Adding LDAP User store to UME

We need to authenticate users against an LDAP server.  This works fine from the workbench where the UME ContentSource is database_only.  However, the central WebAs (Netweaver 2004) was installed with ContentSource of r3_rw.  According to the documentation, a prerequisite to adding an LDAP user store is: "You have installed a SAP Web Application Server Java where the UME is configured to use the database of the J2EE Engine as data source."  Since our WebAS Java is not configured this way, is there any way, short of re-installing the server, to add an LDAP user store?  TIA,
Steve

Hi Steve,
Once you choose an ABAP data source, there is no going back.
You can however synchronize the ABAP with the LDAP server. Have the ABAP user management periodically import users from the LDAP server.
-Michael

Similar Messages

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? Also, if anyone can suggest the exact steps to configure an external LDAP store so that LDAP users can manage the admin console.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer to the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added to this Administrators group.
    The problem that I am having is, when I modify the Admin role in which the Administrators group should be added, what exactly I should give in the Admin role. Whether I should give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
    Regards,
    Neeraj Tati.

  • Editing LDAP User attributes from UME interface

    Hi Gurus,
    We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
    I want to know
    1. How to enable the connection from UME to LDAP in read/write manner?
    2. What certificates need to be exchanged for write access? if any?
    3. What changes need to be done in the config file of UME?
    4. Which permissions should be granted for communication user to edit LDAP user attributes?
    Even after performing the change to read LDAP in read/write manner, will it be sure: If we lock user from UME, it will lock LDAP user? please comment.
    regards
    Kedar Kulkarni

    Hi,
    We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
    But when we deploy same application into client landscape, we receive error as below:
    No data source feels responsible for principal. Please check the data source configuration
    Now we are not sure why this error is getting displayed.
    In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
    Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
    Any code to access LDAP details will help us lot.
    regards
    Kedar Kulkarni

  • Messaging server and external LDAP user store

    Is it possible to have an external LDAP application store all user information and then have the messaging server authenticate against it and create a mail profile in its own LDAP instance, similar to the way portal handles LDAP users? If not, what is the best way to store user information outside of the mail server instance? Create an LDAP instance and extend the schema to support the mail classes and then use replication to push the users into the mail server's directory instance?

    Correct, extending the schema on the master directory server and replicating the user info down to the messaging server LDAP instance is the way to go.
    This way you do not have to maintain two different sets of user data.
    -Chris

  • Issue adding second user store for failover in OAM

    I am attempting to add a second OVD instance to the OAM Directory servers for Access Manager, Access Server & Identity server. I am getting the error
    Unable to contact the DS. This may happen if DS is down or invalid credentials are provided.
    I have verified communication between the OAM and OVD servers, I have imported the certificate into the OIS & AAA databases using certutil, I have used the same cert to connect to the directory with an ldap browser. Any idea why I can not access the server from OAM?

    Hi,
    I assume it's OAM 10g -
    Even though you add failover servers through the console, you would need to check if it's reflected in the correct xml file.
    There's a file by name 'failover.xml' (I don't remember the path). Please check if it's updated with the correct information.
    -- Pramod Aravind

  • Using a User Store different from LDAP to identify users

    Hello everybody,
    I've developed a couple of authentication classes in Access Manager and
    I found the constraint to use an LDAP user store very limiting.
    I have to develop a class that checks the credentials against a table in
    a database. I've no LDAP user store at all. I find all the relevant
    information in the db. So I can correctly authenticate the user but I
    can't "say" to the Identity Server that the user is also correctly
    identified. In the code I can create a new NIDPPrincipal object with a
    (null UserAuthority) setting its properties for the authenticated user.
    It works but anyway I've to add a "fake" LDAP User store to be able to
    check the "identify user" option in the method definition in the
    Administration Console. And I presume that the Identity Server can
    become unstable because it can not find the User in the user store.
    I've looked at the LDAP Plugin extension, trying to create a "wrapper"
    to the db, but the documented API is only about the LDAP definition and
    does not expose any interface to catch ldap search or read (or whatever
    else the Identity Server may ask to the User store) so I guess that the
    LDAP access is hard-wired in the Identity server code. This approach
    seems very strange because the modular architecture of the NAM solution
    could work very well with other types of user stores than LDAP. I
    expected to find an interface to abstract the User Authority.
    Am I missing something, or is my reasoning very wrong?
    Thanks
    Giovanni
    cannata_g

    cannata g wrote:
    >
    > Hello everybody,
    > I've developed a couple of authentication classes in Access Manager
    > and I found the constraint to use an LDAP user store very limiting.
    >
    > I have to develop a class that checks the credentials against a table in
    > a database. I've no LDAP user store at all. I find all the relevant
    > information in the db. So I can correctly authenticate the user but I
    > can't "say" to the Identity Server that the user is also correctly
    > identified. In the code I can create a new NIDPPrincipal object with a
    > (null UserAuthority) setting its properties for the authenticated
    > user. It works but anyway I've to add a "fake" LDAP User store to be
    > able to check the "identify user" option in the method definition in
    > the Administration Console. And I presume that the Identity Server can
    > become unstable because it can not find the User in the user store.
    >
    > I've looked at the LDAP Plugin extension, trying to create a "wrapper"
    > to the db, but the documented API is only about the LDAP definition
    > and does not expose any interface to catch ldap search or read (or
    > whatever else the Identity Server may ask to the User store) so I
    > guess that the LDAP access is hard-wired in the Identity server code.
    > This approach seems very strange because the modular architecture of
    > the NAM solution could work very well with other types of user stores
    > than LDAP. I expected to find an interface to abstract the User
    > Authority.
    >
    > Am I missing something, or is my reasoning very wrong?
    I'm probably not really the right person but the way I see it is that
    NAM supports LDAP userstores, therefore it kinda makes sense why the LDAP code
    is so heavily embedded. Maybe log an enhancement request to see if JDBC
    can be supported as an authentication mechanism.
    Cheers,
    Edward

  • Difference between UME and LDAP users

    Hi,
    I am facing a strange problem. In my Webdynpro application, I am accessing the portal user properties using the normal user management APIs. IUser object. On my local server, all the users are UME users and it runs fine.
    When I deployed my application on the central server which creates LDAP users by default, the code bombs saying the user is not authorized. When I recreate the user in UME, it is fine again. Are there APIs which I can use which work for both the user stores?
    Thanks in advance,
    Kiran

    Hi Kiran,
    The IUser object works for both cases. Just try the code below.
    <%@ page import = "com.sap.security.api.IUser" %>
    <%@ page import = "com.sapportals.portal.prt.component.IPortalComponentRequest" %>
    <%!
         // compRequest is the portal component request of the current iView/JSP
         private void getUser(IPortalComponentRequest compRequest) {
              IUser user = compRequest.getUser();        // resolved through UME, whatever the data source
              String userId = user.getUniqueID();         // UME unique ID, also encodes the data source
              String userName = user.getUniqueName();     // logon ID
         }
    %>
    It worked for me for getting the users from LDAP.
    Regards,
    Santhosh

  • How to create a user in J2ee UME, if LDAP configured?

    Hi SAP Gurus,
    I have a question for my J2EE engine. We configured LDAP for user storage, so that our users can use their normal LDAP user ID. Now I want to create an administrative user like J2EE_ADMIN or Administrator; these are standard users and present in the UME of the J2EE engine since the installation of my portal.
    But when I go to the user admin and want to create this new admin user, I get an error message that I'm not able to create it.
    I also tried to create the user via the Visual Admin and the J2EE Useradmin.
    So my question is, how can I create this new user in the UME and NOT in the LDAP???
    Thanks.

    Hi Marcel Haberland,
    If your idea is to have single sign-on, I would say the process is to create the user in LDAP itself; that will be the single point of entry. Since the UME is configured and connected to LDAP, normally with read permission, your best bet will be to create the user in LDAP.
    SSO with  is configured to all your backend syst (trusts need to be configured between Java/Portal and all your backend systems by the Basis team); also the IDs need to exist in all the backends.
    Now to come back to your question:
    If you can log in to the UME of portal/Java and create the user, do not expect it to appear in your LDAP,
    mainly because LDAP will never be configured in an enterprise project as bidirectional (i.e. Read/Write); it will be read-only.
    Also, if the Basis/Portal team allow you the option to create the user in UME, they will have to restart the machine every time you need to point to a different data source, but I don't know if this is the case in EHP4 versions, because SAP claims that with EHP4 downtimes are almost nullified.
    Edited by: Franklin Jayasim on Jun 29, 2010 6:59 PM
    Edited by: Franklin Jayasim on Jun 29, 2010 7:02 PM

  • Add UME Role to LDAP User

    Hi,
    I'm having a problem with portal user management. We have an LDAP user called charlie81 in an Active Directory Server, which has a set of LDAP groups. We also have a UME Role (a role created in the portal) called "Manutenzione". Our target is to assign "Manutenzione" to charlie81 through the portal. I made it, but when charlie81 is logged in, he can see only LDAP Roles; "Manutenzione" is not visible!!!! How can I resolve this problem? Can you help me, please? Thank you in advance, Carlo Paglia

    Hi,
    What kind of role did you assign to the user? A portal role (source = portal role) or a "UME role" (source = UME database)?
    If it's a portal role, is it a standard or a custom role? If it is a custom portal role, make sure an entry point is defined or your role won't be visible. Here's a link to the documentation : [Defining Entry Points|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/4e/3e703e632c7937e10000000a114084/frameset.htm].
    Regards,
    Pierre

  • Synchronize users from IDM Idenity Store to UME

    Hi experts
    I would like to synchronize my users from IDM Identity Store to UME Java. I read the document "User management for the Identity Management User Interface" but it is only for version 7.1; I use IDM 7.2 SP8. I can't find job templates for UME.
    I would like to provide users able to access portal:5000/idm; now only the administrator can log on to the portal.
    I'm looking forward to your reply.

    Hello Bartosz
    For logging on to the IDM UI, IDM would match the MX_PERSON with the UME user and allow the user to access the IDM UI if both match.
    Please give idm.authenticated action access via any UME Role or group to users. You can add this action to the Everyone group in UME.
    For creating users in JAVA UME, you need to create one repository for UME as AS JAVA and choose the standard job Create AS JAVA users from the SAP Provisioning framework to create users.
    Let me know in case any further information is required, I am also on IDM 7.2 SP8
    Regards
    Deepak Gupta

  • Issue on LDAP as a user-store for WebLogic Administrators

    Hi All,
    I have configured a Novell LDAP into WebLogic 10.3.2 successfully. I am able to view all of the LDAP users and groups on the WebLogic Admin Console, which includes my own account in LDAP.
    Now I am trying to configure my account as a WebLogic administrator so that I can log in to the WebLogic Admin Console as my own account in LDAP. I don't want to set up an Administrators group in LDAP. I want to add the user to the Admin global role. To my understanding, all I need to do is
    1. Go to "myrealm"
    2. Click the tab "Roles and Policies"
    3. Click the tab "Realm Roles"
    4. Expand the link "Global Roles"
    5. Click the link "View Role Conditions" corresponding to the name "Admin". Enter the panel "Edit Global Role"
    6. Click the button "Add Conditions"
    7. Select "Predicate List" as "user"
    8. Click the button "Next"
    9. Enter my username (jwang) in LDAP to the field "User Argument Name:"
    10. Click the button "Add"
    11. Click the button "Finish"
    12. Back to the page "Edit Global Role"
    13. Here I can see
    User : jwang
    Or
    Group : Administrators
    14. Click the button "Save"
    15. Restart the server
    16. Log in with the new user jwang. It got denied.
    Can someone help me on this and why I can not log in?
    Thanks a lot.
    John

    Hi Faisal,
    Thank you very much for your prompt reply. With your suggestion, I do figure out where my problem is. I did set the control flag in my ldapAuthenticator "OPTIONAL". However, it appears that the DefaultAuthenticator is given as "REQUIRED" by default.
    Once I changed it to be "OPTIONAL", it works.
    Thanks again.
    John
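The two WebLogic threads above (Neeraj's single LDAP provider with a boot identity the LDAP server rejects, and John's DefaultAuthenticator left at REQUIRED) both come down to how JAAS control flags combine across the provider stack. The following is an added simulation of those semantics, not code from the original thread or from WebLogic; the provider names, user tables and passwords are constructed.

```python
# Simulation of the JAAS control-flag semantics (REQUIRED, REQUISITE,
# SUFFICIENT, OPTIONAL) that WebLogic applies across its authentication
# providers. Constructed example: provider stacks and user tables are made up.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; later providers still run
    REQUISITE = "REQUISITE"    # must succeed; on failure stop immediately
    SUFFICIENT = "SUFFICIENT"  # success ends the chain unless an earlier mandatory one failed
    OPTIONAL = "OPTIONAL"      # result does not decide on its own; later providers still run


@dataclass
class Provider:
    """One authentication provider with an in-memory user table (constructed)."""
    name: str
    flag: Flag
    users: Dict[str, str] = field(default_factory=dict)  # logon name -> password

    def login(self, user: str, password: str) -> bool:
        # A provider can only vouch for users that exist in its own store.
        return user in self.users and self.users[user] == password


def authenticate(stack: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the provider stack in order; return (granted, per-provider trace)."""
    mandatory_failed = False   # a REQUIRED/REQUISITE provider rejected the login
    any_success = False        # at least one provider accepted the login
    trace: List[str] = []
    for p in stack:
        ok = p.login(user, password)
        trace.append(f"{p.name}[{p.flag.value}] -> {'ok' if ok else 'FAIL'}")
        if ok:
            any_success = True
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                mandatory_failed = True
                if p.flag is Flag.REQUISITE:
                    break          # REQUISITE failure short-circuits the chain
        elif p.flag is Flag.SUFFICIENT and ok and not mandatory_failed:
            break                  # SUFFICIENT success ends the chain early
    # Overall rule: every REQUIRED/REQUISITE provider must succeed, and when none
    # is mandatory at least one SUFFICIENT/OPTIONAL provider must succeed.
    return (not mandatory_failed) and any_success, trace


# Constructed stores: the embedded DefaultAuthenticator only knows "weblogic",
# the external LDAP authenticator only knows "jwang".
EMBEDDED = {"weblogic": "welcome1"}
LDAP = {"jwang": "s3cret"}


def john_before_fix() -> bool:
    """DefaultAuthenticator at its REQUIRED default: an LDAP-only user is denied."""
    stack = [Provider("DefaultAuthenticator", Flag.REQUIRED, EMBEDDED),
             Provider("ldapAuthenticator", Flag.OPTIONAL, LDAP)]
    return authenticate(stack, "jwang", "s3cret")[0]


def john_after_fix() -> bool:
    """Both providers OPTIONAL: success in the LDAP store alone is enough."""
    stack = [Provider("DefaultAuthenticator", Flag.OPTIONAL, EMBEDDED),
             Provider("ldapAuthenticator", Flag.OPTIONAL, LDAP)]
    return authenticate(stack, "jwang", "s3cret")[0]


def sufficient_chain(user: str, password: str) -> bool:
    """Both providers SUFFICIENT: either store may vouch, and the first match wins."""
    stack = [Provider("DefaultAuthenticator", Flag.SUFFICIENT, EMBEDDED),
             Provider("ldapAuthenticator", Flag.SUFFICIENT, LDAP)]
    return authenticate(stack, user, password)[0]


def neeraj_boot_identity() -> bool:
    """Only an LDAP provider left, and a boot identity that LDAP does not know."""
    stack = [Provider("ldapAuthenticator", Flag.SUFFICIENT, LDAP)]
    return authenticate(stack, "admin", "xxxxxxx")[0]


if __name__ == "__main__":
    for label, fn in [("John before", john_before_fix), ("John after", john_after_fix),
                      ("Neeraj boot identity", neeraj_boot_identity)]:
        print(f"{label}: {'granted' if fn() else 'denied'}")
```

The trace returned by authenticate() shows which provider actually rejected the login, which is the first thing to check when the server log only says "Authentication denied".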

  • Adding object classes when creating ldap user in workflow

    I'm creating ldap users in a workflow and when I assign the object classes in the workflow I get an object class violation. It seems that when I call check in view and when my break point stops in Update User the default object classes on the resource have been removed from the user.accounts[LDAP].objectClass attribute which I just set. Not sure what's going on here. Is there another way to assign more than just the default object classes to a new ldap user through the workflow? Thanks in advance.

    Multiple things I can think of
    1) put all the object classes you may be expecting with the user account in the resource configuration panel. LDAP is smart enough to assign the related object classes to the object based on the attributes assigned to the user.
    2) Check if you have the object class in the schema of LDAP.

  • User Store for Portal

    Hello,
    We are implementing a new portal, and having trouble deciding on the user store for the portal.
    Scenario:
    • The main functionality of the Portal is dependent on the SAP Systems (ESS\MSS), and BW System.
    • Currently there is no CUA or SAP Identity Management Systems available.
    • The Usernames in our LDAP and SAP ECC systems are different, so we can't use the LDAP.
    From our preliminary brainstorming, we came up with the following decision:
    • Use the ECC ABAP Store for the user base (so we leverage all the ECC users, and their current role assignments in the portal)
    • Later on, once we're ready to install SAP IDM, switch the Portal's User Store from the ECC ABAP Store to IDM.
    QUESTIONS:
    1. Is our approach here correct?
    2. Would it be possible to switch the portal's user store from the ECC ABAP Store to IDM?
    3. Should we consider installing CUA in the meantime until we're ready to move to IDM?
    Any help or opinions would be much appreciated...
    Thanks,
    Harman

    Hi,
    Q1 You wrote: "The Usernames in our LDAP and SAP ECC systems are different, so we can't use the LDAP."
    This is not 100% true... take a look at this help document as it explains some possibilities for you:
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
    Q2 Not really, see Q1 and in addition IDM is a Management and Provisioning System/Tool. It isn't a user store on its own.
    In other words IDM contains the single truth but it provisions it to systems (JAVA, ABAP, LDAP etc).
    So it won't be possible to connect your Portal from an ABAP user store to an IDM user store as it doesn't exist.
    What theoretically could be possible is to now connect your Portal to an ABAP user store and later back to its own UME and let this UME be under provisioning by the IDM system. But as I remember it is not supported to go back from ABAP to UME. See also: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/f5/8fdc3fca21eb06e10000000a1550b0/frameset.htm
    Q3 Personally I think it is a good first step as it helps you to centralize and unify your users and roles. But if you already decided to go for IDM (let's say next year), then maybe the Return On Investment for implementing CUA now is nil.
    Do not hesitate to ask if above answers are unclear.
    Good Luck,
    Benjamin

  • User Store

    Everything worked with Access Manager 6.0, but now I'm using AM 7.0. Not in legacy mode. New GUI.
    Creating a sub realm and policy with a referral at the root did not work for protecting multiple applications. I think referrals only give users permissions to manage policies in sub realms. I wanted to create a realm for each application, but that approach does not seem to work. Any suggestions?
    I've given up on sub realms and just created a user store and a normal policy at the root. When I try to authenticate, Access Manager keeps checking the policy server LDAP. I want the user authenticating against the user store I just added.
    In the policy I selected the new user store for the authentication scheme, but that did not seem to work.
    Any suggestions or ideas?

    Thank you for replying. I was wondering if anyone watches this forum.
    Yes, I created an LDAP Authentication Module for the new user store. In the policy I created an "Authentication Scheme" that refers to my new user store.
    No, I have not modified the chain. When I tried changing "Default Authentication Chain", I was unable to login to the AM console using the amAdmin user id.
    I thought "Administrator Authentication Chain" applied to amAdmin and I could modify the "Default Authentication Chain" to use my new user store.
    Thanks again!

  • LDAP user and group configuration in ADF application

    Hi All,
    I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
    However, I have not added any user in jazn-data.xml, which I guess is not required because they will be picked up from LDAP.
    Now how do I configure JDeveloper to use those users? What changes need to be made in jazn-data.xml? Or in jps-config.xml / web.xml / weblogic-application.xml?
    Am I missing any configuration step? I have referred to "ADF Security set up - step by step tutorial - quick question" but did not find it useful.
    I am using JDeveloper 11.1.1.5.
    Thanking you all in advance.
    Mukesh.

    I have below changes in files
    1] In jps-config.xml
    -- Added identity store and selected it from drop down in Security Context tab.
    2] In weblogic-application.xml
    In Security tab --> Role assignment mapped valid-users to principal name.
    <security>
    <realm-name>myrealm</realm-name>
    <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>DERDev</principal-name>
    </security-role-assignment>
    </security>
    3] Same thing done in weblogic.xml. I do not know the difference between weblogic-application.xml and weblogic.xml configuration and which will work.
    4] Added security role "DERDev" along with the default/automatically added role "valid users"
    <security-role>
    <role-name>DERDev</role-name>
    </security-role>
    Still no luck ...... what am I missing again? I referred to many links but found not a single document mentioning all steps.
    Mukesh
