Security - using LDAP groups

I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
to recognize groups. Here is my weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>channel-role</role-name>
<principal-name>system</principal-name>
<principal-name>mygroup</principal-name>
<principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
</security-role-assignment>
It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
When I pass the credentials from the client of a uniquemember, WLS generates a
security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
either.
Any suggestions?
Thanks
-Surya

Yes, it has an impact. You create groups in the Repository & Answers and assign the object-level permissions.
You populate the Group variable during authentication via the LDAP server. Once you log in with name X you see the authorized groups in My Account.
For dashboard A - for group Executive - user X - you have given full access.
Now you have changed the group name to AD_Executive. When you log in, the variable values would be
User - X
Group - Ad_Executive
Dashboard A - No permissions.
If you have a scenario of changing the group names, then get the groups from the database using an init block after authorization.

Similar Messages

  • Problem using a group which has a space in its DN when using LDAP group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins") works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mapping that doesn't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM, which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using the CLI ("scope security/ldap/ldap-group"), where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows it as if we had used "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • INTEGRATING PUBLISHER WITH OBI EE SECURITY USING LDAP

    Hi !
    Just learned how integrating BI Publisher with OBI EE Security has to be set up. (SA SYSTEM blah blah blah)
    My question is: what if my OBI EE security is already based on an LDAP server? How do I manually insert user logons in SA_USER as I'm supposed to do? No way... any turnaround? Should I base my BI PUB security on the LDAP server?
    Thanks in advance
    Yannis

    Hi,
    I too have the same question.
    Could you please let us know whether using the "Oracle BI server" security model in BIP would address the SSO between Oracle BI and BI Publisher when BI uses LDAP authentication?
    Also I am facing some issues in setting up BI security in BIP.
    The issue is that, when logged into BIP as Administrator, the Roles and Permissions tab of Admin displays only two roles, namely "Administrator" and "XMLP_TEMPLATE_ONLINE".
    SA subject area is also set.
    Could you please let me know your thoughts on the same?
    Thanks in Advance.

  • OIM OES Integration to use LDAP groups for policy making

    Hi ,
    I am trying to make a policy for the OIM application using OES. I want to use my LDAP groups as principals to control the access in OIM. How can it be achieved?
    Thanks
    Edited by: user10660448 on May 21, 2013 1:35 AM

    Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
    When you have multiple domains, you have a problem with this set-up, as the internal LDAP is coupled to
    a specific domain. This means that users you created in one domain are not visible in the other. When using
    a separate LDAP that contains the users, you can configure in each domain an authenticator that points
    to the LDAP. In this way you can share the users across multiple domains.
    When you are planning to use one domain you can stick with the internal LDAP if you want.
    An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
    which might help you in how to proceed.

  • Using LDAP group to authenticate users from inside network to Internet

    Hi team, I've got an ASA 5510 version 7.2.3 and I need to authenticate my users from the inside network to the Internet using a security group in the Active Directory. Can anyone help me with this?

    This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
    Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
    PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
    then do some filtering -
    ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

  • Use of LDAP group external authentication in Essbase v7.16

    Hello Experts,
    One of my customer wants an answer for his query -
    They currently use LDAP external authentication with userid only and would like to use LDAP groups. Is this supported in version 7.1.6? (Heard that it is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x.)
    My Research:
    I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
    Can you explain how this works
    Thank you
    Example 1
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
    AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
    Example 2
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
    AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=com@129.63.140.122:389
    Regards,
    Sonal
    Edited by: 637223 on Oct 23, 2009 7:16 PM

    I do not believe using LDAP groups is supported in 716.

  • LDAP Group Lookup Policy

    I would like to know if it is possible to set up an inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
    I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a distribution group called Media_Access.
    Does this need to be a distribution group or a mail-enabled security group?
    We are using Active Directory.
    Thanks

    Though you could accomplish this with message filters, my vote would be for using ldap group query with the incoming mail policy. You can have the Media-policy that checks if the recipients are a member of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering by the way.
    Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
    Have you tried to create a policy allowing these file types and checking the recipients using LDAP group query?
    Then, insert a policy below this (the mentioned above) not allowing these file type for non-group members.

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully; however, after the user is authenticated I get a message from the OC4J container that my role cannot be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    Log.xml log entry that confirms webtA is communicating successfully with AD.
    SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and the user search base is likely set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming the group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and the group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

  • Filtering Groups on Windows Active Directory using LDAP Authentication

    Hi All,
    I have a small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB [code below].
    This module was developed and tested on WebLogic 8.1 [on Windows] and works fine.
    Now the same is moved to another environment - WebSphere on Linux SuSE. The code fails to retrieve any value from the Windows AD.
    Please note that no exception is thrown either.
    env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
    // set security credentials, note using simple cleartext authentication
    env.put(Context.SECURITY_AUTHENTICATION, authentication);
    env.put(Context.SECURITY_PRINCIPAL, adminName);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    // connect to my domain controller
    env.put(Context.PROVIDER_URL, domainController);
    // Create the initial directory context
    try {
        dirCtx = new InitialDirContext(env);
        // Create the search controls
        SearchControls searchCtls = new SearchControls();
        // Specify the attributes to return
        String returnedAtts[] = {"member"};
        searchCtls.setReturningAttributes(returnedAtts);
        // Specify the search scope
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        int totalResults = 0;
        int iteration = 0;
        // Search for objects using the filter (on the context opened above)
        NamingEnumeration results = dirCtx.search(searchBase, searchFilter, searchCtls);
    In the above code the method exits even before the try block [I could detect this using Sysouts].
    Below is the property file from which the values are read.
    admin=username
    password=password
    #AD search attributes
    searchBase=DC=domainname,DC=domainname
    searchFilter=(&(objectClass=group) (CN=value*))
    #JNDI context attributes
    ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
    authentication=simple
    domainController=ldap://address
    groupPattern=pattern
    Please assist,
    Thanks in Advance
    Message was edited by:
    radiant

    Assuming it is the same Active Directory environment and only your Java platform has changed, then I can only assume that if no exception is thrown and no data is returned, the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password?). By default, Windows Server 2003 domains do not return any results to anonymous users.
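    The answer's suspicion (blank password, so AD answers the search as anonymous with zero results and no exception) can be caught before the bind. Below is an added example, not the poster's code: it reads the .properties file quoted above and classifies the resulting simple bind as RFC 4513 section 5.1 does; a non-empty name with an empty password is an "unauthenticated" bind, which Active Directory treats as anonymous. The sample file is constructed; its keys are the ones the post uses.

```python
"""Classify the JNDI simple bind that a Java .properties file would produce."""
from typing import Dict, List

# Constructed sample modelled on the post's property file; password left blank.
SAMPLE_PROPERTIES = """\
admin=CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=test
password=
#AD search attributes
searchBase=DC=example,DC=test
searchFilter=(&(objectClass=group)(CN=Media*))
#JNDI context attributes
ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
authentication=simple
domainController=ldap://dc01.example.test
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: first '=', ':' or whitespace separates
    key from value; '#' and '!' start comments. No continuations or \\uXXXX."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = next((i for i, ch in enumerate(line) if ch in "=:" or ch.isspace()), None)
        if sep is None:
            key, value = line, ""
        else:
            key, value = line[:sep], line[sep + 1:].lstrip()
            # "key = value": whitespace separator followed by an optional '=' or ':'
            if line[sep].isspace() and value[:1] in ("=", ":"):
                value = value[1:].lstrip()
        props[key.strip()] = value.strip()
    return props


def bind_mode(principal: str, credentials: str) -> str:
    """RFC 4513 section 5.1: both empty = anonymous; name but no password =
    unauthenticated (which AD also serves as anonymous); otherwise authenticated."""
    if not principal and not credentials:
        return "anonymous"
    if principal and not credentials:
        return "unauthenticated"
    return "authenticated"


def check_bind_config(props: Dict[str, str]) -> List[str]:
    """Findings for the env the post builds from these properties (empty = OK)."""
    findings: List[str] = []
    mode = bind_mode(props.get("admin", ""), props.get("password", ""))
    if mode != "authenticated":
        findings.append(f"bind would be {mode}: AD returns no results to anonymous callers")
    url = props.get("domainController", "")
    if props.get("authentication", "simple") == "simple" and url.startswith("ldap://"):
        findings.append("simple bind over ldap:// sends the password in clear text; "
                        "use ldaps:// or StartTLS")
    if not props.get("searchBase"):
        findings.append("searchBase is empty; the search has no starting point")
    return findings


if __name__ == "__main__":
    for finding in check_bind_config(parse_properties(SAMPLE_PROPERTIES)):
        print("WARNING:", finding)
```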

  • Using LDAP as security realm

    Hi,
    Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
    for Weblogic Personalization and Commerce 3.5.
    Using the WLCS console, I've modified the config.xml file and following
    elements are added:
    <LDAPRealm AuthProtocol='simple' Credential='admin'
    GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
    GroupUsernameAttribute='uniquemember'
    LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
    Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
    UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
    UserNameAttribute='uid'/>
    <CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
    Name='wlcsCachingRealm'/>
    But when we try to restart the WLCS, it throws java exceptions that context
    is not initialized and I get the following error
    <Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the server: 'Fatal initialization exception
    Throwable: weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
    weblogic.security.ldaprealm.LDAPException: could not get context - with nested exception:
    I tried using Windows NT as a security realm but that gave me errors too.
    Does anyone have any experience using anything other than the default Realm?
    Any help would be appreciated. Thanks!
    Asim Raja
    [email protected]

    I'm not sure, but I suspect you can't
    since this would create a circular dependency -
    your realm would rely on the upper level security
    checking calls but those calls would rely on your
    realm.
    My suggestion is to give it a try and see what
    happens.
    -Tom
    Ozcan ADIYAMAN <[email protected]> wrote:
    Hi ,
    I am implementing a simple custom security realm using LDAP as the
    security store and I can see the users, groups and acls from the admin
    console.
    My question is (a custom realm newbie question) ;
    Is it possible to use weblogic.security.acl.Security with my custom
    realm to check permissions, get the current user,etc.,
    OR
    is this class ONLY used with default realms (when ACL is stored in a
    file) ?
    Thanks
    Ozcan

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
       if ( (type(aaa.ldap.distinguishedName) == "string") and
            (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
    then
           return true
       end
       return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
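    The Lua expression above matches the literal substring "OU=Users" anywhere in the DN string, so an OU whose name merely begins with "Users" (say "OU=Users Legacy") would also pass. The added example below, not code from either post, parses the DN into its RDN components (RFC 4514 escaping of commas handled) so the OU test matches a whole RDN; the same parser compares DNs the way a directory does, which is also what the OC4J role-mapping answer above relies on when it derives the group DN from the group search base and mapping attribute. Sample DNs are constructed from the DAP_TRACE lines, with "Site X" standing in for the masked site name.

```python
"""DN-aware OU and group checks, as an alternative to substring matching on a DN."""
import re
from typing import List, Tuple

# RFC 4514: a comma preceded by a backslash belongs to the value, not a separator.
_RDN_SPLIT = re.compile(r'(?<!\\),')
_UNESCAPE = re.compile(r'\\(.)')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, most specific RDN first.

    Types are lowercased; values are unescaped but keep their case. Multi-valued
    RDNs ("cn=a+sn=b") are not handled, which is fine for AD user and OU paths.
    """
    parts: List[Tuple[str, str]] = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.strip().lower(), _UNESCAPE.sub(r'\1', value.strip())))
    return parts


def _normalize(dn: str) -> List[Tuple[str, str]]:
    return [(attr, value.lower()) for attr, value in parse_dn(dn)]


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs the way a directory does: case-insensitive, escaping-aware."""
    return _normalize(a) == _normalize(b)


def in_ou(dn: str, ou: str) -> bool:
    """True only if some RDN of dn is exactly OU=<ou> (case-insensitive)."""
    return any(attr == 'ou' and value.lower() == ou.lower() for attr, value in parse_dn(dn))


def substring_in_ou(dn: str, ou: str) -> bool:
    """The test the DAP Lua snippet performs: a plain substring search on the DN."""
    return f"OU={ou}" in dn


def expected_group_dn(group_search_base: str, mapping_attr: str, group: str) -> str:
    """Group DN an OC4J-style role mapping resolves to: <attr>=<group>,<search base>."""
    return f"{mapping_attr}={group},{group_search_base}"


if __name__ == "__main__":
    # Constructed DNs modelled on the DAP_TRACE lines in the post.
    samples = [
        "CN=Mr B,OU=Users,OU=Site X,DC=CH,DC=Mycompany,DC=com",
        "CN=Admin Mr B,OU=Admin Users,OU=Site X,DC=CH,DC=Mycompany,DC=com",
        "CN=Contractor,OU=Users Legacy,OU=Site X,DC=CH,DC=Mycompany,DC=com",
    ]
    for dn in samples:
        print(f"{dn}\n  substring: {substring_in_ou(dn, 'Users')}  rdn: {in_ou(dn, 'Users')}")
```

    The third sample is the case that separates the two checks: the substring test admits it, the RDN test does not.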

  • How to delete / remove a group in AD using LDAP?

    Can anyone please point me in the right direction to code the ability to delete or remove a group from AD using LDAP? Is this even possible? I'm surprised I cannot find anything related to this action.

    How would you delete any other object using LDAP ?
    Why do you think deleting a group is any different ?
    String groupName = "CN=Idiots,OU=Developers,DC=Antipodes,DC=Com";
    // Create the initial directory context
    LdapContext ctx = new InitialLdapContext(env,null);
    // Delete the group, and wishfully all the idiots that ask stupid questions
    ctx.destroySubcontext(groupName);

  • Using LDAP with query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully - so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within a LDAP group.
    Is there a way to build a query for this case (datasource configuration file, etc...)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    thanks for your fast reply!
    The problem is that we have about 5.000 users in our LDAP system (Exchange); this includes several system users and also special users for e.g. domain administration, etc. Only about 2000 users are really respective portal users and only these users should have access to the portal generally. The intention is to filter the redundant users, so we won't have problems with SAP licenses for users who should never be able to use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch

  • Using Active Directory - either Secure or Distribution Groups

    Reviewing the security documentation for UCM 10g R3, it appears that we should only map to Active Directory Secure Groups and not Distribution Groups, perhaps even if they are marked "secure"? Does anyone know if this is a technical limitation or a best practice? Our organization has processes in place to prevent ad-hoc updates to Distribution lists and I'd like to map UCM using this group type in AD because SQL statements can keep the membership list current in a Distribution Group.

    A dll is not a good candidate for the Agent; this has to be an application (exe), and the server, once it identifies the PCs, should push this Agent to those PCs, and the application should have the logic to phone home etc...

  • Configuring ADF Security to use LDAP

    Hi All
    We are building an application which is secured using SSO authentication. We have an LDAP setup for this.
    During development, we wanted to configure LDAP in ADF Security Wizard in Jdeveloper for authentication. I tried the following in ADF Security Wizard in the 10 steps of the wizard:
    1) Configure ADF for Web Application, enforce Authorization
    2) Enable Credential Store
    3) No Policy Store
    4) LDAP Identity Store
    5) Enter LDAP credentials, LdAp URL, user base
    6) No Anonymous Provider
    7) Did not select any login module
    8) Form Based Authentication, generate default
    9) Added pages that need to be secured
    10) Finish
    The login page is rendered whenever I try to access a protected page. But when I enter the LDAP user credentials for login, it does not work. It says "You are not authorized to view this page".
    Is there anything missing in the setup that is causing the issue. Any pointers on this would be helpful.
    Thanks
    Srinidhi.

    Hi,
    note that there is no documentation for configuring ADF Security in JDeveloper 11 with LDAP. In general, ADF Security in JDeveloper 11 is not yet ready for SSO and LDAP testing and is still under development. Note that LDAP authentication - as container managed authentication - is configured in the jps-config.xml file of the deployed application. However, as said, it's not documented and would be just too much at this point to put into a forum answer.
    Frank
