LDAP Trusted Authentication XI 3.1

Similar Messages

• Open document SSO using trusted authentication.

  Hi ,
  I have a issue,
  We configured trusted authentication with SSO and it is working fine.
  Now we want to configure open document SSO for trusted authentication.
  We are using Remote _ user method for trusted authentication.
  Any one please help me on this.
  Thanks for your help advance.
  Thanks & Regards,
  Collin.

  The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
  Regards,
  Tim

• XI 3.1 SP2 QaaWS Trusted Authentication with WSDL

  Hi, there,
  QaaWS comes with a client tool to build query as a web service and provide corresponding WSDL to consume these services. We are not using Xcelsius, but using Apache Axis to access the query web service via WSDL.
  There's a [note from SMP KB|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361706E6F7465735F6E756D6265723D3134313434303726] that denoted the support for XI 3.1 SP2 and XI R2 SP5, but without further details:
  "XI 3.1 SP2 and XI R2 SP5 has the enhancement supporting Trusted Authentication but it's for Web Services (dswsbobje), isn't for LiveOffice."
  Our Java code generated from QaaWS WSDL works fine with correct user name and password.  I then setup the system so that trusted authentication works fine with InfoView, but the generate Java code failed to authenticate without providing a correct password.
  There're a few parameters in the dsws.properties file:
  trustedAuthentication.enabled = false
  #qaaws.principal.username=QaaWSServletPrincipal
  #qaaws.principal.password=
  Can someone explain how these parameters (and perhaps settings in the web.xml file for dswsbobje) need to be configured to get Trusted Authentication to work with Web Serivice Java SDK?
  Thanks in advance!
  Dafang Zhang

  I've used LoadRunner for this purpose before.  There is a tutorial that comes with the product.  My suggestion is to go through that and from there you should be able to get it working with enterprise.  I feel that's the best way to get up and running quickly.

• External LDAP for authentication

  Hi All,
  I want to use external ldap for authentication purpose with Access Manager.
  I tried adding this external ldap as a secondary ldap but couldn�t succeed.
  If I add this ldap in the primary ldap along with the AM�s own ldap, this also fails to authenticate users from the external ldap.
  How can I achieve this?
  I read many topics in this forum regarding this but none of them explain how it can be achieved.
  Please suggest.
  Thanks in advance.

  This is what the amconsole log says:
  ERROR: ConsoleServletBase.onUncaughtException
  java.lang.NullPointerException
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
       at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
       at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
       at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
       at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
       at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
       at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
       at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
       at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
       at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
       at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
       at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
       at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
       at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
       at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
       at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
       at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
       at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
       at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
       at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
       at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
       at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
       at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
       at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
       at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
       at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
       at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
       at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

• Cluster and trusted authentication

  I am using trusted authentication to log into BO server. Everything is set up correctly and working fine even with BO cluster.
  Recently, we created another cluster with separate set of servers. When try to connect to this cluster (using the cluster name) very weird thing is happening.
  When I try to log in using token - first attempt succeeds, second attempt fails, third succeeds, fourth fails..and so on.
  My doubt is that somehow two servers on the cluster are not communicating properly. So, if a token was generated for one server, it doesn't connect to another server. Has anyone seen anything like this before?  Where should I start looking in the cluster setup?

  Tokens aren't cluster member specific.
  You've mentioned Trusted Authentication and tokens, but token generation is separate from authentication, so what's the exact workflow going from Trusted Auth to token generation to token use?
  Sincerely,
  Ted Ueda

• Trusted Authentication using QUERY_STRING

  Hi All,
  We are trying to configure the Trusted Authentication using Query_String in XIR3.1
  We have customer portal ,where in login to custom web page and click on the link which routes to Infoview.We are configuring sso to bypass the credentials from webportal to Infoview home page.
  We have created a paramerter to pass the user information.We have made all the required changes for configuring trusted authentication,like:
  1) Enable Trusted Authentication in cmc.Enter shared secret in cmc
  2) Make changes to the web.xml file
  3) Create TrustedPrincipal.conf file
  In web.xml file we gave "trusted.auth.user.retrieval" as "QUERY_STRING" & "trusted.auth.user.param" as the parameter value we are using to pass the user information.
  If the parameter we are using is "MyUser" to pass the user information ,After configuring, we noticed that ,when we launch the url, "http://host:8080/InfoViewApp/logon/logon.do?MyUser=<username>"  we can directly login to Infoview without giving any credentials.We are not sure if we are moving in right direction? Is this how the QUERY_STRING work?
  We also noticed that,instead of giving any username if we give any other value the infoview home page opens up with Guest account?
  Thank you,
  Bill

