GetUserRoles() in SecurityContext returns LDAP group names

Hi,
getUserRoles() in SecurityContext returns LDAP group names along with the application role of the user. Is this expected? If not what could be the possible issue.
I have OVDLDAP configured in the weblogic server.
Thank you.

Hi,
yes, this is expected. OPSS APIs expose application roles and user roles. To distinguish between the two I recommend a naming convention like <name>app-role to identify application roles
Frank

Similar Messages

How to search a property value in a TDMS and return the group name.

Hi.
Please help
I want to search a TDMS file by property value and then return the group names or channels.
I am using labview 8.2 with the connectivity toolkits.

The error # is -2558
I try to close the TDMS file before it reach the search part but still give me the error code -2558
Attachments:
search and read property value per group.jpg ‏77 KB

How to remove prefix from AD group names in ldap auth. provider?

Hi all,
I'm using weblogic 10.3.5 and LDAP authentication provider for accessing microsoft AD.
Group names in AD are created and look like this: PREFIX_basic_user, PREFIX_advanced_user...
but enterprise roles in ADF application are created like this: basic_user, advanced_user...
Is there a way to map AD groups to enterprise roles trough LDAP Authentication provider without adding PREFIX_ on enterprise roles in ADF application?
Thanks in advance

Powershell (or vbscript if you want to be old school).
You can trigger a powershell script which will remove the offending user(s) easily enough with out resorting to a TOLDAP pass. Nearly any script type thing would work but powershell is preferred. It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
Otherwise, TOLDAP is the way to write to AD...
Peter

Not able to get group name by using memberof class, getting Total groups as 0 even I am member of that group.

Not able to get group name by using memberof class, getting Total groups as 0 even I am member of that group. Through this memberof class I am trying to find full qualified name(DN) of my group.
code I have used:
//specify the LDAP search filter
               String searchFilter = "(&(objectClass=user)(CN=Username))";
               //Specify the Base for the search
               String searchBase = "";
Also I have used,
             String searchFilter = "(&(objectClass=user)(CN=Username))";
               //Specify the Base for the search
               String searchBase = "ou=ibmgroups,o=ibm.com";
But in both cases I am getting value for Total groups as 0.
Code Reference:
* memberof.java
* December 2004
* Sample JNDI application to determine what groups a user belongs to
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
public class memberof     {
     public static void main (String[] args)     {
          Hashtable env = new Hashtable();
          String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
          String adminPassword = "XXXXXXX";
          String ldapURL = "ldap://mydc.antipodes.com:389";
          env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
          //set security credentials, note using simple cleartext authentication
          env.put(Context.SECURITY_AUTHENTICATION,"simple");
          env.put(Context.SECURITY_PRINCIPAL,adminName);
          env.put(Context.SECURITY_CREDENTIALS,adminPassword);
          //connect to my domain controller
          env.put(Context.PROVIDER_URL,ldapURL);
          try {
               //Create the initial directory context
               LdapContext ctx = new InitialLdapContext(env,null);
               //Create the search controls
               SearchControls searchCtls = new SearchControls();
               //Specify the search scope
               searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
               //specify the LDAP search filter
               String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
               //Specify the Base for the search
               String searchBase = "DC=antipodes,DC=com";
               //initialize counter to total the group members
               int totalResults = 0;
               //Specify the attributes to return
               String returnedAtts[]={"memberOf"};
               searchCtls.setReturningAttributes(returnedAtts);
               //Search for objects using the filter
               NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
               //Loop through the search results
               while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult)answer.next();
                    System.out.println(">>>" + sr.getName());
                    //Print out the groups
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                         try {
                              for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
                                   Attribute attr = (Attribute)ae.next();
                                   System.out.println("Attribute: " + attr.getID());
                                   for (NamingEnumeration e = attr.getAll();e.hasMore();totalResults++) {
                                        System.out.println(" " + totalResults + ". " + e.next());
                         catch (NamingException e)     {
                              System.err.println("Problem listing membership: " + e);
               System.out.println("Total groups: " + totalResults);
               ctx.close();
          catch (NamingException e) {
               System.err.println("Problem searching directory: " + e);
Any help will be highly appreciated.

