MS Active Directory LDAP configuration

Dear forum members,
I didn't find an MS Active Directory LDAP configuration, so the Apex (3.0) LDAP test page fails authentication right away. All of my configuration:
mail=[email protected],DC=mycompany DC=org
port: 3268 and host entry, but it failed.
Do you have a document on this issue?
Thanks
Best regards
Selim

Thanks Bill,
it works, but the domain @<domain> must be non-static.
When a user logs in, they will enter "[email protected]". Normally the company part is static, but the domain has too many values, and the LDAP attribute name is "mail".
Example: mail=[email protected]
Maybe your syntax? %LOGIN_USER%@COMPANY.??

Similar Messages

  • MS Active Directory LDAP configuration for BI Publisher

    Dear forum members,
    I didn't find an MS Active Directory LDAP configuration for BI Publisher. All of my configuration:
    mail=[email protected],DC=mycompany DC=org
    port: 3268 and host entry, but it failed.
    Do you have a document on this issue?
    Thanks
    Best regards
    Selim

    Thanks Bill,
    it works, but the domain @<domain> must be non-static.
    When a user logs in, they will enter "[email protected]". Normally the company part is static, but the domain has too many values, and the LDAP attribute name is "mail".
    Example: mail=[email protected]
    Maybe your syntax? %LOGIN_USER%@COMPANY.??

  • LC + ActiveDirectory + LDAP over SSL = doesn't work

    Hi,
    I installed Active Directory Certificate Services. Now I want to set up LDAP over SSL. Unfortunately it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
    In server.log, I got this:
    2011-11-12 00:51:28,202 INFO  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
            at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
            at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
            at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
            at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
            at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
            at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
            at javax.naming.InitialContext.init(InitialContext.java:223)
            at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
            at com.adobe.idp.um.businesslogic.synch.LdapHelper.createContext(LdapHelper.java:663)
            at com.adobe.idp.um.businesslogic.synch.LdapHelper.testServerConfig(LdapHelper.java:682)
            at com.adobe.idp.um.ui.config.ConfigDirectoryEditAction.testServerSettings_onClick(ConfigDirectoryEditAction.java:215)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
            at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
            at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
            at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
            at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
            at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
            at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
            at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
            at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:91)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:41)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            at java.lang.Thread.run(Thread.java:619)
    Do you have any idea?
    cu Floh

    I have not done it for Netscape yet, but I have done it for Novell and JNDI. Here are the settings for Novell (JLDAP):
    import java.security.Security;
    import com.novell.ldap.LDAPConnection;
    import com.novell.ldap.LDAPJSSESecureSocketFactory;
    // Dynamically set JSSE as a security provider
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Dynamically set the property that JSSE uses to identify
    // the keystore that holds trusted root certificates
    // (m_connectionData is the poster's own configuration holder)
    System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
    LDAPJSSESecureSocketFactory ssf = new LDAPJSSESecureSocketFactory();
    // Set the socket factory as the default for all future connections
    LDAPConnection.setSocketFactory(ssf);
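
The "data 52e" in the diagnostic string above is one of the sub-codes Active Directory appends to LDAP result code 49 (invalidCredentials). The following is an added example, not code from the original post or from the product discussed, that parses such a string and maps the sub-code; the sample message is constructed in the format shown above. The practical point for a login page: the sub-code belongs in the server log, while the user gets one generic message, because the difference between 525 (no such user) and 52e (wrong password) lets an attacker enumerate valid accounts.

```python
import re

# Constructed sample in the format AD returns for a failed simple bind;
# the DSID and version fields are copied from the post above.
SAMPLE_MESSAGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                  "comment: AcceptSecurityContext error, data 52e, v1db1]")

# Sub-codes AD appends after "data" when the result code is 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DIAG_RE = re.compile(r"error code (\d+)\b.*?\bdata ([0-9a-fA-F]+)")


def decode_ad_bind_error(message):
    """Return (result_code, subcode, meaning) for an AD diagnostic string,
    or None when the string is not in that format."""
    m = _DIAG_RE.search(message)
    if m is None:
        return None
    code = int(m.group(1))
    sub = m.group(2).lower()
    if code != 49:
        meaning = "sub-code only defined for result code 49"
    else:
        meaning = AD_BIND_SUBCODES.get(sub, "unknown sub-code")
    return code, sub, meaning


def user_facing_message(message):
    """One generic string for every bind failure, so the response cannot
    distinguish 'no such user' (525) from 'wrong password' (52e)."""
    decoded = decode_ad_bind_error(message)
    if decoded is not None and decoded[0] == 49:
        return "Invalid username or password"
    return "Authentication error, see server log"


if __name__ == "__main__":
    # Log the detail, show the user only the generic message.
    print("log:", decode_ad_bind_error(SAMPLE_MESSAGE))
    print("user:", user_facing_message(SAMPLE_MESSAGE))
```

The sub-code table only applies to result code 49; a WILL_NOT_PERFORM (53) string also carries a "data" field, but it is not a logon reason, which is why the decoder refuses to interpret it.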

  • LDAP - Filter on groups (iPlanet)

    We connected WebLogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
    Now we want to filter on the users being in one group (we are not interested in all users).
    With an ActiveDirectory LDAP Provider you can set at the All Users filter & User From Name filter:
    (&(sAMAccountName =*)(memberOf= CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
    With this filter in place, only users that are members of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to log in.
    Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
    The structure of this system is:
    GROUPS
      GRP OBIEE
        uniqueMember: MVL
        uniqueMember: DFG
    USERS
      uniqueMember: MVL
    The relation between users and groups is stored at group level.
    Does anyone know if this is possible and what the structure of the filter is?
    Thanks in advance.

    Have you already found a workaround?
    Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
    Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
    (&(objectclass=customAccount)(!(objectclass=customSA*)))
    Good luck!
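
Both filters in this thread place a caller-supplied value (an account name, a group DN) inside a filter string. As an added example, not part of the original post or of WebLogic/iPlanet, here is the escaping RFC 4515 requires for assertion values, the AD memberOf filter from the post built with it, and a filter for the iPlanet case that applies the same check to the group entry instead (uniqueMember searched on the group with the user's DN as the value; that the groups are groupOfUniqueNames is an assumption about the DIT sketched above). The naive version is included only to show what an unescaped login name does to the filter.

```python
# Minimum escaping RFC 4515 requires for a value placed inside a filter:
# backslash, '*', '(', ')' and NUL become \XX (two hex digits).
_MUST_ESCAPE = "\\*()\0"


def escape_filter_value(value):
    return "".join("\\%02x" % ord(ch) if ch in _MUST_ESCAPE else ch
                   for ch in value)


def naive_user_filter(sam_account_name):
    # The unsafe pattern: raw string interpolation of the login name.
    return "(&(objectClass=person)(sAMAccountName=%s))" % sam_account_name


def ad_user_in_group_filter(sam_account_name, group_dn):
    """AD: membership is readable on the user entry via memberOf, so one
    filter over the user subtree both finds the account and checks the group."""
    return "(&(objectClass=person)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(group_dn))


def ds_group_contains_user_filter(group_cn, user_dn):
    """iPlanet-style DIT: membership lives on the group as uniqueMember.
    Apply this filter to the groups subtree; a hit means the user is a
    member. Assumes groupOfUniqueNames groups (assumption, see lead-in)."""
    return "(&(objectClass=groupOfUniqueNames)(cn=%s)(uniqueMember=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))


if __name__ == "__main__":
    hostile = "*)(sAMAccountName=*"
    # Naive: becomes (&(objectClass=person)(sAMAccountName=*)(sAMAccountName=*)),
    # a valid filter that matches every person in the base.
    print(naive_user_filter(hostile))
    # Escaped: the injected metacharacters are literal bytes in one assertion.
    print(ad_user_in_group_filter(
        hostile, "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com"))
    print(ds_group_contains_user_filter("OBIEE", "uid=MVL,ou=USERS,dc=company,dc=com"))
```

Commas and equals signs inside a DN need no escaping in a filter value, so the memberOf and uniqueMember forms come out unchanged; only the five metacharacters are rewritten.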

  • ActiveDirectory/LDAPRealm Problem

    I'm trying to authenticate users of my Web Application against users in an
    ActiveDirectory LDAP Server.
    When the admin console lists all of the users in the ActiveDirectory server
    it lists them by their full name, which is stored in the 'cn' attribute. It
    does not allow users to log into the application with either their username
    or their full name as contained in the 'cn' attribute. I have tried both
    'local' and 'bind' UserAuthentication.
    When I try to access their login name or email address, using
    'sAMAccountName' or 'userPrincipalName' in the UserNameAttribute field, I
    get a RuntimeOperationsException when accessing either my application or the
    admin console. Abbreviated exception followed by LDAPRealm config...
    javax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute FileTimeSpan
    at com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.java:1183)
    at com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.java:1151)
    at weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:223)
    at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
    at $Proxy3.getFileTimeSpan(Unknown Source)
    at weblogic.logging.FileStreamLogger.log(FileStreamLogger.java:169)
    My LDAPRealm looks like this:
    <LDAPRealm
        Name="ActiveDirectoryRealm"
        LDAPURL="ldap://server:389"
        AuthProtocol="simple"
        Principal="[email protected]"
        Credential="credential"
        GroupDN="DC=com,DC=xxx,DC=server,CN=Users"
        GroupIsContext="false"
        GroupNameAttribute="cn"
        GroupUsernameAttribute="member"
        UserAuthentication="local"
        UserDN="DC=com,DC=xxx,DC=server,CN=Users"
        UserNameAttribute="cn"
        UserPasswordAttribute="userPassword"/>

    My production LDAP environment returns referrals. Normally this is dealt
    with by setting the Context.Referral parameter to "follow" rather than the
    default JNDI "ignore" value. I can't seem to find any documentation on the
    "configuration data" field of weblogic.security.ldaprealmv2.LDAPRealm or
    even get at any API docs for this class.
    Can somebody tell me if there is a configuration parameter I can pass to
    this class which accomplishes this? If not, can BEA provide some assistance
    (source code or API documentation) so that we can modify this class? (I'm
    not excited about writing my own CustomAuthentication class this week..)

    The ldap realm v2 uses the Netscape SDK. By default, a Netscape SDK client
    follows referrals automatically. However, the client binds anonymously to the server.
    There is currently no method for the ldap realm v2 to follow referrals and
    bind as a specific user.
    Does your production system have the same principal and credentials for
    both the original and referral directory server?
    Peter

  • Trouble with Unity Connection and LDAP

    Our CUCM 8.6 is currently integrated with LDAP; this was done before I started with the company. I'm working on getting the CUC integrated as well, but I keep getting the following error message:
    Error while Connecting to ldap://xx.xx.xx.xx:389, null
    I took the exact same settings that were used on the CUCM (the LDAP syncs fine with CUCM):
    LDAP Configuration name: ActiveDirectory
    LDAP Manager Distinguished Name: [email protected]
    LDAP Password: *******
    LDAP User Search Base: DC=xyz,DC=net
    User ID: sAMAccountName
    Middle Name: middleName
    Manager ID: manager
    Phone number: ipPhone
    First name: givenName
    Last name: sn
    Department: department
    Mail ID: mail
    Any ideas what could be causing that error? I've run into this before somewhere but was able to figure out that it was something with the way I had put in the OU. This time I really have no idea, especially since I took the settings from the LDAP setup in CUCM.

    Hi Chris,
    Yes, I'm sure the sync is still working. I went into CUCM and did a full sync and it was successful; I also hit save and that was successful as well. That was the first thing I did just to make sure it was working. I was thinking like you that maybe it wasn't working properly ... I'll take some screenshots and post shortly.
    Fred
    Here's a screenshot of both CUCM and CUC
    Message was edited by: Fred Rawlings

  • Can LAUTHSVR be used with non WebLogic LDAP servers?

    Is it possible to use LAUTHSVR with other LDAP servers like MS Active Directory?

    Martin,
    LAUTHSVR currently does not support ActiveDirectory. BEA Product Management
    is aware that some customers would like to use alternate LDAP servers, and a
    future release of Tuxedo may or may not contain enhancements in this area.
    With present releases of Tuxedo, it is possible for an application to modify
    the $TUXDIR/lib/AUTHSVR.c source to write whatever sort of authorization
    server is desired, but the application will need to handle interactions with
    the ActiveDirectory LDAP server itself if this approach is followed.

  • Operation Not Supported Exception in JNDI/Active Directory

    Hi all,
    When I am trying to change a password or create a user from a JNDI program
    on Active Directory, I am getting an OperationNotSupportedException.
    I wonder if I am making a common mistake in both functions. Just when the execution comes to
    ctx.createSubcontext("cn=surendra,cn=Users,DC=ABSI,dc=pcs",attrs);
    in the createUser method and
    ctx.modifyAttributes(userString, ctx.REPLACE_ATTRIBUTE, testAttrs);
    in the changePassword method, I am getting the below exception.
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'cn=surendra,cn=Users,DC=ABSI,dc=pcs'
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Exception.java:42)
    at javax.naming.NamingException.<init>(NamingException.java:106)
    at javax.naming.OperationNotSupportedException.<init>(OperationNotSupportedException.java:50)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:657)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Compiled Code)
    at com.sun.jndi.toolkit.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(Compiled Code)
    at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:258)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
    Your help is needed to go ahead......
    Thanks in advance
    Naga

    Hi!
    I just happened to stumble across your post today looking for something else, but...
    Are you aware that you can only update a password in Active Directory/LDAP over a secure network connection? A certificate must be installed on the domain controller and tied to AD, and then the client must support an SSL connection to AD for LDAP. The other attributes in the schema do not have this restriction and can be updated without a secure connection.
    Joel Mussman
    Smallrock Internet Services

  • Configration of LDAP in OBIEE 11g

    Hi All,
    The client has asked me to do the LDAP configuration. I will be doing it for the first time. I have gone through the different posts and the information is enough to do it.
    But I have one question on this. It might be funny for all of you :-) but it has meaning for me.
    There are a few parameters that need to be passed during configuration.
    Base DN: Generally we give a value like (CN=Users,DC=venkatad,DC=venkatlap,DC=com). My question here is: will the values for CN and DC be provided by the client (or any specific value), or can we put anything?
    Bind DN: (CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com); here my question is the same.
    Bind password: is it generic, or LDAP-server related?
    Port: 389 (default LDAP port without SSL). So my question is: if there is SSL, what would be the port number?
    And lastly, could you please let me know what different parameters I need to ask the client for, for the LDAP authentication configuration.
    Regards
    Niraj

    Hi,
    Refer to the below.
    Required info from the LDAP team:
    1) LDAP server host name and platform (OS type)
    2) LDAP server IP
    3) LDAP server port no.
    4) User path structure (object)
    e.g. user and group (object of the user and group canonical name) path structure (Path: functional user ID)
    My group info, as I got it from the LDAP team:
    GROUP:
    CN=deva,OU=SG,OU=OBIEE,OU=Groups,DC=reg9,DC=Hex1,DC=OPM,DC=com
    5) Group path structure (object)
    e.g. (Path: functional user group)
    6) Access required for our functional ID: deva
    1) ldifd.tex files ---> permission required for our functional ID deva
    2) Windows Active Directory access required for our functional ID (deva)
    3) Access required for functional ID user (deva) to properties of the user in AD
    For more, refer to my blog:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    Thanks
    Deva
    Edited by: Devarasu on Mar 30, 2012 10:30 AM

  • IBM Websphere to ActiveDirectory ( Win 2003 ) LDAP SSL.

    I am trying to connect to Win 2003 AD LDAP from WebSphere Application Server.
    I have installed the Win2k3 certificates into the local key store.
    I used ikeyman of WebSphere. The Win2k3 certificates were in .arm format (that's how the Win2k3 admin gave them to me). I successfully installed the certificates in the local keystore, and pointed to the keystore when the LDAP connection is happening.
    I am getting a MalformedURLException: cannot parse url ldaps://xx.xx.x.x:636
    Not an LDAP url.
    At the same time I also tried with the Sun JDK. It shows another error:
    default context init failed: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
    Please help me. I want this program to run from the IBM WebSphere env.
    Please find my code below.
    Thanks in advance.
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import java.io.*;
    public class Test {
        public static void main(String args[]) {
            //String userName = "CN=Renjith\\, Vasudevan";
            String userName = null;
            String test = ",OU=xx,OU=xx,DC=xx,DC=xxm";
            String newPassword = "xxx";
            String oldPassword = "xx";
            Hashtable env = new Hashtable();
            //Hard coded values - will be moved to properties file.
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //env.put(Context.PROVIDER_URL, "ldap://X.X.X.X:389");
            env.put(Context.PROVIDER_URL, "ldaps://X.X.X.X:636");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            //env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "xxxx");
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            String keystore = "C:\\j2sdk1.4.2_04\\jre\\lib\\security\\cacerts";
            System.setProperty("javax.net.ssl.trustStore", keystore);
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // The following code is only for getting the correct dn - the hardcoded dn had some tabbing/char problem.
                // Renjith - begin
                SearchControls constraints = new SearchControls();
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
                String[] strAttributes = { "sAMAccountName", "memberOf" };
                //String FILTER = "(&(objectClass=user))";
                String FILTER = "(&(objectClass=user)(sAMAccountName=prrev))";
                String searchBase = "OU=xx,OU=xx,DC=infores,DC=xx";
                constraints.setReturningAttributes(strAttributes);
                NamingEnumeration results = ctx.search(searchBase, FILTER, constraints);
                System.out.println("results : " + results);
                while (results != null && results.hasMore()) {
                    SearchResult sr = (SearchResult) results.next();
                    // getName() is relative to searchBase; the suffix in 'test' is appended below
                    String dn = sr.getName();
                    //String dn = ((Context) sr.getObject()).getNameInNamespace();
                    if (dn.indexOf("Renjith") != -1) {
                        System.out.println("Distinguished Name : " + dn);
                        //System.out.println("Charg" + dn.toCharArray());
                        userName = dn + test;
                        break;
                    }
                }
                // Renjith - end.
                // Setting the password is an LDAP modify operation:
                // delete the old unicodePwd value and add the new one in a single modify
                ModificationItem[] mods = new ModificationItem[2];
                String oldQuotedPassword = "\"" + oldPassword + "\"";
                byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
                String newQuotedPassword = "\"" + newPassword + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", oldUnicodePassword));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", newUnicodePassword));
                System.out.println("Trying to reset Password for: " + userName);
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                System.out.println("Reset Password for: " + userName);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
                System.out.println("Problem resetting password: " + e);
            } catch (UnsupportedEncodingException e) {
                System.out.println("Problem encoding password: " + e);
            }
        }
    }

    The first error you described ("malformed URL") is possibly due to the fact that your JRE version 1.4 does not support the ldaps URL.
    If using 1.4 then you must use the following syntax:
    env.put(Context.PROVIDER_URL, "ldap://servername:636");
    If using 1.5, then it supports the syntax:
    env.put(Context.PROVIDER_URL, "ldaps://servername:636");
    I can't comment on the other error message you receive, however I am concerned at two things: one is that in your sample code you are using a "null" user name, and secondly, I have no idea what certificate you have installed. I do not recall seeing a Windows CA cert with the extension of .arm. Normally the Root CA exported trust cert has the extension of .cer.
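
Both the WILL_NOT_PERFORM post and the Test.java above change unicodePwd. As an added example, not part of either post, the following Python builds the exact byte value Active Directory requires (the password in double quotes, UTF-16LE) and emits an LDIF modify that ldapmodify can send; the user DN and passwords are constructed placeholders. The delete/add pair is the self-service change (the DC verifies the old password and applies password policy); a single replace is the administrative reset, which needs the Reset Password right instead. Either has to travel over LDAPS or TLS, which is the restriction Joel's reply above describes.

```python
import base64


def encode_unicode_pwd(password):
    """AD's unicodePwd syntax: the password wrapped in double quotes and
    encoded as UTF-16LE, no BOM, no NUL terminator."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(raw):
    """Inverse of encode_unicode_pwd, for checking what would be sent."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def _ldif_binary(attr, raw):
    # LDIF writes non-printable values base64 encoded after a double colon.
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def password_change_ldif(user_dn, old_password, new_password):
    """Self-service change: delete the old value and add the new one in a
    single modify. The caller only needs the Change Password right."""
    return "\n".join([
        "dn: " + user_dn,
        "changetype: modify",
        "delete: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]) + "\n"


def password_reset_ldif(user_dn, new_password):
    """Administrative reset: one replace, no old password, but it needs the
    Reset Password right on the user object."""
    return "\n".join([
        "dn: " + user_dn,
        "changetype: modify",
        "replace: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]) + "\n"


def unicode_pwd_values(ldif):
    """Decode every unicodePwd value in an LDIF fragment (used for checks)."""
    out = []
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            raw = base64.b64decode(line.split(":: ", 1)[1])
            out.append(decode_unicode_pwd(raw))
    return out


if __name__ == "__main__":
    # Constructed placeholders; AD only accepts this modify over LDAPS/TLS.
    print(password_change_ldif("CN=Test User,CN=Users,DC=example,DC=com",
                               "OldP@ss1", "NewP@ss2"))
```

The generated fragment is what you would feed to ldapmodify with an ldaps:// URL (host and credentials being your own); sending the same modify over plain ldap:// on port 389 is refused by the DC, which is the situation the WILL_NOT_PERFORM post ran into.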

  • I'm trying to use Kerberos V5 with ActiveDirectory but get an error

    I'm trying to use Kerberos V5 with ActiveDirectory. I'm using simple code from previous posts, but
    when I try with a correct username/password I get:
    Authentication attempt failed javax.security.auth.login.LoginException: Message stream modified (41)
    When I try an incorrect username/password I get:
    Pre-authentication information was invalid (24)
    Debug info is:
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Kerberos username [naiden]: naiden
    Kerberos password for naiden:      naiden
              [Krb5LoginModule] user entered username: naiden
    Acquire TGT using AS Exchange
              [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication attempt failed javax.security.auth.login.LoginException:
    Java code is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;
    /*
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     * Jaas.conf
     * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }
    // 3. Perform LDAP Action
    /*
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");
        public LDAPAction(String[] origArgs) {
            this.args = (String[]) origArgs.clone();
        }
        public Object run() {
            performLDAPOperation(args);
            return null;
        }
        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    JAAS conf file is:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    krb5.ini file is:
    # Kerberos 5 Configuration File
    # All available options are specified in the Kerberos System Administrator's Guide.  Very
    # few are used here.
    # Determines which Kerberos realm a machine should be in, given its domain name.  This is
    # especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
    # there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
    # after a # symbol, the name of the server corresponding to each IP address.
    [libdefaults]
        default_realm = ISY
    [domain_realm]
        .isy.local = ISY
        isy.local = ISY
    # Specifies all the server information for each realm.
    [realms]
        ISY = {
            kdc = 192.168.0.101
            admin_server = 192.168.0.101
            default_domain = ISY
        }

    Now it works.
    I will try to explain how I did this:
    step 1)
    Follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    and configure AD to use Kerberos and to have a Kerberos REALM.
    step 2) Try a Windows login to the new realm to be sure that it works. Add a trusted realm if needed.
    step 3) Create the jaas.conf file, for example in c:\
    It looks like this:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    step 4)
    (Don't forget to make the mappings which are explained in step 1.) Go to Active Directory Users, make sure to check Advanced Features under View, right click on the user, go to mappings, and in the second tab (Kerberos mapping) add USERNAME@KERBEROSREALM, for example [email protected]
    step 5)
    Copy+paste this code and HIT RUN :)
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    public class Main {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed: " + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    /*
     * 3. Perform LDAP Action
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;

        public LDAPAction(String[] origArgs) {
            this.args = origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(mail=*))";
                // Specify the base for the search
                String searchBase = "DC=isy,DC=local";
                // Initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult) answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes; catch the exception if an attribute has no value
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println("   surname: " + attrs.get("sn").get());
                            System.out.println("   firstname: " + attrs.get("givenName").get());
                            System.out.println("   mail: " + attrs.get("mail").get());
                        } catch (NullPointerException e) {
                            System.err.println("Error listing attributes: " + e);
                        }
                    }
                }
                System.out.println("RABOTIII");
                System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }

    It will ask for username and password
    type for example : [email protected] for the username
    and the password : TheSecretPassword
    where ISY.LOCAL is the name of the Kerberos realm.
    p.s. it is not a good idea to use Administrator as the login :)
    Edited by: JOKe on Sep 14, 2007 2:23 PM
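    An added example (not JOKe's code) that keeps the same GSSAPI/JNDI approach but turns on the two SASL properties the post leaves off, and logs in from a keytab instead of prompting for Administrator. The JAAS entry, the service account ldapreader, the keytab path and the host dc1.isy.local are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/* Assumed JAAS entry in C:\jaas.conf (hypothetical service account and keytab),
 * replacing the post's interactive Administrator prompt:
 *   ISY { com.sun.security.auth.module.Krb5LoginModule required
 *         useKeyTab=true keyTab="C:\\ldapreader.keytab"
 *         principal="ldapreader@ISY.LOCAL" doNotPrompt=true; };
 */
public class HardenedGssapiBind {
    // GSSAPI authenticates the server as ldap/<fqdn>@REALM, so use the DC's
    // fully qualified DNS name (assumed here), not its IP address.
    static final String PROVIDER_URL = "ldap://dc1.isy.local:389";

    // hardened=false reproduces the post's settings; hardened=true adds the two
    // SASL properties that make the bind mutually authenticated and sealed.
    static Hashtable<String, String> gssapiEnv(boolean hardened) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        if (hardened) {
            // The line the post left commented out: the client also verifies
            // the DC's identity, so a rogue LDAP endpoint cannot stand in for AD.
            env.put("javax.security.sasl.server.authentication", "true");
            // Integrity + confidentiality for the whole session; otherwise the bind
            // is Kerberos but search results cross port 389 in clear text. This
            // also satisfies an AD policy that requires LDAP signing.
            env.put("javax.security.sasl.qop", "auth-conf");
        }
        return env;
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.realm", "ISY.LOCAL");
        System.setProperty("java.security.krb5.kdc", "dc1.isy.local");
        System.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        LoginContext lc = new LoginContext("ISY"); // keytab login, nothing to prompt for
        lc.login();
        // PrivilegedExceptionAction lets a NamingException reach the caller instead
        // of being printed and swallowed inside run() as in the post's PrivilegedAction.
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            DirContext ctx = new InitialDirContext(gssapiEnv(true));
            try { // RootDSE read: proves the sealed, mutually authenticated bind works
                System.out.println(ctx.getAttributes("", new String[] {"defaultNamingContext"}));
            } finally {
                ctx.close();
            }
            return null;
        });
        lc.logout();
    }
}
```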

  • LDAP Error during provisioning a user to AD

    Hi,
    We are trying to provision a user to AD. But the create user task is failing. The status is provisioning. We are getting the following error in the application logs. Please help us.
    ERROR,19 Aug 2011 11:52:43,811,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772]; remaining name 'cn=nkumars6'
    Thanks,
    Pavan.

    Hi ,
    We have provided the value for Organization while creating the user. But we are still getting the following errors.
    1.ERROR,19 Aug 2011 15:37:52,396,[XELLERATE.WORKFLOW],Class/Method: tcPrepopulateUtility:setDataFromAdapter:
    Adapter not compiled: PrePopulate Account Expiration Date encounter some problems: {1}
    2.ERROR,19 Aug 2011 15:37:55,681,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772]; remaining name 'cn=shaba'
    Thanks,
    Pavan.

  • LDAP as a user source in UME

    Hi all,
    We have a concern regarding the user source to be selected at UME level.
    At CUP level you can also set the user source for user details.
    Our questions here:
    1) Is there any relationship between such user source configuration?
    2) Which is the best practice here?
    Many thanks in advance. Best regards,
       Imanol

    Imanol,
    if you're setting up UME to use ActiveDirectory as a data source you can set the CUP data source to UME and get at the AD users from CUP.
    While I would advise linking UME to AD usually (if you do that there's no need to create users and passwords for new approvers), I would still create an LDAP connector for AD directly in CUP.
    Only the LDAP connector will allow you to use ALL ActiveDirectory fields for custom fields and/or provisioning extended data into your ERP systems (location, room, department etc.).
    Frank.

  • Buyer Account, Welcome mail with password & LDAP related query

    Hi All
    We are facing an issue with the LDAP configuration while creating Buy side users, please see below
    If anyone of you could help, please provide your contact details or a solution to overcome this
    Background
    We have installed SAP E-Sourcing 5.1 On-premise.
    We are currently doing the post installation configuration
    - Imported the Out of the Box enterprise Deployment Workbook (We have not modified the contents of the workbook)
    - We have configured an SMTP mail host to send and receive all mails from the application
    Query
    Based on the enterprise Deployment Workbook, the system has created the following Directory configuration settings pointing to different LDAP systems
    DISPLAY_NAME                        EXTERNAL_ID
    QA SunOne 5.2 - Buyside             dir.qa.sun.bs
    QA SunOne 5.2 - Sellside            dir.qa.sun.ss
    QA ActiveDirectory 2003 - Buyside   dir.qa.ms.bs
    QA ActiveDirectory 2003 - Sellside  dir.qa.ms.ss
    QA Oracle 9.0.2 - Buyside           dir.qa.ora.bs
    QA Oracle 9.0.2 - Sellside          dir.qa.ora.ss
    When we are creating the Buyside users (If we use the Check Box - Create Directory account), we are getting a communication error
    If we uncheck it, it creates the account but the system does not generate the welcome mail. We understand that the welcome mail has the system generated password to log onto the application as the Buyer.
    We are also not able to create the local users, as the password.properties template isn't available in the downloaded software, so we don't know the format that's expected by the system.
    Please let us know, if there is an alternate way to get the password even without using LDAP or Local directories.
    In case LDAP or creation of a local directory is the key, then please let us know what's happening incorrectly in our case.
    This has become a show stopper for us going any forward.
    Request your help ASAP
    Regards
    Tridip

    Hi All
    I had the same problem when I tried doing the email Set-up
    I finally realised that you need to do the configuration steps for SMTP using the enterprise user and the system user. If you have done this setting as only the system user the mails will be in Awaiting retry.
    Do this and the mails will start flowing, in case your SMTP mail server is working fine
    Please do the following settings logged in as System User and Enterprise User
    System Properties->search for messaging
    Set        Property                 Value                                Context
    messaging  messaging.smtp.mailhost  replace the default with your value  System Context
    messaging  messaging.smtp.port      25                                   System Context
    Also please let me know what is the status of the messages in your Queued Messages
    This should work
    Do let me know, if it does
    Regards
    Tridip
    Edited by: Tridip Chakraborthy on May 27, 2009 11:57 AM
    Edited by: Tridip Chakraborthy on May 27, 2009 12:02 PM

  • Radius or LDAP (not Oracle LDAP) authentication for GridControl

    I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
    I see that if I create a new GC user via enterprise manager, a new database account is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
    However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
    Questions for all:
    Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
    I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot purchase OID for this purpose.
    Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
    I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

    <QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
    Amen.
    Right now, I've got an SR open on the radius authentication issue in GC. It took me two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
    I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
    At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
    Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
    The other option, which I haven't yet given up on, would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controlled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
    In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
    I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
    Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
    In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
    I'll keep the thread updated if I see results from our SR.
