LDAP AUthentication in obiee11g

Dear Experts
I need to intergrate AD (LDAP) with obiee11.1.1.6 . Can I use teh rpd to create a new LDAP and then import all the user and create an initilization block to authenticate user.
OR
I will have to do it in Weblogic console. using the link ----- http://docs.oracle.com/cd/E15586_01/bi.1111/e10543/privileges.htm
Regds

Hi,
Do it via weblogic - FMW >>> LDAP Configuration Option
Refer my blog steps,
http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
Thanks
Deva

Similar Messages

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

How to get user attributes from LDAP authenticator

I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciated

Hi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Beginner
Medium
Advanced
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev

How to use two different LDAP authentication for my Apex application login

Hi,
I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
Does anyone know how to define both the group in LDAP DN String ?.
Thanx in advance
Vijay.

Vijay,
I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
Scott

LDAP Authentication - Multiple Domains

I want to be able to use the built in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with it's own separate Host IP/Server, and LDAP DN String. The User ID is formated the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
Host: xx.xx.xx.xx
DN String: %LDAP_USER%@amer.globalco.net
(amer.globalco.net is the domain)
How can this be accomplished? Is it possible all you guru's out there?
I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
Please include example/suggested SQL -
Thanks in advance...
Rich
Apex v3.2.1
Oracle 10G Express

Based on prior post I had similar question and the result was to write custom auth scheme to read the values from the login page, perform auth against appropriate ldap, then return a valid session to proceed with login in apex app. In our case, the issue was having users is different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain, maybe would even have to multiple apps with just a login page and then redirect to the main app... been a really long time since i've tried anything like it, just giving some options to try.

LDAP Authentication Scheme - Multiple LDAP Servers?

How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

Cisco support LDAP Authentication - Multiple Domains

Hi,
I want to change the LDAP authentication as the multiple domains and my Windows AD environment is the child trust, that mean the root DC is the "abc.com", which have the two child DCs, e.g. "us.abc.com ", "uk.abc.com"
Is it possible I just changed the LDAP auth. with user search space as the root DC is fine?
OR
I must use the "userPrincipalName" ?

But it had the collision SAMAccountName, that would have the same account name between the us.abc.com and uk.abc.com.
If I changed the "userPrincipalName" LDAP sync to CM, how about the Jabber login?

Weblogic Server 10.3.0 and LDAP authentication Issue

Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
     Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<url>>
<1291668685702> <BEA-000000> <     Parent: null>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Roles:Anonymous>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Direction: ONCE>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions.

ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
During the installation I got the following error.
ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
Fatal Slapd did not add Directory server information to config Server.
Warning slapd could'nt populate with ldif file Yes error code 151.
ERROR:Failure installing iPlanet Directory Server.
Do you want to continue: ( I entered yes )
Configuring Administration Server Segmentation fault core dumped.
Error: Failure installing Netscape Administration Server.
Do you want to continue:( I responded with yes).
And during the Extraction I got the following
ERROR:mple_bind: Can't connect to the LDAP server - No route to host
ERROR: Unable to connect to LDAP Directory Server
Hostname: hostname
Port: 389
User: cn=Directory Manager
Password: <password-for-cn=Directory Manager
Please make sure this Directory Server is currently running.
You might need to run 'stop-slapd' and then
'start-slapd' in the Directory Server home directory, in order to restart
LDAP. When finished, press ENTER to continue, or S to skip this step:
Start registering Bootstrap EJB...
javax.naming.NameNotFoundException
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled > Code)
at javax.naming.NamingException.<init>(NamingException.java:114)
at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
"ldaperror" 76 lines, 2944 characters
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(InitialContext.java:371)
at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.run(Compiled Code)
at com.netscape.server.deployment.EjbReg.main(Unknown Source)
Start registering iAS 60 Fortune Application...
Start iPlanet Application Server
Start iPlanet Application Server
Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
warning: daemon is running as super-user
[LS ls1] http://gedemo1.plateau.com, port 80 ready
to accept requests
startup: server started successfully.
After completion of installation, I tried to start the console. But I got the following error;
"Cant connect ot the admin server. The url is not correct or the server is not running.
Finally,when I started the admintool(iASTT),it shows the iAS1
was registered( marked with a red cross mark) and says "cant login. make sure the user
name & passwdord are correct" when i click on it.
Thanks in advance for any help
Madhavi

