LDAP Provider and BEA 9.1 Local Groups

Our developers have written an application that has a group defined within an xml file. (for clarity we will call the group myBeaGroup.)
We have set up the bea 9.1 server to use the IDs within our LDAP server.
When I log into the BEA console, I can see the user IDs but I can not find any way of associating those IDs to the myBeaGroup security group. I have tried to change the provider of the group, but the only provider we see is the default provider.
Would someone please assist me to resolve this issue?
Message was edited by:
jprosiak

Thats your only option, in previous versions they would be removed by the garbage collector, on 9.x, theyll remain as local users, unless they match the LDAP userID, youll end up with two users in CUCM
Sent from Cisco Technical Support iPad App

Similar Messages

LDAP Users and Groups

Hi,

I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:

com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.


It seems that this needs to be setup. How do I do this?


Some general notes on LDAP:

I think that in a production environment it is of great value to manage users and groups in a LDAP directory. For instance we have a company directory which contains all users. It seems that users from LDAP can not been added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
As in previous weblogic releases the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually managing LDAP users and groups in one place would be a tremendous improvement for us.

Another thing on my wishlist are examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out of the box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.

It would be interesting to read what Bea and other developer think about this.

Kind regards,

Kai


Marcus,
Yes, I am using 9.2 TP.
We are already using LDAP for user management with 8.1.
Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
java.lang.NullPointerException at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122) at util.tree.TreeController.constructTree(TreeController.java:142) at util.tree.TreeController.buildTree(TreeController.java:422) at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source) at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285) at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336) at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)
java.lang.NullPointerException
java.lang.NullPointerException
at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
at util.tree.TreeController.constructTree(TreeController.java:142)
at util.tree.TreeController.buildTree(TreeController.java:422)
at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

HT4837 3rd Party LDAP users in local groups aren't recognized by wiki

Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?

Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?

How can I use PowerShell 3.0 cmdlets or script to list all the local groups and local users of a server?

Using PowerShell 3.0 (And if possible the CIM, not WMI cmdlet), how can I script with | out-file C:\<filename>.txt or .csv option to list all local user accounts & local groups
on remote computers?
Thank You!

I don't recall PowerShell V3 introducing anything new to handle local users and groups. You need to use PowerShell V1 methods, using the [ADSI] accelerator and the WinNT: provider. The scripts linked above show this. No need to use WMI (which would probably
be slower).
Here is a script I've used to enumerate all local groups and their members:
$Computer
= "MyServer"
$Computer =
[ADSI]"WinNT://$Computer"
$Groups =
$Computer.psbase.Children | Where {$_.psbase.schemaClassName
-eq "group"}
ForEach ($Group
In $Groups)
 "Group: "
+ $Group.Name
 $Members
= @($Group.psbase.Invoke("Members"))
 ForEach ($Member
In $Members)
 $Class
= $Member.GetType().InvokeMember("Class",
'GetProperty', $Null,
$Member, $Null)
 $Name
= $Member.GetType().InvokeMember("Name",
'GetProperty', $Null,
$Member, $Null)
 "-- Member: $Name ($Class)"
A similar script to enumerate all local users would be:
$Computer
= "MyServer"
$Computer =
[ADSI]"WinNT://$Computer"
$Users =
$Computer.psbase.Children | Where {$_.psbase.schemaClassName
-eq "user"}
ForEach ($User
In $Users)
 "User: "
+ $User.Name
Richard Mueller - MVP Directory Services

LDAP UID and local UID different

I have a 10.5 server running LDAP with a master and a replica. In the LDAP i have a user who was deleted and the readded to the LDAP to correct an issue. Now on the replica that users LDAP id and her id from the command line command id are different which is preventing her from syncing. I have tried to remove and readd her again but I can not get the local id to go away. There is no user id for this user in any of the local files or databases that I can find.
How do I delete the user so the command line command ID does not see her so I can create her account with the correct user id??

