Searching LDAP attributes after Authentication

Similar Messages

• LDAP sub tree search by OAM during authentication

  Hi,
  Is it possible to configure OAM to perform sub tree search for user id while authenticating a user. The scenario is - OAM is configured to search LDAP at level ou=comp, dc=com. User ID U01 is stored in ou=fin,ou=comp,dc=com.  When user logs in with user ID U01, will OAM search in sub tree level ou=fin,ou=comp,dc=com and not just under ou=comp, dc=com?

  Also, you can get more info at http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/datasrc.htm#CHDIACJI URL with more description.
  ~J

• How setup LDAP Sync After Install in OIM 11g  ver, 11.1.1.5.0

  Hi guys, I'm trying to find how to setup LDAP Sync After Install in OIM 11g (ver, 11.1.1.5)....
  I found on Metalink an interesting article "*How to Setup LDAP Sync After Install in OIM 11g [ID 1272682.1]*", but inside there is a Note that says:
  Note: This article is applicable to OIM version 11.1.1.3 only. Steps for 11.1.1.5 are not the same, and product manual has documented steps to setup LDAP sync after install.
  So, that the steps for 11.1.1.5 are not the same, it's clear.....
  and I tried to look for these steps in the manual:
  Oracle® Fusion Middleware Quick Installation Guide for Oracle Identity Management
  11g Release 1 (11.1.1)
  Part Number E10033-06
  but I didn't still find nothing for the specific 11.1.1.5.0 version....only for the 11.1.1.3.0 version
  Can anyone help me to find where these steps are ? I need this information as soon as possible ti start the development
  Thanks in advance for the help
  Alex

  If you are creating Before and After Create Opeation script, you would be able to access all the variables in the process form. Now obvious question, what are the names of these variables? The answer is: the name of the variable is same as that mentioned in the "decode" column of the provisioning attribute map lookup or in other words, the variable name is same as the AD attribute name. In the example mentioned in the documentation, the variable "%givenName% was used in the script. On the similar lines you can use other variables like "sn", "samAccountName", etc.
  Hope the information helps.

• How to redirect to a page dynamically after authentication Apex

  We have developed an application and the application id is 333.
  we have developed a login screen(page No. 111).
  After login Company page (Page No.1) will appear where the user selects the company name.
  Once company is selected, the control goes to Menu Page(Page No.10). The menu will be displayed based on the user rights.
  In shared Components - Authentication scheme,
       In session Not Valid region, URL option is selected and URL is assigned as "we have given "f?p=&APP_ID.:111:&SESSION."
       In Logout URL, URL option is enabled and URL is assigned as "f?p=&APP_ID.:111"
  In shared Components - Security Attributes,
       In Authentication region, in HOME link "f?p=&APP_ID.:1:&SESSION." is assigned
  In login page (Page No. 111), we have created a process "On Submit - After computation and validations".
       in that
            we are checking a condition like
            if the user has access to Only one company then he will be redirected to Menu_page(Page No.10).
            if the user has access to more than one company then he will be redirected to Company Page(Page No.1).
  if "No. of company access" =1 then
  wwv_flow_custom_auth_std.login (p_uname => :p111_username,
  p_password => :p111_password,
  p_session_id => v ('APP_SESSION'),
  p_flow_page => :app_id||':10'
  else
  wwv_flow_custom_auth_std.login (p_uname => :p111_username,
  p_password => :p111_password,
  p_session_id => v ('APP_SESSION'),
  p_flow_page => :app_id||':1'
  end if;
  The above condition is not working. ie. it is always loading Company Page(Page No.1) even if the user has access to one company alone.
  Can anyone point out the place where I have done wrong. Or please suggest me a method to achieve the above said task.

