Setting up LDAP realm with WLI 7

Similar Messages

• LDAP realm with Active Directory

  Hello,
  In the sun one app server admin console i have set the security role to LDAP.
  I have set up security roles in my web.xml such as this:
  <security-role>
  <description>This role represents administrators of the system, see actor administrators</description>
  <role-name>administrators</role-name>
  </security-role>
  ..and mapped the roles to groups in sun-application as follows:
  <security-role-mapping>
  <role-name>administrators</role-name>
  <group-name>CMS_PM</group-name>
  <principal-name>rlancett</principal-name>
  </security-role-mapping>
  My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
  directory: ldap://earth.tier2consulting.com:389
  base-dn: cn=Users,dc=tier2consulting,dc=com
  jaas-context: ldapRealm
  search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
  search-bind-password: ******
  search-filter: sAMAccountName=%s
  I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  WARNING: va:850)
  FINEST: JAAS authentication aborted.
  INFO: SEC5046: Audit: Authentication refused for [administrator].
  I am pretty stuck on this having looked arounds all the forums:
  Has anyone got sun one app server using Active Directory to get user/group information for security roles?
  Thanks.

  Howdy,
  I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
  The error message you get back from the directory contains an error code in hexidecimal:
  LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
  1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
  It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
  System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
  Okay, hope this helps somebody.
  Now it's up to you to find out why it can't find the administrator!
  Craig

• Problem configure Ldap realm with multi master Ldap server

  I have a multimaster Directory Server (Ldap) eg: LdapMaster01 & LdapMaster02.
  I configured the realm Ldap:
  realm= myLdapRealm
  class name =com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
  jaas-context = myLdapRealm
  directory = ldap://LdapMaster01:389
  base-dn = ou=my_APP, ou=Applications, dc=devinc, dc=com
  search-bind-dn = cn=Directory Manager
  search-bind-password = 99999999So how can i configure realm to automatically switch to LdapMaster02 when the LdapMaster01 is not up?
  Thanks in advance

  Probably you need an external intelligent
  loadbalancer unit, that receives all requests for an
  DNS like 'LdapMaster' and reroutes the traffic to
  LdapMaster01 or LdapMaster02.
  If one LdapMaster ist not available then the
  loadbalancer is responsible to route all requests
  only to the available server.Thank you very much. :)
  I found other post on the internet about this, and yes, probably the only way is a loadbalancer.
  Another way is to write a custum realm impl that receives the server list and try to connect until an available server is found.

• Trying to setup a LDAP Realm

  I'm runing WLS6.0 SP2 and I'm trying to set up a LDAP realm to talk to a openldap
  server. I'm on Win2k and have it installed as a service.
  I can connect to the server via a ldap browser, and I have a user in the ldap
  tree with a clear text password.
  I created a LDAP realm but I can't find where to configure WebLogic to use that
  LDAP realm for authentication.
  thanks
  joe

  I guess they don't use the LDAP Realm in Weblogic, you should create your custom
  realm that access to AD and return user/group enumerations, acl's, etc...
  I'm able to access to AD using jdk1.4, and I have my custom realm, the only
  problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas,
  because it didn't support kerberos authentication. A more complete jaas it's included
  in jdk1.4
  Regards,
  Marc
  "Roy Cornell" <[email protected]> wrote:
  Great news, Scott. I hope you don't mind answering the three questions
  below:
  1. Which LDAP realm ***version*** did you use : V1 or V2?
  2. Which LDAP realm type did you specify during the configuration: "MS
  Site
  Server" or other ?
  3. Did you encounter any problems during the integration?
  Thanks a lot.
  Roy
  "Scott Harger" <[email protected]> wrote in message
  news:3b794a7c$[email protected]..
  We have been able to get the LDAP realm (6.0 SP1) to work with Active
  Directory.
  Scott
  "Roy Cornell" <[email protected]> wrote in message
  news:3b72eb32$[email protected]..
  I've got the same question (posted it yesterday). Please, Please,
  Please,
  could somebody reply.
  "Andrew Wallace" <[email protected]> wrote in message
  news:3b72ce38$[email protected]..
  Somehow my last message got truncated. Here's the full deal:
  We're trying to setup an LDAP realm in a microsoft-centric environment
  (Windows 2000). All the documentation from BEA that I've found
  talks
  about MS Site Server, which, as near as I can find, is not an LDAPserver.
  So - can I use MS Active Directory on Win2k? Is it functionally
  the
  same
  thing? Does the MS template in LDAP Realm V2 support it? Does anyone
  have success or horror stories about using AD?
  thanks,
  andy

