LDAP/RACF authentication

I'm having problems securing a web resource under WLS 8.1. I'm authenticating
with an iPlanet LDAP server. I need to retrieve the user's RACF group from LDAP,
which is contained as an attribute in the LDAP record. How do I "map" the LDAP
attribute to a group/role within the WebLogic domain?
Thanks - Jason

Anyone?
"Jason M" <[email protected]> wrote:
>
I'm having problems securing a web resource under WLS 8.1. I'm authenticating
with an iPlanet LDAP server. I need to retrieve the user's RACF group
from LDAP,
which is contained as an attribute in the LDAP record. How do I "map"
the LDAP
attribute to a group/role within the WebLogic domain?
Thanks - Jason

Similar Messages

  • External LDAP for authentication

    Hi All,
    I want to use external ldap for authentication purpose with Access Manager.
    I tried adding this external ldap as a secondary ldap but couldn�t succeed.
    If I add this ldap in the primary ldap along with the AM�s own ldap, this also fails to authenticate users from the external ldap.
    How can I achieve this?
    I read many topics in this forum regarding this but none of them explain how it can be achieved.
    Please suggest.
    Thanks in advance.

    This is what the amconsole log says:
    ERROR: ConsoleServletBase.onUncaughtException
    java.lang.NullPointerException
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
         at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
         at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
         at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
         at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
         at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
         at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
         at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
         at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
         at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
         at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
         at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
         at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
         at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
         at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
         at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
         at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
         at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
         at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
         at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
         at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
         at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

  • SQL Developer on Windows trying to connect to M/F with RACF authentication

    I am currently running the latest downloaded version of SQL Developer on a Windows XP client machine.
    We have recently upgraded our z/os Oracle version to 10.2.0.3
    I was advised to use the thin java client in SQL Developer by inputting the URL into the advanced window - jdbc:oracle:thin:user/******@ukmet-***:3010:***
    This returns an ORA-28037 Cannot get session key for RACF authentication
    If I however substitute oci for thin then I get a test successful but the subsequent attempt at a connection crashes SQL Developer.
    Any ideas on how I get a stable connection greatly appreciated

    The tns list might be empty due to the bug that it's only looking for lower case tns file names. This is a bug in 1.1 and has been addressed with the patch. Also in 1.1, there are some instance where the tns file is not picked up through the registry setting, you might need to set the PATH variable to address that. This too has been fixed in the patch.
    Sue

  • WLC connect LDAP for Authentication, but could not connect to server

    Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following messgae:
    Service Port - Not connected
    Distrubution port include:
         Management Interface - in AP Management VLAN - 30
         Student AP interface - in Student VLAN - 20
         Staff AP interface - in Staff VLAN - 10
    AD is in Staff VLAN - 10
    WLC LDAP Server setting
    Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
    User Attribute: sAMAccountName
    User Object Type: Person
    Debug aaa all enable message
    *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
    *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
    *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
    WLC GUI Log:
    *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    LDP Message of LDAP BaseDN:
    Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: Frankie F. Yeung;
    1> sn: Yeung;
    1> givenName: Frankie;
    1> initials: F;
    1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
    1> instanceType: 0x4 = ( IT_WRITE );
    1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
    1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
    1> displayName: Frankie F. Yeung;
    1> uSNCreated: 3850555;
    1> uSNChanged: 3850571;
    1> name: Frankie F. Yeung;
    1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
    1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
    1> badPwdCount: 0;
    1> codePage: 0;
    1> countryCode: 0;
    1> badPasswordTime: 0;
    1> lastLogoff: 0;
    1> lastLogon: 0;
    1> pwdLastSet: <ldp error <0x0>: cannot format time field;
    1> primaryGroupID: 513;
    1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
    1> accountExpires: <ldp error <0x0>: cannot format time field;
    1> logonCount: 0;
    1> sAMAccountName: fckyeung;
    1> sAMAccountType: 805306368;
    1> userPrincipalName: [email protected];
    1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
    Hope I can resolve this problem ASAP, thanks!

    Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
    The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
    But you can do LDAP for web authentication, that has no eap methods.
    Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

  • Retrieve parameters from LDAP using authentication module

    I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
    I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
    OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
    This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
    The existing web applications are still querying existing LDAP other attributes there than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to web application as cookie or header value? Or is the forwarding feature only for attributes in Data Store?
    If the forwarding is not possible what is the next best alternative ?

