OID External Authentication issue

Hi..
I have configured a synchronization profile to import users from TDS to OID using DIP, but it does not work as the change log is not enabled on the TDS side.
Now I have configured the External Authentication Plugin and I created the same users in TDS and also in OID, but external authentication does not work.
Can you please point out if I am missing some point, or is a synchronization profile a must for External Authentication?
Find the product version details -
OID 11.1.1.6
Tivoli Directory Server 6.1
Regards
Santosh
Edited by: user601746 on Jan 8, 2013 1:02 AM

Got the solution.
I used bootstrap loading to create users from TDS to OID, then configured external authentication.. works fine... :)

Similar Messages

  • Essbase 6.5 External Authentication Issue!! Urgent Please!!

    Hi all,
    I am in great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
    I am in a situation where I need to get my Essbase 6.5 external authentication converted from LDAP to Active Directory services.
    I suppose the necessary changes have been made to the .cfg file for the same. However, I think I am getting an error
    "User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
    Please let me know if you have come across such an issue earlier and if anybody is able to help me with the same.
    It's kinda urgent, so any replies for the same will be appreciated.
    Thanks and Regards,
    Vikram

    Vikram,
    Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
    Here is the Sample CSS
    <spi>
              <provider>
                   <msad name="full360">
                        <trusted>false</trusted>
                        <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
                        <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
                        <password>full@360</password>
                        <authType>simple</authType>
                        <identityAttribute>dn</identityAttribute>
                        <maxSize>1000</maxSize>
                        <user>
                             <loginAttribute>sAMAccountName</loginAttribute>
                             <nameAttribute>dn</nameAttribute>
                        </user>
                        <group>
                             <nameAttribute>cn</nameAttribute>
                             <objectclass>
                                  <entry>group?member</entry>
                             </objectclass>
                        </group>
                   </msad>
              </provider>
    </spi>
    Download this tool "http://www.ldapbrowser.com/download.htm"
    LDAP browser to get the perfect DN information.
    Let me know the status
    Ravikant

  • OID External Authentication Plugin - Conceptual question

    Hi-
    Does anyone know the answer to this: If I enable the External Authentication Plugin for OID (to AD) does that mean that if I have any accounts in OID which do not exist in AD, they won't be able to authenticate?
    Also, if anyone knows of some conceptual documentation on this, please let me know. All I could find was how to install it, but not how it works. (do I need to match users on CN or uid or what?)
    Thanks

    Hi,
    Once you are done with user account synchronization successfully using the dipassistant tool from eDirectory to OID. In order to update/flush the passwords of the user accounts that are synchronized to OID, in such a case the OID eDirectory External Authentication plugin will be used (oidspediri.sh file), located under <ORACLE_HOME>ldap/admin. Provide the necessary eDirectory details.
    Regards,
    ABP

  • OID external authentication - having trouble excuting oidspadi.sh

    Hi all,
    I am setting up External Authentication for OID, and have trouble with it. My version is Oracle application server infrastructure 10.1.2 (OID 10.1.2) on windows.
    hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
    $ export ORACLE_HOME="E:\oracle\OraInfra"
    hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
    $ sh oidspadi.sh
    oidspadi.sh: line 28: $'\r': command not found
    oidspadi.sh: line 38: $'\r': command not found
    oidspadi.sh: line 43: $'\r': command not found
    oidspadi.sh: line 47: $'\r': command not found
    oidspadi.sh: line 51: $'\r': command not found
    oidspadi.sh: line 58: $'\r': command not found
    oidspadi.sh: line 59: $'\r': command not found
    oidspadi.sh: line 60: $'clear\r': command not found
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    oidspadi.sh: line 67: $'\r': command not found
    oidspadi.sh: line 70: $'\r': command not found
    oidspadi.sh: line 103: syntax error near unexpected token `fi'
    'idspadi.sh: line 103: ` fi
    Edited by: Hailie on Jan 16, 2009 8:05 AM
    Edited by: Hailie on Jan 16, 2009 8:45 AM
    Edited by: Hailie on Jan 16, 2009 11:32 AM

    After I removed all the blank lines in oidspadi.sh:
    hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
    $ sh oidspadi.sh
    oidspadi.sh: line 53: $'clear\r': command not found
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    oidspadi.sh: line 91: syntax error near unexpected token `fi'
    'idspadi.sh: line 91: `fi
    Thank you for your help.
    Hailie
    Edited by: Hailie on Jan 16, 2009 8:43 AM
    Edited by: Hailie on Jan 16, 2009 8:46 AM
    Edited by: Hailie on Jan 16, 2009 11:36 AM

  • PHP external authentication issue

    Trying to log in to an AFCS connection using external authentication.
    The PHP file generates a key correctly and everything seems to be fine up until I get to using the key inside Flex.
    At the login stage I get the following error in the console trace from the library login call.
    As far as I can tell everything is right... how can I tell what is wrong with the authentication key?
    AFCS Beta Build # : 1.1
    requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmF jcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY 2Qx&mode=xml&x=0.2519759591668844
    #THROWING ERROR# bad authentication key

    There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion ?) and you are using a full URL instead of the room name.
    If you want more details send me a private message, but you should check the way you call the get authentication token method.

  • Hyperion Hub external authentication issue

    I have Hyperion Hub installed in an Active Directory domain - the users still live in a NT4 domain (we are in the midst of a migration). I have set up trusts between the two domains. We have been utilizing external authentication with Hyperion Reports in this environment for several months. With Hyperion Hub I have set up two authentication providers, one for Active Directory (NTLM) and one for NT4 (NTLM). When adding users in the Hyperion Configuration Console using the provider for NT4, I am only able to pull up users in the "Available Users" list if I have a '*' in the search box. If I try to perform a query of a subset of users (i.e. 'g*') it returns nothing. The provider for Active Directory works correctly. Also, with both of the providers I am unable to pull up a full list of available users - even when setting the "Maximum Size" to a large number. Has anyone else come across this???
    Greg

    I would suggest you set autoLogin="false" on rtc:ConnectSessionContainer and call cSession.login() when you are ready (you got the token and have everything set up).
    I suspect the automatic login is getting executed before the AdobeHSAuthenticator has been correctly setup.

  • OID External Authentication Plug-in and OVD

    Hello, ppl.
    I have successfully installed AD, OVD (11g), OID (10g), and BI Publisher with SSO (10g).
    When I synchronize AD -> OID and use the External Auth Plug-in, synchronized users can successfully log in to BI Publisher.
    When I synchronize AD -> OID through OVD and use the External Auth Plug-in which looks in the AD, synchronized users can successfully log in to BI Publisher.
    But when I synchronize AD -> OID through OVD and switch the External Auth Plug-in from AD to OVD, synchronized users cannot log in to BI Publisher.
    How can I use the External Auth Plug-in with OVD? Does anyone have a solution?
    In the future, OVD can contain multiple forests from ADs; now AD has one forest (dc).
    Help :)
    Thanks.
    Jeff.

    I wrote a custom plug-in for OVD.
    When a user binds, the log is written...
    OVD bind commands:
    1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
    ldap_bind: Invalid credentials
    2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
    bind successful
    3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
    ldap_bind: Invalid credentials
    AD bind commands:
    1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
    bind successful
    2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
    bind successful
    In my log file for the OVD bind commands, only the second and third commands are written.
    Does anyone know why the first command did not bind and why it was not logged?
    public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
        // pre bind
        try {
            chain.nextBind(creds, dn, password, result);
        } catch (DirectoryException e) {
            // nextBind threw: record the DN of the failed bind
            try {
                FileWriter out = new FileWriter("c://mylogs//bind_error.txt");
                out.write("bind: " + dn.toString());
                out.close();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
        }
        // post bind
        try {
            FileWriter out = new FileWriter("c://mylogs//bind.txt");
            out.write("bind: " + dn.toString());
            out.close();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
        ...

  • OID external authentication plugin for edirectory

    How do I get more info on, or has anyone managed to, add a plugin to OID to enable external authentication to eDirectory?
    Please add insight to this, if you have this experience.
    Thanks

    Hi,
    Once you are done with user account synchronization successfully using the dipassistant tool from eDirectory to OID. In order to update/flush the passwords of the user accounts that are synchronized to OID, in such a case the OID eDirectory External Authentication plugin will be used (oidspediri.sh file), located under <ORACLE_HOME>ldap/admin. Provide the necessary eDirectory details.
    Regards,
    ABP

  • External Authentication issue

    Hi All
    In Shared Services I have 'Configured User directories' with the SQL Server database. I could connect and get all the users from SQL Server. I can see that there are items under User Directories: 1. Native Directory 2. SQL Server. The search order is also set. I have restarted the Shared Services. Now how can I make use of the SQL Server users?
    From Console I have done the "Externalize users" for Essbase server. I have refreshed the security from Shared Services.
    Now I should be able to log in to the console using the SQL Server users, isn't it? How can I do that? How can I use the SQL Server users to log in to EAS and Essbase server? I also provisioned the SQL Server user in Shared Services and have given the Administrator privileges to Analytic server.
    Please help me.

    Hi,
    1. As you see the newly added "user directory", it must be added properly. But to reconfirm your configuration of the SQL Server user directory, do test it (there is an option to "test" it when you go to 'use directory' within Shared Services).
    2. After you added it, you said that you restarted Shared Services. But when you configure a new user directory, I would recommend you restart Shared Services along with the other application-related services (like Essbase, Planning).
    3. Now, if you want to use the users of the newly configured user directory, search for the user in the directory and assign the roles/privileges. Then try to log in to the systems (Shared Services, Planning or Essbase, etc.).
    Revert for further clarity.
    Sandeep Reddy Enti
    HCC
    http://hyperionconsultancy.com/

  • AD External Authentication Plug-In verification issue

    We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
    1) I completed the bulk load of all the existing users from AD to OID successfully
    2) completed enabling the synchronization profile
    3) Ran the txkrun.pl successfully
    4) However I wanted to check the External authentication plug-in and I get the below issue.
    How to debug ldapcompare ? Where is the logfile for ldapcompare ?
    ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
    The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
    An ldapbind on the same AD server is successful, but ldapcompare is failing.

    I get invalid credentials, though the network password is correct. I feel it's somewhere I messed up the 3rd party plug-in configuration. Is there a method to get debug information for the ldapcompare command?
    From metalink NOTE : 277382.1
    "When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
    If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
    "

  • OID 10.1.4 and external authentication (AD)

    Has anyone gotten this to work with MS Active Directory? We were able to sync the AD users with OID, but have not been able to authenticate them. As long as they have their passwords stored in OID, it works, but we do not want to maintain the password syncing between AD and OID. We want to do external authentication.
    Anyone who has gotten this to work in 10.1.4 (using the java plugins), please respond with any secrets or methods you have used to get this to work.
    Thank you.
    Shirley

    I got the java plugins working here. The configuration is not a big deal. I still have not implemented SSL though, so I didn't have to issue certificates.
    Configuration is easier than on version 10.1.2, as all the plugin parameters are available on oidadmin.
    I have two problems that remain unfixed.
    One is on AD. Since we have several domain controllers, when the user changes his password in Windows the change is done on whatever domain controller the user connected to when logging on to Windows, and it sometimes takes a long time for this to be replicated to the domain controller that is configured on the plugin. So the user cannot use SSO for a few hours. Sometimes he can log on with the old password, sometimes even with both passwords (the old and the new one). I want to make clear that this is a Microsoft AD problem that reproduces even with simple tools like ldapbind.
    The other is the plugin failover; it is still broken like it was on 10.1.2. Authentication attempts always try the primary domain controller and wait for an operating system timeout before trying the secondary. So if the PDC is down, it takes several minutes for the authentication process to complete, which is very annoying, as no user waits on a browser screen for several minutes, and usually keeps trying until all oidldapd backend processes hang. It is a little better than 10.1.2. That version was so dumb that it tried two connections before giving up and going to the secondary, even if you did not set up SSL.
    For this last one the recommendation on metalink is to put a loadbalancer in front of the domain controllers and configure the plugin to connect to it.
    Regards,
    Luis

  • External authentication with OID

    I know that OID 10g is capable of performing external authentication against AD, Sun OneDirectory, Novell eDirectory and openLDAP, but what about something else like Oracle Virtual Directory?
    As I understand, there is an out of the box script that will create an external authentication plugin that calls a few procedures from the auth_external package. The auth_external package is also an out-of-the-box package with a few procedures (authenticate_user and change_passwd) I've seen so far. I haven't looked in the ODS schema, but I'm assuming this auth_external package is wrapped and not generally viewable.
    Anyone out there have any ideas, how this auth_external package works, or better yet... does anyone know if the out-of-the-box solution for external authentication will work with any LDAP directory (in this case a virtual one)?
    Thanks.

    Can someone from Oracle please comment on this? is "AUTH_EXTERNAL" package "out of box" or do we have to write it?
    I am following instructions from
    http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_cust_ext_auth.htm
    LINE/COL ERROR
    143/9 PL/SQL: Statement ignored
    143/19 PLS-00201: identifier 'AUTH_EXTERNAL.AUTHENTICATE_USER' must be
    declared
    241/11 PL/SQL: Statement ignored
    241/11 PLS-00201: identifier 'AUTH_EXTERNAL.CHANGE_PASSWD' must be
    declared
    251/11 PL/SQL: Statement ignored
    251/11 PLS-00201: identifier 'AUTH_EXTERNAL.RESET_PASSWD' must be
    declared
    LINE/COL ERROR
    -------- -----------------------------------------------------------------

  • User authentication issues when auth by external radius server

    We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
    ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
    When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
    The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
    No site added as it's an internal IP address....


  • Oracle Virtual Directory vs. Oracle External Authentication Plug-in

    I am working in Windows 2003 Server platform and I have Oracle Portal 10g R2 with Oracle Single Sign On 10g R2 setup. I also have Microsoft Active Directory setup. I want to use Microsoft Active Directory users from Oracle Portal and as per my understanding I could use Oracle External Authentication Plug-in or Oracle Virtual Directory for this purpose. I would like to use Oracle Virtual Directory if possible. Could someone please tell me if I could use Oracle Virtual Directory or not?
    Thanks.

    Yeah, I could use Oracle External Authentication Plug-in, but I am having issues with running the oidspadi.sh script on my Windows 2003 server environment. I am running this script using Cygwin's latest software, but for some reason I get the following error message.
    : command not found8:
    : command not found8:
    : command not found3:
    : command not found7:
    : command not found1:
    : command not found8:
    : command not found9:
    : command not found0: clear
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    : command not found7:
    : command not found0:
    oidspadi.sh: line 103: syntax error near unexpected token 'fi'
    'idspadi.sh: line 103:' fi
    Therefore, I was trying to find an alternative solution, which will be using Virtual Directory. Right now, I have installed Oracle Virtual Directory on my testing system and I have both Active Directory server and OID server part of LDAP Browser. My goal is to using Oracle Portal to log-in and first look for the user in OID if not found then look in Active Directory. Can this be accomplished using Oracle Virtual Directory?
    Please let me know.

  • Error while Configuring AD external authentication plug in

    Hi
    While configuring Active directory external authentication plug I am getting following error
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    Please enter Active Directory host name: clmad101.ad.company.com
    Do you want to use SSL to connect to Active Directory? (y/n) n
    Please enter Active Directory port number [389]: 389
    Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
    Please enter ODS password:
    Please enter confirmed ODS password:
    Please enter OID host name: md61nthiims1.ad.company.com
    Please enter OID port number [389]: 389
    Please enter orcladmin password:
    Please enter confirmed orcladmin password:
    Please enter the subscriber common user search base [orclcommonusersearchbase]:
    CN=Users,dc=ad,dc=company,dc=com
    Please enter the Plug-in Request Group DN:
    Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
    ectclass=orcladuser))(cn=orcladmin))
    Do you want to setup the backup Active Directory for failover? (y/n) n
    Installing Plug-in Packages ...
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Registering Plug-ins ...
    adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    Done.
    Is there anything wrong in the DB connect string??
    Thanks

    Did you check the debug information from the external auth plugin?
    This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
    here an excerpt:
    D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
    ...enable the plug-in debugging. To do this, enter:
    > sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
    To check the plug-in debugging log, enter:
    > sqlplus system/manager
    SQL> select * from ods.plg_debug_log order by id;
    (To delete the plug-in debugging log:
    > sqlplus system/manager
    SQL> truncate table ods.plg_debug_log
    To disable the plug-in debugging:
    > sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
    E) Dump the plug-in profile to make sure it is enabled and configured correctly:
    > ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
    Please also take a look at the DIPTESTER tool available in
    http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
    regards
    --Olaf
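
A check for the plug-in profile dump from step E, as an added example (not code from the metalink note or from Oracle): it parses the LDIF and flags plug-in entries that are not enabled or whose exception-entry filter is structurally malformed, such as the one typed in the question above. The attribute names `orclpluginenable` and `orclpluginentryproperties` are assumed from OID's plug-in schema, and the sample LDIF is constructed.

```python
import base64
import re

PLUGIN_BASE = "cn=plugin,cn=subconfigsubentry"

# Constructed sample in the shape of the step E dump (not real server output).
# orclpluginenable / orclpluginentryproperties are assumed OID plug-in attributes.
SAMPLE_LDIF = "\n".join([
    "dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry",
    "orclpluginenable: 1",
    "orclpluginentryproperties: (!(objectclass=orcladuser))",
    "",
    "dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry",
    "orclpluginenable: 0",
    # The exception filter exactly as typed in the question, folded LDIF-style.
    "orclpluginentryproperties: (|(!objectclass=orcladuser))(cn=orc",
    " ladmin))",
])


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def filter_problems(flt):
    """Return structural problems in an LDAP search filter (shape only)."""
    problems = []
    if not flt.startswith("("):
        problems.append("filter does not start with '('")
    # '&', '|' and '!' take parenthesised filters as operands.
    for m in re.finditer(r"\(([&|!])(?!\()", flt):
        problems.append(
            f"'{m.group(1)}' at column {m.start(1) + 1} is not followed by '('")
    depth = 0
    for col, ch in enumerate(flt, start=1):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at column {col}")
                return problems
            if depth == 0 and col < len(flt):
                problems.append(f"filter closes at column {col} but text follows")
                return problems
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    return problems


def check_plugin_profile(ldif_text):
    """Map each plug-in entry DN to its findings (empty list = nothing flagged)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0].lower()
        if not dn.endswith("," + PLUGIN_BASE):
            continue  # skip the container entry and anything outside it
        findings = []
        enabled = entry.get("orclpluginenable", [])
        if enabled != ["1"]:
            findings.append(f"plug-in is not enabled (orclpluginenable={enabled})")
        for flt in entry.get("orclpluginentryproperties", []):
            findings += [f"exception filter {flt!r}: {p}"
                         for p in filter_problems(flt)]
        report[dn] = findings
    return report


if __name__ == "__main__":
    for dn, findings in check_plugin_profile(SAMPLE_LDIF).items():
        print(dn, "->", findings or "OK")
```

Feed it the saved output of the step E `ldapsearch` command in place of `SAMPLE_LDIF`.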
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
