Domain on externally identified users

Hi,
I'm trying to use externally identified users connecting from a Win2000 client to a Unix server (HP-UX). My question is whether there is a way to only allow users from a certain domain to connect to the server, or to always use the domain when identifying the users when they are connecting to the database?
In Win2000 I found that you can set OSAUTH_PREFIX_DOMAIN in the registry on the server to achieve what I want.
/Hakan

Similar Messages

  • Making database connection to externally identified user

    I try to make a database connection using an externally identified user.
    I have not succeeded so far.
    In Oracle Designer it is possible to just fill in /@SID in the username field.
    Somebody knows a workaround ?
    regards,
    Timo Schijf

    Timo,
    This question is not related to JHeadstart. Can you please post the question on the JDeveloper forum?
    Thank you,
    Steven Davelaar,
    JHeadstart Team.

  • Unable to logged in to SOA server - No domains accessible to the user

    Dear Experts,
    I am getting the following error when trying to log in to the SOA Server.
    Error: No domains accessible to the user logged in.
    Also I am not able to create a new domain and not able to find the default domain.
    Please suggest how I can log in to SOA.
    Thanks,
    Rajesh

    Hi Rajesh,
    Check 1:
    First checkpoint where we can identify the detail of error description is checking the following log files;
    Domain Log: $SOA_Home\bpel\domains\default\logs\domain.log ('default' is the default domain name)
    - This log file will be created every time the SOA service is started and will log any domain level startup issues
    OPMN Log: $SOA_Home\opmn\logs\OC4J~oc4j_soa~default_group~1.log
    - This log file will log all the BPEL process specific logs (creation/termination)
    System Log: $SOA_Home\bpel\system\logs\orabpel.log
    - System level logging is provided for infrastructure, AXIS, and WSIF issues
    All these log files should give a clear picture about the error which might be causing this issue, based on which you can take necessary actions.
    Check 2:
    Check whether the database on top of which Oracle SOA suite was installed is up & running. If not, ensure the RDBMS listener is running & restart SOA service.
    Check 3:
    The Oracle SOA suite will be installed on top of a database (Oracle Lite/external Oracle DB), where three schemas would have been created during installation namely Orabpel, Oraesb, Orawsm. These schemas might have got corrupted (or) their passwords might have got changed which throws "No domains accessible to the user logged in." error in Oracle BPEL console. Ensure all 3 schemas are present in the database and their passwords are intact as specified in the datasources.xml/during installation and restart SOA service after corrections.
    Check 4:
    If any class files have been added in the SOA suite, ensure they are properly compiled and deployed @ $SOA_Home\bpel\system\classes.
    Check 5:
    If you have added any custom xpath functions for use in the BPEL process, you might have added entries in the $SOA_Home/bpel/system/config/xpath-functions.xml. Ensure that this file is well formed.
    Check 6:
    If you have deployed any BPEL process recently after which the Oracle BPEL console throws this error, there might be high chance for issues in the deployed BPEL process.
    All deployed BPEL processes will be picked up from the following location. Take backup of the existing processes, delete all entries and then restart SOA service.
    $SOA_Home\bpel\domains\default\tmp ('default' is the default domain name)
    Refer : http://sathyam-soa.blogspot.com/2009/01/oracle-bpel-console-throws-no-domains.html
    Hope this helps!
    Cheers
    Anirudh Pucha

  • Oracle Accounts - Externally Identified.

    Really quick Q: What, if any, is the issue w/ having accounts that are externally identified? As is, users log in to Active Directory, the ID of the user will be account name & domain name.

    It's a security issue really. You are taking away control from the database for user authentication.
    If someone can get into the o/s then they are 'automatically' authenticated to access the database.
    In my experience this is not good. Hacking your way into a windows box is not difficult in most cases.

  • Why do we create externally identified users ?

    RDBMS version: 11.2.0.2
    Platform : Solaris 10
    I work in a Retail Banking/financial applications environment. All our applications are in Java running from Websphere/Tibco. Our DB servers only host DBs. ie Applications are run from dedicated Linux servers.
    But, in our DB server (Solaris) several Unix users are created for applications. Then we create DB schemas with EXT$ prefixed.
    If the Unix user is xpsapp, then we'll create a schema named EXT$xpsapp
    os_authent_prefix parameter set to EXT$
    Why do applications need these externally identified schemas? Can't they just use a normal schema?

    Traditionally, externally authenticated accounts are used for application batch jobs and DBA utility jobs run from "cron." The shell scripts executed by "cron" invoke Oracle tools (usually sqlplus) connecting to the database "as slash" and not hardcoding a password on the command line. This has the following benefits:
    * The O/S-level password can be changed on a regular basis without any associated code (or preference file) changes
    * No hard-coded passwords are used on the command line (which can be seen with the "ps -ef" utility)
    * The batch jobs are not affected by network outages due to the bequeath connection type

  • Connecting to an externally identified account

    Hi,
    Is there a way to connect to an externally identified account in a database from SQL Developer?
    Thanks,

    If I can recall, the person who got it to work was with an OPS$ account by using ALTER USER to identify the user with a password. I don't think they got it to work with external authentication.
    First of all, when I tried to use the OCI driver, it required a user id and password. Yet, for external authentication, you do not specify a user and password.
    When reading the docs for the oci jdbc driver, I could not find anything about external authentication.
    I think oracle will have to get external authentication to work via their jdbc odbc driver first before they could even consider getting it to work under sql developer.

  • Migrating one email domain to external server

    our AD domain "domain1.com" users have @domain1.com, @domain2.com, and @domain3.com (this one is for testing usage) mailboxes/addresses on our internal Exchange 2010 14.01.0438.000 server.   All users are on the same domain regardless
    of the email address they use.  mailboxes with @domain1.com as their primary smtp address are being migrated to an email service outside of our organization/domain but will still remain users on our domain.  For those users we'll be creating a new
    profile in Outlook pointed at that new external mail server to switch over to on the cutover date while leaving the existing profile as is.  Following migration for a period of time we want  @domain1.com users to still be able revert to their current
    Outlook profile and be able to get to our OWA in case any problems/inconsistencies occurred migrating contents to the new service. It's understood that sending/receiving mail would no longer work for them on the internal Exchange server, the point is just
    that they could access the old contacts/calendar/notes/tasks/emails. 
    My testing with migrating @domain3.com indicated that in order for domain2.com senders to be able to send mail to @domain1.com recipients after the cutover date and have the mail arrive at the external server instead of the internal server, the following
    would have to be done:
    -domain1.com removed from gatewayproxy attribute in recipient polices -
    removal of gatewayProxy via ADSI
    -domain1.com removed from exchange >> organization configuration >> hub transport >> accepted domains
    -mx record pointing at external mail server added to internal dns server domain1.com zone
    -domain1.com removed from smtp proxyAddresses attribute on each mailbox
    It seems like there should be a way to achieve the result of getting the mail to the external server without modifying the proxyAddresses attributes so that the users could still get back into the old exchange server after cutover with their original address. 
    any ideas?
    Thanks

    the steps to get [email protected] to [email protected] mail sent to external server are clear from testing and additional testing shows some option for still getting into the old mailboxes from clients/owa but not clear is how it could be done while leaving
    domain1.com mailbox addresses intact on the old Exchange server and the AD user object 'mail' attribute intact as it was pre-cutover.  To expand and rephrase my original post, is there a way to make Exchange determine whether it should route domain1.com
    mail internally vs externally via a global setting that would take priority over and cause to be ignored smtp proxyAddresses attributes on individual mailboxes so these don't have to be stripped/modified causing unwanted AD attribute alteration?
    objective partially achieved -
    AD object for [email protected] mailbox has the following attributes -
    proxyAddresses =  SMTP:[email protected] (Exchange primary reply-to address) & smtp:[email protected]
    'mail' attribute = [email protected]
    if we change primary/reply SMTP in exchange to [email protected] and remove SMTP:[email protected], the result of internal mail sent to [email protected] going to the external server is accomplished but the 'mail' attribute in AD then changes to [email protected]
    which is unwanted.  we still want 'mail' attribute left as is for these users since their email addresses are not changing.  access to mailbox contents on old exchange server via old [email protected]'s old outlook profile + OWA still work which
    is good though. 
    also found that adding a domain to organization configuration >> hub transport >> accepted domains as 'external relay' in addition to a send connector for the domain pointed at the MX for the external server still isn't enough to override/ignore
    any proxyaddresses on the internal mailboxes.  mail will still end up at the internal mailbox.

  • Creating Externally Authenticated users

    Greetings,
    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    Thanks
    Bradd

    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    I don't understand what you are trying to do.
    Post your full sql developer info and explain in detail what you mean; with an example if possible.
    You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
    In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
    See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
    http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
    To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
    Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
    CREATE USER ops$sue IDENTIFIED EXTERNALLY;
    GRANT CONNECT, RESOURCE TO ops$sue;
    Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type; fill in the Hostname and Port fields; select OS Authentication; and provide a SID or Service name. Click Test and Connect as before.
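
An added example, not part of the thread or of the quoted article: a read-only inventory to run after creating OS-authenticated users, showing the parameters that govern them, the accounts identified externally, and what those accounts have been granted. It assumes Oracle 11g or later (for the AUTHENTICATION_TYPE column of DBA_USERS) and a session that can read the DBA views; REMOTE_OS_AUTHENT is a real initialization parameter that this page does not mention.

```sql
-- Added example (assumes 11g+ and SELECT access to the DBA_* views and V$PARAMETER).

-- 1. Parameters controlling OS authentication.
--    os_authent_prefix : prefix added to the OS user name (OPS$ by default).
--    remote_os_authent : if TRUE, the database trusts the OS user name reported
--                        by a remote client, which the server cannot verify.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Every account created with IDENTIFIED EXTERNALLY.
SELECT username, account_status, created
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- 3. Roles and system privileges held by those accounts, so that an
--    OS-level login does not silently carry more database access than intended.
SELECT u.username, 'ROLE' AS grant_kind, r.granted_role AS grant_name
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username, 'SYSTEM PRIVILEGE', s.privilege
FROM   dba_users u
JOIN   dba_sys_privs s ON s.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY 1, 2, 3;
```
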

  • E Recruitment External candidate user id in SU01

    Dear All,
    While creating a user name for an external candidate through HRRCF_CAND_REG, a user name is getting created with some different sequence and we can see it in SU01. Will SAP treat it as a new user when it comes to user licences, or will SAP ignore this user? Please let us know if we are missing something.
    Regards

    Dear ,
    Following information about E-Recruiting user licenses:
    For Reference User, Service user & Communication user you may please refer to the chapter 13.7 of the System Measurement guide 7.0 available in the service market place (service.sap.com/licenseauditing > Named user Measurement > Documentation). Please also refer to the SAP Notes 327917 & 553606.
    Regarding Dialog Users, You need to customize some special user types to identify these users like the following:
    Special user 01 (ID 71): e-Recruiting, External
    Special user 02 (ID 72): e-Recruiting, Internal
    a. External candidates who log on to the SAP system via URL should be classified with Special user 01 (71) = e-Recruiting, External
    b. Internal candidates who are employees (and do not already have a chargeable user in another SAP system) should be classified with Special user 02 (72) = e-Recruiting, Internal
    So the external users (ID 71) are not counted against your e-recruiting user licenses!
    This is 100% assurance..
    Best Regards,
    Deepak...

  • NO domains accessible to the user error while opening bpel console

    Hi all,
    I have applied SOA patchset 10.1.3.5 on SOA 10.1.3.1. After that, when I am trying to access the bpel console it is giving the error like
    'No Domains accessable to the user logged in'. I am able to connect to the database using jdeveloper.
    Am I missing any post installation steps? Can anybody help me please.
    Thanks and Regards,
    Durgareddy Katta.

    Hi
    It means that your bpel services have failed to start up, perhaps a failure with patching it.
    Did you also patch the orabpel schema? Did you follow the post install tasks?
    Look into $ORACLE_HOME/bpel/domains/domain_name/logs/domain.log and ORACLE_HOME/opmn/logs, oc4j_soa logs, to see what kind of errors there are related to bpel startup
    Michel

  • Error when opening BPEL Console:No domains accessible to the user logged in

    Hi,
    I have upgraded the SOA SUITE from 10.1.3.1 to 10.1.3.4 by applying the patch. Before applying the patch, I ran the scripts to upgrade the database for both ESB and BPEL. After applying the patch I made the change in <ORACLE_HOME>\j2ee\oc4j_soa\configdata-sources.xml file for the BPELPM_CONNECTION_POOL parameter. But when I am opening BPEL Console it is showing the error like "No domains accessible to the user logged in". And in the log file I am getting the error like
    ORABPEL-03003
    Incorrect db schema version.
    The database schema version "2.0.4" from the database does not match the version "10.1.3.4.0" expected by the server.
    The database schema currently in place has probably been configured for a previous release; please re-install the database schema and try to start the server again.
    Does anybody know how to fix this problem?
    Thanks,
    Anju

    Hello,
    I had the same problem and reconfiguring the datasources.xml was the solution, because the installer replaces its values with all wrong values. For example: using polite driver instead of OracleDriver, 1522 instead of 1521, user and password.
    That solved my problem, maybe you must check all parameters of the datasources.xml and restart the server.

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, setup is in such a way that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
    The problem that I am having is, when I modify the Admin role in which the Administrators group should be added, what exactly should I give in the Admin role? Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com?
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here I am not sure what to do.
    Also, if the external LDAP authentication provider is the only provider then I need to give the user information in the boot.properties file also for weblogic to boot properly. Now, what should I give there as user? Still the complete DN?
    Regards,
    Neeraj Tati.

  • No domains accessible to the user logged in Error in BPEL Console

    HI All ,
    We have done cluster for two servers , but when we try to open BPEL Console then we are facing this issue
    No domains accessible to the user logged in .
    Can anyone help on this .
    Regards,
    Karthik

    HI Anuj ,
    When i debug the issue , this was the msg written in log file
    <2011-03-08 12:57:39,752> <DEBUG> <collaxa> <ServerObserverRegistry::__registerObserver> Registering observer class com.collaxa.cube.admin.adaptors.platform.PlatformAdaptor_oc4j_10g$1 for aspect class com.collaxa.cube.admin.observer.DomainInitAspect
    <2011-03-08 12:57:39,752> <DEBUG> <collaxa> <ServerObserverRegistry::__registerObserver> Registering observer class com.collaxa.cube.admin.adaptors.platform.PlatformAdaptor_oc4j_10g$1 for aspect class com.collaxa.cube.admin.observer.DomainUninitAspect
    <2011-03-08 12:57:39,776> <INFO> <collaxa> <ConnectionFactoryImpl::init> Initialized connection factory jdbc/BPELServerDataSourceWorkflow
    <2011-03-08 12:57:39,776> <INFO> <collaxa> <ConnectionFactoryImpl::init> Initialized connection factory jdbc/BPELServerDataSource
    <2011-03-08 12:57:39,776> <DEBUG> <collaxa> <ServerObserverRegistry::__registerObserver> Registering observer class com.collaxa.cube.admin.data.ServerConnectionFactory for aspect class com.collaxa.cube.admin.observer.ServerConfigChangeAspect
    <2011-03-08 12:57:40,171> <INFO> <collaxa> <ServerManager::__init> Detected datasource 'oracle'
    <2011-03-08 12:57:40,208> <INFO> <collaxa> <gsServerSchemaManager::validateCompatibility> Detected database version '10.1.3.4.0'
    <2011-03-08 12:57:40,208> <INFO> <collaxa> <ServerAdaptorManager::init> Initialized adaptors for platform 'ias_10g'
    <2011-03-08 12:57:40,869> <DEBUG> <collaxa> <BPELServerXPathRegistry::init> Done loading XPath service for server
    <2011-03-08 12:57:40,932> <DEBUG> <collaxa> <ClusterService::createJChannel> Creating jgroup channel
    <2011-03-08 12:57:40,934> <DEBUG> <collaxa> <ClusterService::createJChannel> Creating the jgroups channel using the install jgroups config file from /opt/oracle/product/OracleAS/bpel/system/config/jgroups-protocol.xml
    <2011-03-08 12:57:41,609> <INFO> <collaxa> <ServerManager::uninit> Shutting down all domains
    <2011-03-08 12:57:41,609> <INFO> <collaxa> <ServerManager::uninit> Done shutting down all domains
    <2011-03-08 12:57:41,610> <DEBUG> <collaxa> <ServerObserverRegistry::__registerObserver> Unregistered observer class com.collaxa.cube.admin.data.ServerConnectionFactory from aspect list class com.collaxa.cube.admin.observer.ServerConfigChangeAspect
    Can you suggest on this .
    Regards,
    Karthik

  • External LDAP user only has search privilege in UCM

    After I have configured external LDAP successfully in the weblogic console, I can see all users from the external LDAP. And external LDAP users can log in to UCM successfully, but these users only have search privilege. I want external LDAP users to have Admin privilege as weblogic (default in embedded LDAP). How to solve it? Any help will be appreciated greatly! Otherwise, I refer to Oracle's document,
    51.1.14 LDAP Users Not Receiving Some Administrator Privileges
    UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
    How to add an external LDAP user to the group of Administrators?

    Hi ,
    You can use Credential Maps to achieve the requirement.
    Steps for the same are:
    1. Login to UCM - Administration - Credential Maps .
    2. Create the map name and the following mapping :
    <ldap role> , admin
    3. Save the changes
    4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
    add the following variable there :
    ProviderCredentialsMap=<map name created in step 2>
    5. Save the changes and restart ucm server .
    After that, log in with the user who has the ldap role that is mapped in step 2; this user will have the ucm admin role.
    Hope this helps .
    Thanks
    Srinath

  • ACS issue - External unknown user policy database

    HI all,
    Is there any way I can get back information from an external user database into ACS:
    I have 2 SSIDs, both on separate IP address ranges. I have an external unknown user policy to pass usernames and passwords to. In the database there are flags which distinguish between two different types of users. Can I pass this 'flag' back to ACS somehow? When a user tries to log on to one SSID I want ACS to somehow check this flag and decide if that user can access that SSID.
    Any ideas ??

    What is your external database?
