Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
Any pointer to Step by step instruction on to how to set up LDAP realm
for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please backup your original config.xml file. Then, you can start configure
the realms. You can do this by modifying the config.xml file, or through WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
from the pull down comb box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” à “Users”, and “Compatibility
Security” à “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
7) Start your Worklist to execute the workflow. Also, When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance.
Similar Messages
-
LDAP realm with Active Directory
Hello,
In the sun one app server admin console i have set the security role to LDAP.
I have set up security roles in my web.xml such as this:
<security-role>
<description>This role represents administrators of the system, see actor administrators</description>
<role-name>administrators</role-name>
</security-role>
..and mapped the roles to groups in sun-application as follows:
<security-role-mapping>
<role-name>administrators</role-name>
<group-name>CMS_PM</group-name>
<principal-name>rlancett</principal-name>
</security-role-mapping>
My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
directory: ldap://earth.tier2consulting.com:389
base-dn: cn=Users,dc=tier2consulting,dc=com
jaas-context: ldapRealm
search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
search-bind-password: ******
search-filter: sAMAccountName=%s
I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
WARNING: va:850)
FINEST: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [administrator].
I am pretty stuck on this having looked arounds all the forums:
Has anyone got sun one app server using Active Directory to get user/group information for security roles?
Thanks.Howdy,
I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
The error message you get back from the directory contains an error code in hexidecimal:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
Okay, hope this helps somebody.
Now it's up to you to find out why it can't find the administrator!
Craig -
Problem configure Ldap realm with multi master Ldap server
I have a multimaster Directory Server (Ldap) eg: LdapMaster01 & LdapMaster02.
I configured the realm Ldap:
realm= myLdapRealm
class name =com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
jaas-context = myLdapRealm
directory = ldap://LdapMaster01:389
base-dn = ou=my_APP, ou=Applications, dc=devinc, dc=com
search-bind-dn = cn=Directory Manager
search-bind-password = 99999999So how can i configure realm to automatically switch to LdapMaster02 when the LdapMaster01 is not up?
Thanks in advanceProbably you need an external intelligent
loadbalancer unit, that receives all requests for an
DNS like 'LdapMaster' and reroutes the traffic to
LdapMaster01 or LdapMaster02.
If one LdapMaster ist not available then the
loadbalancer is responsible to route all requests
only to the available server.Thank you very much. :)
I found other post on the internet about this, and yes, probably the only way is a loadbalancer.
Another way is to write a custum realm impl that receives the server list and try to connect until an available server is found. -
I'm runing WLS6.0 SP2 and I'm trying to set up a LDAP realm to talk to a openldap
server. I'm on Win2k and have it installed as a service.
I can connect to the server via a ldap browser, and I have a user in the ldap
tree with a clear text password.
I created a LDAP realm but I can't find where to configure WebLogic to use that
LDAP realm for authentication.
thanks
joeI guess they don't use the LDAP Realm in Weblogic, you should create your custom
realm that access to AD and return user/group enumerations, acl's, etc...
I'm able to access to AD using jdk1.4, and I have my custom realm, the only
problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas,
because it didn't support kerberos authentication. A more complete jaas it's included
in jdk1.4
Regards,
Marc
"Roy Cornell" <[email protected]> wrote:
Great news, Scott. I hope you don't mind answering the three questions
below:
1. Which LDAP realm ***version*** did you use : V1 or V2?
2. Which LDAP realm type did you specify during the configuration: "MS
Site
Server" or other ?
3. Did you encounter any problems during the integration?
Thanks a lot.
Roy
"Scott Harger" <[email protected]> wrote in message
news:3b794a7c$[email protected]..
We have been able to get the LDAP realm (6.0 SP1) to work with Active
Directory.
Scott
"Roy Cornell" <[email protected]> wrote in message
news:3b72eb32$[email protected]..
I've got the same question (posted it yesterday). Please, Please,
Please,
could somebody reply.
"Andrew Wallace" <[email protected]> wrote in message
news:3b72ce38$[email protected]..
Somehow my last message got truncated. Here's the full deal:
We're trying to setup an LDAP realm in a microsoft-centric environment
(Windows 2000). All the documentation from BEA that I've found
talks
about MS Site Server, which, as near as I can find, is not an LDAPserver.