Not able to get group name by using memberof class, getting Total groups as 0 even I am member of that group. Through this memberof class I am trying to find full qualified name(DN) of my group.
code I have used:
//specify the LDAP search filter
               String searchFilter = "(&(objectClass=user)(CN=Username))";
               //Specify the Base for the search
               String searchBase = "";
Also I have used,
             String searchFilter = "(&(objectClass=user)(CN=Username))";
               //Specify the Base for the search
               String searchBase = "ou=ibmgroups,o=ibm.com";
But in both cases I am getting value for Total groups as 0.
Code Reference:
* memberof.java
* December 2004
* Sample JNDI application to determine what groups a user belongs to
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
public class memberof     {
     public static void main (String[] args)     {
          Hashtable env = new Hashtable();
          String adminName = "CN=Administrator,CN=Users,DC=ANTIPODES,DC=COM";
          String adminPassword = "XXXXXXX";
          String ldapURL = "ldap://mydc.antipodes.com:389";
          env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
          //set security credentials, note using simple cleartext authentication
          env.put(Context.SECURITY_AUTHENTICATION,"simple");
          env.put(Context.SECURITY_PRINCIPAL,adminName);
          env.put(Context.SECURITY_CREDENTIALS,adminPassword);
          //connect to my domain controller
          env.put(Context.PROVIDER_URL,ldapURL);
          try {
               //Create the initial directory context
               LdapContext ctx = new InitialLdapContext(env,null);
               //Create the search controls
               SearchControls searchCtls = new SearchControls();
               //Specify the search scope
               searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
               //specify the LDAP search filter
               String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
               //Specify the Base for the search
               String searchBase = "DC=antipodes,DC=com";
               //initialize counter to total the group members
               int totalResults = 0;
               //Specify the attributes to return
               String returnedAtts[]={"memberOf"};
               searchCtls.setReturningAttributes(returnedAtts);
               //Search for objects using the filter
               NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
               //Loop through the search results
               while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult)answer.next();
                    System.out.println(">>>" + sr.getName());
                    //Print out the groups
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                         try {
                              for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
                                   Attribute attr = (Attribute)ae.next();
                                   System.out.println("Attribute: " + attr.getID());
                                   for (NamingEnumeration e = attr.getAll();e.hasMore();totalResults++) {
                                        System.out.println(" " + totalResults + ". " + e.next());
                         catch (NamingException e)     {
                              System.err.println("Problem listing membership: " + e);
               System.out.println("Total groups: " + totalResults);
               ctx.close();
          catch (NamingException e) {
               System.err.println("Problem searching directory: " + e);
Any help will be highly appreciated.

Glassfish LDAP group search results in Exception

I'm trying to get my group search running but I keep getting the same exception
java.lang.NullPointerException
     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
     at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
     at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
     at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
There's only on post on the web with the same problem and there is is not fixed.
This is the domain.xml
<auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="directory" value="ldap://myldap:389"></property>
<property name="base-dn" value="ou=Users,o=xxx"></property>
<property name="jaas-context" value="ldapRealm"></property>
<property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
<property name="search-bind-password" value="xxxxx"></property>
<property name="search-filter" value="(&(objectClass=user)(uid=%s))"></property>
<property description="null" name="assign-groups" value="USER"></property>
<property name="group-search-filter" value="(&(objectClass=groupOfNames)(member=%d))"></property>
<property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>
</auth-realm>
Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.
The group I am trying to map is
cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx
And I do the following mapping in glassfish-web.xml
<security-role-mapping>
          <role-name>ADMIN</role-name>
          <group-name>cug-EPSManager-Administrators</group-name>
     </security-role-mapping>
I also have used
-Djava.naming.referral=follow
EDIT:
I also get the following log message indicating that the search-bin-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.
Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]
When I look at the look at the LDAPRealm source code I see it is failing on the following statement
int sz = grpAttr.size();
This looks like to me that it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...
* Search for group membership using the given connection.
private List groupSearch(DirContext ctx, String baseDN,
String filter, String target)
List groupList = new ArrayList();
try {
String[] targets = new String[1];
targets[0] = target;
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(targets);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration e = ctx.search(baseDN,
filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);
while(e.hasMore()) {
SearchResult res = (SearchResult)e.next();
Attribute grpAttr = res.getAttributes().get(target);
int sz = grpAttr.size();
for (int i=0; i<sz; i++) {
String s = (String)grpAttr.get(i);
groupList.add(s);
} catch (Exception e) {
_logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
_logger.log(Level.WARNING, "security.exception", e);
return groupList;
Hope anyone knows the solution.
Coen

Hi Jeong
Can you explain exactly what you're tyring to achieve.
Howard
http://www.avoka.com

How to verify user LDAP group membership

Hi,
we are attempting to determine if a user is a member of a specific LDAP group in our directory and if the user is a member it should return TRUE else FALSE (this is done by defining the LDAP attribute 'CN' (property) which returns a result 'CN=<UserName> or returns 'getting 0 entries'. The query we have is
(&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).
Any pointers on how to do this ?
Thank you.

You could do a couple of things...
1) Install dsquery (add remote AD tools to your box) and run something like
dsquery group -u <user name>
Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.
2) Use powershell functions and powershell capability to check for group membership, something like this:
function Get-GroupMembership($DN,$group){
$objEntry = [adsi]("LDAP://"+$DN)
$objEntry.memberOf | where { $_ -match $group}
//EXAMPLE CALL
Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"
Then you can regex through the output for the "True" or "False" word and run with that.
Either should get you what you want.