    OpenSSO forum is quite silent so I'm back with you guys.
    I managed to solve the agent error log problem I mentioned before. The problem was about nonexisting attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed extra attributes and the authentication against LDAP started to work again.
    The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
    My LDAP looks like this:
    # testuser, pollo.fi
    dn: cn=testuser,dc=pollo,dc=fi
    cn: testuser
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Test
    sn: User
    ou: People
    uid: testuser
    mail: [email protected]
    And my datastore configuration:
    LDAP server->localhost:389
    LDAP bind DN->cn=admin,dc=pollo,dc=fi
    LDAP organization DN->dc=pollo,dc=fi
    Attribute name mapping->empty
    LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
    LDAP3 Plugin search scope->scope_sub
    LDAP Users Search Attribute->uid
    LDAP Users Search Filter->(objectclass=inetorgperson)
    LDAP User Object Class->organizationalPerson
    LDAP User Attributes->uid, userpassword
    Create User Attribute Mapping->empty
    Attribute Name of User Status->inetuserstatus
    User Status Active Value->Active
    User Status Inactive Value->inactive
    LDAP Groups Search Attribute->cn
    LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
    LDAP Groups container Naming Attribute->ou
    LDAP Groups Container Value->groups
    LDAP Groups Object Class->top
    LDAP Groups Attributes->cn,description,dn,objectclass
    Attribute Name for Group Membership->empty
    Attribute Name of Unqiue Member->uniqueMember
    Attribute Name of Group Member URL->memberUrl
    LDAP People Container Naming Attribute->ou
    LDAP People Container Value->people
    LDAP Agents Search Attribute->uid
    LDAP Agents Container Naming Attribute->ou
    LDAP Agents Container Value->agents
    LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
    LDAP Agents Object Class->sunIdentityServerDevice,top
    LDAP Agents Attributes->empty
    Identity Types That Can Be Authenticated->Agent,User
    Authentication Naming Attribute->uid
    Persistent Search Base DN->dc=pollo,dc=fi
    Persistent Search Filter->(objectclass=*)
    Persistent Search Maximum Idle Time Before Restart->0
    Should I enable some setting still to get the forwarding going on? Any ideas for debugging?

  • LDAP Web Authentication

    1. In WLC GUI, Security > AAA > LDAP, what other User Base DN / User Attribute / User Object Type syntax to use when you have 2 or more OU (not pertaining to sub-OUs)? aside from using the domail alone, ex: dc=cisco,dc=com
    2. Can OU be grouped in the active directory? then the WLC LDAP config will be pointing to the group created in the active directory?
    Reference in configuring LDAP Web Authentication:
    Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example, Document ID: 108008
    Any help would be appreciated. Thank you in advance!

    LDAP with web authentication only shows up in 5.0 config guides and later.
    The 2006 only supports up to 4.2 software. I think this should answer your question :-) It's a no

  • 4.0.1 to 4.1.1 -- LDAP Directory Authentication Scheme fails

    Using the out of the box LDAP directory authentication scheme that worked fine in v. 4.0.1 is failing in v. 4.1.1. User authentication is failing with 'Invalid Login Credentials'. Debug shows that the User is 'nobody'. Looking at v. 4.0.1, User shows 'Admin'. Also, the 'LDAP test link' is no longer available in 4.1.1 - that's a bummer.
    Example debug 4.1.1:
    4161     426774014496602     nobody     103     101     50     6 minutes ago     0.8562
    Example debug 4.0.1:
    661     3340172823117775     ADMIN     130     101     57     36 seconds ago     0.3298
    Does anyone know if something was changed with the standard LDAP directory scheme? Or am I missing some configuration?

    Hi Julie,
    sorry, there is too little context for me to answer this question. I have no idea where and how you got that debug output, for example.
    As for testing, the LDAP authentication scheme calls wwv_flow_custom_auth_ldap.authenticate. It's no official API and we may revoke the grant in future versions, but in 4.1, you can for test LDAP auth in SQL workshop with
    declare
        l_status boolean;
    begin
        l_status := wwv_flow_custom_auth_ldap.authenticate (
                                     p_ldap_host     => ...host...,
                                     p_ldap_port     => ...port...,
                                     p_dn            => ...dn_string...,
                                     p_search_filter => ...search_filter...,
                                     p_password      => ...password...,
                                     p_use_ssl       => ...ssl_mode... (Y for SSL, A for SSL with authentication, N for no SSL),
                                     p_use_exact_dn  => ...use_exact_dn... (Y or N) );
        dbms_output.put_line(case when l_status then 'authenticated' else 'auth error' end);
    end;Regards,
    Christian

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
    I follow the next steps:
    1-Create a new tenant
    2- Configure LDAP integration
    3-Create a inventory policy with authentication required
    4-Create a static group associated to the inventory policy
    5-Create a enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
    I have seen the log and seem the problem is that Afaria can't authenticate this user.
    I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
    The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
    Could you please help to solve this problem?
    Thanks in advance.  

