LDAP against BEA identity
This may sound...odd...but I swear there's a legit business reason. :)
Situation:
==========
* I have ~5 auth sources
- BEA DB ("native" users)
- ~4 separate LDAP sources
* Read: no central user store
- auth sources are confusing to users
- very difficult to resolve integration with external services as portal is never truly able to integrate with 3rd party apps that assume we use a central AD/LDAP user store
* I want to provide a way to solve the second bit of that problem, but ... realistically... I won't be able to fix it the right way by getting a central store set up.
- central store not possible given our IT and business constraints
- setting up my own store creates other issues
My dumb idea
===============
I'm wondering. Has anyone ever considered authing against the portal natively over LDAP? Process might work like...
1) Portal replicates users from multiple sources, etc. (it knows where to phone home for synch/auth per user)
2) Configure a web service that mimics LDAP interfaces such that systems can synch and auth against the portal
- does a search against user name (in theory, finds user - realize you could get duplicate matches)
- knows the "true" auth source for that user (database, ldap, ad, whatever)
- passes on provided credentials to "true" auth source
This may sound stupid, but my thought is that if the portal can become the central point of aggregation for apps, profile data, etc. and is being pushed as a nice bridge between all these places, why not set it up to also be the bridge for the "federated" identity management problems that prohibit us from integrating 3rd party apps that rely on a central LDAP/AD store shared by those apps and the portal. Basically, the portal becomes the user store "glue."
Yeah - it would be slow. Not as worried about that atm :)
Just kinda seeing if I'm the only one facing this problem and if there are other options
Hi Eric,
I understand where you're coming from. You don't necessarily control the "guts" of the authentication and authorization code for the third-party application and it is expecting a single central user repository like LDAP or AD. You want Plumtree to be that repository (which would allow you to use any number of LDAPs or ADs AND native Plumtree DB users as well) by sync'ing with all the user repositories and then "brokering" authentication to the correct repository based on which repository was used to sync the given user.
Here's a 10,000-foot view of how I would build this.
You'll need the following ingredients:
1) One or more LDAP and/or AD auth sources
2) A custom SSO or Login solution
3) A portlet "container" that gets credentials, calls the authenticator web service, and then redirects to the portlet application
4) An authenticator web service running on a machine that has access to the server APIs (plumtreeserver.dll)
First, bring all your users and groups in using the LDAP and AD auth sources. Create the necessary Plumtree DB users as well.
Next, build a custom SSO or customized Login solution that will (ideally, log the user in automatically) capture their username, password and auth source id and send these values to portlets. That's accomplished very easily in custom SSO by putting the headers or cookies into an array, which instructs the portal to forward them to the portlets. However, if you customize login, you can set these settings as personal settings in Login or in one of the Login PEIs and then configure them to be sent to the portlets as User Settings. If you don't know how to do this, let me know and I'll walk you through it.
Next, configure a portlet "container" of sorts. This "container" will call the EDK to get the username, password and auth source, call the authenticator web service* to re-authenticate the user, and then redirect the request to eRoom (or whatever application you're trying to integrate).
*The authenticator web service will be the hardest piece of this puzzle to write. You'll need to use the auth source id sent down by the container to figure out which auth source to use, then crack open the auth source to get the settings out of the property bag, and then manually authenticate the user and return success or failure to the caller.
Theoretically, all this sounds great -- albeit a little complicated. If any of it doesn't make sense, let me know. I'm always up for a challenge, so if you want me to help you write some or all of this stuff, I'm game. (Read: will work for food and/or alcohol. :-)
Regards,
Chris Bucchere | bdg | [email protected] | www.bdg-online.com
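The brokering flow both posts describe (replicate users from every source, look a username up, then hand the credential only to its "true" source) as an added Python example; this is not portal or BEA/Plumtree code, and the backend names, the User record and the in-memory sample accounts are constructed for the demo. It also covers the duplicate-match case the first post mentions by refusing the request instead of trying the password against every store.

```python
"""Brokered authentication across several auth sources (added example;
backends, user records and sample accounts are constructed, not BEA code)."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac
from typing import Dict, List, Optional


class Outcome(Enum):
    OK = "ok"
    NO_SUCH_USER = "no_such_user"
    AMBIGUOUS = "ambiguous"          # same username owned by more than one source
    UNKNOWN_SOURCE = "unknown_source"
    BAD_CREDENTIALS = "bad_credentials"


@dataclass(frozen=True)
class User:
    username: str
    source: str       # name of the authoritative backend (the "true" auth source)


class AuthSource:
    """One backend (LDAP, AD, native DB ...). It exposes only what the broker
    needs: the usernames it owns, for replication, and a credential check."""

    def __init__(self, name: str, credentials: Dict[str, str]) -> None:
        self.name = name
        # Stored as PBKDF2 digests so the demo holds no plaintext passwords.
        self._salt = hashlib.sha256(name.encode()).digest()
        self._hashes = {u: self._digest(p) for u, p in credentials.items()}

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def usernames(self) -> List[str]:
        return list(self._hashes)

    def verify(self, username: str, password: str) -> bool:
        # Stand-in for an LDAP simple bind or a DB password check.
        stored = self._hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(password))


class IdentityBroker:
    """The 'portal as glue' layer: replicates usernames from every source,
    answers lookups, and forwards a credential only to the owning source."""

    def __init__(self, sources: List[AuthSource]) -> None:
        self._sources = {s.name: s for s in sources}
        self._index: Dict[str, List[User]] = {}
        self.sync()

    def sync(self) -> None:
        # Step 1 from the thread: pull every account and remember where it lives.
        self._index.clear()
        for src in self._sources.values():
            for name in src.usernames():
                self._index.setdefault(name, []).append(User(name, src.name))

    def search(self, username: str) -> List[User]:
        # Step 2a: lookup by username; may legitimately return several hits.
        return list(self._index.get(username, ()))

    def authenticate(self, username: str, password: str,
                     source: Optional[str] = None) -> Outcome:
        # Steps 2b/2c: pick the true source, then forward the credential to it.
        matches = self.search(username)
        if not matches:
            return Outcome.NO_SUCH_USER
        if source is not None:
            # Caller supplied an auth-source id, as the reply's web service expects.
            matches = [m for m in matches if m.source == source]
            if not matches:
                return Outcome.UNKNOWN_SOURCE
        if len(matches) > 1:
            # Refuse rather than try the password against every backend:
            # spraying one secret across several stores is what a broker must not do.
            return Outcome.AMBIGUOUS
        target = self._sources[matches[0].source]
        return Outcome.OK if target.verify(username, password) else Outcome.BAD_CREDENTIALS


# Constructed sample directories: two sources, one username owned by both.
NATIVE_DB = AuthSource("native_db", {"alice": "alice-pw", "bob": "bob-db-pw"})
CORP_LDAP = AuthSource("corp_ldap", {"carol": "carol-pw", "bob": "bob-ldap-pw"})
BROKER = IdentityBroker([NATIVE_DB, CORP_LDAP])

if __name__ == "__main__":
    for who, pw, src in [("alice", "alice-pw", None), ("bob", "bob-ldap-pw", None),
                         ("bob", "bob-ldap-pw", "corp_ldap"), ("dave", "x", None)]:
        print(who, src, "->", BROKER.authenticate(who, pw, src).value)
```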
Similar Messages
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi, I have an ACS and OpenLDAP server running on my company network.
Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it...
Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it in the access service. But when I tried to authenticate from my computer, an error occurred. I received:
the following error: 22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router as an AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
Any suggestions?
Thanks
This is the log when using Windows 7 as the authentication client (failed):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work?
Problem with LDAP in BEA Portal
I have a list of 50 users which should be created on the portal staging (development) machine and should be transferred to the production machine using LDAP.
Steps which I followed to create users:
1. Create a user profile with 2 parameters, branch and Role
2. I have the list of users in an XLS file with username, password, branch and Role
3. Write a Java file which will read the XLS file
4. The users are created on the staging machine for the portal
Steps which I followed in LDAP to transfer the created users from development to production:
1. Export the created users from development (which was saved as .DAT in my local directory)
2. Import the users from the local directory to the production machine
The users are imported on the production machine with username and password, but the role and branch values are empty.
We need a solution for importing the users with the role and branch corresponding to each user.
Thanks in advance,
Suresh
In Portal 8.1, user name and password are stored in LDAP, whereas user profile values are stored in the database. That is the reason you are not able to see the user profile values.
Check once again whether you can see these values through the admin tool. In case it is not (after confirming again), you might have to use APIs to do this for you, in case you don't want to manage this through the Admin Tool.
Thanks,
Prashanth Bhat.
What can I do against the Identity Check from Entourage
What can I do against the Identity Check from Entourage???
Looks like you may have stumped the members. Can you explain in more detail? I've used Entourage for as long as it's been out and don't remember encountering an "Identity check" issue.
What version of Entourage? X, 2004, 2008, 2011?
Also, please modify your equipment line to correct your OS version. "iOS" is not a Mac computer operating system. It only runs on iPods, iPads and iPhones, not real computers. Do About This Mac from your Apple menu; that will show your OS version.
User disabled in LDAP triggers disable identity in IDM?
IDM 7.0 on Sun JES Stack
Authoritative Source is LDAP, Sun Directory Server 5.2
This pertains to Termination e.g. Employee/Contractor gets terminated.
1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
I've been exploring the LDAP Activation Method/Parameter?
com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.
Given the below scenarios:
1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
LDAP Activation Method: nsaccountlock
LDAP Activation Parameter: accountLockAttr
(where this is your IDM system attrib specified in resource schema)
In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
In MetaView > Identity Events, we set the Disable event,
Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?
AD -vs- LDAP for external Identity store in ACS
Is there a difference in using AD versus LDAP in a Windows environment for an Identity Store? We are in the process of setting up the ACS 90 eval and I noticed you can setup either AD or LDAP or both as an external identity store. Are there advantages or disadvantages for one over the other?
Suggest going to "Monitoring & Reports > Reports > Catalog > AAA Protocol"
Select TACACS Authorization and see the authorizations that occurred today
If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request, and so can see that the format/contents match what you entered
Creating user in LDAP using Oracle Identity Store API
We are trying to create users in LDAP (OpenLDAP) using Oracle Fusion Middleware's Oracle Identity Service API. Here is my code snippet to create a user:
final IdentityStoreService identityStoreService = jpsContextFactory
.getContext().getServiceInstance(IdentityStoreService.class);
IdentityStore idmStore = identityStoreService.getIdmStore();
final Property statusProperty = new Property("status", Arrays.asList("active"));
final PropertySet propertySet = new PropertySet();
propertySet.put(statusProperty);
idmStore.getUserManager().createUser("userid", new char[0], propertySet);
but I am getting this error
Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
even though I am clearly adding the attribute as mentioned above. Am I missing anything?
Thanks for your help :)
Full stack trace:
oracle.security.idm.OperationFailureException: oracle.security.idm.IMException: Mandatory attribute missing : status
at oracle.security.idm.providers.stdldap.util.LDAPRealm.throwException(LDAPRealm.java:785)
at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:153)
at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:170)
at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:121)
[Q] Identity Sequence issue causes MAB to auth against AD ??
We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1. We can't work out why, as nothing has changed, and would greatly appreciate your help.
We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.
I have set up the following Identity Sequence:
AD1 (this is set up as our AD servers for 802.1X user and machine auth)
SecurID Server (we don't use this yet either)
Internal Users (this is just used to authenticate ciscoworks)
Internal Hosts (this contains the list of allowed MAC addresses)
Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
Here is the successful connection entry (all MAC addresses substituted from the originals)...
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Hosts
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
24559 Searching for user in the RSA identity store.
24556 User record was not found in the cache.
24210 Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
24216 The user is not found in the internal users identity store.
24209 Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
24211 Found Host in Internal Hosts IDStore
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - MAB-PC
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
Here is the failed connection entry....
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
Any help greatly appreciated!
Hello Paul,
If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be sent at this point.
For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
Yes, the switch will send the EAPOL Start messages to the 802.1x disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fall back to MAB and expect the client to send the MAC address to get authenticated.
If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
Yes, the ACS will still run the authentication against all the databases specified in the Identity Store Sequence from top to bottom.
Ultimately, I am trying to decide if
a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this is the case, as it will always pass the credentials to every database in the specified order
b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
c) if AD is rejecting the MAC address but the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC address, based on:
24432 Looking up user in Active Directory - 00-1B-78-00-33-00
24416 User's Groups retrieval from Active Directory succeeded
At this point I have no suggestions on how to determine if the MAC address is being properly authenticated on the AD side.
Authentication failing in Sun ONE LDAP
Hi,
Can anyone please assist me with Sun ONE LDAP?
My application (LDAP related) was developed against the Lotus Domino LDAP server and WebSphere.
Now we are trying to deploy the same code with WebSphere and the Sun ONE LDAP server in our local environment.
I am getting an authentication failure.
Please see the logs below.
My question is whether the code written for Lotus Domino is compatible with Sun ONE LDAP. I am new to LDAP.
Please, can anyone give suggestions?
LDAP Interface: Performing LDAP authentication for user [NYilmaz]
17 Dec 2007 18:43:13,359 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. The username and password are transmitted in clear text form which is very insecure. Consider replacing the LDAP protocol with LDAPS (SSL).
17 Dec 2007 18:43:13,359 [DEBUG] NABLDAP: Establishing a new authenticating connection to [ldap://gpat.bsdev.com]
17 Dec 2007 18:43:13,375 [INFO ] NABLDAP: Failed to authenticate with the remote server on [ldap://gpat.bsdev.com] because of error '[LDAP: error code 34 - Invalid DN]'
17 Dec 2007 18:43:13,375 [WARN ] LDAP Interface: Unsuccessful authentication attempt for user [NYilmaz]
17 Dec 2007 18:43:13,375 [DEBUG] LDAP Interface: Writing the value {javax.naming.InvalidNameException:[LDAP: error code 34 - Invalid DN]} to General[1].OnionErrorMessage
17 Dec 2007 18:43:13,390 [WARN ] NABLDAP: Transmission will be over an unencrypted connection. Consider replacing the LDAP protocol with LDAPS (SSL).
17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Establishing a new anonymous connection to [ldap://gpat.bsdev.com]
17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Connection established.
17 Dec 2007 18:43:13,390 [DEBUG] NABLDAP: Searching remote LDAP directory using the filter of [(&(objectclass=person)(&(cn=NYilmaz)))]
Hello Vinay,
When configuring multiple LDAP directories, there are a number of prerequisites that you need to consider.
For example, one prerequisite for multiple domains is that logon IDs must be unique across multiple LDAP data sources. This will cause issues if duplicate IDs exist.
Please see the following documentation and notes for more information on this.
Examples of Data Source Configuration Files - Identity Management - SAP Library
Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
1618342 - Multiple LDAP Datasources - Active Directories where logon IDs are not unique
762419 - Multi-Domain Logon Using Microsoft Active Directory
Please have a look at the above notes, which document this and also tell you what to do in these situations.
Regards,
David
How to get user attributes from LDAP authenticator
I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciated
Hi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev
SUN One LDAP Retrieving Dynamic group
Hi, I would like to know how can I retrieve the groups a user belongs to, if the groups are of dynamic type.
can I use the attribute memberOf?
// Imports the snippet needs
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import java.util.Hashtable;
// Connection settings (placeholder values; env was not defined in the original snippet)
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
env.put(Context.SECURITY_CREDENTIALS, "<bind password>");
//Create the initial directory context
LdapContext ctx = new InitialLdapContext(env, null);
//Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//Specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
//Specify the base for the search
String searchBase = "DC=antipodes,DC=com";
//Specify the attributes to return
String returnedAtts[] = {"memberOf"};
searchCtls.setReturningAttributes(returnedAtts);
//Search for objects using the filter
NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
//Print each group DN listed in memberOf for the matched entry
while (answer.hasMore()) {
    Attribute memberOf = answer.next().getAttributes().get("memberOf");
    for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
        System.out.println(memberOf.get(i));
    }
}
ctx.close();
Identity firewall NetBIOS Probe problem
Hi,
I've set up an Identity Firewall on an ASA5510 version 8.4.5 (inside interface). ADAgent is installed and configured on a Windows 2003 server and connected to the DC (Windows 2008 server). Everything works fine except the NetBIOS Probe function.
The NetBIOS probe function is active and configured as below.
user-identity domain TEST aaa-server LDAP_Identity
user-identity default-domain TEST
no user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system
user-identity poll-import-user-group-timer hours 1
user-identity ad-agent aaa-server adagent
user-identity user-not-found enable
The problem is the following message...
"746013 user-identity: Delete IP-User mapping 192.168.3.61 - TEST\Peter Succeeded - Netbios probing failed"
I've never seen a NetBIOS probe success message.
Can anyone help me with this issue?
Thanks
Hi,
Could you please run some of these debug commands:
debug user-identity user
debug user-identity user-group
debug user-identity ad-agent
debug user-identity ldap
debug user-identity logout-probe
debug user-identity acl
debug user-identity tmatch
debug user-identity fqdn
debug user-identity process
debug user-identity debug
debug user-identity error
debug ldap 255
Also here is a guide that may provide some direction -
https://supportforums.cisco.com/docs/DOC-20366
Tarik Admani
*Please rate helpful posts*
-
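Beyond the debugs, the 746013 messages themselves show how many mappings the ASA is dropping because of failed probes. This is an added example, not code from the thread or from Cisco: it parses the message in the shape quoted above (the "%ASA-6-746013:" syslog prefix is assumed), run over constructed sample lines, and counts removals per user whose reason is a failed NetBIOS probe.

```python
import re
from collections import Counter

# Message shape as quoted in the thread; the optional "%ASA-<sev>-746013:" prefix is
# the usual syslog header and is an assumption here.
MAPPING_DELETED = re.compile(
    r"(?:%ASA-\d-)?746013:?\s+user-identity: Delete IP-User mapping "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<domain>[^\\]+)\\(?P<user>.+?) "
    r"(?P<result>Succeeded|Failed) - (?P<reason>.+)$"
)

def parse_line(line):
    """Return the fields of a 746013 message as a dict, or None for any other line."""
    m = MAPPING_DELETED.search(line.strip())
    return m.groupdict() if m else None

def probe_failures(lines):
    """Count, per domain\\user, mappings removed because the NetBIOS probe failed."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["reason"].lower().startswith("netbios probing failed"):
            counts[f"{rec['domain']}\\{rec['user']}"] += 1
    return counts

# Constructed sample log lines (not from the original post); reasons other than the
# quoted one are made up for illustration.
SAMPLE_LOG = [
    "%ASA-6-746013: user-identity: Delete IP-User mapping 192.168.3.61 - TEST\\Peter Succeeded - Netbios probing failed",
    "%ASA-6-746013: user-identity: Delete IP-User mapping 192.168.3.62 - TEST\\Anna Succeeded - Netbios probing failed",
    "%ASA-6-746013: user-identity: Delete IP-User mapping 192.168.3.61 - TEST\\Peter Succeeded - Netbios probing failed",
    "%ASA-6-746013: user-identity: Delete IP-User mapping 192.168.3.70 - TEST\\Bob Succeeded - Inactive timer expired",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/443",
]

if __name__ == "__main__":
    for who, n in probe_failures(SAMPLE_LOG).most_common():
        print(f"{who}: {n} mapping(s) removed after a failed NetBIOS probe")
```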
Account names can break LDAP logins?
I've successfully installed and patched (patches 118833-36, 119963-08 and 122032-05) my Solaris 10 system so it's using LDAP against the Sun Java System Directory Server Enterprise Edition 6.2.
On my test box, I have several test accounts setup.
On the one that is simply my last name, everything works fine: SSH logins, telnet logins, and password changes. So I'm sure the pam.conf and nsswitch.conf are right.
On several other accounts, they work just as well.
However, two accounts do not. getent -v | grep username shows the accounts. I can "su - account" from root and get in fine. However, if I try to SSH or telnet in, it rejects my password. The password being entered IS correct.
The one thing they have in common is that they are both contractor accounts, which due to corporate standards are 8 numeric digits starting with an 8, so something like 81234567 would be a contractor ID.
Renaming the bad contractor accounts in the LDAP editor (but NOT changing the password) allows me to SSH in.
Renaming the test account with my last name to a contractor style name breaks it.
I read "man -s 4 passwd" and couldn't find where our naming standard violates the Solaris system standard.
Thoughts?
From the Solaris 10 Basic System Admin Guide at: http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5l8?a=view#userconcept-30
"User names – They should contain from two to eight letters and numerals. The first character should be a letter. At least one character should be a lowercase letter."
Sun probably should have used the word "must" instead of "should", i.e., the first letter must be a letter.
The system behavior you are describing seems to bear this out.
-
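The naming rule quoted in the Solaris answer above, turned into a check that can be run over a passwd-style export before accounts are created. This is an added example, not code from the thread or from Sun; the sample entries are constructed, and it reports which part of the rule each name violates.

```python
import re

# Rule quoted from the Solaris 10 System Administration Guide: two to eight
# letters and numerals, first character a letter, at least one lowercase letter.
MIN_LEN, MAX_LEN = 2, 8

def check_user_name(name):
    """Return the list of rule violations for one account name (empty list = valid)."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append("length must be 2-8 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", name):
        problems.append("only letters and numerals are allowed")
    if not name[:1].isalpha():
        problems.append("first character must be a letter")
    if not any(c.islower() for c in name):
        problems.append("at least one lowercase letter is required")
    return problems

def audit_passwd(passwd_lines):
    """Map each login name in passwd-style lines ('name:x:uid:...') to its violations."""
    report = {}
    for line in passwd_lines:
        if not line.strip() or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        report[name] = check_user_name(name)
    return report

# Constructed sample in getent passwd format (not from the original post).
SAMPLE = [
    "smith:x:1001:10:Test account:/home/smith:/bin/sh",
    "81234567:x:1002:10:Contractor:/home/81234567:/bin/sh",
    "c1234567:x:1003:10:Renamed contractor:/home/c1234567:/bin/sh",
    "ABC:x:1004:10:All caps:/home/ABC:/bin/sh",
]

if __name__ == "__main__":
    for user, issues in audit_passwd(SAMPLE).items():
        print(user, "OK" if not issues else "; ".join(issues))
```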
Does Discoverer work with BEA WebLogic Server?
We are planning to get Oracle Discoverer as a BI tool and BEA WebLogic Server as the web application server.
I am just interested to know if anybody is using Oracle Discoverer as an application tool against BEA WebLogic Server in the middle tier and an Oracle 8i/9i database.
I will appreciate the help.
Thanks.
Debjit
Could someone kindly follow this and find us a solution?
Thank you.
==========================================================
Dimitri Rakitine <[email protected]> wrote:
>Did you check that this is not an error message being returned ? That
>would explain text/html mime type.
>
>Jim Mittler <[email protected]> wrote:
>> Hi,
>
>> I am trying to use Java Web Start with a Weblogic HTTP cluster. The
>> HttpClusterServlet seems to never return a proper jnlp mime type.
>
>> What I see in JWS is :
>
>> Bad MIME type returned from server when accessing resource:
>> http://myserver:7070/myapp.jnlp - text/html
>
>> The web.xml looks ok to me.
>
>> <mime-mapping>
>> <extension>jnlp</extension>
>> <mime-type>application/x-java-jnlp-file</mime-type>
>> </mime-mapping>
>
>> Everything works ok when I don't use the cluster servlet.
>
>> Any help is much appreciated!
>
>> Jim
>
>--
>Dimitri
-
LDAP setup with SSL - Can't use tls auth type
I'm trying to configure Solaris 10 to use LDAP against my OpenLDAP server with SSL, but whenever I try to set the authentication method to tls:simple it gives me an error:
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
Jay
When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
Also, you need to set up your client to use the FQN as well (/etc/hosts).