Shared Services is a component of the “foundation services”.  It is the mechanism that provides a common framework for user security and administration.  It is the first component that is installed in an installation.  Once up and running, all Hyperion products and modules “plug-in” to this base.  Shared Services provides a single interface to:

1. Define Eternal Authentication providers (ie – corporate LDAP, MSAD, etc)
2. Provision Users and Groups
3. Life Cycle Management (promotion of artifacts between DEV and PROD)

Products communicate with Shared services though a common API which allows all the products to employ true single sign-on between the products.

Shared Services components

There are 4 major components of what we collectively call Shared Services:

1. Shared Services web server.  The Web Server for the Shared Services communication and interface.  Default URL and port is http://<server>:58080/interop
2. Native Directory.  A small file-based OpenLDAP directory that comes with Shared Services to store provisioning information
3. Relational Repository.  A small relational database (ie Oracle, SQL Server, etc) that stores location information
4. Corporate External Authentication (optional).  Your (already existing) corporate external authentication mechanism.

If you do not have a corporate external authentication provider you can use the provided Native Directory to create users and passwords to provision.  However, doing this puts you into the password and account maintenance business. If you do have one, you will want to use it, as that will be taken care of for you. Shared Services will not store passwords of externally authenticated users, it simply forwards on the ID/Password combination to the provider for a thumbs-up or thumbs-down. You can have multiple user directories configured and set a search order for them.

The Native directory holds user IDs and Passwords of Natively authenticated users, provisioning information for all users, and tracks user-group relationships.  Again, this is stored in the OpenLDAP repository that comes with Shared Services. The OpenLDAP that comes with HSS  is a simple file-based database that is in LDAP format which runs on port 58089.  You can actually use an LDAP browser and connect to OpenLDAP and browse around using a base DN of dc=css,dc=hyperion,dc=com.

The relational component is a separate database (or schema in Oracle) that holds registration information about the products in the environment.

The following diagram summarizes the components.  Again, the corporate LDAP authenticates the user (are they who they say they are), the relational holds product registration information (can they access this particular product), and the native directory handles authorization (do they have permission to do what they are requesting to do in this product).

Provisioning users and Groups

The User Management console using the URL http://<server>:58080/interop is used to provision users.  Provisioning is the process of granting access to users to certain products and services.  Here we browse through the users, and provision Henry for the BBB Essbase Application and the Finsrvs FDM application, and the TotPlan Planning Application.

The Process of Authentication

Once a product is registered with Shared Services, it receives and stores location of the user directories.  So when a user logs into a product, the process is as follows:

1. The user enters the ID and Password into the product log-in screen
2. The product queries all the configured user directories to verify the credentials.  Upon success, the user is authenticated.
3. Once authenticated, the product contacts Shared Services to lookup the provisioning information of the user to see if the user has been given the access to the product and service.
4. SSO is enabled for this user now for the rest of the products they are provisioned for.

What This Means for our System Administrator Brethren

1. Shared Services must be the first to be installed and configured
2. Shared Services must be the first to be started (along with OpenLDAP).  Note:  it can take a while for Shared Services to come up.  Make sure you wait a while and check that HSS is all the way up by going to the URL before starting the other services)
3. Shared Services is a single point of failure for all Hyperion Products.
4. You must be diligent in backing up Shared Services, including
   • Shared Services relational database
   • OpenLDAP (see the backup/recovery guide ....there is a utility that backs up the OpenLDAP directory)

I expect you know JMS so the following code excerpts are not complete compilable examples. Client has some initialization code:

queueConnection = queueConnectionFactory
  .createQueueConnection("mqm", "mqm");
queueSession = queueConnection
  .createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
queueSender = queueSession
  .createSender(requestQueue);

Request queue is looked up in the JNDI - in my case it was the LDAP with following object for the queue (LDIF):

dn: cn=request.q, ...
objectClass: javaContainer
objectClass: javaObject
objectClass: javaNamingReference
objectClass: top
javaReferenceAddress: #0#VER#1
javaReferenceAddress: #1#DESC#Request Q
javaReferenceAddress: #2#EXP#0
javaReferenceAddress: #3#PRI#-1
javaReferenceAddress: #4#PER#-1
javaReferenceAddress: #5#CCS#1250
javaReferenceAddress: #6#TC#1
javaReferenceAddress: #7#ENC#273
javaReferenceAddress: #8#QU#SERVICE_REQ
javaReferenceAddress: #9#QMGR#
javaClassName: com.ibm.mq.jms.MQQueue
javaFactory: com.ibm.mq.jms.MQQueueFactory
cn: request.q

Message is sent in the following code:

queueSender.setTimeToLive(MAX_RETAIL_TIMEOUT / 2);
queueSender.getTimeToLive();
queueSender.send(jmsMsg);
jmsMsg.getJMSExpiration();

The trouble is that while getTimeToLive really returns some number (in ms), getJMSExpiration that should return the timestamp when the message expires returns zero instead. And really - the message never expires. Something is wrong when sender claims the time-to-live is set but it actually is not. It was funny to find out that the same code works perfectly fine in EJB container - getJMSExpiration returns real timestamp and the message is removed from the queue as expected. It took me some time to find out the difference in the debug process.

