Authentication against a LDAP

Similar Messages

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• Cisco ACS 5.2 authentication against multiple LDAP servers

  Hi Folks,
  I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
   - User tries to associate to WLAN
   - Authentication request is sent to ACS
   - Service selection rule chooses an access-policy (wireless_access_policy)
   - wireless_access_policy is configured to use my_ldap as identity source.
  A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

  Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
  You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

• OpenLdap with ldap backend... / Authentication against another ldap

  Hey everybody,
  i'm trying to setup my OD that i can redirect the authentication of the user to a second ldap...
  The second ldap-server is ssl secured. I had a solution under debian. and so i'm looking for the moduleload and modulpath or olcModuleLoad olcModulePath for Mac OS X 10.5.
  But i can't find a place where i can activate modules.. i even can't find the modules... (In a default config file i found this):
  16 # Load dynamic backend modules:
  17 # modulepath /usr/libexec/openldap
  18 # moduleload back_bdb.la
  19 # moduleload back_ldap.la
  20 # moduleload back_ldbm.la
  21 # moduleload back_passwd.la
  22 # moduleload back_shell.la
  (in /etc/openldap/slapd.conf.default)
  but the modules doesn't exist...
  Can anyone help me how i can activate the ldap-backend in the mac osx 10.5?
  my debian config looks like this: (/etc/ldap/slapd.conf)
  30 moduleload back_ldap
  150 database ldap
  151 suffix MYSEARCHSUFFIX
  152 uri ldaps://server:port
  153 rebind-as-user yes
  What I mean/what i want to know is how to load the modules in openldap and where can i find them?
  I hope you can understand what i mean.... My english isn't the best
  Thanks for help
  greetings

  Sun Java System Web Server 7.0 was tested with Sun's Directory Server and MSAD. For MSAD, you need to add extra settings refer blog "Using Web Server 7 with Microsoft Active Directory"
  http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
  Can you run the server with log level "finest" and see errro logs also see whether Web Server is trying to connect to your directory server and try to find out what the problem is.

• Linux authentication against OID ldap

  Hi,
  How to use OID as an authentication server for linux users. So when a users logs on the linux machine get's his information from the OID /ldap server?
  What are the step to do this?
  Regards

  This link should help:
  http://www.oracle.com/technology/products/oid/pdf/unix_pam_oid_wp.pdf

• User authentication against LDAP - Non-AD

  Hi,
  We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
  ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
  ldapAuthentication.enabled = true
  ldapAuthentication.tryNextProviderIfNoAuthenticated = true
  ldapAuthentication.stopIfCommunicationError = true
  ldapAuthentication.url=ldap\://localhost:389/
  ldapAuthentication.rootContext=DC=test,DC=com
  ldapAuthentication.securityPrincipal=CN=Directory Manager
  ldapAuthentication.securityCredential.encrypted=password
  ldapAuthentication.keepContextPrefix=false
  ldapAuthentication.isAD=false
  ldapAuthentication.userAccountSearchKey=CN
  ldapAuthentication.firstNameSearchKey=givenName
  ldapAuthentication.lastNameSearchKey=sn
  Still I am getting while I try to login to OIA as an OUD user:
  WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
  Please help

  Hi Jcorker,
  According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
  In SSAS we can use the solution below achieve the requirement.
  1.Create new domain account and impersonate the web site with that.
  2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
  However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
  create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
  Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
  http://technet.microsoft.com/en-us/library/cc961481.aspx
  Regards,
  Charlie Liao
  If you have any feedback on our support, please click
  here.
  Charlie Liao
  TechNet Community Support

• [ SOLVED] Authentication against two openldap servers.