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
    I follow the next steps:
    1-Create a new tenant
    2- Configure LDAP integration
    3-Create a inventory policy with authentication required
    4-Create a static group associated to the inventory policy
    5-Create a enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
    I have seen the log and seem the problem is that Afaria can't authenticate this user.
    I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
    The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
    Could you please help to solve this problem?
    Thanks in advance.  

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    im trying two add two LDAP search DNs to a portal 6.2 organisation.
    with one search base dn it works fine.
    when i add another, all ldap auth for that org stops working.
    the docs confusingly state that if you have multiple search dns (not talking about multiple ldap servers here - just the search base dns) that you should prefix each entry with the local server name. the docs however provide no examples of the syntax.
    can anyone provide an example for multiple search dns? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
    thanks

    hi,
    yes i have.. but when you enter more than one it stop working... with only one entry in the gui it will work for that entry but when you add another it stops working...
    i had to use a manual workaround like this to get the second going... :(
    External ldap authentication
    register the LDAP authentication service in the gui and setup the first DN as normal.
    create the first set of entries for the ldap host and the base dn in the gui as normal etc.
    the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
    All commands are run from the /apps/jes/SUNWam/bin directory
    1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported xml values are incorrect delete and reload the imported xml data using amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser though this method is not supported .
    You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAP
    Service,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

  • LDAP security authentication in weblogic sp4 (URGENT)

    We have a web application which interacts to the D/B to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the List I did on weblogic configuration correct me if this is correct or if am missing any thing.
    1. Created a Realm
    2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
    3. Created a X.509 certificates ????? Do I need to create this one for authentication. The only question is I am confused by these parameters and help me out in figuring out these:
    a. filter attributes = cn=$subj.cn
    b. username attribute = cn
    c. userCertificate;binary ??? ( I have a certificate idmtree.der where do I add configuration about this certificate in the console)>>>>>>>>
    d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
    4. created a new Weblogic Default Authorizer...
    5. created a new Weblogic Default Role Mapper...
    6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
    7. I made this realm as the DEFAULT realm and started the server
    I get the following exception.
    Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
    The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
    Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
    The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
    Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    >
    ####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
    ANY HELP on this would be greatly appreciated am totally exhausted seeing these error messages from morning.
    I would like to know if I need a client for connecting to this LDAP authenticator. As am using the Novell API to access the LDAP directory. Let me know, and if so can some one provide me a snippet code.\
    Waiting for response.
    thanks in advance
    kiran

    Hi Christoper,
    Based on your description, this seems to be more of a security related question than a workshop one.
    Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
    with information on service pack installed
    Thanks
    Raj

  • LDAP user authentication on EP6 built on NW04 abap+java

    Hello,
    Our customer insisted we install is EP6 system as a ABAPJAVA system. He asked that users login to the portal will be authenticated (username password) from their directory service via LDAP. Because the EP6 is built on a ABAPJAVA, and not only JAVA, I cannot use the portal or visual adiministrator tools to make the LDAP be the source User Management system.
    I have been looking all day in the sap online help and I do not see any instructions on how to configure user+password logon authentication via LDAP on an ABAP based UME system. The most I have managed was to setup the connection from the EP6 system to ldap via transaction LDAP and bring up the ldap connector.
    I need to know how to proceed from here.
    Thanks
    Boaz

    Hello,
    I add a notion that this configuration is not supported.
    However, please look at the following link, which relates to an ABAP system, I refer to the bolded section.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/aa/a17941601b050de10000000a1550b0/frameset.htm
    The following is mentioned in this link:
    The user password is not transferred from the SAP Web AS to the LDAP directory during the synchronization of the user data. You must therefore maintain the user password with one of the following options:
    You specify the passwords centrally in the LDAP server. The users must log on using the UME, are authenticated with the LDAP server, receive a logon ticket and can then access all systems with Single Sign-On. In this case, all systems must be configured so that they accept logon tickets.
    ·        You specify the passwords in a decentralized way, both in the CUA and in the LDAP directory (or in the UME). In this case, the CUA systems do not need to accept logon tickets.
    What is the meaning behind this?
    Thanks
    Boaz

