Authenticating against both RDBMS and LDAP in WL6.0

Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt

We are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_uersID or int_userID.
Doing this will allow you to filter the where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hopes this helps.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
"Jonathan Thompson" <[email protected]> wrote in message
news:3accf1a3$[email protected]..
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate viaLDAP;
for external users we would like to use RDBMS. In WL5.1, this looked tobe
possible with the DelegatingRealm, however this has been removed in WL6.0.
>
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
[att1.html]

Similar Messages

Authentication against both LDAP and BI repository

I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

Hi,
why dont you create a group in ldap and add the correspondng users to that group.
You can configure the LDAP server with that group and try...
Hope it works...
Regards
Venkat

OBIEE with both SSO and LDAP

I need to be able to run OBIEE using SSO with LDAP to 'reauthenticate' the user and then provide information as to which user groups they are in.
The overall idea is that the user logs in to the 'system' as a whole and is then provided a hyperlink to OBIEE. Behind the scenes, the system login process will set a cookie holding the users name, thus allowing SSO to be used with OBIEE. When the user logs in, LDAP will then be used to determine which groups the user is a member of.
I can get SSO working (on its own) and I can get LDAP authentication working (on its own), but when I try to combine the two I just get user authentication errors.
I suspect that what is happening is that the OBIEE login process is passing the correct username to LDAP (i.e. the one from the cookie), but the IMPERSONATOR password rather than the user one (at this point OBIEE does not know the user password).
Is there any way of getting around this? as far as I can tell the LDAP authentication mechanism requires both a username and password to be passed to it, but since we are using SSO, we only have the username.
Note: is it not considered secure enough to hold the user password as a cookie or as part of a 'GO' URL, which is why we wish to use SSO.
Many thanks,
Chris

We have the init block set up to login to LDAP and authenticate the user. The ID we use is not the user account that logged in to the BI Server, but an id we have that only has the ability to read users and groups.
You probably need to also uncheck "required for authorization" in this init block, otherwise the impersonator account will not be able to authenticate.
To get our group assignment we have a PL/SQL program that uses the ldap utils to connect to the ldap server and get the group membership and return it in a "GROUP" variable (row-wise) back to the BI Server.
I'm a relative newbie to BIEE, so this may not be the best or most secure way, but it is working.

How do I configure the portal to allow both anonymous and LDAP or Membership Logins?

I want my portal's content to be publically accessable, to allow anonymous users to browse the content without the ability to modify layouts, content, etc. <br><br> But I can't figure out how to make the portal completely skip the login menu page. If I enable any modules besides the Anonymous module, I get the login menu. If I disable all modules but anonymous, I get a login module denied error message when I post to the login servlet from one of my pages.
What do I need to do? My frustration with the lack of decent documentation of most of the features of this product is growing by the second.

When opening up the administrative console
(http://localhost:8080/console?func=frameset) and looking at the source
it shows the following:
<HTML>
<HEAD>
<TITLE>iPlanet Portal Server 3.0 Administration Console</TITLE>
</HEAD>
<FRAMESET FRAMEBORDER="no" COLS="*" ROWS="110,*" BORDER=0>
<FRAME BORDER=0 SCROLLING="no" MARGINHEIGHT=10 SRC="/admin/top.html">
     <FRAMESET COLS="250,*" BORDER=0>
     <FRAME SRC="/console?func=directNav" NAME="navigatorFrame">
     <FRAME SRC="/console?func=frameAdmin" NAME="adminFrame">
     </FRAMESET>
</FRAMESET>
</HTML>
Where are the html files located that the console servlet is including?
The problem that I am encountering is this:
I need to set the "Primary Document Directory" in the iPlanet webserver
to something other than - <ipsbase>/public_html which seems to be the
default configuration. When I switched the doc root to /foo/bar/ I
noticed no problems with the portal server until I tried to enter the
admin console. My browser reported back file not found errors for each
of the frame pages that are included in the HTML snippet above. I
understand that by changing the document root that the servlet no longer
has a context of /admin/top.html but does anyone have thoughts as to
what is going on and how to resolve this?
thanks
-matt

PIX 525 aaa authentication with both tacacs and local

Hi,
I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
It works fine, now i would like to add the back up authentication, as follows:
- If the ACS goes down i can to be authenticated with the local database.
Is it possible with PIX, if yes how?

Hi,
I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
1.It dosent ask for username /password in first level.
2.on second level it asks for user name it dosent authenticate the user .
Cud u pls let me know if the following config is correct.If not cud u help me .
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authen enable console TACACS+

Two factor authentication ACS 5.x against external Radius and Active Directory

On ACS 5.x I'd like to authenticate against two external Directories
Active Directory
Black Shield Token Server (via RADIUS)
I found a description the meets mostly my requirements at
http://blog.pbmit.com/digipass2
Has somebody an Idea how this has to be implemented on Cisco ACS 5.3?
In the identity store swwquence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success)
Active Directory and Cisco ACS
This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

just following up to see if there was a solution to this. I am also interested in setting this type of scenerio out.

