Getting the LDAP credential to do a SSO

Similar Messages

• Why can't I get my Mac to like the LDAP server?

  On Monday I started hammering away at getting the LDAP server setup on the Linux server with openldap. I was able to get a test Mac running Leopard to see the LDAP server and the accounts. The next battle was to get home directories to mount under /home. I was about to do that after finding a working ldif example using automaster and autohome. After that I was able to get the Public share automatically mounted on /Network/Public. Wonderful!
  Tuesday I came in thinking that the next battle would be with Samba. Unfortunately, somewhere in powering off the Mac and rebooting it, I lost all the share mounting! It still sees the accounts, but it absolutely will not see the mounts. In trying to figure it out I have wiped the LDAP database and restarted it, I have wiped the test Mac twice, I have made sure the Mac is running the latest updates, and still nothing.
  If I go into dscl this is now what I see:
  ls Automount/
  Record Name Unknown
  Record Name Unknown
  ls AutomountMap/
  Record Name Unknown
  Record Name Unknown
  cat Mounts/10.110.1.1:\/share\/public/
  dsAttrTypeNative:cn: 10.110.1.1:/share/public
  dsAttrTypeNative:objectClass: mount top
  AppleMetaNodeLocation: /LDAPv3/10.110.1.1
  RecordName: 10.110.1.1:/share/public
  RecordType: dsRecTypeStandard:Mounts
  On the LDAP server, the records look like:
  dn: automountMapName=auto_master,ou=mounts,dc=example,dc=com
  automountMapName: auto_master
  objectClass: top
  objectClass: automountMap
  dn: automountKey=/home,automountMapName=auto_master,ou=mounts,dc=example,dc=com
  objectClass: top
  objectClass: automount
  automountKey: /home
  automountInformation: auto_home
  dn: automountMapName=auto_home,ou=mounts,dc=example,dc=com
  automountMapName: auto_home
  objectClass: top
  objectClass: automountMap
  dn: automountKey=*,automountMapName=auto_home,ou=mounts,dc=example,dc=com
  objectClass: top
  objectClass: automount
  automountKey: *
  automountInformation: 10.110.1.1:/home/&
  dn: cn=10.110.1.1:/share/public,ou=mounts,dc=example,dc=com
  mountDirectory: /Network/Public
  objectClass: mount
  objectClass: top
  mountType: nfs
  cn: 10.110.1.1:/share/public
  It looks like for some reason it's either missing entries from the LDAP server, and/or it's ignoring some of the mapping and leaving them out. The Mounts entry is missing the VFSLinkDir which maps to mountDirectory. The Automount stuff is missing the RecordName which maps to automountKey and automountMapName.
  What the heck happened? Why does the Mac refuse to see the LDAP server the way it did on Monday?

  I am having something similar going on and can't sort out what it is doing:
  ldiffs:
  dn: automountMapName=auto_master,dc=example,dc=edu
  objectClass: top
  objectClass: automountMap
  automountMapName: auto_master
  dn: automountKey=/foo,automountMapName=auto_master,ou=Mounts,dc=soe,dc=ucsc,
  dc=edu
  objectClass: automount
  automountKey: /foo
  automountInformation: auto.foo,dc=example,dc=edu -rw,resvport,
  hard,intr,nosuid,tcp
  Second one:
  dn: automountMapName=auto.foo,dc=example,dc=edu
  objectClass: top
  objectClass: automountMap
  automountMapName: auto.foo
  dn: automountKey=tstaff,automountMapName=auto.foo,dc=example,dc=edu
  objectClass: top
  objectClass: automount
  automountInformation: fileserver:/export/foo/tstaff
  automountKey: tstaff
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 name=tstaff[] map=auto.foo,dc=example,dc=edu opts=rw,resvport,hard,intr,nosuid,tcp path=/foo direct=0
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 getmapent_ds called
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 getmapent_ds: key=[ tstaff ]
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 ds_match called
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 ds_match: key =[ tstaff ]
  9/25/09 11:45:25 AM com.apple.automountd[1101] t0xb0289000 ds_match: Searching for tstaff,automountMapName=auto.foo,dc=example,dc=edu
  9/25/09 11:45:25 AM automountd[1101] ds_search failed
  exiting ...
  It seems like it can't find the trigger point tstaff. It is looking for:
  ds_match: Searching for tstaff,automountMapName=auto.foo,dc=example,dc=edu
  which isn't what the DN is in ldap:
  Distinguished Name: automountKey=tstaff,automountMapName=auto.foo,dc=example,dc=edu
  any thoughts?
  regards,
  Derek

• How does the LDAP authentication process?

