Pgina - authenticate windows against oid
Hi All,
Just thought I would let you know about pgina, if you don't already...
http://pgina.xpasystems.com/
It is a GINA (Graphical Identification aNd Authentication) that replaces the windows local or domain authentication, so you can authenticate against any plugin that you want. The LDAPAuth plugin works very smoothly with OID, very helpful if you are running the collaboration suite or just want to authenticate against oracle.
Here are the settings I used for my system...
LDAP Method: Map Mode
Server: your server's name
Port: 4032 (by default for OCS, 389 for some products)
prepend: cn=
append: cn=users,dc=xxx-domainname-xxx,dc=com
This works great for me... I have it set up so I can change my password through it and it maps network drives (since I'm using oracle ifs). If you have any questions, I check the forums often or just email me at kbbdb --- marist --- edu.
--Bill
are you talking about OID ext. auth. plugin (which version?) or "pgina" mentioned above?
regards
--Olaf
Similar Messages
-
Authentication failing for APEX against OID when uppercase used in password
We are using Application Express 3.1. I am authenticating against OID 10.1.2.2 and noticed some users were having problems logging into APEX. They are getting "Invalid Login Credentials". I eventually worked out it was when they were authenticating using a password having an uppercase character ... "Blackhawk" is one example. We authenticate discoverer using OID and do not have the same problem.
Has anyone else encountered this problem please?
Cheers Rod
The Function I use is shown below:
DECLARE
  V_TEST  BOOLEAN;
  V_EXIST NUMBER;
BEGIN
  -- Check 1: the user must be listed as a manager for the current financial year.
  SELECT COUNT(*) INTO V_EXIST FROM BE_MANAGERS
   WHERE MANAGER_CSO_CODE = :APP_USER
     AND FINANCIAL_YEAR_ID = BE_BUDGETS_APEX_PKG.CURRENT_FINANCIAL_YEAR;
  IF V_EXIST = 0 THEN
    HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
    OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
  END IF;
  -- Check 2: the user must be a member of the OID group OID-PilotUsers.
  V_TEST := HTMLDB_LDAP.IS_MEMBER
    ( p_username   => :APP_USER, p_pass => NULL
    , p_auth_base  => 'cn=Users,dc=planforlife'
    , p_host       => 'oraapp01'
    , p_port       => '389'
    , p_group      => 'OID-PilotUsers'
    , p_group_base => 'cn=vaultgroups,cn=Groups,dc=planforlife');
  IF V_TEST = FALSE THEN
    HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
    OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
  END IF;
EXCEPTION
  -- Any error in either check sends the session back to page 101.
  WHEN OTHERS THEN
    HTMLDB_APPLICATION.G_UNRECOVERABLE_ERROR := TRUE;
    OWA_UTIL.REDIRECT_URL('f?p=' || v('APP_ID') || ':101:' || v('APP_SESSION'));
END;

Rod:
Are you sure it is not the 'username' which is causing the issue? If it is the username then to preserve the case in which the username is entered you will need to set the 'p_preserve_case' parameter to true in the call to APEX_CUSTOM_AUTH.LOGIN. This API is invoked in the application's login page as an after-submit page process.
Varad -
Authenticate windows users via ACS
Hi,
Expert insight required for Cisco ACS. Is it possible to authenticate Windows users via ACS and apply ACL policies over network devices?
I would appreciate valued inputs.
Regards,

Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
Seems you are looking for DACL. Here is a document that can help you to understand the same
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
Let me know if you need any further help.
Jatin Katyal
- Do rate helpful posts - -
Microsoft Windows CPU OID changes between reboots
On my ACE4710s I'm using least-loaded predictors monitoring Microsoft Windows CPU usage. There are times when the MS Windows CPU OIDs can change between reboots. Is anyone aware of a way for the ACE to automatically adjust to the new CPU OIDs and continue to get accurate CPU usage values?
Hi Chuck,
I don't think that is possible. You need to know the OIDs before you configure them. You can configure multiple OIDs but still you need to know them. If they are changing after reboot I don't think ACE can anyway know about it.
Regards,
Kanwal -
I am new to jDeveloper and java.
I developed a jsp/adf application using jDeveloper 10.1.2 which runs on Oracle 10g application server.
The application works using the jazn-data.xml to access the db.
I need to modify the application to hang off an Oracle portal and access the db is obtained after the user logs into the portal using the portal login.
The user will access the application from logging into an oracle portal.
I am not the Unix admin, so we assume the OID/SSO is properly configured.
How can I pass the portal authentication to the jsp application to access the db without having to log in again.
Reading the Oracle documentation and looking at the Oracle examples did not provide any clues to how to accomplish this.

Shay
I have not seen the document you are referring to.
The document appears to contain information I can utilize.
I will post my progress on authenticating against the OID.
Thanks -
Authenticating 10g databases against OID 11g
Hi.
Our client currently uses OID 10g to authenticate users on their 10g databases. They intend to begin an upgrade to 11g beginning with the OID upgrade. Some applications though are likely to remain on 10g databases for the foreseeable future.
Will it remain possible to authenticate existing 10g database installations against the new OID 11g setup?
If so, will this happen automatically as part of the OID 10g->11g upgrade steps?
Many thanks.
Edited by: 893987 on 31-Oct-2011 08:49

Hi Sridhar
Did you come right with the Oracle case insensitive connection? I am at a client site and they are asking if I can create an Oracle case insensitive connection and need to know how to do this.
I have come right now. I have added the following into the parameters in the universe:
NTS_COMP = LINGUISTIC
NTS_SORT = BINARY_CI
When running a query the selection does not have to be case sensitive. eg. In the database it shows as "SOFTWARE" and if I run a query looking for "software" it returns the correct data.
Thanks
Sharon -
ACS 4.1 failure to authenticate Windows users.
Hello.
We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server.
Starting from today, ACS fails to authenticate users.
Using the same external user (andrea-meconi) I can verify successful and failed authentication.
This is the AUTH.log for a generic RADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 15:30:24 E 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: Starting 1 odbc workers
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: DLL initialised OK
AUTH 25/02/2013 15:30:24 I 0571 3900 AuthenLoadLibrary: Loaded DLL for External ODBC Database
AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: authenticate 'andrea-meconi' against External ODBC Database
This is the log for an EAP request...
AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: authenticate 'venezia\andrea-meconi' against Windows NT/2000
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Got WorkStation CISCO
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]
Windows AD running now on Windows 2008 server, migrating from 2003.
Any idea?
Thanks.
Andrea

Windows authentication FAILED (error 1783L)
The above error indicates that the migration happened over night. In order to resolve this issue you need to upgrade your ACS to at least ACS 4.2.0.124 patch 4 or above.
Supported Operating Systems section
--Windows Server 2008, Standard Edition
--Windows Server 2008, Enterprise Edition
--Japanese Windows Server 2008, Standard Edition, Service Pack 2
--Japanese Windows Server 2008, Enterprise Edition, Service Pack 2
NOTE: No version of ACS 4.x supports 2008 R2. Only ACS 5.2 supports it.
Regards,
Jatin Katyal
- Do rate helpful posts - -
Authenticate windows users accessing os x client using open directory?
I need to setup an OS X client machine (10.4.6) so that windows users (XP) can access folders based on their open directory credentials. (Using OS X server, open directory, windows PDC). If I turn on windows sharing in system preferences on the mac, it will only share local home folders to users with local accounts - not what I need. Any ideas? thanks.
Thanks! So now I see Open Directory, but it seems like it should be listed under the Server app with all the other services...
Anyhow, I seem to remember a way to administer the users and groups. This app shows me the status of the services, logs, settings. The Server app, if I click on Add Users button, then click "connect to it" to supposedly connect to the directory server, it won't take my credentials. I always get "Cannot authenticate to server. Please authenticate by entering the name and password of a user account in this server's directory."
Connect anonymously doesn't seem to do anything, it doesn't even dismiss the dialog.
So what am I missing? -
Can my AD connected server use kerberos to authenticate windows users?
Hi,
I have installed our brand new Xserve with leopard and set it up so that it is connected to a directory service (AD). I have checked to see if it is kerberized and it does appear so.
What I want to do is provide SSO for our users when they visit our intranet. Our users will be using Windows XP Pro clients. I have tried using basic authentication but this requires the user to enter their network username and password to authenticate. When I try setting the realm security to be Kerberos it doesn't work.
Can this be done and if so what am I doing wrong? Surely I am not the only person trying to integrate a mac server into a windows environment and provide windows clients with a seamless experience!
Please help anyone!!!!

Ok, we managed to solve this!!!
It was to do with Active Directory. You need to set the xserve in Active Directory to be trusted for delegation (all kerberos services) and voila! Sorted! -
ACS 4.2 failure to authenticate windows users
Hi all , we have a bit of a problem which we cannot seem to resolve.
The ACS can authenticate people using local database, it can also authenticate a single user (using windows database) if you are fast after the service is restarted, however after a few seconds, it fails to authenticate any users. The error we are seeing on the logs appears as authentication failure type: internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.
Any ideas on where we should look to the problem?

Hi,
It's running on windows 2003 server, is running as the system account.
Auth.log details below on a failed authentication
AUTH 04/09/2009 17:02:13 A 5789 3000 0x69 Worker 0 waiting for work
AUTH 04/09/2009 17:02:13 A 5789 1400 0x6 Worker 3 waiting for work
AUTH 04/09/2009 17:02:13 A 5789 0368 0x4 Worker 1 waiting for work
AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 0
AUTH 04/09/2009 17:02:23 A 5821 3000 0x69 Worker 0 established conn 166 with 127.0.0.1:1879
AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 1
AUTH 04/09/2009 17:02:23 A 5821 0368 0x4 Worker 1 established conn 167 with 127.0.0.1:1881
AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 3
AUTH 04/09/2009 17:02:23 A 5821 1400 0x6 Worker 3 established conn 168 with 127.0.0.1:1883
AUTH 04/09/2009 17:02:24 A 5853 0236 0x51 Worker 4 error/timeout, forcing API disconnect of connection 165.
AUTH 04/09/2009 17:02:24 A 5887 0236 0x51 Worker 4 closing conn 165 endpoint. Handled 2 messages.
AUTH 04/09/2009 17:02:24 A 5789 0236 0x51 Worker 4 waiting for work
AUTH 04/09/2009 17:02:30 E 2100 4080 0x6d External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L) -
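Both ACS threads above turn on reading AUTH.log for `Windows authentication FAILED (error 1783L)`. The following is an added example, not part of either post and not Cisco code: it pairs each Windows-authentication result with the user last attempted on the same worker and counts failure codes. The field layout (second numeric field treated as a thread id, optional `0x..` field) is inferred from the excerpts, and the sample lines, user names and `DC01` are constructed.

```python
import re
from collections import Counter

# Field layout inferred from the log excerpts in these threads (assumption):
# AUTH <dd/mm/yyyy> <hh:mm:ss> <severity> <code> <thread> [0x..] <message>
LINE = re.compile(
    r"^AUTH (\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) ([A-Z]) (\d+) (\d+) "
    r"(?:0x[0-9a-fA-F]+ )?(.*)$")
ATTEMPT = re.compile(r"Attempting Windows authentication for user (\S+)")
FAILED = re.compile(r"Windows authentication FAILED \(error (\w+)\)")
SUCCESS = re.compile(r"Windows authentication SUCCESSFUL \(by ([^)]+)\)")

# Constructed sample modelled on the two log formats quoted above.
SAMPLE_LOG = """\
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 25/02/2013 15:30:24 E 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user2
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by DC01)
AUTH 04/09/2009 17:02:24 A 5789 0236 0x51 Worker 4 waiting for work
AUTH 04/09/2009 17:02:30 E 2100 4080 0x6d External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
"""


def outcomes(log_text):
    """Pair each Windows-auth result with the user last attempted on that thread."""
    pending = {}   # thread id -> user name from the most recent "Attempting" line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an AUTH.log line in either of the two formats
        when = m.group(1) + " " + m.group(2)
        thread, msg = m.group(5), m.group(6)
        attempt = ATTEMPT.search(msg)
        if attempt:
            pending[thread] = attempt.group(1)
            continue
        failed, success = FAILED.search(msg), SUCCESS.search(msg)
        if failed or success:
            results.append({
                "when": when,
                # None when the excerpt starts after the "Attempting" line.
                "user": pending.pop(thread, None),
                "ok": success is not None,
                # Error code on failure, authenticating server on success.
                "detail": (success or failed).group(1),
            })
    return results


def failure_codes(results):
    """Count failed Windows authentications per error code."""
    return Counter(r["detail"] for r in results if not r["ok"])


if __name__ == "__main__":
    for r in outcomes(SAMPLE_LOG):
        print(r)
    print(dict(failure_codes(outcomes(SAMPLE_LOG))))
```
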
Can't authenticate Windows account
Hi guys. I'm trying to log onto my Windows XP computer over Leopard's SMB share, but whenever I mount the computer share and try to enter my user name and password from the XP computer, all that ever happens is the authentication window disappears, and I end up logged in as a Guest user. I've tried it with a couple of different test accounts on the Windows computer, but no joy. Any suggestions?
Also, is there any reason why the Windows computer pretty regularly disappears from the Finder sidebar for seemingly no reason?
Thanks!

Ah well that's irritating. How do things like this slip through Apple's obviously extensive testing? Another possible bug I've found is that I can't connect to a Vista computer on my network at all. It shows up in the sidebar, but that's as far as connecting goes. Does Vista sharing work in Leopard?
-
OEL ldap client setup with SSL against OID using either ldaps or starttls
Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger -
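The client settings in this thread (`TLS_REQCERT allow`, `tls_checkpeer no`, `TLS_CIPHERS SSLv3`) let the connection succeed without the server certificate having to validate. The following is an added example, not part of either post: a small auditor that flags such directives in `ldap.conf`/`ldaprc` text. The rule set, the function names and the `HARDENED` sample are this example's own; `PAGE_LDAPRC` repeats the `$HOME/ldaprc` lines from the answer.

```python
# Option names are compared lower-cased: OpenLDAP treats them as
# case-insensitive, and nss_ldap/pam_ldap write them in lower case.
WEAK_VALUES = {
    "tls_reqcert": ({"never", "allow"},
                    "the server certificate is not required to validate"),
    "tls_checkpeer": ({"no"},
                      "nss_ldap/pam_ldap skip server certificate verification"),
    "tls_ciphers": ({"sslv3"},
                    "cipher list pinned to the legacy SSLv3 suite set"),
}
CA_KEYS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir"}
TLS_ON = {"yes", "on", "true", "start_tls"}

# The $HOME/ldaprc lines quoted in the answer above.
PAGE_LDAPRC = """\
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
"""

# Constructed counterpart with verification enforced (FQDN is a placeholder).
HARDENED = """\
URI ldaps://FQDN:3132/
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT demand
ssl on
tls_checkpeer yes
"""


def parse(text):
    """Return (lineno, directive, value) for each non-comment line."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        rows.append((lineno, parts[0].lower(), value))
    return rows


def audit(text):
    """Return findings as (lineno, directive, value, reason); lineno 0 = file-level."""
    rows = parse(text)
    findings = []
    for lineno, key, value in rows:
        weak, reason = WEAK_VALUES.get(key, (set(), ""))
        if value.lower() in weak:
            findings.append((lineno, key, value, reason))
    uses_tls = any(
        (key == "uri" and value.lower().startswith("ldaps://"))
        or (key == "ssl" and value.lower() in TLS_ON)
        for _lineno, key, value in rows)
    has_ca = any(key in CA_KEYS for _lineno, key, _value in rows)
    if uses_tls and not has_ca:
        findings.append((0, "tls_cacert", "", "TLS is enabled but no CA file or directory is set"))
    if not uses_tls:
        findings.append((0, "uri", "", "no ldaps:// URI and no ssl directive: binds are unencrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_LDAPRC):
        print(finding)
```
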
How can I authenticate users against a WAS system from third-party app?
We are looking at developing a third-party standalone web application e.g. in Rails (but it could be on any framework for that matter).
How would we go about authenticating users against a SAP WAS backend? Are there some standard web services for this? What other means are there for authentication?
Kind Regards,
Martin

From the comment in SUSR_LOGIN_CHECK_RFC you just need to pass user name and it will return if user can still log on. Only your system will know credentials for this user so an attacker won't be able to use this service for cracking passwords.
This FM is in the same function group as:
CREATE_RFC_REENTRANCE_TICKET
SUSR_CHECK_LOGON_DATA
SUSR_DELETE_OWN_PASSWORD
SUSR_GENERATE_PASSWORD
SUSR_GET_ADMIN_USER_LOGIN_INFO
SUSR_GET_X509CERT_MAPPING_LIST
SUSR_LOGIN_CHECK_RFC
SUSR_USER_CHANGE_PASSWORD_RFC
SUSR_USER_EXTID_DEL
SUSR_USER_EXTID_GET
SUSR_USER_EXTID_GET_ALL
SUSR_USER_EXTID_LOOKUP
SUSR_USER_EXTID_RENAME
SUSR_USER_EXTID_SET
SUSR_USER_EXTID_SET_ALL
SUSR_USER_FROM_CERTIFICATE_RFC
SUSR_USER_SETEXTID
You would need to ensure that only the service exposing the "login check" can be called, and not the FMs in the group.
BTW: SAP Java WAS can provide SAML 2.0 assertions (technically a component shipped with IdM, but you don't have to use the rest of the IdM if you don't want to..). If your applications are all web enabled ones (WDA?) then that is an option to consider, which is also strategically supported.
SSO2 Logon tickets are not really a strategy anymore... and installing a double-stack system on all ECC systems just to have SAML is not strategic either..
I have heard several wishes for SAML authentication for SAPGui, but not seen anything official yet in that direction.
Cheers,
Julius -
Linux authentication against OID ldap
Hi,
How to use OID as an authentication server for linux users, so when a user logs on, the linux machine gets his information from the OID/ldap server?
What are the steps to do this?
Regards

This link should help:
http://www.oracle.com/technology/products/oid/pdf/unix_pam_oid_wp.pdf -
OIF Simple authentication (Form) against OID
Hello,
Have installed OIF and OID without problems. The OID is set as a user repository for OIF. I would like to create a simple form based authentication to create a session on OIF for a given user, but I don't know how to do it. I tried with the sample provided with oif (at .../shareid/login.jsp, http://mydo:8778/shareid/login.jsp) but I am getting errors!!!!
Could anyone help me?

What are the error messages you see?
You are not supposed to invoke the login page directly. Did you configure the IdP and SP for Federated SSO? The simplest way to do this is Loopback Testing, where the same OIF is the IdP and SP. The URL for Loopback Testing is:
http://mydo:8778/shareid/saml/ObSAMLTransferService?DOMAIN=MyDomain&METHOD=artifact&TARGET=http://mydo:8778/shareid/saml/ObSAMLTestTarget
When you fire this URL, you will hit a form login page. Upon login, a user session will be created. For more information, read this link:
http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/configuring.htm#BCGHGCAB
-shetty2k