  You should disable guest when using any method of SSO. Then anything placed in the URL other than a proper user would fail. And yes this is exactly how query string works (the username must be supplied in the URL). If looking for a more dynamic/secure method you will need to combine with a front end authenticator such as IIS, siteminder, etc and use one of our other methods such as remote_user, http_header, etc
  Regards,
  Tim

• WLC connect LDAP for Authentication, but could not connect to server

  Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following messgae:
  Service Port - Not connected
  Distrubution port include:
       Management Interface - in AP Management VLAN - 30
       Student AP interface - in Student VLAN - 20
       Staff AP interface - in Staff VLAN - 10
  AD is in Staff VLAN - 10
  WLC LDAP Server setting
  Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  User Attribute: sAMAccountName
  User Object Type: Person
  Debug aaa all enable message
  *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
  WLC GUI Log:
  *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  LDP Message of LDAP BaseDN:
  Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
  Result <0>: (null)
  Matched DNs:
  Getting 1 entries:
  >> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  4> objectClass: top; person; organizationalPerson; user;
  1> cn: Frankie F. Yeung;
  1> sn: Yeung;
  1> givenName: Frankie;
  1> initials: F;
  1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
  1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
  1> displayName: Frankie F. Yeung;
  1> uSNCreated: 3850555;
  1> uSNChanged: 3850571;
  1> name: Frankie F. Yeung;
  1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
  1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
  1> badPwdCount: 0;
  1> codePage: 0;
  1> countryCode: 0;
  1> badPasswordTime: 0;
  1> lastLogoff: 0;
  1> lastLogon: 0;
  1> pwdLastSet: <ldp error <0x0>: cannot format time field;
  1> primaryGroupID: 513;
  1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
  1> accountExpires: <ldp error <0x0>: cannot format time field;
  1> logonCount: 0;
  1> sAMAccountName: fckyeung;
  1> sAMAccountType: 805306368;
  1> userPrincipalName: [email protected];
  1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  Hope I can resolve this problem ASAP, thanks!

  Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
  The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
  But you can do LDAP for web authentication, that has no eap methods.
  Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

• XI 3.0 Trusted Authentication

  When setting up for Trusted Authentication, the TrustedPrincipal.conf file needs to be added to the BO install.  The documentation (Admin Guide) says that it needs to go to <drive>:\Program Files\Files\Business Objects\
  BusinessObjects Enterprise
  12.0\win32_x86\plugins\auth\secEnterprise. However, this folder no longer exists.  I've tried creating the folder and putting the file there.  I've also tried putting the file in just win32_x86.
  Where is this file supposed to go with the new version?
  Thanks!
  -Dell

  It should go in the <install>\BusinessObjects Enterprise 12.0\win32_x86 if on Windows.
  You can set the Java System property 'bobj.trustedauth.home' to specify a different folder.
  A good tool to determine where the Java Web App process is looking for the file is [Filemon|http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx].
  Sincerely,
  Ted Ueda

• Retrieve parameters from LDAP using authentication module

  I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
  I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
  OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
  This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
  The existing web applications are still querying existing LDAP other attributes there than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to web application as cookie or header value? Or is the forwarding feature only for attributes in Data Store?
  If the forwarding is not possible what is the next best alternative ?

