Multiple LDAPs with SSO Kerberos

Hello,
Right now I'm using SAP EP 7.0 EHP1 with one LDAP and everything is working fine. However, I have to integrate two new enterprises to the same SAP EP with different domains and differents LDAP's. I see some information about how to integrate the LDAP's but I want to know what is going to happend with the SSO configuration. How can I enable the same SSO functionality to the new enterprises with multiple LDAP's?
Please, any ideas? Maybe someone have information about this topic

Hi,
Kerberose (Spnego) is possible with multiple ADS data sources. Check SAP Note 1007227 and the below link.
http://help.sap.com/saphelp_nw70/helpdata/en/45/40a320773a7527e10000000a114a6b/content.htm
Regards
Deb

Similar Messages

  • Multiple LDAPS with same username!

    Hi,
    we have a case where we need to connect to multiple LDAP servers and configure SPNego for Kerberos authentication of portal. we have a problem in case of user names. some user names are same in both LDAPs. LDAPs are portal are positioned as (Landscape convension)
    LDAP1: xxxx.yyyy
    LDAP2: ssss.yyyy
    Portal  : pppp.gggg.yyyy
    where as gggg.yyyy is a trusted domain for both xxxx.yyyy and ssss.yyyy.
    we have login problem in same user case. (same user exist in xxxx.yyyy and ssss.yyyy). I haven't gone into details yet like logs and all troubleshooting stuff. Before doing all this just want to know your views whether I can do this or not. If I can achieve any suggentions how to proceed further?
    Regards
    Ravindra

    Hi,
    Kerberose (Spnego) is possible with multiple ADS data sources. Check SAP Note 1007227 and the below link.
    http://help.sap.com/saphelp_nw70/helpdata/en/45/40a320773a7527e10000000a114a6b/content.htm
    Regards
    Deb

  • How i get user info from ldap using java after authenticating user with SSO

    Hi
    I have one jsp/bean application as a partner application with SSO.
    It works fine.
    Now i need to get other attributes of user from LDAP who has logged into the application through SSO.
    using SSO java APIs i only get username, userDN, subscriber info.
    To get user's other attribute i have to user LDAP APIs for that i have to create on Directory Context, for the same i need userpassword.
    so here i my question, how do i get user password after he has logged in thro SSO.
    regards..
    and thanking u in advance
    samir

    Valentina,
    there's no way to get the password value from the directory (it's one way). Of course you can get the hashed (MD4,MD5,SHA-1) base64 encoded value (i.e. the value you see in OiD) but not the 'password'.
    --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

  • How to configure ldap.ora with multiple ldap contexts

    Hello.
    My company has recently taken on another environment with it's own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both ldap configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default context)? Or is there a smooth way to populate 1 LDAP with the others data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
    Some basic info: LDAP is Oracle OID version 10gR2
    Please let me know if you have any useful ideas...

    Hi,
    Here is the of OVD benefits :
    1-Easy to setup and manage via our Management client; 2-Unifies multiple directories into a single access point; 3-Normalize and Unify multiple directories; 4-Directly accesses remote repositories;
    5-Allows a unified view of an entry using data from multiple repositories;6-Can act as an LDAP proxy and firewall;
    Why you can not use OVD to improve these? Read, LDAP to the other LDAP server for queries, allowing you to search both LDAP?
    I hope this helps.
    Thiago L Guimaraes

  • Integrating BIP with multiple LDAP servers

    Hi,
    my question is very simple. In Admin->Security Configuration->Security Model section i've setted Security model combobox with LDAP value. Then i've filled all LDAP information field (for example:URL). All works. But in my rpd i 've multiple LDAP servers (multiple URL) and in the form i can insert information about only one LDAP server.
    Is it possible configure BIP with multiple LDAP servers?
    Thanks
    Giancarlo
    P.S. I'm using OBIEE 10g

    Hi,
    my question is very simple. In Admin->Security Configuration->Security Model section i've setted Security model combobox with LDAP value. Then i've filled all LDAP information field (for example:URL). All works. But in my rpd i 've multiple LDAP servers (multiple URL) and in the form i can insert information about only one LDAP server.
    Is it possible configure BIP with multiple LDAP servers?
    Thanks
    Giancarlo
    P.S. I'm using OBIEE 10g

