OIM OES Integration to use LDAP groups for policy making

Hi,
I am trying to make a policy for the OIM application using OES. I want to use my LDAP groups as principals to control access in OIM. How can it be achieved?
Thanks
Edited by: user10660448 on May 21, 2013 1:35 AM

Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
When you have multiple domains, you have a problem with this set-up, as the internal LDAP is coupled to
a specific domain. This means that users you created in one domain are not visible in the other. When using
a separate LDAP that contains the users, you can configure in each domain an authenticator that points
to the LDAP. In this way you can share the users across multiple domains.
When you are planning to use one domain you can stick with the internal LDAP if you want.
An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
which might help you in how to proceed.

Similar Messages

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins") works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which can make it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor
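The DN-with-spaces problem discussed above, as an added illustration that is not part of the original thread and not UCS code: a small RFC 4514 DN parser in Python that compares group DNs component by component instead of as raw strings. It shows that a space inside a value such as `CN=UCS Admins` needs no escaping under RFC 4514, while `CN="UCS Admins"` is the legacy RFC 2253 quoting form, so a matcher that compares raw strings treats the two spellings of the same group as different; whether UCS itself accepts either form is not something this example can tell you.

```python
import re

def _split_unescaped(dn: str) -> list:
    """Split a DN on commas that are neither backslash-escaped nor inside a
    legacy RFC 2253 double-quoted value such as CN="UCS Admins" (the form tried above)."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])            # keep the escape pair for _unescape
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes          # quotes delimit the value; they are not text
        elif c == ',' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append(''.join(buf))
    return parts

def _unescape(raw: str) -> str:
    """Resolve backslash-hex escapes (single-byte only) and backslash-escaped
    specials such as comma, plus, quote and space."""
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)',
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  raw)

def parse_dn(dn: str) -> list:
    """Return [(attribute_type, value), ...] in the order written.
    Multi-valued RDNs (a+b) are not handled; none of the group DNs here use them."""
    rdns = []
    for comp in _split_unescaped(dn):
        typ, _, val = comp.partition('=')
        val = re.sub(r'(?<!\\)\s+$', '', val.lstrip())   # drop unescaped padding only
        rdns.append((typ.strip().lower(), _unescape(val)))
    return rdns

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison only (not a valid DN string): lower-cased types
    and values (cn/ou/dc match case-insensitively), single commas, no padding, no quotes."""
    return ','.join(f'{t}={v.lower()}' for t, v in parse_dn(dn))

def same_group(dn_a: str, dn_b: str) -> bool:
    """True when two group DNs name the same entry despite differences in
    case, padding around commas, or quoting style."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)

if __name__ == '__main__':
    # Constructed sample DNs, including the two spellings mentioned in the thread above.
    plain, quoted = 'CN=UCS Admins,OU=TEST,DC=TEST', 'CN="UCS Admins",OU=TEST,DC=TEST'
    print(same_group(plain, quoted))                          # True
    print(same_group(plain, 'CN=UCSAdmins,OU=TEST,DC=TEST'))  # False
```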

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
    to recognize groups. Here is my weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>channel-role</role-name>
    <principal-name>system</principal-name>
    <principal-name>mygroup</principal-name>
    <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials from the client of a uniquemember, WLS generates a
    security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
    either.
    Any suggestions?
    Thanks
    -Surya

    Yes, it has an impact. You create groups in the Repository and Answers and assign the object-level permissions.
    You populate the Group variable during authentication via the LDAP server. Once you log in with name X, you see the authorized groups in My Account.
    For dashboard A, for group Executive, user X: you have given full access.
    Now you have changed the group name to AD_Executive. When you log in, the variable values would be:
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names, then get the groups from the database using an Init block after authorization.

  • LDAP Group Lookup Policy

    I would like to know if it is possible to set up an inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
    I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a distribution group called Media_Access.
    Does this need to be a distribution group or a mail-enabled security group?
    We are using Active Directory.
    Thanks

    Though you could accomplish this with message filters, my vote would be for using ldap group query with the incoming mail policy. You can have the Media-policy that checks if the recipients are a member of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering by the way.
    Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
    Have you tried to create a policy allowing these file types and checking the recipients using an LDAP group query?
    Then, insert a policy below this (the mentioned above) not allowing these file type for non-group members.

  • OIM 11g high availability - is LDAP required for Weblogic credential store

    Hi all,
    Trying to understand whether we need an LDAP in an HA architecture with [OIM/SOA] - [OIM/SOA/Admin]?
    The HA guide: http://docs.oracle.com/cd/E14571_01/core.1111/e10106/imha.htm#CDEFECJF
    Does not mention this requirement, in fact it specifically says you only need an LDAP if: "only for LDAPSync-enabled Oracle Identity Manager installations and for Oracle Identity Manager installations that integrate with Oracle Access Manager. "
    However I have seen mention of issues with viewing tasks in SOA from OIM:
    How To : ORABPEL-30504: After Oim 11g Installation, Approval Tasks Cannot Be Read Through OIM Console
    stating that when using OIM, SOA and an isolated Admin server, you need to switch to a proper LDAP as a credential and policy store:
    http://docs.oracle.com/cd/E17904_01/core.1111/e12036/net.htm#CIHIDJCC
    "2.4 LDAP as Credential and Policy Store
    With Oracle Fusion Middleware, you can use different types of credential and policy stores in a WebLogic domain. Domains can use stores based on XML files or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on managed servers are not propagated to the Administration Server unless they use the same domain home.
    An Oracle Fusion Middleware SOA Suite Enterprise Deployment Topology uses different domain homes for the Administration Server and the managed server as described in the Section 2.3, "Shared Storage and Recommended Directory Structure." Derived from this, and for integrity and consistency purposes, Oracle requires the use of an LDAP as policy and credential store in context of Oracle Fusion Middleware SOA Suite Enterprise Deployment Topology. To configure the Oracle Fusion Middleware SOA Suite Enterprise Deployment Topology with an LDAP as Credential and Policy store, follow the steps in Section 11.1, "Credential and Policy Store Configuration."
    So which is it, does anyone know?
    Thanks,
    Wayne.
    Edited by: wblacklock on May 17, 2012 6:12 AM

  • Link ECC roles to Portal roles (Portal is using LDAP source for UME)

    Hi all,
    If a user is assigned a certain ECC ABAP role, they should also receive a related portal role.  Our portal is using LDAP.
    If our portal ume source was an ABAP system, I think it would be easy to achieve the ECC to ABAP role linkage.
    We were thinking of developing a UME java webservice and have an ABAP proxy class consume it to allow our abap system to assign the correct portal role, and delete the portal role.
    Any other ideas?

    Rajendra,
    Thx for your reply. Can you provide any more details as to the design of your solution with the web service? We are thinking of running a batch job nightly with some mapping table in ECC to determine what ABAP role should link to the portal group, then call the web service to add the user to the portal group or delete the user from the portal group.
    A second question is...does SAP Identity Manager offer any solution for this type of requirement?
    Thanks

  • OIM-OES integration

    Hi all,
    Can anybody help me with integrating (OIM 11g and OES 11g) or (OAM 11g and OES 11g)? Please provide me with the document that describes the integration steps.
    Thank you.

    Can you give more information on your use case? BTW, you should look at attending OES training; this will give you a good high-level picture as well as hands-on experience.
    Bye,
    Subbu Devulapalli
    My Blog: Authorization for the Real World (http://accessmanagement.wordpress.com/)
    Follow me on Twitter (https://twitter.com/#!/BloggerSubbu)

  • Using LDAP group to authenticate users from inside network to Internet

    Hi team, I got an ASA 5510 version 7.2.3 and I need to authenticate my users from the inside network to the Internet using a security group in the Active Directory. Can anyone help me with this?

    This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
    Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
    PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
    then do some filtering -
    ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

  • Use DSAdd Group for adding several groups at the same time

    Good Afternoon!,
    As is written in my book:
    "By leaving the DN parameter empty, at which point you can type the DNs one at a time at the keyboard console of the command prompt. Press Enter after each DN. After the last DN, press Ctrl+Z, and then press Enter"
    Now I'm trying and this is what is happening:
    PS AD:\ou=groups,dc=contoso,dc=com> dsadd group -secgrp yes -scope g
    cn=test,ou=groups,dc=contoso,dc=com
    cn=test2,ou=groups,dc=contoso,dc=com
    cn=test3,ou=groups,dc=contoso,dc=com
    ^Z
    dsadd failed:"cn=test2,ou=groups,dc=contoso,dc=com" is an unknown parameter.
    type dsadd /? for help.
    What is it I'm doing wrong?
    Thank you!

    Hi,
    Have you tried this in a CMD prompt instead of using PowerShell?
    Don't retire TechNet! -
    (Don't give up yet - 12,575+ strong and growing)

  • Using access groups for documents

    Hi, there!
    I have groups of users with different access rights. I would also like to set up document groups, which should be shown to different groups of users, as a matrix.
    For example:
    1) General Policy is a group A, which means shown to anybody who has an access to corp portal.
    2) SOP ID123 is a group C, which means shown to selected tiny groups of users
    3) Confidential attachment to specification belongs to a group D, which grants access to 3 users only, including the CFO
    Can I use such a matrix approach, or is it difficult to implement?
    Or, as an idea, a simpler way: just create different libraries and manage access at this level?

    Hello Alex,
    I think the best solution is to create separate libraries, to separate permission.
    But if you want to have the documentation in the same library, you can take another approach. Try to create a folder, or a document set, to separate the documents. Then assign permission to each folder/docset as needed.
    Finally, you can create a view to display all documents without folders. This way you can have the same view for all users, but users will only see what they have access to.

  • Using dynamic groups for j2ee security

    Hi all,
    I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
    Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute)
    How do I configure my realm in my server.xml to get this working?

    Hi,
    I got an official answer from SUN.
    "Dynamic Groups" are no longer supported with SJS AS 7!
    It will probably be supported with SJS AS 8 SE.
    If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

  • OIM OES Groups

    Hello
    Has anyone done OIM OES integration?
    Can I provision groups from OIM to the OES database? (Can I create groups in OES using OIM?)
    Please provide me with links if there are any!!!
    Thanks

    This is purely my experience, so YMMV...
    In my experience the act of creating a group after the initial setup of the environment & directory is fairly infrequent. Investing energy / time / money in wiring systems together for something like this tends to not be cost effective.
    While not ideal if you need to write a policy on a group and the group hasn't been added to OES yet, AND you as the policy author don't have permission to add the group you can still write a policy on group membership by using the sys_subjectgroups attribute. e.g. "somenewgroup" in [sys_subjectgroups]
    http://download.oracle.com/docs/cd/E12890_01/ales/docs32/policymanager/advanced_policy.html#wp1085485table1085479

  • Use of LDAP group external authentication in Essbase v7.16

    Hello Experts,
    One of my customer wants an answer for his query -
    They currently use LDAP external authentication with userid only and would like to use LDAP groups. Is this supported in version 7.1.6? (I heard that it is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x.)
    My Research:
    I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
    Can you explain how this works?
    Thank you
    Example 1
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
    AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
    Example 2
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
    AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=com@129.63.140.122:389
    Regards,
    Sonal
    Edited by: 637223 on Oct 23, 2009 7:16 PM

    I do not believe using LDAP groups is supported in 716.

  • LDAP realm for authentication and ACL in Database

    We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
    Can we use the LDAP realm for authentication and manage our ACL from a database? Or do we have to use the weblogic.properties file? Does the weblogic security API help in the above scenario? Thanks, Ram

    Unfortunately, there is no easy way to do this in wls 6.0.
    The only way to handle it is to write your own custom realm
    that uses ldap for users and groups and a database for acls -
    probably not a viable alternative.
    -Tom
    "kevin doherty" <[email protected]> wrote:
    >
    Jeffrey Hirsch <[email protected]> wrote:
    You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
    I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
    Thanks!
    -kd

  • OIM - OIA integration documentation

    hi,
    I am facing some issues in OIM-OIA integration.
    Version used:
    OIM ( Version: 9.1.0.1866.47 )
    OIA 11gR1 where we have applied bundle patch 11.1.1.3_bp04
    Can anyone please share with me the link or guide for integrating OIM ( Version: 9.1.0.1866.47 ) and OIA 11gR1?
    Thanks in advance.

    Hi,
    Those are not really documents, but I think they will be helpful for you, because they helped me as well.
    1. http://cn.forums.oracle.com/forums/thread.jspa?messageID=9612293
    2. OIM & OIA 11g integration
    3. http://www.identigral.com/blog/2009/10/19/oracle-identity-analytics-11g
    I hope this helps.
    Thiago Leoncio Guimaraes