Password Recon from LDAP

Hi,
Does OIM not support recon of passwords from the Sun Java Directory Server? I am doing a trusted recon from the DS and would like to reconcile the passwords from DS as well during initial load. Can someone please tell me how I can achieve this?
Also, I was able to reconcile users with blank passwords into OIM. How does OIM allow this, since password is a mandatory field while creating any user? How does OIM populate the passwords in this case?
Thanks,
Supreetha

Being able to pull passwords from a target system is a big no no. This would create a huge risk in your targets. Also, if you recon the passwords, they would be available in plain text in the recon manager events. When you implement a system like OIM, and use OIM as the authenticator, you need to perform the registration process of some sort. Typically, you are integrating with a directory that already exists to provide your Single Sign on Access into your system, so the existing passwords will continue to work.
-Kevin

Similar Messages

  • Howto: pull Authn Questions and Answers during recon from ldap

    hi Sun team,
    ENV:
    IDM6.0 , LDAP is a target resource and Psft is source resource.
    Business case:
    I have a CU Requirement, where I need to recon from LDAP and to do the initial seeding of idm.
    This LDAP has questions and answers stored for each user as it was being used for their current self service app. When I recon against LDAP, I am able to pull the users, but I somehow cannot populate the waveset.questions[#0].question and answer fields as well as waveset.suppliedQuestions[#0].question and answer fields. How would I go about pulling that info from LDAP into IDM so that IDM becomes the self-service app.

    Steve,
    I have the same range of user population. I have tested the functionality of it, but not the performance of it. Here is how my file looked, it had to have the username.
    **********FILE format*******************
    command,user,waveset.questions[#0].answer,waveset.questions[#1].answer,
    waveset.suppliedQuestions[#0].suppliedQuestion,waveset.suppliedQuestions[#0].answer
    update,ac5234,helloA1,helloA2,what is my dogs name?,puppy
    update,ac7234,helloAC1,helloAC2,what is my moms name?,angie
    ***********************************************************************************

  • Password retrieval from LDAP

    Hi Guys,
    I am trying to retrieve the password field from ldap and then send the same to the requested user ( forgotten password functionality ).
    I am able to retrieve the password from LDAP in encrypted form (which is in md4 format) but am not able to get it in clear text from LDAP.
    If anyone has successfully done the same, I would greatly appreciate it if he/she could help me out.
    Thanks
    Bindu

    My getpass.cmd script extracts the PORTAL, ORASSO, ORASSO_PA, and ORASSO_PS passwords from OID. Take a look at that and you should be able to see a way to get what you need...
    Look up my contributions in the Knowledge Exchange under BRUSARDL
    HTH
    LLB

  • LDAP : retrieve the password from LDAP

    Hi,
    I am trying to authenticate the user by comparing the password that is entered by him with the password in LDAP. Basically I have to do a String comparison. I am able to retrieve all the attributes set for that user but the password is retrieved as:
    [B@867e89
    I did a toString() for that but no change.
    String s = attr.get().toString();
    I even tried to convert this String to a byte array and then compare:
    byte[] newUnicodePassword = null;
    try {
        newUnicodePassword = s.getBytes("UTF-16LE");
        System.out.println("Checking 2  :" + newUnicodePassword.toString());
    } catch (UnsupportedEncodingException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    But of no use. When I converted this byte array to a string it is the same encrypted characters.
    So I could not compare with the password that is entered by the user.
    Can anyone please tell me why this is happening, and how I have to get the password from LDAP.
    Thanks in advance.

    You do not retrieve your passcode.
    Connect the iOS device to your computer and restore via iTunes. Place the iOS device in Recovery Mode if necessary to allow the restore.
    If recovery mode does not work try DFU mode.
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings
    For how to restore:
    iTunes: Restoring iOS software
    To restore from backup see:
    iOS: How to back up
    If you restore from iCloud backup the apps will be automatically downloaded. If you restore from iTunes backup the apps and music have to be in the iTunes library since synced media like apps and music are not included in the backup of the iOS device that iTunes makes.
    You can redownload iTunes purchases by:
    Downloading past purchases from the App Store, iBookstore, and iTunes Store

  • How to retrieve all the users along with their password from LDAP

    Hello,
    Can anyone let me know how to retrieve and list all the users along with their password from LDAP.
    Thanks

    Hi Prashant,
    I have limited experience with Synchronization, but I agree with you - if you need to synchronize Passwords, you need to have the Password in clear Text.
    If you are trying to build your own Synchronization Solution using any of the available LDAP APIs, I don't think you can ever retrieve a user's Password in clear text.
    However, I did come across an interesting article & I hope you find it useful :-
    http://www.oracle.com/technology/obe/obe_as_10g/im/configssl/configssl.htm
    I am not sure if SSL is necessary - If you have a look at Metalink Note 277382.1 ( How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD) ), the question asked by oidspadi.sh for the same is answered as "N".
    Regards,
    Sandeep

  • How I get user info from LDAP using Java after authenticating user with SSO

    Hi
    I have one jsp/bean application as a partner application with SSO.
    It works fine.
    Now I need to get other attributes of the user from LDAP who has logged into the application through SSO.
    Using the SSO Java APIs I only get username, userDN, subscriber info.
    To get the user's other attributes I have to use the LDAP APIs, for which I have to create a Directory Context, and for that I need the user password.
    So here is my question: how do I get the user password after he has logged in through SSO?
    regards..
    and thanking you in advance
    samir

    Valentina,
    there's no way to get the password value from the directory (it's one way). Of course you can get the hashed (MD4,MD5,SHA-1) base64 encoded value (i.e. the value you see in OiD) but not the 'password'.
    --Olaf
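The question in the "retrieve the password from LDAP" thread above (comparing what the user typed with the userPassword attribute) and Olaf's reply that only the hashed, base64-encoded value is available come down to the same operation: hash the candidate the same way the directory did and compare digests, never the other way round. The `[B@867e89` in that question is Java's default toString() of a byte array, so the value has to be handled as bytes first. The following is an added example, not code from any of the posts; it assumes the RFC 2307 `{SHA}`, `{SSHA}`, `{MD5}` and `{SMD5}` userPassword formats (salted schemes append the salt after the digest inside the base64), and all sample values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Digest length in bytes for each RFC 2307 userPassword scheme handled here (assumption:
# these four schemes; a real directory may also use CRYPT or others, which we reject).
_DIGEST_LEN = {"SHA": 20, "SSHA": 20, "MD5": 16, "SMD5": 16}


def _digest(scheme: str, data: bytes) -> bytes:
    if scheme in ("SHA", "SSHA"):
        return hashlib.sha1(data).digest()
    if scheme in ("MD5", "SMD5"):
        return hashlib.md5(data).digest()
    raise ValueError("unsupported scheme: " + scheme)


def make_user_password(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> bytes:
    """Produce a userPassword value of the form {SCHEME}base64(digest + salt).

    This is what the directory stores and what a search returns as a byte[]; the clear
    text is never recoverable from it. Salted schemes (SSHA, SMD5) carry the salt after
    the digest inside the base64 blob.
    """
    scheme = scheme.upper()
    if scheme not in _DIGEST_LEN:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = _digest(scheme, password.encode("utf-8") + salt)
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(digest + salt)


def verify_user_password(candidate: str, stored: bytes) -> bool:
    """Check a candidate password against a stored hash without needing the clear text."""
    if not stored.startswith(b"{") or b"}" not in stored:
        return False  # no scheme prefix: not a hashed value this verifier understands
    scheme_bytes, _, b64 = stored[1:].partition(b"}")
    scheme = scheme_bytes.decode("ascii", "replace").upper()
    digest_len = _DIGEST_LEN.get(scheme)
    if digest_len is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < digest_len:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = _digest(scheme, candidate.encode("utf-8") + salt)
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample: the value a search would return for userPassword.
    stored = make_user_password("correct horse", "SSHA")
    print(stored.decode("ascii"))
    print("correct:", verify_user_password("correct horse", stored))
    print("wrong:  ", verify_user_password("Correct Horse", stored))
```

In practice the directory does this comparison for you: binding as the user's DN with the supplied password (an LDAP simple bind) is the usual way to authenticate, and it works regardless of which hash scheme the server uses. The code above is for the case where a stored hash has to be checked outside the directory.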

  • How to get user information from ldap - bpm11g

    hi all,
    I need to know how to get information from LDAP, using an ADF bean to show the user data in an ADF form.
    anyone knows about this ?
    tks.

    Neal wrote:
    >
    Hi,
    I am using WLS default authentication to protect my JSP pages. Can someone tell
    me if it is possible to add more fields to the default login box (in addition
    to login and password boxes, I want to ask user the department name). In addition,
    can WLS propagate this information (department name) along with other security
    credentials to other J2EE components such as EJBs? In my EJBs I want to be able
    to get the department name that user provided during login and then use that for
    conditional business logic.
    Any insights on this subject will be greatly appreciated.
    TIA,
    -Neal

    You can't do this with the default simple authentication. That can only handle a
    username / password combination.
    You should be able to do this with JAAS. You could write a LoginModule that
    populates the department as a Principal or public Credential on the Subject in
    addition to the normal authentication. You would have to do a callback handler
    that passed through the department info to it.
    This link has more on WLS's stab at JAAS:
    http://e-docs.bea.com/wls/docs61/security/prog.html#1039659
    Once you have associated the Subject with the access control context by invoking
    a doAs() you should be able to get it back at any point with
    Subject.getSubject(AccessController.getContext()) to get access to the
    department info.
    It will all be a bit of a chore, mind.

  • Problem with activesync provisioning user from  ldap to red hat

    hello,
    I am using ActiveSync to provision the user from LDAP to Red Hat Linux. I am getting the following error message:
    An error occurred adding user '#########' to resource 'Red Hat Linux'.
    Script failed waiting for " PASSWORD:" in response "passwd: Only one user name may be specified.
    _,)#+(:"
    Script processor timed out with nothing to read and the following unprocessed text: "passwd: Only one user name may be specified.
    _,)#+(:".
    When I try to assign the Red Hat resource to a user from the IDM, the user is provisioned to Red Hat successfully. The ActiveSync form is working for all the other resources except Red Hat.
    Can anyone give me a solution for the above problem?
    thanks in advance.

    Have you set the xhost as ROOT (xhost +hostname), and then as the ORACLE user type "export DISPLAY:0.0" (without the quotes of course) ? This needs to be done prior to running the installer. Try this site for further information - http://www.puschitz.com/OracleOnLinux.shtml

  • Logical identifier for User Notes synchronized from LDAP

    After a synchronization from LDAP to Notes,
    The user entry is created, all attributes are OK
    The certificate is created and named with %uid%.id
    BUT the logical name of the user in the Notes database is constructed as "%givenname%SPACEd/DOMAIN".
    I don't understand the SPACE and the character d?
    Thanks for your help !
    BRs
    Vincent

    For analysis, we have synchronized 15 LDAP users to Notes.
    FirstName, Lastname and login attributes are from 1 to 15 characters in length, as follows:
    givenname, lastname, UID
    1,1,1
    F2,L2,ID
    F33,L33,ID3
    F444,L444,ID44
    F5555,L5555,ID555
    F66666,L66666,ID6666
    F777777,L777777,ID77777
    F8888888,L8888888,ID888888
    F99999999,L99999999,ID9999999
    Faaaaaaaaa,Laaaaaaaaa,IDaaaaaaaa
    Fbbbbbbbbbb,Lbbbbbbbbbb,IDbbbbbbbbb
    Fccccccccccc,Lccccccccccc,IDcccccccccc
    Fdddddddddddd,Ldddddddddddd,IDddddddddddd
    Feeeeeeeeeeeee,Leeeeeeeeeeeee,IDeeeeeeeeeeee
    Fffffffffffffff,Lffffffffffffff,IDfffffffffffff
    Between 6 and 8 characters, the logical Name of the user is correct
    It is constructed as %firstname% %lastname%/DOMAIN
    Less than 6 or more than 8 characters, the logical name is not correct
    We can show the partial path of the Lotus data directory.
    I can send a screenshot to an email Address if you want
    Why is this? It's not usable
    PS : All certificates can be viewed without providing a password!
    Why is the LDAP password of the user's entry not used to open the ID?
    Thanks for your help.
    BRs
    Vincent

  • Urgent: Please help: Trusted recon - Sun LDAP - timeout

    Hi Experts,
    I am doing trusted reconciliation with Sun LDAP using OIM 11.1.1.5 BP4.
    The LDAP system has around 3 lakh users, so I am planning to do the trusted recon in 5 or 6 intervals to get around 50K records each time.
    I tested for 1000 users - no timeout happens and all users are created perfectly using trusted recon.
    When I run for 25K users, I am getting the timeout exception below:
    1. It is searching and listing the users (please check the time)
    recon.schedule.tasks.tcTskIPlanetUserReconciliation : countRecord() : Before search time: Tue Oct 09 13:24:41 KST 2012
    recon.schedule.tasks.tcTskIPlanetUserReconciliation : countRecord() : TotalRecords from LDAP: 22882
    recon.schedule.tasks.tcTskIPlanetUserReconciliation : countRecord() : After search time: Tue Oct 09 15:54:42 KST 2012
    2. Timeout exception
    recon.schedule.tasks.tcTskIPlanetUserReconciliation : pagingBatchingReconciliation() : The searchBase is: ou=XX,ou=XX,o=XX
    pagingBatchingReconciliation() : Problem searching directory: javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; Remaining name: ou=XX,ou=XX,o=XX
    In iPlanet User Trusted Recon I gave,
    Abandoned connection timeout - 108000 (seconds)
    Connection pooling supported - false
    Connection wait timeout - 60 (seconds)
    LDAP Connection TimeOut - 3000 (seconds)
    Inactive connection timeout - 60 (seconds)
    Are the above parameters good for more than 25K users?
    Please help me...
    Thanks..

    They look good...
    Try to use Connection pooling too if possible...
    Abandoned connection timeout - 108000 (seconds)
    Connection pooling supported - true
    Connection wait timeout - 60 (seconds) --> Increase it to say 90 (seconds)
    LDAP Connection TimeOut - 3000 (seconds) --->
    Inactive connection timeout - 60 (seconds) --> Increase it to 600 (As the default value in the LDAP Server IT Resource Type Definition)
    Alternatively You can rather break your chunks in 20000 records because you are able to fetch 22882 records successfully....

  • OIM AD reverse password sync from one AD instance to multiple OIM instances

    Hi All,
    I have the following scenario. My client has multiple offices across the globe. They have OIM installed and configured in each location in each country to manage their local applications. The client also has a Global LDAP which is common across all the offices worldwide.
    My requirement is that I need to set up reverse password sync from the Global LDAP to all the OIM systems across the globe. As per the reverse password sync connector, I can only define one OIM system to sync the password to.
    Can you please suggest some way to achieve this functionality? Is it possible to install more than one password sync connector and configure them with different OIM systems?
    Thanks
    Yogesh

    I have one AD instance and n OIM instances. Can I install multiple AD-OIM password sync components on the same AD machine and configure each component with a different OIM?

  • Deleting user from LDAP

    How to delete the user permanently from LDAP. I want to delete the user's mail and calendar services also.

    Hi,
    It is generally not a best practice to touch your directory server directly. If you're just playing around for learning purposes it's OK. Otherwise, from an implementation perspective, do not try accessing DS directly.
    I will try giving you a solution if you use legacy mode of AM. I'm still learning about realm mode, but I guess such scenarios are mostly common between the two.
    You can use the amadmin command found in /opt/SUNWam/bin or, on Windows, c:\program files\sun\javaes5\identity\bin. You have a sample XML file, pcDeleteRequests. You could use this to delete just one or a few users.
    The sample is
    <Requests>
    <PeopleContainerRequests DN="ou=People1,dc=example,dc=com">
         <DeleteUsers>
         <DN>uid=dpUser,ou=People1,dc=example,dc=com</DN>
         </DeleteUsers>
    </PeopleContainerRequests>
    </Requests>
    Make an XML, run this command : amadmin -u "uid=amadmin,ou=people,dc=example,dc=com" -w <password> -t <your_file>

  • Query list of users from LDAP

    Hi Gurus,
    I am trying to programmatically query the list of users belonging to a particular user-group, from LDAP.
    LDAP is deployed on Weblogic as a 'provider'.
    I have the following details of the LDAP instance - host:port, security principal (CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com), LDAP password (credential), User Base DN.
    I tried the following using BPEL:
    <sequence name="main">
        <!-- Receive input from requestor. (Note: This maps to operation defined in BPELProcess1.wsdl) -->
        <receive name="receiveInput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="inputVariable" createInstance="yes"/>
        <!-- Generate reply to synchronous request -->
        <assign name="Assign1">
          <copy>
            <from>ora:getContentAsString(ldap:listUsers('people','ou=people'))</from>
            <to>$outputVariable.payload/client:result</to>
          </copy>
        </assign>
        <reply name="replyOutput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="outputVariable"/>
      </sequence>
    </process>
    and following is the content of the directories.xml that I have created:
    <?xml version="1.0" ?>
    <directories>
    <directory name='people'>
    <property name="java.naming.provider.url">ldap://<host>:<port></property>
    <property
    name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.security.principal">CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com</property>
    <property name="java.naming.security.authentication">simple</property>
    <property name="java.naming.security.credentials">password</property>
    <property name="entryDN">User Base DN</property>
    </directory>
    </directories>
    When I run this BPEL process, I get a blank value on my output variable -
    <outputVariable>
    <part  name="payload">
    <processResponse>
    <result><users xmlns="http://schemas.oracle.com/bpel/ldap"/></result>  
    </processResponse>
    </part>
    </outputVariable>
    Is there something I am missing here?
    Regards,
    Arindam

    Slight change in my approach here:
    I would like to use the WebLogic provider to connect to this LDAP.
    So... instead of MyProgram --> LDAP, it should now be MyProgram --> Weblogic/SecurityRealms/myrealm/Providers/myAuthenticator --> LDAP
    In this case, I won't be using the LDAP connection details; instead the WebLogic host/port and Authenticator name should be sufficient.
    How can I programmatically query the list of users using this approach?

  • Need help in retrieving attributes from LDAP using JNDI

    I am trying to retrieve attributes from LDAP using JNDI, but I'm getting the following error when I try to run my Java program.
    Exception in thread "main" java.lang.NoClassDefFoundError: javax/naming/NamingException
    I have all the jar files in my classpath: j2ee.jar, fscontext.jar and providerutil.jar. The interesting thing is that it gets compiled just fine but gives an error at run-time.
    Could anyone tell me why I'm getting this error? Thanks!
    Here's my code:
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.*;
    import java.io.*;

    class Getattr {
        public static void main(String[] args) {
            // Identify service provider to use
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // user info
            String userName = "username";
            String password = "password";
            // LDAP server specific information
            String host = "ldaphostname";
            String port = "portnumber";
            String basedn = "o=organization,c=country";
            String userdn = "cn=" + userName + "," + basedn;
            env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port + "/" + basedn);
            env.put(Context.SECURITY_PRINCIPAL, userdn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                // Redirect stderr to a file; all output below goes there
                System.setErr(new PrintStream(new FileOutputStream(new File("data.txt"))));
                // Create the initial directory context
                DirContext ctx = new InitialDirContext(env);
                // Ask for all attributes of the object
                Attributes attrs = ctx.getAttributes("cn=" + userName);
                NamingEnumeration ne = attrs.getAll();
                while (ne.hasMore()) {
                    Attribute attr = (Attribute) ne.next();
                    if (attr.size() > 1) {
                        // Multi-valued attribute: print every value
                        for (Enumeration e = attr.getAll(); e.hasMoreElements();) {
                            System.err.println(attr.getID() + ": " + e.nextElement());
                        }
                    } else {
                        System.err.println(attr.getID() + ": " + attr.get());
                    }
                }
                // Close the context when we're done
                ctx.close();
            } catch (javax.naming.NamingException ne) {
                System.err.println("Naming Exception: " + ne);
            } catch (IOException ioe) {
                System.err.println("IO Exception: " + ioe);
            }
        }
    }

    That doesn't work either. It seems it's not finding the NamingException class in any of the jar files. I don't know why. Any clues?

  • Retrieving user list from ldap (username - first and last, dn, cn)

    Hi,
    I tried connecting to the LDAP server and successfully connected, and now I need to get the user list from LDAP. Can anyone give me sample code to get the user list from LDAP?
    public static boolean testLDAP() {
        InitialDirContext ctx = null;
        try {
            Hashtable htbl = new Hashtable();
            htbl.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            htbl.put(Context.PROVIDER_URL, "ldap://padl:389");
            htbl.put(Context.URL_PKG_PREFIXES, "com.sun.jndi.url");
            htbl.put(Context.REFERRAL, "ignore");
            htbl.put(Context.SECURITY_AUTHENTICATION, "simple");
            htbl.put(Context.SECURITY_PRINCIPAL, "cn=administrator");
            htbl.put(Context.SECURITY_CREDENTIALS, "password");
            // A successful bind is the connectivity test
            ctx = new InitialDirContext(htbl);
            if (ctx != null) {
                ctx.close();
                return true;
            }
        } catch (NamingException e) {
            System.out.println("Error Connecting to LDAP Server.");
            System.out.println(e.toString());
            ctx = null;
            return false;
        }
        return false;
    }
    Thank You.

    Ok here is the code to fetch the user list (First Name, Last Name, cn, dn, mail) from LDAP.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    public class UserListFromLDAP {
        public static void main(String args[]) {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://host:389");
            DirContext ctx;
            try {
                ctx = new InitialDirContext(env);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            }
            NamingEnumeration results = null;
            try {
                SearchControls controls = new SearchControls();
                controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Subtree search from the root of the provider URL for every person entry
                results = ctx.search("", "(objectclass=person)", controls);
                while (results.hasMore()) {
                    SearchResult searchResult = (SearchResult) results.next();
                    Attributes attributes = searchResult.getAttributes();
                    System.out.println("dn----------> " + searchResult.getName());
                    System.out.println("cn----------> " + attributes.get("cn").get());
                    if (attributes.get("givenName") != null)
                        System.out.println("First Name--> " + attributes.get("givenName").get());
                    System.out.println("Last Name---> " + attributes.get("sn").get());
                    System.out.println("Mail--------> " + attributes.get("mail").get() + "\n\n");
                }
            } catch (NameNotFoundException e) {
                System.out.println("Error : " + e);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            } finally {
                if (results != null) {
                    try {
                        results.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
            }
        }
    }
    Here is the code to search for a user in LDAP based on cn or sn:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    public class LDAPUserSearch {
        public static void main(String args[]) {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://host:10389");
            DirContext ctx;
            try {
                ctx = new InitialDirContext(env);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            }
            NamingEnumeration results = null;
            // give either cn or sn to check
            String cn = "Common Name";
            String sn = "lastName";
            try {
                SearchControls controls = new SearchControls();
                controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // The value is passed as a filter argument ({0}) instead of being concatenated
                // into the filter string: the LDAP provider encodes it, so characters such as
                // '*', '(' and ')' in the input are matched literally rather than rewriting the filter.
                if (cn != null && !cn.equalsIgnoreCase("") && sn != null && !sn.equalsIgnoreCase("")) {
                    System.out.println("Please test with either cn or sn");
                } else if (cn != null && !cn.equalsIgnoreCase("")) {
                    System.out.println("Result based on cn:");
                    results = ctx.search("", "(cn={0})", new Object[] { cn }, controls);
                } else if (sn != null && !sn.equalsIgnoreCase("")) {
                    System.out.println("Result based on sn:");
                    results = ctx.search("", "(sn={0})", new Object[] { sn }, controls);
                } else {
                    System.out.println("No results found");
                }
                // results stays null when no search was run; check it instead of
                // relying on a caught NullPointerException
                while (results != null && results.hasMore()) {
                    SearchResult searchResult = (SearchResult) results.next();
                    Attributes attributes = searchResult.getAttributes();
                    System.out.println("Full Name:--------> " + attributes.get("cn").get());
                    if (attributes.get("givenName") != null)
                        System.out.println("First Name:-------> " + attributes.get("givenName").get());
                    System.out.println("Last Name:--------> " + attributes.get("sn").get());
                    System.out.println("Mail:-------------> " + attributes.get("mail").get());
                }
            } catch (NameNotFoundException e) {
                System.out.println("Error : " + e);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            } finally {
                if (results != null) {
                    try {
                        results.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
            }
        }

        public static void common() {
        }
    }
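The search code in the reply above builds its filter by concatenation, `"(cn=" + cn + ")"`, so input containing filter metacharacters changes the query instead of being matched as a name: a value of `*` matches every entry, and an unescaped `)` makes the filter malformed. The following is an added example, not code from the post; it is in Python so it runs offline. It shows an RFC 4515 value escaper, the concatenated filter beside the escaped one, and a small in-memory matcher over constructed entries that behaves like an LDAP equality/substring filter (case-insensitive, rejecting unescaped parentheses the way a server rejects a bad filter). The entries and DNs are constructed; `escape_filter_value`, `unsafe_filter`, `safe_filter` and `search` are names chosen here.

```python
import re
from typing import Dict, List

# Escapes required by RFC 4515 for characters that are special inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory entries (hypothetical DNs); one cn contains a literal '*'.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "cn=Alice Adams,ou=people,dc=example,dc=com", "cn": "Alice Adams", "sn": "Adams"},
    {"dn": "cn=Bob Brown,ou=people,dc=example,dc=com", "cn": "Bob Brown", "sn": "Brown"},
    {"dn": "cn=Carol*,ou=people,dc=example,dc=com", "cn": "Carol*", "sn": "Chen"},
    {"dn": "cn=Carolina Cruz,ou=people,dc=example,dc=com", "cn": "Carolina Cruz", "sn": "Cruz"},
]


def escape_filter_value(value: str) -> str:
    """Escape user input before placing it in an LDAP filter (RFC 4515, section 3)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(attr: str, value: str) -> str:
    """The concatenation from the post: the input is interpreted as filter syntax."""
    return "(" + attr + "=" + value + ")"


def safe_filter(attr: str, value: str) -> str:
    """Same filter with the value escaped, so it is matched literally."""
    return "(" + attr + "=" + escape_filter_value(value) + ")"


def _decode_pattern(value: str) -> List[str]:
    """Split an assertion value into literal pieces separated by unescaped '*'.

    Raw '(' or ')' inside the value is a syntax error, as it would be for a server.
    """
    pieces, cur, i = [], "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 3 > len(value):
                raise ValueError("malformed escape in filter")
            cur += chr(int(value[i + 1:i + 3], 16))  # \XX -> the literal character
            i += 3
        elif ch in "()":
            raise ValueError("malformed filter")
        elif ch == "*":
            pieces.append(cur)
            cur = ""
            i += 1
        else:
            cur += ch
            i += 1
    pieces.append(cur)
    return pieces


def _matches(pieces: List[str], attr_value: str) -> bool:
    """Case-insensitive equality or substring match, like caseIgnoreMatch on cn/sn."""
    v = attr_value.lower()
    pieces = [p.lower() for p in pieces]
    if len(pieces) == 1:
        return v == pieces[0]  # no unescaped '*': plain equality
    if not v.startswith(pieces[0]) or not v.endswith(pieces[-1]):
        return False
    pos, end = len(pieces[0]), len(v) - len(pieces[-1])
    for p in pieces[1:-1]:
        idx = v.find(p, pos, end)
        if idx < 0:
            return False
        pos = idx + len(p)
    return pos <= end


def search(entries: List[Dict[str, str]], flt: str) -> List[str]:
    """Evaluate one (attr=value) filter against the entries; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt, re.DOTALL)
    if not m:
        raise ValueError("malformed filter")
    attr, pieces = m.group(1), _decode_pattern(m.group(2))
    return [e["dn"] for e in entries if attr in e and _matches(pieces, e[attr])]


if __name__ == "__main__":
    for value in ("Alice Adams", "*", "Carol*"):
        print("unsafe", unsafe_filter("cn", value), "->", search(DIRECTORY, unsafe_filter("cn", value)))
        print("safe  ", safe_filter("cn", value), "->", search(DIRECTORY, safe_filter("cn", value)))
```

With the escaped form, `*` returns nothing because no entry's cn is literally `*`, and `Carol*` returns only the entry whose cn actually contains the asterisk; with the concatenated form the same inputs return every entry and every cn starting with "Carol". In JNDI the equivalent of `safe_filter` is the `search` overload that takes a filter expression with `{0}` placeholders and a filter-argument array, which is also what the reply's corrected code uses.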
