J2ee project: ldap or rdbms for users?

Hi,
I am about to design and implement a Java-based, product-quality (I already have a working proof of concept) web service with the following components:
-EJB (session + entity) back end talking to a MySQL DB
-web client (browser) using servlets (possibly also JSF) to access the session EJB
-J2ME Personal Profile client (using SOAP to talk to the back end) (PDA client)
While this service is not an online store, I suppose the design and requirements would be somewhat similar: personalized, scalable, secure and reliable. DB queries will be small in size (2-250k, vast majority 2-50k) but frequent. As with many personalized online services, users will have accounts which they will create themselves. Scalability will be important (potentially into several million users, though initially no more than 10,000), so some form of clustering will probably be needed.
Here's where I need some advice:
-should I utilize LDAP to store and access user information (e-mail, address, and encrypted passwords) or should I just add these as columns to a table in my DB schema? What would be the advantages of each approach?
-where should I store session information? Specifically: currently I utilize stateless session beans, so session info is stored:
-in the servlet's HttpSession when the service is accessed through a browser
-in the Personal Profile application, when the service is accessed via a PDA
It seems to me that this way I reduce load on the app server as well as network traffic (in the PDA's case). Would storing session info in a stateful session bean be any better? Why?
thank you very much,
-nikita
ps. any to the point literature on end-to-end java-based architectures (online or printed)?

Maybe you could take a look at the J2EE blueprint resources at http://java.sun.com/blueprints/enterprise/index.html.
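One way to do the RDBMS variant safely, as an added example that is not part of the original thread or of the J2EE blueprints: a user table holding a per-user salted, iterated PBKDF2 hash. That is a one-way hash rather than the "encrypted passwords" mentioned above; encryption is reversible and its key would have to sit next to the data. The table layout, column names and hash string format are assumptions made for this example, and it uses only the Python standard library so it runs offline.

```python
"""Added example (not the poster's code): an RDBMS user table with
salted, iterated password hashes instead of encrypted passwords.

The schema, column names and hash format are assumptions for the
example; only the standard library is used.
"""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000   # stored per row, so it can be raised later
SALT_BYTES = 16


def open_db() -> sqlite3.Connection:
    """In-memory database with the assumed user table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               id            INTEGER PRIMARY KEY,
               email         TEXT NOT NULL UNIQUE,
               address       TEXT,
               password_hash TEXT NOT NULL
           )"""
    )
    return conn


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def create_user(conn: sqlite3.Connection, email: str, password: str, address: str = "") -> int:
    """Insert a self-registered account; parameterised SQL keeps user input out of the query text."""
    cur = conn.execute(
        "INSERT INTO users (email, address, password_hash) VALUES (?, ?, ?)",
        (email.strip().lower(), address, hash_password(password)),
    )
    conn.commit()
    return cur.lastrowid


# A dummy hash so a login attempt for an unknown e-mail costs the same time
# as one for a known account (no user-enumeration timing oracle).
_DUMMY_HASH = hash_password("not-a-real-password")


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """True only if the account exists and the password matches its stored hash."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE email = ?", (email.strip().lower(),)
    ).fetchone()
    stored = row[0] if row else _DUMMY_HASH
    return check_password(password, stored) and row is not None
```

The iteration count lives inside the stored string, so rows hashed under an older, lower count still verify and can be re-hashed on the next successful login. The same hash/verify pair works unchanged if the account record is later moved into an LDAP entry: what changes is only where the string is stored, not how it is computed.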

Similar Messages

  • LDAP or RDBMS for J2EE Security Configuration

    I would like to know whether LDAP or an RDBMS will be better for configuring J2EE application security, and the reasons for that.
    With LDAP, I am creating new groups as new applications come. I can very well do the same in an RDBMS. Plus, the advantage of keeping groups in an RDBMS is that it gives me the ability to associate that group information with any other information in the RDBMS.
    I do see every company going towards LDAP to store J2EE application security groups.
    I appreciate the advantage of keeping user information in LDAP so that all applications and the network can share it. But keeping group information for each application in LDAP makes it impossible to associate those groups with other information in the RDBMS.


  • LDAP object classes for user creation

    Hello,
    I use a remote LDAP for authentication, which works fine. However, I want to copy some attributes from the remote LDAP into the dynamically created user profile. This works fine as long as the attributes are part of the standard object classes. The remote LDAP has an extra, site-specific object class for users. Since I want to use the same attribute names, I added the schema extension (1 object class with a couple of attributes) to the AM LDAP. So far so good.
    My question is: how do I specify the additional object class to be added to the user which is dynamically created?
    Thanks in advance, Robert

    Robert,
    To resolve this, I believe that you will need to add the new objectclass to the "LDAP User Object Classes" field on the LDAP Data Store. You will also need to add the attributes to "LDAP User Attributes" on the same tab.
    Hope this helps.

  • Search for users in a particular LDAP through Web Dynpro code...

    Hi Experts,
    Let me try explaining my problem. In my project we are using two ADAM LDAPs: one for storing internal users and the other for storing external users. I have configured the portal to connect to both LDAPs. I am able to search for the users created in both LDAPs through portal Identity Management.
    I am trying to search for the users in a specific LDAP through Web Dynpro code... I have not been lucky enough to get it done. Let me explain what I did.
    I created a custom attribute for UME through the config tool and gave a physical mapping for the custom attribute in dataSourceConfig_xxx.xml to the LDAP attribute distinguishedName, which returns the distinguished name of the user in ADAM LDAP.
    For example: the custom attribute in UME is ldapuser, which is mapped to the distinguishedName attribute in ADAM LDAP in dataSourceConfig_xxx.xml.
    When I search for the users in a particular LDAP, I am trying to put a filter on the newly created ldapuser attribute to distinguish between the two LDAPs.
    The search returns results if I pass the value as '*'. If I try to specify the user path for the LDAP in this attribute, it doesn't return any data.
    For example:
    userSearchFilter.setSearchAttribute(
         "com.sap.com.cust.admn",
         "ldapuser",
         "OU=16482515,OU=Members",
         ISearchAttribute.LIKE_OPERATOR,
         false);
    The above code will not return the data, whereas
    userSearchFilter.setSearchAttribute(
         "com.sap.com.cust.admn",
         "ldapuser",
         "*",
         ISearchAttribute.LIKE_OPERATOR,
         false);
    returns the user list from both LDAPs.
    If anyone has tried searching for users in a particular LDAP through code, please help me with this issue.
    Thank you in advance.
    Regards,
    Rekha Malavathu
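An added example, not the poster's code and not the SAP UME ISearchAttribute API, of what a value like "OU=16482515,OU=Members" needs when it goes into a raw LDAP search filter: commas and '=' need no escaping there (they are only special in DN syntax), while '*', '(', ')', '\' and NUL must be escaped per RFC 4515, which is what stops caller-supplied input from rewriting the filter (LDAP injection). The attribute names are assumed for the example. A DN fragment with no wildcard can only ever match a whole value, and whether a wildcard substring match works on a DN-valued attribute depends on the directory (Active Directory does not support substring matching on distinguishedName), which is why restricting a search to one directory is normally done with the search base rather than a filter on the DN.

```python
"""Added example (not the poster's code, not the SAP UME API): build
LDAP search filters with RFC 4515 escaping of untrusted values.

Attribute names and values below are assumptions for the example.
"""
import re

# RFC 4515 section 3: these characters must be encoded as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description: a descriptor plus optional ';option' parts. Attribute
# names are validated against this rather than escaped, since there is no
# escaping mechanism for the left-hand side of a filter item.
_ATTRIBUTE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Encode the characters RFC 4515 forbids in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _checked(attribute: str) -> str:
    if not _ATTRIBUTE.match(attribute):
        raise ValueError(f"bad attribute description: {attribute!r}")
    return attribute


def equality_filter(attribute: str, value: str) -> str:
    """(attribute=value) with the value escaped, e.g. a full DN or a login name."""
    return f"({_checked(attribute)}={escape_filter_value(value)})"


def contains_filter(attribute: str, fragment: str) -> str:
    """(attribute=*fragment*): the wildcards come from the code, never from the caller.

    Only meaningful for attributes that have a substring matching rule; for a
    DN-valued attribute in Active Directory this filter matches nothing.
    """
    return f"({_checked(attribute)}=*{escape_filter_value(fragment)}*)"


def and_filter(*parts: str) -> str:
    """Combine already-built filters with &."""
    return "(&" + "".join(parts) + ")"


def user_search_filter(login: str, login_attribute: str = "sAMAccountName") -> str:
    """Filter for exactly one user object by login name, safe against injected filter syntax."""
    return and_filter(equality_filter("objectClass", "user"),
                      equality_filter(login_attribute, login))
```

With escaping in place a login of `x*)(objectClass=*` stays a literal string the directory compares against, instead of turning the filter into one that matches every object.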


  • FAQ: BC-LDAP-USR (Directory Interface for User Management via LDAP )

    Version: 20060317
    Q: Where can I find more information on the BC-LDAP-USR interface?
    A: Have a look at our ICC web page in the SDN:
    SAP NetWeaver AS - Directory Interface for User Management via LDAP (BC-LDAP-USR)[1] [original link is broken]
    Q: What costs arise when we want our product to be certified?
    A: See our SDN page under the headline "Price List".
    Q: Is there a link/page listing the already certified products for this interface?
    A: Sure, have a look at our ICC page under the headline "Certified Solutions".
    Q: Whom can we ask in case of general questions?
    A: Have a look at our general ICC forum:
    SAP Integration and Certification Center (SAP ICC)
    Of course, if you have urgent requests you can also send them directly to our local ICCs:
    ICC Walldorf in Germany: [email protected]
    ICC Palo Alto in USA: [email protected]
    ICC Bangalore in India: [email protected]
    Q: Whom can we ask in case of technical questions?
    A: This depends on the state of your certification project.
    1.) If the certification contracts have been signed, you can ask in this forum, and if this does not solve your question, go back to your assigned integration consultant.
    2.) If the certification contracts have not been signed, you can ask questions in this forum.

    I distinguish it using passwordExpirationTime (or something like that; I don't have the code here with me).
    This is possible if, after the password has expired, the user has at least one more access. It is a user policy that can be set in the LDAP server.
    If it is possible, the user can still log in and perform operations. You can search the passwordExpirationTime attribute and determine whether the password is expired, and then send a message to the user telling him to change it. (If only one access is allowed and you change the password with the same application or service, then do not close the context, else you will not be able to connect again.) Instead, if you use an external script, then the last access should not give you problems.
    Hope I made myself clear.
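The check described in the reply above, as an added example that is not the poster's code: parse the passwordExpirationTime value and decide whether to let the user in, warn them, or force a change while a grace login is still available. It assumes the attribute is an LDAP GeneralizedTime string such as 20060317120000Z (the format Sun/Netscape-derived directory servers use for this attribute); how many grace logins remain is passed in as a number, and reading the server's grace-login policy attributes is not modelled.

```python
"""Added example (not the poster's code): interpret an LDAP
passwordExpirationTime value at login time.

Assumed format: LDAP GeneralizedTime, e.g. "20060317120000Z" or
"20060317140000+0200". The remaining grace-login count is an input.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hhmm|-hhmm); the
# fraction is accepted and ignored, minutes/seconds default to zero.
_GENERALIZED_TIME = re.compile(
    r"^(?P<ymdh>\d{10})(?P<mi>\d{2})?(?P<s>\d{2})?(?:[.,]\d+)?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime into a timezone-aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    base = datetime.strptime(m["ymdh"], "%Y%m%d%H")
    base = base.replace(minute=int(m["mi"] or 0), second=int(m["s"] or 0))
    tz = m["tz"]
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
    # Local time minus its UTC offset is the UTC instant.
    return (base - offset).replace(tzinfo=timezone.utc)


def password_state(expiration: str, now: datetime, warn_days: int = 7) -> str:
    """'expired', 'warn' (expires within warn_days) or 'ok'."""
    expires_at = parse_generalized_time(expiration)
    if expires_at <= now:
        return "expired"
    if expires_at - now <= timedelta(days=warn_days):
        return "warn"
    return "ok"


def login_decision(expiration: str, now: datetime, grace_logins_left: int) -> tuple[str, str]:
    """Map the password state to an action and a message for the user.

    An expired password with a grace login left admits the user only to
    change it (the same session must be used, as the reply notes); with
    no grace logins left the bind would fail anyway, so refuse up front.
    """
    state = password_state(expiration, now)
    days_left = (parse_generalized_time(expiration) - now).days
    if state == "ok":
        return "allow", ""
    if state == "warn":
        return "allow", f"Your password expires in {days_left} day(s); please change it."
    if grace_logins_left > 0:
        return "force_change", "Your password has expired; you must change it now."
    return "deny", "Your password has expired and no grace logins remain."
```

`now` is passed in rather than read from the clock so the decision is testable and so the caller can use the directory server's notion of time if the two clocks differ.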

  • Problem with LDAP authentication for users in a group

    I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
    I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
    I'd be grateful if anyone can point me in the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

  • Logical identifiant for User Notes synchronized from LDAP

    After a synchronization from LDAP to Notes,
    the user entry is created and all attributes are OK.
    The certificate is created and named %uid%.id,
    BUT the logical name of the user in the Notes database is constructed as "%givenname%SPACEd/DOMAIN".
    I don't understand the SPACE and the character d.
    Thanks for your help !
    BRs
    Vincent

    For analysis, we have synchronized 15 LDAP users to Notes.
    FirstName, LastName and login attributes are from 1 to 15 characters in length, as follows:
    givenname, lastname, UID
    1,1,1
    F2,L2,ID
    F33,L33,ID3
    F444,L444,ID44
    F5555,L5555,ID555
    F66666,L66666,ID6666
    F777777,L777777,ID77777
    F8888888,L8888888,ID888888
    F99999999,L99999999,ID9999999
    Faaaaaaaaa,Laaaaaaaaa,IDaaaaaaaa
    Fbbbbbbbbbb,Lbbbbbbbbbb,IDbbbbbbbbb
    Fccccccccccc,Lccccccccccc,IDcccccccccc
    Fdddddddddddd,Ldddddddddddd,IDddddddddddd
    Feeeeeeeeeeeee,Leeeeeeeeeeeee,IDeeeeeeeeeeee
    Fffffffffffffff,Lffffffffffffff,IDfffffffffffff
    Between 6 and 8 characters, the logical name of the user is correct.
    It is constructed as %firstname% %lastname%/DOMAIN
    Less than 6 or more than 8 characters, the logical name is not correct.
    We can show the partial path of the Lotus data directory.
    I can send a screenshot to an e-mail address if you want.
    Why is this? It's not usable.
    PS: All certificates can be viewed without providing a password!
    Why is the LDAP password of the user's entry not used to open the ID?
    Thanks for your help.
    BRs
    Vincent

  • IMQ 2.0 and LDAP for user authentication

    Using the notes at http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
    i set up an LDAP with iMQ. The LDAP works OK for storing topics,
    connection factories, etc from jmqadmin
    The LDAP also now contains the 2 users as outlined in article 7772 -
    admin and guest.
    The broker starts up OK, but
    when I try to use
    jmqcmd query bkr -b localhost:7844 -u admin -p admin
    this is what I get:
    ERROR [B3018]: Unable to run the service admin, the broker will no longer accept connections on this service:
    com.sun.messaging.jmq.jmsserver.util.BrokerException: [B4077]: Undefined authentication type basic
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.init(AccessController.java:99)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.loadProps(AccessController.java:251)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.getInstance(AccessController.java:206)
    at com.sun.messaging.jmq.jmsserver.service.Connection.<init>(Connection.java:144)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardConnection.<init>(StandardConnection.java:49)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardService.run(StandardService.java:547)
    at java.lang.Thread.run(Thread.java:484)

    It's likely caused by a trailing space after 'basic' in the configuration
    imq.authentication.type=basic
    This has been fixed in MQ 3.0.

  • How to make field key for user fields cant be changed after project release

    Dear Expert,
    How can we make the field key for user fields unchangeable once we release the project/WBS?
    Cheers,
    Nies

    Do you mean 'field key' in the project profile in SPRO?
    I think after a project is created a change in the field key won't affect the fields in CJ20N.
    Can you verify?
    Regards
    Ramesh

  • Table for user status field in CJ20n transaction project defination

    Hi all,
    What is the table for the user status field in the CJ20N transaction's project definition creation? This field is in the Basic Data tab.
    Thanks.

    Hi,
    Check the following tables for user status:
    TJ30 - User status
    TJ30T - Texts for user status
    TJ20 - Status profile
    JEST - Object status
    JSTO - WBS status profile.
    Check this code:
    REPORT zps_get_userstatus.
    PARAMETERS: p_posid LIKE prps-posid.
    *-- Constants
    CONSTANTS: gc_yes(1) TYPE c VALUE 'X',
               gc_no(1)  TYPE c VALUE ' '.
    *-- Variables
    DATA: l_objnr LIKE prps-objnr.
    *-- Internal tables
    DATA: BEGIN OF lit_jest OCCURS 0,
            objnr LIKE jest-objnr,
            stat  LIKE jest-stat,
          END OF lit_jest.
    DATA: BEGIN OF lit_jsto OCCURS 0,
            objnr LIKE jsto-objnr,
            stsma LIKE jsto-stsma,
          END OF lit_jsto.
    DATA: BEGIN OF lit_status OCCURS 0,       "Combination of JEST & JSTO
            objnr LIKE jest-objnr,
            stsma LIKE jsto-stsma,
            stat  LIKE jest-stat,
          END OF lit_status.
    DATA: BEGIN OF lit_usrsta OCCURS 0,       "User status of the WBS element, with text
            objnr LIKE jest-objnr,
            stsma LIKE jsto-stsma,
            stat  LIKE tj30t-estat,
            txt04 LIKE tj30t-txt04,
          END OF lit_usrsta.
    DATA: BEGIN OF lit_usrtxt OCCURS 0,       "User status text - TJ30T
            stsma LIKE tj30t-stsma,
            stat  LIKE tj30t-estat,
            txt04 LIKE tj30t-txt04,
          END OF lit_usrtxt.
    * get WBS object number; stop if the WBS element does not exist
    SELECT SINGLE objnr FROM prps
                        INTO l_objnr
                        WHERE posid = p_posid.
    IF sy-subrc <> 0.
      MESSAGE e001(00) WITH 'WBS element not found:' p_posid.
    ENDIF.
    * get active statuses of the WBS element from table JEST
    SELECT objnr stat FROM jest
                      INTO TABLE lit_jest
                      WHERE objnr = l_objnr AND
                            inact <> gc_yes.
    * get status profile of the WBS element from table JSTO
    SELECT objnr stsma FROM jsto
                       INTO TABLE lit_jsto
                       WHERE objnr = l_objnr.
    * combine JEST and JSTO: user statuses are the entries starting with 'E'
    LOOP AT lit_jest.
      IF lit_jest-stat CP 'E++++'.
        READ TABLE lit_jsto WITH KEY objnr = l_objnr.
        IF sy-subrc = 0.
          lit_status-objnr = lit_jest-objnr.
          lit_status-stsma = lit_jsto-stsma.
          lit_status-stat  = lit_jest-stat.
          APPEND lit_status.
        ENDIF.
      ENDIF.
      CLEAR: lit_jsto, lit_status.
    ENDLOOP.
    * get texts for the user statuses; FOR ALL ENTRIES with an empty
    * driver table would select every row of TJ30T, so guard it
    IF NOT lit_status[] IS INITIAL.
      SELECT DISTINCT stsma estat txt04 FROM tj30t
                      INTO TABLE lit_usrtxt
                      FOR ALL ENTRIES IN lit_status
                      WHERE stsma = lit_status-stsma AND
                            estat = lit_status-stat  AND
                            spras = sy-langu.
    ENDIF.
    * attach the text to each status
    LOOP AT lit_status.
      lit_usrsta-objnr = lit_status-objnr.
      lit_usrsta-stsma = lit_status-stsma.
      lit_usrsta-stat  = lit_status-stat.
      READ TABLE lit_usrtxt WITH KEY stsma = lit_status-stsma
                                     stat  = lit_status-stat.
      IF sy-subrc = 0.
        lit_usrsta-txt04 = lit_usrtxt-txt04.
      ENDIF.
      APPEND lit_usrsta.
      CLEAR: lit_usrtxt, lit_usrsta.
    ENDLOOP.
    * list the user statuses of the WBS element
    LOOP AT lit_usrsta.
      WRITE: / lit_usrsta-objnr, lit_usrsta-stsma,
               lit_usrsta-stat,  lit_usrsta-txt04.
    ENDLOOP.
    Let me know if you have any question.
    Regards,
    RS

  • Can't create blogs for users created in LDAP directory

    I have an LDAP directory set up on an Open Directory Master and use it for user management. I want to allow users to create blogs off of the main web site. However, when I try to create a blog, it won't authenticate to any of the LDAP users, only the local user (of which the administrator account for the server is the only one).
    LDAP directory users can access their personal websites, though (http://mydomain/~user).
    Does anyone have any ideas how I can get the blog portion of the web site to allow my LDAP users to create a blog?
    Thanks.

    Sorry, I should have mentioned I am using Leopard Server (10.5.5).

  • Invalid resource 'LDAP' for user

    Hi all,
    I want to integrate IDM with LDAP. The test connection works when I integrate with LDAP. I got the status "succeeded" on full reconciliation and I was able to create users through IDM. I could see the users created in LDAP too... In IDM, when I click the assignments tab I get "Invalid resource 'LDAP' for user '12121'". Here, '12121' is my account id. I don't know what mistake I have made. Please, anyone, help me out with this problem.

    hehehe... no problem.
    There's a flag somewhere that gives you the option of omitting the domain. If you do, it defaults to the domain that the content server is on. I think you can get there from the "active directory" config link at the top of the "filter debug" administration page. Its kind of buried...

  • LDAP design question for multiple sites

    LDAP design question for multiple sites
    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 to replace NIS.
    Currently we have 3 sites with different NIS domains.
    Since NFS over the WAN connection is very unreliable, I would like to implement it as follows:
    1. 3 LDAP servers + a replica for each site.
    2. Single username and password for every end user across those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for the three sites. So when a user logs in to a different site, the password is the same but the home directory is different (local).
    So the questions are:
    1. Do I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username and password in sync for three domains? If no for question 1, then what DIT (Directory Infrastructure Tree) or directory structure should I use?
    3. How do I make the auto maps work on LDAP as well as mount the local home directory?
    I would really appreciate it if some LDAP experts can enlighten me on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domain names: SiteA: A.com, SiteB: B.A.com, SiteC: C.A.com (A.com is our company domain name).
    So every time I add a new user account I need to create it on three NIS domains separately. Also, the password is out of sync if the user changes the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have a single username and password for each user on the 3 sites. However, the home directory is on the local NFS filer.
    Say for userA, his home directory is /user/userA in the passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA;
    on location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount is determined by the auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA logging in to hostX in location X will mount the home directory on local FilerX, and logging in to hostY in location Y will mount the home directory on local FilerY.
    But the username and password will be the same on the three sites.
    That's my goal.
    Some LDAP experts suggested MMR (Multi-Master Replication) to me. But I'm still not quite sure how to do MMR.
    It would be appreciated if some LDAP guru could give me some guidelines as a starting point.
    Best wishes

  • Running j2ee project in netbeans

    Hi,
    I have developed a J2EE project in NetBeans 6.5.1. But I have a problem deploying it. When I build and run the project I get the following error.
    Deploying application in domain completed successfully
    Rollback completed successfully
    Trying to create reference for application in target server  failed; Bad File parameter in AppDD ctor: E:\project_eps\esubApplication\dist\gfdeploy
    E:\project\EPS\EPS-war\nbproject\build-impl.xml:556: The module has not been deployed.
    BUILD FAILED
    My project is in the folder E:\Project\EPS...
    But it showed a reference to another project, E:\project_eps\esubApplication. Then I removed this application along with all its sub-contents. Now when I run the project it shows a link to another project, EPS1, like this:
    Deploying application in domain completed successfully
    Rollback completed successfully
    Trying to create reference for application in target server failed; Cannot find application.xml. Searched for: E:\project_eps\EPS1\dist\gfdeploy\META-INF\application.xml -- perhaps this is not an Application?
    E:\project\EPS\EPS-war\nbproject\build-impl.xml:556: The module has not been deployed.
    BUILD FAILED
    Now I removed the EPS1 project also. But I still get the same error.
    My earlier programs, including esubApplication and EPS1, ran successfully.
    Please tell me what the problem is and how to fix it. Thanks in advance.

    Hi Louis,
    You can do it by creating a URL iView. For that you need content administration rights on the portal; then you can create a URL iView in the Portal Content Directory (PCD), attach it to a page, workset or role, and then give that role authorization to the required users.
    Ninad

  • Can you add a group in LDAP as owners for a calendar?

    The documentation indicates that you can create a group calendar by adding owners to a calendar. The set_calprops WCAP command allows you to specify a list of owners for the calendar. However, I would like to know if there is a way to add a group in LDAP as owners for a calendar.

    No, you cannot reference an LDAP group in this version of the iPlanet Calendar Server.

    Has this problem been resolved in Update 3 ?
    I just set up LDAP ACL with OpenLDAP v2.4.10. Everything works fine so far, except that I can't add a user or group via the Admin Console.
    It responds with this:
    for host x.x.x.x trying to POST /admingui/admingui/newUserDialog, service-j2ee reports: Exception : ADMIN3132: Error while communicating to the LDAP server: ldap://127.0.0.1:389/dc=xxx,dc=xxx,dc=xxx
    Though I can do this task in other tools. It would be good for SJSWS to support OpenLDAP.
