Identity Server using external LDAP

Does anyone have an idea whether ID Server can use an external LDAP server for authentication, like the Policy Server in Portal Server 3?
Wilson.

You typically need to use our JNDI store. We strongly recommend this for
performance reasons.
You can use the JNDI To LDAP bridge which is available from the Sun web
site.
Michael Girdley
BEA Systems Inc
"Jack Archer" <[email protected]> wrote in message
news:[email protected]..
I'm trying to find out if it is possible to re-direct JNDI calls to the WL
server to an external LDAP server. I know you can install an external LDAP
server for security purposes, but I would like to use an external LDAP
server to handle all JNDI lookups (like for JNDI EJB name location, etc.).
Is this possible?

Similar Messages

  • Authentication in weblogic portal server 8.1 sp2 using external LDAP

    Hi,
    I am trying to use external LDAP for authentication.
    I have configured the ActiveDirectoryAuthenticator giving the necessary
    values
    (and added
    "-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthenticator"
    in startWebLogic.cmd)
    and can see the users and the groups from my LDAP provider in the admin
    console and in the admin portal's "users and groups".
    A set of users are given permission to access the restricted site and those
    users are visible in the global role with the permission.
    The web.xml is configured for BASIC auth-method, and the role is
    <externally-defined/> in weblogic.xml.
    Now when I access a restricted page, I am shown a dialog prompt to key in
    the username and password.
    Even when I key in the valid credentials, the restricted page is not shown
    and an "Unauthorized xxx" 401 access error is thrown.
    Any clue on what I am missing?
    Please let me know if any suggestion / idea.
    Regards,
    Arun.

    Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
    In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
    Brad

  • How to configure webcenter services to use external LDAP?

    Reassociating the identity store with an external LDAP server is mandatory only if you're using the Documents service and/or the Discussions service, in which case the WC_Spaces server, Content Server, and Collaboration server must all be configured to use the same external LDAP server.
    The question is how to configure?
    Is there any document which details this?
    Please help! This is urgent.
    Regards

    Refer
    http://docs.oracle.com/cd/E28280_01/webcenter.1111/e12405/wcadm_security_id_store.htm#WCADM1845
    http://docs.oracle.com/cd/E28280_01/webcenter.1111/e12405/wcadm_security_id_store.htm#WCADM345
    Thanks

  • DISPLAYNAME when Using External LDAP

    Hi all,
    I'm using OBIEE 11g (11.1.1.6.0 onwards).
    I'm using an external LDAP (OpenLDAP, MSAD, etc). I'm looking for a way to populate the DISPLAYNAME session variable from the LDAP name attribute so that when logged in, the DISPLAYNAME is shown in OBIEE (instead of USER).
    Is this possible in OBIEE 11g? I remember it's possible in 10g.
    Any suggestion on how to achieve this? Thanks a lot!

    Login to Oracle Enterprise Manager (http://<servername>:7001/em ), navigate to WebLogic Domain > bifoundation_domain > Security > Security Provider Configuration
    then
    In the Identity Store Provider, click on Configure button. In Identity Store Configuration add 2 properties:
    Property name: user.login.attr, Value : sAMAccountName
    Property name: username.attr, Value: sAMAccountName
    Note: sAMAccountName is for MSAD; you need to find out the attribute for some other LDAP.
    Let me know in case of issues.
    Please mark the thread as answered and assign points if the above solution answers your question.
    Regards
    Ankit

  • WLI-8.1 Problem using external LDAP authenticaion provider

    I added a second authentication provider that uses iPlanet DS to authenticate. My external LDAP users show up in the WebLogic Server Admin Console, but they do not show up in the Integration Console's User Management section. I also can't authenticate through the Worklist app as one of the external users. Can anyone help?

    There is a patch available for this. Please check with BEA support.
    Kelly Graves <[email protected]> wrote:
    I added a second authentication provider that uses iPlanet DS to authenticate.
    My external LDAP users show up in the WebLogic Server Admin Console,
    but they do not show up in the Integration Console's User Management
    section. I also can't authenticate through the Worklist app as one
    of the external users. Can anyone help?

  • Messaging server and external LDAP user store

    Is it possible to have an external LDAP application store all user information and then have the messaging server authenticate against it and create a mail profile in its own LDAP instance, similar to the way portal handles LDAP users? If not, what is the best way to store user information outside of the mail server instance? Create an LDAP instance and extend the schema to support the mail classes and then use replication to push the users into the mail server's directory instance?

    Correct, extending the schema on the master directory server and replicating down to the messaging server ldap instance the user info is the way to go.
    This way you do not have to maintain two different sets of user data.
    -Chris

  • Using external LDAP to create a web server

    Hello everyone, I am working on a project for the university I work for. We have an iPlanet LDAP server that contains the identities of everyone (faculty, staff, students). I have set up an experimental OS X server that we'd like to play with; in particular, we'd like to use it as a web server for faculty, etc. I am trying to collect as much information as possible on this topic. I'm learning a lot about Open Directory on the web.
    I would like to know if it's possible to use the OS X server to query the iPlanet LDAP directory to authenticate users' identities and give them web space automatically on the OS X server? Or will we have to perform extracts of data from LDAP and manually synch with the OS X server?
    (We also have an AD environment, but we'll skip that for now because the students aren't in AD... yet.)
    Thanks for any insight.
    MacBook 2Ghz   Mac OS X (10.4.8)  

    You should be able to use /Applications/Utilities/Directory Access to bind the server to the iPlanet directory. Once that's done the standard web installation should automatically handle personal home pages for any user in the directory.
    The web server doesn't talk directly to the LDAP server, it uses the standard system directory services so it doesn't matter what directory server you use.