QueueSender in application server (Glassfish was used) is implemented by the com.sun.genericra.outbound.MessageProducerProxy and this object holds actual com.ibm.mq.jms.MQQueueSender while in outside of the container there is no genericjmsra proxy in the way - but this wasn't the problem. IBM's class holds something called queueSpec. In appserver it was:

queue:///SERVICE_REQ?targetClient=1

While in the standalone JVM:

queue:///SERVICE_REQ?expiry=0&priority=-1&persistence=-1&CCSID=1250&targetClient=1

I was suddenly very suspicious whether parameters in that URL don't override my programmatic settings on the queue sender. And where they come from? Yeah, you can guess - they are part of the queue object reference in the LDAP. Queue for appserver was stored in its JNDI and it was configured some other way. So I tried to modify my LDAP object to remove values with EXP (and some other along the way) of the attribute javaReferenceAddress:

dn: cn=reqest.q, ...
objectClass: javaContainer
objectClass: javaObject
objectClass: javaNamingReference
objectClass: top
javaReferenceAddress: #0#VER#1
javaReferenceAddress: #1#DESC#Request Q
javaReferenceAddress: #2#PER#-1
javaReferenceAddress: #3#CCS#1250
javaReferenceAddress: #4#TC#1
javaReferenceAddress: #5#QU#SERVICE_REQ
javaReferenceAddress: #6#QMGR#
javaFactory: com.ibm.mq.jms.MQQueueFactory
javaClassName: com.ibm.mq.jms.MQQueue
cn: request.q

Yup, my code started to work. In case you want some command to check the Websphere MQ as well, you can try this one from samples (here on Solaris, should work on other UNIX too):

$ cd /opt/mqm/samp/bin
$ ./amqsbcg AS4_DOMPAY_REQ

AMQSBCG0 - starts here
**********************

  MQOPEN - 'AS4_DOMPAY_REQ'

  MQGET of message number 1

****Message descriptor****
  StrucId  : 'MD  '  Version : 2
  Report   : 0  MsgType : 1
  Expiry   : 15  Feedback : 0

... the rest is not important

Expiry value -1 means "never expire". This message also disappeared after another few seconds. That was what I wanted. What is the point behind my unlucky LDAP configuration? First - I don't know if it's correct when queue sender returns some time-to-live but it actually doesn't work in the end. I don't know how this works with another JMS providers. I don't care. I just googled the whole damned Internet to finally get to the result on my own. If you have searched for the problem, found this and it would helped, be my guest.

via IBM - Configuring SSO between WebSphere Portal and Lotus Sametime when each use a different user directory.

I would like to throw my two cents in as the developer backstopping both the sales engineer doing the POC and the SI putting together the production system.

IdM POCs and the following rollout are very difficult for two main reasons. First the customer is often already in a bad way and is looking for a magic bullet. The IdM salesman has sold him on the IdM product as a most magical bullet that will make their problems go away. Solve all your identity problems! Out of the box! Easy as pie! The winner of the POC is often the sales engineering who makes their demo closest to this fantasy as possible. Then the brunt of making that fantasy a reality falls on the SI, and depending on the size and motivation of the vendor, the product development team.

This is a very bad way for an enterprise to solve their identity problems. Lost is the trade-off analysis that should be happening. For example when the POC focuses on provisioning Unix accounts, there is never any discussion about externalizing the identity (via a PAM or similar framework) rather than synchronizing it. This kind of logic leads to deployments that are difficult to maintain, don't scale, and need major follow on investments as the IT infrastructure changes. Instead of doing a POC of who has "The Most Magical Bullet", enterprise would be better suited to craft a long term IdM strategy and chose a vendor whose product best aligns with it.

The second reason IdM POCs are so difficult is that so few IT systems support externalized identity. This is an old hobby-horse of mine, but everyone who has done IdM POCs knows the pain I am talking about. And of course there are little in the way of identity standards deployed in most enterprise system, with the exception of LDAP (or at least the AD flavor of it).

Until those two thing change, IdM POCs will continue to be difficult. And the vendor with the Most Magical Bullet will continue to win, often to the long-term detriment of the customer.

This article assumes you already have a functioning Windows 2003 server running AD.What is Ubuntu?

Ubuntu is a community driven distribution of Linux, with flavors suitable for both Desktops and Servers. It's based on Debian, and uses the same .deb package system. In most cases, any Debian package will work on Ubuntu.

Download & Install Ubuntu

Download the server edition of Ubuntu from the official site. The site offers a selection of mirrors ot choose from. Once downloaded, assuming you are on a windows machine, burn the ISO to CD using something like the lightweight and free ISO Recorder.

Installing Ubuntu is pretty painless. It's all basic options such as country, keyboard layout, and finally you are presented with a short list of generic server environments to choose from such as LAMP, Mail, DNS, etc. Out of these, the only one you should choose is OpenSSH Server.

What is Likewise Open?

Likewise Open allows you to integrate Linux, UNIX and Mac computers with Active Directory, without having to change your LDAP schema or mess around with NIS.

Download and Install Likewise Open

You can get the latest copy of Likewise Open from their site. Make sure you get the latest Debian package (32 bit or 64 bit to match your install). the package is self executing. After downloading, add execute permissions (chmod +x filename) and run it. It needs root privileges, so it will need to be run with sudo or as root. Once you've installed, a simple one line command will join you to the domain:

/opt/likewise/bin/domainjoin-cli join domainName ADjoinAccount

Configuring Likewise

Most configuration variables are set in the file "/etc/likewise/lsassd.conf&quot;. You can customise the login shell, the home directory template, set a character to replace spaces. Example:

login-shell-template = /bin/bash
homedir-template = /home/%D/%U
separator-character = ^

Login

And finally, you can login to your machine as a domain user. Remember to use the &quot;DOMAIN\user&quot; syntax, in the same way you would on a Windows machine. If you are connecting to it from a Linux command prompt remotely (eg via SSH), you will need to escape the backslash eg: &quot;DOMAIN\\user&quot;.

Full guides are produced by Likewise in PDF form. There is a 10-minute setup guide and an Installation and Admin guide.

I call these subroutines when opening and closing ADODB Sessions.

Note: The Strings 'oRoot,sBase,sDepth,Conn,Comm,sDomain' need to be PUBLIC Strings. (Declared at the top of the script.)

E.g.

