External ldap mapping & portal 6.2
Hello
To my knowledge external LDAP mapping is not supported in portal 6.0 & portal 6.1. My question is: is it implemented in portal 6.2? If not, is there any workaround that can solve this issue and be considered a professional solution?
Yes, you can do authentication against your existing
external LDAP and dynamically create user profiles
in your local LDAP (which can be physically on a different box).
The "professional name" for this configuration is:
LDAP "profile server" with "external authentication" LDAP.
Cheers,
Alex :-)
PS: After "Sun Forum Accounts Update" I couldn't log in to this forum and at SUN
no one cares - they just ignore my mails. "Thanks a lot" for supporting free community!
(Check my old profile at http://swforum.sun.com/jive/profile.jspa?userID=3455)
OK. I have now a new account and I will try to help you out here...
-------------------------------------------------------------------------
Similar Messages
-
External LDAP and attributes aliases mapping ?
I have mapped iwtUserInfoProvider-lastName = sn.
And when I after that access the Portal Server and try to update, for example, my "IMAP user name" in the User Info channel, the Portal Server tries to update my "External LDAP Server". This update is unsuccessful and I get an "error storing user profile".
Why is the Portal Server trying to update my external LDAP server??
I only want it to fill in some info for me......
By configuring External LDAP we map certain LDAP-parameters to portal-parameters. Thus while updating the User Info channel we get "error storing user profile". Edit the /etc/opt/SUNWips/desktop/default/iwtUserInfoProvider/edit.template file to not include the non-writable fields in the form, then the user info provider will not try to write those fields. This should help.
Thanks,
Raj_indts
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support -
Can I map iwtUser-role to an attribute in external LDAP???
Hi,
I am using external LDAP for authentication. In the Ext. LDAP I am using
there is an attribute named title in every user cn. I want to use this
attribute for portal to decide which role the user belongs to. I mapped
iwtUser-role to title in Ext. LDAP configuration. When I go to console I
see user(s) under the roles defined in title attribute(in Ext. LDAP).
From console if I try to change the desktop profile of a role and check
'apply changes to all subroles', it's not applying changes to all users
who have the title as that role (even though when I go to that user(s),
I see them under the right role). However, when I look at the
iwtUser-role attribute in profile LDAP using a LDAP browser it shows
/domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
you have any idea why it is happening? I would like to know if mapping
iwtUser-role to an attribute in Ext. LDAP is right thing in the first
place (I am doing this because the Ext. LDAP is already populated, I
have no roles in that, all users are at same level and I have permission
to change title attribute only in Ext. LDAP).
Thanks,
Siva Kancheti.
Block off the default role if you don't want anyone going into that role but only
the ones defined. You can do this by setting the filter to a value that will return
nothing. (example, title=nonexistant), since the search filter will not return
results, no one will be placed in that role (otherwise have to manually go into that
role and 'move' users).
Hope this helps,
Manon
Siva kancheti wrote:
Hi,
I am using external LDAP for authentication. In the Ext. LDAP I am using
there is an attribute named title in every user cn. I want to use this
attribute for portal to decide which role the user belongs to. I mapped
iwtUser-role to title in Ext. LDAP configuration. When I go to console I
see user(s) under the roles defined in title attribute(in Ext. LDAP).
From console if I try to change the desktop profile of a role and check
'apply changes to all subroles', it's not applying changes to all users
who have the title as that role (even though when I go to that user(s),
I see them under the right role). However, when I look at the
iwtUser-role attribute in profile LDAP using a LDAP browser it shows
/domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
you have any idea why it is happening? I would like to know if mapping
iwtUser-role to an attribute in Ext. LDAP is right thing in the first
place (I am doing this because the Ext. LDAP is already populated, I
have no roles in that, all users are at same level and I have permission
to change title attribute only in Ext. LDAP).
Thanks,
Siva Kancheti. -
External LDAP + Roles in portal
Folks,
I use weblogic 8.1 portal.
Can we use an external LDAP for storing portal roles? If so, what is supported,
recommended, etc. Does BEA have a recommendation/document on how to support an
environment with multiple domains that share a common LDAP so that we don’t have
to keep them all sync.
Thanks
- Lara
Lara,
The WLS SSPI (plug-in provider architecture) allows you to add additional
role mappers, however the WLS out-of-the-box authorizer and role mapper are
still required for WLP. Also, in a WLS domain/cluster each managed server
has a copy of the LDAP which is automatically kept in sync by the admin
server.
-Phil
"Lara Man" <[email protected]> wrote in message
news:3f78852c$[email protected]..
>
Folks,
I use weblogic 8.1 portal.
Can we use an external LDAP for storing portal roles? If so, what is supported,
recommended, etc. Does BEA have a recommendation/document on how to support an
environment with multiple domains that share a common LDAP so that we don't have
to keep them all sync.
Thanks
- Lara -
Authentication in weblogic portal server 8.1 sp2 using external LDAP
Hi,
I am trying to use external LDAP for authentication.
I have configured the ActiveDirectoryAuthenticator giving the necessary
values
( and added
"-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthenticator"
in startWebLogic.cmd )
and can see the users and the groups from my LDAP provider in the admin
console and in the admin portal's "users and groups".
A set of users are given permission to access the restricted site and those
users are visible in the global role with the permission.
The web.xml is configured for BASIC auth-method, and the role is
<externally-defined/> in weblogic.xml.
Now when I access a restricted page, I am shown a dialog prompt to key in
the username and password.
Even when I key in the valid credentials, the restricted page is not shown
and an "Unauthorized xxx" 401 access error is thrown.
Any clue on what I am missing?
Please let me know if any suggestion / idea.
Regards,
Arun.
Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
Brad -
Usage of external LDAP server with Portal
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group
creation using Portal Admin tool since this will write to the configured LDAP
server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible
by using JAAS LoginModule, but I just want to get confirmed on this ) and
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat.
Thanks for the reply. Some of your answers are not clear. Can you pls elaborate
on this?? Pls see my comments below.
"Johnson" <[email protected]> wrote:
>
Phil,
Can I use embedded LDAP for production?
Thanks
Lawrence
"Phil Griffin" <BEA> wrote:
"Prashanth " <[email protected]> wrote in message
news:[email protected]..
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group
creation using Portal Admin tool since this will write to the configured LDAP
server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible
by using JAAS LoginModule, but I just want to get confirmed on this) and
>
You can add the external LDAP server just for authentication, but in versions through
8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during
the login process (this check has been removed in SP3). A workaround is to duplicate
the user in a provider that does impl UserReaderMBean.
Prashanth : You mean to say we have to duplicate the User in embedded LDAP server
also??
>>
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
>
Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current
release, the Portal Admin Tools can only be configured to use a single authentication provider
while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
Prashanth : How can we configure Portal Admin tool to use authentication provider
for entitlements??
>>
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat. -
Issue while integrating external LDAP with weblogic
Hi,
I am trying to integrate an external LDAP (OpenLDAP) with WebLogic 10.3. I created a provider and provided the required credentials, and I am able to see the users and groups of the LDAP in the WebLogic console. I am also able to log in to the WebLogic console with the users available in the LDAP after assigning the admin role to the LDAP group. But when I see the user's properties (by clicking on the user in the admin console) it only shows the tabs for General, Password and Group. On the other hand, if I see the users from DefaultAuthenticator, it shows the Attribute tab apart from General, Password and Group.
Can anyone let me know how we can get the Attribute tab for the LDAP users?
thx,
Ajay
Hi Ajay
By default WebLogic has READ ONLY adapters for any External Security Providers that are configured, like any AD Providers. READ ONLY means you can only read the data from the LDAP but not modify it, hence maybe it's not showing the Attributes tag. For Default Authenticator, see the first paragraph note in the Attributes tab, which says the same thing. NOW, maybe WLS can at least show Attributes in READ only format, but it needs some sort of mappings to be defined. Say on the WebLogic side we have firstName, lastName, which on any typical AD will be like sn (surname = lastname), givenname (firstname) etc. This mapping is tough to generalize.
One thing for sure is, from WebLogic you cannot modify or edit any attributes for any user in external AD. If you really want to get those attributes, you may need to use some javax.ldap apis or some 3rd party ready to use tools/apis. I remember WebLogic Portal has a facility to configure an xml file that defines attributes mapping and get all attributes for any user. But again that's in the WebLogic Portal product and not part of WebLogic Server.
If you have any SOA Software, they have some utilities for the same.
Thanks
Ravi Jegga -
Server App not seeing external LDAP users & groups
I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
This is all so much more opaque than our superbly reliable Snow Leopard servers!
TIA
Ok, and again:
You want to see Users and Groups, which are stored in a third-party directory service like OpenLDAP, in your Server.app? This is what you have to do:
Connect the third-party LDAP to your server
Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to log in with them
When you see your LDAP entry in the Directory Manager, change it from "From Server" to "RFC2307"
Edit the entry, add the following mapping to it: GeneratedUUID maps to apple-generateduuid
To your group and user entries in the external LDAP add the following attribute: apple-generateduuid gets the value taken from the output of "uuidgen"
Feel lucky
And there it is; now you are able to use the accounts taken from an external LDAP. -
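The last two steps above, sketched as an added example (not part of the original post): a Python helper that writes LDIF modify records giving each user or group entry a UUID, skipping entries that already have one. The attribute name is the one written in the post and must match your directory's schema; the sample DNs are constructed, and `uuid.uuid4()` stands in for `uuidgen`.

```python
import base64
import uuid


def ldif_line(name, value):
    """Return 'name: value', or base64 'name:: ...' when RFC 2849 requires it."""
    safe = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
        and not any(c in value for c in "\r\n\0")
    )
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def build_uuid_ldif(entries, attr="apple-generateduuid", new_uuid=None):
    """Build LDIF that adds `attr` to every entry lacking it.

    entries: iterable of (dn, attributes-dict) as read from the directory.
    An existing value is kept: regenerating it would give the account a
    new identifier on the OS X side.
    Returns (ldif_text, {dn: assigned_uuid}).
    """
    new_uuid = new_uuid or (lambda: str(uuid.uuid4()).upper())
    records, assigned = [], {}
    for dn, attrs in entries:
        present = {k.lower(): v for k, v in attrs.items()}
        if present.get(attr.lower()):
            continue
        value = new_uuid()
        assigned[dn] = value
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            f"add: {attr}",
            ldif_line(attr, value),
            "-",
        ]))
    ldif = "version: 1\n\n" + "\n\n".join(records) + "\n"
    return ldif, assigned


# Constructed sample entries (not from the original thread).
SAMPLE_ENTRIES = [
    ("uid=jdoe,ou=people,dc=example,dc=com", {"uid": ["jdoe"]}),
    ("uid=asmith,ou=people,dc=example,dc=com",
     {"uid": ["asmith"],
      "apple-generateduuid": ["0F0E0D0C-1111-4222-8333-444455556666"]}),
    ("cn=Zoë Müller,ou=people,dc=example,dc=com", {"cn": ["Zoë Müller"]}),
    ("cn=staff,ou=groups,dc=example,dc=com", {"cn": ["staff"]}),
]

if __name__ == "__main__":
    text, _ = build_uuid_ldif(SAMPLE_ENTRIES)
    print(text)
```

Review the generated LDIF before loading it with your directory's usual import tool, and keep the returned mapping so the same values can be reapplied after a restore.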
Steps to connect an external LDAP
Dear Gurus,
What are the steps to connect an external LDAP like ADS.
Pls let me know the step by step procedure e.g.
creating the admin, guest and ??? users in Portal. Deleting the same from the LDAPs and so on.
Thanks for the help.
Nirmal
Hi,
Check the below link for LDAP connectivity...
Integrated Windows Authentication with SAP EP 6.0 SP 3 and higher Part 1 of 2
Regards
Vasu -
Use of external LDAP server in Weblogic Commerce Server
I'm using the following software:
Iplanet Directory Server v5
Weblogic Application Server v6
Weblogic Commerce v3.5
I need to configure Weblogic Commerce Server to use Iplanet Directory Server directory
services. How do I do that?
I have a couple of questions related to this:
1) As Weblogic Commerce Server runs on top of Weblogic v6, does it mean that to
use an external LDAP server, I need to configure weblogic v6 to do that and not
Weblogic Commerce Server?
2) Whatever may be the case above, how do I do that?
3) config.xml (weblogic application server v6) contains information that needs
to be modified to point to an external JNDI source provider but what information
do I need to modify?
I'd really appreciate if someone can help me out here. Thanks!
"JP" <[email protected]> wrote in message news:[email protected]..
Hi,
I'm looking for someone who has used the Lotus LDAP server for WLP7
authentication.
I connect my portal to the Domino LDAP, User and Groups are working
fine, but the membership of a user to a group is not.
I assume that it's related to the parameters I use (especially the
membership.filter ?):
"user.filter=(&(uid=%u)(objectclass=person));
user.dn=O=Apac;
membership.filter=(&(uniquemember=%M)(objectclass=groupOfNames));
group.filter=(&(cn=%g)(objectclass=groupOfNames));
server.host=jpgal01.apac.bea.com;
group.dn="
Any help would be appreciate, because I just don't where to look for.
Try setting the com.netscape.ldap.trace property.
* When -D command line option is used, defining the property with
* no value will send the trace output to the standard error. If the
* value is defined, it is assumed to be the name of an output file.
* If the file name is prefixed with a '+' character, the file is
* opened in append mode.
This will create a ldap trace file of the requests that WLS is making on the
LDAP server. You can then see
where the filters are not returning the correct value for the group
membership. -
How to authenticate CXF-Webservice against external LDAP in WebLogic?
Hi there,
I'm trying to integrate our Camel-application into WebLogic 12c. All the incoming endpoints are CXF-based webservices. These are secured by "UsernameToken Timestamp" with the WSS4JInInterceptor configured like this:
<bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="UsernameToken Timestamp" />
      <entry key="passwordType" value="PasswordDigest" />
      <entry key="passwordCallbackClass"
             value="de.mycompany.camel.cxf.UserTokenCallbackHandler" />
    </map>
  </constructor-arg>
</bean>
My problem is: WSS4JInInterceptor expects the UserTokenCallbackHandler to return the password of the user delivered in the header <wsse:Username>. Is there any way to retrieve this from an external LDAP configured in WebLogic? I've already managed to retrieve the users, groups etc with JMX (javax.management.MBeanServerConnection and weblogic.security.providers.authentication.LDAPAuthenticatorMBean), but I can't figure out how to authenticate the user against the LDAP, i. e. retrieve the password.
Or am I heading in a completely wrong direction and this is not the way to achieve authentication for CXF-Webservices in WebLogic?
Please give me a hint (code-snippets preferred ;-) ) how to solve this.
Regards,
Frank
I have run into the exact same situation. Did you ever get around this? If so, how? Please let me know.
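Why the callback in the question has to return a cleartext password, as an added example (not code from the original post, CXF or WebLogic): with PasswordDigest the receiver recomputes Base64(SHA-1(nonce + created + password)), while an LDAP server only answers whether a presented password binds, which fits PasswordText. The directory class, account and token values below are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import os


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class BindOnlyDirectory:
    """Constructed stand-in for an LDAP server: it keeps salted hashes and
    only answers whether a presented password binds."""

    def __init__(self):
        self._users = {}

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(8)
        self._users[uid] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def bind(self, uid: str, password: str) -> bool:
        # An empty password is an unauthenticated bind (RFC 4513) and must
        # never be treated as proof of identity.
        if not password or uid not in self._users:
            return False
        salt, stored = self._users[uid]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(stored, candidate)


def check_password_text(directory, uid, password) -> bool:
    """PasswordText: the receiver holds the password, so it can try a bind."""
    return directory.bind(uid, password)


def check_password_digest(cleartext, nonce, created, digest) -> bool:
    """PasswordDigest: the receiver must recompute the digest from the cleartext."""
    if cleartext is None:  # a bind-only directory cannot supply this
        return False
    return hmac.compare_digest(password_digest(nonce, created, cleartext), digest)


def demo():
    secret = "s3cret-Constructed"                            # constructed password
    directory = BindOnlyDirectory()
    directory.add_user("alice", secret)                      # constructed account
    nonce, created = os.urandom(16), "2013-01-01T12:00:00Z"  # constructed token fields
    digest = password_digest(nonce, created, secret)
    return {
        "text_via_bind": check_password_text(directory, "alice", secret),
        "digest_as_bind_password": directory.bind("alice", digest),
        "digest_without_cleartext": check_password_digest(None, nonce, created, digest),
        "digest_with_cleartext": check_password_digest(secret, nonce, created, digest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Validating against a bind-only directory therefore means accepting PasswordText over a TLS-protected transport and binding with it; PasswordDigest works only where the cleartext password can be retrieved.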
-
Identity Server using external LDAP
Anyone have an idea whether ID Server can use an external LDAP server for authentication, like the Policy Server in Portal Server 3?
Wilson.
You typically need to use our JNDI store. We strongly recommend this for
performance reasons..
You can use the JNDI To LDAP bridge which is available from the sun web
site.
Michael Girdley
BEA Systems Inc
"Jack Archer" <[email protected]> wrote in message
news:[email protected]..
I'm trying to find out if it is possible to re-direct JNDI calls to the WL
server to an external LDAP server. I know you can install an external LDAP
server for security purposes, but I would like to use an external LDAP
server to handle all JNDI lookups (like for JNDI EJB name location, etc.).
Is this possible? -
Hi.
Is it possible to use external LDAP server for my UCM server without using external LDAP server for my admin server?
That is I have a domain with admin server and UCM server.
My admin server doesn't have external LDAP.
So is it possible to use external LDAP server for my UCM server in such situation?
And if it is possible, could you give me some information about it?
(sorry for my English)
First of all, thank you for links.
But I have a problem: I configured my own LDAP provider and I can see that 'Connection State' is good (5 out of 5 connections are good), but I cannot log in to UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
Here is my LDAP provider configuration:
Provider Name: MyLDAP
Provider Description: MyLDAP
Connection State: 5 out of 5 connections are good
Last Activity Date: 12/17/12 4:23 PM
Provider Type: ldapuser
Provider Class: intradoc.provider.LdapUserProvider
Provider Connection: intradoc.provider.LdapConnection
Source Path: MyLDAP
LDAP Server: localhost
LDAP Suffix: dc=example,dc=com
LDAP Port: 10389
Number of connections: 5
Connection timeout: 10
Priority: 1
Credential Map:
SSL Enabled: No
Attribute Map: uid:dFullName
Role Prefix: ou=groups
Default Network Roles: guest
Filter Groups: Yes
Use Full Group Name: No
LDAP Admin DN: uid=admin,ou=system
And my LDAP structure:
"dc=example,dc=com"
_____"ou=groups,dc=example,dc=com"
__________"cn=Administrators,ou=groups,dc=example,dc=com"
__________"cn=admin,ou=groups,dc=example,dc=com"
_____"ou=people,dc=example,dc=com"
__________"uid=asdasd,ou=people,dc=example,dc=com"
__________"uid=qweqwe,ou=people,dc=example,dc=com"
In 'cn=Administrators' entry I have 'uniqueMember:uid=asdasd,ou=people,dc=example,dc=com' property
In 'cn=admin' entry I have 'uniqueMember:uid=qweqwe,ou=people,dc=example,dc=com' property
Nevertheless I can't log in to UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
Could you show me my mistake?
Edited by: Michael Baygeldin on Dec 17, 2012 5:34 AM -
External LDAP user only has search privilege in UCM
After I configured external LDAP successfully in the WebLogic console, I can see all users from the external LDAP. The external LDAP users can log in to UCM successfully, but these users only have search privilege. I want external LDAP users to have Admin privilege like weblogic (default in embedded LDAP). How to solve it? Any help will be appreciated greatly! Otherwise, I refer to Oracle's document,
51.1.14 LDAP Users Not Receiving Some Administrator Privileges
UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
How to add external LDAP user to the group of Administrators.
Hi,
You can use Credential Maps to achieve the requirement:
Steps for the same are :
1. Login to UCM - Administration - Credential Maps .
2. Create the map name and the following mapping :
<ldap role> , admin
3. Save the changes
4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
add the following variable there :
ProviderCredentialsMap=<map name created in step 2>
5. Save the changes and restart ucm server .
After that log in with the user who has the ldap role that is mapped in step 2; this user will have the ucm admin role.
Hope this helps .
Thanks
Srinath -
Create external LDAP authentication to SAP via Web Dynpro
Hi Guys,
I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
The user will enter his LDAP user and password and I will check via LDAP connector to grant access to SAP.
The only problem I have is to switch to the SAP user without knowing the SAP password. That's why I need external authentication.
I have been told by a basis expert that I could use Java to achieve this. I have also got the Java coding that the Enterprise Portal uses.
Am I on the right way? Can anybody advise me?
Thanks and best regards
Ali
Hi,
Refer this link and SAP Note
[SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
SNote: 517484
Regards
Preethish