LDAP realm for authentication and ACL in Database

We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use LDAP realm for authentication and manage our ACL from a Database? Or do we have to use the weblogic.properties file? Does the WebLogic security API help in the above scenario?
Thanks
Ram

Unfortunately, there is no easy way to do this in wls 6.0.
The only way to handle it is to write your own custom realm
that uses ldap for users and groups and a database for acls -
probably not a viable alternative.
-Tom
"kevin doherty" <[email protected]> wrote:
> Jeffrey Hirsch <[email protected]> wrote:
> > You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
> I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
> Thanks!
> -kd

Similar Messages

  • Shell Script  for Startup and Shutdown the database

    Hi,
    I want a shell script for startup and shutdown of the database in Solaris.
    Could anyone help me with where I can get this script, or send it to me at [email protected]
    Thanks & Regards,
    Gangi reddy

    SHUTDOWN
    SHUTDOWN [ABORT | IMMEDIATE | NORMAL | TRANSACTIONAL [LOCAL]]
    Shuts down a currently running Oracle instance, optionally closing and dismounting a database.
    Terms
    Refer to the following list for a description of each term or clause:
    ABORT
    Proceeds with the fastest possible shutdown of the database without waiting for calls to complete or users to disconnect.
    Uncommitted transactions are not rolled back. Client SQL statements currently being processed are terminated. All users currently connected to the database are implicitly disconnected and the next database startup will require instance recovery.
    You must use this option if a background process terminates abnormally.
    IMMEDIATE
    Does not wait for current calls to complete or users to disconnect from the database.
    Further connects are prohibited. The database is closed and dismounted. The instance is shutdown and no instance recovery is required on the next database startup.
    NORMAL
    NORMAL is the default option which waits for users to disconnect from the database.
    Further connects are prohibited. The database is closed and dismounted. The instance is shutdown and no instance recovery is required on the next database startup.
    TRANSACTIONAL [LOCAL]
    Performs a planned shutdown of an instance while allowing active transactions to complete first. It prevents clients from losing work without requiring all users to log off.
    No client can start a new transaction on this instance. Attempting to start a new transaction results in disconnection. After completion of all transactions, any client still connected to the instance is disconnected. Now the instance shuts down just as it would if a SHUTDOWN IMMEDIATE statement was submitted. The next startup of the database will not require any instance recovery procedures.
    The LOCAL mode specifies a transactional shutdown on the local instance only, so that it only waits on local transactions to complete, not all transactions. This is useful, for example, for scheduled outage maintenance.
    Usage
    SHUTDOWN with no arguments is equivalent to SHUTDOWN NORMAL.
    You must be connected to a database as SYSOPER, or SYSDBA. You cannot connect via a multi-threaded server. For more information about connecting to a database, see the CONNECT command earlier in this chapter.
    http://download-west.oracle.com/docs/cd/B10501_01/server.920/a90842/ch13.htm#1013607
    Joel Pérez

  • How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?

    Hi,
    How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?
    /SaiTech

    Hi SaiTech,
    Kerberos will be selected by default in an AD domain. The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM.
    Please also note that you may have to take some other steps as well to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
    Refer to:
    WINRM kerberos & Negotiate
    Authentication for Remote Connections
    In addition, you can also use Network Monitor to check the authentication method.
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    TechNet Community Support

  • How do you use an external MIT Kerberos realm for authentication in 10.4?

    Does anyone have experience with OS X Server 10.4.x Open Directory and using a "third-party" KDCs for authentication?
    I have four 10.4.5 XServes that form a SAN (Xsan). I am using a common Open Directory domain that consists of about 100 users to manage access to the SAN file space. I have one of the servers set up as OD master and a second as a failover.
    My university has a kerberos realm that includes all university staff and students. I would like to use that KDC for authentication, not create my own KDC on the OD Master.
    The SAN is only being used to support network file services, not as work stations. The users are going to mount file space on their local machines through AFP, Samba, or via ssh at the command line.
    All of the users' short names are identical to their principal names in the University kerberos realm.
    All of the Apple documentation assumes that in the OD Master will be the KDC for the OD, and part of the setup involves starting up the Kerberos KDC on the OD master system. There is mention of using any MIT Kerberos KDC, but I cannot for the life of me find where that is documented.
    I have tried using the Server Admin interface and the "Join Kerberos . . . " tool, but when I enter the principal and password, the realm name and the DNS of the KDC it always fails with "error creating the keytab file."
    I have also tried just putting a valid edu.mit.kerberos file in /Library/Preferences and creating a keytab file in the realm I want to join, and putting that at /etc/krb5.keytab in each of the servers in OD domain, but that doesn't seem to work, either.
    Has anyone else been successful doing this with OS X Server 10.4.x?

    > Leland,
    > Thanks for your suggestions. I need a little more guidance though. Can you explain how to do step one?
    > > 1) on your OD Master, using workgroup manager edit the KerberosClient record and add the correct kdc info to the XMLPlist attribute.
    > Is this done on the "Inspector" tab of the Work Group manager for the user record for the principal that is in the KDC? Exactly which key value pair do I need to edit?
    No, use the "Inspector" tab to look at config records, you will find the KerberosClient & KerberosKDC records in that list.
    Select the XMLPlist attribute and edit it.
    Look for the realms dictionary and either replace the existing entry with the correct realm info or add a new entry for the realm.
    The important keys are KADM_List & KDC_List.
    You should also look at the domain_realm dictionary and make sure that also has the correct info.
    Look at the kerberos admin guide at
    <http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-admin/krb5.conf.html#krb5.conf>
    for an idea of what the sections mean.
    > > 2) from the command line on a server run (as root):
    > > sso_util configure -r FOO.EDU -a kdcadmin -p kdcadmin_pw -v 4 all
    > I would do this on each server in the OD, correct?
    Yes, this step creates the service principals for the servers in the kdc, exports the info to the local keytab, and configures the services to use kerberos (so that they know their service principals).
    > > you might need to modify the AuthenticationAuthority entry for each user to point at the proper realm.
    > Is this also done in the "Inspector" tab for each user's record in Work Group Manager?
    Yes
    > Thanks again for the suggestions.
    Glad to be able to help
    - Leland
    DP G4   Mac OS X (10.4.2)  

  • Use different portals for authentication and collaboration

    Hello,
    I would like to request your help on a portal issue.
    I have installed a dual stack(ABAP+Java) Enterprise Portal (EP 6 - NW 7).
    The  ABAP stack is required in order to implement user collaboration.
    However, another requirement is that the users be authenticated through
    an LDAP server (Microsoft Active Directory 2008).
    Because of the ABAP stack, it is not possible to connect the portal to the LDAP.
    In order to implement LDAP authentication, another EP instance was installed on the
    same machine which has only Java stack and not ABAP.
    This Java-only EP was successfully connected to the LDAP directory.
    My question is IF and HOW it is possible to have the users login to the ABAP+Java portal
    using the Java-only portal to authenticate.
    Regards,
    Kontogianni Eleni

    Hi Craig,
    this is not really our case. What we want to achieve is to be able to use one portal (Java only) for user authentication using the LDAP directory and the other one for all other portal services.
    We tried to implement a solution similar to the one that you mentioned but there were some problems. We would have to redirect the login page of the ABAP+Java portal to the login page of the Java-only portal. Also the Java only portal logon page would have to redirect to the other portal after successful login.
    It would require a great deal of programming in order for the users to be able to work in one portal and be redirected to the other portal and back only for authentication.
    The solution of federated portals seems more feasible.
    Regards,
    Eleni

  • LDAP failing for iPrint and iFolder after new CA created

    Last week we replaced our Certificate Authority as it was due to expire yesterday (Monday). It was currently running on a fully patched Netware 6.5 server and we took the decision to move it to a SLES 11 SP 2 OES 11 server and re-create all the certificates - following Option 2 for TID 3618399.
    We re-ran PKIDIAG on the Novell server and tckeygen, and restarted and everything seemed fine - Groupwise (8) webaccess and the PO using ldap auth were working. But this morning we've discovered that ldap is failing to do secure binds for iprint secure printers and iFolder. We see this error message in the log screen:
    >11:45:44 11:45:44 ldap *MASTER[xxxx.our-domain.com] connection restored
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][0] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][1] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][2] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][3] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][4] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][5] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][6] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][7] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 ldap iFolder_ldap01[xxxx.our-domain.com] connection restored
    >11:46:41 11:46:41 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind: Can't contact LDAP server(81)
    >11:46:41 11:46:41 ldap iFolder_ldap01[xxxx.our-domain.com] down
    >11:46:41 11:46:41 ldap *MASTER[xxxx.our-domain.com] down
    and in the apache error log we see:
    [Tue Aug 27 11:30:08 2013] [error] [client 10.0.0.43] no acceptable variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var
    [Tue Aug 27 11:30:08 2013] [warn] [client 10.0.0.43] [10] auth_ldapdn authenticate: user bob authentication failed; URI /ipps/Ricoh [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    Nothing else was changed other than creating a new CA (on a new server), removing the old one from eDirectory and generating the new certificates. If we use a web browser to the server to check the certificate we see that the CA cannot be validated as it is internal and not a publicly trusted one, but IIRC the old CA did the same.
    PKIDiag and SDIDiag report no issues. The only thing I can imagine that could be causing the issue is the fact the CA is no longer on the same server hosting iFolder and iPrint. Both servers host eDirectory and are part of the same replica ring, they can communicate and also time is synchronised.
    Any ideas?
    Mark.

    Thanks for the quick response, I followed your trace settings above and here are the results:
    LDAP: [2013/08/27 12:42:12.701] Monitor 0x1ba terminating
    LDAP: [2013/08/27 12:42:12.798] Listener closing cleartext port 389
    LDAP: [2013/08/27 12:42:12.798] Listener closing TLS port 636
    LDAP: [2013/08/27 12:42:12.798] Listener closing connectionless port 389
    LDAP: [2013/08/27 12:42:12.802] Removing TLS module dependencies
    LDAP: [2013/08/27 12:42:12.802] Removing SASL module dependencies
    LDAP: [2013/08/27 12:42:12.907] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) stopped
    LDAP: [2013/08/27 12:42:18.17] NDS attribute "staticMember" does not exist, mapping ignored
    LDAP: [2013/08/27 12:42:18.21] Duplicate LDAP class name: "alias" (ignored)
    LDAP: [2013/08/27 12:42:18.98] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) started
    LDAP: [2013/08/27 12:42:18.98] Updating server configuration
    LDAP: [2013/08/27 12:42:18.98] Work info status: Total:2 Peak:2 Busy:0
    LDAP: [2013/08/27 12:42:18.98] Thread pool status: Total:2 Peak:2 Busy:2
    LDAP: [2013/08/27 12:42:18.218] Listener applying new configuration
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldap://:389
    LDAP: [2013/08/27 12:42:18.218] Listener setting up cleartext port 389
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldaps://:636
    LDAP: [2013/08/27 12:42:18.218] Listener setting up TLS port 636
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: cldap://:389
    LDAP: [2013/08/27 12:42:18.218] Listener setting up connectionless port 389
    LDAP: [2013/08/27 12:42:18.218] TLS EXPORT ciphers or higher required for TLS connections
    LDAP: [2013/08/27 12:42:18.219] TLS initialization sucessfully completed
    LDAP: [2013/08/27 12:42:18.315] TLS configured successfully
    LDAP: [2013/08/27 12:42:18.327] Adding SASL module dependencies
    LDAP: [2013/08/27 12:42:18.329] SASL initialized successfully
    LDAP: [2013/08/27 12:42:18.329] SASL configured successfully
    LDAP: [2013/08/27 12:42:22.286] Created new monitor 0x0
    LDAP: [2013/08/27 12:42:22.286] Monitor 0x20b started
    LDAP: [2013/08/27 12:42:22.287] TLS accept failure 1 on connection 0xa284e160, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:42:22.287] TLS handshake failed on connection 0xa284e160, err = -5875
    LDAP: [2013/08/27 12:42:22.287] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:17.861] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:17.861] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:17.861] Bind name:cn=admin,o=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:17.863] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:18.921] DoUnbind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:18.921] Preempting operation 0x0:0x0 on connection 0xa284e160 before processing because connection is closing
    LDAP: [2013/08/27 12:43:19.904] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.905] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.905] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] DoUnbind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.907] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.907] DoBind on connection 0xa284e2c0
    LDAP: [2013/08/27 12:43:19.907] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.908] Sending operation result 0:"":"" to connection 0xa284e2c0
    LDAP: [2013/08/27 12:43:19.908] DoBind on connection 0xa284e420
    LDAP: [2013/08/27 12:43:19.908] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.909] Sending operation result 0:"":"" to connection 0xa284e420
    LDAP: [2013/08/27 12:43:19.909] DoBind on connection 0xa284e580
    LDAP: [2013/08/27 12:43:19.909] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e580
    LDAP: [2013/08/27 12:43:19.910] DoBind on connection 0xa284e6e0
    LDAP: [2013/08/27 12:43:19.910] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e6e0
    LDAP: [2013/08/27 12:43:19.911] DoBind on connection 0xa284e840
    LDAP: [2013/08/27 12:43:19.911] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.911] Sending operation result 0:"":"" to connection 0xa284e840
    LDAP: [2013/08/27 12:43:19.912] DoBind on connection 0xa284e9a0
    LDAP: [2013/08/27 12:43:19.912] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.912] Sending operation result 0:"":"" to connection 0xa284e9a0
    LDAP: [2013/08/27 12:43:19.913] DoBind on connection 0xa284eb00
    LDAP: [2013/08/27 12:43:19.913] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.913] Sending operation result 0:"":"" to connection 0xa284eb00
    LDAP: [2013/08/27 12:43:19.923] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.923] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.923] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.925] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.925] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.925] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.926] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.926] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.926] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.927] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.927] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.927] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.929] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.929] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.929] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.930] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.930] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.930] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.932] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.932] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.932] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.933] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.933] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.933] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:19.934] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.934] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.934] BIO ctrl called with unknown cmd 7
    I'm now pretty sure that the cert is being invalidated because the new CA is not trusted by the old server. Strange that PKIDiag has no problems with it. So really looking for a way to authorise a CA for ldap secure I think.
    I can connect to the server over ldaps (port 636) using Softerra Ldap browser from my PC, again I get the certificate not valid as we have the internal CA authorising it, but you can accept the certificate and authenticate fine and use LDAP.
    BR,
    Mark.
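
The trace in the post above shows the same TLS alert on every failed handshake. The following is an added example, not part of the original thread and not Novell tooling: it parses a trace in that format and reports which alert ended each handshake, which side raised it, and which bind identities appear. The function names are this example's own, the sample lines are copied from the trace above, and it assumes that an alert reported from OpenSSL's SSL3_READ_BYTES was received from the connecting client.

```python
import re
from collections import Counter

# Lines copied from the eDirectory LDAP trace quoted in the post above.
SAMPLE_TRACE = '''\
LDAP: [2013/08/27 12:42:18.218] Listener setting up TLS port 636
LDAP: [2013/08/27 12:42:22.287] TLS accept failure 1 on connection 0xa284e160, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2013/08/27 12:42:22.287] TLS handshake failed on connection 0xa284e160, err = -5875
LDAP: [2013/08/27 12:43:17.861] DoBind on connection 0xa284e160
LDAP: [2013/08/27 12:43:17.861] Bind name:cn=admin,o=xxx, version:3, authentication:simple
LDAP: [2013/08/27 12:43:17.863] Sending operation result 0:"":"" to connection 0xa284e160
LDAP: [2013/08/27 12:43:19.904] DoBind on connection 0xa284e160
LDAP: [2013/08/27 12:43:19.905] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
LDAP: [2013/08/27 12:43:19.923] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2013/08/27 12:43:19.923] TLS handshake failed on connection 0xa284ec60, err = -5875
LDAP: [2013/08/27 12:43:19.925] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
'''

LINE = re.compile(r"^LDAP: \[(?P<ts>[\d/]+ [\d:.]+)\] (?P<msg>.*)$")
TLS_FAIL = re.compile(
    r"TLS accept failure \d+ on connection (?P<conn>0x[0-9a-fA-F]+), "
    r"setting err = (?P<err>-?\d+)\. Error stack: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>\w+):(?P<reason>.+?) - SSL alert number (?P<alert>\d+)")
DO_BIND = re.compile(r"DoBind on connection (?P<conn>0x[0-9a-fA-F]+)")
BIND_NAME = re.compile(
    r"Bind name:(?P<dn>.*), version:(?P<ver>\d+), authentication:(?P<method>\w+)")

# TLS alert descriptions (RFC 5246) that concern certificate validation.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
CERT_REJECTED = set(ALERTS.values()) - {"handshake_failure"}


def parse_trace(text):
    """Turn trace lines into TLS-alert and bind events."""
    events, bind_conn = [], None
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        ts, msg = line["ts"], line["msg"]
        if (t := TLS_FAIL.search(msg)):
            number = int(t["alert"])
            events.append({"type": "tls_alert", "ts": ts, "conn": t["conn"],
                           "alert": number,
                           "alert_name": ALERTS.get(number, "unknown"),
                           # Assumption: SSL3_READ_BYTES means the alert was read
                           # from the peer, i.e. sent by the connecting client.
                           "from_peer": t["func"] == "SSL3_READ_BYTES"})
        elif (b := DO_BIND.search(msg)):
            bind_conn = b["conn"]  # the "Bind name" line that follows has no id
        elif (n := BIND_NAME.search(msg)):
            events.append({"type": "bind", "ts": ts, "conn": bind_conn,
                           "dn": n["dn"], "method": n["method"]})
    return events


def summarize(events):
    """Count alerts per (connection, alert, direction) and binds per (DN, method)."""
    alerts = Counter((e["conn"], e["alert_name"], e["from_peer"])
                     for e in events if e["type"] == "tls_alert")
    binds = Counter((e["dn"], e["method"]) for e in events if e["type"] == "bind")
    return alerts, binds


def findings(events):
    """Human-readable conclusions a responder can act on."""
    alerts, binds = summarize(events)
    totals, conns = Counter(), {}
    for (conn, name, from_peer), count in alerts.items():
        totals[(name, from_peer)] += count
        conns.setdefault((name, from_peer), set()).add(conn)
    out = []
    for key, count in sorted(totals.items()):
        name, from_peer = key
        who = "received from the connecting client" if from_peer else "raised locally"
        msg = (f"{count} handshake(s) failed with {name}, {who}, "
               f"on {len(conns[key])} connection(s)")
        if from_peer and name in CERT_REJECTED:
            msg += ("; the client rejected the certificate this server presented, "
                    "so check the issuing CA in the client's trust store")
        out.append(msg)
    for (dn, method), count in sorted(binds.items()):
        out.append(f"{count} {method} bind(s) as {dn}")
    return out


if __name__ == "__main__":
    for finding in findings(parse_trace(SAMPLE_TRACE)):
        print(finding)
```
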

  • MAC OS 10.9   some users cannot print to new Ricoh MP C6502   print job is holding for authentication and cannot figure out why

    I have a few iMac and G5 users who have OS10.9 who cannot print to a new Ricoh MP C6502. I downloaded and installed the new PS driver and it works on some systems, but I have 3 people for whom it goes right to Hold for Authentication. I tried deleting everything associated with this in keychain access, and after I did this it comes up to enter a password and it accepts the network login credentials but still holds the print job. I even tried using guest as login and password as someone suggested but still cannot print. Any ideas on why?

    I apologize for the delay in responding to you.  I was on the road all day yesterday.
    OK.  I switched the printer's Ethernet cable to a Linksys Switch (Model EZX S55W) that's part of this local network.  That did not work.  I swapped out the cable for one that I know works.  Still no change.  I switched the printer's Ethernet cable directly to a port on the router.  No change.  I even swapped cables here, too, but no success.
    As I was doing all this, I was wondering: When I select the HP P1606dn printer in the Print and Fax "Add" dialog box, (see the image below) and the Print Using pulldown menu displays "Please select a driver or printer model" and the message "Searching for new drivers" appears under it (with the spinning wheel), why is it that the Ethernet connection to printer is critical to "finding" a new (printer) driver?
    Isn't the utility searching through my system and libraries looking for a printer driver app for the printer that I identified/selected in the dialog box?  
    After all, if the dialog box lists the printer among those to choose from, hasn't the utility already discovered the printer via the Ethernet connection?

  • How to configure Netscape LDAP realm for WLS6.1

    I've installed NDS 3.1 on my machine & created users & groups using Netscape admin console.
    dn='uid=abc,ou=AMITOrg,o=Airius.com'
    What information should be entered in the 'Properties' of V2 LDAP realm?
    Where should I specify server, port of my NDS?
    Please let me know the sample settings.
    Thanks & regards,
    Amit

    Which version of Netscape Directory Server ?
    NDS development stopped several years ago.
    Regards,
    Ludovic.

  • Multiple LDAP directories for authentication

    Hi,
    I just upgraded to GroupWise 2014 (from 2012). In GW2012 I used LDAP authentication against eDir. In GW2014, I associated the GW mailboxes to Active Directory. I tested a few accounts and I can login just fine. However I also have mailboxes that have to authenticate to eDir, because (for now) they don't have AD equivalent accounts.
    To achieve this, I also added the eDirectory as a directory in the GW admin console. I then enabled LDAP authentication in the Post Office security settings, without adding the "Available LDAP Servers" to the "Selected LDAP Servers" box.
    When I logon to a mailbox that is associated to eDir, it allows me to logon. I do have a mailbox that doesn't allow me to logon, although it is associated to eDir. When I re-associate (remove-add) it, it works for a while only to stop working again. It's not entirely stable.
    In the POA log, I see the following message: Alert: Utilize LDAP server which is not in the pool configuration! So it would seem it doesn't particularly like my setup.
    Questions:
    * Is what I'm trying to achieve not supported or am I configuring it wrong?
    * If I add the "Available LDAP Servers" to the "Selected LDAP Servers" box will it use it a failover pool and thus mess up my mixed-directory authentication?
    * Is it possible to use GroupWise authentication for some mailboxes and AD authentication for others. If so, it would take away the need to use eDir.
    Iwan

    It's not an error, just informational. The LDAP AUTH code for the POA has changed somewhat in 2014. Before, it used to only use LDAP servers in a pool, but now, it will first try any LDAP servers/directories in its "Preferred list", but if it cannot find the user using that list, it will then proceed to try all other LDAP servers that are configured.
    --Morris
    >>> iwan<[email protected]> 1/9/2015 5:16 AM >>>
    Hi,
    I am able to authenticate to AD and edir within the same PO. I would like
    to phase out edir as maintaining two directories is not ideal. The only
    reason I still use edir is for those few GW accounts that do not have AD
    counterparts and for which I do not want to create AD accounts. So using
    LDAP(AD) together with GW auth would be ideal for me. I'll look into
    creating a second PO for this purpose.
    I just wonder why the POA log keeps displaying the following message, if
    having multiple directories in a single PO is supported: "Utilize LDAP
    server which is not in the pool configuration!"
    Iwan

  • Sample Security realm for OpenLDAP and WLS7

    Hello,
    I would like to set up WLS 7 so it uses the Oracle implementation of OpenLDAP.
    I am looking for a Custom Security Provider for OpenLDAP for WLS7. I cannot use
    the embedded LDAP as it does not allow me to programmatically create new users.
    If anyone has a sample implementation, please send it to me. I would really appreciate
    it.
    Thanks
    Gavin

    It is possible to create new users programmatically in embedded LDAP. Here
    is an example:

    package test.jmx;

    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.AuthenticationException;
    import javax.naming.CommunicationException;
    import weblogic.jndi.Environment;
    import weblogic.management.*;
    import weblogic.management.security.authentication.*;
    import weblogic.security.providers.authentication.*;
    import javax.management.*;
    import weblogic.management.configuration.*;
    import weblogic.management.runtime.*;
    import java.util.*;

    public class Test {
        public static void main(String[] args) {
            String url = "t3://localhost:7001"; // URL of the Administration server
            // Sample administrator credentials; replace with your own
            String username = "weblogic";
            String password = "weblogic";
            MBeanHome home = null;
            SecurityConfigurationMBean conBean;
            weblogic.management.security.RealmMBean realmBean;
            AuthenticationProviderMBean[] authBeans;
            DefaultAuthenticatorMBean defBean = null;
            try {
                // Connect to the Administration server and look up the MBeanHome
                Environment env = new Environment();
                env.setSecurityPrincipal(username);
                env.setSecurityCredentials(password);
                env.setProviderUrl(url);
                Context ctx = env.getInitialContext();
                home = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
                System.out.println("Got the MBeanHome: " + home);
                System.out.println("\n\n");

                // Find the security configuration and the default realm of the domain
                WebLogicObjectName objName = new WebLogicObjectName(
                    "mydomain:Name=mydomain,Type=SecurityConfiguration");
                conBean = (SecurityConfigurationMBean) home.getMBean(objName);
                System.out.println("Security configuration MBean: " + conBean);
                System.out.println("\n\n");
                realmBean = conBean.findDefaultRealm();
                System.out.println("Got the default realm: " + realmBean);
                System.out.println("\n\n");

                // The default authenticator is not guaranteed to be the first
                // provider in the list, so look for it by type
                authBeans = realmBean.getAuthenticationProviders();
                for (int i = 0; i < authBeans.length; i++) {
                    if (authBeans[i] instanceof DefaultAuthenticatorMBean) {
                        defBean = (DefaultAuthenticatorMBean) authBeans[i];
                        break;
                    }
                }
                if (defBean == null) {
                    throw new IllegalStateException(
                        "No DefaultAuthenticatorMBean in the default realm");
                }

                // Create the user in the embedded LDAP: name, password, description
                defBean.createUser("test", "weblogic", "just a test of wls70 security");
                System.out.println("\ncreate successfully!");
                System.out.println("\n\n");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    "Gavin" <[email protected]> wrote in message
    news:[email protected]...
    > Hello,
    > I would like to set up WLS 7 so it uses the Oracle implementation of OpenLDAP.
    > I am looking for a Custom Security Provider for OpenLDAP for WLS7. I cannot use
    > the embedded LDAP as it does not allow me to programmatically create new users.
    >
    > If anyone has a sample implementation, please send it to me. I would really appreciate
    > it.
    > Thanks
    > Gavin

  • LDAP protection for JSP and Servlets

    Environment: WL 5.1 sp 8 on Solaris 7
    Question: I want to use LDAP Security on my site. Does Weblogic only utilize LDAP
    for servlets. What about my JSP files? And no, I can't protect just a directory
    with iPlanet Web Server because my JSP files are all over my directories and my
    servlets are in my /servlets directory. I need security on some of the jsp files.
    how would I accomplish this?

    > Hello
    > What do I install in order to create and use .jsp's
    > and servlets and jdbc connectivity as well? Is it
    > J2SE or J2EE.
    The answer is "Yes."
    In order to use J2EE, you need J2SE. If you do not feel comfortable with J2SE and programming Java in general (as is suggested by not being able to differentiate between J2SE and J2EE and how to download one/both), J2EE may be a bit complex to get started with.
    My suggestion:
    1) Start Here: http://java.sun.com/learning/new2java/index.html
    2) Download J2SE: http://java.sun.com/j2se/1.5.0/download.jsp choose the JDK 5.0 Update 3
    3) Do a beginners Java Tutorial: http://java.sun.com/docs/books/tutorial/index.html
    4) Read a book, try a lot, get comfortable doing it.
    Then Choose the JDBC:
    http://java.sun.com/docs/books/tutorial/jdbc/index.html
    Then, only after being comfortable in how Java and JDBC work, move to J2EE
    1) Download a Server (examples):
    Full J2EE implementation: J2EE Software Development Kits (SDK)
    Servlet/JSP Engine (Tomcat): http://jakarta.apache.org/site/downloads/downloads_tomcat-5.cgi
    There are others, Tomcat is fairly popular.
    2) Read the server's documentation thoroughly
    3) Read a J2EE tutorial: http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html
    Note: depending on your server, the above tutorial may only be partially relevant.
    The download section is overwhelming
    and confusing to me :(
    Thanks for any guidance.

  • User and group handling in LDAP Realm

    Hi,
    I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
    I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
    Any help much appreciated.
    Dave

    Hi Dave:
    In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication logic and user management logic.
    Fun
    Dave Horner wrote:
    Hi,
    I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
    I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
    Any help much appreciated.
    Dave

  • LDAP realm in Weblogic

    I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal (kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file:
    weblogic.allow.execute.weblogic.servlet.helloWorld=\
    kevink, cambridge
    I have also created the LDAPRealm.properties file in my weblogic home directory.
    When I start weblogic with the LDAP debug mode on, I get the following messages:
    Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal
    ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - ignoring principal
    Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
    ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
    Any ideas to solve this problem are welcome.
    Ram
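When the realm drops ACL principals like this, it helps to know which ACLs are left with no resolvable principal at all. The following is an added example (not from the post and not WebLogic code) that cross-references `weblogic.allow.*` entries with the CachingRealm warnings quoted above. The sample input is constructed, and the key layout `weblogic.allow.<permission>.<ACL name>` is an assumption taken from the single entry in the post.

```python
import re

# Constructed sample input, modelled on the entry and warnings quoted in the post.
PROPERTIES = r"""
weblogic.allow.execute.weblogic.servlet.helloWorld=\
    kevink, cambridge
weblogic.allow.execute.weblogic.servlet.status=system
"""
LOG = """\
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
"""

WARNING = re.compile(r'ACL "([^"]+)" contains non[- ]*existent principal "([^"]+)"')
# Assumed key layout, taken from the one entry in the post: weblogic.allow.<permission>.<ACL name>
ALLOW_KEY = re.compile(r"^weblogic\.allow\.([^.]+)\.(.+)$")

def parse_acls(text):
    """Return {(acl, permission): [principals]} from weblogic.allow.* entries."""
    folded = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    acls = {}
    for line in folded.splitlines():
        key, sep, value = line.strip().partition("=")
        m = ALLOW_KEY.match(key.strip())
        if sep and m:
            acls[(m.group(2), m.group(1))] = [p.strip() for p in value.split(",") if p.strip()]
    return acls

def ignored_principals(log_text):
    """Return {acl: {principals}} that CachingRealm reported as ignored."""
    ignored = {}
    for acl, principal in WARNING.findall(log_text):
        ignored.setdefault(acl, set()).add(principal)
    return ignored

def audit(properties_text, log_text):
    """Per ACL: principals with no warning against them versus those dropped."""
    ignored = ignored_principals(log_text)
    report = []
    for (acl, permission), principals in sorted(parse_acls(properties_text).items()):
        dropped = [p for p in principals if p in ignored.get(acl, ())]
        effective = [p for p in principals if p not in dropped]
        report.append({"acl": acl, "permission": permission,
                       "effective": effective, "dropped": dropped})
    return report

if __name__ == "__main__":
    for row in audit(PROPERTIES, LOG):
        note = "ok" if row["effective"] else "no principal resolved"
        print(row["acl"], row["permission"], row["effective"], row["dropped"], note)
```

An ACL reported with an empty `effective` list means every principal named in the properties file was unknown to the realm at startup, which points at the realm lookup (user and group DNs, attribute names) rather than at the ACL entry itself.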

    Yep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
    in the weblogic console, under the Security->Groups tab on the frame to the left.
    Keep in mind that you will not see users from your LDAP server under the Security->Users
    tab. This is expected behavior. But if you see the groups, then you've most likely hooked
    up the LDAP realm the right way ...
    Joe Jerry
    Vishwanath Kumar wrote:
    Hello Kumar,
    I am attaching a small portion of config.xml which contains LDAP settings . Please change
    this according to your LDAP server configuration and test it . I hope this should help
    you out.
    You also need to create a caching realm and then hook up that caching realm to this LDAP
    realm .
    For more information this URL should be helpful:
    http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
    here is portion of config.xml
    <LDAPRealm AuthProtocol="simple" Credential="dropdead"
    GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
    GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
    LDAPURL="ldap://mmanson:389"
    Name="defaultLDAPRealmForNetscapeDirectoryServer"
    Notes="This is provided as an example. Before enabling this Realm, you must edit
    the configuration parameters as appropriate for your environment."
    Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
    UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
    UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
    kumar wrote:
    Hi,
    I have tried to configure LDAP realm in weblogic, but I think it is not configured
    correctly. And I don't know how to test it. Can anybody send me the sample config.xml
    having LDAP realm configured correctly. Please send me a sample program to access
    LDAP realm via weblogic.
    Thx--
    Vishwanath Kumar
    Developer Relations Engineer
    BEA Systems, Inc.

  • Trying to setup a LDAP Realm

    I'm running WLS6.0 SP2 and I'm trying to set up an LDAP realm to talk to an openldap
    server. I'm on Win2k and have it installed as a service.
    I can connect to the server via an ldap browser, and I have a user in the ldap
    tree with a clear text password.
    I created an LDAP realm but I can't find where to configure WebLogic to use that
    LDAP realm for authentication.
    thanks
    joe

    I guess they don't use the LDAP Realm in Weblogic, you should create your custom
    realm that accesses AD and returns user/group enumerations, acl's, etc...
    I'm able to access AD using jdk1.4, and I have my custom realm, the only
    problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas,
    because it didn't support kerberos authentication. A more complete jaas is included
    in jdk1.4
    Regards,
    Marc
    "Roy Cornell" <[email protected]> wrote:
    Great news, Scott. I hope you don't mind answering the three questions
    below:
    1. Which LDAP realm ***version*** did you use: V1 or V2?
    2. Which LDAP realm type did you specify during the configuration: "MS Site Server" or other?
    3. Did you encounter any problems during the integration?
    Thanks a lot.
    Roy
    "Scott Harger" <[email protected]> wrote in message
    news:3b794a7c$[email protected]..
    We have been able to get the LDAP realm (6.0 SP1) to work with Active Directory.
    Scott
    "Roy Cornell" <[email protected]> wrote in message
    news:3b72eb32$[email protected]..
    I've got the same question (posted it yesterday). Please, Please, Please,
    could somebody reply.
    "Andrew Wallace" <[email protected]> wrote in message
    news:3b72ce38$[email protected]..
    Somehow my last message got truncated. Here's the full deal:
    We're trying to setup an LDAP realm in a microsoft-centric environment
    (Windows 2000). All the documentation from BEA that I've found talks
    about MS Site Server, which, as near as I can find, is not an LDAP server.
    So - can I use MS Active Directory on Win2k? Is it functionally the same
    thing? Does the MS template in LDAP Realm V2 support it? Does anyone
    have success or horror stories about using AD?
    thanks,
    andy

  • ASA Cut Through (Authentication) Proxy for a Single ACL

    I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.  I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?  Is there a way to only authenticate users accessing one server?

    Hi,
    Seems to me the easiest way to do this is if you are connecting to the destination server with either Browser or CLI based connection.
    For example if its a browser based connection then you could configure
    username password privilege
    access-list PROXY-AUTH extended permit tcp any host eq http
    access-list PROXY-AUTH extended permit tcp any host eq https
    access-list PROXY-AUTH extended deny ip any any
    aaa authentication match PROXY-AUTH LAN LOCAL
    I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL.
    Where "LAN" is my interface "nameif" connected to my LAN network.
    To my understanding if you are using some application for this connection that doesn't apply in this situation then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.
    Have a look at this document for some help
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
    Hope this helps
    - Jouni
