LDAP authentication JAAS Module?

Hello
We have installed a SAP Portal (EP7), using an R/3 data source for users.
However, we would like to use an LDAP for authentication. The module should check the login/password against the LDAP, check that the user exists in the UME, and then allow access to the portal (or not, depending on the result of the checks).
In our case, it is not possible to use the LDAP directly as the UME data source, as storing users' groups in the LDAP has been ruled out by the client, and this configuration is not subject to change.
Has someone already made such a (JAAS) module, and could give some pointers on the subject? Or is authentication from another source than the one used in the UME a thing to avoid?
Regards
Guillaume PATRY

Similar Messages

  • Pass user type to JAAS module

    Hi,
    I have developed a JAAS module that passes the username and password and uses LDAP and a database for authentication. I also need to pass the user type to the back-end. Can you please suggest how to do this?
    Thanks,
    Matt

    You can use the following to get the user/role information:
    Subject s = context.getSubject();
    You can pass the Subject s as usual way.

  • Custom JAAS Module - How to use in certification test?

    Hello,
    I just read the document about certification for custom JAAS modules ("BC-AUTH-SAML Test Plan"). What I don't understand is how our custom login module can get the custom information it needs (like a certain request parameter).
    First, what we would like to do is to create a JAAS module which examines proprietary login tickets created by our reverse proxy / authentication server. The example code shows how to retrieve HTTP parameter and headers using the callback methods, so that part is all fine and clear to me.
    But for the certification test, the description says that in order to execute the test, the browser must be opened with a certain URL (Test 1, GET w/o password change). That action alone must lead to a valid authentication. However, in your real-world setup, the reverse proxy - sitting between the browser client and the SAP system - would insert a custom HTTP header with the login ticket. Obviously, in the test setup as dictated by the certification document, we don't have our reverse proxy, so my question basically is:
    How can I add custom HTTP headers or parameters while running the certification test?

    I'd gladly send you something by mail. Two other details first:
    - My name is actually not Remo, but Marcel Schoen. I'm just using a company account for this forum. My address is marcel.schoen<at>united-security-providers.ch
    - I'm Swiss. Do you speak German? Your name sounds German. If so, we can continue the discussion in German.
    In short, our product is a Web Application Firewall; a reverse proxy for protecting and integrating web applications. Some of the functionality also allows implementing single sign-on over existing legacy applications with different user bases. And now we're looking into ways to integrate SAP application servers as well (right now, the JAAS module and SAML are the two most likely approaches).

  • Create external LDAP authentification to SAP via Web Dynpro

    Hi Guys,
    I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
    The user will enter his LDAP user and password and I will check via the LDAP connector to grant access to SAP.
    The only problem I have is to switch to the SAP user without knowing the SAP password. That's why I need external authentication.
    I have been told by a Basis expert that I could use Java to achieve this. I have also got the Java coding that the Enterprise Portal uses.
    Am I on the right way? Can anybody advise me?
    Thanks and best regards
    Ali

    Hi,
    Refer this link and SAP Note
    [SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
    SNote: 517484
    Regards
    Preethish

  • Frank session expiration sample - Does it work with a Custom JAAS Module ?

    I configured the sample as described in "Detecting and handling user session expiry" - http://thepeninsulasedge.com/frank_nimphius/2007/08/22/adf-faces-detecting-and-handling-user-session-expiry/
    I also have a custom database JAAS login module as described in http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    Thing is that when the session expires (timeout) I am redirected to the Login.jsp page of the JAAS Login Module instead of the SessionHasExpired.jspx page.
    Is there any way to say that the filter should go before the JAAS module ?
    Am I missing something ?
    Thanks,
    Claudio.

    Claudio,
    no, unfortunately not. The servlet filter is executed after the container checked for user authentication. This is less of a problem for BASIC and certificate-based authentication because in both cases users are authenticated automatically (even if using custom LoginModules) by the browser or certificate.
    Form based authentication is different because the browser doesn't re-establish the authentication and the container checks for security before the servlet is called.
    Frank

  • Jaas Module deployed not working

    Hi SAP gurus,
    We have recently migrated from a 32-bit EP server to 64-bit, and we have a JAAS module which is working fine on the old EP server. Since it did not come over to the new server, we have deployed it manually on the new server by changing the required things (because we are currently pointing the new EP to R/3 quality).
    After adding the login module certificate, none of the users is able to log in to the portal. If I remove it again, users are able to log in.
    THanks in advance
    Johny

    I have resolved it.

  • Wls 11g jaas module not working

    Hi,
    I am successfully using a standard JAAS module to authorize and authenticate users on an HPUX – WebLogic 9.2 environment. However when we port this exact JAAS module to a LINUX – WebLogic 11g environment, the JAAS module times-out after 25 minutes at WebLogic managed server startup and eventually fails.
    We want to know if anything has changed from a JAAS perspective when comparing WebLogic 9.2 versus 11g? We have been unable to get JAAS authentication working. We tried re-creating the jar file but have now run out of options. They have over 16 different Linux servers that all have the same problem. All time out once the JAAS module has been implemented.
    We are primarily interested in knowing if there have been any significant changes to the JAAS functionality between WLS 9.2 and 11g versions. They have tried recompiling/recreating the JAAS file on our Linux servers but the same result occurs. It simply stalls and then doesn't work after appearing to be hung for 25 minutes at start-up time.
    It is a custom JAAS module that we have implemented. However the very same JAAS module that works for WLS 9.2 does not work for WLS 11g.
    Any suggestions on how we can get this working would be very helpful.
    Thanks in advance.
    Edited by: user10600611 on Jul 8, 2010 5:53 PM

    Yes, the packaging has changed somewhat; when you compiled for 11g, didn't you get compilation exceptions?
    If you didn't, then you might not be using those packages.
    Can you paste the stack trace / thread dump at the time it was hung?

  • LDAP authentification with R/3

    hi!
    after a long, long search I could not find out how to implement LDAP authentication for SAP R/3. To be honest I'm not an expert in R/3 Basis; for Web AS / EP I would know how to do it.
    Due to several network & security reasons we don't want to use the single sign-on or the LDAP synchronization functionality.
    The only thing we would use LDAP for is just to authenticate the user. Unfortunately, our LDAP users are not the same as the SAP users (8 chars in SAP, longer in LDAP). What the system should do is:
    - ask for username (sap 8-char) and password (ldap)
    - map sap-username and ldap-username (e.g. by the sap-aliasname or external username in USR15)
    - connect to the ldap-directory, find out whether user/pass is correct
    - if correct, log the sap-user in
    - that's all
    Any Ideas?
    Thanks,
    Markus

    Hi,
    It can be done. It all depends a bit on what kind of platforms you want to use it.
    We're currently in the middle of introducing a Shibboleth CUA for all our systems, SAP or non-SAP. That means that one needs to authenticate to a central server and, via SSO, you will have access to the applications.
    For SAP, that'll mean that we no longer will login via a SAP Gui, but via the EP that authenticates against this CUA. Once logged in, one can launch a SAP Gui script that allows you to work on the SAP R/3 server.
    Have also a look at http://shib.kuleuven.be/
    Alternatively, you can set up an UME. See http://help.sap.com/saphelp_nw2004s/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm for this.
    Eddy
    PS.
    Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
    Spread the wor(l)d!

  • EN4093R LDAP authentification and authorization

    Hi, I want to configure LDAP authentication and authorization. Can anyone help me to configure this? In my test environment I want to give our Domain Admins access to our switches. I found only basic configuration in the user manual but I got no information on configuring groups. Could I configure two or more groups to access the switch?

    What type of LDAP server are you using? Microsoft Windows 2012 or 2008? I have a problem with 2012 not giving the groups back for some users.
    Same problem as
    https://supportforums.cisco.com/message/3866327#3866327
    debug ldap 255
    shows the correct value with one user that is working:
    [196] Authentication successful for Administrator to 192.168.20.80
    [196] Retrieved User Attributes:
    [196]   objectClass: value = top
    [196]   objectClass: value = person
    [196]   objectClass: value = organizationalPerson
    [196]   objectClass: value = user
    [196]   cn: value = Administrator
    [196]   description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
    [196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
    [196]   instanceType: value = 4
    [196]   whenCreated: value = 20081201134058.0Z
    [196]   whenChanged: value = 20131126141559.0Z
    [196]   displayName: value = Administrator
    [196]   uSNCreated: value = 12298
    [196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
    [196]           mapped to Group-Policy: value = ssl_admin
    [196]           mapped to LDAP-Class: value = ssl_admin
    One user that is not working; there are no entries with memberOf in the debug output:
    [190] Authentication successful for sdag to 192.168.20.80
    [190] Retrieved User Attributes:
    [190]   objectClass: value = top
    [190]   objectClass: value = person
    [190]   objectClass: value = organizationalPerson
    [190]   objectClass: value = user
    [190]   cn: value = sdag
    [190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
    [190]   displayName: value = sdag
    [190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
    [190]   proxyAddresses: value = smtp:sdag@xxxx
    [190]   proxyAddresses: value = SMTP:sdag@xxxxx

  • JAAS Module for Internet solution

    Hi,
    We have the Portal internet-enabled and another web application internet-enabled; both reside in different networks.
    Users get into the web application with their logon credentials. We want to have a link in this web application to the portal, and it should automatically log the user into the portal without asking for username and password.
    Is this possible with a JAAS module?
    If so, can anyone please let me know how? I am new to JAAS.

    Hi Abdul,
    Thanks for the reply. Now I have more information on this web application. It is something running on WebSphere.
    Is there any out-of-the-box JAAS module that can be used in this situation? I came across a scenario where the steps are described below.
    1. User logs into the application running on WebSphere.
    2. An LTPA token (I assume this is like an SSO cookie as in SAP Portal) will be issued by WebSphere and stored in the client's browser.
    3. On further clicks on EP links in WebSphere applications, the LTPA token will be sent to the custom login module in WAS.
    4. The custom login module makes sure this LTPA token is genuine by talking to WebSphere.
    5. WebSphere responds saying this is the user id and it is genuine.
    6. The custom login module (JAAS) logs the user into the portal.
    So my question here is: is this custom login (JAAS) module available?
    Is this process correct? What exactly needs to be done in this case?
    Please advise me.
    Message was edited by: E D

  • Retrieve parameters from LDAP using authentication module

    I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
    I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
    OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
    This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
    The existing web applications are still querying the existing LDAP for other attributes than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to the web application as a cookie or header value? Or is the forwarding feature only for attributes in the Data Store?
    If the forwarding is not possible what is the next best alternative ?

    OpenSSO forum is quite silent so I'm back with you guys.
    I managed to solve the agent error log problem I mentioned before. The problem was about nonexistent attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed the extra attributes and the authentication against LDAP started to work again.
    The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
    My LDAP looks like this:
    # testuser, pollo.fi
    dn: cn=testuser,dc=pollo,dc=fi
    cn: testuser
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Test
    sn: User
    ou: People
    uid: testuser
    mail: [email protected]
    And my datastore configuration:
    LDAP server->localhost:389
    LDAP bind DN->cn=admin,dc=pollo,dc=fi
    LDAP organization DN->dc=pollo,dc=fi
    Attribute name mapping->empty
    LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
    LDAP3 Plugin search scope->scope_sub
    LDAP Users Search Attribute->uid
    LDAP Users Search Filter->(objectclass=inetorgperson)
    LDAP User Object Class->organizationalPerson
    LDAP User Attributes->uid, userpassword
    Create User Attribute Mapping->empty
    Attribute Name of User Status->inetuserstatus
    User Status Active Value->Active
    User Status Inactive Value->inactive
    LDAP Groups Search Attribute->cn
    LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
    LDAP Groups container Naming Attribute->ou
    LDAP Groups Container Value->groups
    LDAP Groups Object Class->top
    LDAP Groups Attributes->cn,description,dn,objectclass
    Attribute Name for Group Membership->empty
    Attribute Name of Unique Member->uniqueMember
    Attribute Name of Group Member URL->memberUrl
    LDAP People Container Naming Attribute->ou
    LDAP People Container Value->people
    LDAP Agents Search Attribute->uid
    LDAP Agents Container Naming Attribute->ou
    LDAP Agents Container Value->agents
    LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
    LDAP Agents Object Class->sunIdentityServerDevice,top
    LDAP Agents Attributes->empty
    Identity Types That Can Be Authenticated->Agent,User
    Authentication Naming Attribute->uid
    Persistent Search Base DN->dc=pollo,dc=fi
    Persistent Search Filter->(objectclass=*)
    Persistent Search Maximum Idle Time Before Restart->0
    Should I enable some setting still to get the forwarding going on? Any ideas for debugging?

  • Loadbalancing ldaps on ACE module

    Is it possible to configure load balancing of LDAPS in end-to-end mode (encryption from end to end) on an ACE module?
    And if yes, do I have to use a special script for health checking?

    Please correct me if this is wrong or bad design: I have ldaps running just by permitting the port in the ACLs and VIP class. Customer says it works fine.
    I'm sure you're aware of the health probe scripts you can get from Cisco (attached). This script defaults to ldap port (386) if none is specified. So you can specify the port under the "probe scripted LDAP_PROBE" config to use ldaps (636). Perhaps you should use both scripted probes together so that if one port is unavailable the server will be taken out of service.

  • Recursive ldap authentification

    How do I configure the HTML DB authentication to allow user logins where the user objects are in different LDAP folders?
    For example, all cn in o=xyz including any subfolder
    (we have unique cn; using Novell eDirectory)
    Ralf

    Ralf,
    You could try the search_s function in dbms_ldap package
    see http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/d_ldap2.htm#1003459
    You can supply a parameter to tell it whether to search the tree or just the base dn.
    HTH
    Greg

  • Java LDAP Authentification - problem!!!

    I found an application in .NET (C#), and it works perfectly! (http://www.codeproject.com/KB/system/arbauthentication.aspx)
    I want to do this logic in my Java web application. All users in our domain must first log in to the web application!
    And the authentication must be over Active Directory (AD). Help me please.
        import java.io.BufferedReader;
        import java.io.InputStreamReader;
        import java.util.Hashtable;
        import javax.naming.AuthenticationException;
        import javax.naming.Context;
        import javax.naming.NamingException;
        import javax.naming.directory.DirContext;
        import javax.naming.directory.InitialDirContext;

        // read the credentials from the console
        Hashtable<String, String> authEnv = new Hashtable<>();
        String userName = "";
        String passWord = "";
        InputStreamReader converter = new InputStreamReader(System.in);
        BufferedReader in = new BufferedReader(converter);
        System.out.println("Input your username:");
        userName = in.readLine();
        System.out.println("Input your password:");
        passWord = in.readLine();
        // bind with the userPrincipalName (user@domain) using a simple bind
        String base = userName + "@" + "xxxyyyzzz.com";
        String ldapURL = "ldap://192.168.0.99:389/";
        authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        authEnv.put(Context.PROVIDER_URL, ldapURL);
        authEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        authEnv.put(Context.SECURITY_PRINCIPAL, base);
        authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
        try {
            DirContext authContext = new InitialDirContext(authEnv);
            System.out.println("Authentication Success!");
            authContext.close();
        } catch (AuthenticationException authEx) {
            System.out.println("Authentication failed!");
        } catch (NamingException namEx) {
            System.out.println("Something went wrong!");
            namEx.printStackTrace();
        }
    This code is not working when I enter a correct username and password. Exception!
    javax.naming.AuthenticationException:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    And when I enter the correct username but a blank password (password="") it works...
    Authentication Success!
    Maybe this is anonymous authentication.

    If you had searched through the forum you would have discovered that the Active Directory error code 525 means username not found.
    And you may also have discovered that a null password implies an anonymous logon.
    Either the user has mistyped their username, or you have made an incorrect assumption when constructing the userPrincipalName and appending the UPN suffix "xxxyyyzzz.com".
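    The following is an added example, not code from any poster in this thread or from SAP: a login module that does what the original question asks for (bind to the directory with the supplied password, then require the user to exist in the application's own store, the UME) and that closes the blank-password hole discussed in this post. It uses the standard JAAS `LoginModule` interface and JNDI rather than SAP's own login-module base classes and UME API; the `UserStore` interface, the `userStore` shared-state key and the `ldapUrl` and `upnSuffix` module options are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.*;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical lookup against the application's own user store (the UME in the thread). */
interface UserStore {
    boolean userExists(String logonId);
}

public class LdapBindLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String ldapUrl, upnSuffix;   // assumed module options
    private UserStore userStore;         // assumed to arrive via the shared state
    private String userName;
    private Principal principal;
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ldapUrl = (String) options.get("ldapUrl");       // e.g. ldaps://dc.example.test:636
        this.upnSuffix = (String) options.get("upnSuffix");   // e.g. example.test
        Object store = sharedState.get("userStore");
        this.userStore = (store instanceof UserStore) ? (UserStore) store : null;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        try {
            // Guard 1: never send an empty password. Many directories treat a simple bind
            // with a name and no password as anonymous and answer "success" (the thread's case).
            if (name == null || pw == null || pw.length == 0)
                throw new FailedLoginException("empty user name or password");
            // Guard 2: plain logon ids only, so nothing DN-like is spliced into the principal.
            if (!name.matches("[A-Za-z0-9._-]{1,64}"))
                throw new FailedLoginException("malformed user name");
            if (!bind(ldapUrl, name + "@" + upnSuffix, new String(pw)))
                throw new FailedLoginException("directory rejected credentials");
            // Guard 3: the directory only vouches for the password; the user must also be
            // provisioned in the local store (the UME), otherwise access is denied.
            if (userStore == null || !userStore.userExists(name))
                throw new FailedLoginException("user not provisioned in local store");
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not keep the secret in memory
        }
        userName = name;
        succeeded = true;
        return true;
    }

    /** Simple bind through JNDI; true only if the server accepted the credentials. */
    static boolean bind(String url, String principalName, String password) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;
        } catch (AuthenticationException e) {
            return false;                              // wrong credentials (LDAP error code 49)
        } catch (NamingException e) {
            throw new LoginException("directory unavailable: " + e.getMessage());
        }
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        final String n = userName;
        principal = () -> n;                           // minimal Principal carrying the logon id
        subject.getPrincipals().add(principal);
        return true;
    }

    @Override public boolean abort() { boolean had = succeeded; logout(); return had; }

    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; userName = null; succeeded = false;
        return true;
    }
}
```

    The order of the guards is the point: the empty-password check runs before any network call, because a directory that accepts an unauthenticated bind would otherwise turn a blank password into a successful login, and the local-store check runs after the bind, so a valid directory account that was never provisioned in the UME is still refused. Use an ldaps:// URL for `ldapUrl`; a simple bind sends the password in clear over a plain ldap:// connection.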

  • Change passwords after using LDAP authentification

    It seems that we have successfully set up a Portal server using external authentication. But somehow, no one can change his/her own password after logging into Portal. The error message is "the user does not have the privilege to perform this operation. (WWC-41661)". Is there any special setting that needs to be done on LDAP for this?
    Thank you for any advice.
    Zhuang Li

    Hi,
    We upgraded our company email server, which effectively runs our email, DNS and Open Directory with a dozen users. Last night the system was upgrading from 10.10.2 to 10.10.3, which seemed routine.
    The upgrade process hung while it was finishing the installation and didn't finish. Upon reboot, it looked OK and needed to upgrade OS X Server to 4.1 from the previous version, which I proceeded with and completed.
    Since then we have lost all of our user accounts and can't access the email data. I tried to reboot from the backups, and it seems that somehow, when booting from the external 10.10.2 backups, we get a message that OS X Server is not compatible. Our backups are usually done using Carbon Copy Cloner.
    Not sure what to do; help is greatly appreciated. While I can recreate the users, I don't want to damage the email data.
    Many thanks,
    /Oliver
