OID external authentication plugin for edirectory

Similar Messages

• OID External Authentication Plugin - Conceptual question

  Hi-
  Does anyone know the answer to this: If I enable the External Authentication Plugin for OID (to AD) does that mean that if I have any accounts in OID which do not exist in AD, they won't be able to authenticate?
  Also, if anyone knows of some conceptual documentation on this, please let me know. All I could find was how to install it, but not how it works. (do I need to match users on CN or uid or what?)
  Thanks

  Hi,
  Once you are done with user accounts synchorinzation successfully using dipassistant tool from edirectory to OID. Inorder to update/flush the user accounts password that which are synchronized to OID, in such case OID eDirectory External Authenctiation plugin will be used (oidspediri.sh file) located under <ORACLE_HOME>ldap/admin. Provide th neccessary eDirectory Details.
  Regards,
  ABP

• OID External Authentication issue

  Hi..
  I have configured synchronization profile to import users from TDS to OID using DIP but it does not work as change log is not enabled on TDS side.
  Now i have configured External Authentication Plugin and i craeted same users in in TDS and also in OID but external authenctication does not work.
  Can you please point out if i missing some point or is synchronization profile is must for External Authentication.
  Find the product version details -
  OID 11.1.1.6
  Tivoli Directory Server 6.1
  Regards
  Santosh
  Edited by: user601746 on Jan 8, 2013 1:02 AM

  Got the solution.
  I used bootstrap loading to create users from TDS to OID then configure external authentication..works fine... :)

• OID external authentication - having trouble excuting oidspadi.sh

  Hi all,
  I am setting up External Authentication for OID, and have trouble with it. My version is Oracle application server infrastructure 10.1.2 (OID 10.1.2) on windows.
  hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
  $ export ORACLE_HOME="E:\oracle\OraInfra"
  hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
  $ sh oidspadi.sh
  oidspadi.sh: line 28: $'\r': command not found
  oidspadi.sh: line 38: $'\r': command not found
  oidspadi.sh: line 43: $'\r': command not found
  oidspadi.sh: line 47: $'\r': command not found
  oidspadi.sh: line 51: $'\r': command not found
  oidspadi.sh: line 58: $'\r': command not found
  oidspadi.sh: line 59: $'\r': command not found
  oidspadi.sh: line 60: $'clear\r': command not found
  OID Active Directory Plug-in Configuration
  Please make sure Database and OID are up and running.
  oidspadi.sh: line 67: $'\r': command not found
  oidspadi.sh: line 70: $'\r': command not found
  oidspadi.sh: line 103: syntax error near unexpected token `fi'
  'idspadi.sh: line 103: ` fi
  Edited by: Hailie on Jan 16, 2009 8:05 AM
  Edited by: Hailie on Jan 16, 2009 8:45 AM
  Edited by: Hailie on Jan 16, 2009 11:32 AM

  After I removed all the blank lines in oidspadi.sh:
  hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
  $ sh oidspadi.sh
  oidspadi.sh: line 53: $'clear\r': command not found
  OID Active Directory Plug-in Configuration
  Please make sure Database and OID are up and running.
  oidspadi.sh: line 91: syntax error near unexpected token `fi'
  'idspadi.sh: line 91: `fi
  Thank you for your help.
  Hailie
  Edited by: Hailie on Jan 16, 2009 8:43 AM
  Edited by: Hailie on Jan 16, 2009 8:46 AM
  Edited by: Hailie on Jan 16, 2009 11:36 AM

• URGENT help required : Custom Authentication Plugin for validation of users

  Hi Experts.
  I'm a newbie and am stuck in middle of nowhere.
  I have been asked to develop a custom authentication plug-in which would validate a user using the attributes such as a userid and a shared-userid.
  shared-userid is just a custom id that would be generated on the basis of some logic.
  Currently I'm using OAM 10.1.4.3.0 on WINDOWS server and as everybody, I'm also not able to find any sample files or sample folder structure.
  As per one of the other threads https://forums.oracle.com/forums/thread.jspa?messageID=3838474, sample code and sample folders are removed from this particular version and were present in some previous version.
  So, can anyone please help me out with the following:
  1. How can I proceed to accomplish this task, i.e. to check whether a user-id and a shared-userid both are validated and a user is granted access.
  2. Are all of these files required to create a custom authentication plug-in or can we proceed only with the ".c" file (i.e. make file, authn.c, and a dll file made using the make file and .c file)
  3. Can anybody provide me with a sample file or a sample code written in "C" wherein the plug-in connects to the LDAP and searches for a particular dn for comparison or something. Also a sample make file for windows to convert the .c file to .dll.
  PLEASEEEE help me ASAP.
  Regards
  Edited by: 805912 on Nov 15, 2011 7:18 PM

