Is LDAP or AD as an external identity store recommended in an ISE implementation for machine authentication?
Hi Experts,
I have a question about external identity store integration in ISE. I had a chance to go through the Cisco doc for ISE configuration, especially for the external identity store.
There are two ways to configure an external identity store:
1) AD
2) LDAP
Which one is actually recommended? Technically, which one would be convenient to configure to set up machine authentication? Do we have any limitation in terms of functionality in either one?
Hi Leo,
It's not a duplicate post; I have created one more post, which you have linked, that is for client policy enforcement. I want to understand how certificates will be pushed to the client.
This post is to understand the LDAP and AD integration with ISE.
I have a requirement where the client is asking to integrate the machine database using LDAP.
I am quite new to LDAP integration; that is the reason I have created this discussion.
Similar Messages
-
AD -vs- LDAP for external Identity store in ACS
Is there a difference in using AD versus LDAP in a Windows environment for an identity store? We are in the process of setting up the ACS 90 eval and I noticed you can set up either AD or LDAP or both as an external identity store. Are there advantages or disadvantages for one over the other?
I suggest going to "Monitoring & Reports > Reports > Catalog > AAA Protocol".
Select TACACS Authorization and see the authorizations that occurred today.
If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request, and so can see that the format/contents match what you entered -
Renaming AD group used in external identity store
Hello,
There is a need to rename some of the Active Directory groups mapped to an external identity store on our ACS 5.4 server. Has anybody ever done this? Does the ACS server just magically pick up on the renamed group, or do we need to manually remove the old group name and re-add the new group name to the identity store? If so, does that mean we need to modify all the rules associated with that group?
Thanks, just trying to figure out how much work this is going to be.
Hi,
AFAIK you would have to remove the policies associated with those groups, remove the old groups, add the new groups and create the policies.
You can however just create the new groups in the Active Directory, add the groups in the ACS and, using the AD group 'OR' condition, just add the new groups in the policy.
E.g. if your old group name is "Helpdesk" and you would like to change it to "Helpdesk users", you can create the new group in the AD, add the group in the ACS and in the policy just select if the user is part of either "Helpdesk" or "Helpdesk users" --> apply the policy.
This way you would be able to save some of your time.
Regards,
Kush -
ISE - External Identity Source (AD Groups)
Assume there are no groups populated in this bucket (Identity Management -> Active Directory -> Groups). Does ISE just check if the user is in AD and allow them on? I have clients authenticating that aren't part of the single group I added to this bucket.
This is why I ask ..
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Yes, you understood it right. Let me add a little more explanation.
Group retrieval for authorization
You can use the AD group data in the authorization and group mapping tables and introduce special conditions to match them against the retrieved groups.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416
Once you've selected the groups under
Users and Identity Stores >
External Identity Stores >
Active Directory > directory groups
The same groups will start appearing under the screen shot listed below. From there you will see two options, any / all, i.e. an or / and condition. Based on user membership the authorization role can be assigned.
~BR
Jatin Katyal
**Do rate helpful posts** -
What is the default identity store - and how can I set it?
Hi,
I'm running Webcenter on WLS, and using WLS and JPS for the authentication of users. On the WLS Console, if I go to Security Realms -> myrealm -> Providers, I have a list of four different providers.
If I understand correctly, these four providers are my identity stores. How can I set one as the 'default' identity store? Or see which one is currently the default?
The reason I'm asking is I have the following code in Webcenter to create a new user in the Active Directory:
// Get the default identity store
IdentityStore idStore = WCSecurityUtility.getDefaultIdentityStore();
// Get the user manager object
UserManager usermgr = idStore.getUserManager();
usermgr.createUser(loginName, password.toCharArray(), propertySet);
So I have a utility Java class which gives me the "default identity store". Now I want to change the WLS configuration so that the Active Directory in which I want to create new users is the "default" identity store.
Thanks in advance for any help,
Ludovic
Hi,
Thanks a lot for your help and providing this link. I'd actually already looked at that before, but I don't understand how it clarifies what the default identity store is. The relevant part is this, if I understand correctly:
OPSS initializes the identity store service with the LDAP authenticator chosen from the list of configured LDAP authenticators according to the following algorithm:
1. Consider the subset of LDAP authenticators configured. Note that, since the context is assumed to contain at least one LDAP authenticator, this subset is not empty.
2. Within that subset, consider those that have set the maximum flag. The flag ordering used to compute this subset is the following:
REQUIRED > REQUISITE > SUFFICIENT > OPTIONAL
Again, this subset (of LDAPs realizing the maximum flag) is not empty.
3. Within that subset, consider the first configured in the context.
Step (1) will match 2 external ADs and the built-in WLS LDAP, so 3 in total.
Step (2) will still match 3 in total, as they are all 'sufficient'. In my setup, I need them all to be 'sufficient'.
Step (3) is a step I don't understand. What is "the first configured in the context"? What context? Do they mean the one that was first created? In that case I can't change the default, right?
Or do they mean "the first in the list on the WLS Console"?
Best regards,
Ludovic -
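The three-step selection rule quoted above, as an added example for this thread (not Oracle's code). It assumes "first configured in the context" means the provider order in the realm, models the poster's realm as the embedded LDAP plus two ADs (all SUFFICIENT) with a constructed fourth non-LDAP provider, and also evaluates the same list with standard JAAS control-flag semantics to show why a chain of SUFFICIENT providers lets any one of them log the user in.

```python
"""OPSS default identity store selection and JAAS control-flag evaluation.
Added example for this thread, not Oracle code; provider names other than
DefaultAuthenticator are constructed."""
from dataclasses import dataclass

# OPSS ordering of the JAAS control flags, highest first
FLAG_RANK = {"REQUIRED": 3, "REQUISITE": 2, "SUFFICIENT": 1, "OPTIONAL": 0}


@dataclass(frozen=True)
class Authenticator:
    name: str   # provider name as listed in Security Realms > myrealm > Providers
    kind: str   # "LDAP" for LDAP-backed providers (embedded LDAP, AD, OID, ...)
    flag: str   # JAAS control flag configured on the provider


# Constructed model of the poster's realm: embedded LDAP plus two ADs, all
# SUFFICIENT, and a hypothetical fourth non-LDAP provider.
EXAMPLE_PROVIDERS = [
    Authenticator("DefaultAuthenticator", "LDAP", "SUFFICIENT"),
    Authenticator("AD1", "LDAP", "SUFFICIENT"),
    Authenticator("AD2", "LDAP", "SUFFICIENT"),
    Authenticator("SQLAuthenticator", "SQL", "OPTIONAL"),
]


def default_identity_store(providers):
    """`providers` is the realm's provider list in configured order (assumed to
    be the console order). Returns the authenticator OPSS will use."""
    ldap = [p for p in providers if p.kind == "LDAP"]            # step 1
    if not ldap:
        raise ValueError("no LDAP authenticator configured")
    top = max(FLAG_RANK[p.flag] for p in ldap)                     # step 2
    strongest = [p for p in ldap if FLAG_RANK[p.flag] == top]
    return strongest[0]                                            # step 3


def jaas_stack_outcome(providers, results):
    """Standard JAAS semantics over the same list. `results` maps provider
    name -> whether its login module succeeded (missing = failed)."""
    mandatory_seen = mandatory_failed = optional_ok = False
    for p in providers:
        ok = results.get(p.name, False)
        if p.flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if p.flag == "REQUISITE":      # stop the chain at once
                    return False
        elif p.flag == "SUFFICIENT":
            if ok and not mandatory_failed:    # short-circuit success
                return True
            optional_ok = optional_ok or ok
        else:                                  # OPTIONAL
            optional_ok = optional_ok or ok
    return (not mandatory_failed) if mandatory_seen else optional_ok
```

With all three LDAP providers SUFFICIENT, step 3 decides, so under this model only reordering the providers or raising one provider's flag changes which store becomes the default.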
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi, I have an ACS and an OpenLDAP server running on my company network.
Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received
the following error: 22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router to become an AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
Any suggestions?
Thanks
This is the log when using Windows 7 as the authentication client (failed):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work? -
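A small triage script for the two ACS step lists above, added here as an example (not Cisco code). It parses the numbered steps, reports the outcome, the password method and the identity-store handling, and explains the 22043 skip: MSCHAPv2 needs the identity store to supply the NT hash (or cleartext password), which a bind-only LDAP store cannot do, while the router's PAP request let ACS bind to LDAP as the user. The log excerpts are constructed from the lines in the thread.

```python
"""Triage an ACS 5.x authentication 'Steps' list.
Added example for this thread, not Cisco code."""
import re

# Constructed excerpts of the two step lists from the thread (only the
# lines the triage needs were kept).
FAILED_LOG = """
11001 Received RADIUS Access-Request
15012 Selected Access Service - Default Network Access
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22056 Subject not found in the applicable identity store(s).
11815 Inner EAP-MSCHAP authentication failed
11003 Returned RADIUS Access-Reject
"""

SUCCESS_LOG = """
11001 Received RADIUS Access-Request
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^(\d{5}) (.*)$")


def parse_steps(log):
    """Return [(code, text)]; phase headers such as 'Evaluating Identity
    Policy' carry no code and are returned with code None."""
    steps = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps


def triage(log):
    """Summarise outcome, password method and identity-store handling."""
    steps = parse_steps(log)
    codes = {c for c, _ in steps if c}
    r = {
        "outcome": None,
        "method": None,
        "store": None,
        "store_skipped_unsupported_method": "22043" in codes,  # the key line
        "subject_not_found": "22056" in codes,
        "hint": None,
    }
    for code, text in steps:
        if code == "11002":
            r["outcome"] = "Access-Accept"
        elif code == "11003":
            r["outcome"] = "Access-Reject"
        elif code == "11808":
            # inner EAP method negotiated inside PEAP, e.g. EAP-MSCHAP
            m = re.search(r"accepting (\S+) as negotiated", text)
            r["method"] = m.group(1) if m else text
        elif code == "24015":
            # ACS verified the password by binding to LDAP as the user, which
            # is only possible when the password arrives in clear (PAP)
            r["method"] = "LDAP bind (PAP)"
        elif code == "15013":
            name = text.split("-", 1)[1].strip()
            r["store"] = name or "(none selected)"
    if r["store_skipped_unsupported_method"] and "MSCHAP" in (r["method"] or ""):
        r["hint"] = ("MSCHAPv2 needs the identity store to supply the NT hash "
                     "(or cleartext password); an LDAP store only offers a bind, "
                     "so ACS skipped it. Use a PAP-style method (e.g. PEAP with "
                     "EAP-GTC) or authenticate against AD / internal users.")
    return r
```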
Multiple AD External Identity Sources in ISE 1.2
First, I guess, is it possible to have multiple AD entries for External Identity Sources in ISE 1.2? When I display Active Directory (AD1) it displays my four ISE servers with a status of connected, but I see nowhere to add anything additional. I did not originally set this up, so I figure I am missing something somewhere if this is possible. I thought maybe I could add under LDAP and then it would roll into AD or something, but I have nothing listed under LDAP either.
What I am trying to do is figure out how to have ISE cover our two different domains. We have one big forest, but currently that is split into two AD domains based upon our two divisions. I am trying to see if possibly I can simply get through the existing configuration to pull security groups from the other domain into the dictionary, but so far that has proven not doable.
Brent
Saurav,
I was beginning to think that might be the solution. Now I just need to go through the release notes and make sure there are no issues with it running on ACS-2111 appliance. We are currently using this as the secondary Admin but knew we would have to move off something. I think management is hoping later than sooner especially since we are still in that initial roll out phase.
How does the system handle the fact that this is all centralized but I have users authenticating from the different time zones? I have been reading about everything pointing to the same NTP server but took that to simply be the servers in the ISE Cluster. Will this also impact all the switches and network devices involved in the authentication process?
Brent -
How to configure SOA Suite 11g Worklist with LDAP Identity Store
Hi
I'm trying to configure the worklist app to use an LDAP identity store (SOA Suite 11g).
The LDAP is an open source LDAP (OpenDS in this case); it is NOT OID, OVD, Active Directory, WLS OVD or iPlanet.
To do so, I made the following configurations:
workflow-identity-config.xml
<configuration realmName="realm1">
    <provider providerType="JPS" name="JpsProvider" service="Identity">
        <property name="jpsContextName" value="worklist" />
    </provider>
</configuration>
jps-config.xml
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">
    <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
    <property name="oracle.security.jps.jaas.mode" value="off"/>
    <property name="custom.provider" value="true"/>
    <serviceProviders>
        <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
            <description>LDAP-based IdentityStore Provider</description>
        </serviceProvider>
    </serviceProviders>
    <serviceInstances>
        <serviceInstance name="idstore.ldap.opends" provider="idstore.ldap.provider">
            <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="idstore.type" value="CUSTOM"/>
            <property name="ldap.url" value="ldap://host:port"/>
            <property name="subscriber.name" value="dc=company,dc=com"/>
            <property name="search.type" value="SIMPLE"/>
            <property name="security.principal" value="cn=adminuser,dc=company,dc=com"/>
            <property name="security.credential" value="!adminuser_password"/>
            <property name="user.login.attr" value="cn"/>
            <property name="username.attr" value="cn"/>
            <property name="groupname.attr" value="cn"/>
            <extendedProperty>
                <name>group.mandatory.attrs</name>
                <values>
                    <value>cn</value>
                    <value>objectClass</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>group.object.classes</name>
                <values>
                    <value>top</value>
                    <value>groupOfUniqueNames</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>group.filter.object.classes</name>
                <values>
                    <value>groupOfUniqueNames</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>group.member.attrs</name>
                <values>
                    <value>uniqueMember</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>group.search.bases</name>
                <values>
                    <value>o=groups,dc=company,dc=com</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>user.mandatory.attrs</name>
                <values>
                    <value>cn</value>
                    <value>objectClass</value>
                    <value>sn</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>user.object.classes</name>
                <values>
                    <value>organizationalPerson</value>
                    <value>person</value>
                    <value>inetOrgPerson</value>
                    <value>top</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>user.filter.object.classes</name>
                <values>
                    <value>inetOrgPerson</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>user.search.bases</name>
                <values>
                    <value>o=users,dc=company,dc=com</value>
                </values>
            </extendedProperty>
        </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
        <jpsContext name="worklist">
            <serviceInstanceRef ref="credstore"/>
            <serviceInstanceRef ref="keystore"/>
            <serviceInstanceRef ref="policystore.xml"/>
            <serviceInstanceRef ref="audit"/>
            <serviceInstanceRef ref="idstore.ldap.opends"/>
        </jpsContext>
    </jpsContexts>
</jpsConfig>
But I get the error:
Jul 2, 2009 12:52:40 PM oracle.security.jps.internal.idstore.util.IdentityStoreUtil getIdentityStoreFactory
WARNING: The identity store factory name is not configured.
Jul 2, 2009 12:52:40 PM oracle.bpel.services.common.ServicesLogger __logException
SEVERE: <.> Error in authenticating user.
Error in authenticating and creating a workflow context for user realm1/user1.
Verify that the user credentials and identity service configurations are correct.
ORABPEL-30501
Error in authenticating user.
Error in authenticating and creating a workflow context for user sigfe.com/user1.
Verify that the user credentials and identity service configurations are correct.
at oracle.bpel.services.workflow.verification.impl.VerificationService.authenticateUser(VerificationService.java:603)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
So, does anyone know how I can specify the identity store factory?
Or the correct parameters for an LDAP identity store repository?
I used the 11G documentation for the security file :
http://download.oracle.com/docs/cd/E12839_01/core.1111/e10043/jpsprops.htm
thanks
I am having exactly the same issue. Once I configure the jps-config.xml file to use my custom authenticator and log into the worklist app, the following gets thrown. I was wondering if you need to map some roles to the existing users in the custom authenticator.
Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present. -
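A configuration check for the jps-config.xml posted in this thread, added here as an example (not Oracle tooling). It resolves the jpsContext named in workflow-identity-config.xml, confirms the context references exactly one IDENTITY_STORE instance, and flags two settings a reviewer would want to know about: an ldap:// URL, which sends the bind DN and password in clear, and a bind password written literally into the file. The sample is a constructed, cut-down copy of the poster's file.

```python
"""Sanity checks for the LDAP identity store in an OPSS jps-config.xml.
Added example for this thread, not Oracle code."""
import xml.etree.ElementTree as ET

NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

# Constructed cut-down copy of the jps-config.xml from the post.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
        class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="idstore.ldap.opends" provider="idstore.ldap.provider">
      <property name="idstore.type" value="CUSTOM"/>
      <property name="ldap.url" value="ldap://host:port"/>
      <property name="security.principal" value="cn=adminuser,dc=company,dc=com"/>
      <property name="security.credential" value="!adminuser_password"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="worklist">
      <serviceInstanceRef ref="idstore.ldap.opends"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def check_identity_store(xml_text, context_name):
    """Return a list of findings for the identity store used by `context_name`
    (the jpsContextName from workflow-identity-config.xml)."""
    root = ET.fromstring(xml_text)
    findings = []
    ctx = root.find(f"jps:jpsContexts/jps:jpsContext[@name='{context_name}']", NS)
    if ctx is None:
        return [f"jpsContext '{context_name}' not found"]
    providers = {p.get("name"): p.get("type")
                 for p in root.findall("jps:serviceProviders/jps:serviceProvider", NS)}
    instances = {i.get("name"): i
                 for i in root.findall("jps:serviceInstances/jps:serviceInstance", NS)}
    id_stores = []
    for ref in ctx.findall("jps:serviceInstanceRef", NS):
        inst = instances.get(ref.get("ref"))
        if inst is None:
            findings.append(f"context references unknown serviceInstance '{ref.get('ref')}'")
            continue
        if providers.get(inst.get("provider")) == "IDENTITY_STORE":
            id_stores.append(inst)
    if len(id_stores) != 1:
        findings.append(f"expected one IDENTITY_STORE instance in context, found {len(id_stores)}")
        return findings
    props = {p.get("name"): p.get("value") for p in id_stores[0].findall("jps:property", NS)}
    if props.get("ldap.url", "").startswith("ldap://"):
        findings.append("ldap.url uses ldap://: bind DN and password cross the "
                        "network in clear; prefer ldaps://")
    if props.get("security.credential"):
        findings.append("security.credential is a literal bind password in "
                        "jps-config.xml; restrict the file's permissions")
    if not props.get("idstore.type"):
        findings.append("idstore.type is missing")
    return findings
```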
External Identity Sources, binding RSA securID to ISE
Hi all,
Say my topology is using ISE doing VPN inline posture, and binds RSA SecurID (version 7.1) as an external identity source.
During the deployment, in order to let my iPEP node join the Policy Service Node, for the certificate I am using a third-party CA server (Windows Server 2008 R2) as the root CA; both of these two ISE nodes were mutually authenticated and done.
My question: as I am using RSA SecurID as an external identity source, by native behaviour, will ISE trust RSA with no identity certificate signed by the identical root CA?
Should I enroll this RSA appliance, issuing a CSR to the CA server to sign, into the PKI environment? Is there a need for this?
Thanks
Noel
Noel,
From my experience, when integrating with the RSA token server you need the sdconf.rec file exported from the RSA, and you import that into the ISE configuration. You then select this identity store with your authentication policies for VPN users. There isn't a need for any certificates when integrating with a token server (that was the last time I checked), and even if there were, they would just need to trust each other's certificates.
I hope that helps!
Sent from Cisco Technical Support iPad App -
Integrate external identity management solution in SAP GRC Access Control
We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have info about these services and documentation? Any hint is appreciated.
thanks
Detlef
Unfortunately Access Enforcer doesn't implement a number of critical requirements, and implementing it "as is" would be a lot of steps backwards in our process.
What do the published web services do? Is there any documentation about them?
In a part of our process, we must manually pick the current roles (1), the pending roles (2) (roles that were approved but not given due to training prerequisites) and the requested new roles (3) and make the simulation in the VCC.
The information (1), (2) and (3) we have in our internal system; the information (1) we have inside VCC, and (2) and (3) must be manually input by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
Another thing that we want to do is to create a job that would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).
IMHO, as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of ctrl-c ctrl-v from the operators (inefficient and error prone).
Does VCC have any documentation that would help me find out how I would do these integrations?
Thanks in advance -
Questions on Credential Store and Identity Store in 11G
Hi All,
I have two questions
Question 1
About the credential store. Can anybody please tell me what information the credential store stores? I have read that it stores the usernames and passwords for system accounts; now my question is, what are those system accounts? Can anybody please explain in detail with a small example? Does BISystemUser have something to do with that?
Question 2
My understanding is that the usernames and passwords for the users which we have in the embedded WebLogic LDAP are stored in the identity store, right? Now if we have configured an external LDAP (now I can sound stupid on this one), where are the usernames and passwords stored, in the external LDAP or still in the identity store? Does the external LDAP have its own store for the usernames and passwords of users, or does it use the identity store?
Thanks,
Ronny
Please refer to this excellent post: http://shivabizint.wordpress.com/2012/05/03/how-are-credentials-stored-in-obiee-11g-and-weblogic-infrastructure/
The system accounts that are created with an OBIEE 11g install are weblogic, OracleSystemUser and BISystemUser. BISystemUser is a specific user that OBI uses as the configured authenticator of internal communication among components.
Please mark if helpful/correct. -
Guest Portal Identity Store Sequence
As part of my ISE deployment I have configured the last rule in the Authentication Rules to continue if a user is found in the Identity Store Sequence BYOD-USERS.
This identity store sequence specifies that Active Directory and Guest users should be searched when a user logs into the Guest Sponsor Portal.
However, at the moment Guest users are working fine and are permitted onto the Guest network once they have authenticated, as part of a corresponding Authorization profile. However, with Active Directory I only want a small subsection of users who can continue once entering their details. If the user isn't in that particular AD security group they can't progress further from the guest portal.
So my question is, is the identity store sequence where I have requested that Active Directory be searched the place where I can filter which user group can potentially log in? I understand that under the Active Directory identity store I can specify groups, which I have done, but my question is, can I restrict which groups are searched in the identity store sequence for Active Directory?
Thank you for your help in advance guys.
Tony,
The way to accomplish this (I think) would be to create another Identity Source. Go to Administration > Identity Management > External Identity Sources. From there, click LDAP from the menu on the left.
Click the +Add button to add an identity source. Bind this connection to the AD server you are currently using. Choose the groups you want to be in the Authorization Profile and then, Choose the Attributes for the Identity Source:
From here, you MUST use the full LDAP object name for the group to get the list of attributes:
Click Submit, then OK (the dialog might just contain the number 1). Use this new Identity Source in your Identity Source Sequence.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Content Server Error - User not found in Identity Store
Hello,
I am trying to setup an external provider in Weblogic so that I can authenticate users via Oracle Access Manager / Oracle Internet Directory.
I have followed the documentation and created a new provider for my external Provider and called it OIDAuthenticator. I have made sure that the Control Flag is set to SUFFICIENT. Oracle Access Manager is installed and configured. It authenticates my logins and SSO works fine.
The problem is that when I try to create users in OID and then login to Webcenter, I get the following error:
WCS#2012.02.14.07.49.09 : User: tuser03 not found in identity store.
The strange thing is that I am successfully logged in with the correct groups after I click on the ok button on the error popup.
Any ideas???
Thanks,
Darren.
The error goes away if I add the user to the Embedded LDAP.
This looks like a problem with the Control Flag setting but I can't see what I've done wrong because I have checked the Control Flag has been set to SUFFICIENT for OIDAuthenticator and OIDAuthenticator providers.
Have I missed something? -
Custom Authentication With Identity Store
Hi everyone,
I faced a problem with the login function of my portal (WebCenter application). The problem is:
- Allow users to log in with user accounts stored in another system. I must communicate using low-level sockets. This really is not a problem.
- If a user logs in for the first time, I must store them in some identity store (maybe database tables).
- View users in the WebLogic Console. To do that, I know I must implement something, but I don't know what it is.
Here is my work:
- I created a custom authentication provider and configured it in the Admin Console. But I don't know what I should implement to view users and groups in the Admin Console.
- I cannot log in: after I created a simple application for testing, I cannot log in even when I tested with the SQLAuthenticator provider and the original DefaultProvider. In the logging console, I saw everything I printed in the code of the login module.
Here is my code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
    Package = "orkit"
    Extends = "weblogic.management.security.authentication.Authenticator"
    PersistPolicy = "OnUpdate">
    <MBeanAttribute
        Name = "ProviderClassName"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;orkit.OrkitVASPortalProviderImpl&quot;"
    />
    <MBeanAttribute
        Name = "Description"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;WebLogic Simple Sample Audit Provider&quot;"
    />
    <MBeanAttribute
        Name = "Version"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;1.0&quot;"
    />
    <MBeanAttribute
        Name = "LogFileName"
        Type = "java.lang.String"
        Default = "&quot;SimpleSampleAuditor.log&quot;"
    />
</MBeanType>
package orkit;

import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;

public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
    private String description;
    private LoginModuleControlFlag controlFlag;

    public OrkitVASPortalProviderImpl() {
        System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
    }

    @Override
    public IdentityAsserterV2 getIdentityAsserter() {
        return null;
    }

    // Our mapping of users to passwords/groups, instead of being in LDAP or in a
    // database, is represented by a HashMap of MyUserDetails objects..
    public class MyUserDetails {
        String pw;
        String group;

        // We use this to represent the user's groups and passwords
        public MyUserDetails(String pw, String group) {
            this.pw = pw;
            this.group = group;
        }

        public String getPassword() {
            return pw;
        }

        public String getGroup() {
            return group;
        }
    }

    // This is our database
    private HashMap userGroupMapping = null;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("The Orkit VASPortal Provider is intializing......");
        OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
        System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
        // We would typically use the realm name to find the database
        // we want to use for authentication. Here, we just create one.
        userGroupMapping = new HashMap();
        userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
        userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
        userGroupMapping.put("system", new MyUserDetails("12341234",
                "Administrators"));
        // Map the control flag configured in the console onto the JAAS flag
        String flag = myMBean.getControlFlag();
        if (flag.equalsIgnoreCase("REQUIRED")) {
            controlFlag = LoginModuleControlFlag.REQUIRED;
        } else if (flag.equalsIgnoreCase("OPTIONAL")) {
            controlFlag = LoginModuleControlFlag.OPTIONAL;
        } else if (flag.equalsIgnoreCase("REQUISITE")) {
            controlFlag = LoginModuleControlFlag.REQUISITE;
        } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
            controlFlag = LoginModuleControlFlag.SUFFICIENT;
        } else {
            throw new IllegalArgumentException("Invalid control flag " + flag);
        }
    }

    public AppConfigurationEntry getLoginModuleConfiguration() {
        HashMap options = new HashMap();
        options.put("usermap", userGroupMapping);
        System.out.println("UserMap: " + options);
        return new AppConfigurationEntry(
                "orkit.OrkitVASPortalLoginModule",
                controlFlag, options);
    }

    public String getDescription() {
        return description;
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        return null;
    }

    // public IdentityAsserter getIdentityAsserter() {
    //     return null;
    // }

    public void shutdown() {
    }
}
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package orkit;

import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

/**
 * This login module will be called by our Authentication Provider. It assumes
 * that the option, usermap, will be passed which contains the map of users to
 * passwords and groups.
 */
public class OrkitVASPortalLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private HashMap userMap;
    // Authentication status
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector principalsBeforeCommit = new Vector();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Fetch user/password map that should be set by the authenticator
        userMap = (HashMap) options.get("usermap");
    }

    /** Called once after initialize to try and log the person in */
    public boolean login() throws LoginException {
        // First thing we do is create an array of callbacks so that
        // we can get the data from the user
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("username: ");
        callbacks[1] = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException eio) {
            throw new LoginException(eio.toString());
        } catch (UnsupportedCallbackException eu) {
            throw new LoginException(eu.toString());
        }
        String username = ((NameCallback) callbacks[0]).getName();
        System.out.println("Username: " + username);
        char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
        String password = new String(pw);
        // Never print the password: the original debug line wrote it to the
        // server log in cleartext.
        if (username.length() > 0) {
            if (!userMap.containsKey(username)) {
                throw new FailedLoginException("Authentication Failed: Could not find user: " + username);
            }
            OrkitVASPortalProviderImpl.MyUserDetails details =
                    (OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username);
            String realPassword = details.getPassword();
            if (realPassword == null || !realPassword.equals(password)) {
                throw new FailedLoginException("Authentication Failed: Password incorrect for user " + username);
            }
            // We collect some principals that we would like to add to the user
            // once this is committed.
            // First, we add his username itself
            principalsBeforeCommit.add(new WLSUserImpl(username));
            // Now we add his group
            principalsBeforeCommit.add(new WLSGroupImpl(details.getGroup()));
        } else {
            // No username, so anonymous access is being attempted. The login
            // "succeeds" but no principals are added (the map has no entry for
            // "", so looking it up would throw), and the Subject stays anonymous.
        }
        loginSucceeded = true;
        return loginSucceeded;
    }

    public boolean commit() throws LoginException {
        if (loginSucceeded) {
            // The posted code called removeAll() here, so the Subject never
            // received the principals and the server kept showing the login form.
            subject.getPrincipals().addAll(principalsBeforeCommit);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }

    public boolean abort() throws LoginException {
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsBeforeCommit);
            principalsInSubject = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        // Remove what commit() added so the Subject is clean after logout.
        subject.getPrincipals().removeAll(principalsBeforeCommit);
        principalsInSubject = false;
        return true;
    }
}

And the OrkitVASPortalMBean & OrkitVASPortalImpl classes were created by the MBeanMaker tool.
Can someone help?
Thank you very much!

When I log in with the username and password from my custom authentication provider, my login module checks OK, but the logon form is still there.
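As an added example (not part of the original post and not a WebLogic sample), here is a stand-alone JAAS LoginModule written the way a production one should be: it keeps salted PBKDF2 hashes instead of cleartext passwords, compares them in constant time, never writes the password to a log, runs the hash even for unknown users so response time does not reveal valid names, treats an empty username as a failure rather than an anonymous login, and does the addAll() in commit() that the posted code gets wrong. NamedPrincipal stands in for WebLogic's WLSUserImpl/WLSGroupImpl so it runs on a plain JDK; the usermap record layout, the user name and the password are assumptions. Compile with javac and run main() to see one successful and two failed logins.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Illustrative hashed-password LoginModule; not the poster's code and not a WebLogic sample.
public class HashedUserMapLoginModule implements LoginModule {
    // One entry of the "usermap" option (assumed layout): PBKDF2 salt, hash and group.
    public static final class UserRecord {
        final byte[] salt; final byte[] hash; final String group;
        UserRecord(byte[] salt, byte[] hash, String group) { this.salt = salt; this.hash = hash; this.group = group; }
    }
    // Stand-in for WLSUserImpl / WLSGroupImpl so the example runs on a plain JDK.
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && toString().equals(o.toString()); }
        @Override public int hashCode() { return toString().hashCode(); }
    }
    private static final int ITERATIONS = 100_000, KEY_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16]; // hashed against for unknown users

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }
    static UserRecord newRecord(char[] password, String group) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new UserRecord(salt, pbkdf2(password, salt), group);
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, UserRecord> users;
    private boolean loginSucceeded, committed;
    private final List<Principal> pending = new ArrayList<>();

    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h; users = (Map<String, UserRecord>) options.get("usermap");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        String user = nc.getName();
        char[] pw = pc.getPassword();   // getPassword() returns a copy; clear the callback's own copy now
        pc.clearPassword();
        try {
            // No anonymous path: an empty username is a failure, not a Subject without principals.
            if (user == null || user.isEmpty() || pw == null) throw new FailedLoginException("Authentication failed");
            UserRecord rec = users.get(user);
            // Always run PBKDF2, even for unknown users, so response time does not leak valid names.
            byte[] candidate = pbkdf2(pw, rec != null ? rec.salt : DUMMY_SALT);
            boolean ok = rec != null && MessageDigest.isEqual(candidate, rec.hash); // constant-time compare
            if (!ok) throw new FailedLoginException("Authentication failed");       // same message for both causes
            pending.add(new NamedPrincipal("user", user));
            pending.add(new NamedPrincipal("group", rec.group));
            loginSucceeded = true;
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw new LoginException("PBKDF2 unavailable: " + e);
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // never logged, never retained
        }
    }

    public boolean commit() {
        if (!loginSucceeded) return false;
        subject.getPrincipals().addAll(pending);     // addAll, not removeAll
        committed = true;
        return true;
    }
    public boolean abort() {
        if (committed) subject.getPrincipals().removeAll(pending);
        pending.clear(); loginSucceeded = committed = false;
        return true;
    }
    public boolean logout() {
        subject.getPrincipals().removeAll(pending);
        pending.clear(); loginSucceeded = committed = false;
        return true;
    }

    // Stand-alone driver; in WebLogic the provider's getLoginModuleConfiguration() supplies the entry instead.
    public static void main(String[] args) throws Exception {
        Map<String, UserRecord> usermap = new HashMap<>();   // constructed sample data
        usermap.put("alice", newRecord("correct horse".toCharArray(), "g1"));
        Map<String, Object> options = Map.of("usermap", usermap);
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{ new AppConfigurationEntry(HashedUserMapLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
        };
        for (String[] attempt : new String[][]{{"alice", "correct horse"}, {"alice", "wrong"}, {"mallory", "x"}}) {
            CallbackHandler ch = cbs -> { for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(attempt[0]);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(attempt[1].toCharArray());
            } };
            try {
                LoginContext lc = new LoginContext("example", new Subject(), ch, config);
                lc.login();
                System.out.println(attempt[0] + ": OK, principals=" + lc.getSubject().getPrincipals());
            } catch (LoginException e) {
                System.out.println(attempt[0] + ": " + e.getMessage());
            }
        }
    }
}
```

In a real provider the usermap would be built from a password store that already holds salt and hash; the provider class never needs the cleartext at all, which is the property the posted version lacks.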
-
"ming qin" <[email protected]> wrote in message news:[email protected]...
I would like to have entries as users.

There are a few issues that arise as the number of users increases. The first is management of all these users. Will you be able to load/update/manage all of the users via the WLS console? You can certainly use external LDAP tools to manage the data in the WLS embedded LDAP server, but using an external LDAP server may offer better tools for management than those offered in WLS.

The second is performance. Since the LDAP server embedded within WLS uses in-memory indices, the time to load the indices and the memory required for storing them increases as the number of users increases. 20-50K seems to have reasonable performance.

The last is extensibility. The WLS default authenticator stores user, description, and password. You may have different requirements and want to store additional information.