Hi Wajid,
I've done this by making the APEX ID a copy of the LDAP ID - then the APEX IDs are put in APEX Groups, which feed the Authorization Schemes that grant access to regions/tabs/fields, etc.
I no longer manage passwords, but the Apex Group still recognizes the :APP_USER.
Let me know if this doesn't make sense, or I need to get more detailed.
Rich

A member was added or deleted to a security-enabled local group. (4732 and 4733)

Hi Team,
We are getting below alerts continuously. it is specifying that user is adding and removing from security group. But it is happening automatically and we've checked no one is performing such operation. And we read on some site it happened on domain controller
but also our share point farm server is not on domain controller. Please find the alert below and suggest what we should do so that we'll not get this alert again. Thanks in advance.
A member was added to a security-enabled local group.
Subject:
Security ID:
POSTEN\s-sharep_farm
Account Name:
S-ShareP_Farm
Account Domain:
POSTEN
Logon ID:
0x8a121
Member:
Security ID:
NETWORK SERVICE
Account Name:
Group:
Security ID:
BUILTIN\IIS_IUSRS
Group Name:
IIS_IUSRS
Group Domain:
Builtin
Additional Information:
Privileges

Hi Kamal,
Per my knowledge, SharePoint does not have the function to audit the changes in domain groups.
What is “From” email address of the alerts?
Please check if you have configured Windows System Resource Manager to send e-mail notifications when an event is logged firstly.
https://technet.microsoft.com/en-us/library/cc732728.aspx
And it seems that the System Center Operations Manager(SCOM) can set the alert for auditing the changes to the local group membership.
Please also check if you have installed SCOM and set rule to send the alerts in SCOM.
http://blogs.technet.com/b/nzdse/archive/2009/11/10/audit-alert-scenarios-system-center-operations-manager-opsmgr-2007-r2.aspx
Best regards.
Thanks
Victoria Xia
TechNet Community Support

Can sap LDAP read and sync this group

Hello
I configure LDAP in my sap abap system and its run ok on ou.
But in my company I have lots of users and not all need sap, and the users are in some ouu2019s .
I create group in AD that called SAP_USERS and I add same users to this group.
Can sap LDAP read and sync this group?
Thanks
Nir

Hello,
have you find a solution for your problem?
Could you share the solution with us?
Thank you and Regards
Matteo

My SCCM 2007 Secondary Site Servers have multiple "SMS_SiteSystemToSiteServerConnection_ SiteCode " and "SMS_SiteToSiteConnection_ SiteCode " local groups

My organization is going through a SCCM 2012 migration and I was asked about our current SCCM 2007 Secondary Sites and when I remoted into my secondary site servers I saw that two of the three servers have multiple "SMS_SiteSystemToSiteServerConnection_<SiteCode>"
and "SMS_SiteToSiteConnection_<SiteCode>" local groups.
This just seemed quite odd and I wanted to know if anyone has dealt with this before.
Thank you

Thanks for your reply Eswar.
One of the SMS_SiteToSiteConnection_<SiteCode>
groups on two of my Secondary Site servers I believe are configured correctly and they both have my Primary Site Server as a member, but the
SMS_SiteSystemToSiteServerConnection_<SiteCode> group is empty. Is the
SMS_SiteSystemToSiteServerConnection_<SiteCode> group supposed to contain my Primary Site server as well? Both the SMS_SiteSystemToSiteServerConnection_<SiteCode>
and the
SMS_SiteToSiteConnection_<SiteCode> groups on my Primary Site Server have my Secondary Site Servers as members.
Is this correct?
I'm wondering now if the strange groups with the odd site codes that don't even exist were created when the secondary sites were initially being created a while back. From the documentation, it looks like the former admin initially configured the secondary
sites using a PowerShell script created by Kaido Jarvemets. According to some of the notes I have read, the admin kept uninstalling and re-installing the sites when they were not showing up in the SCCM 2007 Admin console, but apparently they simply forgot
to configure a Sender and an Address, if that makes any sense to you.
So, perhaps these groups ending with an odd Secondary Site code may have been a typo during one of the installation attempts? If this is the case, can these groups be deleted?
One thing I forgot to mention was that the Secondary Site servers belong to a Global Security AD group and that group is used to add them to both the SMS_SiteSystemToSiteServerConnection_<SiteCode
and the SMS_SiteToSiteConnection_<SiteCode>
groups on the Primary Site server.
Is this allowed?
Thanks

LDAP user and group configuration in ADF application

Hi All,
I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
However not added any user in jazn-data.xml. Which i guess not required because it will picked from LDAP.
Now how to configure the JDeveloper to use those users ? What changes need to make in jazn-data.xml ? or in jps-config.xml / web.xml/ weblogic-application.xml
Am i missing nay configuration step. i have referred ADF Security set up - step by step tutorial - quick question but not found useful
I am using JDeveloper 11.1.1.5.
Thanking you all in advance.
Mukesh.