Dim oRoot,sDomain,Conn,Comm,sBase,sDepth

When opening the session/connection you need to pass the "Context" of the container required.
Once completed you just need to call the 'ADODisconnect' to clean up the connection.

See below.

Sub ADOConnect(Context)
Set oRoot = GetObject("LDAP://rootDSE")
sDomain = oRoot.Get(Context)
Set oDomain = GetObject("LDAP://" & sDomain)
Set Conn = CreateObject("ADODB.Connection")
Set Comm = CreateObject("ADODB.Command")
sBase = "<" & oDomain.ADsPath & ">"
sDepth = "subTree"
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Comm.ActiveConnection = Conn
Comm.Properties("searchscope") = 100
Comm.Properties("Page Size") = 1000
Comm.Properties("Cache Results") = False
Comm.CommandTimeout = 15
End Sub
Sub ADODisconnect()
Set oRoot = Nothing
Set oDomain = Nothing
Set Conn = Nothing
Set Comm = Nothing
sDomain = ""
sBase = ""
sDepth = ""
End Sub

An example of using these subroutines would be to connect to AD by passing the correct context to the ADOConnect Sub and then using an LDAP filter pull the displayName attribute from a user object.

Note: Replace "UserCN" with a valid user object 'common name'.

See Below.

Dim oRoot,sDomain,Conn,Comm,sBase,sDepth
sFilter = "(cn=UserCN)"
Call ADOConnect("defaultNamingContext")
sAttribs = "distinguishedName"
sQuery = sBase & ";" & sFilter &  ";" & sAttribs & ";" & sDepth
Comm.CommandText = sQuery
 Set rs = Comm.Execute
  If Not rs.eof Then
   rs.MoveFirst
   Set oUser = GetObject("LDAP://" & rs("distinguishedName") )
   WScript.Echo "User: " & oUser.displayName
  Else
   Wscript.Echo "User Not Found"
  End If
Set oUser = Nothing
rs.close
ADODisconnect()
WScript.Quit

Sub ADOConnect(Context)
Set oRoot = GetObject("LDAP://rootDSE")
sDomain = oRoot.Get(Context)
Set oDomain = GetObject("LDAP://" & sDomain)
Set Conn = CreateObject("ADODB.Connection")
Set Comm = CreateObject("ADODB.Command")
sBase = "<" & oDomain.ADsPath & ">"
sDepth = "subTree"
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Comm.ActiveConnection = Conn
Comm.Properties("searchscope") = 100
Comm.Properties("Page Size") = 1000
Comm.Properties("Cache Results") = False
Comm.CommandTimeout = 15
End Sub

Sub ADODisconnect()
Set oRoot = Nothing
Set oDomain = Nothing
Set Conn = Nothing
Set Comm = Nothing
sDomain = ""
sBase = ""
sDepth = ""
End Sub

Hope this helps.

I often utilize this technique when I am disabling a users mailbox in Active Directory.  One step during the disablement process is to remove a users mail enabled group memberships; this limits delivery failures while the account is retained in AD for a cool off period.  The XML files created during the disablement process are kept until the account is removed from Active Directory.

To export a users details we use an ADODB connection to AD, and locate the users account using LDAP. Once the account is retained in a 'Record Set', you can save the appropriate properties into a String. The XML formatting is added to the String during the export of properties from the 'Record Set'. Once the String build is completed, the String is written to a file with a .XML extension.

This resultant file can then be parsed in the future using the XML-DOM object.

(I will go over an example of that in another article.)

