Authenticate OID against external LDAP v3 Directory

Has anyone managed to get Oracle OID to authenticate
against an external LDAP v3 directory such as Domino v5.12 or later?
If so can you provide any assistance as to how this was achieved.
Thank you.

Bill,
What documentation did you use to get this working? Our infrastructure team has really struggled figuring out how to have AD be the single sign-on source for our Oracle apps and technologies (Portal, Collab Suite, ...). Our EBS install is hosted at OOD.
Doug Gabel
School Specialty

Similar Messages

  • How to authenticate CXF-Webservice against external LDAP in WebLogic?

    Hi there,
    I'm trying to integrate our Camel-application into WebLogic 12c. All the incoming endpoints are CXF-based webservices. These are secured by "UsernameToken Timestamp" with the WSS4JInInterceptor configured like this:
    <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="UsernameToken Timestamp" />
                <entry key="passwordType" value="PasswordDigest" />
                <entry key="passwordCallbackClass"
                       value="de.mycompany.camel.cxf.UserTokenCallbackHandler" />
            </map>
        </constructor-arg>
    </bean>
    My problem is: WSS4JInInterceptor expects the UserTokenCallbackHandler to return the password of the user delivered in the header <wsse:Username>. Is there any way to retrieve this from an external LDAP configured in WebLogic? I've already managed to retrieve the users, groups etc. with JMX (javax.management.MBeanServerConnection and weblogic.security.providers.authentication.LDAPAuthenticatorMBean), but I can't figure out how to authenticate the user against the LDAP, i.e. retrieve the password.
    Or am I heading in a completely wrong direction and this is not the way to achieve authentication for CXF-Webservices in WebLogic?
    Please give me a hint (code-snippets preferred ;-) ) how to solve this.
    Regards,
    Frank

    I have run into the exact same situation. Did you ever get around this? If so, how? Please let me know.

  • Authenticate Users against external RADIUS-Server

    Hi,
    I have some users in the local LDAP database of a 10.5 Server.
    Is there a way to store their passwords on an external RADIUS-Server?
    Thank you very much,
    macservo

    CryptoCard does this.
    We use it at one customer for L2TP VPN authentication.
    This way the VPN user gets a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
    You then have to authenticate to any service you want to use (Kerberos?).
    We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
    Maybe possible to use it for Ethernet/Wireless 802.1X authentication too?
    For just AFP server auth I don't know.

  • Anyone configured OID with weblogic as external LDAP

    Hey,
    I need help from someone who configured Oracle Internet Directory with WebLogic 7 or any version to use as external LDAP server.
    Your Help is greatly appreciated.
    Thanks & Best Regards,
    Nagendra

    I was able to use OID as external LDAP for my WebLogic. I was able to move the stuff from WebLogic Embedded LDAP to Oracle Internet Directory Server; I have done it by myself.
    Thanks
    Nagendra

  • Not authenticated from external ldap in a cluster

    I am having trouble getting authenticated from an Iplanet LDAP, when the weblogic is configured in a Cluster.
    -I can authenticate with Embedded LDAP domain wide
    -I can authenticate on the external LDAP if I send the request to Admin server
    Here is my cluster configuration (all with Weblogic 7.0 SP4)
    *Admin Server Port: 9209
    *Cluster server 1 : 7209
    *Cluster server 2 : 8209
    *Proxy server     : 9090 (configured with HttpClusteredServlet)
    http://myserver.com:9090/j_security_check fails
    http://myserver.com:9209/j_security_check works
    Please let me know what is wrong?

    "Bob" <[email protected]> wrote in message
    news:3f9fd466$[email protected]..
    I am having trouble getting authenticated from an Iplanet LDAP, when theweblogic is configured in a Cluster.
    -I can authenticate with Embedded LDAP domain wide
    -I can authenticate on the external LDAP if I send the request to Adminserver
    Here is my cluster configuration (all with Weblogic 7.0 SP4)
    *Admin Server Port: 9209
    *Cluster server 1 : 7209
    *Cluster server 2 : 8209
    *Proxy server     : 9090 (configured with HttpClusteredServlet)
    http://myserver.com:9090/j_security_check fails
    http://myserver.com:9209/j_security_check works
    Please let me know what is wrong?

    Are you sure that the LDAP authentication is actually occurring? I would define the DebugSecurityAtn="true" attribute on the ServerDebug mbean for the cluster server members and then look at the log and the ldap_trace.log files to see what is happening with LDAP.

  • WLI-8.1 Problem using external LDAP authenticaion provider

    I added a second authentication provider that uses iPlanet DS to authenticate. My external LDAP users show up in the WebLogic Server Admin Console, but they do not show up in the Integration Console's User Management section. I also can't authenticate through the Worklist app as one of the external users. Can anyone help?

    There is a patch available for this. Please check with BEA support.
    Kelly Graves <[email protected]> wrote:
    I added a second authentication provider that uses iPlanet DS to authenticate.
    My external LDAP users show up in the WebLogic Server Admin Console,
    but they do not show up in the Integration Console's User Management
    section. I also can't authenticate through the Worklist app as one
    of the external users. Can anyone help?

  • Two factor authentication ACS 5.x against external Radius and Active Directory

    On ACS 5.x I'd like to authenticate against two external Directories
    Active Directory
    Black Shield Token Server (via RADIUS)
    I found a description that mostly meets my requirements at
         http://blog.pbmit.com/digipass2
    Does anybody have an idea how this has to be implemented on Cisco ACS 5.3?
    In the identity store sequence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success).
    Active Directory and Cisco ACS
          This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

    Just following up to see if there was a solution to this. I am also interested in setting up this type of scenario.

  • Creating OAAM users and groups in external LDAP i.e. OID

    Hi Experts,
    I am looking for the procedure to create OAAM users and groups in external LDAP i.e. OID.
    I am using 11gR2.
    Any pointers would be appreciated.
    Regards,
    Subin

    Check this link http://docs.oracle.com/cd/E27559_01/dev.1112/e27206/lcm.htm#autoId3

  • Authenticate against external windowsdb member server

    I would like to know if anyone has been able to get the ACS appliance version to authenticate users against a Windows Member Server not a DC (no AD).

    My bad, sorry.
    When using the appliance you need to use the Remote Agent for Windows, the appliance will then talk to this agent to authenticate users in its SAM or AD database. You need this since the Appliance is not part of any domain, so it needs to pass off the usernames/passwords to a Windows server that can authenticate users.
    You can read about it here:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/rawi.htm
    Basically install it on the member server and you should be good to go, it will automatically use the local SAM database to check for usernames/passwords. This is actually easier to set up than if you were trying to authenticate to a domain, since there's really nothing for you to do other than install the agent.

  • OCS + authentication external LDAP

    Is there anyone with experience using OCS in combination
    with external authentication against a SunONE LDAP server?
    I don't want to synchronise the two LDAPs. I just want to use the usernames & passwords of the external LDAP.
    Can you explain to me which procedures I must follow?
    Is it necessary that all the users of the external LDAP exist in the OID of OCS?
    If not, how does this work? For example, how do I grant email/files rights to a user who is not in the OCS OID?
    If the users must exist in the OID, which components must I configure within OCS? Must I write a PL/SQL package for authentication to the external LDAP?
    Thanks in advance!

    Hi Elvis!
    What you need to do is to configure an OID plug-in that can be used to authenticate the users against the SUN LDAP. There are some examples in the OID admin guide.
    The users must exist in the OID.
    The users need to be administered in the OID as the CS needs the entries in the users tree as well as the emailservercontainer tree.
    cu
    Andreas

  • Messaging server and external LDAP user store

    Is it possible to have an external LDAP application store all user information and then have the messaging server authenticate against it and create a mail profile in its own LDAP instance, similar to the way portal handles LDAP users? If not, what is the best way to store user information outside of the mail server instance? Create an LDAP instance and extend the schema to support the mail classes and then use replication to push the users into the mail server's directory instance?

    Correct, extending the schema on the master directory server and replicating down to the messaging server ldap instance the user info is the way to go.
    This way you do not have to maintain two different sets of user data.
    -Chris

  • Address Lookup in External LDAP

    I made changes in my $OH/j2ee/OC4J_UM/config/oc4j.properties file in order to look up in an external LDAP:
    toolkit.ldap.dir.1.label=Contacts
    toolkit.ldap.dir.1.url=ldap://OtherLinuxHost.mydomain.com:389
    toolkit.ldap.dir.1.searchbase=ou=Contacts,dc=mydomain,dc=com
    toolkit.ldap.dir.1.filter=objectClass=inetOrgPerson
    toolkit.ldap.dir.1.attribute.mail=mail
    toolkit.ldap.dir.1.attribute.lname=sn
    toolkit.ldap.dir.1.attribute.fname=givenName
    toolkit.ldap.dir.1.attribute.alias=uid
    In my Collaboration Suite - Messages, when I am creating a
    New Message, click on the Blue Torch,
    Select from the list the "Contacts" directory,
    Select "Email Address" "contains" * => Go,
    UM shows the contacts from the external LDAP, but when I try to bcc, cc or to, it does not update my destination fields (bcc/cc/to). But if instead of selecting the list "Contacts" I select the Internal Directory (OID), it works fine.
    Which argument am I missing? Or how do I configure UM to export the email address from the AddrLookup window to the Message_compose window in the destination fields (bcc, cc or to)?
    Thanks a lot for any help.

    It is happening to us as well, we have OCS release 2 9.0.4.2 on Linux trying to access an external OpenLDAP linux server for shared contacts.
    After we get the results of the search on the external LDAP, no button works on the Address Lookup window except "Close". It doesn't matter if we select the "Corporate Book" or other Oracle internal address books; we have to close the window and open it again to do a new search.
    Are you seeing the same behavior?
    I will have a phone conference today (5/11/05) with Oracle support to talk about this issue, we have had a TAR open for about 20 days now.
    I'll keep you posted with the results.

  • ISE admin access, authentication against external radius

    Please don't ask me why,
    the customer insists and wants to be authenticated on ISE (as admin) against an external (Microsoft) RADIUS server.
    Is it possible while retaining the internal admin users database in a sequence Internal>external_radius or internal>AD?
    Thank you in advance for whatever may help.

    According to Cisco:
    External Authentication AND external Authorisation for Admin access on the ISE can only be done by using LDAP or AD.
    For RADIUS servers there is a solution for external Authentication and internal Authorisation on the ISE:
    External Authentication + Internal Authorization
    When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
    You do not need to specify any particular external administrator groups for the administrator.
    You must configure the same username in both the external identity store and the local Cisco ISE database.
    To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
    Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
    The Administrators window appears, listing all existing locally defined administrators.
    Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
    Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
    Step 3 Click Save.

  • Authenticate Users Using an LDAP Server

    Hi,
    I implemented 'Authenticate Users Using an LDAP Server' according to the link below.
    [http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html]
    It works OK to specific DN String, example 'cn=%LDAP_USER%,OU=Menahel,OU=Cmp,DC=ho,DC=discount'.
    We have a lot of domain rules, meaning the users are not located at the same DN.
    Is it possible to use a general DN string (base root) like 'cn=%LDAP_USER%,*,*,DC=ho,DC=discount'?
    Thanks in advance,
    Shay

    Augusto, one thing to check (since it caught me out) is that your LDAP entries conform to the right format, namely
    "cn=Bob" etc
    When I was integrating HTMLDB LDAP against a Sun One Directory Server, it had me scratching my head for ages, until I realised that the LDAP entries had been created in the format of -
    "uid=bob" rather than "cn=bob"
    This might not be your problem, but it's worth checking anyway ;)

  • How can I authenticate a User In Windows Active Directory?

    I need to authenticate a user in Windows Active Directory, but I found that the code below returns true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which does not exist in Active Directory with a blank password, it also returns true. What shall I do? Require every user to input a password that is not blank?
    Please give me some help to solve this problem. Thanks a lot.
    Code:
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.InitialDirContext;

    private Context ctx = null;

    // Returns true when the bind succeeds. The password is sent exactly as given,
    // so a blank password is sent as a blank password (the behaviour described above).
    // setEnvironmentProperties() and freeContext() are the poster's own helpers.
    public boolean authenticate(String name, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        boolean isValid = false;
        try {
            this.setEnvironmentProperties();
            String domainName = AuthenticateResources.getString("mydomain.com");
            // set the name of domain with the user name
            String fullName = name + "@" + domainName;
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://mydomain:389");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            // set user related information
            env.put(Context.SECURITY_PRINCIPAL, fullName);
            // set user password
            env.put(Context.SECURITY_CREDENTIALS, password);
            // validate user: the LDAP bind happens when the context is created
            ctx = new InitialDirContext(env);
            isValid = true;
        } catch (AuthenticationException ex) {
            isValid = false;
        } catch (NamingException ex) {
            throw ex;
        } finally {
            this.freeContext();
        }
        return isValid;
    }

    This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
    I think by default Active Directory disables Anonymous Binding, but you may want to check.
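The false positive described in this post is the LDAP "unauthenticated bind" (RFC 4513, section 5.1.2): a simple bind that carries a name but an empty password is, by the protocol, an anonymous bind, and a server that permits anonymous access answers it with success. The reply above calls this "Anonymous Binding"; the defensive fix is the same either way: the client must refuse to send an empty credential at all instead of trusting the server's configuration. The class below is an added example written for this page, not code from the post; the directory URL and UPN suffix are placeholder assumptions, and the helper names are invented for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Password verification against Active Directory using a JNDI simple bind,
 * guarded against the blank-password (unauthenticated bind) false positive.
 */
public final class AdAuthenticator {

    // Assumed values for this example: replace with your own DC host and UPN suffix.
    private static final String LDAP_URL = "ldaps://dc.example.com:636";
    private static final String UPN_SUFFIX = "@example.com";

    private AdAuthenticator() {}

    /**
     * Returns true only when the directory accepted a simple bind for the given
     * name and a non-empty password. Directory or network failures propagate as
     * NamingException so the caller cannot confuse an outage with a bad login.
     */
    public static boolean authenticate(String name, char[] password) throws NamingException {
        // An empty password would turn the request into an unauthenticated
        // (anonymous) bind, which the server may accept. Never send one.
        if (name == null || name.trim().isEmpty() || password == null || password.length == 0) {
            return false;
        }
        // Reject names that could inject a different principal form (UPN or DOMAIN\user).
        if (name.indexOf('@') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('/') >= 0) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);                 // LDAPS keeps the password off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, name + UPN_SUFFIX);  // userPrincipalName form
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind is performed here
            return true;
        } catch (AuthenticationException wrongCredentials) {
            return false;                       // unknown user or wrong password
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Calling `AdAuthenticator.authenticate("nosuchuser", new char[0])` now returns false without contacting the directory, which is exactly the case the post reports as a spurious true. Other NamingException subclasses (unreachable host, TLS failure, referral problems) are deliberately not caught, so a monitoring or login layer can distinguish "directory down" from "bad credentials".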
