LDAP authentification with R/3

Similar Messages

• Ldap connection with weblogic console and authentification with java

  Hello,
  I want that my web application use ldap authentification for users and that all parameters (host, port, base, ...) are configured by weblogic console.
  I managed to do it by security-->realms-->.... , but now, I want to perform authentification in my java code.
  I don't know how realized it because I don't know how use my ldap connection in java code without redefine parameters into my code...
  can anyone help me please?
  thanks a lot for your help.

  Hey,
  on a windows server system you have to put the target system CA Certificate in the local Trusted System Certificate Store of Microsoft Server. Then the connection should work.
  On a Java System you have to put the CA in the Key Storage of the SAP System.
  I think on Unix you could use the SAPCRYPTOLIB to place the CA in  the abap system.
  Kind regards,
  Sven Walter

• LDAP Synchronisation with CUCM with multiple forest

  Hello,
  We have CUCM 10.5.
  We want to add in CUCM multiple forest (we have multiple company with different domain name) using LDAP authentification so all the user/password sync with CUCM.
  We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
  Can we add in the distinguished name and search base the information for multiple forest using the same username/password?
  If it not possible is there an easy way to achieve that?
  Any help would be appreciate.
  Thank you

  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

• Create external LDAP authentification to SAP via Web Dynpro

  Hi Guys,
  I have a requirement where I have to create access to SAP via external LDAP authentification. It is similiar how the Enterprise Portal works, but I want to achieve it with out the portal.
  The user will enter his LDAP user and password and I will check via LDAP connector to grant access to SAP.
  The only Problem I have is to switch to SAP user without knowing the SAP Password. Thats why I need external authentification.
  I have been told by an basis expert that I could use java to achieve this. I have also got the java coding what the Enterprise Portal uses.
  Am I on the right way? Can anybody advice me.
  Thanks and best regards
  Ali

  Hi,
  Refer this link and SAP Note
  [SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
  SNote: 517484
  Regards
  Preethish

• EN4093R LDAP authentification and authorization

  Hi,i want to configure ldap authentification and authorization. Can anyone help me to configure this. In my test environment – I want to give our Domain Admins access to our switches. I found only basic configuration in the user manual but I got now information to configure groups. Could I configure two or more groups to access the switch? 

  What thype of ldap server are you using? Microsoft Windows 2012 or 2008. I got a problem with 2012 not give the groups back with some users.
  Same problem as
  https://supportforums.cisco.com/message/3866327#3866327
  debug ldap 255
  shows correct value with one user that is workin:
  [196] Authentication successful for Administrator to 192.168.20.80
  [196] Retrieved User Attributes:
  [196]   objectClass: value = top
  [196]   objectClass: value = person
  [196]   objectClass: value = organizationalPerson
  [196]   objectClass: value = user
  [196]   cn: value = Administrator
  [196]   description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
  [196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
  [196]   instanceType: value = 4
  [196]   whenCreated: value = 20081201134058.0Z
  [196]   whenChanged: value = 20131126141559.0Z
  [196]   displayName: value = Administrator
  [196]   uSNCreated: value = 12298
  [196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
  [196]           mapped to Group-Policy: value = ssl_admin
  [196]           mapped to LDAP-Class: value = ssl_admin
  One user that is not working:
  no entries with memberOf in debug
  [190] Authentication successful for sdag to 192.168.20.80
  [190] Retrieved User Attributes:
  [190]   objectClass: value = top
  [190]   objectClass: value = person
  [190]   objectClass: value = organizationalPerson
  [190]   objectClass: value = user
  [190]   cn: value = sdag
  [190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
  [190]   displayName: value = sdag
  [190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
  [190]   proxyAddresses: value = smtp:sdag@xxxx
  [190]   proxyAddresses: value = SMTP:sdag@xxxxx

• How to configure ldap.ora with multiple ldap contexts

  Hello.
  My company has recently taken on another environment with it's own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both ldap configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default context)? Or is there a smooth way to populate 1 LDAP with the others data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
  Some basic info: LDAP is Oracle OID version 10gR2
  Please let me know if you have any useful ideas...