So to the code,

On Error Resume Next
Dim StrXML, XMLFile, OutFile, StrArg
Const ForReading = 1
Const ForWriting = 2
Set oFSO = CreateObject("Scripting.FileSystemObject")
StrXML = ""
StrXML = StrXML & "<?xml version="&Chr(34)&"1.0"&Chr(34)&_
" encoding="&Chr(34)&"UTF-8"&Chr(34)&"?>"&vbNewLine
StrArg = InputBox("Please Enter Users 'Common Name'","Input Request")
If StrArg = "" Then
Call MsgBox("'Common Name' was not entered.",16,"Status")
End If
StrXML = StrXML & "<UserDump Date = '"&Now&"'>"&vbNewLine
StrXML = StrXML & GetUserData(StrArg)
StrXML = StrXML & "</UserDump>"&vbNewLine
XMLFile = "C:\"&StrArg&"_"&Month(Date)&"_"&Day(Date)&"_"&year(Date)&"_"&Hour(Time)&"_"&_
Minute(Time)&".xml"
Set OutFile = oFSO.OpenTextFile(XMLFile,ForWriting,True)
OutFile.write StrXML
Function GetUserData(cn)
On Error Resume Next
Dim oRoot,sDomain,Conn,Comm,sBase,sDepth
Dim sAttribs, sQuery, sFilter, sData
sData = ""
Set oRoot = GetObject("LDAP://rootDSE")
sDomain = oRoot.Get("defaultNamingContext")
Set oDomain = GetObject("LDAP://" & sDomain)
Set Conn = CreateObject("ADODB.Connection")
Set Comm = CreateObject("ADODB.Command")
sBase = "<" & oDomain.ADsPath & ">"
sDepth = "subTree"
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
Comm.ActiveConnection = Conn
Comm.Properties("searchscope") = 100
Comm.Properties("Page Size") = 1000
Comm.Properties("Cache Results") = False
Comm.CommandTimeout = 15
If Err.Number <> 0 Then
Call MsgBox("Failed"&vbNewLine&"Error: "&Err.Number&vbNewLine&"Description: "&Err.Description,16,"Error")
Err.Clear
WScript.Quit
End If
sFilter = "(&(objectCategory=person)(objectClass=user)(cn="&cn&"))"
sAttribs = "adspath" 'LDAP filter return attributes
sQuery = sBase & ";" & sFilter &  ";" & sAttribs & ";" & sDepth
Comm.CommandText = sQuery
Set rs = Comm.Execute 'Returned recordset
If Err.Number <> 0 Then
Call MsgBox("Search Failed.",16,"Error")
Else
End If
 If Not rs.EOF Then
  Do While Not Rs.EOF
  rs.MoveFirst
  Set oUser = GetObject(Rs.Fields("adspath"))
      sData = sData & "<ObjectCategory>"&oUser.objectCategory&_
"</ObjectCategory>"&vbNewLine
      sData = sData & "<DistinguishedName>"&oUser.distinguishedName&_
"</DistinguishedName>"&vbNewLine
      sData = sData & "<UserAccountControl>"&oUser.userAccountControl&_
"</UserAccountControl>"&vbNewLine
      sData = sData & "<USNCreated>"&oUser.whenCreated&_
"</USNCreated>"&vbNewLine
      sData = sData & "<LastChanged>"&oUser.whenChanged&_
"</LastChanged>"&vbNewLine
      sData = sData & "<ADsPath>"&oUser.ADsPath&_
"</ADsPath>"&vbNewLine
      sData = sData & "<CN>"&oUser.cn&_
"</CN>"&vbNewLine
      sData = sData & "<UserPrincipalName>"&oUser.userPrincipalName&_
"</UserPrincipalName>"&vbNewLine
      sData = sData & "<SN>"&oUser.sn&"</SN>"&vbNewLine
      sData = sData & "<Initials>"&oUser.initials&"</Initials>"&vbNewLine
      sData = sData & "<GivenName>"&oUser.givenname&"</GivenName>"&vbNewLine
      sData = sData & "<DisplayName>"&oUser.displayname&"</DisplayName>"&vbNewLine
      sData = sData & "<Description>"&oUser.description&"</Description>"&vbNewLine
      sData = sData & "<LastLogonTimestamp>"&oUser.lastLogonTimestamp&"</LastLogonTimestamp>"&vbNewLine
      sData = sData & "<Country>"&oUser.c&"</Country>"&vbNewLine
      sData = sData & "<City>"&oUser.l&"</City>"&vbNewLine
      sData = sData & "<Office>"&oUser.physicalDeliveryOfficeName&"</Office>"&vbNewLine
      sData = sData & "<Department>"&oUser.department&"</Department>"&vbNewLine
      sData = sData & "<Title>"&oUser.title&"</Title>"&vbNewLine
      sData = sData & "<legacyExchangeDN>"&oUser.legacyExchangeDN&_
"</legacyExchangeDN>"&vbNewLine
      sData = sData & "<msExchALObjectVersion>"&_
oUser.msExchALObjectVersion&_
"</msExchALObjectVersion>"&vbNewLine
      sData = sData & "<msExchUserAccountControl>"&oUser.msExchUserAccountControl&_
"</msExchUserAccountControl>"&vbNewLine
      sData = sData & "<HomeMDB>"&oUser.homeMDB&"</HomeMDB>"&vbNewLine
      sData = sData & "<HomeMTA>"&oUser.homeMTA&"</HomeMTA>"&vbNewLine
      sData = sData & "<msExchHomeServerName>"&oUser.msExchHomeServerName&_
"</msExchHomeServerName>"&vbNewLine
      sData = sData & "<mDBUseDefaults>"&oUser.mDBUseDefaults&_
"</mDBUseDefaults>"&vbNewLine
      sData = sData & "<Warning>"&oUser.mDBStorageQuota&"</Warning>"&vbNewLine
      sData = sData & "<SendLimit>"&oUser.mDBOverQuotaLimit&"</SendLimit>"&vbNewLine
      sData = sData & "<MailNickname>"&oUser.mailNickname&"</MailNickname>"&vbNewLine
      sData = sData & "<Mail>"&oUser.mail&"</Mail>"&vbNewLine
      sData = sData & "<ProxyAddresses>"&vbNewLine 
       If IsArray(oUser.proxyAddresses) Then
        For Each present In oUser.proxyAddresses
        sData = sData & "<ProxyAddress>"&present&"</ProxyAddress>"&vbNewLine
        Next
       Else
        sData = sData & "<ProxyAddress>"&oUser.proxyAddresses&"</ProxyAddress>"&vbNewLine
       End If
      sData = sData & "</ProxyAddresses>"&vbNewLine
      sData = sData & "<Groups>"&vbNewLine
       If IsArray(oUser.memberof) Then
        For Each present In oUser.memberof
        sData = sData & "<Group>"&present&"</Group>"&vbNewLine
        Next
       ElseIf oUser.memberof <> "" Then
        sData = sData & "<Group>"&oUser.memberof&"</Group>"&vbNewLine
       End If
      sData = sData & "</Groups>"&vbNewLine
  Set oUser = Nothing
  rs.MoveNext
  Loop
 Else
 Call MsgBox("No User/s found in AD with those details!",16,"Status")
 End If
rs.Close
Set Rs = Nothing
Set oRoot = Nothing
Set oDomain = Nothing
Set Conn = Nothing
Set Comm = Nothing
sDomain = ""
sBase = ""
sDepth = ""
sData = Replace(sData,"&","&amp;")
GetUserData = sData
End Function

The above code can be copied into a *.vbs file and run from the cmd line or double clicked from the file through windows explorer.

Note: The messages from the script utilize 'MSGBOX' so they are displayed rather than pushed to the command line.

Basicaly the code produces the base XML file in a String "sData" then a function is called that queries the relevant AD domain and using LDAP connects to the users "common name" entered in to the input box at the initiation of the script. The data is added to the sData String and then finaly written to the XML File.

Hope this helps!

Pracuję nad wykorzystaniem LDAP za pośrednictwem PHP. W tej chwili testuję to rozwiązanie, ale za kilka dni będę miał pełen obraz sytuacji i wtedy rozwinę ten post. Na razie trochę...

