LDAP security authentication in weblogic sp4 (URGENT)
We have a web application which interacts with the D/B to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the list of what I did in the WebLogic configuration; correct me if this is correct or if I am missing anything.
1. Created a Realm
2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
3. Created an X.509 certificate ????? Do I need to create this one for authentication? I am confused by these parameters; please help me figure them out:
a. filter attributes = cn=$subj.cn
b. username attribute = cn
c. userCertificate;binary ??? (I have a certificate idmtree.der; where do I add configuration about this certificate in the console?)
d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT?)
4. created a new Weblogic Default Authorizer...
5. created a new Weblogic Default Role Mapper...
6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
7. I made this realm as the DEFAULT realm and started the server
I get the following exception.
Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
at weblogic.Server.main(Server.java:32)
>
####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
ANY HELP on this would be greatly appreciated; I am totally exhausted from seeing these error messages since morning.
I would like to know if I need a client for connecting to this LDAP authenticator, as I am using the Novell API to access the LDAP directory. Let me know, and if so, can someone provide me a code snippet?
Waiting for response.
thanks in advance
kiran
Hi Christoper,
Based on your description, this seems to be more of a security related question than a workshop one.
Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
with information on service pack installed
Thanks
Raj
Similar Messages
-
Weblogic security authentication; question to interact with the realm
Hi, I have a quick question about weblogic security authentication....
We are using WebLogic 81sp3. We have user-group info in a Novell eDirectory LDAP server.
Currently, a Novell Authenticator provider is configured under: Security > Realms > myRealm > Providers > Authentication. This tells WebLogic where to get the users and groups from. WebLogic caches this information for the logged-on users for a certain time (example: 60 secs), after which it cleans the cache for all inactive users. We want to interact with the WebLogic cache: add more user profile information to this cache and use it in our application.
Does somebody know how to programmatically interact with the WebLogic user-group cache - read, write, update and delete user-group info in the cache and control the time to live for the cache? I already checked
the TTLCache class which WebLogic provides, but they seem to have deprecated it.
Help? -
Security Authentication in LDAP
Hi Chris/Raj/All,
We have one more generic issue. Please help us if possible.
I am connecting to an LDAP server (Microsoft ADS) from my WebLogic Workshop 8.1. We are using DirContext and InitialDirContext (Java API). Through the Java program I am able to connect to port 389 by means of simple security authentication.
Our requirement is for SSL security authentication, i.e. to connect to port 636.
From our side we have done the following:
1. We have installed the public certificate in the JRE environment (lib/security, in both the cacerts and jssecacerts).
2. We have also installed the certificate in the ADS server and enabled SSL.
When we try to connect to port 636 with simple authentication we get CommunicationException.
When we try to connect to port 636 with ssl authentication we get AuthenticationNotSupportedException.
We would also like to know whether there is any authentication process, like password encryption and so on, to be followed.
Thanks & Regards,
Christoper.
Hi Christoper,
Based on your description, this seems to be more of a security related question than a workshop one.
Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
with information on service pack installed
Thanks
Raj -
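The two failures reported in the threads above (the untrusted certificate chain in the WebLogic log, and the CommunicationException / AuthenticationNotSupportedException pair on port 636) can be told apart with a small JNDI probe. This is an added example, not code from any poster or from BEA; the class name, the LDAP_BIND_PASSWORD environment variable and the command-line arguments are assumptions, and the exceptions in the no-argument run are constructed.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

// Hypothetical diagnostic class: attempts a simple bind over LDAPS and names the failure.
public class LdapsBindCheck {

    /** JNDI environment for a simple (DN + password) bind carried over SSL. */
    static Hashtable<String, String> buildEnv(String host, int port, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        // SSL is the transport, selected here (redundant with ldaps://, but explicit).
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Accepted values are "none", "simple" or a SASL mechanism name.
        // Putting "ssl" here is what raises AuthenticationNotSupportedException.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        return env;
    }

    /** Maps a JNDI failure to the layer that caused it. */
    static String diagnose(NamingException e) {
        if (e instanceof AuthenticationNotSupportedException) {
            return "AUTH_MECHANISM: " + Context.SECURITY_AUTHENTICATION
                    + " must be none, simple or a SASL mechanism";
        }
        if (e instanceof AuthenticationException) {
            return "CREDENTIALS: the server rejected the bind DN or password";
        }
        if (e instanceof CommunicationException) {
            // A handshake failure arrives wrapped as the root cause.
            for (Throwable t = e.getRootCause(); t != null; t = t.getCause()) {
                if (t instanceof SSLException) {
                    return "TLS: " + t.getMessage()
                            + " (the server's CA certificate is not in the trust store in use)";
                }
            }
            return "NETWORK: " + e.getMessage();
        }
        return "OTHER: " + e;
    }

    /** Opens and closes one context; returns OK or the diagnosis. */
    static String probe(String host, int port, String bindDn, String password) {
        try {
            DirContext ctx = new InitialDirContext(buildEnv(host, port, bindDn, password));
            ctx.close();
            return "OK: TLS handshake and simple bind both succeeded";
        } catch (NamingException e) {
            return diagnose(e);
        }
    }

    public static void main(String[] args) {
        if (args.length >= 3) {
            // Usage: java LdapsBindCheck <host> <port> <bindDn> [trustStore.jks]
            if (args.length >= 4) {
                // Must be set before the first SSL connection is made.
                System.setProperty("javax.net.ssl.trustStore", args[3]);
            }
            String password = System.getenv("LDAP_BIND_PASSWORD");
            if (password == null || password.isEmpty()) {
                // An empty password would turn the simple bind into an unauthenticated one.
                System.err.println("Set LDAP_BIND_PASSWORD to a non-empty value");
                return;
            }
            System.out.println(probe(args[0], Integer.parseInt(args[1]), args[2], password));
            return;
        }
        // No arguments: classify constructed exceptions, no network needed.
        CommunicationException untrusted =
                new CommunicationException("simple bind failed: ldap.example.test:636");
        untrusted.setRootCause(new SSLHandshakeException("PKIX path building failed (constructed)"));
        System.out.println(diagnose(untrusted));
        System.out.println(diagnose(new AuthenticationNotSupportedException("ssl")));
        System.out.println(diagnose(new AuthenticationException("error code 49 (constructed)")));
    }
}
```

Point the optional fourth argument at the same trust keystore the server loads at startup, so the probe validates the chain against the same set of CAs.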
I have 2 questions and these are very urgent :-
1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have
2 groups in iPlanet :- contractors and employees, and I have 2 security roles in WebLogic :-
contractors and employees. How do I map LDAP group contractors to WebLogic security
Role contractors? Similarly for employees?
2. I have not defined contractors and employees under the People container in iPlanet.
e.g. The RDN for contractor is
uid=1234,ou=dir,dc=orams,dc=com
Can I still use the default security realm of WebLogic (the WebLogic Security Realm
under People) OR do I have to write my own custom code?
3. I am planning to use Roles instead of groups to manage the logical grouping in
iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
parameters)?
This is very urgent ....so if any of you can throw any hints that will be greatly
appreciated.
--Sunita
Hi Ariel,
The driver is bundled with the product in WLS 6.1sp1. you don't have to
download any additional driver. Use it as you normally would only thing to
remember is if you are trying to write standalone java code then you have to
have weblogic.jar in your classpath. For the rest of the info follow the wls
docs for 6.1
HTH
sree
"Ariel" <[email protected]> wrote in message
news:3bb4a643$[email protected]..
We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
downloaded the JDriver from bea.com, but all the instructions that came with
it are for WLserver 5.1.
What has to be done to do this with 6.1 sp1?
Thanks,
Ariel -
LDAP security provider and web service authentication
Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
Thanks in advance!
Julia
Hi,
Add a Provider (LDAP credentials) in the Admin Console under Security Realm --> defaultrealm --> Providers. Configuring LDAP in the Admin Console will enable the Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in the Users and Groups tab of Security Realms > defaultrealm > Users and Groups. Add Roles using Security Realms > defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your web service runs with SSL, annotate the web service file something like this below.
@RolesAllowed({
@SecurityRole(role="test")
})
@Policy(
uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
attachToWsdl=true)
Here the role is the preconfigured role in the Admin Console. Add the following tag in the soapenv:Header.
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header> -
Authentication in weblogic portal server 8.1 sp2 using external LDAP
Hi,
I am trying to use external LDAP for authentication.
I have configured the ActiveDirectoryAuthenticator giving the necessary
values
( and added "-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthenticator" in startWebLogic.cmd )
and can see the users and the groups from my LDAP provider in the admin
console and in the admin portal's "users and groups".
A set of users are given permission to access the restricted site and those
users are visible in the global role with the permission.
The web.xml is configured for BASIC auth-method, and the role is
<externally-defined/> in weblogic.xml.
Now when I access a restricted page, I am shown a dialog prompt to key in
the username and password.
Even when I key in the valid credentials, the restricted page is not shown
and an "Unauthorized xxx" 401 access error is thrown.
Any clue on what I am missing?
Please let me know if you have any suggestion / idea.
Regards,
Arun.
Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
Brad -
Setting up LDAP for authentication to portal:default property set named "ldap
Hi
I am trying to implement LDAP authentication for WebLogic Portal. I went
through the documentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824 ). It
mentions using the default property set named "ldap" and deploying ldapprofile.jar. My
question is:
- Is there a way to look into the property using EBCC?
- Apart from deploying and configuring the ldapprofile.jar, do I have to do any additional
steps in order to make my portal (say, stockportal) authenticate users from LDAP?
- If I create my own portal, should I create a similar "ldap" property set? If so, how?
Any suggestions/help is appreciated. Thanks
- Mike
Thanks Dave.
"David Anderson" <[email protected]> wrote:
You should be able to view the property set for LDAP through the EBCC
if you
have the propertysetws.jar installed in your Portal domain. This provides
the ability for the EBCC to retrieve property set information from your
server.
Dave
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi Adrian
Thank you for the pointers. Much appreciate it. However, one question still
persists.
What is the significance of the property set "ldap" mentioned in the
document (http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824)? Where
does this property set feature vis-a-vis setting up the LDAP security realm; does it
matter prior to/after the setting up as mentioned in the document pointer you just
gave?
Is it sufficient that I follow the procedure to set up the LDAP, or is
there more
to post setting, like creating a property set (similar to "ldap" or cloning
it)
apart from deploying ldapprofile.jar?
Thanks.
- Mike
"Adrian Fletcher" <[email protected]> wrote:
Mike,
The documentation that covers LDAP authentication is listed under
Weblogic
Server rather than Weblogic Portal.
See Configuring the LDAP Security Realm in Managing Security
(http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
Also take a look at the FAQ - Why can't I boot WebLogic Server when using
the LDAP Security Realm?
(http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
Hope this helps,
Sincerely,
Adrian.
Adrian Fletcher.
Senior Software Engineer,
BEA Systems, Inc.
Boulder, CO.
email: [email protected]
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi
I am trying to implement LDAP authentication for WebLogic Portal. I went
through the documentation
( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824 ). It
mentions using the default property set named "ldap" and deploying ldapprofile.jar. My
question is:
- Is there a way to look into the property using EBCC?
- Apart from deploying and configuring the ldapprofile.jar, do I have to do any
additional
steps in order to make my portal (say, stockportal) authenticate users from
LDAP?
- If I create my own portal, should I create a similar "ldap" property set? If so, how?
Any suggestions/help is appreciated. Thanks
- Mike -
Active Directory Authentication in Weblogic 8.1
Hi,
We want to do authentication from Microsoft Active Directory using weblogic 8.1.
I have created an Active Directory and
configured WebLogic from the console to use it. But it is still not working. Your
help with these questions would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me know how
to proceed.
2. Is there any tool by which I can get to know the different attribute asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind. Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi
Amit,
We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
and downs though.
1) First, make sure you are sending the right LDAP queries to AD. To verify this,
we used a free 3rd party LDAP browser from Softerra. There is also a Java-based free
browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
Play with your LDAP settings using this and make sure AD is returning the right
data.
2) AD has some default settings that make it return only the top 1000 users.
Use ntdsutil.exe to modify these default settings.
3) AD needs to have the right set of users and groups. To configure this, refer
to the WLS docs. This is very well documented in the WLS docs. Also refer to this article
http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as an additional
reference.
4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
another product, AD/AM (AD in Application Mode), in combination with MIIS server.
But if you are using sp2, you shouldn't have to worry about this.
5) In your providers, you might want to get rid of the DefaultAuthentication provider,
once you are able to establish a connection with your ActiveDirectoryAuthentication
provider. The DefaultAuthentication provider causes some problems and does not
let the ActiveDirectoryAuthentication provider behave properly. We haven't fully
investigated the root of this problem. When we deleted the DefaultAuthentication provider,
everything worked normally - so we didn't really care that much :-)
6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
you are able to authenticate and talk to your AD.
These are the ones I could think of. Hope this helps..
Regards,
Anant
"Amit" <[email protected]> wrote:
>
Hi,
We want to do authentication from Microsoft Active Directory using weblogic
8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working.
Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me
know how
to proceed.
2. Is there any tool by which I can get to know the different attribute
asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there
any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind.
Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in
Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi -
Internal error message configuring LDAP security options in CMC
After entering LDAP security information in Central Management Console - option authentication, when clicking 'Finish' an error message appears: "internal error in secLdap complement". How can I solve this problem ?
Hi,
Please check that whether you are following the proper steps while configuring the LDAP.
You can refer the BusinessObjects Admin guide for the configuration:
http://help.sap.com/businessobject/product_guides/boexir31/en/xi3-1_bip_admin_en.pdf
And also, please check troubleshooting section for more information.
Regards,
Noor. -
Create , delete "security roles" in weblogic console - sample Security providers
Hi Everyone:
Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
those sample Security Provider , the author of codes used property files as
Security Providers Database, however he/she didn't show how to create a
Manageable Sample Role Mapping Provider or Manageable Sample Authentication
Provider, so Administrator of weblogic console can create and delete
"security roles" in weblogic console.
Have anyone known how to do that?
Ming Qin
"ming qin" <[email protected]> wrote in message news:[email protected]..
Hi Everyone:
Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
those sample Security Provider , the author of codes used property files as
Security Providers Database, however he/she didn't show how to create a
Manageable Sample Role Mapping Provider or Manageable Sample Authentication
Provider, so Administrator of weblogic console can create and delete
"security roles" in weblogic console.
Have anyone known how to do that?
I would ask in the weblogic.developer.interest.management.console newsgroup.
>
Ming Qin -
Serious security bug in weblogic 6.0
When I use JAAS authenticated to WebLogic Server 6.0, everything is beautiful. But
I can easily bypass the JAAS authentication and log in to WebLogic Server 6.0
as anybody with any credential. Think about it: if I log in as system with the
wrong password and I get in, the caller will be system.
If anyone inside the WebLogic team is interested in talking about it, please send
me an email. I don't want to post the way I did it right now.
This potential vulnerability has been confirmed and has been fixed in BEA WebLogic
Server 6.0 Service Pack 1 (SP1). SP1 is currently available for download from
the BEA Download Center at
http://commerce.bea.com/downloads/weblogic_server.jsp#wls.
BEA advises every Service Pack be applied as they are released. Service Packs
include a roll up of all bug fixes for each version of the product, as well as
each of the previously released Service Packs.
BEA treats security issues with the highest degree of urgency and does everything
possible to ensure the security of all customer assets. As a policy, if there
are any security-related issues with any BEA product, BEA will distribute an advisory
and instructions with the appropriate course of action.
Because the security of your site, data, and code is
our highest priority, we are committed to communicating all
security-related issues clearly and openly.
BEA has established a permission-based emailing list specifically
targeted for product security advisories. As a policy, if a user has opted in
to our emailing list and there are any security issues with the BEA product(s)
he/she is using, BEA will distribute an advisory and instructions via email with
the appropriate course of action.
REPORTING SECURITY ISSUES
For immediate attention, BEA has established an email address to which you can
send reports of any possible security issues in BEA products.
These reports should be sent to: [email protected]
All correspondence to this address will be promptly reviewed and all necessary
actions taken to ensure the continued security of all customer assets.
SUBSCRIBE TO EMAIL ALERT
You may subscribe to the permission-based emailing list to receive alerts of security
advisories by registering with BEA at:
http://contact.beasys.com/bea/www/securityelogin.jsp.
Sincerely,
Marc Bishop
Security Product Manager
BEA WebLogic Server -
Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
user name and password. I want to be able to interface this connection to access
the LDAP and make changes to user information within in the ldap. Right now in
my code I make a connection to the LDAP and supply the same user name and password
set up in the LDAP security realm. I want to be able to rather than re-supply
the URL and user name and password in my code I want to be able to just get that
(or create a connection similar to a jdbc connection pool) connection to the
LDAP that configured in the Security Realm. Is this possible? And how would I
go about it if so?
Thanks
Sjb
The LDAPConnection pool which is used by the WLS Realm is not accessible to the public
for programming.
thanks
kiran
"Sjb" <[email protected]> wrote in message
news:3f5744c1$[email protected]..
>
Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
user name and password. I want to be able to interface this connection to access
the LDAP and make changes to user information within in the ldap. Right now in
my code I make a connection to the LDAP and supply the same user name and password
set up in the LDAP security realm. I want to be able to rather than re-supply
the URL and user name and password in my code I want to be able to just get that
(or create a connection similar to a jdbc connection pool) connection to the
LDAP that configured in the Security Realm. Is this possible? And how would I
go about it if so?
Thanks
Sjb -
WLC connect LDAP for Authentication, but could not connect to server
Hi Everyone, I got a problem when I use a WLC 5508 to connect to LDAP for authentication, but no luck there. It's a simple config, but not easy to get working on my job. I got the following message:
Service Port - Not connected
Distribution port include:
Management Interface - in AP Management VLAN - 30
Student AP interface - in Student VLAN - 20
Staff AP interface - in Staff VLAN - 10
AD is in Staff VLAN - 10
WLC LDAP Server setting
Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
User Attribute: sAMAccountName
User Object Type: Person
Debug aaa all enable message
*LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
*LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
*LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
WLC GUI Log:
*LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
LDP Message of LDAP BaseDN:
Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
4> objectClass: top; person; organizationalPerson; user;
1> cn: Frankie F. Yeung;
1> sn: Yeung;
1> givenName: Frankie;
1> initials: F;
1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
1> displayName: Frankie F. Yeung;
1> uSNCreated: 3850555;
1> uSNChanged: 3850571;
1> name: Frankie F. Yeung;
1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> badPwdCount: 0;
1> codePage: 0;
1> countryCode: 0;
1> badPasswordTime: 0;
1> lastLogoff: 0;
1> lastLogon: 0;
1> pwdLastSet: <ldp error <0x0>: cannot format time field;
1> primaryGroupID: 513;
1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
1> accountExpires: <ldp error <0x0>: cannot format time field;
1> logonCount: 0;
1> sAMAccountName: fckyeung;
1> sAMAccountType: 805306368;
1> userPrincipalName: [email protected];
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
Hope I can resolve this problem ASAP, thanks!
Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschapv2 with LDAP".
But you can do LDAP for web authentication, that has no eap methods.
Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.
How to disable authentication for weblogic server
Hi expert,
I have a web application deployed on weblogic server 12c. And I have a client which connects to the web application. The client will authenticate with server with digest authentication (challenge\response). We use the default authentication in weblogic server and the authentication is done by weblogic server. And it works fine.
However, I want to run a performance testing to replay all client requests including the requests for authentication. Since it's challenge/response authentication mechanism, the original requests can not pass authentication and weblogic server replies 401. I want to know is there any way to disable weblogic authentication so that the authentication passes when I replay my original request?
Thanks very much!
Regards,
Yan
You can disable the security of the application in the web.xml. Here there is a security-constraint configured that tells WebLogic what to do, for example,
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All</web-resource-name>
    <url-pattern>/faces/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>MANAGER</role-name>
    <role-name>EMPLOYEE</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
If you put the security-constraint in comments, you can access the application, without authentication (note that the application itself probably uses the authentication in order to set certain things, so I do not know if this is going to work).
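A descriptor edited this way for a replay test should not reach a production build, so a pre-deployment check can parse web.xml and report where container-enforced protection is missing or weak. The following is an added example, not part of the original reply; the function names and the ACTIVE and COMMENTED sample descriptors are constructed around the constraint shown above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip any XML namespace so Java EE and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, *path):
    """Stripped text of the elements reached by following child names in path."""
    nodes = [parent]
    for name in path:
        nodes = [c for n in nodes for c in n if _local(c.tag) == name]
    return [(n.text or "").strip() for n in nodes]

def audit_web_xml(xml_text):
    """Return (url_pattern, finding) tuples describing weak or missing protection."""
    root = ET.fromstring(xml_text)  # XML comments are discarded by the parser
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return [("*", "no security-constraint: container enforces no authentication")]
    findings = []
    for sc in constraints:
        patterns = _texts(sc, "web-resource-collection", "url-pattern") or ["<no url-pattern>"]
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc)
        roles = _texts(sc, "auth-constraint", "role-name")
        guarantee = _texts(sc, "user-data-constraint", "transport-guarantee")
        for pattern in patterns:
            if not has_auth:
                findings.append((pattern, "no auth-constraint: open to unauthenticated users"))
            elif not roles:
                findings.append((pattern, "auth-constraint without roles: access denied to all"))
            if not guarantee or guarantee[0] == "NONE":
                findings.append((pattern, "transport-guarantee NONE: TLS not required"))
    return findings

# Constructed descriptors: the constraint from the reply, active and commented out.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>All</web-resource-name>
    <url-pattern>/faces/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>MANAGER</role-name><role-name>EMPLOYEE</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>"""
NS = 'xmlns="http://java.sun.com/xml/ns/javaee"'
ACTIVE = f"<web-app {NS}>{CONSTRAINT}</web-app>"
COMMENTED = f"<web-app {NS}><!-- {CONSTRAINT} --></web-app>"

if __name__ == "__main__":
    for name, doc in (("active", ACTIVE), ("commented out", COMMENTED)):
        print(name, audit_web_xml(doc))
```

A non-empty result for the commented-out descriptor can be used to fail the build, while the active descriptor is reported only for its `NONE` transport guarantee.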
1. In WLC GUI, Security > AAA > LDAP, what other User Base DN / User Attribute / User Object Type syntax to use when you have 2 or more OU (not pertaining to sub-OUs)? aside from using the domain alone, ex: dc=cisco,dc=com
2. Can OU be grouped in the active directory? then the WLC LDAP config will be pointing to the group created in the active directory?
Reference in configuring LDAP Web Authentication:
Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example, Document ID: 108008
Any help would be appreciated. Thank you in advance!
LDAP with web authentication only shows up in 5.0 config guides and later.
The 2006 only supports up to 4.2 software. I think this should answer your question :-) It's a no