  Hi,
  Here is the of OVD benefits :
  1-Easy to setup and manage via our Management client; 2-Unifies multiple directories into a single access point; 3-Normalize and Unify multiple directories; 4-Directly accesses remote repositories;
  5-Allows a unified view of an entry using data from multiple repositories;6-Can act as an LDAP proxy and firewall;
  Why you can not use OVD to improve these? Read, LDAP to the other LDAP server for queries, allowing you to search both LDAP?
  I hope this helps.
  Thiago L Guimaraes

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• OIM 11g R1 LDAP Synch with OID.

  Hi,
  We are doing an LDAP Synch with OID directly. The users from various organisations in OIM needs to be synched to different OU's in OID, instead of a single container. How do we acheive this? would it be easy if we involve OVD also?

  Here is some sample code configuration which may give you a start - hope it helps.
  Sample code that can be called in a pre-process event handler to copy the users organinisation to the LDAP Organization Unit
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  Serializable param = parameters.get("act_key");
  String act_key = null;
  if (param instanceof ContextAware) {
  act_key = ((ContextAware) param).getObjectValue().toString();
  } else {
  act_key = param.toString();
  if (act_key != null) {
  OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
  Set<String> retAttrs = new HashSet<String>();
  retAttrs.add("Organization Name");
  Organization org = null;
  try {
  org = orgMgr.getDetails(act_key, retAttrs, false);
  } catch (OrganizationManagerException e) {
  } catch (AccessDeniedException e) {
  String orgName = (String) org.getAttribute("Organization Name");
  orchestration.addParameter("LDAP Organization Unit", orgName);
  Sample container mapping rule
  <rule>
  <expression>LDAP Organization Unit=Test Organization</expression>
  <container>ou=Test Organization,ou=users,o=org</container>
  <description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
  </rule>
  Sample change in /db/LDAPUser
  <!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
  <!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
  <!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
  <reconAttr>
  <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
  <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
  <reconColName>RECON_ACT_KEY</reconColName>
  <emDataType>number</emDataType>
  <formFieldType/>
  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
  </reconAttr>
  <reconAttr>
  <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
  <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
  <reconColName>RECON_ACT_KEY</reconColName>
  <emDataType>number</emDataType>
  <formFieldType/>
  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
  </reconAttr>

• Authentification with user and password

  hello experts,
  Someone knows, what steps are necessary to carry out in XI for Authentification  with user and pasword in  SOAP adapter receiver?.
  It's necesary put something in  visual  administrator?
  thanks for all

  user/pwd need to be provided by the Soap client. You'll need to store it there and maintain whenever the pwd is changed in XI.
  As of best practices:
  - The minimum requirements here should be SSL, so that no one can get the pwd;
  - Also, as to avoid this, you could take a look at client authentication with certificates.
  Regards,
  Henrique.

• Errors in LDAP configuration with Shared Services

  Dear sirs,
  we are getting errors in LDAP configuration with Shared Services.
  Base DN is ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East
  The group cn is cn=AH
  In LDAP log you can see the applications is searching the group:
  "ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo"
  When it should be:
  “ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East”
  We think the problem is with space in Base DN "o=Grupo East", it is not properly considered.
  Error Codes
  EPMCSS-05145
  Thanks in advance

  Hi.
  Could you try to define the Base DN as :
  ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo\ East
  I don't know if will work fine.. but you can use special characteres using with the "\"
  Good luck.
  Best regards!

• LDAP setup with SSL - Can't use tls auth type

  I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
  # ldapclient mod -a authenticationMethod=tls:simple
  Cannot specify LDAP port with tls
  # ldapclient mod -a authenticationMethod=tls
  Unable to set value: invalid authenticationMethod (tls)
  Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
  NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
  NS_LDAP_SERVERS= 10.10.1.14:636
  NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SERVER_PREF= 10.10.1.14:636
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
  Thanks,
  Jay

  When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
  Also, you need to setup up your client to use FQN as well (/etc/hosts).

