Set User Description by external ldap authenticator

Hi,
I used a customized iplanet Authentication Providers to authenticate the user.
After the system is started and I goes to "Security Realms > myrealm > Users and Groups -> Users", I am able to see a list of user from Ldap server. Name field is username. But description is empty. How could I populate description field by field in External Ldap server?
Thanks,

Hi,
I used a customized iplanet Authentication Providers to authenticate the user.
After the system is started and I goes to "Security Realms > myrealm > Users and Groups -> Users", I am able to see a list of user from Ldap server. Name field is username. But description is empty. How could I populate description field by field in External Ldap server?
Thanks,

Similar Messages

  • Users changing passwords within LDAP authentication

    Hello all,
    I've noticed that if a user uses the 'Membership' authentication to access the portal, they are allowed to change their passwords within the 'user channel' edit section.
    If a user logs in throught the LDAP authentication, this password utility disapears.
    1 - Is there a way to use this password utility when using LADP authentication? Is it just a setting somewhere??
    2 - What are you using to change password if you are using LDAp authentication? i.e. did you create your own password tool??
    Thanks in advance,
    Jason

    Here's how I did it on 6.0:
    I created a bookmark with these properties:
    Bookmark Name: Change Personal Settings
    URL: /amconsole
    When the user clicks on the bookmark, they have to scroll all the way down to the bottom of the window to find the change password option. After changing the password, the user should close the amconsole window WITHOUT clicking on the logout button. Just kill the window.
    If they click "logout" it will log them out of the Portal Server while leaving the desktop window open. It will look like they are still logged in but they are not. They will have to re-login.

  • Users from an external organization authenticating to a Remote Dekstop App

    Hi,
    We have set up Remote Desktop Apps using Remote Desktop Services
    The apps are permissioned with AD user accounts in our forest
    When an external company that has network access (i.e. routable addresses) tries to log in (with credentials in our AD) they sometimes get in and other times do not. They see an error message saying 'The credentials did not work' or 'The Local Security Authority
    cannot be contacted'
    I think this may be because all the Domain controllers for that domain are not reachable from the external company's PC
    i.e. if they get lucky they try and authenticate using a reachable DC but sometimes they pick a DC that is not routable and see this error
    Is my thinking correct?
    How is a DC chosen by a PC belonging to an external company?
    This article leads me to believe it is random:
    How Domain Controllers are Located Across Trusts
    Thank you for your time

    Hope this may help:
    "Your credentials did not work" error when connecting to Windows Azure VM's
    http://blogs.msdn.com/b/narahari/archive/2011/08/29/getting-quot-your-credentials-did-not-work-quot-when-connecting-to-windows-azure-vm-s.aspx
    http://social.technet.microsoft.com/Forums/windows/en-US/5ca3e416-e500-4b7c-a309-f15123914e5b/your-credentials-did-not-work?forum=w7itpronetworking
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/aa054168-8811-4329-8eb3-a07be874c71a/your-credentials-did-not-work-the-logon-attempt-failed?forum=winserverDS
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, setup is in such a way that Administrators is a group created under following heirarchy " cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
    The problem that I am having is when I modify the Admin role in which Administrators group should be added what exaclty I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When i give full DN, it takes every attribute as different, i mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
    Regards,
    Neeraj Tati.

  • Secure External LDAP with local user provisioning in a org.

    To all:
    I'm working with 05Q1 or as some say v3. I was able to successfully set up user authentication with external ldap and dynamic creation of users with in local org and ldap and map over attributes for storage into local ldap. Now I need to try and make it a secure external ldap authentication. Without disturbing any of the other orgs with in the local system.
    Is it possible without turning on security for all? Where would the certs be stored for the secure external LDAP that I am authenticating against?
    Help would be appreciated.
    If anyone is trying to do the same thing let me know if your having trouble. I sure did, just getting to the point that I am right now.
    Thanks,
    - Milo

    Hi,
    Check following forum thread.
    Re: custome role maper example
    Regards,
    Kal

  • External LDAP for authentication

    Hi All,
    I want to use external ldap for authentication purpose with Access Manager.
    I tried adding this external ldap as a secondary ldap but couldn�t succeed.
    If I add this ldap in the primary ldap along with the AM�s own ldap, this also fails to authenticate users from the external ldap.
    How can I achieve this?
    I read many topics in this forum regarding this but none of them explain how it can be achieved.
    Please suggest.
    Thanks in advance.

