AppSync ldap password changes

I have been required to change the password for the ldap account on the AppSync server.

Configure an AP server to allow users to log into AppSync using their LDAP credentials.

Under AppSync > Setting User administration the Distinguished Name

If I change this password is there any other change I need to make?

Also,

I have been instructed to change the account password that was used to configure the Host plug-ins on the Exchange server and the mount hosts. This account is an LDAP account.

Can I just change the password and then perform a rediscovery on the host servers?

My concerns are losing access to the snapshots or, worse, corrupting the database on the AppSync server.

Any help would be greatly appreciated.

Thanks,

Fred


7002943: How to configure GroupWise Clients to send and receive Encrypted and Signed E-Mails using eDirectory User Certificates

Before implementing the solution, have a look at the Notes: section.

1. Create User Certificates

By default, only a user with “Admin” privileges can create User Certificates for users in an eDirectory tree, so perform the following steps as “Admin”.

1.1 Log in as Admin using the Novell Client from the administration workstation

1.2 Launch ConsoleOne, preferably the copy on a NetWare server with the latest Support Pack (Sys:\public\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe)

1.3 Create a couple of test users in the desired eDirectory container (create “Michael Owen” and “John Terry”)

1.4 Create a GroupWise mailbox for both users and set a GroupWise password for both of them (use “novell” as the password)

1.5 Open the properties of the user object “Michael” in the NDS view and select the Security | Certificates page

1.6 Click the Create button and create the User Certificate with the following parameters as you proceed through the wizard

  • Certificate name: First Name of the User
  • Creation Method: Custom
  • Certificate Authority: Organizational Certificate Authority
  • Key Size: 2048 Bits
  • Key Type: Custom (once “Custom” is selected, enable all the check boxes that become highlighted)
  • E-Mail Address: Specify the E-Mail address of the user (this field is filled in automatically for a user with a mailbox)

1.7 Select the certificate, click “Validate” and make sure that the certificate is reported as “Valid”

1.8 Repeat steps 1.5 to 1.7 to create a User Certificate for John.

2. Export User Certificates

Even though a user with “Admin” privileges can create User Certificates for regular users, only the corresponding user can export a certificate together with its private key. So log in as each test user using iManager from a workstation and export the User Certificate with its private key as follows.

2.1 Launch iManager and log in as Michael

2.2 Expand the Role “Directory Administration” and select the Task “Modify Object”

2.3 Browse and select the user Object “Michael” and click on “OK”

2.4 Click the “Certificates” tab, select the certificate and export it along with its private key

2.5 Save the file as “Michael.pfx” on the workstation

2.6 Repeat steps 2.1 to 2.5 by logging in as John and export the certificate for John as “John.pfx”

3. Setup an eDirectory LDAP server

Select an eDirectory server holding Master or Read/Write replicas of all the main partitions as the LDAP server. It is recommended that the LDAP server hold a replica of the Tree [Root] partition for best performance. By default the GroupWise Client queries the LDAP server on port 389 (the default non-secure LDAP port). Make sure that LDAP is listening on port 389 as follows.

3.1 From the administration workstation, log in as Admin using the Novell Client and launch ConsoleOne (launch ConsoleOne from the server so that all the snap-ins needed for LDAP are available)

3.2 Browse to the server context of the desired LDAP server

3.3 Open the properties of the LDAP Group – <Server_Name> object for the desired LDAP server

3.4 On the General | LDAP Group General tab, clear the check box “Require TLS for Simple binds with password”, apply the change and close the properties page. (With this cleared, the server also accepts password-carrying simple binds in cleartext on port 389; the address book entry in step 4 does not log in, so the certificate lookup itself sends no password.)

3.5 Open a server console and reload NLDAP as follows

A. On NetWare

unload nldap

nldap

B. On Linux

nldap -u

nldap -l

3.6 Ensure that LDAP is listening on port 389 using the Novell Import Convert Export (ICE) utility or another commonly used LDAP tool such as LDAP Browser 2.8.2

4. Add the eDirectory LDAP Server in Novell Address Book of GroupWise Client

From here on, use separate workstations for Michael and John. Wherever it says to log in as John or Michael using the Novell Client or GroupWise Client, use that user's workstation. Using separate workstations helps to distinguish the configuration needed for encryption from that needed for signing.

4.1 Log in as Michael using the Novell Client

4.2 Log in as Michael using the GroupWise Client

4.3 Click on Address Book | Novell LDAP Address Book | Directories

4.4 Click Add and add an entry called “eDirectory”, providing the details of the desired LDAP server as follows:

  • Server Address: IP Address of the LDAP server
  • Port: 389 (Default non-secure LDAP port)
  • Server Requires log in: Leave unchecked

4.5 Select “eDirectory”, click the “Set as Default” button and click “Close”

4.6 Check that you are able to look up the user “John” by typing John's E-Mail address in the “E-Mail Address” field and clicking the “Retrieve” button

4.7 If successful, close the Address Book

Don’t define the LDAP server in the GroupWise Client on John’s workstation at this point.

5. Configure GroupWise Client to search eDirectory for encryption Certificate

The sender's GroupWise Client uses the public key of the recipient user to encrypt the E-Mail. Configure Michael's (the sender's) GroupWise Client to search the eDirectory LDAP server for John's public key as follows.

5.1 Log in as Michael using the GroupWise Client

5.2 Click on Tools | Options | Send | Security | Advanced Options

5.3 Enable the Check box “Search recipient encryption certificates in the default LDAP directory defined in LDAP Address Book”

5.4 Click on “OK” and close the “Options” Page

6. Install User Certificate with Private Key in GroupWise Client

Perform the following steps as John (not as Michael).

6.1 Copy the User Certificate for John, John.pfx, to John's workstation

6.2 Log in as John using the GroupWise Client

6.3 Click on Tools | Options | Certificates

6.4 Click Import and install the User Certificate for John, ignoring the “Security Warning”:

  • Certificate file to import: Point to John.pfx
  • Enter password: The password specified when the certificate was exported with its private key
  • Security Warning: Ignore the message (the wizard shows a Security Warning because the certificate is issued by the Organizational Certificate Authority (CA), which is not trusted by default in the way a public CA such as VeriSign is)

6.5 Select the Certificate and click on “Set as Default”

6.6 Click on “OK” and close the “Options” page.

Don’t import the user certificate for Michael into the GroupWise Client on Michael’s workstation at this point.

7. Test Encrypted E-Mail

Michael's GroupWise Client will be able to find John's public key using the configuration done in steps 4 and 5.

7.1 Send Encrypted E-Mail

7.1.1 Log in as Michael using the GroupWise Client

7.1.2 Open a “New Mail” and select John using the Address Book (not the LDAP Address Book)

7.1.3 On the “Mail To:” window, click the Send Options | Security tab and enable the check box “Encrypt for recipients”

7.1.4 Type a few words or a sentence in the message body and/or attach a file, and send the E-Mail

7.1.5 Switch to the “Sent Items” folder and make sure that you can identify the encrypted E-Mail by its “Lock” icon

7.2 Open and verify the Encrypted E-Mail

The recipient's GroupWise Client uses the recipient's private key to decrypt incoming encrypted E-Mails. John's GroupWise Client will be able to open the encrypted E-Mail sent by Michael because the certificate with private key for John was already imported in step 6.

7.2.1 Log in as John using the GroupWise Client

7.2.2 Open the encrypted E-Mail Michael sent and make sure that you can see its contents: the sentence in the message body or the attached file.

7.2.3 Close the encrypted E-Mail

Trying to send an encrypted reply as John will fail because an entry for the eDirectory LDAP server has not yet been added to the Novell LDAP Address Book of John's GroupWise Client. Similarly, Michael will not be able to view the message body or attached file of an encrypted E-Mail from John until the user certificate with private key (Michael.pfx) is imported into Michael's GroupWise Client.

8. Test Signed E-Mail

The GroupWise client uses the sender's private key to send a signed E-Mail. The recipient's GroupWise client searches the LDAP server defined in its LDAP Address Book for the sender's public key to “Validate” the signature on the incoming signed E-Mail. With the configuration done so far, an attempt to send a signed E-Mail as Michael will fail because Michael's private key has not yet been imported into his GroupWise Client. Send a signed E-Mail as John instead, since John's private key is already imported into his GroupWise Client. Proceed as follows.

8.1 Send a Signed E-Mail

8.1.1 Log in as John using the GroupWise Client

8.1.2 Open a “New Mail” and select Michael using the Address Book (not the LDAP Address Book)

8.1.3 On the “Mail To:” window, click the Send Options | Security tab and enable the check box “Sign Digitally”

8.1.4 Type a few words or a sentence in the message body and/or attach a file, and send the E-Mail

8.1.5 Switch to the “Sent Items” folder and make sure that you can identify the signed E-Mail

8.2 Open and Verify the Signed E-Mail

8.2.1 Log in as Michael using the GroupWise Client

8.2.2 Open the signed E-Mail John sent and make sure that the contents of the message body are visible.

8.2.3 Close the Signed E-Mail

Michael will not be able to send a signed E-Mail to John because the User Certificate with private key for Michael has not yet been imported into Michael's GroupWise Client. Similarly, John will not be able to “Validate” the signature on signed E-Mails from Michael until the eDirectory LDAP server is added to the Novell LDAP Address Book of John's GroupWise Client.
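The asymmetry described in sections 7 and 8 (who can encrypt, decrypt, sign and verify after step 6) can be checked in code. The Go program below is an added example, not GroupWise or Novell code and not part of this article: RSA-OAEP and RSA-PSS from Go's standard library stand in for the S/MIME operations the client performs, a map indexed by e-mail address stands in for the eDirectory LDAP lookup of a user's certificate, and the `mailUser` type, the function names and the addresses michael@example.com and john@example.com are all constructed for the example. It reproduces the state the article leaves after step 6 and shows why Michael can encrypt for John and verify John's signature, while John cannot yet encrypt a reply and Michael cannot yet decrypt or sign.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// mailUser models one GroupWise mailbox owner as constructed client state: priv is
// nil until the .pfx is imported (step 6), directory is nil until step 4 is done.
type mailUser struct {
	name      string
	priv      *rsa.PrivateKey
	directory map[string]*rsa.PublicKey // e-mail address -> certificate public key
}

// lookup is the LDAP Address Book search (steps 4 and 5): it fails when the
// client has no directory configured or the directory has no certificate.
func lookup(u *mailUser, mail string) (*rsa.PublicKey, error) {
	if u.directory == nil {
		return nil, errors.New(u.name + ": no eDirectory LDAP server in the LDAP Address Book")
	}
	if pub, ok := u.directory[mail]; ok {
		return pub, nil
	}
	return nil, errors.New("no certificate found in eDirectory for " + mail)
}

// encryptFor (section 7.1): the sender encrypts with the recipient's public key.
func encryptFor(sender *mailUser, recipient string, msg []byte) ([]byte, error) {
	pub, err := lookup(sender, recipient)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decrypt (section 7.2): only the recipient's imported private key opens it.
func decrypt(recipient *mailUser, ct []byte) ([]byte, error) {
	if recipient.priv == nil {
		return nil, errors.New(recipient.name + ": certificate with private key not imported")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, ct, nil)
}

// sign (section 8.1): the sender signs with their own imported private key.
func sign(sender *mailUser, msg []byte) ([]byte, error) {
	if sender.priv == nil {
		return nil, errors.New(sender.name + ": certificate with private key not imported")
	}
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, h[:], nil)
}

// verify (section 8.2): the recipient fetches the sender's public key through
// their own client's directory and checks the signature with it.
func verify(recipient *mailUser, sender string, msg, sig []byte) error {
	pub, err := lookup(recipient, sender)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// setup reproduces the state after steps 1-6: every user's certificate is in the
// directory, Michael's client knows the directory but holds no private key, and
// John's client holds his private key but knows no directory.
func setup() (michael, john *mailUser) {
	dir := map[string]*rsa.PublicKey{}
	keys := map[string]*rsa.PrivateKey{}
	for _, mail := range []string{"michael@example.com", "john@example.com"} { // constructed
		k, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits, as in step 1.6
		if err != nil {
			panic(err)
		}
		keys[mail], dir[mail] = k, &k.PublicKey
	}
	michael = &mailUser{name: "Michael", directory: dir}
	john = &mailUser{name: "John", priv: keys["john@example.com"]}
	return michael, john
}

func main() {
	michael, john := setup()
	msg := []byte("constructed test message")
	ct, err := encryptFor(michael, "john@example.com", msg)
	fmt.Println("Michael encrypts for John:", err)
	pt, err := decrypt(john, ct)
	fmt.Println("John decrypts:", string(pt), err)
	_, err = encryptFor(john, "michael@example.com", msg)
	fmt.Println("John encrypts for Michael (no LDAP directory yet):", err)
	sig, _ := sign(john, msg)
	fmt.Println("Michael verifies John's signature:", verify(michael, "john@example.com", msg, sig))
}
```

Importing Michael.pfx (setting `priv` for Michael) and adding the directory to John's client are the two remaining steps the article defers; once both are done every call succeeds in both directions.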


Auto logout by IP address


I am trying to have entries in the user login table removed. We have a virtual desktop environment and when a person logs out (gracefully or not) the entry in the proxy table remains. It is easy for someone else to log in to the same machine and if the entry remains in the proxy they have access to the Internet under someone else's ID. We are using LDAPS.

This article is close, but I want to send a request to logout all entries from a particular IP address.

https://support.symantec.com/en_US/article.TECH242…

Is there a way to do this?


LDAP Lookup Plugins


Hello All,

I’m having a problem configuring LDAP lookup Plugin.

I’ve tried several syntaxes and still the attributes appear empty in incidents, like:

attr.LDAP givenName = cn=users:(|(givenName=$endpoint-user-name$)(mail=$sender-email$)
(streetAddress=$discoverserver$)):givenName

Also, I’d like to know what the part “sAMAccountName” in the following refers to:

(|(sAMAccountName=$endpoint-user-name$)

I tried everything published in the online help but I couldn’t get it to work; I believe it may be a syntax error, but I’m open to your advice.


Re: Configuring Centrify LDAP Proxy with OneFS 8.0.0.1; HOW TO?

Has anybody successfully setup Centrify LDAP proxy with OneFS?

# isi auth status

ID Active Server Status

——————————————————————————————-

lsa-activedirectory-provider:mycompany.COM mycompanydc99.mycompany.com online

lsa-local-provider:System – active

lsa-local-provider:Private – active

lsa-file-provider:System – active

lsa-ldap-provider:centrifylinux-ldap-proxy.mycompany.com – offline

lsa-ldap-provider:test-proxy – offline

lsa-nis-provider:rhelnis-master.mycompany.com – online

——————————————————————————————-

Total: 7

The LDAP proxy is responding to ldapsearches but the Isilon fails to come online for more than a few seconds.

-D


Ldap filter select user 2 group


I want to select users in 2 groups.

I am using the LDAP filter

(&(&(objectClass=user)(objectCategory=Person))(|(mail=%s)(sAMAccountName=*))(|(memberOf=CN=BKK_M_AJINOMOTO COMPANY (THAILAND) L.SSL-VPN TH,CN=Users,DC=local,DC=ajinomoto,DC=com)(memberOf=CN=BKK_M_INFORMATION SYSTEM_HO.SSL-VPN_TH,CN=Users,DC=local,DC=ajinomoto,DC=com)))

I tested connecting to AD. Symantec shows the username does not match. Please see my image.

How to resolve?

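Both of the threads above hinge on how values are written into an LDAP search filter. The first group DN in the filter quoted above contains the literal parentheses of “(THAILAND)”, and RFC 4515 requires `(`, `)`, `*`, `\` and NUL inside an assertion value to be escaped as `\28`, `\29`, `\2a`, `\5c` and `\00`; without that, a strict parser reads the `(` as the start of a nested filter, so this is one thing to rule out. The same escaping is what a value substituted for a placeholder such as `$endpoint-user-name$` in the LDAP Lookup Plugins thread needs before it is dropped into the filter. The Go program below is an added example, not code from either product or either poster: `escapeFilterValue`, `checkFilter` and `buildFilter` are constructed names, the `$name$` placeholder convention is borrowed from the lookup-plugin thread, and `%s` is left untouched as the product's own username token. It parses the filter structure, reports the unescaped parenthesis, and rebuilds the two-group filter with the DNs escaped.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping: '(', ')', '*', '\' and NUL in an
// assertion value become \XX hex escapes so they are data, not filter syntax.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		if strings.IndexByte("()*\\\x00", c) >= 0 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// filterParser is a recursive-descent check of the RFC 4515 structure
// filter = "(" ( ("&" / "|" / "!") 1*filter / attr "=" value ) ")".
// Attribute names, matching rules and the hex digits after '\' are not checked.
type filterParser struct {
	s string
	i int
}

func (p *filterParser) parseFilter() error {
	if p.i >= len(p.s) || p.s[p.i] != '(' {
		return fmt.Errorf("offset %d: expected '('", p.i)
	}
	p.i++
	if p.i < len(p.s) && strings.IndexByte("&|!", p.s[p.i]) >= 0 {
		n := 0
		for p.i++; p.i < len(p.s) && p.s[p.i] == '('; n++ {
			if err := p.parseFilter(); err != nil {
				return err
			}
		}
		if n == 0 {
			return fmt.Errorf("offset %d: operator needs a nested filter", p.i)
		}
	} else if err := p.parseItem(); err != nil {
		return err
	}
	if p.i >= len(p.s) || p.s[p.i] != ')' {
		return fmt.Errorf("offset %d: expected ')'", p.i)
	}
	p.i++
	return nil
}

// parseItem consumes attr=value; an unescaped '(' in the value is what the
// parenthesised group name in the thread's filter triggers.
func (p *filterParser) parseItem() error {
	start := p.i
	for p.i < len(p.s) && strings.IndexByte("=()", p.s[p.i]) < 0 {
		p.i++
	}
	if p.i == start || p.i >= len(p.s) || p.s[p.i] != '=' {
		return fmt.Errorf("offset %d: expected attribute=value", start)
	}
	for p.i++; p.i < len(p.s) && p.s[p.i] != ')'; p.i++ {
		switch p.s[p.i] {
		case '(':
			return fmt.Errorf("offset %d: unescaped '(' in an assertion value", p.i)
		case '\\':
			p.i += 2 // skip the two hex digits of an escape such as \28
		}
	}
	return nil
}

// checkFilter reports the first reason a string is not a well-formed filter.
func checkFilter(f string) error {
	p := &filterParser{s: f}
	if err := p.parseFilter(); err != nil || p.i == len(f) {
		return err
	}
	return fmt.Errorf("offset %d: trailing characters after filter", p.i)
}

// buildFilter fills $name$ placeholders (the convention quoted in the lookup
// plug-in thread) with escaped values, then validates the result.
func buildFilter(tmpl string, vars map[string]string) (string, error) {
	for k, v := range vars {
		tmpl = strings.ReplaceAll(tmpl, "$"+k+"$", escapeFilterValue(v))
	}
	if err := checkFilter(tmpl); err != nil {
		return "", err
	}
	return tmpl, nil
}

func main() {
	fmt.Println(buildFilter("(cn=$name$)", map[string]string{"name": "Smith (Contractor)"}))
}
```

Run against the filter from the thread, `checkFilter` stops at the first `(` of “(THAILAND)”; passing the two group DNs through `buildFilter` as `$g1$` and `$g2$` placeholders produces the same filter with `\28THAILAND\29` in place of the raw parentheses.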


Validating security code only


To authenticate users in the VIP service, the enterprise gateway will forward the username and password to the AD/LDAP server and the security code will be forwarded to VIP services for validation.

If I wanted to only validate the security code (without username and password) using only the enterprise gateway and validation server, will this work?

What will be the configuration steps?


7023494: iMonitor cache statistics are incorrect if hit count exceeds 4GB

Using LDAP cn=monitor data, we can see that the values in eDirectory are valid and do not roll over at the 4,294,967,296 boundary (32-bit integer); this is just an issue with iMonitor's handling of the data.

cn=Hits,cn=CacheStatistics,cn=RecordManager,cn=Monitor

cn=CacheFaults,cn=CacheStatistics,cn=RecordManager,cn=Monitor

As a workaround, either clear the statistics and monitor afresh (it will take some time to reach the 4,294,967,296 limit again), or retrieve the values using an LDAP browser and perform the calculation manually.


InsightIQ 4.1: Configuring Active Directory authentication

Article Number: 494592 Article Version: 4 Article Type: How To



Isilon, Isilon InsightIQ

InsightIQ configuration:

  1. Log in to InsightIQ web administration interface.
  2. Click SETTINGS tab.
  3. Click Users on the SETTINGS ribbon.
  4. Click Configure LDAP.
  5. Check Enable LDAP. Enabling LDAP allows you to edit the remaining fields on this page.
  6. Type the Active Directory (AD) server (Domain Controller) URI into the LDAP server field. The server URI should begin with ldap:// or ldaps://. The port is optional.
  7. Type the Base Search Entry: the Distinguished Name (DN) of the entry at which searches start. If your AD domain is domain.com, your DN would be dc=domain,dc=com.
  8. Type the AD server credentials in the Bind entry and Bind password fields. The Bind Entry should have the format “user@domain”, for example ldap_service@emc.com.
  9. Click the link Show optional settings.
  10. Type user into the Object Class for users field (the attribute that defines a user on this server).
  11. Type group into the Object Class for groups field (the attribute that defines a group on this server).
  12. Click Submit.

Active Directory server configuration:

**NOTE** InsightIQ 4.1.2 supports logging in via sAMAccountName.

If you are running InsightIQ 4.1.2, you do not need to configure the gidNumber or uid attributes in your Active Directory server.

On the Active Directory server, confirm the following attributes for groups and users.

1. Groups have to have a valid, configured gidNumber attribute.

2. Users have to have their uid set, and it should be the same as their sAMAccountName attribute.

Tools, resources used while reproducing the issue/configuration in a lab environment:

  • IIQ 4.1 vm
  • Windows 2012 AD
  • Wireshark to verify IIQ LDAP requests and responses from AD
  • Softerra LDAP Browser to verify the LDAP / AD servers' Distinguished Names and the user and group attributes

To verify group and user attributes in Active Directory:

  1. Log in to Domain Controller.
  2. Go to Active Directory Users and Computers.
  3. Click the View tab.
  4. Click/check Advanced Features.
  5. Navigate to Users and open Properties window of related group or user.
  6. Navigate to and click on the Attribute Editor.
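Checking the two attribute requirements by hand in Attribute Editor does not scale past a handful of accounts. The Go program below is an added example, not InsightIQ or EMC code: it reads a minimal LDIF export of the users and groups (such as an ldifde dump or an LDAP-browser export, assumed here to have one attribute per line) and reports every group without a numeric gidNumber and every user whose uid is missing or differs from sAMAccountName, which is exactly what the pre-4.1.2 requirements above ask for. The `sampleLDIF` data for a fictional domain.com and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ldifEntry is one directory object; attribute names are lower-cased on load.
type ldifEntry struct {
	dn    string
	attrs map[string][]string
}

// parseLDIF reads a minimal LDIF export (ldifde or an LDAP browser dump): "dn:"
// starts an entry and "attr: value" lines follow. Continuation lines and
// base64 ("attr::") values are not handled.
func parseLDIF(src string) []ldifEntry {
	var out []ldifEntry
	for _, l := range strings.Split(src, "\n") {
		name, val, ok := strings.Cut(strings.TrimRight(l, "\r"), ":")
		val = strings.TrimSpace(val)
		switch {
		case !ok || strings.HasPrefix(l, "#"):
			continue // blank, comment or malformed line
		case strings.EqualFold(name, "dn"):
			out = append(out, ldifEntry{dn: val, attrs: map[string][]string{}})
		case len(out) > 0:
			k := strings.ToLower(name)
			out[len(out)-1].attrs[k] = append(out[len(out)-1].attrs[k], val)
		}
	}
	return out
}

func (e ldifEntry) first(attr string) string {
	if v := e.attrs[attr]; len(v) > 0 {
		return v[0]
	}
	return ""
}

func (e ldifEntry) hasClass(class string) bool {
	for _, v := range e.attrs["objectclass"] {
		if strings.EqualFold(v, class) {
			return true
		}
	}
	return false
}

// checkInsightIQAttrs applies the article's two requirements for releases before
// InsightIQ 4.1.2: groups need a numeric gidNumber; users need uid set and equal
// to sAMAccountName. Computer objects (also objectClass user) are skipped.
func checkInsightIQAttrs(entries []ldifEntry) []string {
	var problems []string
	for _, e := range entries {
		switch {
		case e.hasClass("group"):
			if g := e.first("gidnumber"); g == "" || strings.Trim(g, "0123456789") != "" {
				problems = append(problems, e.dn+": missing or non-numeric gidNumber")
			}
		case e.hasClass("user") && !e.hasClass("computer"):
			uid, sam := e.first("uid"), e.first("samaccountname")
			if uid == "" {
				problems = append(problems, e.dn+": uid not set")
			} else if uid != sam {
				problems = append(problems, fmt.Sprintf("%s: uid %q differs from sAMAccountName %q", e.dn, uid, sam))
			}
		}
	}
	return problems
}

// sampleLDIF is a constructed export for a fictional domain.com, not article data.
const sampleLDIF = `dn: CN=Alice Example,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: aexample
uid: aexample

dn: CN=Bob Example,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: bexample

dn: CN=Carol Example,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: cexample
uid: carol

dn: CN=IIQ Readers,CN=Users,DC=domain,DC=com
objectClass: group
`

func main() {
	for _, p := range checkInsightIQAttrs(parseLDIF(sampleLDIF)) {
		fmt.Println(p)
	}
}
```

On the sample data Alice passes, Bob is reported for a missing uid, Carol for a uid that differs from her sAMAccountName, and the IIQ Readers group for a missing gidNumber; on a real export, feed the output to whoever owns the directory before enabling LDAP in InsightIQ.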