Hi,
Make sure that the directory server is installed first. If it is running
ok, then you can try adding an admin user, please check the following
technote.
http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
regards
Swami
madhavi korupolu wrote:
I am attempting to install ias Enterprise Edition (6.0 SP3) on
solaris 2.8 using typical in basesetup. I am trying to install new
Directory server as I don't have an existing one.
During the installation I got the following error.
ERROR: Ldap Authentication failed for url
ldap://hostname:389/o=NetScape Root user id admin (151: Unknown
Error)
Fatal Slapd did not add Directory server information to config
Server.
Warning slapd could'nt populate with ldif file Yes error code 151.
ERROR:Failure installing iPlanet Directory Server.
Do you want to continue: ( I entered yes )
Configuring Administration Server Segmentation fault core dumped.
Error: Failure installing Netscape Administration Server.
Do you want to continue:( I responded with yes).
And during the Extraction I got the following
ERROR:mple_bind: Can't connect to the LDAP server - No route to host
ERROR: Unable to connect to LDAP Directory Server
Hostname: hostname
Port: 389
User: cn=Directory Manager
Password: <password-for-cn=Directory Manager
Please make sure this Directory Server is currently running.
You might need to run 'stop-slapd' and then
'start-slapd' in the Directory Server home directory, in order to
restart
LDAP. When finished, press ENTER to continue, or S to skip this
step:
Start registering Bootstrap EJB...
javax.naming.NameNotFoundException
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled > Code)
at javax.naming.NamingException.<init>(NamingException.java:114)
at
javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:
48)
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
"ldaperror" 76 lines, 2944 characters
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(InitialContext.java:371)
at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown
Source)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
Code)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
Code)
at com.netscape.server.deployment.EjbReg.run(Compiled Code)
at com.netscape.server.deployment.EjbReg.main(Unknown Source)
Start registering iAS 60 Fortune Application...
Start iPlanet Application Server
Start iPlanet Application Server
Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
warning: daemon is running as super-user
[LS ls1] http://gedemo1.plateau.com, port 80 ready
to accept requests
startup: server started successfully.
After completion of installation, I tried to start the console. But I
got the following error;
"Cant connect ot the admin server. The url is not correct or the
server is not running.
Finally,when I started the admintool(iASTT),it shows the iAS1
was registered( marked with a red cross mark) and says "cant login.
make sure the user
name & passwdord are correct" when i click on it.
Thanks in advance for any help
Madhavi
Try our New Web Based Forum at http://softwareforum.sun.com
Includes Access to our Product Knowledge Base!

