LDAP Groups Authorization

Hi,
I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials".
That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group in my OID directory for the users I want to include.
Now at Builder->Application...->Security->Authorization Schemes
I have created an Authorization Scheme of type "PL/SQL Function returning a boolean".
My Scheme Source (Identify Query or PL/SQL) is as follows and is set to "Once per session":
return wwv_flow_ldap.is_member
         (:APP_USER,
          null,
          'cn=users,dc=wellesley,dc=edu',
          'jadeland.wellesley.edu',
          '389',
          'wcd_HTMLDB',
          'cn=portal.040323.1220,cn=Groups,dc=wellesley,dc=edu');
where, in my LDAP directory, 'wcd_HTMLDB' is the subgroup under the group "portal.040323.1220".
I have included 3 users in the group 'wcd_HTMLDB'.
Still, the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
Where did I go wrong?
What's the proper way to authorise only the LDAP users in a group?
Any help would be really appreciated.
Thanks.

Indira,
The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
When you changed the LDAP username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. It looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the LDAP membership test, then use that item as an 'already passed' flag for subsequent invocations.
Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
Scott
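Scott's three recommendations (let the public user through, attach the scheme at application level and evaluate it on every page view, cache a positive result in an application item) put together as one authorization scheme body. This is an added example, not code from the original thread or from Oracle's HTML DB distribution. It reuses the host, base DN, group name and group base from Indira's post; the application item F_LDAP_OK is a hypothetical name that has to be created under Shared Components before the scheme is attached; htmldb_util.set_session_state is the HTML DB call for writing an item (apex_util.set_session_state in later APEX releases).

```plsql
-- Authorization scheme type: "PL/SQL Function returning a boolean".
-- Attach it at application level (Edit Application Attributes -> Authorization)
-- with evaluation point "Once per page view", not "Once per session".
-- F_LDAP_OK is an assumed application item used as the 'already passed' flag.
declare
  l_user   varchar2(255) := v('APP_USER');
  l_member boolean;
begin
  -- Before login the session runs as the public user. Public pages, the
  -- login page included, must stay reachable or nobody can authenticate.
  if l_user is null or l_user = 'HTMLDB_PUBLIC_USER' then
    return true;
  end if;

  -- A pass cached by an earlier page view in this session: no directory
  -- round trip needed.
  if v('F_LDAP_OK') = 'Y' then
    return true;
  end if;

  -- First authenticated page view: ask OID whether the user is in the
  -- wcd_HTMLDB subgroup. Arguments are positional, as in the original post:
  -- username, password (null: unauthenticated bind), user base, host, port,
  -- group cn, group base.
  l_member := wwv_flow_ldap.is_member(
                l_user,
                null,
                'cn=users,dc=wellesley,dc=edu',
                'jadeland.wellesley.edu',
                '389',
                'wcd_HTMLDB',
                'cn=portal.040323.1220,cn=Groups,dc=wellesley,dc=edu');

  -- Only a pass is cached; a failed check is re-evaluated on the next page
  -- view, and a cached pass lives no longer than the session.
  if l_member then
    htmldb_util.set_session_state('F_LDAP_OK', 'Y');
    return true;
  end if;
  return false;
end;
```

Two things to verify after attaching this: the membership lookup binds with an empty password, so OID has to permit that bind to read the group's membership attribute (test it against the directory rather than assuming it), and an unauthorized but validly authenticated user should land on the scheme's "access denied" text rather than an error page. Because a pass is cached for the rest of the session, removing a user from wcd_HTMLDB only takes effect at that user's next login; keep session lifetimes short if prompt revocation matters.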

Similar Messages

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up synchronous user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administer the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach synchronous user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is, is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?
    Or is there another way to administer users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case you have to use the concept of central user administration. Use the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    Hope this helps you get a fair bit of an idea.
    Don't forget to give points.
    With regards
    subrato kundu

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directoty security groups?
    I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
    Sent from Cisco Technical Support iPad App

  • Webcenter discussion forum - Ldap Group Integration with JSSO

    Hi,
    We want to implement LDAP Group integration for authorization purposes in
    Webcenter Jive Discussions deployed in our IAS 10.1.3.2 application server.
    Though Jive provides support for the same, the Jive documentation says
    that we need to implement Jive's LDAP User authentication steps in order
    to leverage LDAP Groups integration. In the case of Webcenter, if we use Java SSO
    for authentication purposes, we need to opt for 'Default' in the Jive
    Admin's authentication page instead of LDAP settings. Opting for the 'Default'
    scheme doesn't allow us to configure the LDAP group settings. We are not able to
    find any documentation for LDAP Group Integration along with Java SSO. Could you
    provide us the steps required for the same? Or has anyone tried the same?
    Thanks and Regards,
    Abhijit

    Hi Abhijit,
    You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
    - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
    - Jive documentation for implementing user authentication
    Navneet.

  • OBIEE Group authorization

    Hi,
    We are using LDAP security for authenticating the users, but when I try to authorize the users to see a particular dashboard it is failing. I have created a table in the DB with the logon and the group details and created a session variable by using the SQL below. But when I try to test this Initialization block the Test button is not highlighting in the rpd.
    SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
    Please suggest whether I am taking the correct approach to give access to the dashboard.

    Yes... The three steps you have mentioned are the standard way of doing authentication using LDAP and authorization using an external database.
    Whenever a new user is added, you just have to add that user name and group name in the external DB table.
    No need to give permissions to that particular user in the Presentation Catalog, as you might have already given permission to the group to which this user belongs.
    While logging in you have to give the correct username as it is configured in your LDAP server. For entering the new user in the DB it need not be case sensitive, as the Init block query takes care of that:
    SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
    Regards,
    Bhavik

  • LDAP (openldap) authorization with DAP (dymamic access policy)

    Hello,
    We have an ASA 5520 and we are trying to do LDAP (openLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with the logical expression. We need more examples of logical expressions and we need to know how to debug a logical expression. We tried to use the debug dap trace and debug dap errors commands but we need more debug information.

    Hi
    I guess you are using an ldap attribute map, to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
    Hth
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.

  • Webcenter discussion forum - Ldap Group Integration issue

    Hi All,
    I am trying to implement LDAP Group integration in our jive forums 5.1.0 installed in an Oracle IAS 10.1.3.2 server.
    I have followed the steps mentioned in the LDAP documentation and setup the following system properties:
    ldap.groupNameField cn
    ldap.groupMemberField uniquemember
    ldap.groupDescriptionField description
    ldap.groupSearchFilter (cn={0})
    I just restarted the server after setting up these , but the forums instance is not coming up in the server. Throwing the following error:
    08/01/21 14:52:33.550 jiveforums: CompressingFilter/1.4.4 CompressingFilter has initialized
    08/01/21 15:23:04.597 jiveforums: Servlet error
    java.io.IOException: An established connection was aborted by the software in your host machine
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
    at sun.nio.ch.IOUtil.write(IOUtil.java:75)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
    at java.nio.channels.Channels.write(Channels.java:60)
    at java.nio.channels.Channels.access$000(Channels.java:47)
    at java.nio.channels.Channels$1.write(Channels.java:134)
    at com.evermind.server.http.AJPOutputStream.endRequest(AJPOutputStream.java:117)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:309)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    08/01/21 15:25:59.956 jiveforums: Exception thrown during contextDestroyed
    java.lang.ExceptionInInitializerError
    at com.jivesoftware.forum.database.DbForumFactory.getAttachmentManager(DbForumFactory.java:798)
    at com.jivesoftware.forum.database.DbForumFactory.destroy(DbForumFactory.java:410)
    at com.jivesoftware.forum.database.DbForumFactory.shutdown(DbForumFactory.java:381)
    at com.jivesoftware.forum.util.ForumsLifeCycleListener.contextDestroyed(ForumsLifeCycleListener.java:88)
    at com.evermind.server.http.HttpApplication.destroyContextListeners(HttpApplication.java:5877)
    at com.evermind.server.http.HttpApplication.destroy(HttpApplication.java:5843)
    at com.evermind.server.http.HttpSite.destroy(HttpSite.java:877)
    at com.evermind.server.http.HttpServer.destroy(HttpServer.java:548)
    at com.evermind.server.ApplicationServer.destroy(ApplicationServer.java:2030)
    at com.evermind.server.ApplicationServerShutdownHandler.run(ApplicationServerShutdownHandler.java:93)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.IllegalStateException: Timer already cancelled.
    at java.util.Timer.sched(Timer.java:354)
    at java.util.Timer.scheduleAtFixedRate(Timer.java:296)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:218)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:202)
    at com.jivesoftware.forum.database.DbAttachmentManager.<init>(DbAttachmentManager.java:160)
    at com.jivesoftware.forum.database.DbAttachmentManager.<clinit>(DbAttachmentManager.java:48)
    Can anyone please throw some light on this?
    Thanks and regards,
    ABhijit

    Hi Guneet,
    We are using Jive 5.5.9 instead of the 5.1.0 that comes with Webcenter.
    Also we are just trying to validate Jive's authorization scheme, so we didn't integrate the Java SSO part. The Jive forum is just a standalone OC4J instance in the IAS server and we are using the LDAP configuration in the User, Groups Authentication page instead of Default, which is required for Java SSO.
    Thanks,
    ABhijit

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but is unable
    to recognize groups. Here is my weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>channel-role</role-name>
    <principal-name>system</principal-name>
    <principal-name>mygroup</principal-name>
    <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes the user system but not the group. The LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials of a uniquemember from the client, WLS generates a
    security exception. It won't recognise mygroup or cn=mygroup,ou=groups,o=mycompany
    either.
    Any suggestions?
    Thanks
    -Surya

    Yes, it has an impact. You create groups in the Repository & Answers and assign the object level permissions.
    You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
    For dashboard A - For group Executive - User X - You have given full access.
    Now you have changed the Group name to AD_Executive. When You Login variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names then get Groups from database using Init block after authorization.

  • OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

    Greeting Experts
    I am trying to get a clear understanding of how these different groups play out in the OBIEE world.  Ideally I am looking to get clarity around what the boundaries are for these groups (what they control and don't). Really appreciate if someone could enlighten me
    Thank you very much.

    Will LDAP group security take precedence over catalog group security?
    Yes
    When it comes to LDAP security, can it be extended to control authorization besides just user authentication?
    Basically LDAP groups are associated with the users and those groups are in turn associated with Application Roles, so authorization and authentication can be done using an Application Role rather than a group.
    But if you have catalog groups (the default 10g security model) you can still assign application roles to those catalog groups and enable the object level security (go to Administrator ---> Manage Catalog Groups ---> select any default 10g group; there you can search and add application roles).
    thanks,
    Saichand

  • VPN with RSA and LDAP Groups

    I'm trying to rebuild our VPN environment with a pair of 5520s. We're going to use AnyConnect mobility exclusively with SSL. No IPSec and no SSL WebVPN.
    We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA 2 factor.
    How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
    Thanks for any help.

    Yes, you can do the authentication to an RSA server and the authorization to the LDAP server.
    Please configure LDAP as an authorization server.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
    Do let me know how it goes.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced a few entries with XXXX and YYYY for security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group then its not added and I get below error message in the Logging directory  for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret
    Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
    Be sure to click Like! for those who have helped you.
    Click  Accept as Solution for posts that have solved your issue(s)!

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have
    2 groups in iPlanet, Contractors and Employees, and I have 2 security roles in WebLogic,
    contractors and employees. How do I map the LDAP group Contractors to the WebLogic security
    role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. the RDN for a contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of WebLogic (the WebLogic Security Realm
    under People), or do I have to write my own custom code?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
    parameters)?
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Where we check the authorization group & authorization object?

    Hi all,
    I have a std program & tcode like FB03. Now I want to know the authorization group & authorization object, so where will we check?
    help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class