  • Issue with LDAP login authentication in CMC console

    We have a existing issues with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC Console.
    We use websphere as the application server and it is installed on the same machine (Solaris) as BOE.
    We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
    Both environment have configured LDAP over SSL and we can login to BOE Infoview Reports with LDAP and we can map groups and users if we login to CMC but we can not login to CMC with secLDAP.
    The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
    Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
    Any ideas are much appreciated
    Thankyou

    The CMC in XIR2 used com components for the SSL (rather than java like infoview) and I'm betting the WAS deployment is not finding them. Is WAS on a seperate server or is BOE installed there as well?
    I'm not familiar with any regular fixes for an issue like this. If no other replies I'd recommend opening a case with either deployment(WAS on "nix") or authentication(WAS on windows) to see if they can trace down the problem.
    Regards,
    Tim

  • Ldap server authentication for EAI domain

    Hi everybody,
    I have configured a new realm fot the security of the created EAI Domain and
    made it default. In this realm, the authentication provider is the iPlanet LDAP
    Server.
    Now the booting is fine but then when I am starting the Weblogic Studio, it is
    not getting authenticated and I keep getting the error :
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: No
    realm found.>
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: Ini
    tialization of WLI Authentication Service failed with exception java.lang.Runtim
    eException: ERROR: No realm found..>
    The error page obtained at studio is what is given as attachment.
    Anybody having any info regarding the same - pl. do pass on.
    Thanks and regards,
    Ritwik
    [wli-error.doc]

    Hello Ritwik,
    it should for sure, but with this release WLI depends on the
    compatibility realm.
    Christian Plenagl
    Developer Relations Engineer
    BEA Support
    "Ritwik" <[email protected]> wrote:
    >
    Conceptually if I create respective groups (similar to the groups and
    users of
    the compatability realm) in the ldap server and do the authentication
    from there
    - it should work - shouldn't it???
    Any pointer !!!
    Regds,
    Ritwik
    "Christian Plenagl" <[email protected]> wrote:
    Hi Ritwik,
    you can read in the WLI documentation, that WLI7 currently supportsthe
    compatibility
    realm only.
    Please have a look at:
    http://e-docs.bea.com/wli/docs70/deploy/secure.htm#1365621
    Christian Plenagl
    Developer Relations Engineer
    BEA Support
    "Ritwik" <[email protected]> wrote:
    Hi everybody,
    I have configured a new realm fot the security of the created EAI
    Domain
    and
    made it default. In this realm, the authentication provider is theiPlanet
    LDAP
    Server.
    Now the booting is fine but then when I am starting the Weblogic Studio,
    it is
    not getting authenticated and I keep getting the error :
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security>
    ERROR: No
    realm found.>
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security>
    ERROR: Ini
    tialization of WLI Authentication Service failed with exception java.lang.Runtim
    eException: ERROR: No realm found..>
    The error page obtained at studio is what is given as attachment.
    Anybody having any info regarding the same - pl. do pass on.
    Thanks and regards,
    Ritwik

  • Setting up LDAP for authentication to portal:default property set named "ldap

    Hi
    I am trying to implement the LDAP authentication to WebLogic Portal .Iam went
    thru the docmentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
    mentions using the default property set named "ldap" and deploying ldapprofile.jar.My
    quenstion is:
    -Is there a way to look into the property using EBCC
    - Apart from deploying,configuring the ldapprofile.jar,do I have to do any additional
    steps in order to make my portal(say,stockportal) authenticate users from LDAP?
    -If a create my own portal,should I create a similar "ldap" property set?If so,how.
    Any suggestions/help is appreciated.Thanks
    - Mike