• Questions on LDAP Realm on different versions of Web Logic

  Kaia,
  I need you to ask JOS / BEA Systems some questions on LDAP
  Integration. I have CC'd Randy and Todd in case they have any
  feedback on this area. I have read the documentation and have
  a
  couple of simple questions. The questions differ depending on
  the version (because the documentation is different):
  4.5 SP7
  Users and groups are cached in the WebLogic Server as Enterprise
  Java Beans. This reduces the frequency of LDAP lookups
  Exactly what is cached? Is authentication carried out against
  the Directory each time, or against the cached credentials? Is
  this configurable such that an authentication attempt is sent to
  the LDAP server each time? Just a suggestion - LDAP lookups are
  very "light" and caching them in this fashion is not a good
  idea. Let the LDAP Directory do the caching.
  The "system" user must be defined in the weblogic.properties
  file and in your LDAP server. The LDAP "system" user must be a
  member of the LDAP group that has administrative privileges in
  the LDAP server
  Does this really mean that the user ID in the LDAP server
  called "system" needs to have full control over the entire
  directory??
  In the WebLogic property file realm, the "everyone" group
  automatically includes all users. You must create an "everyone"
  group and add every WebLogic Server user to its membership list,
  including the "guest" and "system" users.
  Does this really mean that I need to create a group in the LDAP
  directory called "Everyone" and keep it updated with every user
  object in the Directory that we want to authorize using weblogic
  ACL's?
  5.1 Pre SP7
  The property:
  weblogic.security.ldaprealm.userAuthentication
  The description for this in the docs is:
  This property determines the method for authenticating users. If
  you set the property to local (appropriate for Netscape and
  Microsoft servers), LDAPRealm retrieves user data, including
  password, from the LDAP server and checks the password in
  WebLogic Server. If you set the value to external (appropriate
  for Novell NDS), LDAPRealm authenticates a user by attempting to
  bind to the LDAP server with the username and password supplied
  by the WebLogic client. If you use external authentication, you
  must also use SSL
  The way I read this is that if you have local set, the Weblogic
  Server retrieves the entire user credentials from the LDAP
  Directory, and compares the password with what the user passes
  in. If you have external set, weblogic does a bind on your
  behalf - however, you need to have SSL configured for this
  option to be implemented.
  However, in the example for an NDS server, the following is
  listed:
  weblogic.security.ldaprealm.userAuthentication=bind
  What is the bind option referring to?
  5.1 SP 7
  This version makes no reference whatsoever to the
  userAuthentication property above. Has it disappeared? What is
  the authentication method used now?
  6.0
  The documentation below:
  Table 12-10 LDAP Security Realm Fields on the Users Tab
  Field
  Description
  User Authentication
  Determines the method for authenticating Users. Set this field
  to one of the following values:
  Local specifies that the LDAP Security realm retrieves user
  data, including the password from the LDAP Directory server, and
  checks the password in WebLogic Server. The Local setting is
  appropriate for Netscape Directory Server and Microsoft Site
  Server.
  External specifies that the LDAP Security realm authenticates a
  User by attempting to bind to the LDAP Directory server with the
  username and password supplied by the WebLogic Server client. If
  you choose the External setting, you must also use the SSL
  protocol. The External setting is appropriate for Novell NDS.
  Bind
  Note that there is a reference to Bind, but no description for
  what it is supposed to do. So, what is it supposed to do. Also
  a follow up question - This field is not referenced in
  documentation for 5.1 SP7, so I was curious as to whether this
  will also be dropped in future service packs under 6.0, and if
  so, what the authentication process will then be.
  regards,
  Craig Gilmour

  CC 2014 should be the latest version.  You can uninstall any others if you choose to.

