DBConsole (DBControl) and LDAP authentication

Does anyone know if it is possible to use LDAP authentication to login to the DBConsole? I have a user "identified globally as 'cn=username,dn=...'" who can login to the database locally and remotely through SQL*Plus but gets a ORA-01017 when trying to login to the DBConsole.
Any help greatly appreciated.
Rgds,
Barry Winterbottom

2009-02-25 17:09:22,824 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
2009-02-25 17:09:22,853 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,854 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:22,858 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,861 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,863 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:22,867 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
2009-02-25 17:09:26,386 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:26,388 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:26,392 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:26,396 [EMUI_17_09_26_/console/aboutApplication] ERROR svlt.PageHandler handleRequest.639 - java.lang.IllegalStateException: Response has already been committed
2009-02-25 17:09:26,398 [EMUI_17_09_26_/console/aboutApplication] ERROR em.console doGet.360 - java.lang.IllegalStateException: Response has already been committed, be sure not to write to the OutputStream or to trigger a commit due to any other action before calling this method.
2009-02-26 00:00:02,633 [JobWorker 381202:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-02-27 00:00:08,800 [JobWorker 383122:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-02-28 00:00:13,778 [JobWorker 385056:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-01 00:00:05,527 [JobWorker 386985:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-02 00:00:04,569 [JobWorker 388914:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-03 00:00:04,854 [JobWorker 390843:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-04 00:00:06,475 [JobWorker 392772:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-05 00:00:16,925 [JobWorker 394701:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-06 00:00:03,966 [JobWorker 396630:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-07 00:00:05,230 [JobWorker 398559:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-08 00:00:07,261 [JobWorker 400488:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-09 00:00:13,081 [JobWorker 402417:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-10 00:00:10,175 [JobWorker 404346:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-11 00:00:04,567 [JobWorker 406275:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-12 00:00:05,993 [JobWorker 408204:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-13 00:00:03,332 [JobWorker 410133:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-14 00:00:10,129 [JobWorker 412062:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-15 00:00:01,753 [JobWorker 413991:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-16 00:00:03,187 [JobWorker 415920:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-16 16:29:02,904 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.352 - Closed Connection: OraclePooledConnection.getConnection() - SQLException Ocurred:Invalid or Stale Connection found in the Connection Cache
2009-03-16 16:29:02,906 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17008; Cleaning up cache and retrying
2009-03-16 16:30:42,529 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-16 16:30:42,535 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-16 16:30:44,381 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-16 16:30:50,683 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-16 16:30:50,686 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-16 16:30:50,823 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-16 16:30:51,219 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-16 16:30:51,222 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-16 16:30:51,225 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-16 16:30:51,227 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-16 16:30:51,230 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-17 00:00:06,334 [JobWorker 417849:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-18 00:00:10,641 [JobWorker 419778:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-18 11:56:58,339 [EMUI_11_56_58_/console/database/monitoring/archiveFull$target=ADM111.nss.scot.nhs.uk$type=oracle*_database] ERROR perf.space logStackTrace.359 - java.sql.SQLException: Numeric Overflow
2009-03-19 00:00:02,843 [JobWorker 421707:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-20 00:00:03,388 [JobWorker 423631:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-21 00:00:03,407 [JobWorker 425565:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-22 00:00:06,065 [JobWorker 427494:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-23 00:00:02,580 [JobWorker 429423:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-23 15:37:15,441 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:37:15,447 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:37:17,177 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:37:23,172 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:37:23,176 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:37:23,311 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:37:23,684 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:37:23,702 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:37:23,706 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:37:23,708 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:37:23,711 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-23 15:41:18,591 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:41:18,596 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:41:19,872 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:41:24,915 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:41:24,918 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:41:24,997 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:41:25,296 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:41:25,299 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:41:25,301 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:41:25,303 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:41:25,305 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-23 15:52:29,116 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:52:29,122 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:52:30,750 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:52:36,541 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:52:36,544 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:52:36,629 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:52:36,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:52:36,976 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:52:36,978 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:52:36,980 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:52:36,982 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-24 00:00:06,712 [JobWorker 431352:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-24 16:51:58,193 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-24 16:51:58,202 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-24 16:51:59,946 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-24 16:52:06,485 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-24 16:52:06,487 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-24 16:52:06,605 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-24 16:52:06,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-24 16:52:06,983 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-24 16:52:06,986 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-24 16:52:06,989 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-24 16:52:06,991 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-25 00:00:05,652 [JobWorker 433276:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-26 00:00:02,804 [JobWorker 435194:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-27 00:00:07,235 [JobWorker 437123:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.