Resources:

Lightweight Directory Access Protocol

OpenLDAP

RFC2251 - Lightweight Directory Access Protocol (v3)

I've slightly modified the jira-ldap-userimporter script to fit my needs. This script manages the Jira-LDAP integration, by doing a LDAP query to a server and generating a Jelly Script that can run througt the Jira's Jelly Runner. The goal of this modification is accepting some parameters in the ldap.properties to optionally wrap the <jira:createUser> tags with a <jira:Login> tag, this way the resulting Jelly script can be run as a service.

In my scenario there are continuously adding/removing users, so I should run the jira-ldap-userimporter with crontab and executing the output as Jelly service. I found this modification may be useful for other people.

You can download the jar file from the project's page, and set the jelly.service=1, jelly.username and jelly.password in ldap.properties.

We needed to find a way to consistently measure i/o performance on top of the (solaris) OS (and not just a disk read benchmark) so that we could open a case to our server manufacturer. After some searching we came across PostMark, an i/o benchmarking utility originally from NetApp. It seems that the software is not maintained anymore but you can find the source code on Debian. It's only one tiny .c file so you just need to run 'gcc -o postmark postmark.c' to get things going.

This is the configuration i used in order to simulate a directory server instance. In general, create 20 files ranging from 5 - 30 MB's each (common index file size), only run reads and appends on them (with a 4/1 ratio) and no creates/deletes:

set location <your location directory>

set size 5000000 30000000

set number 20

set bias read 2

set bias create -1

The results were a bit... terrifying: Our read-only servers were actually three times faster (while having same disks and almost the same controller). It would be a nice idea to always run Postmark on your servers to see what's happening and how different servers can handle the same i/o load.

Read-Only Replica:
2568.57 megabytes read (91.73 megabytes per second)
572.20 megabytes written (20.44 megabytes per second)

Master Server:
2568.57 megabytes read (25.69 megabytes per second) (1/3!!)
572.20 megabytes written (5.72 megabytes per second) (1/4!!)

# ldapsearch -x -D "cn=Administrator,cn=users,dc=praban,dc=com" -b "dc=praban,dc=com" mail -h 192.168.1.5 -p 389 -W

Hi,

Here the placement for Application Designer.
Req. ID:
Req-AD-04 - Application Designer
Primary Skills:
LDAP,Database systems,Daytona data management,SQL,UNIX and C development and web development,HTML, JavaScript, Perl, UNIX, Linux…
Secondary Skills:
LDAP, Windows, SQL, AWK, C, CGI..

Description:
Dynamic Development Role with Telecom Leader! Project Name Application Designer, Fraud Management Project Description: Global Fraud Management system which is a continuous analytical engine and case manager that uses pattern recognition to detect fraud.

Job Description:

Developer will create new applications and enhance existing application using C, CGI, JavaScript, Perl, Shell, AWK, HTML, and SQL. Only submit extremely technically qualified candidates. Also desired:LDAPDatabase systems Daytona data managementBasic knowledge of database systemsDesign.

SQL Database concept:

Must be expert in all aspects of UNIX and C development and web development.Responsible for development and maintenance of mission-critical applications that support high-visibility client organizations and external customers on a24×7x365 basis. Technical assessment will be done on candidates. Background check will be required before the candidate can start the assignment.

REQUIRED SKILLS:

HTML, JavaScript, Perl, UNIX, Linux

PREFERRED SKILLS:

LDAP, Windows, SQL, AWK, C, CGI

Rate:DOE,

Job Type: Contract,

Total Exp: 6+Yrs,

Duration: 6+ Months,

Number Of Openings: 1,

Location: Florham Park, NJ

Contact Us:

KBS consultants

Flat H,Kulothungan Apts,

No, 5 Natesan Road,

Ashoknagar,

Chennai 600 083

India

Phone: +91-44 2489 5341 / 2371 9622

Visit us:

Email:www.kbsconsultants.com

www.kbsconsultants.org.in/

www.kbsconsultants.net.in/

- Peers realtime utilizando LDAP.
- Call Detail Record armazenado em MySQL e viewer básico em PHP
- Gateway AGI para execucao de dialplan via Adhearsion (Ruby)
(a execucao externa de dialplan é escolha pessoal e torna-se obrigatória dependendo da complexidade do plano de discagem)
- Servidor para envio e recebimento de fax (Hylafax)
- Flash Operator Panel

A primeira etapa compreende a configuração básica do sistema e todo o processo assume que se está logado como root.

Configuração básica do servidor
----------------------------------------------------------------------------
Configuracao de sistema baseado em Debian, especificamente Ubuntu.

- habilitar ssh
# apt-get install openssh-server
# echo "AllowUsers root seuusername" >> /etc/ssh/sshd.conf

- update do server
# apt-get update && apt-get upgrade && reboot

- baixar os headers e compiladores e libs necessárias
# apt-get install linux-headers-`uname -r` build-essential libncurses-dev ldap-utils libldap2-dev libmysqlclient15

Instalacao e configuracao do Asterisk
----------------------------------------------------------------------------
Uma placa Digium será configurada neste sistema e portanto algumas regras básicas devem ser respeitadas. Provavelmente estas regras se aplicam tambem a placas de outros fabricantes, e mesmo que não sejam necessárias, são boas práticas para um sistema em produção.

- Desativar opção de Plug and Play na bios
- Desabilitar saidas seriais, paralelas, som, usb (em alguns casos pode ser necessário manter usb para que o zaptel tenha uma boa fonte de clock).
- Desligar o drive de cd se houver. Desabilitar a controladora do respectivo drive.
- Certificar-se de que o hd está em modo DMA. "hdparm -i"
- Desabilitar ACPI no boot.
- Certificar-se de que a placa digium tem seu proprio IRQ. Verifique com um "cat /proc/interrupts" e caso esteja compartilhado, tente mudar a placa de slot.
- Em casos onde o Moh(music on hold) fica picotado ou metalico, desabilitar hyperthreading pode resolver. Em outros casos, desabilitar SMP tambem pode ajudar.