  OpenSSO forum is quite silent so I'm back with you guys.
  I managed to solve the agent error log problem I mentioned before. The problem was about nonexisting attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed extra attributes and the authentication against LDAP started to work again.
  The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
  My LDAP looks like this:
  # testuser, pollo.fi
  dn: cn=testuser,dc=pollo,dc=fi
  cn: testuser
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  givenName: Test
  sn: User
  ou: People
  uid: testuser
  mail: [email protected]
  And my datastore configuration:
  LDAP server->localhost:389
  LDAP bind DN->cn=admin,dc=pollo,dc=fi
  LDAP organization DN->dc=pollo,dc=fi
  Attribute name mapping->empty
  LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
  LDAP3 Plugin search scope->scope_sub
  LDAP Users Search Attribute->uid
  LDAP Users Search Filter->(objectclass=inetorgperson)
  LDAP User Object Class->organizationalPerson
  LDAP User Attributes->uid, userpassword
  Create User Attribute Mapping->empty
  Attribute Name of User Status->inetuserstatus
  User Status Active Value->Active
  User Status Inactive Value->inactive
  LDAP Groups Search Attribute->cn
  LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
  LDAP Groups container Naming Attribute->ou
  LDAP Groups Container Value->groups
  LDAP Groups Object Class->top
  LDAP Groups Attributes->cn,description,dn,objectclass
  Attribute Name for Group Membership->empty
  Attribute Name of Unqiue Member->uniqueMember
  Attribute Name of Group Member URL->memberUrl
  LDAP People Container Naming Attribute->ou
  LDAP People Container Value->people
  LDAP Agents Search Attribute->uid
  LDAP Agents Container Naming Attribute->ou
  LDAP Agents Container Value->agents
  LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
  LDAP Agents Object Class->sunIdentityServerDevice,top
  LDAP Agents Attributes->empty
  Identity Types That Can Be Authenticated->Agent,User
  Authentication Naming Attribute->uid
  Persistent Search Base DN->dc=pollo,dc=fi
  Persistent Search Filter->(objectclass=*)
  Persistent Search Maximum Idle Time Before Restart->0
  Should I enable some setting still to get the forwarding going on? Any ideas for debugging?

• Trusted Authentication possible with Wed Sevices SDK? BOE - 3.1

  Hi,
  We are planning to upgrade to BOE 3.x. We have integrated our application with BOE using Wed Services SDK. I'd like to know if we can implement the trusted authentication using the web services APIs in BOE 3.x.
  Apparently the question was posted here before but no answers -
  Re: trusted authentication.
  Thanks
  Manas

  XI 3.1 Service Pack 2.
  Configure Trusted Authentication on the CMC.   Ensure TrustedPrincipal.conf file with the shared secret is in the <INSTALL>/BusinessObjects Enterprise 12.0/win32_x86 folder.
  If you look in dswsbobje/WEB-INF/classes/dsws.properties, you'll see a property trustedAuthentication.enabled set to false.
  Set it to true, then restart the dswsbobje Java Web Application Server.
  Then you only need to pass in domain (CMS name) and username to the Session Web Services for logon.
  Note that if you do the above, it'll use Trusted Authentication for all requests coming into dswsbobje - i.e., no longer need to pass in passwords.
  So you really need to put something in front of dswsbobje, to authenticate any requests going in.
  Sincerely,
  Ted Ueda

• Trusted Authentication

  Is it possible to open session with BO server using Trusted Authentication?
  Regards,
  Aleksejs

