AnyConnect and nested LDAP memberof

Similar Messages

• Retrieve nested LDAP groups independent from the network env. (five different approaches)

  Hi all,
  I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
  * The script/program must run in different network environments (I can't be sure if there is a global catelog or AD DS or AD LDS, etc). I will write my own program.
  * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
  the directory ACL's.
  * It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
  Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
  1) tokengroups attribute:
  - The attribute contains Univeral groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
  - Returns a list of SIDs which will have to be translated to group names
  - The tokenGroups attribute exists on both AD DS and AD LDS
  - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
  - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
  - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
  2) tokenGroupsGlobalAndUniversal
  - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
  - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
  - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
  sure if this is correct, I think it doesn't contain local groups.
  - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
  3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
  - Use a recursive search query which returns all nested groups for user at once.
  - Returns all groups except for the primary group
  - It's a fast approach, see performance test from Richard Mueller:
  http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
  - It only works on Active Directory, not for other LDAP implementations
  4) Recursive retrieval of the memberOf attribute
  - Retrieves all groups except the primary group. (also local groups from other domains??)
  - works for all LDAP implementations
  - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
  5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
  - No heavy load to the LDAP
  - Needs space to store the user/group info locally (embedded Derby database perhaps)
  - Performs fast since the queries are executed locally
  - Works for all LDAP implementations
  My thoughts on these different approaches:
  * appreach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
  * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
  * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
  * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
  * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, databse id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
  loops are done locally. It will work for all LDAP implementations.
  What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
  LDAP host/port and bind user to connect to LDAP).
  Thanks a lot!
  Paul

  I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
  effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
  nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
  But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
  LDAP.
  Again - note that this question has nothing to do with LDAP or AD.  It just asks what group has permissions on what resources.
  I really think you would do well to spend time understanding the NTFS and its security along with how we sue security in Windows.  By assuming this has something to do with AD you are making it a bigger issue than needed.  AD is a repository for
  accounts and trusts and manages authentication and security group membership.  All file security is managed by the OS that hosts the files and not by AD.  Users are not normally granted access to resources through direct inclusion in the DACL but
  are given access through membership in one or more groups.  Loading AD into a SQLL database will not help you.
  ¯\_(ツ)_/¯

• OAM 10g - obmygroups and nested dynamic groups

  I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
  The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to static groups with nested dynamic groups where the user is a member of the nested dynamic group.
  Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
  Thanks,
  Matt

  Return Attribute Action in authentication or authorization rules
  obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
  EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub(group_type=role) returns all the groups in cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
  For more information check OAM Access Administration Guide

• Problem with generating xml and nested cursor (ora-600)

  I have a problem with generating xml (with dbms_xmlquery or xmlgen) and nested cursors.
  When I execute the following command, I get a ORA-600 error:
  select dbms_xmlquery.getxml('select mst_id
  , mst_source
  , cursor(select per.*
  , cursor(select ftm_fdf_number
  , ftm_value
  from t_feature_master
  where ftm_mstr_id = pers_master_id ) as features
  from t_person per
  where pers_master_id = mst_id ) as persons
  from f_master
  where mst_id = 3059435')
  from dual;
  <?xml version = '1.0'?>
  <ERROR>oracle.xml.sql.OracleXMLSQLException: ORA-00600: internal error code, arguments: [kokbnp2], [1731], [], [], [], [], [], []
  </ERROR>
  The problem is the second cursor (t_feature_master).
  I want to generate this:
  <master>
  <..>
  <persons>
  <..>
  <features>
  <..>
  </features>
  </persons>
  <persons>
  <..>
  <features>
  <..>
  </features>
  </persons>
  </master>
  If i execute the select-statement in sql-plus, then I get the next result.
  MST_ID MST_SOURCE PERSONS
  3059435 GG CURSOR STATEMENT : 3
  CURSOR STATEMENT : 3
  PERS_MASTER_ID PERS_TITLE PERS_INITI PERS_FIRSTNAME PERS_MIDDL PERS_LASTNAME
  3059435 W. Name
  CURSOR STATEMENT : 15
  FTM_FDF_NUMBER FTM_VALUE
  1 [email protected]
  10 ....
  I use Oracle 8.1.7.4 with Oracle XDK v9.2.0.5.0.
  Is this a bug and do somebody know a workaround?

