Loading LDAP groups into WLS JAAS Subject

Similar Messages

• DIP fails loading dynamic groups into OID

  Hello,
  we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that was loaded earlier as follows:
  personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
  orcltimezone=Asia/Yekaterinburg
  displayname=NOT ASCII
  employeetype=NOT ASCII
  givenname=NOT ASCII
  postalcode=628484
  orcldateofbirth=19610404000000
  orclgender=F
  departmentnumber=342
  uid=18630
  mail=HRNULL
  cn=NOT ASCII
  initials=NOT ASCII
  street=NOT ASCII
  employeenumber=4824
  middlename=NOT ASCII
  l=NOT ASCII
  orclhiredate=20051107000000
  sn=NOT ASCII
  personid=18630
  c=Russia
  title=NOT ASCII
  objectclass=inetorgperson
  objectclass=person
  objectclass=organizationalperson
  objectclass=orcluserv2
  objectclass=kapitalperson
  objectclass=country
  objectclass=residentialperson
  objectclass=locality
  objectclass=top
  Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
  Now trying to load list of departments as dynamic groups with the following config
  files:
  *** DevHRAgentGroups.cfg ***
  [SELECT]
  SELECT psv.version_number
  , pos.name hierarchyname
  , hou.organization_id depno
  , poe.organization_id_parent parent_id
  , REPLACE(hou2.name, '"') parentname
  , poe.organization_id_child child_id
  , REPLACE(hou.name, '"') orgname
  , ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(depar
  tmentnumber='||hou.organization_id||')' ldapuri
  , hrl.meaning org_type
  FROM per_organization_structures pos
  , per_org_structure_versions psv
  , per_org_structure_elements poe
  , hr_all_organization_units hou
  , hr_all_organization_units hou2
  , hr_lookups hrl
  WHERE pos.business_group_id = psv.business_group_id
  AND pos.organization_structure_id = psv.organization_structure_id
  AND pos.primary_structure_flag = 'Y'
  AND psv.date_to IS NULL
  AND poe.org_structure_version_id = psv.org_structure_version_id
  AND poe.business_group_id = hou.business_group_id
  AND poe.organization_id_child = hou.organization_id
  AND poe.business_group_id = hou2.business_group_id
  AND poe.organization_id_parent = hou2.organization_id
  AND hrl.lookup_code = hou.type
  AND hrl.enabled_flag = 'Y'
  AND hrl.lookup_type = 'ORG_TYPE'
  AND hrl.lookup_code NOT IN (30,40)
  AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
  AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
  *** DevHRAgentGroups.map ***
  DomainRules
  NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
  AttributeRules
  orgname:1: : :cn: :groupOfUniqueNames
  depno:1: : :departmentID: :kapitalDepartment
  ldapuri: : : :labeledURI: :orclDynamicGroup
  We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
  Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
  Changetype is 5
  Processing modifyRadd Operation ..
  Entry Not Found. Converting to an ADD op..
  Processing Insert Operation ..
  Performing createEntry..
  Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=
  hrsyncgroups,cn=groups,dc=ic,dc=lan'
  [LDAP: error code 1 - Dynamic group cache update failed.]
  javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=i
  c,dc=lan'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
  DIP_LDAPWRITER_ERROR_CREATE
  Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  Please, note. Loading is successful if we commenting out mapping line for labeledURI attribute (that's loading static groups).
  Loading is also successful when labeledURI is mapped to
  'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objec
  tclass=person)' but this definetly is not what we are going to get.
  I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
  ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
  Any help is appreciated
  Thanks,
  Edward

  Hi Frank,
  there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  I think this is probably the cause of failing creation of dynamic groups.
  Searching on other user attributes (cn, uid, employyenumber) works fine.
  Still don't understand what's wrong with this particular attribute.

• Security - using LDAP groups

  I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
  to recogniz groups. Here is my weblogic-ejb-jar.xml
  <security-role-assignment>
  <role-name>channel-role</role-name>
  <principal-name>system</principal-name>
  <principal-name>mygroup</principal-name>
  <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
  </security-role-assignment>
  It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
  When I pass the credentials from the client of a uniquemember, WLS generates a
  security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
  either.
  Any suggestions?
  Thanks
  -Surya

  Yes, It has impact. You create groups in the Repository & Answers and assign the object level permissions.
  You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
  For dashboard A - For group Executive - User X - You have given full access.
  Now you have changed the Group name to AD_Executive. When You Login variable values would be
  User - X
  Group - Ad_Executive
  Dashboard A - No permissions.
  If you have a scenario of changing the group names then get Groups from database using Init block after authorization.