  Hi,
  Regarding question 2, you also need the header file is supplied in the Access Server installation directory, under ...access\oblix\sdk\authn_api and is called authn_api.h. you need this to build the dll which must then be placed in the Access Server's ...\access\oblix\lib directory.
  Regarding question 3, if you install an earlier version of the Access Server, ie 10.1.4.2 or less, then you will get a \access\oblix\sdk\authentication\samples\authn_api directory that contains a basic sample authentication plugin. However, there is still documented in the 10.1.4.3 Developer Guide another sample plugin, simplapi.c, in the 10.1.4.3 Developer Guide with instructions on how to use it. It does work, but unfortunately requires a couple of edits to get it working after copy&pasting it (no code changes, just fairly obvious case changes eg changing ObanPlugin* to ObAnPlugin*). I used the following commands to get it to compile into a .so file on unix:
  g++44 -c -fPIC -Wno-deprecated -m32 simpleapi.c
  g++44 -shared -nostdlib -lc -m32 simpleapi.o -o simpleapi.so
  but I really would not know if or how these translate into a Windows environment.
  Regards,
  Colin
  Edited by: ColinPurdon on Nov 15, 2011 2:50 PM

• OID External Authentication Plug-in and OVD

  Hello, ppl.
  I have success installed AD, OVD(11g), OID(10g), and BI Publisher with SSO (10g).
  When i synchronize AD -> OID, and use External Auth Plug-in, synchronized users can success login to BI Publisher.
  When i synchronize AD -> OID through OVD, and use External Auth Plug-in which look in the AD, synchronized users can success login to BI Publisher.
  But when i synchronize AD -> OID through OVD, and switch External Auth Plug-in from AD to OVD, synchronize users can not login to BI Publisher.
  How can i use External Auth Plug-in with OVD, did any one have solution?
  In the future, OVD can contains multiple forests from AD's, now AD have one forest(dc).
  Help :)
  Thanks.
  Jeff.

  I write custom plug-in for OVD.
  When user bind, then log write...
  OVD bind command's
  1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
  ldap_bind: Invalid credentials
  2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
  bind successful
  3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
  ldap_bind: Invalid credentials
  AD bind command's
  1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
  bind successful
  2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
  bind successful
  In my log file for OVD bind command's, just second and third command written.
  Did any one know, why first command not binded and why not logged?
  public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
  //pre bind
  try {
  chain.nextBind(creds, dn, password, result);
  } catch (DirectoryException e) {
  try {
  FileWriter out = new FileWriter("c://mylogs//bind_error.txt");
  out.write("bind: " + dn.toString());
  out.close();
  } catch (IOException ioe) {
  ioe.printStackTrace();
  //post bind
  try {
  FileWriter out = new FileWriter("c://mylogs//bind.txt");
  out.write("bind: " + dn.toString());
  out.close();
  } catch (IOException ioe) {
  ioe.printStackTrace();
  ...

• External authentication with OID

  I know that OID 10g is capable of performing external authentication against AD, Sun OneDirectory, Novell eDirectory and openLDAP, but what about something else like Oracle Virtual Directory?
  As I understand, there is an out of the box script that will create and external authentication plugin that calls a few procedures from the auth_external package. The auth_external package also an out-of-the-box package with a few procedures (authenticate_user and change_passwd) I've seen so far. I haven't looked in the ODS schema, but I'm assuming this auth_external package is wrapped and not generally viewable.
  Anyone out there have any ideas, how this auth_external package works, or better yet... does anyone know if the out-of-the-box solution for external authentication will work with any LDAP directory (in this case a virtual one)?
  Thanks.

  Can someone from Oracle please comment on this? is "AUTH_EXTERNAL" package "out of box" or do we have to write it?
  I am following instructions from
  http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_cust_ext_auth.htm
  LINE/COL ERROR
  143/9 PL/SQL: Statement ignored
  143/19 PLS-00201: identifier 'AUTH_EXTERNAL.AUTHENTICATE_USER' must be
  declared
  241/11 PL/SQL: Statement ignored
  241/11 PLS-00201: identifier 'AUTH_EXTERNAL.CHANGE_PASSWD' must be
  declared
  251/11 PL/SQL: Statement ignored
  251/11 PLS-00201: identifier 'AUTH_EXTERNAL.RESET_PASSWD' must be
  declared
  LINE/COL ERROR
  -------- -----------------------------------------------------------------

• External Authentication Solution?

