LDAP authenticator setting in Weblogic 10

Similar Messages

• Open LDAP Authenticator Configuration on WLSSP5

  I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
  dn: dc=my-domain,dc=com
  dc: my-domain
  objectClass: dcObject
  objectClass: organization
  o: MYABC, Inc
  dn: cn=Manager, dc=my-domain,dc=com
  userPassword:: c2VjcmV0
  objectClass: person
  sn: Manager
  cn: Manager
  dn: cn=myabcsystem, dc=my-domain,dc=com
  userPassword:: dmVuZGF2b3N5c3RlbQ==
  objectClass: person
  sn: myabcsystem
  cn: myabcsystem
  dn: cn=Philippe, dc=my-domain,dc=com
  userPassword:: UGhpbGlwcGU=
  objectClass: person
  sn: Philippe
  cn: Philippe
  dn: cn=mlrick, dc=my-domain,dc=com
  userPassword:: bWxyaWNr
  objectClass: person
  sn: mlrick
  cn: mlrick
  All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
  Inspite of me not having any groups in the ldap as indicated in ldif contents.
  While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
  <weblogic.security.providers.authentication.OpenLDAPAuthenticator
  AllGroupsFilter="objectclass=*"
  Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
  GroupBaseDN="dc=my-domain,dc=com"
  GroupFromNameFilter="(cn=%u)"
  Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
  Principal="cn=myabcsystem,dc=my-domain,dc=com"
  Realm="Security:Name=MYABCAuthentication"
  StaticGroupDNsfromMemberDNFilter=""
  StaticGroupNameAttribute="" StaticGroupObjectClass=""
  StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

  Hi Amol,
  I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
  I was not aware you could install the service with that command.
  I used the below command instead:
  sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
  Regards,
  -John

• Weblogic Server 10.3.0 and LDAP authentication Issue

  Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
  I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
  It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
  Can anyone please point me towards the right direction to get this resolved.
  Thanks,
  STEPS
  Here are my steps I have followed:
  - Created a group called Administrators in OID.
  - Created a test user call uid=myadmin in the OID and assigned the above group to this user.
  - Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
  <sec:name>OIDAuthentication</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
  <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
  <wls:port>1389</wls:port>
  <wls:principal>cn=orcladmin</wls:principal>
  <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
  <wls:credential-encrypted>removed from here</wls:credential-encrypted>
  <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
  </sec:authentication-provider>
  - Marked the default authentication provider as sufficient as well.
  - Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
  - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
  <LDAP Atn Login username: myadmin>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <authenticate user:myadmin>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authentication succeeded>
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <LDAP Atn Authenticated User myadmin>
  <List groups that member: myadmin belongs to>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
  *<Result has more elements: false>*
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <login succeeded for username myadmin>
  - I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
  <XACML RoleMapper getRoles(): returning roles Anonymous>
  - I did a ldap search and I found no issues in getting the results back:
  C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
  cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
  objectclass=groupOfUniqueNames
  objectclass=orclGroup
  objectclass=top
  END
  Here are the log entries:
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authentication succeeded>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
  <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
  <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
  <1291668685686> <BEA-000000> <Result has more elements: false>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <login succeeded for username myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
       Principal: myadmin
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
  <1291668685702> <BEA-000000> <Using Common RoleMappingService>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>>
  <1291668685702> <BEA-000000> <     Parent: null>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
  <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
  <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
  <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Roles:Anonymous>
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Direction: ONCE>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

  Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
  The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
  its was the "cn" attribute that was causing the result set to be empty.
  from a command line we tried
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
  and got the results back.
  Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
  So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
  Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
  Thanks everyone for showing interest on the problem and providing suggestions.

• Setting up LDAP authentication

  Hi guys.
  I am a newb when it comes to LDAP so please bear with me.
  I installed dbms_ldap for a developer yesterday so they could run directory searches. I have now been asked to set up anonymous authentication on the directory.
  I've looked through a few docs and am having trouble trying to figure out how excatly how to do this? I am assuming it is done somewhere from the admin gui.
  Any help would be appreciated.
  Oracle version 10.2.0.4 on Linux x86_64
  Thanks

  the name of your (portal) domain and the URL used to
  access your portal have nothing to see with the LDAP
  authentication server.
  The LDAP authentication server is the hostname or FQDN
  of the host where your LDAP authentication directory
  resides.
  When you're logged on the iPS machine, you should be
  able to make a request to your LDAP directory using this hostname or FQDN (and port number, base dn,bind dn,.....)

