Authentication against both LDAP and BI repository

I have a lot of users who are authenticated against LDAP. I need to add a few users who don't exist in LDAP. I can create a user in the BI repository, and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he gets the error "Succesfull execution of intitializtion block LDAP is required". Is there any way to authenticate users against both LDAP and the BI repository?

Hi,
Why don't you create a group in LDAP and add the corresponding users to that group?
You can configure the LDAP server with that group and try...
Hope it works...
Regards
Venkat

Similar Messages

  • Authenticating against both RDBMS and LDAP in WL6.0

    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate via LDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked to be
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt

    We are currently deployed on WL5.1 with a similar situation as you and in
    the process of migrating to WL6. We are Authenticating against LDAP and
    Authorizing against RDBMS. But I can't see how you could tell it to go
    one way for certain users and another for other users.
    The delegatingrealm in WL5 was intended to split the responsibility of
    Authenticating to one source and Authorization to another. To make this
    work for your Application of splitting internal and external users
    security, I suppose you can do it if you can somehow pass the information
    to the Security Realm the type of the user that is logging in. Maybe you
    can make this code a part of the userid such as ext_userID or int_userID.
    Doing this will allow you to filter where the users are coming from
    and direct them to the appropriate security realm.
    As far as WL6 goes, the Delegating realm class is no longer available
    since the security model for WL6 is different from WL5. But you can take
    a look at what they did with the RDBMSrealm example and use that. This is
    what we did to make our Security work in WL6. However, you can no longer
    store ACLs in the RDBMS realm in WL6.
    Hope this helps.

    You will need to create a Custom Realm which delegates to both your RDBMS
    and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
    "Jonathan Thompson" <[email protected]> wrote in message
    news:3accf1a3$[email protected]..
    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate via LDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked to be
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).
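
    An identity store sequence like the one described in the answer above, sketched as an added example (not Cisco's implementation and not code from the thread). The store names my_ldap and sister_company_ldap come from the question; the accounts, passwords, and the stop-on-wrong-password and fail-closed policies are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum


class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    BAD_CREDENTIALS = "bad_credentials"
    USER_NOT_FOUND = "user_not_found"
    UNAVAILABLE = "unavailable"


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InMemoryStore:
    """Stand-in for one directory; constructed data, no network access."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.reachable = reachable
        self._users = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, _derive(password, salt))

    def authenticate(self, user, password):
        if not self.reachable:
            return Outcome.UNAVAILABLE
        record = self._users.get(user)
        if record is None:
            return Outcome.USER_NOT_FOUND
        salt, expected = record
        matches = hmac.compare_digest(expected, _derive(password, salt))
        return Outcome.AUTHENTICATED if matches else Outcome.BAD_CREDENTIALS


def authenticate_in_sequence(stores, user, password, continue_if_unavailable=False):
    """Return (outcome, store_name, trail); trail records every store consulted."""
    trail = []
    for store in stores:
        outcome = store.authenticate(user, password)
        trail.append((store.name, outcome))
        if outcome is Outcome.AUTHENTICATED:
            return outcome, store.name, trail
        if outcome is Outcome.BAD_CREDENTIALS:
            # Assumed policy: the account exists in this store, so stop here.
            # A same-named account in a later store must not become a second
            # way in with a different password.
            return outcome, store.name, trail
        if outcome is Outcome.UNAVAILABLE and not continue_if_unavailable:
            # Assumed policy: fail closed when a directory cannot be reached.
            return outcome, store.name, trail
    unavailable = any(o is Outcome.UNAVAILABLE for _, o in trail)
    return (Outcome.UNAVAILABLE if unavailable else Outcome.USER_NOT_FOUND), None, trail


# Constructed sample directories; "shared" exists in both with different passwords.
MY_LDAP = InMemoryStore("my_ldap", {"alice": "alice-pass", "shared": "ours"})
SISTER_LDAP = InMemoryStore("sister_company_ldap", {"bob": "bob-pass", "shared": "theirs"})

if __name__ == "__main__":
    attempts = [("alice", "alice-pass"), ("bob", "bob-pass"), ("shared", "theirs")]
    for user, password in attempts:
        outcome, store, _ = authenticate_in_sequence([MY_LDAP, SISTER_LDAP], user, password)
        print(user, outcome.value, store)
```

    The trail returned with each decision is what you would log, so an audit can tell a user who was not found anywhere from one who was rejected by the first directory.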

  • Authentication against a LDAP

    All,
    We have a requirement where in we want to validate a user against the LDAP of our organisation.
    We will like to build a simple JSP page.
    Questions that come to my mind are
    1> Can we create a Portal application that will not ask for a Portal authentication and directly point to the JSP stored in a web application or a portal application?
    2> How complex is it to validate a user against an LDAP?
    3> After successful validation we will like the application to trigger an RFC. Is this possible?
    Thanks and Regards
    Pradeep Bhojak

    Pradeep,
    you have to create your own LogonModule to achieve your requirements (not only a jsp page). But on the other hand, why don't you configure your Portal UME to the LDAP anyway?
    kr, achim

  • OpenLdap with ldap backend... / Authentication against another ldap

    Hey everybody,
    I'm trying to set up my OD so that I can redirect the authentication of the user to a second LDAP...
    The second LDAP server is SSL secured. I had a solution under Debian, and so I'm looking for the moduleload and modulepath or olcModuleLoad olcModulePath for Mac OS X 10.5.
    But I can't find a place where I can activate modules. I can't even find the modules. (In a default config file I found this):
    # Load dynamic backend modules:
    # modulepath /usr/libexec/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la
    (in /etc/openldap/slapd.conf.default)
    but the modules don't exist...
    Can anyone help me with how I can activate the ldap backend in Mac OS X 10.5?
    My Debian config looks like this: (/etc/ldap/slapd.conf)
    moduleload back_ldap
    database ldap
    suffix MYSEARCHSUFFIX
    uri ldaps://server:port
    rebind-as-user yes
    What I mean/what I want to know is how to load the modules in OpenLDAP and where I can find them.
    I hope you can understand what I mean.... My English isn't the best
    Thanks for help
    greetings

    Sun Java System Web Server 7.0 was tested with Sun's Directory Server and MSAD. For MSAD, you need to add extra settings; refer to the blog "Using Web Server 7 with Microsoft Active Directory"
    http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
    Can you run the server with log level "finest" and look at the error logs? Also see whether Web Server is trying to connect to your directory server, and try to find out what the problem is.

  • Linux authentication against OID ldap

    Hi,
    How can I use OID as an authentication server for Linux users, so that when a user logs on, the Linux machine gets his information from the OID/LDAP server?
    What are the steps to do this?
    Regards

    This link should help:
    http://www.oracle.com/technology/products/oid/pdf/unix_pam_oid_wp.pdf

  • Essbase 9.3.1 fails login the first time for both LDAP and Native users

    Hi,
    Whenever I try to login into Essbase server using AAS or Maxl, it fails for the first time but when I try the second time it works.
    Essbase Logs at the time of the error shows:
    Local ESSBASE0 Info (1051001) Received client request: Get Log File (from user hadmin )
    Local ESSBASE0 Info (1051001) Received client request: Get Server Locale Description (from user hadmin )
    Local ESSBASE0 Info (1051164) Received login request from xxx.xxx.xxx.x
    Local ESSBASE0 Error (1051293) Login fails due to invalid login credentials
    Local ESSBASE0 Warning (1051003) Error 1051293 ~processing request Login - disconnecting
    SharedServices9\SystemErr.log
    SystemErr R com.hyperion.interop.AuthenticationException: Could not authenticate user 'CSSToken'. Please ensure the username and password is correct.
    SystemErr R at com.hyperion.interop.webservices.Security.slideAuthenticate(Unknown Source)
    SystemErr R Caused by: java.lang.Exception: Interop Security: Unauthorized
    SystemErr R at com.hyperion.interop.webservices.Security.authenticate(Unknown Source)
    SystemErr R 1282785593 [WebContainer : 0] WARN security.SecurityFacade - Error Executing cssAuthenticate()
    Error Code: -1
    com.hyperion.css.CSSTokenNotAcceptedException: Token is invalid. Error Code: 11
    And we are using SSL? Help please... Thanks.

    I know this won't help, but we had the same issue in 9.3.1 and decided to reinstall without SSL as we could not get to the bottom of it.
    I suspect there's something wrong with the SSL config but I'm not sure what it is...
    Seb

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine. Now I would like to add the backup authentication, as follows:
    - If the ACS goes down I can be authenticated with the local database.
    Is it possible with PIX? If yes, how?

    Hi,
    I am trying to configure aaa using TACACS+, but I am not able to close. Problems are:
    1. It doesn't ask for username/password in first level.
    2. On second level it asks for user name; it doesn't authenticate the user.
    Could you please let me know if the following config is correct? If not, could you help me?
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • User authentication against LDAP - Non-AD

    Hi,
    We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
    ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
    ldapAuthentication.enabled = true
    ldapAuthentication.tryNextProviderIfNoAuthenticated = true
    ldapAuthentication.stopIfCommunicationError = true
    ldapAuthentication.url=ldap\://localhost:389/
    ldapAuthentication.rootContext=DC=test,DC=com
    ldapAuthentication.securityPrincipal=CN=Directory Manager
    ldapAuthentication.securityCredential.encrypted=password
    ldapAuthentication.keepContextPrefix=false
    ldapAuthentication.isAD=false
    ldapAuthentication.userAccountSearchKey=CN
    ldapAuthentication.firstNameSearchKey=givenName
    ldapAuthentication.lastNameSearchKey=sn
    Still I am getting while I try to login to OIA as an OUD user:
    WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
    Please help

    Hi Jcorker,
    According to your description, you need to access the SQL Server Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
    In SSAS we can use the solution below to achieve the requirement.
    1. Create a new domain account and impersonate the web site with that.
    2. Create a local user account on the analysis service with the exact same username/password as the domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it on my local environment, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao

  • Two factor authentication ACS 5.x against external Radius and Active Directory

    On ACS 5.x I'd like to authenticate against two external Directories
    Active Directory
    Black Shield Token Server (via RADIUS)
    I found a description the meets mostly my requirements at
         http://blog.pbmit.com/digipass2
    Does somebody have an idea how this has to be implemented on Cisco ACS 5.3?
    In the identity store sequence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success)
    Active Directory and Cisco ACS
          This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

    Just following up to see if there was a solution to this.  I am also interested in setting this type of scenario up.

  • [ SOLVED] Authentication against two openldap servers.

    Hi everyone.
    Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
    Regards.
    PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
    Last edited by Gruntz (2009-03-10 08:57:31)

    Hi,
    Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
    Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
    You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
    Good luck!
    /Rikard

  • Help with a PCR using both 401KL and 401KS

    Hi,
    Has anyone set up a supplemental savings plan that begins deductions when 401k limits hit either 401KL or 401KS?  I have it setup using 401KS and it works great but unfortunately that scenario is only for one employee out of 48.  I really need to be able to compare against both 401KS and 401KL to fully automate this.  I'm new to PCR's  so any advice would be greatly appreciated...
    Thank you,
    Stephanie

    I'm sorry.  Here is the query:
    --Declare @EMail_Address nvarchar(100) = null
    Select SVAssociationID.R_ShortValue as MATRIX_AssociationID, Matrix_Modified_DT as Matrix_LastModified
      ,RTRIM (MLS_ID) As Matrix_MLS_ID
      , ISNULL(EMail_Address, '') AS MATRIX_member_Email
      ,RTRIM (EMail_Address) as Matrix_Member_EMail
      --,RTRIM( LTRIM(  ISNULL (@EMail_Address, '') ) ) as Matrix_Member_EMail 
      ,Last_Name AS MATRIX_LastName, Nickname AS MATRIX_NickName
      FROM    dbo.Agent_Roster_VIEW a
            LEFT JOIN dbo.select_values_VIEW SV ON a.Status_SEARCH = SV.ID
            LEFT JOIN dbo.select_values_VIEW BillType ON a.Bill_Type_Code_SEARCH = BillType.ID
      LEFT JOIN dbo.select_values_VIEW SVAssociationID ON A.Primary_Association_SEARCH = SVAssociationID.ID
    WHERE   Status_SEARCH IN (66,68) 
        Order by MLS_ID
    Results:
    MATRIX_AssociationID | Matrix_LastModified | Matrix_MLS_ID | MATRIX_member_Email | Matrix_Member_EMail | MATRIX_LastName | MATRIX_NickName
    STC  | 09/02/14 | CCWILLI  | [email protected] | [email protected] | Williams | Christine
    STC  | 09/12/14 | CCWORSL  | [email protected] | [email protected] | Worsley  | Charlie
    STC  | 09/02/14 | CCYROBIN |                   | NULL              | Robinson |
    ECBR | 09/02/14 | CDABLACK | [email protected] | [email protected] | Black    | Dale
    STC  | 09/02/14 | CDABRADY | [email protected] | [email protected] | Brady    | David
    Thank you,

  • OBIEE with both SSO and LDAP

    I need to be able to run OBIEE using SSO with LDAP to 'reauthenticate' the user and then provide information as to which user groups they are in.
    The overall idea is that the user logs in to the 'system' as a whole and is then provided a hyperlink to OBIEE. Behind the scenes, the system login process will set a cookie holding the users name, thus allowing SSO to be used with OBIEE. When the user logs in, LDAP will then be used to determine which groups the user is a member of.
    I can get SSO working (on its own) and I can get LDAP authentication working (on its own), but when I try to combine the two I just get user authentication errors.
    I suspect that what is happening is that the OBIEE login process is passing the correct username to LDAP (i.e. the one from the cookie), but the IMPERSONATOR password rather than the user one (at this point OBIEE does not know the user password).
    Is there any way of getting around this? as far as I can tell the LDAP authentication mechanism requires both a username and password to be passed to it, but since we are using SSO, we only have the username.
    Note: is it not considered secure enough to hold the user password as a cookie or as part of a 'GO' URL, which is why we wish to use SSO.
    Many thanks,
    Chris

    We have the init block set up to login to LDAP and authenticate the user. The ID we use is not the user account that logged in to the BI Server, but an id we have that only has the ability to read users and groups.
    You probably need to also uncheck "required for authorization" in this init block, otherwise the impersonator account will not be able to authenticate.
    To get our group assignment we have a PL/SQL program that uses the ldap utils to connect to the ldap server and get the group membership and return it in a "GROUP" variable (row-wise) back to the BI Server.
    I'm a relative newbie to BIEE, so this may not be the best or most secure way, but it is working.

  • Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

    I installed SQL Server Express 2008 R2 and then SQL Server Management Studio 2008 R2. But during the installation, I could not choose both SQL and Windows authentication mode and an error occurred, so I did that with just Windows authentication mode.
    Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
    Following steps are the steps that I went but I got an error:
    Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
    and the error that I got is attached(access is denied)  
    Can you please help me?

    You can change the setting after you gain admin rights to your SQL Server. You don't get admin rights automatically; you have to explicitly add yourself during the install.
    Here's a guide on how to (re)gain those rights:
    http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS; when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
    Here is a Windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