• Provision a user into an LDAP Group/Organisation

  Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
  For example I want to allow an existing user;
  uid=User1,ou=Users,o=mycompany
  to access a resource protected by LDAP Group;
  cn=AppGroup1,ou=Groups,o=mycompany
  this group would be mapped to an Application or Business Role within Identity Manager.
  Is this possible?

  If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
  Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

• Cannot import LDAP group through Import Wizard.

  Hello,
  We have a issue where we are unable to import Ldap group if we use cluster name while logging into Import Wizard.
  we are able to import the LDAP users/groups if we use the primary CMS name while logging into Import Wizard
  Is this a known issue in XI R2 SP 3 or are we missing out something?
  Please help!!!
  Thanks...

  I'm really surprised the import wizard even works with a clustername. Considering it's design is to migrate from 1 CMS to another it should require a CMS name and not a clustername. I don't think using clusternames was ever part of its design. It's even more bizarre that a clustername would conflict with LDAP. SP3 had several other LDAP bugs that are fixed in SP4 but other than that I'm not sure. What's the issue with using just 1 CMS name. This should be desirable so you can control which CMS gets the added load from the IW, otherwise it would just randomly select one.
  Regards,
  Tim

• Retrieve nested LDAP groups independent from the network env. (five different approaches)

  Hi all,
  I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
  * The script/program must run in different network environments (I can't be sure if there is a global catelog or AD DS or AD LDS, etc). I will write my own program.
  * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
  the directory ACL's.
  * It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
  Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
  1) tokengroups attribute:
  - The attribute contains Univeral groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
  - Returns a list of SIDs which will have to be translated to group names
  - The tokenGroups attribute exists on both AD DS and AD LDS
  - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
  - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
  - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
  2) tokenGroupsGlobalAndUniversal
  - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
  - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
  - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
  sure if this is correct, I think it doesn't contain local groups.
  - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
  3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
  - Use a recursive search query which returns all nested groups for user at once.
  - Returns all groups except for the primary group
  - It's a fast approach, see performance test from Richard Mueller:
  http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
  - It only works on Active Directory, not for other LDAP implementations
  4) Recursive retrieval of the memberOf attribute
  - Retrieves all groups except the primary group. (also local groups from other domains??)
  - works for all LDAP implementations
  - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
  5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
  - No heavy load to the LDAP
  - Needs space to store the user/group info locally (embedded Derby database perhaps)
  - Performs fast since the queries are executed locally
  - Works for all LDAP implementations
  My thoughts on these different approaches:
  * appreach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
  * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
  * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
  * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
  * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, databse id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
  loops are done locally. It will work for all LDAP implementations.
  What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
  LDAP host/port and bind user to connect to LDAP).
  Thanks a lot!
  Paul

  I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
  effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
  nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
  But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
  LDAP.
  Again - note that this question has nothing to do with LDAP or AD.  It just asks what group has permissions on what resources.
  I really think you would do well to spend time understanding the NTFS and its security along with how we sue security in Windows.  By assuming this has something to do with AD you are making it a bigger issue than needed.  AD is a repository for
  accounts and trusts and manages authentication and security group membership.  All file security is managed by the OS that hosts the files and not by AD.  Users are not normally granted access to resources through direct inclusion in the DACL but
  are given access through membership in one or more groups.  Loading AD into a SQLL database will not help you.
  ¯\_(ツ)_/¯

• Novell LDAP Group - Role

  Hi,
  I have created a Novell LDAP Group. In my realm I have now two authentication
  providers: default and novell, both optional. If I authenticate my user which
  is stored in the novell ldap the user is correctly authenticated (request.getRemoteUser()
  != null), although the log says user denied (no matter if the user is in the embedded
  ldap or the novell, but maybe the other one always complains). (novell user gets
  rejected if password is wrong)
  For a novell group i create a role with the condition: caller is a member of the
  group"novell group" this seems not to work. with request.isUserInRole("novell
  group") i get "false" !!
  any ideas??
  regards
  tobias

