ACS LDAP authenication - restrict to only certain LDAP users?

Similar Messages

• Condition types restriction at only certain combination like Country/Tax

  Dear All
  In FV11/12, with object V_KONH_VKS we can restrict users accessing certain condition types (field - KSCHL). My query is that I have few condition types accessed by various Plants i.e. common across Plants/Company Codes. Hence would like to restrict users at Key combination level.
  For eg.
  Condition Type JMOP - Key combination u2018Country/Tax Codeu2019 and u2018Tax Classificationu2019. Certain users should be allowed to change this combination and other users can change other key combinations i.e u2018Plant/Vendor/Materialu2019, Plant/Material Groupu2019 etc.
  Request your help asap.
  Regards & Thanks
  Guru Prasad

  >
  P Arpan wrote:
  > Hi
  >
  > Shekar wrote :
  >
  I dont think it is possible to restrict on specific key combinations
  >
  > I have checked and found that authorization check is not getting done by key combination. It is checking for condition type only.
  >
  > Arpan
  >
  > Edited by: P Arpan on Mar 29, 2010 12:54 PM
  Hi Arpan,
  wasnt that what i mentioned in the previous post? You cannot make a restrcition on the access of the pricing procedure (key combination as all of us refer it to). You can make restrictions on the condition table and the condition type but not on the different accesses of the condition table itself

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• External LDAP user only has search priviledge in UCM

  After I have configed external LDAP successfully in weblogic console, I can see all user from external LDAP. And external LDAP user can login UCM successfully, but these users only has search priviledge. I want external LDAP user has Admin priviledge as weblogic(Default in embed LDAP). How to solve it. Any help will be appreciated greatly! Otherwise, I refer to Oracle's ducument,
  51.1.14 LDAP Users Not Receiving Some Administrator Privileges
  UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
  How to add external LDAP user to the group of Administrators.

  Hi ,
  You can use Credential Maps to be achieve the requirement:
  Steps for the same are :
  1. Login to UCM - Administration - Credential Maps .
  2. Create the map name and the following mapping :
  <ldap role> , admin
  3. Save the changes
  4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  add the following variable there :
  ProviderCredentialsMap=<map name created in step 2>
  5. Save the changes and restart ucm server .
  After that login with the user who has the ldap role that is mapped in stpe 2 , this user will have the ucm admin role .
  Hope this helps .
  Thanks
  Srinath

• How to enable only a subset of LDAP users to be able to login to OBIEE

  We have enabled LDAP authentication. Now every single LDAP user can login to Presentation server. That is an issue. Not all LDAP users are OBIEE users. Only a small subset of the LDAP users should be able to access OBIEE. We have a database table that lists all OBIEE users. This table however does not have user password information. User Password information is stored in the LDAP.
  so question is how do we limit OBIEE access to only OBIEE users and not all LDAP users.
  Thank you

  Thanks for your suggestion. If i understand it correctly, user will still be able to login to Presentation server but will not have access to any content using your solution approach. Did i get it right?
  In my current setup, user gets authenticated against LDAP, then i extract user group for that user and assign it to GROUP. Only those users gets assigned to GROUP who have access to OBIEE. We have secured RPD and Catalogs so that user must be a member of at least one GROUP to be able to access content.
  Right now, a LDAP user who is not present in OBIEE user table, is able to login to BI Presentation server but is not able to see any thing. Because user gets authenticated, but does not have any authorization rights. So far so good.
  I would like to take next step, where use login to BI Presentation server is denied if user id does not exist in the OBIEE user table ( but exists in the LDAP).
  Thank you

• Restrict regular users to use only certain ldm command options

  I would like to restrict regular users to use only certain ldm command options, for example only list, bind/unbind, stop/start
  What is the best practice to do it?
  Thanks

  Solution provided by one of my colleagues:
  Installing sudo and configure sudoers file "User privilege specification" section similar to the following example:
  # User privilege specification
  root ALL=(ALL) ALL
  user1 host1 = /opt/SUNWldm/bin/ldm ls *
  user1 host1 = /opt/SUNWldm/bin/ldm stop *
  user1 host1 = /opt/SUNWldm/bin/ldm stop -f *
  user1 host1 = /opt/SUNWldm/bin/ldm start *
  user1 host1 = /opt/SUNWldm/bin/ldm bind *
  user1 host1 = /opt/SUNWldm/bin/ldm unbind *
  **Note*: asterisk should be at the end of each row. They are not displayed in the posted message...*

• How can I restrict Lion to only allow certain network users to login when bound to an Active Directory?