  Yes, you can.  (I only have the java code summary - but it should give you an idea for what to do in .NET)
  SYNOPSIS:
  How to use Trusted Authentication with SSO to InfoView using Enterprise Session?
  There may be a situation where only the enterprise username is known in the custom application. Trusted Authentication can come pretty handy.
  SOLUTION:
  Setup the Trusted Authentication first:
  I. Enable Trusted Authentication in BOE.
  1. Logon to Central Management Console with Administrator
  2. Click on "Authentication"
  3. Check the "Trusted Authentication is enabled"
  4. Enter the "Shared secret"
  5. Click Update
  II. Create/edit TrustedPrincipal.conf
  1. Create or open C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterpise\TrustedPrincipal.conf
  2. Type in u201CSharedSecret=<shared secret value>u201D (without double quotes)
  3. Save the file.
  III. Deploy custom JSP
  1. Create a JSP in <webapps>/businessobjects/enterprise115/desktoplaunch/InfoView/logon.
  2. Cody and paste in the following code:
  <%@ page import = "com.crystaldecisions.sdk.framework.CrystalEnterprise"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ISessionMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.IEnterpriseSession"%>
  <%@ page import = "com.crystaldecisions.sdk.occa.security.ILogonTokenMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ITrustedPrincipal" %>
  <%
  // Logon to CMS using without password
  ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");
  IEnterpriseSession enterpriseSession = sessionMgr.logon(trustedPrincipal);
  // Store Enterprise session in HttpSession     
  session.setAttribute("MyEnterpriseSession", enterpriseSession);
  // Construct URL and redirect to InfoView start page.
  // ivsEntSessionVar is the reference to the HttpSession variable.
  String url = "http://<server name>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/start.do?ivsEntSessionVar=MyEnterpriseSession";
  response.sendRedirect(url);
  %>
  3. Go to the URL http://<servername>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/logon/<JSP file>.jsp
  Note: JSP does not have to be in /desktoplaunch/InfoView/logon folder but JSP should be in >/businessobjects context.
  Extra Note -
  A new API method has been introduced with BEXI R2 MHF1 for Trusted Authentication that removes the need for the TrustedPrincipal.conf file.  You can now specify the shared secret using the following method:
  ISessionMgr.createTrustedPrincipal(java.lang.String userName, java.lang.String cmsName, java.lang.String sharedSecret)
  So, you can eliminate Part II from the steps above and use this method call:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>", u201Csharedsecretu201D);
  instead of the old method:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");

• Trusted authentication from two systems to BOXI

  Hi,
  We have a system that currently uses trusted authentication to direct users to infoView.  Is it an option for us to use trusted authentication from SharePoint to BOXI at the same time? BOXI 3.1 SP5.
  Thanks,
  Sam

  Hi Sam,
  Looks like this is possible. Please refer
  http://help.sap.com/businessobject/product_guides/boexir31SP4/en/xi31_sp4_ivforsp_admin_en.pdf
  I can see tags related to trusted authentication in the guide.
  Hope it helps.
  Regards
  Chinmaya

• LDAP Web Authentication

  1. In WLC GUI, Security > AAA > LDAP, what other User Base DN / User Attribute / User Object Type syntax to use when you have 2 or more OU (not pertaining to sub-OUs)? aside from using the domail alone, ex: dc=cisco,dc=com
  2. Can OU be grouped in the active directory? then the WLC LDAP config will be pointing to the group created in the active directory?
  Reference in configuring LDAP Web Authentication:
  Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example, Document ID: 108008
  Any help would be appreciated. Thank you in advance!

  LDAP with web authentication only shows up in 5.0 config guides and later.
  The 2006 only supports up to 4.2 software. I think this should answer your question :-) It's a no

• How do we use SSO for both Windows AD and Trusted authentication?

  We want to have the majority of our users access the BO 4 BI Launchpad using SSO with Windows AD authentication.  We have set this up and it's working ok.  We also have a subset of external users and need to configure SSO with Trusted authentication for their Enterprise accounts.  Support says we can only have SSO for one authentication type.  I'm assuming we can work around this by installing a 2nd Tomcat instance on our Linux server.  Has anyone done this type of config successfully?  Any other ideas would be greatly appreciated.  Thanks!

  Hi Collins,
  BOE's CMS can be accessed from multiple application servers.
  Please have a look on this new article [here|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00240702-8343-2f10-ed9a-85ece14c93db] .
  You may use this method for other application servers(not only NW) but just dont add the file "web-j2ee-engine.xml" as its not  needed.
  regarding sections 4.2.4 on the document, On one application server just set "authentication.default" property under the file BIlaunchpad.properties, to "secWinAD"(for win AD). and on the other set it to "secEnterprise".
  please report any problems you may encounter,
  thanks,
  Idan

• Windows AD and Trusted Authentication

  Do you have to use IIS as the webserver when installing on a Windows platform and trying to implement SSO?  Unfortunately, using standard AD and Kerberos is NOT an option.  Without having to implement extra coding out of the box, can you implement SSO with trusted authentication using Windows AD accounts to be passed to the CMS and using Apache/Tomcat as the Web and app server?

  OK.  IF I can use Tomcat as web and app server in the WIndows Server environment, What retrieval method would you recommend (ie. Remote_user, Query_String, etc).  I have successfully tested query string, however, that would require a way to capture the AD account of every user.  This is where I have not found documentation or examples without IIS being utilized.