ACS 4.x LDAP Group Order

Hello there.
A customer of mine is complaining about the LDAP groups order. When he  needs to make group mappings to one of the many groups he have in his database, he face  problems to find them, because they're not in alphabetical order. Is  that a way to get it in this way?
There's a screenshot to illustrate what's going on.

Hi,
The LDAP Group set will populate the groups as defined in the AD.
I don't think it does take the pain to arrange them in an alphabetical order.
Regards,
Anisha
P.S.: please mark this thread resolved if you think your query is answered.

Similar Messages

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Webcenter dicussion forum - Ldap Group Integration with JSSO

    Hi,
    We want to implement LDAP Group integration for the authorization purposes in
    webcenter Jive Disucussions deployed in our IAS 10.1.3.2 application server.
    Though jive provides support for the same, yet the JIve documentation says
    that we need to implement the JIve's LDAP User authentication steps in order
    to leverage LDAP Groups integration. In case of Webcenter if we use Java SSO
    for the authentication purpose, we need opt for the 'Default' in the Jive
    Admin's authentication page instead of LDAP settings. Opting for 'Default'
    scheme doesn't allow us to configure the LDAP group settings. We are not able
    find any documentation for LDAP Group Integration along with Java SSO. Could
    provide us the steps required for the same? Or has anyone tried the same?
    Thanks and Regards,
    ABhijit

    Hi Abhijit,
    You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
    - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
    - Jive documentation for implementing user authentication
    Navneet.

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP.  It is working fine but when I assigned roles to the LDAP group instead of UME group, they are not taking effect when I refresh the browser.  My service account that I set up in the keytab file is a read only account for the LDAP.  Is there some permission issue that I have to do to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is readonly.
    In this case, is not possible to modify data in LDAP.
    You must to connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anoymous) JAAS Subject with a single JAAS principal (of the user).
    But I 'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I 'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I 'm wondering how to debug this or fix it. I 'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB

  • WLC and LDAP Groups

    Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication.  I have this url that explains local authentication and LDAP...  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml .  That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC.  Any ideas?

    You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
    If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authenticaion). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from users requirements.
    The user is not only limited to Microsoft RADIUS (IAS or NPS). However, any radius server that supports AD group mapping can be used. with cisco ACS for example this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is then openRadius can also be used.

  • Retrieve nested LDAP groups independent from the network env. (five different approaches)

    Hi all,
    I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
    * The script/program must run in different network environments (I can't be sure if there is a global catelog or AD DS or AD LDS, etc). I will write my own program.
    * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
    the directory ACL's.
    * It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
    Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
    1) tokengroups attribute:
    - The attribute contains Univeral groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
    - Returns a list of SIDs which will have to be translated to group names
    - The tokenGroups attribute exists on both AD DS and AD LDS
    - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
    - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
    - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
    2) tokenGroupsGlobalAndUniversal
    - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
    - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
    - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
    sure if this is correct, I think it doesn't contain local groups.
    - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
    3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
    - Use a recursive search query which returns all nested groups for user at once.
    - Returns all groups except for the primary group
    - It's a fast approach, see performance test from Richard Mueller:
    http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
    - It only works on Active Directory, not for other LDAP implementations
    4) Recursive retrieval of the memberOf attribute
    - Retrieves all groups except the primary group. (also local groups from other domains??)
    - works for all LDAP implementations
    - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
    5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
    - No heavy load to the LDAP
    - Needs space to store the user/group info locally (embedded Derby database perhaps)
    - Performs fast since the queries are executed locally
    - Works for all LDAP implementations
    My thoughts on these different approaches:
    * appreach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
    * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
    * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
    * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
    * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, databse id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
    loops are done locally. It will work for all LDAP implementations.
    What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
    LDAP host/port and bind user to connect to LDAP).
    Thanks a lot!
    Paul

    I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
    effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
    nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
    But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
    LDAP.
    Again - note that this question has nothing to do with LDAP or AD.  It just asks what group has permissions on what resources.
    I really think you would do well to spend time understanding the NTFS and its security along with how we sue security in Windows.  By assuming this has something to do with AD you are making it a bigger issue than needed.  AD is a repository for
    accounts and trusts and manages authentication and security group membership.  All file security is managed by the OS that hosts the files and not by AD.  Users are not normally granted access to resources through direct inclusion in the DACL but
    are given access through membership in one or more groups.  Loading AD into a SQLL database will not help you.
    ¯\_(ツ)_/¯

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group then its not added and I get below error message in the Logging directory  for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    <P>
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret
    Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
    Be sure to click Like! for those who have helped you.
    Click  Accept as Solution for posts that have solved your issue(s)!

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
    In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
    In Web AS ABAP it seems impossible to assign roles to groups.
    <b>The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?</b>
    Or is there another way to administrate users in different systems?
    Thanks alot for your answers,
    stefan

    Hi
    in this case u have to use the concept of central user administration. use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps u to get fair bit of idea
    don,t forget to give points
    With regards
    subrato kundu

  • ACS 3.3 Windows group mapping problem

    Hi,
    I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
    There is a known bug, CSCsi04187
    PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option you can send the macine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed for ACS 4.2 release.
    Regards,
    ~JG

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
    2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
    contractactors and employess. How do I map LDAP group contractors to weblogic security
    Role contractors? Similarly for employees ?
    2. I have not defined contarctors and employeees under People container in IPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
    under People ) OR I have to write my own custom code ?
    3. I am planning to use Roles insetad of groups to manage the logical grouping in
    iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
    parameters ?)
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the istructions that camewith
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successfull in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
    That works fine, But I would not like all users in my OID LDAP directory to log into my application- Which is why I have created a group for the user I want to include in my OID directory.
    Now at the " Builder->Application...->Security->Authorization Schemes->
    I have created an Authorization Scheme as "PL/SQL Function returing a booloean" .
    My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB' .
    Still the login page allows all LDAP user ( and not just the 3 from the 'wcd_HTMLDB' group.
    Where did I go wrong -?
    What 's the proper way to authorise only LDAP users in a group ?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather that once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • Cannot Add user to CMC Group when they are a member of LDAP group

    On PreProduction Server CMC
    Softerra LDAP browser used to verify user is a member of LDAP group
    User does not show as a member of that group in the CMC
    Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
    On Production Server CMC
    For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
    Why doesn't the groups in CMC show what is actually showing in the LDAP browser?

    Hi,
    Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
    Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
    If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
    Regards,
    Julian

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1.     Ability to create/manage Static LDAP group.
    2.     Ability to create/manage filtered LDAP group.
    3.     Ability to create/manage Static LDAP roles.
    4.     Ability to create/manage filtered LDAP roles.
    Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

Maybe you are looking for