OpenLDAP authentication provider with CA LDAP server

Hi,
I am trying to get authentication to work using an OpenLDAP AP connecting to CA LDAP server (formerly eTrust LDAP server). I am at the point where the bind is successful, the user account is authenticated in LDAP, but I am unable to retrieve the group information.
Here is the error for the group lookup:
####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <[Security:090278]Error listing member groups myACID>
This is the final error, presumably because the group lookup failed:
####<Apr 8, 2013 9:48:33 AM CDT> <Debug> <SecurityAtn> <EPMDOWCS8> <ms1> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <01f9ee928bc01ecd:275c5c34:13dea1201e3:-7ffd-000000000000021d> <1365432513554> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User myACID denied
     at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
     at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
     at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:684)
     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
     at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
The CA LDAP server is pointed to a Top Secret database, so the attribute names are atypical as far as directory services objects are concerned. I've tried modifying the group and static group information to search both groups and profiles, but both fail. I've also tried omitting the static group information, and specifying dynamic group info, but that failed as well.
Here is the search it is running:
(&(memberOf=tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG)(objectclass=tssprofile))
Here is the group base DN: tssadmingrp=profiles,host=ourdevsysid,o=our.org
The group search scope is subtree. I tried unlimited and a limit of 2 levels.
If I execute the filtered search using a third party tool (JXplorer), I receive this error:
javax.naming.NamingException: [LDAP: error code 80 - LDP2900E Unknown attribute, , in filter string]; remaining name 'tssadmingrp=profiles,host=ourdevsysid,o=our.org'
     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3085)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
     at com.ca.commons.jndi.JNDIOps.rawSearch(JNDIOps.java:1192)
     at com.ca.commons.jndi.JNDIOps.rawSearchSubTree(JNDIOps.java:1039)
     at com.ca.commons.naming.DXOps.rawSearchSubTree(DXOps.java:343)
     at com.ca.commons.jndi.JNDIOps.searchSubTree(JNDIOps.java:1030)
     at com.ca.directory.jxplorer.broker.JNDIDataBroker.unthreadedSearch(JNDIDataBroker.java:772)
     at com.ca.directory.jxplorer.broker.DataBroker.doSearchQuery(DataBroker.java:485)
     at com.ca.directory.jxplorer.broker.DataBroker.processRequest(DataBroker.java:253)
     at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:376)
     at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
     at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
     at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
     at java.lang.Thread.run(Thread.java:662)
When I execute that same search in JXplorer directly on one of the profile objects (e.g. tssprofile=@oneofourprofiles,tssadmingrp=profiles,host=a12sysid,o=tgslc.org), it runs successfully.
Here is an old post. Seems the OP encountered the same problem I did.
authentication provider for CA eTrust LDAP server
Anyone work with these technologies in a past life?
Thanks,
Rob

> Are you able to see the users in weblogic?
Not for this AP. I have a ReadOnly SQL authenticator as well. I am able to see users for that, and for the Default Authenticator.
> Have you assigned admin roles to the user in weblogic?
No. I do not intend to do that, and I don't believe I am required to do that.
> is the group base dn properly configured?
Yes.
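The group lookup in the thread above embeds the user's DN in a filter and then fails because the directory does not know one of the attributes in it. The helper below is an added example, not code from the thread or from WebLogic: it escapes the DN per RFC 4515 before it goes into the filter and lists the attribute types a filter references so they can be checked against what the directory actually defines (the attribute names memberOf, tssacid and tssprofile come from the thread; the schema set is constructed for the demo).

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_groups_filter(member_attr, user_dn, group_objectclass):
    """Build the static-group lookup shown in the thread:
    (&(<member_attr>=<user DN>)(objectclass=<group objectclass>))."""
    return "(&(%s=%s)(objectclass=%s))" % (
        member_attr, escape_filter_value(user_dn), escape_filter_value(group_objectclass))


# An attribute description directly after "(" and followed by =, ~=, >=, <= or an
# extensible-match ":".  Escaped parentheses inside values never match this.
_ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(?:[~<>]?=|:)")


def filter_attributes(ldap_filter):
    """Distinct attribute types a filter references (lower-cased, in order of appearance)."""
    seen = []
    for name in _ATTR_RE.findall(ldap_filter):
        lname = name.lower()
        if lname not in seen:
            seen.append(lname)
    return seen


def unknown_attributes(ldap_filter, known_attrs):
    """Attribute types the filter uses that the directory does not define.
    A non-empty result is the condition the server reports as an unknown attribute in the filter."""
    known = {a.lower() for a in known_attrs}
    return [a for a in filter_attributes(ldap_filter) if a not in known]


if __name__ == "__main__":
    # Values from the thread; the schema set is constructed for the demo and
    # deliberately lacks memberOf, which is the situation the thread describes.
    user_dn = "tssacid=myACID,tssadmingrp=acids,host=ourdevsysid,o=our.ORG"
    flt = member_groups_filter("memberOf", user_dn, "tssprofile")
    constructed_schema = {"objectClass", "tssacid", "tssprofile", "tssadmingrp", "host", "o"}
    print(flt)
    print("missing from schema:", unknown_attributes(flt, constructed_schema))
```

In practice the known-attribute set would come from reading the server's subschema entry; with that list in hand the check above can be run before the authenticator is reconfigured.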

Similar Messages

  • [OBPM 10gR3]How to configer a hybrid directory with Oracle LDAP Server

    Hey, guys,
    Does anyone have experience on configuring a hybrid directory with Oracle LDAP Server? How to config the mapping conf file for Oracle LDAP in the directory of \OraBPMwlHome\conf?
    Here is my conf file. But I got some LDAP mapping errors. It's really weird OBPM doesn't support Oracle's own LDAP, at least it does not provide the conf file.
    -----------errors------------
    Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name '']. Reason: [LDAP: error code 53 - Function Not Implemented]
    fuego.directory.DirectoryRuntimeException: Exception [javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name ''].
         at fuego.directory.DirectoryRuntimeException.wrapException(DirectoryRuntimeException.java:85)
         at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:203)
         at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:84)
         at fuego.directory.hybrid.ldap.JNDIQueryExecutor.selectAllFromView(JNDIQueryExecutor.java:64)
         at fuego.directory.hybrid.ldap.Repository.selectAllFromView(Repository.java:54)
         at fuego.directory.hybrid.ldap.LDAPPollingEventGenerator.buildCurrentProxies(LDAPPollingEventGenerator.java:98)
         at fuego.directory.provider.notifiers.BasePollingEventGenerator.generateEvents(BasePollingEventGenerator.java:41)
         at fuego.directory.hybrid.HybridMultipleEventGenerator.generateEvents(HybridMultipleEventGenerator.java:43)
         at fuego.directory.provider.notifiers.DirectoryNotifier.notifyChanges(DirectoryNotifier.java:403)
         at fuego.server.service.DirectoryListener.updateEngineFromDirectoryImpl(DirectoryListener.java:309)
         at fuego.server.service.DirectoryListener$DirectoryPollingItem.execute(DirectoryListener.java:351)
         at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304)
         at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470)
         at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551)
         at fuego.transaction.TransactionAction.start(TransactionAction.java:212)
         at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123)
         at fuego.server.execution.DefaultEngineExecution.executeAutomaticWork(DefaultEngineExecution.java:62)
         at fuego.server.execution.EngineExecution.executeAutomaticWork(EngineExecution.java:42)
         at fuego.ejbengine.ejb.EngineStartupBean.executeItem(EngineStartupBean.java:192)
         at fuego.ejbengine.ejb.EngineStartupBean.updateFromDirectory(EngineStartupBean.java:172)
         at fuego.ejbengine.ejb.engine_startup_bpmengine_wodkyx_ELOImpl.updateFromDirectory(engine_startup_bpmengine_wodkyx_ELOImpl.java:365)
         at fuego.ejbengine.servlet.SchedulerServlet$DirectoryPollingTask.runImpl(SchedulerServlet.java:269)
         at fuego.ejbengine.servlet.SchedulerServlet$ScheduledTask.run(SchedulerServlet.java:208)
         at java.util.TimerThread.mainLoop(Timer.java:512)
         at java.util.TimerThread.run(Timer.java:462)
    Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name ''
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3078)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812)
         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
         at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
         at fuego.jndi.FaultTolerantDirContext.search(FaultTolerantDirContext.java:867)
         at fuego.directory.hybrid.ldap.JNDIQueryExecutor.select(JNDIQueryExecutor.java:190)
         ... 23 more
    -----------mapping conf file for Oracle LDAP---------
    <?xml version="1.0" encoding="UTF-8"?>
    <?fuego version="6.1 ALPHA" application="albpmenterprise"?>
    <!-- This file contains the proper attribute mapping for the FDI Generic Ldap Provider using Oracle Directory Service.
    * Preference for group object
              <preference id="assignedParticipants.containsId" value="true"/>
              This preference is useful to speed up the provider and it can only be used if the assignedParticipant value is the dn of the user and the dn contains the participant id
              <preference id="assignedParticipants.containsId" value="true"/>
              This preference is useful to speed up the provider and it can only be used if the assignedGroup value is the dn of the group and the dn contains the group id
              <preference id="modifyTimeStamp.suffix" value="Z"/>
              This preference is useful when the suffix modifyTimeStamp format of your ldap is not .OZ.
    -->
    <config>
         <object id="person">
              <object-filter>
                   <![CDATA[
                        (objectclass=inetOrgPerson)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for person -->
              </relative-dn>
              <attribute id="id" value="uid"/>
              <attribute id="lastName" value="sn"/>
              <attribute id="firstName" value="givenname"/>
              <attribute id="accountLock" value="orclIsEnabled">
                   <attribute-comparator operation="EQUALS" compareTo="ENABLED"/>
                   <filter>
                        <![CDATA[
                             ($accountLock=ENABLED)
                        ]]>
                   </filter>
              </attribute>
              <attribute id="facsimileTelephoneNumber" value="facsimileTelephoneNumber"/>
              <attribute id="displayName" value="displayName"/>
              <attribute id="mail" value="mail"/>
              <attribute id="telephoneNumber" value="telephoneNumber"/>
              <attribute id="employeeId" value="employeeNumber"/>
              <attribute id="thumbnailPhoto" value="jpegPhoto"/>
              <attribute id="manager" value="manager"/>
              <attribute id="modifyTimeStamp" value="modifytimestamp"/>
         </object>
         <object id="group">
              <object-filter>
                   <![CDATA[
                        (objectclass=orclGroup)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for group -->
               </relative-dn>
              <attribute id="id" value="dn"/>
              <attribute id="modifyTimeStamp" value="modifytimestamp"/>
              <attribute id="displayName" value="displayName"/>
              <attribute id="name" value="cn"/>
              <attribute id="description" value="description"/>
              <attribute id="assignedParticipants" value="uniquemember"/>
              <!--attribute id="assignedGroups" value="memberOf"/-->
              <attribute id="ou" value="uniquemember"/>
         </object>
         <object id="ou">
              <object-filter>
                   <![CDATA[
                        (objectclass=domain)
                   ]]>
              </object-filter>
              <relative-dn>
                   <!-- the relative dn for ous -->
               </relative-dn>
              <attribute id="name" value="orclsubscriberfullname"/>
              <attribute id="description" value="description"/>
         </object>
    </config>
    Edited by: Lemonice on 2009-3-30 2:08 AM
    Edited by: Lemonice on 2009-3-30 7:01 PM
    Edited by: Lemonice on 2009-3-30 8:43 PM

    Hi,
    in my case, I am trying to configure the OBPM directory using ALUI and its native LDAP service.
    Now, I found that the first name and the last name in BPM are retrieved from the ALUI display name: provided we enter the display name in the format %first name% + %last name% we get them into BPM. But the display name is not always in this format...
    In addition, it's the portal telephone number information which is retrieved into BPM Telephone and Fax numbers.
    And the email address remains blank.
    I have installed the latest patch for OBPM (Version: 10.3.1.0.0 Build: #97172)
    Would you have any documentation about creating a Profile Web Service in ALUI and specifying which LDAP attributes to map to which ALUI properties in the Profile Source ?
    Thanks !
    Edited by: vVince on May 6, 2009 3:46 PM

  • Authentication problem by external ldap server for WLS 7.0

    Hi all,
    I have configured iPlanet Directory Server to serve as authentication security provider for WLS 7.0. While doing so I have created a Test security realm and made it as default. I have also configured the other default settings for the remaining security providers for the realm.
    Now, while I start the WLS with the default username and password, boot-error comes as given below. As a matter of fact I have also created groups with relevant username and pwd in the ldap server as specified by the BEA documentation.
    I have tried to remove the problem since last 4 days but all in fiasco.
    If anybody has any pointer to the problem - it will be a great help.
    The error :
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http://[hostname]:[port]/console *
    D:\bea\weblogic700\samples\server\config\petstore>"D:\bea\jdk131_03\bin\java" -hotspot -Xms32m -Xmx200m -Dpet.mode= - Dweblogic.management.discover=false -Dweblogic.Name=petstoreServer -Dbea.home="D:\bea" -Dweblogic.management.username=weblogic -Dweblogic.management.password=weblogic -Dweblogic.ProductionModeEnabled=true -Djava.security.manager -Djava.security.policy=="D:\bea\weblogic700\server\lib\weblogic.policy" weblogic.Server
    Starting WebLogic Server...
    <Nov 19, 2002 10:08:04 AM IST> <Notice> <Management> <140005> <Loading configuration D:\bea\weblogic700\samples\server\config\petstore\.\config.xml>
    <Nov 19, 2002 10:08:21 AM IST> <Notice> <Security> <090082> <Security initializing using realm RitTestRealm.>
    <Nov 19, 2002 10:08:22 AM IST> <Critical> <WebLogicServer> <000364> <Server failed during initialization. Exception:java.lang.SecurityException: User weblogic is not permitted to boot the server
    java.lang.SecurityException: User weblogic is not permitted to boot the server
         at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1076)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1116)
         at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
         at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
         at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
         at weblogic.Server.main(Server.java:31)
    >
    Regards,
    Ritwik

    Thanks Vijay - it has worked by creating the Administrator group in LDAP but Weblogic documentation also states the creation of any group in Ldap server with the boot username and pwd and then adding the group in the admin role of WLS7.0 - but this did not work.
    If there is any info regarding the same - pl. do let me know
    Regards,
    Ritwik
    "Vijay" <[email protected]> wrote:
    >
    Ritwik,
    I think WebLogic 7 requires a group called "Administrators" in the LDAP server and requires a user to be added to that group. I have this working in one of my projects. The group really doesn't need to be an LDAP administrative group.
    Can you provide any additional information. I might be able to help since I got this working only a coupla days back.
    Vijay

  • Getting iCal 3 to work with an LDAP server

    I've managed to set up Directory Utility with a third-party LDAP server (part of Communigate Pro) so that Directory will look up people.
    However I expected that once I did this, iCal would consult the LDAP server to do autocompletion when adding attendees to events. It doesn't.
    I thought maybe I could use Address Book's Directories Group to facilitate adding attendees. Both the LDAP server configured through Mail and the LDAP Directory Service configured through Directory Utility are visible here--but even though I can look people up, I can't drag any of the resulting names into the Attendees list in iCal.
    It seems I first have to drag them into a local Group; only then can I drag them into Attendee lists in iCal.
    Finally, iCal has a feature called the Address Panel which I thought might make use of an LDAP server configured through Directory Utility, but it hasn't worked for me. The Panel says "Open Directory Lookup" near the top of the window, which suggests it might not be intended to function with any old LDAP implementation.
    Any suggestions?
    By the way, I have the LDAP server's entry in Directory Utility as RFC 2307 with an empty searchbase for all mappings. However I haven't modified any of the mappings themselves.
    Thanks.

    iCal 3 looks for certain specific LDAP attributes which are (somewhat) unique to Open Directory.
    Some information on mimicking Open Directory can be found at http://wiki.expertmx.com/doku.php?id=applecalendarserver

  • Delete Authenticator Provider with WLST

    Hi,
    I need to change an authentication provider for a newer one with a WLST script. Both providers have the same name.
    I found the createAuthenticationProvider method to add the new provider, but I find no way to delete the previous provider before adding the new one. If I try to add the new provider without removing the older one, it returns an "already exists" error.
    Is there a WLST method to delete an authentication provider?
    Thank you.

    Ok... I have found the solution myself...
    There is a method called "destroyAuthenticationProvider".
    name = 'Authenticator'
    # domainName and realmName must already hold the domain and realm names
    cd('/SecurityConfiguration/' + domainName + '/Realms/' + realmName)
    auth = cmo.lookupAuthenticationProvider(name)
    cmo.destroyAuthenticationProvider(auth)
    Reference: http://docs.oracle.com/cd/E14571_01/apirefs.1111/e13945/weblogic/management/security/authentication/class-use/AuthenticationProviderMBean.html

  • Silent installation with different LDAP server

    I am trying to do a silent install of iAS 6.0 SP2 and it fails at the
    ACL, directory server stage (steps 10/11).
    I am trying to install iAS without installing the LDAP server component
    as I already have a directory server installed.
    The error message I am getting is as follows:
    10. ERROR: Register_NASA: Unable to find or execute programs
    /train/iplanet/ias/ias/bin/.ldapmodify
    or /shared/bin/ldapmodify
    ... skipping this step ...
    Changing ownership of iAS files to imm:imm .....
    Done.
    Start registering System/StaticServlet...
    Start registering Bootstrap EJB...
    javax.naming.NameNotFoundException
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.(Compiled Code)
    at java.lang.Exception.(Compiled Code)
    at javax.naming.NamingException.(NamingException.java:114)
    at javax.naming.NameNotFoundException.(NameNotFoundException.java:48)
    at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at com.netscape.server.jndi.RootContext.bind(Unknown Source)
    at javax.naming.InitialContext.bind(InitialContext.java:371)
    at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
    at com.netscape.server.deployment.EjbReg.run(Compiled Code)
    at com.netscape.server.deployment.EjbReg.main(Unknown Source)
    Start registering iAS 60 Fortune Application...
    It looks like all the required ldap files - .ldapmodify, .ldapsearch
    etc. are not getting copied to the installed ias bin directory
    (/train/iplanet/ias/ias/bin) from the source directory
    (/train/software/ias/Solaris/iAS/nas) as I have not selected the
    Directory server during the iAS install.
    My install.inf has the following values for the components to be
    installed -
    Components= WEBCONNECTOR,WEBLESS,iAS-AT,iAS-DT,iAS_BASE
    What does iAS-DT stand for?
    Any workarounds?
    Thanks.
    Ranga

    Hi Ranga,
    iAS-DT is the iPlanet Application Server Deployment Tool. It's a GUI for deployment of J2EE applications. You can use an existing directory server, but you have to specify the directory server at the time of installation.
    If you need more help please send your install.inf and userinput.log file.
    Deepak
    Dev support

  • Issues with an LDAP server configured using DHCP instead of static.

    Can anyone tell me if there is a known issue using a DHCP address instead of a static IP address to build a 10.4 Mac server that is an LDAP master?
    I have an LDAP master that is running 10.4 that has user account issues. Random users will suddenly not be able to authenticate against the server. I have been told this is because the server was originally built using a DHCP address and then migrated to a static IP. Being a UNIX geek this does not seem to make a lot of sense to me but I am new to Mac..... So?

    It absolutely could be the cause of the issue. Open Directory uses Kerberos (among other things) for authentication. Kerberos is VERY VERY VERY particular about DNS... and if your OD master changed the IP address, it could cause these problems. I wouldn't expect that it would ever work, but perhaps some days the IP is the same as it was during initial setup.
    Do a 'sudo changeip -checkhostname' from the server and see if it says everything is okay. If not, you definitely have things you need to fix. Frankly, with DHCP on the server you are 100% guaranteed to have problems at some point.

  • User authentication in a linux ldap server

    Does anyone know how to do user authentication of Mac OS X (10.4.7) clients against a Linux (SuSE 9.2) server running LDAP? I can't figure out how to do this.
    Thanks, and sorry for the bad English.

    Not sure this will help, but perhaps reverse thinking this would be a clue...
    http://docs.info.apple.com/article.html?artnum=106365

  • Ldap server authentication for EAI domain

    Hi everybody,
    I have configured a new realm for the security of the created EAI Domain and made it default. In this realm, the authentication provider is the iPlanet LDAP Server.
    Now the booting is fine but then when I am starting the Weblogic Studio, it is not getting authenticated and I keep getting the error :
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: No realm found.>
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: Initialization of WLI Authentication Service failed with exception java.lang.RuntimeException: ERROR: No realm found..>
    The error page obtained at studio is what is given as attachment.
    Anybody having any info regarding the same - pl. do pass on.
    Thanks and regards,
    Ritwik
    [wli-error.doc]

    Hello Ritwik,
    it should for sure, but with this release WLI depends on the compatibility realm.
    Christian Plenagl
    Developer Relations Engineer
    BEA Support
    "Ritwik" <[email protected]> wrote:
    >
    Conceptually if I create respective groups (similar to the groups and users of the compatibility realm) in the ldap server and do the authentication from there - it should work - shouldn't it???
    Any pointer !!!
    Regds,
    Ritwik
    "Christian Plenagl" <[email protected]> wrote:
    Hi Ritwik,
    you can read in the WLI documentation, that WLI7 currently supports the compatibility realm only.
    Please have a look at:
    http://e-docs.bea.com/wli/docs70/deploy/secure.htm#1365621
    Christian Plenagl
    Developer Relations Engineer
    BEA Support

  • ASA Remote Access Authentication with LDAP Server

    Thank you in advance for your help.
    I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned on creating a group for each network that needs to be accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically an ldap group on the ldap server that will have the user's name in the group in order for access.  I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
    The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ASDM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong?  Can this be done this way, or should I try RADIUS?  The customer was just adamant about using ldap.
    extvpnasa5510#
    [243] Session Start
    [243] New request Session, context 0xd5713fe0, reqType = 1
    [243] Fiber started
    [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [243] supportedLDAPVersion: value = 2
    [243] supportedLDAPVersion: value = 3
    [243] No Login DN configured for server 130.18.22.44
    [243] Binding as administrator
    [243] Performing Simple authentication for  to 130.18.22.44
    [243] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [243] User DN = [uid=vpntest,ou=employees,o=msues]
    [243] Talking to iPlanet server 130.18.22.44
    [243] No results returned for iPlanet global password policy
    [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
    [243] Session End
    extvpnasa5510#
    [244] Session Start
    [244] New request Session, context 0xd5713fe0, reqType = 1
    [244] Fiber started
    [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [244] supportedLDAPVersion: value = 2
    [244] supportedLDAPVersion: value = 3
    [244] No Login DN configured for server 130.18.22.44
    [244] Binding as administrator
    [244] Performing Simple authentication for  to 130.18.22.44
    [244] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [244] User DN = [uid=vpntest,ou=employees,o=msues]
    [244] Talking to iPlanet server 130.18.22.44
    [244] Binding as user
    [244] Performing Simple authentication for vpntest to 130.18.22.44
    [244] Processing LDAP response for user vpntest
    [244] Authentication successful for vpntest to 130.18.22.44
    [244] Retrieved User Attributes:
    [244]   sn: value = test user
    [244]   givenName: value = vpn
    [244]   uid: value = vpntest
    [244]   cn: value = vpn test user
    [244]   objectClass: value = top
    [244]   objectClass: value = person
    [244]   objectClass: value = organizationalPerson
    [244]   objectClass: value = inetOrgPerson
    [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
    [244] Session End
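    The two sessions above differ at exactly one point: session 243 (the VPN client attempt) resolves the User DN and then exits with status=-1 without ever logging "Binding as user", while session 244 (the ASDM/CLI test) goes on to bind as the user and retrieve attributes. As an added example that is not part of the original post or of any Cisco tooling, here is a small parser that groups ASA "debug ldap" lines by session id and reports where each one stopped. The sample log is constructed from the two sessions pasted above, and the diagnosis strings are this example's own wording.

```python
"""Split Cisco ASA LDAP debug output into sessions and say where each stopped.

Added example, not code from the original post or from Cisco. SAMPLE_LOG is
constructed from the two sessions pasted in the thread; the diagnosis
strings are this example's own wording.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every ASA debug ldap line carries a session id in brackets; the indented
# "Base DN = [...]" lines do not and are ignored by this pattern.
SESSION_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")
ATTR_RE = re.compile(r"^(\w+): value = (.*)$")


@dataclass
class LdapSession:
    sid: str
    user_dn: Optional[str] = None
    bound_as_user: bool = False
    auth_success: bool = False
    exit_status: Optional[int] = None
    attrs: Dict[str, List[str]] = field(default_factory=dict)

    def diagnosis(self) -> str:
        if self.auth_success:
            return "ok"
        if self.user_dn is None:
            return "no User DN resolved: check base DN, naming attribute and login DN"
        if not self.bound_as_user:
            return "User DN resolved but the ASA never bound as the user"
        return "user bind attempted but not successful"


def parse_sessions(lines: List[str]) -> List[LdapSession]:
    """Group debug lines by session id, in order of first appearance."""
    sessions: Dict[str, LdapSession] = {}
    order: List[str] = []
    for raw in lines:
        m = SESSION_RE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.groups()
        if sid not in sessions:
            sessions[sid] = LdapSession(sid)
            order.append(sid)
        s = sessions[sid]
        if msg.startswith("User DN = [") and msg.endswith("]"):
            s.user_dn = msg[len("User DN = ["):-1]
        elif msg == "Binding as user":
            s.bound_as_user = True
        elif msg.startswith("Authentication successful"):
            s.auth_success = True
        elif msg.startswith("Fiber exit"):
            status = re.search(r"status=(-?\d+)", msg)
            if status:
                s.exit_status = int(status.group(1))
        elif s.auth_success:
            # Attribute lines ("sn: value = test user") only appear after the
            # user bind; the supportedLDAPVersion lines before it are skipped.
            attr = ATTR_RE.match(msg)
            if attr:
                s.attrs.setdefault(attr.group(1), []).append(attr.group(2))
    return [sessions[sid] for sid in order]


def report(lines: List[str]) -> List[str]:
    """One line per session: id, exit status and diagnosis."""
    return ["[%s] status=%s: %s" % (s.sid, s.exit_status, s.diagnosis())
            for s in parse_sessions(lines)]


# Constructed from the two sessions in the post (abridged).
SAMPLE_LOG = """\
[243] Session Start
[243] Creating LDAP context with uri=ldaps://130.18.22.44:636
[243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
[243] supportedLDAPVersion: value = 3
[243] No Login DN configured for server 130.18.22.44
[243] Binding as administrator
[243] LDAP Search:
        Base DN = [ou=employees,o=msues]
        Filter  = [uid=vpntest]
        Scope   = [SUBTREE]
[243] User DN = [uid=vpntest,ou=employees,o=msues]
[243] No results returned for iPlanet global password policy
[243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
[243] Session End
[244] Session Start
[244] Binding as administrator
[244] User DN = [uid=vpntest,ou=employees,o=msues]
[244] Binding as user
[244] Performing Simple authentication for vpntest to 130.18.22.44
[244] Authentication successful for vpntest to 130.18.22.44
[244] Retrieved User Attributes:
[244]   sn: value = test user
[244]   uid: value = vpntest
[244]   objectClass: value = top
[244]   objectClass: value = inetOrgPerson
[244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
[244] Session End
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

    Running it over the constructed log prints session 243 as "User DN resolved but the ASA never bound as the user" and session 244 as "ok"; on a real capture, pipe the output of the debug into the parser and compare which step is the last one reached for the failing path.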

    Hi Larry,
    You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
    Let me know if further assistance is required!
    Please proceed to rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem with authentication to an LDAP server with a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued a new certificate which is valid for up to 5 years.
    Will Java authenticate for up to one year only?
    Can anybody help on this issue...
    Regards
    Ranga

    Sorry, I am getting the same error:
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    When I use the old certificate and change the system date, I can get the authentication.
    Can you tell me where we should concentrate to solve the issue? Where is the issue:
    1. need to check with the LDAP server only
    2. problem in the Java code only
    Thanks in advance
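    A PKIX path validator (the code behind Java's "timestamp check failed") checks the notBefore/notAfter window of every certificate in the validated path, not only the server certificate, so a fresh five-year leaf certificate still fails if an issuing CA certificate in the path has expired; moving the system clock back into that issuer's window makes the whole path validate again. As an added example that is not part of the original thread, the following walks a chain leaf-first and names the first certificate that is outside its window at the validation time. The chain, names and dates are constructed for illustration.

```python
"""Find the first certificate in a chain that is not valid at a given time.

Added example, not code from the original post. The chain below is
constructed; the subject names and dates are hypothetical.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class CertInfo(NamedTuple):
    subject: str
    not_before: datetime
    not_after: datetime


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def first_invalid(chain: List[CertInfo], now: datetime) -> Optional[CertInfo]:
    """Return the first certificate (leaf first, root last) whose validity
    window does not contain `now`, or None if the whole path is valid."""
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return cert
    return None


def explain(chain: List[CertInfo], now: datetime) -> str:
    bad = first_invalid(chain, now)
    if bad is None:
        return "path valid at %s" % now.date()
    return "timestamp check failed at %s: %s is valid only from %s to %s" % (
        now.date(), bad.subject, bad.not_before.date(), bad.not_after.date())


# Constructed chain: a freshly issued five-year server certificate signed by
# an issuing CA whose own certificate has already expired.
CHAIN = [
    CertInfo("CN=ldap.example.test", utc(2012, 6, 1), utc(2017, 6, 1)),
    CertInfo("CN=Example Issuing CA", utc(2010, 1, 1), utc(2012, 12, 31)),
    CertInfo("CN=Example Root CA", utc(2005, 1, 1), utc(2025, 1, 1)),
]

if __name__ == "__main__":
    # Current clock: the issuing CA is expired, so the path fails although the
    # leaf has years left. Clock moved back: the whole path validates, which
    # is the "works when I change the system date" symptom.
    print(explain(CHAIN, utc(2013, 3, 1)))
    print(explain(CHAIN, utc(2012, 9, 1)))
```

    When diagnosing the real error, dump each certificate the LDAP server presents during the handshake plus the CA certificates in the JVM truststore and compare their dates against the JVM's clock; the one outside its window is the one the validator is complaining about.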

  • Still LDAP server not responding when add to authentication search path ...

    Howdy All,
    I still have an OS X Server 10.5.6 (running Open Directory with its own Master directory) that when configured to connect to a corporate LDAP server indicates the server is responding fine, but when I add the server to the authentication search path, the server is no-longer responding.
    I suspect this may mean the LDAP server is choosing to no-longer respond? Is it possible that the LDAP server could have my machine / IP address "black-listed" in some way? I have asked corporate IT but they didn't seem to think so (although I was queried before about repeated connect attempts).
    Somewhat strangely I can configure a laptop client (OS X 10.5.6) to connect to the same LDAP server from an Ethernet port on the same LAN and it works fine. However, when I connect this laptop to the LAN through my server (WiFi NAT) I get the same issue as described above.
    I don't have the firewall on the server turned on. I have played around with some certificates on the server, but have set "TLS_REQCERT never" in the ldap.conf file on the server (and client) as suggested by corporate IT. I have Kerberos running on the server and all else seems fine on the server.
    Can anyone suggest what may be causing this? Or how I can debug the problem?
    Thanks in advance.
    Cheers,
    Ashley.

    Hi Jeff,
    Thanks for your post. That said, I'm not sure how you got the impression that I wish to go to Maine; I'm happy here in Perth, Western Australia.
    Jeff Kelleher wrote:
    Connecting a Mac to an LDAP server is a far cry from connecting a OS X Server to an existing LDAP server. Not that I could necessarily help, but asking how to connect an OS X Server to an LDAP server is a bit like asking "guess where I am now, how do I get to Maine?"
    You need to provide as much info as you can.
    Seriously though, I'm not sure of the difference. I am using Directory Utility to allow this OS X Server to get authentication information from an LDAP server just like an OS X Client would.
    I have Open Directory in Server Admin just setup to connect to a directory system (i.e. the organisation LDAP server), not a master or replica.
    My final goal is to allow access to an OS X TeamsServer Wiki by users who are authenticated against the LDAP server (rather than having to have separate accounts, logins, on the OSXS.)
    I am hoping that I can use a group from the LDAP server to define the team, but perhaps I will have to run a standalone OD. I hope then I can add LDAP users to the OD group.
    What other information would help?
    Thanks,
    Ashley.
    OS X Server 10.5.6
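    The "TLS_REQCERT never" setting mentioned in this thread tells the OpenLDAP client library to accept any certificate the server presents, so an LDAPS connection completes against whoever answers on port 636 and the bind credentials go to that peer. It is useful for ruling out certificate problems while debugging, but not a setting to leave in place. As an added note that is not part of the original thread, here is that setting beside a verifying equivalent; the assumption is that the file meant is the OpenLDAP client configuration (/etc/openldap/ldap.conf on OS X), and the CA bundle path is hypothetical.

```conf
# Weak, as used for debugging in the thread: no server certificate check.
TLS_REQCERT never

# Verifying equivalent: trust only the corporate CA (path is an assumption)
# and refuse the connection if the server certificate does not validate.
TLS_CACERT  /etc/openldap/cacerts/corporate-ca.pem
TLS_REQCERT demand
```

    With "demand" in place, a failure to connect points at the certificate chain (wrong CA, hostname mismatch, expired certificate) rather than at the directory itself, which is exactly what "never" hides.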

  • J2ee implementation with jaas/LDAP

    Hi;
    I am looking for a good J2EE implementation or light framework using the JAAS API and an LDAP directory to authenticate a user and assign a profile to them.
    I have already analysed the framework JGuard.
    Regards;

    If I understand you correctly, you want to have an application deployed in WebLogic (you don't say what version) use standard J2EE JAAS for declarative authentication and authorization, but use an LDAP provider for the actual implementation.
    If that's the case, at least in WebLogic 8.1 (I don't know about older versions), you shouldn't need any third-party packages. You can configure your WebLogic domain with authentication and authorization providers that interface with an LDAP server. This will work with the JAAS implementation in WebLogic. You can go to <http://e-docs.bea.com/wls/docs81/secmanage/> to read about configuring security in WebLogic (including the LDAP authentication provider).

  • FMWControl with thirdparty LDAP

    Hello,
    We have a need to configure our application, which is built using ADF, to manage security policies for page and task flow authorization. I understand that we can use FMWControl from Oracle Enterprise Manager to define the security policies in OID 11g. How do we configure FMWControl to manage the same security policies in other third-party LDAP servers? Our customer base may have already defined their enterprise users and roles in a different LDAP. We want our customers to leverage their existing investments.
    Thanks.
    Rama

    "Ross Bonner" <[email protected]> wrote in message
    news:3f818fe9$[email protected]..
    I can't find any documentation for WebLogic 7.0 on how to configure LDAP authentication using the embedded LDAP server.
    Has anyone successfully gotten LDAP authentication configured with the embedded LDAP in WebLogic 7.0?
    What steps did you take to get it working?
    Can you provide more information on exactly what you are trying to do? There is the external LDAP provider and the default authenticator provider. Do you want to configure authentication in one domain to use the embedded LDAP server of another domain?

  • HELP! LDAP server problem

    I'm using IDS 5.1 in our system. Yesterday it had problems: other servers connecting to its port 389 said connection timed out. The network was OK, the service was OK, but users could not authenticate. In the LDAP server files, the directory changelogdb had been held for days; the errors log said:
    [11/Jan/2006:10:49:39 +0800] NSMMReplicationPlugin - agmt_delete: begin
    [11/Jan/2006:10:49:48 +0800] NSMMReplicationPlugin - agmt_delete: begin
    [11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5GetNextEntry: failed to get entry; db error - 12 Not enough space
    [11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to commit transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
    [11/Jan/2006:10:53:56 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to begin transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
    [11/Jan/2006:10:53:56 +0800] NSMMReplicationPlugin - _cl5TrimFile: failed to begin transaction; db error - -30989 DB_RUNRECOVERY: Fatal error, run database recovery
    Does anyone know what happened and what might cause this problem?
    Thanks

    As indicated by the log:
    [11/Jan/2006:10:53:55 +0800] NSMMReplicationPlugin - _cl5GetNextEntry: failed to get entry; db error - 12 Not enough space
    So check out your disk space first.