  I am looking for an external authentication solution for Web AS (ABAP Specifically but the whole AS would be preferable)
  i.e. Our External Authetication system sits in front of SAP that does Auth then passes username in a HTTP Header to SAP..
  So far we have these previous solutions
  1. SAP WAS Java -> Using Header Authenticaion Module
  2. SAP Netweaver -> Using ITS Standalone configured for PAS and SNC
  So For SAP Web AS We need to do this for the ABAP side of things and I from what I can gather from the documentation the only mechanism to do this is to either :
  a) use ITS Standalone in front of the SAP Web AS ABAP or,
  b) use the current J2EE solution using Header Authentication Module.???
  Now we cannot install ITS Standalone so that is out it is then up to the J2ee solution.
  My question is : The documentation refers to Integrated Java -> Does this mean that the Java is installed by default? or does it have to be installed separately?
  I have installed the Web AS Preview Installation (ABAP) 2004s  but I've put it in this forum as it's more general type concept question
  Ideally we'd like to have an ICM SSO solution so that we just deal with one point but I don't know if this is possible?

  Raff,
  Thank you for your reply.  We checked with our server configuration and it does appear to have OpenSSL enabled.
  extension=openssl.so
  Apache Version
  Apache/2.2.11 (Unix) PHP/5.2.9 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.7m mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7
  Other than the original apache error log message, we are not  getting any error messages in the php error log to indicate a problem.  I am making the call from an https://URL  with a valid certificate.  I get the same error message as before. 

• External authentication using Headervariable

  Hi SAP Experts
  We have configured External authentication for WEM using Headervariable.We are using BI Java 7.0
  External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirect to http://<J2EE hostname>:<port #>/irj
  As you all know that we also use http://<J2EE hostname>:<port #> for Administation point of view where many options available like user management, SLD, Webdynpro, NetWeaver Administation etc.We have not configured this URL for External Authentication  and also do not want to configure but when tyring to access any administration option on this, portal prompts default logon page and after entering Portal UserID/Password we get message like " No Loginmodules configured for Header"
  I do not know why system display this message
  Please help me if anyone has experience to resolve this issue, as we want to use URL http://<J2EE hostname:<port #>, which should prompts Portal Logon screen and after entering Portal userid/password we should access the administration screen without afftecting our External Authentication configuration for URL http://<WEb Server host>/irj
  Thanks in Advance
  Thanks with Regards
  Deelip Kumar

  Hi Deelip,
  my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, wich references a login stack called header. This login stack template does not exist as a default.
  In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm">here</a> and<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm">here</a> for example.
  If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
  For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
  Regards,
  Patrick

• OID 10.1.4 and external authentication (AD)

  Has anyone gotten this to work with MS Active Directory? We were able to sync the AD users with OID, but have not be able to authenticate them. As long as they have their passwords stored in OID, it works, but we do not want to maintain the password sync'ing between AD and OID. We want to do external authentication.
  Anyone who has gotten this to work in 10.1.4 (using the java plugins), please respond with any secrets or methods you have used to get this to work.
  Thank you.
  Shirley

  I got the java plugins working here. The configuration is not a big deal. I still not implemented SSL though, so I didnt had to issue certificates.
  Configuration is easier than on version 10.1.2, as all the plugin parameters are available on oidadmin.
  I have two problems that remain unfixed.
  One is on AD. Since we have several domain controllers, when the user changes his password in Windows the change is done on whatever domain controller that the user connected to when logging on windows, and it sometimes takes a long time for this to be replicated to the domain controller that configured on the plugin. So the user cannot use SSO for a few hours. Sometimes he can logon with the old password, sometimes even with both passwords (the old and the new one). I want to make clear that this is a Microsoft AD problem, that reproduces even with simple tools like ldapbind.
  The other is the plugin failover, it is still broken like it was on 10.1.2. Authentication attemps always try it the primary domain controller, and wait for a operating system timeout before trying the secondary. So if the PDC is down, it takes several minutes for the authentication process to complete, which is very annoying, as no user waits on a browser screen for several minutes, and usually keeps trying until all oidldapd backend processes hang. It is a little better than 10.1.2. That version was so dumb that it tried two connections before giving up and going to the secondary, even if you did not setup SSL.
  For this last one the recommendation on metalink is to put a loadbalancer in front of the domain controllers and configure the plugin to connect to it.
  Regards,
  Luis

