Integrating LDAP/AD users to access servers console's

Similar Messages

• OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

  I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
  1) Create a standard authentication/security process at an enterprise level
  2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
  3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
  4) non-EBS users must go through the OBIEE portal
  5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
  So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
  For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
  My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in an corporate-LDAP store, I was thinking to setup a dual authentication store that connects to both corporate-ldap(EBS) and the WLS-integrated LDAP(non-EBS).
  Will this work? Does anyone have a better approach they'd like to share?

  Please post the details of the application release, database version and OS.
  We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
  It could be related that OAM generated cookies are not recognized by embedded OBIEE.
  Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
  For urgent issue, please always log a SR.
  Thanks,
  Hussein

• How to create Users/Roles for ldap in weblogic without using admin console

  Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
  or is there any ant script for creating USers/Roles?
  Regards,
  Raghu.
  Edited by: user9942600 on Jul 2, 2009 1:00 AM
  Edited by: user9942600 on Jul 2, 2009 1:58 AM

  Hi..
  You can use wlst or jmx to perform all security config etc.. same as if it were perfomred from the admin console..
  .e.g. wlst create user
  ..after connecting to admin server
  serverConfig()
  cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
  cmo.createUser("userName","Password","UserDesc")
  ..for adding/configuring a role
  cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
  cmo.createRole('','roleName', 'userName')
  ...see the mbean docs for all the different attributes, operations etc..
  ..Mark.

• PIX Users Cannot Access Other Websites & Email Servers on Same-Shared T1 Co

  We are sharing a T1 connection with another business in our building. They have their own separate network environment from mine. I have a Windows 2003 Small Business Server behind a PIX-501 and the users in my network connect to the Internet via Windows Server?s DHCP and Internet sharing (NAT) services.
  All Internet and email traffic is accessible except for those hosted by the other company who we're sharing a connection with. My users cannot access that company?s web server or send email to their email server (we all get 4.4.7 SMTP errors? days later after sending the message).
  They have no firewall on their end; which is why I think there may be something wrong with my PIX configuration (see attached config file). I'm sort of a newbie with the PIX CLI, so any help I can get could be great. Thanks in advanced!

  The problem is not with PIX. This is a common problem when sharing a T1 link as it creates a routing problem since routing cannot be done based on shared T1 channels. Your PIX config is fine and has nothing to do with this issue.

• How to change LDAP server setting in Access Manager 6.2

  Hi,
  We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
  /etc/opt/SUNWam/config/AMConfig.properties
  conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
  Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
  Does anybody know what I am missing here?
  Regards,

  After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
  "dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
  vices,dc=company,dc=com" in one of the master DS I have.
  Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
  Hope it helps to someone....
  -Bora

• Unable to access Admin Console

  Hi,
  I have installed Oracle Database11g and WebLogic 10.3.0 Application Server successfully in LINUX-64 bit environment. At the end of OIM server 9.1.0.1 it displays "The Oracle Identity Manager Application Server setup has some problem. Refer OIM_HOME/Xellerate/logs/setup_weblogic.log for information about the problem" in the console. So, when i able to access Admin console. It throws Error:404.
  Also setup_weblogic.log has the following error details
  BUILD FAILED
  /oracle/oimserver/xellerate/setup/setup.xml:443: The following error occurred while executing this line:
  /oracle/oimserver/xellerate/setup/weblogic-setup.xml:196: Could not create task or type of type: wlst.
  Ant could not find the task or a class this task relies upon.
  Also nexaweb.war and xlWebApp.war is missing in Weblogic console page-> Deployment tab.
  I have reinstalled the weblogic and OIM again but still getting the same problem..
  Please help me to resolve this issue.
  Thanks in advance.
  Regards
  Katheresh
  Edited by: Katheresh on May 10, 2010 9:47 PM

