Re: Configuring Centrify LDAP Proxy with OneFS 8.0.0.1; HOW TO?

Has anybody successfully set up the Centrify LDAP proxy with OneFS?

# isi auth status
ID                                                         Active Server                 Status
——————————————————————————————-
lsa-activedirectory-provider:mycompany.COM                 mycompanydc99.mycompany.com   online
lsa-local-provider:System                                  –                             active
lsa-local-provider:Private                                 –                             active
lsa-file-provider:System                                   –                             active
lsa-ldap-provider:centrifylinux-ldap-proxy.mycompany.com   –                             offline
lsa-ldap-provider:test-proxy                               –                             offline
lsa-nis-provider:rhelnis-master.mycompany.com              –                             online
——————————————————————————————-
Total: 7

The LDAP proxy is responding to ldapsearches, but the Isilon fails to come online for more than a few seconds.

-D

Related:

LDAP Authentication returning “bad user” error

I’m trying to get LDAP authentication to AzureAD set up with a ProxySG server, but I can’t get past a “bad user name” error.

Using the 6.2 admin guide for my steps. I’ve added, taken down, and re-added the details multiple times at this point and am not sure what I’m missing. Are there any known issues connecting to an AzureAD?

Related:

What actions are associated with the operations “updateUser”?

A user’s account has an operation entry for “updateUser” with a Status Code of “0” and a Status Message of “Success”.

  1. Is this operation caused by an end user or an administrator?
  2. Is this operation caused by an automated process within VIP Access Manager and its LDAP connectivity?
  3. What actions cause the “updateUser” operation entry?

I am unable to find documentation on VIP Access Manager that defines the operation messages or terminology used by the application.

  • If this exists, please share it with me so I don’t have to ask these inane questions.
  • If this doesn’t exist, come on Symantec….

Related:

How to Use sAMAccountName and userPrincipalName at Same Time for User Logon with Active Directory

Make two LDAP server profiles pointing to the same LDAP server IP. All the values in the configuration should be the same except one: the Server logon name attribute differs between the two profiles. One has ‘sAMAccountName’ and the other has ‘userPrincipalName’.

Now when a user tries to log in with ‘domainusername’, they will be authenticated by the LDAP profile using ‘sAMAccountName’. When they use their email ID, they will be allowed in by the other LDAP profile.

To know how to create and bind LDAP authentication profiles please follow the instructions of this article: https://support.citrix.com/article/CTX108876
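The two-profile cascade described above, as an added example that is not Citrix's code: a constructed in-memory directory stands in for the AD server, the profile names and user entries are assumptions, and the filter builder escapes the logon name per RFC 4515 so a user-supplied value cannot change the filter's meaning.

```python
"""Added example, not from the Citrix article: models two LDAP profiles that are
identical except for the server logon name attribute, and the order in which a
logon name is tried against them. A constructed directory replaces AD."""

# Constructed sample entries (stand-ins for real AD user objects).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com",
     "dn": "CN=J Doe,OU=Users,DC=example,DC=com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com",
     "dn": "CN=A Smith,OU=Users,DC=example,DC=com"},
]

# Two profiles (names assumed), differing only in the logon name attribute.
PROFILES = [
    ("LDAP_sAM", "sAMAccountName"),
    ("LDAP_UPN", "userPrincipalName"),
]


def escape_filter_value(value):
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX so the logon name can
    only ever be compared as data, never alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(attr, logon_name):
    """The search filter a profile with logon attribute `attr` would send."""
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(logon_name))


def search(attr, logon_name):
    """Exact, case-insensitive match, which is how AD compares these attributes."""
    return [e for e in DIRECTORY if e[attr].lower() == logon_name.lower()]


def authenticate_lookup(logon_name):
    """Try the profiles in bind order; return (profile_name, user_dn) for the first
    one whose search yields exactly one user, or (None, None) if none matches."""
    for name, attr in PROFILES:
        hits = search(attr, logon_name)
        if len(hits) == 1:
            return name, hits[0]["dn"]
    return None, None
```

A plain account name is resolved by the sAMAccountName profile and an email-style name by the userPrincipalName profile; a name containing wildcards is escaped rather than matched.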

Related:

Data Protection Advisor 6.4 : Unable to use 2 Factor authentication with LDAP in DPA

Article Number: 502102   Article Version: 3   Article Type: Break Fix

Data Protection Advisor 6.2, Data Protection Advisor 6.2 SP1, Data Protection Advisor 6.2 SP2, Data Protection Advisor 6.2 SP3, Data Protection Advisor 6.3, Data Protection Advisor 6.4

LDAP login to DPA fails when using 2 Factor Authentication.

LDAP 2 Factor Authentication is not supported in DPA.

This is not a currently supported feature in DPA, and there is no resolution for this issue at this time.

If this feature is required in the environment, a Request For Enhancement (RFE) will need to be filed in order to have the feature added to DPA in the future. Please contact the local Dell EMC account team to file the RFE and provide updates on its status.

Please contact Dell EMC Technical Support for further details or information.

Related:

7023371: Unable to change AD password if using restricted (non-domain Admin) rights

This document (7023371) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager Driver – Active Directory

Situation

Error when changing a user’s password in Active Directory when using a user with only limited rights in Active Directory. When using a user with Domain Admin rights in Active Directory, the password is changed successfully.
Error is as follows:
<output>
<status level="error" type="driver-general" event-id="....">
<message>Password set failed.</message>
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
<server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="5"/>
</ldap-err>
</status>
</output>

Resolution

This may be caused if the user does not have all the rights needed to change the password.
With Windows Server 2016, you may find that additional rights are needed.
Also, depending on your security policies, changes may be needed.
Below is one possible configuration that may work depending on the setup of the domain. Because of the countless ways a domain may be configured and the ways a driver may be configured, only suggestions can be made.
Grant the user the following permissions:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set
  • Replication synchronization
Also grant the following delegation:
  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
It may also be caused if the user had ever been a member of a domain admin group or other security group that caused the user to receive the attribute adminCount=1 in Active Directory. Even if the user is later removed from the security group, the attribute will often remain on the user.
Here is a command to check the user from a PowerShell prompt (it requires the ActiveDirectory module):
Get-ADUser <username> -Properties adminCount
If adminCount is set to 1, you will not be able to change the password unless the driver is using a domain admin account.
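As an added example (not part of the NetIQ TID or the driver), a parser for the driver's <status> error block shown in the Situation section, combined with the target user's adminCount value into the two causes the resolution describes; the XML is reconstructed from the article with a placeholder event-id, and the function names are assumptions.

```python
"""Added example, not from the NetIQ TID: parse the AD driver's <status> error
and pair it with adminCount to point at the likely cause of a failed password set."""
import re
import xml.etree.ElementTree as ET

# Constructed from the error in the TID; the event-id is a placeholder.
SAMPLE_STATUS = """<output>
<status level="error" type="driver-general" event-id="PLACEHOLDER-EVENT-ID">
<message>Password set failed.</message>
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
<server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="5"/>
</ldap-err>
</status>
</output>"""

# AD SecErr text: "<win32 hex>: SecErr: DSID-<id>, problem <n> (<NAME>), data <n>"
SECERR_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): SecErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)")


def parse_status(xml_text):
    """Return the LDAP result code, Win32 code and AD problem code from a <status> block."""
    status = ET.fromstring(xml_text).find("status")
    ldap_err = status.find("ldap-err")
    m = SECERR_RE.match(ldap_err.findtext("server-err", "").strip())
    return {
        "level": status.get("level"),
        "message": status.findtext("message"),
        "ldap_rc": int(ldap_err.get("ldap-rc")),
        "ldap_rc_name": ldap_err.get("ldap-rc-name"),
        "win32_rc": int(ldap_err.find("server-err-ex").get("win32-rc")),
        "dsid": m.group("dsid") if m else None,
        "ad_problem": int(m.group("problem")) if m else None,
        "ad_problem_name": m.group("name") if m else None,
    }


def diagnose(parsed, admin_count):
    """Map the TID's two causes: rc 50 with adminCount=1 means the target user is
    AdminSDHolder-protected; rc 50 otherwise means the driver account lacks rights."""
    if parsed["ldap_rc"] != 50:
        return "not an insufficient-rights error"
    if admin_count == 1:
        return "target user has adminCount=1; delegated rights do not apply to protected accounts"
    return "driver account lacks the replication or delegation rights listed in the TID"
```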

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

7023291: SSPR Users locked out after LDAP certificates are updated


Environment

Self Service Password Reset
SSPR 4.x

Situation

Error 5017 authenticating to SSPR
Error 5059 – A certificate error has been encountered
Directory unavailable after certificates on the LDAP server were updated
Users unable to login after updating certs on LDAP server

Resolution

Reset the LDAP certificates by deleting and re-importing them through the SSPR Config Editor.
Steps if using the SSPR Appliance:
  1. Open the SSPR Appliance (port 9443): https://server.whatever.com:9443
  2. Open Administrative Commands
  3. Select Unlock configuration
  4. Open the SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  5. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  6. Select Clear
  7. Select Import from server
  8. Save Changes
  9. Go back to the appliance (port 9443): https://server.whatever.com:9443
  10. Open Administrative Commands
  11. Select Lock configuration
Steps if using Linux (.war) or Windows (.msi) implementations of SSPR:
  1. Edit SSPRConfiguration.xml and set "configIsEditable" to true. It should look like this: <property key="configIsEditable">true</property> (for more detail see TID 7014954, "SSPR config manager not available", at https://www.novell.com/support/kb/doc.php?id=7014954)
  2. Open the SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  3. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  4. Select Clear
  5. Select Import from server
  6. Save Changes


Related:

How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices

  • On the Secondary Authentication Policies, add the LDAP_Mobile policy as top priority, followed by the RSA_NonMobile policy as secondary priority.

    Important! The session policy must have the correct Single Sign-on Credential Index, that is, it must be the LDAP credentials. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary, which is LDAP.

    Therefore you need two session policies, one for mobile devices and the other for non-mobile devices.

    For mobile devices the session policy and session profile look as shown in the original screenshot (screenshot not included in this page).

    To create a session policy, navigate to the required virtual server, click Edit, go to the policy section and click the + sign.

    Choose the Session option from the drop-down.

    Enter the desired Session Policy name and click + to create a new profile. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary, which is LDAP.

    For non-mobile devices follow the same steps. Credential Index under Session Profile > Client Experience should be set to Primary, which is LDAP.

    The expression should be changed to:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

    To create a new profile for the non-mobile user, click the + sign.