LDAP authentication issue for Admin Console 7.0U5

Here is what I'm trying to do:
In the Unix LDAP server, there are 2 identities that have already been created:
dn: cn=group1,ou=group,ou=na,dc=XYZ,dc=com (gidNumber: 937)
dn: uid=bai,ou=People,ou=na,dc=XYZ,dc=com (gidNumber: 937)

dn: cn=group1,ou=group,ou=na,dc=XYZ,dc=com
memberUid: user1
memberUid: bai
memberUid: user2
gidNumber: 937
objectClass: top
objectClass: posixgroup
objectClass: groupofuniquenames

dn: uid=bai,ou=People,ou=na,dc=XYZ,dc=com
loginShell: /bin/ksh
homeDirectory: /export/home/bai
gidNumber: 937
cn: Lastname, Firstname
sn:
uid: bai
uidNumber: 10091
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowaccount
objectClass: organizationalPerson
objectClass: person
shadowFlag: 0
User "bai" is a member of Group "group1" and will also be used as bind-dn (connection tested successfully)
There are also other members (user1, user2) in the Group "group1".
Goal: all individual users in "group1" will have access to Admin Console. (allow_group=group1)
The settings are as follows:
--ldap-url=ldap://ldapsever.XYZ.com:389/dc=XYZ,dc=com
--bind-dn=uid=bai,ou=People,ou=na,dc=XYZ,dc=com
--bind-password=xxxx
--group-search-filter=gidNumber
--group-search-attr=cn
--allow-group=group1
--search-filter=uid
It appears that I got authenticated by LDAP; please see the messages from the LDAP log:
[03/Nov/2009:10:00:54 -0500] conn=10858 op=0 msgId=1 - BIND dn="uid=bai,ou=People,ou=na,dc=XYZ,dc=com" method=128 version=3
[03/Nov/2009:10:00:54 -0500] conn=10858 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bai,ou=people,ou=na,dc=XYZ,dc=com"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=1 msgId=2 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(uid=bai)" attrs="c"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=2 msgId=3 - BIND dn="uid=bai,ou=People,ou=na,dc=XYZ,dc=com" method=128 version=3
[03/Nov/2009:10:00:54 -0500] conn=10858 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bai,ou=people,ou=na,dc=XYZ,dc=com"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=3 msgId=4 - BIND dn="uid=bai,ou=People,ou=na,dc=XYZ,dc=com" method=128 version=3
[03/Nov/2009:10:00:54 -0500] conn=10858 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bai,ou=people,ou=na,dc=XYZ,dc=com"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=4 msgId=5 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(uid=bai)" attrs="c"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=4 msgId=5 - RESULT err=0 tag=101 nentries=1 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=5 msgId=6 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(|(&(objectClass=groupofuniquenames)(|(gidNumber=uid=bai,ou=People,ou=na,dc=XYZ,dc=com)))(&(objectClass=group)(|(member=uid=bai,ou=People,ou=na,dc=XYZ,dc=com)))(&(objectClass=groupofnames)(|(member=uid=bai,ou=People,ou=na,dc=XYZ,dc=com))))" attrs="cn"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=5 msgId=6 - RESULT err=0 tag=101 nentries=0 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=6 msgId=7 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(&(objectClass=groupOfURLs)(memberURL=*))" attrs="cn memberURL"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=6 msgId=7 - RESULT err=0 tag=101 nentries=0 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=7 msgId=8 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(uid=bai)" attrs="c"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=7 msgId=8 - RESULT err=0 tag=101 nentries=1 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=8 msgId=9 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(|(&(objectClass=groupofuniquenames)(|(gidNumber=uid=bai,ou=People,ou=na,dc=XYZ,dc=com)))(&(objectClass=group)(|(member=uid=bai,ou=People,ou=na,dc=XYZ,dc=com)))(&(objectClass=groupofnames)(|(member=uid=bai,ou=People,ou=na,dc=XYZ,dc=com))))" attrs="cn"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=8 msgId=9 - RESULT err=0 tag=101 nentries=0 etime=0
[03/Nov/2009:10:00:54 -0500] conn=10858 op=9 msgId=10 - SRCH base="dc=XYZ,dc=com" scope=2 filter="(&(objectClass=groupOfURLs)(memberURL=*))" attrs="cn memberURL"
[03/Nov/2009:10:00:54 -0500] conn=10858 op=9 msgId=10 - RESULT err=0 tag=101 nentries=0 etime=0
However, I'm still getting errors from the Admin Console:
Warning: Access Denied
Access to the Administrative UI has been denied.
Your user permissions do not allow you to view or edit data in this area. If you need access, contact the system administrator.
Not sure where the problem is: LDAP or ACL?
Any help will be highly appreciated, Thanks a lot!
- Langbaam
Edited by: langbaam on Nov 3, 2009 7:58 AM
Edited by: langbaam on Nov 3, 2009 8:29 AM
Edited by: langbaam on Nov 3, 2009 8:33 AM
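In the access log above, the two group lookups (op=5 and op=8) return nentries=0 because the user's DN was substituted into the attribute named by --group-search-filter (gidNumber), while group1 records its members by memberUid. The script below is an added illustration, not code from the post or from Sun Web Server: it replays those logged filters against in-memory copies of the two entries shown in the post and, going a step beyond the log, also tries a memberUid-based and a uniqueMember-based lookup. The filter parser/evaluator is a minimal one written for this example.

```python
"""Replay the Admin Console group lookup from the access log, offline.

Entries are transcribed from the post (only the attributes that matter
for the lookup); the filter parser/evaluator is a minimal one written
for this example and is not Sun Web Server code."""

# The two entries from the post, keyed by DN. Attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
USER_DN = "uid=bai,ou=People,ou=na,dc=XYZ,dc=com"
GROUP_DN = "cn=group1,ou=group,ou=na,dc=XYZ,dc=com"
ENTRIES = {
    GROUP_DN: {
        "cn": ["group1"],
        "memberuid": ["user1", "bai", "user2"],
        "gidnumber": ["937"],
        "objectclass": ["top", "posixgroup", "groupofuniquenames"],
    },
    USER_DN: {
        "uid": ["bai"],
        "cn": ["Lastname, Firstname"],
        "gidnumber": ["937"],
        "uidnumber": ["10091"],
        "objectclass": ["top", "inetOrgPerson", "posixAccount",
                        "shadowaccount", "organizationalPerson", "person"],
    },
}


def parse_filter(text, pos=0):
    """Parse an RFC 4515 search filter into a tuple tree.

    Supports the AND/OR/NOT operators and equality/presence assertions,
    which is all the filters in the log use. Returns (tree, next_pos)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    # Split on the first '=' only: a DN used as the value itself contains '='.
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence assertion, e.g. (memberURL=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries=ENTRIES):
    """Return the DNs of entries matching filter_text (subtree scope over all entries)."""
    tree, _ = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(tree, attrs)]


# Filter exactly as the log shows it for op=5 / op=8: the user's DN was
# substituted into the attribute named by --group-search-filter=gidNumber.
LOGGED_GROUP_FILTER = (
    "(|(&(objectClass=groupofuniquenames)(|(gidNumber=" + USER_DN + ")))"
    "(&(objectClass=group)(|(member=" + USER_DN + ")))"
    "(&(objectClass=groupofnames)(|(member=" + USER_DN + "))))"
)
# The dynamic-group probe from op=6 / op=9.
LOGGED_URL_FILTER = "(&(objectClass=groupOfURLs)(memberURL=*))"
# How this posixGroup actually records membership: by uid, not by DN.
POSIX_FILTER = "(&(objectClass=posixGroup)(memberUid=bai))"
# What a DN-based groupOfUniqueNames lookup would need; the entry carries no uniqueMember.
UNIQUE_MEMBER_FILTER = (
    "(&(objectClass=groupOfUniqueNames)(uniqueMember=" + USER_DN + "))"
)

if __name__ == "__main__":
    for label, flt in [("logged group filter", LOGGED_GROUP_FILTER),
                       ("logged groupOfURLs filter", LOGGED_URL_FILTER),
                       ("memberUid filter", POSIX_FILTER),
                       ("uniqueMember filter", UNIQUE_MEMBER_FILTER)]:
        hits = search(flt)
        print("%-26s nentries=%d %s" % (label, len(hits), hits))
```

Only the memberUid-based filter finds group1; the logged filter and the uniqueMember form both return zero entries, matching the nentries=0 in the log.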

Can you check if your admin-server's server.xml (admin-server/config/server.xml) has the following settings?
<default-auth-db-name>ldap</default-auth-db-name>
<auth-db>
  <name>ldap</name>
  <url>ldap://<hostname>:<port>/<base-dn></url>
  <property>
    <name>bindpw</name>
    <value><passwd></value>
    <encoded>true</encoded>
  </property>
  <property>
    <name>binddn</name>
    <value><binddn-value></value>
  </property>
</auth-db>
Can you also verify if the file under admin-server/config/default-sun-web.xml has the following settings?
# cat default-sun-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2004 Sun Microsystems, Inc. All rights reserved.
SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
-->
<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name><your_group></group-name>
  </security-role-mapping>
</sun-web-app>
- Amit

Similar Messages

  • ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

    I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
    During the installation I got the following error.
    ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
    Fatal Slapd did not add Directory server information to config Server.
    Warning slapd could'nt populate with ldif file Yes error code 151.
    ERROR:Failure installing iPlanet Directory Server.
    Do you want to continue: ( I entered yes )
    Configuring Administration Server Segmentation fault core dumped.
    Error: Failure installing Netscape Administration Server.
    Do you want to continue:( I responded with yes).
    And during the Extraction I got the following
    ERROR:mple_bind: Can't connect to the LDAP server - No route to host
    ERROR: Unable to connect to LDAP Directory Server
    Hostname: hostname
    Port: 389
    User: cn=Directory Manager
    Password: <password-for-cn=Directory Manager
    Please make sure this Directory Server is currently running.
    You might need to run 'stop-slapd' and then
    'start-slapd' in the Directory Server home directory, in order to restart
    LDAP. When finished, press ENTER to continue, or S to skip this step:
    Start registering Bootstrap EJB...
    javax.naming.NameNotFoundException
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled > Code)
    at javax.naming.NamingException.<init>(NamingException.java:114)
    at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    "ldaperror" 76 lines, 2944 characters
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at javax.naming.InitialContext.bind(InitialContext.java:371)
    at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.run(Compiled Code)
    at com.netscape.server.deployment.EjbReg.main(Unknown Source)
    Start registering iAS 60 Fortune Application...
    Start iPlanet Application Server
    Start iPlanet Application Server
    Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
    warning: daemon is running as super-user
    [LS ls1] http://gedemo1.plateau.com, port 80 ready
    to accept requests
    startup: server started successfully.
    After completion of installation, I tried to start the console. But I got the following error:
    "Cant connect ot the admin server. The url is not correct or the server is not running."
    Finally, when I started the admintool (iASTT), it shows the iAS1 was registered (marked with a red cross mark) and says "cant login. make sure the user name & passwdord are correct" when I click on it.
    Thanks in advance for any help
    Madhavi

    Hi,
    Make sure that the directory server is installed first. If it is running
    ok, then you can try adding an admin user; please check the following
    technote.
    http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
    regards
    Swami

  • Weblogic Server 10.3.0 and LDAP authentication Issue

    Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine, but I am having an issue in terms of authorization.
    I am not able to access the default WebLogic administrator console app using any of the LDAP users; I get a Forbidden message.
    It appears to me that the WebLogic Server is not pulling out the proper groups from the LDAP that the user belongs to.
    Can anyone please point me in the right direction to get this resolved?
    Thanks,
    STEPS
    Here are my steps I have followed:
    - Created a group called Administrators in OID.
    - Created a test user called uid=myadmin in the OID and assigned the above group to this user.
    - Added a new Authentication Provider to WebLogic and configured it with what is required to communicate with OID (the config.xml file snippet is below)
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>OIDAuthentication</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
    <wls:port>1389</wls:port>
    <wls:principal>cn=orcladmin</wls:principal>
    <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
    <wls:credential-encrypted>removed from here</wls:credential-encrypted>
    <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
    </sec:authentication-provider>
    - Marked the default authentication provider as sufficient as well.
    - Re-ordered the authentication providers such that the OIDauthentication is first in the list and the default one is last.
    - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
    <LDAP Atn Login username: myadmin>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <authenticate user:myadmin>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authentication succeeded>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <LDAP Atn Authenticated User myadmin>
    <List groups that member: myadmin belongs to>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <Result has more elements: false>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <login succeeded for username myadmin>
    - I see the XACML RoleMapper getRoles() only returning the Anonymous role as opposed to Admin (because the OID user is a part of the Administrators group in OID, it should be returning Admin as far as I can tell). Here is the log entry that shows that:
    <XACML RoleMapper getRoles(): returning roles Anonymous>
    - I did an ldap search and found no issues in getting the results back:
    C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
    cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
    objectclass=groupOfUniqueNames
    objectclass=orclGroup
    objectclass=top
    END
    Here are the log entries:
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authentication succeeded>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
    <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
    <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <1291668685686> <BEA-000000> <Result has more elements: false>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <login succeeded for username myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
         Principal: myadmin
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
    <1291668685702> <BEA-000000> <Using Common RoleMappingService>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>>
    <1291668685702> <BEA-000000> <     Parent: null>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
    <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
    <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
    <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Roles:Anonymous>
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Direction: ONCE>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

    Okay, finally the issue is resolved. Here are the findings to help others in case they run into the same issue.
    The OID version that we are using is not returning the groups the way WebLogic is building the ldapsearch command. We captured the LDAP traffic to go deeper and noticed the filters and attribute list that WLS was asking for. For example, the filter was like:
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
    It was the "cn" attribute that was causing the result set to be empty.
    From a command line we tried
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
    and got the results back.
    Then we started looking into the OID configuration, and one of my coworkers pointed me towards the orclinmemfiltprocess attribute in the cn=dsaconfig entry and told me that they had had a lot of issues in the past in relation to this attribute.
    So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo, it worked!
    Since we needed groupofuniquenames in this list for performance/other reasons, we decided to use a different objectclass for our groups instead, i.e. orclGroup.
    Thanks everyone for showing interest in the problem and providing suggestions.

  • Creating users for admin console access

    When I install the web server onto my system part of the installation is to create an admin user and password. I'd like to create another user to log into the web server admin console with the same or limited permissions. I don't want to have to hand out the 'admin' password to multiple people, I'd prefer to create new accounts for each person that needs to administer some part of the webserver and set permissions for each. Can't seem to find out how this is done in the admin guide.

    "Andy" <[email protected]> wrote in message
    news:[email protected]..
    Hello,
    I am using custom authentication and authorization providers that
    work just fine with my applications, but I have problems using Admin
    Console with them (WL Server 7.0). The server is successfully started
    with a user that has been given rights to '<svr>.myserver.boot' etc.
    Logging into Console is successful as well and most Console pages can
    be viewed as usual. But when I'm trying to save any changes, or if I
    try to just view certain Console pages, I get
    'weblogic.management.NoAccessRuntimeException'. For example:
    MBean operations need a user with Admin role.

  • Fix for Admin Console UN/PW problem!!

    Hi all,
    The following will allow you to log on to the AdminConsole after setup in Win2000.
    First, open config.xml in your \bea\weblogic600\config\yourdomain directory in an editor. I used XMLWriter, but I'm sure Notepad would work.
    Next, find the following:
    <Security Name="mydomain" GuestDisabled="false"/>
    Add a SystemUser attribute to the line so that it looks like this:
    <Security Name="mydomain" GuestDisabled="false" SystemUser="system"/>
    where "system" is the UserName you want to log into the AdminConsole with.
    Now, fire up the Admin Console and login with this username. The password will be the password you entered during setup. To locate this password, open password.ini from the same directory where you found the XML file. Open password.ini in Notepad to see your password. If it's empty, no password is required.
    Good luck
    Bill

    Can you check if your admin-server's server.xml (admin-server/config/server.xml) has the following settings?
    <default-auth-db-name>ldap</default-auth-db-name>
    <auth-db>
      <name>ldap</name>
      <url>ldap://<hostname>:<port>/<base-dn></url>
      <property>
        <name>bindpw</name>
        <value><passwd></value>
        <encoded>true</encoded>
      </property>
      <property>
        <name>binddn</name>
        <value><binddn-value></value>
      </property>
    </auth-db>
    Can you also verify if the file under admin-server/config/default-sun-web.xml has the following settings?
    # cat default-sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
    -->
    <sun-web-app>
      <security-role-mapping>
        <role-name>admin</role-name>
        <group-name><your_group></group-name>
      </security-role-mapping>
    </sun-web-app>
    - Amit

  • Setting cookie path for JSESSIONID cookie for admin console

    We've run into a strange problem with the JSESSIONID cookie created for the weblogic
    console application clashing with the JSESSIONID cookie created for our application.
    We've set the path to application JSESSIONID cookie but have been unable to set
    the cookie path for the console application JSESSIONID cookie.
    Anyone know how to do this?
    Thanks,
    Mark

    Create a JAAS Authentication Entry in the Server configuration.
    This should then appear in the drop-down when specifying your DataSource.

  • LDAP-based authN for EMGC console

    I am working on a EM11g POC and the customer is asking about authenticating users to the EM console via LDAP/ActiveDirectory.
    The EUS option described in Section 2 of the OEM Admin Guide (Enterprise Manager Security | Enterprise Manager Authentication) -- http://download.oracle.com/docs/cd/E11857_01/em.111/e16790/security3.htm#BABGAGIJ -- states that "Enterprise User Security (EUS) option enables you to create and store enterprise users and roles for the Oracle database in an LDAP-compliant directory server".
    However, this is not the same as authenticating against an existing LDAP directory.
    So... is there an option to configure EM console for LDAP-based auth? If not, is this something on the roadmap for 11gR2?
    Thanks,
    Roy
    Roy Kiesler | Principal Sales Consultant | Oracle NATO SC — FMW TSG | +1 925 876 6323

    OK,
    This configuration is for your EM Accounts
    You can however manage all local database users with the same LDAP solution (OID)
    If you want you can do a Single Sign On configuration for EM as well.
    There is a possibility to interface between OID and Active Directory, so you are actually able to do what your customer wants.
    Regards
    Rob
    http://oemgc.wordpress.com

  • LDAP Authentication Issues

    I hope someone can help me with these issues:
    ISSUE 1
    I am attempting to get WebLogic to authenticate to NDS via LDAP. Currently this is
    working but only by using the "bind" option for User Authentication when setting
    up the LDAP realm. The issue that I am having is that I need NDS to perform the authentication
    for me and to return just a "yes" or "no" answer. This would imply that the user
    authentication method to use is "external". However, every time we set up "external"
    on the LDAP Realm, WebLogic DOES NOT start up - it complains of an invalid user authentication
    mechanism.
    ISSUE 2
    The second issue involves setting up the WebLogic LDAPRealm to cater for more than
    one group.
    The NDS server consists of a tree with about 5 organisational units. Each
    organisational unit (OU) is a logical division of the business. Users that will use
    the product we are implementing will fall into two of the five OUs. There seems to
    be no way in WebLogic 6.0 to specify more than one group in the LDAP realm settings.
    This implies that the WebLogic groups need to lie at root level, which makes absolutely
    no sense structurally. Also, given that there are 2000 users on the system and they
    all have different NDS contexts, searching for users when authenticating is going
    to affect the performance and response time of WebLogic.
    How can I set up various contexts in WLS' LDAPRealm?

  • Authentication issue for Fedrated in Windows Phone mdm

    Hi group, I am implementing Windows Phone MDM using Federated authentication mode. I succeeded in OnPremise authentication mode. But if I use Federated authentication mode I am seeing the following errors in the logs. I am using a Windows Phone
    8.1 device. I added EnrollmentPolicyServiceUrl, EnrollmentServiceUrl and AuthenticationServiceUrl
    in the xml.
    GetEndpointsFromResponse() uses authentication mode (NULL). , 1, 45.574597604
     Unknown authentication mode (NULL) is used.
     Data transmission attempt (1) failed with (2149056518). , 1, 45.575081406
     [MDM Enroll End] Error HRESULT: 0x8018000
    Any advice would be greatly appreciated.

    This error suggests that the AuthPolicy node of your discovery response is either empty or could not be found. 
    Can you post the payload of your discovery response in this case?
    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

  • LDAP AUTHENTICATION- PLEASE HELP

    My client wants me to use LDAP for authentication. I am new to this: I have written an authentication bean, as follows.
    //Used to authenticate user from LDAP directory.
    package register;

    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.*;

    public class AuthBean {
        private boolean attempted;
        private String userName;
        private String password;

        public AuthBean() {
            attempted = false;
            userName = "";
            password = "";
        }

        //Getter methods.
        public String getUserName() {
            return this.userName;
        }

        public String getPassword() {
            return this.password;
        }

        //Setter methods.
        public void setUserName(String userName) {
            this.userName = userName;
            if (!this.userName.equals("") && !this.password.equals(""))
                attempted = true;
            else
                attempted = false;
        }

        public void setPassword(String password) {
            this.password = password;
            if (!this.userName.equals("") && !this.password.equals(""))
                attempted = true;
            else
                attempted = false;
        }

        //Checks to see if attempted.
        public boolean isAttempted() {
            return this.attempted;
        }

        /**
         * Given a username and password, authenticates to the directory.
         * Takes a String for username, String for password.
         * Calls getDN to locate the entry first, then binds as that DN.
         */
        public boolean ldapAuthenticate(String username, String pass) {
            // An empty password must be rejected here: a simple bind with empty
            // credentials is treated by JNDI/LDAP as an anonymous bind and succeeds.
            if (username == null || pass == null || pass.length() == 0) {
                System.out.println(" im here in the method");
                System.out.println(" user" + username);
                System.out.println(" pass" + pass);
                return false;
            }
            String dn = getDN(username);
            System.out.println(" dn" + dn);
            if (dn == null)
                return false;
            // getDN() returns a name relative to the search base "ou=it,o=hcfhe",
            // so the suffix appended here must rebuild the entry's full DN.
            dn = dn + ",o=hcfhe";
            //dn = dn + ",o=mu";
            System.out.println(dn);
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            //set variables for context
            Hashtable env = new Hashtable();
            env.put("com.sun.naming.ldap.trace.ber", System.err);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, pass);
            DirContext ctx;
            //make connection, catch errors thrown
            try {
                ctx = new InitialDirContext(env);
            } catch (AuthenticationException e) {
                System.out.println("Authentication Exception");
                return false;
            } catch (NamingException e) {
                e.printStackTrace();
                return false;
            }
            //close connection
            try {
                ctx.close();
            } catch (NamingException ne) {
                System.out.println(ne);
            }
            return true;
        }

        /**
         * This method checks for the username in the LDAP directory.
         * Takes a String; returns the matching entry's name, or null if none.
         */
        public String getDN(String username) {
            String dn = "";
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            DirContext ctx;
            try {
                ctx = new InitialDirContext(env);
                SearchControls ctls = new SearchControls();
                ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Search for objects with these matching attributes. The username is
                // concatenated into the filter unescaped, so filter metacharacters
                // in it alter the query (LDAP filter injection); see RFC 4515 escaping.
                String filter = "(uid=" + username + ")";
                NamingEnumeration results = ctx.search("", filter, ctls);
                if (results != null && results.hasMoreElements()) {
                    SearchResult sr = (SearchResult) results.nextElement();
                    dn = sr.getName(); // relative to the context's base, not the full DN
                } else {
                    dn = null;
                }
                ctx.close();
            } catch (AuthenticationException e) {
                System.out.println("Authentication Exception");
                return null;
            } catch (NamingException e) {
                e.printStackTrace();
                return null;
            }
            return dn;
        }
    }
    I have also done a validate.jsp as follows.
    <%@page import="register.AuthBean"%>
    <jsp:useBean id="AuthBean" class="register.AuthBean" scope="session"/>
    <%
        //boolean valid = false;
        String username = request.getParameter("user");
        //System.out.println("The username" + username);
        String password = request.getParameter("password");
        //System.out.println("The password" + password);
    %>
    <jsp:setProperty name="AuthBean" property="userName" param="user" />
    <jsp:setProperty name="AuthBean" property="password" param="password" />
    <%
        //boolean validate = false;
        String nn = AuthBean.getUserName();
        System.out.println(nn);
        String dn = AuthBean.getDN(username);
        System.out.println(dn);
        boolean validate = AuthBean.ldapAuthenticate(username, password);
        if (validate) {
            response.sendRedirect("../admin/Adminindex.jsp");
        } else {
            response.sendRedirect("Login.html");
        }
    %>
    At current I keep getting 'false' for validate. But there are no errors. I'm using Tomcat and Apache; do I need to configure any of these for LDAP? If so, can you show me some examples?
    Many thanks.
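    Both the WebLogic/OID post above (the "(&(uniquemember=...)(objectclass=groupofuniquenames))" filter and the attribute list WLS requested) and the AuthBean code (which builds "(uid=" + username + ")" by string concatenation) come down to how LDAP search filters are built and what they return. The following is an added example, not code from either post: it builds both filters with RFC 4515 assertion-value escaping, then evaluates them against a small constructed in-memory directory so it runs offline. The entries, DNs and group names are constructed samples; the filter parser handles only equality and AND, which is all these two filters use.

```python
"""Search-then-bind LDAP lookups with RFC 4515 filter escaping (added example)."""
import re

# Constructed sample directory (not from the thread): DN -> lower-cased
# attribute names with list values, the shape an LDAP client sees.
DIRECTORY = {
    "uid=myadmin,ou=AppAdmins,o=gc,c=ca": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["myadmin"],
        "cn": ["My Admin"],
    },
    "uid=jdoe,ou=AppAdmins,o=gc,c=ca": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["jdoe"],
        "cn": ["J. Doe"],
    },
    "cn=Administrators,ou=Groups,o=gc,c=ca": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["Administrators"],
        "uniquemember": ["uid=myadmin,ou=AppAdmins,o=gc,c=ca"],
    },
    "cn=Monitors,ou=Groups,o=gc,c=ca": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["Monitors"],
        "uniquemember": ["uid=jdoe,ou=AppAdmins,o=gc,c=ca"],
    },
}


def escape_filter_value(value):
    """RFC 4515: NUL, '(', ')', '*' and '\\' in an assertion value become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def uid_filter(username):
    """The user lookup filter, with the untrusted username escaped."""
    return "(uid=%s)" % escape_filter_value(username)


def group_filter(member_dn):
    """The group lookup filter WebLogic issued in the thread, for a resolved member DN."""
    return "(&(uniquemember=%s)(objectclass=groupofuniquenames))" % escape_filter_value(member_dn)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt, i=0):
    """Parse '(attr=value)' or '(&(...)(...))' starting at filt[i]; return (node, next_index)."""
    if i >= len(filt) or filt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if filt[i] == "&":
        i += 1
        children = []
        while i < len(filt) and filt[i] == "(":
            child, i = _parse(filt, i)
            children.append(child)
        if i >= len(filt) or filt[i] != ")":
            raise ValueError("unterminated AND at offset %d" % i)
        return ("and", children), i + 1
    j = filt.index(")", i)  # escaped parens are \28/\29, so this is the real close
    attr, _, value = filt[i:j].partition("=")
    return ("eq", attr.lower(), _unescape(value).lower()), j + 1


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value for v in entry.get(attr, []))


def search(directory, filt, attrs):
    """Return [(dn, {attr: values})] for entries matching the whole filter string."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return [(dn, {a: e[a] for a in attrs if a in e})
            for dn, e in directory.items() if _matches(node, e)]


def groups_for(directory, username):
    """Resolve username -> DN -> group cn list, as the search-then-bind flow does."""
    users = search(directory, uid_filter(username), ["uid"])
    if len(users) != 1:  # no entry, or an ambiguous match: refuse rather than guess
        return []
    dn = users[0][0]
    return sorted(g["cn"][0] for _, g in search(directory, group_filter(dn), ["cn"]))


if __name__ == "__main__":
    print(groups_for(DIRECTORY, "myadmin"))
    print(uid_filter("*)(uid=*"), groups_for(DIRECTORY, "*)(uid=*"))
```

    Requesting only the attributes you need (the thread's "cn" versus "uniquemember") is passed through as the attrs list, and a username carrying filter metacharacters ends up as a literal value that matches nothing instead of a second filter clause.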

    Hi Irene,
    I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
    =====================================================================
    import javax.naming.directory.*;
    import javax.naming.ldap.*;
    import javax.naming.*;
    import java.util.*;

    /**
     * Insert the type's description here.
     * Creation date:
     * @author: Sajjad Alam
     */
    public final class LDAPConn {
        public static java.lang.Object Conn;

        /**
         * LDAPConn constructor comment.
         */
        public LDAPConn() {
            super();
        }

        /**
         * Insert the method's description here.
         * @return java.lang.Object
         */
        public static DirContext getConn() throws Exception {
            //Declarations of variables
            Hashtable env = new Hashtable(11);
            InitialLdapContext ctx = null;
            //==============LDAP Authentication of a given user stored in Active Directory=============
            System.out.println("Entered constructor for Ldap Context");
            //Initialize the Context Factory.
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
            try {
                // The following syntax is a standard way of authenticating users stored in LDAP
                // when the JNDI API is used.
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
                env.put(Context.SECURITY_CREDENTIALS, "password");
                System.out.println("Issuing request to authenticate the user and create an LDAP context");
                ctx = new InitialLdapContext(env, null);
                System.out.println("Got handle on Ldap Context");
                //==============Completed Authentication of user=============
                //==============Retrieving attribute data about a user stored in Active Directory==========
                //Here we will retrieve attributes of one of the users in LDAP ("cn=");
                //Declarations of variables
                String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
                Attributes userAttr = ctx.getAttributes(userInfo);
                Attribute orgUnitAttr = null;
                //Looping through the enumeration to obtain attribute data
                for (NamingEnumeration ae = userAttr.getAll(); ae.hasMore();) {
                    Attribute attr = (Attribute) ae.next();
                    if (attr.getID().equals("distinguishedName"))
                        orgUnitAttr = attr;
                    System.out.print(" Attribute: " + attr.getID());
                    //Print each value
                    for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                        System.out.println(" Value: " + e.next());
                    }
                }
                //============== Done retrieving attribute data about user==========
                //==============To find which organizational unit a user belongs provided we pass the user==========
                //This section of code uses the value from the "distinguishedName" attribute
                System.out.println("");
                // orgUnitAttr stays null if the entry has no distinguishedName attribute
                String parseOutOrgUnit = (orgUnitAttr == null) ? "(distinguishedName not returned)" : orgUnitAttr.toString();
                System.out.println("We can obtain the organizational unit (Role) from the " + parseOutOrgUnit);
                //======================================Done=============================
                // Close the context when we're done or you can close the connection where you are using this object.
                String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
                Attributes grAttr = ctx.getAttributes(grInfo);
                //Looping through the enumeration to obtain attribute data
                for (NamingEnumeration ae = grAttr.getAll(); ae.hasMore();) {
                    Attribute attr = (Attribute) ae.next();
                    System.out.print(" Attribute: " + attr.getID());
                    //Print each value
                    for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                        System.out.println(" Value: " + e.next());
                    }
                }
                //============== Done retrieving attribute data about group==========
                System.out.println("");
                //======================================Done=============================
                ctx.close();
            } catch (Exception e) {
                System.out.println(e.getLocalizedMessage());
            }
            return ctx;
        }
    }

  • LDAP authentication not minding user set

    I have a publishing rule for an internal website set up with LDAP authentication for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2). I want users from either domain to be able to authenticate, and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
    I have an LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in. I have added both user sets for domain1 and domain2 to the "This rule applies to requests from the following user set:" under the Users tab in the publishing rule.
    Any clues?

    Hi,
    Based on my experience, Server Authentication Certificates should exist on the DCs that you want TMG to use for authentication, and TMG must trust the issuer of the Server Authentication Certificate. You can check that in Trusted Root Certification Authorities on TMG.
    In addition, when you add an LDAP server set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
    More information:
    Configuring LDAP authentication on AD LDS
    Setting Up and Troubleshooting LDAPS Authentication in Forefront TMG 2010
    Best regards,
    Susie

  • How do i restore/reset Admin console password

    Hi
    Here is the scenario
    1. I install a new Sun Directory Server 5.2 on my development server (Solaris 10)
    2. I set admin/password for my admin console password
    3. I back up the data from the UAT server using
    - ./saveconfig
    - ./db2bak
    then transfer the files over to my development server
    4. I do ./restoreconfig
    and ./bak2db
    5. the development LDAP server is up and running
    BUT somehow the password for the admin console gets overwritten
    by the config I extracted from the UAT server (and I don't know the password for the admin console on the UAT server)
    How do I reset/restore the admin console password?
    Thanks.
    Can I just do ./bak2db without doing restoreconfig to restore the data??

    hi,
    stop the slapd process,
    go to the config directory of your server and open the dse.ldif with an editor,
    search for 'nsslapd-rootdn' and 'nsslapd-rootpw',
    you will find your LDAP manager account, which should be something like:
    nsslapd-rootdn: cn=Manager
    and its password:
    nsslapd-rootpw: {SSHA}lrSK6wJmZMBBg/jOdCd/fxKf+hhUfaFQFCpLFw==
    generate a new password with:
    ./getpwenc <encryption scheme> <password to encrypt>
    ./getpwenc SSHA newsecret
    {SSHA}cwn+TWDDcex1nJgA1QxkWJN/V+hWTytPyCZTbw==
    the 'getpwenc' script is located in the slapd-<hostname> directory of your server install directory.
    take the newly generated password and replace the old one in the dse.ldif with it.
    don't forget to make an extra backup of the dse.ldif!

  • No more than 10 client computers appear in WSUS 3.0 Admin Console

    Hi Folks,
    I installed WSUS 3.0 SP1 on our SBS 2003 R2 Premium server a few days ago. I've noticed that the WSUS admin console will never display more than 10 client computers at a time. In fact, I've got roughly 16 clients that get used daily.
    I've used the ClientDiag.exe tool to confirm that an invisible client actually does have connectivity to the WSUS server. Group policy settings have flowed through to the clients as well. When I took a quick look at WindowsUpdate.log, it seemed to confirm connectivity to the WSUS server as well. If I run: wuauclt.exe /resetauthorization /detectnow on an invisible client, the client will then show up in the admin console, but at the same time, a previously displayed client will disappear from view. 10 clients seems to be the upper limit for admin console viewing.
    Where should I be looking? Thanks, Derek.

    Hi Folks,
    I installed WSUS 3.0 SP1 on our SBS 2003 R2 Premium server a few days ago. I've noticed that the WSUS admin console will never display more than 10 client computers at a time.
    If I run: wuauclt.exe /resetauthorization /detectnow on an invisible client, the client will then show up in the admin console, but at the same time, a previously displayed client will disappear from view. 10 clients seems to be the upper limit for admin console viewing.
    This is a classic symptom of duplicated SusClientIDs caused by cloning an image with an already present SusClientID.
    Delete the SusClientID registry value from the registry key
    HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
    on EVERY PC
    and reboot (or restart the Automatic Updates service)
    and THEN run wuauclt /resetauthorization /detectnow
    which will force the WUA to generate a new (unique) SusClientID and reregister with the WSUS Server.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Hi,
    I have the same issue. My OS is Windows 2003 R2 Standard. Any idea?
    admin
    Yes. The ANSWER provided on June 12th and marked as The Answer IS the answer.
    See KB903262 for explicit details
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
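    The diagnosis above can be confirmed from an inventory before touching any registry: WSUS keeps one computer record per SusClientId, so the console can never list more clients than there are distinct IDs. The following is an added example, not a tool from the thread or from Microsoft: it reads a constructed "hostname,SusClientId" export (the kind you would build by reading the SusClientId value under HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate on each client), groups hosts by ID, and reports which machines collide. The GUIDs and hostnames are made up. The thread's advice is to reset every PC; this report tells you which ones are actually sharing an ID.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export (not data from the thread): one "hostname,SusClientId"
# line per client. Three machines share one ID and two share another, mirroring
# the cloned-image situation described in the answer.
INVENTORY = """\
# hostname,SusClientId
WS01,1a2b3c4d-0000-4000-8000-000000000001
WS02,1A2B3C4D-0000-4000-8000-000000000001
WS03,{1a2b3c4d-0000-4000-8000-000000000001}
WS04,5e6f7a8b-0000-4000-8000-000000000002
WS05,9c0d1e2f-0000-4000-8000-000000000003
WS06,5e6f7a8b-0000-4000-8000-000000000002
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_id(value: str) -> str:
    """Lower-case the GUID and drop surrounding braces so formatting differences do not hide a match."""
    return value.strip().strip("{}").lower()


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Parse 'hostname,SusClientId' lines; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, client_id = line.partition(",")
        records.append((host.strip(), normalize_id(client_id)))
    return records


def find_duplicates(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each SusClientId reported by more than one host to the hosts reporting it."""
    by_id: Dict[str, List[str]] = defaultdict(list)
    for host, client_id in records:
        by_id[client_id].append(host)
    return {cid: hosts for cid, hosts in by_id.items() if len(hosts) > 1}


def malformed_ids(records: List[Tuple[str, str]]) -> List[str]:
    """Hosts whose SusClientId does not look like a GUID at all."""
    return [host for host, cid in records if not GUID_RE.match(cid)]


def max_visible_clients(records: List[Tuple[str, str]]) -> int:
    """The console keys computers by SusClientId, so distinct IDs bound what it can show."""
    return len({cid for _, cid in records})


def hosts_needing_reset(records: List[Tuple[str, str]]) -> List[str]:
    """Hosts in a duplicate group: delete SusClientId, restart Automatic Updates,
    then run wuauclt /resetauthorization /detectnow, as the answer above describes."""
    hosts = [h for group in find_duplicates(records).values() for h in group]
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_inventory(INVENTORY)
    print(f"{len(recs)} clients, at most {max_visible_clients(recs)} can appear in the console")
    for cid, hosts in find_duplicates(recs).items():
        print(f"  {cid} shared by {', '.join(hosts)}")
    print("hosts to reset:", ", ".join(hosts_needing_reset(recs)))
```

    With the sample data, six clients collapse to three distinct IDs, which is exactly the "one appears, another disappears" behaviour the original poster saw: each re-registration overwrites the record of whichever clone last reported under the same ID.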

  • Location of admin console war

    I am using WebLogic 10 and I would like to know where the war file for the admin console is physically located on the file system. Basically I hope to add the precompile true jsp-param to the weblogic.xml of the admin console to make it function faster on restart of the admin server.

    I thought so. I went into the directory and modified the weblogic.xml to include precompile as true, but still the first load of the admin console is taking a lot of time. Maybe it is not a precompile issue; maybe on server restart WebLogic reads some configuration files and tries to load all the configuration, as there is one admin console per WL_HOME but there can be multiple domains and each domain needs to display different configurations. Is there a way to configure the admin console war on the domain level so that it loads faster the first time? I am using WebLogic 10.0.

  • Built-in LDAP Authentication Problem

    Hi All,
    I have used the Built-in LDAP Authentication Method for my application authentication, which works fine, but I need to have a database authentication as well, in combination with the LDAP one.
    I tried putting a database authentication function (Returning Boolean) in the post authentication process but without success.
    Please suggest how to go about this.
    cheers
    Dhrubo

    You really didn't explain much more than in your first post.
    "For example, LDAP verifies all users now, but I would like to enable persons with their role as managers to have access privilege for my application."
    Right now, managers do have access privilege, so that requirement does not make sense.
    "For this Manager problem I need a database level authentication."
    What does that mean? You can't just make up terms like that.
    I think you are mixing up authentication and authorization. Please search this forum and read the User's Guide for more info about how these are different.
    We can show you how to do both authentication and authorization, you just need to work harder stating your exact requirements.
    Scott
