LDAP Authentication Listing the users

Hi,
I am new to OBIEE. I have LDAP authentication added to my repository. Please let me know how I can get the list of users in LDAP on to my OBIEE Presentation Catalog and Users so that I can classify them into various groups and add security features.

If your user groups are held in LDAP you can pull them in as part of the authentication block by mapping the attribute to the GROUP variable.
The basic principle of using those groups, and how the RPD interacts with the presentation catalogue, is explained well here:
http://obieeblog.wordpress.com/category/obiee/obiee-security/

Similar Messages

  • Set a default LDAP domain if the user does not specify one during logon

    We are using LDAP authentication. We have set up the repository to have 3 LDAP servers, with the following domain identifiers: PUBLIC, AGENT, CORPORATE. We would like to default the domain to PUBLIC for external users, so they do not need to provide a domain. AGENT and CORPORATE users would still specify the domain. Is there a way to do this? I've tried setting the USER variable in an init block using the following SQL.
    Init block 1 - populates the USER session variable to prepend with PUBLIC if not specified
    select (CASE WHEN substr(':USER',1,instr(':USER','/')-1) is NULL then 'PUBLIC/'||':USER'
    ELSE ':USER'
    END)
    from dual
    Init block 2 - LDAP authentication - populates the EMAIL and UID session variables
    mail = EMAIL
    uid = UID
    Because I've defined the USER variable in the previous init block, I can't return the uid into the USER variable. This caused it to think that authentication was successful, and it allows you to login with valid LDAP users, but it will take any password you provide.
    ideas?

    Yes, I have done that. I have removed all other init blocks, and now have just the two. Init block 1 - set the value of the USER_TEMP variable, and init block 2 - the authentication init block. The authentication init block is marked as required for authentication, and the other init block must precede it. It is still allowing a user to login successfully under PUBLIC, when they are not a public user. If I explicitly login as PUBLIC/<user> it fails, as I would expect. But when I login as <user> it is successful. Which is not correct. I've checked in Answers that the variable USER_TEMP is being set to PUBLIC/<user>. So, I'm still confused as to why the LDAP init block is allowing it to go through.
    Edited by: user10603068 on Jun 9, 2010 7:26 AM

  • Database Table and LDAP Authentication in the same repository?

    I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
    Thanks,
    -Matt

    Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
    1) LDAP "authentication" init block sets custom variable LDAP_USER
    2) Table "authentication" init block sets custom variable TABLE_USER
    3) Final authentication init block (the real one) sets USER variable using something like this:
    SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END
    FROM DUAL
    WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END = ':USER'
    Note how I use the CASE statement both to return the user value I want the USER variable to be set to and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init blocks and it worked fine for me. Give it a try and let me know how it goes.

  • Why we use the LDAP Authentication over the DB authentication?

    Hi All,
    Why do we use LDAP authentication over DB authentication?
    Is there any specific reason for that?
    When we use LDAP, do we need DB authentication again or will it be optional?
    In the same case with ADSI, is DB authentication optional or compulsory?
    Thanks in advance
    Tusar

    LDAP / AD authentication is useful if you already use it in your organisation and you'll find that most orgs have some form of user authentication already in place.
    Do users in your company have to log in to their machines every morning? If so, why not use those credentials to control access to Siebel? It's a way of providing a single directory of employee authentication information available across applications, keeping maintenance and change costs down.
    When you use LDAP authentication, you specify an AD object that contains a set of DB authentication details so that the component can access the Siebel database. In Siebel 8, you can directly specify those details in the security profile. As such, you only then have to maintain a single set of DB specific authentication details: much easier to manage. You can always switch back to DB authentication if you want to, but you'd have to go through all user accounts and create them with the same login and password specified in AD.

  • Mod_ntlm/AD/LDAP How is the users password recovered and used.

    I have an application that currently uses LDAP authentication and authorisation based on a username and password derived from the page 101 login screen. I am trying to convert it to an SSO solution using mod_ntlm to retrieve and authenticate the user's Windows login against Active Directory. I authenticate fine with a standard mod_ntlm page sentry letting me access the application and I can use the owa_util.get_cgi_env('remote_user') to get the username. What I haven't established is how to retrieve the user's password to pass as a parameter into the existing LDAP authorisation functions.
    I've based a lot of the ground work on the following article
    http://withasmiletomeltathousandhearts.wordpress.com/2009/01/29/apex-windows-integrated-authentication/
    However, this relies on a prestored LDAP_user and LDAP_Passwrd to retrieve data from AD. Rather than doing that I am trying to use the currently logged on user, whose login name I can retrieve but I have not found a way to retrieve and use their password?
    What am I missing?
    Thanks in advance
    FunkyMonky

    My question is regarding how to use LDAP to retrieve the user's AD group information. mod_ntlm has successfully authenticated the Windows user to get into the application without having to log in. I now want to implement the application's functionality based on that user's Active Directory groups. Prior to the NTLM solution this was done using LDAP with the authorisation, and the credentials were available from the user manually logging on.
    The LDAP group determining method I referred to in my original post relies on a stored user to access the LDAP information rather than the actual logged in user as we had originally done it. Is this the only way we can implement our group based authorisation requirement?
    Cheers
    FunkyMonkey

  • List the user's permissions

    Dear Experts,
    May I know how can I list the user's permissions; currently use Tcode & etc.?
    wilson

    Hi Wilson,
    From SU01, you get the information about which roles are assigned to the specified user.
    E.g. Z_SPRO
    In the PFCG transaction, you enter this role (Z_SPRO), and you will get a list of transaction codes assigned to the role (Z_SPRO).
    But please note that you must have the authorization to display the role in the PFCG transaction, otherwise you cannot see the transaction codes assigned to that role.
    so link is like this
    USER ID > Roles> Transaction Code
    I hope you will find this helpful.
    If my answer is satisfactory, Please grant me the points.
    Regards,
    Amol Joshi

  • LDAP/AD - List of Users and User Attributes

    I have successfully authenticated myself using Java/LDAP with an Active Directory, now I need to be able to retrieve the attributes of the users in the Active Directory.
    My confusion is that I am not sure of the CN/OU/O/etc. configurations, or how to determine what they are on my Active Directory Server. I understand that DC=host,DC=credit,DC=com is basically host.creditwave.com, but I need to be capable of retrieving an enumeration of users, and what object to cast them to, etc.
    Any help would be appreciated.
    Regards,
    Dean.

    If you have access to the Active Directory itself, and it has the Win2k Support Tools installed on it, you can see the schema in terms of CN, OU etc. using ADSIEdit.
    Often though, for Users created on the AD itself, they can be found in
    cn=Users,dc=yourdomain,dc=com
    A user is generally listed as a "cn=User.Name".
    If you create your InitialDirCtxt using the URL "ldap://adserver/dc=yourdomain,dc=com"
    then you can search for Users with
    initDirCtxt.search("cn=Users","(cn=*)",new SearchControls());
    Another good way to figure out the schema is to download the excellent 100% Java LDAP Browser from
    http://www.novell.com/coolsolutions/tools/1283.html

  • Requires LDAP authentication on the click of a link

    I want to use anonymous login, and after anonymous login, if the user wants to click a secure resource link he should be prompted with a login screen, and after successful authentication against LDAP he should be directed to that resource. Can you please help me solve this problem? I don't have any idea how to do this.

    Here you go..
    Layout code:
    <htmlb:button id      = "MyButton"
                  design  = "STANDARD"
                  onClick = "Menu"
                  layout  = "BLOCK" />
    <% if my_event = 'Menu'. %>
      <htmlb:dropdownListBox id        = "dd_id"
                             selection = "<%= selected %>"
                             onSelect  = "DD_event" >
        <htmlb:listBoxItem key = "key_delete" value = " Delete" />
        <htmlb:listBoxItem key = "key_create" value = "Create" />
      </htmlb:dropdownListBox>
    <% endif. %>
    Oninputprocessing:
    DATA EVENT TYPE REF TO CL_HTMLB_EVENT.
    IF NOT EVENT_ID IS INITIAL.
      EVENT ?= CL_HTMLB_MANAGER=>GET_EVENT_EX( REQUEST ).
      IF NOT EVENT IS INITIAL.
        CASE EVENT->SERVER_EVENT.
          WHEN 'Menu'.
            my_event = 'Menu'.
          WHEN 'DD_event'.
            CALL METHOD REQUEST->GET_FORM_FIELD
              EXPORTING
                NAME  = 'dd_id'
              RECEIVING
                VALUE = selected.
    * Here you will get the value key_create or key_delete.
    * Write the logic..
        ENDCASE.
      ENDIF.
    ENDIF.
    Raja T

  • LDAP authentication not minding user set

    I have a publishing rule for an internal website set up with LDAP authentication for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2). I want users from either domain to be able to authenticate and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
    I have an LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in. I have added both user sets for domain1 and domain2 to the "This rule applies to requests from the following user set:" under the Users tab in the publishing rule.
    Any clues?

    Hi,
    Based on my experience, Server Authentication Certificates should exist on DCs that you want TMG to use for authentication and TMG must trust the issuer of the Server Authentication Certificate. You can check that in Trusted Root Certification Authorities on TMG.
    In addition, when you add an LDAP Server Set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
    More information:
    Configuring LDAP authentication on AD LDS
    Setting Up and Troubleshooting LDAPS Authentication in Forefront TMG 2010
    Best regards,
    Susie

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
    This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: mine - DOMAINA.LOCAL and another trusted one - DOMAINB.LOCAL
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now, I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want to connect directly to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use username "DOMAINB\userindomainb") if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from the ASA
    I get an error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Please help me.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153 Symptom: the ASA/PIX doesn't currently support LDAP Referral searches.
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Is it possible for a Web Part to interact with a list the user does not have permissions for?

    Say I have a custom web part that queries a list or adds list items, etc. Does the user have to have the equivalent permissions on the list itself to use the web part? Would the SPSecurity.RunWithElevatedPrivileges Method be a way to get around this? Or is there a better way?
    Basically I want certain users to have a more controlled access to a list. But if I try to access the page with the web part on an account without permissions for the list, I get an Access Denied response.

    One way of elevating code is, as you already mentioned, using SPSecurity.RunWithElevatedPrivileges which will run SPSecurity.CodeToRunElevated with Full Control rights. From MSDN documentation of the method for SP 2013 (http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx) you can see that this code runs under Application Pool identity:
        Type: Microsoft.SharePoint.SPSecurity.CodeToRunElevated
        A delegate method that is to run with elevated rights. This method runs under the Application Pool identity, which has site collection administrator privileges on all site collections hosted by that application pool.
    Another method, a bit more security fine-grained, can be used. The idea is to instantiate new SPSite object using overloaded constructor which takes Microsoft.SharePoint.SPUserToken as a parameter: http://msdn.microsoft.com/EN-US/library/ms469253(v=office.15).aspx.
    Example can be seen here: http://www.sharepointdeveloperhq.com/2009/04/how-to-programmatically-impersonate-users-in-sharepoint/. Using this approach, you can run your code in the context of the user who doesn't necessarily have to be site collection admin.
    This user can have only access to the list in question.

  • Script to list the users and their privileges in a database

    Hi Team,
    Can someone provide me a script that list all the users and their privileges in a database?
    DB version:11.2.0.2
    OS:AIX

    Osama_mustafa wrote:
    Why you create your own script
    SELECT * FROM USER_SYS_PRIVS;
    SELECT * FROM USER_TAB_PRIVS;
    SELECT * FROM USER_ROLE_PRIVS;
    That won't tell him what privileges a user has via a role. It will only tell him what privileges were granted directly, and what roles were granted directly. But those roles have privileges, and may have other roles, which have still more roles and privs, etc. It's a recursive issue and a simple select from user_*_privs won't get it.
    Pete Finnigan has a good script for reporting the entire picture. I leave it as an exercise for the student to use google to find it. I have already given all the information needed to complete that exercise.
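
    The recursive expansion described in the reply above, as an added example that is not from the thread or from the script it mentions: a query for Oracle 11.2 that walks DBA_ROLE_PRIVS to collect roles granted through other roles, then lists the system and object privileges held directly or through any of them. The bind variable :username, the sample account name and the column aliases are assumptions of this example; the DBA_ views need dictionary access such as SELECT_CATALOG_ROLE.

    ```sql
    -- Added example (not from the thread). Assumes a bind variable :username
    -- holding the account name in upper case, e.g. in SQL*Plus
    -- (SCOTT is a constructed sample value):
    --   VARIABLE username VARCHAR2(30)
    --   EXEC :username := 'SCOTT'
    WITH role_tree AS (
      -- Every role the user holds, directly or nested inside another role.
      SELECT DISTINCT granted_role
      FROM   dba_role_privs
      START WITH grantee = :username
      CONNECT BY NOCYCLE PRIOR granted_role = grantee
    ),
    grantees AS (
      -- The user itself plus every role reached above.
      SELECT :username AS grantee FROM dual
      UNION
      SELECT granted_role FROM role_tree
    )
    -- System privileges, with the user or role through which each is held.
    SELECT 'SYSTEM'        AS priv_type,
           sp.grantee      AS granted_via,
           sp.privilege,
           NULL            AS owner,
           NULL            AS object_name,
           sp.admin_option AS grantable
    FROM   dba_sys_privs sp
    JOIN   grantees g ON g.grantee = sp.grantee
    UNION ALL
    -- Object privileges, same attribution.
    SELECT 'OBJECT', tp.grantee, tp.privilege, tp.owner, tp.table_name, tp.grantable
    FROM   dba_tab_privs tp
    JOIN   grantees g ON g.grantee = tp.grantee
    ORDER  BY 1, 2, 3;
    -- Grants made to PUBLIC apply to every account and are not listed here;
    -- add 'PUBLIC' to the grantees set to include them.
    ```

    The granted_via column shows whether a privilege is direct (it equals the account name) or inherited, which is what the three USER_*_PRIVS selects cannot show for nested roles.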

  • How to get user attributes from LDAP authenticator

    I am using an LDAP authenticator and identity asserter to get user / group information.
    I would like to access LDAP attributes for the user in my ADF Taskflow (deployed into WebCenter Spaces).
    Is there an available API to get all the user attributes through the established WebLogic authenticator provider or do I have to directly connect to the LDAP server again?
    Any help would be appreciated

    Hi Julián,
    in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
    A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
    Hope it helps
    Detlev

  • LDAP Authentication / User-Role in a database (Weblogic Security)

    Hi,
    I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
    I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
    According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
    The problem is that it doesn't use LDAP Authentication, it only uses SQL Authentication.
    I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
    Consider I'm using WLS 10.3 and JDeveloper 11g.
    Any suggestions?
    Thanks in advance,
    Olga

    Hi,
    Check following forum thread.
    Re: custome role maper example
    Regards,
    Kal