  Hi User490632,
  During the login,
  it using the custom authentication function which I mentioned below,
  *create or replace FUNCTION custom_auth_g (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2)
  RETURN BOOLEAN IS
  BEGIN
  FOR c1 IN (SELECT 1
  FROM login_table
  WHERE upper(username) = upper(p_username)
  AND upper(password) = upper(p_password))
  LOOP
  RETURN TRUE;
  END LOOP;
  RETURN FALSE;
  END;*
  its working fine, If I give the username and password which exist in the table login_table.
  Now I need to redirect to 2 different pages.
  if the username is 'guru' then when he clicked the login button he has to redirect to page 2,
  if username is any other name except 'guru' they have to be redirected to page 3.
  Can you please give the step by step procedure to follow?
  Thank you.
  Regards,
  gurujothi

• Problem with getting LDAP attributes on ISE when EAPChaining is enabled

  Hi All,
  has anybody and idea how to set LDAP attributes retrieval with EAPChaining enabled?
  My scenarios is:
  - user with AnyConnect (EAP-FAST) connects to WLAN and sends it's credentials
  - ISE authenticates username and password against Active Directory
  - ISE should check if the same userid contains in LDAP Directory (not AD, different store) special attribute which controls access to our WLAN
  - If the attribute is found, then authorization profile is matched.
  This works when I disable EAP-Chaining Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...
  In logs I've found that the user was not found in LDAP, but the user exists.
  Maybe the workaround can be if just user from EAPChaining is used and not also the hostname, then it could match. But I cannot find any similar parameter which returns only user.
  Does anybody have an idea how to solve this?
  Thanks!
  K.

  Hi,
  This seems like a corner issue, because eap-fast with ldap is not supported. LDAP as the protocol doest support hash based authentication hence the reason ISE is failing to hit the ldap database.
  Referencing acs material since ise docs are not complete:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html
  Sent from Cisco Technical Support Android App

• ISE 1.1.1. and additional LDAP attribute retrieval

  Hello All,
  I'm authenticating users against Active Directory and want to also check additionals attributes from LDAP. In ACS 5.3. it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set sequence only for authentication, but not for additional attribute retrieval.
  When I set a condition in a policy that an LDAP attribute must match with some value, the attribute is not retrieved and autorization ends on default Deny Access.
  Can anyone help me how this can be set on ISE?
  Thanks!
  Regards
  Karel Navratil

  Yes that's what I've tried as I wrote in my first post, but the ISE does not retrieve the attribute from LDAP
  Here are some screenshots:
  authorization rule:
  ldap attribute in external identity source:
  and the logs:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12100  Prepared EAP-Request proposing EAP-FAST with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12810  Prepared TLS ServerDone message
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12812  Extracted TLS ClientKeyExchange message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12209  Starting EAP chaining
  12218  Selected identity type 'User'
  12125  EAP-FAST inner method started
  11521  Prepared EAP-Request/Identity for inner EAP method
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12212  Identity type provided by client is equal to requested
  11522  Extracted EAP-Response/Identity for inner EAP method
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Endpoints
  22043  Current Identity Store does not support the authentication method; Skipping it
  24210  Looking up User in Internal Users IDStore - test,host/test-pc
  24216  The user is not found in the internal users identity store
  24430  Authenticating user against Active Directory
  24402  User authentication against Active Directory succeeded
  22037  Authentication Passed
  11824  EAP-MSCHAP authentication attempt passed
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814  Inner EAP-MSCHAP authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12128  EAP-FAST inner method finished successfully
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12126  EAP-FAST cryptobinding verification passed
  12200  Approved EAP-FAST client Tunnel PAC request
  12219  Selected identity type 'Machine'
  12125  EAP-FAST inner method started
  11521  Prepared EAP-Request/Identity for inner EAP method
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12212  Identity type provided by client is equal to requested
  11522  Extracted EAP-Response/Identity for inner EAP method
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  11055  User name change detected for the session. Attributes for the session will be removed from the cache
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Endpoints
  22043  Current Identity Store does not support the authentication method; Skipping it
  24210  Looking up User in Internal Users IDStore - test,host/test-pc
  24216  The user is not found in the internal users identity store
  24431  Authenticating machine against Active Directory
  24470  Machine authentication against Active Directory is successful
  22037  Authentication Passed
  11824  EAP-MSCHAP authentication attempt passed
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814  Inner EAP-MSCHAP authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12128  EAP-FAST inner method finished successfully
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  12126  EAP-FAST cryptobinding verification passed
  12201  Approved EAP-FAST client Machine PAC request
  Evaluating Authorization Policy
  15004  Matched rule
  15016  Selected Authorization Profile - DenyAccess
  15039  Rejected per authorization profile
  12855  PAC was not sent due to authorization failure
  12105  Prepared EAP-Request with another EAP-FAST challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  11105  Request received from a device that is configured with KeyWrap in ISE.
  12104  Extracted EAP-Response containing EAP-FAST challenge-response
  11514  Unexpectedly received empty TLS message; treating as a rejection by the client
  12512  Treat the unexpected TLS acknowledge message as a rejection from the client
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  So no any information that ISE tries to retrieve something from LDAP.
  Regards
  Karel