• Usage of external LDAP server with Portal

  Hi All,
  We are in a situation to use external LDAP server with WLP 8.1. These are the
  constraints we have to deal with:
  1. Only read is allowed from this LDAP server.
  2. This would be used for authentication purpose
  If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group
  creation using Portal Admin tool since this will write to the configured LDAP
  server.
  Can somebody answer my question:
  1. Can we use external LDAP server - just for authetication (I know this is possible
  by using JAAS LoginModule, but I just want to get confirmed on this ) and
  2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
  Any relevant pointers are also welcome.
  TIA,
  Prashanth Bhat.

  Thanks for th ereply. Some of your answers are not clear. Can you pls eloborate
  on this?? Pls see my comments below.
  "Johnson" <[email protected]> wrote:
  >
  Phil,
  Can I use embedded LDAP for production?
  Thanks
  Lawrence
  "Phil Griffin" <BEA> wrote:
  "Prashanth " <[email protected]> wrote in message
  news:[email protected]..
  Hi All,
  We are in a situation to use external LDAP server with WLP 8.1. Theseare
  the
  constraints we have to deal with:
  1. Only read is allowed from this LDAP server.
  2. This would be used for authentication purpose
  If thats the case, how can we use Visitor Entitlements/Delegated Adminand
  Group
  creation using Portal Admin tool since this will write to the configuredLDAP
  server.
  Can somebody answer my question:
  1. Can we use external LDAP server - just for authetication (I knowthis
  is possible
  by using JAAS LoginModule, but I just want to get confirmed on this) and
  >
  You can add the external LDAP server just for authentication, but in
  versions through
  8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean)
  during
  the login process (this check has been removed in SP3). A work around
  is to
  duplicate
  the user in a provider that does impl UserReaderMBean.
  Prashanth : You mean to say we have to duplicate the User in embedded LDAP server
  also??
  >>
  2. Use default and embedded LDAP server for all others like Group/VisitorEntitlements/DAs.
  >
  Yes, the default/embedded LDAP can still be used for DA/visitor
  entitlements. In the current
  release, the Portal Admin Tools can only be configured to use a single
  authentication provider
  while forming entitlements. In SP3, all configured providers are
  listed/usable by the tools.Prashanth : How can we configure Portal Admin tool to use authentication provider
  for entitlements??
  >>
  Any relevant pointers are also welcome.
  TIA,
  Prashanth Bhat.

• LDAP Intigration with Oracle BPM 10.3.0.0.0

  Hi,
  I want to know about integration with LDAP connectivity with Oracle BPM suite.
  We don’t have any knowledge between the integration on Oracle BPM suit & LDAP.
  Please do the needful on the same as soon as possible.
  With Best Regards,
  Ratna Prasad.

  I configured LDAP directory, and I was able to see the participants. However the group information is not retrieved properly. Here is the error
  (cont) ] Main: Invalid characters found for attribute [OU name].
  [     (cont)     ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
  [     (cont)     ] Main: The invalid character is: [].
  [     (cont)     ] Main:
  [     (cont)     ] Main: fuego.directory.exception.InvalidAttributeValueException: Invalid characters found for attribute [OU name].
  [     (cont)     ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
  [     (cont)     ] Main: The invalid character is: [].
  [     (cont)     ] Main:
  Any ideas on what can be the possible solution?
  Thanks