So - can I use MS Active Directory on Win2k? Is it functionally
the
same
thing? Does the MS template in LDAP Realm V2 support it? Does anyone
have success or horror stories about using AD?
thanks,
andy -
Questions on LDAP Realm on different versions of Web Logic
Kaia,
I need you to ask JOS / BEA Systems some questions on LDAP
Integration. I have CC'd Randy and Todd in case they have any
feedback on this area. I have read the documentation and have
a
couple of simple questions. The questions differ depending on
the version (because the documentation is different):
4.5 SP7
Users and groups are cached in the WebLogic Server as Enterprise
Java Beans. This reduces the frequency of LDAP lookups
Exactly what is cached? Is authentication carried out against
the Directory each time, or against the cached credentials? Is
this configurable such that an authentication attempt is sent to
the LDAP server each time? Just a suggestion - LDAP lookups are
very "light" and caching them in this fashion is not a good
idea. Let the LDAP Directory do the caching.
The "system" user must be defined in the weblogic.properties
file and in your LDAP server. The LDAP "system" user must be a
member of the LDAP group that has administrative privileges in
the LDAP server
Does this really mean that the user ID in the LDAP server
called "system" needs to have full control over the entire
directory??
In the WebLogic property file realm, the "everyone" group
automatically includes all users. You must create an "everyone"
group and add every WebLogic Server user to its membership list,
including the "guest" and "system" users.
Does this really mean that I need to create a group in the LDAP
directory called "Everyone" and keep it updated with every user
object in the Directory that we want to authorize using weblogic
ACL's?
5.1 Pre SP7
The property:
weblogic.security.ldaprealm.userAuthentication
The description for this in the docs is:
This property determines the method for authenticating users. If
you set the property to local (appropriate for Netscape and
Microsoft servers), LDAPRealm retrieves user data, including
password, from the LDAP server and checks the password in
WebLogic Server. If you set the value to external (appropriate
for Novell NDS), LDAPRealm authenticates a user by attempting to
bind to the LDAP server with the username and password supplied
by the WebLogic client. If you use external authentication, you
must also use SSL
The way I read this is that if you have local set, the Weblogic
Server retrieves the entire user credentials from the LDAP
Directory, and compares the password with what the user passes
in. If you have external set, weblogic does a bind on your
behalf - however, you need to have SSL configured for this
option to be implemented.
However, in the example for an NDS server, the following is
listed:
weblogic.security.ldaprealm.userAuthentication=bind
What is the bind option referring to?
5.1 SP 7
This version makes no reference whatsoever to the
userAuthentication property above. Has it disappeared? What is
the authentication method used now?
6.0
The documentation below:
Table 12-10 LDAP Security Realm Fields on the Users Tab
Field
Description
User Authentication
Determines the method for authenticating Users. Set this field
to one of the following values:
Local specifies that the LDAP Security realm retrieves user
data, including the password from the LDAP Directory server, and
checks the password in WebLogic Server. The Local setting is
appropriate for Netscape Directory Server and Microsoft Site
Server.
External specifies that the LDAP Security realm authenticates a
User by attempting to bind to the LDAP Directory server with the
username and password supplied by the WebLogic Server client. If
you choose the External setting, you must also use the SSL
protocol. The External setting is appropriate for Novell NDS.
Bind
Note that there is a reference to Bind, but no description for
what it is supposed to do. So, what is it supposed to do. Also
a follow up question - This field is not referenced in
documentation for 5.1 SP7, so I was curious as to whether this
will also be dropped in future service packs under 6.0, and if
so, what the authentication process will then be.
regards,
Craig GilmourCC 2014 should be the latest version. You can uninstall any others if you choose to.
-
WL6.0 LDAP Realm problems
I'm trying out WL6.0 (eval version) LDAP realm support and having trouble
getting it to work - basic auth just keeps popping the window up 3 times and
then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR>
<examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021>
<Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two
to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=t
rue
The HTTP basic-auth dialog box is correctly showing me that I'm trying to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above
server account exists AND can authenticate and retrieve account
userpasswords (yes, the server account is "cn=" while the user accounts are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas???Did you use the most recent ldap patch? I could not get it to work fine
with the default wls6.0sp1, but with the ldap-patch it works fine.