Similar Messages

XI 3.1 Client Tools and LDAP Authentication

I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos

Weblogic Server 10.3.0 and LDAP authentication Issue

Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
     Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<url>>
<1291668685702> <BEA-000000> <     Parent: null>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Roles:Anonymous>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Direction: ONCE>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions.

Solaris 10 and LDAP Authentication

Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
I'am missing any steps?
Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
Message was edited by:
automount
Message was edited by:
automount

You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary

Database Table and LDAP Authentication in the same repository?

I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-Matt

Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.

Interface creation and LDAP authentication ...

Hi...All SAP friends,
i have to work on an interface creation with the following specifications:
1. SAP Enterprise Portal gives us an URL which contains UserID
2. You have to create an interface to read the URL,
3. Connect to LDAP server...from there come to know whether it is external or internal user, meaning if it exist in LDAP it is internal otherwise it is external user
4. If the user id is internal, interface has to create a file and place it at a particular location & create a webservice for this and expose to EP
5. if not it should give an alert saying it is an external user id
Please help me out how to start and what to do..!
Thank you.

Hi,
These are the main steps,
***Assume that you know basic of authentication methods and how to define those in Apex
01. Create a function to authenticate the user
a. Check on the database whether user is exists
b. If exists then authenticate that user with LDAP
c. If user doesnot exists or authenticate failed then return false
d. If user exists and authentication success then return trueSignature of the function
FUNCTION <fucntion name> (p_username VARCHAR2, p_password VARCHAR2)
RETURN BOOLEAN;
* Makesure that you do both inside the one procedure
02. Create another function to check the page level authorization(if you need pagelevel verification. But if all users has same permissions on the aplication this is not necessary)
03. Create a new authentication
a.Go to Application Builder
b.Shared Component
c. Authentication Schemes(under Security)
d. Click "Create"
e. Select "From Scratch"
f. Proceed with the wizard and define "*Page Sentry Function*" (Only when you ahve page level authorization- BAove 2) and "*Authentication Function*"04. Set new authentication schema to current
a. Goto "*Change Current*" Tab
b. Sleect the new schema from the list
c. Click Next and proceed with wizard.
Thanks,

SSL and LDAP authentication

I have installed Iplanet dirserver (5.1 sp1) on Solaris 8. I have Solaris 8 clients which should authenticate every user ssh connections with this ldap server.
I have done everything as described in LDAP setup and Configuration Guide (found that in sun.com website) and everything works fine if i don't use SSL.
What should i do to make SSL work?
I have installed ssl ceritficates etc. and when i make dir server to use ssl it works fine with iplanet console (in access log it says SSL connection) But i can't get it work from my clients.
My default port is 5001 and i have set ssl port to 5002 but everytime that i change client profile (and configuring client with ldapclient command) to use port 5002, authentication don't work anymore. Actually that ldapclient command doesn't work either. I can see in access log that client tries to take SSL connection, but server doesn't respond to it.
Can anyone help me on this?
Jani

I recently setup an iDS5.1 LDAP server as a naming service to a couple Solaris 9 clients. You must use the default SSL port (636), see http://docs.sun.com/db/doc/806-4077/6jd6blbdd?a=view .
In my case, I used a self-signed cert on the Server. I then copied the cert7.db, key3.db and secmod.db files from the server to the /var/dlap directory on the clients. The files you want from the server are in the SERVER_ROOT/alias directory. Specifically, the slapd-id-cert7.db and slapd-id-key3.db are the ones you want. Where id is the slapd server instance name, typically the host name of the computer.
HTH,
Roger S.

AIR-WLC2106-K9 and ldap authentication

Is it possible to authenticate wireless clients using a external openldap server running on CentOS?

You can do that either with local EAP where LDAP as a backend server OR a web-authentication where LDAP is the backend auth server.

