Query related to LDAP Authentication

Hi ,
We are using LDAP Authentication . I found some users are not able to see particular dashboards.
Users are telling they have the position and Setup everything is ok. But still facing problems in getting in dashboards and answars.
Please provied some solution.
Thanks
Kishor sethy
PTP,Bangalore

Similar Messages

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

Weblogic Server 10.3.0 and LDAP authentication Issue

Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
     Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> <     Parent: type=<url>>
<1291668685702> <BEA-000000> <     Parent: null>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> <     Subject: 1
     Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <     Roles:Anonymous>
<1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <     Direction: ONCE>
<1291668685702> <BEA-000000> <     Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions.

ASA 8.2.5 LDAP authentication by memberof doesn't always work

I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for.   I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate, its just some of them don't pull the memberof data in the ldap query.
Config:
aaa-server AD protocol ldap
aaa-server AD (inside) host btfs2
ldap-base-dn dc=localdomain,dc=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn [email protected]
server-type microsoft
ldap-attribute-map VPNGroup
ldap attribute-map VPNGroup
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy btvpn internal
group-policy btvpn attributes
banner value This is a private data network. All connections are logged and are subject to
banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
dns-server value 10.0.0.x 10.0.0.y
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun
default-domain value localdomain.com
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
tunnel-group btvpn type remote-access
tunnel-group btvpn general-attributes
address-pool vpnpool
authentication-server-group AD LOCAL
default-group-policy NOACCESS
tunnel-group btvpn webvpn-attributes
group-alias webvpn enable
tunnel-group btvpn ipsec-attributes
pre-shared-key *****
Non-working user:
[1575] Session Start
[1575] New request Session, context 0xd7fbf210, reqType = Authentication
[1575] Fiber started
[1575] Creating LDAP context with uri=ldap://10.0.0.x:389
[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1575] supportedLDAPVersion: value = 3
[1575] supportedLDAPVersion: value = 2
[1575] Binding as [email protected]
[1575] Performing Simple authentication for [email protected] to 10.0.0.x
[1575] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride]
        Scope   = [SUBTREE]
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Talking to Active Directory server 10.0.0.x
[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1575] Binding as cmcbride
[1575] Performing Simple authentication for cmcbride to 10.0.0.x
[1575] Processing LDAP response for user cmcbride
[1575] Message (cmcbride):
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575] objectClass: value = top
[1575] objectClass: value = person
[1575] objectClass: value = organizationalPerson
[1575] objectClass: value = user
[1575] cn: value = Chris McBride
[1575] sn: value = McBride
[1575] l: value = Tulsa
[1575] description: value = cmcbride non-admin test account
[1575] givenName: value = Chris
[1575] distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
[1575] displayName: value = Chris McBride
[1575] name: value = Chris McBride
[1575] objectGUID: value = ....5..L...[..K.
[1575] codePage: value = 0
[1575] countryCode: value = 0
[1575] primaryGroupID: value = 513
[1575] objectSid: value = ...............1...{C..2....
[1575] sAMAccountName: value = cmcbride
[1575] sAMAccountType: value = 805306368
[1575] userPrincipalName: value = [email protected]
[1575] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
[1575] Session End
Working user:
[1585] Session Start
[1585] New request Session, context 0xd7fbf210, reqType = Authentication
[1585] Fiber started
[1585] Creating LDAP context with uri=ldap://10.0.0.x:389
[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1585] supportedLDAPVersion: value = 3
[1585] supportedLDAPVersion: value = 2
[1585] Binding as [email protected]
[1585] Performing Simple authentication for [email protected] to 10.0.0.x
[1585] LDAP Search:
        Base DN = [dc=localdomain,dc=com]
        Filter = [samAccountName=cmcbride_a]
        Scope   = [SUBTREE]
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Talking to Active Directory server 10.0.0.x
[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1585] Read bad password count 0
[1585] Binding as cmcbride_a
[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
[1585] Processing LDAP response for user cmcbride_a
[1585] Message (cmcbride_a):
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585] objectClass: value = top
[1585] objectClass: value = person
[1585] objectClass: value = organizationalPerson
[1585] objectClass: value = user
[1585] cn: value = Admin Chris McBride
[1585] sn: value = McBride
[1585] description: value = PTC User, cjm 05312011
[1585] givenName: value = Chris
[1585] distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
[1585] instanceType: value = 4
[1585] whenCreated: value = 20110525173004.0Z
[1585] whenChanged: value = 20110619154158.0Z
[1585] displayName: value = Admin Chris McBride
[1585] uSNCreated: value = 6188062
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = btvpn
[1585]          mapped to LDAP-Class: value = btvpn
[1585] memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
[1585]          mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] uSNChanged: value = 6560745
[1585] name: value = Admin Chris McBride
[1585] objectGUID: value = ..Kj4..E..c.VCHT
[1585] userAccountControl: value = 512
[1585] badPwdCount: value = 0
[1585] codePage: value = 0
[1585] countryCode: value = 0
[1585] badPasswordTime: value = 129531669834218721
[1585] lastLogoff: value = 0
[1585] lastLogon: value = 129532463799841621
[1585] scriptPath: value = SLOGIC.BAT
[1585] pwdLastSet: value = 129508182041981337
[1585] primaryGroupID: value = 513
[1585] objectSid: value = ...............1...{C..2. ..
[1585] adminCount: value = 1
[1585] accountExpires: value = 9223372036854775807
[1585] logonCount: value = 90
[1585] sAMAccountName: value = cmcbride_a
[1585] sAMAccountType: value = 805306368
[1585] userPrincipalName: value = [email protected]
[1585] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1585] dSCorePropagationData: value = 20110525174152.0Z
[1585] dSCorePropagationData: value = 16010101000000.0Z
[1585] lastLogonTimestamp: value = 129529717185508866
[1585] msTSExpireDate: value = 20110803160858.0Z
[1585] msTSLicenseVersion: value = 393216
[1585] msTSManagingLS: value = 92573-029-5868087-27549
[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
[1585] Session End

