Oracle Portal for LDAP Authentication using Iplanet directory server

Similar Messages

• Oracle Portal for LDAP Authentication(Iplanet)

  Oracle portal installed on Solaries machine and LDAP (iplanet) installed on windows NT machine.I am able to take ldif file from portal30 user and add to ldap.( under o=oracle tree)
  Completed all step mentioned in document conf_ldap.pdf as follows
  1. created library pointing to ssoxldap.so in portal30_sso schema
  2. made change to listner.ora and tnsnames.ora file and able tnsping also.
  - tnsping extproc_connection_data
  3. ssoldap.sql also ran in portal30_sso schema with all LDAP information.
  (like ----
  Host: challasv
  Port: 389
  Search Base: cn=Login Server (portal30_sso),o=oracle
  Unique Attribute: cn
  Bind DN: cn=Portal Login
  Bind Password: portal30
  If I am try to login through browser in say Unexpected errors (WWC-41400). Is I am doing any thing wrong.
  Also i am albe run ldapsearch from another machines working fine.user following command
  - ldapsearch -b "cn=Login Server (portal30_sso),o=oracle" -h challasv -p 389 -D "cn=Poral Login" -w portal30 cn=portal30
  my questions is Iplanet(LDAP) can integrate with Portal or any steps missed.
  Please help in this regard,
  Challa

  You may want to use ssoxoid.pkb package that comes with Portal/Login Server 3.0.9 which simplifies the configuration.
  Also, you will not have to run the external procdure listener. Please refer to the Login Server Admin. guide for more details.
  NOTE:
  the 3.0.9.8.0 version of ssoxoid.pkb is not good. You need to download 3.0.9.8.2 patch and get the ssoxoid.pkb file from there.
  Also, you may want to turn on debug for SSO Server to see debug msg.
  DEBUG
  ========
  You need to loginto the Login Server schema and run following commands to see debug msg.
  sqlplus portal30_sso/password
  TO TURN ON DEBUG
  1. Create debug proceure
  CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS
  PRAGMA autonomous_transaction;
  BEGIN
  INSERT INTO wwsso_log$ VALUES
  (wwsso_log_pk_seq.nextval,
  substr(str, 1, 1000),
  sysdate,
  dbms_session.unique_session_id
  commit;
  END debug_print;
  show errors;
  TO SEE THE DEBUG LOG
  2. Try to login using portal login link
  and see the error msg from the log table
  select msg from wwsso_log$ order by id;
  TO STOP THE DEBUG LOG
  3. Delete the log
  delete from wwsso_log$ ;
  commit;
  4. Turn off debugging
  CREATE OR replace PROCEDURE debug_print (str VARCHAR2)
  AS
  BEGIN
  null;
  END debug_print;
  show errors;

• Oracle 9i/10G DB authentication using Active Directory (with out OID)

  Hello All,
  We want to use a Single-Password authentication scheme using the Active
  Directory as the primary source for userId/Password.
  We don't want to use the Active Directory and OID bridge.
  As we have many databases and would like to configure all Databases to use Active
  Directory for Authentication. Our goal is to have single id/password across all
  the databases and any user should be able to login from any computer using their
  windows id/password, note that we don't want to use the OSAuthentication.
  We have read the documents provided by oracle for authentication using Active
  Directory, we were able to create Oracle Schema in Active Directory and were
  also able to register a DB with Active Directory and then created user as global
  user in Oracle Database and provided the DN of the user. When we tried
  authenticate with all this setup it comes back and says invalid ID/Password !!!
  And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
  Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
  Envoirnment:
  Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
  Operating System: Windows 2000/ Windows 2000 Server
  Constraint: We don't want to user OID ( as we don't have license for this
  product ! )

  I have a thread started similar to your request.
  OS Authenication on Windows
  Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
  SHOW PARAMETER OS_AUTHENT_PREFIX;
  SHOW PARAMETER REMOTE_OS_AUTHENT;
  CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
  GRANT CREATE SESSION TO OPS$SOMEUSER;
  For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
  CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
  I really wish Oracle or somebody created a guide or book on how to do this.

• Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

  I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
  digest-challenge:
  realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
  digest-response:
  username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

  Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
  example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
  The server also accepts a simple uid value.
  example: username="bgbrown"

• Configuring Oracle 9iAS for LDAP Authentication

  I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
  " Bind variable "CN" not declared ".
  I even compile the package ssoxldap.pkb before that. But still this error persists.
  tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
  Can anyone help me in this.

  I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
  And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
  ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  but instead we shoud write this:
  ldapadd -h i3dt111 -p 389 -D cn=orcladmin
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  . Just remove the single quotes in the username string.
  Anyways, thanks for your suggestions.
  null

• Transparent logon to Oracle Portal for Win2000 users with Active Directory

  At a customer site, users log on to a Win2000 Domain based upon MicroSoft's Active Directory.
  They want to transparently (i.e.: without giving their credentials again) log on to Oracle Portal, in the same way as they could do with mod_ntlm if they were on a NT domain.
  Oracle 9iAS (not yet decided whether v.1 or v.2) will be installed on a AIX based server.
  Does anybody have any suggestions?

