LDAP Authenticator and Password Digest

Hi All,
I am implementing proxy services using OSB 11g. The security requirement is to enforce authentication using password digest. Users and passwords are stored in a central external LDAP server.
OSB supports password digest in SOAP messages, but all the documentation suggests enabling the password digest flag in the Default Authenticator. When I configure the external LDAP server in the security realm, it does not provide any option to enable Password Digest.
Is it possible to have passwordDigest-based authentication against an external LDAP server?
If yes, can someone please suggest how it's done?
Thanks !

Got the answer.
Out of the box, Password Digest is only supported with DefaultAuthenticator. For PasswordDigest authentication with external LDAP, custom authenticators need to be developed and used.

Similar Messages

  • Security Issue - LDAP Authentication and supply of empty passwords

    Security Issue with OC4J and JAZN LDAP Realm
    Product Versions:
    OC4J 9.0.3
    Infrastructure 9.0.2.1
    When using form-based authentication or basic authentication in a WebApp, OC4J authenticates any existing user that has a password defined when an empty password is supplied.
    Example: If you have a user with the username "user" and password "password". In the login of the WebApp if you supply only the username, OC4J authenticates the user.
    Notes:
    - If we supply a wrong password we are not authenticated
    - If we supply the correct password we are authenticated.
    To reproduce the problem, I have used the Oracle callerInfo jazdemo, configured to use the JAZN LDAP Realm named sample_subrealm, which is installed with the 9iAS infrastructure.
    Notes: If I use JAZN XML Realm everything works as expected.
    Bruno Antunes
    Java Software Engineer

    Jeremy - You'd have to use database authentication to achieve that. Create a DAD without specifying a username/password and change the app's current authentication scheme to DATABASE. Then users can log in using their database account credentials. LDAP won't be used when you do this, so you'll have to keep the database account passwords in sync with LDAP somehow if that's important.
    Scott

  • Integrated LDAP authentication and now BAM start page is very slow to load

    Hi, all~
    I have a fresh install of BAM 10.1.3.3 with the 10.1.3.4 patch applied.
    I've reviewed the BAM installation guide and LDAP integration tech note, and have been able to successfully integrate BAM with our LDAP, where "successful" means that I'm able to provide my own LDAP credentials and log in to BAM.
    However, the BAM start screen now consistently takes somewhere on the order of 1-2 minutes to load... so I guess I'm wondering if there's a common cause for this sort of error?
    Any suggestions of things to check would be appreciated.
    Thanks,
    - Nathan

    For whatever it's worth, the solution in our case was to decouple BAM (10g) from LDAP.
    User administration becomes a slightly more manual process in this case, but the BAM pages load almost instantly for users now, whereas before for some users it would take as much as 10 minutes for a page to load following their logging in.
    Another benefit from LDAP decoupling is that IIS is able to do Windows integrated login for users, meaning that the users don't need to provide a login and password any longer.
    The one "gotcha" that was encountered had to do with IIS realms and creating JDeveloper connections to the BAM server following the decoupling. From our testing, under IIS -> Web Sites -> Default Web Site -> Properties -> Directory Security (tab) -> "Authentication and access control" Edit button, the following needs to be specified:
    Check only "Integrated Windows login" and "Basic authentication"
    Specify a "Default domain" by pressing the Select button and choosing an appropriate domain
    From there, in your JDeveloper BAM connection, be sure to include the selected domain in your connection properties.
    - Nathan

  • Securing LDAP username and password in Websphere

    Hi all,
    I am new to LDAP and WAS. I want to secure the username and password for my LDAP server. Right now I have two choices for using the username and password for the LDAP:
    1. I can put the username and password in a properties file (but then it makes my application insecure; anybody can read it).
    2. I can put them in a .java file, and after compilation it would be converted to the class file (but in this approach anyone who knows which file it is residing in can use a decompiler to read it).
    I have seen one implementation for DB2 in which they make a datastore in the application server that holds the username and password for the DB2 server. I want to use same kind of facility for my application.
    Can anyone help me with this...?

    The error description is:
    =================================
    TNS-12560 TNS:protocol adapter error
    Cause: A generic protocol adapter error occurred.
    Action: Check addresses used for proper protocol specification. Before reporting this error, look at the error stack and check for lower level transport errors. For further details, turn on tracing and re-execute the operation. Turn off tracing when the operation is complete.
    ===================================
    Did you start your Oracle service before trying to connect?
    Are you able to run your listener successfully?
    Did you set up a TNSNAMES entry for your database?
    Did you try connecting to the database by using scott/tiger@<tnsnames entry>?

  • After having the Apple Store erase my HD, now I need authentication and password to move things from a downloads folder to another folder in Finder. WHY? And how can I change this?

    I'm trying to move things from the downloads folder into a folder that is over there on the left in the sidebar. Every time I try to move something, I get this message and then I have to give my password. I didn't have to do that previously and I sure don't want to do it now, either. I've checked and checked and cannot find where I would go to change this setting. Does anyone know where I should look?
    The Apple Store erased my HD on Friday and I had to restore from Time Machine. My OS is Mavericks and I'm on a MacBook Pro.

    That has been like that since Firefox 3.0 was released in June 2008 - 7 major version releases thus far with it like that and the developers haven't changed it - so I wouldn't count on it.
    When I want to save a duplicate bookmark, I just "grab" the website image in the Location Bar and drag it into the Bookmarks Sidebar, into the folder where I want it placed. On Windows and Linux, { Ctrl + B } opens the sidebar and then just drag.

  • Users changing passwords within LDAP authentication

    Hello all,
    I've noticed that if a user uses the 'Membership' authentication to access the portal, they are allowed to change their password within the 'user channel' edit section.
    If a user logs in through the LDAP authentication, this password utility disappears.
    1 - Is there a way to use this password utility when using LDAP authentication? Is it just a setting somewhere?
    2 - What are you using to change passwords if you are using LDAP authentication? i.e. did you create your own password tool?
    Thanks in advance,
    Jason

    Here's how I did it on 6.0:
    I created a bookmark with these properties:
    Bookmark Name: Change Personal Settings
    URL: /amconsole
    When the user clicks on the bookmark, they have to scroll all the way down to the bottom of the window to find the change password option. After changing the password, the user should close the amconsole window WITHOUT clicking on the logout button. Just kill the window.
    If they click "logout" it will log them out of the Portal Server while leaving the desktop window open. It will look like they are still logged in but they are not. They will have to re-login.

  • Database Table and LDAP Authentication in the same repository?

    I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
    Thanks,
    -Matt

    Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
    1) LDAP "authentication" init block sets custom variable LDAP_USER
    2) Table "authentication" init block sets custom variable TABLE_USER
    3) Final authentication init block (the real one) sets USER variable using something like this:
    SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
                ELSE ':TABLE_USER'
           END
    FROM   DUAL
    WHERE  CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
                ELSE ':TABLE_USER'
           END = ':USER'
    Note how I use the CASE statement both to return the user value I want the USER variable to be set to, and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in two init blocks and it worked fine for me. Give it a try and let me know how it goes.

  • LDAP Authentication / User-Role in a database (Weblogic Security)

    Hi,
    I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
    I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
    According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
    The problem is that it doesn't use LDAP Authentication; it only uses SQL Authentication.
    I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
    Consider I'm using WLS 10.3 and JDeveloper 11g.
    Any suggestions?
    Thanks in advance,
    Olga

    Hi,
    Check the following forum thread.
    Re: custome role maper example
    Regards,
    Kal

  • Web service username and password problems

    Hi,
    I am trying to create a client to consume webservices exposed on a secure .net platform that is SSL protected (https).
    I am using NetBeans 6 with WSIT support. When I create the web service and add the WSDL file, it comes up with the certificate that I then approve, but then just displays an IOException. When I access the WSDL through a browser, it requests a username and password (which I supply) and it works fine.
    I've tried on Netbeans 5.5 but with no luck - it asks for a username and password (at least) but doesn't accept them.
    How can I connect to an https web service that requires a LDAP username and password?
    Thanks,
    Brendan

    I'm guessing that you are trying to call an EBS API and are using FND_WEB_SEC to test that the user account is valid in FND_USER first before executing the API call. In that instance, you'll likely need to use the Oracle Applications Adapter for EBS if you want to authenticate the user through FND_USER.
    If you've not purchased that adapter, you could use a simple BPEL process, with a regular database adapter to firstly call the FND_WEB_SEC package to authenticate. Pass the response from eBS into a BPEL variable, add a BPEL switch based on the outcome of that variable, and either execute the API call or throw an authentication error if the call failed.
    You can wrap all this up into one web service that then calls this BPEL process, taking the username and password as input parameters.
    Phil

  • WebAccess, ldap authentication, grace logins

    GroupWise 2014 SP1. User only logs in to GroupWise via WebAccess.
    GroupWise is using LDAP authentication and eDirectory has a password
    policy in place. The user's password expired. I reset the password
    in eDirectory. But every time she logs into WebAccess, she still gets
    a notice that she has limited grace logins and she still gets prompted
    to change her password. Any suggestions? Or open an SR?
    Ken

    On Wed, 17 Sep 2014 20:38:04 GMT, KeN Etter
    <[email protected]> wrote:
    >GroupWise 2014 SP1. User only logs in to GroupWise via WebAccess.
    >GroupWise is using LDAP authentication and eDirectory has a password
    >policy in place. The user's password expired. I reset the password
    >in eDirectory. But every time she logs into WebAccess, she still gets
    >a notice that she has limited grace logins and she still gets prompted
    >to change her password. Any suggestions? Or open an SR?
    Just got a reply to this on the GroupWise Discussion List. Bouncing
    the post office fixed the problem.
    Ken

  • How to get user attributes from LDAP authenticator

    I am using an LDAP authenticator and identity asserter to get user / group information.
    I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
    Is there an available API to get all the user attributes through the established WebLogic authenticator provider, or do I have to directly connect to the LDAP server again?
    Any help would be appreciated

    Hi Julián,
    in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
    A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
    Hope it helps
    Detlev

  • LDAP authentication in BO XI3.1

    Hi All,
    We are using Bo XI R3.1 with FP 1.6. We are using LDAP authentication and have successfully implemented this in our Production environment. We are in the middle of testing a new LDAP "tree" that will be used in a different environment, and we are finding that the group search is not working correctly.
    It seems that even though we specify the Base LDAP Distinguished Name, BO seems to be ignoring that setting and starting at the LDAP ROOT to search for the group. This is causing an issue because when searching from the root, BO is finding some virtual directories which we don't want it to find.
    We were expecting BO to start searching from the base DN, but it is not. Is that something that should be working?
    For example we have set the Base LDAP Distinguished Name to "ou=mkt,dc=test123,dc=com". But, BO is starting from the top root level instead of searching only in the "mkt" tree
    Thanks in advance for your help.

    When we try to add a new group and run the update, we get this error: "The LDAP server could not complete this action because it requires more than the allowable number of referral hops. Please increase the maximum number of referral hops and click Update. Then, try again"
    I realize there is a setting that controls how many referral hops are used, but even if we set that to a very high number (in the thousands and hundreds of thousands), we still get the same error.
    So, it seems almost like it hits a loop due to the virtual directories.
    I talked with my LDAP team, as they did some tracing when we tried to add a group in. I asked them if what they saw was that BO was "looping". Here is what they are saying:
    "Yes, the BO query is looping. VDS presents a virtual view of the directory that merges in the Top Secret information. The problem is because BO is starting its search at the root of the tree, it is seeing both the original copy of the directory and the virtual copy that VDS presents."
    Thanks,
    V

  • Policy Studio to LDAP Repository with WSS Password Digest for Authn

    Hi,
    We are trying to connect to an external LDAP user repository from OEG for authentication. This is configured via Policy Studio.
    Our services are secured with WSS UsernameToken with password digest.
    However, the list of available Repositories is limited to Local Repositories. I can't see the LDAP repository that I've added. But when I select clear password, then I can see all repositories, including the LDAP repository. Is digest password not supported?
    Hope someone could help!
    Thanks!

    Thanks Patrick! That thread helped. I got the proxy service to use the customized WS-Policy.
    Do you know of any tool to create the password digest given a plain text password? Also, is there any particular algorithm that weblogic uses to store the digest in the authenticator? I am currently using soapUI to act as a client for unit testing purposes. I tried supplying the WSS header with the inbuilt feature of 'Add WSS Username Token' in soapUI. It adds the username, password digest, nonce and created date. However, I get the 'Failed to assert identity with UsernameToken' exception in the log. The request never gets through.
    Edited by: SOAer on Apr 8, 2011 9:07 AM
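The post above asks how a password digest is produced from a plain-text password, and the thread at the top of the page asks why digest authentication is not offered against an external LDAP store. Both come down to the same computation, so here is an added Python example (not code from either thread, and not OSB/OEG/soapUI code) that builds a WS-Security UsernameToken PasswordDigest on the client side and verifies it on the server side; the user store and credentials are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile PasswordDigest = Base64(SHA-1(nonce + created + password)).
    nonce is the raw (Base64-decoded) bytes; created and password are UTF-8 text."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_username_token(username, password, nonce=None, created=None):
    """Client side: the four fields a <wsse:UsernameToken> of Type PasswordDigest carries."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username,
            "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}

class DigestVerifier:
    """Server side. Recomputing the digest needs the user's cleartext (or reversibly
    encrypted) password from the user store. A plain LDAP bind only answers "is this
    password right?" and never returns the password, which is why a stock LDAP
    authenticator cannot check digests and the thread points at DefaultAuthenticator
    or a custom authenticator."""

    def __init__(self, password_lookup, max_skew=timedelta(minutes=5)):
        self._lookup = password_lookup   # username -> cleartext password, or None
        self._max_skew = max_skew
        self._seen_nonces = set()        # replay cache; production needs a TTL on entries

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.fromisoformat(token["Created"].rstrip("Z")).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError, TypeError, AttributeError):
            return False
        if abs(now - created) > self._max_skew:
            return False                 # stale or future-dated Created
        if nonce in self._seen_nonces:
            return False                 # replayed nonce
        password = self._lookup(token.get("Username"))
        if password is None:
            return False                 # unknown user, same outcome as a bad digest
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), str(token.get("PasswordDigest", "")).encode()):
            return False
        self._seen_nonces.add(nonce)
        return True

def demo():
    """Run the checks against a constructed in-memory user store (sample data, not a real store)."""
    users = {"alice": "s3cret-Pa55"}
    verifier = DigestVerifier(users.get)
    token = build_username_token("alice", users["alice"])
    results = {"accepted": verifier.verify(token),
               "replay_rejected": not verifier.verify(token)}
    wrong = build_username_token("alice", "not-the-password", created=token["Created"])
    results["wrong_password_rejected"] = not DigestVerifier(users.get).verify(wrong)
    stale = build_username_token("alice", users["alice"], created="2011-01-01T00:00:00Z")
    results["stale_rejected"] = not DigestVerifier(users.get).verify(stale)
    return results

if __name__ == "__main__":
    print(demo())
```

A client such as soapUI sends the Nonce field Base64-encoded, so the server must decode it before hashing; hashing the encoded text instead is a common cause of a digest mismatch.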

  • Solaris 10 and LDAP Authentication

    We're trying to use LDAP authentication with Solaris 10 accounts and Sun One Java System Directory Server 5.2, where there won't be any /etc/passwd or /etc/group user entries (only entries for system accounts). The Sun One Java System Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
    I first ran the "idsconfig" utility to set up the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
    My next step is initializing the LDAP client. Then configure the pam.conf file to use pam_ldap. Finally, import all the users into LDAP with the required ObjectClasses and attributes for the authentication process (posixAccount, shadowAccount etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do. All of our users' paths will be under /export/home/username.
    Am I missing any steps?
    Does anyone have a step-by-step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords and automounts for each user?
    Message was edited by:
    automount

    You may follow:
    http://web.singnet.com.sg/~garyttt/
    http://projects.alkaloid.net/content/view/15/26/
    http://blogs.sun.com/roller/resources/raja/ldap-psd.html
    http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
    http://www.thebergerbits.com/unix.shtml
    http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
    http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
    http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
    (LDAP related docs)
    Gary

  • Ical "authentication failed. your username and password were rejected by the server"

    I've a pretty busy server, fully configured with correct DNS.
    Running 10.6.8, up to date. I've stopped the iCal service, and removed it from the server settings.
    Then I created a folder on my RAID /volumes/raid/ical, set its ownership to _calendar:_calendar (uid 93), rwx,rx,-
    Then added the iCal service back, and set the data store to this new folder.
    Authentication is set to digest (to reduce potential Kerberos errors), with SSL on.
    I then started the service.
    An existing user CANNOT connect to the CalDAV server. I get the error: iCal "authentication failed. your username and password were rejected by the server".
    If I create a NEW user, that user can correctly connect to the CalDAV server. On first joining, an entry is created in the __uids__ folder and the calendar works.
    SO. WHAT IS GOING ON?
    This is 10.6, so I do not have an option in WGM to 'enable calendaring'. I've used the inspector to check for differences, but I can't see any.
    Help. Please. And no comments about DNS. The fact I can get a new user to function means that is excluded. No comments about SSL. Ditto. No comments about Kerberos, it's turned off. Thanks.

    I often think of things in terms of the time it takes to figure out the solution to the problem vs the time it takes to nuke and pave.
    Dare I ask... How many users would you have to remake?
    150 users would probably take 2 hours to recreate?
    ...Have you spent 2 hours on this problem yet? How about 4 or 6?
    Perhaps you could have typed up 450 remade users so far!
    I have a great idea as to how to change ownership of home folders to users after they're created.
    Thoughts on the problem... (but don't spend too much time on it!)
    What about crypt vs Open Directory password?
    In WGM, select the user, click the Advanced tab, and ensure that your users have OD-based passwords.
    ...Sometimes that pull-down menu displays OD, but it's not really. Try selecting OD, retype the password there, and save.
    See if it works.
    What about in Server Admin... Select the server in question, click the Access button at the top.
    Ensure that your services are allowed for all users to use the iCal service.
    In the iCal service in Server Admin...
    Host name setting? It's a stretch as new users seem to work. Ensure it's correct?
    For the sake of argument... Change authentication type to Any Method... If you're running OD on the server, Kerberos is running. I know that certain services require it even though you have the option. Perhaps iCal is being finicky without it?
    I apologize if you've tried all these, but as a user forum, you'll typically get users that don't believe that you've tried the basics. It's honestly the best place to start. Seeing as we don't know what you've done, it's the best advice you'll get.
    HTH
    -Graham
