JAAS, LDAP and RDBMS

Similar Messages

• Ldap Vs RDBMS

  hi Guys,
  can you provide exact difference between ladp vs rdbms.
  Thanks,
  subbu

  Hi,
  It is said that LDAP works better with JSP and
  servlets than standard databases; and its popularity
  is on the way up.
  I agree that it is popular, but I can'r agree that it is better than a database, for to agree I must know 'better at what'? LDAP is a non-transactional, atomic write, read optimized hierarchical data store - writing to LDAP can be quite slow. Databases (I'll assume relational for now) are designed to be transactional, are optimized for read, write and update, and can (fairly efficiently) maintain very complex relationships and integrity constraints between data elements.
  If I want to build user registry, credentials storage, rights type of data store, LDAP would be more efficient. If I am am building a traditional OLTP type of application (say for an online store) worrying about integrity and the ACID transaction characteristics, then a relational or object database is the way to go.
  Many (most these days?) web sites and intranet applications use both LDAP and relational datababases, hopefully leveraging the best qualities of each in the right places.
  This is a point, now for a web application that
  required doing some transaction, which is better using
  a database or LDAP? providing that number of users is
  above 1,000,000 users and they already registered in
  an LDAP server?Use LDAP for registry, credentials, rights, possibly configuration data, RDB for everything else.
  Chuck

• LDAP or RDBMS for J2EE Security Configuration

  I like to know if LDAP or RDBMS will be good in configuring J2EE applications Security and the reasons for that.
  With LDAP, i am creating new groups as new applications come. I can very well do the same in RDBMS. Plus, the advantage of keeping groups in RDBMS give me the ability to associate those group information to any other information in RDBMS.
  I do see every company going towards LDAP to store J2EE applications security groups.
  I appreciate the advantage of keeping user information in LDAP so that all applications and network can share that. But keeping groups information for each application in LDAP make things impossible to associate those groups to other information in RDBMS.

  ps. any to the point literature on end-to-end java-based architectures (online or printed)?Maybe you could take a look at the J2EE blueprint resources at http://java.sun.com/blueprints/enterprise/index.html.

• J2ee implementation with jaas/LDAP

  Hi;
            I search a good j2ee implementation or light framework using jaas API and LDAP directory to authentifies and affects a profil to a user.
            I have already analysed the framework : JGuard.
            regards;

  If I understand you correctly, you want to have an application deployed in WebLogic (you don't say what version) use standard J2EE JAAS for declarative authentication and authorization, but use an LDAP provider for the actual implementation.
            If that's the case, at least in WebLogic 8.1 (I don't know about older versions), you shouldn't need any third-party packages. You can configure your WebLogic domain with authentication and authorization providers that interface with an LDAP server. This will work with the JAAS implementation in WebLogic. You can go to <http://e-docs.bea.com/wls/docs81/secmanage/> to read about configuring security in WebLogic (including the LDAP authentication provider).