• Setting up LDAP realm with WLI 7

  Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7

  Pramit Basu <[email protected]> wrote:
  Any pointer to Step by step instruction on to how to set up LDAP realm
  for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
  1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
  First, please backup your original config.xml file. Then, you can start configure
  the realms. You can do this by modifying the config.xml file, or through WLS console.
  After you have done this, your config.xml file should contain the following:
  <LDAPRealm AuthProtocol="none"
  Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
  GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
  GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://jpengdesk:389"
  Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
  UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
  UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
  --- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
  values are correct according to the groups and users stored on your LDAP server.
  In my example here, "beasys.com" is my root entry, and I have all the users created
  underneath of OU "People", and I have all the groups created in OU "Groups".
  <CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
  Realm"/>
  --- You can do this in console by clicking on "Caching Realms", then click on
  the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
  select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
  <Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
  --- you can do this in console by clicking on "Compatibility Security", then click
  on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
  from the pull down comb box.
  Please make sure all the names are related. See above example, the value in blue
  color should match, and the value in red color should match too.
  Please see the attached config.xml file for reference.
  2) Create the users in LDAP server. In my example, I simply created 3 users underneath
  of OU &#8220;People&#8221;, they are:
  weblogic
  wlisystem
  admin
  &#8220;weblogic&#8221; is the user I used as my system administrator user, which
  I used to boot my WLS server and access my WLS console.
  &#8220;wlisystem&#8221; and &#8220;admin&#8221; are the users created for WLI
  component.
  3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
  all these groups underneath of OU &#8220;Groups&#8221;. These groups are:
  ConfigureComponents
  Administrators
  wlpiUsers
  MonitorInstance
  ExecuteTemplate
  CreateTemplate
  UpdateTemplate
  DeleteTemplate
  AdminsterUser
  ConfigureSystem
  wlpiAdministrators
  Also, add the users created in step 2 into all of these groups.
  4) Clean up the fileRealm.properties file.
  Backup your original fileRealm.properties file. Then, remove all the entries starting
  with &#8220;user.xxx&#8221; and &#8220;group.xxx&#8221;, only leave those entries
  starting with &#8220;acl.xxx&#8221;.
  Please see the attached &#8220;fileRealm.properties&#8221; file for reference.
  5) Restart your WLI server. Verify the users and groups you defined in LDAP server
  are displayed in WLS console correctly. You can see the user and group information
  in &#8220;Compatibility Security&#8221; à &#8220;Users&#8221;, and &#8220;Compatibility
  Security&#8221; à &#8220;Groups&#8221; respectively.
  6) Start your studio to design a simple Workflow. When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  7) Start your Worklist to execute the workflow. Also, When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  Once you execute the workflow, you can verify that workflow instance in Studio.
  You can monitor the instance, and delete the instance.

• Configuring one LDAP domain with two OU (one RO, another RW)

  Hi Team,
  My client is implementing NW 7.0 Enterprise Portal on SP14, AIX 5.3 & Oracle 10.2.0.4.
  We're using MS-ADS LDAP as an UME data source. The client wishes to configure UME for one single ADS LDAP (domain) with two OU (NOT domains) such that:
      1. One OU has read only access
      2. Second OU has read/write access
  Following is an illustration of the LDAP tree structure:
  CORP_DOM
  -- INT_USERS    (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
  -- INT_GROUPS  (CN=IntUsers, DC=CORP_DOM, DC=NET) - read-only
  -- EXT_USERS    (CN=ExtUsers, DC=CORP_DOM, DC=NET) - read/write
  -- EXT_GROUPS  (CN=ExtGrp, DC=CORP_DOM, DC=NET) - read/write
     |-- SAccounts
     |--
     |--
  Note the single LDAP domain, multiple user and group paths with different access privileges.
  Based on what I've read so far, this does not seem feasible as the datasource configuration file has to have unique datasource id and the private section allows only one tag for user path and group path.
  I checked OSS, SDN but could only find information on configuring multiple domain/LDAP and not one LDAP domain but two OU/CN.
  Kindly let me know if anyone has come across or done such a configuration.
  Thanks.

  Hi GLM,
  You are right, access permissions to the OU are given to the service account used to access the directory from the portal.
  The issue I have is not about granting permissions - its more about whether it is possible at all to configure UME for one single ADS LDAP (domain) containing two OU (NOT domains). I'd need to access the directory with two different service users having differen access privileges.
  I don't see how it can be done, since the datasource id in the portal datasource configuration file has to be same as the domain and the private section allows only one tag for user path and group path.
  Thanks.