  Hi All,
  In SAP KB1384915(https://bosap-support.wdf.sap.corp/sap/support/notes/1384915), BOE client authentication's process is described as follows:
  1. The BOXI SDK calls the login on the BOXI client plugin (passing username & password).
  2. The BOXI client plugin passes the username and password to the third-party authentication server. This may be an LDAP server, or a Windows Active Directory server, or any other server that the BI Platform supports.
  3. The third-party authentication server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
  4. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
  At this point the handshake process may be finished, or it may continue
  5. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
  Authentication always ends on the server side.
  6. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
  Question about LDAP auth,
  I think that the client plugin doesn't know LDAP server's hostname & portnumber at the time of step2.(BOE server only knows it)
  So I think, the client will access to BOE server to get the LDAP-related informations before the step.
  Would you please tell me whether the following process is correct?
  1. The BOXI SDK calls the login on the BOXI client plugin.
  2. The client plugin gets LDAP-related information (LDAP hostname, portnum, base DN etc) from BOE server.
     At this step, client plugin DOESN'T pass the username&password to BOE Server. Only get informations.
  3. The client plugin passes the username and password to the LDAP server.
  4. The LDAP server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
  5. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
     At this point the handshake process may be finished, or it may continue
  6. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
     Authentication always ends on the server side.
  7. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
  Thanks&regards,
  Tadashi

  Hi,
  in a BOE Environment the CMS does all of the authentication processes. So i would say that the Client passes the LDAP informations entered by the user to the CMS and the CMS does the authentication on behalf of the client.
  If you need an official Statement, i would recommend you open a Support Message with the SAP Support.
  Otherwise you could monitor the network traffic during the Authentication of the Client. There you should see if the Client communicates directly with the LDAP Host or only with the CMS.
  Regards
  -Seb.

• Exact syntax for the LDAP Username Edit Function

  Hi,
  I have followed the How-To on setting up LDAP as an authentication method but I am having trouble specifying the "Username Edit Function".
  I have a database table which contains a list of user email addresses and associated distinguished name (dn) as stored in an external LDAP...I populated this table using DBMS_LDAP. I want to allow the user to enter his/her email address and email password and execute a small lookup function (GET_DISTINGUISHED_NAME) to fetch the corresponding DN and pass it along to the built-in LDAP authentication.
  I have tried several things to get this to work such as:
  "get_distinguished_name(p_username)" - Returns ERR-10412 and then ORA-06550: line 2, column 1: PLS-00801: internal error [22503] ORA-06550: line 2, column 1: PL/SQL: Statement ignored.
  "get_distinguished_name(p_username);" - same as above.
  and so on. Rather than list each and every attempt here, could someone tell me what the syntax should be for specifying this function call?
  Thanks in advance,
  Ted

  Hi, Sergio
  Thanks for this. I had read the "Using LDAP for Login Authentication" document but I guess I did not correctly understand the "Enter 'return your_function;'" instruction properly...I thought I had to pass p_username as a parameter to my function. After ensuring that "p_username" was the name of the parameter in my function definition, I hit another error but another post in this forum showed me how to fix that issue (Re: Error ERR-10416 Error executing wwv_flow_custom_auth_ldap.authenticate Nov 20, 2003 5:24 PM ) and I am now able to get the LDAP Tool to authenticate okay.
  Do you think I can dynamically set the value for the "LDAP Host" field? We actually have two different email systems (results of a recent merger) and I'll need to find a way to have my LDAP authentication go against one or the other, depending upon what organization they were originally from. I can get this LDAP Host IP Address from my database tables but I am not sure how I could set it within the Authentication Scheme. Could I do something in the "Pre-Authentication Process"?
  Ted

• Get the user name of  sso user who  logged in from my partner application

  Hello,
  I have created a jsp web application and i registered it under oracle sso server. How can i get the user_name of the user logged in to the sso server from my web application in order to personalize my web page ???
  Thanks in advance.

  Hi zeliko,
  Have you tried request.getRemoteUser() or request.getHeader("Osso-User-Dn")?
  -Vinod

• How to Get  the SSO Logged user information in database trigger

  I need to track which SSO user is inserting data into a table , so how can i get the information of that user in a database trigger on that table
  thanks

  Try using portal30.wwctx_api.get_user returns a varchar2 (PUBLIC) or the Username that is logged in
  I need to track which SSO user is inserting data into a table , so how can i get the information of that user in a database trigger on that table
  thanks

• Where to get the SSO ticket for a JCO-Connection from?

  Hey All,
  The szenario is, I've got a Java application and I want to connect to a SAP System. For this I want to use SSO. In the documentation of JCO I found this phrase:
  For SSO specify the user to be $MYSAPSSO2$ and pass the base64 encoded ticket as as the passwd parameter.
  Well... Now my question... Where to get this base64 ticket from? The problem is, I'm NOT using WebDynpro, it's a custom application running on client side. Now how to get the needed information? (PSE?)
  It would be great when you could give me a clue.
  Best regards,
  Kristian

  This linksactualy leads to the same place I mentioned where
  it installs the
  player over the Internet
  Another thing is that these players are said to be different
  for different
  browsers which means they are working together with a
  browser. I am looking
  for a player which allows to play SWF file directly, without
  a browser.
  I have such a player installed together with FLASH-8 - I am
  looking for
  such a player
  "DMennenoh" <[email protected]> wrote in
  message
  news:e2qgmu$t5r$[email protected]..
  > Does this help:
  >
  http://www.macromedia.com/shockwave/download/alternates/
  >
  > --
  > Dave -
  > Adobe Community Expert
  > www.blurredistinction.com
  > www.macromedia.com/support/forums/team_macromedia/
  >
  >

• How can i get the list of all users present in the LDAP

  Hi Experts,
  How can i get the list of all users present in the LDAP ?
  Is there any API or function Code to get all user list??
  Please help me out!!!
  Help will be rewarded

  Well it will depend on exactly where your UME configuration points to in the LDAP tree but yes, it is possible to get all users.  Something like the following should do it:
  import com.sap.security.api.*;
  import com.sapportals.portal.prt.component.*;
  IUserFactory iuf;
  ISearchResult isr;
  IUser user
  String userid;
  iuf = UMFactory.getUserFactory();
  isr = iuf.getUniqueIDs();
  you will need to iterate the ISearchResult object but you can get IUser objects by
  userid = (String)isr.next();
  user = iuf.getUser(userid);
  then you can imanipulate / identify / or whatever you need with the user object
  Haydn

• How to get the value of passwordexpirationtime at LDAP

  LDAP Gurus,
  I want to sent an email notification before user's password is expired, so I need get the value of attribute "passwordexpirationtime" for all the users.
  while I tried a lot of ways, but I can not see and get the value.
  e.g command and output of 1 user as follow
  ldapsearch -p 370 -h ldapserver.abc.com -b 'ou=People,dc=abc,dc=com' objectclass=*
  dn: uid=user1,ou=People, dc=abc,dc=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetorgperson
  objectClass: posixAccount
  objectClass: shadowaccount
  givenName: John
  sn: Paul
  description: John Paul
  loginShell: /bin/bash
  gidNumber: 9042
  uidNumber: 9042
  uid: user1
  cn: John Paul
  gecos: John Paul
  homeDirectory: /export/home/user1
  Question:
  which ldap command and options can be used to get the value of attribute "passwordexpirationtime" for all the users.
  Environment:
  Sun Directory Server 5.2_Patch_4
  Thanks you in advance.

  Thanks your guys help first.
  1.we need send email notification to user before password expired as a lot of users not often login servers(UNIX) and they even can not get password expired prompt, these users are personal UNIX users, not service users. we need the value of passwordexpirationtime to do a script to send email.
  2. I tried these command you advised, while still can not get the value of passwordexpirationtime.
  1)ldapsearch -p 370 -h ldapserver1.abc.com -b 'ou=People,dc=abc,dc=com' objectclass=* passwordexpirationtime
  dn: uid=d411,ou=People, dc=abc,dc=com
  dn: uid=user2,ou=People, dc=abc,dc=com
  2)ldapsearch -p 370 -h ldapserver1.abc.com -b 'ou=People,dc=abc,dc=com' objectclass=passwordobject passwordexpirationtime
  ldapsearch -p 370 -h ldapserver1.abc.com -b 'ou=People,dc=abc,dc=com' objectclass=passwordobject
  output is nothing.
  3.Enrique mentioned about passwordobject object class to have access to the passwordexpirationtime attribute. I am not sure if it has been
  granted/defined or not.while I check the DS GUI as follow(sorry I can not past screenshoot here, so I need describe as follow)
  when I go to DS server GUI, configuration->Schema and select "passwordobject" under Standard Object Classes(Read-Only), I can see there are "passwordExpirationTime" Under Allowed Attributes.
  if NOT, what I need do to grant the access (or through create custom object), how this will affect our ldap server as ldap server is very critical.
  4.I did above ldapsearch using unix root user, do I need use ldap directory manager user to do search, if so , how I can put manager username/password into ldapsearch command?
  Again thank all your help.

• How can I get the people's attribute from LDAP?

  The LDAP Server is Netscape Directory Server 4.1.
  I have been trying to connect to my LDAP server from WLS, but when I try to get an Attributes , I get a "No attributes".
  The source code is following:
  Hashtable env = new Hashtable(11);
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://10.0.1.253:389/o=rl.com");
  // Create the initial directory context
  DirContext ctx = new InitialDirContext(env);
  // Ask for all attributes of object
  Attributes attrs = ctx.getAttributes("uid=joe,ou=People");
  // Find the surname ("sn") and print it out
  System.out.println("sn: " + attrs);
  dn: uid=joe,ou=People, o=rl.com
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: inetOrgPerson
  cn: Joe Ken
  uid: joe
  givenName: Joe
  sn: Ken

  When you initialize the context, you must have read priviledges.
  I have resolve it.
  Cui Qiang <[email protected]> wrote in message
  news:39fe94ac$[email protected]..
  >
  The LDAP Server is Netscape Directory Server 4.1.
  I have been trying to connect to my LDAP server from WLS, but when I tryto get an Attributes , I get a "No attributes".
  The source code is following:
  Hashtable env = new Hashtable(11);
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://10.0.1.253:389/o=rl.com");
  // Create the initial directory context
  DirContext ctx = new InitialDirContext(env);
  // Ask for all attributes of object
  Attributes attrs = ctx.getAttributes("uid=joe,ou=People");
  // Find the surname ("sn") and print it out
  System.out.println("sn: " + attrs);
  dn: uid=joe,ou=People, o=rl.com
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: inetOrgPerson
  cn: Joe Ken
  uid: joe
  givenName: Joe
  sn: Ken

• How can i get the SSO to work successfully?

  How can i get the SSO to work successfully?  I followed the note for configuring infoview with ad sso using kerveros & .net.
  Adding the AD group into the win ad authentication configuration page creates the user group but the members of the group aren't being pulled in when I go to the group and select / query the users tab

  Bart,
  By default the setting for update options on the Windows AD tab of authentication does not actually create the aliases until the user attempts to login the first time. We set it this way to prevent a huge group of alias's being created when the administrator sets up Windows AD and also so that only user aliases for users actually using the system get created.  You can change this behaviour though if you like.  Simply change the radio button option to 'New Aliases will be added and new users will be created' this will create the accounts for you when you hit the update button.  If you have a large group your adding I would wait until and afterhours time when you have less activity as this will impact CMS performance while it creates all the accounts.

• Ldap query to get the users of a OU

  Hi,
  I want to get the available users into a OU and the query I'm using is like this:
  (OU=Departamento Informatica,DC=mydomain,DC=com)
  There is a user into this OU so when I do the LDAP test query the user shuld be returned but the result is 0.
  Can anybody help me or tell me which must be the correct query?
  Thanks in advance.
  Regards.

