OAM 11gR2 Authentication using username/password/additional ldap field

I want to add an additional credential parameter, along with username and password, to be validated against LDAP.
Is there any out-of-the-box solution for authentication using username/password/additional LDAP field in OAM 11gR2?
This solution exists in 10g, and I could not find any OOB feature in 11g.

Do you need to accept an additional parameter from the user via the login form and then use it in the credential mapping step?
Not sure if the %% syntax would work; I haven't tried it. The next option is to develop a custom authentication plugin.
Additional LDAP attribute against a static value
If you need to add an additional LDAP attribute (checked against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
Take a look at "MTLDAPPlugin" under custom authentication modules.
Hope this helps
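The reply above suggests putting the additional attribute check into the LDAP search filter used for user identification. The following added example (not OAM or MTLDAPPlugin code) shows what such a filter looks like and why the login value must be escaped per RFC 4515 before it is spliced into the filter: a login containing filter metacharacters would otherwise change the query rather than be matched literally. The attribute names `uid` and `employeeType`, the static value `employee` and the sample logins are assumptions chosen for illustration.

```python
# Added example (not OAM code): build the LDAP search filter that a
# "User Identification" step would use when it must match the login name
# AND a static value in an additional attribute. The attribute names,
# the static value and the sample logins are constructed for illustration.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally, not as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_naive(login: str) -> str:
    """What a hand-written filter template does: the login is pasted in as-is,
    so filter metacharacters in it change the query (kept only for contrast)."""
    return "(&(uid=%s)(employeeType=employee))" % login


def build_user_filter(login: str, login_attr: str = "uid",
                      extra_attr: str = "employeeType",
                      extra_value: str = "employee") -> str:
    """AND filter: login_attr must equal the supplied login and extra_attr
    must equal the operator-configured static value. Both values are escaped;
    only the login is user-controlled, but escaping the constant is harmless."""
    if not login:
        raise ValueError("login must not be empty")
    return "(&(%s=%s)(%s=%s))" % (
        login_attr, escape_filter_value(login),
        extra_attr, escape_filter_value(extra_value))


if __name__ == "__main__":
    for login in ("jdoe", "j*doe"):          # constructed sample logins
        print(build_user_filter_naive(login))
        print(build_user_filter(login))
```

With `j*doe` the naive template yields a wildcard assertion while the escaped version yields `(uid=j\2adoe)`, which can only match an entry whose uid literally contains the asterisk; the static `employeeType=employee` term is what restricts identification to the intended population.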

Similar Messages

  • OSB Authentication using username and password (plaintext or digest)

    Hi,
I want to implement a simple OSB authentication using username/password (plain text or digest), so that the client is required to provide a username/password token in the SOAP header (message-level security) to access our web services. I have read some articles which show how to create a custom WS policy, but received the following error during deployment.
    weblogic.wsee.ws.init.WsDeploymentException: The WebLogic Server 9.x-style policy is not supported in JAX-WS web services
    Please note - I can not install OWSM as part of my requirement
    =======
    <?xml version="1.0"?>
    <!-- WS-SecurityPolicy -->
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wssp="http://www.bea.com/wls90/security/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
      <!-- Identity Assertion -->
      <wssp:Identity>
        <wssp:SupportedTokens>
          <!-- Use UsernameToken for authentication -->
          <wssp:SecurityToken IncludeInMessage="true"
              TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
            <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
          </wssp:SecurityToken>
        </wssp:SupportedTokens>
      </wssp:Identity>
    </wsp:Policy>

    You can use the default Auth.xml WS policy in OSB and be able to implement the authentication using username and plain text password.
    Just assign the Auth.xml on the Request Policies of the Proxy Service (under Policies).
    Then use any user credentials that has access to the domain for testing.
    If you want to restrict access for each operation then in the Security tab, under Message Access Control, specify a Role.
    Then in the OSB > Security Configuration, create the appropriate role with the specific role conditions like User is User1 or User is User2 etc ...
    Hope this helps.
    Thanks,
    Patrick

  • Webservice authentication using plaintext password

    Hi All,
    A basic question:
    For plaintext password authentication, where on the server do I set what username and password it should check against?
    Details:
    We are trying to configure Webservice authentication using plaintext password. Using Jdev 10.1.3.0.4 [constrained to use this], from WebServices editor, it adds the following lines in oracle-webservices.xml:
    <runtime enabled="security">
      <security>
        <inbound>
          <verify-username-token password-type="PLAINTEXT"
                                 require-nonce="false"
                                 require-created="false"/>
        </inbound>
        <outbound/>
      </security>
    </runtime>
    I am also able to see the username / password fields in the webservices UI.
    The question is: where on the server do I set what username and password it should check against?
    Any help would be appreciated
    Thanks

    Thanks indeed, Vinod. But my question still remains [perhaps what is obvious to you as an expert might not be obvious to me]. I have followed the same steps and have achieved the results documented in this post. But where do I provide the correct password on the server side? Currently, for any password that is supplied by the client, it allows the call to the web services.
    Thanks again!
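Both this post (a `verify-username-token` element with `password-type="PLAINTEXT"`, `require-nonce="false"`, `require-created="false"`) and the OSB post above it (a `wssp:UsePassword` of type `PasswordDigest`) concern the WS-Security UsernameToken. The added example below, which is not Oracle, WebLogic or OSB code, shows what a server has to check for each password type and what the nonce and Created requirements buy: `PasswordDigest` is `Base64(SHA-1(nonce + created + password))` per the UsernameToken Profile 1.0, and a server that records accepted nonces and bounds the age of `Created` rejects a replayed token. The `USERS` store, the `make_token` helper, the sample password and the five-minute skew are constructed assumptions; the two `require_*` switches mirror the configuration attributes in the XML above.

```python
# Added example (not Oracle/WebLogic code): server-side verification of a
# WS-Security UsernameToken for both password types named above,
# PasswordText (plain) and PasswordDigest, with require_nonce and
# require_created as switches. The user store, the token builder and the
# sample values are constructed for illustration.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed user store; a real server resolves this against its realm/LDAP.
USERS = {"alice": "correct horse battery staple"}

# (username, nonce) pairs already accepted: a replayed digest is rejected.
SEEN_NONCES = set()

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)   # how old a Created timestamp may be


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username, password, password_type="PasswordDigest", created=None):
    """Client side: the fields a caller places in wsse:UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    nonce = base64.b64encode(os.urandom(16)).decode()
    if password_type == "PasswordText":
        secret = password
    else:
        secret = password_digest(nonce, created, password)
    return {"Username": username, "Password": secret, "Type": password_type,
            "Nonce": nonce, "Created": created}


def verify_token(token, require_nonce=True, require_created=True):
    """Server side. True only if the user exists, the password or digest
    matches and, when required, Created is fresh and Nonce is unused.
    require_nonce=False / require_created=False reproduce the weaker
    settings seen in the oracle-webservices.xml above."""
    username = token.get("Username")
    password = USERS.get(username)
    if password is None:
        return False
    nonce, created = token.get("Nonce"), token.get("Created")
    if require_created:
        try:
            ts = datetime.strptime(created or "", CREATED_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(datetime.now(timezone.utc) - ts) > MAX_SKEW:
            return False
    if require_nonce and (not nonce or (username, nonce) in SEEN_NONCES):
        return False
    supplied = token.get("Password", "").encode()
    if token.get("Type") == "PasswordText":
        ok = hmac.compare_digest(supplied, password.encode())
    else:
        if not (nonce and created):
            return False   # the digest cannot be recomputed without both
        try:
            expected = password_digest(nonce, created, password)
        except ValueError:  # malformed base64 nonce
            return False
        ok = hmac.compare_digest(supplied, expected.encode())
    if ok and require_nonce:
        SEEN_NONCES.add((username, nonce))
    return ok
```

The digest check requires the server to know the plaintext password (or to hand the nonce, Created and digest to a store that does), which is why the posts talk about the realm or user store the server validates against. With `require_created=False` an old token verifies as long as its digest is consistent, and with `require_nonce=False` the same token verifies repeatedly; both switches trade replay protection for interoperability with clients that omit those fields.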

  • Authentication with username/password *OR* certificates?

    Hi folks,
    we have to authenticate users either via a username/password combo or via a certificate.
    Of course, by using SSL in both cases. Is this possible with WLS 6.0? Since I've read that I have to configure WLS explicitly to support client certificates, I'm rather suspicious whether this will work.
    Any ideas anybody?
    Regards,
    Gerhard

    You can use certificates for authentication if you do the following:
    1) you need to implement a CertAuthenticator which, given a
    certificate from SSL, extracts a user name (for example, get
    the email address from the certificate and return the name
    portion - [email protected] might use foo as the user name)
    2) in your realm, you must have a user for the user name in
    the certificate (so, for the example above, you need to have
    a user named "foo" in the realm)

  • Unable to connect using Username/Password

    So this is the situation here:
    I am trying to control my Mac Mini (Leopard Server) with my iMac (OSX Leopard) using the Finder.
    I'm not able to control the screen from my MM when I try to login as the MM's admin, but I am able to control the screen if I just ask for permission to control it.
    What can be the problem here? Both computers are giving each other permission to access the screen and both have the same version of Remote Desktop installed (if that is relevant to this issue)

    And you've confirmed that you're setting the permissions under "Remote Management", and that's the one that's active, not "Screen Sharing"? What version of ARD are you running?
    I have set the access to "Allow access for: All users". So in this case it should work even without having to login, right?
    It depends on what you mean by "log in". You still have to add the computer into ARD using a user name and password with the appropriate ARD privileges on the client.

  • POP authentication without username/password ??

    Is there a way to disable authentication (authentication/password) in POP (incoming mails)? Our mail client does not provide user info for authentication.
    Sunil.

    Got it. Uncheck the access login checkbox in IMAP.

  • BASIC OAM 11gR2 QUESTION

    Can someone explain the difference between "success url" for
    1. Authentication Policy - success url is an optional parameter.
    2. Authorization Policy - success url is an optional parameter.
    3. Unsolicited Login - success url is a required parameter.
    This is with respect to Oracle Access Manager 11gR2.1

    1. Authentication Policy - success url is an optional parameter.
    After successful authentication the user will be redirected to the URL mentioned in "success url".
    2. Authorization Policy - success url is an optional parameter.
    After successful authorization the user will be redirected to the URL mentioned in "success url".
    Both of these parameters are optional. If they are not present in the OAM policy, the user will be taken to the protected application URL from where the OAM flow began. For example, the user has started with the http://mydomain.com/protectedapp URL.
    3. Unsolicited Login - success url is a required parameter.
    This is a required parameter for the "unsolicited login" feature. Basically you pass three parameters to the OAM Direct authentication URL: "username", "password" and "successurl". If the provided username and password are correct, redirection to the URL in the "successurl" parameter happens. You can get more information about the unsolicited login feature in this blog:
    http://www.ateam-oracle.com/unsolicited-login-with-oam-11gr2/
    Hope this helps.

  • Authentication failing for APEX against OID when uppercase used in password

    We are using Application Express 3.1. I am authenticating against OID 10.1.2.2 and noticed some users were having problems logging into APEX. They are getting "Invalid Login Credentials". I eventually worked out it was when they were authenticating using a password having an uppercase character ... "Blackhawk" is one example. We authenticate Discoverer using OID and do not have the same problem.
    Has anyone else encountered this problem please?
    Cheers Rod
    The Function I use is shown below:
    DECLARE
      V_TEST  BOOLEAN;
      V_EXIST NUMBER;
    BEGIN
      SELECT COUNT(*) INTO V_EXIST FROM BE_MANAGERS
       WHERE MANAGER_CSO_CODE = :APP_USER
         AND FINANCIAL_YEAR_ID = BE_BUDGETS_APEX_PKG.CURRENT_FINANCIAL_YEAR;
      IF V_EXIST = 0 THEN
        HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
        OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
      END IF;
      V_TEST := HTMLDB_LDAP.IS_MEMBER
                  ( p_username   => :APP_USER, p_pass => NULL
                  , p_auth_base  => 'cn=Users,dc=planforlife'
                  , p_host       => 'oraapp01'
                  , p_port       => '389'
                  , p_group      => 'OID-PilotUsers'
                  , p_group_base => 'cn=vaultgroups,cn=Groups,dc=planforlife');
      IF V_TEST = FALSE THEN
        HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
        OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
      END IF;
    EXCEPTION
      WHEN OTHERS THEN
        HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
        OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
    END;

    Rod:
    Are you sure it is not the 'username' which is causing the issue? If it is the username, then to preserve the case in which the username is entered you will need to set the 'p_preserve_case' parameter to true in the call to APEX_CUSTOM_AUTH.LOGIN. This API is invoked in the application's login page as an after-submit page process.
    Varad

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an HTTPS load balancer on 14100 and have set my managed server's SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If they are older than these, please upgrade WLS to 10.3.3 and OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • Can this be done using WLS 8.1 LDAP?

    I am trying to configure WLS 8.1 to use LDAP for authentication/authorization.
    I have the basics working so now I am trying to move to the next hurdle.
    We are building a single webapp that will serve several different companies. The
    main difference will be that the look and feel will be branded for each company
    so when a user logs in to the app via a URL such as foo.domain.com they see the
    "foo" branding and using bar.domain.com will see the "bar" branding. Simple so
    far. The real problem is that we will be adding new companies over time and we
    need to allow two users from two different companies to have the same userid.
    How can I setup LDAP in WLS 8.1 so I can use a different "User Base DN" depending
    on the company the user appears to be coming from? I need this for both authentication
    and authorization.
    - Maybe a custom LDAP realm? Where to begin?
    - How about the "User From Name Filter" field in the console? It seems to take
    a %u variable for the username. Are there any other variables I can use?
    - Do I create a different authenticator for each company? If so, how do I resolve
    one authenticator saying username/password is valid and other says it isn't? Then
    how do I use the correct authorizer for that user?
    I have to imagine that others have had this same issue. Any other ideas?
    Thanks,
    Rick

    "Rick Maddy" <[email protected]> wrote in message
    news:3ee9eccc$[email protected]..
    > I am trying to configure WLS 8.1 to use LDAP for authentication/authorization.
    > I have the basics working so now I am trying to move to the next hurdle.
    > We are building a single webapp that will serve several different companies. The
    > main difference will be that the look and feel will be branded for each company
    > so when a user logs in to the app via a URL such as foo.domain.com they see the
    > "foo" branding and using bar.domain.com will see the "bar" branding. Simple so
    > far. The real problem is that we will be adding new companies over time and we
    > need to allow two users from two different companies to have the same userid.
    >
    > How can I setup LDAP in WLS 8.1 so I can use a different "User Base DN" depending
    > on the company the user appears to be coming from? I need this for both authentication
    > and authorization.
    It sounds like you need multiple realm support in addition to virtual host
    support. WLS currently only supports one realm active at a time.
    > - Maybe a custom LDAP realm? Where to begin?
    You might be able to do this with a custom provider, but I am not sure if
    you can get at the original URL in the login module.
    > - How about the "User From Name Filter" field in the console? It seems to take
    > a %u variable for the username. Are there any other variables I can use?
    You can use %u for username, %g for group, but I don't think they are going
    to help you.
    > - Do I create a different authenticator for each company? If so, how do I resolve
    > one authenticator saying username/password is valid and other says it isn't? Then
    > how do I use the correct authorizer for that user?
    You can use the control flags to specify the behavior of the login modules.
    But unless your usernames are scoped, then it could succeed in one provider when you
    really want it to go to the other provider.

  • Testing a secured Web Service (Basic -Username/Password)

    Hello,
    I configured security for a custom web service using this guide: https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e08627de-9816-2a10-02b7-cbd60f7e4b2c&overridelayout=true . I configured section
    3.2 Configuring Document Authentication
        Basic (Username/Password)
    How should I go about testing this. I tried using Web Service Navigator, I get this error:
    00118565098B00220000011400001D8C00047182FEC71535 : Authentication using a wsse:Username token failed. The error was com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..

    Please download the tutorial bundle from:
    http://java.sun.com/javaee/5/docs/tutorial/information/download.html
    Some details about it:
    http://docs.sun.com/app/docs/doc/819-3669/gfiud?a=view
    You can try the examples after downloading the zip file.
    The zip file also contains documentation, e.g. a PDF file.
    There you can find more info.
    Here is one chapter from doc.
    Example: Basic Authentication with JAX-WS
    This section discusses how to configure a JAX-WS-based web service for HTTP basic
    authentication. When a service that is constrained by HTTP basic authentication is requested,
    the server requests a user name and password from the client and verifies that the user name
    and password are valid by comparing them against a database of authorized users.
    Regards Miro

  • CFSchedule : Username & Password Scope

    When using username and password attributes of cfschedule (or in CFAdmin), what scope or how do I reference them (username and password)?  Do they come in as attributes or form variables?
    Thank you.

    According to the documentation, the username and password are used for HTTP authentication. If you are using basic authentication, the username/password would be available in the cgi scope:
    Username : #cgi.auth_user#
    Password : #cgi.auth_password#

  • Question on how to Hide the User Name, Password, and Domain fields in the MDT Wizard

    MDT 2012 U1
    Deploying Windows 7 via Offline Media (ISO) to MS Virtual PC's
    I am looking for how to hide the User Name, Password, and Domain fields which are prepopulated in the MDT wizard via the CS.ini (not so concerned about the Domain field as I am about User Name and Password).
    We do need the Computer Name and OU fields to be seen, so skipping the wizard is not an option.
    The client just does not want these fields to be seen by the end users; they don't want them to even know the account name used for adding the machine to the domain. Of course the password is not displayed, but it must not be displayed either.
    But since we use the fields they must still be functional, just not seen.
    Thanks.....
    If this post is helpful please click "Mark for answer", thanks! Kind regards

    You shouldn't have to edit DeployWiz_Definition_ENU.xml. You should only need to add "SkipAdminPassword=YES" to the CS.ini file and your authentication information.
    Example:
    [Settings]
    Priority=Default
    Properties=MyCustomProperty
    [Default]
    OSInstall=Y
    SkipCapture=NO
    SkipAdminPassword=YES
    UserID=<MyUserID>
    UserPassword=<MyPassword>
    UserDomain=<MyDomain.com>
    SkipProductKey=NO
    SkipComputerBackup=YES
    SkipBitLocker=NO
    -Nick O.
    Nick,
    SkipAdminPassword=YES is for:
    You can skip the Administrator Password wizard page by using this property in the
    customsettings.ini.
    I am hiding the Username/Password/Domain fields in the Computer Name wizard pane, which are read from the cs.ini:
    DomainAdmin=xxxxx
    DomainAdminPassword=xxxxx
    DomainAdminDomain=xxxxxx
    JoinDomain=xxxxxx
    If this post is helpful please click "Mark for answer", thanks! Kind regards

  • ORA-01017 (invalid username/password) using globally authenticated account

    Kris and team,
    Having a hard time believing no one else has encountered this already. But searching on 1017 and "globally" and "identified" in the forum yields nothing useful.
    New corporate policy has all our DBAs, developers and QA logging into globally authenticated (against OID) accounts. Oracle docs call these accounts "global users". They are able to do so just fine using SQL*Plus, TOAD and PL/SQL Developer. But when we attempt the same in SQL Developer, different rules seem to be applied, and the user is told their username/password is invalid, which is not correct.
    We have several hundred developers ready to use their new accounts in SQL Developer, but cannot. Would appreciate quick reply or patch on this.
    btw, when I say "global user", I'm referring to accounts that are created in Oracle using the "identified globally as" syntax.
    Am I missing something?
    Edited by: chromedome on Aug 9, 2010 1:49 PM

    Thank you, this was helpful in that it caused me to try the other connection methods: Basic, TNS (as you mentioned on your blog), LDAP and Advanced, both with regular accounts and with global users, both with thin and thick drivers employed.
    In all cases, using a normal Oracle account, I was able to connect.
    But using a global user, with the thick/OCI client forced, I get the "Status: Failure -Test failed: oracle.jdbc.driver.T2Connection.t2cCreateState([BI[BI[BI[BI[BISI[S[B[BZ)I" message. And with the thin driver used, I get the "ORA-01017: invalid username/password; logon denied" message. The possibility I have the password incorrect is non-existent as I'm both typing it in manually, and copying and pasting it, from successful global user connections in PL/SQL Developer and TOAD into SQL Developer.
    SQL Developer 2.1.1.64 is not working using InstantClient 11.2 when attempting to login with a global user.
    Sue/Kris, do I use "the site formerly known as Metalink" to log a bug, or are you already tackling this internally? We really need this patched soon.

  • Connecting Using SSL Authentication Without Username and Password

    Hi,
    We're on RedHat Linux 4.0 using 10.2.0.3 (server/client). We're trying to figure out a way to connect to the database using instantclient and JDBC-OCI and SSL authentication without using a username or password. According to the documentation this should be possible but no sample code is given.
    LD_LIBRARY_PATH is set /opt/app/oracle/product/10.2.0/db_1/lib:/usr/lib:/home/oracle/instantclient where the instantclient was installed from the 10.2.0.1 client software
    and we are using JDK version 1.6.0_03.
    We're also referencing the following paper:
    http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf
    We've got our client and server wallets configured and the sample code we tried looks like this:
    import java.sql.*;
    import java.io.*;
    import java.util.*;
    import oracle.net.ns.*;
    import oracle.net.ano.*;
    import oracle.jdbc.*;
    import oracle.jdbc.pool.*;
    import java.security.*;
    import oracle.jdbc.pool.OracleDataSource;
    // Class wrapper and closing braces added so the posted fragment compiles;
    // the connection logic is as posted (thin driver URL, no user/password).
    public class SslTest {
    public static void main(String[] argv) throws Exception {
    DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
    Security.addProvider(new oracle.security.pki.OraclePKIProvider());
    System.setProperty("oracle.net.tns_admin", "/opt/app/oracle/product/10.2.0/db_1/network/admin");
    String url = "jdbc:oracle:thin:@orcl";
    java.util.Properties props = new java.util.Properties();
    props.setProperty("oracle.net.authentication_services","(TCPS)");
    props.setProperty("javax.net.ssl.trustStore",
    "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/server/cwallet.sso");
    props.setProperty("javax.net.ssl.trustStoreType","SSO");
    props.setProperty("javax.net.ssl.keyStore", "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client/cwallet.sso");
    props.setProperty("javax.net.ssl.keyStoreType","SSO");
    props.put ("oracle.net.ssl_version","3.0");
    props.put ("oracle.net.wallet_location", "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client)))");
    System.out.println("At Here...");
    OracleDataSource ods = new OracleDataSource();
    // No user/password: authentication is meant to come from the client wallet certificate.
    //ods.setUser("scott");
    //ods.setPassword("tiger");
    ods.setURL(url);
    ods.setConnectionProperties(props);
    System.out.println("At Here1...");
    Connection conn = ods.getConnection();
    System.out.println("At Here2...");
    Statement stmt = conn.createStatement();
    ResultSet rset = stmt.executeQuery("select 'Hello Thin driver SSL "
    + "tester ' from dual");
    while (rset.next())
    System.out.println(rset.getString(1));
    rset.close();
    stmt.close();
    conn.close();
    }
    }
    When this code is compiled and run, the following error is thrown:
    Exception in thread "main" java.sql.SQLException: invalid arguments in call
    at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
    If a username and password are supplied, the code works. So does anyone have a working example of using SSL to authenticate without supplying username/password?
    Thanks
    mohammed

    Hi,
    I just solved this. I noticed from another thread that I was not using the OCI driver (see below):
    String url = "jdbc:oracle:thin:@pki14";
    Once I changed it to:
    String url = "jdbc:oracle:oci:@pki14";
    The code worked perfectly. One more setting that you'll have to do is to create the user you want to connect as externally:
    create user scott identified externally as
    'CN=acme, OU=development, O=acme, C=US';
    grant connect,create session to scott;
    Note that the DN should be the same as the SSL certificate that you created in your wallet.
    hth
    mohammed