AND probably even more important... change
<Realm FileRealm="..." Name=".....">
to
<Realm CachingRealm"MyCachingRealm" FileRealm="..." Name=".....">
Hope this helps...
Ronald
Sushil Pulikkal wrote:
Hi Tom,
I am using iPlanet Directory server with WL6.0 (which I presume is supported as
Netscape's is) and facing the same problem as Mike was i.e account locking after
three attempts(bottom of the message). I have created my own caching realm with
the basic realm being MyLDAPRealm.
The log gives no info other than the one about account locking.
My config.xml looks something like this -
<CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<LDAPRealm AuthProtocol="simple" Credential="enslaved"
GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
Name="MyLDAPRealm"
Principal="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind"
UserDN="ou=Aussies,dc=timerasolutions,dc=com"
UserNameAttribute="uid"/>
The browser window does pop up, but the user id doesn't get authenticated. Is
there a way to know whether WLS is actually going to the LDAP server for authentication?
Any insight into this?
Thanks in advance,
Sushil
"Tom Moreau" <[email protected]> wrote:
Mike,
I haven't had any trouble getting the LDAPRealm to work
in WLS 6.0. Could it be that while you've created the LDAPRealmMBean,
you haven't told WLS to use it?
In other words, you can create many realm configurations then
you need to activate the one you want. If you haven't, the
we just use the file realm. The file realm won't be able
to authenticate you (since you put the info in LDAP!) and
after 3 failures, will lock out the account.
The instructions for selecting the realm are at:
http://e-docs.bea.com/wls/docs60/adminguide/index.html
See:
12. Managing Security
Specifying a Security Realm
Configuring the Caching Realm
The basic idea is:
1) create your LDAP Realm (you've already done this)
2) create a CachingRealm
3) set the CachingRealm's BasicRealm to your LDAP Realm
4) set the Security Realm's CachingRealm to your Caching Realm
5) reboot
It's pretty easy to do this through the admin console.
Otherwise, you can edit config.xml by hand.
Here's how:
<Domain>
<Security
Name="mydomain"
Realm="myRealm"
/>
<Realm
Name="myRealm"
FileRealm="myFileRealm"
CachingRealm="myCachingRealm"
/>
<FileRealm
Name="myFileRealm"
/>
<CachingRealm
Name="myCachingRealm"
BasicRealm="myLDAPRealm"
/>
<LDAPRealm
Name="myLDAPRealm"
/>
-Tom
"Mike" <[email protected]> wrote:
BTW, before someone suggests it, I found Tom Moreau's
suggestion to use:
<ServerDebug Name="examplesServer" DebugSecurityRealm="true"
/>
under the <Server> element in config.xml and restarted
with this and still
no additional
info from the LDAP realm printed about why it's not working
(nothing but the
same
locking account message mentioend below).
Is the source for the LDAP realm available so I can debug
it myself or has
anybody
written their own LDAP realm that they'd be willing to
share with the group?
Thanks again,
...Mike
"Mike" <[email protected]> wrote in message
news:[email protected]...
Ok I've verified that the -Dweblogic.security.ldaprealm.verbose
probably
won't
work with 6.0 (old 5.x and previous style property),
but I can't figure
out
what
replaced it, to figure out why the LDAP realm isn't
working for me...
The property mapping guide at:
http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
shows that things like weblogic.security.ldaprealm.url
changed to LDAPURL in config.xml (without telling
you that this resides as an XML attribute of
<Domain><LDAPRealm ... /></Domain> although that's
easy enough to find by looking through the example
LDAP realm.
It then says that weblogic.security.ldaprealm.verbose
has changed to "Debug" in config.xml, but doesn't
say whether that's a "Debug" XML attribute on one
of the XML elements in there, or whether it's an
XML node itself, or where in the config.xml doc
it goes... It doesn't work as an attribute of
<LDAPRealm ...> (server won't start with it there)
and it doesn't show up at all in the DTD for config.xml
so I'm assuming the mapping doc at the above url is
wrong. Anybody know what this really became in 6.0?
I've tried setting StdoutDebugEnabled="true" in config.xml
and turning the logging level all the way up to see
everything, but even
then all I
get is the account locked message, not why it's failing
to authenticate
via
LDAP...
Any other ideas?
"Mike" <[email protected]> wrote in message
news:[email protected]...
I'm trying out WL6.0 (eval version) LDAP realm support
and having
trouble
getting it to work - basic auth just keeps popping
the window up 3 times
and
then giving up. Only pertinent message in the log
is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security>
<FOOBAR>
<examplesServer> <ExecuteThread: '11' for queue: 'default'>
<> <>
<090021>
<Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite
adding the following
two
to the startup script cmd line and restarting the
server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose
=t
rue
The HTTP basic-auth dialog box is correctly showing
me that I'm trying
to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false"
GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified
that the above
server account exists AND can authenticate and retrieve
account
userpasswords (yes, the server account is "cn=" while
the user accounts
are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same
results both ways.
Any ideas??? -
Setting a new realm as default realm
Hi all,
I need to integrate weblogic server 9.2 with OAM using SSPI connector.
I configured web logic policies in OAM and configured weglogic server.
But I couldnt get the NetPointRealm as a realm in weblogic admin console.
So configured a realm named NetPointRealm manually and provided required security providers.
So to activate this realm,we need to set this realm as default realm.
But I'm not able to set that as default realm.
Could anyone please provide any suggestions to set the new realm as default realm.
Thanks & Regards,
Swathi
Edited by: user9116523 on Apr 19, 2010 10:46 PMHi Faisal,
Thanks a lot for your reply.
Yes,the NetPoint realm is using the default identity asserter.
Config.xml file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<domain xsi:schemaLocation="http://www.bea.com/ns/weblogic/920/domain
http://www.bea.com/ns/weblogic/920/domain.xsd" xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<name>base_domain</name>
<domain-version>9.2.3.0</domain-version>
<security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
<sec:active-type>wsse:PasswordDigest</sec:active-type>
<sec:active-type>X.509</sec:active-type>
<sec:base64-decoding-required>false</sec:base64-decoding-required>
<wls:use-default-user-name-mapper>true</wls:use-default-user-name-mapper>
<wls:default-user-name-mapper-attribute-type>CN</default-user-name-mapper-attribute-type>
</sec:authentication-provider>
<sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
<sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{3DES}Vi5yoJAzEZYw/U5nkiNT9B8M043431Rfr/QF2dMB65KlW2rbV3d7a0uGF9YxUnfFZwBv0q0BNLhzmIi/wjJ/sGUnWQ2SvNMK</credential-encrypted>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{3DES}RCc8ftzF/irGNnXbhZ3nRA==</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<listen-address/>
</server>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{3DES}tYhX7HO2bVJh5Pn4ldTY45UYYd2zBw/URUs++SXMZ8U=</credential-encrypted>
</embedded-ldap>
<configuration-version>9.2.3.0</configuration-version>
<admin-server-name>AdminServer</admin-server-name>
</domain>
Thanks & Regards,
Swathi -
I have problems running WebLogic 5.1 SP10 with a LDAP realm configured
I have used the script supplied with my OptimizeIt installation, but WebLogic can't find the ldaprealm.properties file but instead assumes the LDAP hostname ldapserver:389We ran into a similar situation where our users were stored in SiteMinder/LDAP.
So we are going to bulk load all the users into WLI and then synchronize the users
nightly for any activated and deactivated users. We kept the roles in LDAP different
from the roles in WLI though. Would like to know if you guys addresses this differently
Thanks
Sreeram
"Peter Giesin" <[email protected]> wrote:
>
I am curious to know if anyone is actually running WLI with a LDAP Realm.
I would
like to know how you dealt with the fact that the users still need to
be defined
in the WLI database so that they can be added to the organization.
Thanks,
Pete -
OIM 11g R1 LDAP Synch with OID.
Hi,
We are doing an LDAP Synch with OID directly. The users from various organisations in OIM needs to be synched to different OU's in OID, instead of a single container. How do we acheive this? would it be easy if we involve OVD also?Here is some sample code configuration which may give you a start - hope it helps.
