Linux authentication against OID ldap

Hi,
How to use OID as an authentication server for linux users. So when a users logs on the linux machine get's his information from the OID /ldap server?
What are the step to do this?
Regards

This link should help:
http://www.oracle.com/technology/products/oid/pdf/unix_pam_oid_wp.pdf

Similar Messages

Authentication against both LDAP and BI repository

I have a lot of user who are authenticated against LDAP. I need add few users who aren't exist in LDAP. I can create user in BI repository and if this user is in an Administrator group he is able to log in. But if this user isn't in an Administrator group he get error "Succesfull execution of intitializtion block LDAP is required". Is there any way how to authenticate users agains both LDAP and BI repository?

Hi,
why dont you create a group in ldap and add the correspondng users to that group.
You can configure the LDAP server with that group and try...
Hope it works...
Regards
Venkat

Authentication against a LDAP

All,
We have a requirement where in we want to validate a user against the LDAP of our organisation.
We wil like to build a simple JSP page.
Questions that come to my mind is
1> Can we create a Portal application that wil not ask for a Portal authentication and directly point to the JSP stored in a web application or a portal application?
2> How complex is it to validate a user gainst an LDAP?
3> After successful validation we will like the aplication to trigger an RFC is this possible?
Thanks and Regards
Pradeep Bhojak

Pradeep,
you have to create your own LogonModule to achieve your requirements (not only a jsp page). But on the other hand, why don't you configure your Portal UME to the LDAP anyway?
kr, achim

Cisco ACS 5.2 authentication against multiple LDAP servers

Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?

Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

OpenLdap with ldap backend... / Authentication against another ldap

Hey everybody,
i'm trying to setup my OD that i can redirect the authentication of the user to a second ldap...
The second ldap-server is ssl secured. I had a solution under debian. and so i'm looking for the moduleload and modulpath or olcModuleLoad olcModulePath for Mac OS X 10.5.
But i can't find a place where i can activate modules.. i even can't find the modules... (In a default config file i found this):
16 # Load dynamic backend modules:
17 # modulepath /usr/libexec/openldap
18 # moduleload back_bdb.la
19 # moduleload back_ldap.la
20 # moduleload back_ldbm.la
21 # moduleload back_passwd.la
22 # moduleload back_shell.la
(in /etc/openldap/slapd.conf.default)
but the modules doesn't exist...
Can anyone help me how i can activate the ldap-backend in the mac osx 10.5?
my debian config looks like this: (/etc/ldap/slapd.conf)
30 moduleload back_ldap
150 database ldap
151 suffix MYSEARCHSUFFIX
152 uri ldaps://server:port
153 rebind-as-user yes
What I mean/what i want to know is how to load the modules in openldap and where can i find them?
I hope you can understand what i mean.... My english isn't the best
Thanks for help
greetings

Sun Java System Web Server 7.0 was tested with Sun's Directory Server and MSAD. For MSAD, you need to add extra settings refer blog "Using Web Server 7 with Microsoft Active Directory"
http://blogs.sun.com/jyrivirkki/entry/using_web_server_7_with
Can you run the server with log level "finest" and see errro logs also see whether Web Server is trying to connect to your directory server and try to find out what the problem is.

User authentication against LDAP - Non-AD

Hi,
We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
ldapAuthentication.enabled = true
ldapAuthentication.tryNextProviderIfNoAuthenticated = true
ldapAuthentication.stopIfCommunicationError = true
ldapAuthentication.url=ldap\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.securityPrincipal=CN=Directory Manager
ldapAuthentication.securityCredential.encrypted=password
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
Still I am getting while I try to login to OIA as an OUD user:
WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
Please help

Hi Jcorker,
According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
If you have any feedback on our support, please click
here.
Charlie Liao
TechNet Community Support

Authentication failing for APEX against OID when uppercase used in password

We are using Application Express 3.1. I am authenticating against OID 10.1.2.2 and noticed some users were having problems
logging into APEX. They are getting "Invalid Login Credentials". I eventually workout it was when they were authenticating using a password
having a uppercase character ... "Blackhawk" is one example. We authenticate discoverer using OID and do not have the same problem.
Has anyone else encounter this problem please ?
Cheers Rod
The Function I use is shown below:
DECLARE
V_TEST BOOLEAN;
V_EXIST NUMBER ;
BEGIN
SELECT COUNT(*) INTO V_EXIST FROM BE_MANAGERS
WHERE MANAGER_CSO_CODE = :APP_USER
AND FINANCIAL_YEAR_ID = BE_BUDGETS_APEX_PKG.CURRENT_FINANCIAL_YEAR ;
IF V_EXIST = 0 THEN
HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION') );
END IF ;
V_TEST := HTMLDB_LDAP.IS_MEMBER
( p_username => :APP_USER, p_pass => NULL
, p_auth_base => 'cn=Users,dc=planforlife'
, p_host => 'oraapp01'
, p_port => '389'
, p_group => 'OID-PilotUsers'
, p_group_base => 'cn=vaultgroups,cn=Groups,dc=planforlife');
IF V_TEST = FALSE THEN
HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION') );
END IF;
EXCEPTION
WHEN OTHERS THEN
HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION') );
END;