  Hi everyone.
  Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
  Regards.
  PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
  Last edited by Gruntz (2009-03-10 08:57:31)

  Hi,
  Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
  Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
  You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
  Good luck!
  /Rikard

• Authenticating against both RDBMS and LDAP in WL6.0

  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate via LDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked to be
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt

  We are currently deployed on WL5.1 with a similar situation as you and in
  the process of migrating to WL6. We are Authenticating against LDAP and
  Authorizing against RDBMS. But I can't see how you could tell it to go
  one way for certain users and another for other users.
  The delegatingrealm in WL5 was intended to split the responsibility of
  Authenticating to one source and Authorization to another. To make this
  work for your Application of splitting internal and external users
  security, I suppose you can do it if you can somehow pass the information
  to the Security Realm the type of the user that is logging in. Maybe you
  can make this code a part of the userid such as ext_uersID or int_userID.
  Doing this will allow you to filter the where the users are coming from
  and Direct them to the appropriate security realm.
  As far as WL6 goes, the Delegating realm class is no longer available
  since the security model for WL6 is different from WL5. But you can take
  a look at what they did with the RDBMSrealm example and use that. This is
  what we did to make our Security work in WL6. However, you can no longer
  store ACLs in the RDBMS realm in WL6.
  Hopes this helps.
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  You will need to create a Custom Realm which delegates to both your RDBMS
  and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
  "Jonathan Thompson" <[email protected]> wrote in message
  news:3accf1a3$[email protected]..
  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate viaLDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked tobe
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  >
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt
  [att1.html]

• Ubuntu Karmic authentication against Snow leopard open directory server

  Hi,
  I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
  Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
  Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
  (I've changed the hostname and ldap url)
  /etc/ldap.conf has:-
  base dc=server,dc=domain,dc=com
  ldap_version 3
  rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
  bind_policy soft
  pam_password md5
  /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
  /etc/pam.d/common-passwd :-
  password sufficient pam_ldap.so md5
  password required pam_unix.so nullok obscure md5
  password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
  /etc/pam.d/common-auth:-
  auth [success=2 default=ignore] pam_unix.so nullok_secure
  auth [success=1 default=ignore] pam_ldap.so usefirstpass
  auth requisite pam_deny.so
  auth required pam_permit.so
  /etc/pam.d/common-account:-
  account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
  account [success=1 default=ignore] pam_ldap.so
  account requisite pam_deny.so
  account required pam_permit.so
  /etc/pam.d/common-session
  session [default=1] pam_permit.so
  session requisite pam_deny.so
  session required pam_permit.so
  session required pam_unix.so
  session optional pam_ldap.so
  session optional pamckconnector.so nox11
  Does anyone have any ideas where to go from here?
  Message was edited by: zebardy

  Hi
  It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
  You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
  An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
  Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
  http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
  Page 55 onwards.
  From Page 64:
  "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
  If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
  HTH?
  Tony

• How to authenticate CXF-Webservice against external LDAP in WebLogic?

  Hi there,
  I'm trying to integrate our Camel-application into WebLogic 12c. All the incoming endpoints are CXF-based webservices. These are secured by "UsernameToken Timestamp" with the WSS4JInInterceptor configured like this:
  <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                 <map>
                      <entry key="action" value="UsernameToken Timestamp" />
                      <entry key="passwordType" value="PasswordDigest" />
                      <entry key="passwordCallbackClass"
                           value="de.mycompany.camel.cxf.UserTokenCallbackHandler" />
                 </map>
            </constructor-arg>     
  </bean>
  My problem is: WSS4JInInterceptor expects the UserTokenCallbackHandler to return the password of the user delivered in the header <wsse:Username>. Is there any way to retrieve this from an external LDAP configured in WebLogic? I've already managed to retrieve the users, groups etc with JMX (javax.management.MBeanServerConnection and weblogic.security.providers.authentication.LDAPAuthenticatorMBean), but I can't figure out how to authenticate the user against the LDAP, i. e. retrieve the password.
  Or am I heading in a completely wrong direction and this is not the way to achieve authentication for CXF-Webservices in WebLogic?
  Please give me a hint (code-snippets preferred ;-) ) how to solve this.
  Regards,
  Frank

  I have run into the exact same situation ? Did you ever get around this ? If so, how ? Please let me know.