  found my mistake. i created a role in the weblogic console which i also have defined
  in the web.xml. then i also need to assign this role to the principal (my group)
  in the weblogic.xml.
  if i have a role not defined in the web.xml the request.isUserInRole(<RoleName>)
  works fine, but not in the above described case without assignment in the weblogic.xml.
  "Tobias Voigt" <[email protected]> wrote:
  >
  Actually groups are also configured correctly as it seems for me. On
  the group
  page, the ldap group is also listed (in the provider column it says NovellAuthenticator).
  Also if i look at the output of weblogic.security.Security.getCurrentSubject()
  the LDAP group is also listed as a Principal.
  weblogic.security.SubjectUtils.isUserInGroup(<Subject>,<LDAPGroup>) says
  true.
  but request.isUserInRole(<Role for Members in LDAPGroup>) says false.
  (Btw: Weblogic 8.1 sp1)
  "tm" <no-reply> wrote:
  Hi Tobias,
  It sounds like you can successfully use users
  in your Novell LDAP server but you cannot
  successfully use groups from the LDAP server.
  (ie. when you login, it's finding the user, but it
  isn't finding the user's groups thus the role isn't working).
  I'm assuming that you have configured a NovellAuthenticator.
  You must configure the NovellAuthenticator to tell
  how groups are stored in your Novell LDAP server
  (ie. tell it about the group schema). If this is not
  correctly configured, then groups won't work.
  See http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
  for more information on configuring group schemas for LDAP authentication
  providers.
  -tm
  "Tobias Voigt" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I have created a Novell LDAP Group. In my realm I have now twoauthentication
  providers: default and novell, both optional. If I authenticate myuser
  which
  is stored in the novell ldap the user is correctly authenticated(request.getRemoteUser()
  != null), although the log says user denied (no matter if the useris in
  the embedded
  ldap or the novell, but maybe the other one always complains). (novelluser gets
  rejected if password is wrong)
  For a novell group i create a role with the condition: caller is amember
  of the
  group"novell group" this seems not to work. withrequest.isUserInRole("novell
  group") i get "false" !!
  any ideas??
  regards
  tobias

• Mapping LDAP Groups to SAP Roles

  Hi there,
  i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
  My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
  In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
  In Web AS ABAP it seems impossible to assign roles to groups.
  <b>The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?</b>
  Or is there another way to administrate users in different systems?
  Thanks alot for your answers,
  stefan

  Hi
  in this case u have to use the concept of central user administration. use the following links
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
  hope this helps u to get fair bit of idea
  don,t forget to give points
  With regards
  subrato kundu

• Load AS2 swf into AS3 swf problem

  I have a flash with AS3 and inside this swf i load in a AS2 swf.
  to load swf works just fine, but the problem is when i load this i want to go to
  a specific part of it, for example i want to go to frame 3 in the loaded swf.
  i must control this from the AS3 swf, does someone know if this is possible?
  thanks in advance

  so can i do like this then to go to frame 3 in my loaded swf?
  MovieClip(ldr.content).gotoAndStop(3); ?
  sorry for being such an airhead
  thanks for helping me out =)
  Date: Sun, 7 Jun 2009 10:25:09 -0600
  From: [email protected]
  To: [email protected]
  Subject: load AS2 swf into AS3 swf problem
  no.
  if, in your loaded swf, you have a function f1() on the loaded swf's main timeline and you load that swf using a loader (say ldr), use:
  MovieClip(ldr.content).f1();   // to call f1() in the loaded swf
  >

• LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

  I have 2 questions and these are very urgent :-
  1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
  2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
  contractactors and employess. How do I map LDAP group contractors to weblogic security
  Role contractors? Similarly for employees ?
  2. I have not defined contarctors and employeees under People container in IPlanet.
  e.g. The RDN for contractor is
  uid=1234,ou=dir,dc=orams,dc=com
  Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
  under People ) OR I have to write my own custom code ?
  3. I am planning to use Roles insetad of groups to manage the logical grouping in
  iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
  parameters ?)
  This is very urgent ....so if any of you can throw any hints that will be greatly
  appreciated.
  --Sunita

  Hi Ariel,
  The driver is bundled with the product in WLS 6.1sp1. you don't have to
  download any additional driver. Use it as you normally would only thing to
  remember is if you are trying to write standalone java code then you have to
  have weblogic.jar in your classpath. For the rest of the info follow the wls
  docs for 6.1
  HTH
  sree
  "Ariel" <[email protected]> wrote in message
  news:3bb4a643$[email protected]..
  We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
  downloaded the JDriver from bea.com, but all the istructions that camewith
  it are for WLserver 5.1.
  What has to be done to do this with 6.1 sp1?
  Thanks,
  Ariel