Retrieve nested LDAP groups independent from the network env. (five different approaches)

Hi all,
I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
* The script/program must run in different network environments (I can't be sure if there is a global catelog or AD DS or AD LDS, etc). I will write my own program.
* The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
the directory ACL's.
* It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
1) tokengroups attribute:
- The attribute contains Univeral groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
- Returns a list of SIDs which will have to be translated to group names
- The tokenGroups attribute exists on both AD DS and AD LDS
- For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
- quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
- Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
2) tokenGroupsGlobalAndUniversal
- A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
- If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
- other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
sure if this is correct, I think it doesn't contain local groups.
- The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
- Use a recursive search query which returns all nested groups for user at once.
- Returns all groups except for the primary group
- It's a fast approach, see performance test from Richard Mueller:
http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
- It only works on Active Directory, not for other LDAP implementations
4) Recursive retrieval of the memberOf attribute
- Retrieves all groups except the primary group. (also local groups from other domains??)
- works for all LDAP implementations
- executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
- No heavy load to the LDAP
- Needs space to store the user/group info locally (embedded Derby database perhaps)
- Performs fast since the queries are executed locally
- Works for all LDAP implementations
My thoughts on these different approaches:
* appreach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
* approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
* approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
* approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
* approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, databse id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
loops are done locally. It will work for all LDAP implementations.
What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
LDAP host/port and bind user to connect to LDAP).
Thanks a lot!
Paul

I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
LDAP.
Again - note that this question has nothing to do with LDAP or AD. It just asks what group has permissions on what resources.
I really think you would do well to spend time understanding the NTFS and its security along with how we sue security in Windows. By assuming this has something to do with AD you are making it a bigger issue than needed. AD is a repository for
accounts and trusts and manages authentication and security group membership. All file security is managed by the OS that hosts the files and not by AD. Users are not normally granted access to resources through direct inclusion in the DACL but
are given access through membership in one or more groups. Loading AD into a SQLL database will not help you.
¯\_(ツ)_/¯

LDAP Group Membership

I need help. I have a case where an LDAP group shows users as members but some of these users do not show the group in their "Member Of" listing when looking under the Home -> Users-> <userid> listing. What could be causing this. The LDAP group was recently added to the server. Thanks.

Stephen,
One returns an array (table) of groups and the other returns a ":" delimited string. Describing them from SQL Plus returns:
FUNCTION MEMBER_OF RETURNS TABLE OF VARCHAR2(32767)
Argument Name                  Type                    In/Out Default?
P_USERNAME                     VARCHAR2                IN     DEFAULT
P_PASS                         VARCHAR2                IN     DEFAULT
P_AUTH_BASE                    VARCHAR2                IN
P_HOST                         VARCHAR2                IN
P_PORT                         VARCHAR2                IN     DEFAULT
FUNCTION MEMBER_OF2 RETURNS VARCHAR2
Argument Name                  Type                    In/Out Default?
P_USERNAME                     VARCHAR2                IN     DEFAULT
P_PASS                         VARCHAR2                IN     DEFAULT
P_AUTH_BASE                    VARCHAR2                IN
P_HOST                         VARCHAR2                IN
P_PORT                         VARCHAR2                IN     DEFAULTThanks,
Tyler

How can we retrieve the Group name from oid?

Hi:
In following request object, we can get all the user related information from oid except group name where a particular user belongs to.
For instance user id, first name, last name and email etc but we could not get the group name.
PortletRenderRequest pReq = (PortletRenderRequest)
request.getAttribute(HttpCommonConstants.PORTLET_RENDER_REQUEST);
pReq.getUser()……
Please advice, how I we get the hold of group name from orcldefaultprofilegroup (oid)?
I would really appreciate your reply.
Thank you.
- Ali Raza.

I am not sure about the PDK API to get the group name. But using LDAP API its easy to get the User Group.
If you find the answer to get the group name using PDK API, Please update in forum. It will really help others.
--Balaji S

Error while adding LDAP group

Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced few entries with XXXX and YYYY due to security.
LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
LDAP Server Type: Novell eDirectory
Base LDAP Distinguished Name: ou=XXXXX,dc=YY
LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
LDAP Referral Distinguished Name: ""
Maximum Referral Hops: 0
SSL Type: Server Authentication
Server Side SSL Strength: Always accept server certificate
Single Sign On Type: None
When I add any new group then its not added and I get below error message in the Logging directory for WCA.
Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
Parameter name: offset, stack: at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
Can anyone help to find if LDAP is configured correctly before adding group?
Thanks,