- baixar e descompactar sources do asterisk, libpri, addons e zaptel
# wget http://downloads.digium.com/pub/asterisk/releases/asterisk-1.6.0-beta9.tar.gz
# wget http://downloads.digium.com/pub/asterisk/asterisk-addons-1.6.0-beta4.tar.gz
# wget http://downloads.digium.com/pub/libpri/libpri-1.4.6.tar.gz
# wget http://downloads.digium.com/pub/zaptel/zaptel-1.4.11.tar.gz
# tar -zxvf asterisk-1.6.0-beta9.tar.gz
# tar -zxvf asterisk-addons-1.6.0-beta4.tar.gz
# tar -zxvf libpri-1.4.6.tar.gz
# tar -zxvf zaptel-1.4.11.tar.gz

- compilar e instalar
(para habilitar bloqueio de chamada a cobrar aplique o patch disponivel 3 ou 4 posts atras. Ele é para uma versao mais antiga da libpri mas serve tbm para versoes mais novas)
# cd libpri-1.4.6/
# make && make install
# cd ../zaptel-1.4.11/
# ./configure && make && make install && make config
# cd ../asterisk-1.6.0-beta9/

(se estiver fazendo upgrade não esqueça de apagar os modulos em: /usr/lib/asterisk/modules e suprimir "make samples" pois vai sobreescrever os arquivos de configuração)

# ./configure && make && make install && make samples
# cd ../asterisk-addons-1.6.0-beta4/

inserir "CFLAGS+=-DMYSQL_LOGUNIQUEID" em cdr/Makefile
inserir "#define MYSQL_LOGUNIQUEID" em cdr/cdr_addon_mysql.c

(se estiver fazendo upgrade nao esqueça de suprimir "make samples" pois vai sobreescrever os arquivos de configuração)

# ./configure --with-mysqlclient=/usr/ && make && make install && make samples
# cd ..

- selecionar somente o modulo necessário para sua placa digium em:
/etc/defaults/zaptel

- configurar o hardware
conteudo de /etc/zaptel.conf
(consulte sua operadora para valores compatíveis)

span=1,1,0,ccs,hdb3,crc4
bchan=1-15
dchan=16
loadzone=br
defaultzone=br

Configurar Iaxmodem
----------------------------------------------------------------------------

# wget http://ufpr.dl.sourceforge.net/sourceforge/iaxmodem/iaxmodem-1.1.1.tar.gz
# tar -zxvf iaxmodem-1.1.1.tar.gz
# cd iaxmodem-1.1.1
# ./build static
# cp iaxmodem /usr/bin/iaxmodem
# cd..
# mkdir /etc/iaxmodem

-conteudo do /etc/iaxmodem/ttyIAX

device /dev/ttyIAX
owner root:root
mode 660
port 45699
refresh 300
server 127.0.0.1
peername numerodoramaliax
secret senhaparaoramaliax
cidname IAX Modem 1
cidnumber numerodoramaliax
codec slinear

-servico de iax em /etc/event.d/iax
(em sistemas mais antigos utilizar o /etc/inittab)

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 5
stop on runlevel 6
respawn
exec /usr/bin/iaxmodem ttyIAX&> /var/log/iaxmodem-ttyIAX

-servico de fax em /etc/event.d/fax
(em versoes antigas utilizar o /etc/inittab)

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 5
stop on runlevel 6
respawn
exec /usr/local/sbin/faxgetty ttyIAX

- conteudo de /etc/asterisk/iax2.conf

[general]
bindaddr=127.0.0.1:4569
allow=all
disallow=g723.1
disallow=gsm
disallow=lpc10
allow=ulaw
allow=alaw
jitterbuffer=no
forcejitterbuffer=no
autokill=yes
codecpriority=host
tos_audio=0xB8
[888]
username=numerodoramaliax
type=friend
secret=senhaparaoramaliax
qualify=no
notransfer=yes
host=dynamic
context=local
callerid="Fax Corporativo"
allow=all
disallow=lpc10 ; Icky sound quality... Mr. Roboto.
disallow=gsm
allow=ulaw
allow=alaw

Configurar Exim e HylaFax
----------------------------------------------------------------------------

- baixar e instalar exim4
# apt-get install exim4

- configure o exim para utilizar seu gateway de email como smarthost
# dpkg-reconfigure exim4-config

- baixar e instalar o Hylafax
# apt-get install libtiff-tools libtiff4 libtiff4-dev gs
# wget ftp://ftp.hylafax.org/source/hylafax-4.2.3.tar.gz
# tar -zxvf hylafax-4.3.1.tar.gz
# cd hylafax-4.3.1
# ./configure && make && make install
# faxsetup
(neste ponto o configurador do hylafax entra em acao e a maioria das configuracoes deve permanecer default)

-configurar OpenLDAP
-configurar asterisk para utilizar ldap
-etcetera, etcetera, etcetera
(este tutorial será atualizado e finalizado em breve)

The main issue had to do with the actual connection to the active directory itself.

All done by the book and still no connection. How do you deal with this? Forget debug... you have to go lower.

I started by using ADSIEDIT, a tool that comes with ADAM. With this tool, you can connect and navigate a remote active directory. It worked, no problem, so there was no network problem. Opening a command prompt in the domain controller machine and executing the netstat -a command, I could see my machine connecting to the LDAP port.

After that I tried to run my web aplication and.. no deal. No ports oppening, no nothing.

