RV220W LDAP Group Configuration

During LDAP Group configuration LDAP Attributes are required. Can I handle any sample configuration for OpenLDAP or 389ds connectivity?
I would like to use them for internal VPN. But my LDAP users are not correctly handled.
Regards,
Marcin

Hi,
Curious - which LDAP server are you using ? Which version
of MQ are you using ?
Did you create new group names or did you stick to group
names that MQ already used (in the default file based
user repository) - 'admin' and 'user' ? This would be the groups
you created under:
cn\=group1,ou\=imqgroups,o\=Groups, dc\=unimas,dc\=com
Also, since you created new groups , you might want to read
up on how to modify the accesscontrol.properties file:
http://docs.sun.com/source/819-0066/security.html#wp47944
Of interest is this entry from the above page:
The default ACL properties file gives all users access
to NORMAL connection services and gives users in the
group admin access to ADMIN connection services:
connection.NORMAL.allow.user=*
connection.ADMIN.allow.group=admin
If you are using a file-based user repository, the default
group admin is created by imqusermgr. If you are using
an LDAP user repository, you can do one of the following
to use the default ACL properties file:
* Define a group called admin in the LDAP directory.
* Replace the name admin in the ACL properties file with
the names of one or more groups that are defined in
the LDAP directory.
The default entries in the accesscontrol.properties file
basically allow any user in the repository to log in,
but only users in group 'admin' to do admin stuff.
If you created a group called 'mygroup', you might want to
create the following entry (or modify existing entries) to
restrict only users in 'mygroup' to create normal JMS (ie not
admin) connections:
connection.NORMAL.allow.group=mygroup
hope this helps,
-isa
http://www.sun.com/software/products/message_queue/index.xml

Similar Messages

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group then it's not added and I get the below error message in the Logging directory for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Open LDAP Authenticator Configuration on WLSSP5

    I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
    dn: dc=my-domain,dc=com
    dc: my-domain
    objectClass: dcObject
    objectClass: organization
    o: MYABC, Inc
    dn: cn=Manager, dc=my-domain,dc=com
    userPassword:: c2VjcmV0
    objectClass: person
    sn: Manager
    cn: Manager
    dn: cn=myabcsystem, dc=my-domain,dc=com
    userPassword:: dmVuZGF2b3N5c3RlbQ==
    objectClass: person
    sn: myabcsystem
    cn: myabcsystem
    dn: cn=Philippe, dc=my-domain,dc=com
    userPassword:: UGhpbGlwcGU=
    objectClass: person
    sn: Philippe
    cn: Philippe
    dn: cn=mlrick, dc=my-domain,dc=com
    userPassword:: bWxyaWNr
    objectClass: person
    sn: mlrick
    cn: mlrick
    All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
    In spite of me not having any groups in the LDAP as indicated in the LDIF contents.
    While I try to log in to the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do not get any exceptions while trying to log in. The config params for the Open LDAP are as given below
    <weblogic.security.providers.authentication.OpenLDAPAuthenticator
    AllGroupsFilter="objectclass=*"
    Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
    GroupBaseDN="dc=my-domain,dc=com"
    GroupFromNameFilter="(cn=%u)"
    Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
    Principal="cn=myabcsystem,dc=my-domain,dc=com"
    Realm="Security:Name=MYABCAuthentication"
    StaticGroupDNsfromMemberDNFilter=""
    StaticGroupNameAttribute="" StaticGroupObjectClass=""
    StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
    ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?
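
The debug log in the post above shows the user lookup running as `(&(uid=bob)(objectclass=person))` under `ou=people,ou=MYABCAuthentication,dc=myabc`, while the posted LDIF holds entries only under `dc=my-domain,dc=com` and names them by `cn`. The following is an added example, not part of the original post: it replays such a search offline against an LDIF export and also flags `userPassword` values stored without a hash scheme. The sample LDIF is constructed and the function names are hypothetical.

```python
import base64
import re

# Constructed sample shaped like the LDIF in the post; all values are placeholders.
SAMPLE_LDIF = """\
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: Example Org

dn: cn=alice,dc=my-domain,dc=com
userPassword:: cGxhaW50ZXh0
objectClass: person
sn: alice
cn: alice

dn: uid=bob,ou=people,dc=my-domain,dc=com
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo
objectClass: person
uid: bob
sn: bob
cn: bob
"""

def parse_ldif(text):
    """Return entries as {'dn': str, 'attrs': {lowercase_name: [values]}}."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" is an encoding, not a hash
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        if "dn" in attrs:
            entries.append({"dn": attrs.pop("dn")[0], "attrs": attrs})
    return entries

def norm_dn(dn):
    # Simplified comparison: case-fold and trim around commas (no escaped commas).
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_scope(dn, base_dn):
    dn, base = norm_dn(dn), norm_dn(base_dn)
    return dn == base or dn.endswith("," + base)

def search(entries, base_dn, attr, value, object_class):
    """Subtree search equivalent to (&(attr=value)(objectclass=object_class))."""
    hits = []
    for e in entries:
        a = e["attrs"]
        if (in_scope(e["dn"], base_dn)
                and value.lower() in [v.lower() for v in a.get(attr.lower(), [])]
                and object_class.lower() in [v.lower() for v in a.get("objectclass", [])]):
            hits.append(e["dn"])
    return hits

def explain_miss(entries, base_dn, attr):
    """Say why a user search finds nothing: wrong base, or attribute absent."""
    scoped = [e for e in entries if in_scope(e["dn"], base_dn)]
    if not scoped:
        return "no entries under search base"
    if not any(attr.lower() in e["attrs"] for e in scoped):
        return f"no entry under base has attribute '{attr}'"
    return "base and attribute exist; value not found"

_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")

def unhashed_password_dns(entries):
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored in clear."""
    return [e["dn"] for e in entries
            if any(not _SCHEME.match(v) for v in e["attrs"].get("userpassword", []))]

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    logged_base = "ou=people,ou=MYABCAuthentication,dc=myabc"  # base seen in the log
    print(search(entries, logged_base, "uid", "bob", "person"))
    print(explain_miss(entries, logged_base, "uid"))
    print(search(entries, "dc=my-domain, dc=com", "uid", "bob", "person"))
    print(unhashed_password_dns(entries))
```
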

    Hi Amol,
    I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
    I was not aware you could install the service with that command.
    I used the below command instead:
    sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
    Regards,
    -John

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Webcenter discussion forum - LDAP Group Integration with JSSO

    Hi,
    We want to implement LDAP Group integration for authorization purposes in
    Webcenter Jive Discussions deployed in our IAS 10.1.3.2 application server.
    Though Jive provides support for the same, the Jive documentation says
    that we need to implement Jive's LDAP User authentication steps in order
    to leverage LDAP Groups integration. In the case of Webcenter, if we use Java SSO
    for authentication, we need to opt for 'Default' in the Jive
    Admin's authentication page instead of LDAP settings. Opting for the 'Default'
    scheme doesn't allow us to configure the LDAP group settings. We are not able
    to find any documentation for LDAP Group Integration along with Java SSO. Could
    you provide us the steps required for the same? Or has anyone tried the same?
    Thanks and Regards,
    ABhijit

    Hi Abhijit,
    You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
    - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
    - Jive documentation for implementing user authentication
    Navneet.

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP.  It is working fine but when I assigned roles to the LDAP group instead of UME group, they are not taking effect when I refresh the browser.  My service account that I set up in the keytab file is a read only account for the LDAP.  Is there some permission issue that I have to do to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is readonly.
    In this case, is not possible to modify data in LDAP.
    You must connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example I want to allow an existing user;
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by LDAP Group;
    cn=AppGroup1,ou=Groups,o=mycompany
    this group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins"), works just fine.
    I should mention that having a base DN with spaces works just fine as well, it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which can make it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • Webcenter discussion forum - LDAP Group Integration issue

    Hi All,
    I am trying to implement LDAP Group integration in our jive forums 5.1.0 installed in an Oracle IAS 10.1.3.2 server.
    I have followed the steps mentioned in the LDAP documentation and setup the following system properties:
    ldap.groupNameField cn
    ldap.groupMemberField uniquemember
    ldap.groupDescriptionField description
    ldap.groupSearchFilter (cn={0})
    I just restarted the server after setting up these , but the forums instance is not coming up in the server. Throwing the following error:
    08/01/21 14:52:33.550 jiveforums: http://CompressingFilter/1.4.4 CompressingFilter has initialized
    08/01/21 15:23:04.597 jiveforums: Servlet error
    java.io.IOException: An established connection was aborted by the software in your host machine
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
    at sun.nio.ch.IOUtil.write(IOUtil.java:75)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
    at java.nio.channels.Channels.write(Channels.java:60)
    at java.nio.channels.Channels.access$000(Channels.java:47)
    at java.nio.channels.Channels$1.write(Channels.java:134)
    at com.evermind.server.http.AJPOutputStream.endRequest(AJPOutputStream.java:117)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:309)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    08/01/21 15:25:59.956 jiveforums: Exception thrown during contextDestroyed
    java.lang.ExceptionInInitializerError
    at com.jivesoftware.forum.database.DbForumFactory.getAttachmentManager(DbForumFactory.java:798)
    at com.jivesoftware.forum.database.DbForumFactory.destroy(DbForumFactory.java:410)
    at com.jivesoftware.forum.database.DbForumFactory.shutdown(DbForumFactory.java:381)
    at com.jivesoftware.forum.util.ForumsLifeCycleListener.contextDestroyed(ForumsLifeCycleListener.java:88)
    at com.evermind.server.http.HttpApplication.destroyContextListeners(HttpApplication.java:5877)
    at com.evermind.server.http.HttpApplication.destroy(HttpApplication.java:5843)
    at com.evermind.server.http.HttpSite.destroy(HttpSite.java:877)
    at com.evermind.server.http.HttpServer.destroy(HttpServer.java:548)
    at com.evermind.server.ApplicationServer.destroy(ApplicationServer.java:2030)
    at com.evermind.server.ApplicationServerShutdownHandler.run(ApplicationServerShutdownHandler.java:93)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.IllegalStateException: Timer already cancelled.
    at java.util.Timer.sched(Timer.java:354)
    at java.util.Timer.scheduleAtFixedRate(Timer.java:296)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:218)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:202)
    at com.jivesoftware.forum.database.DbAttachmentManager.<init>(DbAttachmentManager.java:160)
    at com.jivesoftware.forum.database.DbAttachmentManager.<clinit>(DbAttachmentManager.java:48)
    Can anyone please throw a light?
    Thanks and regards,
    ABhijit

    Hi Guneet,
    We are using jive 5.5.9 instead of 5.1.0 that comes with webcenter.
    Also we are just trying to validate Jive's authorization scheme, so we didn't integrate the Java SSO part. The Jive forum is just a standalone OC4J instance in the IAS server and we are using the LDAP configuration in the User, Groups Authentication page instead of the default which is required for Java SSO.
    Thanks,
    ABhijit

  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
    But I'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB

  • LDAP groups to pool assignation problem

    Hi All,
    I have created two pools "Vista" and "Ubuntu" with two LDAP group associated ("Vista" and "Ubuntu"). I have a user "XX" which is in both LDAP groups (Vista and Ubuntu).
    When I display information about user XX in the Web interface, I get the information that the user is in 2 pools. But when I try to connect, I don't get any chooser and a desktop is started (generally the last used).
    Both pools contain enough free desktops (about 10).
    I have tried to use the "vda" command to see the configuration from the command line. Unfortunately, I don't succeed. The command "vda user-search" gives me the answer "XX uid=XX,ou=People" and when I try to pass the command "vda user-show XX" I get the answer "user not found, try command vda user-search".
    I use VDI3 software with the latest patches.
    Any help or idea would be greatly appreciated.
    Thanks
    rhino64

    Hello,
    you can look for more information about the failing commands in the cacao log file
    /var/cacao/instances/default/logs/cacao.0
    after increasing the log level as explained in:
    http://wikis.sun.com/pages/viewpage.action?pageId=139002331
    rhino64 wrote:
    root@zzz:/ # vda user-show test1
    User test1 not found. Use the user-search subcommand to search for existing
    users or groups.
    root@zzz:/ # vda user-show 10009
    User 10009 not found. Use the user-search subcommand to search for existing
    users or groups.
    In the two commands above, you seem to be trying to use the userid of the user. VDI uses the list of attributes defined in the global setting ldap.userid.attributes to search for users from their userid. So what is the value of the ldap.userid.attributes setting?
    # /opt/SUNWvda/sbin/vda settings-getprops -p ldap.userid.attributes
    And then what is the value of the corresponding attribute for your user? You should use this value as userid for your user.
    It is up to you to decide which attribute of the directory is the userid of your user, and then edit ldap.userid.attributes accordingly.
    See http://wikis.sun.com/display/VDI3/Customizing+the+LDAP+Filters+and+Attributes for more details.
    rhino64 wrote:
    root@zzz:/ # vda user-show 'cn=test1,ou=People'
    User cn=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups.
    This command would not work because as listed in the user-search command, the dn for your user is not cn=test1...
    rhino64 wrote:
    root@zzz:/ # vda user-show 'uid=test1,ou=People'
    User uid=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups.
    This command should work fine and I can't really explain why it doesn't. The only difference I can see with the result of user-search is the capitalized 'People' so maybe try:
    # vda user-show 'uid=test1,ou=people'
    Katell

  • Ldap groups autocreation

    Hi,
    I'm trying to have autocreation for LDAP groups, but even with group.invite.autoprovision = "yes" in the ics.conf (actually all autoprovision variables are on), calendar groups are not created when I invite a group in an event.
    I patched with the 121659-18 patch but it does not work at all.
    What is missing?
    thx.

    Make sure you've modified the Schema Map for the LDAPResourceAdapter that you have configured. Here's an example of the XML:
    <AccountAttributeType name='ldapGroups' syntax='string' mapName='ldapGroups' mapType='string'>
    </AccountAttributeType>
    When you edit the Schema Map make sure you enter the right and left hand side of the schema map to be ldapGroups.
    Here's an example of implementing the multi-select with the LDAP groups:
    <Field name='accounts[LDAP].ldapGroups'>
      <Display class='MultiSelect'>
        <Property name='title' value='LDAP Group Membership'/>
        <Property name='availableTitle' value='Available LDAP Groups'/>
        <Property name='selectedTitle' value='Selected LDAP Groups'/>
        <Property name='allowedValues'>
          <block>
            <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
              <ref>:display.session</ref>
              <s>Group</s>
              <s>LDAP</s>
              <null/>
              <s>false</s>
            </invoke>
          </block>
        </Property>
      </Display>
    </Field>
    HTH,
    Paul

  • GetUserRoles() in SecurityContext returns LDAP group names

    Hi,
    getUserRoles() in SecurityContext returns LDAP group names along with the application role of the user. Is this expected? If not what could be the possible issue.
    I have OVDLDAP configured in the weblogic server.
    Thank you.

    Hi,
    yes, this is expected. OPSS APIs expose application roles and user roles. To distinguish between the two I recommend a naming convention like <name>app-role to identify application roles
    Frank

  • Weblogic 10.3 ldap provider configuration

    Hello, I am trying to configure Weblogic 10.3 to use an LDAP authentication provider. I can see my list of Users from the ldap server, but I can not see the list of Groups. Any help with my config would be appreciated. I turned on debug for DebugSecurity and ldap. I do not seem to have a recent error from trying to view the groups in the logs. I have been doing grep -i error on the log dir.
    Ldap-auth Config
    Weblogic 10.3 (Windows install)
    IPlanetAuth Provider - 1.0
    LDAP Server – Fedora Directory Server (fedora-ds-1.0.4-1.RHEL4)
    LDAP Group DN
         ou=fssys02,ou=Groups,dc=hns-net,dc=com
         Groups under fssys02 – 4 cn=fs* groups that do not show up in Weblogic
    Group objectClass - groupOfUniqueNames (structural)
    Control flag - OPTIONAL
    IPlanetAuth Provider - 1.0
    Keep Alive Enabled – yes
    User Name Attribute – uid
    Propagate Cause for Login Exception – yes
    Principal -
    Host – ldap
    User Object Class – person
    All Users filter -
    User Search Scope – subtree
    All Groups filter –
    Static Member DN Attribute – uniqueMember
    Bind Anonymously on Referrals – yes
    Group From Name Filter - (&(cn=%g)(objectclass=groupofUniqueNames))
    Static Group DNs from Member DN Filter - (&(uniqueMember=%M)(objectclass=groupofUniqueNames))
    Use Retrieved user Name as Principal –
    Results Time Limit – 0
    Cache TTL – 60
    Dynamic Group Name Attribute –
    Credential –
    Confirm Credential –
    Group Search Scope – subtree
    Group Base DN - ou=fssys02,ou=Groups,dc=hns-net,dc=com
    Dynamic Group Object Class – groupofURLs
    User From Name Filter - (&(uid=%u)(objectclass=person))
    Dynamic Member URL Attribute – memberURL
    Cache Size – 32
    SSLEnabled –
    Cache Enabled – yes
    Connection Retry Limit – 1
    Connect Timeout – 0
    Parallel Connect Delay – 0
    User Dynamic Group DN Attribute – cn
    Static Group Name Attribute – cn
    User Base DN - ou=People, dc=hns-net,dc=com
    Follow Referrals – yes
    Port – 389
    Ignore Duplicate Membership –
    Static Group Object Class –
    Group Membersip Searching – unlimited
    Max Group Membership Search Level – 15

    Hi, to view the LDAP groups and the users:
    Groups and users have to be under one OU (organizational unit). Check the format below,
    and in the properties files you have to enable the LDAPGroup properties to true.
    This is for iplanet
    User path
    ou=groups,dc=xxx,dc=xxxsoft,dc=com
    Group path
    ou=groups,dc=xxx,dc=xxxsoft,dc=com
    Search filter
    (objectclass=person)
    for ADS Group base DN and user base Dn should be same (for example:-ou=test)
    Group Base DN - ou=fssys02,ou=Groups,dc=hns-net,dc=com
    User Base DN - ou=People, dc=hns-net,dc=com
    Check it out. This should work.
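
The provider settings in this thread use filter templates with `%u`, `%g` and `%M` placeholders and a separate Group Base DN. The following is an added example, not code from the thread or from WebLogic: it fills such templates with RFC 4515 escaping so that names containing `(`, `)`, `*` or `\` stay literal, then evaluates the rendered filter over a constructed directory to show which groups a given base DN and object class actually return. The entries, the `example.com` DNs and all function names are assumptions.

```python
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, user=None, group=None, member_dn=None):
    """Fill the %u / %g / %M placeholders used in the settings above."""
    values = {"%u": user, "%g": group, "%M": member_dn}
    def sub(m):
        if values[m.group(0)] is None:
            raise ValueError("no value supplied for " + m.group(0))
        return escape_filter_value(values[m.group(0)])
    return re.sub(r"%[ugM]", sub, template)

def parse_and_filter(flt):
    """Parse '(&(a=v)(b=w))' into [(a, v), (b, w)], undoing \\XX escapes.
    Only AND-of-equality filters with ASCII values are handled."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("bad search filter: " + flt)
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda h: chr(int(h.group(1), 16)), v)
    return [(a.lower(), unesc(v))
            for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]

def norm_dn(dn):
    # Simplified DN comparison: case-fold, trim around commas (no escaped commas).
    return ",".join(p.strip() for p in dn.lower().split(","))

def find_groups(entries, group_base_dn, flt):
    """Subtree search under group_base_dn; returns DNs matching every clause."""
    base, clauses, hits = norm_dn(group_base_dn), parse_and_filter(flt), []
    for dn, attrs in entries:
        n = norm_dn(dn)
        if n != base and not n.endswith("," + base):
            continue  # outside the configured Group Base DN
        def has(attr, want):
            norm = norm_dn if attr in ("uniquemember", "member") else str.lower
            return norm(want) in {norm(v) for v in attrs.get(attr, [])}
        if all(has(a, v) for a, v in clauses):
            hits.append(dn)
    return hits

# Filter templates as posted in the thread.
GROUP_FROM_NAME = "(&(cn=%g)(objectclass=groupofUniqueNames))"
GROUPS_FROM_MEMBER = "(&(uniqueMember=%M)(objectclass=groupofUniqueNames))"

# Constructed directory: (dn, {lowercase attribute: [values]}).
ENTRIES = [
    ("cn=fsadmins,ou=fssys02,ou=Groups,dc=example,dc=com",
     {"objectclass": ["groupOfUniqueNames"], "cn": ["fsadmins"],
      "uniquemember": ["uid=bob,ou=People,dc=example,dc=com"]}),
    ("cn=Ops (EU),ou=fssys02,ou=Groups,dc=example,dc=com",
     {"objectclass": ["groupOfUniqueNames"], "cn": ["Ops (EU)"],
      "uniquemember": ["uid=bob, ou=People, dc=example, dc=com"]}),
    ("cn=legacy,ou=other,ou=Groups,dc=example,dc=com",
     {"objectclass": ["groupOfNames"], "cn": ["legacy"],
      "member": ["uid=bob,ou=People,dc=example,dc=com"]}),
]

def groups_for_member(member_dn, group_base_dn):
    flt = render_filter(GROUPS_FROM_MEMBER, member_dn=member_dn)
    return find_groups(ENTRIES, group_base_dn, flt)

if __name__ == "__main__":
    bob = "uid=bob,ou=People,dc=example,dc=com"
    print(render_filter(GROUP_FROM_NAME, group="Ops (EU)"))
    print(groups_for_member(bob, "ou=fssys02,ou=Groups,dc=example,dc=com"))
    print(groups_for_member(bob, "ou=People,dc=example,dc=com"))
```
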

  • Use of LDAP group external authentication in Essbase v7.16

    Hello Experts,
    One of my customers wants an answer to his query -
    They currently use LDAP external authentication with userid only and would like to use LDAP groups. Is this supported in version 7.1.6? (Heard that it is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x)
    My Research:
    I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
    Can you explain how this works
    Thank you
    Example 1
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
    AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
    Example 2
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
    AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=com@129.63.140.122:389
    Regards,
    Sonal
    Edited by: 637223 on Oct 23, 2009 7:16 PM

    I do not believe using LDAP groups is supported in 716.