Sample code that can be called in a pre-process event handler to copy the users organinisation to the LDAP Organization Unit
HashMap<String, Serializable> parameters = orchestration.getParameters();
Serializable param = parameters.get("act_key");
String act_key = null;
if (param instanceof ContextAware) {
act_key = ((ContextAware) param).getObjectValue().toString();
} else {
act_key = param.toString();
if (act_key != null) {
OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
Set<String> retAttrs = new HashSet<String>();
retAttrs.add("Organization Name");
Organization org = null;
try {
org = orgMgr.getDetails(act_key, retAttrs, false);
} catch (OrganizationManagerException e) {
} catch (AccessDeniedException e) {
String orgName = (String) org.getAttribute("Organization Name");
orchestration.addParameter("LDAP Organization Unit", orgName);
Sample container mapping rule
<rule>
<expression>LDAP Organization Unit=Test Organization</expression>
<container>ou=Test Organization,ou=users,o=org</container>
<description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
</rule>
Sample change in /db/LDAPUser
<!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
<!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
<!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>act_key</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
<reconColName>RECON_ACT_KEY</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
</reconAttr> -
Setting up LDAP for authentication to portal:default property set named "ldap
Hi
I am trying to implement the LDAP authentication to WebLogic Portal .Iam went
thru the docmentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
mentions using the default property set named "ldap" and deploying ldapprofile.jar.My
quenstion is:
-Is there a way to look into the property using EBCC
- Apart from deploying,configuring the ldapprofile.jar,do I have to do any additional
steps in order to make my portal(say,stockportal) authenticate users from LDAP?
-If a create my own portal,should I create a similar "ldap" property set?If so,how.
Any suggestions/help is appreciated.Thanks
- MikeThanks Dave.
"David Anderson" <[email protected]> wrote:
You should be able to view the property set for LDAP through the EBCC
if you
have the propertysetws.jar installed in your Portal domain. This provides
the ability for the EBCC to retrieve property set information from your
server.
Dave
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi Adrian
Thank you for the pointers.Much appreciate it.However,one questionstill
persists.
What is the significance of the property set "ldap" mentioned in the
document(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).Where
does this property set feature vis-a-vis setting up LDAP securityrealm;does it
mater prior to/after the setting up as mentioned in the document pointeryou just
gave .
Is it sufficinet that i follow the procedure to set up the LDAP oris
there more
to post setting,like creating a property set (similar to "ldap" orcloning
it)
apaprt frpom deploying ldapprofile.jar.
Thanks.
- Mike
"Adrian Fletcher" <[email protected]> wrote:
Mike,
The documentation that covers LDAP authentication is listed under
Weblogic
Server rather than Weblogic Portal.
See Configuring the LDAP Security Realm in Managing Security
(http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
the LDAP Security Realm?
(http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
Hope this helps,
Sincerely,
Adrian.
Adrian Fletcher.
Senior Software Engineer,
BEA Systems, Inc.
Boulder, CO.
email: [email protected]
"mike" <[email protected]> wrote in message
news:[email protected]...
Hi
I am trying to implement the LDAP authentication to WebLogic Portal.Iam
went
thru the docmentation
http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
mentions using the default property set named "ldap" and deployingldapprofile.jar.My
quenstion is:
-Is there a way to look into the property using EBCC
- Apart from deploying,configuring the ldapprofile.jar,do I have
to
do any
additional
steps in order to make my portal(say,stockportal) authenticate usersfrom
LDAP?
-If a create my own portal,should I create a similar "ldap" propertyset?If so,how.
Any suggestions/help is appreciated.Thanks
- Mike -
I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal(kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file weblogic.allow.execute.weblogic.servlet.helloWorld=\ kevink, cambridge
I have also created the LDAPRealm.properties file in my weblogic home directory.
When I start weblogic with the LDAP debug mode on, I get the following messages
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - i noring principal
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non- existent principal "cambridge" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
Any ideas to solve this problem are welcome RamYep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
in the weblogic console, under the Security->Groups tab on the frame to the left.
Keep in mind that you will not see users from your LDAP server under the Security->Users
tab. This is expected behavior. But if you see the groups, then you've most likely hooked
up the LDAP realm the right way ...
Joe Jerry
Vishwanath Kumar wrote:
Hello Kumar,
I am attaching a small portion of config.xml which contains LDAP settings . Please change
this according to your LDAP server configuration and test it . I hope this should help
you out.
You also need to create a caching realm and then hook up that caching realm to this LDAP
realm .
For more information this URL should be helpful:
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
here is portion of config.xml
<LDAPRealm AuthProtocol="simple" Credential="dropdead"
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://mmanson:389"
Name="defaultLDAPRealmForNetscapeDirectoryServer"
Notes="This is provided as an example. Before enabling this Realm, you must edit
the configuration parameters as appropriate for your environment."
Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
kumar wrote:
Hi,
I have tried to configure LDAP realm in weblogic, but I think it is not configured
correctly. And I don't know how to test it. Can anybody send me the sample config.xml
having LDAP realm configured correctly. Please send me a sample program to access
LDAP realm via weblogic.
Thx--
Vishwanath Kumar
Developer Relations Engineer
BEA Systems, Inc. -
LDAP realm for authentication and ACL in Database
We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks RamUnfortunately, there is no easy way to do this in wls 6.0.
The only way to handle it is to write your own custom realm
that uses ldap for users and groups and a database for acls -
probably not a viable alternative.
-Tom
"kevin doherty" <[email protected]> wrote:
>
Jeffrey Hirsch <[email protected]> wrote:
You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
Thanks!
-kd -
Configuring Active Directory Realm with WLP7.0
Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibility realm
with WLP7.0?
We don't have any groups and all Users in AD are under one dn. Since AD is administered
by a different group, I have decided to put the Portal mandated Groups/Users in
the filerealm.properties file.
After configuration and successful booting of weblogic server, I am able to see
the groups in the Active Directory LDAP via the weblogic console. I get the "Sizelimit
exceeded" exception when I try to browse users which makes sense. A partial list
of Users is listed in the console. Surprisingly all the users are listed with
a "=" sign in front of them.
I am not able to authenticate against any users in AD. I am not able to login
in to the PortalAppTools using "administrator" user although I have put it in
the "filerealm.properties". I am able to log in to the PortalAppTools using
"system" user but that doesn't help as I cannot see Default Portal Mgmt stuff.
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
When I try to open the Portal Application, I get the following exception:
<Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <The AccessDecision
class "weblogic.securi
ty.providers.realmadapter.AuthorizationProviderImpl" returned an error: java.lang.SecurityException:
Realm Adapter ACL Mapping Failed.
java.lang.SecurityException: Realm Adapter ACL Mapping Failed
at weblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessAllowed(Author
izationProviderImpl.java:345)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
475)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
612)
at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:332)
at weblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:295)
at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:262)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:229)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:94)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:763)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:735)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at weblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWrapper.java:36
at weblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
at com.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java:70)
at com.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWebflowServlet.j
ava:84)
at javax.servlet.GenericServlet.init(GenericServlet.java:258)
at weblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubImpl.java:1075
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java:899)
at weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.java:833)
at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:773)
at weblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:517)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:351)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.j
ava:341)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:251)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
at jsp_servlet.__index._jspService(index.jsp:3)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
a:1058)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:445)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
ontext.java:5412)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:30
86)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
<Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could not lookup
PortalManagerHome i
n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
javax.naming.LinkException: . Root exception is javax.naming.NoPermissionException:
User <anonymous
does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
Any help is appreciated.
Thank You
Paulhi Paul
check this doc out
http://dev2dev.bea.com/resourcelibrary/technicalguides/LDAP_in_Portal_7.0.jsp
-tulan
"Paul" <[email protected]> wrote in message
news:[email protected]...
>
Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibilityrealm
with WLP7.0?
We don't have any groups and all Users in AD are under one dn. Since ADis administered
by a different group, I have decided to put the Portal mandatedGroups/Users in
the filerealm.properties file.
After configuration and successful booting of weblogic server, I am ableto see
the groups in the Active Directory LDAP via the weblogic console. I getthe "Sizelimit
exceeded" exception when I try to browse users which makes sense. Apartial list
of Users is listed in the console. Surprisingly all the users are listedwith
a "=" sign in front of them.