  • Multiple LDAP data sources in EP7.0 SP14

    Hello,
    I am new to a site that uses portal and SSO between portal and AD LDAP. The portal version is EP7.0 SP14. The datasource is configured with 'datasourceConfiguration_ads_readonly_db_with_krb5.xml'. User path is OU=Users,OU=Finance,DC=io,DC=network and Group Path is  OU=Groups,OU=Finance,DC=io,DC=network. The flag to use the Unique ID is also set to 'samaccountname'. The problem is that we also have users in OU=Admins,OU=Finance,DC=io,DC=network and OU=Managers,OU=Finance,DC=io,DC=network in the same AD LDAP that are not visible to the portal but we would like them to be?
    It did appear to work if I changed the User Path to OU=Finance,DC=io,DC=network but I can not find any SAP document that supports doing this?
    I have seen the document 'Configure multiple LDAP data sources for the UME' with the following link https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e1959b90-0201-0010-849c-d2b1d574768b however this specifies EP6 so I'm not sure if it is still relevant?
    Also somebody did warn me with "If you change the xml file it will remove all current user mappings to the portal, all the groups mapped to roles will be lost and you will have to set them up again". Is this true?
    Am I supposed to be using the SPNego Wizard as described in SAP Note 994791?
    And possibly the following links for configuring and testing the SPNego...
    Configuring and troubleshooting SPNego -- Part 1
    Configuring and troubleshooting SPNego -- Part 2
    Any guidance towards the best approach to solve our problem would be greatly appreciated.
    Thanks,
    Dave

    Hi Dave,
    It did appear to work if I changed the User Path to OU=Finance,DC=io,DC=network but I can not find any SAP document that supports doing this?
    OK, I am not an LDAP expert, but if you just want to change your entry point in the structure, I do not see how this would be a problem. I do not know what kind of statement you would expect in the SAP documentation allowing this. Maybe this will answer your question: [Organization of Users and Groups in LDAP Directory|http://help.sap.com/saphelp_nw04s/helpdata/en/09/c5ee407552742ae10000000a155106/frameset.htm]
    I have seen the document 'Configure multiple LDAP data sources for the UME' with the following ... however this specifies EP6 so I'm not sure if it is still relevant?
    This function has not changed much since EP6, only the administration tools.
    Also somebody did warn me with "If you change the xml file it will remove all current user mappings to the portal, all the groups mapped to roles will be lost and you will have to set them up again". Is this true?
    It depends on how you change the XML file, but it does not sound like you need to do this, just the configuration of the connection to the LDAP, that is, higher in the structure.
    Am I supposed to be using the SPNego Wizard as described in SAP Note 994791?
    Only if you want to use SPNego for SSO.
    -Michael

  • Cannot deploy BPEL process with SSO to BPELConsole activated

    I cannot deploy BPEL process with SSO to BPELConsole activated. Here is the error I get from JDeveloper (sorry for the french error message):
    Problème détecté lors de la connexion au serveur "ssdvoiagu.dev.local.csst.qc.ca" sur le port "7781" : java.security.AccessControlException: access denied (com.collaxa.security.DomainPermission generique read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
    at java.security.AccessController.checkPermission(AccessController.java:427)
    at com.collaxa.security.OC4JSecurityService.checkAccess(OC4JSecurityService.java:16)
    at com.collaxa.security.SecurityService.checkDomainAccess(SecurityService.java:26)
    at com.collaxa.cube.fe.util.ServletUtils.getLocatorWithoutUrlRewrite(ServletUtils.java:162)
    at deployHttpClientProcess.jspService(_deployHttpClientProcess.java:332)
    at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
    at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:462)
    at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:594)
    at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:518)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
    at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    Target BPEL process manager runs under SOA 10.1.3.3. When the SSO to BPELConsole is disabled, the deployment works just fine. Is there any way to make it work with SSO?

    Please check:
    http://blog.jpoot.com/category/oracle-appserver/oid-ldap/
    We had some issues with SSO and SSL but everything is running now.
    Marc

  • Multiple LDAP Providers?