  Hey Kathy
  did you setup ORACLE_HOME to weblogic_home, JAVA_HOME and added java to PATH. Also do you have any other ANT installed on your server.
  Have you checked the OIM certification matrix for the version of various components like OIM, Weblogic and Database.
  If you are sure that you did all this correctly, then perform the following:
  The nexaweb classloader error is seen at times prior to performing the post installation steps. Then make a backup of the weblogic domain directory and the <OIM_HOME> directory.
  1. Please continue and perform the postinstallation steps.
  2. Restart the server
  3. In the weblogic console, shcek to see that the xellerate and nexaweb applications have an "ok" status.
  4. If not:
  a. Please upload the oim server log.
  b. Using the WebLogic console undeploy all oim applications including, xellerate, nexaweb and, if there, XIMDD, and SPML.
  c. Delete the directory <OIM_HOME>/xellerate/webapp/precompiled
  d. Delete the xellerate.ear and Nexaweb.ear from the directory <OIM_HOME>/xellerate/OIMApplications (Note: do this on all nodes of the cluster)
  e. Delete the ant_backup.jar, optional_backup.jar and xercesImpl_backup.jar files from the OIM_HOME/xellerate/ant/lib directory.
  f. Delete the xellerate and Nexaweb directories from the BEA_HOME/user_projects/domains/DOMAIN_NAME/servers/AdminServer/tmp/_WL_user directory.
  g. Delete the xellerate and Nexaweb directories from the BEA_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/tmp/_WL_user directory.
  Delete the xellerate and Nexaweb directories from the BEA_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/stage directory.
  h. In the OIM_HOME/xellerate/setup/weblogic-setup.xml file:
  i. Search for the following element:
  <wldeploy action="deploy"
  source="${WL_APP_LOCATION}/OIMApplications/WL${application.filename}"
  name="Xellerate"
  user="${weblogic_login_user}"
  password="${weblogic_login_password}"
  verbose="true"
  adminurl="t3://${weblogic_server_target_url}:${weblogic_server_admin_port}"
  debug="${action.deploy.debug}"
  targets="${wl.deploy.target}" />
  ii. Add a timeout value of 5400 as shown:
  <wldeploy action="deploy"
  source="${WL_APP_LOCATION}/OIMApplications/WL${application.filename}"
  name="Xellerate"
  user="${weblogic_login_user}"
  password="${weblogic_login_password}"
  verbose="true"
  adminurl="t3://${weblogic_server_target_url}:${weblogic_server_admin_port}"
  debug="${action.deploy.debug}"
  targets="${wl.deploy.target}"
  timeout="5400" />
  i. Restart the WebLogic server and managed servers.
  j.Open a terminal session and export the the JAVA_HOME and PATH environment variables.
  k. In the same terminal session, change to the directory <OIM_HOME>/xellerate/setup
  l. Run "patch_weblogic.sh"
  This should reinstall that xellerate applications on WebLogic.
  Hope this helps.

• Error in OAM Identity and Access Servers login pages

  Hi All,
  I am trying to install OAM I completed all installations . But now am getting error as invalid "*Invalid credential*". IS there any process to know what the userid and password for the both Identity and Access Servers . Please tell me if there is any process. It very helpful to me .
  Thank u & Regards
  Pokuri

  Hi Pokuri,
  Could be that the searchbase is wrong, so that OAM is not finding the user whose credentials you are entering. Or, maybe OAM is using a different attribute as the login attribute (for example, you could be entering the cn when OAM is expecting the uid).
  Try binding to ldap with another utility (such as ldapbind or ldapsearch) to see if this gives any indications. You may need to reconfigure the Identity Server to verify/correct the searchbase (for this, follow note 730376.1) and to check which attribute has the "Login" semantic type in OAM.
  Regards,
  Colin

