Authenticate partial SSO users using LDAP

Hi all,
Is it possible to authenticate a group of the Portal users using an LDAP server, i.e. not to authenticate all the users using the LDAP server. I want to do this because we have a large number of customers (over 100,000) which are already defined in the LDAP server and I do not want to re-create them in the Portal login server; also I have many Portal users defined normally using the Portal "Add User". And if there is no such option, then is it smooth to move from database authentication to LDAP server authentication (a reference for the steps is appreciated)? We are using the iPlanet LDAP server, which is LDAP v3 compliant.
Best to all

Of course, Single Sign-On implies that you are using a portal, or a cunningly-configured BSP. NTLM is only an option if using a Windows-based IIS as a proxy to your Unix box. Otherwise, you need to use the SPNEGO login module, which is not on general release (it is available on a consulting basis only - see Michael Sambeth at SAP).
Until SAP use UME within the ABAP core, I don't see an elegant solution to this.
- Darren

Similar Messages

  • Authenticating R/3 users using LDAP

    Hi,
    We are trying to authenticate SAP R/3 users using an already built Microsoft ADS.
    We have looked into configuration using trx. LDAP.
    But seems like this only helps to synchronize user data between the LDAP and the R/3 system.
    We are more looking for the authentication itself being handled by the ADS system.
    We do not want to go through the portal for authenticating these users.
    Is it possible to do this.?


  • How to authenticate OIM from AD using LDAP sync

    Hi Team,
    We do not want to use password synchronization connector for AD password sync to OIM
    After reading a few articles I found two probable ways for it:
    1. Authenticate OIM via AD using libOVD with OIM and LDAP sync enable
    2. Authenticate OIM via AD using libOVD, OID and LDAP sync enable.
    Please suggest whether these approaches are practically possible or not.
    If yes then please share related architecture docs.
    Thanks,
    Gaurav

    Here is the one of the doc:
    Configuring LDAP Authentication When LDAP Synchronization is Enabled

  • Wireless controller lobby user and LDAP

    Hi team,
    I want to ask you if there is any possible way to authenticate lobby ambassador users using LDAP? Our client wants to give lobby ambassador privileges to users in Microsoft Active Directory, so they will be able to create guest users! Do you know if it is possible?
    Kind regards,
    Dimitar Katrandzhiev

    should be I use that with my NCS but for the WLCs I saw a solution..hope that is also one for you..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml

  • Deploy authenticate VPN using LDAP AD (with user group)

    Hi,
    I'm stuck in the configuration of an LDAP server for authenticating VPN users using a group in the Windows domain. I would like to create a group like "vpn-group" in the domain. If someone wants to VPN, I just have to add that user to the group "vpn-group" and then they can connect to the company.
    Here is my configuration
    aaa new-model
    aaa authentication login userauthen local group ldap
    aaa authorization network groupauthor local
    ldap attribute-map map1
     map type sAMAccountName username
    ldap server server1
     ipv4 192.168.0.5
     attribute map map1
     bind authenticate root-dn cn=administrator,cn=users,dc=test,dc=local password 7 0235114B0E144E621518
     base-dn cn=vpn-group,cn=users,dc=test,dc=local
    Please advise me.

    I got it working by including the AD security group in the search-filter
    search-filter user-object-type User)(memberOf=CN=vpn-group,OU=Security groups,OU=company,DC=test,DC=local

  • Authenticate Users Using an LDAP Server

    Hi,
    I did implement 'Authenticate Users Using an LDAP Server' according to the link below.
    [http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html]
    It works OK to specific DN String, example 'cn=%LDAP_USER%,OU=Menahel,OU=Cmp,DC=ho,DC=discount'.
    We have a lot of domain rules, mean the users not located at the same DN.
    Is it possible to use a general DN string (base root) like 'cn=%LDAP_USER%,*,*,DC=ho,DC=discount'?
    Thanks in advance,
    Shay

    Augusto, one thing to check (since it caught me out) is that your LDAP entries conform to the right format, namely
    "cn=Bob" etc
    When I was integrating HTMLDB LDAP against a Sun One Directory Server, it had me scratching my head for ages, until I realised that the LDAP entries had been created in the format of -
    "uid=bob" rather than "cn=bob"
    This might not be your problem, but it's worth checking anyway ;)
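The two threads above run into the same pair of problems: the APEX one needs to find a user who may sit in any OU (so a fixed bind-DN template fails), and the Cisco VPN one needs to restrict login to members of one AD group (there done by splicing `(memberOf=...)` into the search filter). The example below is added here and is not code from either thread or from any vendor: it shows the search-then-bind pattern with a proper RFC 4515 filter escape and an exact group check, against an in-memory stand-in directory (constructed, so it runs offline); a real client would send `build_user_filter()` to the server and bind with the DN returned.

```python
"""Search-then-bind login with an exact group check (added example).

Not code from any post above. The directory below is an in-memory
stand-in (constructed) so the module runs offline.
"""
import hashlib
import hmac
from typing import Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    Without it, a username such as '*)(objectClass=*' rewrites the filter
    (the same closing-paren trick the Cisco post uses on purpose)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def build_user_filter(username: str, group_dn: Optional[str] = None,
                      uid_attr: str = 'sAMAccountName') -> str:
    """Locate one account anywhere under the base DN (users spread over
    several OUs are still found), optionally limited to members of group_dn."""
    user_term = f'({uid_attr}={escape_filter_value(username)})'
    if group_dn is None:
        return user_term
    return f'(&{user_term}(memberOf={escape_filter_value(group_dn)}))'


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class FakeDirectory:
    """Constructed stand-in: DN -> attributes. 'pw' plays the role of the
    credential the server verifies on a simple bind."""

    def __init__(self, entries: dict):
        self.entries = entries

    def search(self, uid_attr: str, username: str) -> list:
        return [dn for dn, a in self.entries.items()
                if a.get(uid_attr, '').lower() == username.lower()]

    def bind(self, dn: str, password: str) -> bool:
        a = self.entries.get(dn)
        if a is None or password == '':
            return False  # an empty password is an anonymous bind, never a login
        return hmac.compare_digest(a['pw'], _pw_hash(password))

    def member_of(self, dn: str, group_dn: str) -> bool:
        groups = self.entries.get(dn, {}).get('memberOf', [])
        return any(g.lower() == group_dn.lower() for g in groups)


def authenticate(directory: FakeDirectory, username: str, password: str,
                 group_dn: Optional[str] = None,
                 uid_attr: str = 'sAMAccountName') -> Optional[str]:
    """Return the user's DN on success, None otherwise: search (exactly one
    hit), bind as that DN, then require group membership when one is given."""
    hits = directory.search(uid_attr, username)
    if len(hits) != 1:
        return None  # unknown or ambiguous account
    dn = hits[0]
    if not directory.bind(dn, password):
        return None
    if group_dn is not None and not directory.member_of(dn, group_dn):
        return None  # authenticated, but not authorised for this service
    return dn


# Constructed sample data: two users in different OUs, one in the VPN group.
VPN_GROUP = 'CN=vpn-group,OU=Security groups,DC=example,DC=test'
DIRECTORY = FakeDirectory({
    'CN=Bob,OU=Sales,DC=example,DC=test': {
        'sAMAccountName': 'bob', 'memberOf': [VPN_GROUP], 'pw': _pw_hash('bob-secret')},
    'CN=Alice,OU=Engineering,DC=example,DC=test': {
        'sAMAccountName': 'alice', 'memberOf': [], 'pw': _pw_hash('alice-secret')},
})
```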

  • How to let SAP user use SSO to access Application in DMZ?

    Hi All,
    Our J2EE application is running on a system in the DMZ which cannot be connected with LDAP. So I am wondering if it's possible to let SAP users use SSO to access our application.
    After talking with my colleague I think the only way is to import SSO public key to our WebAS and create user in UME and then assign user to the corresponding public key, but anybody know where to download SSP verification file or is it allowed to download and import into another system at all?
    Regards,
    Bin

    Hi,
    Take a look at this example, it uses property nodes to select the
    active plot and then changes the color of that plot.
    If you want to make the number of plots dynamic you could use a for
    loop and an array of color boxes.
    I hope this helps.
    Regards,
    Juan Carlos
    N.I.
    Attachments:
    Changing_plot_color.vi (38 KB)

  • Authenticate user by LDAP server

    Environment: WLS6.0 Netscape Directory Server 4.1
    I have successfully protected a servlet and authenticated a user by "File Realm". But I can't authenticate a user by "Security Realm (LDAP)". Please tell me any configuration I missed.
    ======weblogic.xml entites========
    <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>joan</principal-name>
    <principal-name>awang</principal-name>
    </security-role-assignment>
    (the user joan is defined in "File Realm", and there is a user in LDAP: uid=awang, ou=IT, dc=CMD)
    And why can't the user "awang" access the servlet (the username field enter "awang"; the password field enter "awang123")?
    =====config.xml entities=====
    <LDAPRealm AuthProtocol="simple" Credential="awang123" GroupDN="dc=CMD" GroupIsContext="false" LDAPURL="ldap://127.0.0.1:389" Name="defaultLDAPRealmForNetscapeDirectoryServer" Principal="uid=awang, ou=IT, dc=CMD" UserAuthentication="local" UserDN="dc=CMD" UserNameAttribute="uid" />

    You can use jsp's and servlets.
    Have a .jsp (i.e. login.jsp) that has 2 fields username / password and a submit button i.e.
    <form method="post" action="/servlet/LoginServlet">
    <input type="text" size="15" name="username" value="">
    <input type="password" size="15" name="password" value="">
    <input type="submit" name="Submit" value="Authenticate">
    </form>
    In your servlet (i.e. LoginServlet) is where you retrieve the username / password by doing something like:
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
      String username = request.getParameter("username");
      String password = request.getParameter("password");
    }
    You would now do your LDAP authentication. See http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html
    Depending on whether the authentication was successful or not you would redirect the user to an error page or to the next .jsp (i.e changePassword.jsp) where they can change their password.

  • Authenticate BSP application using LDAP

    Hi,
    Thanks to Durai Raja for his earlier inputs in setting up LDAP connector in SAP. We were able to connect to our LDAP from SAP ( We use Novell eDirectory 8.5).
    I also wrote a small program as below and I am getting back results from LDAP. We want to build BSP application where users would enter LDAP User ID and password and we want to Authenticate BSP application based on this input. My questions are
    1) Is it possible to Authenticate BSP application based on LDAP user ID and password.
    2) IF so, what is the function module to use. I searched LDAP_* but did not find anything.
    3) If we authenticate using LDAP user ID and password, do we have to provide SAP User id and password in SICF and allow all users to log in using same SAP user ID and password ?
    Niranjan
    data: dns_out type table of ldap_dnii,
          ldapinfo type ldap_dnii,
          attrs_io type table of ldap_atii.
    call function 'LDAP_SIMPLEBIND'
      exporting
        serverid = 'HQLDAP'.   " Logical Server ID set in LDAP tcode
    if sy-subrc eq 0.
      call function 'LDAP_SEARCH'
        exporting
          base     = 'o=xxxxxxxx'  " Company's Base
          filter   = 'uid=xxxxxxxx'  " Novell User ID or LDAP user ID
        tables
          dns_out  = dns_out
          attrs_io = attrs_io.
      if sy-subrc eq 0.
        loop at dns_out into ldapinfo.
        endloop.
      endif.
    endif.

    Thanks Raja for your inputs. This is our requirement.
    We have about 350 SAP Users and about 700 Novell Users (computers). We want to provide Employee Personnel Information like Vacation details, Savings/Insurance details in a BSP application. But half of them cannot access it because they don't have access to SAP. We cannot give access to all of them since we have only 400 licenses. So, we were thinking to authenticate against the Novell User ID and password and show them their personnel details. We have a mapping between Novell User ID and SAP HR Empl # and so we can easily get their information. So, we want users to authenticate using the Novell User ID and password (each Novell user ID is mapped as LDAP ID) and, if it is successful, show their personnel details.
    How can we achieve this ?
    Niranjan

  • Need to know about SSO using LDAP

    Hi Everyone,
    Thank you very much to help me to come out from my all problems i faced in the past.. I really appreciate your efforts and valuable time you have given to me. and I'm sure that You all will always help all newbies and help seekers like me in future too.. Thanks for your kind efforts..
    I am very new to ADF security, I was thinking to build an Enterprise application with multiple small sub-applications using ADF in JDev... No big deal but my problem is I want to use SSO for user authentication using LDAP.. But I really have no idea where to start and how to start.. Which software do I need to download?
    For my all past problem there must be a sample example for help i found.. and learned a lot from that.. and also i tried a lot to find a little example for this as i required.. but I failed to find any example for SSO using LDAP(Like Oracle SSO)...
    So i need your guidance to get my solution...and i hope that as usual i'll get the right solution..
    Thanks
    Fizzz...

    Fizzz,
    Oracle SSO is part of Oracle Identity Management. You can find the download link [url http://www.oracle.com/technology/software/products/ias/htdocs/101310.html]here. It's "bigger than a breadbox," however - installing enough bits to get to Oracle SSO will ensue creating a new repository (aka database) together with a middle-tier app server instance for the SSO server. I'm not sure if there are any OBE's (Oracle by Example), but I do know there is an identity management forum.
    Best,
    John

  • How to Identify database sessions used by forms sso user sessions?

    Hi:
    When using forms with SSO, all database sessions are opened by the same OSUSER (usually oracle), from the same machine (usually the forms server) and by the same program (usually [email protected] [TNS V1-V3]).
    I need a way to identify the database session (v$session) that is being used by a specific SSO user. By using SSO, we say implicitly that all users using that SSO resource will be connected to the database by a specific database user.
    So, what can I do to identify the database session that a specific forms user is using ?
    Thanks
    Joao Oliveira

    You could try something like the following in a when new form instance trigger:
    declare
      authenticated_username varchar2(30);
    begin
      -- the SSO user id that Forms received from the SSO server
      authenticated_username := get_application_property('sso_userid');
      -- tag this database session so it can be found via v$session.client_info
      dbms_application_info.set_client_info(authenticated_username);
    end;
    This will store the sso userid in the client_info field of v$session.
    I hope this works for you.
    Randy McGregor

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
      if ( (type(aaa.ldap.distinguishedName) == "string") and
           (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
        return true
      end
      return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
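The DAP expression above decides access with `string.find`, i.e. a substring test on the whole DN, so any DN containing the text "OU=Users" anywhere (such as an OU named "Users-Contractors") would also pass. The example below is added here and is not code from the ASA thread: it splits the DN into its RDN components (a small RFC 4514 subset that honours backslash escapes) so the OU, or the whole container path, can be matched exactly. All DNs used are constructed.

```python
"""Matching a DN by component instead of by substring (added example).

Not code from the ASA post above; the DAP expression there uses
string.find, a plain substring test. The DNs in the tests are constructed.
"""


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, lower-casing the attribute
    and honouring backslash escapes (RFC 4514 subset: '\\,' stays a comma
    inside the value instead of ending the RDN)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def in_ou(dn: str, ou_name: str) -> bool:
    """True if some RDN of dn is exactly OU=<ou_name> (case-insensitive)."""
    return any(a == 'ou' and v.lower() == ou_name.lower() for a, v in split_dn(dn))


def is_under(dn: str, container_dn: str) -> bool:
    """True if dn sits (directly or deeper) under container_dn: the tail of
    its RDN list equals the container's RDN list, compared case-insensitively."""
    d = [(a, v.lower()) for a, v in split_dn(dn)]
    c = [(a, v.lower()) for a, v in split_dn(container_dn)]
    return len(d) > len(c) and d[-len(c):] == c


def substring_match(dn: str, needle: str) -> bool:
    """What `string.find(dn, needle) ~= nil` decides: substring presence only."""
    return needle in dn
```

`is_under` is the check to prefer when a profile should be limited to one site's container rather than to every OU that happens to be called "Users".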

  • How to increase limit of users using portal/SSO

    Hello,
    I am expanding the number of users using a portal forms application and recently started to get this error
    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    The error appears only for the pages that require SSO, no problem for the public pages. Can something be done to increase the limits for SSO connections?
    Thanks.

    Hi, can you review this link:
    http://www.oracle.com/technology/products/forms/pdf/10g/forms904capacityplanning.pdf
    Good Luck...

  • Content Engine cannot authenticate using LDAP

    Dear All,
    I have a problem with content engine 511 authenticating with an LDAP server. I am using the Lotus Notes LDAP server to authenticate with the content engine but it doesn't work. Has anyone tried it with LDAP before? Please advise. Thank you for your help.
    Regards,
    Chris

    Dear,
    I am already using the latest version of the ACNS software, 5.3. And there is an option to use LDAP authentication in the CLI and web-based management. Thank you for your help.
    Regards,
    Chris

  • Creating user in LDAP using Oracle Identity Store API

    We are trying to create users in LDAP (open LDAP) using Oracle's Fusion Middleware's Oracle Identity Service API. Here is my code snippet to create user,
              final IdentityStoreService identityStoreService = jpsContextFactory
                        .getContext().getServiceInstance(IdentityStoreService.class);
              IdentityStore idmStore = identityStoreService.getIdmStore();
              final Property statusProperty = new Property("status", Arrays.asList("active"));
              final PropertySet propertySet = new PropertySet();
              propertySet.put(statusProperty);
              idmStore.getUserManager().createUser("userid", new char[0], propertySet);
    but I am getting this error
    Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
    even though I am clearly adding the attribute as mentioned above, am I missing anything?
    Thanks for your help :)
    Full stack trace:
    Edited by: 940837 on Jun 14, 2012 5:00 PM

