LDAP netgroup with SSH

I am planning to intergrate LDAP netgroup to SSH in Solaris 10 (SUN native SSH SUNWsshxx) in order to restrict unauthorized users to ssh in. Any advice?

i've only done this with java directory server - dscc (or whatever it's called) and opends. only real troubles i've had are when i've done something wrong in pam.conf or the compat line in nsswitch.conf.
works pretty well here

Similar Messages

  • Sudo with LDAP NetGroups Solaris 10

    Hi All,
    Can some  one describe me the steps to configure sudoers to work with LDAP NetGroups Solaris 10 ?
    I am using  "sudo  1.7.2p6 " right now.
    I am able to authenticate using  the Netgroups , but not able to using sudo.
    Thanks,
    DD

    I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
    I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
    I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
    Can you provide the following details?
    1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
    2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
    3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
    4) Content of /var/ldap/ldap_client_file.
    5) Content of /etc/ldap.conf, you should have this file.
    6) Sample ldif showing some sudoRole entries in LDAP
    7) Can you perform these commands?
    ldaplist -l sudoers
    ldaplist -l sudoers root
    ldaplist -l sudoers some_sudoRole
    8) Content of /etc/pam.conf
    9) Any other relevant details, like err in /var/adm/messages.
    Gary

  • Configuring LDAP netgroups

    I've nearly got my LDAP deployment complete, but one thing I'm missing right now is netgroup-like restrictions for logins. I spoke with a Sun PS guy recently and he recommended this as the preferred method of restricting access to hosts, so I'm game.
    The problem I have right now is that I can't seem to find any documentation on how to set this up. Most references using the word "netgroup" are for NIS, naturally. If anyone has solid docs on how to set this up for LDAP I'd appreciate it.
    One thing to note is that I'm not transitioning from NIS. I have only DNS in my environment as a naming service, and so I couldn't just run the PADL tools to migrate.
    My setup thus far is a 3 master configuration, with 3 hubs, and approximately 100 users, total. Please ask if my setup requires any clarification.
    Thanks!
    Patrick

    Just want to add more information:
    1) The sample Solaris10 /etc/pam.conf could be found
    at
    http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=
    view
    (For this sample to work on Solaris8/9, commented out
    all the pam_unix_cred.so.1 lines)
    2) Making sure "getent passwd userid" shows something
    is NOT enough to make it worked, objectClass
    "shadowAccount" must be defined in the People entry,
    below is an example:
    bash-2.05# ldaplist -l passwd tuser2
    dn: uid=tuser2, ou=People, dc=example,dc=com
    givenName: Test
    sn: User2
    loginShell: /bin/sh
    uidNumber: 9998
    gidNumber: 102
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: tuser2
    cn: Test User2
    homeDirectory: /var/tmp
    userPassword:
    assword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
    3) Edit /etc/nsswitch.conf and restart nscd.
    Change this:
    passwd: files ldap
    netgroup: files
    To that:
    passwd: compat
    passwd_compat: ldap
    netgroup: ldap
    Note that there is no need to change "shadow:" and
    "group:", anyone pls correct me if I am wrong.
    I have these two lines for both Solaris and Linux
    clients:
    shadow: files ldap
    group: files ldap
    4) Add these lines to the end of /etc/passwd and run
    "pwconv".
    +@netgroup1:x:::::
    +@netgroup2:x:::::
    -:x:::::
    The corresponding DIT:
    # ldaplist -l netgroup
    dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
    objectClass: top
    objectClass: nisNetgroup
    cn: netgroup1
    nisNetgroupTriple: (,gtay,)
    nisNetgroupTriple: (,tuser,)
    dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
    objectClass: top
    objectClass: nisNetgroup
    cn: netgroup2
    nisNetgroupTriple: (,test,)
    nisNetgroupTriple: (,tuser2)
    I noticed that Solaris will add corresponding lines
    to /etc/shadow after "pwconv" is run, whereas RHEL
    will not.
    5) The same works for BOTH SUN ONE DS5.2 and
    OpenLDAP server netgroup LDAP maps, as well as BOTH
    H SUN Solaris Native LDAP Clients and RHEL
    OpenLDAP+PADL Linux LDAP Clients.
    6) For Non-Netgroup accounts, "id userid" and "su -
    userid" will show these error messages:
    Solaris:
    id: invalid user name: "userid"
    su: unknown id: userid
    Linux:
    id: userid: No such user
    su: user userid does not exist
    7) Some examples of netGroupTriple:
    # nisNetgroupTriple Examples: (host,user,domain)
    # jdoe is in the appuser netgroup for all servers,
    all domains.
    # scarter is in the appuser netgroup only on the
    server mars.
    # all users are in the appuser netgroup on the server
    pluto.
    dn: cn=appuser,ou=netgroup,dc=example,dc=com
    objectClass: top
    objectClass: nisNetgroup
    nisNetgroupTriple: (,jdoe,)
    nisNetgroupTriple: (mars,scarter,)
    nisNetgroupTriple: (pluto,,)
    cn: appuser
    HTH.
    GaryGary,
    Excellent summary...just what I would have looked for about 2 months ago :)
    I would like to add that you can indeed nest netgroups. The following is how you would nest Gary's "appuser" netgroup into another, named prod_appservers (theoretically a superset which would be comprised of several netgroups):
    dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: dev_svr
    memberNisNetgroup: appusers
    memberNisNetgroup: unixadmin
    memberNisNetgroup: security
    memberNisNetgroup: architecture
    Patrick

  • Problem with ssh and bash-completion

    I and a co-worker are having a weird problem with ssh and bash-completion. We have a local config in .ssh/config with hosts we connect everyday. An example:
    host foo
    hostname foo.org
    user foobar
    host foobar
    hostname foobar.org
    user foobar
    When we try to type
    ssh foo<tab><tab>b<tab>
    the console just freeze and we can't type anything, everything we type is ignored, but after about 30 seconds the host is completed.
    This works a some time ago, so some upgrade make this happen. Anyone can reproduce this?

    quigybo wrote:
    Actually thinking about it, rather than using the semi-dodgy fix posted on the bug tracker, we can just test if the daemon is running since we are not on MacOS X. It is cleaner and 250 ms quicker.
    --- bash_completion.orig 2010-09-14 05:33:22.000000000 +0930
    +++ bash_completion 2010-09-14 05:45:04.000000000 +0930
    @@ -1316,10 +1316,12 @@
    # contains ";", it may mistify the result. But on Gentoo (at least),
    # -k isn't available (even if mentioned in the manpage), so...
    if type avahi-browse >&/dev/null; then
    - COMPREPLY=( "${COMPREPLY[@]}" $( \
    - compgen -P "$prefix$user" -S "$suffix" -W \
    - "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    - awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + if [ -n "$(pidof avahi-daemon)" ]; then
    + COMPREPLY=( "${COMPREPLY[@]}" $( \
    + compgen -P "$prefix$user" -S "$suffix" -W \
    + "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    + awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + fi
    fi
    # Add results of normal hostname completion, unless
    This is the same test as was used in bash-completion 1.1.
    Thanks  quigybo, I use your patch, the issue is gone
    Why does so many packages depends on Avahi? Maybe make it optdepends is
    enough?
    my laptop $ pacman -Qi avahi
    Required By : gnome-disk-utility gnome-vfs libcups mpd sane

  • How to configure ldap.ora with multiple ldap contexts

    Hello.
    My company has recently taken on another environment with it's own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both ldap configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default context)? Or is there a smooth way to populate 1 LDAP with the others data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
    Some basic info: LDAP is Oracle OID version 10gR2
    Please let me know if you have any useful ideas...

    Hi,
    Here is the of OVD benefits :
    1-Easy to setup and manage via our Management client; 2-Unifies multiple directories into a single access point; 3-Normalize and Unify multiple directories; 4-Directly accesses remote repositories;
    5-Allows a unified view of an entry using data from multiple repositories;6-Can act as an LDAP proxy and firewall;
    Why you can not use OVD to improve these? Read, LDAP to the other LDAP server for queries, allowing you to search both LDAP?
    I hope this helps.
    Thiago L Guimaraes

  • Error in authentication with ldap server with certificate

    Hi,
    i have a problem in authentication with ldap server with certificate.
    here i am using java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued the new certificate which is having the up to 5 years valid time.
    is java will authenticate up to one year only?
    Can any body help on this issue...
    Regards
    Ranga

    sorry i am gettting ythe same error
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    here when i am using the old certificate and changing the system date means i can get the authentication.
    can you tell where we can concentrate and solve the issue..
    where is the issue
    1. need to check with the ldap server only
    2. problem in java code only.
    thanks in advance

  • OIM 11g R1 LDAP Synch with OID.

