LDAP user authentication on EP6 built on NW04 abap+java

Hello,
Our customer insisted we install his EP6 system as an ABAP+JAVA system. He asked that users logging in to the portal be authenticated (username and password) against their directory service via LDAP. Because the EP6 is built on ABAP+JAVA, and not only JAVA, I cannot use the portal or Visual Administrator tools to make LDAP the source User Management system.
I have been looking all day in the SAP online help and I do not see any instructions on how to configure user+password logon authentication via LDAP on an ABAP-based UME system. The most I have managed was to set up the connection from the EP6 system to LDAP via transaction LDAP and bring up the LDAP connector.
I need to know how to proceed from here.
Thanks
Boaz

Hello,
I would add a note that this configuration is not supported.
However, please look at the following link, which relates to an ABAP system; I refer to the bolded section.
http://help.sap.com/saphelp_nw2004s/helpdata/en/aa/a17941601b050de10000000a1550b0/frameset.htm
The following is mentioned in this link:
The user password is not transferred from the SAP Web AS to the LDAP directory during the synchronization of the user data. You must therefore maintain the user password with one of the following options:
  • You specify the passwords centrally in the LDAP server. The users must log on using the UME, are authenticated with the LDAP server, receive a logon ticket and can then access all systems with Single Sign-On. In this case, all systems must be configured so that they accept logon tickets.
  • You specify the passwords in a decentralized way, both in the CUA and in the LDAP directory (or in the UME). In this case, the CUA systems do not need to accept logon tickets.
What is the meaning behind this?
Thanks
Boaz

Similar Messages

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix 3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration that is working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to get the Android devices running. For this reason I have not done this yet.
    I followed these steps:
    1- Create a new tenant
    2- Configure LDAP integration
    3- Create an inventory policy with authentication required
    4- Create a static group associated to the inventory policy
    5- Create an enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then shows the message "user or password incorrect".
    I have looked at the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.


  • System copy NW04S ABAP+Java same host

    Hi All
    I have this dev system ECC 6.0 (SAP_SID and DB_SID: D01), an ABAP+Java system, and Enterprise Portal 7.0 (SAP_SID and DB_SID: P01) on the same host (hostname: host1). Now I need to do a system copy of the D01 ABAP+Java system to build a new system D02 on the same host, host1. It's Oracle 10g/Solaris 10.
    My understanding is, after all preparations, to run sapinst with the 'database-independent procedure' to export ABAP+Java at the same time, which creates the Migration Export CD image. Does anyone know of any issues with system copies on the same host? I think I don't need to install the Oracle software as it's already there, right? I need to get the Oracle and SAP directories created for the new system D02; please correct me.
    Thanks
    Ali

    Hi,
    My understanding was to have the same installation of ABAP+JAVA (your case), which will install Oracle and everything else automatically... and launch sapinst >> system copy >> then export to any folder, and move that folder to the target system. In the target system, launch sapinst >> system copy >> and import.
    Thanks,
    Feel free to revert back.

  • [VMWare][NW04s ABAP & Java Trial] Error 115 : Operation now in progress

    Hi,
    VMWare player has been stopped abruptly and now I got this message for the SAP Gui.
    partner 'ivml2005:3242' not reached
    Error 115
    'operation now in progress'
    Thanks in advance for your help.
    Best regards,
    Guillaume

    Closed (no answer)

  • Off and On LDAP User Authentication

    Before I get started describing my issue, I would like to warn everyone that I am new to Solaris administration and Solaris in general. So please pardon me if I misspeak or don't initially provide enough information.
    I am having trouble with LDAP user authentication. I am using ldapclient to perform the mapping of user information from our Win2k3 Domain Controllers (running SFU) to our Solaris 10 box. When I configure the system initially everything works fine. For example, I can run:
    getent passwd <AD_username>
    and get all the attributes that SFU provides and log in via SSH with valid AD credentials. However, for some reason after a period of time (not sure if it is a fixed period of time or variable) LDAP authentication will stop working, denying everyone with valid AD credentials. I have tried looking in almost every log file I can think of (/var/adm/messages, /var/ldap/cache_mgr) and there are no error messages from ldapclient. Similarly on the domain controllers I do not see any failed security audits nor any failed LDAP requests.
    Any ideas on what could be causing this sort of behavior?
    If it helps, I followed the following guide when configuring AD integration:
    http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/
    Listed below is my ldap_client_file (sensitive information removed):
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= <my_dc>
    NS_LDAP_SEARCH_BASEDN= dc=<my_domain>,dc=<extension>
    NS_LDAP_AUTH= simple
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=<my_domain>,dc=<extension>?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:dc=<my_domain>,dc=<extension>?sub
    NS_LDAP_ATTRIBUTEMAP= shadow:uid=msSFU30Name
    NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=msSFU30Password
    NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=msSFU30ShadowFlag
    NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=msSFU30LoginShell
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=msSFU30HomeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:uid=msSFU30Name
    NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=msSFU30UidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=msSFU30GidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=displayName
    NS_LDAP_ATTRIBUTEMAP= group:gidnumber=msSFU30GidNumber
    NS_LDAP_ATTRIBUTEMAP= group:memberuid=msSFU30UidNumber
    NS_LDAP_ATTRIBUTEMAP= group:userpassword=msSFU30Password
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

    Here is the information that is present in /var/adm/messages:
    Jan 24 15:22:53 shiva.cs.uwec.edu sshd[9533]: [ID 800047 auth.crit] monitor fatal: login_init_entry: Cannot find user "thompstd"
    Jan 24 15:22:53 shiva.cs.uwec.edu sshd[9536]: [ID 800047 auth.crit] fatal: Monitor not responding
    Jan 24 15:25:43 shiva.cs.uwec.edu statd[280]: [ID 766906 daemon.warning] statd: cannot talk to statd at sgs2.uwec.edu, RPC: Timed out(5)
    Jan 24 15:25:47 shiva.cs.uwec.edu sshd[9508]: [ID 800047 auth.crit] monitor fatal: login_init_entry: Cannot find user "butallmj"
    Jan 24 15:25:47 shiva.cs.uwec.edu sshd[9511]: [ID 800047 auth.crit] fatal: Monitor not responding
    Jan 24 15:25:58 shiva.cs.uwec.edu statd[280]: [ID 766906 daemon.warning] statd: cannot talk to statd at sgs2.uwec.edu, RPC: Timed out(5)
    Jan 24 15:26:13 shiva.cs.uwec.edu statd[280]: [ID 766906 daemon.warning] statd: cannot talk to statd at sgs1.uwec.edu, RPC: Timed out(5)
    Jan 24 15:26:28 shiva.cs.uwec.edu last message repeated 1 time
    The statd warnings continue on and we see the two users (thompstd, butallmj) failing to authenticate. Right before the authentication errors I see the following:
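
An added example, not part of the original post, that rejoins /var/adm/messages records wrapped at 80 columns like those above and separates "Cannot find user" (sshd could not resolve the account through the name service, i.e. the ldapclient/ldap_cachemgr lookup path) from password rejections, so the triage points at the directory lookup rather than at the users' credentials. Host and user names in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the /var/adm/messages style quoted above, with records
# wrapped at 80 columns the way they appear on the page. Host and user names
# are placeholders, not the poster's data.
SAMPLE_MESSAGES = (
    'Jan 24 15:22:53 host1.example.edu sshd[9533]: [ID 800047 auth.crit] monitor fata\n'
    'l: login_init_entry: Cannot find user "alice"\n'
    'Jan 24 15:22:53 host1.example.edu sshd[9536]: [ID 800047 auth.crit] fatal: Monit\n'
    'or not responding\n'
    'Jan 24 15:25:43 host1.example.edu statd[280]: [ID 766906 daemon.warning] statd: \n'
    'cannot talk to statd at nfs1.example.edu, RPC: Timed out(5)\n'
    'Jan 24 15:25:47 host1.example.edu sshd[9508]: [ID 800047 auth.crit] monitor fata\n'
    'l: login_init_entry: Cannot find user "bob"\n'
    'Jan 24 15:25:47 host1.example.edu sshd[9511]: [ID 800047 auth.crit] fatal: Monit\n'
    'or not responding\n'
    'Jan 24 15:26:28 host1.example.edu sshd[9520]: [ID 800047 auth.crit] monitor fata\n'
    'l: login_init_entry: Cannot find user "alice"\n'
)

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
TS_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
# sshd could not resolve the account at all (name service / ldapclient path).
NOT_FOUND_RE = re.compile(r'login_init_entry: Cannot find user "([^"]+)"')
MONITOR_RE = re.compile(r"fatal: Monitor not responding")
# The account resolved but the password or keyboard-interactive exchange failed.
BAD_CRED_RE = re.compile(
    r"Failed (?:password|keyboard-interactive)(?:/pam)? for (?:invalid user )?(\S+)")


def join_wrapped(text):
    """Rejoin records that a terminal or mail client wrapped at 80 columns."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += line  # wrapped mid-word, so no separator is added
    return records


def classify(record):
    """Return (kind, user) for one rejoined syslog record."""
    m = NOT_FOUND_RE.search(record)
    if m:
        return "user_not_found", m.group(1)
    if MONITOR_RE.search(record):
        return "monitor_down", None
    m = BAD_CRED_RE.search(record)
    if m:
        return "bad_credential", m.group(1)
    return "other", None


def summarize(text):
    """Count record kinds and collect the distinct users behind each failure."""
    counts = Counter()
    unknown, rejected = [], []
    for rec in join_wrapped(text):
        kind, user = classify(rec)
        counts[kind] += 1
        if kind == "user_not_found" and user not in unknown:
            unknown.append(user)
        elif kind == "bad_credential" and user not in rejected:
            rejected.append(user)
    return {"counts": dict(counts), "unknown_users": unknown,
            "rejected_users": rejected}


def diagnose(summary):
    """'lookup': the directory lookup itself is failing (check ldapclient and
    ldap_cachemgr state, e.g. with getent passwd); 'credential': the accounts
    resolved and the passwords were rejected; 'mixed': both kinds were seen."""
    c = summary["counts"]
    not_found = c.get("user_not_found", 0)
    bad_cred = c.get("bad_credential", 0)
    if not_found and not bad_cred:
        return "lookup"
    if bad_cred and not not_found:
        return "credential"
    if not_found:
        return "mixed"
    return "none"


if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGES)
    print(s["counts"], "unknown:", s["unknown_users"], "verdict:", diagnose(s))
```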

  • User authentication in a linux ldap server

    Does anyone know how to make user authentication of Mac OS X (10.4.7) clients work against a Linux (SuSE 9.2) server running LDAP? I can't figure out how to do this.
    Thanks, and sorry for the bad English.

    Not sure this will help, but perhaps reverse thinking this would be a clue...
    http://docs.info.apple.com/article.html?artnum=106365

  • User Authentication failed on configuring LDAP

    Hi,
    I had configured MS ADS Read-Only Deep Hierarchy + Database as my data source; earlier it was "Database only". Once I did the new configuration to ADS+Database, the test connection was successful, and then I restarted the server.
    When I try to log in it says user authentication failed. When I check for a particular login ID, say "testuser", in User Administration it gives 2 results for the same login ID, one coming from UME and the other from LDAP.
    To resolve this conflict, do I need to delete one of the login IDs from either UME or LDAP, or is there any other solution by which I can resolve this issue?
    Regards,
    Ravi.

    Ravi
    If the user ID is the same in the portal UME as well as in LDAP there will be a conflict, and you need to delete the ID in one place, or if you want both you need to change the ID.
    Thanks
    Lakshmi
    Reward points if useful !!

  • LDAP user no longer able to log in

    We have CQ 5.3 set up using LDAP authentication. We have one user who has been using CQ with her AD user ID/password for over a year with no issues, but she came in one day and now it's saying her user ID and password don't match.
    We've tried on multiple different instances of CQ and she gets the same message every time. She is able to log into other applications that use LDAP for authentication just fine. We have tried restarting CQ to see if that resolves the issue and it hasn't. I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact? This started happening a week ago.

    Hi Jennifer,
    Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
    Hope this helps.
    Ron

  • Server App not seeing external LDAP users & groups

    I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
    When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
    I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
    Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
    This is all so much more opaque than our superbly reliable Snow Leopard servers!
    TIA

    Ok, and again:
    You want to see users and groups which are stored in a third-party directory service like OpenLDAP in your Server.app? This is what you have to do:
    Connect the third-party LDAP to your server
    Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to log in with them
    When you see your LDAP entry in the Directory Manager, change it from "From Server" to "RFC2307"
    Edit the entry, add the following mapping to it: GeneratedUUID maps to apple-generateduuid
    To your group and user entries in the external LDAP add the following attribute: apple-generateduuid gets the value taken from the output of "uuidgen"
    Feel lucky
    And there it is; now you are able to use the accounts taken from an external LDAP.

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added to this Administrators group.
    The problem that I am having is, when I modify the Admin role to which the Administrators group should be added, what exactly should I give in the Admin role? Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here I am not sure what to do.
    Also, if the external LDAP authentication provider is the only provider, then I need to give the user information in the boot.properties file as well for WebLogic to boot properly. Now, what should I give there as the user? Still the complete DN??
    Regards,
    Neeraj Tati.

  • End-to-End user authentication with XI

    Dear community,
    we are in a situation where the customer wants to have end-to-end authentication throughout an integration process.
    The setup is as follows: a dialog-user in a legacy system uses an application that triggers an integration process through XI into SAP ERP. The dialog-user in the legacy system must be used for authentication in XI as well as SAP ERP.
    To avoid having to re-create all users in XI and SAP ERP, ideally an LDAP instance would be used for authentication.
    Based on my knowledge, the above scenario is not possible with XI and there is a 2 year old thread discussing the same without any positive outcome:
    XI and user authentication VS R/3 systems
    Nevertheless I consider this requirement as a pretty standard one. Has there been any development in this area - or how have similar customer requirements been met ?
    Thanks a lot in advance !
    Jochen

    Hi Jochen,
    I've heard rumours saying that credential forwarding will be incorporated in the next XI release, as it is a rather frequent requirement from customers and will make life much easier.
    Maybe you can get a statement through your client's SAP account representative on the release date and the planned feature.
    Regards
    Christine

  • GRC AC 10.0 - CUP User Authentication

    Hi All
    We have installed GRC AC 10.0 as a part of a ramp-up implementation. We will soon start with the configuration steps. For the user interface we have 2 options: (1) NWBC, (2) Portal. The architecture of GRC AC 10.0 is based on Web Dynpro ABAP.
    Now we had a question: if we choose NWBC as the front end, then how do we integrate LDAP for CUP user authentication?
    If we need to integrate LDAP as an authentication source for users in CUP, do we have only the option of going with Portal as the user interface?
    Please advise.
    Thank you.
    Anjan pandey

    > That feature in AC 10.0 is called End User Login and will have its own URL to access via browser.
    Thanks Frank for your response. I did go through the RKT documents and it seems that there is a link through which the end users will create requests. We have also planned to set up LDAP connectivity for user authentication.
    Thanks.
    Anjan Pandey

  • External LDAP for authentication

    Hi All,
    I want to use external ldap for authentication purpose with Access Manager.
    I tried adding this external ldap as a secondary ldap but couldn't succeed.
    If I add this ldap in the primary ldap along with the AM's own ldap, this also fails to authenticate users from the external ldap.
    How can I achieve this?
    I read many topics in this forum regarding this but none of them explain how it can be achieved.
    Please suggest.
    Thanks in advance.

    This is what the amconsole log says:
    ERROR: ConsoleServletBase.onUncaughtException
    java.lang.NullPointerException
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)

  • SAP User Authentication via Windows Active Directory

    The non-profit company I work for as an SAP Security Admin has been using SAP since 1999. We are currently running ECC 6.0, BI 7.0, and CRM 7.0. With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently.
    The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & categorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication. Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password. If you can log onto your PC, you can log into the time-keeping software.
    That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future. I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory). My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually related to single sign-on, LDAP, etc. The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer. It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple. Can anyone lead me to a more straightforward solution? If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping software?

    > Gagan Deep Kaushal wrote:
    > Hi Tim,
    >
    > It's nice to see the video.
    >
    > Does that mean that using different usernames at the OS and SAP level we can still achieve SSO?
    >
    > Correct me if I am wrong.
    > The only thing we need to maintain is the SNC name.
    Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and the MS AD domain, but this cannot sync the password, so using SNC authentication instead of SAP passwords is ideal.
    >
    > So for user test1 I can manage the name as p:test2?
    Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in the AD domain might have a long account name, e.g. "firstname.verylonglastname", which is too big for use as an SAP username, so you can map this long AD account name onto an SAP user called FIRSTLAST in one or more SAP clients.
    >
    > I think that is what Ronald is also looking for; the user name need not be the same.
    >
    > Regards,
    > Gagan Deep Kaushal

  • How to enable only a subset of LDAP users to be able to login to OBIEE

    We have enabled LDAP authentication. Now every single LDAP user can log in to the Presentation server. That is an issue. Not all LDAP users are OBIEE users. Only a small subset of the LDAP users should be able to access OBIEE. We have a database table that lists all OBIEE users. This table, however, does not have user password information. User password information is stored in the LDAP.
    So the question is: how do we limit OBIEE access to only OBIEE users and not all LDAP users?
    Thank you

    Thanks for your suggestion. If I understand it correctly, the user will still be able to log in to the Presentation server but will not have access to any content using your solution approach. Did I get it right?
    In my current setup, the user gets authenticated against LDAP, then I extract the user group for that user and assign it to GROUP. Only those users who have access to OBIEE get assigned to GROUP. We have secured the RPD and Catalogs so that a user must be a member of at least one GROUP to be able to access content.
    Right now, an LDAP user who is not present in the OBIEE user table is able to log in to the BI Presentation server but is not able to see anything, because the user gets authenticated but does not have any authorization rights. So far so good.
    I would like to take the next step, where user login to the BI Presentation server is denied if the user ID does not exist in the OBIEE user table (but exists in the LDAP).
    Thank you
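    The two-stage gate this thread is asking for (authenticate against the directory first, then let the application's own user table decide whether the logon is accepted at all, rather than only whether content is visible), as an added Python example that is not part of the original post or of OBIEE itself. The directory and the user table are constructed in-memory stand-ins; `ldap_authenticate`, `gate_logon` and the reason codes are hypothetical names, and a real deployment would replace the stand-in with an LDAP simple bind.

```python
"""Added example: LDAP authentication followed by an application allowlist gate."""
from dataclasses import dataclass, field
import hmac

# Constructed stand-in for the LDAP directory: uid -> (password, directory groups).
# In production this dict is replaced by a bind against the real directory.
FAKE_DIRECTORY = {
    "alice": ("alice-pw", {"finance", "bi_users"}),
    "bob":   ("bob-pw",   {"hr"}),
    "carol": ("carol-pw", {"bi_users"}),
}

# Constructed stand-in for the application's user table: user IDs only, no passwords.
APP_USER_TABLE = {"alice", "carol"}

# What the client is told on failure: one generic message, so the response does not
# reveal whether the ID exists in the directory or in the application table.
GENERIC_FAILURE = "Logon failed"


@dataclass(frozen=True)
class LogonDecision:
    allowed: bool
    reason: str                      # detailed reason, for the server-side audit log only
    groups: frozenset = field(default_factory=frozenset)

    def user_message(self) -> str:
        return "Logon successful" if self.allowed else GENERIC_FAILURE


def ldap_authenticate(user_id: str, password: str) -> bool:
    """Stand-in for an LDAP bind: True only if the credentials match the directory."""
    entry = FAKE_DIRECTORY.get(user_id)
    if entry is None:
        return False
    # Constant-time comparison so the check does not leak the password via timing.
    return hmac.compare_digest(entry[0], password)


def gate_logon(user_id: str, password: str) -> LogonDecision:
    # Step 1: authentication. Credentials are verified by the directory, never stored here.
    if not ldap_authenticate(user_id, password):
        return LogonDecision(False, "bad_credentials")
    # Step 2: authorization gate. A valid directory account that is not in the
    # application's user table is refused at logon, not merely shown an empty portal.
    # The table is checked only after a successful bind, so unauthenticated callers
    # cannot use this gate to enumerate which IDs are application users.
    if user_id not in APP_USER_TABLE:
        return LogonDecision(False, "not_an_app_user")
    groups = frozenset(FAKE_DIRECTORY[user_id][1])
    return LogonDecision(True, "ok", groups)
```

    The `reason` field is meant for the audit trail; only `user_message()` should reach the browser.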
