Authenticating R/3 users using LDAP

Hi,
We are trying to authenticate SAP R/3 users using an already built Microsoft ADS.
We have looked into configuration using trx. LDAP.
But seems like this only helps to synchronize user data between the LDAP and the R/3 system.
We are more looking for the authentication itself being handled by the ADS system.
We do not want to go through the portal for authenticating these users.
Is it possible to do this?

Of course, Single Sign-On implies that you are using a portal, or a cunningly-configured BSP. NTLM is only an option if using a Windows-based IIS as a proxy to your Unix box. Otherwise, you need to use the SPNEGO login module, which is not on general release (it is available on a consulting basis only - see Michael Sambeth at SAP).
Until SAP use UME within the ABAP core, I don't see an elegant solution to this.
- Darren

Similar Messages

  • Authenticate partial SSO users using LDAP

    Hi all,
    Is it possible to authenticate a group of the Portal users using an LDAP server, i.e. not to authenticate all the users using the LDAP server? I want to do this because we have a large number of customers (over 100,000) which are already defined in the LDAP server and I do not want to re-create them in the Portal login server; I also have many Portal users defined normally using the Portal "Add User". And if there is no such option, then is it smooth to move from database authentication to LDAP server authentication (a reference for the steps is appreciated)? We are using iPlanet LDAP server, which is LDAP v3 compliant.
    Best to all

    Of course, Single Sign-On implies that you are using a portal, or a cunningly-configured BSP. NTLM is only an option if using a Windows-based IIS as a proxy to your Unix box. Otherwise, you need to use the SPNEGO login module, which is not on general release (it is available on a consulting basis only - see Michael Sambeth at SAP).
    Until SAP use UME within the ABAP core, I don't see an elegant solution to this.
    - Darren

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
    This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • Authentication of XI users using Webdynpro

    Hi,
    Here is a scenario that I am dealing with currently. Appreciate any help.
    There is a XI system which contains some data in the form of customer tables.
    A webdynpro for Java application needs to be built which gets the data from XI and displays it in the browser. This webdynpro application is to run on WAS6.40 of the XI system.
    All the users of the system would be created using the user management function of the XI.
    Now the issue is:
    How to authenticate the users created in XI from the system developed in webdynpro.
    Please remember that there is no EP here. Only an XI system and a webdynpro application.
    regards,
    Bhupesh

    Bhupesh,
    if you set this parameter to true, the Standard-Netweaver Logon-Screen appears before your application, if the user wasn't authenticated yet against the UME of the WAS. After positive authentication, you'll be redirected to your application (and you can e.g. use the IUSER-Interface within your application to get the Username like this):
    IWDClientUser user;
    try {
        user = WDClientUser.getCurrentUser();
        String authenticated_User = user.getSAPUser().getUniqueName().toUpperCase();
    } catch (WDUMException e) {
        // getCurrentUser() failed: no authenticated UME user for this request
        throw new RuntimeException(e);
    }
    I'm not quite sure, why you still want to send the user/pw to the XI. I understood your application and the XI are running on the same WAS...
    You are able to change the Standard-Logon-Screen (http://help.sap.com/saphelp_nw2004s/helpdata/en/23/c0e240beb0702ae10000000a155106/frameset.htm)
    kr, achim

  • Wireless controller lobby user and LDAP

    Hi team,
    I want to ask you is there any possible way to authenticate lobby ambassador users using LDAP? Our client wants to give lobby ambassador privileges to users in Microsoft Active Directory, so they will be able to create guest users! Do you know if it is possible?
    Kind regards,
    Dimitar Katrandzhiev

    should be I use that with my NCS but for the WLCs I saw a solution..hope that is also one for you..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml

  • Filtering Groups on Windows Active Directory using LDAP Authentication

    Hi All,
    I have a small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB [code below].
    This module was developed and tested on weblogic 8.1 [on windows] and works fine.
    Now the same is moved to another environment - Websphere on Linux Suse. The code fails to retrieve any value from the Windows AD.
    Please note no exception is also thrown.
    // needs java.util.Hashtable, javax.naming.* and javax.naming.directory.*
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
    // set security credentials, note using simple cleartext authentication
    env.put(Context.SECURITY_AUTHENTICATION, authentication);
    env.put(Context.SECURITY_PRINCIPAL, adminName);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    // connect to my domain controller
    env.put(Context.PROVIDER_URL, domainController);
    // Create the initial directory context
    try {
        dirCtx = new InitialDirContext(env);
        // Create the search controls
        SearchControls searchCtls = new SearchControls();
        // Specify the attributes to return
        String returnedAtts[] = {"member"};
        searchCtls.setReturningAttributes(returnedAtts);
        // Specify the search scope
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        int totalResults = 0;
        int iteration = 0;
        // Search for objects using the filter, on the context created above
        NamingEnumeration results = dirCtx.search(searchBase, searchFilter, searchCtls);
    } catch (NamingException e) {
        // Surface bind and search failures instead of returning silently
        e.printStackTrace();
    }
    In the above code the method exits even before the try block [I could detect this using Sysout's]
    Below is the property file from which the values are read.
    admin=username
    password=password
    #AD search attributes
    searchBase=DC=domainname,DC=domainname
    searchFilter=(&(objectClass=group) (CN=value*))
    #JNDI context attributes
    ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
    authentication=simple
    domainController=ldap://address
    groupPattern=pattern
    Please assist,
    Thanks in Advance

    Assuming it is the same Active Directory environment and only your Java platform has changed, then I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password?). By default, Windows Server 2003 domains do not return any results to anonymous users.

  • Shared Services External Authentication using LDAP in 9.3.1

    Hi,
    I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
    Questions:
    1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
    2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
    If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
    Any feedback would be much appreciated.
    Thanks,
    Lian

    Hi,
    Yes you can use both Native and external authentication. When you add the external provider the native is left by default anyway.
    Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
    Gee

  • LDAP Authentication Listing the users

    Hi,
    I am new to OBIEE. I have LDAP authentication added to my repository. Please let me know how I can get the list of users in LDAP on to my OBIEE Presentation Catalog and Users so that I can classify them into various groups and add security feature.

    If your user groups are held in LDAP you can pull them in as part of the authentication block by mapping the attribute to the GROUP variable.
    Basic principle of using those groups and how the RPD interacts with presentation catalogue is explained well here :
    http://obieeblog.wordpress.com/category/obiee/obiee-security/

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authentication users (AnyConnect).
    Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
    I do not want direct connect with the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think, I must use username like "DOMAINB\userindomainb" but this not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Authentication of portal users with uid on oid/ldap

    All works fine with authenticating users created on DAS that have
    dn: cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com
    When I migrated user to portal schema, the auth fails. The portal schema has user dn string
    uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com
    I got this dn string from export to ldif file. The portal user can log in to DAS.
    We are using HTMLdb 1.6 and I used
    LDAP Host[LDAP Test Tool] at /htmldb/f?p=4000:802 to test the parameters.
    How to make this uid dn work with AppEx?
    Thanks.

    Kenny,
    I would forget about using the is_member function for authentication until you achieve what you need directly with dbms_ldap. You can experiment with an anonymous block in SQL*Plus starting with this sample code until you can get the simple_bind_s to work with your parameters:
    set serveroutput on
    declare
        l_retval      pls_integer;
        l_retval2     pls_integer;
        l_session     dbms_ldap.session;
        l_ldap_host   varchar2(256);
        l_ldap_port   varchar2(256);
        l_ldap_user   varchar2(256) := 'FIRSTNAME_LASTNAME'; -- enter username in this format
        l_ldap_passwd varchar2(256) := 'PASSWORD';           -- enter password
        l_ldap_base   varchar2(256);
    begin
        l_retval                := -1;
        dbms_ldap.use_exception := TRUE;
        l_ldap_host             := 'ldap-host.some-domain.com';
        l_ldap_port             := '389';
        l_ldap_user             := 'cn='||l_ldap_user||',l=amer,dc=oracle,dc=com';
        l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
        l_retval  := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
        dbms_output.put_line( 'Return value: ' || l_retval );
        l_retval2 := dbms_ldap.unbind_s( l_session );
    exception
        when others then
            dbms_output.put_line (rpad('ldap session ',25,' ') || ': ' ||
                rawtohex(substr(l_session,1,8)) || '(returned from init)');
            dbms_output.put_line( 'error: ' || sqlerrm||' '||sqlcode );
            dbms_output.put_line( 'user: ' || l_ldap_user );
            dbms_output.put_line( 'host: ' || l_ldap_host );
            dbms_output.put_line( 'port: ' || l_ldap_port );
            l_retval := dbms_ldap.unbind_s( l_session );
    end;
    /
    Scott

  • Deploy authenticate VPN using LDAP AD (with user group)

    Hi,
    I'm stuck on the configuration of an LDAP server to authenticate VPN users using a group in the Windows Domain. I would like to create a group like "vpn-group" in the Domain. If someone wants to use the VPN, I just have to add that user to the group "vpn-group" and then they can connect to the company.
    Here is my configuration
    aaa new-model
    aaa authentication login userauthen local group ldap
    aaa authorization network groupauthor local
    ldap attribute-map map1
     map type sAMAccountName username
    ldap server server1
     ipv4 192.168.0.5
     attribute map map1
     bind authenticate root-dn cn=administrator,cn=users,dc=test,dc=local password 7 0235114B0E144E621518
     base-dn cn=vpn-group,cn=users,dc=test,dc=local
    Please advise me.

    I got it working by including the AD security group in the search-filter
    search-filter user-object-type User)(memberOf=CN=vpn-group,OU=Security groups,OU=company,DC=test,DC=local
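
Added example (Python, not part of the original replies): a standalone LDAP filter of the shape the reply arrives at, a user object restricted by `memberOf`, built with RFC 4515 escaping and checked with a small parser. The function names, the user name `jdoe` and the second group DN are constructed; the `nested` option uses Active Directory's in-chain matching rule and goes beyond what the thread covers.

```python
NESTED_RULE = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN (nested groups)


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: backslash, *, (, ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def vpn_user_filter(username, group_dn, nested=False):
    """Build (&(objectClass=user)(sAMAccountName=...)(memberOf=...)) from escaped values."""
    attr = "memberOf:%s:" % NESTED_RULE if nested else "memberOf"
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))


def parse_filter(text, pos=0):
    """Parse the subset used here (&, | and simple items); returns (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, children), pos + 1
    end = text.find(")", pos)
    item = text[pos:end] if end != -1 else ""
    # A raw '(' inside an item means a value was concatenated without escaping.
    if end == -1 or "(" in item or "=" not in item:
        raise ValueError("malformed item at offset %d" % pos)
    return item, end + 1


def components(text):
    """Return the items of a single top-level AND filter; reject anything else."""
    node, end = parse_filter(text)
    if end != len(text) or not isinstance(node, tuple) or node[0] != "&":
        raise ValueError("not a single AND filter")
    return node[1]


# Group DN as given in the reply; the second DN is a constructed sample
# whose CN legitimately contains parentheses.
GROUP_DN = "CN=vpn-group,OU=Security groups,OU=company,DC=test,DC=local"
ODD_GROUP_DN = "CN=vpn-group (contractors),OU=Security groups,DC=test,DC=local"

if __name__ == "__main__":
    print(vpn_user_filter("jdoe", GROUP_DN))
    print(vpn_user_filter("jdoe", ODD_GROUP_DN, nested=True))
```

Plain `memberOf` matches direct members only; the in-chain rule also matches users who reach the group through nested groups.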

  • ASP application authenticating users using OID

    Hi, I'm a newbie using ASP, but I need to modify an existing application to use LDAP authentication, using OID as its directory server.
    I thought that if I get an LDAP ASP library that can be used against any LDAP server (non proprietary), my problem is solved.
    My questions are :
    1) Does this library exist ? Where can I find it ?
    2) Has anyone any experience in this matter ? Is there another way to get around this problem ?
    Thanks for any clue that you can give me,
    Sebastian.

    This is an example where your Active Directory allows simple binds:
    FUNCTION authenticate_aduser (p_username IN VARCHAR2, p_password IN VARCHAR2)
       RETURN BOOLEAN
    IS
       v_user          VARCHAR2 (256);
       v_ldap_server   VARCHAR2 (256)    := '10.128.1.81';
       --h80081.isd_it.company_ag.local
       v_domain        VARCHAR2 (256)    := 'isd_it.company_ag.local';
       v_ldap_port     NUMBER            := 389;
       v_retval        PLS_INTEGER;
       v_session       DBMS_LDAP.SESSION;
       v_cnt           NUMBER;
    BEGIN
       IF p_password IS NOT NULL
       THEN
          v_user := p_username || '@' || v_domain;
          v_session := DBMS_LDAP.init (v_ldap_server, v_ldap_port);
          -- start session
          v_retval := DBMS_LDAP.simple_bind_s (v_session, v_user, p_password);
          -- auth as user
          v_retval := DBMS_LDAP.unbind_s (v_session);                   -- unbind
          RETURN TRUE;
       ELSE
          RETURN FALSE;
       END IF;
    EXCEPTION
       WHEN OTHERS
       THEN
          v_retval := DBMS_LDAP.unbind_s (v_session);
          RETURN FALSE;
    END authenticate_aduser;
    You need to replace the IP with the IP of your AD Server.
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.opal-consulting.de/training
    http://apex.oracle.com/pls/otn/f?p=31517:1
    -------------------------------------------------------------------
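
Added example (Python, not code from either poster): the earlier reply about a blank password being mapped to an anonymous user and the `p_password IS NOT NULL` check in `authenticate_aduser` concern the same case, a simple bind with an empty password, which RFC 4513 classes as unauthenticated rather than as a failed login. `ToyDirectory`, its sample account and all function names are constructed for illustration, and the assumption is a server that accepts such binds.

```python
import hmac
from enum import Enum


class BindKind(Enum):
    ANONYMOUS = "anonymous"              # empty name, empty password
    UNAUTHENTICATED = "unauthenticated"  # name given, empty password
    NAME_PASSWORD = "name/password"      # both given: the only kind that proves identity
    MALFORMED = "malformed"              # password without a name


def classify_simple_bind(name, password):
    """Classify a simple bind by the RFC 4513 section 5.1 categories."""
    if password:
        return BindKind.NAME_PASSWORD if name else BindKind.MALFORMED
    return BindKind.UNAUTHENTICATED if name else BindKind.ANONYMOUS


class BindError(Exception):
    pass


class ToyDirectory:
    """Constructed stand-in for a directory that accepts empty-password binds."""

    def __init__(self, users, groups):
        self.users = users      # bind name -> password (sample data)
        self.groups = groups    # entries visible to authenticated sessions only

    def simple_bind(self, name, password):
        """Return the bound identity, or None for an anonymous session."""
        kind = classify_simple_bind(name, password)
        if kind in (BindKind.ANONYMOUS, BindKind.UNAUTHENTICATED):
            return None         # the bind "succeeds", but nobody was authenticated
        stored = self.users.get(name)
        if (kind is BindKind.NAME_PASSWORD and stored is not None
                and hmac.compare_digest(stored.encode(), password.encode())):
            return name
        raise BindError("invalidCredentials (49)")

    def search_groups(self, identity):
        # Same symptom as in the thread: no exception, and no results either.
        return list(self.groups) if identity else []


def naive_authenticate(directory, name, password):
    """Treats 'the bind did not fail' as proof of identity (the failure mode)."""
    try:
        directory.simple_bind(name, password)
        return True
    except BindError:
        return False


def checked_authenticate(directory, name, password):
    """Allows only name/password binds and requires the bound identity to match."""
    if classify_simple_bind(name, password) is not BindKind.NAME_PASSWORD:
        return False
    try:
        return directory.simple_bind(name, password) == name
    except BindError:
        return False


# Constructed sample data, not taken from the page.
DIRECTORY = ToyDirectory({"svc-sync@example.test": "correct horse"},
                         ["CN=value-admins", "CN=value-users"])
```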

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
        if ( (type(aaa.ldap.distinguishedName) == "string") and
             (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
        then
            return true
        end
        return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
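
Added example (Python, not code from the thread): the DAP expression above does a substring search on `aaa.ldap.distinguishedName`; this version splits the DN into its RDN components and matches the OU exactly, using the two DNs from the DAP trace. The function names and the last two sample DNs are constructed, and multi-valued RDNs (`+`) are not handled.

```python
import string


def _unescape(value):
    """Undo RFC 4514 escapes: backslash + special char, or backslash + two hex digits."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))       # hex pair is one UTF-8 byte
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def split_dn(dn):
    """Split a DN into (TYPE, value) pairs; escaped commas do not end an RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])         # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr:
            raise ValueError("not an RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs


def in_ou(dn, ou_name):
    """True only when one RDN is exactly OU=<ou_name> (case-insensitive)."""
    return any(t == "OU" and v.lower() == ou_name.lower() for t, v in split_dn(dn))


def substring_match(dn, needle="OU=Users"):
    """Equivalent of the string.find() test in the posted DAP expression."""
    return needle in dn


# The first two DNs are the ones shown in the DAP trace (site names masked there).
USER_DN = "CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com"
ADMIN_DN = "CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
# Constructed samples: a different OU that starts with "Users", and an escaped comma.
ARCHIVE_DN = "CN=Old Account,OU=Users Archive,DC=CH,DC=Mycompany,DC=com"
ESCAPED_DN = "CN=B\\, Mr,OU=Users,DC=CH,DC=Mycompany,DC=com"
```

Both checks agree on the two DNs from the trace; they differ on `ARCHIVE_DN`, where the substring test matches an OU that is not `Users`.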

  • Users using SQL Server Authentication

    What tables/views would I use to create a list of users using SQL Server Authentication? I want the name, whether password (complexity) policy is set and whether password expiration is set. I only want current/active users.

    You can query sys.sql_logins to get this information.
    http://msdn.microsoft.com/en-GB/library/ms174355.aspx
    Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

  • Designer takes several minutes for login using LDAP authentication

    We have a issue, when we tried to login to the designer using LDAP authentication it takes several minutes and using enterprise account we are able to login to the designer with in seconds.
    CMC and infoview all are working fine using LDAP authentication.
    We are using BOXIR2,
    FP 1.6.
    Thank You in Advance.
    Thanks & Regards,
    Collin.

    There have been several changes in LDAP since FP 1.6 but if infoview is ok then hopefully you aren't running into any of them. When logging into client tools the LDAP requests are sent to the LDAP server directly from the client. An issue like this would suggest there is a problem reaching the LDAP server from the client.
    Is LDAP SSL being used? If yes try disabling it, if no then you can packet scan the logon attempt on the client and filter the LDAP traffic to see how long it's taking for that communication.
    Regards,
    Tim