  Hi,
  the user cannot save private workbooksUnfortunately this is true. The workbook is saved with the database user so any workbooks saved by one user would be visible and could be changed by any user who shared the same database username. You could implement your own security over the EUL5_DOCUMENTS table by having a trigger to put the SYS_CONTEXT('userenv','client_identifier') into the doc_user_prop1 column and then create a VPD policy on the table that ensured users could only see their own workbooks. This is of course a un-supported change to the EUL tables.
  the user to manage a database password too in order to use Discoverer Plus and create/save workbooksThis is not necessary.
  Rod West

• Solaris 8 and iPlanet Directory Server 5.1: Help

  Could anyone help with advice or where to find documentation of how to setup a Solaris 8 client machine to authenticate against iPlanet Directory Server 5.1? The only documentation (eg books, BluePrint articles) I can find cover iPlanet Directory 4.11 or 4.12 and a Solaris 8 client. Even the tools from the BluePrint Tools area at Sun only talk about using iPlanet Directory Server 4.11/12. Quite a lot seems to have change from iDS 4.12 to iDS5.1.
  Any help would be greatly appreciated.
  Thanks in advance,
  Stewart

  Hi Steven, I suppose that this question is identical to your other question: " Topic: solaris 8 client setup with solaris 9 ldap".
  So the answer will be the same.
  You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
  It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9"
  Cheers / Damien.

• Store Print & File Server on iPlanet Directory Server?

  I've a NT 4.0 server which I'm using as both a Print & File Server. Would I be able to use iPlanet Directory Server to do the same thing?
  If I can, please explain how? or direct me to where I can know how?
  If it can't be done, is there any other way(s) I can do it?
  Thanks!

  I don't understand. iDS is not a file and print server, it is a user data and user authentication server. Do you want to use iDS for your user authentication for file and print services instead of NT 4 domains? I don't think this is possible. What is possible is using iDS as your primary data store, and using iPlanet Meta Directory to sync changes from iDS to the NT 4 domain.

• Portal Authentication using Active Directory

  I am trying to set up authentication using Active Directory. Can anyone provide me with instructions on what to do ? I know that I have to go to System Admin - > System Configuration - > UM configuration and change the Data Source. What else do I need to do...How do specify which domain to authenticate against. Do I have to change the XML file. Please help.

  It depends on what you wanna do with the AD server. If you want to read/write on the AD then you have to first setup SSL connection between the two boxes.Else if you just want to read from AD server you don't require a SSL connection. Then you have to select the hierarchy type in the System Admin - > System Configuration - > UM configuration. Save.
  Next thing you do is to open the config tool and modify your xml file accordingly.
  And restsart the server.
  Hope this helps.
  Regards,
  Hassan

• Generating Self Signed Certificate for iPlanet Directory Server for testing

  Hi Experts,
  I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
  Thanks in Advance,
  Kalyan

  Here's one I did earlier.
  Refers to Solaris 10
  SSL Security
  add a new certificate that lasts for ten years (120 months).
  stop the instance:
  dsadm stop <instance>
  Remove DS from smf control:
  dsadm disable-service <instance>
  Change Certificate Database Password:
  dsadm set-flags <instance> cert-pwd-prompt=on
       Choose the new certificate database password:
       Confirm the new certificate database password:
  Certificate database password successfully updated.
  Restart the instance from the dscc:
  DSCC -> start <instance>
  Now add a new Certificate which lasts for ten years (120 months; -v 120):
  `cd <instance_path>`
  `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
       Enter Password or Pin for "NSS Certificate DB":
  Stop the Instance.
  On the DSCC Security -> Certificates tab:
       select option to "Do not Prompt for Password"
  Restart the instance.
  On the Security -> General tab, select the new certificate to use for ssl encryption
  Restart the instance
  Stop the instance
  Put DS back into smf control:
  dsadm enable-service <instance>
  Check the smf:
  svcs -a | grep ds
  # svcs -a|grep ds
  disabled Aug_16 svc:/application/sun/ds:default
  online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
  online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Oracle Portal for win98?

  Is oracle portal for Win98 available for download? Will it work with Microsoft PWS?

  This is really not the forum for this type of question.
  However, Oracle Portal is available for Solaris and will be available shortly for Windows NT. It will be ported to platforms that 9i Application Server is ported. I do not believe that Windows 98 is on that list.
  Second answer. Microsoft PWS is not currently supported with 9i Application Server.
  null

• Where can I get iPlanet Directory Server 4.1.3 for Linux

  Hello everyone,
  we are developing IMPS solution. but we need to support legacy system. How can we get a iPlanet Directory Server 4.1.3 for Linux for evaluation?
  Many thanks
  Billiken Xie

  Why you want to have NDS 4.11? Any version of the NDS 4.1x will support Solaris 2.6 and 8. This version is nolonger available in iplanet's site. I suggest you to get NDS 4.13 or later version. At iplanet's web site, you will find the latest version, 4.16. Also, you will find 4.13 from Solaris 8's CD ording from Sun's reseller.
  Lucas

• Is there any hardware requirement guideline for iPlanet Directory Server?

  I plan to set up the iPlanet Directory server. I need to select the appropriate hardware platform for the DS capacity. e.g what CPU model, ram & hard disk size if entries is around 10000 etc.

  The upper limit for iDS 5.0 is 2G of RAM but for 100K users, expect about 80-85MB ldif file which correlates to about 290-300Mb importCacheSize. This means that you will need 64Mb+300Mb minimum.
  As far as network, 100BaseT is adequate but GBit or multiple 100BaseTs are better.
  SSL hardware is recommended if running securely.
  As far as processors, an Ultra60 1x440Mhz or a Dell PowerEdge 2400 1x776Mhz will work. Attaching 2x18G disk should be enough. Go with scsi over ide if possible.
  pat

• Backup / Journaling function for IPlanet Directory Server?

  Hi,
  does the iPlanet Directory Server provide a journaling function (logging and restore possibility of all changes made between two backups) ?
  I can�t find anything in the docs, but I somehow can�t image that this feature is not supported ...
  Thanks
  Kris

  I'd be interested to know this, as well. Did you find an answer for this?