LDAP user group

I have configured the LDAP to connect to the AD. I can see the required Roles in the "Roles to Map" Tab on LDAP user Configuration.
I am able to import the Users.
I am able to see the groups in the SAP xMII Menu -> Portal Services -> Navigation tab and also in SAP xMII Menu -> Security Services -> System Security.
But when i assign pages to the Roles and Login with the Users under the Role. The Navigation menu doesnt show the pages linked to the role. When i tried accessing the property using http://<server name>/Lighthammer/PropertyAccessServlet?Mode=List, It shows that the user doesnt belong to any roles(blank space in place of roles).
However, when i try to check the same using LDAP queries (Select Roles for User & Select Role by Distinguished Name) it shows that the user belongs to the group to which i assigned the pages in the SAP xMII Menu -> Portal Services -> Navigation Menu.
Does it have something to do with the Role mapping in the LDAP user configuration? I havent assigned any of the groups(including the one i want) to any of the default xMII roles.
I also tried assigning all the roles to all the services in xMII. It still shows that the user doesnt belong to any group. Manually if i assign to any group through SAP xMII Menu ->Security manager ->Roles ->Admin, it works fine. But, as the imported groups are not listed in the security manager I cannot manually assign these users to the groups(also i cannot do this for all the users, even if it was possible)
Any ideas?

I tried assigning the user to the Everyone group and also checked the Logs. Below are the results:
cmsseclogin.log
2007-11-28 17:12:04,097 [login] IP 64.240.152.5 - Successful login for user a0000, service url http://phixmiiqas01.sbs.int/Lighthammer/
2007-11-28 17:12:04,534 [login] IP 10.144.18.63 - Ticket has been validated for user a0000
cmssecurity.log
2007-11-28 17:12:04,472 [ServletExec: request: time=1196287924456, uri=/LHSecurity/validate] WARN Validate - Proxy URL requested [http://phixmiiqas01.sbs.int], is not a authorized proxy
no luck so far!!

Similar Messages

How to only synchronize one specific LDAP user group with SAP?

Hi,
Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
Thanks, Oscar

We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
Then we also have a constant for the LDAP_STARTING_POINT
For our AD Group Initial Load we filter according to these settings:
LDAP_FILTER_GROUPS = (objectclass=group)
LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
The above example only reads AD groups starting at the specified OU
Then in a Job From LDAP Pass the LDAP URL looks like this:
LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
I hope this helps
Paul

Server App not seeing external LDAP users & groups

I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
This is all so much more opaque than our superbly reliable Snow Leopard servers!
TIA

Ok, and again:
You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
Connect the third party ldap to your server
Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
Feel lucky
And there ist ist; now you are able to use The accounts taken from an external LDAP.

LDAP user groups not visible for configuring a Group Portal

Hi,
We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
I've added the Novell LDAP Authentication provider as the authentication provider
and then set "myRealm" as the default realm for the domain. I am able to start
the WLS server instance and login to portalAppTools with the "administrator" account.
We would like to configure a Group Portal. In Portal Administration interfaces,
when I click on Group Administartion, I am unable to see any of my external LDAP
groups. I know that we cannot create/delete users or groups in the external LDAP
repository thru the Admin UI but the documentation says that I should be able
to view the users/groups in the Admin UI. Authentication against the external
LDAP repository works fine. Can anybody suggest the reason why we are unable to
view any of the Users or Groups in our external LDAP repository thru the User
Administration interfactes.
Appreciate any feedback.
Thanks
Vikram

