LDAP / AD authentication?

Hi,
I have this configuration:
BOXI 3.1 setup on a Windows Server 2008.
A server with Active Directory where a users group have been created.
I don't know how AD and LDAP work together. I read on the internet that AD is an LDAP directory (a directory which uses the LDAP protocol); is that true?
So I would like to configure authentication on BusinessObjects that allows users to log in to InfoView/Designer using their Windows logins (logins created in the Active Directory).
What should I do?
Configure AD authentication in the CMC? Or LDAP authentication?
Has someone set up LDAP authentication? I tried to do it but I got an error when I click on the Finish button: The SecLdap have not been able to connect to the host.
Thanks for your reply.

Hi Coulio,
Generally speaking as you have an AD server you should be looking to configure the AD plugin in XI3.1 to enable your users to login with their AD accounts and facilitate SSO (single sign on).
There are many KBases and documentation around this area, but what you would need to do would be the following:
So there are 12 steps required to ensure a successful SSO configuration. Please let me know if you have any further questions, or if there is something unclear. Thanks.
Windows AD steps (please have AD team manage this)
1.     Create and configure a Service Account
a.     Create a user account -> login name: bossosvcacct
i.     First Name: BO Service
ii.     Last Name: Account
iii.     Set password to not expire, User cannot change password.
b.     Save.
2.     Creation of SPNs for Service Account
a.     Create 3 SPNs for the Service account with the following commands. Please replace 'boservername' with the actual name, and FQDN with the actual Fully Qualified Domain Name. Replace IPADDRESS with the actual IP address of the BO Server. Leave 'bossosvcacct'; it is required to bind the SPN to the Service Account we created above.
i.     setspn -a HTTP\boservername bossosvcacct
ii.     setspn -a HTTP\boservername.FQDN bossosvcacct    (ie. setspn -a HTTP\myboserver.microgoogle.com bossosvcacct)
iii.     setspn -a HTTP\IPADDRESS bossosvcacct
3.     Run ktpass command to create *.keytab
a.     Please run the following command:
i.     ktpass -out bosso.keytab -princ HTTP/bossosvcacct.FQDN@FQDN -mapuser bossosvcacct@FQDN -pass PW_FOR_SERVICEACCOUNT -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
ii.     replace PW_FOR_SERVICEACCOUNT with the password you entered for the BO Service Account you created in Step 1.
4.     Permitting Delegation for Service Account
a.     Once above steps are complete, go into properties of BO Service Account->Delegation.
i.     Set Delegation to "Trust this user for delegation to any services (Kerberos only)"
As a final step, please copy the keytab file that was created to a directory on the BO Server, add it to C:\WINNT, and create that directory if it doesn't exist there already.
BO XI3.1 Server steps:
5. Configure WinAD Authentication settings in the CMC
6. Edit Service Account in Local Policy Settings + Local Admin
7. Modify SIA to login with Service Account
8. Configure and add krb5.ini, bsclogin.conf, and bosso.keytab to C:\WINNT on BO Server.
9. Configure Tomcat Java Options
10. Modify the web.xml with all necessary changes
11. Modify server.xml with MaxHttpHeader change
I hope this is a very, very helpful answer.
Kind regards,
John

Similar Messages

  • LDAP authentication, pam.d on Solaris 11

    Hi,
    I tested ldap authentication on Solaris 11 and I didn't succeed with the ssh connection.
    I succeeded in viewing ldap users (getent passwd) and I modified /etc/pam.d/login, other and passwd
    with "auth required pam_ldap

    Hi,
    Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
    Change the line that states:
    auth required pam_unix_auth.so.1
    to
    auth binding pam_unix_auth.so.1 server_policy
    auth required pam_ldap.so.1
    Did you also check the attribute mapping for the LDAP client?
    svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
    svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
    What does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
    While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
    Kind regards,
    Lambert

  • Create external LDAP authentication to SAP via Web Dynpro

    Hi Guys,
    I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
    The user will enter his LDAP user and password and I will check via the LDAP connector to grant access to SAP.
    The only problem I have is to switch to the SAP user without knowing the SAP password. That's why I need external authentication.
    I have been told by a Basis expert that I could use Java to achieve this. I have also got the Java code that the Enterprise Portal uses.
    Am I on the right way? Can anybody advise me?
    Thanks and best regards
    Ali

    Hi,
    Refer this link and SAP Note
    [SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
    SNote: 517484
    Regards
    Preethish

  • Authentication from two LDAPs in WebCenter Spaces

    My customer needs to open authentication in WebCenter Spaces for all his employees and for his partners, which are stored in two different LDAP directories.
    How can I allow authentication from these two LDAP directories?
    Regards.
    CMN

    In Weblogic Console,
    Go to Security Realm - myrealm - Providers, select New
    Type your new provider name, for example MSAD, select type ActiveDirectoryAuthentication and OK.
    In myrealm providers you'll see your new provider; click on Reorder and put the new provider in first position. Do not restart the server yet.
    Select your new provider; in the Common tab set Control Flag to SUFFICIENT.
    Go to the Provider Specific tab; this is the configuration tab, put your MSAD configuration there.
    The Principal field is the user that binds to your MSAD to search your MSAD users.
    User Base DN is the base that contains the users.
    User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
    User Name Attribute: sAMAccountName.
    Apply all configurations, go to myrealm providers, select DefaultAuthenticator and change Control Flag to SUFFICIENT.
    Restart your Admin and all your managed servers.
    Hope that helps you.

  • LDAP authentication JAAS module?

    Hello
    We have installed a SAP Portal (EP7), using an R/3 data source for users.
    However, we would like to use an LDAP for authentication. The module should check login / password against the LDAP, check that the user exists in the UME, and then allow access to the portal (or not, depending on the result of the checks).
    In our case, it is not possible to use the LDAP directly as the UME datasource, as storing users' groups in the LDAP has been ruled out by the client, and this configuration is not subject to change.
    Has someone already made such a (JAAS) module, and could give some pointers on the subject? Or is authentication from another source than the one used in the UME a thing to avoid?
    regards
    Guillaume PATRY

  • LDAP authentication with R/3

    hi!
    after a long, long search I could not find out how to implement LDAP authentication for SAP R/3. To be honest I'm not an expert in R/3 Basis; for Web AS / EP I would know how to do it.
    Due to several network & security reasons we don't like to use the single sign-on or the ldap synchronization functionality.
    The only thing we would use ldap for is just to authenticate the user. Unfortunately, our LDAP users are not the same as the SAP users (8 chars in SAP, longer in LDAP). What the system should do is:
    - ask for username (sap 8-char) and password (ldap)
    - map sap-username and ldap-username (e.g. by the sap-aliasname or external username in USR15)
    - connect to the ldap-directory, find out whether user/pass is correct
    - if correct, log the sap-user in
    - that's all
    Any Ideas?
    Thanks,
    Markus

    Hi,
    It can be done. It all depends a bit on what kind of platforms you want to use it on.
    We're currently in the middle of introducing a Shibboleth CUA for all our systems, SAP or non-SAP. That means that one needs to authenticate to a central server and, via SSO, you will have access to the applications.
    For SAP, that'll mean that we no longer log in via a SAP GUI, but via the EP that authenticates against this CUA. Once logged in, one can launch a SAP GUI script that allows you to work on the SAP R/3 server.
    Have also a look at http://shib.kuleuven.be/
    Alternatively, you can set up a UME. See http://help.sap.com/saphelp_nw2004s/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm for this.
    Eddy
    PS.
    Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
    Spread the wor(l)d!

  • Recursive ldap authentication

    How do I configure the htmldb authentication so that it allows user logins where the user objects are in different ldap folders?
    For example all cn in o=xyz including any subfolder
    (we have unique cn; using Novell eDirectory)
    Ralf

    Ralf,
    You could try the search_s function in dbms_ldap package
    see http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/d_ldap2.htm#1003459
    You can supply a parameter to tell it whether to search the tree or just the base dn.
    HTH
    Greg

  • Java LDAP authentication - problem!!!

    I found an application in .NET (C#), and it works perfectly! (http://www.codeproject.com/KB/system/arbauthentication.aspx)
    I want to do this logic in my Java web application. All users in our domain must first log in to the web application!
    And this authentication must be over Active Directory (AD). Help me please.
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class AdLogin {
        public static void main(String[] args) throws IOException {
            Hashtable<String, String> authEnv = new Hashtable<String, String>();
            String userName = "";
            String passWord = "";
            InputStreamReader converter = new InputStreamReader(System.in);
            BufferedReader in = new BufferedReader(converter);
            System.out.println("Input your username:");
            userName = in.readLine();
            System.out.println("Input your password:");
            passWord = in.readLine();
            // bind as userPrincipalName: user@domain
            String base = userName + "@" + "xxxyyyzzz.com";
            String ldapURL = "ldap://192.168.0.99:389/";
            authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            authEnv.put(Context.PROVIDER_URL, ldapURL);
            authEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
            authEnv.put(Context.SECURITY_PRINCIPAL, base);
            authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
            try {
                // the bind itself is the authentication check
                DirContext authContext = new InitialDirContext(authEnv);
                System.out.println("Authentication Success!");
                authContext.close();
            } catch (AuthenticationException authEx) {
                System.out.println("Authentication failed!");
            } catch (NamingException namEx) {
                System.out.println("Something went wrong!");
                namEx.printStackTrace();
            }
        }
    }
    This code is not working when I input the true username & password. Exception!
    javax.naming.AuthenticationException:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    And when I input the true username but the password is blank (password="") it works...
    Authentication Success!
    Maybe this is anonymous authentication.

    If you would have searched through the forum you would have discovered that the Active Directory error code 525 means username not found.
    And you may also have discovered that a null password implies an anonymous logon.
    Either the user has mistyped their username, or you have made an incorrect assumption when constructing the userPrincipalName and appending the upn suffix "xxxyyyzzz.com".
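The two pitfalls in this exchange, the empty password that turns a simple bind into an unauthenticated bind and the AD "data 525" sub-code hidden inside error 49, in an added Python example that is not from any post on this page; the bind callable, the `example.com` suffix and the `alice` account are constructed stand-ins for a real directory.

```python
import re

# Sub-codes Active Directory appends to LDAP result 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


class LdapAuthError(Exception):
    """Raised by the bind callable with the server's diagnostic message."""


def decode_ad_bind_error(diagnostic):
    """Return (data_code, meaning) parsed from an AD error-49 diagnostic string."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return ("unknown", "no AcceptSecurityContext data code present")
    code = m.group(1).lower()
    return (code, AD_BIND_DATA_CODES.get(code, "unrecognised data code"))


def fake_ad_bind(principal, password):
    """Constructed stand-in for an AD simple bind; not a real directory.

    It reproduces the behaviour seen in the thread: an empty password is
    accepted as an unauthenticated bind, an unknown UPN yields data 525."""
    accounts = {"alice@example.com": "S3cret!"}  # constructed test account
    if password == "":
        return  # unauthenticated bind: "success" without any credential check
    if principal not in accounts:
        raise LdapAuthError("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                            "comment: AcceptSecurityContext error, data 525, vece]")
    if accounts[principal] != password:
        raise LdapAuthError("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                            "comment: AcceptSecurityContext error, data 52e, vece]")


def authenticate(user_name, password, upn_suffix, bind=fake_ad_bind):
    """Return (ok, log_reason). Only `ok` should reach the client; log_reason
    is for the server log, so 525 vs 52e is not leaked to whoever is typing."""
    user_name = user_name.strip()
    # Guard 1: never let an empty password reach the bind (RFC 4513 5.1.2).
    if not user_name or password == "":
        return (False, "refused: empty user name or password (would bind unauthenticated)")
    # Guard 2: the UPN suffix is appended here, so a name that already carries
    # '@' or a domain prefix is not the bare sAMAccountName this code expects.
    if "@" in user_name or "\\" in user_name:
        return (False, "refused: user name is not a bare sAMAccountName")
    principal = user_name + "@" + upn_suffix
    try:
        bind(principal, password)
    except LdapAuthError as exc:
        code, meaning = decode_ad_bind_error(str(exc))
        return (False, "bind rejected for %s: data %s (%s)" % (principal, code, meaning))
    return (True, "authenticated " + principal)
```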

  • EN4093R LDAP authentication and authorization

    Hi, I want to configure ldap authentication and authorization. Can anyone help me to configure this? In my test environment I want to give our Domain Admins access to our switches. I found only basic configuration in the user manual but I got no information on configuring groups. Could I configure two or more groups to access the switch?

    What type of ldap server are you using? Microsoft Windows 2012 or 2008? I have a problem with 2012 not giving the groups back for some users.
    Same problem as
    https://supportforums.cisco.com/message/3866327#3866327
    debug ldap 255
    shows the correct value for one user that is working:
    [196] Authentication successful for Administrator to 192.168.20.80
    [196] Retrieved User Attributes:
    [196]   objectClass: value = top
    [196]   objectClass: value = person
    [196]   objectClass: value = organizationalPerson
    [196]   objectClass: value = user
    [196]   cn: value = Administrator
    [196]   description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
    [196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
    [196]   instanceType: value = 4
    [196]   whenCreated: value = 20081201134058.0Z
    [196]   whenChanged: value = 20131126141559.0Z
    [196]   displayName: value = Administrator
    [196]   uSNCreated: value = 12298
    [196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
    [196]           mapped to Group-Policy: value = ssl_admin
    [196]           mapped to LDAP-Class: value = ssl_admin
    One user that is not working:
    no entries with memberOf in debug
    [190] Authentication successful for sdag to 192.168.20.80
    [190] Retrieved User Attributes:
    [190]   objectClass: value = top
    [190]   objectClass: value = person
    [190]   objectClass: value = organizationalPerson
    [190]   objectClass: value = user
    [190]   cn: value = sdag
    [190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
    [190]   displayName: value = sdag
    [190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
    [190]   proxyAddresses: value = smtp:sdag@xxxx
    [190]   proxyAddresses: value = SMTP:sdag@xxxxx

  • LDAP connection with WebLogic console and authentication with Java

    Hello,
    I want my web application to use ldap authentication for users, and all parameters (host, port, base, ...) to be configured in the WebLogic console.
    I managed to do it by security-->realms-->...., but now I want to perform the authentication in my Java code.
    I don't know how to realize it because I don't know how to use my ldap connection in Java code without redefining the parameters in my code...
    Can anyone help me please?
    Thanks a lot for your help.

    Hey,
    on a windows server system you have to put the target system CA Certificate in the local Trusted System Certificate Store of Microsoft Server. Then the connection should work.
    On a Java System you have to put the CA in the Key Storage of the SAP System.
    I think on Unix you could use the SAPCRYPTOLIB to place the CA in  the abap system.
    Kind regards,
    Sven Walter

  • Change passwords after using LDAP authentication

    It seems that we have successfully set up a Portal server using external authentication. But somehow, no one can change his/her own password after logging into Portal. The error message is "the user does not have the privilege to perform this operation. (WWC-41661)". Is there any special setting that needs to be done on LDAP for this?
    Thank you for any advice.
    Zhuang Li

    Hi,
    We upgraded our company email server, which effectively runs our email, DNS and Open Directory with a dozen users. Last night the system was upgraded from 10.10.2 to 10.10.3, which seemed routine.
    The upgrade process hung while it was finishing the installation and didn't finish. Upon reboot, it looked OK and needed to upgrade OS X Server to 4.1 from the previous version, which I proceeded with and completed.
    Since then we have lost all of our user accounts and can't access the email data. I tried to reboot from the backups and it seems that somehow, when booting from the external 10.10.2 backups, we get a message that OS X Server is not compatible. Our backups are usually done using Carbon Copy Cloner.
    Not sure what to do; help is greatly appreciated. While I can recreate the users, I don't want to damage the email data.
    Many thanks,
    /Oliver

  • Error in LDAP authentication

    hi all,
    I am wondering if there is someone who has had the same error we are currently facing...
    Here is the problem:
    In our single sign-on we authenticate the user with ldap in a stateless session bean. This all works perfectly except that from time to time we get an error in the class "com.sun.jndi.ldap.BerEncoder" in the method "endSeq"... The exception is:
    java.lang.IllegalStateException: BER encode error: Unbalanced SEQUENCEs
    Any ideas why this error occurs?
    TIA
    sandro

    I started getting this error when I mistakenly changed a search filter from (&(uid=james)(objectclass=Staff)) to (uid=james)(objectclass=Staff)). It is complaining about the unbalanced parenthesis.
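The unbalanced-parenthesis filter above, and the user-lookup templates quoted earlier on this page ("(&(sAMAccountName=%u)(objectclass=user))", "uid={0}"), share one failure mode: whatever lands in the filter string is parsed as filter syntax. This added Python example (not from any post here) escapes the user-supplied value per RFC 4515 and rejects a filter that is not a single balanced component before it reaches the encoder; the `{0}` template placeholder is an assumption of the example.

```python
# Characters that carry meaning inside an LDAP filter (RFC 4515 section 3).
_FILTER_SPECIALS = "*()\\\x00"


def escape_filter_value(value):
    """Escape an assertion value so it cannot add or close filter components."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def filter_is_balanced(flt):
    """True if parentheses balance and there is exactly one top-level component.

    Escaped bytes such as '\\28' and '\\29' are skipped, so they never count.
    '(uid=james)(objectclass=Staff))' fails twice: a second top-level component
    and a stray ')'. This is the shape the JNDI BER encoder rejects with
    'Unbalanced SEQUENCEs'."""
    depth = 0
    closed_top_level = False
    i = 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":
            i += 3                      # skip the backslash and two hex digits
            continue
        if ch == "(":
            if depth == 0 and closed_top_level:
                return False            # second top-level component
            depth += 1
        elif ch == ")":
            if depth == 0:
                return False            # closing paren with nothing open
            depth -= 1
            if depth == 0:
                closed_top_level = True
        i += 1
    return depth == 0 and closed_top_level


def user_filter(template, user_input):
    """Fill a template such as '(&(sAMAccountName={0})(objectclass=user))' with
    an escaped value and refuse the result unless it is a single balanced filter."""
    flt = template.replace("{0}", escape_filter_value(user_input))
    if not filter_is_balanced(flt):
        raise ValueError("malformed filter: " + flt)
    return flt
```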

  • SASL and LDAP authentication for an application

    Dear MAC administrators,
    I would like to ask how to set up SASL to authenticate
    against OpenLDAP for an svnserve application.
    A) LDAP works well on MAC and slack as well
    ldapsearch -x -h ldap.stuba.sk -b "ou=People,dc=stuba, dc=sk" -W -D "uid=fodrek,ou=People,dc=stuba,dc=sk" uid=*fodrek*|egrep employ
    Enter LDAP Password:
    employeeType: staff
    employeeType: ext
    employeeType: ext
    employeeType: student
    employeeType: staff
    B)  saslauthd -c -m /var/runsaslauthd -d -a ldap
    shows
    saslauthd : set_auth_mech: unknown mechanism: ldap
    Is there anybody who is able to tell me where I am making an error, please?
    I look forward to hearing from you
    Yours faithfully
    Peter Fodrek

  • How can I use LDAP for Tomcat authentication ?

    Hi
    I have an implementation of apache 1.3.20 with tomcat 3.2.3. I am doing auth. with an ldap server which works perfectly with apache mod_auth_ldap (module). When I am trying to read the environment variables with a cgi, REMOTE_USER returns me the authenticated user, but when I am doing a getremoteuser() in my servlet with tomcat, it returns NULL. Why?
    I came across this page when looking for material:
    http://www.peacetech.com/java/files/apache/tomcat/
    and did the following:
    1) Downloaded jndi_auth_beta1.jar, extracted the jndi_auth.jar file which contained
    class files and placed them inside my tomcat/lib directory
    2) Then I updated the server.xml file of my Tomcat, since I wanted to use LDAPRealm:
    <RequestInterceptor className="com.peacetech.webtools.tomcat.LdapRealm"
    debug="1"
    directoryUrl = "ldap://csee.usf.edu:389"
    searchBaseContext = "o=usf.edu"
    searchFilter = "uid={0}"
    searchScopeAsString = "sub"
    securityAttributes = "securityEquals"
    attributesReadByOwner = "true"
    connectionMaxPoolSize = "10"
    ldapVersion = "3" />
    Then I shut down and restarted the server after some initial hiccups, then I tried to open some sample JSPs and servlets in the examples directory of my server. But I was not asked for any UserId/Password. Was wondering if I have done anything wrong??
    Thanks
    Arun

    Maybe you should look at JAAS for that. I think it could help you.
    http://java.sun.com/products/jaas/
    C

  • Using LDAP with query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully, so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within an LDAP group.
    Is there a way to build a query for this case (datasource configuration file, etc.)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    thanks for your fast reply!
    The problem is that we have about 5.000 users in our LDAP system (Exchange); this includes several system users and also special users for e.g. domain administration, etc. Only about 2000 users are really prospective portal users and only these users should have access to the portal generally. The intention is to filter out the redundant users, so we won't have problems with SAP licenses for users who should never be able to use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch