Setting up LDAP authentication
Hi guys.
I am a newb when it comes to LDAP so please bear with me.
I installed dbms_ldap for a developer yesterday so they could run directory searches. I have now been asked to set up anonymous authentication on the directory.
I've looked through a few docs and am having trouble trying to figure out how excatly how to do this? I am assuming it is done somewhere from the admin gui.
Any help would be appreciated.
Oracle version 10.2.0.4 on Linux x86_64
Thanks
the name of your (portal) domain and the URL used to
access your portal have nothing to see with the LDAP
authentication server.
The LDAP authentication server is the hostname or FQDN
of the host where your LDAP authentication directory
resides.
When you're logged on the iPS machine, you should be
able to make a request to your LDAP directory using this hostname or FQDN (and port number, base dn,bind dn,.....)
Similar Messages
-
LDAP Authentication Scheme - Multiple LDAP Servers?
How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.
-
Setting up LDAP for authentication to portal:default property set named "ldap
Hi
I am trying to implement the LDAP authentication to WebLogic Portal .Iam went
thru the docmentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
mentions using the default property set named "ldap" and deploying ldapprofile.jar.My
quenstion is:
-Is there a way to look into the property using EBCC
- Apart from deploying,configuring the ldapprofile.jar,do I have to do any additional
steps in order to make my portal(say,stockportal) authenticate users from LDAP?
-If a create my own portal,should I create a similar "ldap" property set?If so,how.
Any suggestions/help is appreciated.Thanks
- MikeThanks Dave.
"David Anderson" <[email protected]> wrote:
You should be able to view the property set for LDAP through the EBCC
if you
have the propertysetws.jar installed in your Portal domain. This provides
the ability for the EBCC to retrieve property set information from your
server.
Dave
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi Adrian
Thank you for the pointers.Much appreciate it.However,one questionstill
persists.
What is the significance of the property set "ldap" mentioned in the
document(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).Where
does this property set feature vis-a-vis setting up LDAP securityrealm;does it
mater prior to/after the setting up as mentioned in the document pointeryou just
gave .
Is it sufficinet that i follow the procedure to set up the LDAP oris
there more
to post setting,like creating a property set (similar to "ldap" orcloning
it)
apaprt frpom deploying ldapprofile.jar.
Thanks.
- Mike
"Adrian Fletcher" <[email protected]> wrote:
Mike,
The documentation that covers LDAP authentication is listed under
Weblogic
Server rather than Weblogic Portal.
See Configuring the LDAP Security Realm in Managing Security
(http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
the LDAP Security Realm?
(http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
Hope this helps,
Sincerely,
Adrian.
Adrian Fletcher.
Senior Software Engineer,
BEA Systems, Inc.
Boulder, CO.
email: [email protected]
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi
I am trying to implement the LDAP authentication to WebLogic Portal.Iam
went
thru the docmentation
http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
mentions using the default property set named "ldap" and deployingldapprofile.jar.My
quenstion is:
-Is there a way to look into the property using EBCC
- Apart from deploying,configuring the ldapprofile.jar,do I have
to
do any
additional
steps in order to make my portal(say,stockportal) authenticate usersfrom
LDAP?
-If a create my own portal,should I create a similar "ldap" propertyset?If so,how.
Any suggestions/help is appreciated.Thanks
- Mike -
LDAP authenticator setting in Weblogic 10
Hi there,
I am a newbie to weblogic. I am migrating an application from OAS to Weblogic 10. The application is using LDAP for login. I am havng a trouble to set up those users in weblogic console.
Here is what I did:
in web.xml:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>UserRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>RegularUser</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<role-name>UserRole</role-name>
</security-role>
In Weblogic.xml
<?xml version="1.0" encoding="windows-1252"?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<security-role-assignment>
<role-name>UserRole</role-name>
<externally-defined/>
</security-role-assignment>
</weblogic-web-app>
In Weblogic console, I created a new realm called RegularUser and setup LDAP authenticator. User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can see those users already in the user list.
Did I miss any step?
ThanksThanks, Faisal.
Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in console.
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>myTestDomain</name>
<domain-version>10.3.3.0</domain-version>
<security-configuration>
<name>myTestDomain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>RegularUsers</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:host>holdap1.abc.org</wls:host>
<wls:user-object-class>user</wls:user-object-class>
<wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
<wls:principal>ldapviewsd</wls:principal>
<wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
<wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
<wls:user-from-name-filter>(&(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
<wls:group-from-name-filter>(&(cn=%g)(objectclass=group))</wls:group-from-name-filter>
<wls:static-group-object-class>group</wls:static-group-object-class>
<wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
<wls:static-group-dns-from-member-dn-filter>(&(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<realm>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>RewardsUser</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:host>holdap1.abc.org</wls:host>
<wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
<wls:principal>ldapviewsd</wls:principal>
<wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
<wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
<wls:user-from-name-filter>(&(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:group-base-dn>ou=a,dc=bdc=c</wls:group-base-dn>
<wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
</sec:authentication-provider>
<sec:deploy-role-ignored>false</sec:deploy-role-ignored>
<sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
<sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
<sec:security-dd-model>CustomRoles</sec:security-dd-model>
<sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
<sec:name>RewardsUser</sec:name>
<sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<server-debug>
<debug-scope>
<name>weblogic.security.atn</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic.security.atz</name>
<enabled>true</enabled>
</debug-scope>
<debug-security-atn>true</debug-security-atn>
<debug-security-atz>true</debug-security-atz>
<debug-security-saml-atn>true</debug-security-saml-atn>
<debug-security-saml2-atn>true</debug-security-saml2-atn>
</server-debug>
<listen-address></listen-address>
</server>
<embedded-ldap>
<name>myTestDomain</name>
<credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.3.0</configuration-version>
<app-deployment>
<name>rewards</name>
<target>AdminServer</target>
<module-type>ear</module-type>
<source-path>servers\AdminServer\upload\rewards.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
</domain> -
LDAP authentication not minding user set
I have a publishing rule for an internal website setup with LDAP authentication setup for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2). I want users from either domain to be able to authenticate
and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
I have a LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in. I have added both user sets for domain1 and domain2 to the "This
rule applies to requests from the following user set:" under the Users tab in the publishing rule.
Any clues?Hi,
Based on my experience,
Server Authentication Certificates
should exist on DCs that you want TMG to use for authentication and
TMG must trust issuer of the Server Authentication Certificate. You can check that in
Trusted Root Certification Authorities on TMG.
In addition, when you add LDAP server Set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name
is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
More information:
Configuring LDAP authentication on AD LDS
Setting Up and Troubleshooting LDAPS
Authentication in Forefront TMG 2010
Best regards,
Susie -
Weblogic Server 10.3.0 and LDAP authentication Issue
Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<url>>
<1291668685702> <BEA-000000> < Parent: null>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Roles:Anonymous>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Direction: ONCE>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions. -
LDAP Authentication for Application APEX 3.2
Dear All,
I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
create or replace
FUNCTION "ADS_LDAP_AUTHENTICATE"
(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
c_Directory VARCHAR2(50) ;
c_Port NUMBER(4);
c_BaseDN VARCHAR2(200);
c_InitUser VARCHAR2(200);
c_InitPass VARCHAR2(32);
l_session DBMS_LDAP.SESSION;
l_success PLS_INTEGER;
l_attributes DBMS_LDAP.STRING_COLLECTION;
l_result DBMS_LDAP.MESSAGE;
l_userdn VARCHAR2(2000);
CURSOR get_authentication_dtls
IS
SELECT domain_name,server_port,server_base_dn,server_principal,server_credentials
FROM PS_TB_SYSTEM_ADS_CONFIG_DICT;
BEGIN
OPEN get_authentication_dtls;
LOOP
FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
EXIT WHEN get_authentication_dtls%NOTFOUND;
--Open initial lookup session.
l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
IF l_success = DBMS_LDAP.SUCCESS THEN
l_attributes(1) := NULL;
l_success := NULL;
l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
base => c_BaseDN,
scope => dbms_ldap.scope_subtree,
filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
attrs => l_attributes,
attronly => 0,
res => l_result);
IF l_success = DBMS_LDAP.SUCCESS THEN
l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
IF l_userdn IS NOT NULL THEN
l_success := dbms_ldap.unbind_s(l_session);
l_session := dbms_ldap.init(c_Directory,c_Port);
l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
END IF;
END IF;
else
return FALSE;
END IF;
IF l_success = DBMS_LDAP.SUCCESS THEN
CLOSE get_authentication_dtls; /* Close cursor before returning */
RETURN TRUE;
END IF;
END LOOP;
CLOSE get_authentication_dtls;
RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
EXCEPTION
WHEN OTHERS THEN
RETURN FALSE;
END;
Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
Can anyone suggest me how to allow only a set of users to access my application using LDAP.
Thanks in Advance.
Cheers,
San.Use the below link for Ldap Authentication
LDAP (MS AD) Group Authentication -
LDAP Authentication Failed :user is not a member in any of the mapped group
Hi,
I tried to set up the LDAP Authentication but I failed.
LDAP Server Configuration Summary seems to be well filled.
I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list.
But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
LDAP Hosts: ldapserverip:389
LDAP Server Type: Custom
Base LDAP Distinguished Name: dc=vds,dc=enterprise
LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
LDAP Referral Distinguished Name:
Maximum Referral Hops: 0
SSL Type: Basic (no SSL)
Single Sign On Type: None
CMS Log :
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
trace message: LDAP: De-activating query cache
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: Updating the graph
trace message: LDAP: Starting Graph Update...
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
, chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 0
trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
trace message: [UID=0;USID=0;ID=79243] Update object in database failed
trace message: Commit failed.+
Can you please help?
JoffreyPlease do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
Since the same result happens on multiple computers, it is not the profile.
I am recommending you delete the AD account (or rename to backup the account).
It will not effect the users Exchange account, but you will need to link it back to the new AD user account.
You can also delete her profile just to remove it, for the "just in case" scenario.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional -
LDAP AUTHENTICATION- PLEASE HELP
My client wants me use LDAP for authentication. I new to this: I have written a Authentication bean. As follows.
//Used to authenticate user from LDAP directry.
import javax.naming.*;
import javax.naming.directory.*;
import java.util.*;
import java.lang.*;
public class AuthBean {
private boolean attempted;
private String userName;
private String password;
public AuthBean() {
attempted = false;
userName = "";
password = "";
//Getter methods.
public String getUserName() {
return this.userName;
public String getPassword() {
return this.password;
//Setter methods.
public void setUserName (String userName) {
this.userName = userName;
if (!this.userName.equals("") && !this.password.equals(""))
attempted = true;
else
attempted = false;
public void setPassword(String password) {
this.password = password;
if (!this.userName.equals("") && !this.password.equals(""))
attempted = true;
else
attempted = false;
//Checks to see if attempted.
public boolean isAttempted() {
return this.attempted;
* Given a username and password, authenticates to the directory
* Takes a String for username, String for password.
* Calls getDn for the method.
public boolean ldapAuthenticate (String username, String pass) {
if ( username == null || pass == null ) {
System.out.println(" im here in the method");
System.out.println(" user" + username);
System.out.println(" pass" + pass);
return false;
String dn = getDN(username);
System.out.println(" dn" + dn);
if ( dn == null)
return false;
dn = dn + ",o=hcfhe";
//dn = dn + ",o=mu";
System.out.println(dn);
String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
//set variables for context
Hashtable env = new Hashtable();
env.put("com.sun.naming.ldap.trace.ber", System.err);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldap_url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, dn);
env.put(Context.SECURITY_CREDENTIALS, pass);
DirContext ctx;
//make connection, catch errors thrown
try {
ctx = new InitialDirContext(env);
} catch (AuthenticationException e) {
System.out.println("Authentication Exception");
return false;
} catch (NamingException e) {
e.printStackTrace();
return false;
//close connection
try {
ctx.close();
} catch (NamingException ne) {
System.out.println(ne);
return true;
* This methods cheks for the username from the LDAP directory.
* Takes a String.
public String getDN(String username) {
String dn = "";
String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldap_url);
DirContext ctx;
try {
ctx = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String filter = "(uid=" + username + ")"; // Search for objects with these matching attributes
NamingEnumeration results = ctx.search("",filter,ctls);
if ( results != null && results.hasMoreElements()) {
SearchResult sr = (SearchResult)results.nextElement();
dn = sr.getName();
} else dn = null;
ctx.close();
} catch (AuthenticationException e) {
System.out.println("Authentication Exception");
return null;
} catch (NamingException e) {
e.printStackTrace();
return null;
return dn;
I also done a validate. jsp as follows.
<%@page import="register.AuthBean"%>
<jsp:useBean id ="AuthBean" class="register.AuthBean" scope="session"/>
<%
//boolean valid = false;
String username = request.getParameter("user");
//System.out.println("The username" + username);
String password = request.getParameter("password");
//System.out.println("The username" +password);
%>
<jsp:setProperty name="AuthBean" property="userName" param="user" />
<jsp:setProperty name="AuthBean" property="password" param= "password" />
<%
//boolean validate = false;
String nn = AuthBean.getUserName();
System.out.println(nn);
String dn = AuthBean.getDN(username);
System.out.println(dn);
boolean validate = AuthBean.ldapAuthenticate(username, password);
if(validate) {
response.sendRedirect("../admin/Adminindex.jsp");
} else {
response.sendRedirect("Login.html");
%>
At current I keep getting 'false' for validate. But there are no errors. I m using tomcat and apache, do I need to configure any of these to LDAP. If so can you show me some examples.
Many thanks.Hi Irene,
I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
=====================================================================
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.naming.*;
import java.util.*;
import java.io.*;
import java.lang.*;
import java.math.*;
* Insert the type's description here.
* Creation date:
* @author: Sajjad Alam
public final class LDAPConn {
public static java.lang.Object Conn;
* LDAPConn constructor comment.
public LDAPConn() {
super();
* Insert the method's description here.
* @return java.lang.Object
public static DirContext getConn() throws Exception {
//Declarations of variables
Hashtable env = new Hashtable(11);
InitialLdapContext ctx = null;
//==============LDAP Authentication of a given user stored in Active Directory=============
System.out.println("Entered constructor for Ldap Context");
//Initialize the Context Factory.
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
try {
The following syntax is a standard way of authenticating users stores in LDAP
when JNDI api is used.
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_CREDENTIALS, "password");
System.out.println("Issuing request to authenticate the user and create an LDAP context");
ctx = new InitialLdapContext(env, null);
System.out.println("Got handle on Ldap Context");
//==============Completed Authentication of user=============
//==============Retrieving attribute data about a user stored in Active Directory==========
//Here we will retrieve attributes of one of the users in LDAP ("cn=");
//Declarations of variables
String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
Attributes userAttr = ctx.getAttributes(userInfo);
Attribute orgUnitAttr = null;
//Looping through the enumeration to obtain attribute data
for (NamingEnumeration ae = userAttr.getAll(); ae.hasMore();) {
Attribute attr = (Attribute) ae.next();
if (attr.getID().equals("distinguishedName"))
orgUnitAttr = attr;
System.out.print(" Attribute: " + attr.getID());
//Print each value
for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
System.out.println(" Value: " + e.next());
//============== Done retrieving attribute data about user==========
//==============To find which organizational unit a user belongs provided we pass the user==========
//This section of code uses the value from the "distinguishedName" attribute
System.out.println("");
Object parseOutOrgUnit = (Object) orgUnitAttr;
System.out.println("We can obtain the organizational unit (Role) from the " + parseOutOrgUnit.toString());
//======================================Done=============================
// Close the context when we're done or you can close the connection where you are using this object.
String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
Attributes grAttr = ctx.getAttributes(grInfo);
//Looping through the enumeration to obtain attribute data
for (NamingEnumeration ae = grAttr.getAll(); ae.hasMore();) {
Attribute attr = (Attribute) ae.next();
System.out.print(" Attribute: " + attr.getID());
//Print each value
for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
System.out.println(" Value: " + e.next());
//============== Done retrieving attribute data about user==========
//==============To find which organizational unit a user belongs provided we pass the user==========
//This section of code uses the value from the "distinguishedName" attribute
System.out.println("");
//======================================Done=============================
ctx.close();
catch (Exception e) {
System.out.println(e.getLocalizedMessage());
return ctx; -
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos -
Users changing passwords within LDAP authentication
Hello all,
I've noticed that if a user uses the 'Membership' authentication to access the portal, they are allowed to change their passwords within the 'user channel' edit section.
If a user logs in throught the LDAP authentication, this password utility disapears.
1 - Is there a way to use this password utility when using LADP authentication? Is it just a setting somewhere??
2 - What are you using to change password if you are using LDAp authentication? i.e. did you create your own password tool??
Thanks in advance,
JasonHere's how I did it on 6.0:
I created a bookmark with these properties:
Bookmark Name: Change Personal Settings
URL: /amconsole
When the user clicks on the bookmark, they have to scroll all the way down to the bottom of the window to find the change password option. After changing the password, the user should close the amconsole window WITHOUT clicking on the logout button. Just kill the window.
If they click "logout" it will log them out of the Portal Server while leaving the desktop window open. It will look like they are still logged in but they are not. They will have to re-login. -
Radius or LDAP (not Oracle LDAP) authentication for GridControl
I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
Questions for all:
Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?<QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
Amen.
Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
I'll keep the thread updated if I see results from our SR. -
Ldap authentication on solaris 8 client
I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
# ssh -v user@localhost
SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.
host: Reading configuration data /etc/ssh_config
host: ssh_connect: getuid 0 geteuid 0 anon 0
host: Allocated local port 1023.
host: Connecting to 127.0.0.1 port 22.
host: Connection established.
host: Remote protocol version 1.5, remote software version 1.2.27
host: Waiting for server public key.
host: Received server public key (768 bits) and host key (1024 bits).
host: Forcing accepting of host key for localhost.
host: Host '127.0.0.1' is known and matches the host key.
host: Initializing random; seed file /root/.ssh/random_seed
host: Encryption type: idea
host: Sent encrypted session key.
host: Installing crc compensation attack detector.
host: Received encrypted confirmation.
host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
host: Server refused our rhosts authentication or host key.
host: No agent.
host: Doing password authentication.
[email protected]'s password:
Permission denied.
This is the pam.conf I use:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ppp auth required pam_unix_auth.so.1
Not sure why Solaris 8 can't authentication with LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
Any ideas?No, my problem seems different.
The authentication between ldap client and server is through tls:simple. Also, exact same configuration can work with Solaris 9 client, but not Solaris 8 client. Furthur checks on ssh on Solaris 8, the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
Thanks,
--xinhuan -
Database Table and LDAP Authentication in the same repository?
I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-MattAnother thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes. -
Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
Any pointer to Step by step instruction on to how to set up LDAP realm
for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please backup your original config.xml file. Then, you can start configure
the realms. You can do this by modifying the config.xml file, or through WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
from the pull down comb box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” à “Users”, and “Compatibility
Security” à “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
7) Start your Worklist to execute the workflow. Also, When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance.
Maybe you are looking for
-
Updating from 9.2 - 9.2.2 my iMac freezes. Can anyone help?
I have an iMac that's a few years old, and it's been in my buddy's basement for the last 2 years, and he was moving so he gave it to me and I booted it up and hit software update and it said it would update to 9.2.2. I hit okay and it proceeded to do
-
Generate WHERE clause for VO using imported entities
Hi, I am using JDev 9.0.3 Preview. I attempt to create in one BC project a view based on a join of three entities. One of the entities is from the same project, but the other two are imported. After importing the project(s) containing the two additio
-
Exporting from Numbers to Excel - New User needs help!
Hoping someone here can help me out, as I have searched the discussions and still haven't found what I'm looking for. I'm a new Numbers 09 user, and I love it. My experiences with Excel have been nothing short of frustrating, but with Numbers I feel
-
When I send a email I would like to have my photo and signature added at the end of my email. How do I add that?
-
Losing some customization after a reboot
Hello, I have created several folders and organized all of my apps in them, but 2 days ago the folders started to get messed up on reboot. Basically, it seems like certain apps (it appears that this affects apps that are placed in folders by default,