Open LDAP Authentication in SAPNW 7.0 AS ABAP ( Linux)

Similar Messages

• Open LDAP Authenticator Configuration on WLSSP5

  I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
  dn: dc=my-domain,dc=com
  dc: my-domain
  objectClass: dcObject
  objectClass: organization
  o: MYABC, Inc
  dn: cn=Manager, dc=my-domain,dc=com
  userPassword:: c2VjcmV0
  objectClass: person
  sn: Manager
  cn: Manager
  dn: cn=myabcsystem, dc=my-domain,dc=com
  userPassword:: dmVuZGF2b3N5c3RlbQ==
  objectClass: person
  sn: myabcsystem
  cn: myabcsystem
  dn: cn=Philippe, dc=my-domain,dc=com
  userPassword:: UGhpbGlwcGU=
  objectClass: person
  sn: Philippe
  cn: Philippe
  dn: cn=mlrick, dc=my-domain,dc=com
  userPassword:: bWxyaWNr
  objectClass: person
  sn: mlrick
  cn: mlrick
  All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
  Inspite of me not having any groups in the ldap as indicated in ldif contents.
  While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
  <weblogic.security.providers.authentication.OpenLDAPAuthenticator
  AllGroupsFilter="objectclass=*"
  Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
  GroupBaseDN="dc=my-domain,dc=com"
  GroupFromNameFilter="(cn=%u)"
  Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
  Principal="cn=myabcsystem,dc=my-domain,dc=com"
  Realm="Security:Name=MYABCAuthentication"
  StaticGroupDNsfromMemberDNFilter=""
  StaticGroupNameAttribute="" StaticGroupObjectClass=""
  StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

  Hi Amol,
  I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
  I was not aware you could install the service with that command.
  I used the below command instead:
  sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
  Regards,
  -John

• LDAP Authentication for Application APEX 3.2

  Dear All,
  I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
  create or replace
  FUNCTION              "ADS_LDAP_AUTHENTICATE"
  (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
    c_Directory   VARCHAR2(50) ;
    c_Port        NUMBER(4);
    c_BaseDN      VARCHAR2(200);
    c_InitUser    VARCHAR2(200);
    c_InitPass    VARCHAR2(32);
    l_session     DBMS_LDAP.SESSION;
    l_success     PLS_INTEGER;
    l_attributes  DBMS_LDAP.STRING_COLLECTION;
    l_result      DBMS_LDAP.MESSAGE;
    l_userdn      VARCHAR2(2000);
    CURSOR get_authentication_dtls
    IS
    SELECT  domain_name,server_port,server_base_dn,server_principal,server_credentials
    FROM    PS_TB_SYSTEM_ADS_CONFIG_DICT;
  BEGIN
    OPEN get_authentication_dtls;
    LOOP
    FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
    EXIT WHEN get_authentication_dtls%NOTFOUND;
    --Open initial lookup session.
    l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
    l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
    IF l_success = DBMS_LDAP.SUCCESS THEN
      l_attributes(1) := NULL;
      l_success := NULL;
      l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
                                     base => c_BaseDN,
                                     scope => dbms_ldap.scope_subtree,
                                     filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
                                     attrs => l_attributes,
                                     attronly => 0,
                                     res => l_result);
      IF l_success = DBMS_LDAP.SUCCESS THEN
        l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
        IF l_userdn IS NOT NULL THEN
          l_success := dbms_ldap.unbind_s(l_session);
          l_session := dbms_ldap.init(c_Directory,c_Port);
          l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
        END IF;
      END IF;
    else
      return FALSE;
    END IF;
    IF l_success = DBMS_LDAP.SUCCESS THEN
    CLOSE get_authentication_dtls; /* Close cursor before returning */
      RETURN TRUE;
    END IF;
    END LOOP;
    CLOSE get_authentication_dtls;
     RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;
  END;
  Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
  Can anyone suggest me how to allow only a set of users to access my application using LDAP.
  Thanks in Advance.
  Cheers,
  San.