    Is it possible to have multiple LDAP providers configured within one UCM instance?
    Users from A.DOMAIN.COM and users from B.DOMAIN.COM can authenticate with and share one UCM? This is of course not taking into consideration how security would be set up behind the scenes.. this is more of a 'what if...' question. We would want the users authenticating against their domain accounts in their respective domains.
    If it makes any difference, A & B are Active Directory domains in a two-way trusted relationship that belong to the common DOMAIN.COM forest.
    Thanks

    Hey Peter,
    This use case can be handled. If you notice in the documentation for security
    [Seen Here|http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/admin/users_security/wwhelp/wwhimpl/common/html/wwhelp.htm?context=managing_security_10&file=page_7_17.htm]
    You can set up additional LDAP providers. In this documentation, they are referencing fail-over, however, this will work for your case, with various users are in LDAP B vs LDAP A.
    Keep in mind that you need to set the provider priority to be different than your first provider, such as priority 1, then priority 2 and that all users will hit the first provider first if they have never logged in, however, their last success log in with X provider will be saved so all subsequent requests will go to the proper ldap provider.
    -AJ LaVenture
    Software Consultant
    www.fishbowlsolutions.com

  • Multiple LDAP Servers in Fusion Middleware (OBIEE 11g)

    Hello,
    I have a question, regarding integration of multiple LDAP servers with single Weblogic Server of Fusion Middleware (OBIEE 11g). We are currently using OBIEE 10g. We are on verge of migrating to 11g. However, I have a question regarding the LDAP server.
    Our two applications run on two distinct LDAP servers. The plan is to provide a single sign on link for OBIEE 11g reports to the end users and depending on what application they are using, they must be authenticated against the respective LDAP server.
    So, my question, is it possible to Integrate two different LDAP servers in the Weblogic of Fusion Middleware (OBIEE 11g). If so, what would be the steps. Any helpful document will also be appreciated.
    Thank you,
    Chandu.

    Yes, you can configure multiple authentication providers one by one as you generally do.
    When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console.
    REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
    REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
    SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
    OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
    refer - http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html
    Regards
    Mukesh Negi
    http://weblogicserveradministration.blogspot.in/

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

  • Integrating BI Publisher 10.1.3.2 with SSO

    We have one OID/SSO server, one j2ee (10.1.2.0.2)/Portal server. We had xmlpublisher 5.6.2 deployed on the j2ee server. We installed J2ee (10.1.3.1) on a separate home and deployed BI Publisher. BIP works well standalone without any problems. We are having problems integrating BIP with SSO (10.1.4). The single sign on page comes up but after logging in, the Admin/Scheduler/Reports tabs won't show up. It will just have the Search Box displayed on the left side and nothing else. The security has been configured with LDAP and believe all the parameters have been entered correctly. If anybody has seen this error before or if there is any straightforward documentation on integrating BIP with SSO, please let me know. I greatly appreciate the help.
    Thanks.
    Satish...

    Check you settings in the
    xmlp-server-config.xml
    specifically the setting related to LDAP. Also make sure you have the roles defined and users added to these roles. The steps for this are in the XML Pub users guide Chapter 5. If you need further help contact me via email at [email protected]
    Of course I am assuming you mean Oracle SSO and not another flavor of SSO.

  • Configuring Multiple LDAP Domains

    I am having trouble configuring multiple ldap domains for declarative security and form-based authentication.
    I have setup another instance of Directory Server on my local machine, on a different port. I want to be able to talk to this alternate directory server for form-based authentication and roles.
    I have tried to do this by following the instructions at http://docs.iplanet.com/docs/manuals/ias/60/sp3/admin/adbasica.htm#21662, but I've had no luck. Below are screenshots of my configuration. (I've attached a word document in case you don't have a HTML-enabled mail reader).

    My screenshots were wrong in the e-mail below, but correct in the attached word doc.
    ----- Original Message -----
    From: Matt Raible
    Newsgroups: iplanet.ias.general
    Sent: Wednesday, August 22, 2001 7:05 AM
    Subject: Configuring Multiple LDAP Domains
    I am having trouble configuring multiple ldap domains for declarative security and form-based authentication with iPlanet Application Server 6.0, SP3.
    I have setup another instance of Directory Server on my local machine, on a different port. I want to be able to talk to this alternate directory server for form-based authentication and roles.
    I have tried to do this by following the instructions at http://docs.iplanet.com/docs/manuals/ias/60/sp3/admin/adbasica.htm#21662, but I've had no luck. Below are screenshots of my configuration. (I've attached a word document in case you don't have a HTML-enabled mail reader).