As far as your configuration is concerned it looks perfectly fine. As you mentioned that the difference between the working and non working debugs is that in the non working debugs we do not see memberof attribute being retrieved.
the main reason could be that the username "[email protected]" with which you are performing the LDAP bind does not have sufficient privileges to retreive all the attributes from all the users in the AD. This looks like permission issue at the AD user level.
One thing you can try on the AD is to "Delegate Control" to this user ([email protected]) to "Read all properties" for all users and not just a subset of users. Please get in touch with AD Admin before making such a change on the AD.
Here is an external link just to give an idea about delegation of control to "Read all properties"
http://www.advproxy.net/ldapads.html

Query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment

This is regarding a query related to UPN Suffix in Hierarchical domain architecture in Active Directory deployment.
We use LDAP query (filter uPNSuffixes=* for the parent domain DN) to retrieve the upn suffixes configured in the AD Domain. This returns the UpnSuffixes configured for the entire domain tree ( upnsuffixes of parent domain and all the child domains) in the
hierarchy. The AD Domains and Trusts configuration lists all the upnsuffixes as part of the dnsroot domain.
For one of our implementation, we need to distinguish between the UPNsuffixes belonging to the parent and child domain and map the UPN suffixes with the respective domain in the hierarchy. As the upnsuffixes are stored as part of the root domain in the AD
domains and trusts configuration, it was not clear how to retrieve the information specific to each domain in the hierarchy.
It would be helpful if you could provide pointers on how to obtain the above mapping for the upn suffixes in a hierarchical domain setup.
Thank you,
Durgesh

By default, you can use only the domain name as UPN suffix for user accounts you create within the domain. It is possible to add extra UPN suffixes but these are added at the forest level and not specific to a domain.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