  Very simple...Drop all type objects and nested tables and create them again. You will get no error. I'll explain the reason later.

• IKEv2 AnyConnect and Pool allocation via RADIUS

  I am configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
  e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
  home                    Cleartext-Password := "cisco"
                               Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                               Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                                Framed-Pool = "CUST-A-POOL"
  matt@home               Cleartext-Password := "test123"
  Group and user authorization information is then merged and cloned onto the virtual template:
  crypto ikev2 name-mangler EXTRACT-GROUP
  eap suffix delimiter @
  crypto ikev2 profile FlexVPN-IKEv2-Profile-1
  match fvrf IPSEC-FVRF
  match identity remote key-id FlexAnyConnect
  identity local dn
  authentication remote eap query-identity
  authentication local rsa-sig
  pki trustpoint cacert.org
  dpd 60 2 on-demand
  aaa authentication eap FlexVPN-AuthC-List1
  aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
  aaa authorization user eap cached
  virtual-template 1
  interface Virtual-Template1 type tunnel
  no ip address
  tunnel mode ipsec ipv4
  tunnel vrf IPSEC-FVRF
  tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
  However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
  *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
  However, the crypto debugs state that an IP address cannot be assigned:
  *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
  <snip>
  Payload contents:
  AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
  If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
  Cheers,
  Matt

  Marcin,
  Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
  As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
  Cheers,
  Matt

• Skew, Warp, Resize and Nest a video in Photoshop???

  I would like to know how to skew, warp and resize a video inside of photoshop cs4.  I would also like to know how to nest multiple video files into one file.
  I am new to Photoshop, I am looking for some tutorials but unable to find any.
  Thanks

  Marian, thanks for the advice.
  Thou I understand your point, very well about screwdriver vs hammer, that was not my question in my post.  I asked a straight forward question about how to Skew, Warp, Resize and Nest a video in Photoshop.  Not which is the best software to use for this task.
  If you know the answer, share the knowledge, is this not what this forum is for or am I in the wrong place???  Before suggesting which tool is best for me to use, try understanding what I want to build first.  This makes all the difference. 
  As I have already proven to myself I don’t need a new tool to accomplish the task I had at hand.  If I took your advice, I and my company would have wasted money on a software that we did not need in the first place.
  Understand your client needs first before giving advice.  Sometimes a hammer is all it takes, if you use right.
  I don’t need to study more on video production, this is not my job.  All I wanted to know was how to edit a video in Photoshop.
  I hope we are not off on the wrong foot because I feel I could learn a lot from you but you need to take the time to understand the question before shooting from the hip with an answer.

• SQL Loader Constraints with Column Objects and Nested Tables

  I am working on loading a Table that (god forbid) contains columns, column objects, and nested tables (which contains several depth of column objects). My question is does SQL Loader have a hidding undocumented feature where it states how the column objects must be grouped in refereneced to the nested tables within the loader file? I can load the various column objects, and nested tables fine right now, however, I am loading them all in strange and insane order. Can anyone answer this question? Thanks.
  Peter

  I just noticed that my email is wrong. If you can help, plese send email to [email protected]
  thanks.