• Address Book now showing all LDAP attributes

  The Address Book does not provide access to all LDAP attributes. For example
  homePhone
  homePostalAddress
  labeledURI
  are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to thunderbird which allows the mapping off all the field it know about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the defacto standard is rather due for redesign.
  I am just wondering if anybody else if having this problem and if they found a solution?

  the script did not work for me
  python fixBirthdays
  Traceback (most recent call last):
  File "fixBirthdays", line 6, in <module>
  import AddressBook
  ImportError: No module named AddressBook
  further, the particular one vcard that is misbehaving - i exported it, and opened in Tedit.
  this is what isee for the date field.
  item1.X-ABDATE;type=pref:2003-06-17
  year is not negative either.
  i unchecked and checked birthday calendar in iCal. exited iCal after uncheck, relaunched iCal and checked that option.
  no show of the birthdate.
  stumped.

• Windows LDAP attributes match for the Synology LDAP client profile filter.

  I am having Windows server 2012 domain controller with LDAP enabled. I wish to enable LDAP client on Synology Diskstation to search for users and enable them access of shared folders of Synology. Hence, I have enabled the client which shows connected to the Windows LDAP service, but not populating any users.
  Anybody figured out this? It requires profile settings. I'm finding difficult to identify the LDAP attributes match for the Synology profile filter attributes.
  Refer following image.
  This topic first appeared in the Spiceworks Community

  Specify a Dynamic Access Profile with:
  Criteria: User has ALL of the following AAA attribute values...
  ldap.memberOf != GroupName
  cisco.tunnelgroup = TunnelGruopName
  Should work
  /K

• How to associate LDAP attributes with the subject?

  I am writing a custom role mapper and want to determine the roles of the subject
  depending on values of LDAP attributes. Is it posssible to associate LDAP attributes
  with the Subject?
  We use iPlanet and hence I have configured iPlanetAuthenticator as the Authentication
  Provider. Is it possible to configure iPlanetAuthenticator so that the LDAP attribute
  values are associated with the subject? Or is it possible to extend iPlanetAuthenticator
  for this purpose?
  Is there a way to do this other than writing my own AuthenticationProvider?
  Thanks in advance.
  Jay

  "Jay" <[email protected]> wrote in message
  news:3f1d77f7$[email protected]..
  >
  I am writing a custom role mapper and want to determine the roles of thesubject
  depending on values of LDAP attributes. Is it posssible to associate LDAPattributes
  with the Subject?
  Which LDAP attributes are you interested in? We can look at adding this
  functionality
  if we have more info.
  We use iPlanet and hence I have configured iPlanetAuthenticator as theAuthentication
  Provider. Is it possible to configure iPlanetAuthenticator so that theLDAP attribute
  values are associated with the subject? Or is it possible to extendiPlanetAuthenticator
  for this purpose?
  There is no way to extend the provider.
  Is there a way to do this other than writing my ownAuthenticationProvider?
  >
  You may be able to write a separate provider that works in conjunction with
  the
  authentication provider. It would add the principals with the ldap
  attributes.
  Thanks in advance.
  Jay

• Is there a way to have LDAP record an authenticated user's current ip address?

  Hello All,
  Trying to have authenticated user's IP addresses stored in LDAP somehow. This value would then be readable via LDAP and thus accessible to external machines/services.
  I'm toying with the idea of a login hook + cron script (both client side) to update an LDAP attribute periodically. However, I wanted to find out if there were other/better ideas out there.
  1) How do you modify (in OD I would assume) the user record to include an IP address field?
  2) How do you collect the data from the client and get it into the directory?
  Any thoughts/hints/tips/solutions would be very welcome.
  Thanks.