• WL6.0 LDAP Realm problems

  I'm trying out WL6.0 (eval version) LDAP realm support and having trouble
  getting it to work - basic auth just keeps popping the window up 3 times and
  then giving up. Only pertinent message in the log is:
  ####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR>
  <examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021>
  <Locking account, user jdoe.>
  No obvious LDAP info or errors in the log, despite adding the following two
  to the startup script cmd line and restarting the server:
  -Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=t
  rue
  The HTTP basic-auth dialog box is correctly showing me that I'm trying to
  authenticate to: MyLDAPRealm
  Here's the config info for MyLDAPRealm
  <LDAPRealm AuthProtocol="simple"
  Credential="myserverpasswd"
  GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
  GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://tug:390"
  Name="MyLDAPRealm"
  Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
  UserAuthentication="local"
  UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
  It's a Netscape 4.1 Directory server, and I've verified that the above
  server account exists AND can authenticate and retrieve account
  userpasswords (yes, the server account is "cn=" while the user accounts are
  "uid=" - don't ask :-)....
  I've tried both "bind" and "local" and get the same results both ways.
  Any ideas???

  Did you use the most recent ldap patch? I could not get it to work fine
  with the default wls6.0sp1, but with the ldap-patch it works fine.
  AND probably even more important... change
  <Realm FileRealm="..." Name=".....">
  to
  <Realm CachingRealm"MyCachingRealm" FileRealm="..." Name=".....">
  Hope this helps...
  Ronald
  Sushil Pulikkal wrote:
  Hi Tom,
  I am using iPlanet Directory server with WL6.0 (which I presume is supported as
  Netscape's is) and facing the same problem as Mike was i.e account locking after
  three attempts(bottom of the message). I have created my own caching realm with
  the basic realm being MyLDAPRealm.
  The log gives no info other than the one about account locking.
  My config.xml looks something like this -
  <CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
  <PasswordPolicy Name="wl_default_password_policy"/>
  <LDAPRealm AuthProtocol="simple" Credential="enslaved"
  GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
  GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
  Name="MyLDAPRealm"
  Principal="uid=admin, ou=Administrators,
  ou=TopologyManagement, o=NetscapeRoot"
  UserAuthentication="bind"
  UserDN="ou=Aussies,dc=timerasolutions,dc=com"
  UserNameAttribute="uid"/>
  The browser window does pop up, but the user id doesn't get authenticated. Is
  there a way to know whether WLS is actually going to the LDAP server for authentication?
  Any insight into this?
  Thanks in advance,
  Sushil
  "Tom Moreau" <[email protected]> wrote:
  Mike,
  I haven't had any trouble getting the LDAPRealm to work
  in WLS 6.0. Could it be that while you've created the LDAPRealmMBean,
  you haven't told WLS to use it?
  In other words, you can create many realm configurations then
  you need to activate the one you want. If you haven't, the
  we just use the file realm. The file realm won't be able
  to authenticate you (since you put the info in LDAP!) and
  after 3 failures, will lock out the account.
  The instructions for selecting the realm are at:
  http://e-docs.bea.com/wls/docs60/adminguide/index.html
  See:
  12. Managing Security
  Specifying a Security Realm
  Configuring the Caching Realm
  The basic idea is:
  1) create your LDAP Realm (you've already done this)
  2) create a CachingRealm
  3) set the CachingRealm's BasicRealm to your LDAP Realm
  4) set the Security Realm's CachingRealm to your Caching Realm
  5) reboot
  It's pretty easy to do this through the admin console.
  Otherwise, you can edit config.xml by hand.
  Here's how:
