Multiple LDAP realms?
It is possible if you develop your own custom realm :)
Regards
Rob
"Prashant Nayak" <[email protected]> wrote in message
news:[email protected]..
> Hello:
> Wondering if it is possible to use Weblogic in conjunction with more than one LDAP
> server for authentication?
> Thanks in advance.
> Prashant
Similar Messages
-
Multiple LDAP Servers in Fusion Middleware (OBIEE 11g)
Hello,
I have a question regarding integration of multiple LDAP servers with a single Weblogic Server of Fusion Middleware (OBIEE 11g). We are currently using OBIEE 10g. We are on the verge of migrating to 11g. However, I have a question regarding the LDAP server.
Our two applications run on two distinct LDAP servers. The plan is to provide a single sign-on link for OBIEE 11g reports to the end users and, depending on which application they are using, they must be authenticated against the respective LDAP server.
So, my question: is it possible to integrate two different LDAP servers in the Weblogic of Fusion Middleware (OBIEE 11g)? If so, what would be the steps? Any helpful document will also be appreciated.
Thank you,
Chandu.
Yes, you can configure multiple authentication providers one by one as you generally do.
When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console.
REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
refer - http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html
Regards
Mukesh Negi
http://weblogicserveradministration.blogspot.in/
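Added example, not code from this thread or from WebLogic: a Python model of the login sequence that applies the four JAAS Control Flag rules quoted above to a chain of providers, using constructed stand-in directories. It also shows the common mistake of leaving the DefaultAuthenticator at REQUIRED when LDAP providers are added, and what happens when the same login name exists in two SUFFICIENT LDAP providers (the case raised further down in "Multiple LDAPS with same username!").

```python
"""Model of a WebLogic login sequence over several Authentication providers,
applying the JAAS Control Flag rules.  Added example, not WebLogic code: each
provider is a constructed stand-in for an LDAP bind."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: Flag
    authenticate: Callable[[str, str], bool]  # True when the bind succeeds


def directory(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for a directory: a {username: password} table."""
    return lambda user, password: users.get(user) == password


def run_login_sequence(providers: List[Provider], user: str,
                       password: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Walk the providers in order and return (authenticated, trace).

    trace records (provider name, result) for every provider that was
    actually called, so you can see where the sequence stopped.  Rules:
      REQUIRED   must succeed; the sequence always continues.
      REQUISITE  must succeed; on failure the sequence stops at once.
      SUFFICIENT success ends the sequence with an overall success, unless
                 an earlier REQUIRED/REQUISITE provider already failed;
                 failure just moves on to the next provider.
      OPTIONAL   counts only when no REQUIRED/REQUISITE provider exists.
    """
    trace: List[Tuple[str, bool]] = []
    has_mandatory = False      # any REQUIRED/REQUISITE in the chain
    mandatory_failed = False   # one of them rejected the credentials
    optional_passed = False    # some OPTIONAL/SUFFICIENT provider accepted
    for p in providers:
        ok = p.authenticate(user, password)
        trace.append((p.name, ok))
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_mandatory = True
            if not ok:
                mandatory_failed = True
                if p.flag is Flag.REQUISITE:
                    break           # REQUISITE failure: stop immediately
        elif ok:
            optional_passed = True
            if p.flag is Flag.SUFFICIENT and not mandatory_failed:
                return True, trace  # SUFFICIENT success: skip the rest
    if has_mandatory:
        return not mandatory_failed, trace
    return optional_passed, trace


# Constructed directories: the embedded DefaultAuthenticator plus two LDAP
# servers, with one login name ("alice") present in both LDAP directories
# under different passwords.
EMBEDDED = directory({"weblogic": "welcome1"})
LDAP_A = directory({"alice": "alice-ldap-a"})
LDAP_B = directory({"bob": "bob-ldap-b", "alice": "alice-ldap-b"})

# Common misconfiguration: DefaultAuthenticator left at REQUIRED when the
# LDAP providers are added, so every user must also pass the embedded store
# and LDAP-only users are rejected even though an LDAP provider accepted them.
MISCONFIGURED = [
    Provider("DefaultAuthenticator", Flag.REQUIRED, EMBEDDED),
    Provider("LDAP_A", Flag.SUFFICIENT, LDAP_A),
    Provider("LDAP_B", Flag.SUFFICIENT, LDAP_B),
]

# Corrected chain: every provider SUFFICIENT, so the first directory that
# accepts the credentials ends the sequence and later providers are skipped.
CORRECTED = [
    Provider("DefaultAuthenticator", Flag.SUFFICIENT, EMBEDDED),
    Provider("LDAP_A", Flag.SUFFICIENT, LDAP_A),
    Provider("LDAP_B", Flag.SUFFICIENT, LDAP_B),
]

if __name__ == "__main__":
    for label, chain in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        ok, trace = run_login_sequence(chain, "alice", "alice-ldap-a")
        print(f"{label}: alice -> {ok} via {trace}")
```

With the corrected chain, "alice" is accepted with either directory's password, which is the ambiguity a shared login name across two SUFFICIENT providers creates.
-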
Multiple LDAP Servers and Attribute-Based Data Partitioning
Hello
We currently want to implement the following scenario on Netweaver 2004s. From the
following SAP Help documentation we want attribute-based data partitioning:
http://help.sap.com/saphelp_nw70/helpdata/EN/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
The difference to the SAP document is that we want a distribution of attributes over
multiple LDAP servers. So we tried to fit that concept into XML; see the attached XML source.
The Portal finds both LDAP systems, but the users are NOT being merged;
they appear as two distinct users in the portal UME. If you do a lookup in the portal
user management system you see two users.
User1: unique ID = USER.Datasource1.uid
User2: unique ID = USER.Datasource2.uid
Obviously the UME system was not able to merge the information from the two distinct
LDAP systems, MSADS and Lotus Notes.
Hence my questions:
1) Is it possible to distribute attributes over multiple LDAP data sources?
2) Any ideas why UME constructs two different users based on the Datasource IDs specified in the XML?
Thanks for any contributions or ideas,
Ulrich Scherb
<?xml version="1.0" encoding="UTF-8"?>
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="NOTES_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="email"/>
<attribute name="uniquename" populateInitially="true"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="uid"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="uid"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_name>ldap1</ume.ldap.access.server_name>
<ume.ldap.access.server_port>389</ume.ldap.access.server_port>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.user>xxxxx</ume.ldap.access.user>
<ume.ldap.access.password>xxxxx</ume.ldap.access.password>
<ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
<ume.ldap.record_access>TRUE</ume.ldap.record_access>
<ume.ldap.unique_uacc_attribute>uid</ume.ldap.unique_uacc_attribute>
<ume.ldap.unique_user_attribute>uid</ume.ldap.unique_user_attribute>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>person</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>person</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>uid</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>uid</ume.ldap.access.auxiliary_naming_attribute.uacc>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user"/>
<attribute name="logonalias"/>
<attribute name="j_password"/>
<attribute name="userid"/>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal"/>
<attribute name="realm"/>
<attribute name="domain"/>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER"/>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn"/>
</nameSpace>
</principal>
</responsibleFor>
<attributeMapping>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.authentication">
<attribute name="principal">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="realm">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="domain">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="*null*"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="$usermapping$">
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</nameSpace>
</principal>
<principal type="group">
<nameSpace name="com.sap.security.core.usermanagement">
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="cn"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="member"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="memberof"/>
</attribute>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attribute name="dn">
<physicalAttribute name="*null*"/>
</attribute>
</nameSpace>
</principal>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_name>ldap2</ume.ldap.access.server_name>
<ume.ldap.access.server_port>389</ume.ldap.access.server_port>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.user>yyyyy</ume.ldap.access.user>
<ume.ldap.access.password>yyyyy</ume.ldap.access.password>
<ume.ldap.access.base_path.user>O=SMT_TEST</ume.ldap.access.base_path.user>
<ume.ldap.access.base_path.grup>O=SMT_TEST</ume.ldap.access.base_path.grup>
<ume.ldap.record_access>TRUE</ume.ldap.record_access>
<ume.ldap.unique_uacc_attribute>samaccountname</ume.ldap.unique_uacc_attribute>
<ume.ldap.unique_user_attribute>samaccountname</ume.ldap.unique_user_attribute>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
</dataSource>
</dataSources>
Hi Ulrich,
Hope your problem is resolved. We are using EP7 and SP18. We are doing some study on your first issue, i.e. distributing user attributes across multiple LDAPs. Can you please let me know the feasibility? If yes, what are all the steps I have to follow? Expecting your valuable answer. Thanks in advance!
Regards,
Kabali -
Unable to access Admin Tools for portal after configuring LDAP realm
After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and password "password". I've created the SystemAdministrator Group in LDAP as well as the appropriate "administrator" user but it still does not let me access the Administration Tools.
This thread is being discussed in the weblogic.developer.interest.portal
newsgroup under the same title. You can cross-post to multiple groups in
the future so that the thread develops in all newsgroups that you posted to.
"Wendy Kajiyama" <[email protected]> wrote in message
news:[email protected]..
> After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and
> password "password". I've created the SystemAdministrator Group in LDAP as
> well as the appropriate "administrator" user but it still does not let me
> access the Administration Tools. -
Error while creating multiple identity realms
Hi,
I am trying the tutorial for creating multiple identity realms posted on
http://www.oracle.com/technology/obe/obe_as_10g/im/realm_mng/realm.htm
While executing "STEP 12" to enter the following values:
-User Search Base,
-User Creation Base,
-Group Search Base,
-Group Creation Base
I get the following error:
Identity Management Realm Modification Error!
Cannot Modify Identity Management Realm : [LDAP: error code 20 - Attribute Or Value Exists]
For some reason this step just doesn't seem to work. I am using OCS 10.1.1 on Solaris 10.
Can anyone please help me resolve this issue.
Thanks.
Hi. It is a "feature" of SRM.
I asked SAP about it and did not get a good response.
If you enter Asset A, it will copy the internal order number from that asset into the cart. You can not see the internal order in the web, but you can see it in BBP_PD.
If you then change the asset to asset B, it will not refresh the internal order number.
This means you get internal order A on asset B.
It happens any time you change asset number, so if you copy a line then change you will get this problem.
We ended up using the BBP_DOC_CHANGE_BADI to RFC into R/3 and update the internal order number.
Regards,
Dave. -
Multiple LDAP servers on single System
hi,
Would like to know if it's a good idea to have multiple LDAP servers running on a single System (Hardware) ..
100,000 user base
We would like to run the old and new LDAP databases on the same server till we phase out the old LDAP database after migrating all applications..
System:
2 x V880 4CPU 8GB RAM --multi-master configuration
4 x V420R 4CPU 8GB RAM -- read only replicas
Shouldn't be an issue - that's not a particularly large user base and that's some hefty HW. Keep in mind though that they will be on different ports, so any software you migrate may eventually need tweaking to the default port when the new one takes over.
-
Multiple LDAPS with same username!
Hi,
We have a case where we need to connect to multiple LDAP servers and configure SPNego for Kerberos authentication of the portal. We have a problem with user names: some user names are the same in both LDAPs. The LDAPs and portal are positioned as follows (landscape convention):
LDAP1: xxxx.yyyy
LDAP2: ssss.yyyy
Portal : pppp.gggg.yyyy
whereas gggg.yyyy is a trusted domain for both xxxx.yyyy and ssss.yyyy.
We have a login problem in the same-user case (the same user exists in xxxx.yyyy and ssss.yyyy). I haven't gone into details yet, like logs and all the troubleshooting stuff. Before doing all this I just want to know your views on whether I can do this or not. If I can, any suggestions on how to proceed further?
Regards
Ravindra
Hi,
Kerberos (SPNego) is possible with multiple ADS data sources. Check SAP Note 1007227 and the below link.
http://help.sap.com/saphelp_nw70/helpdata/en/45/40a320773a7527e10000000a114a6b/content.htm
Regards
Deb -
Multiple LDAPs with SSO Kerberos
Hello,
Right now I'm using SAP EP 7.0 EHP1 with one LDAP and everything is working fine. However, I have to integrate two new enterprises into the same SAP EP with different domains and different LDAPs. I see some information about how to integrate the LDAPs, but I want to know what is going to happen with the SSO configuration. How can I enable the same SSO functionality for the new enterprises with multiple LDAPs?
Please, any ideas? Maybe someone has information about this topic.
Hi,
Kerberos (SPNego) is possible with multiple ADS data sources. Check SAP Note 1007227 and the below link.
http://help.sap.com/saphelp_nw70/helpdata/en/45/40a320773a7527e10000000a114a6b/content.htm
Regards
Deb -
Multiple LDAP Providers?
Is it possible to have multiple LDAP providers configured within one UCM instance?
Users from A.DOMAIN.COM and users from B.DOMAIN.COM can authenticate with and share one UCM? This is of course not taking into consideration how security would be set up behind the scenes.. this is more of a 'what if...' question. We would want the users authenticating against their domain accounts in their respective domains.
If it makes any difference, A & B are Active Directory domains in a two-way trusted relationship that belong to the common DOMAIN.COM forest.
Thanks
Hey Peter,
This use case can be handled. If you notice in the documentation for security
[Seen Here|http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/admin/users_security/wwhelp/wwhimpl/common/html/wwhelp.htm?context=managing_security_10&file=page_7_17.htm]
you can set up additional LDAP providers. In this documentation they are referencing fail-over; however, this will work for your case, with various users in LDAP B vs LDAP A.
Keep in mind that you need to set the provider priority to be different from your first provider, such as priority 1, then priority 2, and that all users will hit the first provider first if they have never logged in; however, their last successful login with provider X will be saved, so all subsequent requests will go to the proper LDAP provider.
-AJ LaVenture
Software Consultant
www.fishbowlsolutions.com -
LDAP Authentication Scheme - Multiple LDAP Servers?
How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
-
Problem configure Ldap realm with multi master Ldap server
I have a multimaster Directory Server (Ldap) eg: LdapMaster01 & LdapMaster02.
I configured the realm Ldap:
realm= myLdapRealm
class name =com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
jaas-context = myLdapRealm
directory = ldap://LdapMaster01:389
base-dn = ou=my_APP, ou=Applications, dc=devinc, dc=com
search-bind-dn = cn=Directory Manager
search-bind-password = 99999999
So how can I configure the realm to automatically switch to LdapMaster02 when LdapMaster01 is not up?
Thanks in advance
Probably you need an external intelligent loadbalancer unit that receives all requests for a DNS name like 'LdapMaster' and reroutes the traffic to LdapMaster01 or LdapMaster02.
If one LdapMaster is not available then the loadbalancer is responsible for routing all requests only to the available server.
Thank you very much. :)
I found another post on the internet about this, and yes, probably the only way is a loadbalancer.
Another way is to write a custom realm implementation that receives the server list and tries to connect until an available server is found. -
I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal(kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file weblogic.allow.execute.weblogic.servlet.helloWorld=\ kevink, cambridge
I have also created the LDAPRealm.properties file in my weblogic home directory.
When I start weblogic with the LDAP debug mode on, I get the following messages
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - i noring principal
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non- existent principal "cambridge" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
Any ideas to solve this problem are welcome
Ram
Yep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
in the weblogic console, under the Security->Groups tab on the frame to the left.
Keep in mind that you will not see users from your LDAP server under the Security->Users
tab. This is expected behavior. But if you see the groups, then you've most likely hooked
up the LDAP realm the right way ...
Joe Jerry
Vishwanath Kumar wrote:
Hello Kumar,
I am attaching a small portion of config.xml which contains LDAP settings . Please change
this according to your LDAP server configuration and test it . I hope this should help
you out.
You also need to create a caching realm and then hook up that caching realm to this LDAP
realm .
For more information this URL should be helpful:
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
here is portion of config.xml
<LDAPRealm AuthProtocol="simple" Credential="dropdead"
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://mmanson:389"
Name="defaultLDAPRealmForNetscapeDirectoryServer"
Notes="This is provided as an example. Before enabling this Realm, you must edit
the configuration parameters as appropriate for your environment."
Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
kumar wrote:
Hi,
I have tried to configure LDAP realm in weblogic, but I think it is not configured
correctly. And I don't know how to test it. Can anybody send me the sample config.xml
having LDAP realm configured correctly. Please send me a sample program to access
LDAP realm via weblogic.
Thx
--
Vishwanath Kumar
Developer Relations Engineer
BEA Systems, Inc. -
I'm running WLS6.0 SP2 and I'm trying to set up an LDAP realm to talk to an openldap
server. I'm on Win2k and have it installed as a service.
I can connect to the server via a ldap browser, and I have a user in the ldap
tree with a clear text password.
I created a LDAP realm but I can't find where to configure WebLogic to use that
LDAP realm for authentication.
thanks
joe
I guess they don't use the LDAP Realm in Weblogic; you should create your custom
realm that accesses AD and returns user/group enumerations, ACLs, etc...
I'm able to access AD using jdk1.4, and I have my custom realm; the only
problem is WL uses jdk1.3 (+JAAS) and I couldn't connect to AD with the old JAAS,
because it didn't support Kerberos authentication. A more complete JAAS is included
in jdk1.4.
Regards,
Marc
"Roy Cornell" <[email protected]> wrote:
Great news, Scott. I hope you don't mind answering the three questions
below:
1. Which LDAP realm ***version*** did you use : V1 or V2?
2. Which LDAP realm type did you specify during the configuration: "MS
Site
Server" or other ?
3. Did you encounter any problems during the integration?
Thanks a lot.
Roy
"Scott Harger" <[email protected]> wrote in message
news:3b794a7c$[email protected]..
We have been able to get the LDAP realm (6.0 SP1) to work with Active
Directory.
Scott
"Roy Cornell" <[email protected]> wrote in message
news:3b72eb32$[email protected]..
I've got the same question (posted it yesterday). Please, Please,
Please,
could somebody reply.
"Andrew Wallace" <[email protected]> wrote in message
news:3b72ce38$[email protected]..
Somehow my last message got truncated. Here's the full deal:
We're trying to set up an LDAP realm in a Microsoft-centric environment
(Windows 2000). All the documentation from BEA that I've found talks
about MS Site Server, which, as near as I can find, is not an LDAP server.
So - can I use MS Active Directory on Win2k? Is it functionally the same
thing? Does the MS template in LDAP Realm V2 support it? Does anyone
have success or horror stories about using AD?
thanks,
andy -
LDAP realm with Active Directory
Hello,
In the Sun ONE app server admin console I have set the security realm to LDAP.
I have set up security roles in my web.xml such as this:
<security-role>
<description>This role represents administrators of the system, see actor administrators</description>
<role-name>administrators</role-name>
</security-role>
..and mapped the roles to groups in sun-application as follows:
<security-role-mapping>
<role-name>administrators</role-name>
<group-name>CMS_PM</group-name>
<principal-name>rlancett</principal-name>
</security-role-mapping>
My user and group information is stored in Active Directory, so I have tried to configure the LDAP realm in the admin console to get it working. These are the settings I have put in:
directory: ldap://earth.tier2consulting.com:389
base-dn: cn=Users,dc=tier2consulting,dc=com
jaas-context: ldapRealm
search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
search-bind-password: ******
search-filter: sAMAccountName=%s
I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
WARNING: va:850)
FINEST: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [administrator].
I am pretty stuck on this having looked around all the forums:
Has anyone got Sun ONE app server using Active Directory to get user/group information for security roles?
Thanks.
Howdy,
I don't have a solution to your problem, but maybe this tid-bit will help in debugging Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
The error message you get back from the directory contains an error code in hexadecimal:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexadecimal is:
System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
Okay, hope this helps somebody.
Now it's up to you to find out why it can't find the administrator!
Craig
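Added example, not from Craig's post: a small Python decoder for the AD "data" sub-code, extended from the single 525 case above to the other documented AcceptSecurityContext sub-codes, and run over constructed log lines in the format quoted in this thread. The sub-code describes the DN that attempted the bind; in the quoted log that is the search-bind-dn account, which matches the audit line naming [administrator].

```python
"""Decode the "data NNN" sub-code that Active Directory appends to an LDAP
result 49 (invalidCredentials) bind failure.  Added example, not code from the
original post; the log lines at the bottom are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# AcceptSecurityContext sub-codes AD reports after "data".  The value is in
# hex and maps onto a Win32 system error code (0x525 == 1317 decimal).
AD_BIND_SUBCODES: Dict[int, str] = {
    0x525: "ERROR_NO_SUCH_USER: the specified user does not exist",
    0x52E: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    0x530: "ERROR_INVALID_LOGON_HOURS: not permitted to log on at this time",
    0x531: "ERROR_INVALID_WORKSTATION: not permitted to log on from this computer",
    0x532: "ERROR_PASSWORD_EXPIRED: password has expired",
    0x533: "ERROR_ACCOUNT_DISABLED: account is disabled",
    0x701: "ERROR_ACCOUNT_EXPIRED: account has expired",
    0x773: "ERROR_PASSWORD_MUST_CHANGE: user must change password at next logon",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT: account is locked out",
}

# Only result code 49 carries this sub-code; other LDAP errors are ignored.
_SUBCODE_RE = re.compile(
    r"LDAP: error code 49 - .*?AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def decode_ad_bind_error(message: str) -> Optional[Dict[str, object]]:
    """Return {'hex', 'decimal', 'meaning'} for an AD bind failure, or None
    when the message is not an AD result-49 error with a data sub-code."""
    m = _SUBCODE_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)  # the sub-code is hexadecimal, as in the post
    return {
        "hex": m.group(1).lower(),
        "decimal": code,
        "meaning": AD_BIND_SUBCODES.get(code, "unknown AcceptSecurityContext sub-code"),
    }


def summarise_bind_failures(log_lines: List[str]) -> Counter:
    """Count decoded failure reasons across a batch of log lines.  Lockouts
    (775) and disabled accounts (533) are worth an alert on their own; a burst
    of 52e across many different users is the usual password-spray signal."""
    counts: Counter = Counter()
    for line in log_lines:
        decoded = decode_ad_bind_error(line)
        if decoded:
            counts[decoded["hex"]] += 1
    return counts


# Constructed sample lines in the format quoted in the thread.
SAMPLE_LOG = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893",
    "INFO: SEC5046: Audit: Authentication refused for [administrator].",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode_ad_bind_error(line))
    print(summarise_bind_failures(SAMPLE_LOG))
```
-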
Cisco ACS 5.2 authentication against multiple LDAP servers
Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?
Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).