Recursive LDAP authentication

How do I configure HTML DB authentication so that it allows logins for users whose user objects sit in different LDAP folders?
For example, all cn under o=xyz, including any subfolder
(we have unique cn; using Novell eDirectory)
Ralf

Ralf,
You could try the search_s function in the dbms_ldap package;
see http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/d_ldap2.htm#1003459
You can supply a parameter to tell it whether to search the tree or just the base DN.
HTH
Greg
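The search-then-bind pattern Greg describes, as an added example in Python that is not part of the original thread and is not HTML DB or dbms_ldap code: search the subtree under o=xyz for the cn, require exactly one hit, then bind as that entry's DN with the user's password. The directory is a constructed in-memory stand-in so the example runs offline; find_entries() and bind_as() are placeholders for dbms_ldap.search_s/simple_bind_s (or ldap3's Connection.search and a fresh bound Connection), and every DN, user and password below is made up.

```python
from typing import List, Optional

# The three LDAP search scopes, named after the dbms_ldap constants.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = "base", "onelevel", "subtree"

# Constructed sample tree (not a real directory): cn is unique except for
# "dup", and users sit in different containers under o=xyz, as in the question.
DIRECTORY = {
    "cn=ralf,ou=sales,o=xyz":     {"cn": "ralf", "userPassword": "s3cret"},
    "cn=greg,ou=dev,ou=it,o=xyz": {"cn": "greg", "userPassword": "hunter2"},
    "cn=dup,ou=a,o=xyz":          {"cn": "dup",  "userPassword": "p1"},
    "cn=dup,ou=b,o=xyz":          {"cn": "dup",  "userPassword": "p2"},
    "cn=svc,o=other":             {"cn": "svc",  "userPassword": "x"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Mirror the search_s scope parameter: the base only, one level, or the subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope != SCOPE_ONELEVEL          # base and subtree include the base entry
    if scope == SCOPE_BASE or not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1]
    return scope == SCOPE_SUBTREE or "," not in rdns_below_base


def find_entries(base: str, scope: str, ldap_filter: str) -> List[str]:
    """Stand-in for search_s; it only understands the (cn=value) filter built below."""
    if not (ldap_filter.startswith("(cn=") and ldap_filter.endswith(")")):
        raise ValueError("unsupported filter: " + ldap_filter)
    wanted = ldap_filter[4:-1].lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and escape_filter_value(attrs["cn"]).lower() == wanted]


def bind_as(dn: str, password: str) -> bool:
    """Stand-in for simple_bind_s: succeeds only with that entry's own password."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userPassword"] == password


def authenticate(username: str, password: str, base: str = "o=xyz") -> Optional[str]:
    """Return the DN the user was bound as, or None when the login must be refused."""
    # An empty password turns a simple bind into an anonymous bind on most
    # servers; it "succeeds" without proving anything, so refuse it up front.
    if not username or not password:
        return None
    ldap_filter = "(cn=%s)" % escape_filter_value(username)
    matches = find_entries(base, SCOPE_SUBTREE, ldap_filter)
    # Exactly one entry must match: none means unknown user, several means cn
    # is not unique after all and there is no safe way to pick whom to bind as.
    if len(matches) != 1:
        return None
    return matches[0] if bind_as(matches[0], password) else None


if __name__ == "__main__":
    for user, pw in [("greg", "hunter2"), ("greg", ""), ("dup", "p1"), ("svc", "x")]:
        print(user, "->", authenticate(user, pw))
```

With dbms_ldap the same scope choice is the third argument of search_s: DBMS_LDAP.SCOPE_SUBTREE for the whole tree under o=xyz, DBMS_LDAP.SCOPE_ONELEVEL for the immediate children only, DBMS_LDAP.SCOPE_BASE for the base entry alone. Two checks carry over whatever the library: refuse an empty password before binding, since a simple bind with no credentials is an anonymous bind that raises no error, and refuse the login whenever the search returns anything other than exactly one entry.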

Similar Messages

  • Create external LDAP authentication to SAP via Web Dynpro

    Hi Guys,
    I have a requirement where I have to create access to SAP via external LDAP authentication. It is similar to how the Enterprise Portal works, but I want to achieve it without the portal.
    The user will enter his LDAP user and password and I will check via the LDAP connector to grant access to SAP.
    The only problem I have is switching to the SAP user without knowing the SAP password. That's why I need external authentication.
    I have been told by a Basis expert that I could use Java to achieve this. I have also got the Java code that the Enterprise Portal uses.
    Am I on the right way? Can anybody advise me?
    Thanks and best regards
    Ali

    Hi,
    Refer to this link and SAP Note:
    [SAP GUI for HTML|http://help.sap.com/saphelp_nw04s/helpdata/en/47/4b0902d84818c9e10000000a114a6b/frameset.htm]
    SAP Note 517484
    Regards
    Preethish

  • LDAP authentication with R/3

    Hi!
    After a long, long search I could not find out how to implement LDAP authentication for SAP R/3. To be honest, I'm not an expert in R/3 Basis; for Web AS / EP I would know how to do it.
    Due to several network and security reasons we don't like to use the single sign-on or the LDAP synchronization functionality.
    The only thing we would use LDAP for is to just authenticate the user. Unfortunately, our LDAP users are not the same as the SAP users (8 chars in SAP, longer in LDAP). What the system should do is:
    - ask for username (SAP 8-char) and password (LDAP)
    - map SAP username and LDAP username (e.g. by the SAP alias name or external username in USR15)
    - connect to the LDAP directory, find out whether user/pass is correct
    - if correct, log the SAP user in
    - that's all
    Any ideas?
    Thanks,
    Markus

    Hi,
    It can be done. It all depends a bit on what kind of platforms you want to use it on.
    We're currently in the middle of introducing a Shibboleth CUA for all our systems, SAP or non-SAP. That means that one needs to authenticate to a central server and, via SSO, you will have access to the applications.
    For SAP, that'll mean that we will no longer log in via a SAP GUI, but via the EP that authenticates against this CUA. Once logged in, one can launch a SAP GUI script that allows you to work on the SAP R/3 server.
    Also have a look at http://shib.kuleuven.be/
    Alternatively, you can set up a UME. See http://help.sap.com/saphelp_nw2004s/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm for this.
    Eddy
    PS.
    Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
    Spread the wor(l)d!

  • EN4093R LDAP authentication and authorization

    Hi, I want to configure LDAP authentication and authorization. Can anyone help me configure this? In my test environment I want to give our Domain Admins access to our switches. I found only the basic configuration in the user manual, but I got no information on configuring groups. Could I configure two or more groups to access the switch?

    What type of LDAP server are you using? Microsoft Windows 2012 or 2008? I have a problem with 2012 not giving the groups back for some users.
    Same problem as
    https://supportforums.cisco.com/message/3866327#3866327
    debug ldap 255
    shows the correct value with one user that is working:
    [196] Authentication successful for Administrator to 192.168.20.80
    [196] Retrieved User Attributes:
    [196]   objectClass: value = top
    [196]   objectClass: value = person
    [196]   objectClass: value = organizationalPerson
    [196]   objectClass: value = user
    [196]   cn: value = Administrator
    [196]   description: value = Vordefiniertes Konto für die Verwaltung des Computers bzw. der Domäne
    [196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
    [196]   instanceType: value = 4
    [196]   whenCreated: value = 20081201134058.0Z
    [196]   whenChanged: value = 20131126141559.0Z
    [196]   displayName: value = Administrator
    [196]   uSNCreated: value = 12298
    [196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
    [196]           mapped to Group-Policy: value = ssl_admin
    [196]           mapped to LDAP-Class: value = ssl_admin
    One user that is not working:
    No memberOf entries in the debug output
    [190] Authentication successful for sdag to 192.168.20.80
    [190] Retrieved User Attributes:
    [190]   objectClass: value = top
    [190]   objectClass: value = person
    [190]   objectClass: value = organizationalPerson
    [190]   objectClass: value = user
    [190]   cn: value = sdag
    [190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
    [190]   displayName: value = sdag
    [190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
    [190]   proxyAddresses: value = smtp:sdag@xxxx
    [190]   proxyAddresses: value = SMTP:sdag@xxxxx

  • LDAP authentication JAAS module?

    Hello
    We have installed a SAP Portal (EP7), using an R/3 data source for users.
    However, we would like to use an LDAP directory for authentication. The module should check the login/password against the LDAP, check that the user exists in the UME, and then allow access to the portal (or not, depending on the result of the checks).
    In our case it is not possible to use the LDAP directly as the UME data source, as storing users' groups in the LDAP has been ruled out by the client, and this configuration is not subject to change.
    Has someone already made such a (JAAS) module, and could they give some pointers on the subject? Or is authentication from a source other than the one used in the UME something to avoid?
    Regards
    Guillaume PATRY

  • Java LDAP authentication - problem!!!

    I found an application in .NET (C#), and it works perfectly! (http://www.codeproject.com/KB/system/arbauthentication.aspx)
    I want to do this logic in my Java web application. All users in our domain must first log in to the web application!
    And the authentication must be over Active Directory (AD). Help me please.
                import java.io.BufferedReader;
                import java.io.IOException;
                import java.io.InputStreamReader;
                import java.util.Hashtable;
                import javax.naming.AuthenticationException;
                import javax.naming.Context;
                import javax.naming.NamingException;
                import javax.naming.directory.DirContext;
                import javax.naming.directory.InitialDirContext;

                public class AdLogin {
                    public static void main(String[] args) throws IOException {
                        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
                        System.out.println("Input your username:");
                        String userName = in.readLine();
                        System.out.println("Input your password:");
                        String passWord = in.readLine();

                        // Bind as userPrincipalName: sAMAccountName + "@" + UPN suffix of the domain
                        String base = userName + "@" + "xxxyyyzzz.com";
                        // Plain ldap:// sends the password unencrypted; ldaps:// or StartTLS avoids that
                        String ldapURL = "ldap://192.168.0.99:389/";

                        Hashtable<String, String> authEnv = new Hashtable<>();
                        authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                        authEnv.put(Context.PROVIDER_URL, ldapURL);
                        authEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
                        authEnv.put(Context.SECURITY_PRINCIPAL, base);
                        // With an empty password a "simple" bind is treated as an anonymous bind
                        authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
                        try {
                            // The bind happens when the context is created
                            DirContext authContext = new InitialDirContext(authEnv);
                            System.out.println("Authentication Success!");
                            authContext.close();
                        } catch (AuthenticationException authEx) {
                            System.out.println("Authentication failed!");
                        } catch (NamingException namEx) {
                            System.out.println("Something went wrong!");
                            namEx.printStackTrace();
                        }
                    }
                }
    This code is not working when I input the correct username & password. Exception!
    javax.naming.AuthenticationException:
    [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    And when I input the correct username but the password is blank (password=""), it works...
    Authentication Success!
    Maybe this is anonymous authentication.

    If you had searched through the forum you would have discovered that the Active Directory error code 525 means username not found.
    And you may also have discovered that a null password implies an anonymous logon.
    Either the user has mistyped their username, or you have made an incorrect assumption when constructing the userPrincipalName and appending the UPN suffix "xxxyyyzzz.com".
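Decoding that "data 525" sub-code, as an added Python example that is not part of the original thread: it classifies the AD diagnostic string for the server log, keeps the user-facing message the same for every failure (so 525 "no such user" versus 52e "wrong password" cannot be used to enumerate accounts through the login form), and refuses an empty password before any bind is attempted. The sample diagnostic strings are constructed after the one in the post; the sub-code table is Active Directory's standard set for LDAP result 49.

```python
import re
from typing import Optional

# Sub-codes AD returns after "AcceptSecurityContext error, data" for a
# failed simple bind (LDAP result code 49, invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed samples shaped like the JNDI exception text in the post.
SAMPLE_DIAGNOSTICS = {
    "unknown user": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                    "comment: AcceptSecurityContext error, data 525, vece]",
    "bad password": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                    "comment: AcceptSecurityContext error, data 52e, vece]",
    "not AD":       "[LDAP: error code 32 - No Such Object]",
}


def classify_ad_bind_error(diagnostic: str) -> Optional[str]:
    """Map the AD diagnostic string to a reason for the server-side log.

    Returns None when the text carries no AD sub-code (a non-AD server or a
    different failure), so a caller can never mistake that for success.
    """
    m = _DATA_RE.search(diagnostic)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code " + code)


def login_response(username: str, password: str, diagnostic: Optional[str]) -> dict:
    """Decide what the user sees and what gets logged after a bind attempt.

    `diagnostic` is the AuthenticationException message, or None when the
    bind succeeded. Every failure shows the same user message; the precise
    reason goes to the log only.
    """
    if not password:
        # A simple bind with an empty password is an anonymous bind on AD;
        # it raises no exception, which is why the post saw "success".
        return {"ok": False, "user_message": "Login failed.",
                "log": "empty password for %r rejected before bind" % username}
    if diagnostic is None:
        return {"ok": True, "user_message": "Welcome.",
                "log": "bind ok for %r" % username}
    reason = classify_ad_bind_error(diagnostic) or "bind failed: " + diagnostic
    return {"ok": False, "user_message": "Login failed.",
            "log": "bind failed for %r: %s" % (username, reason)}


if __name__ == "__main__":
    for label, text in SAMPLE_DIAGNOSTICS.items():
        print(label, "->", classify_ad_bind_error(text))
    print(login_response("jsmith", "", None))
```

The "data 525" versus "data 52e" distinction is also the reason a JNDI login form must not echo the exception text back to the browser: it tells an attacker which usernames exist.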

  • Change passwords after using LDAP authentication

    It seems that we have successfully set up a Portal server using external authentication. But somehow, no one can change his/her own password after logging into Portal. The error message is "the user does not have the privilege to perform this operation. (WWC-41661)". Is there any special setting that needs to be done on LDAP for this?
    Thank you for any advice.
    Zhuang Li

    Hi,
    We upgraded our company email server, which effectively runs our email, DNS and Open Directory with a dozen users. Last night the system was upgrading from 10.10.2 to 10.10.3, which seemed routine.
    The upgrade process hung while it was finishing the installation and didn't finish. Upon reboot, it looked OK and needed to upgrade OS X Server to 4.1 from the previous version, which I proceeded with and completed.
    Since then we have lost all of our user accounts and can't access the email data. I tried to boot from the backups and it seems that somehow, when booting from the external 10.10.2 backups, we get a message that OS X Server is not compatible. Our backups are usually done using Carbon Copy Cloner.
    Not sure what to do; help is greatly appreciated. While I can recreate the users, I don't want to damage the email data.
    Many thanks,
    /Oliver

  • Error in LDAP authentication

    Hi all,
    I am wondering if there is someone who has had the same error we are currently facing...
    Here is the problem:
    In our single sign-on we authenticate the user with LDAP in a stateless session bean. This all works perfectly, except that from time to time we get an error in the class "com.sun.jndi.ldap.BerEncoder" in the method "endSeq"... the exception is:
    java.lang.IllegalStateException: BER encode error: Unbalanced SEQUENCEs
    Any ideas why this error occurs?
    TIA
    sandro

    I started getting this error when I mistakenly changed a search filter from (&(uid=james)(objectclass=Staff)) to (uid=james)(objectclass=Staff)). It is complaining about the unbalanced parentheses.

  • SASL and LDAP authentication for an application

    Dear Mac administrators,
    I would like to ask how to set up SASL to authenticate
    against OpenLDAP for an svnserve application.
    A) LDAP works well on Mac and Slack as well
    ldapsearch -x -h ldap.stuba.sk -b "ou=People,dc=stuba, dc=sk" -W -D "uid=fodrek,ou=People,dc=stuba,dc=sk" uid=*fodrek* | egrep employ
    Enter LDAP Password:
    employeeType: staff
    employeeType: ext
    employeeType: ext
    employeeType: student
    employeeType: staff
    B) saslauthd -c -m /var/runsaslauthd -d -a ldap
    shows
    saslauthd : set_auth_mech: unknown mechanism: ldap
    Is there anybody who is able to tell me where I am making an error, please?
    I look forward to hearing from you
    Yours faithfully
    Peter Fodrek

  • Authentication with LDAP and pam.d on Solaris 11

    Hi,
    I tested LDAP authentication on Solaris 11 and did not succeed with the SSH connection.
    I succeeded in viewing LDAP users (getent passwd) and I modified /etc/pam.d/login, other and passwd
    with "auth required pam_ldap

    Hi,
    Try changing the following two files: /etc/pam.d/login and /etc/pam.d/other
    Change the line that states:
    auth required pam_unix_auth.so.1
    to
    auth binding pam_unix_auth.so.1 server_policy
    auth required pam_ldap.so.1
    Did you also check the attribute mapping for the LDAP client?
    svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
    svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
    What does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
    While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber, which I manually set to the last part of the objectSID property to keep it unique within the domain.
    Kind regards,
    Lambert

  • Authentication LDAP / AD?

    Hi,
    I have this configuration:
    BOXI 3.1 set up on a Windows Server 2008.
    A server with Active Directory where a user group has been created.
    I don't know how AD and LDAP work together. I read on the internet that AD is an LDAP directory (a directory which uses the LDAP protocol); is that true?
    So I would like to configure authentication on BusinessObjects that allows users to log in to InfoView/Designer using their Windows logins (logins created in Active Directory).
    What should I do?
    Configure AD authentication in the CMC? Or LDAP authentication?
    Has someone set up LDAP authentication? I tried to do it but I got an error when I click on the Finish button: The SecLdap have not been able to connect to the host.
    Thanks for your reply.

    Hi Coulio,
    Generally speaking, as you have an AD server you should be looking to configure the AD plugin in XI 3.1 to enable your users to log in with their AD accounts and facilitate SSO (single sign-on).
    There are many KBases and documentation around this area, but what you would need to do would be the following:
    So there are 12 steps required to ensure a successful SSO configuration. Please let me know if you have any further questions, or if there is something unclear. Thanks.
    Windows AD steps (please have the AD team manage this)
    1. Create and configure a Service Account
       a. Create a user account -> login name: bossosvcacct
          i. First Name: BO Service
          ii. Last Name: Account
          iii. Set password to not expire, User cannot change password.
       b. Save.
    2. Creation of SPNs for the Service Account
       a. Create 3 SPNs for the service account with the following commands. Please replace 'boservername' with the actual name, and FQDN with the actual Fully Qualified Domain Name. Replace IPADDRESS with the actual IP address of the BO server. Leave 'bossosvcacct'; it is required to bind the SPN to the Service Account we created above.
          i. setspn -a HTTP\boservername bossosvcacct
          ii. setspn -a HTTP\boservername.FQDN bossosvcacct    (i.e. setspn -a HTTP\myboserver.microgoogle.com bossosvcacct)
          iii. setspn -a HTTP\IPADDRESS bossosvcacct
    3. Run the ktpass command to create the *.keytab
       a. Please run the following command:
          i. ktpass -out bosso.keytab -princ HTTP/bossosvcacct.FQDN@FQDN -mapuser bossosvcacct@FQDN -pass PW_FOR_SERVICEACCOUNT -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
          ii. Replace PW_FOR_SERVICEACCOUNT with the password you entered for the BO Service Account you created in step 1.
    4. Permitting Delegation for the Service Account
       a. Once the above steps are complete, go into the properties of the BO Service Account -> Delegation.
          i. Set Delegation to "Trust this user for delegation to any services (Kerberos only)"
    As a final step, please copy the keytab file that was created to a directory on the BO server: add it to C:\WINNT, and create that directory if it doesn't exist there already.
    BO XI 3.1 server steps:
    5. Configure WinAD Authentication settings in the CMC
    6. Edit Service Account in Local Policy Settings + Local Admin
    7. Modify SIA to login with Service Account
    8. Configure and add krb5.ini, bsclogin.conf, and bosso.keytab to C:\WINNT on the BO server.
    9. Configure Tomcat Java Options
    10. Modify the web.xml with all necessary changes
    11. Modify server.xml with the MaxHttpHeader change
    I hope this is a very, very helpful answer.
    Kind regards,
    John

  • LDAP connection with the WebLogic console and authentication with Java

    Hello,
    I want my web application to use LDAP authentication for users, with all parameters (host, port, base, ...) configured via the WebLogic console.
    I managed to do it via security --> realms --> ..., but now I want to perform the authentication in my Java code.
    I don't know how to do it, because I don't know how to use my LDAP connection in Java code without redefining the parameters in my code...
    Can anyone help me please?
    Thanks a lot for your help.

    Hey,
    On a Windows server system you have to put the target system's CA certificate in the local trusted system certificate store of the Microsoft server. Then the connection should work.
    On a Java system you have to put the CA in the key storage of the SAP system.
    I think on Unix you could use SAPCRYPTOLIB to place the CA in the ABAP system.
    Kind regards,
    Sven Walter

  • Using LDAP with a query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully - so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within an LDAP group.
    Is there a way to build a query for this case (data source configuration file, etc.)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    Thanks for your fast reply!
    The problem is that we have about 5,000 users in our LDAP system (Exchange); this includes several system users and also special users for e.g. domain administration, etc. Only about 2,000 users are really portal users, and only these users should have access to the portal at all. The intention is to filter out the redundant users, so we won't have problems with SAP licenses for users who should never be able to use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch
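Two things a practitioner would want at this point, as one added Python example that is not from either thread and is not the UME's own configuration syntax: a small RFC 4515 filter checker that rejects the unbalanced filter from the BerEncoder thread above before it ever reaches the JNDI encoder, and a builder for the group-membership filter Bernd is after, which the checker validates before use. The group DN, the objectClass value and the memberOf attribute are assumptions for an Active Directory / Exchange directory; how the resulting filter is wired into dataSourceConfiguration_ads_readonly_db.xml is not shown here.

```python
import re
from typing import Any, Tuple

# AD's LDAP_MATCHING_RULE_IN_CHAIN: memberOf with nested group membership resolved.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# attribute (optionally with ":rule:" suffix), comparison operator, value
_ITEM_RE = re.compile(r"([A-Za-z][\w.;:-]*)(~=|>=|<=|=)(.*)", re.DOTALL)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(text: str) -> Any:
    """Parse an RFC 4515 filter into nested tuples, or raise ValueError."""
    pos, tree = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter at offset %d: %r" % (pos, text[pos:]))
    return tree


def _parse(text: str, pos: int) -> Tuple[int, Any]:
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise ValueError("filter ends after '('")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            children.append(child)
        if not children:
            raise ValueError("'%s' without operands at offset %d" % (op, pos))
        node = (op, children)
    elif op == "!":
        pos, child = _parse(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.find(")", pos)   # a ')' inside a value must be escaped as \29
        if end == -1:
            raise ValueError("missing ')' for item at offset %d" % pos)
        m = _ITEM_RE.fullmatch(text[pos:end])
        if not m:
            raise ValueError("malformed item %r" % text[pos:end])
        node = ("item", m.group(1), m.group(2), m.group(3))
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1, node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def portal_user_filter(group_dn: str, nested: bool = False) -> str:
    """Filter that matches only user objects that are members of group_dn."""
    attr = "memberOf:%s:" % IN_CHAIN_OID if nested else "memberOf"
    f = "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(group_dn))
    parse_filter(f)   # fail here, with a position, rather than inside BER encoding
    return f


if __name__ == "__main__":
    for f in ["(&(uid=james)(objectclass=Staff))", "(uid=james)(objectclass=Staff))"]:
        try:
            print(f, "->", parse_filter(f))
        except ValueError as e:
            print(f, "-> rejected:", e)
    print(portal_user_filter("CN=Portal Users,OU=Groups,DC=example,DC=com", nested=True))
```

memberOf lists only direct membership; pass nested=True to have AD resolve group nesting server-side through the matching rule, which is usually what a "portal users" group needs. The escaping matters for the same reason the BerEncoder thread failed: a DN or a username containing ( or ) inserted unescaped changes the structure of the filter.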

  • LDAP synchronization with CUCM with multiple forests

    Hello,
    We have CUCM 10.5.
    We want to add multiple forests in CUCM (we have multiple companies with different domain names) using LDAP authentication so that all users/passwords sync with CUCM.
    We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and as search base CN=xxxx,CN=Users,DC=xxx,DC=local.
    Can we add the information for multiple forests in the distinguished name and search base using the same username/password?
    If it is not possible, is there an easy way to achieve that?
    Any help would be appreciated.
    Thank you

    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

  • NFS and LDAP on different servers: problems with the location of home directories

    Dear Apple experts,
    We are using an LDAP server for user authentication
    and an NFS server for home directories.
    Both are dedicated servers on different machines.
    On the NFS server there are directories
    /home/urpi
    for staff home directories
    and
    /home/students
    for student home directories;
    both are mounted on the Mac minis in the
    /Users directory,
    so
    /Users/urpi
    contains home directories for staff and
    /Users/students
    contains home directories for students.
    Authentication works well and permissions are set as needed,
    but OS X shows missing home directories for LDAP-authenticated users
    and the terminal shows a missing home directory;
    for me it is
    /home/urpi/fodrek
    I tried to mount NFS at /home, but it is not allowed.
    May I ask if there is any setting to add directories where home directories are placed, please?
    I look forward to hearing from you.
    Yours faithfully
    Peter Fodrek

    So none of these machines are Snow Leopard servers?
    What exactly do you mean when you say you tried to mount the NFS share to home? Can you copy and paste the command and error?
    It sounds as though you don't actually have the NFS shares mounted. Assuming this is so, you might want to investigate how the automount command works so that your Mac minis mount the NFS shares on boot.
    If your NFS/LDAP server is an OS X 10.6 server, set the shares to be automounted as user/group directories. Make sure your LDAP server is providing correct information on the home directory location. If it is local, I think the home directories need to be in /Users. If your mounts are indeed working but you cannot log in, you might consider making links from /Users to /home/urpi or /home/students on an account-by-account basis (could be done with a quick shell script).

    Hi All, I have modeled a BO and generated a Web Service for it. However, this Web Service only provides the CRUD Methods. Methods such as findAll etc. are not being provided. How can I have the Web Service provide these Methods, too? Thanks, Johannes