LDAP Authentication Failed :user is not a member in any of the mapped group

Hi,
I tried to set up the LDAP Authentication but I failed.
LDAP Server Configuration Summary seems to be well filled.
I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list.
But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
LDAP Hosts: ldapserverip:389
LDAP Server Type: Custom
Base LDAP Distinguished Name: dc=vds,dc=enterprise
LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
LDAP Referral Distinguished Name:
Maximum Referral Hops: 0
SSL Type: Basic (no SSL)
Single Sign On Type: None
CMS Log :
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
trace message: LDAP: De-activating query cache
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: Updating the graph
trace message: LDAP: Starting Graph Update...
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
, chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 0
trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
trace message: [UID=0;USID=0;ID=79243] Update object in database failed
trace message: Commit failed.+
Can you please help?
Joffrey

Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
Since the same result happens on multiple computers, it is not the profile.
I am recommending you delete the AD account (or rename to backup the account).
It will not effect the users Exchange account, but you will need to link it back to the new AD user account.
You can also delete her profile just to remove it, for the "just in case" scenario.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

Problem with WLS LDAP Authentication Provider

We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AM

Yes, you can apply filters on the Providers configuration, also u can select the DN from where to feth the users, you can fetch users with special attributes.
Whole lot of things can be done, review the options under providers.
Let me know if you have any doubts.
HTH,
-Faisal
http://www.weblogic-wonders.com

Solaris 10 and LDAP Authentication

Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
I'am missing any steps?
Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
Message was edited by:
automount
Message was edited by:
automount

You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary

AD LDAP authentication or authorization

Hi,
It really drives me crazy because I can't seem to find the right solution for my issue.
I'm trying to use the LDAP authentication for my apex applications.
So far, straight forward LDAP authentication works just fine, but EVERYBODY who has a user account can log into any application.
I'm using the %LDAP_USER% string to validate the users and that's just fine.
But I want to restrict somehow users from logging into my applications.
Either way by ldap groups or an users table in every application.
Can someone please help me with this, or give me directions/examples of login functions/schemes?
Thanks so much!
Regards, Bas

What you have done so far is called Authentication. It's the question of "who am I?"
What you want to add is called Authorization, which is the "what can I do?"
So, you need to create an Authorization Scheme to secure components of your application. An authorization scheme can secure almost any component of an APEX app including:
- The application
- Pages
- Tabs
- Regions
- List items
- Items
- Columns in reports
- More that I'm not thinking of
Look at the doc on authorization schemes. You have 2 primary options that I can think of:
1) Use LDAP groups by using the APEX_LDAP package to lookup information about a user. I'm not sure if the member_of function works against AD or just OID, you might need to use the get_attribute function instead. In short, you query AD, then return true or false based on the attributes of the user. Once they are logged in you can reference the username with the :APP_USER APEX variable
2) A table of usernames (not passwords). You authorization scheme could just be an "Exists query" such as:
select 1 from valid_users where username = :APP_USEROnce you decide on an authorization scheme and create it, you then edit the security attributes of your app / page / region / etc and apply it
Tyler Muth
http://tylermuth.wordpress.com
"Applied Oracle Security: Developing Secure Database and Middleware Environments": http://sn.im/aos.book

How does the LDAP authentication process?

Hi All,
In SAP KB1384915(https://bosap-support.wdf.sap.corp/sap/support/notes/1384915), BOE client authentication's process is described as follows:
1. The BOXI SDK calls the login on the BOXI client plugin (passing username & password).
2. The BOXI client plugin passes the username and password to the third-party authentication server. This may be an LDAP server, or a Windows Active Directory server, or any other server that the BI Platform supports.
3. The third-party authentication server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
4. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
At this point the handshake process may be finished, or it may continue
5. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
Authentication always ends on the server side.
6. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
Question about LDAP auth,
I think that the client plugin doesn't know LDAP server's hostname & portnumber at the time of step2.(BOE server only knows it)
So I think, the client will access to BOE server to get the LDAP-related informations before the step.
Would you please tell me whether the following process is correct?
1. The BOXI SDK calls the login on the BOXI client plugin.
2. The client plugin gets LDAP-related information (LDAP hostname, portnum, base DN etc) from BOE server.
   At this step, client plugin DOESN'T pass the username&password to BOE Server. Only get informations.
3. The client plugin passes the username and password to the LDAP server.
4. The LDAP server authenticates the credentials. This generates a security buffer needed by the BOXI server-side authentication plugin.
5. The SDK passes the security buffer to the CMS, which forwards it to the server-side plugin.
   At this point the handshake process may be finished, or it may continue
6. This exchange continues until the server-side authentication system indicates that the authentication process has completed.
   Authentication always ends on the server side.
7. The user has been authenticated. The CMS must verify that the user is a member of a mapped group before the logon process can complete.
Thanks&regards,
Tadashi

