OAM11g Authentication - Disabled User
Hi,
In OAM 11g, I am able to successfully authenticate using a disabled user account. How to prevent this in OAM11g?
I have configured OAM to authenticate against Active Directory. The user account is disabled in Active Directory. Even then if the protected application is given the disabled account credentials, OAM is allowing him the access.
How to disable that?
Thanks in Advance,
Sandeep D.
Hi Nishith,
You mean to say, we need to capture the disabled user account and handle in the Custom Authentication Module using the Error Codes? As per the link provided by you, they are handling using BaseUserSession class.
What is the attribute in case of Active Directory?
If so, can you throw some light on the BaseUserSession class. And some samples on the same.
Thanks,
Sandeep D.
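For the question above about which Active Directory attribute marks a disabled account: AD keeps that state in the userAccountControl bit field, where flag 0x2 (ACCOUNTDISABLE) means the account is disabled. The sketch below is an added example, not code from this thread or from OAM; the class name, the sample values and the assumption that the identity store's user search filter can be customised are illustrative.

```java
/** Added example (not OAM code): read AD's disabled flag and exclude disabled users in a search. */
public class AdDisabledAccountCheck {

    // ACCOUNTDISABLE flag of the userAccountControl attribute.
    static final int ACCOUNTDISABLE = 0x0002;

    // OID of AD's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
    static final String BIT_AND_RULE = "1.2.840.113556.1.4.803";

    /** True when the ACCOUNTDISABLE bit is set in a userAccountControl value. */
    static boolean isDisabled(String userAccountControl) {
        // The directory returns the bit field as a decimal string, e.g. "514" = 512 + 2.
        long flags = Long.parseLong(userAccountControl.trim());
        return (flags & ACCOUNTDISABLE) != 0;
    }

    /** Escape a login name for use as an LDAP filter value (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Search filter that matches the login only while the account is enabled. */
    static String enabledUserFilter(String login) {
        return "(&(objectCategory=person)(objectClass=user)"
                + "(sAMAccountName=" + escapeFilterValue(login) + ")"
                + "(!(userAccountControl:" + BIT_AND_RULE + ":=" + ACCOUNTDISABLE + ")))";
    }

    public static void main(String[] args) {
        // Constructed sample values: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE,
        // 66050 = 514 + DONT_EXPIRE_PASSWORD (65536).
        String[] samples = {"512", "514", "66050"};
        for (String uac : samples) {
            System.out.println(uac + " disabled=" + isDisabled(uac));
        }
        // Constructed logins; the second contains filter metacharacters to show the escaping.
        System.out.println(enabledUserFilter("jdoe"));
        System.out.println(enabledUserFilter("j*doe (test)"));
    }
}
```

With a filter of this shape, a disabled account is simply not found by the user lookup, so the decision does not depend on a later error code.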
Similar Messages
-
I am experiencing this error when a servlet or JSP is preloaded on the web
server and the init method of the preloaded item results in a call to the
app server. If I don't preload and then manually invoke the JSP or servlet
after the web server completely loads the call to the app server does not
produce the exception. The only security differences between the web and
app servers are the console and system passwords. I can fix the problem by
making the passwords (system and console) the same across the board, but
find it hard to believe that this is the true solution. I would prefer
sticking with the default security settings.
I've poured through hundreds of messages. I can find similar problems but
not this exact problem.
Any ideas would truly be appreciated!
More information:...
App and Web server are both wls 6.1.1.0 running on the same SUN Solaris box.
Both are using the basic, out of the box, security.
The App server has SSL disabled.
The exception reported in the app server's log is:
java.lang.SecurityException: Authentication for user system denied in realm wl_realm
at weblogic.security.acl.Realm.authenticate(Realm.java:212)
at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
at weblogic.security.acl.internal.Security.verify(Security.java:87)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:235)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
The exception reported in the web server's log is:
java.lang.SecurityException: Authentication for user system denied in realm wl_realm
at weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:85)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:255)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:222)
at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
at $Proxy54.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at com.qwest.tmmt.manager.client.MDMAdapter.getEJBHome(MDMAdapter.java:197)
at com.qwest.tmmt.manager.client.MDMAdapter.<init>(MDMAdapter.java:64)
at com.qwest.tmmt.manager.client.ManagerFactory.createMetaDataManager(ManagerFactory.java:305)
at com.qwest.insite.util.ClientMetaDataCache.<init>(ClientMetaDataCache.java:53
at com.qwest.insite.util.ClientMetaDataCache.getInstance(ClientMetaDataCache.java:106)
at com.qwest.insite.metadata.startup.MetaDataServlet.init(MetaDataServlet.java:30)
at weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java:700)
at weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.java:643)
at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:588)
at weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletContext.java:2203)
at weblogic.servlet.internal.WebAppServletContext.preloadServlets(WebAppServletContext.java:2147)
at weblogic.servlet.internal.WebAppServletContext.init(WebAppServletContext.java:884)
at weblogic.servlet.internal.WebAppServletContext.<init>(WebAppServletContext.java:807)
at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:421)
at weblogic.j2ee.WebAppComponent.deploy(WebAppComponent.java:74)
at weblogic.j2ee.Application.addComponent(Application.java:160)
at weblogic.j2ee.J2EEService.addDeployment(J2EEService.java:117)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarget.java:329)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarget.java:144)
at weblogic.management.mbeans.custom.WebServer.addWebDeployment(WebServer.java:76)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:608)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:592)
at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanImpl.java:352)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy33.addWebDeployment(Unknown Source)
at weblogic.management.configuration.WebServerMBean_CachingStub.addWebDeployment(WebServerMBean_CachingStub.java:1094)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployment(DeploymentTarget.java:315)
at weblogic.management.mbeans.custom.DeploymentTarget.addDeployments(DeploymentTarget.java:279)
at weblogic.management.mbeans.custom.DeploymentTarget.updateServerDeployments(DeploymentTarget.java:233)
at weblogic.management.mbeans.custom.DeploymentTarget.updateDeployments(DeploymentTarget.java:193)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:608)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:592)
at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanImpl.java:352)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy32.updateDeployments(Unknown Source)
at weblogic.management.configuration.ServerMBean_CachingStub.updateDeployments(ServerMBean_CachingStub.java:2734)
at weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(ApplicationManager.java:362)
at weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManager.java:154)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:608)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:592)
at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanImpl.java:352)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:449)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:190)
at $Proxy45.start(Unknown Source)
at weblogic.management.configuration.ApplicationManagerMBean_CachingStub.start(ApplicationManagerMBean_CachingStub.java:480)
at weblogic.management.Admin.startApplicationManager(Admin.java:1151)
at weblogic.management.Admin.finish(Admin.java:570)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:506)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:203)
at weblogic.Server.main(Server.java:35)
Thanks,
Jed Zimmer
You're correct. I meant the DOMAIN_SYSTEM_PASSWORD password in my <domain-name>domain.ksh file. The DOMAIN_SYSTEM_PASSWORD value (if specified) has to match the system user's password or else the server will not start/stop.
I have determined more since my post. A startup class also produces the same error. I have minimized my environments as follows and still receive the exception, and as soon as I synchronize the system users' passwords on the app/web server the problem goes away. Or, I can keep the passwords different and just not access the app server EJBs until after the web server finished loading, which also causes the error to go away. I'm just confused about what I might be doing wrong.
Steps to produce the error:
App server:
- Installed from 6.1.1.0 from scratch and started it up.
- Changed the system user's password from the admin console, persisting the
changes.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Stopped/Started the app server
Web server:
- Installed from 6.1.1.0 from scratch and started it up.
- Modified logging settings to see more info in the log files.
- Disabled instrument stack traces.
- Added a servlet to the DefaultWebApp_insiteserver application
- specified name and class
- the load on startup setting defaulted to zero, which will cause the
preloading
- Added 3 jar files to the classpath to support the EJB call
- Stopped/Started the web server
When the web server loads the servlet loads and tries to locate the EJB on the app server. The app server throws the security exception. The app/web servers are both running on the same SUN box, have the same IP address (different ports) and I'm using non-SSL. Each server is its own WLS environment. The only installed file that is shared is the weblogic_domain_registry.dat file in the root directory. As for security, I'm doing nothing except changing one password (system user on the app server).
I then tried to manually upgrade the app/web servers to 6.1.2.0 by updating
the WEBLOGIC_ROOT in the respective xxxxdomain.ksh files. Same problem.
I then cleanly reinstalled the app/web servers using version 6.1.2.0 and
configured as above. Same problem.
Let me know if I need to provide additional details.
Thanks,
Jed Zimmer
"Joseph Nguyen" <[email protected]> wrote in message news:[email protected]...
> "Jed Zimmer" <[email protected]> wrote in message news:[email protected]...
> > I am experiencing this error when a servlet or JSP is preloaded on the web
> > server and the init method of the preloaded item results in a call to the
> > app server. If I don't preload and then manually invoke the JSP or servlet
> > after the web server completely loads the call to the app server does not
> > produce the exception. The only security differences between the web and
> > app servers are the console and system passwords. I can fix the problem by
> > making the passwords (system and console) the same across the board, but
> > find it hard to believe that this is the true solution.
> I don't quite understand what you mean by "console" password? Are you
> talking about the admin console? If so then it's confusing because you have
> to log into the console using the system user. If you can clarify more here
> it would be great.
> Joseph Nguyen
> BEA Support
> > I would prefer sticking with the default security settings.
> > I've poured through hundreds of messages. I can find similar problems but
> > not this exact problem.
> > Any ideas would truly be appreciated!
> > More information:...
> > App and Web server are both wls 6.1.1.0 running on the same SUN Solaris box.
> > Both are using the basic, out of the box, security.
> > The App server has SSL disabled.
Thanks,
Jed Zimmer -
Invalid Credential/Disabled User
Hi,
I have a requirement of capturing the message "Invalid Username/Password" or Disabled User on the OAM Login (Enterprise Login Page). For example -
I have 2 applications which are protected by the same authentication scheme and they are SSO enabled. If a user tries to access those applications, they will be challenged by the Login Page. If the user puts the wrong password or user name over to the Login Page, I should be able to capture that message and show a message to the User saying that "The username or password provided are wrong". Similar is the case for the Disabled users, so if the userid is disabled and the user tries to get in to the application he should get a message "Your User ID is disabled" on the Login Page. Is there any way I can achieve this? Is it an out-of-box functionality of OAM or do I have to write any custom scheme for this? Please help me on this.
Thanks & Regards
Debi
Originally Posted by DParkes
> Can you try this from the standalone GWCheck, Tommy and I think the server
> side is broken for this specific operation
> Cheers Dave
> Dave Parkes [NSCS]
> Occasionally resident at http://support-forums.novell.com/
Awesome. Local GWCheck works when you specify a user that is on the same post office as the library. The server task does not work even though the user is on the same po. Is this a confirmed bug?
-
AD Identity Service: Delete or Disable users that aren't found?
We currently set users to be "disabled" but then we have to periodically remember to go in there and delete them manually. It also creates issues with duplicate login names. Do you delete your users automatically? I've always been concerned that if something goes wrong with a sync then all my users would be deleted.
We had the same issue here, so I wrote an external operation that piggybacks on the user sync job and deletes any disabled users older than X amount of days. For instance, in our case users are deleted after 180 days of being disabled (this is a bit extreme). This way you can give yourself a few days before the users are actually deleted, but keep the process automated. There are a couple of options built in, which should be discernible from the source code. Here is the source:
package com.oracle.services.jobs;

import com.oracle.services.utility.SessionManager;
import com.plumtree.openfoundation.util.XPCalendar;
import com.plumtree.openfoundation.util.XPDateTime;
import com.plumtree.portaluiinfrastructure.resultwrapper.ASQueryResultWrapper;
import com.plumtree.server.IPTObjectManager;
import com.plumtree.server.IPTQueryResult;
import com.plumtree.server.IPTSession;
import com.plumtree.server.IPTUser;
import com.plumtree.server.IPTUserManager;
import com.plumtree.server.PT_LOCKSTATES;
import com.plumtree.server.PT_PROPIDS;

/**
 * This class takes care of the automation server job for deleting user accounts
 * which have been disabled for some number of days.
 *
 * @author hross
 */
public class DeleteDisabledAccountsJob {
    // filter for only deleting agent disabled accounts
    private static String FILTER_AGENT = "This user has been locked by a User Synchronization Job.";
    // filter for deleting all disabled accounts (including those disabled by an
    // admin)
    private static String FILTER_ALL = "";

    public static void main(String[] args) {
        // check arguments
        if ((args.length < 2) || (args.length > 4)) {
            System.err.println("usage: ");
            System.err
                    .println("DeleteDisabledAccountsJob <security_token> <num_days>");
            System.err
                    .println("DeleteDisabledAccountsJob <security_token> <num_days> all");
            return;
        }

        // get a session from the login token
        IPTSession session = SessionManager.createSession(args[0]);

        // get a number of days
        int numDays = 0;
        try {
            numDays = Integer.parseInt(args[1]);
        } catch (Exception ex) {
            System.err.println("Number of days not a valid integer.");
            return;
        }

        // filter all or just the agent?
        boolean filterAll = ((args.length > 2) && (args[2].equals("all")))
                || ((args.length > 3) && (args[3].equals("all")));
        // optional "test" argument: report only, delete nothing
        boolean test = ((args.length > 2) && (args[2].equals("test")))
                || ((args.length > 3) && (args[3].equals("test")));
        if (test) {
            System.err.println("This is a just a test. Nothing will be deleted.");
        }
        if (filterAll) {
            System.err
                    .println("This job will delete all disabled accounts (even those disabled by an admin).");
        } else {
            System.err
                    .println("This job will delete only users disabled by an authentication source.");
        }

        // calculate the cut-off: numDays in the past based on today's date
        XPDateTime cutOff = new XPDateTime();
        XPCalendar xpCalendar = XPCalendar.GetInstance();
        xpCalendar.Add(XPCalendar.HOUR, -(24 * numDays));
        cutOff = xpCalendar.GetTime(); // subtract numDays from current time
        System.err
                .println("This job will delete any user accounts disabled before: "
                        + cutOff.toString());

        // query for disabled user accounts
        IPTUserManager userManager = (IPTUserManager) session.GetUsers();
        IPTQueryResult result = userManager.GetLockedAccounts(filterAll ? FILTER_ALL
                : FILTER_AGENT, 0, -1);
        //ASQueryResultWrapper ptqrUserLock = new ASQueryResultWrapper(result);
        for (int i = 0; i < result.RowCount(); i++) {
            // get some basic user info
            int userId = result.ItemAsInt(i, PT_PROPIDS.PT_PROPID_OBJECTID);
            String name = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_NAME);
            String login = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_USER_LOGINNAME);
            // timestamp compared against the cut-off (the row's PT_PROPID_CREATED value)
            XPDateTime dt = result.ItemAsXPDateTime(i, PT_PROPIDS.PT_PROPID_CREATED);
            // System.err.println("Found account: (" + userId + ") " + login
            // + ", " + name);

            // check to see if we need to delete the user
            if (dt.Before(cutOff)) {
                if (!test) { // if test, we just want to see who we would have deleted
                    // we have to try to unlock the user b/c of a bug in
                    // automation
                    // server
                    IPTUser user = (IPTUser) ((IPTObjectManager) userManager)
                            .Open(userId, false);
                    try {
                        user.SetLockedStatus(false);
                        user.Store();
                    } catch (Exception ex) {
                        // we expect this will fail b/c of a bug
                    }
                    // make sure the account gets unlocked
                    if (user.GetLockState() == PT_LOCKSTATES.PT_LOCKED)
                        user.UnlockObject();
                    // okay, now we can delete the user
                    ((IPTObjectManager) userManager).Delete(userId);
                }
                System.err.println("Removed user account: " + userId + " - " + login + " - " + name);
            }
        }
    }
}
-
Disable user automatically when he leaves Organization
Hi All,
Is there any way by which we can disable user automatically when he/she leaves Organization?
User addition/deletion should be automatic.
Current authentication way is Enterprise login.
Is there any readymade SDK available for this?
We are using BO XI R2 (JAVA SDK)
Please suggest,
Thanks in advance
Regards,
Chaitanya
When the person leaves the organization you can run an app to go in and delete him/her.
Here is a sample: [Delete User|http://www.sdn.sap.com/irj/boc/index?rid=/library/uuid/d022c31a-3857-2c10-bd91-f3495fece879]
-
Disable user automatically when he/she leaves Organization
Hi All,
Is there any way by which we can disable user automatically when he/she leaves Organization?
User addition/deletion should be automatic.
Current authentication way is Enterprise login.
Is there any readymade SDK available for this?
We are using BO XI R2 (JAVA SDK)
Thanks in advance,
Regards,
Chaitanya.
Hi Chaitanya,
Maintenance of users and groups is an Administrative task.
Normally outside of the SDK this would simply involve disabling or deleting the user from the User+Groups area of the CMC. This action will result in the ownership of the schedule list for the user passing over to the Administrator.
As this is the workflow when not using the SDK it will be possible to automate this workflow with the SDK too.
In XI3.1 there are several notes which cover this workflow, i.e.:
1609054 - How to remove a user using Java SDK from Business Objects Enterprise?
The same packages\classes will apply to XIr2:
Package com.crystaldecisions.sdk.occa.infostore
This package provides the ability to query for InfoObjects, as well as add, delete, and update them.
Please also be aware that XIr2 is no longer in support, you would be advised to upgrade to at least XI3.1 SP3 for patch support.
I hope this is a very helpful answer to you.
Kind regards,
John
-
Getting error "1013009 Administrator Has Temporarily Disabled User Commands"
Hi All,
I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
Appreciate any help..
Thanks
Mahesh
Mahesh wrote:
> Hi All,
> I am getting the error "1013009 Administrator Has Temporarily Disabled User Commands" while executing a report script in Essbase 11.1.1.3
> Appreciate any help..
> Thanks
> Mahesh
Possible Cause
When a database is being restructured or any application/database on the server is being copied, you can get this message.
or
When a cube is being restructured, commands are restricted because the integrity of the cube has to be stable and no one is allowed to access it.
or
Copying an application requires that the Essbase security file be in read/write mode and therefore other applications are not accessible until the process is completed.
Possible Solution
In Application Settings, verify that the Allow Commands or Allow Updates options are not selected.
If not selected, select those and try.
Regards,
Prabhas
-
Authenticating a user using JCO
Hi,
I was authenticating a user in SAP using the following code:
import java.util.Properties;
import com.sap.mw.jco.JCO;

// print the version of the installed JCo library
System.out.println("\n\nVersion of the JCO-library:\n" + "----\n"
        + JCO.getMiddlewareVersion());
// connection parameters for the target SAP system
Properties props = new Properties();
props.put("jco.client.client", "800");
props.put("jco.client.user", "gk1");
props.put("jco.client.passwd", "password");
props.put("jco.client.lang", "EN");
props.put("jco.client.sysnr", "01");
props.put("jco.client.ashost", "172...*");
// create the client from the connection properties
JCO.Client client = JCO.createClient(props);
// Open the connection
client.connect();
Here, the password for the "gk1" user is "password". Now if I update the password to be "password1" in the code - the user is still authenticated. No matter how many times I add digits towards the end of the password for this user, it still gets authenticated. Any ideas?
Thanks
Hi Gaurav,
In SAP R/3 system, it takes only 8 digit password for any user. So, it checks up to 8 characters only. No matter how many digits or characters you have appended.
Try to give some other password instead of just appending digits or characters behind "password".
Regards,
Bhavik
-
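To make the behaviour described in the SAP JCo answer above concrete, here is a small model of a verifier that compares only the first 8 characters, next to a variant that rejects over-long input instead of cutting it. This is an added example and not SAP or JCo code; the class and method names and all passwords are constructed, and only the 8-character limit comes from the answer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example (a model, not SAP code): effect of an 8-character significant password length. */
public class PasswordTruncationDemo {

    // Significant length as stated in the answer above; all passwords below are constructed.
    static final int SIGNIFICANT_LENGTH = 8;

    /** Keep only the characters the modelled backend actually compares. */
    static String significantPart(String password) {
        return password.length() > SIGNIFICANT_LENGTH
                ? password.substring(0, SIGNIFICANT_LENGTH)
                : password;
    }

    /** Byte comparison that does not stop at the first differing byte. */
    static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Modelled behaviour: input is silently cut to 8 characters before the comparison. */
    static boolean truncatingVerify(String stored, String supplied) {
        return sameBytes(significantPart(stored), significantPart(supplied));
    }

    /** Stricter variant: input longer than the significant length is rejected outright. */
    static boolean strictVerify(String stored, String supplied) {
        if (supplied.length() > SIGNIFICANT_LENGTH) {
            return false;
        }
        return sameBytes(stored, supplied);
    }

    public static void main(String[] args) {
        String stored = "password";
        // "passw0rd" differs inside the first 8 characters, so it is a meaningful negative test;
        // the longer attempts only differ after position 8.
        String[] attempts = {"password", "password1", "password12345", "passw0rd"};
        for (String attempt : attempts) {
            System.out.printf("%-14s truncating=%-5b strict=%b%n",
                    attempt, truncatingVerify(stored, attempt), strictVerify(stored, attempt));
        }
    }
}
```

A negative login test against such a system has to change a character within the significant length, otherwise it exercises the same credential.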
Outlook Contact Card - Organization Tab disabled users
In Outlook there is a Contact Card showing detailed information about that person. The Organization tab shows the contact's "Manager", "Shares Same Manager" (other contacts with the same manager), and "Direct Reports" (people that report to that contact).
The problem I am seeing is that Users disabled in Active Directory (people that have left the company) are showing up in the Organization Tab.
How can I filter out disabled users from this list for anyone using Outlook?
I cannot permanently delete users from Active Directory until after a disabled account reaches a certain age. Also I would prefer not modifying the disabled Active Directory user accounts.
We mostly run Outlook 2010 with a few people running Outlook 2013
Hi,
Outlook has no control over this, it just displays what it got from the server end. And to my knowledge, there is no such feature to filter out those users from that list, at least on the Outlook client.
Regards,
Ethan Hua
TechNet Community Support
It's recommended to download and install Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.
-
How to do Archiving of deleted & disabled users in OIM11g
Hi All,
As per the requirement we have to do archive of deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
Regards,
user7609
Just to recap:
Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.
-
Is there anyway to change the way the resource adapter for Solaris and Linux disables users so that it uses the native lock provided through passwd rather than setting a random password?
Scott
> Is there anyway to change the way the resource
> adapter for Solaris and Linux disables users so that
> it uses the native lock provided through passwd
> rather than setting a random password?
No there is no way to do that.
The usage of passwd -d and or -l is limited to certain installations. If you read the man page for passwd you will see that it only works for files as the repository not for any of the other possibilities (NIS or NIS+ or ldap). It also depends on PAM modules to implement this and they do not have to be configured on the system.
WilfredS
-
SOA Managed Server "Authentication for user denied" exception
Hello,
I have installed Weblogic and Soa Suite according to the SOA Suite installation "Oracle® Fusion Middleware Quick Installation Guide for Oracle SOA Suite 11g Release 1 (11.1.1)" document.
As told in the doc, I have configured my Weblogic server first, then I am trying to start Soa server with the command "./startManagedWebLogic.sh soa_server1"
But I am getting this error; mucho obrigado!
<Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
weblogic.security.SecurityInitializationException: Authentication for user denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2010 5:35:20 PM EET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
Hi Donmay,
We were trying to nohup (I mean: changing the output from console to a text file), but startManagedWebLogic asks for admin's user and server (which you specify when creating your domain), so since it couldn't get this info from the user, the soa_server didn't start. There are 4 solutions that I know of:
1) Don't nohup, just enter ~$ ./startManagedWebLogic.sh soa_server1
2) Specify the user and passwd in startManagedWebLogic. The two variables are WLS_USER and WLS_PW
3) Create a boot.password file in .../domain/bin and in the startManagedWebLogic add this -Dweblogic.system.BootIdentityFile="fileGoesHere" JAVA_OPTIONS (http://blogs.oracle.com/middleware/2010/05/weblogic_not_reading_bootproperties_1111x.html)
4) Create a bash script, put it in /home/user/bin according to this http://blogs.oracle.com/reynolds/2010/03/cold_start.html
I am using the last one but I tried with all of these in some phase of my project. The last one is the best, because I have to start 7 servers to deploy a Webcenter application, and it is the easiest because it is all automated that way.
Sorry for the late reply, I have posted from my phone.
-
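Options 2 and 3 in the reply above both leave the admin credentials on disk, so the file that holds them should be readable by the WebLogic OS user only. The sketch below is an added example, not code from the thread or from Oracle: it writes a boot identity file for one managed server with owner-only permissions and checks it before an unattended (nohup) start. The function names are hypothetical, and the path assumes the standard servers/<server>/security/boot.properties location, which WebLogic reads without an extra JAVA_OPTIONS flag.

```shell
#!/bin/sh
# Added example. Assumed layout (not from the thread):
#   $DOMAIN_HOME/servers/<server>/security/boot.properties

# write_boot_identity DOMAIN_HOME SERVER USER   (password is read from stdin)
write_boot_identity() {
    domain_home=$1; server=$2; user=$3
    if [ -z "$domain_home" ] || [ -z "$server" ] || [ -z "$user" ]; then
        echo "usage: write_boot_identity DOMAIN_HOME SERVER USER < password" >&2
        return 2
    fi
    # Reading stdin keeps the password out of argv, the start script and shell history.
    IFS= read -r password || true
    if [ -z "$password" ]; then
        # An empty value would reproduce the "Password Not Supplied" boot failure.
        echo "empty password refused" >&2
        return 1
    fi
    sec_dir="$domain_home/servers/$server/security"
    file="$sec_dir/boot.properties"
    (
        umask 077                      # file is never readable by group/other
        mkdir -p "$sec_dir" || exit 1
        printf 'username=%s\npassword=%s\n' "$user" "$password" > "$file.tmp.$$" || exit 1
        mv -f "$file.tmp.$$" "$file"   # replace in one step
    ) || return 1
    chmod 700 "$sec_dir" && chmod 600 "$file"
}

# boot_identity_ok DOMAIN_HOME SERVER   (run before a nohup/background start)
boot_identity_ok() {
    file="$1/servers/$2/security/boot.properties"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$file has mode $mode" >&2; return 1; }
    if ! grep -q '^username=..*' "$file" || ! grep -q '^password=..*' "$file"; then
        echo "$file lacks a username or password entry" >&2
        return 1
    fi
}
```

WebLogic replaces the clear-text values in this file with encrypted ones on the first successful boot, so the plain password is only on disk until then.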
Disabled User Password should not be changed
Hi,
We have a requirement that only if the user's status is active, then only administrator must be able to change the user password. Admin should not be able to change the password if the user is in disabled state/locked state. How can we achieve this? Please suggest...
Regards
Vinoth
Hi,
We have made an entity adapter which is taking usr login value from User [in Data object manager] and calling our java method which is making connection to OIM database and getting us the status of user.
Now if the status of user is disabled, method is returning true and on true we have associated our error code to it.
We are executing our entity adapter in pre-update execution.
Now when we are changing password of any disabled user we are able to see our error code. But whatever update [either first name update, enable] we are running on that user, same error code is appearing.
Please suggest/reply.
thanks
-
Disable User on updating an User attribute in OIM
Hi,
I have OIM 11g R2 with LDAP SYNC enabled with OID through OVD.
I want to trigger Disable user on modifying an UDF attribute of user.
Like if attribute1 of user is set to true then disable user operation should be triggered for the user.
So first in my adapter i will check whether attribute is true and then trigger disable user.
In 11g R2 as mapping adapters attached to Users form in dataobject manager is not supported i am not able to map to the userdefinition and hence not able to check if attribute1 is true or false.
Please help and let me know if this can be achieved in any other way.
Edited by: 988070 on Mar 20, 2013 3:55 AM
You can write a post process event handler:
It will update the user status to disable when UDF attribute is set to true.
For this, you need to set the condition as:
Get the value of user defined attribute and store it in a variable "flag".
disable UserManagerResult disable(java.lang.String attributeName, java.lang.Object attributeValue) //attributeName will be user defined field, value will be "true"
throws ValidationFailedException,
oracle.iam.platform.authz.exception.AccessDeniedException,
UserDisableException,
NoSuchUserException,
SearchKeyNotUniqueException
Disables the user account matching the search criteria.
Parameters:
attributeName - - The attribute name for the search criteria.
attributeValue - - The attribute value for the search criteria.
Returns:
UserManagerResult containing the entity id of the disabled user.
Cheers,
Vamsi.
-
Can't start managed server - Authentication for user denied
Greetings,
I have a WebLogic 10.3.6 based domain. The admin server works correctly. Using the admin console, I created a managed server. It is not associated to any machine and I don't use node manager. The managed server listens on localhost:7101 while the admin listens on localhost:7001. Starting the managed server asks for an user/password authentication. Using the same as the one used for the admin console says:
<7 dÚc. 2012 13 h 55 CET> <Critical> <Security> <BEA-090403> <Authentication for
user nicolas denied>
<7 dÚc. 2012 13 h 55 CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsy
stem failed. Reason: weblogic.security.SecurityInitializationException: Authenti
cation for user nicolas denied
weblogic.security.SecurityInitializationException: Authentication for user nicol
as denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.do
BootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:966)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.in
itialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
erviceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Auth
entication Failed: User nicolas weblogic.security.providers.authentication.LDAPA
tnDelegateException: [Security:090295]caught unexpected exception
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.log
in(LDAPAtnLoginModuleImpl.java:251)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(Log
inModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(Log
inModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Truncated. see log file for complete stacktrace
>
<7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
hanged to FAILED>
<7 dÚc. 2012 13 h 55 CET> <Error> <WebLogicServer> <BEA-000383> <A critical serv
ice failed. The server will shut itself down>
<7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
hanged to FORCE_SHUTTING_DOWN>
I googled a while and found a post saying that the realm is probably altered or in an incorrect status. I reset the admin's credentials using weblogic.security.utils.AdminAccount but this didn't change anything. Of course, upon the managed server creation, I initialized the fields user and password in the server starting tab of the admin console.
Many thanks for any help.
Nicolas
Hi,
Have you configured LDAP Authenticator on the server?
If yes, after the change did you restart both the servers - admin and managed?