• ORA-06502 during a procedure which uses Bulk collect feature and nested tab

  Hello Friends,
  have created one procedure which uses Bulk collect and nested table to hold the bulk data. This procedure was using one cursor and a nested table with the same type as the cursor to hold data fetched from cursor. Bulk collection technique was used to collect data from cursor to nested table. But it is giving ORA-06502 error.
  I reduced code of procedure to following to trace the error point. But still error is comming. Please help us to find the cause and solve it.
  Script which is giving error:
  declare
  v_Errorflag BINARY_INTEGER;
  v_flag number := 1;
  CURSOR cur_terminal_info Is
  SELECT distinct
  'a' SettlementType
  FROM
  dual;
  TYPE typ_cur_terminal IS TABLE OF cur_terminal_info%ROWTYPE;
  Tab_Terminal_info typ_cur_Terminal;
  BEGIN
  v_Errorflag := 2;
  OPEN cur_terminal_info;
  LOOP
  v_Errorflag := 4;
  FETCH cur_terminal_info BULK COLLECT INTO tab_terminal_info LIMIT 300;
  EXIT WHEN cur_terminal_info%rowcount &lt;= 0;
  v_Errorflag := 5;
  FOR Y IN Tab_Terminal_Info.FIRST..tab_terminal_info.LAST
  LOOP
  dbms_output.put_line(v_flag);
  v_flag := v_flag + 1;
  end loop;
  END LOOP;
  v_Errorflag := 13;
  COMMIT;
  END;
  I have updated script as following to change datatype as varchar2 for nested table, but still same error is
  comming..
  declare
  v_Errorflag BINARY_INTEGER;
  v_flag number := 1;
  CURSOR cur_terminal_info Is
  SELECT distinct
  'a' SettlementType
  FROM
  dual;
  TYPE typ_cur_terminal IS TABLE OF varchar2(50);
  Tab_Terminal_info typ_cur_Terminal;
  BEGIN
  v_Errorflag := 2;
  OPEN cur_terminal_info;
  LOOP
  v_Errorflag := 4;
  FETCH cur_terminal_info BULK COLLECT INTO tab_terminal_info LIMIT 300;
  EXIT WHEN cur_terminal_info%rowcount &lt;= 0;
  v_Errorflag := 5;
  FOR Y IN Tab_Terminal_Info.FIRST..tab_terminal_info.LAST
  LOOP
  dbms_output.put_line(v_flag);
  v_flag := v_flag + 1;
  end loop;
  END LOOP;
  v_Errorflag := 13;
  COMMIT;
  I could not find the exact reason of error.
  Please help us to solve this error.
  Thanks and Regards..
  Dipali..

  Hello Friends,
  I got the solution.. :)
  I did one mistake in procedure where the loop should end.
  I used the statemetn: EXIT WHEN cur_terminal_info%rowcount &lt;= 0;
  But it should be: EXIT WHEN Tab_Terminal_Info.COUNT &lt;= 0;
  Now my script is working fine.. :)
  Thanks and Regards,
  Dipali..

• AnyConnect and Pre-Shared Keys

  Hello,
  I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect Client on Android to connect to my ASA 5505 via IPSEC. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know, I'm not sure what to put on here to give the info needed to help. Thanks!

  Believe I found my answer:
  Cisco AnyConnect VPN
  Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
  A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
  From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
  If there is a workaround or something, please let me know. If not, oh well!

• OCI doc says Cursor and Nested table have the same bind type SQLT_RSET but they don't

  5 Binding and Defining in OCI
  PL/SQL REF CURSORs and Nested Tables in OCI
  says SQLT_RSET is passed for the dty parameter.
  If I use SQLT_RSET for the return value of a function that returns a table and pass a statement handle's address for the OCI parameter data pointer, I expected that the statement handle will be instantiated as a result of executing the function on which I can further perform fetch, similar to a cursor. But it throws exception PLS-00382: expression is of wrong type ORA-06550: line 2, column 3. Is the above documentation wrong?
  From the OCI header file I see that for varray and nested table it mentions to use SQLT_NCO. I could find no example in the OCI documentation on how to pass or receive as return value a nested value when using SQLT_NCO.
  Please help before I shoot myself.

