Migration of EmbeddedLDAP to 3rd Party LDAP

Hi,
Is it possible to migrate the complete authentication process of EmbeddedLDAP
used by Weblogic 8.1 to any 3rd Party LDAP system ? Even the system user (default
user : weblogic created during the domain setup) authentication should happen
on a 3rd Party LDAP system. EmbeddedLDAP can at the most act as a bridge between
Weblogic 8.1 and 3rd Party LDAP system. Is there any solution to this problem?
Thanks in advance.
Mandar

I do not believe there are any restrictions on removing the default authenticator.
When you boot the server make sure the user/pass is valid in the 3rd party LDAP
and they have the proper admin/oper privileges to boot the server.
You might want to configure the server with two authenticators first to verify
you can successfully authenticate to the 3rd party LDAP before removing the default
authenticator.
-Craig
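The two-authenticator staging that Craig describes, as an added example (mine, not WebLogic's code and not from this thread): a Python model of how a JAAS-style provider chain evaluates the control flags REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL, with two constructed credential stores standing in for the embedded LDAP and the external directory. The provider names, users, passwords and the rule that the boot identity must be in the Administrators group are assumptions of the example. It shows why the default authenticator has to be relaxed from REQUIRED to SUFFICIENT while both providers coexist, why the user to test with is one that exists only in the external directory (a user present in the embedded LDAP never reaches the second provider), and a pre-flight check to run before the default authenticator is removed. The same flag semantics apply to the "LDAP provider placed last with flag SUFFICIENT" setup in the WebLogic JAAS thread further down this page.

```python
# Added example: a model of JAAS control-flag evaluation over an ordered
# provider chain. Not WebLogic code; provider names, users, passwords and the
# "boot identity must be in Administrators" rule are constructed assumptions.
from dataclasses import dataclass

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"
ADMIN_GROUP = "Administrators"  # assumed group the boot identity needs

# Constructed credential stores: user -> (password, groups).
EMBEDDED_LDAP = {
    "weblogic": ("boot-secret", {"Administrators"}),
    "legacyapp": ("legacy-pw", {"Deployers"}),
}
CORPORATE_LDAP = {
    "weblogic": ("boot-secret", {"Administrators"}),  # boot user pre-created in the 3rd party LDAP
    "mandar": ("mandar-pw", {"Deployers"}),           # exists only in the external directory
}


@dataclass
class Provider:
    name: str
    flag: str
    store: dict

    def login(self, user: str, password: str) -> bool:
        rec = self.store.get(user)
        return rec is not None and rec[0] == password

    def groups(self, user: str) -> set:
        return set(self.store.get(user, (None, set()))[1])


def authenticate(chain, user, password):
    """Evaluate the chain in order with JAAS control-flag semantics.

    Returns (overall_success, names_of_providers_whose_login_succeeded).
    REQUIRED / REQUISITE must succeed (REQUISITE aborts on failure);
    SUFFICIENT short-circuits on success unless a mandatory provider already
    failed; OPTIONAL never decides the outcome on its own.
    """
    succeeded = []
    mandatory_failed = False
    for p in chain:
        ok = p.login(user, password)
        if ok:
            succeeded.append(p.name)
        if p.flag in (REQUIRED, REQUISITE) and not ok:
            mandatory_failed = True
            if p.flag == REQUISITE:
                return False, succeeded
        elif p.flag == SUFFICIENT and ok and not mandatory_failed:
            return True, succeeded  # later providers are never consulted
    if mandatory_failed:
        return False, succeeded
    if any(p.flag in (REQUIRED, REQUISITE) for p in chain):
        return True, succeeded  # every mandatory provider passed
    return bool(succeeded), succeeded  # only SUFFICIENT/OPTIONAL: need at least one


def can_boot(chain, user, password):
    """Boot-identity check: the user authenticates and lands in the admin group."""
    ok, names = authenticate(chain, user, password)
    if not ok:
        return False
    by_name = {p.name: p for p in chain}
    groups = set().union(*(by_name[n].groups(user) for n in names))
    return ADMIN_GROUP in groups


def ready_to_remove_default(chain, boot_user, boot_password):
    """Pre-flight for the last step: would the server still boot with the
    DefaultAuthenticator gone? Evaluates the chain without it."""
    remaining = [p for p in chain if p.name != "DefaultAuthenticator"]
    return bool(remaining) and can_boot(remaining, boot_user, boot_password)


def staged_chains():
    default_required = Provider("DefaultAuthenticator", REQUIRED, EMBEDDED_LDAP)
    default_sufficient = Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP)
    external = Provider("ExternalLDAPAuthenticator", SUFFICIENT, CORPORATE_LDAP)
    return {
        # Mistake: default left at REQUIRED, so an LDAP-only user can never log in
        "both_default_required": [default_required, external],
        # Staging setup from the reply: both providers SUFFICIENT
        "both_default_sufficient": [default_sufficient, external],
        # Final state: default authenticator removed
        "external_only": [Provider("ExternalLDAPAuthenticator", REQUIRED, CORPORATE_LDAP)],
    }


if __name__ == "__main__":
    chains = staged_chains()
    for label, chain in chains.items():
        for user, pw in (("weblogic", "boot-secret"), ("mandar", "mandar-pw")):
            print(label, user, authenticate(chain, user, pw))
    print("safe to drop default:",
          ready_to_remove_default(chains["both_default_sufficient"], "weblogic", "boot-secret"))
```

Note that in the "both SUFFICIENT" stage a login for "weblogic" is satisfied by the embedded LDAP and returns before the external provider runs, so a successful console login as the boot user proves nothing about the external directory; the pre-flight deliberately evaluates the chain with the default authenticator taken out.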

Similar Messages

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    Log.xml log entry that confirms webtA is communicating successfully with AD.
    SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <!-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map to the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely the user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming the group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and the group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
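    An added example (mine, not the forum's or OC4J's code) of the group lookup the reply describes: given a user DN, a group search base and a group mapping attribute, collect the groups under that base that list the user as a member, then map the resulting names onto the J2EE logical roles from orion-web.xml. The directory entries are constructed from the DNs in the thread; the "member" attribute, the extra groups, and the DN normalisation are assumptions of the example. With the group search base the reply suggests, WEBTA_J2EE_USER resolves; with the base pointed at the users subtree instead, the lookup comes back empty, which is the "no matching role found" outcome in the log.

```python
# Added example of search-base scoped group lookup and role mapping.
# Not OC4J code; the directory entries and attribute names are constructed.
from typing import Dict, List, Set

USER_DN = "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
USER_SEARCH_BASE = "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
GROUP_SEARCH_BASE = "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

# Constructed directory: DN -> attributes. 'member' is assumed to be the
# membership attribute (Active Directory style).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["wmgraham"]},
    "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi": {
        "objectClass": ["group"], "cn": ["webta"], "member": [USER_DN]},
    # Same user, but this group sits outside the group search base
    "CN=Domain Users,OU=groups,OU=hq,DC=fbinet,DC=fbi": {
        "objectClass": ["group"], "cn": ["Domain Users"], "member": [USER_DN]},
    # Inside the base, but the user is not a member
    "cn=webta-admins,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi": {
        "objectClass": ["group"], "cn": ["webta-admins"], "member": []},
}

# orion-web.xml <security-role-mapping>: logical role -> group names
ROLE_MAPPING: Dict[str, Set[str]] = {"WEBTA_J2EE_USER": {"webta"}}


def norm_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so DNs compare.
    (Escaped commas inside RDN values are not handled; constructed data has none.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under(dn: str, base: str) -> bool:
    """True when dn is a strict descendant of base (subtree scope)."""
    return norm_dn(dn).endswith("," + norm_dn(base))


def groups_for_user(directory, user_dn, group_base,
                    member_attr="member", mapping_attr="cn") -> Set[str]:
    """Groups under group_base whose member_attr contains user_dn, named by mapping_attr."""
    target = norm_dn(user_dn)
    names: Set[str] = set()
    for dn, attrs in directory.items():
        if not dn_under(dn, group_base):
            continue  # outside the provider's group search base: invisible to it
        if any(norm_dn(m) == target for m in attrs.get(member_attr, [])):
            names.update(attrs.get(mapping_attr, []))
    return names


def resolve_roles(role_mapping, group_names) -> Set[str]:
    """Logical roles granted: any mapped group name matches a found group."""
    return {role for role, groups in role_mapping.items() if groups & group_names}


def roles_for(user_dn, group_base, directory=DIRECTORY, role_mapping=ROLE_MAPPING) -> Set[str]:
    """Full path: user must be within the user search base, then group lookup, then mapping."""
    if not dn_under(user_dn, USER_SEARCH_BASE):
        return set()
    return resolve_roles(role_mapping, groups_for_user(directory, user_dn, group_base))


if __name__ == "__main__":
    print(roles_for(USER_DN, GROUP_SEARCH_BASE))  # role resolves
    print(roles_for(USER_DN, USER_SEARCH_BASE))   # empty: group search base points at the users subtree
    print(groups_for_user(DIRECTORY, USER_DN, "dc=fbinet,dc=fbi"))
```

    Widening the group search base to the domain root makes every group the user belongs to visible, which is the quickest way to confirm the membership exists before narrowing the base back down; the role mapping itself only ever sees whatever the provider's search scope returns.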

  • Migration of Documents from 3rd party software to SAP DMS

    Dear Experts,
    We have implemented SAP DMS . Prior to DMS we were using Third party software for creating and storing the documents.
    There are about 3000 documents in the third party software; now the challenge is how we must migrate the DATA from the 3rd party software to SAP DMS, creating DIRs. Are there any upload programs that suffice for the requirement, does any development need to be done, or are there other possibilities?
    Kindly help me out in the above scenario.
    Regards
    jayanth

    Hi,
    from the DMS point of view I think that SXDA functionality could also be useful for this action. For further information on SXDA functions please see SAP note 817743.
    Best regards,
    Christoph

  • HT4837 3rd Party LDAP users in local groups aren't recognized by wiki

    Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, LDAP users placed into local groups cannot.  Is this a bug?
    To be more specific:
    - Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
    - Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
    - Local groups created in Server.app -- Accounts -> Groups
    - LDAP users placed into those local groups
    - Services like file sharing recognize proper permissions based on the groups the LDAP users are in
    - Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
    - Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login.  A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
    Any ideas before I submit this as a bug?

  • 3rd party LDAP JAZN configuration

    Hey,
    I've been struggling with the jazn configuration of a 3rd party LDAP (Sun One) server. I've followed the Oracle 10AS documentation on creating the <jazn-loginconfig> element and there is an example template for sun one in the Oracle 10 AS. What about the <jazn-policy> and <jazn-realm> elements? Are these necessary or are these just required when you are using just the XML file itself and not LDAP? What other files besides jazn-data.xml need to be modified?
    Thanks

    Ok, a bit of progress...
    I turned on jazn logging and got the following exception:
    05/09/19 16:05:02 JAAS: LoginConfigProvider: JAZNConfig=[JAZNConfig file:[bpel home]
    BPELPM_2/integration/orabpel/system/appserver/oc4j/j2ee/home/config/jazn.xml]
    05/09/19 16:05:02 JAAS: LoginConfigProvider=oracle.security.jazn.spi.xml.XMLLoginModuleManager@de5cd9
    05/09/19 16:05:02 No Login Module configured for application [deployed app name]. Using default Login Module, RealmLoginModule.
    05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules configured for oracle.security.jazn.oc4j.JAZNUserManager
    05/09/19 16:05:02 at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
    05/09/19 16:05:02 at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.getLoginContext(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser$1.run(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser.authenticate(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.FilterUser.authenticate(Unknown Source)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:614)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
    05/09/19 16:05:02 at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    05/09/19 16:05:02 at java.lang.Thread.run(Thread.java:534)
    05/09/19 16:05:02 Authentication: FAILED.
    05/09/19 16:05:02 JAAS-OC4J: Authentication failure for user: [username]
    05/09/19 16:05:02 No Login Module configured for application [app name] Using default Login Module, RealmLoginModule.
    05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules configured for oracle.security.jazn.oc4j.JAZNUserManager

  • Error using 10.1.3 Security Provider:3rd party LDAP or Custom Login Module

    Hello all,
    After deploying my JSF/ADF application using Jdeveloper 10.1.3 to Oracle Application Server 10.1.3, I used the Application Server control to change the 'Security Provider' configuration:
    1. Using 3rd Party LDAP Provider (Novell eDirectory)
    I get the following error when restarting the application with the new config.
    06/06/21 16:42:32 Error while configuring security provider MBean for application AccessList
    06/06/21 16:42:32 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/CustomLDAPSecurityProvider
    2. Using Custom Login Module (again programmatically talks to eDirectory and it works in UIX/10.1.2 application)
    I get the following error when restarting the application with the new config.
    06/06/21 14:31:19 Error while configuring security provider MBean for application AccessList
    06/06/21 14:31:19 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/LoginModuleSecurityProvider
    Also, I get this error with both the settings..
    06/06/21 14:31:19 WARNING: Application.setConfig Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
    Jun 21, 2006 2:31:19 PM com.evermind.server.Application setConfig
    WARNING: Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
    06/06/21 14:31:19 java.lang.InstantiationException
    06/06/21 14:31:19       at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
    06/06/21 14:31:19       at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
    java.lang.ClassNotFoundException error leads me to believe, I am just missing to include some libraries..
    I have included "bc4j.security" in my web project and I am not sure if that is what is needed!
    Will appreciate your help..
    Thanks,
    Karthik

    The problem i had with my Custom login module was that JDeveloper includes the datasources listed in the connection tab.
    When JDeveloper does that it writes the username and password in the jazn-data.xml. But with the Custom Login module the reference in the data-source declaration cannot find the password. That's why I got the InstantiationException at the initDataSources point.
    In tools>preferences>deployment you can uncheck the option:
    Bundle Default data-sources.xml During Deployment.
    The problem with this is that when I specify a datasource in the data-sources.xml I included myself, JDeveloper will also put the datasources under the Connections tab in the data-sources.xml.
    Does anyone know how to stop JDeveloper putting the datasources automatically in the file, or how to prevent JDeveloper storing the password in jazn-data.xml?

  • User can't see some OID entry from 3rd party ldap browser but OAM?

    Hi All,
    after I tried to apply access control to some OID entry, the user then can't see that entry from a 3rd party LDAP browser, and this is expected behavior, but why can the same user see that entry from the user management interface of OAM?
    Regards,
    Makson

    Hi Makson,
    OAM's Identity Server binds to OID as a single user* (typically an OID admin, even orcladmin) and applies only those acl's that have been defined within OAM. So when you login to OAM as end-user X, the Identity Server (eg orcladmin) checks to see what rights within OAM have been defined for User X - but in this scenario any rights defined within OID are not applied to user X. By default, OAM end-users have no access to information in ldap (although the OAM Admins have full access by default).
    Regards,
    Colin
    *Depending on how you are accessing OAM, you may see extra binds in the OID logs when the end-users actually login to OAM.

  • 3rd party LDAP security provider problem

    I'm having an issue that when I've deployed my j2ee application to Oracle AS 10g rel3 app server, the security-constraint I've configured in my web.xml file isn't being obeyed, or at least it doesn't appear to be.
    As part of the deployment process I've configured a 3rd party LDAP server as the security provider. As for mapping groups to roles, I've set it such that all users and groups should be mapped to the role AuthorisedUser - my intention is that for any protected URLs defined in the web.xml, the user should be redirected to a login page as defined in the web.xml file as well (I'm using FORM based authentication in the login-config) - but after they are logged in they will be assigned the role of AuthorisedUser.
    The following is being written to the orion-application.xml file
    <security-role-mapping name="AuthorisedUser" impliesAll="true" />
    What I'm observing is that users aren't being challenged when they hit a secured url-pattern. Is this as a result of the impliesAll="true" attribute ?

    I found that the <security-role-mapping> element is not functioning correctly for 10.1.3.4 OC4J LDAP authentication. I saw in the log.xml that I was getting authenticated but it wasn't finding the role-group map.
    I changed the role-name in the web.xml to be the exact same thing as the group in LDAP and that fixed that problem.
    I know the original poster has gone past this problem, but for people in the future, I hope this helps.
    Now my problem is the j_security_check... once I'm authenticated, the browser ends up at http://hostname:port/OrderManagement/j_security_check instead of the application page. Any ideas?
    Thanks,
    David

  • Integrating standalone OC with existing 3rd party LDAP directory question

    Hello everyone,
    we have a standalone version 9 Oracle Calendar server with internal directory. We also have an existing enterprise wide LDAP directory. We would like to integrate them together, with as few changes to our existing LDAP schema as possible. Has anyone dealt with this issue before? Are there any documents out there describing how to deal with such situation? What if we upgrade to OC version 10 first?
    Thanks

    Migration might be tricky -
    We've been running Calendar since the Netscape era with external LDAP. Basically user's preferences are stored in LDAP, though these can be 'regenerated' on the fly by the client using defaults.
    You will need to modify the schema, but it's as simple as loading the supplied schema file.
    Data itself is still maintained in the internal DB. The link between the DB and LDAP is done via the calendar ID number which gets stored in the user's entry in ldap.
    I don't think it would matter on upgrading OC to 10 or not, since the upgrade would not modify anything on the LDAP side (schema has not changed).
    You should set up a test environment and test it out...

  • Migration Accelerator - Documentation about 3rd party app defaults

    The App defaults we need to pick for the CX/CS dependencies:
    MySQL and Cygwin specifically.   What do we need to configure when those wizards pop up?  Both have multiple paths and options and the documentation just says "follow the wizard".     The Cygwin one specifically has
    up to 15GB of downloads if you pick all the libraries to install, but the documentation doesn't say what we actually need to pick to finish that installation? (it won't finish if you don't pick something)
    I know you are working on improving the documentation, so please review these items.  
    Also the interchanging of CS and CX in the documentation can be confusing, you should settle on one naming convention.

    Hi Joe,
    As the document/wizard indicates, please download the required Cygwin setup-x86.exe and the other MySQL and rrdtool software.  Cygwin won't download 15 GB of data; just follow the wizard and you will be able to download the required software in 5 to 10 min. We will improve
    our documentation regarding naming of CX and CS.
    Thx-Gopi

  • Email account and Internet service not working after migration onto a new (upgraded 3rd party) 2012 MBP. Hardware or software issue.

    I just purchased a refurb Mac Book Pro from the Apple on-line store. When I received the machine (serial number)  I purchased 3rd party (OWC) parts. All of these were installed by the authorized, local Apple repair store I have had excellent results with on past issues with my 2006 MBP. The parts installed are: 16 meg ram, 240 SSD and a 1 T installed replacing the optical drive.
    Feeling ready now, I had the Apple store do the migration from my 2006 MacBook Pro (OS 10.6.8) over to the 2012.
    When trying to get the new machine into the production flow, I cannot get email to work. It will launch but I cannot access accounts.
    During the One to One, then moved over to the Genius Bar appointment, they reentered the account(s) data. Nothing.
    Also at this time they noticed that the Internet connection was not working.
    A new internet account was set up and it worked. They (Genius) launched email and the Internet connection crashed. This was repeated about 5 times.
    The computer was left with Apple to reinstall the OS (10.8) - their best suggestion as a fix and I have now had a call to say that the install did not correct the problem. Now they are questioning the install of the 3rd party parts as the possible problem.
    I'm to go back into the Apple store to discuss the next steps.
    I would really, really appreciate anyone's thoughts / suggestions on this problem. Is it software or hardware? Should I re-install the original ram and 500 m hard drive to start over with the migration? I'll be honest here and state - I'm not a technician in computers or this side of technology. That is why I have reliable parties do the install and troubleshoot. Not a comfortable feeling being at their mercy.
    Advanced thanks to all who believe they have answers.

    Back from the Apple store with my 2012 MacBook Pro.
    After one re-install of the OS - no better - a clean install was performed - purging all of the data that they had migrated over from my 2006 MBP last week.
    The belief is, that the migrated data from my 2006 MBP was too great of a leap for the new 10.8. My (a lot) software was too dated and there in was a "blip" of some sort in some / one of the programs.
    So - all of the OWC parts and pieces that I had installed are not the issue - as they all show up on the About this Mac - and other things are functional. Yeah.
    I now have my 2012 back (with upgrades) in the original form (OS and programs) and I will start a one by one migration of programs that I do need and use. Being cautious not to make one large transfer.... weeding out programs that will no longer be needed or will work on the OS 10.8. I will manually set up the email accounts one by one.
    Fingers crossed.

  • Using Weblogic LDAP JAAS credentials for 3rd party authentication

    Hello to all!
    I'm posting this question because I'm developing a software layer that will connect a weblogic based web application, with LDAP authentication, to a 3rd party application, also with LDAP authentication, and I'm having difficulties in getting a javax.security.auth.Subject object from the weblogic server.
    I already have a way of doing it, but it requires that a username and a password exist in some sort of storage, in order to work (either hardcoded (which is to be avoided as much as possible) or stored in a file (which is to be avoided if possible, but if nothing better exists...)).
    I'm using a Weblogic 11g server, with LDAP authentication (LDAP provider placed in last at the provider list, with flag SUFFICIENT) and I'm developing the software layer using Oracle's jDeveloper 11g Release 1.
    Now, this 3rd party application requires a javax.security.auth.Subject object in order to perform authentication.
    How do I get this from the weblogic server ?
    Of the following approaches, can you tell me which are the most correct ones ?
    a)
        LoginContext lc = null;
        try {
            // JAAS login against the named configuration entry
            lc = new LoginContext("<JAAS instance name>");
            lc.login();
        } catch (LoginException e) {
            e.printStackTrace();
        }
        // subject populated by the login modules on success
        javax.security.auth.Subject subject = lc.getSubject();

    b)
        // credentials supplied through a CallbackHandler
        LoginContext lc = new LoginContext("<JAAS instance name>",
            new MyClass.CallbackHandler(userid, password));
        lc.login();
        javax.security.auth.Subject subject = lc.getSubject();
        javax.security.auth.Subject.doAs(subject, myClassObject);

    c)
        // reuse the subject already established for the current request
        javax.security.auth.Subject subjectA = weblogic.security.Security.getCurrentSubject();
        javax.security.auth.Subject.doAs(subjectA, myClassObject);  // doAs is static
    Thanks in advance,
    Nuno B.

    Here is a document on Monitoring and Reporting Tool Integration into Network Admission Control.
    http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd801dee49.shtml

  • 3rd party tools to migrate Authorization profiles to roles

    Experts,
    Are there any 3rd party tools to migrate Authorization profiles to roles while upgrading to ECC 6.0?
    NW

    Hi,
    Thanks so much for replying. I posted the errors here (no answers though):
    XML to Forms conversion gives error for menus
    Error when converting form to XML

  • Migrating 3rd Party Apps

    Hello,
    I am in the process of buying a new iMac G5 20", and I have purchased several downloadable 3rd party apps on my current iMac. Can anyone tell me how I can get these apps off my computer and onto my new one?
    Thanks!
    ~NS

    Hi, Nathan.
    New Macs have an improved Setup Assistant that will walk you through the process of moving the Users, Applications, and other files from your old Mac to your new Mac, presuming your old Mac has a FireWire port.
    See "Mac OS X 10.3: Transferring data with Setup Assistant frequently asked questions (FAQ)." See also this page describing the new Setup Assistant.
    A little, undocumented secret about the Setup/Migration Assistant is that it will also work using a bootable duplicate of your old Mac if that duplicate is on a FireWire drive.
    You can move everything from the old Mac to the new, or selected bits. However, moving just applications can be problematic if the applications have bits installed outside of the /Applications folder: not all third-party apps are distributed in bundles, but rather install bits all over the system.
    Good luck!
    Dr. Smoke
    Author: Troubleshooting Mac® OS X

  • Use This Thread for All 3rd Party Extension Questions (Migrating from v3-v4)

    This thread is for the 3rd Party Extension developers as they update their extensions to be compatible with the new framework in SQL Developer v4.0.
    To get started with the process, consult this post from the JDeveloper team. If you have questions, post them here.

    What is the correct way to deploy migrated extension on local installation of SQL Developer 4 for testing?
    Could such operation be automated with help of JDeveloper 12c?