  • Configuring Multiple LDAP Datasources in VDS

    Hi,
    I'm trying to configure multiple LDAP Datasources using VDS, one talking to AD and other to Novell eDir from VDS, my LDAP connection strings works well but when I start the service in VDS the service will never startup all I see is Exception null, it does not throw any exception at the same time it doesn't start up the service. I've tried configuring with signle Datasource which works fine. This is failing  when I combine those two datasources into one configuration. Have any configured multiple datasources with in VDS. Not sure if you have encountered any problems.
    Thanks,
    Joe.P

    Are you just trying to bring in two LDAP data sources or do a join between them? 
    Actually both I believe are considered types of joins.
    You cannot just define two datasources and expect them to show up.

  • OnAfterLogin redirect !!!BROKEN!!! with SSO turned on -- Second Attempt at Response

    I posted this earlier, but have gotten no response. Any help out there?With SSO turned on, the redirect returned from onAfterLogin does not process. It is ignored. This is a huge issue for us, as we have a "profiling" application that runs from the redirect returned from onAfterLogin. As of right now, in our SSO environment, this is broken.
    Please let me know if this is a know issue (hopefully with a fix), or if it's new to you.Thanks,Jason OdomCox Enterprises
    PTControls.prepareEventHandlers();
    PTControls_Inits[PTControls_Inits.length] = 'topExplorer = PTPanelSet.createFromTextarea(\'_topExplorer_ta\');topExplorer.draw();PTControls.registerMasterComponent(topExplorer);';
    document.PCC.RegisterForWindowEvent('onload', 'new Function(\'window.setTimeout(\\\'PTControls.init()\\\',10)\')');
    document.PCC.RegisterForEvent('urn:schemas.plumtree.com:jsxml', 'responseError', handleError);

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you wil have to go through TAC) in the next couple of weeks
    In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel

  • Is it possible to have multiple LDAP Sync from OIM 11g?

    I have a requirement to setup LDAP sync to a legacy iPlanet 5.2 LDAP server and that looks pretty straight forward. Now I'm planning to integration OAM with OIM. Our OAM is configured against OVD/AD (multiple domains), so that needs a LDAP sync to be cofigured against OVD/AD. I would like to know if multiple LDAP sync is possible and is a supported config? Experts please help.
    Thanks,
    Sunil.

    Thanks for the reply.
    The below link lists the LDAP's supported:
    http://docs.oracle.com/cd/E21764_01/install.1111/e12002/oidonly.htm#autoId23
    My question specifically is, can I configure multiple LDAP sync's? I already have LDAP sync configured for iPlanet/ODSEE and now I wanted to set LDAP sync to AD to support OIM-OAM integration. Any thoughts?

Maybe you are looking for

  • In Initial View, can you set defaults for Navigation tab, Page layout, and Magnification?

    Adobe Acrobat 9 Pro V9.4.0 Win7 Pro x64 Problem: In Initial View, can you set defaults for Navigation tab, Page layout, and Magnification? Every time Acrobat scans a document, I have to go to Initial View to set Navigation tab, Page layout, and Magni

  • NFS makes OSX hang

    Normally if you are connected to an NFS server and the connection goes down, the Finder tries to reconnect and if it can't, it unmount the partition. But if a partition is not connected but it still mounted while Mac OS X is shutting down, this is no

  • Basics olm vs. iLearning, how to start

    Hi, I'm moving to learn R12 suite after working with g10, will apprecaite your recomendations how better do this. I'm bit confused about iLearning vs. OLM, etc.. Thansk for all tips. T

  • Quicktime 7.74 Silent install

    Hi, I'm having issues installing QuickTime 7.74 using quicktime.msi. On a fresh VM wi no traces of Quicktime at all I get this error (newer version already installed). AppleApplicationSupport.msi /qn works all right. This happens on all system I try

  • Files moved? Help please

    I have not used my itunes in a few months. Well today I decided to open it up play some songs and downloand a few new ones. The new ones all play fine, but for all my old songs they have this error message The song "song title" could not be used beca