  So the Nested table I quoted in the doc is not actually used to mean a table type below?
  create type t_resultsetdata as object (
  i int, d decimal, c varchar(10)
  create type t_nested_resultsetdata as table of t_resultsetdata;
  create function Blah return t_nested_resultsetdata  is . . .
  For this you are saying to use SQL_NTY and not SQL_NCO. Can you tell where this usage is documented, because ocidfn.h says
  #define SQLT_NTY  108                              
  /* named object type */
  #define SQLT_NCO  122 
  /* named collection type (varray or nested table) */
  Another question - Because of the original document I said I followed, I thought I could treat cursor and nested table similarly in the calling application, i.e. I could repeatedly do a fetch on the OCIStmt* which will be bound for nested table. Now from what you say I understand I can't really bind a OCIStmt* for nested table but have an object type. That means it will get all the data of that collection in one go, right? LIke I said, lack of examples is making this tough. I don't want to look into OCI source code, as that will be too much.

• Weblogic 8.1 and Novell LDAP SSL

  Hi Everyone !
  I'm having problems enabling SSL between Weblogic 8.1 and Novell LDAP. I have
  the non-SSL working. All the BEA documentation I've found indicates that the SSL
  Enabled checkbox needs to be checked and that's all. This can't be all because
  I get the following errors.
  Does anyone know how to solve this ?
  Thanks,
  Eddie
  ####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
  <Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
  ####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
  <Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
  ####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
  <Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104 during
  SSL handshake.>

  You need to configure the server SSL to trust the identity certificate it receives
  from nastea02.bankofny.com If you want to use the default configuration you could
  simply import the CA certificate that issued that identity certificate to the
  DemoTrust.jks keystore.
  Also, look at Using Host Name Verification here: http://edocs.bea.com/wls/docs81/secmanage/ssl.html#1187786
  because this might be another reason why the certificate is rejected.
  Pavel.
  "Eddie Baue" <[email protected]> wrote:
  >
  Hi Everyone !
  Please ignore the exceptions from my previous posting. I'm getting
  a new exception,
  which I've list below.
  Thanks,
  Eddie
  ####<Oct 1, 2003 2:47:20 PM EDT> <Warning> <Security> <6X19DYSZH1ZV>
  <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>>
  <> <BEA-090477>
  <Certificate chain received from nastea02.bankofny.com - 10.4.5.104 was
  not trusted
  causing SSL handshake failure.>
  "Eddie Baue" <[email protected]> wrote:
  Hi Everyone !
  I'm having problems enabling SSL between Weblogic 8.1 and NovellLDAP.
  I have
  the non-SSL working. All the BEA documentation I've found indicatesthat
  the SSL
  Enabled checkbox needs to be checked and that's all. This can't beall
  because
  I get the following errors.
  Does anyone know how to solve this ?
  Thanks,
  Eddie
  ####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV>
  <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>>
  <> <BEA-090169>
  <Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
  ####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV>
  <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>>
  <> <BEA-090169>
  <Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
  ####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV>
  <mytest>
  <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>>
  <> <BEA-090476>
  <Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104
  during
  SSL handshake.>

• Steps for portal and Microsoft LDAP server integration

  Hi,
  Could any one guide me steps for portal and Microsoft LDAP server integration. Need it urgently.
  Thanks in advance.
  Regards,
  Niraj

  Please don't cross post in multiple forums..

• How do I easily indent iphoto albums by category and nest them?

  how do I easily indent iphoto albums by category and nest them?

  Create folders - File menu ==> new ==> folder  (you can not "indent" them) - folders can contain albums or other folders
  Suggest the "indentation" to apple - iPhoto menu ==> provide iPhoto feedback
  LN

• Force client cert only for anyconnect and not for ssl-clientless?

  I need to configure different authentication for anyconnect clients and clients logging in using the ssl portal in the browser.
  I want both AAA and certificate for anyconnect but i want ONLY aaa for the ssl portal (clientless)
  I tried using two tunnel groups with different authentication settings but i need the same alias available for both clientless and anyconnect and when i tried that it said i cant have two with the same alias.

  Did you ever get an answer to this question?
  It seems you should be able to set up a two different client profiles.  Under Authentication, ssl-client would would specify "Both" and the sslclientless would specify AAA.  You would likely have to duplicate much of the other work but the requirement would be satisfied.