• LDAP authentication not minding user set

  I have a publishing rule for an internal website setup with LDAP authentication setup for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2).  I want users from either domain to be able to authenticate
  and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
  I have a LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in.  I have added both user sets for domain1 and domain2 to the "This
  rule applies to requests from the following user set:" under the Users tab in the publishing rule.
  Any clues?

  Hi,
  Based on my experience,
  Server Authentication Certificates
  should exist on DCs that you want TMG to use for authentication and
  TMG must trust issuer of the Server Authentication Certificate. You can check that in
  Trusted Root Certification Authorities on TMG.
  In addition, when you add LDAP server Set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name
  is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
  More information:
  Configuring LDAP authentication on AD LDS
  Setting Up and Troubleshooting LDAPS
  Authentication in Forefront TMG 2010
  Best regards,
  Susie

• Weblogic  patch has broken the LDAP authentication

  Hi,
  We have installed  XIR2 SP4 on  Linux and also installed a patch for the weblogic ,after installing weblogic patch we are unable to login to the infoview using LDAP authentication getting  error  ""An Error has Occurred: java.lang.InstantiationException:Could not instantiate bean CE_Session, neither class nor beanName were specified."
  Curently we have  uninstalled the weblogic  patch , now everyting is working fine.
  We want to know the reason for this , why the instalation of patch has  broken the LDAP authentication?
  Environment -
  BOXIR2 SP4,
  LINUX,
  Web logic 9.2,
  Oracle 10g.
  Thank you  in Advance.
  Thanks & Regards,
  Bill.

  You'll have to open an incident with support, that error doesn't seem like an actual LDAP error so go with deployment if you do. See if you can get an engineer to reproduce or trace your environment. This is the 1st time I've heard of a weblogic patch breaking LDAP.
  Regards,
  Tim

• Weblogic or LDAP authentication

  Hello All,
  We are already using the OBIEE for 2 of the applications and currently we are using repository authentication(Creating users and groups in the rpd).
  Here are what we are planning to do
  1.Deploy OBIEE using weblogic application server (This would be our first preference.But could not find any oracle official documentation about the possibility of deploying obiee on weblogic.). Please let me know if any one succefully deployed obiee on weblogic.If so, please provide the documentation.
  2.If the first option is not possible, we are planning to use LDAP authentication.I have been reading the OBIEE administrator guide about LDAP authentication.
  I do have the following questions about both the procedures
  1.How the group premissions would work.
  EX: For some of the users, we gave just read only access to dashboard 1, noaccess to dashboard2 and full access to dashboard3.Now i can do it by creating security groups and apply the settings to these users.
  How can i achieve the same using ldap authentication?
  Please advise.
  Thanks in advance.

  I expected that could be a way to only redefine the User class, implementing a
  custom realm is much more work. I will consider directly accessing the database/LDAP.
  Thank you anyway.
  "Tom Moreau" <[email protected]> wrote:
  >
  David,
  The only way I know how to do this is:
  1) write your own security realm that creates
  users containing all the info you desire.
  That is, a realm derives its own user class
  so you're free to derive a class and add all
  the fancy stuff you require.
  The current RDBMS and LDAP realms don't
  put the info you desire into the user objects
  they create.
  2) in your servlet, get the authenticated user,
  then get the user's name from it, then use
  Realm.getRealm().getUser() passing in that name.
  This will get you the user out of your realm.
  3) cast this user to the user class that your realm
  created and use the info that your realm put in it.
  This is probably a lot of work - might be simpler for
  you to lookup the user in LDAP/your database directly.
  -Tom
  "David Ruana" <[email protected]> wrote:
  I use the Security.getCurrentUser() function from my servlets and EJBs
  in order
  to get the username of the authenticated user in the Weblogic realm.
  I wonder whether it is possible to add new attributes to the User object
  which
  I get from the Security.getCurrentUser() call.
  Suppose the User info is stored in an ODBC or LDAP realm. Besides the
  username
  and password, other attributes may be stored in the ODBC table or LDAP
  record.
  During authentication, Weblogic accesses the ODBC table or LDAP record
  in order
  to check that username exists and the password is correct. Could itbe
  possible
  at that time to get that extra attributes and assign them to the User
  class (or
  some subclass of the User class)?
  What java classes must be redefined in Weblogic in order to accomplish
  that?
  Any suggestions would be appreciated.