    This is what the amconsole log says:
    ERROR: ConsoleServletBase.onUncaughtException
    java.lang.NullPointerException
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.constructFilter(LDAPv3Repo.java:3126)
         at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.search(LDAPv3Repo.java:1996)
         at com.iplanet.am.sdk.AMDirectoryManager.search(AMDirectoryManager.java:1938)
         at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:221)
         at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:139)
         at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:222)
         at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:177)
         at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
         at jsps.console._idm._Entities_jsp._jspService(_Entities_jsp.java:86)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
         at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
         at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
         at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
         at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
         at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:133)
         at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:149)
         at com.sun.identity.console.idm.HomeViewBean.forwardTo(HomeViewBean.java:109)
         at com.sun.identity.console.realm.RealmPropertiesBase.nodeClicked(RealmPropertiesBase.java:90)
         at com.sun.web.ui.view.tabs.CCTabs.handleTabHrefRequest(CCTabs.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
         at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
         at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
         at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
         at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
         at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
         at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:787)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)

  • OCS + authentication external LDAP

    Is there anyone with experiences to use OCS in combination
    with external authentication against an SunONE LDAP server?
    I don't want to synchro the two LDAPs. I just want to use the usernames & passwords of the external LDAP.
    Can you explain to me which procedures must I follow?
    Is is necessary to create all the users of the external LDAP exists in the OID of OCS?
    If not how does this work? For example how do I grant email/files rights to a user which is not in the OCS OID?
    If the users must exists in the OID, which components must I configure within OCS? Must I write a pl/sql package for authentication to the external LDAP?
    Thanks in advantage!

    Hi Elvis!
    What you need to do is to configure an OID plug-in that can be used to authenticate the users against the SUN LDAP. There are some examples in the OID admin guide.
    The users must exist in the OID.
    The users need to be administered in the OID as the CS needs the entries in the users tree as well as the emailservercontainer tree.
    cu
    Andreas

  • Configuring Oracle 9iAS for LDAP Authentication

    I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
    " Bind variable "CN" not declared ".
    I even compile the package ssoxldap.pkb before that. But still this error persists.
    tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
    Can anyone help me in this.

    I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
    And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
    ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
    -w welcome -f d:\oracle\admin\phd\udump\users.ldif
    but instead we shoud write this:
    ldapadd -h i3dt111 -p 389 -D cn=orcladmin
    -w welcome -f d:\oracle\admin\phd\udump\users.ldif
    . Just remove the single quotes in the username string.
    Anyways, thanks for your suggestions.
    null

  • LDAP authentication not minding user set

    I have a publishing rule for an internal website setup with LDAP authentication setup for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2).  I want users from either domain to be able to authenticate
    and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
    I have a LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in.  I have added both user sets for domain1 and domain2 to the "This
    rule applies to requests from the following user set:" under the Users tab in the publishing rule.
    Any clues?

    Hi,
    Based on my experience,
    Server Authentication Certificates
    should exist on DCs that you want TMG to use for authentication and
    TMG must trust issuer of the Server Authentication Certificate. You can check that in
    Trusted Root Certification Authorities on TMG.
    In addition, when you add LDAP server Set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name
    is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
    More information:
    Configuring LDAP authentication on AD LDS
    Setting Up and Troubleshooting LDAPS
    Authentication in Forefront TMG 2010
    Best regards,
    Susie

  • Server App not seeing external LDAP users & groups

    I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
    When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
    I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
    Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
    This is all so much more opaque than our superbly reliable Snow Leopard servers!
    TIA

    Ok, and again:
    You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
    Connect the third party ldap to your server
    Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
    When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
    Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
    To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
    Feel lucky
    And there ist ist; now you are able to use The accounts taken from an external LDAP.

  • LDAP authenticator setting in Weblogic 10

    Hi there,
    I am a newbie to weblogic. I am migrating an application from OAS to Weblogic 10. The application is using LDAP for login. I am havng a trouble to set up those users in weblogic console.
    Here is what I did:
    in web.xml:
    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>*</url-pattern>
    <http-method>*</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>UserRole</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>RegularUser</realm-name>
    <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <role-name>UserRole</role-name>
    </security-role>
    In Weblogic.xml
    <?xml version="1.0" encoding="windows-1252"?>
    <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
    <security-role-assignment>
    <role-name>UserRole</role-name>
    <externally-defined/>
    </security-role-assignment>
    </weblogic-web-app>
    In Weblogic console, I created a new realm called RegularUser and setup LDAP authenticator. User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can see those users already in the user list.
    Did I miss any step?
    Thanks

    Thanks, Faisal.
    Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in console.
    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
    <name>myTestDomain</name>
    <domain-version>10.3.3.0</domain-version>
    <security-configuration>
    <name>myTestDomain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>RegularUsers</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <wls:host>holdap1.abc.org</wls:host>
    <wls:user-object-class>user</wls:user-object-class>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>ldapviewsd</wls:principal>
    <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
    <wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=group))</wls:group-from-name-filter>
    <wls:static-group-object-class>group</wls:static-group-object-class>
    <wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
    <wls:static-group-dns-from-member-dn-filter>(&amp;(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <realm>
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>RewardsUser</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>holdap1.abc.org</wls:host>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>ldapviewsd</wls:principal>
    <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
    <wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>ou=a,dc=bdc=c</wls:group-base-dn>
    <wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
    </sec:authentication-provider>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
    <sec:security-dd-model>CustomRoles</sec:security-dd-model>
    <sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
    <sec:name>RewardsUser</sec:name>
    <sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <server-debug>
    <debug-scope>
    <name>weblogic.security.atn</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-scope>
    <name>weblogic.security.atz</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-security-atn>true</debug-security-atn>
    <debug-security-atz>true</debug-security-atz>
    <debug-security-saml-atn>true</debug-security-saml-atn>
    <debug-security-saml2-atn>true</debug-security-saml2-atn>
    </server-debug>
    <listen-address></listen-address>
    </server>
    <embedded-ldap>
    <name>myTestDomain</name>
    <credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
    </embedded-ldap>
    <configuration-version>10.3.3.0</configuration-version>
    <app-deployment>
    <name>rewards</name>
    <target>AdminServer</target>
    <module-type>ear</module-type>
    <source-path>servers\AdminServer\upload\rewards.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <admin-server-name>AdminServer</admin-server-name>
    </domain>

