LDAP netgroup with SSH
I am planning to integrate LDAP netgroups with SSH on Solaris 10 (Sun native SSH, SUNWsshxx) in order to restrict unauthorized users from sshing in. Any advice?
i've only done this with java directory server - dscc (or whatever it's called) and opends. only real troubles i've had are when i've done something wrong in pam.conf or the compat line in nsswitch.conf.
works pretty well here
Similar Messages
-
Sudo with LDAP NetGroups Solaris 10
Hi All,
Can some one describe me the steps to configure sudoers to work with LDAP NetGroups Solaris 10 ?
I am using "sudo 1.7.2p6 " right now.
I am able to authenticate using the Netgroups , but not able to using sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like err in /var/adm/messages.
Gary -
I've nearly got my LDAP deployment complete, but one thing I'm missing right now is netgroup-like restrictions for logins. I spoke with a Sun PS guy recently and he recommended this as the preferred method of restricting access to hosts, so I'm game.
The problem I have right now is that I can't seem to find any documentation on how to set this up. Most references using the word "netgroup" are for NIS, naturally. If anyone has solid docs on how to set this up for LDAP I'd appreciate it.
One thing to note is that I'm not transitioning from NIS. I have only DNS in my environment as a naming service, and so I couldn't just run the PADL tools to migrate.
My setup thus far is a 3 master configuration, with 3 hubs, and approximately 100 users, total. Please ask if my setup requires any clarification.
Thanks!
Patrick
Just want to add more information:
1) The sample Solaris10 /etc/pam.conf can be found at http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
(For this sample to work on Solaris8/9, comment out all the pam_unix_cred.so.1 lines)
2) Making sure "getent passwd userid" shows something is NOT enough to make it work; objectClass "shadowAccount" must be defined in the People entry. Below is an example:
bash-2.05# ldaplist -l passwd tuser2
dn: uid=tuser2, ou=People, dc=example,dc=com
givenName: Test
sn: User2
loginShell: /bin/sh
uidNumber: 9998
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser2
cn: Test User2
homeDirectory: /var/tmp
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
3) Edit /etc/nsswitch.conf and restart nscd.
Change this:
passwd: files ldap
netgroup: files
To that:
passwd: compat
passwd_compat: ldap
netgroup: ldap
Note that there is no need to change "shadow:" and
"group:", anyone pls correct me if I am wrong.
I have these two lines for both Solaris and Linux
clients:
shadow: files ldap
group: files ldap
4) Add these lines to the end of /etc/passwd and run
"pwconv".
+@netgroup1:x:::::
+@netgroup2:x:::::
-:x:::::
The corresponding DIT:
# ldaplist -l netgroup
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,test,)
nisNetgroupTriple: (,tuser2)
I noticed that Solaris will add corresponding lines
to /etc/shadow after "pwconv" is run, whereas RHEL
will not.
5) The same works for BOTH SUN ONE DS5.2 and OpenLDAP server netgroup LDAP maps, as well as BOTH SUN Solaris Native LDAP Clients and RHEL OpenLDAP+PADL Linux LDAP Clients.
6) For Non-Netgroup accounts, "id userid" and "su -
userid" will show these error messages:
Solaris:
id: invalid user name: "userid"
su: unknown id: userid
Linux:
id: userid: No such user
su: user userid does not exist
7) Some examples of netGroupTriple:
# nisNetgroupTriple Examples: (host,user,domain)
# jdoe is in the appuser netgroup for all servers,
all domains.
# scarter is in the appuser netgroup only on the
server mars.
# all users are in the appuser netgroup on the server
pluto.
dn: cn=appuser,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appuser
HTH.
Gary
Gary,
Excellent summary...just what I would have looked for about 2 months ago :)
I would like to add that you can indeed nest netgroups. The following is how you would nest Gary's "appuser" netgroup into another, named prod_appservers (theoretically a superset which would be comprised of several netgroups):
dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: dev_svr
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
Patrick -
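The lookups Gary and Patrick describe above (nisNetgroupTriple matching, nested memberNisNetgroup entries, and the +@netgroup / - compat lines appended to /etc/passwd), modelled in Python as an added example that is not part of the thread. The netgroup data and the passwd tail are constructed to mirror the ldaplist output posted above, including the (,tuser2) triple exactly as it appears there with its missing comma; the resolver shows what each user gets on each host and flags triples that do not parse. Real resolution happens in nsswitch/libc on the client; this only reproduces the decision logic so a rule set can be checked before it is pushed to the directory.

```python
"""Netgroup-based login restriction, modelled after the thread above.

Constructed example: the netgroup entries mirror the ldaplist output posted
in the thread; the compat rules mirror the +@netgroup / - lines added to
/etc/passwd.  Nothing here talks to LDAP; it only shows how the lookups
combine so you can reason about who gets in on which host.
"""
from __future__ import annotations

# Constructed LDAP data: cn -> (nisNetgroupTriple values, memberNisNetgroup values)
NETGROUPS = {
    "netgroup1": (["(,gtay,)", "(,tuser,)"], []),
    "netgroup2": (["(,test,)", "(,tuser2)"], []),          # second triple malformed, as posted
    "appuser": (["(,jdoe,)", "(mars,scarter,)", "(pluto,,)"], []),
    "prod_appservers": ([], ["appuser", "unixadmin"]),      # nested; unixadmin deliberately undefined
}

# Constructed /etc/passwd tail (a real file also carries the usual local accounts).
PASSWD_LINES = [
    "root:x:0:0:Super-User:/:/sbin/sh",
    "+@netgroup1:x:::::",
    "+@netgroup2:x:::::",
    "+@prod_appservers:x:::::",
    "-:x:::::",
]


def parse_triple(raw: str) -> tuple[str | None, str | None, str | None]:
    """Parse '(host,user,domain)'; an empty field is a wildcard (None).
    Raises ValueError on anything that is not exactly three fields."""
    raw = raw.strip()
    if not (raw.startswith("(") and raw.endswith(")")):
        raise ValueError(f"not a triple: {raw!r}")
    fields = raw[1:-1].split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields in {raw!r}, got {len(fields)}")
    host, user, domain = (f.strip() or None for f in fields)
    return host, user, domain


def in_netgroup(name: str, user: str, host: str, domain: str | None = None,
                _seen: set[str] | None = None) -> bool:
    """True if (host,user,domain) matches a triple in `name` or any nested netgroup."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in NETGROUPS:   # cycle guard; unknown groups match nobody
        return False
    seen.add(name)
    triples, members = NETGROUPS[name]
    for raw in triples:
        try:
            t_host, t_user, t_domain = parse_triple(raw)
        except ValueError:
            continue  # a malformed triple admits nobody; malformed_triples() reports it
        if (t_host is None or t_host == host) and (t_user is None or t_user == user) \
                and (t_domain is None or t_domain == domain):
            return True
    return any(in_netgroup(m, user, host, domain, seen) for m in members)


def malformed_triples() -> list[tuple[str, str]]:
    """(netgroup, triple) pairs that fail to parse; worth running after every LDAP edit."""
    bad = []
    for name, (triples, _) in NETGROUPS.items():
        for raw in triples:
            try:
                parse_triple(raw)
            except ValueError:
                bad.append((name, raw))
    return bad


def login_allowed(user: str, host: str, passwd_lines=PASSWD_LINES) -> str:
    """Apply the compat rules in file order; the first matching line decides.
    Returns 'allowed', 'denied' or 'unknown' (no line matched)."""
    for line in passwd_lines:
        name = line.split(":", 1)[0]
        if name.startswith(("+", "-")):
            verdict = "allowed" if name[0] == "+" else "denied"
            selector = name[1:]
            if selector == "":                      # "+" / "-" alone: everybody
                return verdict
            if selector.startswith("@"):            # "+@ng" / "-@ng": netgroup
                if in_netgroup(selector[1:], user, host):
                    return verdict
            elif selector == user:                  # "+alice" / "-alice": single user
                return verdict
        elif name == user:                          # ordinary local account
            return "allowed"
    return "unknown"


if __name__ == "__main__":
    for u, h in [("gtay", "web1"), ("tuser2", "web1"), ("scarter", "mars"),
                 ("scarter", "venus"), ("nobody", "pluto"), ("root", "web1")]:
        print(f"{u}@{h}: {login_allowed(u, h)}")
    print("malformed:", malformed_triples())
```

Two things this makes visible that are easy to miss when reading LDIF by hand: the (pluto,,) triple admits every user on that host, exactly as the comment in Gary's post says, and that grant is inherited by any netgroup that nests appuser; and in this model the triple with the missing comma admits nobody, so tuser2 falls through to the trailing "-" line and is denied, which is why malformed_triples() is worth running after each directory change.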
Problem with ssh and bash-completion
I and a co-worker are having a weird problem with ssh and bash-completion. We have a local config in .ssh/config with hosts we connect everyday. An example:
host foo
hostname foo.org
user foobar
host foobar
hostname foobar.org
user foobar
When we try to type
ssh foo<tab><tab>b<tab>
the console just freezes and we can't type anything; everything we type is ignored, but after about 30 seconds the host is completed.
This worked some time ago, so some upgrade made this happen. Can anyone reproduce this?
quigybo wrote:
Actually thinking about it, rather than using the semi-dodgy fix posted on the bug tracker, we can just test if the daemon is running since we are not on MacOS X. It is cleaner and 250 ms quicker.
--- bash_completion.orig 2010-09-14 05:33:22.000000000 +0930
+++ bash_completion 2010-09-14 05:45:04.000000000 +0930
@@ -1316,10 +1316,12 @@
# contains ";", it may mistify the result. But on Gentoo (at least),
# -k isn't available (even if mentioned in the manpage), so...
if type avahi-browse >&/dev/null; then
- COMPREPLY=( "${COMPREPLY[@]}" $( \
- compgen -P "$prefix$user" -S "$suffix" -W \
- "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
- awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
+ if [ -n "$(pidof avahi-daemon)" ]; then
+ COMPREPLY=( "${COMPREPLY[@]}" $( \
+ compgen -P "$prefix$user" -S "$suffix" -W \
+ "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
+ awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
+ fi
fi
# Add results of normal hostname completion, unless
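Review bot: the new `[ -n "$(pidof avahi-daemon)" ]` guard assumes `pidof` exists, which is not true on every platform this completion file runs on (the prose above already limits the fix to "not on MacOS X"); where it is missing the test silently fails closed and avahi host completion disappears. Guard it the same way `avahi-browse` is guarded on the line above, for example `if type pidof >&/dev/null && [ -n "$(pidof avahi-daemon)" ]; then`, or fold both conditions into the outer `if` so the hunk does not add a second nesting level around the unchanged `compgen` block.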
This is the same test as was used in bash-completion 1.1.
Thanks quigybo, I use your patch, the issue is gone
Why do so many packages depend on Avahi? Maybe making it an optdepend is enough?
my laptop $ pacman -Qi avahi
Required By : gnome-disk-utility gnome-vfs libcups mpd sane -
How to configure ldap.ora with multiple ldap contexts
Hello.
My company has recently taken on another environment with its own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora between the two LDAP configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default contexts)? Or is there a smooth way to populate one LDAP with the other's data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
Some basic info: LDAP is Oracle OID version 10gR2
Please let me know if you have any useful ideas...
Hi,
Here is a list of OVD benefits:
1- Easy to set up and manage via our Management client;
2- Unifies multiple directories into a single access point;
3- Normalizes and unifies multiple directories;
4- Directly accesses remote repositories;
5- Allows a unified view of an entry using data from multiple repositories;
6- Can act as an LDAP proxy and firewall;
Why can you not use OVD for this? It redirects queries to the other LDAP server, allowing you to search both LDAPs.
I hope this helps.
Thiago L Guimaraes -
Error in authentication with ldap server with certificate
Hi,
I have a problem with authentication against an LDAP server with a certificate.
Here I am using the Java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued a new certificate which is valid for up to 5 years.
Will Java authenticate for up to one year only?
Can anybody help with this issue...
Regards
Ranga
Sorry, I am getting the same error:
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
Here, when I use the old certificate and change the system date, I can get the authentication.
Can you tell me where we should concentrate to solve the issue? Where is the issue:
1. need to check with the LDAP server only
2. problem in the Java code only.
thanks in advance -
OIM 11g R1 LDAP Synch with OID.
Hi,
We are doing an LDAP Synch with OID directly. The users from various organisations in OIM need to be synched to different OUs in OID, instead of a single container. How do we achieve this? Would it be easier if we involve OVD as well?
Here is some sample code and configuration which may give you a start - hope it helps.
Sample code that can be called in a pre-process event handler to copy the user's organisation to the LDAP Organization Unit
    // Imports needed at the top of the event handler class (OIM 11g R1 platform API)
    import java.io.Serializable;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Set;
    import oracle.iam.identity.exception.OrganizationManagerException;
    import oracle.iam.identity.orgmgmt.api.OrganizationManager;
    import oracle.iam.identity.orgmgmt.vo.Organization;
    import oracle.iam.platform.Platform;
    import oracle.iam.platform.authz.exception.AccessDeniedException;
    import oracle.iam.platform.context.ContextAware;

    // Inside the handler: resolve the user's organization key from the orchestration
    HashMap<String, Serializable> parameters = orchestration.getParameters();
    Serializable param = parameters.get("act_key");
    String act_key = null;
    if (param instanceof ContextAware) {
        act_key = ((ContextAware) param).getObjectValue().toString();
    } else if (param != null) {
        act_key = param.toString();
    }
    if (act_key != null) {
        OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add("Organization Name");
        Organization org = null;
        try {
            org = orgMgr.getDetails(act_key, retAttrs, false);
        } catch (OrganizationManagerException e) {
            // lookup failed: leave org null so no OU parameter is set
        } catch (AccessDeniedException e) {
            // caller may not read the organization: same handling
        }
        if (org != null) {
            // Copy the organization name into the parameter the container rule matches on
            String orgName = (String) org.getAttribute("Organization Name");
            orchestration.addParameter("LDAP Organization Unit", orgName);
        }
    }
Sample container mapping rule
<rule>
<expression>LDAP Organization Unit=Test Organization</expression>
<container>ou=Test Organization,ou=users,o=org</container>
<description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
</rule>
Sample change in /db/LDAPUser
<!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
<!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
<!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr> -
Hi there,
I am looking for step by step instructions on how to configure the SFTP Codeplex adapter for both receive and send ports.
Our business partner with whom we push/poll the files wants us to use SSH encryption/decryption etc.
Just wondering if the following functionality is supported in the Codeplex SFTP adapter without having to write any code.
Appreciate it if there is a manual to do this for SFTP. BTW I do have all of our public and private keys and the business partner's public key for configuring.
For Send port: 1. we would need to encrypt the file with our business partner's public key
2. sign the file with our private key.
3. Send the file through to the SSH client which eventually transfers it to the remote server.
Receive port: 1. Connect to the SSH server with an SSH-2 key and receive the file
2. Verify the file's digital signature against the business partner's PGP public key
3. Decrypt the file using our PGP public key
Thanks in advance
Yes it is supported.
You can find its documentation in this link
You can find section X.509 Certificate Identity Keys
You can set public and private key in property SSH Identity thumbprint of send and receive port
I prefer to test it using client tool like
FileZilla or WinSCP then test it using sftp adapter
-
Problem when access to CSS with SSH
Hi,
We have a strange issue when we try to access the management of the CSS with the SSH protocol: we need to enter the username twice.
Is it a normal behaviour?
login as: test
User Access Verification
Username:test
Password:
test# show version
Version: sg0810106 (08.10.1.06)
Flash (Locked): 08.10.1.06
Flash (Operational): 08.10.1.06
Thanks.
Best regards,
Dani
Hello Dani,
This has been the behavior of the CSS when logging in via SSH since the product was introduced. So yes, this is normal behavior for the CSS.
Hope this helps,
Sean -
Errors in LDAP configuration with Shared Services
Dear sirs,
we are getting errors in LDAP configuration with Shared Services.
Base DN is ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East
The group cn is cn=AH
In LDAP log you can see the applications is searching the group:
"ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo"
When it should be:
“ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo East”
We think the problem is with space in Base DN "o=Grupo East", it is not properly considered.
Error Codes
EPMCSS-05145
Thanks in advance
Hi.
Could you try to define the Base DN as:
ou=Grupos,cn=East,o=SSGH,c=br,o=Grupo\ East
I don't know if it will work, but you can escape special characters with "\".
Good luck.
Best regards! -
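DN escaping according to RFC 4514, added here as an example that is not part of the thread. It relates to the "o=Grupo East" Base DN above: an interior space in an attribute value needs no escape, while a leading or trailing space, a leading "#", and the characters , + " \ < > ; do. The escaper and parser are generic and also handle escaped separators and hex escapes, which the thread does not show; the test values are constructed.

```python
"""RFC 4514 DN escaping and parsing. Added example, not part of the thread.

Covers the thread's 'o=Grupo East' case (interior space: no escape needed)
plus the general rules: a leading/trailing space, a leading '#', NUL and the
characters , + " \\ < > ; must be escaped inside an attribute value.
"""
HEX = set("0123456789abcdefABCDEF")
SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                 # NUL must be hex-escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # only leading/trailing spaces
        elif ch == "#" and i == 0:
            out.append("\\#")                  # a leading '#' would start a BER hex string
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Join (attribute, value) pairs into a DN string, escaping each value."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def _split_unescaped(s: str, sep: str) -> list:
    """Split on `sep`, skipping separators that are preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _rstrip_unescaped(raw: str) -> str:
    """Drop trailing spaces unless the last one is escaped (preceded by an odd run of '\\')."""
    end = len(raw)
    while end > 0 and raw[end - 1] == " ":
        j, n = end - 1, 0
        while j > 0 and raw[j - 1] == "\\":
            n += 1
            j -= 1
        if n % 2 == 1:
            break
        end -= 1
    return raw[:end]


def unescape_value(raw: str) -> str:
    """Undo RFC 4514 escapes. Hex pairs decode to single code points; multi-byte
    UTF-8 sequences given as \\XX\\YY are not reassembled here."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(raw[i + 1])
            i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> list:
    """Parse a DN string into [(attribute, value), ...]; single-valued RDNs only."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, eq, raw = rdn.partition("=")      # attribute types never contain '='
        if not eq:
            raise ValueError(f"RDN without '=': {rdn!r}")
        rdns.append((attr.strip(), unescape_value(_rstrip_unescaped(raw.lstrip()))))
    return rdns
```

Both spellings from the thread parse to the same value: parse_dn("...o=Grupo East") and parse_dn("...o=Grupo\ East") each yield ("o", "Grupo East"), so a server that rejects one but not the other is doing something other than RFC 4514 parsing, and the lost " East" in the logged search base points at the client's own DN handling.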
LDAP setup with SSL - Can't use tls auth type
I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
Jay
When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
Also, you need to set up your client to use the FQN as well (/etc/hosts). -
Usage of external LDAP server with Portal
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the
constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group
creation using Portal Admin tool since this will write to the configured LDAP
server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible
by using JAAS LoginModule, but I just want to get confirmed on this ) and
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat.
Thanks for the reply. Some of your answers are not clear. Can you please elaborate on this? Please see my comments below.
"Johnson" <[email protected]> wrote:
>
Phil,
Can I use embedded LDAP for production?
Thanks
Lawrence
"Phil Griffin" <BEA> wrote:
"Prashanth " <[email protected]> wrote in message
news:[email protected]..
Hi All,
We are in a situation to use external LDAP server with WLP 8.1. These are the constraints we have to deal with:
1. Only read is allowed from this LDAP server.
2. This would be used for authentication purpose
If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group creation using Portal Admin tool since this will write to the configured LDAP server.
Can somebody answer my question:
1. Can we use external LDAP server - just for authentication (I know this is possible by using JAAS LoginModule, but I just want to get confirmed on this) and
>
You can add the external LDAP server just for authentication, but in versions through 8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during the login process (this check has been removed in SP3). A work around is to duplicate the user in a provider that does impl UserReaderMBean.
Prashanth : You mean to say we have to duplicate the User in embedded LDAP server also??
>>
2. Use default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs.
>
Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current release, the Portal Admin Tools can only be configured to use a single authentication provider while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
Prashanth : How can we configure Portal Admin tool to use authentication provider for entitlements??
>>
Any relevant pointers are also welcome.
TIA,
Prashanth Bhat. -
LDAP Integration with Oracle BPM 10.3.0.0.0
Hi,
I want to know about integration with LDAP connectivity with Oracle BPM suite.
We don’t have any knowledge of the integration between Oracle BPM suite and LDAP.
Please do the needful on the same as soon as possible.
With Best Regards,
Ratna Prasad.
I configured the LDAP directory, and I was able to see the participants. However the group information is not retrieved properly. Here is the error:
[ (cont) ] Main: Invalid characters found for attribute [OU name].
[ (cont) ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
[ (cont) ] Main: The invalid character is: [].
[ (cont) ] Main:
[ (cont) ] Main: fuego.directory.exception.InvalidAttributeValueException: Invalid characters found for attribute [OU name].
[ (cont) ] Main: Detail:Attribute [OU name] cannot be assigned the following value: [Dev/Test].
[ (cont) ] Main: The invalid character is: [].
[ (cont) ] Main:
Any ideas on what can be the possible solution?
Thanks -
As I understand it, RMI listens on port 1099 and opens other ports upon a connection. This is why we have to open ports 1099 and >1023 on the server firewall. Which is great for all the users on the LAN.
The site will only let us connect to this system through SSH (port 22). We might be able to use ssh to create a poor mans VPN to connect to RMI as in: ssh -L 1234:localhost:1099 user@remotehost. This fails to work because RMI uses more than just port 1099. If it were something like telnet, ssh -L 1234:localhost:23 user@remotehost it would just work.
What I think I need is something running on the remote server which connects to port 1099 and listens on a port, for example, 1098. We could then connect with ssh -L 1234:localhost:1098 user@remotehost and packets would be passed to the appropriate RMI connection. Any ideas on how this could be done AND if it could work.
**CRITICAL: I am not interested in changing the application running RMI at all. It works for everything the end users need, and don't fix it if it isn't broken. In any case, this isn't just about RMI; there are three non-RMI apps which do the same thing, so one solution would be used for all four of them.
> As I understand it, RMI listens on port 1099 and opens other ports upon a connection.
No. The RMI Registry listens at port 1099 unless you tell it otherwise. Remote objects listen at system-chosen ports unless you specify a specific port when constructing/exporting them. You can use port 1099 for everything if:
1. You create the Registry via LocateRegistry.createRegistry() in the same JVM that exports your remote objects.
2. You cite port 1099 when constructing (super(1099)) or exporting (UnicastRemoteObject.exportObject(obj, 1099)) remote objects.
Having done that, the only server-side port you need to be concerned with is 1099. That's a reserved IANA port number and it should be possible to get it opened in the firewall.
And neither RMI nor TCP 'opens other ports' on inbound connections. -
Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
> Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please back up your original config.xml file. Then, you can start configuring
the realms. You can do this by modifying the config.xml file, or through WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select "MyCaching Realm"
from the pull down combo box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” → “Users”, and “Compatibility
Security” → “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
7) Start your Worklist to execute the workflow. Also, when you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your file realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance.