LDAP netgroup problem
I have some trouble configuring Solaris 10 clients to use netgroups.
If I change my nsswitch.conf to:
passwd: compat
passwd_compat: files ldap
shadow: files ldap
and add a netgroup to /etc/passwd, I cannot see any LDAP users on my system.
If I change it to:
passwd: files ldap
the LDAP users are there and can log in.
We have several Solaris 9 boxes that work with this configuration.
Any hints are welcome.
Thanks
Sorry, it was a typo; the entries in my nsswitch are:
passwd: compat
passwd_compat: ldap [tryagain=continue]
shadow: files ldap
group: files ldap
hosts: files dns
netgroup: ldap
Looks valid to me (although I don't think 'tryagain' is valid in the passwd_compat field, I also don't think it'll cause too many problems).
You might want to start looking through the ldap server logs and see what requests are coming in. Is the machine doing queries for the netgroup and getting answers, or is it not even bothering to look?
Darren
Similar Messages
-
I've nearly got my LDAP deployment complete, but one thing I'm missing right now is netgroup-like restrictions for logins. I spoke with a Sun PS guy recently and he recommended this as the preferred method of restricting access to hosts, so I'm game.
The problem I have right now is that I can't seem to find any documentation on how to set this up. Most references using the word "netgroup" are for NIS, naturally. If anyone has solid docs on how to set this up for LDAP I'd appreciate it.
One thing to note is that I'm not transitioning from NIS. I have only DNS in my environment as a naming service, and so I couldn't just run the PADL tools to migrate.
My setup thus far is a 3 master configuration, with 3 hubs, and approximately 100 users, total. Please ask if my setup requires any clarification.
Thanks!
Patrick
Just want to add more information:
1) The sample Solaris 10 /etc/pam.conf can be found at
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
(For this sample to work on Solaris 8/9, comment out all the pam_unix_cred.so.1 lines.)
2) Making sure "getent passwd userid" shows something is NOT enough to make it work; objectClass "shadowAccount" must be defined in the People entry. Below is an example:
bash-2.05# ldaplist -l passwd tuser2
dn: uid=tuser2, ou=People, dc=example,dc=com
givenName: Test
sn: User2
loginShell: /bin/sh
uidNumber: 9998
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser2
cn: Test User2
homeDirectory: /var/tmp
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
3) Edit /etc/nsswitch.conf and restart nscd.
Change this:
passwd: files ldap
netgroup: files
To that:
passwd: compat
passwd_compat: ldap
netgroup: ldap
Note that there is no need to change "shadow:" and "group:"; anyone please correct me if I am wrong.
I have these two lines for both Solaris and Linux clients:
shadow: files ldap
group: files ldap
4) Add these lines to the end of /etc/passwd and run
"pwconv".
+@netgroup1:x:::::
+@netgroup2:x:::::
-:x:::::
The corresponding DIT:
# ldaplist -l netgroup
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,test,)
nisNetgroupTriple: (,tuser2,)
I noticed that Solaris will add corresponding lines to /etc/shadow after "pwconv" is run, whereas RHEL will not.
5) The same works for BOTH SUN ONE DS5.2 and OpenLDAP server netgroup LDAP maps, as well as BOTH SUN Solaris Native LDAP Clients and RHEL OpenLDAP+PADL Linux LDAP Clients.
6) For non-netgroup accounts, "id userid" and "su - userid" will show these error messages:
Solaris:
id: invalid user name: "userid"
su: unknown id: userid
Linux:
id: userid: No such user
su: user userid does not exist
7) Some examples of nisNetgroupTriple:
# nisNetgroupTriple examples: (host,user,domain)
# jdoe is in the appuser netgroup for all servers, all domains.
# scarter is in the appuser netgroup only on the server mars.
# all users are in the appuser netgroup on the server pluto.
dn: cn=appuser,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appuser
HTH.
Gary
Gary,
Excellent summary... just what I would have looked for about 2 months ago :)
I would like to add that you can indeed nest netgroups. The following is how you would nest Gary's "appuser" netgroup into another, named prod_appservers (theoretically a superset which would be comprised of several netgroups):
dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: prod_appservers
memberNisNetgroup: appuser
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
Patrick -
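To make the compat-mode gating concrete, here is an added example (my code, not from Gary's or Patrick's posts) that parses nisNetgroup entries in the form `ldaplist -l netgroup` prints, applies the (host,user,domain) triple rules with empty fields as wildcards, follows memberNisNetgroup nesting, and then walks a constructed /etc/passwd tail the way `passwd: compat` does. The LDIF, the passwd lines and the set of LDAP uids are all constructed, and treating the bare "-" line as a terminal deny is my assumption.

```python
from typing import Dict, Optional, Tuple

# Constructed nisNetgroup entries in the shape `ldaplist -l netgroup` prints
# (objectClass lines left out; hypothetical data): Gary's appuser triples and
# a netgroup nested with memberNisNetgroup as in Patrick's reply.
NETGROUP_LDIF = """\
dn: cn=appuser,ou=netgroup,dc=example,dc=com
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appuser

dn: cn=unixadmin,ou=netgroup,dc=example,dc=com
cn: unixadmin
nisNetgroupTriple: (,tuser,)

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
cn: prod_appservers
memberNisNetgroup: appuser
memberNisNetgroup: unixadmin
"""

# Constructed /etc/passwd with the step-4 tail: one +@ line per admitted
# netgroup, then the "-" line that shuts out every other directory account.
PASSWD_LINES = [
    "root:x:0:0:Super-User:/:/sbin/sh",
    "+@prod_appservers:x:::::",
    "-:x:::::",
]

# Constructed set of uids that exist as posixAccount entries under ou=People.
LDAP_USERS = {"jdoe", "scarter", "tuser", "tuser2", "bob"}

Triple = Tuple[str, str, str]


def parse_triple(text: str) -> Triple:
    """Parse '(host,user,domain)'. Exactly three fields are required, so a
    typo such as '(,tuser2)' is rejected instead of matching something odd."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"triple not parenthesised: {text!r}")
    fields = [f.strip() for f in body[1:-1].split(",")]
    if len(fields) != 3:
        raise ValueError(f"triple needs host,user,domain: {text!r}")
    return fields[0], fields[1], fields[2]


def parse_netgroup_ldif(ldif: str) -> Dict[str, dict]:
    """Map cn -> {'triples': [...], 'members': [...]} from blank-line
    separated entries; attribute order within an entry does not matter."""
    groups: Dict[str, dict] = {}
    for block in ldif.strip().split("\n\n"):
        cn, group = None, {"triples": [], "members": []}
        for line in block.splitlines():
            attr, _sep, value = line.partition(":")
            attr, value = attr.strip(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "nisNetgroupTriple":
                group["triples"].append(parse_triple(value))
            elif attr == "memberNisNetgroup":
                group["members"].append(value)
        if cn is None:
            raise ValueError("netgroup entry without cn")
        groups[cn] = group
    return groups


def field_matches(pattern: str, value: str) -> bool:
    """Netgroup field rules: empty matches anything, '-' matches nothing."""
    if pattern == "":
        return True
    return pattern != "-" and pattern == value


def in_netgroup(groups, name, host, user, domain="", _seen=None) -> bool:
    """innetgr(3C)-style test that follows memberNisNetgroup recursively.
    An unknown netgroup matches nobody, so a misspelt +@name admits no one;
    _seen keeps a nesting loop from recursing forever."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    for h, u, d in groups[name]["triples"]:
        if all(field_matches(p, v) for p, v in ((h, host), (u, user), (d, domain))):
            return True
    return any(in_netgroup(groups, m, host, user, domain, _seen)
               for m in groups[name]["members"])


def compat_lookup(passwd_lines, ldap_users, groups, user, host) -> Optional[str]:
    """Resolve a login the way 'passwd: compat' does: walk /etc/passwd in order
    and let the first applicable line decide. Returns the source the entry came
    from ('files' or 'ldap'), or None when the user is not visible on this host."""
    for line in passwd_lines:
        key = line.split(":", 1)[0]
        if key.startswith(("+@", "-@")):          # netgroup admit / deny
            if in_netgroup(groups, key[2:], host, user):
                return "ldap" if key[0] == "+" and user in ldap_users else None
        elif key in ("+", "-"):                   # admit all / deny the rest
            return "ldap" if key == "+" and user in ldap_users else None
        elif key.startswith(("+", "-")):          # single-user admit / deny
            if key[1:] == user:
                return "ldap" if key[0] == "+" and user in ldap_users else None
        elif key == user:                         # ordinary local entry
            return "files"
    return None                                   # no + line reached: denied
```

Note that an admitted netgroup only gates visibility: the uid must still exist as a posixAccount, and a netgroup name the client cannot resolve at all matches nobody.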
I am planning to integrate LDAP netgroups with SSH on Solaris 10 (Sun native SSH, SUNWsshxx) in order to restrict unauthorized users from sshing in. Any advice?
I've only done this with Java Directory Server - dscc (or whatever it's called) and OpenDS. The only real troubles I've had are when I've done something wrong in pam.conf or the compat line in nsswitch.conf.
Works pretty well here -
Sudo with LDAP NetGroups Solaris 10
Hi All,
Can some one describe me the steps to configure sudoers to work with LDAP NetGroups Solaris 10 ?
I am using "sudo 1.7.2p6 " right now.
I am able to authenticate using the Netgroups , but not able to using sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with a flat-file /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against a DS5.2 server.
I assume you use the Solaris 8/9 Native LDAP Client, and assume the netgroup LDAP maps have been working without sudo.
I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like err in /var/adm/messages.
Gary -
DSEE 6.3 - LDAP and netgroup problem
All
I need your assistance or guidance with regard to my current situation with LDAP and netgroups.
Let me explain.
I have configured LDAP user authentication and need to group the users with netgroup.
The problem I'm having is that when netgroup is disabled (client /etc/passwd and /etc/nsswitch.conf changed back to normal) I can log in with the LDAP user, but as soon as I enable netgroup and restart nscd I cannot log in.
The weird thing is I have gone through all the docs that were suggested in this forum with regard to LDAP and netgroup, but I'm still having a problem.
The netgroup behaviour is: I can do a # getent passwd username with success, # id username is successful, and I can even # su to that user with success, but when I want to log in as that user I get permission denied. BTW I cannot do # passwd -r ldap username - Permission denied.
See my config below.
Hope this will help, as I'm sure that I have missed something small.
Regards
# /etc/nsswitch.ldap
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
#passwd: ldap files
#group: ldap files
passwd: compat
passwd_compat: ldap
group: compat
group_compat: ldap
more /etc/pam.conf
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
tail -1 /etc/passwd
+@nidgroup:x:::::
more /var/ldap/ldap_client_cred
# Do not edit this file manually; your changes will be lost. Please use ldapclient(1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nid,dc=domain,dc=co,dc=za
NS_LDAP_BINDPASSWD= {NS1}a10952b9857c6016
more /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost. Please use ldapclient(1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= nisldap01.domain.co.za
NS_LDAP_SEARCH_BASEDN= dc=nid,dc=domain,dc=co,dc=za
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= nisldap01.domain.co.za
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= kobus
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=nid,dc=domain,dc=co,dc=za?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,dc=nid,dc=domain,dc=co,dc=za?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=nid,dc=domain,dc=co,dc=za?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nid,dc=domain,dc=co,dc=za?one
NS_LDAP_BIND_TIME= 10
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
ldaplist -l netgroup
dn: cn=linuxgroup,ou=netgroup,dc=nid,dc=domain,dc=co,dc=za
nisNetgroupTriple: (,kobusj,)
objectClass: nisNetgroup
objectClass: top
cn: linuxgroup
dn: cn=nidgroup,ou=netgroup,dc=nid,dc=domain,dc=co,dc=za
nisNetgroupTriple: (,kobusj,)
objectClass: nisNetgroup
objectClass: top
cn: nidgroup
ldaplist -l passwd kobusj
dn: uid=kobusj,ou=People,dc=nid,dc=domain,dc=co,dc=za
givenName: kobus
sn: kobusj
loginShell: /usr/bin/bash
uidNumber: 130
gidNumber: 100
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kobusj
cn: kobusj
homeDirectory: /home/kobusj
userPassword: {crypt}rnR9/Cv1oV1l6
# getent passwd kobusj
kobusj:x:130:100::/home/kobusj:/usr/bin/bash
# id kobusj
uid=130(kobusj) gid=100(nis)
# passwd -r ldap kobusj
Enter kobusj's password:
New Password:
Re-enter new Password:
Permission denied
Hi,
Can anybody show a whole /etc/pam.conf with a working pam_list?
The configuration below doesn't work:
cat /etc/pam.conf
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth requisite pam_list.so.1 allow=/etc/user.allow debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
other account requisite pam_list.so.1 allow=/etc/user.allow debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
Thanks!
-
LDAP CUA problem -- Could not logon to directory
Hi Experts,
I'm facing difficulties in accessing Active Directory from SAP.
The LDAP Connectors were set up correctly (status with green light).
The System User was also set up as: UserID: DirectoryUser; Distinguished Name: "cn=DirectoryManager" (DirectoryManager is a username in my Active Directory).
The LDAP Server was also set up as: Hostname="sapserver001.abc.com", port number="389", Product name="MS03 Microsoft Windows 2003 Active Directory (Domain Mode)", Protocol Version="LDAP Version 3", LDAP Application="User", Base entry="ou=Company00", System Logon="DirectoryUser".
But when I try to log on to the directory, the system returns the message "Could not logon to directory":
Could not logon to directory
Message no. LDAPRC049
Diagnosis
The combination of user name (DN) and password transferred to the directory was not accepted by the directory.
Procedure
Check the set or entered data for the user and password for the directory.
If you are using an application with which you do not need to enter this data directly, you can find the data as configuration setting in the LDAP server used ("System User" field).
Procedure for System Administration
Check whether you can log on to the directory with the entered data using the LDAP protocol.
Note: A frequent error when using the Microsoft Active Directory is that the user enters their Microsoft Windows user name instead of the full Distinguished Name, since it is also possible to log on to the directory using this Microsoft Windows logon with Microsoft tools (such as ldp.exe). However, these tools do not use the user/password logon used by the SAP system.
Could anyone help me find the solution?
For more information, I'm using Windows server 2003 as my AD server.
Ad server: sapserver001.abc.com
sap server:sapserver002.abc.com
In the control panel of sapserver001.abc.com, I opened "Active Directory Users and Computers"; within abc.com, I created an OU "Company00", and under that OU I created the InetOrgPerson "DirectoryManager".
That's all the information I can provide.
Any suggestions will be appreciated.
Thank you very much in advance.
Best regards,
Nick
Hi, all,
Thanks for your reply.
The problem has been solved. That's because I specified the wrong user name: if I enter "DirectoryManager" instead of "cn=DirectoryManager" in the Distinguished Name field, it will be OK. Or, I should input the entire path "cn=DirectoryManager,OU=employees,DC=abci,DC=com".
Just one more question: are there any tools or commands that can display the detailed information of Active Directory on Windows Server 2003? I just wonder whether the detailed path like "cn=DirectoryManager,OU=employees,DC=abci,DC=com" can be shown by the tool or command.
And I have run the ABAP program RSLDAPSCHEMAEXT to get an LDIF file for the SAP field extension on the AD server; after successfully importing it into the Directory, where can I find/verify the added fields which are coming from SAP?
Sorry, I lack knowledge of Active Directory; any suggestions are appreciated.
Best regards,
Nick -
I am having a problem with LDAP integration. I have been working through the oracle manuals and the guide posted at http://onlineappsdba.com/index.php/2010/12/29/part-viii-optional-configure-ldap-sync-with-oim-11g-oim-11g-integration-with-ovdoid/.
I have completed all of the steps, but when I try to create a new user I get the following error:
An error occurred while performing create user operation. Unable to get LDAP connection, and the root cause is - Failed to get connection due to initialization error with the pool: Failed to intialize and start UCP Connection pool
I have created the full jar file for the client. Can anyone offer up any suggestions here?
The others are related to something about a global connection pool; note the traces here are trimmed due to forum post limits:
-
Portal LDAP permission problems: Login causing "Insufficient access"
Hello,
We have OID / Portal / 10gAS version 9.0.4.1 in development and production. We are using the 10gAS as a J2EE webapp server and the OID server as an LDAP server. Portal was working, but we had to make modifications to the default ACPs in OID for our DIT to be secure.
Bottom line:
Logging in as a user to portal yields:
" Unexpected error encountered in wwsec_app_priv.process_signon (User-Defined Exception) (WWC-41417)
An exception was raised when accessing the Oracle Internet Directory: 50: Insufficient access
Details
Operation: dbms_ldap_utl.get_group_membership. (WWC-41743)
Looking back at the ACL trace yields the following:
BEGIN
2004/12/10:08:57:25 * ServerWorker:4 * ConnID:31 * OpId:1 * OpName:search
gslsfbiDumpSubscribedGroups: Op. ID: <1> Subscribed Orclprivilege Groups for the user DN: <orclapplicationcommonname=portal.040405.1647,cn=portal,cn=products,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group0 for the user DN:<cn=authenticationservices,cn=groups,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group1 for the user DN:<cn=userproxyprivilege,cn=groups,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group2 for the user DN:<cn=oracledascreateuser,cn=groups,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group3 for the user DN:<cn=oracledascreategroup,cn=groups,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group4 for the user DN:<cn=common group attributes,cn=groups,cn=oraclecontext>
08:57:25 * Op. ID: <1> Group5 for the user DN:<cn=oracledasconfiguration,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * Op. ID: <1> Group6 for the user DN:<cn=authenticationservices,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * Op. ID: <1> Group7 for the user DN:<cn=userproxyprivilege,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * Op. ID: <1> Group8 for the user DN:<cn=oracledascreateuser,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * Op. ID: <1> Group9 for the user DN:<cn=oracledascreategroup,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * Op. ID: <1> Group10 for the user DN:<cn=common group attributes,cn=groups,cn=oraclecontext,dc=tekelec,dc=com>
08:57:25 * gslsfbiDumpSubscribedGroups: Op. ID: <1> Subscribed Orclacp Groups for the user DN: <orclapplicationcommonname=portal.040405.1647,cn=portal,cn=products,cn=oraclecontext>
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Entry DN:(uid=saitken,cn=users,dc=tekelec,dc=com)
08:57:25 * gslfacZEvaluate_Filter: Operation id:(1) User DN: (orclapplicationcommonname=portal.040405.1647,cn=portal,cn=products,cn=oraclecontext)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Visiting ACP at: (cn=users,dc=tekelec,dc=com)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Filter Accees denied by ACP: (cn=users,dc=tekelec,dc=com)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) User being Privileged group member, Evaluation continues
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Visiting ACP at: (dc=tekelec,dc=com)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Visiting ACP at: (dc=com)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Filter Accees denied by ACP: (dc=com)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) User being Privileged group member, Evaluation continues
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Visiting ACP at: (cn=root)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) Filter Accees denied by ACP: (cn=root)
08:57:25 * gslfacZEvaluate_Filter:Operation id:(1) User being Privileged group member, Evaluation continues
08:57:25 * gslfacZEvaluate_Filter: Op id:(1) Filter Access to entry (uid=saitken,cn=Users,dc=tekelec,dc=com) not allowed
08:57:25 * INFO: gslfrsDSendSearchEntry : Access to filter attributes not allowed
END
The interpretation of this is that the service account "(orclapplicationcommonname=portal.040405.1647,cn=portal,cn=products,cn=oraclecontext)" does not have sufficient privileges to "Op id:(1) Filter Access to entry" or, "Browse the entry" with the DN "uid=saitken,cn=Users,dc=tekelec,dc=com". This is the user I am attempting to log in as.
The ACP on the "users" container that is causing the deny, "Filter Accees denied by ACP: (cn=users,dc=tekelec,dc=com)", seems to be the problem.
The real issue is that "entry level" access should be possible by all users in the system. The ACP entries I have on the 'users' entry / container are as follows:
- orclaci: access to entry by self (browse)
- orclaci: access to entry filter=(objectclass=tekuser) by * (browse) by group="cn=service accounts,cn=groups,dc=tekelec,dc=com" (browse,delete) by group="cn=it - user admins,cn=groups,dc=tekelec,dc=com" (browse,delete)
- orclaci: access to entry filter=(objectclass=inetorgperson) by group="cn=oracledascreateuser, cn=groups,cn=OracleContext,dc=tekelec,dc=com" added_object_constraint=(objectclass=orcluser*) (browse,add) by group="cn=oracledasdeleteuser, cn=groups,cn=OracleContext,dc=tekelec,dc=com" (browse,delete) by group="cn=oracledasedituser, cn=groups,cn=OracleContext,dc=tekelec,dc=com" (browse) by group="cn=UserProxyPrivilege, cn=Groups,cn=OracleContext,dc=tekelec,dc=com" (browse, proxy) by dn="orclApplicationCommonName=DASApp, cn=DAS, cn=Products,cn=oraclecontext" (browse,proxy) by self (browse, nodelete, noadd) by group="cn=Common User Attributes, cn=Groups,cn=OracleContext,dc=tekelec,dc=com" (browse)
All users under the "Users" container are of objectclass 'tekuser'. The last ACP point was massaged from the original install of Portal.
The real clincher that I don't understand is that the single entry "access to entry filter=(objectclass=tekuser) by * (browse)" should be allowing browse access to my entry to everyone! (Including the service account for portal!)
So, as I wind around this ball of wax, I desperately seek assistance. I understand the complexities of ACPs and know of a few problems, but nothing that would cause this.
Does anyone have any insight? Any feedback is greatly appreciated!
The best thing that I could have right now would be a spec (or requirements) of permission configuration against an LDAP server (or OID) for Portal to perform its normal tasks. Unfortunately, I have yet to find any docos on ACL requirements of Portal. :(
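The probe below is an added example; it is not part of Sean's post and not Oracle Portal or OID code. It binds as a chosen identity and reads the user entry with a base-scope search, which is the "browse" the trace above is evaluating, so you can compare what the Portal application entity, the user itself and an anonymous client actually get back from the directory. The two DNs are the ones from the trace; the host name and both passwords are placeholders you must replace.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Effective-access probe: bind as a chosen identity and read one entry with a
 * base-scope search, which is the "browse" the ACP trace is evaluating.
 * The entry is reported as hidden when the server returns nothing (or
 * noSuchObject) for it, and as visible together with the attribute names
 * the bound identity was allowed to read.
 */
public class AcpProbe {

    // Assumed values: host/port and both passwords are placeholders for your directory.
    static final String LDAP_URL = "ldap://oid.example.com:389";
    static final String PORTAL_ENTITY_DN =
        "orclapplicationcommonname=portal.040405.1647,cn=portal,cn=products,cn=oraclecontext";
    static final String PORTAL_ENTITY_PASSWORD = "change-me";
    static final String USER_DN = "uid=saitken,cn=users,dc=tekelec,dc=com";
    static final String USER_PASSWORD = "change-me-too";

    /** bindDn == null means an anonymous bind. Returns null when entryDn is hidden from this identity. */
    static List<String> visibleAttributes(String bindDn, String password, String entryDn)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        if (bindDn == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }

        DirContext ctx = new InitialDirContext(env);   // a failed bind (bad password) throws here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);  // read only this entry
            sc.setReturningAttributes(null);                  // every user attribute we may see
            NamingEnumeration<SearchResult> results;
            try {
                results = ctx.search(entryDn, "(objectclass=*)", sc);
            } catch (NameNotFoundException hidden) {
                return null;   // some servers answer noSuchObject when browse is denied
            }
            if (!results.hasMore()) {
                return null;   // entry exists, but browse/filter access was denied
            }
            List<String> names = new ArrayList<String>();
            NamingEnumeration<? extends Attribute> attrs =
                results.next().getAttributes().getAll();
            while (attrs.hasMore()) {
                names.add(attrs.next().getID());
            }
            return names;
        } finally {
            ctx.close();
        }
    }

    static String describe(List<String> seen) {
        return seen == null ? "hidden (browse denied)" : "visible, attributes " + seen;
    }

    public static void main(String[] args) throws NamingException {
        // The Portal application entity: the identity named in the trace.
        System.out.println("portal entity: "
            + describe(visibleAttributes(PORTAL_ENTITY_DN, PORTAL_ENTITY_PASSWORD, USER_DN)));
        // The user itself: "access to entry by self (browse)" should let this one through.
        System.out.println("self:          "
            + describe(visibleAttributes(USER_DN, USER_PASSWORD, USER_DN)));
        // Anonymous: the broadest reading of "by * (browse)".
        System.out.println("anonymous:     "
            + describe(visibleAttributes(null, null, USER_DN)));
    }
}
```

Compile and run it with a JDK (javac AcpProbe.java, then java AcpProbe). If self and anonymous can read the entry but the Portal entity cannot, the "by * (browse)" rule on cn=users is not what decides the outcome for that identity, and the ACPs the trace visits after it (dc=tekelec,dc=com, dc=com and cn=root, each of which also logged a deny) need the same review. Take the passwords from the command line or the environment rather than leaving them in the source.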
-Sean

Sean: Did you find an answer to your issue? We seem to be experiencing the same issue here - but not much help for the Error - WWC-41743.
Error Text - Operation: dbms_ldap.modify_s
Entry DN: cn=AUTHENTICATED_USERS,cn=portal.050125.132734.548814000,cn=groups,dc=us,dc=deloitte,dc=com
Changes
uniquemember: Add: cn=invcm1,cn=users,dc=us,dc=deloitte,dc=com.
Would appreciate any help. You can send mail to [email protected]
Thank you again!
Shomic -
We are running BEA WebLogic Server 8.1 SP2 on a Windows 2000 machine. It starts up fine but after some days the service is stopped. If I try to restart it, it doesn't start but shows the following exception.
<main> <<WLS Kernel>> <> <BEA-000364> <Server failed during initialization.
Exception:java.lang.NumberFormatException:
null
java.lang.NumberFormatException: null
at java.lang.Integer.parseInt(Integer.java:394)
at java.lang.Integer.<init>(Integer.java:567)
at weblogic.ldap.EmbeddedLDAP.validateVDEDirectories(EmbeddedLDAP.java:1057)
at weblogic.ldap.EmbeddedLDAP.initialize(EmbeddedLDAP.java:196)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:777)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:627)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:337)
at weblogic.Server.main(Server.java:32)
####<Jan 7, 2004 5:35:01 PM PST> <Emergency> <WebLogicServer> <SAM-APPS38>
<EpServer-US-Srv1>
<main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server:
java.lang.NumberFormatException:
null>
We haven't changed or even used anything referring to LDAP. So?????

I am having the same problem, though the source code line number is different.
<Feb 4, 2005 1:01:58 PM EST> <Critical> <WebLogicServer> <BEA-000364> <Server failed during initialization. Exception:java.lang.NumberFormatException: null
java.lang.NumberFormatException: null
at java.lang.Integer.parseInt(Integer.java:394)
at java.lang.Integer.<init>(Integer.java:567)
at weblogic.ldap.EmbeddedLDAP.validateVDEDirectories(EmbeddedLDAP.java:1069)
at weblogic.ldap.EmbeddedLDAP.initialize(EmbeddedLDAP.java:196)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:814)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:664)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:342)
at weblogic.Server.main(Server.java:32)
> -
HELP! LDAP server problem
I'm using IDS 5.1 in our system. Yesterday it had problems: other servers connected to its port 389 said connection timed out. The network was ok, the service was ok, but users could not authenticate. The ldap server files in the changelogdb directory had been held for days; the errors log said:
[11/Jan/2006:10:49:39 +0800] NSMMReplicationPlugin - agmt_delete: begin
[11/Jan/2006:10:49:48 +0800] NSMMReplicationPlugin - agmt_delete: begin
[11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5GetNextEntry: failed to get entry; db error - 12 Not enough space
[11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to commit transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
[11/Jan/2006:10:53:56 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to begin transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
[11/Jan/2006:10:53:56 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to begin transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
Does anyone know what happened and what might cause this problem?
Thanks

As indicated by the log:
[11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5GetNextEntry: failed to get entry; db error - 12 Not enough space
So check out your disk space first. -
Hi,
I'm trying to configure Netscape Directory Server 4.1 to work with the LDAP Security Realm Update for WebLogic Server 6.1. The WebLogic Server is unable to connect to NDS and there is no error message to indicate any exception. I have connected to the NDS using an LDAP browser with the same principal and credential as in the ldaprealm.properties file and was able to establish a connection.
Has anyone encountered the same problem? Any help is appreciated.
Thank you,
PY

Humm,
I have heard of different people with the same name but with the same
email address. Strange...
Will the person who did the posting below please email me. You've
already have my email address.
Han.
"Ng, Wey-Han" <[email protected]> wrote in message news:<[email protected]>...
Hi,
I'm trying to configure Netscape Directory Server 4.1 to work with the LDAP Security Realm Update for WebLogic Server 6.1. The WebLogic Server is unable to connect to NDS and there is no error message to indicate any exception. I have connected to the NDS using an LDAP browser with the same principal and credential as in the ldaprealm.properties file and was able to establish a connection.
Has anyone encountered the same problem? Any help is appreciated.
Thank you,
PY -
Java JNDI LDAP connectivity problem. NoSuchAttributeException
Hello,
I am trying to add a user to Active Directory server through LDAP. Following is the code I am using:
======================================================================
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

public class LDAPTest {
    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://192.123.321.123:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "user1");
        env.put(Context.SECURITY_CREDENTIALS, "user123");
        try {
            System.out.println("68");
            Context ctx = new InitialContext(env);   // the bind itself succeeds: "71" is printed below
            System.out.println("71");
            BasicAttribute oc = new BasicAttribute("objectclass", "top");
            oc.add("person");
            oc.add("organizationalperson");
            oc.add("User");
            BasicAttribute ouSet = new BasicAttribute("ou");
            ouSet.add("test");
            BasicAttributes attrs = new BasicAttributes(true);
            attrs.put(oc);
            attrs.put(ouSet);
            attrs.put("cn", "ndubey001");
            attrs.put("sn", "ndubey001");
            attrs.put("sAMAccountName", "ndubey001");
            attrs.put("givenName", "ndubey001");
            attrs.put("name", "ndubey001");   // AD derives "name" from the RDN itself; clients normally cannot set it
            // The failing call (see the reply below): ctx is a plain Context, so this is
            // Context.bind(String, Object), which stores 'attrs' as a serialized Java object
            // instead of creating an entry with those attributes (DirContext.createSubcontext
            // does that), and an AD user's RDN is cn=, not uid=.
            ctx.bind("uid=ndubey001,ou=test,o=myserver.com", attrs);
            System.out.println("74");
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
======================================================================
I have tried so many different combinations. Most of the time the parameters I am passing look okay, but I keep getting the same exception, as follows:
======================================================================
68
71
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_bind(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_bind(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(Unknown Source)
at LDAPTest.main(LDAPTest.java:99)
Coming out
======================================================================
Can anyone tell me what the exact problem is?
Cheers,
Nitin

Too many errors to even consider correcting your code (objectClasses, UID attribute, ctx.create)....
Refer to the following for a description & sample code:
JNDI, Active Directory (Creating new users & demystifying userAccountControl
http://forum.java.sun.com/thread.jspa?threadID=582103&tstart=15 -
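The following is an added example, not code from this thread or from the linked forum post. It shows the create flow Active Directory actually accepts from JNDI and addresses the three points in the reply: the object classes are top, person, organizationalPerson and user; a user's RDN is cn= under a DC-style naming context rather than uid= under o=; and the entry is created with DirContext.createSubcontext(name, attrs) rather than Context.bind(name, obj), which stores a serialized Java object. It also shows the userAccountControl handling the linked thread title refers to: create the account disabled, set unicodePwd over TLS, then enable it. The domain controller, service identity, container and UPN suffix are placeholders; the flag values are the ones defined in the AD schema.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Creates an AD user over JNDI: add it disabled, set unicodePwd over TLS, then enable it. */
public class AdCreateUser {

    // userAccountControl bits used here (values as defined in the AD schema).
    static final int ACCOUNTDISABLE = 0x0002;
    static final int NORMAL_ACCOUNT = 0x0200;

    // Assumed values: replace with your domain controller, service identity and container.
    static final String LDAPS_URL = "ldaps://dc01.example.com:636";
    static final String BIND_UPN = "svc-provision@example.com";
    static final String BIND_PASSWORD = "change-me";
    static final String USERS_OU = "OU=test,DC=example,DC=com";
    static final String UPN_SUFFIX = "example.com";

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);   // TLS: AD refuses unicodePwd changes over plain LDAP
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_UPN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        return new InitialDirContext(env);
    }

    /** AD wants unicodePwd as the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Escapes RDN-special characters (RFC 4514) so a name like "Smith, John" cannot alter the DN. */
    static String escapeRdnValue(String v) {
        String s = v.replaceAll("([,+\"\\\\<>;=])", "\\\\$1");
        if (s.endsWith(" ")) s = s.substring(0, s.length() - 1) + "\\ ";
        if (s.startsWith("#") || s.startsWith(" ")) s = "\\" + s;
        return s;
    }

    static String createUser(DirContext ctx, String sAMAccountName, String givenName,
                             String sn, String password) throws NamingException {
        // A user's RDN in AD is cn=; the directory derives cn and name from it, so neither is set here.
        String dn = "CN=" + escapeRdnValue(givenName + " " + sn) + "," + USERS_OU;

        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("user");

        BasicAttributes attrs = new BasicAttributes(true);   // attribute names compared case-insensitively
        attrs.put(objectClass);
        attrs.put("sAMAccountName", sAMAccountName);
        attrs.put("userPrincipalName", sAMAccountName + "@" + UPN_SUFFIX);
        attrs.put("givenName", givenName);
        attrs.put("sn", sn);
        // Step 1: create the account disabled; an enabled account with no password is
        // rejected under the usual domain password policy.
        attrs.put("userAccountControl", Integer.toString(NORMAL_ACCOUNT | ACCOUNTDISABLE));
        ctx.createSubcontext(dn, attrs);   // not bind(): bind(name, obj) stores a serialized Java object

        // Step 2: set the password. Its own modify, so a policy rejection leaves the account disabled.
        ctx.modifyAttributes(dn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(password)))
        });

        // Step 3: enable the account by clearing ACCOUNTDISABLE.
        ctx.modifyAttributes(dn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(NORMAL_ACCOUNT)))
        });
        return dn;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1) {
            System.err.println("usage: java AdCreateUser <initial-password>");
            return;
        }
        DirContext ctx = connect();
        try {
            System.out.println("created " + createUser(ctx, "ndubey001", "Test", "User001", args[0]));
        } finally {
            ctx.close();
        }
    }
}
```

The JVM must trust the domain controller's certificate for the ldaps:// connection (import the issuing CA into the truststore, or the bind fails before any LDAP traffic). The service identity needs create-child rights on the container and reset-password rights on user objects; a plain domain user will get an insufficientAccessRights error at step 1 or step 2 rather than the attribute conversion error shown above.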
WL6.0 LDAP Realm problems
I'm trying out WL6.0 (eval version) LDAP realm support and having trouble getting it to work - basic auth just keeps popping the window up 3 times and then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR> <examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021> <Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=true
The HTTP basic-auth dialog box is correctly showing me that I'm trying to authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above server account exists AND can authenticate and retrieve account userpasswords (yes, the server account is "cn=" while the user accounts are "uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas???

Did you use the most recent ldap patch? I could not get it to work fine with the default wls6.0sp1, but with the ldap-patch it works fine.
AND probably even more important... change
<Realm FileRealm="..." Name=".....">
to
<Realm CachingRealm="MyCachingRealm" FileRealm="..." Name=".....">
Hope this helps...
Ronald
Sushil Pulikkal wrote:
Hi Tom,
I am using iPlanet Directory server with WL6.0 (which I presume is supported as Netscape's is) and facing the same problem as Mike was, i.e. account locking after three attempts (bottom of the message). I have created my own caching realm with the basic realm being MyLDAPRealm.
The log gives no info other than the one about account locking.
My config.xml looks something like this -
<CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<LDAPRealm AuthProtocol="simple" Credential="enslaved"
GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
Name="MyLDAPRealm"
Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind"
UserDN="ou=Aussies,dc=timerasolutions,dc=com"
UserNameAttribute="uid"/>
The browser window does pop up, but the user id doesn't get authenticated. Is there a way to know whether WLS is actually going to the LDAP server for authentication?
Any insight into this?
Thanks in advance,
Sushil
"Tom Moreau" <[email protected]> wrote:
Mike,
I haven't had any trouble getting the LDAPRealm to work in WLS 6.0. Could it be that while you've created the LDAPRealmMBean, you haven't told WLS to use it?
In other words, you can create many realm configurations, then you need to activate the one you want. If you haven't, then we just use the file realm. The file realm won't be able to authenticate you (since you put the info in LDAP!) and after 3 failures will lock out the account.
The instructions for selecting the realm are at:
http://e-docs.bea.com/wls/docs60/adminguide/index.html
See:
12. Managing Security
Specifying a Security Realm
Configuring the Caching Realm
The basic idea is:
1) create your LDAP Realm (you've already done this)
2) create a CachingRealm
3) set the CachingRealm's BasicRealm to your LDAP Realm
4) set the Security Realm's CachingRealm to your Caching Realm
5) reboot
It's pretty easy to do this through the admin console.
Otherwise, you can edit config.xml by hand.
Here's how:
<Domain>
<Security
Name="mydomain"
Realm="myRealm"
/>
<Realm
Name="myRealm"
FileRealm="myFileRealm"
CachingRealm="myCachingRealm"
/>
<FileRealm
Name="myFileRealm"
/>
<CachingRealm
Name="myCachingRealm"
BasicRealm="myLDAPRealm"
/>
<LDAPRealm
Name="myLDAPRealm"
/>
-Tom
"Mike" <[email protected]> wrote:
BTW, before someone suggests it, I found Tom Moreau's suggestion to use:
<ServerDebug Name="examplesServer" DebugSecurityRealm="true" />
under the <Server> element in config.xml and restarted with this and still no additional info from the LDAP realm printed about why it's not working (nothing but the same locking account message mentioned below).
Is the source for the LDAP realm available so I can debug it myself or has anybody written their own LDAP realm that they'd be willing to share with the group?
Thanks again,
...Mike
"Mike" <[email protected]> wrote in message news:[email protected]...
Ok I've verified that the -Dweblogic.security.ldaprealm.verbose probably won't work with 6.0 (old 5.x and previous style property), but I can't figure out what replaced it, to figure out why the LDAP realm isn't working for me...
The property mapping guide at:
http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
shows that things like weblogic.security.ldaprealm.url changed to LDAPURL in config.xml (without telling you that this resides as an XML attribute of <Domain><LDAPRealm ... /></Domain>, although that's easy enough to find by looking through the example LDAP realm).
It then says that weblogic.security.ldaprealm.verbose has changed to "Debug" in config.xml, but doesn't say whether that's a "Debug" XML attribute on one of the XML elements in there, or whether it's an XML node itself, or where in the config.xml doc it goes... It doesn't work as an attribute of <LDAPRealm ...> (server won't start with it there) and it doesn't show up at all in the DTD for config.xml, so I'm assuming the mapping doc at the above url is wrong. Anybody know what this really became in 6.0?
I've tried setting StdoutDebugEnabled="true" in config.xml and turning the logging level all the way up to see everything, but even then all I get is the account locked message, not why it's failing to authenticate via LDAP...
Any other ideas?
"Mike" <[email protected]> wrote in message news:[email protected]...
I'm trying out WL6.0 (eval version) LDAP realm support and having trouble getting it to work - basic auth just keeps popping the window up 3 times and then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR> <examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021> <Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=true
The HTTP basic-auth dialog box is correctly showing me that I'm trying to authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above server account exists AND can authenticate and retrieve account userpasswords (yes, the server account is "cn=" while the user accounts are "uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas??? -
Built-in LDAP Authentication Problem
Hi All,
I have used Built-in LDAP Authentication Method for my application authentication which works fine,but i need to have an database authentication as well in combination to LDAP one.
I tried putting a database authentication function (Returning Boolean) in the post authentication process but without success.
Please suggest how to go about this.
cheers
Dhrubo

You really didn't explain much more than in your first post.
> For example, LDAP verifies all users now, but I would like to enable persons with their role as managers to have access privilege for my application.
Right now, managers do have access privilege so that requirement does not make sense.
> For this Manager problem I need a database level authentication.
What does that mean? You can't just make up terms like that.
I think you are mixing up authentication and authorization. Please search this forum and read the User's Guide for more info about how these are different.
We can show you how to do both authentication and authorization, you just need to work harder stating your exact requirements.
Scott -
LDAP V2 Problems after 6.1SP3 upgrade
I've got an LDAP custom realm working with 6.1 SP2, but then move the exact configuration to 6.1 SP3 and the server boots, but does not authenticate. I can see the groups from the LDAP server in the console, but the console hangs when I try and look at users. Is there anything I need to change for SP3?
there are some patches available on top sp3 for ldap problems. please
contact support.
"Jason Prigge" <[email protected]> wrote in message
news:3d933268$[email protected]..
I've got an LDAP custom realm working with 6.1 SP2, but then move the exact configuration to 6.1 SP3 and the server boots, but does not authenticate. I can see the groups from the LDAP server in the console, but the console hangs when I try and look at users. Is there anything I need to change for SP3?