  <Domain>
  <Security
  Name="mydomain"
  Realm="myRealm"
  />
  <Realm
  Name="myRealm"
  FileRealm="myFileRealm"
  CachingRealm="myCachingRealm"
  />
  <FileRealm
  Name="myFileRealm"
  />
  <CachingRealm
  Name="myCachingRealm"
  BasicRealm="myLDAPRealm"
  />
  <LDAPRealm
  Name="myLDAPRealm"
  />
  -Tom
  "Mike" <[email protected]> wrote:
  BTW, before someone suggests it, I found Tom Moreau's
  suggestion to use:
  <ServerDebug Name="examplesServer" DebugSecurityRealm="true"
  />
  under the <Server> element in config.xml and restarted
  with this and still
  no additional
  info from the LDAP realm printed about why it's not working
  (nothing but the
  same
  locking account message mentioend below).
  Is the source for the LDAP realm available so I can debug
  it myself or has
  anybody
  written their own LDAP realm that they'd be willing to
  share with the group?
  Thanks again,
  ...Mike
  "Mike" <[email protected]> wrote in message
  news:[email protected]...
  Ok I've verified that the -Dweblogic.security.ldaprealm.verbose
  probably
  won't
  work with 6.0 (old 5.x and previous style property),
  but I can't figure
  out
  what
  replaced it, to figure out why the LDAP realm isn't
  working for me...
  The property mapping guide at:
  http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
  shows that things like weblogic.security.ldaprealm.url
  changed to LDAPURL in config.xml (without telling
  you that this resides as an XML attribute of
  <Domain><LDAPRealm ... /></Domain> although that's
  easy enough to find by looking through the example
  LDAP realm.
  It then says that weblogic.security.ldaprealm.verbose
  has changed to "Debug" in config.xml, but doesn't
  say whether that's a "Debug" XML attribute on one
  of the XML elements in there, or whether it's an
  XML node itself, or where in the config.xml doc
  it goes... It doesn't work as an attribute of
  <LDAPRealm ...> (server won't start with it there)
  and it doesn't show up at all in the DTD for config.xml
  so I'm assuming the mapping doc at the above url is
  wrong. Anybody know what this really became in 6.0?
  I've tried setting StdoutDebugEnabled="true" in config.xml
  and turning the logging level all the way up to see
  everything, but even
  then all I
  get is the account locked message, not why it's failing
  to authenticate
  via
  LDAP...
  Any other ideas?
  "Mike" <[email protected]> wrote in message
  news:[email protected]...
  I'm trying out WL6.0 (eval version) LDAP realm support
  and having
  trouble
  getting it to work - basic auth just keeps popping
  the window up 3 times
  and
  then giving up. Only pertinent message in the log
  is:
  ####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security>
  <FOOBAR>
  <examplesServer> <ExecuteThread: '11' for queue: 'default'>
  <> <>
  <090021>
  <Locking account, user jdoe.>
  No obvious LDAP info or errors in the log, despite
  adding the following
  two
  to the startup script cmd line and restarting the
  server:
  -Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose
  =t
  rue
  The HTTP basic-auth dialog box is correctly showing
  me that I'm trying
  to
  authenticate to: MyLDAPRealm
  Here's the config info for MyLDAPRealm
  <LDAPRealm AuthProtocol="simple"
  Credential="myserverpasswd"
  GroupDN="o=mycompany,c=us" GroupIsContext="false"
  GroupNameAttribute="cn"
  GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://tug:390"
  Name="MyLDAPRealm"
  Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
  UserAuthentication="local"
  UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
  It's a Netscape 4.1 Directory server, and I've verified
  that the above
  server account exists AND can authenticate and retrieve
  account
  userpasswords (yes, the server account is "cn=" while
  the user accounts
  are
  "uid=" - don't ask :-)....
  I've tried both "bind" and "local" and get the same
  results both ways.
  Any ideas???