I am not able to authenticate against any users in AD. I am not able tologin
in to the PortalAppTools using "administrator" user although I have put itin
the "filerealm.properties". I am able to log in to the PortalAppToolsusing
"system" user but that doesn't help as I cannot see Default Portal Mgmtstuff.
>
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
When I try to open the Portal Application, I get the following exception:
<Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <TheAccessDecision
class "weblogic.securi
ty.providers.realmadapter.AuthorizationProviderImpl" returned an error:java.lang.SecurityException:
Realm Adapter ACL Mapping Failed.
java.lang.SecurityException: Realm Adapter ACL Mapping Failed
atweblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessA
llowed(Author
izationProviderImpl.java:345)
atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
Manager.java:
475)
atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
Manager.java:
612)
atweblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.jav
a:332)
atweblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:29
5)
atweblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:262)
atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
:229)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
atweblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.jav
a:94)
atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:76
3)
atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:73
5)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
atweblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWr
apper.java:36
atweblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
atcom.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java
:70)
atcom.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWeb
flowServlet.j
ava:84)
at javax.servlet.GenericServlet.init(GenericServlet.java:258)
atweblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubI
mpl.java:1075
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
:899)
atweblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
va:833)
atweblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
a:773)
atweblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:51
7)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:351)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:306)
atweblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDis
patcherImpl.j
ava:341)
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImp
l.java:251)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
at jsp_servlet.__index._jspService(index.jsp:3)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
atweblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
tStubImpl.jav
a:1058)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:401)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:445)
atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
:306)
atweblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
ebAppServletC
ontext.java:5412)
atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
r.java:744)
atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
ntext.java:30
86)
atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
<Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could notlookup
PortalManagerHome i
n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
javax.naming.LinkException: . Root exception isjavax.naming.NoPermissionException:
User <anonymous
does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
Any help is appreciated.
Thank You
Paul--
Edited by jonmountjoy at 01/03/2008 1:45 AM -
LDAP setup with SSL - Can't use tls auth type
I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
JayWhen using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
Also, you need to setup up your client to use FQN as well (/etc/hosts). -
Unable to access Admin Tools for portal after configuring LDAP realm
After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and password "password". I've created the SystemAdministrator Group in LDAP as well as the appropriate "administrator" user but it still does not let me access the Administratotion Tools.
This thread is being discussed in the weblogic.developer.interest.portal
newsgroup under the same title. You can cross-post to multiple groups in
the future so that the thread develops in all newsgroups that you posted to.
"Wendy Kajiyama" <[email protected]> wrote in message
news:[email protected]..
After setting weblogic to use the LDAP realm I am unable to access theAdministration Tools. It does not take the username "administrator" and
password "password". I've created the SystemAdministrator Group in LDAP as
well as the appropriate "administrator" user but it still does not let me
access the Administratotion Tools.
Maybe you are looking for
-
Downloading iPhone 3GS photos and Videos to other computers
I recently got my first iPhone and am still finding out how to do things, so, apologies if this sounds dim but.... How do I download photos and videos from my iPhone 3GS to other computers? I can plug in to my mac and sync everything with iTunes - no
-
Using WLS6.0, sp 1, EJB2.0 CMP Entity Beans: If I modify 2 existing Entity EJBs (an Order EJB and an OrderLineItem EJB, for example) within a single user transaction and an exception occurs, modifications to both entitie
-
2005 database and log file locations
Is there a SQL query to list where exactly the database and log files reside for all databases on an instance (sql server 2005)?
-
IOS8 Family Sharing Limitations
I have a really interesting problem, and wonder if anyone might be able to help. In short. We have 4 iOS devices (iPhone x2 for me and my wife, iPad x2 for home/kids - under 12 yrs). All devices used to all use my iCloud/iTunes account. This gives us
-
Photoshop CS activation license missing
I have been running Photoshop CS - Windows for years. However, now, while in the middle of work, I get a window that says;"the configuration for the activation license is missing. Please uninstall and reinstall this application". I have done this but