Rod:
Are you sure it is not the 'username' which is causing the issue ? If it is the username then to preserve the case in which the username is entered you will need to set the ' p_preserve_case' parameter to true in the call to APEX_CUSTOM_AUTH.LOGIN . This API is invoked in the application's login page as an after-submit page process.
Varad

Error in OID ldap integration

I'm trying to integrate Portal and OID authentication.
I followed all the documentation in conf_ldap.pdf but I get the error:Unexpected errors (WWC-41400).
Both the tnsping exproc_connection_data
and lsnrctl status give the right result as stated in the document.
So I've tryed to launch from portal30_sso user this command:
select WWSSO_AUTH_EXTERNAL.authenticate_user('portal30','portal30') from dual
and I get the error:
ORA-28576: lost RPC connection to external procedure agent
ORA-06512: at "PORTAL30_SSO.WWSSO_AUTH_EXTERNAL", line 281
ORA-06512: at line 1
Both tnsnames.ora and lisner.ora seems to be configures fine.
I'm using OID coming from Oracle 8.1.7.0 and OiAS 1.0.2.1 for NT on a win 2000 sp1,
Where is the problem?
Thank's in advance
Mauro
null

Here are some things to check:
I beleive that some of the newer versions of Portal have a user
called "portal309_sso" instead of "portal30_sso". My examples
below use portal30_sso". Use whatever user is appropriate for
your version of Portal.
If you have not yet installed OID (Oracle's LDAP server) none of
this will work. Make sure OID is installed and running. OID can
be installed in the same database that Portal uses.
All of the following sql command steps must be executed as
portal30_sso schema user, NOT portal30.
Examples for NT:
Copy the appropriate library file (ssoxldap.dll) used for the
LDAP API callouts from the $PORTAL_HOME/portal30/admin/plsql/sso
directory of the product installation into the appropriate place
on the Login Server machine:
Examples for NT copy:
F:\>copy \PORTAL_HOME\portal30\admin\plsql\sso\ssoxldap.dll
ORACLE_HOME\bin
F:\>sqlplus portal30_sso/portal30_sso create or replace library
auth_ext as F:\Oracle\Ora8db\bin\ssoxldap.dll';
Notice that you must type a forward slash on a line by itself
after you execute the command.
Make sure that your network connectivity is working.
Make sure you have at least 1 service handler for PLSExtProc:
Example:
F:\>set ORACLE_HOME=F:\Oracle\Ora8db
F:\>lsnrctl status
PLSExtProc has 1 service handler(s)
Make sure you can tnsping extproc_connection_data.
Example:
F:\>tnsping extproc_connection_data
Attempting to contact (ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0))
OK (80 msec)
F:\>
If either of these two network connectivity checks fail nothing
else will work.
Next make sure you enter the correct information for the
ssoldap.sql script. One small typing error will cause the problem
you had. In the example below there are a couple of common
mistakes people make. Make sure you type the full Search base.
The value for the search base should be "cn=Login Server
(portal30_sso)". Don't forget the cn= and be sure to put in the
spaces and capitol letters where you see them. In the "Bind DN"
make sure you dont forget to put in the "cn=" in front of the
"orcladmin".
Example:
sqlplus portal30_sso/portal30_sso
@\oracle\isuites9i\portal30\admin\plsql\sso\ssoldap
Host: 144.25.95.92
Port: 389
Search Base: cn=Login Server (portal30_sso)
Unique Attribute: cn
Bind DN: cn=orcladmin
Bind Password: welcome
Note: If you have already changed the password for cn=orcladmin
in the OID LDAP server you must use that password instead of
"welcome" for the "Bind Password:".
Creating the users.ldif file for migrating existing users in the
portal30 database schema.
sqlplus portal30_sso/portal30_sso
@f:\oracle\isuites9i\portal30\admin\plsql\sso\ssoldif
Generating 'users.ldif' file for existing Portal users.
Enter the desired file location.
F:\oracle\admin\oiddb2\udump
NOTE: The file location must be specified in the appropriate
parameter in the init.ora file.
Example (you should see a line like this in the init.ora file):
UTL_FILE_DIR = F:\Oracle\admin\oid2111\udump
This line specifies where to dump data the you want to migrate.
If this line was not present in the init.ora file before you
started your database you will have to restart the database for
this step to succeed.
Using the file that was created in the last step (users.ldif),
add the entries to the LDAP directory. This example uses Oracle
Internet Directory's ldapadd command line utility:
Note. The following command is one long line. If you have already
done this next step before you may want to go into OID and delete
the existing data that is already in OID. Use the ODM (Oracle
Directory Manager) tool to do this. Under "Entry management" make
sure you delete any entries that you may have already created. If
the directory entries already exist you will get an error when
you run the next command indicating that the entries already
exist. Because any previous entries you may have created may not
be good those entries should be deleted.
ldapadd -h 144.25.95.92 -p 389 D cn=orcladmin -w welcome f
f:\oracle\admin\oiddb2\udump\users.ldif
Once these users are successfully added, you are ready to log
into the Portal through the Login Server, authenticating against
this LDAP directory.
Make sure you login as a valid user that is under the "cn=Login
Server (portal30_sso)" directory of your LDAP server.
Example:
Open your browser and go to the URL:
http://ip_or_hostname:80/pls/portal30
Click on the Login link
Login as portal30_sso/portal30_sso
Note: Assuming portal30_sso is a valid user in the LDAP server. I
beleive that some of the newer versions of Portal have a user
called "portal309_sso" instead of "portal30_sso".
Hope this helps.
Jay