• Setting a new realm as default realm

  Hi all,
  I need to integrate weblogic server 9.2 with OAM using SSPI connector.
  I configured web logic policies in OAM and configured weglogic server.
  But I couldnt get the NetPointRealm as a realm in weblogic admin console.
  So configured a realm named NetPointRealm manually and provided required security providers.
  So to activate this realm,we need to set this realm as default realm.
  But I'm not able to set that as default realm.
  Could anyone please provide any suggestions to set the new realm as default realm.
  Thanks & Regards,
  Swathi
  Edited by: user9116523 on Apr 19, 2010 10:46 PM

  Hi Faisal,
  Thanks a lot for your reply.
  Yes,the NetPoint realm is using the default identity asserter.
  Config.xml file is as follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <domain xsi:schemaLocation="http://www.bea.com/ns/weblogic/920/domain
  http://www.bea.com/ns/weblogic/920/domain.xsd" xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>base_domain</name>
  <domain-version>9.2.3.0</domain-version>
  <security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
  <name>base_domain</name>
  <realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
  <sec:active-type>AuthenticatedUser</sec:active-type>
  <sec:active-type>wsse:PasswordDigest</sec:active-type>
  <sec:active-type>X.509</sec:active-type>
  <sec:base64-decoding-required>false</sec:base64-decoding-required>
  <wls:use-default-user-name-mapper>true</wls:use-default-user-name-mapper>
  <wls:default-user-name-mapper-attribute-type>CN</default-user-name-mapper-attribute-type>
  </sec:authentication-provider>
  <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
  <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
  <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
  <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
  <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
  <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  <sec:name>myrealm</sec:name>
  </realm>
  <default-realm>myrealm</default-realm>
  <credential-encrypted>{3DES}Vi5yoJAzEZYw/U5nkiNT9B8M043431Rfr/QF2dMB65KlW2rbV3d7a0uGF9YxUnfFZwBv0q0BNLhzmIi/wjJ/sGUnWQ2SvNMK</credential-encrypted>
  <node-manager-username>weblogic</node-manager-username>
  <node-manager-password-encrypted>{3DES}RCc8ftzF/irGNnXbhZ3nRA==</node-manager-password-encrypted>
  </security-configuration>
  <server>
  <name>AdminServer</name>
  <listen-address/>
  </server>
  <embedded-ldap>
  <name>base_domain</name>
  <credential-encrypted>{3DES}tYhX7HO2bVJh5Pn4ldTY45UYYd2zBw/URUs++SXMZ8U=</credential-encrypted>
  </embedded-ldap>
  <configuration-version>9.2.3.0</configuration-version>
  <admin-server-name>AdminServer</admin-server-name>
  </domain>
  Thanks & Regards,
  Swathi

• OptimizeIt and LDAP realm

  I have problems running WebLogic 5.1 SP10 with a LDAP realm configured
  I have used the script supplied with my OptimizeIt installation, but WebLogic can't find the ldaprealm.properties file but instead assumes the LDAP hostname ldapserver:389

  We ran into a similar situation where our users were stored in SiteMinder/LDAP.
  So we are going to bulk load all the users into WLI and then synchronize the users
  nightly for any activated and deactivated users. We kept the roles in LDAP different
  from the roles in WLI though. Would like to know if you guys addresses this differently
  Thanks
  Sreeram
  "Peter Giesin" <[email protected]> wrote:
  >
  I am curious to know if anyone is actually running WLI with a LDAP Realm.
  I would
  like to know how you dealt with the fact that the users still need to
  be defined
  in the WLI database so that they can be added to the organization.
  Thanks,
  Pete

• OIM 11g R1 LDAP Synch with OID.

  Hi,
  We are doing an LDAP Synch with OID directly. The users from various organisations in OIM needs to be synched to different OU's in OID, instead of a single container. How do we acheive this? would it be easy if we involve OVD also?

  Here is some sample code configuration which may give you a start - hope it helps.
  Sample code that can be called in a pre-process event handler to copy the users organinisation to the LDAP Organization Unit
  HashMap<String, Serializable> parameters = orchestration.getParameters();
  Serializable param = parameters.get("act_key");
  String act_key = null;
  if (param instanceof ContextAware) {
  act_key = ((ContextAware) param).getObjectValue().toString();
  } else {
  act_key = param.toString();
  if (act_key != null) {
  OrganizationManager orgMgr = Platform.getService(OrganizationManager.class);
  Set<String> retAttrs = new HashSet<String>();
  retAttrs.add("Organization Name");
  Organization org = null;
  try {
  org = orgMgr.getDetails(act_key, retAttrs, false);
  } catch (OrganizationManagerException e) {
  } catch (AccessDeniedException e) {
  String orgName = (String) org.getAttribute("Organization Name");
  orchestration.addParameter("LDAP Organization Unit", orgName);
  Sample container mapping rule
  <rule>
  <expression>LDAP Organization Unit=Test Organization</expression>
  <container>ou=Test Organization,ou=users,o=org</container>
  <description>Add user to the Test Organization OU in LDAP if their OU is set to Test Organization</description>
  </rule>
  Sample change in /db/LDAPUser
  <!-- Two act_key entries in the <reconFields> section to set RECON_ACT_KEY. -->
  <!-- The first sets RECON_ACT_KEY to the default value from the scheduled job -->
  <!-- The second overwrites RECON_ACT_KEY with an OU value if supplied in the LDAP User data. -->
  <reconAttr>
  <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
  <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Organization Name</reconFieldName>
  <reconColName>RECON_ACT_KEY</reconColName>
  <emDataType>number</emDataType>
  <formFieldType/>
  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
  </reconAttr>
  <reconAttr>
  <oimFormDescriptiveName>act_key</oimFormDescriptiveName>
  <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ou</reconFieldName>
  <reconColName>RECON_ACT_KEY</reconColName>
  <emDataType>number</emDataType>
  <formFieldType/>
  <targetattr keyfield="false" encrypted="false" required="false" type="String" name="act_key"/>
  </reconAttr>

• Setting up LDAP for authentication to portal:default property set named "ldap

  Hi
  I am trying to implement the LDAP authentication to WebLogic Portal .Iam went
  thru the docmentation ( http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
  mentions using the default property set named "ldap" and deploying ldapprofile.jar.My
  quenstion is:
  -Is there a way to look into the property using EBCC
  - Apart from deploying,configuring the ldapprofile.jar,do I have to do any additional
  steps in order to make my portal(say,stockportal) authenticate users from LDAP?
  -If a create my own portal,should I create a similar "ldap" property set?If so,how.
  Any suggestions/help is appreciated.Thanks
  - Mike