• OID external plugin to delete a user in OID

  Hi,
  My requirement is that when the value of a attribute (e.g. employeeType) in OID 11g is set to a particular value for a user, then that user in OID should be deleted / disabled automatically.
  Can this be achieved using e.g. OID external plugin ?
  Thanks

  Hi
  <b>There is a standard report available for deleting the BP's, "BUPA_TEST_DELETE"..tcode for the same is "BUPA_DEL".</b>
  Please provide the System version details in next reply ->
  <b>Other approaches -></b>
  1) You can unassign or block this vendor contact person by using transaction code BP. Find out the business partner number of the vendor contact person and go to the status tab in T-code BP for the role vendor in business partner maintanance and click on block business partner. This will ensure that you are unable to select this business partner in the search criteria.
  2) There is a Standard SAP report to delete the Business partner.
  Use Transaction SE38 and execute the report BUPA_TEST_DELETE.
  You can select Business partner or partners and delete.
  3) Either using BBPMAININT (Manage Business Partner - Web Transaction)- Try either - Edit / Delete / Block; this Contact person.
  4) You can do it from transaction USERS_GEN. You can delete and/or assign user from there.
  <b>Related links -></b>
  Re: Central Person already exists
  regarding business partner, central person and organizational unit relation
  Hope this will help. Do let me know.
  Regards
  - Atul

• HT1295 Is it possible to use vst plugins for garageband from an external hard disk? (Without installing to the system hard disk)

  Hi,
  I got my MacBook pro 17" installed a 250GB of SSD as a system disk.
  And i got 4TB of Thunderbolt External Disk.
  The thing that i want is: to use my VST plugins for Garageband or Logic without fulling the system disk. Is it possible use them from an external disk?
  Thnx

  Garageband can't use VST plugins.
  If you're talking about AUs: you could try to put an alias into the HD/Library/Audio/Plug-Ins/Components folder instead of the actual files, and see if GB loads them.

• External authentication for Essbase 7.1.6.

  Hi all,
  We are trying to set up external authentication for Essbase 7.1.6. We have a customized version of Essbase which does not use DLL. we do not have a Hyperion Hub or any CSS set up. All we have is an authentication module from the vendor to be used instead of the DLL. As per the documents provided to us all we have to do is change the cfg file to include the AUTHENTICATIONMODULE setting. Does anyone has any experience with this? What all parameters do we need to pass to Active Directory for this to work? Please help.
  Thanks.
  Vish.

  You could create a maxl script that replaces the filters, when you call the maxl script you could pass in a variable such as YR08 and use that variable in the script.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Hyperion Hub Required for External Authentication?

  Need to use external authentication for three products, Essbase 7.1.2, Analyzer and Reports. Do you have to use Hyperion Hub?

  Also, can you use mixed mode, some users using Essbase Native and some using Active Directory or a combination of Active Directory and NTML?

• Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

  Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-
  Has anyone seen this before and might know the answer? Any suggestions? Thanks!
  I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
  Everything works fine when I use a particular UPN suffix to login to the RSA Securid Login form that is presented, eg. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory, (eg. [email protected]), the credentials are rejected. This happens before the secuirid.pl script even gets a chance to run. After hitting "POST" the user is present with the same login screen he was just at, as expected during an authentication failure.
  More info:
  - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
  - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
  - I am not using SSL in any of this yet, it's all http://
  - yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "login can fail if the Login Attribute Contains an "@" Character in Integration Guide Troubleshooting section
  - here's an example of the settings in rsa securid authentication scheme:
  action:/OracleAccessManager/securid-cgi/securid.pl
  form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
  creds:login password domain newpin newpin2
  passthrough:yes
  authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
  credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
  Environment:
  OAM 7.0.4.3
  RSA Ace Server 5.2
  Windows 2003 domain with multiple UPNs defined in Active Direcory Domains and Trusts
  Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
  Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
  password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
  ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
  ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
  ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
  2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
  \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
  authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
  StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
  Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
  Only error seen in log produced by the RSA agent that sits on the Access server:
  [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
  [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
  [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
  [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
  [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
  [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
  [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
  [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

  What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
  Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
  -Vinod