• How can i config WLS7 and iPlanet LDAP

  How can i config WLS7 and iPlanet LDAP?
  failed during initialization. Exception:java.lang.SecurityException: Authenticat
  ion for user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:978)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1116)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  >

  Yos:
  Series of steps to get WLS working with some external LDAP server follows:
  I. create a new domain /mydomain
  II. start server
  III. open WebLogic console in a browser
  IV. in left frame, go to
  security->realms->myrealm->providers->AuthenticationProviders and click
  V. in right frame, click on “Configure a new iPlanet Authenticator”
  VI. In the new screen, under General, make sure the Control Flag is set to Required,
  select a name for this authenticator, and click Create.
  VII. Select iPlanet LDAP tab and fill in values for Host, Port, Principal where
  these values reflect the settings for your LDAP server. (Note: the default
  principal for an iPlanet LDAP server is uid=admin, ou=Administrators,
  ou=TopologyManagement, o=NetscapeRoot). Click Apply.
  VIII. Click on Credential: Change. At the new screen, enter the credential
  associated with the Principal that you entered in step VII in both boxes. This will
  be the password that is used to do a bind to your LDAP server with the principal.
  Click Apply.
  IX. Select Users tab and make sure these properties accurately reflect the structure
  of your LDAP server. Most of the time the only property that needs to be changed is
  the User Base DN property, from ou=people,o=example.com to
  ou=people,o=myCompany.com. Click Apply.
  X. Select Groups tab and make sure these properties accurately reflect the structure
  of your LDAP server. Most of the time the only property that needs to be changed is
  the Groups Base DN property, from ou=people,o=example.com to
  ou=groups,o=myCompany.com. Click Apply.
  XI. Now, the boot identity of your server absolutely must be a user that exists on
  your LDAP server. You must also have an “Administrators” group on your LDAP server,
  and the boot identity must be a user that exists in this “Administrators” group, or
  the server will not start. So open your LDAP console (this will be a console that
  is specific to the LDAP server you are using) and use the management tools to create
  the “Administrators” group and a user that you place in the “Administrators” group
  that is the boot identity that you use to start WebLogic.
  XII. Make these changes and restart the server.
  XIII. You can verify that the LDAP setup is correct by doing a thread dump. You
  should see a thread like:
  “LDAPConnThread localhost:389" daemon prio=5 tid=0x8d9b308 nid=0x8f8 runnable
  [0x9e2f000..0x9e2fdbc]
  at java.net.SocketInputStream.socketRead(Native Method)
  at java.net.SocketInputStream.read(SocketInputStream.java:86)
  at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
  at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
  - locked <3281d98> (a java.io.BufferedInputStream)
  at netscape.ldap.ber.stream.BERElement.getElement(BERElement.java:101)
  at netscape.ldap.LDAPConnThread.run(LDAPConnThread.java:420)
  where “localhost:389” is the server name and port of your LDAP
  server. This means that your Authenticator has been set up correctly.
  XIV. Now you can delete your default authenticator. Open the WebLogic console and
  go to security->realms->myrealm->providers->AuthenticationProviders in the left
  frame, and click
  XV. In the right frame, look for DefaultAuthenticator and click on the trash can to
  the far right. Say “Yes” when it asks if you are sure, then click Continue.
  XVI. Restart the WebLogic server. If the server boots correctly, you’re done.
  Everything is working correctly.
  Please note that the "default authenticator" refers to the embedded LDAP server that
  ships with WebLogic.
  Hope this helps.
  Joe Jerry
  Yos wrote:
  How can i config WLS7 and iPlanet LDAP?
  failed during initialization. Exception:java.lang.SecurityException: Authenticat
  ion for user weblogic denied
  java.lang.SecurityException: Authentication for user weblogic denied
  at weblogic.security.service.SecurityServiceManager.doBootAuthorization(
  SecurityServiceManager.java:978)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:1116)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  >