• Oracle Database Authentication against Microsoft Active Directory

  Hello
  Does anyone know if it is possible or can point me in the right direction of some documentation that discuss Oracle database user authentication against and Enterprise Directory Service, in my cases MS AD?
  My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Window clients. I would like to know if there is a way to autheticate users from Windows to the database using LDAP based (AD) authentication. In oters words how do I configure authentication to be done for "identified globally accounts"? I know that the identified by globally accounts require the use of the CN which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
  So my questions are
  1. Is it possible to authenticate users against AD without the implementation of OID?
  2. Is there documentation someone has or can point me to that outlines the required steps?
  3. Anything I should know?
  I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
  Thanks.

  Sure, two methods to auth from Oracle DB to MSAD:
  OID and OVD
  I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
  Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD)http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
  And this would be what the EUS config should look like:
  http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
  If you've done everything in the first doc...
  Hope this answers your questions.

• Git authentication against proxies

  Hello there:
  Maybe this is not the right place to post this, but, maybe here more interested people will hear of it.
  My situation is this, i found myself behind a proxy trying to make git clone over http protocol, and i wasn't able to do it. My proxy use digest authentiction, and git software doesn't manage http proxy with auth, so i downloaded the code of git (course after i got tired of searching google) and start reading to patch it.
  After a few looks and some advice from my fellow developers i managed to do so, then i made a patch and i thougt about make a PKGBUILD and submit a package to aur, then after reading all the guidelines (aur guildelines, bug report guidelines) i decide the right thing to do was not to upload a package to aur.
  So i submitted the patch to the git's maintainers and now i'll posted here fpor someone else looking for it.
  --- git-1.6.6/http.c 2009-12-23 19:00:22.000000000 -0500
  +++ git-1.6.6/http.c 2010-01-19 11:59:17.000000000 -0500
  @@ -33,6 +33,10 @@
  static long curl_low_speed_time = -1;
  static int curl_ftp_no_epsv;
  static const char *curl_http_proxy;
  +static const char *curl_http_proxy_auth;
  +static const char *curl_http_proxy_user;
  +static const char *curl_http_proxy_pass;
  +
  static char *user_name, *user_pass;
  #if LIBCURL_VERSION_NUM >= 0x071700
  @@ -174,6 +178,15 @@
  if (!strcmp("http.proxy", var))
  return git_config_string(&curl_http_proxy, var, value);
  + if (!strcmp("http.proxy-auth", var))
  + return git_config_string(&curl_http_proxy_auth, var, value);
  +
  + if (!strcmp("http.proxy-user", var))
  + return git_config_string(&curl_http_proxy_user, var, value);
  +
  + if (!strcmp("http.proxy-pass", var))
  + return git_config_string(&curl_http_proxy_pass, var, value);
  +
  if (!strcmp("http.postbuffer", var)) {
  http_post_buffer = git_config_int(var, value);
  if (http_post_buffer < LARGE_PACKET_MAX)
  @@ -267,8 +280,32 @@
  curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
  if (curl_http_proxy)
  + {
  curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
  + if(curl_http_proxy_user && curl_http_proxy_pass)
  + {
  + char* c;
  + c = xstrdup(curl_http_proxy_user);
  + strcpy(c, curl_http_proxy_user);
  + strcat(c, ":");
  + strcat(c, curl_http_proxy_pass);
  + c[strlen(curl_http_proxy_user) + strlen(curl_http_proxy_pass) + 1] = 0;
  + curl_easy_setopt(result, CURLOPT_PROXYUSERPWD, c);
  + free(c);
  + }
  + if(curl_http_proxy_auth)
  + {
  + if(!strcmp(curl_http_proxy_auth, "digest"))
  + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
  + else if(!strcmp(curl_http_proxy_auth, "basic"))
  + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
  + else if(!strcmp(curl_http_proxy_auth, "ntlm"))
  + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
  + }
  +
  + }
  +
  return result;
  @@ -430,6 +467,21 @@
  curl_http_proxy = NULL;
  + if (curl_http_proxy_auth) {
  + free((void *)curl_http_proxy_auth);
  + curl_http_proxy_auth = NULL;
  + }
  +
  + if (curl_http_proxy_user) {
  + free((void *)curl_http_proxy_user);
  + curl_http_proxy_user = NULL;
  + }
  +
  + if (curl_http_proxy_pass) {
  + free((void *)curl_http_proxy_pass);
  + curl_http_proxy_pass = NULL;
  + }
  +
  if (ssl_cert_password != NULL) {
  memset(ssl_cert_password, 0, strlen(ssl_cert_password));
  free(ssl_cert_password);
  Any suggestion, would be appreciated.