  • Setting up ACS 3.3 on a member server / use external windows user db

    Hi,
    I've a question referring to setting up an ACS (Version 3.3(1)Build 17 ) on a member server to use windows external user db.
    In step 2 of the installation guide you have to create a computer account named CISCO.
    Is it possible to use another name instead? If yes, how can I manage this?
    Does ACS support a more detailed logfile than the "Failed Attempts" report?
    Any replies appreciated.
    Thanks in advance.
    Regards.

    Dr. Livingstone wrote:
    For Address, I enter 192.168.1.102/ipp/2 and I get 'invalid or incomplete address' for any text entered after 102.
    Like I said, it's been a while...but have you tried 192.168.1.102/ipp/port2 (not just /2) ?

  • External LDAP Server

    Hello.
    Is it possible to configure WebLogic to use external LDAP server, which in turn is "built in" in other WebLogic (at other physical machine)?
    And if it is possible, can I use OracleInternetDirectoryAuthenticator provider for this?
    (sorry for my English)

    Hi
    OID is altogether a different LDAP provider.
    You can try to create an Authenticator of type LDAPAuthenticator and accordingly provide the configurations.
    Check the below note.
    http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#i1199007

  • Usage of external LDAP server with Portal

    Hi All,
    We are in a situation to use external LDAP server with WLP 8.1. These are the
    constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purpose
    If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group
    creation using Portal Admin tool since this will write to the configured LDAP
    server.
    Can somebody answer my question:
    1. Can we use external LDAP server - just for authentication (I know this is possible
    by using JAAS LoginModule, but I just want to get confirmed on this) and
    2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

    Thanks for the reply. Some of your answers are not clear. Can you please elaborate
    on this? Please see my comments below.
    "Johnson" <[email protected]> wrote:
    >
    Phil,
    Can I use embedded LDAP for production?
    Thanks
    Lawrence
    "Phil Griffin" <BEA> wrote:
    "Prashanth " <[email protected]> wrote in message
    news:[email protected]..
    Hi All,
    We are in a situation to use external LDAP server with WLP 8.1. These are the
    constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purpose
    If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group
    creation using Portal Admin tool since this will write to the configured LDAP
    server.
    Can somebody answer my question:
    1. Can we use external LDAP server - just for authentication (I know this is possible
    by using JAAS LoginModule, but I just want to get confirmed on this) and
    >
    You can add the external LDAP server just for authentication, but in versions through
    8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during
    the login process (this check has been removed in SP3). A work around is to duplicate
    the user in a provider that does impl UserReaderMBean.
    Prashanth : You mean to say we have to duplicate the User in embedded LDAP server
    also??
    >>
    2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
    >
    Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current
    release, the Portal Admin Tools can only be configured to use a single authentication provider
    while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
    Prashanth : How can we configure Portal Admin tool to use authentication provider
    for entitlements??
    >>
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, setup is in such a way that Administrators is a group created under following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
    The problem that I am having is when I modify the Admin role in which Administrators group should be added, what exactly should I give in the Admin role? Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
    Regards,
    Neeraj Tati.

  • Getting error in starting identity server and access server in OAM

    Hi all,
    I am new to OAM. I am now trying to do SSO for two different resources. I completed the installations, but while starting the Identity Server the error is "*oracle access manager identity server services on local computer started and then stopped .some services stop automatically if they have no work to do , for example, the performance logs and alters service* ", and while starting the Access Server the error is "*could not start the oracle access manager access server service on local computer. error 1067: the process terminated unexpectedly* ". Can anyone please give me a solution for this error?

    Hi Pokuri,
    Perhaps the Identity Server's oblog.log file has some helpful information in it. One possibility: is the ldap server that the Identity Server uses up and running (and visible on the network)?
    Regards,
    Colin

  • How many entries is embedded LDAP of weblogic 8.1 capable to store ? let's assume we use default LDAP schema being defined in schema.core.xml

     

    "ming qin" <[email protected]> wrote in message news:[email protected]..
    I would like to have entries as users.
    There are a few issues that arise as the number of users increases. The first is management
    of all these users. Will you be able to load/update/manage all of the users via the WLS console?
    You can certainly use external LDAP tools to manage the data in the WLS embedded LDAP
    server, but using an external LDAP server may offer better tools for management than those
    offered in WLS.
    The second is performance. Since the ldap server embedded within WLS uses in-memory
    indices, the time to load the indices and the memory required for storing them increases as
    the number of users increases. 20-50K seems to have reasonable performance.
    The last is extensibility. The WLS default authenticator stores user, description, and password.
    You may have different requirements and want to store additional information.

  • External LDAP for authentication

    Hi All,
    I want to use external ldap for authentication purpose with Access Manager.
    I tried adding this external ldap as a secondary ldap but couldn't succeed.
    If I add this ldap in the primary ldap along with the AM's own ldap, this also fails to authenticate users from the external ldap.
    How can I achieve this?
    I read many topics in this forum regarding this but none of them explain how it can be achieved.
    Please suggest.
    Thanks in advance.

    This is what the amconsole log says:
    ERROR: ConsoleServletBase.onUncaughtException
    java.lang.NullPointerException
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
         at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
         at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
         at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
         at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
         at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
         at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
         at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
         at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
         at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
         at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
         at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
         at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
         at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
         at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
         at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
         at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
         at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
         at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
         at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
         at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
         at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