I have below changes in files
1] In jps-config.xml
-- Added identity store and selected it from drop down in Security Context tab.
2] In weblogic-application.xml
In Security tab --> Role assignment mapped valid-users to principle name.
<security>
<realm-name>myrealm</realm-name>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>DERDev</principal-name>
</security-role-assignment>
</security>
3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
4] Added security role "DERDev" along with the default/automatically added role "valid users"
<security-role>
<role-name>DERDev</role-name>
</security-role>
Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
Mukesh

I got tis ipad 4g from ireland recently and i brought it to india with me and i got tis micro sim from a local service provider and it was activated 3 days later and show the name service provider at the top but no internet signal.pls help

pls help

agil123 wrote:
wud u not be able to get internet without signing up for data service
Correct, a standard phone service will not provide internet connection. You need to talk with your cellular provider and ask for a data plan for iPads. Not a phone service.

I got tis ipad 4g from ireland recently and i brought it to india with me and i got tis micro sim from a local service provider and it was activated 3 days later and show the name of service provider at the top but no internet connection.pls help

pls help

agil123 wrote:
wud u not be able to get internet without signing up for data service
Correct, a standard phone service will not provide internet connection. You need to talk with your cellular provider and ask for a data plan for iPads. Not a phone service.

EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew

Hard to tell what is happening without looking at the application
source, knowing what OS & hardware you're using etc. You might want to
try running with different JVM versions to see if it's actually the VM
that is the problem. If you have a support contract with BEA you could
ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
seems to happen on loading the machine..the performance progressively gets worse
and after a couple of seconds, all the threads stop responding. I checked the
heap, cpu and the idle threads in the execute queue and there is nothing there
to trigger alarms...there are quite a few idle threads still and the heap and
the cpu utilization seem OK. On doing a thread dump, Is see that all the other
threads seem to be in a state where they are waiting for data from LDAP and it
is basically read only data that they are waiting on.
Does anyone know what it is going on and help point me in the right direction.
-Ayub

Custom Authentication Provider and User Manage like SQLAuthenticator, How?