ASA 8.2.5 LDAP authentication by memberof doesn't always work

I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for.   I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate, its just some of them don't pull the memberof data in the ldap query.
Config:
aaa-server AD protocol ldap
aaa-server AD (inside) host btfs2
ldap-base-dn dc=localdomain,dc=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn [email protected]
server-type microsoft
ldap-attribute-map VPNGroup
ldap attribute-map VPNGroup
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy btvpn internal
group-policy btvpn attributes
banner value This is a private data network. All connections are logged and are subject to
banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
dns-server value 10.0.0.x 10.0.0.y
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun
default-domain value localdomain.com
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
tunnel-group btvpn type remote-access
tunnel-group btvpn general-attributes
address-pool vpnpool
authentication-server-group AD LOCAL
default-group-policy NOACCESS
tunnel-group btvpn webvpn-attributes
group-alias webvpn enable
tunnel-group btvpn ipsec-attributes
pre-shared-key *****
Non-working user:
[1575] Session Start
[1575] New request Session, context 0xd7fbf210, reqType = Authentication
[1575] Fiber started
[1575] Creating LDAP context with uri=ldap://10.0.0.x:389
[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1575] supportedLDAPVersion: value = 3
[1575] supportedLDAPVersion: value = 2
[1575] Binding as [email protected]
[1575] Performing Simple authentication for [email protected] to 10.0.0.x
[1575] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride]
        Scope   = [SUBTREE]
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Talking to Active Directory server 10.0.0.x
[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1575] Binding as cmcbride
[1575] Performing Simple authentication for cmcbride to 10.0.0.x
[1575] Processing LDAP response for user cmcbride
[1575] Message (cmcbride):
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575] objectClass: value = top
[1575] objectClass: value = person
[1575] objectClass: value = organizationalPerson
[1575] objectClass: value = user
[1575] cn: value = Chris McBride
[1575] sn: value = McBride
[1575] l: value = Tulsa
[1575] description: value = cmcbride non-admin test account
[1575] givenName: value = Chris
[1575] distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
[1575] displayName: value = Chris McBride
[1575] name: value = Chris McBride
[1575] objectGUID: value = ....5..L...[..K.
[1575] codePage: value = 0
[1575] countryCode: value = 0
[1575] primaryGroupID: value = 513
[1575] objectSid: value = ...............1...{C..2....
[1575] sAMAccountName: value = cmcbride
[1575] sAMAccountType: value = 805306368
[1575] userPrincipalName: value = [email protected]
[1575] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
[1575] Session End
Working user:
[1585] Session Start
[1585] New request Session, context 0xd7fbf210, reqType = Authentication
[1585] Fiber started
[1585] Creating LDAP context with uri=ldap://10.0.0.x:389
[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1585] supportedLDAPVersion: value = 3
[1585] supportedLDAPVersion: value = 2
[1585] Binding as [email protected]
[1585] Performing Simple authentication for [email protected] to 10.0.0.x
[1585] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride_a]
        Scope   = [SUBTREE]
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Talking to Active Directory server 10.0.0.x
[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1585] Read bad password count 0
[1585] Binding as cmcbride_a
[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
[1585] Processing LDAP response for user cmcbride_a
[1585] Message (cmcbride_a):
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585] objectClass: value = top
[1585] objectClass: value = person
[1585] objectClass: value = organizationalPerson
[1585] objectClass: value = user
[1585] cn: value = Admin Chris McBride
[1585] sn: value = McBride
[1585] description: value = PTC User, cjm 05312011
[1585] givenName: value = Chris
[1585] distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
[1585] instanceType: value = 4
[1585] whenCreated: value = 20110525173004.0Z
[1585] whenChanged: value = 20110619154158.0Z
[1585] displayName: value = Admin Chris McBride
[1585] uSNCreated: value = 6188062
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = btvpn
[1585]          mapped to LDAP-Class: value = btvpn
[1585] memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
[1585]          mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] uSNChanged: value = 6560745
[1585] name: value = Admin Chris McBride
[1585] objectGUID: value = ..Kj4..E..c.VCHT
[1585] userAccountControl: value = 512
[1585] badPwdCount: value = 0
[1585] codePage: value = 0
[1585] countryCode: value = 0
[1585] badPasswordTime: value = 129531669834218721
[1585] lastLogoff: value = 0
[1585] lastLogon: value = 129532463799841621
[1585] scriptPath: value = SLOGIC.BAT
[1585] pwdLastSet: value = 129508182041981337
[1585] primaryGroupID: value = 513
[1585] objectSid: value = ...............1...{C..2. ..
[1585] adminCount: value = 1
[1585] accountExpires: value = 9223372036854775807
[1585] logonCount: value = 90
[1585] sAMAccountName: value = cmcbride_a
[1585] sAMAccountType: value = 805306368
[1585] userPrincipalName: value = [email protected]
[1585] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1585] dSCorePropagationData: value = 20110525174152.0Z
[1585] dSCorePropagationData: value = 16010101000000.0Z
[1585] lastLogonTimestamp: value = 129529717185508866
[1585] msTSExpireDate: value = 20110803160858.0Z
[1585] msTSLicenseVersion: value = 393216
[1585] msTSManagingLS: value = 92573-029-5868087-27549
[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
[1585] Session End

As far as your configuration is concerned it looks perfectly fine. As you mentioned that the difference between the working and non working debugs is that in the non working debugs we do not see memberof attribute being retrieved.
the main reason could be that the username "[email protected]" with which you are performing the LDAP bind does not have sufficient privileges to retreive all the attributes from all the users in the AD. This looks like permission issue at the AD user level.
One thing you can try on the AD is to "Delegate Control" to this user ([email protected]) to "Read all properties" for all users and not just a subset of users. Please get in touch with AD Admin before making such a change on the AD.
Here is an external link just to give an idea about delegation of control to "Read all properties"
http://www.advproxy.net/ldapads.html

LDAP Authentication for Application APEX 3.2

Dear All,
I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
create or replace
FUNCTION              "ADS_LDAP_AUTHENTICATE"
(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
c_Directory   VARCHAR2(50) ;
c_Port        NUMBER(4);
c_BaseDN      VARCHAR2(200);
c_InitUser    VARCHAR2(200);
c_InitPass    VARCHAR2(32);
l_session     DBMS_LDAP.SESSION;
l_success     PLS_INTEGER;
l_attributes DBMS_LDAP.STRING_COLLECTION;
l_result      DBMS_LDAP.MESSAGE;
l_userdn      VARCHAR2(2000);
CURSOR get_authentication_dtls
IS
SELECT domain_name,server_port,server_base_dn,server_principal,server_credentials
FROM    PS_TB_SYSTEM_ADS_CONFIG_DICT;
BEGIN
OPEN get_authentication_dtls;
LOOP
FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
EXIT WHEN get_authentication_dtls%NOTFOUND;
--Open initial lookup session.
l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
IF l_success = DBMS_LDAP.SUCCESS THEN
    l_attributes(1) := NULL;
    l_success := NULL;
    l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
                                   base => c_BaseDN,
                                   scope => dbms_ldap.scope_subtree,
                                   filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
                                   attrs => l_attributes,
                                   attronly => 0,
                                   res => l_result);
    IF l_success = DBMS_LDAP.SUCCESS THEN
      l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
      IF l_userdn IS NOT NULL THEN
        l_success := dbms_ldap.unbind_s(l_session);
        l_session := dbms_ldap.init(c_Directory,c_Port);
        l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
      END IF;
    END IF;
else
    return FALSE;
END IF;
IF l_success = DBMS_LDAP.SUCCESS THEN
CLOSE get_authentication_dtls; /* Close cursor before returning */
    RETURN TRUE;
END IF;
END LOOP;
CLOSE get_authentication_dtls;
   RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
EXCEPTION
WHEN OTHERS THEN
    RETURN FALSE;
END;
Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
Can anyone suggest me how to allow only a set of users to access my application using LDAP.
Thanks in Advance.
Cheers,
San.

