ACS 5.2 LDAP authentication through groupMembership
Hi all,
I've successfully configured ACS to authenticate users against our Novell DB through an LDAP External Identity Store. With this setup all users having a Novell account are authenticated.
There's an extra requirement that only users belonging to the group "Internet Access Users" can be authenticated. Running debugging on the ACS (5.2), I've been able to see that ACS can extract the user's group property as below:
LDAP-response-search-entry-attr-value=groupMembership=cn=Internet Access Users\,ou=App Groups\,ou=ZENINTH\,o=Company
but I'm unable to create a mapping/rule that filters on this extra value. What I did is:
- Under External Identity Stores --> LDAP --> LDAP_Connection --> Directory Attributes, I added Attribute Name = "groupMembership", Type: "String", Policy Condition Name: "LDAP_Connection:groupMembership"
- Under Access Policies --> Internet Access --> Authorization, I created Rule-1 stating that if "LDAP-LDAP_Connection:groupMembership contains cn=Internet Access Users", it will permitAccess. The default rule is denyAccess
But it seems it didn't work (never hit Rule-1)
Could anybody shed some light?
Thank you very much,
OK, all is working; consider this solved.
A restart of the ACS service magically fixed whatever was going on.
Cheers
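The check the authorization rule above is meant to perform, as an added example in Python (not code from the thread or from Cisco ACS): it takes the groupMembership value out of the quoted debug line, splits the DN into RDNs with RFC 4514 unescaping, normalises case and whitespace, and compares it to the required group DN exactly. A "contains" condition is a substring test, so it would also match a group named like the constructed "Internet Access Users Guests" lookalike below; where the policy operator allows it, an equality match on the full DN is the safer rule. The example assumes (the page does not say) that the backslashes in the debug line escape the log format's own comma delimiter, so the directory value is the plain DN.

```python
from __future__ import annotations

import re

# Debug line quoted in the thread. Assumption: ACS escapes the commas because
# its own log fields are comma-delimited, so the directory value is the plain DN.
DEBUG_LINE = (
    "LDAP-response-search-entry-attr-value=groupMembership="
    "cn=Internet Access Users\\,ou=App Groups\\,ou=ZENINTH\\,o=Company"
)

# Group that should grant access (from the thread).
REQUIRED_GROUP = "cn=Internet Access Users,ou=App Groups,ou=ZENINTH,o=Company"


def value_from_debug_line(line: str) -> str:
    """Return the groupMembership value with the log-level comma escaping removed."""
    _, sep, value = line.partition("groupMembership=")
    if not sep or not value:
        raise ValueError("no groupMembership value in line")
    return value.replace("\\,", ",")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalised (type, value) RDN pairs per RFC 4514.

    A backslash escapes the next character or introduces a two-digit hex byte;
    unescaped commas separate RDNs. Multi-valued RDNs (a=1+b=2) are not
    handled, which is fine for group DNs like the one above. Types are
    lower-cased; values are whitespace-collapsed and case-folded, matching the
    case-insensitive matching rule used for cn/ou/o.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))   # e.g. \2c is a literal comma
                i += 3
            else:
                buf.append(dn[i + 1])               # e.g. \, is a literal comma
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip().lower(), " ".join(val.split()).casefold()))
    return pairs


def is_member(group_value: str, required: str = REQUIRED_GROUP) -> bool:
    """Exact DN comparison after normalisation: the check an authorization rule should make."""
    return split_dn(group_value) == split_dn(required)


def naive_contains(group_value: str, needle: str = "cn=Internet Access Users") -> bool:
    """The substring test a 'contains' condition performs, shown for contrast."""
    return needle.casefold() in group_value.casefold()


def authorize(debug_line: str) -> bool:
    """permitAccess only when the extracted group equals the required group."""
    return is_member(value_from_debug_line(debug_line))


if __name__ == "__main__":
    lookalike = "cn=Internet Access Users Guests,ou=App Groups,ou=ZENINTH,o=Company"  # constructed
    print(authorize(DEBUG_LINE))                              # True
    print(naive_contains(lookalike), is_member(lookalike))    # True False
```

groupMembership is multi-valued in eDirectory; a real policy would run `is_member` over every value returned and permit on any exact hit.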
Similar Messages
-
PL SQL Web Service Authentication through LDAP
I have created one PL SQL Web Service and I would like to provide token security through LDAP.
I have configured LDAP for deployed webservice in oracle IAS 10.1.3 Service.
Problem Description:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/">
  <env:Body>
    <env:Fault>
      <faultcode>env:MustUnderstand</faultcode>
      <faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
    </env:Fault>
  </env:Body>
</env:Envelope>
I have provided LDAP authentication through oracle iAS Setup.
Please help
Hi, I am looking out for a good friend of mine, Rajeev Dave from Vijaywada. If you're the one, please email me [email protected]
thanks, -
ACS user authenticating through Windows Database
Hello,
Please, i need a document/ guideline on how to configure ACS 4.2 user authenticating through Windows Database and the ACS server is running on an appliance.
Please, help.
Regards,
Ethelbert
Hi,
If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
tnx
somishra -
How to do .1x port based network access authentication through ACS
How to do .1x port based network access authentication through ACS.
Hi,
802.1x can authenticate hosts either through a username/password or via the MAC address of the clients (PCs, printers, etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush -
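What the switch actually sends in the MAB case described above, as an added example in Python (not code from the thread or from Cisco): an RFC 2865 Access-Request carrying the MAC address as User-Name and as the (hidden) User-Password, built and parsed offline with no RADIUS server. The Service-Type value Call-Check (10), the bare 12-hex-digit username form and the hyphenated Calling-Station-Id are assumptions about the IOS/ACS conventions, not facts stated on the page; the shared secret and NAS address in the demo are constructed. The password hiding is an MD5 XOR chain keyed by the shared secret, so anyone who captures the packet and knows or brute-forces the secret recovers the credential, which for MAB is just the MAC address anyway.

```python
from __future__ import annotations

import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 4, 6
ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK = 10      # value IOS sends for MAB (assumed here)
NAS_PORT_TYPE_ETHERNET = 15


def mac_hex(mac: str) -> str:
    """Normalise '00:11:22:33:44:55', '0011.2233.4455', etc. to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def calling_station_id(mac: str) -> str:
    """Hyphenated form for Calling-Station-Id (the separator IOS uses is assumed)."""
    h = mac_hex(mac)
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: XOR with MD5(secret + previous block).
    Reversible by anyone holding the shared secret: obfuscation, not encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str,
                      identifier: int | None = None,
                      authenticator: bytes | None = None) -> bytes:
    """Access-Request a MAB-enabled switch port sends for a host with this MAC."""
    ident = os.urandom(1)[0] if identifier is None else identifier
    auth = os.urandom(16) if authenticator is None else authenticator
    if len(auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    user = mac_hex(mac).encode("ascii")       # MAB: the MAC is both username and password
    attrs = (
        attr(ATTR_USER_NAME, user)
        + attr(ATTR_USER_PASSWORD, hide_password(secret, auth, user))
        + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + attr(ATTR_CALLING_STATION_ID, calling_station_id(mac).encode("ascii"))
        + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    )
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs


def parse_request(pkt: bytes):
    """Decode code, identifier, authenticator and a {type: [values]} map, checking lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs: dict[int, list[bytes]] = {}
    i = 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[i + 2:i + l])
        i += l
    return code, ident, pkt[4:20], attrs


if __name__ == "__main__":
    secret = b"testing123"                     # constructed shared secret
    pkt = build_mab_request("00:11:22:33:44:55", secret, "10.0.0.2")
    code, ident, auth, attrs = parse_request(pkt)
    print(code, attrs[ATTR_USER_NAME][0], reveal_password(secret, auth, attrs[ATTR_USER_PASSWORD][0]))
```

The practical consequence for the design question above: a MAB "database" of MAC addresses is a list of spoofable identifiers, not secrets, so MAB ports belong in a restricted VLAN or behind downloadable ACLs rather than getting the same access as an 802.1X-authenticated user.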
ACS 4.2 - LDAP TCP Keepalive
Hello
I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.
When no LDAP request is made for over one hour, the firewall drops the connection from its table. The problem is that the ACS server thinks the connection is still open. When it tries to send an LDAP query this results in retransmissions and finally a RST. On the user side the authentication attempt fails (timeout).
I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.
Is there any possibility to enable Keepalives in ACS?
Thanks in advance for any help!
I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through an F5 Load Balancer to a pair of Sun directory servers.
Did you make any progress with your TAC case?
Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
# show tech-support | i ldap | i tcp
ldap 389/tcp
ldaps 636/tcp # LDAP over SSL
tcp 0 0 exc2-acscor-1401:53892 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53893 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53890 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53891 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53889 acs.ldapunix..co:ldap ESTABLISHED
Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:
LDAP Connection Management
ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
After the authentication process is complete, the connection manager releases the connection to the connection manager.
I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R. -
How to get user attributes from LDAP authenticator
I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciated
Hi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev -
Cannot use SASL Authentication Through GSSAPI on DS 6.3
I tried to kerberize DS 6.3. I followed the step-by-step instructions from "Sun Java System Directory Server Enterprise Edition 6.3" and it doesn't work.
When I try to configure the Directory Server to Enable GSSAPI I get an error:
modifying entry cn=SASL,cn=security,cn=config
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: Modification not allowed on attribute dsSaslPluginsPath
After all when I try to authenticate to the Directory Server i get response:
ldap_sasl_interactive_bind_s: Authentication method not supported
ldap_sasl_interactive_bind_s: additional info: sasl mechanism not supported
Logs file:
+[22/Sep/2008:10:28:11 +0200] conn=2 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.3.233.4:33054 to 10.3.233.4+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=GSSAPI+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - RESULT err=7 tag=97 nentries=0 etime=0, sasl mechanism not supported+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=2 - UNBIND+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=-1 - closing from 10.3.233.4:33054 - U1 - Connection closed by unbind client -+
+[22/Sep/2008:10:28:12 +0200] conn=2 op=-1 msgId=-1 - closed.+
System specification:
Solaris 10 x86 64-bit
DS 6.3 B2008.0311.0212 NAT
See http://forums.sun.com/thread.jspa?forumID=761&threadID=5202246 for a description of the problem and a workaround.
If you have a Sun support contract, you can request an escalation of CR 6637404.
Also, note that it looks like part of the documentation went missing. In DS5.2 the docs included an additional step
Chapter 11 Implementing Security
Configuring Client Authentication
SASL Authentication Through GSSAPI (Solaris Only)
http://docs.sun.com/source/816-6698-10/ssl.html#18500
ldapmodify -D 'cn=directory manager'
dn: cn=SASL,cn=security,cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: GSSAPI
replace: dsSaslPluginsPath
dsSaslPluginsPath: /usr/lib/mps/sasl2/libsasl.so
modifying entry cn=SASL,cn=security,cn=config
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: Adding attributes is not allowed
------------------------------------------------------------- -
LDAP Authentication Scheme - Multiple LDAP Servers?
How to set up LDAP authentication so that multiple LDAP servers are available? Scenario: the LDAP service is replicated across several servers, but does not sit behind a common DNS/reverse proxy, so applications would list each LDAP server and attempt to contact each in order if one or more LDAP servers is unreachable.
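The two connection problems in this section, the idle firewall timeout that kills a pooled LDAP connection (the ACS 4.2/5.2 keepalive thread above) and the ordered list of replicas to fall back through (this question), share one fix at the client: keepalive probes that fire inside the firewall's idle window, a pool that renews a connection when the first call on it fails, and a server list tried in order. The following is an added example in Python, not code from either thread or from the ACS admin guide; the guide's behaviour ("reports an error during the first call ... and tries to renew the connection") is what `LdapPool.run` models. The 3600 s timeout comes from the thread; the probe schedule, the hostnames and the `FakeConn` stand-in for a real LDAP connection are constructed so the block runs offline.

```python
import socket
from collections import deque

# Firewall idle timeout from the thread; the probe schedule must finish well
# inside it. The keepalive numbers are assumptions for illustration.
FIREWALL_IDLE_TIMEOUT = 3600
KEEPALIVE_IDLE, KEEPALIVE_INTERVAL, KEEPALIVE_COUNT = 600, 60, 3


def probe_budget() -> int:
    """Seconds from the last data until a dead peer is finally detected."""
    return KEEPALIVE_IDLE + KEEPALIVE_INTERVAL * KEEPALIVE_COUNT


def enable_keepalive(sock: socket.socket) -> bool:
    """Turn on TCP keepalive so an idle LDAP connection carries probes before the
    firewall forgets the flow. Option names differ per platform: Linux and macOS
    are covered, others get SO_KEEPALIVE with system defaults. Returns True when
    the probe schedule fits inside the firewall timeout."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, KEEPALIVE_IDLE)
    elif hasattr(socket, "TCP_KEEPALIVE"):        # macOS name for the idle timer
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, KEEPALIVE_IDLE)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, KEEPALIVE_INTERVAL)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, KEEPALIVE_COUNT)
    return probe_budget() < FIREWALL_IDLE_TIMEOUT


def keepalive_self_check() -> bool:
    """Apply the options to an unconnected TCP socket (no network needed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(s)
    finally:
        s.close()


class LdapPool:
    """Connection manager: open on demand, reuse, renew once on a stale-connection
    error, and try servers in list order when opening (failover)."""

    STALE = (ConnectionResetError, BrokenPipeError, TimeoutError)

    def __init__(self, servers, connect, max_conns=4):
        self.servers = list(servers)      # ordered [(host, port), ...]
        self.connect = connect            # callable(host, port) -> connection
        self.max_conns = max_conns
        self.idle = deque()
        self.open_count = 0

    def _open(self):
        errors = []
        for host, port in self.servers:
            try:
                conn = self.connect(host, port)
                self.open_count += 1
                return conn
            except OSError as e:
                errors.append(f"{host}:{port}: {e}")
        raise ConnectionError("all LDAP servers unreachable: " + "; ".join(errors))

    def _acquire(self):
        if self.idle:
            return self.idle.popleft()
        if self.open_count >= self.max_conns:
            raise ConnectionError("connection limit reached")
        return self._open()

    def _discard(self, conn):
        self.open_count -= 1
        try:
            conn.close()
        except OSError:
            pass

    def run(self, op):
        """Run op(conn) on a pooled connection. If the connection turns out to be
        dead (firewall dropped it), discard it and retry exactly once on a fresh one."""
        conn = self._acquire()
        try:
            result = op(conn)
        except self.STALE:
            self._discard(conn)
            conn = self._open()
            try:
                result = op(conn)
            except self.STALE:
                self._discard(conn)
                raise
        self.idle.append(conn)
        return result


class FakeConn:
    """Constructed stand-in for an LDAP connection: fails with a reset once the
    firewall has dropped the flow."""

    def __init__(self, name):
        self.name, self.dropped, self.closed = name, False, False

    def search(self, filt):
        if self.dropped:
            raise ConnectionResetError("firewall dropped the flow")
        return f"{self.name}: {filt}"

    def close(self):
        self.closed = True


def demo():
    """Primary refuses, secondary answers; then the idle connection goes stale."""
    made = []

    def connect(host, port):
        if host == "ldap1.example.invalid":
            raise ConnectionRefusedError("primary down")
        conn = FakeConn(f"{host}:{port}")
        made.append(conn)
        return conn

    pool = LdapPool([("ldap1.example.invalid", 389), ("ldap2.example.invalid", 389)], connect)
    first = pool.run(lambda c: c.search("(uid=alice)"))
    made[0].dropped = True                    # one hour passes; firewall forgets the flow
    second = pool.run(lambda c: c.search("(uid=bob)"))
    return first, second, made


if __name__ == "__main__":
    print(keepalive_self_check(), probe_budget())
    print(demo()[:2])
```

On a product like ACS where the client socket options cannot be changed, the equivalent levers are the firewall's idle timeout for the LDAP flow and the "Max. Admin Connections" setting mentioned above; the renewal logic is what the admin guide says the connection manager already does.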
-
LDAP AUTHENTICATION- PLEASE HELP
My client wants me to use LDAP for authentication. I'm new to this. I have written an authentication bean, as follows.
// Used to authenticate a user against the LDAP directory.
import javax.naming.*;
import javax.naming.directory.*;
import java.util.*;

public class AuthBean {
    private boolean attempted;
    private String userName;
    private String password;

    public AuthBean() {
        attempted = false;
        userName = "";
        password = "";
    }

    // Getter methods.
    public String getUserName() {
        return this.userName;
    }

    public String getPassword() {
        return this.password;
    }

    // Setter methods.
    public void setUserName(String userName) {
        this.userName = userName;
        attempted = !this.userName.equals("") && !this.password.equals("");
    }

    public void setPassword(String password) {
        this.password = password;
        attempted = !this.userName.equals("") && !this.password.equals("");
    }

    // Checks to see if a login was attempted.
    public boolean isAttempted() {
        return this.attempted;
    }

    /**
     * Given a username and password, authenticates to the directory.
     * Takes a String for username, String for password.
     * Calls getDN to resolve the user's distinguished name first.
     */
    public boolean ldapAuthenticate(String username, String pass) {
        // Reject null AND empty passwords: a simple bind with a DN and an empty
        // password is an unauthenticated bind, which most directories accept,
        // so an empty password would otherwise "authenticate" any known user.
        if (username == null || pass == null || pass.isEmpty()) {
            System.out.println(" im here in the method");
            System.out.println(" user" + username);
            // never print the password
            return false;
        }
        String dn = getDN(username);
        System.out.println(" dn" + dn);
        if (dn == null)
            return false;
        // getDN returns the full DN (see getNameInNamespace there). SearchResult.getName()
        // is relative to the search base ou=it,o=hcfhe, so appending only ",o=hcfhe"
        // to it would build a DN that does not exist and the bind would always fail.
        System.out.println(dn);
        String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
        // set variables for the context; "simple" over ldap:// sends the password in
        // clear text, so use ldaps:// or StartTLS outside a lab
        Hashtable<String, Object> env = new Hashtable<>();
        env.put("com.sun.naming.ldap.trace.ber", System.err);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldap_url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pass);
        DirContext ctx;
        // make the connection (the bind happens here), catch errors thrown
        try {
            ctx = new InitialDirContext(env);
        } catch (AuthenticationException e) {
            System.out.println("Authentication Exception");
            return false;
        } catch (NamingException e) {
            e.printStackTrace();
            return false;
        }
        // close the connection
        try {
            ctx.close();
        } catch (NamingException ne) {
            System.out.println(ne);
        }
        return true;
    }

    /**
     * Looks up the username in the LDAP directory.
     * Takes a String; returns the entry's full DN, or null if not found.
     */
    public String getDN(String username) {
        String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldap_url);
        // No SECURITY_* properties: this is an anonymous search, so the directory
        // must allow anonymous read of uid under ou=it,o=hcfhe.
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // NOTE: username goes into the filter unescaped. A value such as
            // "*)(uid=*" changes the filter's meaning (LDAP filter injection);
            // escape '*', '(', ')', '\' and NUL per RFC 4515 before building it.
            String filter = "(uid=" + username + ")"; // search for objects with a matching uid
            NamingEnumeration<SearchResult> results = ctx.search("", filter, ctls);
            if (results != null && results.hasMore()) {
                SearchResult sr = results.next();
                // full DN of the entry, not the name relative to the search base
                return sr.getNameInNamespace();
            }
            return null;
        } catch (AuthenticationException e) {
            System.out.println("Authentication Exception");
            return null;
        } catch (NamingException e) {
            e.printStackTrace();
            return null;
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ne) {
                    System.out.println(ne);
                }
            }
        }
    }
}
I have also done a validate.jsp as follows.
<%@page import="register.AuthBean"%>
<jsp:useBean id="AuthBean" class="register.AuthBean" scope="session"/>
<%
    //boolean valid = false;
    String username = request.getParameter("user");
    //System.out.println("The username" + username);
    String password = request.getParameter("password");
    //System.out.println("The password" + password);
%>
<jsp:setProperty name="AuthBean" property="userName" param="user" />
<jsp:setProperty name="AuthBean" property="password" param="password" />
<%
    //boolean validate = false;
    String nn = AuthBean.getUserName();
    System.out.println(nn);
    String dn = AuthBean.getDN(username);   // debug only: ldapAuthenticate looks the DN up again
    System.out.println(dn);
    boolean validate = AuthBean.ldapAuthenticate(username, password);
    if (validate) {
        response.sendRedirect("../admin/Adminindex.jsp");
    } else {
        response.sendRedirect("Login.html");
    }
    return;   // nothing else should be written after the redirect
%>
At the moment I keep getting 'false' for validate, but there are no errors. I'm using Tomcat and Apache; do I need to configure either of these for LDAP? If so, can you show me some examples?
Many thanks.
Hi Irene,
I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
=====================================================================
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.naming.*;
import java.util.*;

/**
 * Insert the type's description here.
 * Creation date:
 * @author: Sajjad Alam
 */
public final class LDAPConn {
    public static java.lang.Object Conn;

    /**
     * LDAPConn constructor comment.
     */
    public LDAPConn() {
        super();
    }

    /**
     * Insert the method's description here.
     * @return DirContext bound to the directory, or null if the bind failed
     */
    public static DirContext getConn() throws Exception {
        // Declarations of variables
        Hashtable<String, Object> env = new Hashtable<>(11);
        InitialLdapContext ctx = null;
        // ============== LDAP Authentication of a given user stored in Active Directory =============
        System.out.println("Entered constructor for Ldap Context");
        // Initialize the Context Factory.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
        try {
            // The following syntax is a standard way of authenticating users stored in LDAP
            // when the JNDI API is used; Active Directory accepts a UPN as the principal.
            // "simple" over plain ldap:// sends the password in clear text: use ldaps://
            // or StartTLS outside a lab, and never hard-code a real credential here.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "password");  // placeholder
            System.out.println("Issuing request to authenticate the user and create an LDAP context");
            ctx = new InitialLdapContext(env, null);
            System.out.println("Got handle on Ldap Context");
            // ============== Completed Authentication of user =============

            // ============== Retrieving attribute data about a user stored in Active Directory ==========
            // Here we will retrieve attributes of one of the users in LDAP ("cn=");
            // Declarations of variables
            String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
            Attributes userAttr = ctx.getAttributes(userInfo);
            Attribute orgUnitAttr = null;
            // Looping through the enumeration to obtain attribute data
            for (NamingEnumeration<? extends Attribute> ae = userAttr.getAll(); ae.hasMore();) {
                Attribute attr = ae.next();
                if (attr.getID().equals("distinguishedName"))
                    orgUnitAttr = attr;
                System.out.print(" Attribute: " + attr.getID());
                // Print each value
                for (NamingEnumeration<?> e = attr.getAll(); e.hasMore();) {
                    System.out.println(" Value: " + e.next());
                }
            }
            // ============== Done retrieving attribute data about user ==========

            // ============== To find which organizational unit a user belongs to, given the user ==========
            // This section of code uses the value from the "distinguishedName" attribute
            System.out.println("");
            if (orgUnitAttr != null) {
                System.out.println("We can obtain the organizational unit (Role) from the " + orgUnitAttr.toString());
            }
            // ====================================== Done =============================

            String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
            Attributes grAttr = ctx.getAttributes(grInfo);
            // Looping through the enumeration to obtain attribute data
            for (NamingEnumeration<? extends Attribute> ae = grAttr.getAll(); ae.hasMore();) {
                Attribute attr = ae.next();
                System.out.print(" Attribute: " + attr.getID());
                // Print each value
                for (NamingEnumeration<?> e = attr.getAll(); e.hasMore();) {
                    System.out.println(" Value: " + e.next());
                }
            }
            // ============== Done retrieving attribute data about the group ==========
            System.out.println("");
            // The context is returned open; the caller closes it when finished
            // (closing it here would hand back an already-closed, unusable context).
        } catch (Exception e) {
            System.out.println(e.getLocalizedMessage());
        }
        return ctx;
    }
}
-
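Both posted classes take the username straight from the request and splice it into a search filter (AuthBean.getDN builds "(uid=" + username + ")") and then bind with whatever password arrives. The following is an added example in Python, not the posters' code, of the two pieces that are missing: RFC 4515 escaping for filter values (and RFC 4514 escaping for DN values, for code that builds the bind DN from the username instead of searching for it), and a pre-check that refuses the empty-password case, which RFC 4513 defines as an unauthenticated bind that most servers accept. The base DN ou=it,o=hcfhe comes from the posted code; the usernames are constructed.

```python
from __future__ import annotations

from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes; non-ASCII characters
    are escaped byte-wise as UTF-8, which every server accepts."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_uid_filter(username: str) -> str:
    """Raw concatenation, as in the posted getDN(): the username can rewrite the filter."""
    return "(uid=" + username + ")"


def uid_filter(username: str) -> str:
    """The same lookup with the value escaped: the username can only ever be a value."""
    return f"(uid={escape_filter_value(username)})"


DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for one attribute value inside a DN: specials get a
    backslash, NUL becomes \\00, and a leading '#'/space or trailing space is
    escaped so the value survives DN parsing unchanged."""
    out = []
    for ch in value:
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s[:1] in ("#", " "):
        s = "\\" + s
    if len(value) > 1 and s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def user_dn(username: str, base: str = "ou=it,o=hcfhe") -> str:
    """Bind DN built directly from the username (for directories where uid is the RDN)."""
    return f"uid={escape_dn_value(username)},{base}"


def simple_bind_precheck(username: str, password: str) -> Optional[str]:
    """Return a reason to refuse the pair before any simple bind is attempted,
    or None when it is safe to send. An empty password is the important case:
    with a DN and no password the server performs an unauthenticated bind and
    reports success without checking anything (RFC 4513 section 5.1.2)."""
    if not username or username != username.strip():
        return "empty or space-padded username"
    if not password:
        return "empty password would be an unauthenticated bind, not a login"
    if "\x00" in username or "\x00" in password:
        return "NUL byte in credentials"
    return None


if __name__ == "__main__":
    attacker = "*)(uid=*"                       # constructed injection attempt
    print(unsafe_uid_filter(attacker))          # (uid=*)(uid=*)
    print(uid_filter(attacker))                 # (uid=\2a\29\28uid=\2a)
    print(user_dn("smith, j"))                  # uid=smith\, j,ou=it,o=hcfhe
    print(simple_bind_precheck("alice", ""))    # refused
```

The precheck belongs in front of every simple bind, including the service-account bind in LDAPConn, because JNDI passes an empty SECURITY_CREDENTIALS through unchanged.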
Setting up LDAP authentication
Hi guys.
I am a newb when it comes to LDAP so please bear with me.
I installed dbms_ldap for a developer yesterday so they could run directory searches. I have now been asked to set up anonymous authentication on the directory.
I've looked through a few docs and am having trouble figuring out exactly how to do this. I am assuming it is done somewhere in the admin GUI.
Any help would be appreciated.
Oracle version 10.2.0.4 on Linux x86_64
Thanks
The name of your (portal) domain and the URL used to
access your portal have nothing to see with the LDAP
authentication server.
The LDAP authentication server is the hostname or FQDN
of the host where your LDAP authentication directory
resides.
When you're logged on the iPS machine, you should be
able to make a request to your LDAP directory using this hostname or FQDN (and port number, base dn,bind dn,.....) -
Ldap authentication on solaris 8 client
I have Directory Server 6.0 set up on a Solaris 9 system. I converted a Solaris 8 system to be an LDAP client. However, I can use ssh to authenticate against the LDAP server. Here is the output I got:
# ssh -v user@localhost
SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.
host: Reading configuration data /etc/ssh_config
host: ssh_connect: getuid 0 geteuid 0 anon 0
host: Allocated local port 1023.
host: Connecting to 127.0.0.1 port 22.
host: Connection established.
host: Remote protocol version 1.5, remote software version 1.2.27
host: Waiting for server public key.
host: Received server public key (768 bits) and host key (1024 bits).
host: Forcing accepting of host key for localhost.
host: Host '127.0.0.1' is known and matches the host key.
host: Initializing random; seed file /root/.ssh/random_seed
host: Encryption type: idea
host: Sent encrypted session key.
host: Installing crc compensation attack detector.
host: Received encrypted confirmation.
host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
host: Server refused our rhosts authentication or host key.
host: No agent.
host: Doing password authentication.
[email protected]'s password:
Permission denied.
This is the pam.conf I use:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ppp auth required pam_unix_auth.so.1
Not sure why Solaris 8 can't authenticate with the LDAP server. I have applied patch 108993-67. Also, su and telnet work with LDAP but not 'ftp' and 'ssh'.
Any ideas?
No, my problem seems different.
The authentication between LDAP client and server is through tls:simple. Also, the exact same configuration works with a Solaris 9 client, but not a Solaris 8 client. Further checks on ssh on Solaris 8 show the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.' But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with LDAP authentication.
Thanks,
--xinhuan -
LDAP Authentication "Network Accounts Unavailable" on 10.8
Hello,
We've been successfully authenticating against our LDAP servers on our 10.6.8 machines without any problems. I've set up a test machine running 10.8 to see if we will have any issues when it comes time to upgrade our lab OSs. I set up our LDAP authentication on the machine as per our usual methods. I get the "Green Light" in the Users/Groups preferences pane that our LDAP server is found. I can search through our LDAP users in the Directory Editor and I can access LDAP user accounts through the terminal.
My problem is at the login screen it tells me "Network Accounts Unavailable". This seems contradictory as when I'm logged into a local account, I can access our LDAP server. It seems to work everywhere except at the login screen.
I've tried this openLDAP fix: http://iwatts.blogspot.ca/2012/01/osx-1072-openldap-authentication.html
No luck.
Any ideas?
I see the same problem as a result of having the same UID number for both my local account and my LDAP account although the account names are different. It appears that upon providing the correct login/password to the LDAP server, 10.8 looks at the returned UID, identifies it as the same as a local UID and then rejects the login.
A security measure I want to work around but perhaps there is a better way of accessing both my local and LDAP accounts but keeping it as easy as it would be if both accounts had the same UID. -
Hi,
Any idea how to get the authentication in OBIEE through Shared Services to work?
We use Native Directory and MSAD in SS, hence we need to get the authentication through Shared Services.
We were able to run this on EPM 11.1.1.3 through LDAP server of Shared services port 28089, surely not working now.
I've tried both of the following but still no luck:
http://gerdpee.wordpress.com/2011/06/17/oracle-weblogic-and-hyperion-shared-services-11-1-1-3/
http://gerdpee.wordpress.com/2011/06/17/integration-sort-of-of-obiee-11-1-1-5-and-hyperion-shared-services-11-1-1-3/
Please help. Many thanks!!!
Cheers,
Steve
Hi Steve,
I have not been through this, but hope this helps you anyway. When we run the System Configurator Wizard (EPM 11.1.1.2), we now have an option to integrate EPM with OBIEE. Have you given it a shot?
I am just thinking, if we could have it configured for us, we could directly access the Subject Areas from OBIEE, just like what Mark mentioned here: http://www.rittmanmead.com/2009/01/epm-workspace-111-and-obiee-10134-updated/
You could further look into the "SSO using CSS Token" field in the connection pool, too.
Hope this helps and I will let you know, if I have any other information.
Thank you,
Dhar -
Database Table and LDAP Authentication in the same repository?
I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-Matt
Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set to and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init blocks and it worked fine for me. Give it a try and let me know how it goes. -
Why we use the LDAP Authentication over the DB authentication?
Hi All,
Why do we use LDAP authentication over DB authentication?
Is there any specific reason for that?
When we use LDAP, do we need DB authentication again, or is it optional?
Similarly, with ADSI, is DB authentication optional or compulsory?
Thanks in advance
Tusar
LDAP / AD authentication is useful if you already use it in your organisation and you'll find that most orgs have some form of user authentication already in place.
Do users in your company have to log into to their machines every morning? If so, why not use those credentials to control access to Siebel? It's a way of providing a single directory of employee authentication information available across applications, keeping maintenance and change costs down.
When you use LDAP authentication, you specify an AD object that contains a set of DB authentication details so that the component can access the Siebel database. In Siebel 8, you can directly specify those details in the security profile. As such, you only then have to maintain a single set of DB specific authentication details: much easier to manage. You can always switch back to DB authentication if you want to, but you'd have to go through all users accounts and create them with the same login and password specified in AD.