• LDAP Groups Authorization

  Hi,
  I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
  I was successfull in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
  That works fine, But I would not like all users in my OID LDAP directory to log into my application- Which is why I have created a group for the user I want to include in my OID directory.
  Now at the " Builder->Application...->Security->Authorization Schemes->
  I have created an Authorization Scheme as "PL/SQL Function returing a booloean" .
  My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
  return wwv_flow_ldap.is_member
  (:APP_USER,
  null,
  'cn=users,dc=wellesley,dc=edu',
  'jadeland.wellesley.edu',
  '389',
  'wcd_HTMLDB',
  'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
  where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
  I have included 3 users in the group 'wcd_HTMLDB' .
  Still the login page allows all LDAP user ( and not just the 3 from the 'wcd_HTMLDB' group.
  Where did I go wrong -?
  What 's the proper way to authorise only LDAP users in a group ?
  Any help would be really appreciated.
  Thanks .

  Indira,
  The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
  When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
  When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather that once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
  Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
  Scott

• Cannot Add user to CMC Group when they are a member of LDAP group

  On PreProduction Server CMC
  Softerra LDAP browser used to verify user is a member of LDAP group
  User does not show as a member of that group in the CMC
  Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
  On Production Server CMC
  For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
  Why doesn't the groups in CMC show what is actually showing in the LDAP browser?

  Hi,
  Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
  Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
  If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
  Regards,
  Julian

• Ldap groups

  Hi,
  I have 5 roles and each role selection should provision user to a seperate ldap group + a default ldap group.
  How can i achieve that...
  dn: cn=group1,ou=people,o=domain,o=com
  + dn:cn=mail,ou=people,o=domain,o=com
  Where cn=mail is common for every role selection. I have a variable temp which generates group values based on role selection and i am mapping it in identity template. i think that will provision the user to one group. How can i provision the user to the default group.
  Any ideas?

  Hi,
  Here is one suggestion:
  Edit each the role using the admin pages under the Roles Tab, you will see
  a section called Assigned Resources, where you can set resource attribute values.
  Here you can override the ldapGroups attribute for your ldap resource.
  ldapGroups is a List, so you want to add a specific <s>cn=...</s>
  string to the existing ldapGroups list. This seems to work well and no xml editing required!
  The effect of this will be that different dns will get added to the ldapGroups
  variable, depending on which role gets assigned to the user.
  Does that make sense? hope this helps.
  As for the default dn (cn=mail...), you can either do it the same way (but call a rule rather that replicating the dn 5 times for each resource), or put that into the userform
  that gets invoked.
  I'm not sure if I explained this well enough, I hope this helps,
  John I

• Obtaining JAAS subject in a servlet.

  G'day,
  There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
  Subject s = Subject.getSubject(AccessController.getContext());
  Subject.doAs(s, new PrivilegedAction() {
    public Object run() {
      Subject s1 = Subject.getSubject(AccessController.getContext());
      AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
          Subject s2 = Subject.getSubject(AccessController.getContext());
          return null;
      return null;
  Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
  Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?
  Edit I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.
  --Geoff

  G'day,
  Thanks for the link to the JAAS login module section of the SAP Library documentation.
  I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.
  However, I did stumble upon an API that might be useful:
  Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
  if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
    com.sap.security.core.IEngineResourceHelper helper =
        (com.sap.security.core.IEngineResourceHelper) object;
    Subject subject = helper.getCurrentSubject();
  The class name InternalUMFactory suggests that this API may be undocumented or unstable.
  If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.
  If the servlet is not protected by a login module, then the subject returned is "Guest".
  If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propogated to the servlets running in that portal, but maybe my understanding is wrong.
  --Geoff

• Error on Linux 64 bit "Failed to load LDAP Library: libibmldap.so"

  Hi Experts,
  Currently i am testing out OBIEE 11g application on Linux (64bit). I am running into the following exception when i try to configure the LDAP authentication provider for authentication. The error message is "Failed to load LDAP Library: libibmldap.so" However i cannot be able to reproduce in this same issue on my windows environment. I am sure this is some lib issue on Linux 64bit. Please advice me in case if i miss out any configuration or in case if you know the work around to resolve this issue.
  Thank you
  Edited by: user10476276 on Oct 13, 2010 8:47 PM

  Hi Srikanth ,
  Iam stuck with the same above error configuring LDAP connectivity for OBIEE 11g and I get the same error . I tried following John's blog but I dont see the libibmldap file at all in our linux 64bit set up . Any ideas pls ...
  Thanks
  Karthik