[ SOLVED] Authentication against two openldap servers.

Hi everyone.
Here is the deal. I have two openldap servers, used for user authentication (master and slave). I have all the clients to be able to authenticate users against the master openldap server, and that is working fine. I want to make them to be able to authenticate against the slave server, if the master is down for any reasons. Is there a way to configure the clients, and is that the way to manage this, or I have to use another software as heartbeat or something like heartbeat.
Regards.
PS: Sorry. I found it. It is written in the /etc/ldap.conf file. If you want authentication against several ldap servers, you have to specify them in the 'uri' row, separated by spaces.
Last edited by Gruntz (2009-03-10 08:57:31)

Hi,
Is there a possibility to configure somewhere an external LDAP just for authentication purposes (possibly PKI), leaving everything else in OID?
Yes, in our project we are using a third party LDAP server for authentication, whereas the rest of the user information is stored in the OID. I don't know the details about the implementation but we used DIP (Directory Integration Platform) to create and register a plugin. The plugin replaces the default 'ldapcompare' method that the SSO uses with our own method that makes a call to a third party ldap. Our code was written in PL/SQL and used the DBMS_LDAP package.
You should be able to find more info from OID developers guide. http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a95193.pdf
Good luck!
/Rikard

Authenticating & Authorising using OID (LDAP)

Has anyone successfully used OID to manage authentication & authorisation?

<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR>Originally posted by Norbert Monfort ([email protected]):
I need to have OC4J authenticate to an LDAP directory (Netscape's iPlanet). Where did you find how to write your custom UserManager? I haven't been able to find specs on how to write mine.
Thanks!<HR></BLOCKQUOTE>
There aren't any specs per se on how to write this - however, go to www.orionsupport.com and check out the user manager information (in several articles) and use this to figure out the functions you need to write (use the javax.naming.directory package to write the functions against the LDAP.) I wrote just a basic authentication against Active Directory (the user type name/password which authenticates or it doesn't) - no add user stuff - which works well for our purposes.
Cheers
Ray
null

Authenticating against both RDBMS and LDAP in WL6.0

Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt

We are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_uersID or int_userID.
Doing this will allow you to filter the where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hopes this helps.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
"Jonathan Thompson" <[email protected]> wrote in message
news:3accf1a3$[email protected]..
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate viaLDAP;
for external users we would like to use RDBMS. In WL5.1, this looked tobe
possible with the DelegatingRealm, however this has been removed in WL6.0.
>
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
[att1.html]

Oracle Database Authentication against Microsoft Active Directory

Hello
Does anyone know if it is possible or can point me in the right direction of some documentation that discuss Oracle database user authentication against and Enterprise Directory Service, in my cases MS AD?
My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Window clients. I would like to know if there is a way to autheticate users from Windows to the database using LDAP based (AD) authentication. In oters words how do I configure authentication to be done for "identified globally accounts"? I know that the identified by globally accounts require the use of the CN which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
So my questions are
1. Is it possible to authenticate users against AD without the implementation of OID?
2. Is there documentation someone has or can point me to that outlines the required steps?
3. Anything I should know?
I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
Thanks.