  Ni Nicolaj,
  why? Because the security team is requesting this. If some went out of the office just for a coffee and leave his PC open everyone is able to connect to any system. If there is needed a re-authentication against LDAP this becomes secure and only an open session with one R/3 can be used.
  The re-authentication against LDAP because in this case the user has ONE password: windows password. No need to remember 20 passwords on 20 systems. And it is not possible to syncronize the password from LDAP to ABAP user store.
  So if the user is successful re-authenticated the portal will use the SAPLogonTicket.
  The question is how to implement this re-authentication for example the portal login itself?
  And yes, ITS with PAS is using LDAP - this we want to have also for the connection from the portal to R/3.
  Best regards,
  Michael

• Discoverer against Open-LDAP

  Did anyone have experience of using Discoverer against Open-Ldap? We are using discoverer in non-apps mode and dont want to create 300db user's. Our current application uses Open-Ldap and we want to make use of it for Discoverer authentication. Any ideas?
  Thanks

  Thanks Rod for the metalink documents.
  I'd tried using eul_trigger$post_login using a similar function as indicated in the article you refer before posting my question but it didn't work - may be because i was not paying attention to upper/lower case.
  But, after reading the article 372067.1 and following the exact instructions I still can't make it work. Not even with Discoverer desktop while logged in as EUL owner.
  Here is the function I created:
  CREATE OR REPLACE FUNCTION EUL_TRIGGER$POST_LOGIN RETURN NUMBER IS
  BEGIN
  insert into my_eul.test_logon values (sysdate);
  commit;
  RETURN 0;
  END EUL_TRIGGER$POST_LOGIN;
  Some values for this registered function from EUL5_FUNCTIONS metadata table are:
  FUN_NAME: eul_trigger$post_login
  FUN_DEVELOPE_KEY: EUL_TRIGGERPOST_LOGIN
  FUN_FUNCTION_TYPE: 8
  FUN_HIDDEN: 0
  FUN_DATE_TYPE: 2
  FUN_AVAILABLE: 1
  FUN_MAXIMUM_ARGS: 0
  FUN_EXT_NAME: EUL_TRIGGER$POST_LOGIN
  FUN_EXT_OWNER: MY_EUL
  Any thing seems missing/incorrect?
  I am not 100% sure about EnableTrigger preferences. My pref.txt does not have an entry for EnableTriggers and according to Configuration Guide you should not add an entry if not present because by default triggers are enabled. But, since the trigger was not firing I also tried adding the line and applied preferences using the applypreferences.bat but it didn't work.
  To make it work with Discoverer Desktop I tried updating the registry to add entry for EnableTrigger registry entry, but no successs (Finally I removed all changes to registry and preferences).
  Now I am clueless why the trigger is not working. Any help would be appreciated.
  Using Discoverer 10G R1 (9.0.4)
  thanks
  Message was edited by:
  user552591

• How can I tell if a user has already authenticated against AD?

  Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
  We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
  This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
  Any tips would be very welcome,
  Mark

  You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
  There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
  at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
  Good luck.

• ISE 1.2 - 24492 Machine authentication against AD has failed

  Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
  AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
  Machine authentication box is ticked.
  If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
  This happens on all computers, both WinXP and Win7 corporate builds.
  I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
  Anybody got any ideas?
  thanks.

  24492
  External-Active-Directory
  Machine   authentication against Active Directory has failed
  Machine   authentication against Active Directory has failed.
  Error
  Please check NTP is in sync or not  ISE