    Hi,
    We are doing an LDAP Synch with OID directly. The users from various organisations in OIM needs to be synched to different OU's in OID, instead of a single container. How do we acheive this? would it be easy if we involve OVD also?

    Here is some sample code configuration which may give you a start - hope it helps.
    Sample code that can be called in a pre-process event handler to copy the users organinisation to the LDAP Organization Unit
    HashMap<String, Serializable> parameters = orchestration.getParameters();
    Serializable param = parameters.get("act_key");
    String act_key = null;
    if (param instanceof ContextAware) {
    act_key = ((ContextAware) param).getObjectValue().toString();
    } else {
    act_key = param.toString();
    if (act_key != null) {
    OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
    Set<String> retAttrs = new HashSet<String>();
    retAttrs.add("Organization Name");
    Organization org = null;
    try {
    org = orgMgr.getDetails(act_key, retAttrs, false);
    } catch (OrganizationManagerException e) {
    } catch (AccessDeniedException e) {
    String orgName = (String) org.getAttribute("Organization Name");
    orchestration.addParameter("LDAP Organization Unit", orgName);
    Sample container mapping rule
    <rule>
    <expression>LDAP Organization Unit=Test Organization</expression>
    <container>ou=Test Organization,ou=users,o=org</container>
    <description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
    </rule>
    Sample change in /db/LDAPUser
    <!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
    <!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
    <!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
    <reconAttr>
    <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
    <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
    <reconColName>RECON_ACT_KEY</reconColName>
    <emDataType>number</emDataType>
    <formFieldType/>
    <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
    </reconAttr>
    <reconAttr>
    <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
    <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
    <reconColName>RECON_ACT_KEY</reconColName>
    <emDataType>number</emDataType>
    <formFieldType/>
    <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
    </reconAttr>

  • BizTalkServer 2010 SFTP Adapter from CodePlex - Configuring send and receive locations with SSH public and private keys

    Hi there,
    I am looking for step by step instrcutions on how to configure SFTP Codeplex adapter for both receive and send ports.
    Out business partner with whom we push/poll the files from wants us to use SSH encryption/decryption etc.
    Just wondering if the following functionality is supported in Codeplex SFTP adatper without having to write any code.
    Appreciate if there is manaul to do this for SFTP. BTW I do have all the our public and private keys and business partners Public key for configuring.
    For Send port: 1. we would need to encrypt the file with our business partners public key
                          2. sign the file with our private key.
                          3. Send the file through to SSH client which eventually transfers to Remote server.
    Receive port:   1. Connect to SSH Server with SSH-2 key and receive the file
                          2. Verify the file's digital signature agaisnt the Business partners PGP public key
                          3. Decrypt the file using our PGP Public key
    Thanks in advance

    Yes it is supported.
    You can find its documentation in this link 
    You can find section X.509 Certificate Identity Keys
    You can set public and private key in property SSH Identity thumbprint  of send and receive port
    I prefer to test it using client tool like
    FileZilla or WinSCP then test it using sftp adapter
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

  • Problem when access to CSS with SSH

    Hi,
    We have an strange issue when we try to access to the management of the CSS with SSH protocol: we need to put the username twice.
    Is it a normal behaviour?
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    login as: test
    User Access Verification
    Username:test
    Password:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    test# show version
    Version:               sg0810106 (08.10.1.06)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.10.1.06
    Thanks.
    Best regards,
    Dani

    Hello Dani,
    This has been the behavior of the CSS when logging in via SSH since the product was introduced.  So yes, this is normal behavior for the CSS.
    Hope this helps,
    Sean

  • Errors in LDAP configuration with Shared Services

    Dear sirs,
    we are getting errors in LDAP configuration with Shared Services.
    Base DN is ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East
    The group cn is cn=AH
    In LDAP log you can see the applications is searching the group:
    "ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo"
    When it should be:
    “ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East”
    We think the problem is with space in Base DN "o=Grupo East", it is not properly considered.
    Error Codes
    EPMCSS-05145
    Thanks in advance

    Hi.
    Could you try to define the Base DN as :
    ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo\ East
    I don't know if will work fine.. but you can use special characteres using with the "\"
    Good luck.
    Best regards!

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
    Also, you need to setup up your client to use FQN as well (/etc/hosts).

  • Usage of external LDAP server with Portal

    Hi All,
    We are in a situation to use external LDAP server with WLP 8.1. These are the
    constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purpose
    If thats the case, how can we use Visitor Entitlements/Delegated Admin and Group
    creation using Portal Admin tool since this will write to the configured LDAP
    server.
    Can somebody answer my question:
    1. Can we use external LDAP server - just for authetication (I know this is possible
    by using JAAS LoginModule, but I just want to get confirmed on this ) and
    2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

    Thanks for th ereply. Some of your answers are not clear. Can you pls eloborate
    on this?? Pls see my comments below.
    "Johnson" <[email protected]> wrote:
    >
    Phil,
    Can I use embedded LDAP for production?
    Thanks
    Lawrence
    "Phil Griffin" <BEA> wrote:
    "Prashanth " <[email protected]> wrote in message
    news:[email protected]..
    Hi All,
    We are in a situation to use external LDAP server with WLP 8.1. Theseare
    the
    constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purpose
    If thats the case, how can we use Visitor Entitlements/Delegated Adminand
    Group
    creation using Portal Admin tool since this will write to the configuredLDAP
    server.
    Can somebody answer my question:
    1. Can we use external LDAP server - just for authetication (I knowthis
    is possible
    by using JAAS LoginModule, but I just want to get confirmed on this) and
    >
    You can add the external LDAP server just for authentication, but in
    versions through
    8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean)
    during
    the login process (this check has been removed in SP3). A work around
    is to
    duplicate
    the user in a provider that does impl UserReaderMBean.
    Prashanth : You mean to say we have to duplicate the User in embedded LDAP server
    also??
    >>
    2. Use default and embedded LDAP server for all others like Group/VisitorEntitlements/DAs.
    >
    Yes, the default/embedded LDAP can still be used for DA/visitor
    entitlements. In the current
    release, the Portal Admin Tools can only be configured to use a single
    authentication provider
    while forming entitlements. In SP3, all configured providers are
    listed/usable by the tools.Prashanth : How can we configure Portal Admin tool to use authentication provider
    for entitlements??
    >>
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

  • LDAP Intigration with Oracle BPM 10.3.0.0.0

    Hi,
    I want to know about integration with LDAP connectivity with Oracle BPM suite.
    We don’t have any knowledge between the integration on Oracle BPM suit & LDAP.
    Please do the needful on the same as soon as possible.
    With Best Regards,
    Ratna Prasad.

    I configured LDAP directory, and I was able to see the participants. However the group information is not retrieved properly. Here is the error
    (cont) ] Main: Invalid characters found for attribute [OU name].
    [     (cont)     ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
    [     (cont)     ] Main: The invalid character is: [].
    [     (cont)     ] Main:
    [     (cont)     ] Main: fuego.directory.exception.InvalidAttributeValueException: Invalid characters found for attribute [OU name].
    [     (cont)     ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
    [     (cont)     ] Main: The invalid character is: [].
    [     (cont)     ] Main:
    Any ideas on what can be the possible solution?
    Thanks

  • RMI with SSH

    As I understand it, RMI listens on port 1099 and opens other ports upon a connection. This is why we have to open ports 1099 and >1023 on the server firewall. Which is great for all the users on the LAN.
    The site will only let us connect to this system through SSH (port 22). We might be able to use ssh to create a poor mans VPN to connect to RMI as in: ssh -L 1234:localhost:1099 user@remotehost. This fails to work because RMI uses more than just port 1099. If it were something like telnet, ssh -L 1234:localhost:23 user@remotehost it would just work.
    What I think I need is something running on the remote server which connects to port 1099 and listens on a port, for example, 1098. We could then connect with ssh -L 1234:localhost:1098 user@remotehost and packets would be passed to the appropriate RMI connection. Any ideas on how this could be done AND if it could work.
    **CRITICAL: I am not interested in changing the application running RMI at all. It works for everthing the end users need and don't fix it if it isn't broken. In any case, this isn't just about RMI, there are three non-RMI apps which do the same thing, so one solution would be used for all four of them.