  • Authentication in weblogic portal server 8.1 sp2 using external LDAP

    Hi,
    I am trying to use external LDAP for authentication.
    I have configured the ActiveDirectoryAuthenticator giving the necessary
    values
    ( and added
    "-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthentic
    ator" in startWeblgoic.cmd )
    and can see the users and the groups from my LDAP provider in the admin
    console and in the admin portal's "users and groups".
    A set of users are given permission to access the restricted site and those
    users are visible in the global role with the permission.
    The web.xml is configured for BASIC auth-method, and the role is
    <externally-defined/> in weblogic.xml.
    Now when I access a restricted page, I am shown a dialog prompt to key in
    the username and password.
    Even when I key in the valid credentials, the restricted page is not shown
    and an "Unauthorized xxx" 401 access error is thrown.
    Any clue, on what i am missing.?
    Please let me know if any suggestion / idea.
    Regards,
    Arun.

    Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
    In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
    Brad

  • EA2 - Cannot connect LDAP-authenticated users in 10.1 and 10.2, OK in 9.2

    First, the relevant versions and such:
    SQL Developer 1.5.0.52.03 (aka EA2)
    Oracle client 10.2.0.1
    Oracle database 9.2.0.6, 9.2.0.7, 10.1.0.5, 10.2.0.2, 10.2.0.3.
    Hosts: Linux x86, Solaris
    Most of the users in my databases are set up as global users (i.e. authenticated via LDAP). I've found that in 9.2.0.6 and 9.2.0.7, I can make connections of the basic type for global users as well as database-authenticated users.
    In any 10g database I've tried (see the versions above), database-authenticated users work fine, but for connections with the global users in the same databases I receive ora-01017. I've tried both basic connections and advanced connections, supplying a thin JDBC string, with the same result. I have verified that the password is correct. The pattern persists across server OSs (Linux and Solaris).
    I cannot make TNS connections at all, but that seems to require an 11g client and has been documented in an enhancement request separately.
    If anyone has advice on this I would be happy to hear it. Thanks.

    I should probably add that I am able to make successful connections via sqlplus and other tools (SQL Navigator) with the users that fail to connect in SQL Developer.

  • LDAP Authentication / User-Role in a database (Weblogic Security)

    Hi,
    I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
    I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
    According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
    The problem is that it doesn't uses LDAP Authentication, it only uses SQL Authentication.
    I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
    Consider I'm using WLS 10.3 and JDeveloper 11g.
    Any suggestions?
    Thanks in advance,
    Olga

    Hi,
    Check following forum thread.
    Re: custome role maper example
    Regards,
    Kal

  • LDAP Authentication Failed :user is not a member in any of the mapped group

    Hi,
    I tried to set up the LDAP Authentication but I failed.
    LDAP Server Configuration Summary seems to be well filled.
    I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
    But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
    LDAP Hosts: ldapserverip:389
    LDAP Server Type: Custom
    Base LDAP Distinguished Name: dc=vds,dc=enterprise
    LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
    LDAP Referral Distinguished Name:
    Maximum Referral Hops: 0
    SSL Type: Basic (no SSL)
    Single Sign On Type: None
    CMS Log :
    trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
    trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
    trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
    trace message: LDAP: De-activating query cache
    trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
    trace message: LDAP: query for DSE root returned 89
    trace message: LdapQueryForEntries: incr. retries to 1
    trace message: LDAP: Updating the graph
    trace message: LDAP: Starting Graph Update...
    trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
    trace message: LDAP: query for DSE root returned 89
    trace message: LdapQueryForEntries: incr. retries to 1
    trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
    assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
    trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
    trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
    , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
    trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
    assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
    trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
    trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
    trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
    trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
    trace message: LDAP: query for DSE root returned 0
    trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
    trace message: [UID=0;USID=0;ID=79243] Update object in database failed
    trace message: Commit failed.+
    Can you please help?
    Joffrey

    Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
    Since the same result happens on multiple computers, it is not the profile.
    I am recommending you delete the AD account (or rename to backup the account).
    It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
    You can also delete her profile just to remove it, for the "just in case" scenario.
    Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

Maybe you are looking for