Hi everyone,
I faced a problem with login function of my portal (Webcenter Application). The Problem is:
- Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
- If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
- View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
Here are my work:
- I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
- I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
Here are my Code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
 Package = "orkit"
 Extends = "weblogic.management.security.authentication.Authenticator"
 PersistPolicy = "OnUpdate">
 <MBeanAttribute
 Name = "ProviderClassName"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""orkit.OrkitVASPortalProviderImpl""
/>
 <MBeanAttribute
 Name = "Description"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""WebLogic Simple Sample Audit Provider""
/>
 <MBeanAttribute
 Name = "Version"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""1.0""
/>
 <MBeanAttribute
 Name = "LogFileName"
 Type = "java.lang.String"
 Default = ""SimpleSampleAuditor.log""
/>
</MBeanType>
package orkit;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;
public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
 private String description;
 private LoginModuleControlFlag controlFlag;
 public OrkitVASPortalProviderImpl() {
 System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
 @Override
 public IdentityAsserterV2 getIdentityAsserter() {
 return null;
 // Our mapping of users to passwords/groups, instead of being in LDAP or in a
 // database, is represented by a HashMap of MyUserDetails objects..
 public class MyUserDetails {
 String pw;
 String group;
 // We use this to represent the user's groups and passwords
 public MyUserDetails(String pw, String group) {
 this.pw = pw;
 this.group = group;
 public String getPassword() {
 return pw;
 public String getGroup() {
 return group;
 // This is our database
 private HashMap userGroupMapping = null;
 public void initialize(ProviderMBean mbean, SecurityServices services) {
 System.out.println("The Orkit VASPortal Provider is intializing......");
 OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
 description = myMBean.getDescription() + "\n" + myMBean.getVersion();
 System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
 // We would typically use the realm name to find the database
 // we want to use for authentication. Here, we just create one.
 userGroupMapping = new HashMap();
 userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
 userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
 userGroupMapping.put("system", new MyUserDetails("12341234",
 "Administrators"));
 String flag = myMBean.getControlFlag();
 if (flag.equalsIgnoreCase("REQUIRED")) {
 controlFlag = LoginModuleControlFlag.REQUIRED;
 } else if (flag.equalsIgnoreCase("OPTIONAL")) {
 controlFlag = LoginModuleControlFlag.OPTIONAL;
 } else if (flag.equalsIgnoreCase("REQUISITE")) {
 controlFlag = LoginModuleControlFlag.REQUISITE;
 } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
 controlFlag = LoginModuleControlFlag.SUFFICIENT;
 } else {
 throw new IllegalArgumentException("Invalid control flag " + flag);
 public AppConfigurationEntry getLoginModuleConfiguration() {
 HashMap options = new HashMap();
 options.put("usermap", userGroupMapping);
 System.out.println("UserMap: " + options);
 return new AppConfigurationEntry(
 "orkit.OrkitVASPortalLoginModule",
 controlFlag, options);
 public String getDescription() {
 return description;
 public PrincipalValidator getPrincipalValidator() {
 return new PrincipalValidatorImpl();
 public AppConfigurationEntry getAssertionModuleConfiguration() {
 return null;
// public IdentityAsserter getIdentityAsserter() {
// return null;
 public void shutdown() {
* To change this template, choose Tools | Templates
* and open the template in the editor.
package orkit;
import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
* This login module will be called by our Authentication Provider. It assumes
* that the option, usermap, will be passed which contains the map of users to
* passwords and groups.
public class OrkitVASPortalLoginModule implements LoginModule {
 private Subject subject;
 private CallbackHandler callbackHandler;
 private HashMap userMap;
 // Authentication status
 private boolean loginSucceeded;
 private boolean principalsInSubject;
 private Vector principalsBeforeCommit = new Vector();
 public void initialize(Subject subject, CallbackHandler callbackHandler,
 Map sharedState, Map options) {
 this.subject = subject;
 this.callbackHandler = callbackHandler;
 // Fetch user/password map that should be set by the authenticator
 userMap = (HashMap) options.get("usermap");
 * Called once after initialize to try and log the person in
 public boolean login() throws LoginException {
 // First thing we do is create an array of callbacks so that
 // we can get the data from the user
 Callback[] callbacks;
 callbacks = new Callback[2];
 callbacks[0] = new NameCallback("username: ");
 callbacks[1] = new PasswordCallback("password: ", false);
 try {
 callbackHandler.handle(callbacks);
 } catch (IOException eio) {
 throw new LoginException(eio.toString());
 } catch (UnsupportedCallbackException eu) {
 throw new LoginException(eu.toString());
 String username = ((NameCallback) callbacks[0]).getName();
 System.out.println("Username: " + username);
 char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
 String password = new String(pw);
 System.out.println("PASSWORD: " + password);
 if (username.length() > 0) {
 if (!userMap.containsKey(username)) {
 throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
 }else{
 System.out.println("Contstainded Username");
 String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
 if (realPassword == null || !realPassword.equals(password)) {
 throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
 }else{
 System.out.println("Everyitng OKIE");
 } else {
 // No Username, so anonymous access is being attempted
 loginSucceeded = true;
 // We collect some principals that we would like to add to the user
 // once this is committed.
 // First, we add his username itself
 principalsBeforeCommit.add(new WLSUserImpl(username));
 // Now we add his group
 principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
 return loginSucceeded;
 public boolean commit() throws LoginException {
 if (loginSucceeded) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = true;
 return true;
 } else {
 return false;
 public boolean abort() throws LoginException {
 if (principalsInSubject) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = false;
 return true;
 public boolean logout() throws LoginException {
 return true;
}and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
Can someome help.
Thanks in advance!

Hi ,
SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations .
Currently there is an Enhancement request for this .
Thanks
Srinath

Difference in the Balance between FS10N and Customer Balances in Local Curr

Hi,
When i am trying to match the Balances between FS10N and Customer Balances in Local Currency for the Period 8, we are getting the difference, The reconcilliaton Account was changed on 30.08.2010.
Please help Us in tracing the differences between FS10N and Customer Balances in Local Currency.
What could be the possible reasons for the differences..
Thanks

