LDAP against BEA identity

This may sound...odd...but I swear there's a legit business reason. :)
Situation:
==========
* I have ~5 auth sources
- BEA DB ("native" users)
- ~4 separate LDAP sources
* Read: no central user store
- auth sources are confusing to users
- very difficult to resolve integration with external services, as the portal is never truly able to integrate with 3rd party apps that assume we use a central AD/LDAP user store
* I want to provide a way to solve the second bit of that problem, but ... realistically... I won't be able to fix it the right way by getting a central store set up.
- central store not possible given our IT and business constraints
- setting up my own store creates other issues
My dumb idea
===============
I'm wondering. Has anyone ever considered authing against the portal natively over LDAP? Process might work like...
1) Portal replicates users from multiple sources, etc. (it knows where to phone home for synch/auth per user)
2) Configure a web service that mimics LDAP interfaces such that systems can synch and auth against the portal
- does a search against user name (in theory, finds user - realize you could get duplicate matches)
- knows the "true" auth source for that user (database, ldap, ad, whatever)
- passes on provided credentials to "true" auth source
This may sound stupid, but my thought is that if the portal can become the central point of aggregation for apps, profile data, etc. and is being pushed as a nice bridge between all these places, why not set it up to also be the bridge for the "federated" identity management problems that prohibit us from integrating 3rd party apps that rely on a central LDAP/AD store shared by those apps and the portal. Basically, the portal becomes the user store "glue."
Yeah - it would be slow. Not as worried about that atm :)
Just kinda seeing if I'm the only one facing this problem and if there are other options

Hi Eric,
I understand where you're coming from. You don't necessarily control the "guts" of the authentication and authorization code for the third-party application and it is expecting a single central user repository like LDAP or AD. You want Plumtree to be that repository (which would allow you to use any number of LDAPs or ADs AND native Plumtree DB users as well) by sync'ing with all the user repositories and then "brokering" authentication to the correct repository based on which repository was used to sync the given user.
Here's a 10,000-foot view of how I would build this.
You'll need the following ingredients:
1) One or more LDAP and/or AD auth sources
2) A custom SSO or Login solution
3) A portlet "container" that gets credentials, calls the authenticator web service, and then redirects to the portlet application
4) An authenticator web service running on a machine that has access to the server APIs (plumtreeserver.dll)
First, bring all your users and groups in using the LDAP and AD auth sources. Create the necessary Plumtree DB users as well.
Next, build a custom SSO or customized Login solution that will (ideally, log the user in automatically) capture their username, password and auth source id and send these values to portlets. That's accomplished very easily in custom SSO by putting the headers or cookies into an array, which instructs the portal to forward them to the portlets. However, if you customize login, you can set these settings as personal settings in Login or in one of the Login PEIs and then configure them to be sent to the portlets as User Settings. If you don't know how to do this, let me know and I'll walk you through it.
Next, configure a portlet "container" of sorts. This "container" will call the EDK to get the username, password and auth source, call the authenticator web service* to re-authenticate the user, and then redirect the request to eRoom (or whatever application you're trying to integrate).
*The authenticator web service will be the hardest piece of this puzzle to write. You'll need to use the auth source id sent down by the container to figure out which auth source to use, then crack open the auth source to get the settings out of the property bag, and then manually authenticate the user and return success or failure to the caller.
Theoretically, all this sounds great -- albeit a little complicated. If any of it doesn't make sense, let me know. I'm always up for a challenge, so if you want me to help you write some or all of this stuff, I'm game. (Read: will work for food and/or alcohol. :-)
Regards,
Chris Bucchere | bdg | [email protected] | www.bdg-online.com
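The brokered-authentication flow Eric sketches and Chris elaborates (search the replicated user table by name, find the auth source the user was synced from, forward the credentials to that source only), as an added Python example; it is not Plumtree/BEA code or anything posted in the thread. The user table, backends, DNs and passwords are constructed in memory, and the duplicate-login case Eric mentions is refused rather than tried against every source.

```python
"""Identity-broker sketch: route a login to the auth source a user was synced from.

Added example, not Plumtree/BEA code. Backends and users are constructed
in-memory stand-ins; a real build would bind to the actual LDAP/AD/DB.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Outcome codes handed back to the calling application.
OK, NO_SUCH_USER, AMBIGUOUS, BAD_CREDENTIALS, SOURCE_UNAVAILABLE = (
    "ok", "no_such_user", "ambiguous", "bad_credentials", "source_unavailable")


@dataclass(frozen=True)
class SyncedUser:
    """One row of the portal's replicated user table: the login name, the
    id of the 'true' auth source it came from, and the id used there."""
    username: str
    auth_source_id: int
    external_id: str  # DN in an LDAP/AD source, primary key in the native DB


# A backend verifies (external_id, password) and returns True on success.
Backend = Callable[[str, str], bool]


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NativeDbBackend:
    """Stand-in for the portal's native DB: salted PBKDF2 verifier per user."""

    def __init__(self, users: Dict[str, str]):
        self._rows = {}
        for uid, pw in users.items():
            salt = os.urandom(16)
            self._rows[uid] = (salt, _pbkdf2(pw, salt))

    def __call__(self, external_id: str, password: str) -> bool:
        row = self._rows.get(external_id)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


class FakeLdapBackend:
    """Stand-in for a simple bind against one LDAP/AD source (constructed data)."""

    def __init__(self, binds: Dict[str, str]):
        self._binds = binds

    def __call__(self, dn: str, password: str) -> bool:
        expected = self._binds.get(dn)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


class AuthBroker:
    def __init__(self, directory: List[SyncedUser], backends: Dict[int, Backend]):
        self._directory = directory
        self._backends = backends
        # Audit trail: (username, auth source id, outcome). Never the password.
        self.audit: List[Tuple[str, int, str]] = []

    def lookup(self, username: str) -> List[SyncedUser]:
        """The 'search against user name' step; case-insensitive on purpose."""
        return [u for u in self._directory if u.username.lower() == username.lower()]

    def authenticate(self, username: str, password: str) -> str:
        matches = self.lookup(username)
        if not matches:
            self.audit.append((username, -1, NO_SUCH_USER))
            return NO_SUCH_USER
        if len(matches) > 1:
            # Same login synced from two sources: refuse instead of trying each
            # source in turn, which would replay the password against
            # directories the user does not belong to.
            self.audit.append((username, -1, AMBIGUOUS))
            return AMBIGUOUS
        user = matches[0]
        backend = self._backends.get(user.auth_source_id)
        if backend is None:
            self.audit.append((username, user.auth_source_id, SOURCE_UNAVAILABLE))
            return SOURCE_UNAVAILABLE
        outcome = OK if backend(user.external_id, password) else BAD_CREDENTIALS
        self.audit.append((username, user.auth_source_id, outcome))
        return outcome


def build_demo_broker() -> AuthBroker:
    """Constructed sample data: one native user, two directory sources, one
    login name that exists in both directories, one unconfigured source."""
    directory = [
        SyncedUser("eric", 1, "eric"),
        SyncedUser("chris", 2, "cn=chris,ou=people,dc=example,dc=test"),
        SyncedUser("pat", 2, "cn=pat,ou=people,dc=example,dc=test"),
        SyncedUser("pat", 3, "CN=pat,OU=Users,DC=corp,DC=test"),
        SyncedUser("dana", 9, "dana"),
    ]
    backends = {
        1: NativeDbBackend({"eric": "portal-pw"}),
        2: FakeLdapBackend({"cn=chris,ou=people,dc=example,dc=test": "ldap-pw"}),
        3: FakeLdapBackend({"CN=pat,OU=Users,DC=corp,DC=test": "ad-pw"}),
    }
    return AuthBroker(directory, backends)


if __name__ == "__main__":
    broker = build_demo_broker()
    for name, pw in [("eric", "portal-pw"), ("Chris", "ldap-pw"),
                     ("pat", "ad-pw"), ("dana", "x"), ("nobody", "x")]:
        print(f"{name}: {broker.authenticate(name, pw)}")
```

The audit list is what the LDAP-facade caller would not see but the portal operator would want: every decision names the source consulted, so a surge of `ambiguous` or `source_unavailable` outcomes is visible without any credential ever being logged.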

Similar Messages

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi, I have an ACS and an OpenLDAP server running on my company network.
    Now I'm setting up a new Linksys WAP-54G and choosing the WPA2-Enterprise option with ACS as the RADIUS server.
    First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
    Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received:
    the following error 22056 Subject not found in the applicable identity store(s)
    Wondering 'bout this thing, I set up a Cisco 1841 router to become an AAA client, and surprisingly... it works!!!
    So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
    Any suggestion?
    Thanks

    This is the log when using Windows 7 as the authentication client (failed):
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
    12300  Prepared EAP-Request proposing PEAP with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12302  Extracted EAP-Response containing PEAP  challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version  0
    12800  Extracted first TLS record; TLS handshake  started.
    12805  Extracted TLS ClientHello  message.
    12806  Prepared TLS ServerHello  message.
    12807  Prepared TLS Certificate  message.
    12810  Prepared TLS ServerDone  message.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12318  Successfully negotiated PEAP version  0
    12812  Extracted TLS ClientKeyExchange  message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS ChangeCipherSpec  message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished  successfully
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP  method
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11522  Extracted EAP-Response/Identity for inner  EAP method
    11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the  authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore -  xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    22056  Subject not found in the applicable identity  store(s).
    22058  The advanced option that is configured for  an unknown user is used.
    22061  The 'Reject' advanced option is configured  in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication  failed
    11520  Prepared EAP-Failure for inner EAP  method
    22028  Authentication failed and the advanced  options are ignored.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using the 1841 router as the authentication client (succeeded):
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be  used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -  LDAPyyyy
    24031  Sending request to primary LDAP  server
    24015  Authenticating user against LDAP  Server
    24022  User authentication  succeeded
    22037  Authentication Passed
    22023  Proceed to attribute  retrieval
    22038  Skipping the next IDStore for attribute  retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore -   xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
    So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
    Is there anything I can do to make it work?

  • Problem with LDAP in BEA Portal

    I have a list of 50 users which should be created in the portal staging (development) machine and should be transferred to
    the production machine using LDAP.
    Steps which I followed to create users:
    1. Create a User Profile with 2 parameters, branch and Role
    2. I have the user list in an Xls file with Username, password, branch and Role
    3. Write a Java file which will read the Xls file
    4. The users are created in the staging machine for the portal
    Steps which I followed in LDAP to transfer the created users from Development to Production:
    1. Export the created users from Development (which were saved as .DAT in my local directory)
    2. Import the users from the local directory to the production machine
    The users are imported into the production machine with username and password, but the role and branch values are empty.
    We need a solution for importing the users with the role and branch corresponding to each user.
    Thanks in Adv
    Suresh

    In Portal 8.1, user name and password are stored in LDAP, whereas user profile values are stored in the database. That is the reason you are not able to see the user profile values.
    Check once again whether you can see these values through the admin tool. In case you cannot (after confirming again), you might have to use APIs to do this for you, in case you don't want to manage them through the Admin Tool.
    Thanks,
    Prashanth Bhat.

  • What can I do against the Identity Check from Entourage

    What can I do against the Identity Check from Entourage???

    Looks like you may have stumped the members. Can you explain in more detail? I've used Entourage for as long as it's been out and don't remember encountering an "Identity check" issue.
    What version of Entourage? X, 2004, 2008, 2011?
    Also, please modify your equipment line to correct your OS version. "iOS" is not a Mac computer operating system. It only runs on iPods, iPads and iPhones, not real computers. Do About This Mac from your Apple menu; that will show your OS version.

  • User disabled in LDAP triggers disable identity in IDM?

    IDM 7.0 on Sun JES Stack
    Authoritative Source is LDAP, Sun Directory Server 5.2
    This pertains to Termination e.g. Employee/Contractor gets terminated.
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
    I've been exploring the LDAP Activation Method/Parameter?
    com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
    But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

    Given the below scenarios:
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
    LDAP Activation Method: nsaccountlock
    LDAP Activation Parameter: accountLockAttr
    (where this is your IDM system attrib specified in resource schema)
    In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
    In MetaView > Identity Events, we set the Disable event,
    Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?

  • AD -vs- LDAP for external Identity store in ACS

    Is there a difference in using AD versus LDAP in a Windows environment for an Identity Store? We are in the process of setting up the ACS 90 eval and I noticed you can set up either AD or LDAP or both as an external identity store. Are there advantages or disadvantages of one over the other?

    I suggest going to "Monitoring & Reports > Reports > Catalog > AAA Protocol".
    Select TACACS Authorization and see the authorizations that occurred today.
    If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request, and so you can see that the format/contents match what you entered.

  • Creating user in LDAP using Oracle Identity Store API

    We are trying to create users in LDAP (OpenLDAP) using Oracle Fusion Middleware's Oracle Identity Service API. Here is my code snippet to create a user:
              import java.util.Arrays;
              import oracle.security.idm.IdentityStore;
              import oracle.security.idm.Property;
              import oracle.security.idm.PropertySet;
              import oracle.security.jps.service.idstore.IdentityStoreService;

              // Obtain the identity store service from the current JPS context
              final IdentityStoreService identityStoreService = jpsContextFactory
                        .getContext().getServiceInstance(IdentityStoreService.class);
              IdentityStore idmStore = identityStoreService.getIdmStore();
              // Populate the mandatory "status" attribute, then create the user with an empty password
              final Property statusProperty = new Property("status", Arrays.asList("active"));
              final PropertySet propertySet = new PropertySet();
              propertySet.put(statusProperty);
              idmStore.getUserManager().createUser("userid", new char[0], propertySet);
    but I am getting this error:
    Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
    even though I am clearly adding the attribute as mentioned above. Am I missing anything?
    Thanks for your help :)
    Full stack trace:
    oracle.security.idm.OperationFailureException: oracle.security.idm.IMException: Mandatory attribute missing : status
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.throwException(LDAPRealm.java:785)
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:153)
         at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:170)
         at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:121)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:173)
         at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:89)
         at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:61)
         at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
         at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
         at java.util.concurrent.FutureTask.run(FutureTask.java:138)
         at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
         at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:205)
         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:107)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:163)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
    Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
         at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
         ... 52 more
    Edited by: 940837 on Jun 14, 2012 5:00 PM


  • [Q] Identity Sequence issue causes MAB to auth against AD ??

    We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we can't work out why, as nothing has changed, and would greatly appreciate your help.
    We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.
    I have set up the following Identity Sequence:
    AD1 (this is set up as our AD servers for 802.1X user and machine auth)
    SecurID Server (we dont use this yet either)
    Internal Users (this is just used to authenticate ciscoworks)
    Internal Hosts (this contains the list of allowed MAC addresses)
    Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
    Here is the successful connection entry (all MAC addresses substituted from the originals)...
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Hosts
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    24559  Searching for user in the RSA identity store.
    24556  User record was not found in the cache.
    24210  Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
    24216  The user is not found in the internal users identity store.
    24209  Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
    24211  Found Host in Internal Hosts IDStore
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - MAB-PC
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept
    Here is the failed connection entry....
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Selected Authorization Profile is DenyAccess
    11003  Returned RADIUS Access-Reject
    Any help greatly appreciated!

    Hello Paul,
    If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
    A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be sent at this point.
    For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
    Yes, the switch will send the EAPOL Start messages to the 802.1x Disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fallback to MAB and expect the client to send the MAC Address to get authenticated.
    If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
    Yes, the ACS will still run the authentication against all the databases specified in the Identity Store Sequence from top to bottom.
    Ultimately, I am trying to decide if
    a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case as it will always pass the credentials to every database in the specified order
    b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
    c) if AD is rejecting the MAC address but that the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC Address based on:
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD Side
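To read the ACS step logs in this post and in the earlier ACS post (the Windows 7 PEAP attempt that ended in 22056) mechanically, here is an added Python parser; it is not Cisco code and uses only step codes that appear in the logs quoted in the thread. It records which store was being consulted when 22037 "Authentication Passed" fired, counts stores skipped with 22043, and flags a Call Check (MAB) request that a user store such as AD matched instead of Internal Hosts. The sample logs are constructed excerpts of the logs above.

```python
"""Analyse Cisco ACS 5.x 'Steps' logs for identity-sequence problems.

Added example, not Cisco code. Only step codes seen in the logs quoted in
this thread are interpreted; the sample logs below are constructed excerpts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A step line is a five-digit code, whitespace, then the message text.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

# Step codes that reveal which identity store is currently being consulted.
LOOKUP_STORE = {
    "24432": "Active Directory",
    "24559": "RSA",
    "24210": "Internal Users",
    "24209": "Internal Hosts",
    "24031": "LDAP",
}


@dataclass
class AuthSummary:
    subject: Optional[str] = None           # user name or MAC address as logged
    host_lookup: bool = False               # 11027: MAB / Call Check request
    selected_store: Optional[str] = None    # 15013
    authenticated_by: Optional[str] = None  # store consulted when 22037 fired
    skipped_stores: int = 0                 # 22043: store cannot handle the method
    accepted: Optional[bool] = None         # 11002 accept / 11003 reject


def parse_steps(text: str) -> AuthSummary:
    """Walk the step list once, tracking the store each lookup code names."""
    s = AuthSummary()
    current_store: Optional[str] = None
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue  # policy headers such as 'Evaluating Identity Policy'
        code, msg = m.groups()
        if code == "11027":
            s.host_lookup = True
        elif code == "15013":
            s.selected_store = msg.partition(" - ")[2].strip() or None
        elif code in LOOKUP_STORE:
            current_store = LOOKUP_STORE[code]
            if " - " in msg:  # lookup lines end with the subject being looked up
                s.subject = msg.rsplit(" - ", 1)[1].strip()
        elif code == "22043":
            s.skipped_stores += 1
        elif code == "22037":
            s.authenticated_by = current_store
        elif code == "11002":
            s.accepted = True
        elif code == "11003":
            s.accepted = False
    return s


def assess(s: AuthSummary) -> List[str]:
    """Turn a summary into findings about how the identity sequence behaved."""
    findings = []
    if s.host_lookup and s.authenticated_by not in (None, "Internal Hosts"):
        findings.append(f"MAB request for {s.subject} was authenticated by "
                        f"{s.authenticated_by} instead of Internal Hosts")
    if s.skipped_stores and s.accepted is False:
        findings.append("a store in the sequence was skipped because it does not "
                        "support the authentication method (22043)")
    if s.accepted is False and s.authenticated_by is None:
        findings.append(f"no store authenticated {s.subject or 'the subject'}")
    return findings


# Constructed excerpt of the failed MAB re-authentication quoted above.
MAB_REAUTH = """\
11001  Received RADIUS Access-Request
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Identity Policy
15013  Selected Identity Store - AD1
24432  Looking up user in Active Directory - 00-1B-78-00-33-00
24416  User's Groups retrieval from Active Directory succeeded
22037  Authentication Passed
15016  Selected Authorization Profile - DenyAccess
11003  Returned RADIUS Access-Reject
"""

# Constructed excerpt of the Windows 7 PEAP attempt against the LDAP store.
PEAP_LDAP = """\
12313  PEAP inner method started
15013  Selected Identity Store -
22043  Current Identity Store does not support the  authentication method; Skipping it.
24210  Looking up User in Internal Users IDStore -  xxxxx
22056  Subject not found in the applicable identity  store(s).
11003  Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for name, log in (("MAB re-auth", MAB_REAUTH), ("PEAP vs LDAP", PEAP_LDAP)):
        print(name, assess(parse_steps(log)))
```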

  • Authentication getting failed in sun one Ldap

    Hi,
    Can anyone please assist me with Sun ONE LDAP?
    My application (LDAP related) was developed based on the Lotus Domino LDAP server and WebSphere.
    Now we are trying to deploy the same code with WebSphere and the Sun ONE LDAP server in our local environment.
    I am getting the problem of authentication failure.
    Please see the logs as follows.
    My question is whether the code written for Lotus Domino is compatible with Sun ONE LDAP. I am new to LDAP.
    Please, can anyone give suggestions?
    LDAP Interface: Performing LDAP authentication for user [NYilmaz]
    17 Dec 2007 18:43:13,359 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. The username and password are transmitted in clear text form which is very insecure. Consider replacing the LDAP protocol with LDAPS (SSL).
    17 Dec 2007 18:43:13,359 [DEBUG] NABLDAP: Establishing a new authenticating connection to [ldap://gpat.bsdev.com]
    17 Dec 2007 18:43:13,375 [INFO ] NABLDAP: Failed to authenticate with the remote server on [ldap://gpat.bsdev.com] because of error '[LDAP: error code 34 - Invalid DN]'
    17 Dec 2007 18:43:13,375 [WARN ] LDAP Interface: Unsuccessful authentication attempt for user [NYilmaz]
    17 Dec 2007 18:43:13,375 [DEBUG] LDAP Interface: Writing the value {javax.naming.InvalidNameException:[LDAP: error code 34 - Invalid DN]} to General[1].OnionErrorMessage
    17 Dec 2007 18:43:13,390 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. Consider replacing the LDAP protocol with LDAPS (SSL).
    17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Establishing a new anonymous connection to [ldap://gpat.bsdev.com]
    17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Connection established.
    17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Searching remote LDAP directory using the filter of [(&(objectclass=person)(&(cn=NYilmaz)))]

    Hello Vinay,
    when configuring multiple LDAP directories, there are a number of prerequisites that you need to consider.
    For example, one prerequisite for multiple domains is that logon IDs must be unique across multiple LDAP datasources. This will cause issues if duplicate IDs exist.
    Please see the following documentation and notes for more information on this.
    Examples of Data Source Configuration Files - Identity Management - SAP Library
    Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
    1618342 - Multiple LDAP Datasources - Active Directories where logon IDs are not unique
    762419 - Multi-Domain Logon Using Microsoft Active Directory
    Please have a look at the above notes, which document this and also tell you what to do in these situations.
    Regards,
    David

  • How to get user attributes from LDAP authenticator

    I am using an LDAP authenticator and identity asserter to get user / group information.
    I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
    Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
    Any help would be appreciated

    Hi Julián,
    in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
    A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
    Hope it helps
    Detlev

  • SUN One LDAP Retrieving Dynamic group

    Hi, I would like to know how I can retrieve the groups a user belongs to if the groups are of dynamic type.
    Can I use the attribute memberOf?
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    // Connection properties for the directory (the URL is a placeholder; add credentials as needed)
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
    // Create the initial directory context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Create the search controls
    SearchControls searchCtls = new SearchControls();
    // Specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Specify the LDAP search filter
    String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
    // Specify the base for the search
    String searchBase = "DC=antipodes,DC=com";
    // Initialize counter to total the group members
    int totalResults = 0;
    // Specify the attributes to return (memberOf only)
    String returnedAtts[] = {"memberOf"};
    searchCtls.setReturningAttributes(returnedAtts);
    // Search for objects using the filter
    NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
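As an added example, not the poster's code: a Sun ONE dynamic group (objectclass groupOfURLs) stores an LDAP URL in memberURL instead of a member list, so membership has to be evaluated from that URL against the user's DN and attributes. The supported filter subset (equality, presence, &, |, !), the case-insensitive matching and the sample user and groups are assumptions.

```python
"""Dynamic-group membership from memberURL values (added example, not the post's code).
Assumes Sun ONE groupOfURLs groups: memberURL = ldap:///<base>?<attrs>?<scope>?<filter>."""

def _parse_filter(s, i=0):  # RFC 4515 subset: (a=v), (a=*), &, |, !
    i += 1  # skip '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def _match(node, entry):  # evaluate a parsed filter against {attr: [values]}
    if node[0] in ("&", "|"):
        hits = [_match(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits)
    if node[0] == "!":
        return not _match(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def _in_scope(dn, base, scope):  # scope is base, one or sub; DNs compared case-insensitively
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    if scope == "base" or not dn.endswith("," + base):
        return dn == base and scope != "one"
    return scope == "sub" or "," not in dn[: -len(base) - 1]

def dynamic_groups_for(user_dn, user_entry, groups):
    """Return DNs of the groups ({group DN: [memberURL, ...]}) the user matches."""
    entry = {k.lower(): v for k, v in user_entry.items()}
    result = []
    for group_dn, urls in groups.items():
        for url in urls:
            base, _attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
            tree, _ = _parse_filter(filt or "(objectclass=*)")
            if _in_scope(user_dn, base, scope or "base") and _match(tree, entry):
                result.append(group_dn)
                break  # one matching memberURL is enough
    return result

# Constructed sample: one user, one dynamic group that matches and one that does not
USER_DN = "cn=Andrew Anderson,ou=People,dc=antipodes,dc=com"
USER = {"objectClass": ["person"], "departmentNumber": ["Engineering"], "l": ["Sydney"]}
GROUPS = {"cn=Engineers,ou=Groups,dc=antipodes,dc=com": [
    "ldap:///ou=People,dc=antipodes,dc=com??sub?(&(objectClass=person)(departmentNumber=Engineering))"],
    "cn=Managers,ou=Groups,dc=antipodes,dc=com": ["ldap:///dc=antipodes,dc=com??sub?(title=Manager)"]}
```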

  • Identity firewall NetBIOS Probe problem

    Hi,
    I've set up an Identity Firewall on an ASA5510, version 8.4.5 (inside interface). ADAgent is installed and configured on a Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
    The NetBIOS probe function is active and configured as below.
    user-identity domain TEST aaa-server LDAP_Identity
    user-identity default-domain TEST
    no user-identity action mac-address-mismatch remove-user-ip
    user-identity inactive-user-timer minutes 120
    user-identity logout-probe netbios local-system
    user-identity poll-import-user-group-timer hours 1
    user-identity ad-agent aaa-server adagent
    user-identity user-not-found enable
    The problem is the following message...
    "746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
    I've never seen a NetBIOS probe success message.
    Can anyone help me with this issue?
    Thanks

    Hi,
    Could you please run some of these debug commands:
    debug user-identity user
    debug user-identity user-group
    debug user-identity ad-agent
    debug user-identity ldap
    debug user-identity logout-probe
    debug user-identity acl
    debug user-identity tmatch
    debug user-identity fqdn
    debug user-identity process
    debug user-identity debug
    debug user-identity error
    debug ldap 255
    Also here is a guide that may provide some direction -
    https://supportforums.cisco.com/docs/DOC-20366
    Tarik Admani
    *Please rate helpful posts*

  • Account names can break LDAP logins?

    I've successfully installed and patched (patches 118833-36, 119963-08 and 122032-05) my Solaris 10 system so it's using LDAP against the Sun Java System Directory Server Enterprise Edition 6.2.
    On my test box, I have several test accounts set up.
    On the one that is simply my last name, everything works fine: SSH logins, telnet logins, and password changes. So I'm sure the pam.conf and nsswitch.conf are right.
    On several other accounts, they work just as well.
    However, two accounts do not. getent -v | grep username shows the accounts. I can "su - account" from root and get in fine. However, if I try to SSH or telnet in it rejects my password. The password being entered IS correct.
    The one thing they have in common is that they are both contractor accounts, which due to corporate standards are 8 numeric digits starting with an 8, so something like 81234567 would be a contractor ID.
    Renaming the bad contractor accounts in the LDAP editor (but NOT changing the password) allows me to SSH in.
    Renaming the test account with my last name to a contractor style name breaks it.
    I read "man -s 4 passwd" and couldn't find where our naming standard violates the Solaris system standard.
    Thoughts?

    From the Solaris 10 Basic System Admin Guide at: http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5l8?a=view#userconcept-30
    "User names - They should contain from two to eight letters and numerals. The first character should be a letter. At least one character should be a lowercase letter."
    Sun probably should have used the word "must" instead of "should," i.e., the first character must be a letter.
    The system behavior you are describing seems to bear this out.

  • Does Discoverer work with BEA Web logic Server ?

    We are planning to get Oracle Discoverer as a BI tool and
    BEA WebLogic Server as the web application server.
    I am just interested to know if anybody is using Oracle Discoverer
    as an application tool against BEA WebLogic Server in the middle tier
    and an Oracle 8i/9i database.
    I will appreciate the help.
    Thanks.
    Debjit

    Could someone kindly follow this and find us a solution?
    Thank you.
    ==========================================================
    Dimitri Rakitine <[email protected]> wrote:
    >Did you check that this is not an error message being returned ? That
    >would explain text/html mime type.
    >
    >Jim Mittler <[email protected]> wrote:
    >> Hi,
    >
    >> I am trying to use Java Web Start with a Weblogic HTTP cluster. The
    >> HttpClusterServlet seems to never return a proper jnlp mime type.
    >
    >> What I see in JWS is :
    >
    >> Bad MIME type returned from server when accessing resource:
    >> http://myserver:7070/myapp.jnlp - text/html
    >
    >> The web.xml looks ok to me.
    >
    >> <mime-mapping>
    >> <extension>jnlp</extension>
    >> <mime-type>application/x-java-jnlp-file</mime-type>
    >> </mime-mapping>
    >
    >> Everything works ok when I don't use the cluster servlet.
    >
    >> Any help is much appreciated!
    >
    >> Jim
    >
    >--
    >Dimitri

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQN for the LDAP server, and the port is ALWAYS 636.
    Also, you need to set up your client to use the FQN as well (/etc/hosts).