I then added the following lines of code in the .cs file in order to try to undernstand if the connection was established:

        string appName = Membership.ApplicationName;

An exception is then thrown with the text

"System.Configuration.ConfigurationErrorsException was unhandled by user code
  Message="Unable to establish secure connection with the server (C:\\bla\\bla\\WebSites\\DevelopmentWebsite\\web.config line 117)"
  Source="System.Web"
  BareMessage="Unable to establish secure connection with the server"
  Filename="C:\\bla\\bla\\WebSites\\DevelopmentWebsite\\web.config" Line=117
  StackTrace:
       at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
       at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
       at System.Web.Security.Membership.Initialize()
       at System.Web.Security.Membership.get_ApplicationName()
       at _Default.Logon_Click(Object sender, EventArgs e) in c:\bla\bla\WebSites\DevelopmentWebsite\Login.aspx.cs:line 39
       at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
       at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
       at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
"

By the time I got knocking my head against the walls, I found this information: How to enable LDAP over SSL with a third-party certification authority

That was it... It solved my problem.

Here are a couple of good information on this topic. Hope they help you. They helped me :)

• Active Directory and ASP.NET 2.0 Beta 2
• How To: Use Forms Authentication with Active Directory in ASP.NET 2.0

DirectoryEntry oDE;
oDE = new DirectoryEntry("LDAP://<ldapserver>,"ADusername","ADpassword",AuthenticationTypes.Secure);

DirectoryEntry de = oDE;

DirectorySearcher deSearch = new DirectorySearcher();

deSearch.Filter = "(&(objectClass=user)(SAMAccountName=" + SPContext.Current.Web.CurrentUser.LoginName + "))";

deSearch.SearchScope = SearchScope.Subtree;

SearchResult results = deSearch.FindOne();

if (!(results == null))
{
de = new DirectoryEntry(results.Path,"AD username","AD password",AuthenticationTypes.Secure);

//if you know the propertyname you want to get value from you can use this
de.Properties["propertyname"].ToString();

//this code will loop thru all the properties in active directory
ResultPropertyCollection propertiesCollection;

propertiesCollection = results.Properties;

//loop thru all the properties in AD
foreach (string currentProperty in propertiesCollection.PropertyNames)
{

Response.Write("Property Name: " + currentProperty);

//loop thru all the sub properties
foreach (Object thisCollection in propertiesCollection[currentProperty])
{

Response.Write(thisCollection.ToString() + "<br/>");
}
}
}

The above code reads and writes the values of the properties from the Active directory for the current user.
But to be able to run the above code you need to make sure that you import System.DirectoryServices,
<%@ Import Namespace="System.DirectoryServices" %>
Also you need to make sure Web.config has an entry for the System.DirectoryServices in its Assemblies Section,

<assemblies>
<add assembly="System.DirectoryServices, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>

This email address aready exists in this organization.

ID no: XXXXXXX Exchange System Manager

Indeed that's not the most useful of error messages I've ever run across .... can you actually run over error messages? Interesting thought but I digress!

Being the concentious admin cat that you are, you'll not let the rest there but will want to know how to find where it is in use. Doing this manually in your average SME will mean checking hundreds off user accounts and god forbid you are using mail enable public folders! You could be there until the end of time and still not find the darn thing.

Well here's how to track down who'd in possession of that address in a nice and easy step by step guide:

• Open the Active Directory Users and Computers Management Console
• Right Click on the domain > Select Find
• Select Custom Search in the Find field
• Select the Advanced tab
• To find the entity with the email address whatever@yourdomain.com for example, enter the following in the LDAP query field:
(proxyAddresses=smtp:whatever@yourdomain.com)
• This will list the entity containing the email address entered.

If you're lucky and it is assigned to a user account then this will display clearly in the bottom box of the search and  you'll be able to open its properties from there. If you can't find where is hidden in your millions of user accounts, try using a dsquery to produce the info you need as to OU location.

Mail enabled public folders make things a little bit more interesting as is their usual method. Unfortunately the folder will be displayed in the bottom windows as per previously, however if you double click on it you will not get much useful information as to it's location. There should be enough info for you to apply some logic and knowledge of your own systems to find it but if you have thousands of public folders you may well be in for a long search.

As a bonus, I thought I'd mention that wild cards can be used within the email address (*) to return multiple matches. So if you want to view all the email addresses within the results list, select View > Choose Columns... and select Proxy Address - doing this in association with the query (proxyAddresses=smtp:*@yourdomain.com) will give you a list of all entities within the organisation that have an email address, together with all the email addresses they have.

As I have said repeatedly, this single biggest impediment to enterprise identity management is that enterprise software seldom supports the externalization of identity. And it's not really the vendors fault. The vendors are spending their development dollars on the features that their customers are asking for. Until customers start making externalized identity a selection criteria, the vendors are going to just do the minimum, which for many is authentication.

For instance in the product I currently work on, ChangeGear, we support LDAP in three ways. We support authentication and user profiles via either Windows Integrated Authentication or generic LDAP. We also support AD for allowing the users to pick lists of impacted users and groups when creating or processing Change Management Requests (RFCs). Lastly we also support AD as one of the means of discovering assets to populate our CMDB.

There are a lot of other interesting things we could be doing with LDAP, but our customers have not expressed much interest in them.

Go to LDAP Group object for the server (not LDAP server object).  On the General tab, uncheck Require TLS for simple binds with Password > OK

Goto LDAP server object for the server, and on the General tab press Refresh NLDAP Server now. 

During installation, the WebAccess Installation program requires access to eDirectory by way of LDAP authentication. The LDAP Group object includes an option named Require TLS for Simple Binds with Password, which is enabled by default. With this option enabled, you must provide the LDAP server's Trusted Root Certificate, which must be exported from the LDAP server, in order for LDAP authentication to take place (typically on port 636) during installation of the WebAccess.