Hi,
in a BOE Environment the CMS does all of the authentication processes. So i would say that the Client passes the LDAP informations entered by the user to the CMS and the CMS does the authentication on behalf of the client.
If you need an official Statement, i would recommend you open a Support Message with the SAP Support.
Otherwise you could monitor the network traffic during the Authentication of the Client. There you should see if the Client communicates directly with the LDAP Host or only with the CMS.
Regards
-Seb.

OBIEE 11.1.1.5.0 ldap authentication provider

Hi all,
We are having problem with OBIEE 11.1.1.5.0 .. We create a role and give some permissions to a folder in the catalog with that role. Then we login with a user in that role, the user is not able to see the contents of the folder until we restart the server.. We have LDAP authentication provider.. Could this be related to that ?

Hi,
@weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
I tried something like :
All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
User From Name Filter: (&(cn=%u)(objectclass=user))
the original was:
All Users Filter: (&(uid=*)(objectclass=person))
User From Name Filter: (&(uid=%u)(objectclass=person))
and restarted the server but it did not work ...

Configuring Oracle 9iAS for LDAP Authentication

I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
" Bind variable "CN" not declared ".
I even compile the package ssoxldap.pkb before that. But still this error persists.
tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
Can anyone help me in this.

I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
but instead we shoud write this:
ldapadd -h i3dt111 -p 389 -D cn=orcladmin
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
. Just remove the single quotes in the username string.
Anyways, thanks for your suggestions.
null

WLS 10.0: Security: LDAP Authenticator

hi,
          I'm using WLS 10.0 with the following security providers:
          - SQL Authenticator (for weblogic console users like system)
          - Identity Asserter (custom developed, takes care for AUTHENTICATION only)
          - LDAP Authenticator (out of the box, takes care for AUTHORIZATION only against a SUN ONE LDAP).
          everything works fine except for the queries that the LDAP Authenticator provider generates:
          For each login, the providers performs these queries:
          a)
          2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="objectclass=person"
          [2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600                    as you can see, the query returns 15'000 entires (which is the max items for results inside SUN ONE LDAP).
          b)
                    [2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
          [2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
                              this is the real query returning one single entry for the logged in user.
          Does anyone know why LDAP AUthentication provider generates the first query?
          cheers
          balz
          Edited by bschreier at 11/27/2007 1:44 AM
          Edited by bschreier at 11/27/2007 1:45 AM

Hi
1. Looking carefully at the following 3 lines in server statup logs, after 2:20:39 PM GST, server waited like for 16 mts like 2:36:43 and invoked the Force Shutdown. Possible reasons I gave below.
####<Feb 14, 2010 2:20:37 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142837729> <BEA-423101> <[console] Initializing the NetUIx container>
####<Feb 14, 2010 2:20:39 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142839433> <BEA-423120> <WEB-INF/client-classifications.xml file not found at uri [webapp]. Classifications functionality not enabled.>
####<Feb 14, 2010 2:36:43 PM GST> <Notice> <WebLogicServer> <ePIMSEDMS2> <AdminServer> <Thread-1> <<WLS Kernel>> <1266143803604> <BEA-000388> <JVM called WLS shutdown hook. The server will force shutdown now>
2. Since you mentioned this worked fine and nothing else is changed over a year, the possible cause may be like this. Looks like you have some Documentum stuff (or webapp or modules) loaded on this server. I am not much familiar with EMC Documentum stuff, except that we use that as external Content Management repository for Portal Applications. Looking at the full thread dump for thread 0, looks like documentum code is trying to publish something or interact with its documentum server and may be it is not getting the response back. So make sure if any external systems that this WLS interacts are all up and running.
HTH
Ravi Jegga