  What's your ultimate goal here?
  The reason I ask is that storing this data in OD seems unusual. What do you expect to gain from this?
  If it's just a matter of locating a specific active user on the network then DNS would be a more typical approach -you can combine the DHCP client IDs with dynamic DNS so update the DNS records as users connect to the network (or use bonjour, of course).
  If you're looking at this for historical records, then the DHCP server logs would hold that data, with the advantage that you'd have a historical archive of IP address assignments over time.
  Don't get me wrong, it should be possible to extend the OS schema to incorporate any data you like. It's just a matter of whether that's the best approach, or whether you're re-inventing the wheel.

• GroupWise ldap attributes names

  Hi,
  I'm using Novell Identity Manager to synchronize users accounts to GroupWise. What are ldap attributes used to store information about email address, distribution lists and license type (full and limited)?
  Thanks

  moularbi,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Which LDAP attribute is utilized by CertStore to retrive certifications?

  Hi
  thank you for reading my post
  I find that CertStore and LDAPCertStoreParameters and X509CertSelector and X509CRLSelector can be used to extract certifications from LDAP.
  What i can not figure out is,
  which LDAP attribute uses by these class to extract certifications?
  for example we have person class in LDAP which one of its attribute can be userCertificate, how does these class figure out what is name of these attribute?
  maybe they uses some other mechanism, and my assumption are not correct?
  Thanks

  Hi
  Thank you for your reply.
  Imagine that i have the following requirement, what could be possible steps to implement it?
  I need to check and see whether a digital certification belongs to a user or not.
  user will gives it uid and digital certification.
  here is one way that i have in my mind:
  -Search the LDAP for that user.
  -Extract the userCertificate attribute as binary
  -Create a X509 certificate from it
  -Compare it with what user provides.
  Is it a good way?
  Does all of the above steps are do-able?
  Do you have suggestion to improve the procedure or make it more standard ?
  Thanks

• Inbound mail routing based on LDAP attribute mailsystem

  Hi gents and ladies,
  i have a small question ...
  is it possible to route an email to a recipient based on an LDAP attribute like mailsystem or ldap attribute domain ?
  We have an infrastructure with domino and Xchange. All users have a - so called - maindomain.net SMTP Address.
  Is it possible to manage such routing via mail policies or message filters ?
  Or is it just easy to realize this jjust with SMTP routing list ? e.g. maindomain.net gets an entry in SMTP routing pointing to the domino gateway ... if no delivery is possible the default gateway (Xchange gateway) would be used instead ?
  Thanks in advance for your help and hints.                

  Hello  HPGroh2013,
  I think I answered your question in the previous entry, at least it looks the same to me.
  Regards,
  Andreas

• J_security_check not redirecting after authentication - in one environment

  Hi all,
  I have a J2EE web application developed in JDeveloper 10.1.3 which uses JAAS security with a custom authentication provider class. I can configure this is both a windows and unix based OC4J. The windows OC4J is stand alone, the unix one is part of a managed instance (OPMN).
  When I deploy to windows, attempts to access a protected resource cause the authentication to fire off perfectly and redirect to the appropriate url after login is successful. Absolutely no problems.
  When I deploy to unix with the same configuration, the authentication fires off perfectly but after authentication the redirect attempts to go to Base URL/j_security_check which results in a 404 not found as j_security_check is a logical name and not a real url.
  I have tried setting the ocfj.formauth.redirect flag in the oc4j startup options and this did not seen to help. I still got the 404 error.
  Can anyone advise me on whether there are any switches or parameters I need to set for the j_security_check redirection to work correctly, or is there something else I need to do in a unix (Solaris) environment to cause the redirections to work?
  thanks for any suggestions
  Ben

  Hi,
  you are always seeing the j_security_check in the URL. It seems that this problem is OC4J rekated and I suggest to post the question on the Application Server or the J2EE forum here on OTN
  Frank

• Conditional copy of payload attributes after HT

  Hi,
  How can I conditionally copy the payload attributes after the execution of a HT.
  Say that I have an attribute in my payload named hasAtlestOneCustomerAcceptedOffer and I have a Parellel gateway where I create multiple tasks in parellel.
  I want to copy the value of this attribute only when it is "Yes". I looked at teh data associations but couldn't be sure about how to do it ..
  I am using 11.1.16
  Thanks

  Hi --
  You have to use the XSLT 'if' or 'when' constructs - you can find examples here:
  - http://www.w3schools.com/xsl/el_if.asp
  - http://www.w3schools.com/xsl/el_when.asp
  Hope this helps,
  Fernando