• LDAP Authentication / User-Role in a database (Weblogic Security)

  Hi,
  I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
  I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
  According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
  The problem is that it doesn't uses LDAP Authentication, it only uses SQL Authentication.
  I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
  Consider I'm using WLS 10.3 and JDeveloper 11g.
  Any suggestions?
  Thanks in advance,
  Olga

  Hi,
  Check following forum thread.
  Re: custome role maper example
  Regards,
  Kal

• Error while configuring external LDAP user store with weblogic

  Hi,
  I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
  To do this, I have configured authentication provider and provided all the required details to connect to ldap.
  For example:
  Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
  User DN: ou=People,dc=test,dc=com
  Group DN: ou=Groups,dc=test,dc=com
  This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
  In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
  password=xxxxxxx
  username=admin
  Now while starting the admin weblogic server, I am getting the below error:
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
  Regards,
  Neeraj Tati.

  Hi,
  Please refer the below content that I found for Oracle 11g in the docs.
  "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
  By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
  The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
  If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
  Now in my LDAP directory, setup is in such a way that Administrators is a group created under following heirarchy " cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
  The problem that I am having is when I modify the Admin role in which Administrators group should be added what exaclty I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
  When i give full DN, it takes every attribute as different, i mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
  Here not sure what to do.
  Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
  Regards,
  Neeraj Tati.

• How to get user attributes from LDAP authenticator

  I am using an LDAP authenticator and identity asserter to get user / group information.
  I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
  Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
  Any help would be appreciated

  Hi Julián,
  in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
  A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
  Beginner
  Medium
  Advanced
  Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
  Hope it helps
  Detlev

• LDAP Authentication Scheme - Multiple LDAP Servers?

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

• LDAP Authentication for Application APEX 3.2

  Dear All,
  I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
  create or replace
  FUNCTION              "ADS_LDAP_AUTHENTICATE"
  (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
    c_Directory   VARCHAR2(50) ;
    c_Port        NUMBER(4);
    c_BaseDN      VARCHAR2(200);
    c_InitUser    VARCHAR2(200);
    c_InitPass    VARCHAR2(32);
    l_session     DBMS_LDAP.SESSION;
    l_success     PLS_INTEGER;
    l_attributes  DBMS_LDAP.STRING_COLLECTION;
    l_result      DBMS_LDAP.MESSAGE;
    l_userdn      VARCHAR2(2000);
    CURSOR get_authentication_dtls
    IS
    SELECT  domain_name,server_port,server_base_dn,server_principal,server_credentials
    FROM    PS_TB_SYSTEM_ADS_CONFIG_DICT;
  BEGIN
    OPEN get_authentication_dtls;
    LOOP
    FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
    EXIT WHEN get_authentication_dtls%NOTFOUND;
    --Open initial lookup session.
    l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
    l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
    IF l_success = DBMS_LDAP.SUCCESS THEN
      l_attributes(1) := NULL;
      l_success := NULL;
      l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
                                     base => c_BaseDN,
                                     scope => dbms_ldap.scope_subtree,
                                     filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
                                     attrs => l_attributes,
                                     attronly => 0,
                                     res => l_result);
      IF l_success = DBMS_LDAP.SUCCESS THEN
        l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
        IF l_userdn IS NOT NULL THEN
          l_success := dbms_ldap.unbind_s(l_session);
          l_session := dbms_ldap.init(c_Directory,c_Port);
          l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
        END IF;
      END IF;
    else
      return FALSE;
    END IF;
    IF l_success = DBMS_LDAP.SUCCESS THEN
    CLOSE get_authentication_dtls; /* Close cursor before returning */
      RETURN TRUE;
    END IF;
    END LOOP;
    CLOSE get_authentication_dtls;
     RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;
  END;
  Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
  Can anyone suggest me how to allow only a set of users to access my application using LDAP.
  Thanks in Advance.
  Cheers,
  San.