• Can't access the console - Authentication failed

  Hi,
  I've just finished with DS and AM setup (consecutively).
  The AM setup was done with Configure Now JES wizard, with Webserver, everything on the same machine - remote doesn't work. Everything fine.
  When I try to access the console, I always get the message:
  "Authentication failed.
  Return to Login page"
  I've tried admin, amldapuser, amadmin, amAdmin.
  The logs in Directory Server says:
  [01/Nov/2006:02:50:44 -0300] conn=137 op=10 msgId=489 - SRCH base="dc=caverna,dc=net" scope=2 filter="(uid=amadmin)" attrs="dn uid"
  [01/Nov/2006:02:50:44 -0300] conn=137 op=10 msgId=489 - RESULT err=0 tag=101 entries=0 etime=0
  amAuthentication.access:
  "2006-11-01 02:47:25" "Login Success|module_instance|Application" Application AUTHENTICATION-105 dc=caverna,dc=net 31329a31876dc65001 INFO "cn=dsameuser,ou=DSAME Users,dc=caverna,dc=net" "Not Available" "cn=dsameuser,ou=DSAME Users,dc=caverna,dc=net" "Not Available"
  and amAuthentication.error:
  "2006-11-01 02:50:44" "Login Failed" LDAP AUTHENTICATION-200 dc=caverna,dc=net "Not Available" INFO "Not
  Available" 192.168.254.1 "cn=dsameuser,ou=DSAME Users,dc=caverna,dc=net" beta.caverna.net
  "2006-11-01 02:50:52" "Login Failed" LDAP AUTHENTICATION-200 dc=caverna,dc=net "Not Available" INFO "Not
  Available" 192.168.254.1 "cn=dsameuser,ou=DSAME Users,dc=caverna,dc=net" beta.caverna.net
  Any suggestions?
  Best regards,
  Luiz Felipe.

  I can't remember very well, but I think I reinstalled AM and DS, But I can't remember very well.
  BTW, I'm gently answering your question suggesting this tip, but I've gave up about JES. So, don't trust me a lot ;)
  Maybe I will try the 2006 version... maybe.
  Message was edited by:
  luizfox

• Integrated LDAP authentication and now BAM start page is very slow to load

  Hi, all~
  I have a fresh install of BAM 10.1.3.3 with the 10.1.3.4 patch applied.
  I've reviewed the BAM installation guide and LDAP integration tech note, and have been able to successfully integrate BAM with our LDAP, where "successful" means that I'm able to provide my own LDAP credentials and log in to BAM.
  However, the BAM start screen now consistently takes somewhere on the order of 1-2 minutes to load... so I guess I'm wondering if there's a common cause for this sort of error?
  Any suggestions of things to check would be appreciated.
  Thanks,
  - Nathan

  For whatever it's worth, the solution in our case was to decouple BAM (10g) from LDAP.
  User administration becomes a slightly more manual process in this case, but the BAM pages load almost instantly for users now, whereas before for some users it would take as much as 10 minutes for a page to load following their logging in.
  Another benefit from LDAP decoupling is that IIS is able to do Windows integrated login for users, meaning that the users don't need to provide a login and password any longer.
  The one "gotcha" that was encountered had to do with IIS realms and creating JDeveloper connections to the BAM server following the decoupling. From our testing, under IIS -> Web Sites -> Default Web Site -> Properties -> Directory Security (tab) -> "Authentication and access control" Edit button, the following needs to be specified:
  Check only "Integrated Windows login" and "Basic authentication"
  Specify a "Default domain" by pressing the Select button and choosing an appropriate domain
  From there, in your JDeveloper BAM connection, be sure to include the selected domain in your connection properties.
  - Nathan

• How can I allow users to access SQLPLUS?

  Hi everyone,
  I have been charged with the task of creating an Oracle server on a CentOS VM. Installation and configuration is complete and SQL is working fine for the database admin user "oracle." I copied the environment variables to the .bashrc file for "oracle" and SQLPLUS starts without a hitch.
  Here is where I need a little guidance...
  I need to create basic Linux user accounts that will have access to the database, so they can then in turn log into their SQLPLUS accounts. The problem is, all of the database files and software are in located in the user "oracle's" directory. This means that no one but "oracle" and root have access to these files because they are the only ones with proper permissions.
  Before I put a ton of time into this, I thought I would pose these questions to the Oracle Linux community:
  1) Could I enable a specific Linux group (ex. "Oracle Users") to have access to the main database folder or possibly all folders along the path? I am hoping this would allow any users I put in the group access to the folders, and essentially the SQLPLUS application. (here is ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1)
  2) If that is not an option, will I need to make a completely new database and locate it in a location that all users can access?
  I understand that my first idea may not be the SAFEST method, but this is only for a small class of students learning how to use SQL and writing queries. There will be no sensitive information at risk. This would be a quick fix until I learned more about Oracle and how to use it.
  Thank you everyone.