  This can be done either by dsquery or Powershell commands (Like
  Get-ADUser).
  For dsquery, I would recommend that you refer to this Wiki article initiated by Richard for more details about LDAP filtering: 
  http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters-en-us.aspx
  dsquery * "OU=TargetOU,DC=CONTOSO,DC=COM" -filter "(&(objectcategory=person)(objectclass=user))"
  For Get-ADUser, all you need is to specify your OU as the search base:
  Get-ADUser -SearchBase "OU=TargetOU,DC=CONTOSO,DC=COM" -Filter *
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• How to get the SSO user from PL/SQL with Windows native authen

  I connect to a 10g daabase using SSO through Windows Native Authentication wher the OID user mapps to a single Database user.
  I need to get the SSO user from pl/sql
  My fornt end is Portal & Forms

  Hmm, I see.
  Well your problem boils down to being in the database and needing to have access to web environment variables. The SSO sets specific variables in the environment but your stored procedure is not privy to them.
  Now having said that, note that the mod_plsql Web Toolkit has a utility for accessing cgi variables. For instance,
  owa_util.get_cgi_env('Osso-User-Dn')
  If your web application cannot capture the SSO info and pass it to the stored proc in a parameter, OWA may be the only way.
  Check out the Single Sign-On Developers Guide, specifically the part about developing statically protected PLSQL applications.
  Hope this helps.
  regards,
  tt

• How do get the role from ldap session.

  i am using the follwing getting the role from the request in openldap and j_security_check:
  f(request.isUserInRole("manager")){
  how can i use this in the session:

  You might wanna change permissions for that attribute ...
  Change it from Admin to OWNER and you should be able to then get it for any user ...
  HTH ..

• Why do I get error "The LDAP server is unavailable" while connecting to external domain via sync connection in SharePoint UPSA ?

  Hello,
  I am trying to connect to external domain via UPS Account having "Replicate Directory changes" permission on external domain while creating sync connection in UPSA.
  I have checked below URLS :
  http://social.technet.microsoft.com/Forums/en-US/1912bf88-8fec-4b5d-9d1e-a42db8318e33/ldap-server-is-unavailable-sharepoint-2010-user-synchronization?forum=sharepointadminprevious
  http://social.technet.microsoft.com/Forums/en-US/6525d3aa-9197-42a2-aea0-190b84ac8356/the-ldap-server-is-unavailable?forum=sharepointadminprevious
  And looks like its network connectivity issue - and hence I have verified that port 389 is open by infra team.
  Note : I am able to connect to local AD , does it make sense that port is not open for external domain ? 
  Can anyone please let me know what can be the issue ? 
  Your help will be highly appreciated as I am struggling to fix this issue since  quite long time but no luck yet.
  Thank you in advance.
  Kind regards,
  Dipti Chhatrapati

  Hi Dipti,
  If you have Two-Way trust relationship then not sure if you have tried below:
  Create a folder on the SharePoint server
  Go to Folder properties - Security tab
  Try adding user of the external domain on the folder
  Please let us know if you are able to add the user or not. If you are able to add then it means that the connection and trust is proper and you should be able to create sync connection in UPA without any issues or else there is some issue with the connectivity
  or the trust which is configured.
  Please also make sure that you have given permissions to sync account as per below TechNet:
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Replicate Directory changes permissions are also required on cn=configuration container, below are the steps:
  Grant Replicate Directory Changes permission on the cn=configuration container
  Use this procedure to grant Replicate Directory Changes permission on the cn=configuration container to an account.
  To grant Replicate Directory Changes permission on the cn=configuration container
  On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
  If the Configuration node is not already present, do the following:
  In the navigation pane, click ADSI Edit.
  On the Action menu, click Connect to.
  In the Connection Point area of the Connection Settings dialog box, click Select
  a well know Naming Context, select Configuration from the drop-down list, and then click OK.
  Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.
  In the Properties dialog box, click the Security tab.
  In the Group or user names section, click Add.
  Type the name of the synchronization account, and then click OK.
  In the Group or user names section, select the synchronization account.
  In the Permissions section, select the Allow check box next to the Replicating
  Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
  Kind regards,
  Bhavik K Jain
  Please ensure that you mark a question as Answered once you receive a satisfactory response.