Authenticating IMS 5.2 user passwords against another LDAP

Hi,
I am currently authenticating IMS 5.2 against IDS 5.1.
Is it possible to authenticate IMS 5.2 users' passwords against another LDAP server just for logins?
The rest of the user mail attributes would still remain on IDS 5.1 for mail delivery, etc.
What would the requirements be for the other LDAP server to return to the user in order to log in to Messenger Express/POP/IMAP/SMTP?
How would the HTTP session ID be returned to the user via the IMS?
Thank you

Thanks Jay...
I did the following:
$ ./configutil -o store.defaultmailboxquota -v 10485760
Now, I think I read somewhere you have said it is required to restart...
Would it suffice to just refresh the cache with the following command?
./imsimta restart dispatcher
Thanks as always for your support.

Similar Messages

  • OpenLdap with ldap backend... / Authentication against another ldap

    Hey everybody,
    I'm trying to set up my OD so that I can redirect the authentication of the user to a second LDAP...
    The second LDAP server is SSL secured. I had a solution under Debian, and so I'm looking for the moduleload and modulepath, or olcModuleLoad and olcModulePath, for Mac OS X 10.5.
    But I can't find a place where I can activate modules... I can't even find the modules... (In a default config file I found this):
    # Load dynamic backend modules:
    # modulepath /usr/libexec/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la
    (in /etc/openldap/slapd.conf.default)
    but the modules don't exist...
    Can anyone help me with how I can activate the LDAP backend in Mac OS X 10.5?
    My Debian config looks like this: (/etc/ldap/slapd.conf)
    moduleload back_ldap
    database ldap
    suffix MYSEARCHSUFFIX
    uri ldaps://server:port
    rebind-as-user yes
    What I mean/what I want to know is how to load the modules in OpenLDAP and where I can find them.
    I hope you can understand what I mean.... My English isn't the best
    Thanks for help
    greetings

    Sun Java System Web Server 7.0 was tested with Sun's Directory Server and MSAD. For MSAD, you need to add extra settings; refer to the blog "Using Web Server 7 with Microsoft Active Directory":
    http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
    Can you run the server with log level "finest" and check the error logs? Also see whether Web Server is trying to connect to your directory server, and try to find out what the problem is.

  • User Password as an iview parameter

    Hello,
    We want to call a WebDynpro iView directly from a URL without a previous user/password step.
    Is it possible to add the user/password to the URL directly as a parameter? How?
    Is it possible for the iView to obtain the user/password from another system?
    Thanks in advance,

    I have decided to define an individual iView as anonymous content:
    1. I have set the value of the iView parameter Authentication Scheme to anonymous.
    2. I have ensured that anonymous users have end-user permissions for the iView (Display Permissions in the iView).
    After that, I call the iView, changing special characters in the URL such as colon (:) or slash (/) to URL escape codes.
    BUT the logon screen appears...
    Did I skip any configuration step?
    Best,
    Marta.
    Edited by: Marta Sánchez on Oct 31, 2008 11:22 AM

  • [nQSError: 43126]Authentication failed:invalid user/password, how to avoid?

    Hi,
    I encountered the following error: [nQSError: 43126] Authentication failed: invalid user/password.
    when I was starting the WebLogic server, and the server used to shut down.
    After snooping around on the net, I came across this blog: http://obiee11gqna.blogspot.com/2011/09/obiee-11g-errors-nqserror-43113.html
    I found that the passwords for MDS & BIPLATFORM were 'expired'; I was able to solve my problem and my Presentation Services were up & running.
    My question is, how do I avoid the MDS & BIPLATFORM passwords getting expired in future??
    Regards,
    Jitendra

    Dpka,
    Thanx for the link; it shows the way to avoid expiry of the password.
    I also found another link in the comment section which is equally useful: http://www.artofbi.com/index.php/2011/03/mds-or-biplatform-schema-password-change-considerations/
    PS: Thanx to Deva as well for replying to my query.
    Regards,
    Jitendra

  • Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

    Dear all,
    I am looking to set up the use of Active Directory userid/password authentication instead of the SAP R/3 user/password for digital signature. We SSO to the backend ABAP AS via an SAP NW Portal on which SPNEGO Kerberos authentication is set up. Today we specify an R/3 user id/password to digitally approve a lot release. The idea is to have users maintain one AD password and not have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.
    I know there are 3 options for digital signature:
    System signature with authorization by user ID and password (we use this currently)
    Digital user signature with verification (we would like to use this with AD userid/password, so the system still asks the users for their AD userid/password for authentication when they try to "sign" a document)
    User signature without verification
    Do you think there is a way to configure the system in order to ask for and check the Active Directory userid/password instead of the SAP R/3 password? Where can I find documentation about it?
    I have several different versions of AS ABAP, from NW 7.02 to NW 7.31.
    My Active Directory is based on Windows 2008.
    Thanks in advance!!
    Dhee

    Actually, enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics, although the latter exists because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication, but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi-solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros, meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client, which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web-enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP, which would then validate it. All the required pieces are there since SAP now has Kerberos support in both stacks of the NetWeaver Application Server; some bits are still missing though, which leaves customers looking at 3rd-party or custom solutions.

  • Authentication failed: invalid user/password.

    After uploading a new RPD in OBIEE (11.1.1.5), my OBIEE has started failing with the following error in nqserver.log. I have verified that the BISystemUser password is the same in the console and EM. I have also verified that I am entering the correct RPD password while uploading it through EM. What else may be wrong?
    [2011-08-23T03:52:39.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b38396d0] [36007] Loading repository /product/obiee_11.1.1.5/instances/instance1/bifoundation/OracleBIServerComponent/coreapplication_obis1/repository/iipreports_BI0038.rpd.
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b0923b90] [14055] Loading subject area: AIP ...
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b0923b90] [14056] Finished loading subject area: AIP.
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b38396d0] [85003] MDX Member Name Cache subsystem started successfully.
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b38396d0] [85004] MDX Member Name Cache subsystem recovered entries: 0, size: 0 bytes.
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b38396d0] [13026] Error in getting roles from BI Security Service: 'Error Message From BI Security Service: [nQSError: 46164] HTTP Server returned 404 (Not Found) for URL .'
    [2011-08-23T03:52:40.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b38396d0] nqsserver:     Clustered Oracle BI Server started. Version: 11.1.1.5.0.110427.0846.000.
    [2011-08-23T03:52:44.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004emGWVmAQAtHd5Tf^Ayc0000K2000000] [tid: b0923b90] [43071] A connection with Cluster Controller xxx.us.oracle.com:9706 was established.
    [2011-08-23T03:52:46.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004emGWtbaWAtHd5Tf^Ayc0000K3000001] [tid: b00beb90] Error Message From BI Security Service: [nQSError: 46164] HTTP Server returned 404 (Not Found) for URL .
    [2011-08-23T03:52:46.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004emGWtbaWAtHd5Tf^Ayc0000K3000001] [tid: b00beb90] [nQSError: 43126] Authentication failed: invalid user/password.
    If I run opmnctl status, then BIServer is up but Presentation Services are down.
    The following error is observed in sawlog0.log:
    [2011-08-22T22:52:46.000-05:00] [OBIPS] [ERROR:10] [] [saw.security.odbcuserpopulationimpl.initialize] [ecid: ] [tid: ] Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43113] Message returned from OBIS.
    [nQSError: 43126] Authentication failed: invalid user/password. (08004)[[
    File:odbcuserpoploaderimpl.cpp
    Line:292
    Location:
         saw.security.odbcuserpopulationimpl.initialize
         saw.catalog.local.loadCatalog
         saw.subsystems.catalogbootstrapper.loadcatalog
         saw.webextensionbase.init
         saw.sawserver
    ecid:
    [2011-08-22T22:52:46.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.sawserver] [ecid: ] [tid: ] Oracle BI Presentation Services are shutting down.[[
    File:sawserver.cpp
    Line:712
    Location:
         saw.sawserver
    ecid:

    Hi,
    I have upgraded an existing OBIEE 10G file EBSAnalyticMaster.rpd to 11G using ua (upgrade assistant) and am getting the same error while upgrading the catalog.
    Presentation Services are not starting. Do you have a solution yet?

  • SOAP Header based user/password authentication in OSB 11g Proxy Service

    Hi,
    I have implemented SOAP Header based authentication in my OSB 11g Proxy Service.
    In the Security settings of my AnySOAP (SOAP 1.1) HTTP Proxy service, I have made the following changes:
    1.
    In the Transport Access Control link, I selected the User predicate and provided a user already existing on the WebLogic server with the following roles (AppTesters, Monitors, Operators).
    The AuthorizationProvider was XACMLAuthorizer.
    2.
    Under Custom Authentication, I selected the Custom User Name and Password option and provided the below-mentioned XPaths:
    User Name XPath: ./*/*:Username/text()
    User Password XPath: ./*/*:Password/text()
    3.
    In the Message Access Control link, I selected the User predicate with the same user as mentioned in the Transport Access Control link.
    Now, when I am testing this service from the OSB Test Console, I am providing the following input:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:N1="http://abcd.com/common/bodcomponents/transactional/model/1.0/">
    <soap:Header>
    <AuthHeader>
    <N1:Username>userXYZ</N1:Username>
    <N1:Password>passXYZ</N1:Password>
    </AuthHeader>
    </soap:Header>
    <soap:Body>
    <!-- body payload -->
    </soap:Body>
    </soap:Envelope>
    The response is "The invocation resulted in an error: ."
    The OSB server logs show the below error:
    ####<Feb 9, 2011 6:05:42 PM IST> <Error> <OSB Security> <test.abcd.co.in> <osb_server1> <[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <5a5769b8025ef997:-2bda316:12def49100a:-7fff-0000000000000c92> <1297254942782> <BEA-387082> <Proxy service access denied (proxy: ABCD/Services/Common_HTTP_Proxy, subject: Subject: 0
    )>
    ####<Feb 9, 2011 6:05:42 PM IST> <Error> <OSB Kernel> <test.abcd.co.in> <osb_server1> <[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <5a5769b8025ef997:-2bda316:12def49100a:-7fff-0000000000000c92> <1297254942782> <BEA-382004> <Failed to process request message for service ProxyService ABCD/Services/Common_HTTP_Proxy: com.bea.wli.sb.security.AccessNotAllowedException
    com.bea.wli.sb.security.AccessNotAllowedException
         at com.bea.wli.sb.pipeline.RouterSecurity.doAccessControl(RouterSecurity.java:136)
         at com.bea.wli.sb.pipeline.RouterSecurity.doAccessControl(RouterSecurity.java:117)
         at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:586)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:329)
         at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:76)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:134)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:132)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
         at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:137)
         at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
         at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
         at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(TestService_sqr59p_EOImpl.java:353)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
         at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
         at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Please suggest where I am going wrong in this. I have cross-checked the user/pass credentials with what I am giving in the input, and they are perfectly fine.

    I have added the Username and Password as follows, since the namespace declaration was required due to the namespace prefix 'N1' in the XPath:
    declare namespace N1="http://abcd.com/common/bodcomponents/transactional/model/1.0/";./AuthHeader/N1:Username/text()
    declare namespace N1="http://abcdp.com/common/bodcomponents/transactional/model/1.0/";./AuthHeader/N1:Password/text()
    I have removed the Message Access Control conditions and have only kept the Transport Access Control conditions.
    If I keep the condition in Transport Access Control as "Allow access to everyone", and test with proper credentials in the Username/Password tags in the SOAP Header, then it works fine. However, if I try to give an incorrect password in the SOAP Header, it denies access. So that means the XPaths given for Username/Password are working fine. The OSB logs show the below message:
    ####<Feb 10, 2011 12:59:21 PM IST> <Error> <OSB Security> <test.abcd.co.in> <osb_server1> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <5a5769b8025ef997:-2bda316:12def49100a:-7fff-0000000000000ef2> <1297322961536> <BEA-386008> <Message level username/password authentication failed: [Security:090304]Authentication Failed: User weblogic javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User weblogic denied>
    However, if I add the condition with predicate "User" and user name argument "weblogic", and pass the same in the SOAP Header as well with the correct password, it denies access with the below message in the logs:
    ####<Feb 9, 2011 6:05:42 PM IST> <Error> <OSB Security> <test.abcd.co.in> <osb_server1> <[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <5a5769b8025ef997:-2bda316:12def49100a:-7fff-0000000000000c92> <1297254942782> <BEA-387082> <Proxy service access denied (proxy: ABCD/Services/Common_HTTP_Proxy, subject: Subject: 0
    )>
    ####<Feb 9, 2011 6:05:42 PM IST> <Error> <OSB Kernel> <test.abcd.co.in> <osb_server1> <[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <5a5769b8025ef997:-2bda316:12def49100a:-7fff-0000000000000c92> <1297254942782> <BEA-382004> <Failed to process request message for service ProxyService ABCD/Services/Common_HTTP_Proxy: com.bea.wli.sb.security.AccessNotAllowedException
    com.bea.wli.sb.security.AccessNotAllowedException
    at com.bea.wli.sb.pipeline.RouterSecurity.doAccessControl(RouterSecurity.java:136)
    at com.bea.wli.sb.pipeline.RouterSecurity.doAccessControl(RouterSecurity.java:117)
    at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:586)
    at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:329)
    at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:76)
    at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:134)
    at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:132)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
    at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
    at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:137)
    at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
    at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
    at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
    at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(TestService_sqr59p_EOImpl.java:353)
    at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
    at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
    at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

  • User Password vs. Certificate based authentication

    We have used the iPhone since day one and grown from 20 to 400 users over the years. Now manageability is an issue and certificate based authentication is about to be replaced with user password only. Critics deny cutting some slack because of possible man in the middle attack scenarios. Is it true that the user password can be exposed between the device and the Exchange server? Is it possible to read the user/password using a man in the middle attack?

  • Can I use LDAP server's authentication mechanism rather than comparing password ?

    Hi All,
    The WebLogic security and admin guide says that the user authentication can be of the following 3 types:
    1. Bind specifies that the LDAP security realm retrieves user data, including the password for the LDAP server, and checks the password in WebLogic Server.
    2. External specifies that the LDAP security realm authenticates a User by attempting to bind to the LDAP server with the username and password supplied by the WebLogic Server client. If you choose the External setting, you must also use the SSL protocol.
    3. Local specifies that the LDAP security realm authenticates a User by looking up the UserPassword property in the LDAP directory and checking it against the passwords in WebLogic Server.
    But say I want my users to be authenticated by the LDAP server rather than picking up the password from LDAP and comparing it at the WebLogic end. Then what should I do?
    Because no. 2 is applicable only for SSL certificates; no. 1 and no. 3 pick up the password using the login DN and password provided at the time of configuration of the realm and compare it with the password given by the user.
    And once again there are some issues with picking up the password and comparing it:
    1. Netscape Directory Server can store the password in one-way hashed form (and that is preferred, too). So when the userPassword attribute is read, it's in one-way hashed form. So how will the comparison go on?
    2. Creating a user who has access to user data along with the userPassword attribute is itself a security threat, as if someone can crack that user's DN and password then he/she can do anything, as user data can be read.
    Any suggestion is welcome.
    TIA,
    Sudarson

    Thanks a lot Jerry.
    I got this stuff from the WebLogic 6.1 doc set, security.pdf and adminguide.pdf.
    I have another question: if that is the case (in the case of BIND), then why do we require the DN and password of a user who has access to read the entire directory?
    And at the same time, you specified this for Bind; what are the cases for the other two, Local and External? And then what is actually the difference between Bind and Local?
    Please help me.
    Thanks,
    Sudarson
    Jerry <[email protected]> wrote:
    Hi Sudarson,
    Whatever doc you were reading is at least partially incorrect, unfortunately...
    I know for sure that when you specify BIND, WebLogic sends the username/password to your LDAP server in an attempt to bind to it.
    If the bind is successful, WLS determines that the username/password pair were correct.
    If the bind was unsuccessful, WLS determines that the username/password pairing is not valid.
    At all times, WebLogic is letting the LDAP server do the actual compare of username/password. WLS does not, at any time, retrieve a password from the LDAP server.
    I hope this helps,
    Joe Jerry

  • Sychronisation AD - OID: Is it possible to read the user password from AD?

    Hi.
    We are using the Oracle Internet Directory shipped with the Oracle 9i Database Rel. 2 (9.2.0.1).
    I am trying to synchronise the user accounts from AD to OID using Java JNDI. I'm able to read all necessary user information except the user password (MD5 value). Even if I connect to the AD using SSL, it's not possible to read the attribute userPassword.
    Is there anybody out there who got this to work or knows a way (maybe also by the use of another programming language or tool) to get the user password out of AD? Is this possible? How do the Oracle Integration Agents accomplish this?
    Thanks in advance.
    Hermann S.

    Hermann,
    I am working with this as well, though from AS10g, not RDBMS. According to the OID Administrator Guide chapter 43, page 43-52:
    <snip>
    Synchronizing passwords from Microsoft Active Directory to Oracle Internet Directory is not possible in the Oracle Application Server 10g release because passwords in Microsoft Active Directory are not accessible by LDAP clients. However, if a deployment requires passwords to be available in Oracle Internet Directory, then the following two methods are recommended:
    Build a custom plug-in for Microsoft Active Directory that captures a password change and synchronizes it with Oracle Internet Directory
    Manage Active Directory passwords from the Oracle environment. This enables passwords to be available in both Oracle Internet Directory and Microsoft Active Directory because the Active Directory connector can synchronize passwords from Oracle Internet Directory to Microsoft Active Directory.
    </snip>
    AS10g can, however, look up the password in AD using the "Active Directory External Authentication Plug-In". This is documented in the same chapter.
    Hope this helps,
    Jens

  • J_security_check in form-based authentication - not checking for blank passwords

    I am using the LDAP Security Realm to authenticate against an iPlanet Directory Server. All works as expected when a user-id and password are entered for form-based authentication.
    However, when a userid is entered but no password, j_security_check logs the user in successfully. Apparently, this is correct LDAP behaviour as anonymous login to the LDAP server is permitted. It seems that the j_security_check servlet should check for blank passwords before trying to authenticate against the LDAP server and fail authentication if this is the case.
    Has anyone else experienced this problem?

    Hi Brian,
    I do not believe it is j_security_check's job to check for blank passwords.
    In many security realms, it is "legal" for a user to have a blank password. j_security_check forwards whatever password was entered so that even users with blank passwords can be authenticated by the realm on the backend. For this reason I believe that j_security_check is "doing the right thing" by just forwarding whatever is presented to it, rather than having its own logic. It is best if j_security_check just acts as a very dumb middle man.
    If behavior was altered, it is true that your particular problem would be solved, but then many other people would have a problem with their users with blank passwords authenticating properly...
    Try looking into how to disable anonymous logins on the LDAP end of things. Hope this helps.
    Cheers,
    Joe Jerry
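Both Joe Jerry's description of BIND (the directory, not WebLogic, compares the password) and the blank-password hole Brian hit come down to what a simple bind actually puts on the wire. As an added example, not code from this thread or from WebLogic, the Python below BER-encodes the LDAP BindRequest (RFC 4511), classifies the (name, password) pair the way RFC 4513 does, and only forwards a genuine name/password bind to the server; `demo_server`, `DEMO_DIRECTORY` and the DN `cn=brian,dc=example,dc=com` are constructed stand-ins, not a real directory.

```python
# Simple bind (RFC 4511 s4.2): a DN with an empty password is an "unauthenticated"
# bind (RFC 4513 s5.1.2). A server that permits it answers success without checking
# anything, so a client that forwards whatever the login form sent lets any userid in.
LDAP_VERSION = 3
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], primitive
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49

def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                       # long form: (first & 0x7F) length bytes follow
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def classify_bind(dn: str, password: str) -> str:
    """The bind class RFC 4513 s5.1 assigns to a (name, password) pair."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "name/password"

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    bind = (ber_integer(LDAP_VERSION)
            + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, bind))

def bind_result_code(response: bytes) -> int:
    """resultCode of LDAPMessage { messageID, BindResponse { resultCode, ... } }."""
    tag, msg, _ = read_tlv(response)
    _, _, pos = read_tlv(msg)               # skip messageID
    tag_op, body, _ = read_tlv(msg, pos)
    tag_rc, code, _ = read_tlv(body)
    if (tag, tag_op, tag_rc) != (TAG_SEQUENCE, TAG_BIND_RESPONSE, TAG_ENUMERATED):
        raise ValueError("not a BindResponse")
    return int.from_bytes(code, "big")

def authenticate(dn: str, password: str, send) -> bool:
    """Bind-based check: the directory compares the password (the BIND realm
    behaviour described above), but only a real name/password bind is ever sent.
    `send` delivers one LDAPMessage and returns the server's reply bytes."""
    if classify_bind(dn, password) != "name/password":
        return False                        # never let the server decide this case
    return bind_result_code(send(build_simple_bind(1, dn, password))) == RESULT_SUCCESS

# Constructed stand-in for a directory with unauthenticated binds enabled (the
# behaviour reported above); not a real server. The sample entry is constructed too.
DEMO_DIRECTORY = {"cn=brian,dc=example,dc=com": "secret"}

def parse_simple_bind(request: bytes) -> tuple:
    """Inverse of build_simple_bind: (messageID, name, simple password)."""
    _, msg, _ = read_tlv(request)
    _, mid, pos = read_tlv(msg)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind)              # skip version
    _, name, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    return int.from_bytes(mid, "big"), name.decode("utf-8"), cred.decode("utf-8")

def demo_server(request: bytes) -> bytes:
    """Empty password: success as anonymous (RFC 4513 s5.1.2); otherwise compare."""
    message_id, dn, password = parse_simple_bind(request)
    if password == "" or DEMO_DIRECTORY.get(dn) == password:
        code = RESULT_SUCCESS
    else:
        code = RESULT_INVALID_CREDENTIALS
    body = (tlv(TAG_ENUMERATED, bytes([code]))
            + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, b""))  # matchedDN, diagnosticMessage
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_RESPONSE, body))
```

Against `demo_server`, a blank password gets resultCode 0 from the server itself, which is exactly the success Brian saw; `authenticate` refuses it before the request is ever built.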

  • User Password Not Replicated during ACS Replication

    I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate the user and group database to another ACS. The replication interval is set to 15 mins.
    The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if users' passwords change, they are not replicated to the other ACS, and in case the authentication request goes to the other ACS then it fails. Manual replication is fine.
    How can I make sure replication runs in the case of a user password change, and not just when a user is added or removed?

    Hi,
    What is the ACS version? Where are the user accounts you are referring to stored? I.e., are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
    Users defined via Active Directory are dynamically mapped to a user account in ACS, and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.
    Regards,
    Jagdeep

  • Mod_ntlm/AD/LDAP How is the users password recovered and used.

    I have an application that currently uses LDAP authentication and authorisation based on a username and password derived from the page 101 login screen. I am trying to convert it to an SSO solution using mod_ntlm to authenticate the user's Windows login against Active Directory. I authenticate fine with a standard mod_ntlm page sentry letting me access the application, and I can use owa_util.get_cgi_env('remote_user') to get the username. What I haven't established is how to retrieve the user's password to pass as a parameter into the existing LDAP authorisation functions.
    I've based a lot of the groundwork on the following article:
    http://withasmiletomeltathousandhearts.wordpress.com/2009/01/29/apex-windows-integrated-authentication/
    However, this relies on a pre-stored LDAP_user and LDAP_Passwrd to retrieve data from AD. Rather than doing that, I am trying to use the currently logged-on user, whose login name I can retrieve, but I have not found a way to retrieve and use their password.
    What am I missing?
    Thanks in advance
    FunkyMonky

    My question is regarding how to use LDAP to retrieve the user's AD group information. mod_ntlm has successfully authenticated the Windows user to get into the application without having to log in. I now want to implement the application's functionality based on that user's Active Directory groups. Prior to the NTLM solution this was done using LDAP for the authorisation, and the credentials were available from the user manually logging on.
    The LDAP group-determining method I referred to in my original post relies on a stored user to access the LDAP information rather than the actual logged-in user, as we had originally done it. Is this the only way we can implement our group-based authorisation requirement?
    Cheers
    FunkyMonkey

  • Procedure/package to change user password through plsql gateway

    I'm not sure if this is the right place to ask, but I don't know anywhere better.
    I'm using Oracle 817 with the bundled Apache. I use the PL/SQL gateway (mod_plsql). I want to create a page for users to change their password; however, I don't know how to verify the existing password of the user before changing it to a new password. Also, how can I change the password? Is there a standard procedure to do that?
    One more question: when I key in the following:
    http://myhost/pls/my_dad/my_schema.my_procedure
    the web server returns a page with lots of CGI environment variables (assuming my_procedure doesn't exist). How can I customise this page?
    thx.

    To ensure the security of the Oracle database system and prevent unauthorized access to the Oracle database, it's important for Oracle users not only to use strong and long Oracle passwords to avoid brute-force or dictionary attacks, but also to change the Oracle user password regularly. Oracle users also have to change the password when it has expired or is going to expire, if the database system administrator implements and enforces strict password control with the PASSWORD_LIFE_TIME option for user profiles, which limits the number of days the password can be used for authentication to log in to the system.
    To change the Oracle password, users can use SQL*Plus or an Oracle SQL and PL/SQL language interface administration tool such as Toad for Oracle. No matter which SQL app you use, the commands and SQL query language used to change the password are similar.
    There are two SQL command syntaxes that can be used to change an Oracle database user password:
    ALTER USER user_name IDENTIFIED BY new_password;
    or (from Oracle8 and above):
    PASSWORD
    For the above SQL query, if you need to change another user's password, use the following command:
    PASSWORD user_name
    For the PASSWORD command, after you press Enter, you will be prompted to input the old password and new password interactively. For example:
    SQL> password
    Changing password for DAVID
    Old password:
    New password:
    Retype new password:
    Note: You need to have enough privileges to change another Oracle user's password.
    As the variables' names imply, user_name is the user whose password is to be changed, and new_password is the new password to assign.
    As the ALTER USER SQL syntax will send the new password to the Oracle database server unencrypted if used without the Advanced Security Option, and thus exposes it to security risk, Oracle users should always use the PASSWORD command to change the Oracle user password.

  • How to change Analyzer user password with Administration API?

    Hi,
    I would like to change an Analyzer user password with the Administration API. Can someone post some sample commands to do the task?
    I would just like to write an application to change an end user's Analyzer password.
    As I see it, I would need to do the following:
    1. log in with admin userid/password
    2. execute some method to change the password for the required userid. I think the input parameters should be the userid (of the user whose password I would like to change) and the new password (the new password for the user).
    3. log out
    Can someone post some sample code (commands to execute)?
    Thanks,
    grofaty
    My system:
    Analyzer Server 7.0.1.
    Essbase server 7.1
    Windows XP SP2

    quote: Originally posted by: knightrich
    Hello Mr. Jordan.
    I would like to exchange some thoughts about "housekeeping" Analyzer reports in preparation for migration from Analyzer 7.0.0.0.01472 to 9.x:
    ...
    Did you solve such a problem, or do you have an idea whether it could be solved with the Admin API methods?
    ...
    Migration from 7.00 to 9.x: As we heard last week, the "Migration Wizard for Reports" in 9.3 should be able to migrate reports. Do you have experience with or more detailed information about that Wizard?
    Many thanks in advance
    knightrich
    (end quote)

    knightrich,
    I'd like to be more help, but I have no experience with System 9. I did substantial cleanup when we migrated from Analyzer 6 to Analyzer 7.1, and even more cleanup when moving up to 7.2, but our installation is smaller in scale than yours and we didn't need to automate report cleanup.
    You might be able to get the ownership information you need through the back door, doing a direct query on the database, but simpler might be an export of users, at least from 7.0. (This facility probably doesn't exist in System 9; it was dropped in 7.2 in favor of an undocumented API.) The export file is an XML file that could easily be parsed to identify reports that have the administrator as user, and then a second pass to delete those with other ownership as well. As previously suggested, you might be able to get this by a well-crafted SQL query against the repository.
    Procedurally, we have both public reports that have the blessing of management and are widely available, owned by a "public owner", and private reports developed by individual users and shared or not. Our team maintains the public reports, but not the private reports. We may be asked to make a previously private report public and take over maintenance of it.
    I hope that you can find a solution that meets your needs. Certainly a call to customer support to identify a poorly documented feature would be in order.