Resolved. It was due to wrong LDAP group given to me.
Thanks,

Group name in which a particular user is member

Hi all,
I would like to be able to get the group name in which a particular user is a member.
I have created 2 groups: CHEFS and EMPLOYEES.
The Chefs are members of both groups. The "normal" Employee is the member only of EMPLOYEE group.
I have the navigation plsql portlet. And I would like to enable any links of this portlet only for chefs. At default these are disabled.
Now I make it with the function get_user_group:
=========================================
create or replace function get_user_group
v_username IN VARCHAR2,
v_groupname IN VARCHAR2
return boolean
as
var_groupname varchar2(50);
begin
select upper(name)
into var_groupname
from portal.wwsec_group
where id in (select group_id from portal.wwsec_flat
where person_id in (select id from portal.wwsec_person
where user_name=upper(v_username)))
and name=v_groupname;
return true;
exception
when no_data_found then
return false;
end;
=====================================
But the user needs DBA privileges to select on the tables of PORTAL-User.
I don't want to give this privileges to user.
Is there any other way to get the usergroup?
Regards
Leonid Pavlov

There are portal API's that look like they would do exactly what you are asking for. Take a look at the wwsec_api functions, specifically, is_user_in_direct_group or is_user_in_group in http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/PLSQL/DOC/PLDOC_9026/D:/PDK/pdkjuly/pdk/plsql/doc/pldoc_9026/index.html.
These API's are specific to 9.0.2.6. You'll have to ask someone who knows other versions if you are running something else.

How to get Group Name of current Group Portal session?

How do I obtain the Group Name associated with the Group Portal of the current user session?

Michel,
Thank you that worked. I have a follow up question that I am hoping you can answer.
I am trying to build a drop menu for all the Portal Pages that appear in the nav
bar. The drop down menu items should correspond to the users visible portlets for
each Portal Page.
The following code works if the ProfileIdentity is created for the Group, but does
not return any results if the ProfileIdentity is created with the User.
PagePersonalization pagePersonalization = portalPersonalization.getPagePersonalization(pageState.getPageIdentifier());
if (pagePersonalization != null) {
     Iterator menuItr = pagePersonalization.getPortletPersonalizations();
     while (menuItr.hasNext()) {
          PortletPersonalization portletPersonalization = (PortletPersonalization)menuItr.next();
          String portletName = portletPersonalization.getDisplayName();
Is there another way to obtain the information I am looking for?
Thanks,
Diana
"Michel Bisson" <[email protected]> wrote:
>
Diana,
You can retrieve the group name for the current session as follows:
// Sample code... (disclaimer: not compiled!)
import com.bea.portal.appflow.PortalAppflowFactory;
import com.bea.portal.appflow.PortalSession;
import com.bea.p13n,usermgmt.profile.ProfileIdentity;
PortalSession portalSession = PortalAppflowFactory.createPortalSession(request,
false);
ProfileIdentity profileIdentity = portalSession.getIdentity();
String groupName = profileIdentity.getGroupname();
You can read the Javadoc online http://edocs.bea.com/wlp/docs40/javadoc/wlp/index.html
for the classes used above.
Hope this helps.
Michel.
"Diana" <[email protected]> wrote in message news:3ce1ac7c$[email protected]..
How do I obtain the Group Name associated with the Group Portal of thecurrent user session?

RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

LDAP Groups Authorization

Hi,
I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
I was successfull in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
That works fine, But I would not like all users in my OID LDAP directory to log into my application- Which is why I have created a group for the user I want to include in my OID directory.
Now at the " Builder->Application...->Security->Authorization Schemes->
I have created an Authorization Scheme as "PL/SQL Function returing a booloean" .
My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
return wwv_flow_ldap.is_member
(:APP_USER,
null,
'cn=users,dc=wellesley,dc=edu',
'jadeland.wellesley.edu',
'389',
'wcd_HTMLDB',
'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
I have included 3 users in the group 'wcd_HTMLDB' .
Still the login page allows all LDAP user ( and not just the 3 from the 'wcd_HTMLDB' group.
Where did I go wrong -?
What 's the proper way to authorise only LDAP users in a group ?
Any help would be really appreciated.
Thanks .

Indira,
The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather that once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
Scott

Get the groups name of a user in openldap authenticator

Hi,
I am using an openldap for user authentification. How can i retreive the groups name of a user ? I read that i must use the GroupManagerControl class.
What is the way to specify the openldap authenticator using the above class ?
Thanks for help.

If you are referring to a user's group membership in the Active Directory, then indeed JNDI & LDAP can be used to retrieve these values.
If you are referring to a user's local groups on their own workstation, then you may want to investigate either the JNDI NTLM provider or perhaps the Samba JCIFS stuff.

GetUserRoles() in SecurityContext returns LDAP group names

Similar Messages

Maybe you are looking for