LDAP authentication in BO XI3.1

Hi All,
We are using Bo XI R3.1 with FP 1.6. We are using LDAP authentication and have successfully implemented this in our Production environment. We are in the middle of testing a new LDAP "tree" that will be used in a different environment, and we are finding that the group search is not working correctly.
It seems that even though we specify the Base LDAP Distinguished Name, BO seems to be ignoring that setting and starting at the LDAP ROOT to search for the group. This is causing an issue because when searching from the root, BO is finding some virtual directories which we don't want it to find.
We were expecting BO to start searching from the base DN, but it is not. Is that something that should be working?
For example we have set the Base LDAP Distinguished Name to "ou=mkt,dc=test123,dc=com". But, BO is starting from the top root level instead of searching only in the "mkt" tree
Thanks in advance for your help.

When we try to add a new group and run the update, we get this error: "The LDAP server could not complete this action because it requires more than the allowable number of referral hops. Please increase the maximum number of referral hops and click Update. Then, try again"
I realize there is a setting that controls how many referral hops are used, but even if we set that to a very high number (in the thousands and hundreds of thousands), we still get the same error.
So, it seems almost like it hits a loop due to the virtual directories.
I talked with my LDAP team, as they did some tracing when we tried to add a group in. I asked them if what they saw was that BO was "looping". Here is what they are saying:
"Yes, the BO query is looping. VDS presents a virtual view of the directory that merges in the Top Secret information. The problem is because BO is starting its search at the root of the tree, it is seeing both the original copy of the directory and the virtual copy that VDS presents."
Thanks,
V

LDAP authentication to Win2K8 server nightmare.

Hello All, I have been trying to get LDAP authentication working on this Solaris 10 server. To this point i've had little success. The domain controller/LDAP server is W2K8. I am able to authenticate successfully using "kinit" so i'm sure kerberos is configures. I have extended the Unix services on 2K8 as well. Here is the /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= parwindom
NS_LDAP_SEARCH_BASEDN= dc=stcg,dc=net
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
The ldap service is enabled. Here is /etc/nsswitch.conf
passwd: files ldap [TRYAGAIN=5]
group: files ldap
hosts: dns files
ipnodes: dns files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
And Finally here is /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
Here is what happens if i run ldaplist
# ldaplist
ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
I have been pulling what little hair I have left out on this issue and I'm starting to run out of time on this project. There is nothing in any log file anywhere. Any help would be greatly appreciated.

Nathalie,
LDAP authentication against AD is fully supported since AD is LDAP v3 compliant.
For the Unix and Linux versions of XIR2 / XI31, LDAP is really your only choice since the Active Directory tab is not displayed unless your CMS is on windows.
To get LDAP working against AD I would recommend the following::
1) Use an IP address
You can use the IP of a Domain Controller or a Global Catalog Server depending on how large your AD domain is.
2) Use port 3268 over 389 for large AD configurations.
This port is the Global Catalog server port. The GC server contains all the information about all objects in an AD Forest. This is useful when using groups across multiple domains where 389 just contains information in 1 domain.
3) Change your Application Mappings
On the LDAP tab, connecting to AD wont work unless you make a few changes. First, change your Application mappings to "Microsoft Active Directory Application Server" and then choose "Show Application Mappings".
Change:
User Name: sAMAccountName
Default User Search Attribute: sAMAccountName
These settings should work for you.
Also note that the group "Domain Users" is not valid when querying AD via LDAP.
Regards,
-Brian

Query related to LDAP Authentication

Similar Messages

Maybe you are looking for