  Use the below link for Ldap Authentication
  LDAP (MS AD) Group Authentication

• Users changing passwords within LDAP authentication

  Hello all,
  I've noticed that if a user uses the 'Membership' authentication to access the portal, they are allowed to change their passwords within the 'user channel' edit section.
  If a user logs in throught the LDAP authentication, this password utility disapears.
  1 - Is there a way to use this password utility when using LADP authentication? Is it just a setting somewhere??
  2 - What are you using to change password if you are using LDAp authentication? i.e. did you create your own password tool??
  Thanks in advance,
  Jason

  Here's how I did it on 6.0:
  I created a bookmark with these properties:
  Bookmark Name: Change Personal Settings
  URL: /amconsole
  When the user clicks on the bookmark, they have to scroll all the way down to the bottom of the window to find the change password option. After changing the password, the user should close the amconsole window WITHOUT clicking on the logout button. Just kill the window.
  If they click "logout" it will log them out of the Portal Server while leaving the desktop window open. It will look like they are still logged in but they are not. They will have to re-login.

• PEAP-GTC on Win 7 and 8 platforms (LDAP authentication doesn't work)

  Hi all!
  Customer is using Open LDAP as directory services.
  We're setting Cisco Wi-Fi network with following authentication scheme:
  Wireless LAN Controller - Cisco ACS 5.3 - Open LDAP
  According to the documents ACS - LDAP supports only EAP-TLS and PEAP-GTC methods.
  We need to perform username/password authentication. It works good on Apple and Android devices. But id doesn't want to authenticate Windows 7 clients.
  We're unchecking "Validate Servers certificate" in WLAN settings of Win 7 client, but it still doesn't work.
  It seems, that Windows doesn't support PEAP-GTC method. Are there any workaround to solve the issue?
  I might assume, that there could be some software plug-ins (supplicants) that can be installed on Windows and give support of PEAP-GTC. But in this case customer will face serious organizational issues of provisioning new devices.
  Please advice!
  Thank you!
  Yuriy

  In order to see PEAP EAP-GTC option on the client, you need to install EAP-GTC supplicant on the client machine.
  Check this:
  http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007967
  Jatin Katyal
  - Do rate helpful posts -

• Configuring Oracle 9iAS for LDAP Authentication

  I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
  " Bind variable "CN" not declared ".
  I even compile the package ssoxldap.pkb before that. But still this error persists.
  tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
  Can anyone help me in this.

  I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
  And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
  ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  but instead we shoud write this:
  ldapadd -h i3dt111 -p 389 -D cn=orcladmin
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  . Just remove the single quotes in the username string.
  Anyways, thanks for your suggestions.
  null

• Weblogic  patch has broken the LDAP authentication

  Hi,
  We have installed  XIR2 SP4 on  Linux and also installed a patch for the weblogic ,after installing weblogic patch we are unable to login to the infoview using LDAP authentication getting  error  ""An Error has Occurred: java.lang.InstantiationException:Could not instantiate bean CE_Session, neither class nor beanName were specified."
  Curently we have  uninstalled the weblogic  patch , now everyting is working fine.
  We want to know the reason for this , why the instalation of patch has  broken the LDAP authentication?
  Environment -
  BOXIR2 SP4,
  LINUX,
  Web logic 9.2,
  Oracle 10g.
  Thank you  in Advance.
  Thanks & Regards,
  Bill.

  You'll have to open an incident with support, that error doesn't seem like an actual LDAP error so go with deployment if you do. See if you can get an engineer to reproduce or trace your environment. This is the 1st time I've heard of a weblogic patch breaking LDAP.
  Regards,
  Tim

• WebAccess, ldap authentication, grace logins

  GroupWise 2014 SP1. User only logs in to GroupWise via WebAccess.
  GroupWise is using LDAP authentication and eDirectory has a password
  policy in place. The user's password expired. I reset the password
  in eDirectory. But every time she logs into WebAccess, she still gets
  a notice that she has limited grace logins and she still gets prompted
  to change her password. Any suggestions? Or open an SR?
  Ken