Hi Varshani,
Please use the program/report SAPF070 to compare or reconcile your AR with GL balances. You can use SAPF071 to correct any inconsistencies. Provided below documentation for these programs.
SAPF070 - Compare Documents and Account Transaction Figures
Description
This program compares debit and credit transaction figures in customer, vendor, and G/L accounts with the debit and credit totals from documents posted in the corresponding posting period (accounting reconciliation). The sales totals are also compared for customer and vendor accounts. There is no separate comparison for special G/L transactions.
A comparison for G/L accounts can be made in company code currency and in parallel currencies (such as group currency). A comparison for customer and vendor accounts can only be made in company code currency.
After the program has finished, a message is issued to the user that started the program. This message summarizes the results of the reconciliation.
Output
The program compares the totals of an account on a periodic basis. If the debit and credit total differs between account and documents, the account is printed with the debit and credit totals and the difference.
Differences in G/L accounts are shown per transaction currency. The first line shows the amount in local currency, the second line shows the amounts in transaction currency.
If a document which falls within the selection range is posted during the program run, the program is terminated since a reliable result can no longer be delivered.
SAPF071 - Adjust Balances after Comparing Documents/Transaction Figures
Description
If a financial accounting comparative analysis (SAPF190) or a comparison of documents and transaction figures (SAPF070) shows that there are differences between documents and transaction figures, you can use this program to make an adjustment. The documents form the basis for this adjustment. The program adjusts the (redundant) transaction figures, which are only totals of amounts from documents.
Requirements
All of the following listed requirements must be fulfilled:
1. A financial accounting comparative analysis (SAPF190) or a comparison of documents and transaction figures (SAPF070) must be made, and differences must be found between documents and transaction figures.
2. There must not be any inconsistent documents found. These are listed in both SAPF070 and SAPF190 as well as in this program.
3. There cannot be any problems in the other modules. Caution: You have to check this yourself. Financial Accounting may be correct but the other modules may not be, and this will adversely affect the program run.
4. You can only make the adjustment in the ledgers which are compared by program SAPF070. This is ledger 00 or a user-defined ledger for all parallel local currencies except the group currency. (The program displays these ledgers). You have to adjust any additional ledgers as well as average balance ledgers yourself.
5. No documents during the period in which you are adjusting transaction figures can be archived. Caution: You must ensure that these documents are not archived by establishing appropriate organizational rules and procedures.
Only use this program after consulting with SAP or after checking the prerequisites thoroughly.
You should adjust all differences together for a single company code. By setting the program parameters you can limit the adjustment to G/L currency types or to balances in subledgers.
It is advisable to execute a test run first, which will list any differences that are found.
Further notes - Authorizations
Repair program authorization group (F_005)
Company code authorization (F_BKPF_BUK)
Thanks
Venkata Ganesh Perumalla
Edited by: Venkata Ganesh Perumalla on Sep 28, 2010 1:30 PM

Help required in OIM-OID LDap Synch and GTC flat file connector

Hi Experts,
I am using OIM 11.1.1.5 with OID LDap Synch enabled. I have OIM protected with OAM 11.1.1.5.0 and almost all normal things are working.
Once I am doing TRUSTED FLAT FILE GTC recon to OIM, the users are getting created in OIM without any password and due to that my users are not getting created in OID(Ldap Synch is enabled);
The following exception is getting thrown:
<Nov 13, 2011 9:48:21 AM CET> <Warning> <XELLERATE.GC.PROVIDER.RECONCILIATIONTRANSPORT> <BEA-000000> <FILE SUCCESSFULLY ARCHIVED : /home/oracle/OAM_ProtoTyping/TestCSV/Scheduled.csv>
<Nov 13, 2011 9:48:21 AM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030146> <[CALLBACKMSG] Are applicable policies present for this async eventhandler ? : false>
<Nov 13, 2011 9:48:22 AM CET> <Error> <oracle.iam.ldapsync.impl.eventhandlers.user> <IAM-3010021> <An error occurred while creating the user in LDAP.
oracle.iam.platform.entitymgr.MissingRequiredAttributeException: [usr_password]
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.checkRequired(EntityManagerImpl.java:1450)
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:263)
at oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPostProcessHandler.createUser(UserCreateLDAPPostProcessHandler.java:261)
at oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPHandler.execute(UserCreateLDAPHandler.java:123)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPostProcessEvents(OrchProcessData.java:1166)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:710)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:675)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.GeneratedMethodAccessor1821.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy335.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:380)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
Has any body faced similar kind of issue.
I tried to use post process event handler on create but while updating password its saying the user state is not in synch with OID.
So I am unable to use post process event handlers as well.
Regards,
J

Thanks Sunny,
But the post process event handler with reset/update password is not working on CREATE;
the following error message is being thrown:
oracle.iam.platform.kernel.EventFailedException: Password reset failed because user JSMITH151 is not synchronized to the LDAP directory.
at oracle.iam.ldapsync.impl.eventhandlers.user.util.LDAPUserHandlerUtil.resetPassword(LDAPUserHandlerUtil.java:203)
at oracle.iam.ldapsync.impl.eventhandlers.user.UserResetPasswordLDAPHandler.execute(UserResetPasswordLDAPHandler.java:167)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:665)
In 11.1.1.3 OIM, I found the password was available for mapping in GTC connector, but in OIM 11.1.1.5, oracle has removed the password mapping attribute.
Can you please suggest?
I checked with Oracle Support, They are saying in OIM 11.1.1.5 they have introduced a new post process event handler which should generate the password on every trusted reconcilication event.
But in my environment its not behaving like that.
Regards,
J

LDAP Provider and BEA 9.1 Local Groups

Similar Messages

Maybe you are looking for