  Hi,
  I'm trying to find a way to configure which network users can login to a lab of iMacs running 10.7.4. They're being deployed using DeployStudio, and the Macs are bound to an MS Active Directory by a script that runs as part of the workflow. I'd like to have another script run after the AD binding to permit only users in certain AD groups to be able login to them.
  I'm halfway there, in that using dseditgroup I can easily add AD groups or individual users to the relevant group (deseditgroup -o edit -a <domain\\group name> -t group com.apple.loginwindow.netaccounts. After running this I can see the desired groups added to the list in Sys Prefs -> Users & Groups -> Login Options -> Options. However, membership of this group is deemed irrelevant by the fact the radio button above this list for 'Allow these users to log in at login window' is still set to 'All network users' and not 'Only these network users'.
  Does anyone know of a way to enable the 'Only these network users' option via the Terminal/a shell script?
  Thanks,
  Chris

  I tried that, thinking it was exactly what I wanted, but it still sends stuff as SMS (green bubble).

• OES 2 SP3+Samba+LDAP users

  Hello everyone,
  Wondering if someone might be able to help with a Samba issue that I don't know how to fix. I've researched it quite a bit online but can't seem to find a solution. I did have a couple certs that needed renewed but even after the cert replacement that didn't seem to fix the overall issue. Also made sure the LDAP users are listed in the Samba User list in iManager. Even tried removing a user and and adding them back in the group. Any help would be appreciated, thanks.
  Goal
  LDAP user trying to connect to a samba share on the OES file server from a Mac.
  Enviornment
  Server
  OES SP3
  samba-3.0.36-0.13.28.1
  Client
  Mac OS X 10.9.5
  /var/log/messages
  pdb_get_group_sid: Failed to find Unix account for user1
  Oct 15 14:46:24 server1 smbd[20328]: [2014/10/15 14:46:24, 0] auth/auth_sam.c:check_sam_security(353)
  Oct 15 14:46:24 server1 smbd[20328]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
  Oct 15 14:46:24 server1 smbd[20328]: [2014/10/15 14:46:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  /var/log/samba/log.smbd
  [2014/10/15 14:46:24, 1] auth/auth_util.c:make_server_info_sam(589)
  User user1 in passdb, but getpwnam() fails!
  [2014/10/15 14:46:24, 0] auth/auth_sam.c:check_sam_security(353)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
  [2014/10/15 14:46:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for user1
  [2014/10/15 14:46:25, 1] auth/auth_util.c:make_server_info_sam(589)
  User user1 in passdb, but getpwnam() fails!

  Ok. So, I've been at Millikin for 12 years as a full-time employee now, and my account has existed for 14 years. Back when my account was first enabled for *nix stuff, we used the Unix tabs in ConsoleOne. This was the case with other coworkers who have been here for a while. We have had no problems logging into LDAP-enabled stuff (Novell Samba, SSH, etc.)
  Some of my more recent coworkers were enabled for *nix stuff using the LUM-enable process in iManager. Ever since we plugged the hole with our ldap proxy account, they have *not* been able to access LDAP-enabled stuff.
  And this has been driving me absolutely nuts, until I figured it out today.
  My clue to this was the LDAP users filter screen in YaST on one of our SLES boxes (it acts the same way on all of the SLES boxes though.)
  Basically, I noticed that when I accessed the screen anonymously, only some users had a username under the "name" column, but everyone had one under the "login" column. However, if I accessed it authenticatedly, everyone had both. Which was very curious to me, I mean - why would someone have a username and not others?
  I ended up playing around with an account, and found that the "Login" column is tied to the "uniqueID" attribute in LDAP, and the "Name" column is tied to the "CN" attribute.
  I accessed our LDAP servers via an anonymous connection in an LDAP browser, and found that for some reason, the "CN" attribute wasn't displayed for some folks, but it was others.
  So, I got to checking the "NDS Rights" tab in C1 for the different accounts, and found something very odd:
  For accounts that were set up for *nix "the old way" (through the Unix tab in C1,) the rights for [Public] were very simple:
  somple.png
  However, for folks who were "LUM-Enable"d through iManager, they were much more complex and odd:
  complex.png
  So, for whatever reason, when we LUM-enabled the accounts via iManager, it also added all of those random NDS ACL's. (I verified this by LUM-enabling an account that hadn't been enabled before, and it went from having the simple ACLs to these crazy complex ones. However, if I re-LUM-enable my account, it doesn't add those ACLs.)
  As soon as I removed the restrictive "CN" permission from an account, LDAP things work properly.
  The reason this went undiscovered for so long was because of the overly-generous ACL for our ldap anonymous proxy account - it had overridden the permissions for the CN attribute. When we fixed that security hole, then things that depended on an anonymous connection to access the CN attribute broke.

