MS ActiveDirectory LDAP configuration
Dear Forums members,
I didn't find an MS ActiveDirectory LDAP configuration, so the Apex (3.0) LDAP test page rapidly failed authentication. All of the configuration:
mail=[email protected],DC=mycompany DC=org
port: 3268 and host entry, but it failed.
Do you have a document on this issue?
Thanks
Best regards
Selim
Thanks Bill
It works, but the domain @<domain> must be non-static.
During login, users will enter "[email protected]". Normally the company part is static, but the domain has too many values, and the LDAP object name is "mail".
example: mail=[email protected]
Maybe your syntax? %LOGIN_USER%@COMPANY.??
Similar Messages
-
MS ActiveDirectory LDAP configuration for BIpublisher
Dear forums Members,
I didn't find an MS ActiveDirectory LDAP configuration for BIpublisher. All of the configuration:
mail=[email protected],DC=mycompany DC=org
port: 3268 and host entry, but it failed.
Do you have a document on this issue?
Thanks
Best regards
Selim
Thanks Bill
It works, but the domain @<domain> must be non-static.
During login, users will enter "[email protected]". Normally the company part is static, but the domain has too many values, and the LDAP object name is "mail".
example: mail=[email protected]
Maybe your syntax? %LOGIN_USER%@COMPANY.?? -
LC + ActiveDirectory + LDAP over SSL = doesn't work
Hi,
I installed Active Directory Certificate Services. Now I want to set up LDAP over SSL. Unfortunately it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
In server.log, I got this:
2011-11-12 00:51:28,202 INFO [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
Do you have some idea?
cu Floh
I have not done it for Netscape yet but I have done it for Novell and JNDI. Here are the settings for Novell:
import java.security.Security;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPJSSESecureSocketFactory;

// Dynamically set JSSE as a security provider
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// Dynamically set the property that JSSE uses to identify
// the keystore that holds trusted root certificates
// (m_connectionData is the poster's own configuration object)
System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
// Novell JLDAP socket factory that performs the TLS handshake
LDAPJSSESecureSocketFactory ssf = new LDAPJSSESecureSocketFactory();
// Set the socket factory as the default for all future connections
LDAPConnection.setSocketFactory(ssf); -
LDAP - Filter on groups (iPlanet)
We connected Weblogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
Now we want to filter on the users being in one group (we are not interested in all users).
With an ActiveDirectory LDAP Provider you can set at the All Users filter & User From Name filter:
(&(sAMAccountName =*)(memberOf= CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
With this filter in place, only users that are members of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to log in.
Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
The structure of this system is:
GROUPS
GRP OBIEE
uniqueMember:MVL
uniqueMember:DFG
USERS
uniqueMember: MVL
The relation between users and groups is stored on group level.
Does anyone know if this is possible and what the structure of the filter is?
Thanks in advance.
Have you already found a work around?
Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
(&(objectclass=customAccount)(!(objectclass=customSA*)))
Good luck! -
ActiveDirectory/LDAPRealm Problem
I'm trying to authenticate users of my Web Application against users in an ActiveDirectory LDAP Server.
When the admin console lists all of the users in the ActiveDirectory server it lists them by their full name which is stored in the 'cn' attribute. It does not allow users to log into the application with either their username or their full name as contained in the 'cn' attribute. I have tried both 'local' and 'bind' UserAuthentication.
When I try to access their login name or email address, using 'sAMAccountName' or 'userPrincipalName' in the UserNameAttribute field, I get a RuntimeOperationsException when accessing either my application or the admin console. Abbreviated exception followed by LDAPRealm config...
javax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute FileTimeSpan
at com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.java:1183)
at com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.java:1151)
at weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:223)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
at $Proxy3.getFileTimeSpan(Unknown Source)
at weblogic.logging.FileStreamLogger.log(FileStreamLogger.java:169)
My LDAPRealm looks like this:
<LDAPRealm
    Name="ActiveDirectoryRealm"
    LDAPURL="ldap://server:389"
    AuthProtocol="simple"
    Principal="[email protected]"
    Credential="credential"
    GroupDN="DC=com,DC=xxx,DC=server,CN=Users"
    GroupIsContext="false"
    GroupNameAttribute="cn"
    GroupUsernameAttribute="member"
    UserAuthentication="local"
    UserDN="DC=com,DC=xxx,DC=server,CN=Users"
    UserNameAttribute="cn"
    UserPasswordAttribute="userPassword"/>
My production LDAP environment returns referrals. Normally this is dealt with by setting the Context.Referral parameter to "follow" rather than the default JNDI "ignore" value. I can't seem to find any documentation on the "configuration data" field of weblogic.security.ldaprealmv2.LDAPRealm or even get at any API docs for this class.
Can somebody tell me if there is a configuration parameter I can pass to this class which accomplishes this? If not, can BEA provide some assistance (source code or API documentation) so that we can modify this class? (I'm not excited about writing my own CustomAuthentication class this week..)
The ldap realm v2 uses the netscape sdk. By default, a netscape sdk client follows referrals automatically. However, the client binds anonymously to the server. There is currently no method for the ldap realm v2 to follow referrals and bind as a specific user.
Does your production system have the same principal and credentials for both the original and referral directory server?
Peter -
Trouble with Unity Connection and LDAP
Our CUCM 8.6 is currently integrated with LDAP, this was done before I started with the company, I'm working on getting the CUC integrated as well, but I keep getting the following error message:
Error while Connecting to ldap://xx.xx.xx.xx:389, null
I took the exact same settings that were used on the CUCM (the LDAP syncs fine with CUCM):
LDAP Configuration name: ActiveDirectory
LDAP Manager Distinguished Name: [email protected]
LDAP Password: *******
LDAP User Search Base: DC=xyz,DC=net
User ID: sAMAccountName
Middle Name: middleName
Manage ID: manager
phone number: ipPhone
First name: givenName
Last Name: sn
Department: department
Mail ID: mail
Any ideas what could be causing that error? I've run into this before somewhere but was able to figure out that it was something with the way I had put in the OU. This time I really have no idea, especially since I took the settings from the LDAP setup in CUCM.
Hi Chris,
Yes I'm sure the sync is still working. I've gone into CUCM and did a full sync and it was successful; I also hit save and that was successful as well. That was the first thing I did just to make sure it was working, I was thinking like you that maybe it wasn't working properly... I'll take some screen shots and post shortly
Fred
Here's a screenshot of both CUCM and CUC
Message was edited by: Fred Rawlings -
Can LAUTHSVR be used with non WebLogic LDAP servers?
Is it possible to use LAUTHSVR with other LDAP servers like MS Active Directory?
Martin,
LAUTHSVR currently does not support ActiveDirectory. BEA Product Management
is aware that some customers would like to use alternate LDAP servers and a
future release of Tuxedo may or may not contain enhancements in this area.
With present releases of Tuxedo, it is possible for an application to modify
the $TUXDIR/lib/AUTHSVR.c source to write whatever sort of authorization
server is desired, but the application will need to handle interactions with
the ActiveDirectory LDAP server themselves if this approach is followed.
<Martin Borgman> wrote in message news:[email protected]..
Is it possible to use LAUTHSVR with other LDAP servers like MS ActiveDirectory? -
Operation Not Supported Exception in JNDI/Active Directory
Hi all,
When I am trying to change a password or create a user from a JNDI program on Active Directory I am getting an OperationNotSupported Exception.
I wonder if I am making a common mistake in both functions. Just when the execution comes to
ctx.createSubcontext("cn=surendra,cn=Users,DC=ABSI,dc=pcs",attrs);
in the createUser method and
ctx.modifyAttributes(userString, ctx.REPLACE_ATTRIBUTE, testAttrs);
in the changePassword method I am getting the below exception.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'cn=surendra,cn=Users,DC=ABSI,dc=pcs'
Your help is needed to go ahead......
Thanks in advance
Naga
Hi!
I just happened to stumble across your post today looking for something else, but...
Are you aware that you can only update a password in ActiveDirectory/LDAP with a secure network connection? A certificate must be installed on the domain controller and tied to AD, and then the client must support an SSL connection to AD for LDAP. The other attributes in the schema do not have this restriction and can be updated without a secure connection.
Joel Mussman
Smallrock Internet Services -
Configuration of LDAP in OBIEE 11g
Hi All,
The client has asked me to do the LDAP configuration. I will be doing it for the first time. I have gone through the different posts; the information is enough to do the same.
But I have one question on this. It might be funny for all of you :-) but it has meaning for me.
There are a few parameters that need to be passed during configuration.
Base DN: Generally we give a value like (CN=Users,DC=venkatad,DC=venkatlap,DC=com). My question here is: will the values for CN and DC be provided by the client (or any specific value), or can we put anything?
Bind DN: (CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com) here also my question is the same.
Bind password: is it generic, or LDAP server related?
port: 389 (default LDAP port without SSL). 389 is the default, without SSL. So here my question is: if there is SSL, what would be the value for the port number?
And lastly, could you please let me know what the different parameters are that I need to ask the client for LDAP authentication configuration.
Regards
Niraj
Hi,
Refer to the below.
Required info from LDAP team:
1) LDAP server Host name and Platform(OS Type)
2) LDAP Server IP
3) LDAP Server Port no
4) User Path structure (Object )
e.g.: the user and group (object of the user and group canonical name) path structure (Path : Functional user ID)
my group info, which I got from the LDAP team:
GROUP:
CN=deva,OU=SG,OU=OBIEE,OU=Groups,DC=reg9,DC=Hex1,DC=OPM,DC=com
5) Group Path Structure (Object)
e.g.: (Path : Functional usergroup)
6) Access required for our functional ID: deva
1) ldifd.tex files ---> permission required for our functional ID deva
2) Windows Active Directory access required for our functional ID (deva)
3) Access required for the functional ID user (deva) to the properties of the user in AD
for more, refer to my blog:
http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
Thanks
Deva
Edited by: Devarasu on Mar 30, 2012 10:30 AM -
IBM Websphere to ActiveDirectory ( Win 2003 ) LDAP SSL.
I am trying to connect to Win 2003 AD LDAP from WebSphere Application Server.
I have installed the Win2k certificates into the local key store.
I used ikeyman of WebSphere. The Win2k3 certificates were in .arm format (that's how the Win2k3 admin gave them to me). I successfully installed the certificates in the local keystore and pointed to the keystore when the LDAP connection is made.
I am getting a MalformedURLException: cannot parse url ldaps://xx.xx.x.x:636 Not an LDAP url.
At the same time I also tried with the Sun JDK. It shows another error:
default context init failed: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
Please help me. I want this program to run in the IBM WebSphere environment.
Please find my code below.
Thanks in advance.
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import java.io.*;

public class Test {
    public static void main(String args[]) {
        //String userName = "CN=Renjith\\, Vasudevan";
        String userName = null;
        String test = ",OU=xx,OU=xx,DC=xx,DC=xxm";
        String newPassword = "xxx";
        String oldPassword = "xx";
        Hashtable env = new Hashtable();
        //Hard coded values - will be moved to properties file.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        //env.put(Context.PROVIDER_URL, "ldap://X.X.X.X:389");
        env.put(Context.PROVIDER_URL, "ldaps://X.X.X.X:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        //env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "xxxx");
        //env.put(Context.SECURITY_PROTOCOL,"ssl");
        String keystore = "C:\\j2sdk1.4.2_04\\jre\\lib\\security\\cacerts";
        System.setProperty("javax.net.ssl.trustStore", keystore);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        try {
            // Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env, null);
            // This following code only for getting correct dn - Hardcoded dn had some tabbing/char problem.
            // Renjith - begin
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String[] strAttributes = { "sAMAccountName", "memberOf" };
            //String FILTER = "(&(objectClass=user))";
            String FILTER = "(&(objectClass=user)(sAMAccountName=prrev))";
            String searchBase = "OU=xx,OU=xx,DC=infores,DC=xx";
            constraints.setReturningAttributes(strAttributes);
            NamingEnumeration results = ctx.search(searchBase, FILTER, constraints);
            System.out.println("results : " + results);
            while (results != null && results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                // getName() is relative to searchBase, hence the suffix appended below
                String dn = sr.getName();
                //String dn = ((Context)sr.getObject()).getNameInNamespace();
                if (dn.indexOf("Renjith") != -1) {
                    System.out.println("Distinguised Name : " + dn);
                    //System.out.println("Charg"+dn.toCharArray());
                    userName = dn + test;
                    break;
                }
            }
            // Renjith - end.
            //set password is a ldap modify operation
            ModificationItem[] mods = new ModificationItem[2];
            // AD expects the password in double quotes, encoded UTF-16LE
            String oldQuotedPassword = "\"" + oldPassword + "\"";
            byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
            String newQuotedPassword = "\"" + newPassword + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", oldUnicodePassword));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", newUnicodePassword));
            System.out.println("Trying to reset Password for: " + userName);
            // Perform the update
            ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
            System.out.println("Problem resetting password: " + e);
        } catch (UnsupportedEncodingException e) {
            System.out.println("Problem encoding password: " + e);
        }
    }
}
The first error you described, "malformed URL", is possibly due to the fact that your JRE version 1.4 does not support the ldaps URL.
If using 1.4 then you must use the following syntax:
env.put(Context.PROVIDER_URL,"ldap://servername:636");
If using 1.5, then it supports the syntax:
env.put(Context.PROVIDER_URL,"ldaps://servername:636");
I can't comment on the other error message you receive, however I am concerned about two things: one is that in your sample code you are using a "null" user name, and secondly, I have no idea what certificate you have installed. I do not recall seeing a Windows CA cert with the extension of .arm. Normally the Root CA exported trust cert has the extension of .cer -
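Added example serving both the OperationNotSupportedException thread and the WebSphere thread above (not the posters' code): it prepares the unicodePwd modify the JNDI code attempts, refuses to build it unless the JNDI-style settings describe an SSL connection (the domain controller otherwise answers error 53, WILL_NOT_PERFORM, as in the quoted exception), and parses the AD error strings quoted in the threads so that case can be recognised in logs. The server names are constructed placeholders and nothing is sent to a directory.

```python
import re
from urllib.parse import urlsplit

# Recognises the diagnostic AD embeds in its LDAP result messages, e.g.
# "[LDAP: error code 53 - 00002077: SvcErr: ..., data 0 ]" quoted above.
_AD_ERROR = re.compile(
    r"error code (\d+) - ([0-9A-Fa-f]{8}):.*?data ([0-9A-Fa-f]+)", re.S)

WILL_NOT_PERFORM = 53  # LDAP resultCode unwillingToPerform


def parse_ad_error(message: str) -> dict:
    """Split an AD error message into the LDAP result code, the Windows
    error code and the 'data' sub-code (the latter two are hexadecimal)."""
    m = _AD_ERROR.search(message)
    if not m:
        raise ValueError("not an AD-style LDAP error message")
    return {"result_code": int(m.group(1)),
            "win32_error": int(m.group(2), 16),
            "data": int(m.group(3), 16)}


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants the password wrapped in double quotes and encoded as
    UTF-16LE with no byte-order mark; the quotes are part of the value."""
    return ('"%s"' % password).encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, for checking what would be sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quoted")
    return text[1:-1]


def password_change_mods(old_password: str, new_password: str) -> list:
    """Self-service change as in the JNDI code above: delete the old value
    and add the new one in a single modify. (An administrative reset is
    instead one replace of unicodePwd and needs the reset-password right.)"""
    return [("delete", "unicodePwd", encode_unicode_pwd(old_password)),
            ("add", "unicodePwd", encode_unicode_pwd(new_password))]


def connection_is_protected(provider_url: str, security_protocol=None) -> bool:
    """True for an ldaps:// URL, or for ldap:// on the SSL port combined
    with Context.SECURITY_PROTOCOL="ssl" (the line commented out in the
    posted code, which the JRE 1.4 ldap://host:636 form relies on)."""
    parts = urlsplit(provider_url)
    if parts.scheme.lower() == "ldaps":
        return True
    return (parts.scheme.lower() == "ldap"
            and (security_protocol or "").lower() == "ssl")


def build_password_change(provider_url, user_dn, old_password, new_password,
                          security_protocol=None):
    """Return (dn, mods) ready to send, or raise before a plaintext attempt
    that the DC would reject with error 53 / WILL_NOT_PERFORM."""
    if not connection_is_protected(provider_url, security_protocol):
        raise PermissionError(
            "unicodePwd is only writable over SSL/TLS; refusing on %s"
            % provider_url)
    return user_dn, password_change_mods(old_password, new_password)


# The two error strings quoted in the threads above, copied for testing.
BIND_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
              "comment: AcceptSecurityContext error, data 52e, v1db1]")
PWD_ERROR = ("[LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, "
             "problem 5003 (WILL_NOT_PERFORM), data 0 ]")
```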
I'm trying to use kerberos V5 with ActiveDirectory but get an error
I'm trying to use Kerberos V5 with ActiveDirectory. I'm using simple code from previous posts, but
when I try with the correct username/password I get:
Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
when I try an incorrect username/pass I get:
Pre-authentication information was invalid (24)
Debug info is :
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [naiden]: naiden
Kerberos password for naiden: naiden
[Krb5LoginModule] user entered username: naiden
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication attempt failedjavax.security.auth.login.LoginException:
Java code is:
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
import java.util.Hashtable;

/**
 * Demonstrates how to create an initial context to an LDAP server
 * using "GSSAPI" SASL authentication (Kerberos v5).
 * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
 * compliant implementation of J-GSS and a Kerberos v5 implementation.
 * Jaas.conf
 * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
 * 'qop' is a comma separated list of tokens, each of which is one of
 * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
 */
class KerberosExample {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);
        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }
        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

// 3. Perform LDAP Action
/**
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("Administrator");

    public LDAPAction(String[] origArgs) {
        this.args = (String[]) origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);
            /* Get the attributes requested */
            Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
            NamingEnumeration enumUserInfo = aAnswer.getAll();
            while (enumUserInfo.hasMoreElements()) {
                System.out.println(enumUserInfo.nextElement().toString());
            }
            // Close the context when we're done
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
JAAS conf file is:
ISY {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
};
krb5.ini file is:
# Kerberos 5 Configuration File
# All available options are specified in the Kerberos System Administrator's Guide. Very
# few are used here.
# Determines which Kerberos realm a machine should be in, given its domain name. This is
# especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
# there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
# after a # symbol, the name of the server corresponding to each IP address.
[libdefaults]
    default_realm = ISY
[domain_realm]
    .isy.local = ISY
    isy.local = ISY
# Specifies all the server information for each realm.
#[realms]
ISY = {
    kdc = 192.168.0.101
    admin_server = 192.168.0.101
    default_domain = ISY
}
Now it works
I will try to explain how I did this:
step 1)
follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
and configure AD to use Kerberos and to have a Kerberos REALM
step 2) try a Windows login to the new realm to be sure that it works. ADD a trusted realm if needed.
step 3) create a jaas.conf file, for example in c:\
it looks like this:
ISY {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
};
step 4)
(don't forget to make the mappings which are explained in step 1) go to Active Directory Users, make sure from View to check Advanced Features, right click on the user, go to Mappings in the second tab, Kerberos mapping, add USERNAME@KERBEROSREALM, for example [email protected]
step 5)
copy+paste this code and HIT RUN :)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Main {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);
        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }
        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

// 3. Perform LDAP Action
/**
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("Administrator");

    public LDAPAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);
            /* Get the attributes requested */
            //Create the search controls
            SearchControls searchCtls = new SearchControls();
            //Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "mail"};
            searchCtls.setReturningAttributes(returnedAtts);
            //Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            //specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(mail=*))";
            //Specify the Base for the search
            String searchBase = "DC=isy,DC=local";
            //initialize counter to total the results
            int totalResults = 0;
            // Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
            //Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" surname: " + attrs.get("sn").get());
                        System.out.println(" firstname: " + attrs.get("givenName").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                    } catch (NullPointerException e) {
                        System.err.println("Error listing attributes: " + e);
                    }
                }
            }
            System.out.println("RABOTIII");
            System.out.println("Total results: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
It will ask for username and password
Type for example [email protected] for the username
and the password: TheSecretPassword,
where ISY.LOCAL is the name of the Kerberos realm.
P.S. It is not a good idea to use Administrator as the login :)
Edited by: JOKe on Sep 14, 2007 2:23 PM -
LDAP Error during provisioning a user to AD
Hi,
We are trying to provision a user to AD, but the create user task is failing. The status is "provisioning". We are getting the following error in the application logs. Please help us.
ERROR,19 Aug 2011 11:52:43,811,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772]; remaining name 'cn=nkumars6'
Thanks,
Pavan.
Hi,
We have provided the value for Organization while creating the user, but we are still getting the following errors.
1.ERROR,19 Aug 2011 15:37:52,396,[XELLERATE.WORKFLOW],Class/Method: tcPrepopulateUtility:setDataFromAdapter:
Adapter not compiled: PrePopulate Account Expiration Date encounter some problems: {1}
2.ERROR,19 Aug 2011 15:37:55,681,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772]; remaining name 'cn=shaba'
Thanks,
Pavan. -
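The error strings in this thread follow Active Directory's fixed layout: the LDAP result code from RFC 4511, a Win32 error in hex, a DSID, a comment, a "data" sub-status and a version. Decoding them consistently saves time when triaging connector failures, and matters for security on bind errors: for result code 49 the data field distinguishes "user not found" (525) from "bad password" (52e), "account disabled" (533), "locked out" (775) and so on, which is valuable in the server log and an account-enumeration oracle if it reaches the login page. The Python below is an added example, not part of the post or of any connector; the first sample line is the one posted above, the second is a constructed bind failure in the same format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LDAP result codes (RFC 4511) most often returned by Active Directory
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 19: "constraintViolation",
    21: "invalidAttributeSyntax", 32: "noSuchObject", 34: "invalidDNSyntax",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
    64: "namingViolation", 65: "objectClassViolation", 68: "entryAlreadyExists",
}

# AD sub-status carried in "data NNN" (hex) when the result code is 49
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad password)",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Win32 / SSPI codes AD places before "LdapErr"
WIN32_ERRORS = {0x5: "ERROR_ACCESS_DENIED", 0x57: "ERROR_INVALID_PARAMETER",
                0x80090308: "SEC_E_INVALID_TOKEN"}

_AD_ERROR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), "
    r"v(?P<ver>[0-9A-Fa-f]+)\]"
)


@dataclass
class AdLdapError:
    result_code: int
    result_name: str
    win32_error: int
    win32_name: Optional[str]
    dsid: str
    comment: str
    data: int
    data_meaning: Optional[str]
    remaining_name: Optional[str]

    def user_message(self) -> str:
        """What a caller may see: one generic text for every bind failure."""
        if self.result_code == 49:
            return "Invalid username or password"
        return f"Directory operation failed ({self.result_name})"

    def log_message(self) -> str:
        """Full detail for the server-side log, including the decoded sub-status."""
        parts = [f"ldap result {self.result_code} ({self.result_name})",
                 f"win32 0x{self.win32_error:08x}" + (f" {self.win32_name}" if self.win32_name else ""),
                 f"dsid {self.dsid}", f"comment '{self.comment}'", f"data 0x{self.data:x}"]
        if self.data_meaning:
            parts.append(f"({self.data_meaning})")
        if self.remaining_name:
            parts.append(f"remaining name '{self.remaining_name}'")
        return "; ".join(parts)


def parse_ad_error(text: str) -> Optional[AdLdapError]:
    """Extract and decode the AD error block from a log line or exception message."""
    m = _AD_ERROR.search(text)
    if not m:
        return None
    code, win32, data = int(m["code"]), int(m["win32"], 16), int(m["data"], 16)
    rn = re.search(r"remaining name '([^']*)'", text)
    return AdLdapError(
        result_code=code, result_name=LDAP_RESULT_CODES.get(code, "unknown"),
        win32_error=win32, win32_name=WIN32_ERRORS.get(win32),
        dsid=m["dsid"], comment=m["comment"], data=data,
        data_meaning=AD_BIND_SUBCODES.get(data) if code == 49 else None,
        remaining_name=rn.group(1) if rn else None,
    )


# Log line quoted in the post above (Oracle Identity Manager AD connector)
OIM_LINE = ("ERROR,19 Aug 2011 11:52:43,811,[XL_INTG.ACTIVEDIRECTORY],Problem creating object: "
            "javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: "
            "LdapErr: DSID-0C090C26, comment: Error in attribute conversion operation, data 0, v1772]; "
            "remaining name 'cn=nkumars6'")

# Constructed sample of a failed simple bind (wrong password) in AD's format
BIND_LINE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
             "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]")

if __name__ == "__main__":
    for line in (OIM_LINE, BIND_LINE):
        err = parse_ad_error(line)
        print("LOG :", err.log_message())
        print("USER:", err.user_message())
```

For the posted line this yields result 21 (invalidAttributeSyntax) with Win32 0x57 ERROR_INVALID_PARAMETER, which is AD's way of saying a value sent for some attribute of cn=nkumars6 does not fit that attribute's syntax; the line does not say which attribute, so the next step is to compare the connector's attribute mapping against the AD schema rather than the account data.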
Hi all,
We have a concern regarding the user source to be selected at UME level.
At CUP level you can also set the user source for user details.
Our questions here:
1) Is there any relationship between such user source configuration?
2) Which is the best practice here?
Many thanks in advance. Best regards,
Imanol
Imanol,
if you're setting up UME to use ActiveDirectory as a data source you can set the CUP data source to UME and get at the AD users from CUP.
While I would advise linking UME to AD usually (if you do that there's no need to create users and passwords for new approvers), I would still create an LDAP connector for AD directly in CUP.
Only the LDAP connector will allow you to use ALL ActiveDirectory fields for custom fields and/or provisioning extended data into your ERP systems (location, room, department etc.).
Frank. -
Buyer Account, Welcome mail with password & LDAP related query
Hi All
We are facing an issue with the LDAP configuration while creating Buy side users, please see below
If anyone of you could help, please provide your contact details or a solution to overcome this
Background
We have installed SAP E-Sourcing 5.1 On-premise.
We are currently doing the post installation configuration
- Imported the Out of the Box enterprise Deployment Workbook (We have not modified the contents of the workbook)
- We have configured an SMTP mail host to send and receive all mails from the application
Query
Based on the enterprise Deployment Workbook, the system has created the following Directory configuration settings pointing to different LDAP system
DISPLAY_NAME EXTERNAL_ID
QA SunOne 5.2 – Buyside dir.qa.sun.bs
QA SunOne 5.2 – Sellside dir.qa.sun.ss
QA ActiveDirectory 2003 – Buyside dir.qa.ms.bs
QA ActiveDirectory 2003 – Sellside dir.qa.ms.ss
QA Oracle 9.0.2 – Buyside dir.qa.ora.bs
QA Oracle 9.0.2 – Sellside dir.qa.ora.ss
When we are creating the Buyside users (if we use the check box "Create Directory account"), we are getting a communication error.
If we uncheck it, it creates the account but the system does not generate the welcome mail. We understand that the welcome mail has the system-generated password to log on to the application as the Buyer.
We are also not able to create the local users, as the password.properties template isn't available in the downloaded software, and we don't know the format that's expected by the system.
Please let us know if there is an alternate way to get the password even without using LDAP or local directories.
In case LDAP or creation of a local directory is the key, then please let us know what's happening incorrectly in our case.
This has become a show stopper for us going any forward.
Request your help ASAP
Regards
Tridip
Hi All
I had the same problem when I tried doing the email set-up.
I finally realised that you need to do the configuration steps for SMTP as both the enterprise user and the system user. If you have done this setting only as the system user, the mails will be in "Awaiting retry".
Do this and the mails will start flowing, in case your SMTP mail server is working fine.
Please do the following settings logged in as System User and Enterprise User
System Properties -> search for "messaging"
Set - Property - Value - Context
messaging - messaging.smtp.mailhost - replace the default with your value - System Context
messaging - messaging.smtp.port - 25 - System Context
Also please let me know what is the status of the messages in your Queued Messages
This should work
Do let me know, if it does
Regards
Tridip
Edited by: Tridip Chakraborthy on May 27, 2009 11:57 AM
Edited by: Tridip Chakraborthy on May 27, 2009 12:02 PM
Edited by: Tridip Chakraborthy on May 27, 2009 12:02 PM -
Radius or LDAP (not Oracle LDAP) authentication for GridControl
I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
I see that if I create a new GC user via Enterprise Manager, a new database account is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
Questions for all:
Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?
Quoting: "All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece"
Amen.
Right now, I've got an SR open on the radius authentication issue in GC. It took me two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
The other option, which I haven't yet given up on, would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI JDBC (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controlled by the sqlnet.ora file. I've got Java code using those just fine. If only I could hack EM to use them.
In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
I'll keep the thread updated if I see results from our SR.