OBIEE 11.1.1.5.0 ldap authentication provider

Hi all,
We are having a problem with OBIEE 11.1.1.5.0. We create a role and give some permissions to a folder in the catalog with that role. Then we log in with a user in that role, and the user is not able to see the contents of the folder until we restart the server. We have an LDAP authentication provider. Could this be related to that?

Hi,
@weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
I tried something like :
All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
User From Name Filter: (&(cn=%u)(objectclass=user))
the original was:
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
and restarted the server but it did not work ...

Similar Messages

  • Problem with WLS LDAP Authentication Provider

    We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
    Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AM

    Yes, you can apply filters on the Providers configuration, also you can select the DN from where to fetch the users, you can fetch users with special attributes.
    Whole lot of things can be done, review the options under providers.
    Let me know if you have any doubts.
    HTH,
    -Faisal
    http://www.weblogic-wonders.com

  • OBIEE 11g SSO using OAM and AD (authentication provider)

    Hi
    I am authenticating my OBIEE users thru Microsoft Active Directory and it works fine.
    I would like to set up sso, so as to achieve seamless navigation from my Peoplesoft system to OBIEE.
    If anyone has done this before, then could you point me to some reference material. I am not able to find any online.
    Thanks
    Madhu

    I believe you can integrate peoplesoft in the same way we have done it for EBS
    follow below link. it will help you.
    https://kr.forums.oracle.com/forums/thread.jspa?threadID=645740
    Thanks
    Jay.

  • OBIEE Start/Stop Services failed(After LDAP Configuration)

    Hi ,
    We made some changes to the LDAP configuration in the OBIEE web console (that is, we added a new OID and configured it based on the Oracle BI security guide on the Oracle site), and it prompted for a restart of the OBIEE services. When we tried restarting the services, we were not able to stop all the services. Please find the attached log files.
    Note:
    1. Unable to kill the process ID which is related to OBIEE 11.1.1.6.0 services.
    2. We have followed section 3 in the below link to configure the LDAP: http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/toc.htm.
    Please find the below error details in short form and kindly find the attached file (file name) for more details
    Error:
    Caused By: oracle.security.jps.service.igf.IGFException: JPS-02597: You configured a custom Authentication Provider or WLS generic LDAPAuthenticator, which the libOvd can not recognize. Supply the idstore.type property in jps-config.xml file, or use a specific WLS LDAP Authentication provider that matches your LDAP server instead of a generic one.
    at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.checkIdStoreTypeLater(IdentityStoreConfigurationUtil.java:819)
    at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.getLibOvdLdapPushData(IdentityStoreConfigurationUtil.java:524)
    at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:232)
    at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:229)
    at java.security.AccessController.doPrivileged(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jan 29, 2013 6:39:05 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jan 29, 2013 6:39:05 AM CST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jan 29, 2013 6:39:05 AM CST> <Notice> <WebLogicServer> <BEA-000365> <Server state cha
    Error Codes
    Problem Category/Subcategory
    BI EE Platform Administration/Administration Tool
    Uploaded Files
    File: nohup.zip:134848
    Template Question Responses
    1) ### Admin Tool version ###
    2) Are you running Oracle Business Intelligence Enterprise Edition using virtualization or partitioning technologies (for example, VMWare) ?
    No
    3) If yes, please provide the product used and its version.
    4) ### Documentation Used ###
    5) ### Impact on Business ###
    Edited by: 919942 on Jan 31, 2013 5:10 AM

    "JPS-02597: You configured a custom Authentication Provider or WLS generic LDAPAuthenticator, which the libOvd can not recognize. Supply the idstore.type property in jps-config.xml file, or use a specific WLS LDAP Authentication provider that matches your LDAP server instead of a generic one."
    Looks like the config you entered was a tad off. Any chance you can roll back by restoring the original files from before the change?
    $FMWH/user_projects/domains/yourdomain/config/config.xml
    $FMWH/user_projects/domains/yourdomain/config/fmwconfig/jps-config.xml
    In the config.xml, inside the <realm> tag you should find your authentication providers and there's two important things for your new one to check:
    1.) xsi-type="wls:..." <-- This should be your OID type rather than a generic (or wrong) one
    2.) If you're not 100% sure about the config or don't want to immediately shut out native WLS users or want to retain them (both OID and WLS LDAP considered valid), then PLEASE make sure that you run your new authenticator with <sec:control-flag>SUFFICIENT</sec:control-flag> and don't make it REQUIRED since otherwise you won't be able to bring anything up anymore if a single parameter in the authenticator config is off...
    Also, check out what Tony wrote together a while back: http://www.peakindicators.com/index.php/knowledge-base/115-oracle-bi-11g-security-troubleshooting
    Update:
    Should have read the error message more carefully...looks like you actually just slipped by one line in the authenticator config and chose "OracleVirtualDirectory" instead of "OracleInternetDirectory" since it tries to use the libOvd rather than the OID one.
    Edited by: Christian Berg on Jan 31, 2013 2:58 PM

  • WLS 10.0: Security: LDAP Authenticator

    hi,
    I'm using WLS 10.0 with the following security providers:
    - SQL Authenticator (for weblogic console users like system)
    - Identity Asserter (custom developed, takes care for AUTHENTICATION only)
    - LDAP Authenticator (out of the box, takes care for AUTHORIZATION only against a SUN ONE LDAP).
    everything works fine except for the queries that the LDAP Authenticator provider generates:
    For each login, the provider performs these queries:
    a)
    [2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="objectclass=person"
    [2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600
    as you can see, the query returns 15'000 entries (which is the max items for results inside SUN ONE LDAP).
    b)
    [2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
    [2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
    this is the real query returning one single entry for the logged in user.
    Does anyone know why LDAP Authentication provider generates the first query?
    cheers
    balz
    Edited by bschreier at 11/27/2007 1:44 AM
    Edited by bschreier at 11/27/2007 1:45 AM
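
A way to find searches like query (a) in a directory access log, as an added example that is not part of the original post. It pairs each SRCH line with its RESULT by conn/op and flags searches that hit the size limit, return many entries, run long, or use a non-selective filter; the thresholds are assumptions, and the last sample line is constructed.

```python
import re

# The two SRCH/RESULT pairs quoted in the post, plus one constructed RESULT line
# (no matching SRCH) to show that non-search operations are skipped.
SAMPLE_LOG = """\
[2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="objectclass=person"
[2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600
[2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
[2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
[2007-11-22 12:04:32,100] conn=256293 op=12612 RESULT err=0 tag=0 nentries=0 etime=3
"""

# The leading "[" is optional so a line that lost it in copy/paste still parses.
LINE_RE = re.compile(
    r'^\[?(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+'
    r'(?P<kind>SRCH|RESULT)\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ASSERTION_RE = re.compile(r'([\w;-]+)=([^()]*)')


def parse_fields(rest):
    """Turn 'key=value key="quoted value"' into a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(rest)}


def is_broad_filter(ldap_filter):
    """True when every assertion is on objectclass or is a presence test (=*)."""
    assertions = ASSERTION_RE.findall(ldap_filter)
    if not assertions:
        return True
    return all(attr.lower() == "objectclass" or value == "*"
               for attr, value in assertions)


def find_broad_searches(log_text, max_entries=1000, max_etime_ms=5000):
    """Pair SRCH with RESULT by (conn, op) and return the suspicious searches.

    etime is treated as milliseconds: in the quoted log, etime=107959 matches
    the 108 seconds between the two timestamps.
    """
    pending = {}   # (conn, op) -> fields of the SRCH line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        fields = parse_fields(m["rest"])
        if m["kind"] == "SRCH":
            pending[key] = fields
            continue
        srch = pending.pop(key, None)
        if srch is None:
            continue  # RESULT of a bind or other non-search operation
        nentries = int(fields.get("nentries", 0))
        etime = int(fields.get("etime", 0))
        reasons = []
        if fields.get("err") == "4":  # LDAP result code 4: sizeLimitExceeded
            reasons.append("sizeLimitExceeded (err=4)")
        if nentries >= max_entries:
            reasons.append("nentries=%d" % nentries)
        if etime >= max_etime_ms:
            reasons.append("etime=%dms" % etime)
        if is_broad_filter(srch.get("filter", "")):
            reasons.append("non-selective filter")
        if reasons:
            findings.append({
                "conn": key[0], "op": key[1],
                "base": srch.get("base"), "filter": srch.get("filter"),
                "nentries": nentries, "etime_ms": etime, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_broad_searches(SAMPLE_LOG):
        print(finding)
```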

    Hi
    1. Looking carefully at the following 3 lines in server startup logs, after 2:20:39 PM GST, server waited like for 16 mts like 2:36:43 and invoked the Force Shutdown. Possible reasons I gave below.
    ####<Feb 14, 2010 2:20:37 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142837729> <BEA-423101> <[console] Initializing the NetUIx container>
    ####<Feb 14, 2010 2:20:39 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142839433> <BEA-423120> <WEB-INF/client-classifications.xml file not found at uri [webapp]. Classifications functionality not enabled.>
    ####<Feb 14, 2010 2:36:43 PM GST> <Notice> <WebLogicServer> <ePIMSEDMS2> <AdminServer> <Thread-1> <<WLS Kernel>> <1266143803604> <BEA-000388> <JVM called WLS shutdown hook. The server will force shutdown now>
    2. Since you mentioned this worked fine and nothing else is changed over a year, the possible cause may be like this. Looks like you have some Documentum stuff (or webapp or modules) loaded on this server. I am not much familiar with EMC Documentum stuff, except that we use that as external Content Management repository for Portal Applications. Looking at the full thread dump for thread 0, looks like documentum code is trying to publish something or interact with its documentum server and may be it is not getting the response back. So make sure if any external systems that this WLS interacts are all up and running.
    HTH
    Ravi Jegga

  • How to remove prefix from AD group names in ldap auth. provider?

    Hi all,
    I'm using weblogic 10.3.5 and LDAP authentication provider for accessing microsoft AD.
    Group names in AD are created and look like this: PREFIX_basic_user, PREFIX_advanced_user...
    but enterprise roles in ADF application are created like this: basic_user, advanced_user...
    Is there a way to map AD groups to enterprise roles trough LDAP Authentication provider without adding PREFIX_ on enterprise roles in ADF application?
    Thanks in advance

    Powershell (or vbscript if you want to be old school).
    You can trigger a powershell script which will remove the offending user(s) easily enough with out resorting to a TOLDAP pass.  Nearly any script type thing would work but powershell is preferred.  It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
    Otherwise, TOLDAP is the way to write to AD...
    Peter

  • OBIEE 11.1.1.5.0 LDAP group restriction @authentication

    Hi all,
    We have OBIEE 11.1.1.5.0 with LDAP authenticator. We want just one group @LDAP to login and other groups not authenticated. What should we do?

    Hi,
    @weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
    I tried something like :
    All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
    User From Name Filter: (&(cn=%u)(objectclass=user))
    the original was:
    All Users Filter: (&(uid=*)(objectclass=person))
    User From Name Filter: (&(uid=%u)(objectclass=person))
    and restarted the server but it did not work ...
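
The filters from the post above, evaluated against a small in-memory directory, as an added example that is not part of the original thread and is not WebLogic code. It assumes the provider resolves a login name through User From Name Filter (with %u replaced by the name) and uses All Users Filter only for listing; the entries alice and bob and the combined filter GROUPED_FROM_NAME are constructed for illustration.

```python
import re

GROUP_DN = "cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com"  # placeholder DN as posted

# Filters exactly as tried in the post.
POSTED_ALL_USERS = "(&(memberOf=" + GROUP_DN + "))"
POSTED_FROM_NAME = "(&(cn=%u)(objectclass=user))"
# Hypothetical variant (assumption, not from the post): the group clause is
# also placed in the per-user lookup filter.
GROUPED_FROM_NAME = "(&(cn=%u)(objectclass=user)(memberOf=" + GROUP_DN + "))"

# Constructed directory entries: alice is in the group, bob is not.
DIRECTORY = [
    {"cn": ["alice"], "objectclass": ["top", "person", "user"],
     "memberof": [GROUP_DN]},
    {"cn": ["bob"], "objectclass": ["top", "person", "user"],
     "memberof": ["cn=Other,cn=Users,dc=xxxx,dc=yyy,dc=com"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(text, i):
    """Parse one parenthesised filter starting at text[i]; return (node, next_i)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i < len(text) and text[i] in "&|":
        op, kids, i = text[i], [], i + 1
        while i < len(text) and text[i] == "(":
            kid, i = _parse(text, i)
            kids.append(kid)
        if i >= len(text) or text[i] != ")":
            raise ValueError("unterminated %s group" % op)
        return (op, kids), i + 1
    if i < len(text) and text[i] == "!":
        kid, i = _parse(text, i + 1)
        if i >= len(text) or text[i] != ")":
            raise ValueError("unterminated ! group")
        return ("!", kid), i + 1
    j = text.find(")", i)
    attr, sep, raw = text[i:j].partition("=")
    if j < 0 or not sep or not attr:
        raise ValueError("malformed assertion at position %d" % i)
    if "*" in raw and raw != "*":
        raise ValueError("substring filters are not modelled here")
    return ("=", attr.lower(), raw), j + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(kid, entry) for kid in node[1])
    if kind == "|":
        return any(matches(kid, entry) for kid in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                       # presence test
        return bool(values)
    wanted = _unescape(raw).lower()      # equality, case-insensitive
    return any(value.lower() == wanted for value in values)


def search(filter_text):
    """Return the cn of every constructed entry the filter selects."""
    node = parse_filter(filter_text)
    return [entry["cn"][0] for entry in DIRECTORY if matches(node, entry)]


def lookup_user(name_filter_template, login):
    """Model of the per-login lookup: substitute %u, then search."""
    return search(name_filter_template.replace("%u", escape_filter_value(login)))


if __name__ == "__main__":
    print("listing with posted All Users Filter:", search(POSTED_ALL_USERS))
    print("bob via posted User From Name Filter:", lookup_user(POSTED_FROM_NAME, "bob"))
    print("bob via grouped User From Name Filter:", lookup_user(GROUPED_FROM_NAME, "bob"))
    print("alice via grouped User From Name Filter:", lookup_user(GROUPED_FROM_NAME, "alice"))
```

In this model the posted All Users Filter narrows only the listing, while the posted User From Name Filter still finds bob; the group clause has to be part of the per-user filter to exclude him.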

  • LDAP Authentication Listing the users

    Hi,
    I am new to OBIEE. I have LDAP authentication added to my repository. Please let me know how I can get the list of users in LDAP on to my OBIEE Presentation Catalog and Users so that I can classify them into various groups and add security feature.

    If your user groups are held in LDAP you can pull them in as part of the authentication block by mapping the attribute to the GROUP variable.
    Basic principle of using those groups and how the RPD interacts with presentation catalogue is explained well here :
    http://obieeblog.wordpress.com/category/obiee/obiee-security/

  • LDAP Authentication in Siebel integrated OBI

    Hi, We have OBI integrated in Siebel through Symbolic URL. We want to implement LDAP Authentication in OBI. Can anybody tell me the high level steps on the Siebel side which we need to do for supporting LDAP Authentication.
    thx,
    parag

    1.Register LDAP server on OBIEE Repository and test.
    2. modify authentication init block to use LDAP server.
    3.Create siebel responsibilities in RPD
    4. test obiee answers with a user exist in ldap
    Thanks
    Jay.

  • Weblogic or LDAP authentication

    Hello All,
    We are already using the OBIEE for 2 of the applications and currently we are using repository authentication(Creating users and groups in the rpd).
    Here are what we are planning to do
    1. Deploy OBIEE using weblogic application server (This would be our first preference. But could not find any oracle official documentation about the possibility of deploying obiee on weblogic.). Please let me know if anyone successfully deployed obiee on weblogic. If so, please provide the documentation.
    2.If the first option is not possible, we are planning to use LDAP authentication.I have been reading the OBIEE administrator guide about LDAP authentication.
    I do have the following questions about both the procedures
    1. How the group permissions would work.
    EX: For some of the users, we gave just read only access to dashboard 1, noaccess to dashboard2 and full access to dashboard3.Now i can do it by creating security groups and apply the settings to these users.
    How can i achieve the same using ldap authentication?
    Please advise.
    Thanks in advance.

    I expected that could be a way to only redefine the User class, implementing a
    custom realm is much more work. I will consider directly accessing the database/LDAP.
    Thank you anyway.
    "Tom Moreau" <[email protected]> wrote:
    >
    David,
    The only way I know how to do this is:
    1) write your own security realm that creates
    users containing all the info you desire.
    That is, a realm derives its own user class
    so you're free to derive a class and add all
    the fancy stuff you require.
    The current RDBMS and LDAP realms don't
    put the info you desire into the user objects
    they create.
    2) in your servlet, get the authenticated user,
    then get the user's name from it, then use
    Realm.getRealm().getUser() passing in that name.
    This will get you the user out of your realm.
    3) cast this user to the user class that your realm
    created and use the info that your realm put in it.
    This is probably a lot of work - might be simpler for
    you to lookup the user in LDAP/your database directly.
    -Tom
    "David Ruana" <[email protected]> wrote:
    I use the Security.getCurrentUser() function from my servlets and EJBs in order to get the username of the authenticated user in the Weblogic realm.
    I wonder whether it is possible to add new attributes to the User object which I get from the Security.getCurrentUser() call.
    Suppose the User info is stored in an ODBC or LDAP realm. Besides the username and password, other attributes may be stored in the ODBC table or LDAP record.
    During authentication, Weblogic accesses the ODBC table or LDAP record in order to check that username exists and the password is correct. Could it be possible at that time to get that extra attributes and assign them to the User class (or some subclass of the User class)?
    What java classes must be redefined in Weblogic in order to accomplish that?
    Any suggestions would be appreciated.

  • SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

    One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
    Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
    I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
    In the Membership provider name text box I entered "LdapMember"
    In the Role provider name  text box I entered "LdapRole"
    In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="((ObjectClass=group)"
    userFilter="((ObjectClass=person)"
    scope="Subtree" />
    </providers>
    </roleManager>
    I modified the SecurityTokenServiceApplication web.config with these details
    <system.web>
    <membership>
    <providers>
    <add name="LdapMemebr"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true">
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    </system.web>
    I modified the web.config of the test application I created with these details
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="cn"
    dnAttribute="dn"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    <membership defaultProvider="i">
    <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    useDNAttribute="true"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me an error.
    The server could not sign you in. Make sure your user name and password are correct, and then try again.
    I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
    8306 - SharePoint Foundation - The security token username and password could not be validated.
    in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
    then this:
    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
    The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
    The LDAP server tells the SharePoint server it is ready to communicate
    the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
    The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
    The LDAP server sends notification that it is done and is closing the connection that was bound to the ldapserviceid+password
    The SharePoint server acknowledges the connection is closing
    ... and then nothing happens, except the error on SharePoint
    What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account specified in the web.config). That part does not seem to be happening.
    I am at a standstill on this and any help would be greatly appreciated.

    OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item for enabling Forms Based Authentication:
    "ASP.NET Membership provider name"
    "ASP.NET Role manager name"
    We entered a name for Membership provider, and left Role manager blank.
    In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword="validpassword"
    useDNAttribute="false"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager>
    <providers>
    </providers>
    </roleManager>
    useDNAttribute="false" turned out to be important as well.
    So, for us to get LDAP authentication working between SharePoint 2010 and Novell eDirectory, we had to:
    - leave anything related to the role provider blank
    - configure the web.config in three different applications, with the proper connection information to reach our Novell eDir
    - ensure that useDNAttribute="false" was used in all three of the modified web.config files.
    Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from a non-existent role manager.

  • How to get user attributes from LDAP authenticator

    I am using an LDAP authenticator and identity asserter to get user / group information.
    I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
    Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
    Any help would be appreciated

    Hi Julián,
    in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
    A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
    Hope it helps
    Detlev

  • How to use two different LDAP authentication for my Apex application login

    Hi,
    I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
    cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
    cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
    The problem is I couldn't point out both the groups in DN string, I am trying to allow both usergroups to access the application.
    Does anyone know how to define both the group in LDAP DN String ?.
    Thanx in advance
    Vijay.

    Vijay,
    I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
    Scott

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with its own separate Host IP/Server, and LDAP DN String. The User ID is formatted the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
    I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL -
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on prior post I had similar question and the result was to write custom auth scheme to read the values from the login page, perform auth against appropriate ldap, then return a valid session to proceed with login in apex app. In our case, the issue was having users in different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain, maybe would even have to multiple apps with just a login page and then redirect to the main app... been a really long time since i've tried anything like it, just giving some options to try.

  • LDAP Authentication Scheme - Multiple LDAP Servers?

    How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