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• LDAP users Faicng Error While Accessing the ESS Iviews in Portal

  Hi,
  My Portal is SAP EP 7.0 SP20 And ECC 6.0 SP16.
  UME users able to access the ESS MSS Iviews.But only one LDAP User only access ESS/MSS Iviews Other getting the Below error.
  Critical Error
  A critical error has occured. Processing of the service had to be terminated. Unsaved data has been lost.     
  Please contact your system administrator     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE:
  com.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:101)
                  at com.sap.xss.ser.xssmenu.fc.ModelHandler.onInit(ModelHandler.java:205)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalModelHandler.onInit(InternalModelHandler.java:428)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.setPersonnelNumber(FcXssMenu.java:570)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.onInit(FcXssMenu.java:292)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenu.onInit(InternalFcXssMenu.java:455)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenuInterface.onInit(FcXssMenuInterface.java:165)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface.onInit(InternalFcXssMenuInterface.java:389)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface$External.onInit(InternalFcXssMenuInterface.java:546)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.navi.FcNavigation.onInit(FcNavigation.java:314)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigation.onInit(InternalFcNavigation.java:358)
                  at com.sap.pcuigp.xssutils.navi.FcNavigationInterface.onInit(FcNavigationInterface.java:145)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface.onInit(InternalFcNavigationInterface.java:142)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface$External.onInit(InternalFcNavigationInterface.java:278)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmap.onInit(VcRoadmap.java:188)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmap.onInit(InternalVcRoadmap.java:162)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmapInterface.onInit(VcRoadmapInterface.java:153)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface.onInit(InternalVcRoadmapInterface.java:144)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface$External.onInit(InternalVcRoadmapInterface.java:220)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:564)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
                  at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:761)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:696)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:869)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:229)
                  at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1344)
                  at com.sap.portal.pb.PageBuilder.createPage(PageBuilder.java:356)
                  at com.sap.portal.pb.PageBuilder.init(PageBuilder.java:549)
                  at com.sap.portal.pb.PageBuilder.wdDoInit(PageBuilder.java:193)
                  at com.sap.portal.pb.wdp.InternalPageBuilder.wdDoInit(InternalPageBuilder.java:150)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
                  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
                  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
                  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
                  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
                  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
                  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by: com.sap.aii.proxy.framework.core.BaseProxyException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.aii.proxy.framework.core.AbstractProxy.send$(AbstractProxy.java:150)
                  at com.sap.pcuigp.xssutils.xssmenu.model.MenuModel.hrxss_Ser_Getmenudata(MenuModel.java:171)
                  at com.sap.pcuigp.xssutils.xssmenu.model.Hrxss_Ser_Getmenudata_Input.doExecute(Hrxss_Ser_Getmenudata_Input.java:137)
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:92)
                  ... 76 more
  Thanks & Regrads,
  Subba Rao

  Hi,
  Now every user facing the same error while accessing ESS Iviews from Portal.
  in ST22 Dump is created.
  What happened?                                                                                |
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  come across a statement that unfortunately cannot be executed.
  The following syntax error occurred in program
  "CL_XSS_CAT_BUFFER=============CP " in include
  "CL_XSS_CAT_BUFFER=============CM00C " in
  line 50:
  ""L_CATSDB" and "L_CATSDBCOMM" are not mutually convertible. In Unicode"
  " programs, "L_CATSDB" must have the same structure layout as "L_CATSDB"
  "COMM", independent of the length of a Unicode character."
  The include has been created and last changed by:
  Created by: "SAP "
  Last changed by: "SAP "
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  |    come across a statement that unfortunately cannot be executed.
  What we need to resolve the above issue.
  Thanks & Regards,
  Subba Rao

• Creation of Public Sector Planning application fails for LDAP user

  The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
  It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
  Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
  Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
  Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
  ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
  Calculation Manager itself seems to be working fine.
  Any suggestions/thoughts anyone?
  Thanks,
  Andy

  Hi Vivek,
  The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
  I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
  When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
  This is the first time I am using a pre-packaged application like PSB, and have so far worked with only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and may be come to a cause/solution.
  Thanks,
  Andy

• Error while configuring external LDAP user store with weblogic

  Hi,
  I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
  To do this, I have configured authentication provider and provided all the required details to connect to ldap.
  For example:
  Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
  User DN: ou=People,dc=test,dc=com
  Group DN: ou=Groups,dc=test,dc=com
  This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
  In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
  password=xxxxxxx
  username=admin
  Now while starting the admin weblogic server, I am getting the below error:
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
  Regards,
  Neeraj Tati.

