish to store some data in 389 Directory Server LDAP that doesn't fit that well into the standard set of schema's that come with the product. Nothing too amazing, things like: when the customer joined are they currently active customer certificate[1] which environment they are using My question is this: should we register with OID and start writing up our own custom schema OR is there a standard schema definition not provided by Directory Server that we can download and use that would fit our needs? Should we munge/hack existing attributes and store the data among there (I'm strongly opposed to this, but would be interested in arguments about why its better than extending)? [1] I know there is a field for this userCertificate but we don't want to use it to authenticate the user for the purposes of binding Using CentOS 5.5 with 389 Directory Server 8.1

    Read the article

  • LDAP Bind request failing

    - by Madhur Ahuja
    I have a Windows Server 2008 R2 Active Directory domain controller with domain madhurmoss.com I have a Linux box which is trying to connect to LDAP (389) on above box, which is failing. Upon inspection in Wireshark, I see a bind request with following query sAMAccountName=Administrator,DC=madhurmoss,DC=com and result with invalid Credentials 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 I want it to connect it through Administrator which lies in CN=Administrator,CN=Users,DC=madhurmoss,DC=com The supplied credentials are correct. I believe the query sAMAccountName=Administrator,DC=madhurmoss,DC=com is wrong. Can anyone guide me what could be wrong ?

    Read the article

  • The rights needed to change a AD LDAP password

    - by Luuky19
    What are the bare minimum rights you need to change an other persons LDAP password?. I'm working on a tool that allows a user to change his password. as the tool needs to be written in PHP the only problem is that you can't use a user account to change the password. to work around this we want to use an manger/admin account that can only change the passwords of all the other users. now the problem. we could not find the right rights to set so that the account was allowed to change the passwords. the only way it worked for us was if we made him domain-admin and that is something we don't want. So what are the minimum rights that some one needs to change a other person password with PHP? EDIT: Changed the title to fit the question better.

    Read the article

  • Can't make updates with LDAP from Linux box to Windows AD

    - by amburnside
    I have a webapp (built using Zend Framework - PHP) that runs on a Linux environment which needs to authenticate against Active Directory on a Windows server. So far my webapp can authenticate with LDAPS, but cannot perform any kind of write operation (add/update/delete). It can only read. I have configured my server as follows: I have exported the CA Certificate from my Windows AD server to /etc/opendldap/certs I have created a pem file based on this certificate using openssl I have update /etc/openldap/ldap.conf so that it knows where to look for the pem certificate: TLS_CACERT /etc/openldap/certs/xyz.internal.pem When I run my script, I get the following error: 0x35 (Server is unwilling to perform; 0000209A: SvcErr: DSID-031A1021, problem 5003 (WILL_NOT_PERFORM), data 0 ): Have I missed something with my configuration, which is causing the server to reject making updates to AD?

    Read the article

  • LDAP for privilege control?

    - by neoice
    I've been wondering for a while if LDAP can be used to control user privileges. For example, if I have UNIX and web logins, is there an easy way to grant a user access to just or just UNIX (or even both?) My current attempt at solving this very problem was to create 'login' and 'nologin' groups, but this doesn't seem fine-grained enough to meet the ideas I have in my head. I'm also still in the situation where all UNIX users are web users, which isn't a problem so much as an indicator of the limitations. Does anyone have any input on this? Has this problem already been solved?

    Read the article

  • How to make AD highly available for applications that use it as an LDAP service

    - by Beaming Mel-Bin
    Our situation We currently have many web applications that use LDAP for authentication. For this, we point the web application to one of our AD domain controllers using the LDAPS port (636). When we have to update the Domain Controller, this has caused us issues because one more web application could depend on any DC. What we want We would like to point our web applications to a cluster "virtual" IP. This cluster will consist of at least two servers (so that each cluster server could be rotated out and updated). The cluster servers would then proxy LDAPS connections to the DCs and be able to figure out which one is available. Questions For anyone that has had experience with this: What software did you use for the cluster? Any caveats? Or perhaps a completely different architecture to accomplish something similar?

    Read the article

  • Changing LDAP schema casts Confluence AD integration unoperable

    - by Maxim V. Pavlov
    I have had our instance of Atlassian Confluence configured to be integrated with our Active Directory. In AD, all the users were being created under default Users folder in Active Directory Users and Computers. We have decided to introduce cleaner separation and have created an Organizational Units structure in AD. Under root we have created Managed OU, and under it - Users OU and all user accounts were moved under Users OU. Now I though that to let the Confluence AD integration engine "know" where to look for user accounts now, I only need to adjust the BaseDN and prepand it with ou=Managed so it is aware that it is looking for cn=Users but under ou=Managed. That didn't work. How should I adjust LDAP schema root in a client application for it to be able to look for users in OU that then in a default folder.