  On Wed, 17 Sep 2014 20:38:04 GMT, KeN Etter
  <[email protected]> wrote:
  >GroupWise 2014 SP1. User only logs in to GroupWise via WebAccess.
  >GroupWise is using LDAP authentication and eDirectory has a password
  >policy in place. The user's password expired. I reset the password
  >in eDirectory. But every time she logs into WebAccess, she still gets
  >a notice that she has limited grace logins and she still gets prompted
  >to change her password. Any suggestions? Or open an SR?
  Just got a reply to this on the GroupWise Discussion List. Bouncing
  the post office fixed the problem.
  Ken

• Open Ldap problem

  Hi all,
  I have to use OpenLdap with weblogic.I have gown through the documents for creating the Authentication provider.
  I created with one authentication provider for openLdap in the weblogic default realm and i configured it for openLdap. I am able to see the groups and users in my portal now.
  I have created a new portal using the portal administration for sample portal application which comes with weblogic and set the entitlements on the portal and desktops and portlets.
  When i access the portal with the Users in my openLdap i am not able to login.
  I am confused, Is there any thing else i need to do in order to allow the users in the openLdap to access the portal application.
  Please guide me.
  Thanks,
  Milind

  Hi Ravin,
  I am not sure which version of Portal you are using.
  for version Weblogic portal 9.2 i have used these parameters for Open Ldap Provider.
  Group Base DN:ou=groups, dc=example, dc=com
  Group base DN values will be based on the Structure you have created in your LDAP.
  User Base DN:ou=people, dc=example, dc=com
  Userbase DN values will be based on the structure you have crated in your LDAP.
  Host:The host where your LDAP is running
  Principal: DN for LDAP Admin user say for example cn=admin,dc=somevalue,dc=com based on whatever you have used in your environment.
  Credential:Admin password cridentials for LDAP
  Confirm Credential:Admin password cridential for LDAP
  Control Flag:SUFFICIENT, you must check control flag value and set it to sufficient for all the providers or atleast DefaultAuthenticator or SQLAuthenticator.
  About weblogic users,in Weblogic 8.X there is a DefaultAnthenticator is used and i think they are picked from the database.Same will be case with Weblogic 9.2 where SQLAuthenticator is used.
  All the best
  Milind

• Discoverer against Open-LDAP

  Did anyone have experience of using Discoverer against Open-Ldap? We are using discoverer in non-apps mode and dont want to create 300db user's. Our current application uses Open-Ldap and we want to make use of it for Discoverer authentication. Any ideas?
  Thanks

  Thanks Rod for the metalink documents.
  I'd tried using eul_trigger$post_login using a similar function as indicated in the article you refer before posting my question but it didn't work - may be because i was not paying attention to upper/lower case.
  But, after reading the article 372067.1 and following the exact instructions I still can't make it work. Not even with Discoverer desktop while logged in as EUL owner.
  Here is the function I created:
  CREATE OR REPLACE FUNCTION EUL_TRIGGER$POST_LOGIN RETURN NUMBER IS
  BEGIN
  insert into my_eul.test_logon values (sysdate);
  commit;
  RETURN 0;
  END EUL_TRIGGER$POST_LOGIN;
  Some values for this registered function from EUL5_FUNCTIONS metadata table are:
  FUN_NAME: eul_trigger$post_login
  FUN_DEVELOPE_KEY: EUL_TRIGGERPOST_LOGIN
  FUN_FUNCTION_TYPE: 8
  FUN_HIDDEN: 0
  FUN_DATE_TYPE: 2
  FUN_AVAILABLE: 1
  FUN_MAXIMUM_ARGS: 0
  FUN_EXT_NAME: EUL_TRIGGER$POST_LOGIN
  FUN_EXT_OWNER: MY_EUL
  Any thing seems missing/incorrect?
  I am not 100% sure about EnableTrigger preferences. My pref.txt does not have an entry for EnableTriggers and according to Configuration Guide you should not add an entry if not present because by default triggers are enabled. But, since the trigger was not firing I also tried adding the line and applied preferences using the applypreferences.bat but it didn't work.
  To make it work with Discoverer Desktop I tried updating the registry to add entry for EnableTrigger registry entry, but no successs (Finally I removed all changes to registry and preferences).
  Now I am clueless why the trigger is not working. Any help would be appreciated.
  Using Discoverer 10G R1 (9.0.4)
  thanks
  Message was edited by:
  user552591

• SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

  One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
  Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
  I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
  In the Membership provider name text box I entered "LdapMember"
  In the Role provider name  text box I entered "LdapRole"
  In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="((ObjectClass=group)"
  userFilter="((ObjectClass=person)"
  scope="Subtree" />
  </providers>
  </roleManager>
  I modified the SecurityTokenServiceApplication web.config with these details
  <system.web>
  <membership>
  <providers>
  <add name="LdapMemebr"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true">
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  </system.web>
  I modified the web.config of the test application I created with these details
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
  <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="dn"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  <membership defaultProvider="i">
  <providers>
  <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  useDNAttribute="true"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
  The server could not sign you in. Make sure your user name and password are correct, and then try again.
  I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
  8306 - SharePoint Foundation - The security token username and password could not be validated.
  in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
  then this:
  Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
  at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
  I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
  The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
  The LDAP server tells the SharePoint server it is ready to communicate
  the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
  The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
  The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
  The SharePoint server acknowledges the connection is closing
  ... and then nothing happens, except the error on SharePoint
  What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
  specified in the web.config). That part does not seem to be happening.
  I am at a standstill on this and any help would be greatly appreciated.

  OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
  is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
  for enabling Forms Based Authentication:
  "ASP.NET Membership provider name"
  "ASP.NET Role manager name"
  We entered a name for Membership provider, and left Role manager blank.
  In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword="validpassword"
  useDNAttribute="false"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager>
  <providers>
  </providers>
  </roleManager>
  useDNAttribute="false" turned out to be important as well.
  So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
  leave anything related to the role provider blank
  configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
  Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
  Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
  a non-existent role manager.

• How to get user attributes from LDAP authenticator

  I am using an LDAP authenticator and identity asserter to get user / group information.
  I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
  Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
  Any help would be appreciated

  Hi Julián,
  in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
  A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
  Beginner
  Medium
  Advanced
  Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
  Hope it helps
  Detlev

• How to create a configuration file for open ldap.

  hi,
  I have installed open ldap on my machine. Now I want to configure it to NetWeaver.
  For this, I started configuration through configtool utility of NetWeaver. While configuring, we need to select or upload configuration file. But now as it is open ldap we need to write our own config file.
  I tried it by selecting dataSourceConfiguration_ads_deep_readonly_db.xml  as a configuratio file. it shows successful test connection but the user which  I have created is not appearing in UME store.
  Does any body having solution for this?
  I am trying to solve this problem from two days. I really appriciate one who will sove this problem

  Well the configuration file you chose does not allow users created in NetWeaver to be created in the LDAP.  That's why it's a "readonly" configuration.  I would guess that you need a custom configuration file specifically for open ldap.
  This should help get you started on a custom configuration file:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b7/14d43f2dd44821e10000000a1550b0/frameset.htm
  Then again, if the only problem with the .XML file you chose is that you can't write to the LDAP, give the dataSourceConfiguration_ads_writeable_db.xml configuration file a shot.

• How to use two different LDAP authentication for my Apex application login

  Hi,
  I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
  cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
  cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
  The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
  Does anyone know how to define both the group in LDAP DN String ?.
  Thanx in advance
  Vijay.

  Vijay,
  I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
  Scott

• LDAP Authentication - Multiple Domains

  I want to be able to use the built in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with it's own separate Host IP/Server, and LDAP DN String. The User ID is formated the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
  Host: xx.xx.xx.xx
  DN String: %LDAP_USER%@amer.globalco.net
  (amer.globalco.net is the domain)
  How can this be accomplished? Is it possible all you guru's out there?
  I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
  I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
  Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
  As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
  Please include example/suggested SQL -
  Thanks in advance...
  Rich
  Apex v3.2.1
  Oracle 10G Express

  Based on prior post I had similar question and the result was to write custom auth scheme to read the values from the login page, perform auth against appropriate ldap, then return a valid session to proceed with login in apex app. In our case, the issue was having users is different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
  Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain, maybe would even have to multiple apps with just a login page and then redirect to the main app... been a really long time since i've tried anything like it, just giving some options to try.