Use the below link for Ldap Authentication
LDAP (MS AD) Group Authentication

Open LDAP Authenticator Configuration on WLSSP5

I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: MYABC, Inc
dn: cn=Manager, dc=my-domain,dc=com
userPassword:: c2VjcmV0
objectClass: person
sn: Manager
cn: Manager
dn: cn=myabcsystem, dc=my-domain,dc=com
userPassword:: dmVuZGF2b3N5c3RlbQ==
objectClass: person
sn: myabcsystem
cn: myabcsystem
dn: cn=Philippe, dc=my-domain,dc=com
userPassword:: UGhpbGlwcGU=
objectClass: person
sn: Philippe
cn: Philippe
dn: cn=mlrick, dc=my-domain,dc=com
userPassword:: bWxyaWNr
objectClass: person
sn: mlrick
cn: mlrick
All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
Inspite of me not having any groups in the ldap as indicated in ldif contents.
While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
<weblogic.security.providers.authentication.OpenLDAPAuthenticator
AllGroupsFilter="objectclass=*"
Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
GroupBaseDN="dc=my-domain,dc=com"
GroupFromNameFilter="(cn=%u)"
Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
Principal="cn=myabcsystem,dc=my-domain,dc=com"
Realm="Security:Name=MYABCAuthentication"
StaticGroupDNsfromMemberDNFilter=""
StaticGroupNameAttribute="" StaticGroupObjectClass=""
StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

Hi Amol,
I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
I was not aware you could install the service with that command.
I used the below command instead:
sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
Regards,
-John

Ldap authentication not working for Solaris 8 host - Help!

Greetings folks,
I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
My /etc/nsswitch.conf looks like this:
passwd: files ldap
group: files ldap
My /etc/pam.conf looks like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
hostname# getent passwd user1
user1::1001:1001:User 1:/opt/home/user1:/bin/bash
hostname# ldaplist -l passwd user1
dn: uid=user1,ou=people,dc=mydomain,dc=com
shadowFlag: 0
userPassword: {crypt}(removed)
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
cn: user1
uidNumber: 1001
gidNumber: 1001
gecos: User 1
homeDirectory: /opt/home/user1
loginShell: /bin/bash
However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
Any ideas?
Thanks!
Patrick

I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
2) Did you test and verify telnet/ftp/su working? but SSH not working?
3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
Gary

LDAP Authentication / User-Role in a database (Weblogic Security)

Hi,
I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
The problem is that it doesn't uses LDAP Authentication, it only uses SQL Authentication.
I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
Consider I'm using WLS 10.3 and JDeveloper 11g.
Any suggestions?
Thanks in advance,
Olga

Hi,
Check following forum thread.
Re: custome role maper example
Regards,
Kal

LDAP Authentication Failed :user is not a member in any of the mapped group

Hi,
I tried to set up the LDAP Authentication but I failed.
LDAP Server Configuration Summary seems to be well filled.
I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list.
But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
LDAP Hosts: ldapserverip:389
LDAP Server Type: Custom
Base LDAP Distinguished Name: dc=vds,dc=enterprise
LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
LDAP Referral Distinguished Name:
Maximum Referral Hops: 0
SSL Type: Basic (no SSL)
Single Sign On Type: None
CMS Log :
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
trace message: LDAP: De-activating query cache
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: Updating the graph
trace message: LDAP: Starting Graph Update...
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
, chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 0
trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
trace message: [UID=0;USID=0;ID=79243] Update object in database failed
trace message: Commit failed.+
Can you please help?
Joffrey

Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
Since the same result happens on multiple computers, it is not the profile.
I am recommending you delete the AD account (or rename to backup the account).
It will not effect the users Exchange account, but you will need to link it back to the new AD user account.
You can also delete her profile just to remove it, for the "just in case" scenario.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

LDAP AUthentication in obiee11g

Similar Messages

Maybe you are looking for