• Java API's supported in the Jdeveloper, IAS, and RDBMS product components

  If there are any technical errors or "mistatement of the facts" in this posting, please let me know about them ..
  This article is being delivered in Draft form and may contain
  errors. Please use the MetaLink "Feedback" button to advise
  Oracle of any issues related to this article.
  PURPOSE
  This article describes the "Enterprise Java Beans" (EJB), "Java Server Pages"
  (JSP) and servlets Application Programming Interfaces (API) supported by the
  Oracle products, Jdeveloper, Internet Application Server (IAS) and the Oracle
  RDBMS release 2 and release 3, also known as Version 8.1.6 and 8.1.7,
  respectively.
  SCOPE & APPLICATION
  All parties interested in the Java API's supported by these products.
  Java API's supported in the Jdeveloper, IAS, and RDBMS product components
  JDEVELOPER
  JDEVELOPER is Oracle's Java development tool designed for coding / development,
  testing / debugging, and deployment of Java Applications to the IAS and
  RDBMS platforms.
  With the java software api's being in a constant state of evolution, each new
  release of Jdeveloper adds support for the "then current" version of the java
  software api's, if it does not already have it implemented.
  JDEVELOPER SERVLET API JSP API EJB API
  VERSION VERSION VERSION VERSION
  3.2.X.X 2.2 1.1 1.1
  3.1.X.X 2.1 1.0 1.0
  NOTE :
  Sun Microsystems and their advisory teams (Oracle is on it) is working on
  "draft" specifications for the next version of all of these API's
  EJB -------> http://java.sun.com/products/ejb/index.html
  JSP -------> http://java.sun.com/products/jsp/index.html
  Servlets --> http://java.sun.com/products/servlet/?frontpage-javaplatform
  It is anticipated that future releases of Jdeveloper will continue to be
  upgraded to include support for the next version of each api.
  To obtain the latest information on Oracle's Internet Development Suite (IDS)
  of tools, please review the "Internet Developer Suite" information located
  on Oracle's technet web site at :
  http://technet.oracle.com/products/index.htm
  IAS
  IAS is Oracle's next evolution of the web server and application server
  product technology superceeding the Web Application Server (WAS) and Oracle
  Application Server (OAS) product lines.
  IAS SERVLET API JSP API EJB API EJE VERSION
  VERSION VERSION VERSION VERSION SUPPORTED
  9I(1.0.2) 2.2 1.1 1.1 817
  8i(1.0.1-NT) 2.0 1.0 1.0 816
  8i(1.0.0-UNIX) 2.0 1.0 1.0 816
  The IAS product contains two Java Virtual Machines (JVM) within it's
  architecture.
  They are called :
  1) APACHE JSERV servlet engine
  2) ORACLE ENTERPRISE JAVA ENGINE (EJE)
  APACHE JSERV servlet engine
  The APACHE JSERV servlet engine is an EXISTING product licensed from the
  apache group which supports the servlet api 2.0.ONLY.
  The APACHE JSERV product does not support ANY JSP's unless the customer
  installs a third party jsp engine.
  The IAS 8i/9i which has the APACHE JSERV product embedded in it, comes with
  Oracle's JSP engine (OJSP) already integrated into it. OJSP supports JSP's up
  to the specific JSP engine version documented in the Oracle Universal
  Installer (OUI) for the 8.1.7 RDBMS or the IAS products. It is also documented
  in the product's release notes.
  Oracle ENTERPRISE JAVA ENGINE (EJE)
  The EJE formerly known as :
  1) Oracle 8i Java Virtual Machine (JVM)
  2) JSERVER component,
  3) Aurora JVM
  was originally releas ed in the RDBMS 8.1.5 database with jdk 1.1.6 based java
  support.
  The currently supported versions of the Oracle 8i RDBMS, versions 2 and 3,
  also known as Version 8.1.6 and 8.1.7, respectively, provides a jdk 1.2.1
  based java virtual machine support.
  "EJE" Version 816
  This EJE, found in rdbms 8.1.6 and IAS 8i, contains support for the ejb
  api 1.0, corba, and java stored procedures.
  "EJE" Version 817
  This EJE, found in rdbms 8.1.7 and IAS 9i, contains support for the ejb,
  corba, and java stored procedures as well as the Oracle Servlet Engine (OSE)
  which provides support for the servlets 2.2 api and JSP 1.1 api.
  Note :
  EJB support in the "EJE" Version 817 has been upgraded to comply with the EJB
  1.1 api specification which includes "entity beans" support.
  What is the bottom line ??
  1) Servlets deployed to the APACHE JSERV must comply with servlet api 2.0.
  2) Servlets 2.1 or higher are only supported in EJE's OSE component found in
  the rdbms 817 or ias 9i products. Servlets api 2.0 can also run in the OSE.
  References
  1) "Oracle9i Application Server Technical White Paper" located at :
  http://technet.oracle.com/products/ias/pdf/9ias_102.pdf
  2) "Whats New? Oracle8i JVM Accelerator, Oracle Servlet Engine, OracleJSP ..."
  located at :
  http://technet.oracle.com/products/oracle8i/pdf/504.pdf
  3) "Oracle8i Release 3 New Features Summary" located at :
  http://technet.oracle.com/products/oracle8i/pdf/8iR3_nfs.pdf
  null