Unless you already have SSL set up, an easier alternative is to disable Require TLS for Simple Binds with Passwords in ConsoleOne, which allows LDAP authentication to take place using clear text (typically on port 389), during installation of WebAccess. After disabling the option, restart eDirectory, install WebAccess, then re-enable Require TLS for Simple Binds with Password and restart eDirectory again.

The problem:

I'm in the middle of trying to figure out how to install Plone's LDAP support -- not use it, but just install it -- and I've run into similar problems on three different platforms: Linux (RHEL4), OS X (10.5.4), and Windows XP (actually, both 32 and 64-bit versions of XP Professional).

Some of the problems I've had:

• On OS X, I'd installed OpenLDAP (openldap) and python-ldap (py-ldap) via MacPorts (port), as well as Berkeley DB (p5-berkeleydb) but when I ran buildout, I got a Berkeley DB version mismatch error. I've read that setting library environment variables (LD_LIBRARY_PATH and DYLD_LIBRARY_PATH) can help alleviate this, but this didn't help in my case.
• On Linux, I'd installed OpenLDAP and python-ldap via package manager (up2date), but when I ran buildout, I got all kinds of LDAP-related errors. I found this strange, as I could use ldapsearch from the OpenLDAP installation to query LDAP servers.
• On Windows XP, I get the same errors as in Linux.

My results for installing python-ldap via easy_install:

• OS X: success (but this installation didn't seem to find its way into my buildout attempts)
• Linux: failure with errors
• Windows: failure first with time-outs, and then errors similar to those in Linux above.

The solution (Linux version):

I began to work with the problem by downloading source distributions for Linux.  I downloaded the latest 2.3.x of OpenLDAP (2.3.43) to /usr/local/, configured, then ran tests, which failed:

Could not locate slapd(8)

Much searching led me to an OpenLDAP FAQ-O-Matic entry on prerequisites:
http://www.openldap.org/faq/data/cache/196.html

At first glance, I was a bit puzzled by the sheer volume of prereqs listed here.  At any rate: since my buildout traceback experiences indicated that Plone buildouts seem to call for Berkeley DB support, I assumed this option in the list was one that was needed:
SLAPD (with BDB or HDB database)

However, the "Sleepycat" download link given in that FAQ (and elsewhere) now redirects to an Oracle page, which seems to me something of a roadblock: typically, Oracle does not provide open source software; however, according to the licensing information for the Berkeley DB software, it seems the software is provided via a dual licensing model, and it may be distributed as open source if the typical conditions are met.  And then, I assumed the version Plone users would want would be the "Berkeley DB 4.7.25, without encryption" for their platform.  Of course, Oracle uses a tricky JS script to obfuscate the download link, so a simple wget may not be obvious for some users ... that is, without this direct link:
http://download.oracle.com/berkeley-db/db-4.7.25.NC.tar.gz
The package's installation procedure, which would be required reading without instructions like those on this page, is an HTML file buried in a sub-directory.

To install the Berkeley DB software, extract the tar-ball and run:

cd [Berkeley-DB-directory]/build_unix
../dist/configure
make
make install

Once installed, the libraries on my system were stored in:

/usr/local/BerkeleyDB.4.7/lib

Some of the text that flew past during the installation indicated that other applications might require these libraries in the LD_LIBRARY_PATH environment variable.  So I set this with:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/BerkeleyDB.4.7/lib

Then the OpenLDAP installation began:

./configure
make depend
make
make test  #  <-- these tests took a long while to complete: about 45 minutes.
make install

Once that had finished, I downloaded the latest 2.3.x version of python-ldap (2.3.5) from source.  After unpacking the archive, I modified the package's setup.cfg directives for library_dirs and include_dirs to point to the new OpenSSL directories:

library_dirs = /usr/local/openldap-2.3.43/include/lib
include_dirs = /usr/local/openldap-2.3.43/include /usr/include/sasl

Luckily, I already had SASL installed, but I'm sure it could have been installed in much the same way as the other packages.  I then ran:

python setup.py build
python setup.py install

... that is, of course, after ensuring that 'python' pointed to my Python 2.4 installation.

And then, finally, I had a successful installation of python-ldap., which subsequently led to a successful buildout installation of PloneLDAP and plone.app.ldap, using my working (final?) buildout configuration.

That was simple, right? :P  Thanks to Martin Aspeli for convincing me to start from scratch and try installing the necessary packages from source.

The solution (OS X version):

As mentioned above, I had installed all of PloneLDAP's dependencies on OS X via 'port' packages.  I'm not sure how, but I now believe that some Python-related or LDAP-related package must have gotten screwed up, or the wrong version had gotten installed.

Fixing this meant starting my Python 2.4 installation over from scratch: uninstalling it, and all its dependencies, and then re-installing only Python itself and the specific, related ports I needed in order to get Plone and its LDAP support up and running.  For me, the eventual command I found for the uninstall was:

sudo port uninstall py-numeric py-elementtree py-altgraph py-bdist_mpkg \
 py-macholib py-setuptools py-pil py-ldap python24 py-elementtree \
 py-setuptools py-numeric py-game

And the re-install was simply:

sudo port install python24 py-setuptools py-pil py-ldap

I may need to re-install some of the other ports at some point, but I don't need them at the moment.

Once I did this, and once I ensured that my port's version of Python 2.4 was considered the system version, my working (final?) buildout configuration worked nicely.

Thanks to 'DigitalD' (Michael Dunlap) for the inspiration to look into exactly what ports were installed, tear down the related ports, and re-install them from scratch.

The solution (Windows version):

This remains a mystery.  It's simple enough in a *NIX environment to install packages from source, but Windows is an entirely different story: one needs either to rely upon third-party binary installers for important software components (like OpenLDAP), or install a UNIX pseudo-environment in order to compile one's own binaries from source.  And even then, troubleshooting problems is tricky.