  Hi,
  Please refer the below content that I found for Oracle 11g in the docs.
  "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
  By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
  The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
  If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
  Now in my LDAP directory, setup is in such a way that Administrators is a group created under following heirarchy " cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
  The problem that I am having is when I modify the Admin role in which Administrators group should be added what exaclty I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
  When i give full DN, it takes every attribute as different, i mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
  Here not sure what to do.
  Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
  Regards,
  Neeraj Tati.

• LDAP user password "force reset" compliance.

  Sun JSWS 7.0
  Sun JSDS 6.0
  I have ACLs set up with an LDAP authentication database. When a user logs in and their password is in the warn before expire time frame they are redirected to the URL defined by "Redirect URL" in the "Edit Authentication DB" web server GUI menu. This is (from what I can tell) the proper behavior.
  Here is the issue- when we create a new user we have an LDAP password policy which is supposed to force the user to change their password at first log in. However, the web server does not seem to comply with this policy and simply allows the user to log in. Is there a way to to configure the web server to send the user to the change password page in this case?
  Thanks,
  Jess

  Theoretically I think it should work I will have to test it. Can you check LDAP Server logs and tell me what's happening?
  Currently Sun Java System Web Server 7.0 redirects you to a URL provided when passwords
  1) are about to expire (LDAP Server returns LDAP_CONTROL_PWEXPIRING ) or
  2) have expired (LDAP Server sends LDAP_CONTROL_PWEXPIRED).
  This page is set by administrators to either communicate to users that their password will expire soon (and possibly offer ways to renew it). The way to set this is in the auth-db configuration (see server.xml) may have an optional element <auth-expiring-url> its value must be a URL.
  When LDAP server returns LDAP_CONTROL_PWEXPIRED control, user is not authenticated in Web Server (hence will be DENIED access to resources which have ACLs that allows access only to authenticated users).
  However when LDAP server returns LDAP_CONTROL_PWEXPIRING, user is authenticated in Web Server (hence will be ALLOWED access to resources which have ACLs that allows access only to authenticated users).
  According to the documentation LDAP server should return LDAP_CONTROL_PWEXPIRED in case the use is logging in the first time
  http://www.mozilla.org/directory/csdk-docs/controls.htm#use_pwd_policy

• LDAP User Synchronization : Password

  Hi All,
  I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being Synced? or It stores the LDAP Password in SU01 password field?
  I have doubt about the second, as LDAP will never return the password in plain text, and Password Hashing schemes can be different between LDAP and ABAP.
  If it doesn't store the password at all in SU01 for Synced users, then how does user login into SAP GUI?
  Please let me know.
  Thanks in Advance,
  Sanjeev

  Hi Tim,
  it's not possible to unhash cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance which means that it's not feasible for a given hash h to find a message m that hash(m) = h. Even in case that it is possible to find this message you can't be sure that that was the original message because as we know a hash function maps message of arbitrary length to fixed size string. Obviously, there is more messages with variable length than messages with one fixed sized so there has to be at least one hash where there are two messages m1 and m2 and hash(m1) = hash(m2) (pigeon hole principle). So it could happen that user would choose password m1 but your unhasing algorithm would get m2. Obviously, it's highly improbable that second hash function hash m1 and m2 into same hash. Therefore such a solution will not be never available and the only solution is to get password in clear text and distribute it to each system in clear text form. As Julius mentioned this is supported but it has some disadvantages.
  Cheers

• HOW-TO specify database credentials in LDAP user

  Hi:
  I want to know how can i specify oracle database credentials (oracle database usernname) that one specific user will use to connect to the database for instance when using Oracle Forms.
  I saw in OID some "tags" like orcluserv1, etc... is this ? how can i do it ?
  For instance i want that:
  LDAP user Database user
  user00001 dbuserA
  user00002 dbuserA
  user00003 dbuserA
  user00004 dbuserB
  user00005 dbuserB
  So ldap user00001 will connect to the database with dbuserA ..
  Thanks in advance,
  Ricardo

  Hi Ashish:
  I've succesfully created an user with OIDDAS and assign it a "resource acess information" of type OracleDB.
  So, when creating this user i specified the username in db that this user will use to access database. Until now, it's all perfect. But, where's this information is stored ?
  I've access OID Manager and see that user is create in the Entry Management, but the DB information is not stored in any of the properties of this user.
  This is a problem, because I want to make an APP that will use DBMS_LDAP pack to create user dynamically, so I have to know what attributes/classes/properties that user needs for assign it to a specific DB user.
  Can you help ?
  Thanks The information is stored in an Oracle Specific container called 'cn=oracleContext' in the default subscriber.
  You can use the DBMS_LDAP_UTL package (shipped in iAS 902) to query these Resource Access Descriptors. Directly
  storing these from PL/SQL is not presently supported. OIDDAS is the only interface through which you can get this done.