Homedirectory, migtrustees and ldap error

Hi,
We are starting the migration from NetWare 6.5 sp8 to OES11 sp1 and I have run into an error with the migration tool. I am doing a consolidation migration, both servers are in the same tree. In the File Services configuration there is an option for "Home Directory" that can be set to a path on the source server. The documentation is not clear on exactly how this option is used, but I figure it has to do with changing the User Object "homedirectory" attribute to the new destination server/volume/path. The problem is that during the exectution of the migration the utility "migtrustees" fails with a fatal error of "LDAPAuthError, Invalid credentials, NDS error -669".
This error (bad username/password) seems to be a bit of a red herring since I am authenticated to both source and target servers with the account for which I am attempting to test the migration.
Have I misunderstood the function of the "Home Directory" option?
If not, what might the real problem be?
Thanks,
Ron

Hi Laura,
Thanks. I'll probably do a similar thing. I tried the operation again in a new project and had the same ldap error (error 49, nds error -669) but on the MAPtrustees operation which had worked just fine previously. So I tried a third time with a different account (a full-on tree admin account) and had NO errors with ldap authentication for either the MAPtrustees or the MIGtrustees commands. However other errors occurred :
2013-09-18 16:44:27,268 ERROR - FILESYSTEM:migtrustees:Error: command LC_ALL=en_US;ldapmodify -H ldaps://206.87.24.12:636 -w "...." -D "..." -c -x -f /tmp/migdata.ldif 2>&1 2>/tmp/mig-err.txt>&1 failed, ldapmodify: modify operation type is missing at line 2, entry "....", contents of input LDIF file: dn: CN=.....
In addition to the error "modify operation type is missing at line 2" there is the problem that this error is repeated for a half-dozen-ish other accounts - but none of the accounts were selected as sources in the project.
So this Home Directory option is far too buggy to use in my particular case of doing a data migration from NetWare to OES in the same tree. Thanks again for your input and please don't spend any more time on this on my behalf since I am not going to pursue it.
Cheers,
Ron

Help with a PCR using both 401KL and 401KS

Hi,
Has anyone set up a supplemental savings plan that begins deductions when 401k limits hit either 401KL or 401KS? I have it setup using 401KS and it works great but unfortunately that scenario is only for one employee out of 48. I really need to be able to compare against both 401KS and 401KL to fully automate this. I'm new to PCR's so any advice would be greatly appreciated...
Thank you,
Stephanie

I'm sorry. Here is the query:
--Declare @EMail_Address nvarchar(100) = null
Select SVAssociationID.R_ShortValue as MATRIX_AssociationID, Matrix_Modified_DT as Matrix_LastModified
  ,RTRIM (MLS_ID) As Matrix_MLS_ID
  , ISNULL(EMail_Address, '') AS MATRIX_member_Email
  ,RTRIM (EMail_Address) as Matrix_Member_EMail
  --,RTRIM( LTRIM( ISNULL (@EMail_Address, '') ) ) as Matrix_Member_EMail
  ,Last_Name AS MATRIX_LastName, Nickname AS MATRIX_NickName
  FROM    dbo.Agent_Roster_VIEW a
        LEFT JOIN dbo.select_values_VIEW SV ON a.Status_SEARCH = SV.ID
        LEFT JOIN dbo.select_values_VIEW BillType ON a.Bill_Type_Code_SEARCH = BillType.ID
  LEFT JOIN dbo.select_values_VIEW SVAssociationID ON A.Primary_Association_SEARCH = SVAssociationID.ID
WHERE   Status_SEARCH IN (66,68)
    Order by MLS_ID
Results:
MATRIX_AssociationID
Matrix_LastModified
Matrix_MLS_ID
MATRIX_member_Email
Matrix_Member_EMail
MATRIX_LastName
MATRIX_NickName
STC
09/02/14
CCWILLI
[email protected]
[email protected]
Williams
Christine
STC
09/12/14
CCWORSL
[email protected]
[email protected]
Worsley
Charlie
STC
09/02/14
CCYROBIN
NULL
Robinson
ECBR
09/02/14
CDABLACK
[email protected]
[email protected]
Black
Dale
STC
09/02/14
CDABRADY
[email protected]
[email protected]
Brady
David
Thank you,

Cisco ACS 5.2 authentication against multiple LDAP servers

Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?

Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

User authentication against LDAP - Non-AD

Hi,
We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
ldapAuthentication.enabled = true
ldapAuthentication.tryNextProviderIfNoAuthenticated = true
ldapAuthentication.stopIfCommunicationError = true
ldapAuthentication.url=ldap\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.securityPrincipal=CN=Directory Manager
ldapAuthentication.securityCredential.encrypted=password
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
Still I am getting while I try to login to OIA as an OUD user:
WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
Please help

Hi Jcorker,
According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
If you have any feedback on our support, please click
here.
Charlie Liao
TechNet Community Support

Database Table and LDAP Authentication in the same repository?

I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-Matt

Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.

Security using both rpd users and ldap

Hi,
I need 5 dummy users in rpd. I dont want to give them adminstrator previleges because they are not allowed to see everything in my dashboards. My authentication works using an LDAP server, is there any way I can let these dummy users login along with those in the LDAP server??

I dont think it is possible to use both BI server default authentication and LDAP. You can always have multiple LDAP servers to authenticate. You can request for 5 service accounts to be created in the LDAP for OBIEE, and assign the privileges accordingly so they will see only required dashboards.
Please award points if helpful,
Thanks,
-Amith.

Weblogic Server 10.3.0 and LDAP authentication Issue

Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
     Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<url>>
<1291668685702> <BEA-000000> <     Parent: null>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Roles:Anonymous>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Direction: ONCE>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions.

XI 3.1 Client Tools and LDAP Authentication

I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos

Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2 . But during the installation, I could not choose the both SQL and windows authentication mode and an error accrued so I did that just with windows authentication mode.
Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
Following steps are the steps that I went but I got an error:
Server properties >> security >> choose the option of SQL Server and Windows Authentication mode
and the error that I got is attached(access is denied)
Can you please help me?

You can change the setting after you gain admin rights to your SQL Server. You don't admin rights automatically, you have to explicitly add yourself during the install
Here's a guide on how to (re)gain those rights:
http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

Authenticating against both RDBMS and LDAP in WL6.0

Similar Messages

Maybe you are looking for