Secure External LDAP with local user provisioning in an org.

To all:
I'm working with 05Q1 or, as some say, v3. I was able to successfully set up user authentication with external LDAP and dynamic creation of users within the local org and LDAP, and map over attributes for storage into the local LDAP. Now I need to try and make it a secure external LDAP authentication, without disturbing any of the other orgs within the local system.
Is it possible without turning on security for all? Where would the certs be stored for the secure external LDAP that I am authenticating against?
Help would be appreciated.
If anyone is trying to do the same thing, let me know if you're having trouble. I sure did, just getting to the point that I am at right now.
Thanks,
- Milo

Hi,
Check the following forum thread.
Re: custom role mapper example
Regards,
Kal

Similar Messages

  • Issue while integrating external LDAP with weblogic

    Hi,
    I am trying to integrate an external LDAP (OpenLDAP) with WebLogic 10.3. I created a provider, provided the required credentials, and am able to see the users and groups of the LDAP in the WebLogic console. I am also able to log in to the WebLogic console with the users available in the LDAP after assigning the admin role to the LDAP group. But when I look at a user's properties (by clicking on the user in the admin console) it only shows the tabs General, Password and Group. On the other hand, if I look at the users from the DefaultAuthenticator, it shows the Attributes tab apart from General, Password and Group.
    Can anyone let me know how we can get the Attributes tab for the LDAP users?
    thx,
    Ajay

    Hi Ajay
    By default WebLogic has READ ONLY adapters for any External Security Providers that are configured, like any AD providers. READ ONLY means you can only read the data from the LDAP but not modify it, hence maybe it is not showing the Attributes tab. For the Default Authenticator, see the first paragraph note in the Attributes tab, which says the same thing. NOW, maybe WLS can at least show Attributes in READ ONLY format, but it needs some sort of mappings to be defined. Say on the WebLogic side we have firstName and lastName, which on any typical AD will be sn (surname = last name), givenname (first name) etc. This mapping is tough to generalize.
    One thing for sure is, from WebLogic you cannot modify or edit any attributes for any user in an external AD. If you really want to get those attributes, you may need to use some javax.ldap APIs or some 3rd party ready-to-use tools/APIs. I remember WebLogic Portal has a facility to configure an XML file that defines attribute mappings and gets all attributes for any user. But again, that's in the WebLogic Portal product and not part of WebLogic Server.
    If you have any SOA Software, they have some utilities for the same.
    Thanks
    Ravi Jegga

  • SSO for application systems with local users?

    Hi all, I'm new to Oracle Identity Management. My company is going to implement SSO for in-house applications. However, some applications have their own local users (e.g. admin, guest, etc.) who have to log in to the application system through the same interface. We put all organization users in an Oracle enterprise Directory server, which is the authentication backend of the Access Manager. After implementing WebGate, such local users can't get authenticated. I'd like to know if it's possible to configure particular users/applications to bypass SSO and use local authentication? Thanks.
    Rgds
    /ST wong

    A possible solution is to create a new entry point for local users. Create two proxies, one for the actual user entry and another for local users. You can restrict network access to the proxy with the local login so that only the few hosts that, based on your requirement, need to access the system with local accounts can reach it. This way you will have two web sites for a single application.

  • No file locking in office 2004 with local user

    A user shares his home folder on Mac OS X 10.5.8. This user has an Excel file open in Office 2004. When another user opens the same file using AFP file sharing there is no message warning the user that the file is being modified by the local user.
    All software is up-to-date. Does anyone know how to solve this problem?
    This problem does not occur in Office 2008 with 10.6 clients.

  • LDAP with local home directory?

    Greetings.
    I'm trying to configure the Macs to authenticate based off of the LDAP server. I'm pretty sure I've got that part working, but I'm running into difficulty figuring out how to specify using a local home directory template rather than an NFS / AFP portable home directory. All the guides on the internet out there seem to want to use NFS, which we don't have setup (and don't intend to).
    Based on instructions from various texts, manuals, and blogs, I've created a user account called "labuser" and a group called "users", and then given any member of the group "users" write access to the folder /Users/labuser. This way they log in to a default home directory (at least for now). What information do I specify for LDAP's "apple-user-homeDirectory" entry to make it look for this /Users/labuser folder rather than an NFS share?

    So basically I should add C:\Documents and Settings instead of /Users for Windows accounts?
    Because if I don't specify anything it creates a roaming profile on the Windows machine, and puts the user directory both on the Windows machine and a copy on the server under /Users/Profiles. Or at least that is what it is doing now... so I manually have to change the profile to local on the Windows machine and delete the folder on the server...

  • Problem with local users printing to the printer queue

    We have just upgraded our servers to a 2.8GHz Quad-core Intel Xeon which is running OS X 10.5.6.
    I have set up the printer queue to the network printers through LPD.
    Open Directory users are able to print to the network printers without any problem; however, users local to a machine (all 10.5.6 but different models) are not able to print.
    The printer pauses and does not print.
    Any solutions?

    Hi there,
    I am not quite sure of your setup based on your posting so apologies if my reply is not appropriate.
    Are you saying that when the Mac attempts to print directly to the network printer (rather than via a queue created by selecting an Open Directory printer) the printer queue pauses?
    If yes, then I would ensure that the LPD protocol was selected and the correct queue name was entered - as this can often cause the spooler to pause.
    PaHu

  • Local user provisioning requires local administrator privileges?

    Hello,
    Scenario: User-A needs to provision User-B as a local administrator on a Windows 2008R2 server.
    Is there a way for User-A to do this without User-A being a member of the local Administrators or Domain Admin group on the said server?
    Thanks

    Is it not possible to make user A part of the Administrators group?
    If you are trying to work around the fact that user A does not have administrative rights over the box, then your first course of action is to give user A administrative rights. There are several ways to do this.
    Perhaps with a more in-depth explanation of why user B has to have administrative rights given to him by user A, we may be able to come up with a solution or workaround.
    fr0stsp1re

  • Need to login to 125 macs with local user at once - unix command?

    Is there any way to log in to the local admin account on all these iMacs from ARD using the command line?

    Assuming the Mac is sitting at the login screen, with cursor blinking in the name field, send the following as Root user:
    osascript <<EndOfMyScript
    tell application "System Events"
        keystroke "username"
        keystroke return
        delay 3.0
        keystroke "password"
        delay 3.0
        keystroke tab
        keystroke return
        keystroke return
    end tell
    EndOfMyScript
    http://www.macos.utah.edu/documentation/miscellaneous/remoteguilogin.html

  • Users stuck with Create User 'provisioning' status

    Gurus
    I have a simple GTC connector which pushes users via SPML to a web service.
    Sometimes some of the users get stuck with 'provisioning' status.
    The form is pretty straightforward:
    Userid
    Container
    objectclass
    If I manually retry the task it succeeds.
    How do I trigger automatic retry (I have more than 12000 users)?
    oimlove
    Edited by: user12269871 on May 11, 2010 1:33 AM

    Thank you
    Problem was solved.

  • Secure Website problems with Local accounts

    I have been experiencing the following:
    Log in to a local account on a 10.5.6 machine.
    Open a web browser.
    When I attempt to enter a secure page from the launched site, I get a "cannot find server" message... for example, we are doing a 5-8 reading assessment online. I can go to the company's website fine, but when I attempt to go to the link for the test (https) site I cannot. Any suggestions....

    Parental controls in managed preferences is the culprit. It blocks websites based on content, and with HTTPS it can't see inside because it's encrypted, so it blocks it. I have had this issue as well. Apple says to simply allow the domain (i.e. https://live.com) but this solution works intermittently for me. I'm still waiting for a workaround that works consistently.

  • RoleMapper with an external LDAP

    Dear friends,
    We use an external LDAP to store information related to users, groups and roles. We have managed to configure an out-of-the-box LDAP Authenticator within our realm for authentication. We wanted some guidance on configuring or writing a RoleMapper.
    1) What is good practice in terms of storing and managing roles? Is it common practice to store roles in an external LDAP, or do people use the Admin console to create roles within the embedded LDAP? The advantage of the embedded LDAP is definitely that you could use the out-of-the-box RoleMapper, and the disadvantage is that we could not extend the LDAP schema to store hierarchical roles.
    2) If we store and manage roles in an external LDAP store, the same one where we store users and groups, could we still use the out-of-the-box role mapper? If not, could someone provide a sample role mapper that uses an external LDAP store?
    3) Why doesn't WebLogic provide an out-of-the-box Role Mapper that connects to an external LDAP?

    All Users Filter: (&(&(uid=*)(objectclass=person))(!(quitdate=*)))
    User From Name Filter: (&(&(uid=%u)(objectclass=person))(!(quitdate=*)))
    User Name Attribute: uid
    Here you're configuring that uid is the key of your users in OID. And in your case users A and B have the same uid, so WebCenter can log in using user B, but when it performs a search for uid=jack, LDAP returns the first one.
    Does that make sense to you?
    Hope this helps you.
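The uid collision described in the answer above, as an added example that is not code from the thread, from WebLogic or from OID: a minimal RFC 4515 filter evaluator run over constructed entries, showing that the User From Name Filter returns two entries for uid=jack, that a login step should then fail closed rather than take the first hit, and that the %u substitution must be escaped so a login name cannot change the filter. The entry DNs and attribute values are constructed; a real authenticator sends the filter to the directory instead of evaluating it locally.

```python
import re

# Constructed sample directory (not real data). Two active users share uid=jack;
# a third "jack" has left (quitdate set) and is excluded by the filter.
ENTRIES = [
    {"dn": "cn=Jack Adams,ou=people,dc=example,dc=com",
     "uid": "jack", "objectclass": ["top", "person"]},
    {"dn": "cn=Jack Brown,ou=people,dc=example,dc=com",
     "uid": "jack", "objectclass": ["top", "person"], "quitdate": "20100101"},
    {"dn": "cn=Jack Cole,ou=people,dc=example,dc=com",
     "uid": "jack", "objectclass": ["top", "person"]},
    {"dn": "cn=Jill Dunn,ou=people,dc=example,dc=com",
     "uid": "jill", "objectclass": ["top", "person"]},
]

# The filter template quoted in the thread; %u is replaced by the login name.
USER_FROM_NAME_FILTER = "(&(&(uid=%u)(objectclass=person))(!(quitdate=*)))"


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(template, username):
    """Substitute the escaped login name for %u."""
    return template.replace("%u", escape_filter_value(username))


def _parse(s, i):
    """Parse the filter starting at s[i] == '('; return (node, next index)."""
    i += 1  # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)  # escaped values never contain a literal ')'
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1


def _unescape(val):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr)
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if val == "*":  # presence filter, e.g. (quitdate=*)
        return True
    return _unescape(val).lower() in [v.lower() for v in values]


def search(entries, filter_str):
    """Return the DNs of all entries matching the filter, in directory order."""
    node, _ = _parse(filter_str, 0)
    return [e["dn"] for e in entries if _matches(node, e)]


def resolve_login_dn(entries, username):
    """Fail closed: exactly one entry may match, otherwise no login."""
    hits = search(entries, build_filter(USER_FROM_NAME_FILTER, username))
    return hits[0] if len(hits) == 1 else None
```

Taking `hits[0]` unconditionally is the behaviour the answer describes; the same ambiguity also breaks role and group lookups keyed on uid, so the fix is a unique key in the directory, not a different first hit.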

  • Mail folders after moving user to LDAP from Local

    I originally set up our server with Local users, rather than LDAP. Now, we need to move everyone over (for a variety of reasons). I'm basically doing the following for each user:
    Export individual Mail/Contacts/Calendars
    Turn off Mail/Calendars/Contacts in Server app
    Delete Local User
    Create LDAP user with the same UserID in Workgroup Manager
    Check all services for the user under User Access in Server app
    Turn on Mail/Calendars/Contacts
    Import individual Mail/Contacts/Calendars back into the apps on the client machine
    This works up until I try to reimport emails.  I get the error that the "mailbox already exists".  This makes me think it's associating the userID with the old email folder on the Server.  The problem is I don't know how to either reassociate the user with their old emails, or to remove them.  Any help is appreciated, thanks!

    Here is what happened:
    Original User's Document files were NOT stored under the User Name as they should have been. The User Name doc file was almost empty. (Nov 2007 thru Aug 1 2008). The main Documents folder was located in the Macintosh HD folder (not in User folder).
    User Name Account got corrupt and new User Name had to be created. The Documents Folder was moved to this Account. (Aug 1, 2008)
    Time Machine was not backing up the iMac because the New User had to set up TM. On Aug 4, 2008, TM was turned on and began backing up the computer AGAIN (thus process took several hours).
    My solution is:
    Delete the old back-up file (+600GB) and re-back-up iMac. Keychain from the old user will remain intact and there would only be ONE copy of Documents folder in the backup (along with the incremental backups).
    Would this work? Is there a way to remove back-ups prior to Aug4? How can I control TM so it doesn't consume my HD? I use this drive to store iTunes and iPhoto/Aperture libraries.
    Thanks

  • Is it possible to import the TR using TP.EXE with the local system user?

    Hi ,
    Currently I am trying to import the TR using TP.exe. Could you please let me know if it is mandatory to use the <SID>adm user? If yes, could you please let me know the procedure?
    Because I tried with a local user but it failed, even though I set the same environment variables (both User and System).
    Regards,
    Vivek

    Hi ,
    Please find the log below
    I am using the correct command. If I try as the SIDADM user it works fine; when I try with the local user it is not working. So I was confused.
    Regards,
    vivek

  • XID-- Change Local User SAPServiceXID to Domain\SAPServicesXID

    Hi All.
    We have to change the local SAPServiceXID user to the Domain\SAPServiceXID user.
    Both users are administrators in the Administrators group.
    If we start the three central instances (Database, ABAP, Java) with the local user there is no problem.
    When we replace the local user with Domain\user and try to access http://Host:50000/rep --> The page cannot be displayed, but in SAP Management Console the service is green, and from TCODE SMICM the Java stack is green too.
    any idea??
    Thanks & Regards
    RP.
    Message was edited by:
    Rodrigo Pertierra

    I've found this error
    com.sap.engine.services.rfcengine##com.sap.engine.services.rfcengine.RFCJCOServer.handleRequestInternal()####XID#SAPSYS                          #434CC9A85B334CA891E2E7F351D27B1A#Thread[JCO.ServerThread-2,10,SAPEngine_System_Thread[impl:5]_Group]##0#0#Error##Plain###com.sap.mw.jco.JCO$AbapException: (126) SLD_CLIENT_EXCEPTION: AbapSLDRequestHandler.ping(): server connection *** failed *** on Tue Jan 16 11:37:42 GMT-03:00 2007
    Any idea what it means?

  • External LDAP connection for Jive forum webcenter Discussion

    Hi All,
    We could successfully configure external LDAP with the WebCenter Discussion forum, in turn the Jive forum.
    Problem we are facing: it is authenticating on the display name instead of the actual userid.
    EX:
    John Paul (display name)
    [email protected] (email id)
    John.paul (userid)
    It is accepting John Paul as the username instead of john.paul. This is an issue as there can be duplicate display names.
    Which parameter, and where, do we configure to make sure authentication is done on the userid only?

    I think Jive is used in WebCenter Discussions?
    You may have the wrong forum... this is for WebCenter Interaction products.
    For help with WebCenter Discussions, blogs, and wikis (part of WebCenter Services), you want to ask your question here:
    http://forums.oracle.com/forums/forum.jspa?forumID=733