    As I understand it, RMI listens on port 1099 and opens other ports upon a connection.No. The RMI Registry listens at port 1099 unless you tell it otherwise. Remote objects listen at system-chosen ports unless you specify a specific port when constructing/exporting them. You can use port 1099 for everything if:
    1. You create the Registry via LocateRegistry.createRegistry() in the same JVM that exports your remote objects.
    2. You cite port 1099 when constructing (super(1099)) or exporting (UnicastRemoteObject.exportObject(obj, 1099)) remote objects.
    Having done that, the only server-side port you need to be concerned with is 1099. That's a reserved IANA port number and it should be possible to get it opened in the firewall.
    And neither RMI nor TCP 'opens other ports' on inbound connections.

  • Setting up LDAP realm with WLI 7

    Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7

    Pramit Basu <[email protected]> wrote:
    Any pointer to Step by step instruction on to how to set up LDAP realm
    for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
    1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
    First, please backup your original config.xml file. Then, you can start configure
    the realms. You can do this by modifying the config.xml file, or through WLS console.
    After you have done this, your config.xml file should contain the following:
    <LDAPRealm AuthProtocol="none"
    Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
    GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
    GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
    LDAPURL="ldap://jpengdesk:389"
    Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
    UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
    UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
    --- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
    values are correct according to the groups and users stored on your LDAP server.
    In my example here, "beasys.com" is my root entry, and I have all the users created
    underneath of OU "People", and I have all the groups created in OU "Groups".
    <CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
    Realm"/>
    --- You can do this in console by clicking on "Caching Realms", then click on
    the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
    select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
    <Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
    --- you can do this in console by clicking on "Compatibility Security", then click
    on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
    from the pull down comb box.
    Please make sure all the names are related. See above example, the value in blue
    color should match, and the value in red color should match too.
    Please see the attached config.xml file for reference.
    2) Create the users in LDAP server. In my example, I simply created 3 users underneath
    of OU &#8220;People&#8221;, they are:
    weblogic
    wlisystem
    admin
    &#8220;weblogic&#8221; is the user I used as my system administrator user, which
    I used to boot my WLS server and access my WLS console.
    &#8220;wlisystem&#8221; and &#8220;admin&#8221; are the users created for WLI
    component.
    3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
    all these groups underneath of OU &#8220;Groups&#8221;. These groups are:
    ConfigureComponents
    Administrators
    wlpiUsers
    MonitorInstance
    ExecuteTemplate
    CreateTemplate
    UpdateTemplate
    DeleteTemplate
    AdminsterUser
    ConfigureSystem
    wlpiAdministrators
    Also, add the users created in step 2 into all of these groups.
    4) Clean up the fileRealm.properties file.
    Backup your original fileRealm.properties file. Then, remove all the entries starting
    with &#8220;user.xxx&#8221; and &#8220;group.xxx&#8221;, only leave those entries
    starting with &#8220;acl.xxx&#8221;.
    Please see the attached &#8220;fileRealm.properties&#8221; file for reference.
    5) Restart your WLI server. Verify the users and groups you defined in LDAP server
    are displayed in WLS console correctly. You can see the user and group information
    in &#8220;Compatibility Security&#8221; à &#8220;Users&#8221;, and &#8220;Compatibility
    Security&#8221; à &#8220;Groups&#8221; respectively.
    6) Start your studio to design a simple Workflow. When you login, the authentication
    of your username and password is against the LDAP server, since you don&#8217;t
    have any user entries in your fiel realm any more.
    7) Start your Worklist to execute the workflow. Also, When you login, the authentication
    of your username and password is against the LDAP server, since you don&#8217;t
    have any user entries in your fiel realm any more.
    Once you execute the workflow, you can verify that workflow instance in Studio.
    You can monitor the instance, and delete the instance.

Maybe you are looking for