Hi Jim,
I've configured a default LDAP V2 Compatibility Realm by modifying the Config.xml
file. I was able to restart Weblogic and see the LDAP Groups and Users thru the
WLS console. In our project we've a unique requirement wherein all Application
Groups and User Accounts would be stored in an LDAP repository and all BEA SERVICE
level accounts and groups are stored in a Database (groups like AdminEligible,
Administrators etc.). We need to be able to look at the groups in both the Database
and LDAP repositories in order to administer and configure a Group Portal. On
the outset it looks like we will not be able to do what we want to with the current
portal framework. Please suggest if there are any alternatives in order to implement
this solution. I am sure there are lot of other Clients who cannot create groups
like Administrators, AdminEligible etc in their LDAP repositories and will be
forced to think of alternatives.
I would appreciate if you can reply back at your earliest convenience.
Thanks
Vikram
Jim Litton <replyto@newsgroup> wrote:
The Weblogic 7.0 Authentication Providers (new JAAS Framework) is not
supported with Portal 7.0. You will need to configure the Compatibility
Security CustomRealm for Novell to try to get Portal working.
see defaultLDAPRealmForNovellDirectoryServices at
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1083149
In addition, remember to test functionality through the Weblogic
Console. If you can see groups and users there okay it is very likely
that Portal will operate.
-- Jim
Vikram wrote:
Hi,
We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2in which
I've added the Novell LDAP Authentication provider as the authenticationprovider
and then set "myRealm" as the default realm for the domain. I am ableto start
the WLS server instance and login to portalAppTools with the "administrator"account.
We would like to configure a Group Portal. In Portal Administrationinterfaces,
when I click on Group Administartion, I am unable to see any of myexternal LDAP
groups. I know that we cannot create/delete users or groups in theexternal LDAP
repository thru the Admin UI but the documentation says that I shouldbe able
to view the users/groups in the Admin UI. Authentication against theexternal
LDAP repository works fine. Can anybody suggest the reason why we areunable to
view any of the Users or Groups in our external LDAP repository thruthe User
Administration interfactes.
Appreciate any feedback.
Thanks
Vikram

LDAP User Groups

Is it possible to use LDAP to authenticate users based on credentials including that they are a member of a group? The LDAP setup screens do not seem to allow this functionality right off the bat, has anyone written any scripts that may do this? Thanks.

Hey John,
Yep we find it much easier using our OID for users and groups and authenticating/authorizing against it. With over 3500 staff and faculty having the potential of accessing our applications, we never even contemplated using the application userDB. The only drawback that I'm having is the inability of adding users into the OID groups (I can create a group and add initially, but have no edit capability once I submit - (am told to allow editing one group opens the ability to edit any group.. :( )), but we have an APP DBA who is handling that part for us. Overall, we find this much easier to use as we would otherwise have to replicate that userbase into the APP userDB.
Thx,
cliff

How java will identifies LDAP user groups to admin/normal users -BOXIi3.1

Hi all,
We have successfully implemented Java interface with BOXI3.1.Now our client wants to move to LDAP Configuration in CMC.
If we use LDAP configuration, is java login page will identify the user role(wether user is admin group/normal group).
we have used below API for enterprise authentication:
IEnterpriseSession enterpriseSession;
ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
enterpriseSession = sessionMgr.logon(userID, password, CMS, auth);
auth=<secEnterprise> is it enough to use auth=<secLDAP>
or do we need to add any code/API for this requirement.
Thanks,
Subash

Use secLDAP as the authentication type, and ensure both the CMS and your Java Web App Server machines can connect to the LDAP server.
Sincerely,
Ted Ueda

LDAP Users and Groups

Hi,

I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:

com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.


It seems that this needs to be setup. How do I do this?


Some general notes on LDAP:

I think that in a production environment it is of great value to manage users and groups in a LDAP directory. For instance we have a company directory which contains all users. It seems that users from LDAP can not been added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
As in previous weblogic releases the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually managing LDAP users and groups in one place would be a tremendous improvement for us.

Another thing on my wishlist are examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out of the box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.

It would be interesting to read what Bea and other developer think about this.

Kind regards,

Kai


Marcus,
Yes, I am using 9.2 TP.
We are already using LDAP for user management with 8.1.
Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
java.lang.NullPointerException at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122) at util.tree.TreeController.constructTree(TreeController.java:142) at util.tree.TreeController.buildTree(TreeController.java:422) at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source) at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285) at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336) at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)
java.lang.NullPointerException
java.lang.NullPointerException
at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
at util.tree.TreeController.constructTree(TreeController.java:142)
at util.tree.TreeController.buildTree(TreeController.java:422)
at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

HT4837 3rd Party LDAP users in local groups aren't recognized by wiki

Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?

Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, but LDAP users placed into local groups cannot. Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login. A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?

Ldap schema extension to control which users / group are imported

Hello,
would like to have your opinion:
would it be a good idea to implement ldap schema extensions to control
which users / group are imported and controlled from ldap in a ldap
mastered installation?
e.g. we could implement the following schema extension for users:
attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME ( 'BogusisBeehiveUser' )
 DESC ''
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# BogusinetOrgPerson
# The BogusinetOrgPerson is derived from inetOrgPerson
objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
NAME 'BogusinetOrgPerson'
 DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
SUP inetOrgPerson
STRUCTURAL
 MAY (
 BogusisBeehiveUser )
Then we could control the inclusion in beehive by simply switching
BogusisBeehiveUser on or off.

sure; that's pretty much what is talked about in the Install Guide for LDAP Integration under the "inclusion and exclusion" section, about here:
http://download.oracle.com/docs/cd/E14897_01/bh.100/e14830/ldap.htm#CHDEFFJF
that doesn't go into the specifics of how you might want to design your objectClass schemas, though, as beehive is agnostic to that.
If you don't want to provision all users that match a certain existing rule (like everyone under dn=foo, or everyone where userType=employee), then adding a new attribute and building the profile inclusion rule around it is a valid thing to do.
richard

Fatal error 78: Cannot connect to User Group LDAP Server

After configuring Calendar server when trying to start:
give following error:
# ./start-cal
Restarting calendar services
Stopping all calendar services
Starting all calendar services
# enpd is started
csnotifyd is started
csadmind is started
Fatal error 78: Cannot connect to User Group LDAP Server
cshttpd is not started
Calendar service(s) not started
cshttpd is not started
Calendar service(s) not started
Following logs are from http logs of calendar server
[13/Sep/2004:22:02:47 +0100] Vigor11 cshttpd[17916]: General Information: Log created (1095109367)
[13/Sep/2004:22:02:47 +0100] Vigor11 cshttpd[17916]: General Notice: Sun Java System Calendar Server 6 2004Q2 (built Apr 28 2004) cshttpd starting up
[13/Sep/2004:22:02:47 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd attempting to open Counters Database
[13/Sep/2004:22:02:47 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd successfully opened the Counters Database
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: HTTP Module is refreshing
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd is refreshing
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd is refreshed
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: HTTP Module has refreshed
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd: argc=3 argv[0]=/opt/SUNWics5/cal/lib/cshttpd
[13/Sep/2004:22:02:48 +0100] Vigor11 cshttpd[17916]: General Notice: session_init: attempting to open session database for cshttpd
[13/Sep/2004:22:02:49 +0100] Vigor11 cshttpd[17916]: General Notice: session_init: session database open completed for cshttpd
[13/Sep/2004:22:02:49 +0100] Vigor11 cshttpd[17916]: Store Critical: Error checking session database: DB->set_alloc: method not permitted in shared environment
[13/Sep/2004:22:02:49 +0100] Vigor11 cshttpd[17916]: General Notice: LdapCacheInit: Ldap Cache not enabled.
[13/Sep/2004:22:02:49 +0100] Vigor11 cshttpd[17916]: General Notice: cshttpd_parse_commandline: successfully bind process 17916 to processor 0
[13/Sep/2004:22:02:49 +0100] Vigor11 cshttpd[17916]: General Critical: Fatal error 78: Cannot connect to User Group LDAP Server
Have any body seen this before.
Regards

The server was running fine for few months until i restarted the calendar server. i started to see the same error and the problem was the machine name got changed at some point.
I added the old hostname to the /etc/hosts file and restarted the calender server and it started to work fine.

Can't start server -- Fatal error: Cannot connect to user group ldap server

After installing iCS 2.1, iCS 2.1p1, and iCS 2.1p3, a user will receive the
following error message when trying to start the server:

Fatal error: Cannot connect to user group ldap server.

In addition, the Directory Server access logs will contain the following
entry:

-0400] conn=125 op=1 SRCH base="dc=ldgw-llc,dc=com" scope=2
filter="(objectclass=People)"
In the server.conf file,
check the local.enduseradmindn
parameter. The parameter
should appear as follows:

uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

If the parameter contains
"calmaster" or any user
other than "admin,"
change it to match the line above.

Hi,
I am getting the same error, kindly let me know how did you solved this problem
Thanks
Ahmad

LDAP user and group configuration in ADF application

Hi All,
I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
However not added any user in jazn-data.xml. Which i guess not required because it will picked from LDAP.
Now how to configure the JDeveloper to use those users ? What changes need to make in jazn-data.xml ? or in jps-config.xml / web.xml/ weblogic-application.xml
Am i missing nay configuration step. i have referred ADF Security set up - step by step tutorial - quick question but not found useful
I am using JDeveloper 11.1.1.5.
Thanking you all in advance.
Mukesh.

I have below changes in files
1] In jps-config.xml
-- Added identity store and selected it from drop down in Security Context tab.
2] In weblogic-application.xml
In Security tab --> Role assignment mapped valid-users to principle name.
<security>
<realm-name>myrealm</realm-name>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>DERDev</principal-name>
</security-role-assignment>
</security>
3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
4] Added security role "DERDev" along with the default/automatically added role "valid users"
<security-role>
<role-name>DERDev</role-name>
</security-role>
Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
Mukesh

Configure Groups to LDAP Users

Hi,
We have configured LDAP for authentication of users. We would like to associate set of users to groups.
Can we create custom groups and associate LDAP users to those groups in Weblogic server ?
Or is it the only way we need to create groups in LDAP and associate users to those groups?
Thanks,
Satya

Satya, if u have a user in ur LDAP, you cant make a user from ur LDAP be a member of a Group in WLS.
What you can do it modify the Global Roles so that the user has the same previledge as a user belonging to the group in WLS.
Follow the steps below
1. Go to "myrealm"
2. Click the tab "Roles and Policies"
3. Click the tab "Realm Roles"
4. Expand the link "Global Roles"
5. Click the link "View Role Conditions" coressponding to the name "Admin". Enter the panel "Edit Global Role"
6. Click the button "Add Conditions"
7. Select "Predicate List" as "user"
8. Click the button "Next"
9. Enter my username (ldapuser) in LDAP to the field "User Argument Name:"
10. Click the button "Add"
11. Click the button "Finish"
12. Back to the page "Edit Global Role"
13. Here I can see
User :ldapuser
Or
Group : Administrators
14. Click the button "Save"
15. Restart the server
ldapuser will have the same previledge as a user belonging to Administrator group..

Problem with Afaria and LDAP user authentication in Android device

Hi all,
I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
I follow the next steps:
1-Create a new tenant
2- Configure LDAP integration
3-Create a inventory policy with authentication required
4-Create a static group associated to the inventory policy
5-Create a enrolment policy associated to the static group.
When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
I have seen the log and seem the problem is that Afaria can't authenticate this user.
I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
Could you please help to solve this problem?
Thanks in advance.

Hi all,
I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
I follow the next steps:
1-Create a new tenant
2- Configure LDAP integration
3-Create a inventory policy with authentication required
4-Create a static group associated to the inventory policy
5-Create a enrolment policy associated to the static group.
When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
I have seen the log and seem the problem is that Afaria can't authenticate this user.
I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
Could you please help to solve this problem?
Thanks in advance.

Assigning roles to LDAP users through BIP API

Hi.
My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
Is it possible to make that assignments through BIP API?
If not, any other ideas? New ideas or different approaches are welcome.
Thanks in advance.

In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
Let me know if that helps.

LDAP user group

Similar Messages

Maybe you are looking for