  Thanks Dave.
  "David Anderson" <[email protected]> wrote:
  You should be able to view the property set for LDAP through the EBCC
  if you
  have the propertysetws.jar installed in your Portal domain. This provides
  the ability for the EBCC to retrieve property set information from your
  server.
  Dave
  "mike" <[email protected]> wrote in message
  news:[email protected]...
  Hi Adrian
  Thank you for the pointers.Much appreciate it.However,one questionstill
  persists.
  What is the significance of the property set "ldap" mentioned in the
  document(http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).Where
  does this property set feature vis-a-vis setting up LDAP securityrealm;does it
  mater prior to/after the setting up as mentioned in the document pointeryou just
  gave .
  Is it sufficinet that i follow the procedure to set up the LDAP oris
  there more
  to post setting,like creating a property set (similar to "ldap" orcloning
  it)
  apaprt frpom deploying ldapprofile.jar.
  Thanks.
  - Mike
  "Adrian Fletcher" <[email protected]> wrote:
  Mike,
  The documentation that covers LDAP authentication is listed under
  Weblogic
  Server rather than Weblogic Portal.
  See Configuring the LDAP Security Realm in Managing Security
  (http://e-docs.bea.com/wls/docs61////adminguide/cnfgsec.html#1071872)
  Also take a look at the FAQ - Why can't I boot WebLogic Server whenusing
  the LDAP Security Realm?
  (http://e-docs.bea.com/wls/docs61//faq/security.html#25833)
  Hope this helps,
  Sincerely,
  Adrian.
  Adrian Fletcher.
  Senior Software Engineer,
  BEA Systems, Inc.
  Boulder, CO.
  email: [email protected]
  "mike" <[email protected]> wrote in message
  news:[email protected]...
  Hi
  I am trying to implement the LDAP authentication to WebLogic Portal.Iam
  went
  thru the docmentation
  http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824).It
  mentions using the default property set named "ldap" and deployingldapprofile.jar.My
  quenstion is:
  -Is there a way to look into the property using EBCC
  - Apart from deploying,configuring the ldapprofile.jar,do I have
  to
  do any
  additional
  steps in order to make my portal(say,stockportal) authenticate usersfrom
  LDAP?
  -If a create my own portal,should I create a similar "ldap" propertyset?If so,how.
  Any suggestions/help is appreciated.Thanks
  - Mike

• LDAP realm in Weblogic

  I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal(kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file weblogic.allow.execute.weblogic.servlet.helloWorld=\ kevink, cambridge
  I have also created the LDAPRealm.properties file in my weblogic home directory.
  When I start weblogic with the LDAP debug mode on, I get the following messages
  Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - i noring principal
  Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non- existent principal "cambridge" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
  Any ideas to solve this problem are welcome Ram

  Yep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
  in the weblogic console, under the Security->Groups tab on the frame to the left.
  Keep in mind that you will not see users from your LDAP server under the Security->Users
  tab. This is expected behavior. But if you see the groups, then you've most likely hooked
  up the LDAP realm the right way ...
  Joe Jerry
  Vishwanath Kumar wrote:
  Hello Kumar,
  I am attaching a small portion of config.xml which contains LDAP settings . Please change
  this according to your LDAP server configuration and test it . I hope this should help
  you out.
  You also need to create a caching realm and then hook up that caching realm to this LDAP
  realm .
  For more information this URL should be helpful:
  http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
  here is portion of config.xml
  <LDAPRealm AuthProtocol="simple" Credential="dropdead"
  GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
  GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://mmanson:389"
  Name="defaultLDAPRealmForNetscapeDirectoryServer"
  Notes="This is provided as an example. Before enabling this Realm, you must edit
  the configuration parameters as appropriate for your environment."
  Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
  UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
  UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
  kumar wrote:
  Hi,
  I have tried to configure LDAP realm in weblogic, but I think it is not configured
  correctly. And I don't know how to test it. Can anybody send me the sample config.xml
  having LDAP realm configured correctly. Please send me a sample program to access
  LDAP realm via weblogic.
  Thx--
  Vishwanath Kumar
  Developer Relations Engineer
  BEA Systems, Inc.

• LDAP realm for authentication and ACL in Database

  We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
  Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks Ram

  Unfortunately, there is no easy way to do this in wls 6.0.
  The only way to handle it is to write your own custom realm
  that uses ldap for users and groups and a database for acls -
  probably not a viable alternative.
  -Tom
  "kevin doherty" <[email protected]> wrote:
  >
  Jeffrey Hirsch <[email protected]> wrote:
  You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
  I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
  Thanks!
  -kd