    Read the article

  • Move samba and ldap config to new machine

    - by Mateusz W
    I'm not advanced administrator so this may be n00b question but I'll be grateful for help. I have following problem: I have to move my server (ubuntu server) from old machine to new. I have samba & ldap on old server, so I've copied the configuration files from the old machine to new machine, made smbldap-populate, and when I use smbldap-userlist on the new machine it lists all users from the old machine. But when I try to log in as any of these users, or show its id (id username) I get no such user error. What more I have to do to use these accounts on the new machnie?

    Read the article

  • How to choose which fields are available via LDAP from an Active Directory

    - by Felix Eve
    I'm using PHP to do an ldap search and then pull the attributes out using ldap_get_attributes. This returns an array of data (that can be seen here) however there are some fields that are missing such as Organization Title, department, company, address and telephone number. How to I make these fields available? There is a similar question here: http://www.petri.co.il/forums/showthread.php?t=15227 I've followed the steps outlined there an tried changing some access permissions but am not really sure what I'm doing and can't see any permissions that directly relate to the fields that I can see when I edit a user in the "Active Directory Users Computers" window. I am a PHP developer, not a Windows server administrator so am finding configuring an AD rather challenging so please don't assume any level of knowledge about AD. I've asked the same question on stack exchange but understand this is a more relevant place to ask.

    Read the article

  • LDAP: Need login of application/servers from a certain group only

    - by Geo
    We need to configure LDAP for login to different servers and applications. We have created all users and different groups as follows: dn: dc=ldapserver,dc=local dn: ou=people,dc=ldapserver,dc=local ou: people dn: uid=geo,ou=people,dc=ldapserver,dc=local dn: uid=user,ou=people,dc=ldapserver,dc=local dn: ou=groups,dc=ldapserver,dc=local dn: cn=server,ou=groups,dc=ldapserver,dc=local member: uid=geo,ou=people,dc=ldapserver,dc=local dn: cn=website,ou=groups,dc=ldapserver,dc=local member: uid=user,ou=people,dc=ldapserver,dc=local We need scenario in such a way that the users that are member of server need only login to server (that is geo) and users that are member of website need only login to websites (That is user “user”). Please let me know how we can configure it. For login site we tried by giving DN as cn=website,ou=groups,dc=ldapserver,dc=local and Login Attribute as uid and also member but it is not working. Can anyone please help us on it. Also please let us know is there any other option for accomplish this scenario. Thanks Geo

    Read the article

  • LDAP encrypt attribute that extends userpassword

    - by Foezjie
    In my current LDAP schema I have an objectclass (let's call it group) that has 2 attributes that extend userpassword. Like this: attributeType ( groupAttributes:12 NAME 'groupPassword1' SUP userPassword SINGLE-VALUE ) attributeType ( groupAttributes:13 NAME 'groupPassword2' SUP userPassword SINGLE-VALUE ) group extends organisation so already has a userpassword attribute. If I use that to enter a new group using PHPLDAPAdmin it uses SSHA (by default) and encrypts/hashes the password I entered. But the passwords I entered for groupPassword1 en groupPassword2 don't get encrypted. Is there a way to make it so that those attributes are encrypted too?

    Read the article

  • Super user in LDAP?

    - by John8894
    I am running 10 Linux machines that is doing different types of work. The machines are configured to use LDAP authentication so when one user is configured in slapd he can login on all the machines. To make maintenance easier i want to create a root account in slapd so i can use this instead of the local root accounts when installing applications etc. but i am not sure on how to do this. Is it enough to create a user with the name root and gid/uid 0? should the local root be disabled somehow? I am fully aware that this is normally not a good idea from a security perspective, but as mentioned before this is a special case.

    Read the article

  • Is the sql backend right choice for LDAP?

    - by skomak
    Hi, I have felt some troubles with LDAP dif database after unexpected system reboots. This databse was only read so it is confused why database have had errors. So im searching for replacement of this database. I think SQL would be more reliable. What do you think, is it? I need to know how much performance loss i'll meet then. How many more IOPS(I/O per second) in percentage I loss too. Thanks in advance, skomak

    Read the article

  • RHEL 6.5 and LDAP

    - by zuboje
    I am trying to connect our Active directory server to brand new RHEL 6.5 server. I want to authenticate users using AD credentials, but I want to restrict that only certain users can login, I don't want to allow anybody from AD to connect to it. I would like to use something like this: CN=linuxtest,OU=SecurityGroups,DC=mydomain,DC=local but I am not sure how would I setup OU and CN. I use sssd for authentication and my id_provider = ad. I wanted to use id_provider = ldap, but that did not work at all and RHEL customer service told me to setup this way. But I want to have a little bit more control who can do what. I know I can use this to restrict simple_allow_users = user1, user2, but I have 400+ users, I really don't want to go and type them all. Question is how would I setup OU or CN for my search?

    Read the article

< Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >