Does weblogic server include an LDAP server

Similar Messages

• Weblogic 8.1 & Embedded LDAP server

  Hi,
  Is it possible to store user attributes alongwith username & password in the Weblogic 8.1 Embedded LDAP Server?.
  We have about 6 user profile attributes along with the username & password. Does weblogic's embedded LDAP Server
  support this feature.
  Any help will be appreciated.
  thanx,
  Vishwa

  Hi Vishwap,
  Did you ever found out how to manipulate additional information in the embedded LDAP server?
  I am in critical need to do the same.
  Thanks in advance for your comments.
  Zi

• Server Admin reports LDAP Server is Stopped

  Hi,
  My 10.5 server has stopped processing OD stuff.
  The server had been having problems with it's AD connection. I removed the AD binding and then performed the binding again. Rebooted the server and the AD connection was fine but Directory Utility said that the OD was not responding.
  I looked in server admin and it says:
  LDAP Server is Stopped
  Password Server is Running
  Kerberos Server is Stopped
  LDAP search base Not available
  The LDAP logs are displaying the following on a constant loop:
  Sep 29 16:22:52 Xserve01 slapd[8332]: @(#) $OpenLDAP: slapd 2.3.27 (Sep 29 2009 20:28:12) $
  Sep 29 16:22:52 Xserve01 slapd[8332]: could not open rootdse attr file "/etc/openldap/rootDSE.ldif" - absolute path?
  Sep 29 16:22:52 Xserve01 slapd[8332]: olcRootDSE: value #0: <olcRootDSE> could not read file /etc/openldap/rootDSE.ldif
  Sep 29 16:22:52 Xserve01 slapd[8332]: config error processing cn=config: <olcRootDSE> could not read file
  Sep 29 16:22:52 Xserve01 slapd[8332]: slapd stopped.
  Sep 29 16:22:52 Xserve01 slapd[8332]: connections_destroy: nothing to destroy.
  Any ideas anyone?

  Hi
  Assuming this is a classic 'AD-OD' Integration and all OSX Server is being used for is mac-style GPOs or MCX then you should be back to normal - hopefully - in 5 minutes or so.
  Export any OD Groups and/or Computer Lists you have, this will retain the Group Memberships as well as MCX applied at that level. Disconnect the Server from the Active Directory - unbind in other words - and finally demote the Server to Standalone. Server Admin > Open Directory > Settings > Role. Once demoted rebind to AD, verify WorkGroup Manager is accessing/reading the AD LDAP node and finally promote to Open Directory Master. Server Admin > Open Directory > Role > change from "Connected to a Directory System" to "Stay connected and promote to Open Directory Master". Fill in the appropriate details for the diradmin account, leave everything else at their defaults and you should be functional again in 30 seconds or so. Verify in the Overview tab that all Services are running apart from Kerberos. In an AD-OD Integrated environment you don't want Kerberos running on the OD Master.
  Finally launch WorkGroup Manager, navigate to the LDAPv3 node and import your saved Group and/or Computer Lists.
  You could have also archived the LDAP Database and restored it. But seeing as you don't have any real users (apart from diradmin) there's not much point IMO.
  Tony

• What is the best way to maintain access control management - Weblogic, LDAP Server or EJB

  Hi All,
  I am involved in creating an application which maintains/manages
  the user privileges. The application is deployed in Weblogic6.1 and
  the users are stored in LDAP Server. The LDAP Server is located
  geographically away and I dont have rights to add or remove users. I
  have to write an application in EJB which will give different
  privileges to the users who are stored in LDAP Server. users may have
  different privileges of same Group.
  Please let me know how can I proceed. Whether I got to go with ACL's
  or Declarative Security in EJB component.
  Thanks in Advance...
  with regards,
  Gokul.

  Please let me know how can I proceed. Whether I got to go with ACL's
  or Declarative Security in EJB component.Couple of points.
  o You can not set ACL on EJB thru console. ( If you mean to do that) You can
  set the
  ACL on JNDI context on which you do a lookup.
  o If you do not want to set ACLs in JNDI context, your option is use
  declarative security
  in your ejb xml descriptors.
  I hope this answers your question.
  -utpal

• Can I use LDAP server's authentication mechanism rather than comparing password ?

  Hi All,
  The weblogic security and adminguide says that the user authencation can be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP server rather
  than picking up the password from LDAP and comparing at weblogic end. Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3 picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparing it:
  1. Netscape directory server can store the password in oneway hashed form(and
  that is preferred , too). So when userpassword attribute is read , it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpassword attribute
  itself is a security threat, as if someone can crack that user's dn and password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson

  Thanks a lot Jerry.
  I got these stuff from weblogic 6.1 docs sets security.pdf and adminguide.pdf.
  I have another question, if that is the case (in Case of BIND), then why do we
  a require a dn of user and password who has the access to read the entire directory
  And at the same time, u specified this for Bind, what are the cases for other
  two-local and external ? And then what is actually difference between Bind and
  Local ?
  Pls help me.
  Thanks,
  Sudarson
  Jerry <[email protected]> wrote:
  Hi Sudarson,
  Whatever doc you were reading is at least partially incorrect, unfortunately...
  I know for sure that when you specify BIND, weblogic sends the username/password
  to your
  LDAP server in an attempt to bind to it.
  If the bind is successful, WLS determines that the username/password
  pair were correct.
  If the bind was unsuccessful, WLS determines that the username/password
  pairing is not
  valid.
  At all times, WebLogic is letting the LDAP server do the actual compare
  of
  username/password. WLS does not, at any time, retrieve a password from
  the LDAP server.
  I hope this helps,
  Joe Jerry
  sudarson wrote:
  Hi All,
  The weblogic security and adminguide says that the user authencationcan be of
  the following 3 types:
  1. Bind specifies that the LDAP security realm
  retrieves user data, including the password for
  the LDAP server, and checks the password in
  WebLogic Server.
  2. External specifies that the LDAP security
  realm authenticates a User by attempting to
  bind to the LDAP server with the username
  and password supplied by theWebLogic
  Server client. If you choose the External
  setting, you must also use the SSL protocol.
  3. Local specifies that the LDAP security realm
  authenticates a User by looking up the
  UserPassword property in the LDAP directory
  and checking it against the passwords in
  WebLogic Server.
  But say I want that my users should be authenticated by the LDAP serverrather
  than picking up the password from LDAP and comparing at weblogic end.Then what
  should I do ?
  Because no. 2 is applicable only for ssl certificates, no.1 and no.3picks up
  password using the login dn and password provided at the time of configuration
  of realm and compare with password given by user.
  And once gain there some issues on having picking up password and comparingit:
  1. Netscape directory server can store the password in oneway hashedform(and
  that is preferred , too). So when userpassword attribute is read ,it's in one
  way hashed form. So how the comparison will go on ?
  2. Creating a user who has the access to user data along with userpasswordattribute
  itself is a security threat, as if someone can crack that user's dnand password
  then he/she can do anything as userdata can be read.
  Any suggestion is welcome.
  TIA,
  Sudarson

• External LDAP Server

  Hello.
  Is it possible to configure WebLogic to use external LDAP server, which in turn is "built in" in other WebLogic (at other physical machine)?
  And if it is possible, can I use OracleInternetDirectoryAuthenticator provider for this?
  (sorry for my english)

  Hi
  OID is all together a different LDAP provider.
  You can try to create a Authenticator of type LDAPAuthenticator and accordingly provide the configurations.
  Check the below note.
  http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#i1199007

• OpenLDAP authentication provider with CA LDAP server

  Hi,
  I am trying to get authentication to work using an OpenLDAP AP connecting to CA LDAP server (formerly eTrust LDAP server). I am at the point where the bind is successful, the user account is authenticated in LDAP, but I am unable to retrieve the group information.
  Here is the error for the group lookup:
  ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <[Security:090278]Error listing member groups myACID>
  This is the final error, presumably because the group lookup failed:
  ####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User myACID denied
       at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
       at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
       at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
  The CA LDAP server is pointed to a Top Secret database, so the attribute names are atypical as far as directory services objects are concerned. I've tried modifying the group and static group information to search both groups and profiles, but both fail. I've also tried omitting the static group information, and specifying dynamic group info, but that failed as well.
  Here is the search it is running:
  (&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)(objectclass=tssprofile))
  Here the is the group based DN: tssadmingrp=profiles,host=ourdevsysid,o=our.org
  The group search scope is subtree. I tried unlimited, and a limited of 2 levels.
  If I execute the filtered search using a third party tool (JXplorer), I receive this error:
  javax.naming.NamingException: [LDAP: error code 80 - LDP2900E Unknown attribute, , in filter string]; remaining name 'tssadmingrp=profiles,host=ourdevsysid,o=our.org'
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3085)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
       at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
       at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
       at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
       at com.ca.commons.jndi.JNDIOps.rawSearch(JNDIOps.java:1192)
       at com.ca.commons.jndi.JNDIOps.rawSearchSubTree(JNDIOps.java:1039)
       at com.ca.commons.naming.DXOps.rawSearchSubTree(DXOps.java:343)
       at com.ca.commons.jndi.JNDIOps.searchSubTree(JNDIOps.java:1030)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.unthreadedSearch(JNDIDataBroker.java:772)
       at com.ca.directory.jxplorer.broker.DataBroker.doSearchQuery(DataBroker.java:485)
       at com.ca.directory.jxplorer.broker.DataBroker.processRequest(DataBroker.java:253)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:376)
       at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
       at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
       at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
       at java.lang.Thread.run(Thread.java:662)
  When I execute that same search in JXplorer directly on one of the profile objects (e.g. tssprofile=@oneofourprofiles,tssadmingrp=profiles,host=a12sysid,o=tgslc.org), it runs successfully.
  Here is an old post. Seems the op encountered the same problem I did.
  authentication provider for CA eTrust LDAP server
  Anyone work with these technologies in a past life?
  Thanks,
  Rob

  Are you able to see the users in weblogic?Not for this AP. I have a ReadOnly SQL authenticator as well. I am able to see users for that, and for the Default Authenticator.
  Have you assigned admin roles to the user in weblogic?No. I do not intend to do that, and I don't believe I am required to do that.
  is the group base dn properly configured?Yes.

• InitialContext.unbind() deleted the admin user for LDAP server...

  Hi,
  I am doing a connection to a LDAP server from Java code. Everything was fine for several days. But today I noticed that I don't execute an unbind operation and decided to put the necessary code. So I used InitialContext.unbind(). The result was that on the first execution of my program everything was OK. But on the second execution I was not able to bind to the server at all with the constructor of InitialLdapContext class even after restarting the machine from which I execute the Java code and the machine with the server. So it went that the admin user I was using for bind and unbind credentials was deleted. I am sure that the unbind() method is causing the problem because I actually broke the two LDAPs that I have (testing referrals...).
  Now I use close() method instead of the unbind() method and everything is OK but I wonder how is this possible and why is it not documented?

  I can't imagine documenting something like "This method will delete the admin user from your server". If that's the case then it's a bug, not something to be documented. Report it to whoever wrote your Java implementation. If that's Sun, then here:
  http://bugs.sun.com/bugdatabase/login.do
  You might also want to look into your LDAP server and see if it's a known bug there.

• OSX 10.9 Maverick add a LDAP server via script

  I use applescript to add a LDAP sever on 10.8, but after the 10.9 released, I found the script cannot use any more.
  Seems is the new Mail app doesn't support LDAP sever , it is integrated to Internet Accounts
  However the SAMPLE script is still the same. (  /Library/Scripts/Mail\ Scripts/Create\ New\ LDAP\ Server.scpt )
  Does any one know how to config internet accounts via script (BASH script is OK too)?
  the new mail app does not understand
  make new ldap server with properties {name:theName, host name:theAddress, search base:theSearchBase, Çclass ldpoÈ:thePort, scope:theScope}
  any more.

  I'd first read the subject and thought this involved creating an entire LDAP server via script and thought... whoa, that's some script.    
  But you're seeking to reference a remote resource or some automated way to configure your client mail, and that's currently using LDAP, right?  If so, then Apple has shifted over to Profiles and away from LDAP and MCX and related.  Profiles would be the approach I'd follow here, either with OS X Server and its profile manager or some other MDM service.
  If you have access to the Apple WWDC13 session videos, there's a session on the Profile Manager that might be worth your time.

• Still LDAP server not responding when add to authentication search path ...

  Howdy All,
  I still have an OS X Server 10.5.6 (running Open Directory with its own Master directory) that when configured to connect to a corporate LDAP server indicates the server is responding fine, but when I add the server to the authentication search path, the server is no-longer responding.
  I suspect this may mean the LDAP server is choosing to no-longer respond? Is it possible that the LDAP server could have my machine / IP address "black-listed" in some way? I have asked corporate IT but they didn't seem to think so (although I was queried before about repeated connect attempts).
  Somewhat strangely I can configure a laptop client (OS X 10.5.6) to connect to the same LDAP server from an Ethernet port on the same LAN and it works fine. However, when I connect this laptop to the LAN through my server (WiFi NAT) I get the same issue as described above.
  I don't have the firewall on the server turned on, I have played around with some certificates on the server, but have set "TLS_REQCERT never" in the ldap.conf file on the server (and client) as suggested by corporate IT. I have Kerberos running on the server and all else seems fine on the server.
  Can anyone suggest what may be causing this? Or how I can debug the problem?
  Thanks in advance.
  Cheers,
  Ashley.

  Hi Jeff,
  Thanks for your post. That said, I'm not sure how you got the impression that I wish to go to Maine I'm happy here in Perth, Western Australia.
  Jeff Kelleher wrote:
  Connecting a Mac to an LDAP server is a far cry from connecting a OS X Server to an existing LDAP server. Not that I could necessarily help, but asking how to connect an OS X Server to an LDAP server is a bit like asking "guess where I am now, how do I get to Maine?"
  You need to provide as much info as you can.
  Seriously though, I'm not sure of the difference. I am using Directory Utility to allow this OS X Server to get authentication information from an LDAP server just like an OS X Client would.
  I have Open Directory in Server Admin just setup to connect to a directory system (i.e. the organisation LDAP server), not a master or replica.
  My final goal is to allow access to an OS X TeamsServer Wiki by users who are authenticated against the LDAP server (rather than having to have separate accounts, logins, on the OSXS.)
  I am hoping that I can use a group from the LDAP server to define the team, but perhaps I will have to run a standalone OD. I hope then I can add LDAP users to the OD group.
  What other information would help?
  Thanks,
  Ashley.
  OS X Server 10.5.6

• Use of external LDAP server in Weblogic Commerce Server

  I'm using the following software:
  Iplanet Directory Server v5
  Weblogic Application Server v6
  Weblogic Commerce v3.5
  I need to configure Weblogic Commerce Server to use Iplanet Directory Server directory
  services. How do I do that?
  I have a couple of questions related to this:
  1) As Weblogic Commerce Server runs on top of Weblogic v6, does it mean that to
  use an external LDAP server, I need to configure weblogic v6 to do that and not
  Weblogic Commerce Server?
  2) Whatever may be the case above, how do I do that?
  3) config.xml (weblogic application server v6) contains information that needs
  to be modified to point to an external JNDI source provider but what information
  do I need to modify?
  I'd really appreciate if someone can help me out here. Thanks!

  "JP" <[email protected]> wrote in message news:[email protected]..
  Hi,
  I'm looking for someone who has used the Lotus LDAP server for WLP7
  authentication.
  I connect my portal to the Domino LDAP, User and Groups are working
  fine, but the membership of a user to a group is not.
  I assume that it's related to the parameters I use (especially the
  membership.filter ?):
  "user.filter=(&(uid=%u)(objectclass=person));
  user.dn=O=Apac;
  membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
  group.filter=(&(cn=%g)(objectclass=groupOfNames));
  server.host=jpgal01.apac.bea.com;
  group.dn="
  Any help would be appreciate, because I just don't where to look for.
  Try setting the com.netscape.ldap.trace property.
  \* When -D command line option is used, defining the property with
  * no value will send the trace output to the standard error. If the
  * value is defined, it is assumed to be the name of an output file.
  * If the file name is prefixed with a '+' character, the file is
  * opened in append mode.
  This will create a ldap trace file of the requests that WLS is making on the
  LDAP server. You can then see
  where the filters are not returning the correct value for the group
  membership.

• Does Weblogic server 9.2 provide support for CRL checking

  Does Weblogic server 9.2 provide support for CRL checking?

  No, but you can create a custom CertPath provider for your own implementation.
  Mike
  Weblogic/J2EE Security Blog: http://monduke.com

• Help: which LDAP server should I use with weblogic 5.1

  Hi:
  I try to use LDAP for user profile management. I am free to use any LDAP
  server as long as it is easy to work with weblogic 5.1 or 6.0.
  Any suggestions?
  Thank you.
  li

  This is what I did for my DS settings
  1. select Oracle JDBC Driver
  2. set Classes12.jar in Websphre classpath - (Oracle thin driver)
  3. create DS with option User defined JDBC provider
  means I have added Thin driver provided by Oracle , instead of deprecated Thin driver from IBM.

• Does the Mac Mini Server include iLife?

  Hi,
  I couldn't find a question to this anywhere...
  I'm considering buying a Mac Mini Server soon.
  Question - Does the Mac Mini Server include iLife?

  When Apple first came out with the Mini with Snow Leopard server, even their sales support people said it came with iLife. (They no longer make that mistake.)
  By using the statements of sales support and by referring to the claims on the iLife page (which you quote) -- with some insistence on my part -- I was able to get AppleCare to send me iLife for free. Worth a try. Though frankly, my time would have been better spent just buying the iLife.

• Does Weblogic Server 5.1 supports RedHat Linux 6.2?

  Hello All,
  Does Weblogic Server 5.1 supports RedHat Linux 6.2?
  Best Regards,
  Samuel Yung
  [email protected]

  FYI.
  I am running RH 6.2 and Weblogic 5.10 with no problems.
  w/Apache 1.3.12
  Only using WL for EJBs and jdbc pool at this time. So your milage may vary.
  Michael Girdley wrote:
  No, not yet. Version 6.0 will.
  The platform support page for WebLogic Server is located at:
  http://www.weblogic.com/platforms/index.html
  This page has the latest and greatest information on the platforms that
  WebLogic is certified and supported on.
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Samuel Yung" <[email protected]> wrote in message
  news:[email protected]..
  Hello All,
  Does Weblogic Server 5.1 supports RedHat Linux 6.2?
  Best Regards,
  Samuel Yung
  [email protected]
  /\/\i|<e
  Mike Kincer
  Solutions Developer/Engineer
  Atlas Commerce "ebusiness evolved"
  Office phone: +1-607-741-9988
  mailto:[email protected] [http://www.atlascommerce.com]