CUBAC Enable external LDAP integration

Hi,
I've a client where the Attendant is seeing the user's Home Phone number. The customer's requirement is to show the Mobile and IP Phone extension.
To me it seems they aren't synchronizing with CUCM but directly with Microsoft AD. Enable external LDAP integration is checked and greyed out.
Is my doubt correct, the client is pulling the Phone information from AD directly?
How can I uncheck the External LDAP Integration checkbox, do I need to rerun the setup or LDAPServer.exe to do it? Would there be any loss of configuration?
If Customer wants to continue pulling the info from MS AD directly, can I add some kind of filters in CUBAC not to pick up Home phone field but Mobile Phone and IP Phone extension if those fields are populated?
CUBAC version is 3.1.8
Thanks,
inner_silence

Hi Madhav,
See inline COMMENTS (below)
Bala
"madhav" wrote:
> Hi,
> Context:
> I'm using SunOne Directory Server as the External LDAP server for my application.
> Q1) My understanding is that the default providers provided by WebLogic communicate ONLY with the embedded LDAP server. Is this understanding correct? That means if I'm integrating with the external LDAP server, I need to have a custom implementation for ALL the providers (i.e. Authentication Provider, Authorization Provider, Identity Assertion Provider, RoleMapper, Credential Mapper etc).

COMMENTS: Your understanding is correct (for Authentication, Authorization, RoleMapper, CredentialMapper). But you don't need to create a custom implementation for all providers. You can plug and play OR stack providers in the default realm (myrealm). Or you can create your own realm and still add the WebLogic OOTB providers wherever you don't want to implement custom providers. OOTB BEA provides an Authentication provider which can integrate with 3rd party Directory Servers (see http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008 for more info). But if you wish to perform other services like Authorization, CredentialMapping, RoleMapping with external LDAP providers, then YES you have to write custom providers.

> Q2) Or is there a way I can configure WebLogic to communicate with an External LDAP server so that I can use the default providers, i.e. when I invoke request.isUserInRole(....), the lookup should be on the external LDAP NOT the internal LDAP.

COMMENTS: No, the default providers are written to look up the Embedded LDAP. But writing a provider is well documented (see http://e-docs.bea.com/wls/docs81/dvspisec/index.html for more info).

> Regards,
> Madhav

Similar Messages

  • Issue while integrating external LDAP with weblogic

    Hi,
    I am trying to integrate an external LDAP (OpenLDAP) with WebLogic 10.3. I created a provider, provided the required credentials, and am able to see the users and groups of the LDAP in the WebLogic console. I am also able to log in to the WebLogic console with the users available in the LDAP after assigning the admin role to the LDAP group. But when I see the user's properties (by clicking on the user in the admin console) it only shows the tabs for General, Password and Group. On the other hand, if I see the users from DefaultAuthenticator, it shows the Attribute tab apart from General, Password and Group.
    Can anyone let me know how we can get the Attribute tab for the LDAP users?
    thx,
    Ajay

    Hi Ajay
    By default WebLogic has READ ONLY adapters for any External Security Providers that are configured, like any AD Providers. READ ONLY means you can only read the data from the LDAP but not modify it, hence maybe it's not showing the Attributes tab. For the Default Authenticator, see the first paragraph note in the Attributes tab, which says the same thing. NOW, maybe WLS can at least show Attributes in READ ONLY format, but it needs some sort of mappings to be defined. Say on the WebLogic side we have something like firstName, lastName, which on any typical AD will be like sn (surname = lastname), givenname (firstname) etc. This mapping is tough to generalize.
    One thing for sure is, from WebLogic you cannot modify or edit any attributes for any user in an external AD. If you really want to get those attributes, you may need to use some javax.ldap APIs or some 3rd party ready-to-use tools/APIs. I remember WebLogic Portal has a facility to configure an XML file that defines attribute mappings and gets all attributes for any user. But again that's in the WebLogic Portal product and not part of WebLogic Server.
    If you have any SOA Software, they have some utilities for the same.
    Thanks
    Ravi Jegga

  • Server App not seeing external LDAP users & groups

    I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
    When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
    I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
    Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 Server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that include a mapping for GeneratedUID versus one which does not, for example.
    This is all so much more opaque than our superbly reliable Snow Leopard servers!
    TIA

    Ok, and again:
    You want to see Users and Groups, which are stored in a third-party directory service like OpenLDAP, in your Server.app? This is what you have to do:
    Connect the third-party LDAP to your server
    Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to log in with them
    When you see your LDAP entry in the Directory Manager, change it from "From Server" to "RFC2307"
    Edit the entry, add the following mapping to it: GeneratedUUID maps to apple-generateduuid
    To your group and user entries in the external LDAP add the following attribute: apple-generateduuid gets the value taken from the output of "uuidgen"
    Feel lucky
    And there it is; now you are able to use the accounts taken from an external LDAP.

  • Steps to connect an external LDAP

    Dear Gurus,
    What are the steps to connect an external LDAP like ADS.
    Please let me know the step by step procedure, e.g.
    creating the admin, guest and ??? users in Portal, deleting the same from the LDAPs and so on.
    Thanks for the help.
    Nirmal

    Hi,
      Check the below link for LDAP connectivity...
    Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher Part 1 of 2
    Regards
    Vasu

  • External LDAP for UCM

    Hi.
    Is it possible to use an external LDAP server for my UCM server without using an external LDAP server for my admin server?
    That is, I have a domain with an admin server and a UCM server.
    My admin server doesn't have an external LDAP.
    So is it possible to use an external LDAP server for my UCM server in such a situation?
    And if it is possible, could you give me some information about it?
    (sorry for my english)

    First of all, thank you for links.
    But I have a problem: I configured my own LDAP provider and I can see that 'Connection State' is good (5 out of 5 connections are good), but I can not log in into UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
    Here is my LDAP provider configuration:
    Provider Name:      MyLDAP
    Provider Description:      MyLDAP
    Connection State:      5 out of 5 connections are good
    Last Activity Date:      12/17/12 4:23 PM
    Provider Type:      ldapuser
    Provider Class:      intradoc.provider.LdapUserProvider
    Provider Connection:      intradoc.provider.LdapConnection
    Source Path:      MyLDAP
    LDAP Server:      localhost
    LDAP Suffix:      dc=example,dc=com
    LDAP Port:      10389
    Number of connections:      5
    Connection timeout:      10
    Priority:      1
    Credential Map:      
    SSL Enabled:      No
    Attribute Map:      uid:dFullName
    Role Prefix:      ou=groups
    Default Network Roles:      guest
    Filter Groups:      Yes
    Use Full Group Name:      No
    LDAP Admin DN:      uid=admin,ou=system
    And my LDAP structure:
    "dc=example,dc=com"
        "ou=groups,dc=example,dc=com"
            "cn=Administrators,ou=groups,dc=example,dc=com"
            "cn=admin,ou=groups,dc=example,dc=com"
        "ou=people,dc=example,dc=com"
            "uid=asdasd,ou=people,dc=example,dc=com"
            "uid=qweqwe,ou=people,dc=example,dc=com"
    In the 'cn=Administrators' entry I have the 'uniqueMember: uid=asdasd,ou=people,dc=example,dc=com' property
    In the 'cn=admin' entry I have the 'uniqueMember: uid=qweqwe,ou=people,dc=example,dc=com' property
    Nevertheless I can't log in to UCM with the users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
    Could you show me my mistake?
    Edited by: Michael Baygeldin on Dec 17, 2012 5:34 AM

  • LDAP Integration with CUCM 9.0

    We would like to use LDAP to sync all of our users from Active Directory.  All of our current CM Users are local, the problem is that they have the same user names as our Active Directory users.  From what I understand this is going to be a problem because:
    "If accounts from LDAP match an existing Unified CM account that is not marked as an LDAP synchronized account, then these accounts are ignored."
    Does that mean we will have to delete all our existing CM users in order to sync the LDAP users correctly?  Is there a best practice for this?  Once we synchronize the LDAP users, how do I ensure that the user gets associated with the proper phone?  Or do I have to visit each user individually?

    I just did a quick test for this, my lab CUCM 9 is already LDAP integrated, but I created a local user, then I created that same local user in my LDAP OU, and performed a full sync.
    The user is no longer showing as a local active user, but as an active LDAP synchronized user.
    Which was my thought, there's only one conversion, from LDAP to local.
    The behavior is just as with any previous release, local users who match an LDAP user after you enable it, are just updated, and kept with all their configurations.
    I checked the option to turn it back again into a local user, did a full sync, and it's again an active LDAP user.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • WLI-8.1 Problem using external LDAP authenticaion provider

    I added a second authentication provider that uses iPlanet DS to authenticate. My external LDAP users show up in the WebLogic Server Admin Console, but they do not show up in the Integration Console's User Management section. I also can't authenticate through the Worklist app as one of the external users. Can anyone help?

    There is a patch available for this. Please check with BEA support.
    Kelly Graves <[email protected]> wrote:
    I added a second authentication provider that uses iPlanet DS to authenticate.
    My external LDAP users show up in the WebLogic Server Admin Console,
    but they do not show up in the Integration Console's User Management
    section. I also can't authenticate through the Worklist app as one
    of the external users. Can anyone help?

  • Cannot start BI services after configuring LDAP integration

    Hi all,
    After configuring LDAP integration with OBIEE , I have stopped all BI services and started again. It throws following error:
    <Nov 24, 2012 2:05:16 PM AST> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see th
    ption stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to
    ore information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
    <Nov 24, 2012 2:05:16 PM AST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializatio
    tion: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root c
    If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps
    ception: [PolicyUtil] Exception while getting default policy Provider
    weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception
    trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more in
    ion. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
            at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
            at weblogic.security.SecurityService.start(SecurityService.java:141)
            at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provid
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:293)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:899)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            Truncated. see log file for complete stacktrace
    Caused By: java.security.PrivilegedActionException: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:860)
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.service.idstore.IdentityStoreException: JPS-00056: Failed to create identity store service instance idstore.ldap.
    er:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
    The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:195)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.access$300(LdapIdentityStoreProvider.java:70)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$NoLibOvd.getInstance(LdapIdentityStoreProvider.java:242)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:114)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:70)
            Truncated. see log file for complete stacktrace
    >
    <Nov 24, 2012 2:05:16 PM AST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 24, 2012 2:05:16 PM AST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 24, 2012 2:05:16 PM AST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    D:\OraHome\Middlleware>
    I was not able to log in to the console since the admin server is not getting started.
    Kindly help me to overcome this issue.
    Thanks,
    Haree

    Thanks for the reply Veeravalli.
    I have stopped the services and deleted the config.lok file, then edited the config.xml file under *%MW_HOME%\user_projects\domains\bifoundation_domain\config*. Then I started the BI services. Now it's working fine.
    Thanks,
    Haree

  • UCCX 7.0.1SR5 to 8.0 upgrade while also adding LDAP integration for CUCM - what happens to agents and Historical Reporting data?

    Current State:
    •    I have a customer running CUCM 6.1 and UCCX 7.01SR5.  Currently their CUCM is *NOT* LDAP integrated and using local accounts only.  UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
    •    The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
    Goal:
    •    Upgrade software versions and migrate to new hardware for UCCX
    •    LDAP integrate the CUCM users
    Desired Future State and Proposed Upgrade Method
    Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server. 
    Then during a weekend maintenance window……
    •    Upgrade the CUCM cluster from 6.1 to 8.0 in 2 step process
    •    Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
    •    Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
    •    Restore the data from the UCCX PUT tool
    •    Continue setup per documentation
    At this point does UCCX see these agents as the same as they were before?
    Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
    I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
    We can simplify this question along these lines
    Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01.  Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software. 
    If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens? 
    I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
    What would historical reporting show in this case?  A set of old agents and a set of new agents treated differently?
    Has anyone run into this before?
    Is my goal possible while keeping the agent configuration and HR data as it was before?

    I was doing some more research looking at the DB schema for UCCX 8.
    Looking at the Resource table in UCCX, it looks like there is primary key that represents each user.
    My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
    How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
    Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
    Database table name: Resource
    The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
    A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.

  • How to access an External LDAP on a weblogic server using OPSS APIs.

    Hi,
    Can anyone let me know how I can access an External LDAP configured on a weblogic server using OPSS APIs( or alternative APIs).
    I'm currently using the below snippet and I'm getting only the Users and Groups from the DefaultAuthenticator on the WebLogic server and not the external LDAP server.
    I've verified the providers, users and groups on the weblogic server console and can see that external LDAP server content is being picked, but my below code does not query them.
    import java.util.List;
    import oracle.security.idm.IMException;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.Role;
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.idstore.IdentityStoreService;
    // Obtain the default JPS context of the running server and its identity store service
    List<Role> rowData = null;
    JpsContextFactory ctxf = JpsContextFactory.getContextFactory();
    JpsContext ctx = ctxf.getContext();
    IdentityStoreService storeService = ctx.getServiceInstance(IdentityStoreService.class);
    // The identity store handed back by the service; in this setup it only reaches the DefaultAuthenticator
    IdentityStore idStore = storeService.getIdmStore();
    // getRoles(...) is the poster's own helper and is not shown in the post
    rowData = this.getRoles(idStore, "*");
    Any help or pointers are highly appreciated.
    Thanks,
    Bhasker

    Can anyone please provide any suggestions? I am trying to google around but am still not able to find any solution.
    Thanks,
    Bhasker

  • Address Lookup in External LDAP

    I made changes in my $OH/j2ee/OC4J_UM/config/oc4j.properties file in order to look up an external LDAP:
    toolkit.ldap.dir.1.label=Contacts
    toolkit.ldap.dir.1.url=ldap://OtherLinuxHost.mydomain.com:389
    toolkit.ldap.dir.1.searchbase=ou=Contacts,dc=mydomain,dc=com
    toolkit.ldap.dir.1.filter=objectClass=inetOrgPerson
    toolkit.ldap.dir.1.attribute.mail=mail
    toolkit.ldap.dir.1.attribute.lname=sn
    toolkit.ldap.dir.1.attribute.fname=givenName
    toolkit.ldap.dir.1.attribute.alias=uid
    In my Collaboration Suite - Messages when I am creating
    New Message, click in Blue Torch,
    Select from the list the "Contacts" directory
    Select "Email Address" "contains" * => Go
    UM shows the contacts from the external LDAP, but when I try to bcc, cc or to, it is not updating my destination fields (bcc / cc / to). But if instead of selecting the list "Contacts" I select the Internal Directory (OID) it works fine?
    Which argument am I missing? Or how do I configure UM to export the email address from the AddrLookup window to the Message_compose window in the destination fields (bcc or cc or to)?
    Thanks a lot for any help.

    It is happening to us as well, we have OCS release 2 9.0.4.2 on Linux trying to access an external OpenLDAP linux server for shared contacts.
    After we get the results of the search on the external LDAP, no button works on the Address Lookup window except "Close". It doesn't matter if we select the "Corporate Book" or other Oracle internal address books; we have to close the window and open it again to do a new search.
    Are you seeing the same behavior?
    I will have a phone conference today (5/11/05) with Oracle support to talk about this issue, we have had a TAR open for about 20 days now.
    I'll keep you posted with the results.

  • Enable External Load Balancing error

    Hello,
    I'm trying to create a DirectAccess farm with 2 external Load balancers (Step 3.1.1 http://technet.microsoft.com/en-us/library/jj134166.aspx)
    The first server is configured (Behind a Edge with 2 NICs) and working but when trying to enable External Load Balancing, I immediately receive this error when applying the settings:
    Initializing operations before applying configuration
     Backing up GPOs...
    Updating cluster settings
     Retrieving server GPO details...
     Opening the server GPO...
     Error: The configuration data for this product is corrupt. Contact your support personnel.
    Finishing operations after applying configuration
     Information: Attempting to roll back the configuration...
    The DirectAccess dashboard shows that all services are fine, the DC is available and no errors are logged in the Event Viewer.
    I can't find any explanation about a possible corrupted configuration.

    Ok... Found the problem... You can't mix Internet IP and LAN IP to create the VIP...

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If anyone can, please suggest the exact steps to configure an external LDAP store to manage the admin console via LDAP users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
    The problem that I am having is when I modify the Admin role to which the Administrators group should be added: what exactly should I give in the Admin role? Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com?
    When I give the full DN, it takes every attribute as a different value, i.e. cn=Administrators as one and ou=Groups as another, and shows a message that cn=Administrators does not exist.
    Here I am not sure what to do.
    Also, if the external LDAP authentication provider is the only provider, then I need to give the user information in the boot.properties file as well for WebLogic to boot properly. Now, what should I give there for the user? Still the complete DN?
    Regards,
    Neeraj Tati.

  • Use of external LDAP server in Weblogic Commerce Server

    I'm using the following software:
    Iplanet Directory Server v5
    Weblogic Application Server v6
    Weblogic Commerce v3.5
    I need to configure Weblogic Commerce Server to use Iplanet Directory Server directory
    services. How do I do that?
    I have a couple of questions related to this:
    1) As Weblogic Commerce Server runs on top of Weblogic v6, does it mean that to
    use an external LDAP server, I need to configure weblogic v6 to do that and not
    Weblogic Commerce Server?
    2) Whatever may be the case above, how do I do that?
    3) config.xml (weblogic application server v6) contains information that needs
    to be modified to point to an external JNDI source provider but what information
    do I need to modify?
    I'd really appreciate if someone can help me out here. Thanks!

    "JP" <[email protected]> wrote in message news:[email protected]..
    Hi,
    I'm looking for someone who has used the Lotus LDAP server for WLP7
    authentication.
    I connect my portal to the Domino LDAP, User and Groups are working
    fine, but the membership of a user to a group is not.
    I assume that it's related to the parameters I use (especially the
    membership.filter ?):
    "user.filter=(&(uid=%u)(objectclass=person));
    user.dn=O=Apac;
    membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
    group.filter=(&(cn=%g)(objectclass=groupOfNames));
    server.host=jpgal01.apac.bea.com;
    group.dn="
    Any help would be appreciated, because I just don't know where to look.

    Try setting the com.netscape.ldap.trace property.
    When the -D command line option is used, defining the property with
    no value will send the trace output to the standard error. If the
    value is defined, it is assumed to be the name of an output file.
    If the file name is prefixed with a '+' character, the file is
    opened in append mode.
    This will create a ldap trace file of the requests that WLS is making on the
    LDAP server. You can then see
    where the filters are not returning the correct value for the group
    membership.
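Both the filter templates in the post above (user.filter, group.filter and membership.filter with their %u, %g and %M placeholders) and the earlier question about whether the Admin role wants "Administrators" or the full group DN can be illustrated with a small model. The following Python is an added example, not code from the thread or from WebLogic: the directory entries, base DNs and the simplified filter evaluator are constructed, and it shows that the %g template expects the group's short name under the group base DN, so a full DN substituted into it matches nothing.

```python
# Constructed in-memory directory (not a real server), laid out like the
# thread's cn=Administrators,ou=Groups,dc=test,dc=com group.
DIRECTORY = {
    "uid=neeraj,ou=People,dc=test,dc=com": {
        "uid": ["neeraj"], "objectclass": ["person"]},
    "cn=Administrators,ou=Groups,dc=test,dc=com": {
        "cn": ["Administrators"], "objectclass": ["groupOfNames"],
        "uniquemember": ["uid=neeraj,ou=People,dc=test,dc=com"]},
}

# Templates in the same shape as the ones quoted in the thread (assumed values).
USER_FILTER = "(&(uid=%u)(objectclass=person))"
GROUP_FILTER = "(&(cn=%g)(objectclass=groupOfNames))"
MEMBERSHIP_FILTER = "(&(uniquemember=%M)(objectclass=groupOfNames))"
USER_BASE = "ou=People,dc=test,dc=com"
GROUP_BASE = "ou=Groups,dc=test,dc=com"   # the "group.dn" / Group Base DN setting

def parse_and_filter(flt):
    """Parse the (&(a=v)(b=w)) shape the templates use into (attr, value) tests.
    A value may itself contain '=' and ',' (a DN), so split on the first '=' only."""
    if not (flt.startswith("(&(") and flt.endswith("))")):
        raise ValueError("only (&(a=v)...) filters are modelled here")
    tests = []
    for term in flt[3:-2].split(")("):
        attr, _, value = term.partition("=")
        tests.append((attr.lower(), value))
    return tests

def search(base_dn, flt):
    """Return DNs under base_dn whose entry satisfies every equality test."""
    tests = parse_and_filter(flt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and all(v in attrs.get(a, []) for a, v in tests)]

def find_group(group_name):
    # The role condition names the group by its short name (the %g value);
    # the base DN supplies "ou=Groups,dc=test,dc=com". Passing the full DN
    # here yields (cn=cn=Administrators,ou=Groups,...), which matches nothing.
    return search(GROUP_BASE, GROUP_FILTER.replace("%g", group_name))

def groups_of(user_dn):
    """Short names of the groups whose uniquemember holds this DN (%M)."""
    hits = search(GROUP_BASE, MEMBERSHIP_FILTER.replace("%M", user_dn))
    return [dn.split(",")[0].partition("=")[2] for dn in hits]

def has_admin_role(username, admin_groups=("Administrators",)):
    users = search(USER_BASE, USER_FILTER.replace("%u", username))
    return len(users) == 1 and any(g in admin_groups for g in groups_of(users[0]))
```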

  • Enterprise Portal - MDM - LDAP integration

    We are successfully able to integrate Portal to MDM with a trusted connection, with portal users existing in LDAP and MDM users existing in the MDM console.
    We also successfully integrated MDM with LDAP so that we don't have to store users in the console, but manage them in LDAP. But once we did the LDAP integration, the portal to MDM connection was lost, saying MDM user details could not be retrieved.
    Has anybody faced this issue? What key steps need to be taken care of during MDM-LDAP integration?

    Hi goerge,
    Whenever we integrate MDM with LDAP, we need to make a setting in the MDS.ini file.
    Please check the "User Identifier" setting in the MDS.ini file.
    Typically this should be the name of the LDAP id field which will match the value the user provides as the Username at logon.
    Make the entry in MDS.ini like User Identifier = cn or SamAccountName.
    If that is done, please verify the other parameters corresponding to LDAP in MDS.ini as per table 91 on page 291 in the MDM Console reference guide.
    Or refer to SAP note 1635338 for reference, which points to the same issue.
    This should solve your problem.
    Regards,
    Sravan