Authenticating against both RDBMS and LDAP in WL6.0

Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt

We are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_uersID or int_userID.
Doing this will allow you to filter the where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hopes this helps.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
"Jonathan Thompson" <[email protected]> wrote in message
news:3accf1a3$[email protected]..
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate viaLDAP;
for external users we would like to use RDBMS. In WL5.1, this looked tobe
possible with the DelegatingRealm, however this has been removed in WL6.0.
>
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
[att1.html]

Integrated LDAP authentication and now BAM start page is very slow to load

Hi, all~
I have a fresh install of BAM 10.1.3.3 with the 10.1.3.4 patch applied.
I've reviewed the BAM installation guide and LDAP integration tech note, and have been able to successfully integrate BAM with our LDAP, where "successful" means that I'm able to provide my own LDAP credentials and log in to BAM.
However, the BAM start screen now consistently takes somewhere on the order of 1-2 minutes to load... so I guess I'm wondering if there's a common cause for this sort of error?
Any suggestions of things to check would be appreciated.
Thanks,
- Nathan

For whatever it's worth, the solution in our case was to decouple BAM (10g) from LDAP.
User administration becomes a slightly more manual process in this case, but the BAM pages load almost instantly for users now, whereas before for some users it would take as much as 10 minutes for a page to load following their logging in.
Another benefit from LDAP decoupling is that IIS is able to do Windows integrated login for users, meaning that the users don't need to provide a login and password any longer.
The one "gotcha" that was encountered had to do with IIS realms and creating JDeveloper connections to the BAM server following the decoupling. From our testing, under IIS -> Web Sites -> Default Web Site -> Properties -> Directory Security (tab) -> "Authentication and access control" Edit button, the following needs to be specified:
Check only "Integrated Windows login" and "Basic authentication"
Specify a "Default domain" by pressing the Select button and choosing an appropriate domain
From there, in your JDeveloper BAM connection, be sure to include the selected domain in your connection properties.
- Nathan

APEX 3.2: Switching between APEX authentication and LDAP?

I'm building an APEX 3.2 application that has to be deployed automatically to the target environments (by executing the APEX export SQL in the relevant parsing schema).
One problem is that different environments will have to use different authentication mechanisms:
Development and System Test will use simple APEX authentication (i.e. APEX users).
Acceptance Test and Production will use LDAP via OID for single sign-on.
So how do I set the application up so that it can switch from APEX authentication to LDAP authentication if it is in the Acceptance Test or Production environments?
My customers seem very reluctant to have a manual step in the process e.g. to switch the authentication scheme for the application after installation, so I need to find a way to do this automatically if possible.
Any suggestions?
Thanks.
Chris

Chris,
We do something similar, in that we dynamically switch authentication based on the application you're trying to log in to. Basically, you need to set up a custom authentication procedure which checks which system you're in, and then validates the user appropriately.
Does that help?
-David

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

Jabber for Windows and Ldap Contacts without CUPC license

Dear Sr:
It is possible to add a user on ldap as a jabber contact WITHOUT assigning a CUPC license to the user?
The idea is that some users on the ldap don't have jabber but we should be able to add them as a contact AND we dont want to use jabber licenses for those users or have Presence server to load balance those users.
We can add Microsoft contact as jabber contact with no issues...
Thanks

LDAP Authentication of End Users in CUCM is strongly recommended for CUPC/Jabber. When you login to CUPC/Jabber it authenticates against CUCM. If LDAP doesn't have the same password (i.e. CUCM isn't synced from LDAP) the client won't be able to do LDAP queries if using BDI. This is because it re-uses the same credentials when it attempts to bind to LDAP. If Jabber is configured for EDI, which is only even possible on Jabber for Windows running on domain-joined workstations, then this is not as critical since it would use the Windows ADSI API in the context of the logged-in user. Using EDI exclusively would rule out Jabber for Mac, iOS, Android, and Windows on a non-domain joined workstation though.
As for usernames: You can continue to use employeeNumber if you wish. You'll need to ensure that the jabber-config.xml file maps the username to this value for everything to work. Note that this will be their XMPP URI: [email protected] so be sure that you're comfortable with employee numbers being public.
Please remember to rate helpful responses and identify helpful or correct answers.

How to get user attributes from LDAP authenticator

I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciated

Hi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Beginner
Medium
Advanced
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev

How to use two different LDAP authentication for my Apex application login

Hi,
I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
Does anyone know how to define both the group in LDAP DN String ?.
Thanx in advance
Vijay.

Vijay,
I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
Scott

DBConsole (DBControl) and LDAP authentication

Similar Messages

Maybe you are looking for