  Use the below link for Ldap Authentication
  LDAP (MS AD) Group Authentication

• LDAP Authentication Failed :user is not a member in any of the mapped group

  Hi,
  I tried to set up the LDAP Authentication but I failed.
  LDAP Server Configuration Summary seems to be well filled.
  I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
  But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
  LDAP Hosts: ldapserverip:389
  LDAP Server Type: Custom
  Base LDAP Distinguished Name: dc=vds,dc=enterprise
  LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
  LDAP Referral Distinguished Name:
  Maximum Referral Hops: 0
  SSL Type: Basic (no SSL)
  Single Sign On Type: None
  CMS Log :
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
  trace message: LDAP: De-activating query cache
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: Updating the graph
  trace message: LDAP: Starting Graph Update...
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
  , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 0
  trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
  trace message: [UID=0;USID=0;ID=79243] Update object in database failed
  trace message: Commit failed.+
  Can you please help?
  Joffrey

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• Problem with WLS LDAP Authentication Provider

  We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
  Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AM

  Yes, you can apply filters on the Providers configuration, also u can select the DN from where to feth the users, you can fetch users with special attributes.
  Whole lot of things can be done, review the options under providers.
  Let me know if you have any doubts.
  HTH,
  -Faisal
  http://www.weblogic-wonders.com

• LDAP AUTHENTICATION- PLEASE HELP

  My client wants me use LDAP for authentication. I new to this: I have written a Authentication bean. As follows.
  //Used to authenticate user from LDAP directry.
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.*;
  import java.lang.*;
  public class AuthBean {
       private boolean attempted;
       private String userName;
       private String password;
       public AuthBean() {
            attempted = false;
            userName = "";
            password = "";
       //Getter methods.
       public String getUserName() {
            return this.userName;
       public String getPassword() {
            return this.password;
       //Setter methods.
       public void setUserName (String userName) {
            this.userName = userName;
            if (!this.userName.equals("") && !this.password.equals(""))
            attempted = true;
       else
                 attempted = false;
       public void setPassword(String password) {
            this.password = password;
            if (!this.userName.equals("") && !this.password.equals(""))
                 attempted = true;
            else
                 attempted = false;
       //Checks to see if attempted.
       public boolean isAttempted() {
            return this.attempted;
       * Given a username and password, authenticates to the directory
       * Takes a String for username, String for password.
       * Calls getDn for the method.
       public boolean ldapAuthenticate (String username, String pass) {
            if ( username == null || pass == null ) {
                 System.out.println(" im here in the method");
                 System.out.println(" user" + username);
                 System.out.println(" pass" + pass);
                 return false;
            String dn = getDN(username);
                 System.out.println(" dn" + dn);
                 if ( dn == null)
                 return false;
                 dn = dn + ",o=hcfhe";
                 //dn = dn + ",o=mu";
                 System.out.println(dn);
                 String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
                 //set variables for context
                 Hashtable env = new Hashtable();
                 env.put("com.sun.naming.ldap.trace.ber", System.err);
                 env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                 env.put(Context.PROVIDER_URL, ldap_url);
                 env.put(Context.SECURITY_AUTHENTICATION, "simple");
                 env.put(Context.SECURITY_PRINCIPAL, dn);
                 env.put(Context.SECURITY_CREDENTIALS, pass);
                 DirContext ctx;
                 //make connection, catch errors thrown
                 try {
                      ctx = new InitialDirContext(env);
                 } catch (AuthenticationException e) {
                           System.out.println("Authentication Exception");
                           return false;
                 } catch (NamingException e) {
                      e.printStackTrace();
                      return false;
            //close connection
            try {
                 ctx.close();
            } catch (NamingException ne) {
                      System.out.println(ne);
            return true;
       * This methods cheks for the username from the LDAP directory.
       * Takes a String.
       public String getDN(String username) {
            String dn = "";
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            DirContext ctx;
            try {
                 ctx = new InitialDirContext(env);
                 SearchControls ctls = new SearchControls();
                 ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 String filter = "(uid=" + username + ")"; // Search for objects with these matching attributes
                 NamingEnumeration results = ctx.search("",filter,ctls);
                 if ( results != null && results.hasMoreElements()) {
                      SearchResult sr = (SearchResult)results.nextElement();
                      dn = sr.getName();
                 } else dn = null;
                           ctx.close();
            } catch (AuthenticationException e) {
                      System.out.println("Authentication Exception");
                      return null;
            } catch (NamingException e) {
                      e.printStackTrace();
                      return null;
                 return dn;
  I also done a validate. jsp as follows.
  <%@page import="register.AuthBean"%>
  <jsp:useBean id ="AuthBean" class="register.AuthBean" scope="session"/>
  <%
            //boolean valid = false;
            String username = request.getParameter("user");
            //System.out.println("The username" + username);
            String password = request.getParameter("password");
            //System.out.println("The username" +password);
  %>
       <jsp:setProperty name="AuthBean" property="userName" param="user" />
       <jsp:setProperty name="AuthBean" property="password" param= "password" />
  <%
                 //boolean validate = false;
                 String nn = AuthBean.getUserName();
                 System.out.println(nn);     
                 String dn = AuthBean.getDN(username);
                 System.out.println(dn);
                 boolean validate = AuthBean.ldapAuthenticate(username, password);
                 if(validate) {
                      response.sendRedirect("../admin/Adminindex.jsp");
                 } else {
                      response.sendRedirect("Login.html");
  %>
  At current I keep getting 'false' for validate. But there are no errors. I m using tomcat and apache, do I need to configure any of these to LDAP. If so can you show me some examples.
  Many thanks.