    Thanks Dave.
    "David Anderson" <[email protected]> wrote:
    You should be able to view the property set for LDAP through the EBCC
    if you
    have the propertysetws.jar installed in your Portal domain. This provides
    the ability for the EBCC to retrieve property set information from your
    server.
    Dave
    "mike" <[email protected]> wrote in message
    news:[email protected]...
    Hi Adrian
    Thank you for the pointers.Much appreciate it.However,one questionstill
    persists.
    What is the significance of the property set "ldap" mentioned in the
    document(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).Where
    does this property set feature vis-a-vis setting up LDAP securityrealm;does it
    mater prior to/after the setting up as mentioned in the document pointeryou just
    gave .
    Is it sufficinet that i follow the procedure to set up the LDAP oris
    there more
    to post setting,like creating a property set (similar to "ldap" orcloning
    it)
    apaprt frpom deploying ldapprofile.jar.
    Thanks.
    - Mike
    "Adrian Fletcher" <[email protected]> wrote:
    Mike,
    The documentation that covers LDAP authentication is listed under
    Weblogic
    Server rather than Weblogic Portal.
    See Configuring the LDAP Security Realm in Managing Security
    (http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
    Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
    the LDAP Security Realm?
    (http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
    Hope this helps,
    Sincerely,
    Adrian.
    Adrian Fletcher.
    Senior Software Engineer,
    BEA Systems, Inc.
    Boulder, CO.
    email: [email protected]
    "mike" <[email protected]> wrote in message
    news:[email protected]...
    Hi
    I am trying to implement the LDAP authentication to WebLogic Portal.Iam
    went
    thru the docmentation
    http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
    mentions using the default property set named "ldap" and deployingldapprofile.jar.My
    quenstion is:
    -Is there a way to look into the property using EBCC
    - Apart from deploying,configuring the ldapprofile.jar,do I have
    to
    do any
    additional
    steps in order to make my portal(say,stockportal) authenticate usersfrom
    LDAP?
    -If a create my own portal,should I create a similar "ldap" propertyset?If so,how.
    Any suggestions/help is appreciated.Thanks
    - Mike

  • WLC/LDAP/WPA authentication solution

    Hi Experts,
    I have Cisco WLC 4404 with 100 LWAP access points. Currently I am using shared WEP authentication. I like to migrate it WPA. I want the clients to have authenticated using Individual username / password to get into the network. I am using LDAP for username password repository. I also have Cisco ACS (AAA) server kept unused.
    I think it can be achieved using
    1. web authentication configured in WLC itself. But i donot want this as WLC may be loaded unnecessarily. Is this correct.
    2. Another option I read is 802.1x authentication with WPA. Since I am integrating with LDAP, I also learned that only EAP-FAST can be used.
    The question is, whether windows XP supports EAP-FAST client by default (I didn't the option in win XP). Or otherwise should i load a third party clients in all the client laptops. Whether cisco aironet client is free to download and use?
    Kindly help me
    THANKS IN ADVANCE
    sairam

    Let me list your requirements, to better define them:
    1) Clients must log in (each time?) with their username and password
    2) You don't have, and don't want to implement, a certificate server
    3) You are using a non-Windows AD LDAP directory for user authentication
    4) You have a Cisco ACS (version ?) that you can use for RADIUS, to interact between the client and the LDAP server
    5) You want to avoid web authentication if you can, because of concerns about overloading the WLC.
    One thing - what is your supplicant? Are these standard Windows XP, SP2 machines? Also, what are your encryption requirements? Web authentication provides no encryption for the data after authentication.
    And, without a certificate on at least the ACS server (plus appropriate Certificate Authority server), you're out of luck for EAP.
    EAP-FAST generally requires a certificate on the server side (if you want it to be at least somewhat secure). And, it requires a Cisco supplicant, such as the Aironet Desktop Utility with the Cisco CB21AG PCMCIA card (or can potentially use the EAPHost supplicant in Windows Vista.)
    If you don't need encryption, go with web authentication. The WLC should not have a problem handling the requests (how many simultaneous logins are you looking at?) If you do need encryption, you are going to need some additional components, whether supplicants or a certificate server.

Maybe you are looking for

  • Flash CS5 locks settings for new AS3 document

    New install of Flash CS5.5, and I just opened it up after three weeks and the latest update.  I create a new AS3 document, 940 X 226 with a black background, and work on several animations. I close the document, and click File>New, and choose a new A

  • Problem when calling a method

    hello, I have a problem when Im trying to call the make method that in the Tree class. Im calling it from the main method like you can see and It writes: -Cannot make a static reference to the non-static method make() from the type Tree. Can anyone h

  • How to register a DIP profile using command line

    Hi All, Am trying to register a profile in OID11.1.1.5 as shown below, but i face the below error message. I have set the JAVA_HOME, PATH, ORACLE_HOME, WL_HOME as suggested in document. Any pointers would be helpful [orasso@company bin]$ ./manageSync

  • Photo book format change

    I made a hardcover book for my daughters' teacher and I want to make the same book as a softcover for my girls. Is there an easy way to copy everything over to a new book?

  • Automatic opening of pdf file

    on Adobe XI reader the pdf files are not opening automatically . What can be done?