Naming Service in separate LDAP
Hi All,
Can anybody please tell me if it is possible to use an LDAP server as a naming service
rather than using WebLogic's naming service? If yes, then please tell me how
it can be done.
TIA,
Sudarson
I click on the '+' sign or use the menu 'create' option but I do not get a screen to enter any information.
I hard coded my tnsnames connection in my application and it works fine.
Thanks for getting back to me with the information and link. I've tried all possible combinations without successfully being able to use the 'Naming Service' function.
Fred
Similar Messages
- DIRECTORY NAMING SERVICE (LDAP) supported in Oracle 11.5.10
Hi,
Can the directory naming service (LDAP) be integrated directly with 11i (11.5.10) for Net Services authentication?
Cheers!
Please see these docs.
Oracle Application Server with Oracle E-Business Suite Release 11i FAQ [ID 186981.1]
Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i [ID 233436.1]
Thanks,
Hussein
- Issue Password-less SSH: Sun OpenDS 2.0 as Naming Service
We are in the final phase of a proof of concept for Sun OpenDS as the naming service for an important customer and are facing a problem with password-less SSH. We narrowed the problem down to the password policy specifying a value for password maximum age. SSH succeeds with "0" (zero) but requires a password if the value is different from 0.
Any help in getting a resolution is greatly appreciated, as this is a road block now.
The following information is gathered.
The test is performed from a host thud which is setup as an ldapclient.
thud 275 ssh thud -i .ssh/thud
Password:
Last login: Tue Oct 13 06:57:01 2009 from xxx
Apparent reason (trimmed):
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying public key: .ssh/thud
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 1166d0 hint 0
debug2: input_userauth_pk_ok: fp 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
Corresponding debug info from server (thud):
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: test whether pkalg/pkblob are acceptable
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 0 failures 1 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: ssh_dss_verify: signature correct
Oct 13 07:29:36 thud sshd[21187]: [ID 966290 auth.debug] PAM[21187]: pam_start(sshd-pubkey,doejohn,0:179560) - debug = 1
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:service)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:user)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:rhost)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:tty)
Oct 13 07:29:36 thud sshd[21187]: [ID 665327 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0)
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_projects.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Oct 13 07:29:36 thud sshd[21187]: [ID 267958 auth.debug] pam_unix_account: doejohn: Ignore module
Oct 13 07:29:36 thud sshd[21187]: [ID 545954 auth.debug] libsldap: more_info is empty, using default values
Oct 13 07:29:36 thud sshd[21187]: [ID 340006 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0): error Authentication failed
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44363 ssh2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method keyboard-interactive
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
Oct 13 07:29:36 thud sshd[21187]: [ID 873394 auth.debug] PAM[21187]: pam_end(179560): status = Authentication failed
Sending the Account Usability control on the server returns:
"The account is not usable"
solaris-z1 487 # ldapsearch -D 'cn=directory manager' -w xxx -b 'dc=texas,dc=net' -J "accountUsability:true" uid=doejohn
# Account Usability Response Control
# The account is not usable
dn: uid=doejohn,ou=eng,ou=People,dc=texas,dc=net
uid: doejohn
shadowLastChange: 14480
loginShell: /bin/ksh
userPassword: {CRYPT}GOUlmnz01bJbwcY69Btp2sIRJrLf+5RtAj4oug==
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: IEEPerson
objectClass: posixAccount
objectClass: top
givenName: John
cn: John Doe
sn: Doe
telephoneNumber: ...
gecos: ...
homeDirectory: /home/doejohn
mail: [email protected]
uidNumber: 6147
gidNumber: 150
manager: ...
For someone with a different password policy (max age is 0) the account is usable.
Ldapclient is running on a SPARC, Solaris 9 system; the Sun OpenDS 2.0 is running on Solaris 10 Sparc.
Password-less ssh works as expected when using a system not using LDAP.
See https://opends.dev.java.net/servlets/ProjectForumMessageView?messageID=31827&forumID=3292.
Regards,
Ludovic.
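The server-side sshd debug output quoted in this thread shows the key itself being accepted (`ssh_dss_verify: signature correct`) and the rejection arriving afterwards from `pam_acct_mgmt`, with `pam_ldap.so.1` among the loaded account-management modules; password-aging and account-usability checks belong to that PAM stage, not to key verification. As an added example, not part of the post and not code from OpenDS or Solaris, the Python script below groups sshd debug lines by process id and reports at which stage a public-key login failed, so the two cases can be told apart quickly. The sample lines are constructed: session 21187 is trimmed from the log quoted above, and session 21190 is a made-up contrast case where no authorized key matches at all.

```python
import re

# Sample sshd debug lines, constructed for this example: pid 21187 is trimmed from the
# server log quoted in the post above; pid 21190 is a made-up contrast case in which
# no key in authorized_keys matches the one the client offers.
SAMPLE_LOG = """\
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: ssh_dss_verify: signature correct
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 340006 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0): error Authentication failed
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44363 ssh2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method keyboard-interactive
Oct 13 07:31:02 thud sshd[21190]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:31:02 thud sshd[21190]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
Oct 13 07:31:02 thud sshd[21190]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44370 ssh2
"""

# Solaris syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTHREQ_RE = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
ACCT_MODULE_RE = re.compile(r"pam_sm_acct_mgmt\)=(?P<path>\S+)")
ACCT_ERROR_RE = re.compile(r"pam_acct_mgmt\([^)]*\): error (?P<err>.*)")


def parse_sessions(text):
    """Group sshd debug lines by sshd pid and record the facts needed for triage."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {
            "user": None, "methods": [], "key_matched": False, "signature_ok": False,
            "acct_modules": [], "acct_error": None, "failed_publickey": False,
        })
        msg = m["msg"]
        a = AUTHREQ_RE.search(msg)
        if a:
            s["user"] = a["user"]
            if a["method"] not in s["methods"]:
                s["methods"].append(a["method"])
        if "matching key found" in msg:
            s["key_matched"] = True
        if "signature correct" in msg:
            s["signature_ok"] = True
        mm = ACCT_MODULE_RE.search(msg)
        if mm:
            s["acct_modules"].append(mm["path"].rsplit("/", 1)[-1])
        e = ACCT_ERROR_RE.search(msg)
        if e:
            s["acct_error"] = e["err"].strip()
        if "Failed publickey" in msg:
            s["failed_publickey"] = True
    return sessions


def classify(session):
    """Name the stage at which public-key login failed, or 'ok' if it did not."""
    if not session["failed_publickey"]:
        return "ok"
    if session["signature_ok"] and session["acct_error"]:
        # The key was valid; a PAM account-management module refused the account.
        return "account-management rejection after valid key: " + session["acct_error"]
    if not session["key_matched"]:
        return "no matching key in authorized_keys"
    return "publickey failed for another reason"


def triage(text):
    """Return {pid: (user, verdict, account modules consulted)} for every session in text."""
    return {pid: (s["user"], classify(s), s["acct_modules"])
            for pid, s in parse_sessions(text).items()}


if __name__ == "__main__":
    for pid, (user, verdict, mods) in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={user}: {verdict}; acct modules: {', '.join(mods) or '-'}")
```

Run it against a real `/var/adm/messages` extract by feeding the file contents to `triage()`; when the verdict names an account-management rejection and `pam_ldap.so.1` is in the module list, the next place to look is the directory's password policy and the Account Usability response shown earlier in the thread, not the key material.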
- Naming Services cannot work well!!!
Hi,
I have configured AM2005Q4 and the Policy Agent with Apache; the Apache http.conf file is like:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /hzycportal http://exchange.hzliqun.com:8013/hzycportal
ProxyPassReverse /hzycportal http://exchange.hzliqun.com:8013/hzycportal
When I type http://exchange.hzliqun.com:8080/hzycportal in IE and enter the user/password, it cannot reach the application system. The agent debug log is like:
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: HTTP Status = 200 (OK)
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Reading headers.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Server: Sun-Java-System-Web-Server/6.1
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Date: Mon, 21 Nov 2005 02:22:18 GMT
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Content-type: text/html
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Connection: close
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: Http::Response::readAndParse(): No content length in response.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 all: Connection::waitForReply(): returns with status success.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Completed processing the response with status: success
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2922">
<Response><![CDATA[<NamingResponse vers="1.0" reqid="2916">
<GetNamingProfile>
<Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
</GetNamingProfile>
</NamingResponse>]]></Response>
</ResponseSet>
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService()::parseNamingResponse(): Buffer to be parsed: <NamingResponse vers="1.0" reqid="2916">
<GetNamingProfile>
<Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
</GetNamingProfile>
</NamingResponse>
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService::parseNamingResponse(): Got Exception in XML.
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService::parseNamingResponse() returning with status invalid session.
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService()::getProfile() returning with error code invalid session.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Naming query failed. and code:18
2005-11-21 10:23:07.578 Warning 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) denying access: status = invalid session
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) returning status: invalid session.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/hzycportal returned invalid session.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect(): goto URL is http://exchange.hzliqun.com:8080/hzycportal
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: Before invoking find_active_login_server()
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: is_server_alive(): Connection timeout set to 2
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: After invoking find_active_login_server()
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal].
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal]
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Host: exchange.hzliqun.com:8080
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Port is 8080.
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: get_request_url(): Returning request URL http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.593 Warning 460:82f3d8 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_notification(), http://exchange.hzliqun.com:8080/hzycportal is not notification url http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false.
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: find_cookie(): cookie found: header [JSESSIONID=D835480D9BBF3902D562A596CC05E953; iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] name [iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val [AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val_len [78] next_cookie [NULL]
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): processing url http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => http://exchange.hzliqun.com:8080/hzycportal, is valid => true
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): client_ip 10.44.202.218 not found in client ip not enforced list
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 AM_POLICY_SERVICE_NAME: am_policy_compare_urls(): compare usePatterns=true returned 3
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: in_not_enforced_list: enforcing access control for http://exchange.hzliqun.com:8080/hzycportal
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: set_host_ip_in_env_map: map_insert: client_ip=10.44.202.218
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 ServiceEngine: Executing update_policy(AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23, http://exchange.hzliqun.com:8080/hzycportal, GET, 2)
2005-11-21 10:23:07.593 Debug 460:82f3d8 all: cookieList is not empty
2005-11-21 10:23:07.593 Debug 460:82f3d8 all: Exit from buildCookieHeader
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2923">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="2917" sessid="AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest Request line: POST /amserver/namingservice HTTP/1.0
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Cookie and Headers =Host: sunam1.hzliqun.com
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Content-Length =Content-Length: 346
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Header Suffix =Accept: text/xml
Content-Type: text/xml; charset=UTF-8
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Total chunks: 7.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Sent 7 chunks.
And it will recycle these processes. From the logs, it seems that it cannot get the correct naming service. But the agent configuration is correct, and looks like this:
# $Id: AMAgent.properties,v 1.86.2.6 2005/10/25 18:14:11 dknab Exp $
# Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# the applicable provisions of the FAR (Federal Acquisition Regulations)
# and its supplements.
# Distributed under licenses restricting its use. Sun, Sun Microsystems,
# the Sun logo and Sun ONE are trademarks or registered trademarks of
# Sun Microsystems, Inc. in the United States and other countries.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Sun [TM] ONE Identity Server
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Sun [TM] ONE Identity Server will disable the SDK.
com.sun.am.cookieName = iPlanetDirectoryPro
# The URL for the Sun [TM] ONE Identity Server Naming service.
com.sun.am.namingURL = http://sunam1.hzliqun.com:80/amserver/namingservice http://sunim1.hzliqun.com:80/amserver/namingservice
# The URL of the login page on the Sun [TM] ONE Identity Server.
com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/UI/Login http://sunim1.hzliqun.com:80/amserver/UI/Login
#com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/gateway http://sunim1.hzliqun.com:80/amserver/gateway
# By default the agent checks if the Access Manager AUTH server is
# active before performing the login.
# This check can be ignored by setting the following property to true.
# In this case the first server indicated in the loginURL property will
# be selected, whether it is active or not.
com.sun.am.ignore_server_check = false
# Name of the file to use for logging messages.
com.sun.am.logFile = D:/Apache/sun/Identity_Server/Agents/2.1/debug/apache_8080/amAgent
# Name of the Sun [TM] ONE Identity Server log file to use for
# logging messages to Sun [TM] ONE Identity Server.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Sun [TM] ONE Identity Server.
com.sun.am.serverLogFile = amAuthLog.exchange.hzliqun.com.8080
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on IS server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.logLevels = all:5
# The org, username and password for Agent to login to IS.
#com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.username = amAdmin
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslCertDir = D:/Apache/sun/Identity_Server/Agents/2.1/apache/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certDbPrefix =
# Should agent trust all server certificates when Sun [TM] ONE Identity Server
# is running SSL?
# Possible values are true or false.
com.sun.am.trustServerCerts = true
# Should the policy SDK use the Sun [TM] ONE Identity Server notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notificationEnabled = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notificationURL = http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be dropped.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.urlComparison.caseIgnore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.cacheEntryLifeTime=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the identity server. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userIdParam=UserToken
# HTTP Header attributes mode
# String attribute mode to specify if additional policy response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional policy attributes will be introduced.
# HEADER - additional policy attributes will be introduced into HTTP header.
# COOKIE - additional policy attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.am.ldapattribute.mode=NONE
# The policy attributes to be added to the HTTP header. The specification is
# of the format ldap_attribute_name|http_header_name[,...]. ldap_attribute_name
# is the attribute in data store to be fetched and http_header_name
# is the name of the header to which the value needs to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.am.headerAttributes=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.ias_SLB_cookie_name = GX_jst
# indicate where a load balancer is used for Sun [TM] ONE Identity Server
# services.
# true | false
com.sun.am.loadBalancer_enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.version=2.1
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.logAccessType = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.agenturiprefix = http://exchange.hzliqun.com:8080/amagent
# Locale setting.
com.sun.am.policy.agents.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.instanceName = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.do_sso_only = false
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.accessDeniedURL =
# This property allows the user to configure the URL Redirect parameter
# for different auth modules. By default this parameter is set to "goto"
com.sun.am.policy.agents.urlRedirectParam=goto
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.fqdnMap
com.sun.am.policy.agents.fqdnDefault = exchange.hzliqun.com
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.fqdnMap = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browser only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Identity Server policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdnMap = valid|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.fqdnMap =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Identity Server for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.cookie_reset_enabled=true
com.sun.am.policy.agents.cookie_reset_enabled=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Identity Server.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.cookie_reset_list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.cookie_reset_list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.cookieDomainList=.sun.com .iplanet.com
com.sun.am.policy.agents.cookieDomainList=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.unauthenticatedUser=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.anonRemoteUserEnabled=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service has its own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
# com.sun.am.policy.agents.notenforcedList = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.reverse_the_meaning_of_notenforcedList = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.notenforced_client_IP_address_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.is_postdatapreserve_enabled = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.postcacheentrylifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.cdsso-enabled=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.cdcservletURL = http://sunam1.hzliqun.com:80/amserver/cdcservlet
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.client_ip_validation_enable = false
# Whether to decode the session cookie before sending it to IS.
# Set to true if the cookie value is URL encoded, false otherwise.
# For example, cookie values from browsers are URL encoded, and
# some containers always return the cookie URL encoded.
com.sun.am.cookieEncoded = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.am.ldapattribute.cookiePrefix = HTTP_
com.sun.am.policy.am.ldapattribute.cookieMaxAge = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.logout.url=
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.logout.cookie_reset_list =
# Below property is reserved for future use. Please do not change the value.
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Identity Server.
# For example, if the resource is http://host/a/b/c, the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetchFromRootResource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.getClientHostname = true
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.convertMbyteEnabled = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for example apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to the part of
#the URI below the app server path if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.overrideProtocol =
com.sun.am.policy.agents.overrideHost =
com.sun.am.policy.agents.overridePort =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is t
if you can add more details in your question, that'll be better.
In my case, I initially had a pix515e with v6.1 on it, and could not get a dialtone because my SIP phone (ata186) was not registered on my proxy. But when I changed my PIX to v6.2, it worked just fine. I didn't put any access-list in though, as fixup does it for me already. -
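The wildcard and path-info stripping rule described in the com.sun.am.ignore_path_info comments of the agent properties above can be modelled to see why the default (false) is the safe setting and what the reverse-proxy case loses. This is an added example, not the agent's own code: it assumes that '*' matches any run of characters including '/', that what the agent strips is the PATH_INFO suffix plus the query string, and the not-enforced entries are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def parse_notenforced_list(value):
    """Split the SPACE-separated property value into individual URL patterns."""
    return value.split()


def _pattern_to_regex(pattern):
    """Turn a not-enforced entry into a regex: '*' matches any run of
    characters (assumed to include '/'), everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def strip_path_info(url, path_info):
    """Drop the query string and the PATH_INFO suffix from a request URL.
    Models what the agent does before matching a wildcard entry while
    com.sun.am.ignore_path_info = false."""
    parts = urlsplit(url)
    path = parts.path
    if path_info and path.endswith(path_info):
        path = path[: -len(path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_not_enforced(url, path_info, patterns, ignore_path_info=False):
    """True if the request matches an entry of the not-enforced list, i.e. the
    agent would let it through without authentication."""
    for pattern in patterns:
        candidate = url
        if "*" in pattern and not ignore_path_info:
            candidate = strip_path_info(url, path_info)
        if _pattern_to_regex(pattern).match(candidate):
            return True
    return False


def unsafe_with_ignore_path_info(patterns):
    """Config check for ignore_path_info = true: nothing may follow '*' in an
    entry, otherwise the '?hack.gif' style match from the comments comes back.
    Returns the offending entries."""
    return [p for p in patterns if "*" in p and not p.endswith("*")]


# Constructed sample list: a static-content entry and a reverse-proxied webapp entry
NOT_ENFORCED = parse_notenforced_list("http://host/*.gif http://host/webapp/servcontext/*")

if __name__ == "__main__":
    # Query string appended to a protected page: only matched if path info is NOT stripped
    print(is_not_enforced("http://host/index.html?hack.gif", "", NOT_ENFORCED))                          # False
    print(is_not_enforced("http://host/index.html?hack.gif", "", NOT_ENFORCED, ignore_path_info=True))   # True
    # Reverse proxy: PATH_INFO is the part the app server sees, so stripping it hides the match
    print(is_not_enforced("http://host/webapp/servcontext/example.jsp",
                          "/servcontext/example.jsp", NOT_ENFORCED))                                     # False
    print(is_not_enforced("http://host/webapp/servcontext/example.jsp",
                          "/servcontext/example.jsp", NOT_ENFORCED, ignore_path_info=True))              # True
    print(unsafe_with_ignore_path_info(NOT_ENFORCED))                                                    # ['http://host/*.gif']
```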
Remote Authentication Naming Service Not Found
Hey everybody,
I found this thread:
http://swforum.sun.com/jive/thread.jspa?threadID=54004
That thread mentions (or implies) there is something different that must be accomplished when performing remote authentications vs local authentications but never actually states what is different.
Anyhow, I am attempting to perform a remote authentication, and am running into problems. I have taken the code listed in the above thread and modified it for my usage, with a few modifications. However, I keep getting this error:
[#|2006-02-13T15:50:56.321-0500|INFO|sun-appserver-pe8.1_02|javax.enterprise.system.stream.out|_ThreadID=25;|ERROR: updateNamingTable : Naming Service is not available.
|#]
[#|2006-02-13T15:50:56.332-0500|WARNING|sun-appserver-pe8.1_02|javax.enterprise.system.stream.err|_ThreadID=25;|
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):null
com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: Naming Service is not available.
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1310)
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1261)
at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:178)
at infrastructure.SessionBean1.login(SessionBean1.java:224)
at infrastructure.login.button1_action(login.java:267)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at ...
When I connect to the service via http://myserver.mydomain.tld/amserver/namingservice I receive a message that looks like:
Webtop 2.5 Platform Low Level request servlet
Which indicates it is running properly. I also am using the AMConfig.properties that is running on the server to pull my values and my code (listed below) prints out all the values it reads. I am using the base dn for the orgname as indicated in various documentation.
My code looks like:
import java.util.Enumeration;
import java.util.Properties;
import java.util.ResourceBundle;
import javax.faces.application.FacesMessage;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import com.iplanet.am.sdk.AMStoreConnection;
import com.iplanet.am.sdk.AMUser;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;

// Fields of the session bean that hold the results of a successful login
private SSOToken token;
private AMStoreConnection db;
private AMUser user;

public boolean login(String username, String password) {
    try {
        // Load AMConfig.properties from the classpath and copy every key into
        // a Properties object, printing each value read as a Faces message
        ResourceBundle resources = ResourceBundle.getBundle("AMConfig");
        String orgname = null;
        Properties props = new Properties();
        Enumeration keyEnum = resources.getKeys();
        while (keyEnum.hasMoreElements()) {
            String key = (String) keyEnum.nextElement();
            String value = resources.getString(key);
            props.setProperty(key, value);
            if (key.equalsIgnoreCase("com.iplanet.am.defaultOrg")) {
                orgname = value;
            }
            this.getFacesContext().addMessage(null, new FacesMessage(key + " = " + value));
        }
        SystemProperties.initializeProperties(props);
        // Authenticate the user and obtain SSO Token
        AuthContext lc = new AuthContext(orgname);
        lc.login();
        while (lc.hasMoreRequirements()) {
            Callback[] callbacks = lc.getRequirements();
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callbacks[i];
                    nc.setName(username);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    pc.setPassword(password.toCharArray());
                } else {
                    log("Unknown Callback: " + callbacks[i]);
                    return false;
                }
            }
            lc.submitRequirements(callbacks);
        }
        if (lc.getStatus() != AuthContext.Status.SUCCESS) {
            log("Invalid credentials");
            return false;
        }
        // Obtain the SSO Token
        token = lc.getSSOToken();
        log("SSOToken: " + token.getTokenID());
        log("User DN: " + token.getPrincipal().getName());
        // Obtain AMUser object
        db = new AMStoreConnection(token);
        user = db.getUser(token.getPrincipal().getName());
        // Get the attributes and display them
        log("Attributes: " + user.getAttributes());
        return true;
    } catch (Exception e) {
        this.getFacesContext().addMessage(null, new FacesMessage("An exception occurred, unable to login.", e.getMessage()));
        e.printStackTrace();
        return false;
    }
}
Any ideas?
Thanks!
Joshua Preston.
The most common reason for this error is improper
communication with your LDAP server . Is your DS
setup correctly and are you able to authenticate
using amadmin?
Yes, our DS is setup correctly and I am able to authenticate using amadmin. -
I'm currently working on some code and I'm really in need of a naming service, preferably one with a service provider for JNDI. In essence what I'm looking for is a very basic name server, although knowing little about the subject at this point I'm thinking that LDAP and NIS are really not well suited to my needs as my key goal is mapping names to references (under dynamic contexts), which I've already half implemented. As things are getting more complex and what I've implemented is of rather poor design, I'm starting to feel like I'm going to have a rough month or two ahead of me!! I don't want to re-invent the wheel and I know in my heart someone has already coded the software I need!!! Unfortunately my search has been fruitless. I'd greatly appreciate it if someone can steer me in the right direction. In the meantime I think I'll be pulling my hair out trying to figure out how to code the software I need... Sorry for not fully explaining what I'm after; if there is not enough info just let me know and I'll try to provide more detail.
Hi Prisco,
You can very well go for JNDI. And you can use Netscape or iPlanet Directory Server as the LDAP server.
Please Download the Directory Server from this URL.
http://www.iplanet.com/downloads/download/2087.html
Also herewith I am giving you a simple authentication program, which makes use of JNDI and Netscape Directory Server. If you follow these steps, you will get a good idea about JNDI.
DESCRIPTION:
I am trying to use LDAP to control access to an HTML page. I want an authentication
box to pop up, allowing the user to authenticate to the HTML page through an LDAP server.
If they successfully authenticate, I need to check their username against a list
of valid usernames that's stored in a database, then give access to the page
based on that list. How can I implement this solution?
SOLUTION:
The best way is to use a Basic Authentication solution with JNDI and an LDAP server,
Netscape Directory Server (for example), with a simple servlet program. The Java Naming
and Directory Interface (JNDI) API is standardized, and enables the use of different
directory services such as Netscape Directory Server. The LDAP server can be used
for storing some common data used in the sample solution.
It can be done through a servlet which checks the user and its password as
stored in the LDAP server.
In order to demonstrate a sample solution, I will use Netscape Directory
Server 4.13 as the LDAP server, loaded with my own LDIF file with customized
attributes. The basic authentication algorithm will be used in this sample
solution.
The following steps are to implement this sample solution:
1. Creating our own LDAP Data Interchange Format (LDIF) file.
2. Loading (importing) the LDIF file into Netscape Directory Server.
3. Creation of user schema files for customized attributes.
4. Loading the user schema files into the Netscape Directory Server.
5. Restarting the Directory Server.
6. A simple servlet program for basic authentication.
7. A sample HTML file, given last, used in the servlet program.
Here is the detailed description of the above steps:
STEP 1: Creating our own LDAP data Interchange format (LDIF) file:
Here is the LDIF (LDAP Data Interchange Format) file. LDIF is a text-based format used to work
on LDAP data, by both our application and end users.
Through this LDIF file, I am having an attribute "customerid: timb" for which I will
be preparing the authentication, which will have its own password
"userpassword: bakrudeen", through which it can be maintained in a common place.
Here again in the same LDIF file, other information related to "customerid: timb"
such as common name "cn: Tim Briggs", surname "sn: Briggs" etc. is maintained.
The data in LDAP is organized in a tree, called a Directory Information tree(DIT).
Each leaf in DIT is called an entry. The first entry in DIT is called the root entry.
Here is a sample LDIF File which is used in our sample solution:-
Here the way the DIT is maintained, i.e. how the data is organized in LDAP, is fairly simple. In this
sample we store all of our entries under a common root o=fedup.com, with the following branch:
Customers - customer entries with "customerid: timb", userpassword: bakrudeen, and other
information related to this customer kept in a common place.
dn: uid=timb,ou=Customers,o=fedup.com
changetype:add
objectclass: customer
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Tim Briggs
uid: timb
givenname: Tim
customerid: timb
sn: Briggs
facsimiletelephonenumber: 4101
telephonenumber: 4145
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
createtimestamp: 20000501084001Z
aci: (target="ldap:///uid=timb,ou=Customers,o=fedup.com")(targetattr="*")(version 3.0; acl "unknown"; allow (all)(userdn = "ldap:///anyone");)
ou: Customers
mail:
userpassword: bakrudeen
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifytimestamp: 20000605084001Z
STEP 2: Loading (importing) the LDIF file into Netscape Directory Server:-
After creating the above sample LDIF file, it should be added to Netscape Directory Server.
It should be imported in order to add the necessary attributes to the Netscape Directory Server,
so that we can make use of the common data.
Steps for importing the LDIF file into the Directory Server:-
1) Create an instance of the Directory Server.
2) Bind it to a different port with a different organizational unit
(here in this program, it is 1124).
3) Press Configuration from the menu.
4) Then select Import from the Console menu.
5) Choose the LDIF file you are going to import.
6) There you also have to provide a file for rejected entries, i.e. it will list all the entries
which were not added while loading.
STEP 3: Creation of our own USER SCHEMA files:-
This is necessary for adding the attributes which are not defined in the
Netscape Directory Server. In the above, customerid, which is defined in the LDIF
file, does not exist in the directory server.
Here is the schema file for attributes (i.e. for defining e.g. customerid).
The name of the file is slapd.user_at.conf:-
attribute customerid customerid-oid cis single
attribute packageid packageid-oid cis single
attribute receivedate receivedate-oid cis single
attribute shipdate shipdate-oid cis single
attribute shipperid shipperid-oid dn single
attribute receiveid receiveid-oid dn single
#Java Attributes
# Schema for storing java objects and java object references
attribute javaClassName 1.3.6.1.4.1.42.2.27.4.1.1 ces single
attribute javaCodebase 1.3.6.1.4.1.42.2.27.4.1.6 ces
attribute javaSerializedData 1.3.6.1.4.1.42.2.27.4.1.7 bin single
attribute javaRemoteLocation 1.3.6.1.4.1.42.2.27.4.1.8 ces single
attribute javaFactory 1.3.6.1.4.1.42.2.27.4.1.4 ces single
attribute javaReferenceAddress 1.3.6.1.4.1.42.2.27.4.1.3 ces
Here is the schema file for your own object classes:-
The name of the file is slapd.user_oc.conf:-
In a similar way to the above, there is no "customer" class among the object classes
defined in the LDAP server, so we will have to create our own "customer" object class.
It extends inetOrgPerson to add some new attributes such as "customerid".
The object class of an entry specifies what attributes are required and what
attributes are allowed in a particular entry.
Also, for example, a package object class is created.
Here is the sample file for creating the above:-
objectclass package
oid package-oid
superior top
requires
packageid,
receiveid,
shipdate,
shipperid
allows
description,
ou,
receivedate
objectclass customer
oid customer-oid
superior inetorgperson
requires
customerid
allows
c
#JAVA Schema
# Schema for storing java objects and java object references
objectclass javaContainer
oid 1.3.6.1.4.1.42.2.27.4.2.1
superior top
requires
cn
objectclass javaObject
oid 1.3.6.1.4.1.42.2.27.4.2.4
superior top
requires
javaClassName
allows
javaCodebase
objectclass javaSerializedObject
oid 1.3.6.1.4.1.42.2.27.4.2.5
superior javaObject
requires
javaSerializedData
objectclass javaRemoteObject
oid 1.3.6.1.4.1.42.2.27.4.2.6
superior javaObject
requires
javaRemoteLocation
objectclass javaNamingReference
oid 1.3.6.1.4.1.42.2.27.4.2.7
superior javaObject
requires
javaReferenceAddress,
javaFactory
STEP 4: Loading the USER SCHEMA files into the Directory Server:-
All the attributes created above should be added to the corresponding directory server,
in order to make them common attributes.
Steps for adding the user schema files to the Directory Server:-
1. Copy the above user schema files to the appropriate instance of Netscape Directory Server
created above, so that the existing LDIF file which is used in the Netscape Directory
Server is not appended to or overwritten.
2. For example, put them in "NetscapeServer/slapd-HostName/config" to replace the empty
files "slapd.user_at.conf" and "slapd.user_oc.conf" present there by default.
3. Then restart the Directory Server.
STEP 5: Simple servlet program for BASIC AUTHENTICATION.
Here is the simple servlet program for Basic Authentication:-
Here the way LDAP authentication works is by attempting to bind to the server with a
DN and a password. No user in their right mind will remember their DN, so we use
some other attribute such as user-id. Then we search the LDAP server to find
an entry that contains the attribute. Here we are using SUBTREE_SCOPE with
JNDI, which starts its search from the base entry and searches
everything below it, including the base entry. Also I am maintaining global
variables for the LDAP settings.
// Importing the necessary packages
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AuthServ extends HttpServlet {
    // Here are our global variables of our LDAP settings.
    public static String MY_CUSTOMER_BASE = "ou=Customers,o=fedup.com";
    public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    public static int MY_PORT = 1124;
    public static String MY_HOST = "ldap://sundts1.india.sun.com:" + MY_PORT;
    public static String MY_MGR = "cn=Directory Manager";
    public static String MY_PWD = "password";
    public static String MY_SEARCHBASE = "o=fedup.com";

    // Using the GET method of the servlet
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        // Check to see if there is any data in the "Authorization" HTTP header from the browser.
        // If not, the 401 response below makes the browser prompt for username and password.
        String auth = req.getHeader("Authorization");
        // Do we allow the user?
        if (!allowedUser(auth)) {
            // Not allowed, so report unauthorized
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
        } else {
            // User is allowed in: include and display the content of a simple HTML page
            RequestDispatcher rd = this.getServletContext().getRequestDispatcher("/auth.html");
            rd.include(req, res);
        }
    }

    // This method checks to see whether the user exists in the LDAP database.
    protected boolean allowedUser(String auth) throws IOException {
        Hashtable env = new Hashtable();
        boolean status = false;
        // No Authorization header at all
        if (auth == null) return false;
        // Basic Authentication is handled; other possibilities are MD5 hash or SSL certificates.
        if (!auth.toUpperCase().startsWith("BASIC ")) {
            return false; // only do BASIC
        }
        // Get the encoded user and password, which come after "BASIC "
        String userpassEncoded = auth.substring(6).trim();
        // Decode it; java.util.Base64 replaces the unsupported sun.misc.BASE64Decoder
        String userpassDecoded;
        try {
            userpassDecoded = new String(Base64.getDecoder().decode(userpassEncoded), "UTF-8");
        } catch (IllegalArgumentException e) {
            return false; // not valid base64
        }
        // Split on the first ':' only, so a password containing ':' survives intact
        int colon = userpassDecoded.indexOf(':');
        if (colon < 0) return false;
        String customerid = userpassDecoded.substring(0, colon);
        String pwd = userpassDecoded.substring(colon + 1);
        // An empty password would turn the bind below into an anonymous (unauthenticated)
        // bind, which most servers accept, so reject it before talking to the directory.
        if (customerid.length() == 0 || pwd.length() == 0) return false;

        // Please note:
        // LDAP authentication works by attempting to bind to the server with a DN and a password.
        // No user will remember their DN, so we use some other attribute such as user-id.
        // Then we search the LDAP server to find an entry that contains the attribute.
        // For a secure system, we should use an attribute that will be unique per entry such as
        // uid, in our case the "customerid" attribute.
        try {
            // Prepare for context
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
            env.put(Context.PROVIDER_URL, MY_HOST);
            // Get a reference to a directory context
            DirContext ctx = new InitialDirContext(env);
            // Specify the scope of the search
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Perform the actual search: we give it a search base, a filter and the
            // constraints containing the scope of the search. The customerid is passed
            // as a filter argument ({0}) so that JNDI escapes any filter metacharacters in it.
            NamingEnumeration results = ctx.search(MY_CUSTOMER_BASE, "(customerid={0})",
                    new Object[] { customerid }, constraints);
            String dn = null;
            // Now step through the search results and try to bind as each matching entry.
            // If the bind does not throw an exception, it is considered a successful authentication.
            while (results != null && results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                dn = sr.getName() + "," + MY_CUSTOMER_BASE;
                Hashtable bindEnv = new Hashtable(env);
                bindEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
                bindEnv.put(Context.SECURITY_PRINCIPAL, dn);
                bindEnv.put(Context.SECURITY_CREDENTIALS, pwd);
                try {
                    DirContext ctx2 = new InitialDirContext(bindEnv);
                    ctx2.close();
                    status = true;
                    break;
                } catch (AuthenticationException e) {
                    log(e.toString());
                }
            }
            ctx.close();
        } catch (NamingException x) {
            log(x.toString());
        }
        return status;
    }
}
STEP 6: Simple HTML file used in Servlet Program:-
Here is the Simple HTML File we are including in RequestDispatcher of the above program:-
<html>
<head>
<title> Authorisation</title>
</head>
<body>
<h1> Your Authorisation is Successful </h1>
</body>
</html>
I hope this will help you.
Thanks
Bakrudeen -
How to configure Apache/Portal to service 2 separate groups of users
Before someone say this is a Portal issue - please read on.
I would like to know how to configure Portal to service 2 separate groups of * Internet * users (A and B) all within the same installation so that when a user enters www.aaa.com or www.bbb.com that user is directed to a public page for that group only.
Currently, when a user of either group enters www.aaa.com or www.bbb.com they arrive at the same public page where they can click on a link and goto their respective private pages (SSO Protected) after logging in.
My installation facts
infra - host1.mycompany.com
portal - host2.mycompany.com (www.aaa.com and www.bbb.com are pointing to this host)
j2ee - host3.mycompany.com
I have configured web-cache to listen on port 80 and direct all requests to host2.mycompany.com:7778.
I used RedirectMatch within host2 httpd.conf to redirect any request to the portal public page.
I'm wondering if it is possible to read the "IP NAME" and do a RedirectMatch on it. In other words, when a request comes into the Apache listener, is it seeing an IP address request or an IP name, i.e. "www.aaa.com"? Because if it is, then there may be some way to redirect based upon that. My assumption is that "http://www.aaa.com" cannot be read by RedirectMatch, only the portion after "http://www.aaa.com/mypage", i.e. "mypage".
Any help is appreciated!
Bill G...
I don't think the issue is one of Apache (not even sure it's one of named virtual hosts since you want both sites to serve the same content). The issue is one of having multiple .local names point to the same machine.
I don't know this can be done without your own DNS server running in the network. -
Cos Naming & WLS Naming Service problem in distributed Tuxedo application
Hi,
we have been starting our investigation into using the distributed application feature of Tuxedo (multiple machines running under 1 Tuxedo domain which make up the entire Tuxedo Application).
when trying to access WLS EJB object references from Tuxedo, we hit a road block.
we have been using the standard method of searching through Cos Naming for a bind context which refers to WLS Naming Service. (this method is documented online and in dev2dev samples) Under non distributed application setup (1 Tux domain with 1 machine as in all examples), everything works fine and I can see into 1 WLS server's JNDI tree. But when in distributed application setup where we want to have two (for example) machines and we also want two WLS managed server with each running on their own machine, it seems that there are some unexpected problems:
1. - only one set of GWADM/GWTDOMAIN is running
- each WLS managed server has its own WTC server
- each WTC server has its own LOCAL ACCESS POINTs
- each WTC server uses the single REMOTE ACCESS POINT
(since only one GWTDOMAIN is running in this scenario)
--> problem: only one of the managed server's JNDI tree can be traversed into, and only one of the WTC link works for Cos Naming -> WLS Naming Service resolution
2. - each machine is running their set of GWADM/GWTDOMAIN
- in dmconfig, two local Tux domain-ids are defined, for the
two groups of GW
- WTC server setup is identical to above; except
each of the WTC is pointing to separate REMOTE ACCESS POINTs
- when DOMAINID in ubbconfig is not defined, the same Cos Naming to WLS Naming Service search fails.
- when DOMAINID in ubbconfig is defined, the same Cos Naming to WLS Naming Service search fails with a CORBA:INTERNAL error.
Does anyone know how to get Cos Naming -> WLS Naming Service working properly under a distributed Tuxedo application setup and also with multiple sets of GWADM/GWTDOMAIN?
Thanks.
Edited by a_tam at 04/17/2008 11:34 AM -
Ldap service providers vs ldap servers
Are these terms equivalent?
I am having the hardest time trying to getting jndi setup.
What is the default naming service for j2ee?
I know that the jdk comes with a few service providers,
and I am assuming that service providers means just
the interface not the actual server. So then the question
is which ldap server to use.
I am just trying to learn JMS. First experience with j2ee.
So far it hasn't been that good. :-)
Mike
I apologize for the unclear first post. Desperate I guess. :-) No, more
like tired and fed up...
I dumped ldap for now. Downloaded ActiveMQ. They had reasonable
instructions. Well they had instructions that nearly worked when followed. I was able to fill in a couple minor gaps. Up to now I'd follow instructions and get nowhere.
In the jndi.properties file for ActiveMQ, they had properties for
designating the JNDI names for the connection factories,
topics, and queues. Is this standard or just ActiveMQ? How do
others do this?
Mike -
Which naming service should I use? DNS NIS NIS+????
DNS? NIS? NIS+?
Which one should I opt for. We already use DNS in our demilitarized zone, but the corporation uses /etc/hosts. What would be the best naming service of all the ones available in your opinion. Bear in mind I recently heard that NIS has many security vulnerabilities.
Many Thanks
Charles
DNS is probably the easiest to set up on clients.
You might also consider using LDAP but this is going to take some work to plan out the LDAP domain and implement it. -
While registering a remote object with a naming service, for example, Naming.rebind("MyService", remoteobj), the stub gets registered and that stub is sent by a registry to a client in response to Naming.lookup("MyService"). Then the client becomes able to call the method remotely. I tried an example in which I did not bind a remote object and I had a stub on the client. And at the client I created an object of the stub class and invoked a remote method but it did not work. Why is it necessary to have a remote object bound to the registry at the server, because it ultimately binds the stub and that stub is sent by a call (Naming.lookup("MyService"))? To me the only requirement is to have a stub at the client side to make remote calls. Is there any additional information sent by a registry to a client in addition to sending a stub in response to the call Naming.lookup("MyService") which is needed at the client for calling a remote method on the stub? Another point is that the stub needs to know the IP address and port no. to be able to talk to the listening service on the remote JVM for execution of methods there, but when I decompiled the stub, I did not find anything like that. I would be thankful to you if you provide me a clear picture of what I have asked for.
Thanks in advanceSince you have no clue what remote procedure calls are all about, I would suggest you take the tutorial on RMI. This should answer all your questions.
Additionally, you should also take a lesson in using separate paragraphs when writing. -
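The RMI question above (why a stub constructed by hand does not work, and where the host and port live) is answered by what a stub actually carries: a RemoteRef holding the endpoint and the object identifier, which is an instance field filled in when the object is exported and then serialized along with the stub, not anything visible in the stub's class bytecode. The registry adds nothing beyond that serialized stub; its only job is to hand the stub out by name. The following added example (not code from the poster or the RMI tutorial) makes this visible; the interface and implementation names are hypothetical and it assumes port 1099 is free:

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiStubDemo {

    /** Hypothetical remote interface; the name mirrors "MyService" from the question. */
    public interface MyService extends Remote {
        String echo(String s) throws RemoteException;
    }

    /** Plain implementation; exporting is done explicitly below so each step is visible. */
    static final class MyServiceImpl implements MyService {
        @Override public String echo(String s) { return "echo:" + s; }
    }

    public static void main(String[] args) throws Exception {
        MyServiceImpl impl = new MyServiceImpl();

        // 1. Export: the JVM opens a listening socket (port 0 = any free port) and
        //    returns the stub. This step, not binding, is what makes the object callable.
        MyService stub = (MyService) UnicastRemoteObject.exportObject(impl, 0);

        // 2. The stub's string form shows the RemoteRef it carries: the endpoint
        //    (host:port) and the object identifier. A stub built with "new" would
        //    have no such reference and therefore nothing to connect to.
        System.out.println("stub = " + stub);

        // 3. The registry is a naming service on a well-known port that hands a
        //    serialized copy of this stub to whoever asks for it by name.
        Registry registry = LocateRegistry.createRegistry(Registry.REGISTRY_PORT); // assumes 1099 is free
        registry.rebind("MyService", stub);

        // 4. Client side: lookup deserializes that copy; its RemoteRef points at the
        //    exported object, so the call goes to the right host:port and objID.
        Registry clientSide = LocateRegistry.getRegistry("localhost", Registry.REGISTRY_PORT);
        MyService remote = (MyService) clientSide.lookup("MyService");
        System.out.println("lookup returned: " + remote);
        System.out.println("call result: " + remote.echo("hi"));

        // 5. Tear down so the JVM can exit (exported objects keep it alive).
        registry.unbind("MyService");
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Run it and compare the two printed stubs: both print the same endpoint and objID, which is exactly the information a decompiled stub class cannot show because it exists only in the exported instance.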
Happy New Year NI forums!
I am working on a project involving mobile interacting robots. In the future it is likely the application's components may need to run on different PCs (Targets). Note: at this point in time all the components are separate but all running on the localhost machine. Thinking towards the future I want to pick the 'best' architecture to allow all these components (VIs performing various functions) to run in multiple locations. For example, several VIs on the Robots, VIs on several PCs.
I am currently aware of using Server/Client TCP/IP using named services. My mock-up works well, but is it time efficient (my time coding), I wonder?
Whereas I am aware of networked shared variables which handle connections and all the parsing for the underlying TCP/IP communication. But will this be difficult to manage? I am unsure if I can associate shared variables with a VI similar to named services. I suppose I could programmatically create the variable upon initialization of the server component, and the client could just search the list of available variables to connect to. Downside: this would require the DSC module.
As you can see, I am rather unsure. Any advice would be great!
Kind Regards,
James
Kind Regards
James Hillman
Applications Engineer 2008 to 2009 National Instruments UK & Ireland
Loughborough University UK - 2006 to 2011
Remember Kudos those who help!
Hi Jason,
Thanks for your reply. I hope you're enjoying NI UK as much as I did.. fun times!
I have seen the link you posted a few times before. But today, I took a better look at it.
My issue is I need several multi-client servers, i.e. many servers which allow multiple clients to connect to them.
Now the STM does have an example of this - STM multi-client Example - Server.vi (used with the STM multi-client.vi)
However, when I make copies of this code (to have my second server), it refuses to run. As in, it just stops itself.
I DID change the port number on the listener aspect of the server code. But I am unsure what else I would need to change to get this setup to work?
One thought I had was the FIFOs all having the same name; this probably isn't a good idea between servers.
Any suggestions would be gratefully received!
*Please could you provide me email support
Kind Regards,
James Hillman
Kind Regards
James Hillman
Applications Engineer 2008 to 2009 National Instruments UK & Ireland
Loughborough University UK - 2006 to 2011
Remember Kudos those who help! -
Error getting the server-side naming service functionality
Hi all,
we are currently setting up the CTS+ activity-based transport scenario. Everything seems to be working fine, however, we have to import each transport twice...
Before I go into detail on the error we get I will first describe our landscape. All the configuration we did was done in discussion with SAP.
We use the SAP Solution Manager (EhP1 SP4) as the CTS+ server as recommended by SAP and have an NWDI system of which we only use the components DTR and CBS (since CMS is not used any more in activity-based transport). We have defined three logical ports/RFCs. CTSCONFIG points to the NWDI system. CTSDEPLOY is running on the Java stack of the Solution Manager and is only used for portal content (=epa) transports. CTSDEPLOY_DI is pointing to the NWDI system and is used for all NWDI (=dip) changes. The NWDI is running EhP1 SP3.
In STMS I defined all the non-abap systems (and configured them to use CTSDEPLOY_DI) and created the following transport route:
upload system (IMP) -> DEV -> ACC -> QAS -> PRD
I first attached the used dependencies in a transport request (SAP_BUILDT, EP_BUILDT, etc.); these imported just fine. Then I did the SCA files which contain our custom code. I extracted these from the assemble step on our current NWDI system, which will be removed as soon as we switch to the new CTS+ environment.
When we import the transport into the runtime systems we see the DTR and CBS being filled successfully for this specific system. However, the transport request itself always fails with error code 12 and the error is:
Error during export service registration: Error getting the server-side naming service functionality during getInitialContext operation. com.sap.engine.services.jndi.persistent.exceptions.NamingException: Error getting the server-side naming service functionality during getInitialContext operation.
Error in execution of Web services CTSDEPLOY_DI , exception is cx_cts_file_import_failed
File import canceled
When we then reimport the same transport it goes fine the second time. This is no problem during the setup but will not be workable when we go live, of course. Is there anyone who has had this issue before as well and has a solution for it?
Kind Regards,
Nico van der Linden...
Hello Nico,
I would need the java trace files to get more info on this issue, but you can start troubleshooting this error with these notes:
#1172252: CTS+, 'attach file': Troubleshooting Guide;
#1003674: Enhancement for non-ABAP systems in CTS;
#1155884: CTS+, configuration 'close coupling': Troubleshooting guide;
Pay special attention to parameter NON_ABAP_WBO_CLIENT, whether it's correctly set on your CTS+ system(s).
Note #1003674 is a must for any CTS+ systems to work properly, as well as having an updated version of the transport programs (tp and R3trans).
Lastly, note #1155884 goes through some JCoException exceptions that commonly take place during CTS+ transports. But again, you need to check the underlying trace files to find the root cause of your issue.
I hope this information helps.
Best regards,
Tomas Black -
JApplet communication with CORBA naming service
I have an applet that needs to resolve/bind to object in the CORBA naming service (we are using Orbix2000). The applet is able to establish a socket connection to the host that is running the naming service; however it cannot find the naming service. I have done extensive research on the web (followed the tutorials from the Sun site) and google to no avail. Can anyone shed some light? We have successfully used Orbix2000 with Java apps. This is the first access via an applet.
thanks,
kat
This is the exception I get when running it from NS4.7 browser:
Initializing the ORB
CORBA exception: java.lang.NullPointerException
java.lang.NullPointerException
    at com.iona.corba.art.artimpl.ORBDelegate.resolve_initial_references(ORBDelegate.java:835)
    at com.iona.corba.art.artimpl.ORBImpl.resolve_initial_references(ORBImpl.java:203)
    at CSGConsole.init(CSGConsole.java:139)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
This is the applet code snippet
import java.util.Properties;
import CLMOperator.*; // package contains the CORBA client stubs
import org.omg.CosNaming.*;
import org.omg.CosNaming.NamingContextPackage.*;
import org.omg.CORBA.*;

// inside the applet's init() method
try {
    // Create and initialize the CORBA ORB
    // (note: the security manager denies System.setProperty to unsigned applets)
    System.setProperty("org.omg.CORBA.ORBClass", "com.iona.corba.art.artimpl.ORBImpl");
    System.setProperty("org.omg.CORBA.ORBSingletonClass", "com.iona.corba.art.artimpl.ORBSingleton");
    String[] args = { "-ORBInitRef", "NameService=corbaloc:iiop:sea03s20.ds.boeing.com:3075/NameService" };
    System.out.println("Initializing the ORB");
    // ORB orb = ORB.init(this, args);   // alternative: pass the -ORBInitRef args instead of properties
    Properties props = new Properties();
    props.put("org.omg.CORBA.ORBInitialHost", "sea03s20.ds.boeing.com");
    props.put("org.omg.CORBA.ORBInitialPort", "3075");
    ORB orb = ORB.init(this, props);
    // Get the root naming context
    org.omg.CORBA.Object objRef = orb.resolve_initial_references("NameService");
    NamingContext ncRef = NamingContextHelper.narrow(objRef);
    // Resolve the object reference in naming
    NameComponent nc = new NameComponent("CLMOperator", "");
    NameComponent[] path = { nc };
    CLMOperator.CLMOper clmOper = CLMOperator.CLMOperHelper.narrow(ncRef.resolve(path));
    // Call the CLMOperator server object and invoke the method
    clmOper.Notify(1, 'A');
} catch (Exception e) {
    System.out.println("CORBA exception: " + e);
    e.printStackTrace(System.out);
}
Kat:
I ran into a similar problem. I was wondering if it had anything to do with a security policy between the applet and CORBA, i.e., the applet using the NamingService. To test this, I built another CORBA Java client (character interface, not applet) and it works fine. The applet must require something else, like setting a security policy. I sent a query off to someone who manages the Java environment. If I get an answer, I'll post it here.
bfin -
How to get the naming attribute of an LDAP using JNDI.?
Hi,
How do we fetch the naming attribute of an LDAP using JNDI? Is this possible using JNDI?
By default, every LDAP has been set with a naming attribute such as 'uid' or 'cn'. This could be changed according to business needs.
How to determine this using JNDI.
Regards,
Barani
Are you trying to call the portlet Customization form directly from the browser?
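Since the reply above does not address the question, here is how the naming attribute is actually found with JNDI. LDAP has no server-wide "naming attribute" setting to query; the naming attribute is simply the attribute type of an entry's leftmost RDN ("uid" in uid=jdoe,ou=people,dc=example,dc=com), so you read an entry's DN and parse it with javax.naming.ldap.LdapName. The related server-wide fact, which base DNs the server holds, is the namingContexts attribute of the root DSE. The following is an added example, not code from the poster; the class and method names are hypothetical, the sample DNs are constructed, and the connection part assumes an anonymous-bind-readable directory at the URL you pass in:

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class NamingAttributeProbe {

    /** Attribute type of the leftmost RDN, e.g. "uid" for "uid=jdoe,ou=people,dc=example,dc=com". */
    public static String namingAttributeOf(String dn) throws NamingException {
        LdapName name = new LdapName(dn);          // parses and validates RFC 4514 syntax
        if (name.isEmpty()) return null;           // the root DSE has no RDN at all
        // LdapName indexes RDNs from the root (rightmost) to the leaf (leftmost)
        Rdn leaf = name.getRdn(name.size() - 1);
        return leaf.getType();
    }

    private static DirContext connect(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);        // e.g. ldaps://ldap.example.com:636 (assumed)
        return new InitialDirContext(env);
    }

    /** Reads one child entry of the given objectClass under base and reports its naming attribute. */
    public static String namingAttributeOfFirstEntry(String url, String base, String objectClass)
            throws NamingException {
        DirContext ctx = connect(url);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[0]);   // DN only, no attribute values
            sc.setCountLimit(1);
            // {0} is substituted by JNDI with filter escaping applied, so a caller-supplied
            // value cannot alter the filter structure.
            NamingEnumeration<SearchResult> results =
                    ctx.search(base, "(objectClass={0})", new Object[] { objectClass }, sc);
            if (!results.hasMore()) return null;
            SearchResult first = results.next();
            return namingAttributeOf(first.getNameInNamespace());   // full DN of the entry
        } finally {
            ctx.close();
        }
    }

    /** Base DNs the server holds, from the root DSE ("" is the root DSE in JNDI). */
    public static List<String> namingContexts(String url) throws NamingException {
        DirContext ctx = connect(url);
        try {
            Attributes attrs = ctx.getAttributes("", new String[] { "namingContexts" });
            List<String> out = new ArrayList<>();
            Attribute a = attrs.get("namingContexts");
            if (a != null) {
                NamingEnumeration<?> values = a.getAll();
                while (values.hasMore()) out.add(String.valueOf(values.next()));
            }
            return out;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Offline part: constructed DNs showing the two common choices from the question.
        System.out.println(namingAttributeOf("uid=jdoe,ou=people,dc=example,dc=com"));   // uid
        System.out.println(namingAttributeOf("cn=Jane Doe,ou=people,dc=example,dc=com")); // cn
        // Online part, only if a URL and base are given: java NamingAttributeProbe <url> <base>
        if (args.length == 2) {
            System.out.println("namingContexts: " + namingContexts(args[0]));
            System.out.println("naming attribute under " + args[1] + ": "
                    + namingAttributeOfFirstEntry(args[0], args[1], "person"));
        }
    }
}
```

Two points worth keeping in mind: a directory can mix naming attributes across branches (uid under ou=people, cn under ou=groups), so the probe answers for one base at a time; and the returned type string is whatever the server stored, so compare it case-insensitively, since LDAP attribute names are.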