  It certainly is rather a question for the General Database forum, though I doubt you will get a lot of happy replies for such a basic question.
  You can use / as sysdba OS authentication through SSH or using the server console, provided the user's account belongs to the "dba" user group. For remote connection through sqlnet you need create a $ORACLE_HOME/dbs/orapw$SID password file.
  If you would like to know more about this:
  Connecting / as sysdba is used for OS authentication. It ignores password credentials stored in the database and allows any user belonging to the OSDBA system group to connect to the database. Connections as sysdba will always connect to the SYS schema of the database, regardless of any username or password specified. Using OS authentication relies on the BEQ protocol, which connects to the database directly, without using the Oracle Listener process.
  The "oinstall" group will give access to the database software repository. There could be different oracle home installations, each with a different oracle user/owner like "oracle_prod1" and "oracle_prod2", but both users must be able to read/write the shared oraInventory, in which case both users must have read and write access to the oraInventory directory, hence the oinstall group.

• Unable to edit user properties in SBS Console (2011)

  Hello,
  When attempting to edit properties for a user in the SBS Console, I receive the following error: "Attempted to perform an unauthorized operation."  This only occurs when attempting to edit the user account properties for this single user.
  I understand that this may be a scurity permission problem in Active Directory Users and Computers, but I do not know which permission entries would cause this.  Is this where I need to look or is there another way to resolve this?
  Thanks in advance.
  Jeff

  [13284] 120106.095830.3107: Storage: Get quota for F:\Users\Shares\Alex
  [13284] 120106.095830.3107: Storage: Initialize the quota manager.
  [13284] 120106.095830.3575: AdminTME: Status: TaskId = StorageTasks.TaskGetUserShareFolderQuota, RootTaskId = TaskEditUser, Success: False, Warning: False, Continue: True, Message:
  [13284] 120106.095830.4667: Exception:
  An exception of type 'Type: System.UnauthorizedAccessException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' has occurred.
  Timestamp: 01/06/2012 09:58:30
  Message: Attempted to perform an unauthorized operation.
  This seems to indicate that the Administrator or System account is not able to access the particular folder. It may be a permissions issue where the person has modified permissions on a file or folder that is locking everyone else out. Try resetting the
  permissions on this folder.
  Regards, Boon Tee - PowerBiz Solutions, Australia - http://blog.powerbiz.net.au

• Error 404 while trying to access eas console

  We are getting error 404 all of a sudden when trying to access eas console. We have checked to make sure that all the services are up and running, and the port(10080) is up and running.
  We had a similar error with workspace a while back, and we had to modify port numbers on the mod_wl_ohs.conf file.
  But we find that the port numbers are unchanged this time in the conf file.
  Is there any other port we can use for eas console? http://<servername>:10080/easconsole/console.html
  All other services that sit on the same server work fine.(workspace, APS etc)
  Has anybody seen this kind of problem before?
  Thanks.

  If you are using 11.1.2 search for 404 in the EPM readme at: http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_1112000_readme.pdf
  What happens if if the install user logs into the machine and then out temp files in use by the application are removed; out of the box the user temp variables are used during deployment; there is a work-around to turn off terminal service feature to delete files on exist.
  In addition to confirming the service is up and running and the port answers you should review the syserror and sysout files which for 11.1.1.X are located in <HYPERION_INSTALL_DRIVE>\Hyperion\logs\services and in 11.1.2.X are located in <ORACLE_INSTALL_DRIVE>\Oracle\Middleware\user_projects\epmsystem1\diagnostics\logs\services
  Regards,
  John A. Booth
  http://www.metavero.com

• SharePoint 2013 and Windows authentication (integrated) or SharePoint user for report data source