  which jvm is used by jserv ?? EJE or a separate jdk ?
  The Jserv servlet engine is running in a separate jdk JVM external to the EJE jvm which is embedded within the "database" component of ias and the RDBMS.
  See the reference below for more details ...
  if jserv only support old apis, why it is in oracle's products ?
  i would assume that the oracle servlet engine was under development when ias 8i was released and became available in time for the ias 9i and rdbms 817 products.
  looking back in history leads me to believe ias 8i was a migration path to get to ias 9i or rdbms 817.
  Based upon the long history of new releases of every oracle product being upgraded with new features, it's reasonable to assume that these products will continue to evolve.
  when I deploy a jsp how to deploy in the right servlet container ("EJE") ?
  as documented in the reference below, you can deploy JSP's to either the apache jserv jvm or the EJE since the ORACLE JSP engine functionality is in both jvm's.
  there are many posts where you can see that people have deploy in jserv and they have problems because they don't use the right container (servlet 2.0 instead of
  servlet 2.2) http://technet.oracle.com:89/ubb/Forum2/HTML/006349.html
  when ias 8i came out this was clearly an issue since servlet support was at api 2.0, and the current servlet api was probably at 2.1.
  oracle clearly made every effort to get ias 9i released quickly to supply a servlet 2.1 and 2.2 capable engine to resolve this issue.
  since ias 9i and rdbms 8.1.7 are available this is no longer an issue.
  The reference below explains the architecture and understanding it would eliminate a lot of "deploy to the wrong ias 9i component" issues.
  so why jserv is bundled with oracle 8i/9ias since EJE support the right api version ?
  if in ias 9i release , oracle had removed the jserv component without any advance warning, many customers would have been very upset since oracle makes every attempt to give advance notice before removal of functionality.
  References
  1) "Oracle9i Application Server Technical White Paper" located at :
  http://technet.oracle.com/products/ias/pdf/9ias_102.pdf

• OD, LDAP and DNS

  I am new to LDAP and I believe I have everything setup correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I can not access the LDAP server from a client machine using Directory Access. I suspect that client machines still can not "see" my LDAP server.
  I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.

  The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
  All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
  Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
  "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
  Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
  DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
  You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
  For instructions on setting up DNS service, browse Network Services Overview."
  -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
  Message was edited by: Grant Bennet-Alder

• 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

  Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
  Everything was working fine under 10.6.4
  All users can no longer authenticate to server via mail or ldap logins
  LDAP and Kerberos Services stopped.
  Will downgrade from an open directory master to standalone then back to master again and post status...

  I think there is something with LDAP on 10.6.6
  I was forced to make clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
  It seems to be an issue on ldap ACL.
  Message was edited by: Xalio

• MAC OS and LDAP and Samba Server

  How can I make my Mac OS authenticate against LDAP and automatically map shared by a Samba server folders? (samba domain)? The idea is that any person who is registered in the database of LDAP can log into any Mac machine and automatically access the folders stored on the Samba server.

  Are you using TopLink 11g or TopLink Essentials?
  You seem to be wanting to use TopLink 11g, but you have the provider set to Essentials in your persistence.xml.
  <provider>oracle.toplink.essentials.PersistenceProvider</provider>
  Change this to,
  <provider>oracle.toplink.PersistenceProvider</provider>
  The sessions-xml properties are only supported with TopLink 11g.
  Note that currently in 11g when using a sessions-xml it must contain a project xml that completely defines the mappings. It will not merge with annotations nor defaults.

• LDAP and OID

  FYI: I am new to Oracle (<1 month), and new to APEX (<3 weeks) so forgive me if I am asking the obvious.
  I would like to have APEX authenticate against LDAP (active directory), and went about trying to set that up. Got all AD settings from our sys admin, and then tried them in the LDAP test tool. I kept getting " Authentication failed!" no matter what I did. Due to the detailed nature of that error message, I started trying to track down every possible avenue so I talked to one of our DBA's about DBMS_LDAP.SIMPLE_BIND_S. The answer I got back was that we don't have access to it because it is part of OIN which we would have to pay outrageous amounts of money for if we wanted to use it. Not likely to happen, so I was hoping that there was another way to authenticate APEX via LDAP.
  Any suggestions would be most helpful.

  John - DBMS_LDAP is not part of OID so you can use it as part of your existing database product installation. Search this forum for LDAP and AD and you'll find lots of discussions about what you are trying to do.
  Also, just to clarify, you're not trying to authenticate Application Express using AD, you'll be authenticating users to your application (essentially a PL/SQL application in the database) using account information stored in AD. The authentication code that gets executed will belong to your application.
  Scott

• LDAP and SAP integration

  Hi,
  As a part of a project requirement, we are trying to integrate Solution manager with LDAP (Lightweight Directory Access Protocol).
  Using the directory service, we are trying to synchronize the CUA (Central user administration within Solution manager) with Active directory of LDAP so that we can maintain the User data centrally from a single point in LDAP.
  Problem description:
  Currently, Client has implemented the LDAP and CUA integration and when a new user is added in LDAP, it is automatically getting copied in all SAP systems and at real time, when the useru2019s u201CLASTNAMEu201D field is updated in LDAP, it is automatically getting synchronized in all SAP systems.
  But, If any attribute other than u201CLASTNAMEu201D is changed (i.e. The expiry /validity date of the User in LDAP, GLTGB in SAP), then the field value is not getting synchronized in the SAP Central User Adm.
  Our Findings:
  We have checked the configurations and imported mappings in SAP Solution Manager and everything looks fine. We have debugged the standard program RSLDAPSYNC_USER extensively and found out that an RFC call to function module LDAPRFC_SEARCH is not returning the expected values.
  Thanks
  Deb

  Hi Deb,
  It would be really nice if you can elaborate on the configurations that need to be done as part of this integration. I hope, you have been successfull by now.
  Actually, I too need to perform the same as part of a project.
  Thanks in advance.

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• Hello, Identity manager fail to add entries in the LDAP and database table

  Hello,
  Well I installed identity manager 7 in a windows 2003 advanced server.
  I I appended an NT server resource, a Mysql table, a solaris server resource and an ldap server resource.
  I created the roles for these resources and then I assigned them to an account that I created for testing purposes.
  After the aprooval, in the solaris machine, the user has been added in the user database but no home directory has been created as I didn't set the apropriate flag to true.
  I the windows resource everything worked very smooth and with no problem.
  In the ldap and mysql table resources I recieved a failure having error message null. and from a sniffing that I did for investigation I never saw a sigle packed arrive to the mysql server or to the directory server from the idm server.
  Any ideas or suggestions on what to do ?

  Well the problem with the directory server just solved.
  But the problem with mysql remains.
  The first thing that I do when I add a resource is to test the connection.
  The problem with the LDAP is that the dn was not present in the directory server. They gave me an ou that didn't exist.

• Domino ldap and weblogic server 6.1

  Hi,
  I am trying to use domino ldap for authentication in weblogic server 6.1
  I configured a custom ldap realm.
  But the users were not listed from domino ldap and authentication also failed.
  Can anybody help me?
  Thanx in advance.
  - prabha.

  at the moment it is possible for me to work, though. i worked around the
  problem and i set web.xml as a read only file. i still can't use wizards to
  create servlets and i can't edit web.xml with jbuilder.

• Authentication against both LDAP and BI repository

  I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

  Hi,
  why dont you create a group in ldap and add the correspondng users to that group.
  You can configure the LDAP server with that group and try...
  Hope it works...
  Regards
  Venkat

• LDAP and everyone group

  I am using wls version 5.1 with service pack 7. I still need to add all
  users the the "everyone" group in order to be able to authenticate. I
  thought this issue was resolved in the latest service pack. But I still
  get an exception thrown if my user is not in "everyone" group. Does
  anyone know what the status of this bug is? Is it resolved or not?
  Here is the exception:
  java.rmi.RemoteException: Security violation: insufficient permission to
  access method
  at
  weblogic.ejb.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:431)
  at
  com.itginc.webtrade.ejb.LoginBeanEOImpl.loginUser(LoginBeanEOImpl.java:143)
  at
  com.itginc.webtrade.ejb.LoginBeanEOImpl_ServiceStub.loginUser(LoginBeanEOImpl_ServiceStub.java:112)
  at
  com.itginc.webtrade.servlets.LoginServlet.service(LoginServlet.java:190)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:106)
  at
  weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:907)
  at
  weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:851)
  at
  weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:252)
  at
  weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:364)
  at
  weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:252)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:129)

  Glen wrote:
  >
  I just encountered this error and deleted the 'everyone' group as a workaround.We authenticate with LDAP and WL always complained about not finding the group 'everyone'. The app worked fine but I thought I'd be a good guy and add the group to LDAP. Once I did, I got your error.Could the issue be that the 'everyone' group is OK but the permissions on the group deny access? I'm searching BEA to find out the expected permissions when I found your posting.I still need the expected permissions for the 'everyone' group.According to http://www.weblogic.com/docs51/admindocs/ldap.html#changes
  .. you don't need to define the everyone group in any version after WLS 5.0
  because of the introduction of the CachingRealm.