  Hi Irene,
  I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
  =====================================================================
  import javax.naming.directory.*;
  import javax.naming.ldap.*;
  import javax.naming.*;
  import java.util.*;
  import java.io.*;
  import java.lang.*;
  import java.math.*;
  * Insert the type's description here.
  * Creation date:
  * @author: Sajjad Alam
  public final class LDAPConn {
       public static java.lang.Object Conn;
  * LDAPConn constructor comment.
  public LDAPConn() {
       super();
  * Insert the method's description here.
  * @return java.lang.Object
  public static DirContext getConn() throws Exception {
       //Declarations of variables
       Hashtable env = new Hashtable(11);
       InitialLdapContext ctx = null;
       //==============LDAP Authentication of a given user stored in Active Directory=============
       System.out.println("Entered constructor for Ldap Context");
       //Initialize the Context Factory.
       env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
       env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
       try {
            The following syntax is a standard way of authenticating users stores in LDAP
            when JNDI api is used.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "password");
            System.out.println("Issuing request to authenticate the user and create an LDAP context");
            ctx = new InitialLdapContext(env, null);
            System.out.println("Got handle on Ldap Context");
            //==============Completed Authentication of user=============
            //==============Retrieving attribute data about a user stored in Active Directory==========
            //Here we will retrieve attributes of one of the users in LDAP ("cn=");
            //Declarations of variables
            String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
            Attributes userAttr = ctx.getAttributes(userInfo);
            Attribute orgUnitAttr = null;
            //Looping through the enumeration to obtain attribute data
            for (NamingEnumeration ae = userAttr.getAll(); ae.hasMore();) {
                 Attribute attr = (Attribute) ae.next();
                 if (attr.getID().equals("distinguishedName"))
                      orgUnitAttr = attr;
                 System.out.print(" Attribute: " + attr.getID());
                 //Print each value
                 for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                      System.out.println(" Value: " + e.next());
            //============== Done retrieving attribute data about user==========
            //==============To find which organizational unit a user belongs provided we pass the user==========
            //This section of code uses the value from the "distinguishedName" attribute
            System.out.println("");
            Object parseOutOrgUnit = (Object) orgUnitAttr;
            System.out.println("We can obtain the organizational unit (Role) from the " + parseOutOrgUnit.toString());
            //======================================Done=============================
            // Close the context when we're done or you can close the connection where you are using this object.
            String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
            Attributes grAttr = ctx.getAttributes(grInfo);
            //Looping through the enumeration to obtain attribute data
            for (NamingEnumeration ae = grAttr.getAll(); ae.hasMore();) {
                 Attribute attr = (Attribute) ae.next();
                 System.out.print(" Attribute: " + attr.getID());
                 //Print each value
                 for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                      System.out.println(" Value: " + e.next());
            //============== Done retrieving attribute data about user==========
            //==============To find which organizational unit a user belongs provided we pass the user==========
            //This section of code uses the value from the "distinguishedName" attribute
            System.out.println("");
            //======================================Done=============================
            ctx.close();
       catch (Exception e) {
            System.out.println(e.getLocalizedMessage());
       return ctx;