Sure, two methods to auth from Oracle DB to MSAD:
OID and OVD
I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD)http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
And this would be what the EUS config should look like:
http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
If you've done everything in the first doc...
Hope this answers your questions.

External authentication with OID

I know that OID 10g is capable of performing external authentication against AD, Sun OneDirectory, Novell eDirectory and openLDAP, but what about something else like Oracle Virtual Directory?
As I understand, there is an out of the box script that will create and external authentication plugin that calls a few procedures from the auth_external package. The auth_external package also an out-of-the-box package with a few procedures (authenticate_user and change_passwd) I've seen so far. I haven't looked in the ODS schema, but I'm assuming this auth_external package is wrapped and not generally viewable.
Anyone out there have any ideas, how this auth_external package works, or better yet... does anyone know if the out-of-the-box solution for external authentication will work with any LDAP directory (in this case a virtual one)?
Thanks.

Can someone from Oracle please comment on this? is "AUTH_EXTERNAL" package "out of box" or do we have to write it?
I am following instructions from
http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_cust_ext_auth.htm
LINE/COL ERROR
143/9 PL/SQL: Statement ignored
143/19 PLS-00201: identifier 'AUTH_EXTERNAL.AUTHENTICATE_USER' must be
declared
241/11 PL/SQL: Statement ignored
241/11 PLS-00201: identifier 'AUTH_EXTERNAL.CHANGE_PASSWD' must be
declared
251/11 PL/SQL: Statement ignored
251/11 PLS-00201: identifier 'AUTH_EXTERNAL.RESET_PASSWD' must be
declared
LINE/COL ERROR
-------- -----------------------------------------------------------------

Windows users authenticating in OID in Unix

Hi !!!
I am newbie with LDAP and OID, so If anyone can help me...
I have a Computer Associates Aplication which authenticate users against LDAP server but this application is installed in a Windows 2003 Server.
This application already query OID sucessfuly, because this application simply point to OID server through it´s configuration.
My problem is for authenticate users against OID because in Computer Associates Application does not have any configuration to tell authentication server.
What I must configure to tell the Computer Associates Application, or Windows 2003 server to authenticate the users in OID instead locally??

Hi !!!
I am newbie with LDAP and OID, so If anyone can help me...
I have a Computer Associates Aplication which authenticate users against LDAP server but this application is installed in a Windows 2003 Server.
This application already query OID sucessfuly, because this application simply point to OID server through it´s configuration.
My problem is for authenticate users against OID because in Computer Associates Application does not have any configuration to tell authentication server.
What I must configure to tell the Computer Associates Application, or Windows 2003 server to authenticate the users in OID instead locally??

OC4J 9.0.4.0.1 doesn't connect to OID LDAP

I'm trying to have an application using basic authentication with JAZN LDAP (the LDAP is an OID in an Oracle 9iAS 9.0.2 Infrastructure) for authentication/authorization but without any success. The same application works fine on OC4J 9.0.3 and 9.0.2.
I get no errors or exceptions, simply I don't get authenticated.
Sniffing TCP traffic I noticed that OC4J 9.0.4.0.1 doesn't contact OID(LDAP) server at all.
The documentation says it should work, but my suspect is this standalone OC4J version doesn't really support JAZN with LDAP.
My jazn.xml is like this:
<jazn provider="LDAP" location="ldap://myserver:4032">
<property name="ldap.user" value="cn=orcladmin"/>
<property name="ldap.password" value="{903}encryptedpassword"/>
</jazn>
Luciano

FYI:
If you take a look at Oracle AS v 9.0.3 standalone in the /j2ee/home directory, you notice an ldap.jar that is no longer present in the 9.0.4 product, in addition to the fact that the jazn.jar file in the 9.0.4 product is about half the size of the prior release.
It seems as if they moved this LDAP functionality into other more OS-dependent libraries. In 10g Enterprise, it appears as if OPMN somehow controls LDAP.
I've read that it's somehow possible to get LDAP working in standalone, but it's not published because it's too complicated to explain.
I personally think this is rediculous. It's waaaayyyy too much trouble to install developer workstations with 10g enterprise -- esp. since it doesn't even do windows -- and the linux version is very picky and troublesome to install.
So we are left we a very crappy development environment.
Thanks Oracle.

Linux authentication against OID ldap

Similar Messages

Maybe you are looking for