EN4093R LDAP authentication and authorization

Hi, I want to configure LDAP authentication and authorization. Can anyone help me to configure this? In my test environment I want to give our Domain Admins access to our switches. I found only a basic configuration in the user manual, but I got no information on configuring groups. Could I configure two or more groups to access the switch?

What type of LDAP server are you using? Microsoft Windows 2012 or 2008? I have a problem with 2012 not giving the groups back for some users.
Same problem as
https://supportforums.cisco.com/message/3866327#3866327
debug ldap 255
shows the correct values for one user that is working:
[196] Authentication successful for Administrator to 192.168.20.80
[196] Retrieved User Attributes:
[196]   objectClass: value = top
[196]   objectClass: value = person
[196]   objectClass: value = organizationalPerson
[196]   objectClass: value = user
[196]   cn: value = Administrator
[196]   description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
[196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
[196]   instanceType: value = 4
[196]   whenCreated: value = 20081201134058.0Z
[196]   whenChanged: value = 20131126141559.0Z
[196]   displayName: value = Administrator
[196]   uSNCreated: value = 12298
[196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
[196]           mapped to Group-Policy: value = ssl_admin
[196]           mapped to LDAP-Class: value = ssl_admin
One user that is not working (there are no memberOf entries in the debug output):
[190] Authentication successful for sdag to 192.168.20.80
[190] Retrieved User Attributes:
[190]   objectClass: value = top
[190]   objectClass: value = person
[190]   objectClass: value = organizationalPerson
[190]   objectClass: value = user
[190]   cn: value = sdag
[190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
[190]   displayName: value = sdag
[190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
[190]   proxyAddresses: value = smtp:sdag@xxxx
[190]   proxyAddresses: value = SMTP:sdag@xxxxx
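
The quickest way to see which accounts came back without a group is to parse the `debug ldap 255` output itself rather than reading it by eye. The following is an added example, not code from the thread or from the switch vendor: it reads debug lines of the shape quoted above (session id in brackets, `Retrieved User Attributes:`, `name: value = ...`, `mapped to Group-Policy: value = ...`), groups them per authentication session, and lists every user for whom no memberOf attribute was returned, since such a user cannot be mapped to a group-based role. The sample text and the regexes are constructed to match the quoted format and are assumptions.

```python
"""Parse ``debug ldap 255`` style output and report which authenticated users
came back with memberOf (group) attributes and which did not.

Added example; the sample below is constructed with anonymised names to mirror
the structure of the debug lines quoted in the thread."""

import re
from collections import defaultdict

# Constructed sample: one user with a memberOf mapping, one without any group.
SAMPLE_DEBUG = """\
[196] Authentication successful for Administrator to 192.168.20.80
[196] Retrieved User Attributes:
[196]   objectClass: value = top
[196]   objectClass: value = user
[196]   cn: value = Administrator
[196]   distinguishedName: value = CN=Administrator,CN=Users,DC=example,DC=local
[196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=EXAMPLE,DC=example,DC=local
[196]           mapped to Group-Policy: value = ssl_admin
[196]           mapped to LDAP-Class: value = ssl_admin
[190] Authentication successful for sdag to 192.168.20.80
[190] Retrieved User Attributes:
[190]   objectClass: value = top
[190]   objectClass: value = user
[190]   cn: value = sdag
[190]   distinguishedName: value = CN=sdag,OU=Vendors,OU=Users,OU=EXAMPLE,DC=example,DC=local
[190]   proxyAddresses: value = smtp:sdag@example.local
"""

# Assumed line formats, derived from the quoted debug output.
AUTH_RE = re.compile(r"^\[(\d+)\] Authentication successful for (\S+) to (\S+)")
MAPPED_RE = re.compile(r"^\[(\d+)\]\s+mapped to (Group-Policy|LDAP-Class): value = (.*)$")
ATTR_RE = re.compile(r"^\[(\d+)\]\s+(\S+): value = (.*)$")


def parse_debug(text):
    """Return {session_id: {"user", "server", "attrs": {name: [values]},
    "mapped": {kind: [values]}}} for each successful authentication."""
    sessions = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            sid, user, server = m.groups()
            sessions[sid] = {"user": user, "server": server,
                             "attrs": defaultdict(list), "mapped": defaultdict(list)}
            continue
        m = MAPPED_RE.match(line)  # checked before ATTR_RE: the line has two words before the colon
        if m:
            sid, kind, value = m.groups()
            if sid in sessions:
                sessions[sid]["mapped"][kind].append(value)
            continue
        m = ATTR_RE.match(line)
        if m:
            sid, name, value = m.groups()
            if sid in sessions:
                sessions[sid]["attrs"][name].append(value)
    return sessions


def group_cn(dn):
    """First RDN value of a group DN, e.g. 'CN=G_SSLVPN,OU=...' -> 'G_SSLVPN'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def group_report(sessions):
    """Per user: memberOf DNs, their CNs, the role the device mapped them to,
    and whether any group came back at all."""
    report = {}
    for s in sessions.values():
        groups = list(s["attrs"].get("memberOf", []))
        report[s["user"]] = {
            "groups": groups,
            "group_cns": [group_cn(g) for g in groups],
            "mapped_roles": list(s["mapped"].get("Group-Policy", [])),
            "has_group": bool(groups),
        }
    return report


def users_without_groups(sessions):
    """Users who authenticated but received no memberOf: they get no group role."""
    return sorted(u for u, r in group_report(sessions).items() if not r["has_group"])


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for user, r in group_report(parsed).items():
        print(f"{user}: groups={r['group_cns']} roles={r['mapped_roles']}")
    print("no group returned:", users_without_groups(parsed))
```

One caveat when reading such output against Active Directory: memberOf is a back-link attribute that never lists the account's primary group (Domain Users by default), so a user whose only membership is the primary group will always show up in the "no group returned" list even though the account is valid; the groups you map to switch roles therefore need to be ordinary group memberships, not the primary group.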

Similar Messages

  • Authentication and authorization done by different LDAP servers

    Is this possible with iPlanet LDAP Authenticator
    I want authentication to be done against LDAPServer A but authorization [ role
    assignment ] done by another LDAP Server B ?
    the authenticator only permits me to enter one server name
    would I need to write a custom authenticator ?
    help please
    currently on WLS 7.0, plan to move to 8.1
    prem

    "Prem" == Prem <[email protected]> writes:
    Prem> Is this possible with iPlanet LDAP Authenticator
    Prem> I want authentication to be done against LDAPServer A but authorization [ role
    Prem> assignment ] done by another LDAP Server B ?
    Prem> the authenticator only permits me to enter one server name
    Prem> would I need to write a custom authenticator ?
    Prem> help please
    Prem> currently on WLS 7.0, plan to move to 8.1
    Interesting. I believe I'm headed in the same direction. I have a
    company-wide LDAP server that I want to do authentication with, but I'd like to
    store authorization information for a small group of users (giving everyone
    else a "default" role), perhaps in the embedded LDAP server, and I'm hoping I
    can get this all to work in the JAAS framework. I'm still investigating this.
    ===================================================================
    David M. Karr ; Java/J2EE/XML/Unix/C++
    [email protected] ; SCJP; SCWCD

  • Authentication and Authorization question.

    Hi All,
    I require your help in validating my understanding of Authentication and Authorization. This is with regard to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities (user, group, role) can be either in LDAP or DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can collect all the roles that a user belongs to and return all of them. This can happen against LDAP or DB.
    2. The end result is list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role exists in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is: can user, group and role exist in an application-specific database and still be used for creating security policies??
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard J2EE application, which will be deployed as a standard J2EE application.
    DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in
    our datastore for access rights??
    Thanks,
    Prashanth Bhat.

  • Authentication and authorization capability in weblogic application server

    Hi,
    Need input from architecture point of view -
    Requirement is typical - have to build a web center portal application with authentication and authorization capability.
    I can think of three architecture options:
    1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
    2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
    3. only weblogic server (users created in weblogic admin console)...
    Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
    Confused between 2nd and 3rd.
    2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
    3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
    Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
    Thanks.

    Hi,
    You are right, your first requirement makes for a more costly and complex environment.
    I would recommend going with the second option instead of the third one.
    Because in future, if you want to use a different server, you will also have the option to use an external AD.
    Well, now you will think why I recommend the second option instead of the third option:
    an external LDAP is more secure than an internal one.
    If you have any further query let me know.
    Regards,
    Kal

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject, either by creating a custom java.security.Principal that is stored in the Subject or by saving it in the PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • How can I authenticate and authorize with Web Service on ESB ?

    Hello,
    I want to authenticate and authorize a client with a Web Service published
    by the HTTP/SOAP BC.
    Simply put, if it is a Web Service as a J2EE application, I will use
    Basic Authentication with JAX-RPC and a Realm.
    But I think that a Web Service published by the HTTP/SOAP BC does not belong
    to a J2EE Application. There is no place to describe security role mapping
    (like web.xml).
    JBI 1.0, section "5.5.1.1.3 Normalized Message Properties", says that the
    JAAS Subject is given in the NM Properties. Indeed, the package
    com.sun.jbi.internal.security.*
    implements JAAS authentication and authorization (at JaasAuthenticator).
    But I can't see how to configure my Service to use this.
    How can I authenticate and authorize with Web Service on ESB ?
    I referred to the resources.
    Mutual Authentication for Web Services: A Live Example
    http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
    XML and Web Services Security
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
    JAAS Authentication Tutorial
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
    Thanks,
    Takurou
    - environment ---------------------------------------------
    OpenESB : Project Open ESB Starter Kit
    AppServer : Sun Java Systems Application Server 9.0 PE
    OS : Windows XP
    I don't assume the use of SSL (if it's necessary I will try).
    User information is stored in a LDAP Server.
    -----------------------------------------------------------

    Hello,
    I read this resource.
    SecurityDesign
    http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
    Then I think securing by basic authentication [non-SSL and SSL/TLS and so on] is an ongoing feature at this time.
    But I can't see well why this page says 'HTTP over SSL, TLS'.
    HTTP/SOAP Binding Component Overview
    http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
    Does the BC support only "SSL server authentication"?
    Doesn't the BC support "SSL client authentication" by username/password?
    Thanks,
    Takurou

  • Create external LDAP authentication to SAP via Web Dynpro

    Hi Guys,
    I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
    The user will enter his LDAP user and password and I will check via the LDAP connector to grant access to SAP.
    The only problem I have is switching to the SAP user without knowing the SAP password. That's why I need external authentication.
    I have been told by a Basis expert that I could use Java to achieve this. I have also got the Java code that the Enterprise Portal uses.
    Am I on the right way? Can anybody advise me?
    Thanks and best regards
    Ali

    Hi,
    Refer to this link and SAP Note:
    [SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
    SNote: 517484
    Regards
    Preethish

  • LDAP authentication with authorization roles

    I currently have LDAP functioning and working correctly on my application (APEX 4.0). Our system is limited to a certain number of users within the AD group that can access the system. I have created an authorization scheme that looks at a database table to determine if the user has access to the system. If I put this authorization scheme on the login process of the login page it works successfully; however, the failure error message does not show up if the user does not have access. If I put this authorization scheme on the page that you are redirected to after login, I get the message. However, what I would like to do is have this authorization failure message appear as a pop-up message on the login screen once the login button is pressed. Is this possible?
    Thank You!

    > However, what I would like to do is have this authorization failure message appear as a pop up
    > message on the login screen once the login button is pressed. Is this possible?

    Create a 'Page processing' process that runs after the login completes. Apply the authorization function to it. If it fails the authorization, this should abort the login and display an error on the login page. Theoretically... not something I've needed to do.

  • How can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2

    How can I get authentication and authorization through OS X Open Directory with the Sun ZFS STOR ZS3-2?
    I have configured NFS; I need help configuring the share that I created in the Sun ZFS STOR ZS3-2 to connect with OS X Open Directory.

    Hi,
    You may try checking the help page for LDAP configuration:
    https://<Appliance_IP>:215/wiki/index.php/Configuration:Services:LDAP
    ZFS Storage supports LDAP, NIS and AD as directory services.
    I hope Open Directory is also based on LDAP and may work in a similar fashion.
    Thanks
    Nitin

  • LDAP authentication with R/3

    hi!
    After a long, long search I could not find out how to implement LDAP authentication for SAP R/3. To be honest I'm not an expert in R/3 Basis; for Web AS / EP I would know how to do it.
    Due to several network & security reasons we don't want to use the single sign-on or the LDAP synchronization functionality.
    The only thing we would use LDAP for is just to authenticate the user. Unfortunately, our LDAP users are not the same as the SAP users (8 chars in SAP, longer in LDAP). What the system should do is:
    - ask for username (SAP 8-char) and password (LDAP)
    - map SAP username and LDAP username (e.g. by the SAP alias name or external username in USR15)
    - connect to the LDAP directory and find out whether user/password is correct
    - if correct, log the SAP user in
    - that's all
    Any Ideas?
    Thanks,
    Markus
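
The four steps above (prompt, map, bind, log in) are easy to get subtly wrong, so here is the flow as an added example in Python; it is not code from the thread or from SAP. The mapping table, the directory name and the in-memory `FakeDirectory` are constructed so that the example runs offline; in a real deployment `bind()` would be an LDAP simple bind against the directory (with the `ldap3` library, `Connection(server, user=dn, password=pw).bind()`). The example also handles the failure mode the steps do not mention: an empty password must be refused before the bind, because an LDAP simple bind with an empty password is an unauthenticated bind that many servers accept as success.

```python
"""Authenticate an SAP-style 8-character user against an LDAP directory:
(1) map the SAP user to the directory login name, (2) bind with the supplied
password, (3) only then let the caller log the SAP user in.

Added example; FakeDirectory, SAP_TO_LDAP and the accounts are constructed."""

from dataclasses import dataclass

# Constructed mapping SAP user (<= 8 chars) -> LDAP login name; in the thread
# this role is played by the SAP alias / external user name in USR15.
SAP_TO_LDAP = {
    "MMUELLER": "markus.mueller",
    "JDOE": "jane.doe",
}


class FakeDirectory:
    """Stand-in for an LDAP server (constructed): a simple bind succeeds only
    when the login exists and the password matches exactly."""

    def __init__(self, base_dn, accounts):
        self.base_dn = base_dn
        self.accounts = accounts  # {login_name: password}

    def dn_for(self, login_name):
        return f"uid={login_name},ou=people,{self.base_dn}"

    def bind(self, dn, password):
        login = dn.split(",", 1)[0].split("=", 1)[1]
        stored = self.accounts.get(login)
        return stored is not None and stored == password


@dataclass
class AuthResult:
    ok: bool
    sap_user: str
    reason: str  # for the server log; show users only a generic message


def authenticate_sap_user(directory, sap_user, password):
    """Return AuthResult(ok=True) only when the mapped LDAP account binds."""
    sap_user = sap_user.strip().upper()
    if not sap_user or len(sap_user) > 8:
        return AuthResult(False, sap_user, "invalid SAP user name")
    # RFC 4513 5.1.2: a simple bind with an empty password is an
    # unauthenticated bind, which servers may accept, so refuse it up front.
    if not password:
        return AuthResult(False, sap_user, "empty password refused")
    ldap_login = SAP_TO_LDAP.get(sap_user)
    if ldap_login is None:
        return AuthResult(False, sap_user, "no LDAP mapping for SAP user")
    if not directory.bind(directory.dn_for(ldap_login), password):
        return AuthResult(False, sap_user, "LDAP bind failed")
    return AuthResult(True, sap_user, "LDAP bind succeeded")


# Constructed demo directory with two accounts.
DEMO_DIR = FakeDirectory("dc=example,dc=local",
                         {"markus.mueller": "s3cret", "jane.doe": "hunter2"})

if __name__ == "__main__":
    for user, pw in [("mmueller", "s3cret"), ("mmueller", "wrong"),
                     ("jdoe", ""), ("nobody", "x")]:
        r = authenticate_sap_user(DEMO_DIR, user, pw)
        print(f"{user!r}: ok={r.ok} ({r.reason})")
```

The distinct `reason` strings are meant for the server-side log; the login screen should show one generic failure message so that the mapping table cannot be used to tell valid SAP user names from invalid ones.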

    Hi,
    It can be done. It all depends a bit on what kind of platforms you want to use it on.
    We're currently in the middle of introducing a Shibboleth CUA for all our systems, SAP or non-SAP. That means that one needs to authenticate to a central server and via SSO you will have access to the applications.
    For SAP, that'll mean that we no longer log in via a SAP GUI, but via the EP that authenticates against this CUA. Once logged in, one can launch a SAP GUI script that allows you to work on the SAP R/3 server.
    Have also a look at http://shib.kuleuven.be/
    Alternatively, you can set up a UME. See http://help.sap.com/saphelp_nw2004s/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm for this.
    Eddy
    PS.
    Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
    Spread the wor(l)d!

  • LDAP UID and local UID different

    I have a 10.5 server running LDAP with a master and a replica. In the LDAP I have a user who was deleted and then re-added to the LDAP to correct an issue. Now on the replica that user's LDAP id and her id from the command-line command id are different, which is preventing her from syncing. I have tried to remove and re-add her again but I cannot get the local id to go away. There is no user id for this user in any of the local files or databases that I can find.
    How do I delete the user so the command-line command id does not see her, so I can create her account with the correct user id??

    Hi Wajid,
    I've done this by making the APEX ID a copy of the LDAP ID - then the APEX IDs are put in APEX Groups, which feed the Authorization Schemes that grant access to regions/tabs/fields, etc.
    I no longer manage passwords, but the Apex Group still recognizes the :APP_USER.
    Let me know if this doesn't make sense, or I need to get more detailed.
    Rich

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have the built-in Windows XP supplicant and a 2960 Cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin.
    On the supplicant I use EAP (PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried rebooting the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times), didn't work.  5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts.  Kept getting an error message that username and password were invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddenly experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

  • Multiprovider and Authorizations

    Multiprovider and Authorizations:
    The challenge is to ensure you do not have more access through the Multiprovider than you have through the source cubes.
    Example:
    Multiprovider joining source cube 1 + 2 (heterogeneous MP combining data from different InfoAreas)
    Sourcecube 1: Authorizations for company code X+Y
    Sourcecube 2: Authorizations for company code Y+Z
    What company codes in which source cubes will you have access to report on through the Multiprovider?
    1) XYZ from both cubes ?
    2) X from cube 1 , Y from cube 1+2, Z from cube 1
    3) only the common Y from cube 1 +2
    The expected result is scenario 2: basically the same access/restriction you would get if reporting directly on the source cubes.
    This can of course be tested with a test user with limited authorizations. The obstacle here, though, is that the authorization setup is defined with roles and a business unit hierarchy authorization object (consisting of several company codes) that is not fully in place yet. Hence the test will not give you a 100% reliable verification.
    Has anyone else faced the same question, or can verify the expected results? I have not found any good documentation on authorization and Multiprovider.
    (PS, With Support package 2 for BW 3.0B a new authorization object is available used to define authorizations on a Multiprovider level. S_RS_MPRO - Multiprovider. This gives more flexibility , but is not the answer to the general question)
    Best regards Per Roar

    It depends. When you create an authorization object you decide on which InfoProviders the authorization object is valid. So if it's valid on Cube 1 it doesn't say anything about authorization on the Multiprov.
    Best regards
       Dirk

  • How can I remove the Apple ID authorization on only one computer and authorize another in its place?

    How can I remove the Apple ID authorization on only one computer and authorize another in its place?

    De-authorize the computer in question.
    Then authorize the new computer.
    Or de-authorize all computers and authorize only the ones that actually exist.