  Hello,
  I am having issues creating report datasource in "Windows authentication (integrated) or SharePoint user" in SharePoint 2013. I followed the steps mentioned in the link http://blogs.msdn.com/b/psssql/archive/2014/04/28/sharepoint-adventures-using-claims-with-reporting-services.aspx.
  I am just stuck in the delegation piece here. I have a SSAS instance by name "XXXXAPPV01\Multidimensional". First thing is what is the procedure to set SPN for this instance? I need to add this service in the delegation tab so that C2WTS service
  configured correctly.
  Nothing but I should be able to access my SSAS 2012 cube from SSRS 2012 by "Windows authentication (integrated) or SharePoint user" as the authentication method.
  Palash

  I used the below command to set SPN for analysis services.
  setspn -S MSOLAPSvc.3/XXXXAPPV01APPV01.xxxxdmo.local:Multidimensional xxxxdmo\svcMyService
  After setting the SPN for this service account I added this account(xxxxdmo\svcMyService) in the delegation tab of my domain account created earlier for claim service (xxxxdmo\svcC2WTS). Now in service type it shows -> MSOLAPSvc.3, User or Computer it shows
  -> XXXXAPPV01APPV01.xxxxdmo.local and in Port it shows -> Multidimensional. This is in my svcC2WTS account delegation tab. Still I am not able to connect datasource by "Windows authentication(integrated) or SharePoint User". I am getting the
  same error "Cannot convert claims identity to windows token".
  I am not sure what am I missing in this configuration piece yet to get this working.
  Palash

• The best way to implement user's access level via Servlet & JSP (or more)?

  Hi all,
  I am trying to implement user's access level in an application to allow certain access to certain page or components within a page (buttons, etc.). From my experience with JSP, Java, servlet, I am think of having the jsp/servlet to check for user's access level to decide what jsp components or forward page to go to next but that doesn't seem clean or elegant way to handle it.
  Any suggestions of how to do this? Are there other technologies (Struts) out there that can handle this?
  Thanks so much in advance for your feedback or suggestion,
  Thong Bui

  I haven't experienced a lot in defining security roles before, and there is probably a lot to learn about this area. However I might be able to assist you in some way. Whenever I have 2 or more objects that need to be stored in the session, I create a class called UserContainer. Say you have three properties:
  empSsn (String) , isAdmin (Boolean), isAgent (Boolean), then:
  public class UserContainer implements Serializable  {
  private String empSsn = null;
  private Boolean isAdmin = null;
  private Boolean isAgent = null;
  public UserContainer() {
  super();
  public void setIsAdmin(Boolean isAdmin) {
  this.isAdmin = isAdmin;
  public Boolean getIsAdmin() {
  return this.isAdmin;
  // getters and setters for the other properties
  Of course after you decide (in your sevlet) whether the app user is an administrator or an agent, you can set the corresponding property in the user container, and then save it in the session. Afterwords, in any jsp, you can decide to display a certain element (e.g a button) after you check the user's role. Example:
  // Welcome.jsp
  <% UserContainer userContainer = (UserContainer) session.getAttribute("userContainer");
  boolean isAdmin = userContainer.getIsAdmin().booleanValue();
  boolean isAgent = userContainer.getIsAgent.booleanValue();
  if(isAdmin) { %>
  <!-- HTML/Code corresponding to an administrator -->
  <% } if(isAgent) { %>
  <!-- HTML /Code corresponding to an agent -->
  <% } >Of course, this is a very simple way of doing such a task, you will find more secure ways if you look at LDAP or something of that matter.
  Cheers

• 7.01 to 7.3 Upgrade - Users lost access to Delegaed User Administration

  Hi all
  After upgrading our portal from 7.01 to 7.3 have (specific) users lost access to display information (roles etc) about other users in the Delegated User Administraion area (Content Author --> Delegated User Administration).
  Does anybody know how this access can be given again?
  Thanks.

  After a long running OSS SAP found the solution.
  1. http://server:port/irj/servlet/prt/portal/prtroot/com.sap.portal.themes.integrity.update?themetype=portal
  2. Select u201Cdefaultu201D for browser and u201CparPrtlMastHeadNotchBgColoru201D for parameter
  3. Change the value from #E2D575 to #FFFFFF, press u201CSet Valueu201D and then u201CSave and Generateu201D