• Configuring Active Directory Realm with WLP7.0

  Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibility realm
  with WLP7.0?
  We don't have any groups and all Users in AD are under one dn. Since AD is administered
  by a different group, I have decided to put the Portal mandated Groups/Users in
  the filerealm.properties file.
  After configuration and successful booting of weblogic server, I am able to see
  the groups in the Active Directory LDAP via the weblogic console. I get the "Sizelimit
  exceeded" exception when I try to browse users which makes sense. A partial list
  of Users is listed in the console. Surprisingly all the users are listed with
  a "=" sign in front of them.
  I am not able to authenticate against any users in AD. I am not able to login
  in to the PortalAppTools using "administrator" user although I have put it in
  the "filerealm.properties". I am able to log in to the PortalAppTools using
  "system" user but that doesn't help as I cannot see Default Portal Mgmt stuff.
  user.administrator=password
  user.praveen=paul
  user.ashley=ashley
  group.Monitors=Administrators
  group.Deployers=Administrators
  group.Administrators=weblogic,system,paul
  group.SystemAdministrator=administrator,paul
  group.AdminEligible=ashley
  group.DelegatedAdministrator=paul
  When I try to open the Portal Application, I get the following exception:
  <Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <The AccessDecision
  class "weblogic.securi
  ty.providers.realmadapter.AuthorizationProviderImpl" returned an error: java.lang.SecurityException:
  Realm Adapter ACL Mapping Failed.
  java.lang.SecurityException: Realm Adapter ACL Mapping Failed
  at weblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessAllowed(Author
  izationProviderImpl.java:345)
  at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
  475)
  at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:
  612)
  at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:332)
  at weblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:295)
  at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
  at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
  at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:262)
  at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:229)
  at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
  at javax.naming.InitialContext.lookup(InitialContext.java:345)
  at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:94)
  at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:763)
  at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:735)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
  at weblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWrapper.java:36
  at weblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124)
  at javax.naming.InitialContext.lookup(InitialContext.java:345)
  at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
  at com.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java:70)
  at com.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWebflowServlet.j
  ava:84)
  at javax.servlet.GenericServlet.init(GenericServlet.java:258)
  at weblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubImpl.java:1075
  at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
  at weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java:899)
  at weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.java:833)
  at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:773)
  at weblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:517)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:351)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
  at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.j
  ava:341)
  at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
  at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:251)
  at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
  at jsp_servlet.__index._jspService(index.jsp:3)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
  at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
  a:1058)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:445)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
  ontext.java:5412)
  at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:30
  86)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2544)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
  >
  <Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could not lookup
  PortalManagerHome i
  n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
  javax.naming.LinkException: . Root exception is javax.naming.NoPermissionException:
  User <anonymous
  does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
  Any help is appreciated.
  Thank You
  Paul

  hi Paul
  check this doc out
  http://dev2dev.bea.com/resourcelibrary/technicalguides/LDAP_in_Portal_7.0.jsp
  -tulan
  "Paul" <[email protected]> wrote in message
  news:[email protected]...
  >
  Has any one configured win 2000 Active Directory(AD) LDAP v2 compatibilityrealm
  with WLP7.0?
  We don't have any groups and all Users in AD are under one dn. Since ADis administered
  by a different group, I have decided to put the Portal mandatedGroups/Users in
  the filerealm.properties file.
  After configuration and successful booting of weblogic server, I am ableto see
  the groups in the Active Directory LDAP via the weblogic console. I getthe "Sizelimit
  exceeded" exception when I try to browse users which makes sense. Apartial list
  of Users is listed in the console. Surprisingly all the users are listedwith
  a "=" sign in front of them.
  I am not able to authenticate against any users in AD. I am not able tologin
  in to the PortalAppTools using "administrator" user although I have put itin
  the "filerealm.properties". I am able to log in to the PortalAppToolsusing
  "system" user but that doesn't help as I cannot see Default Portal Mgmtstuff.
  >
  user.administrator=password
  user.praveen=paul
  user.ashley=ashley
  group.Monitors=Administrators
  group.Deployers=Administrators
  group.Administrators=weblogic,system,paul
  group.SystemAdministrator=administrator,paul
  group.AdminEligible=ashley
  group.DelegatedAdministrator=paul
  When I try to open the Portal Application, I get the following exception:
  <Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <TheAccessDecision
  class "weblogic.securi
  ty.providers.realmadapter.AuthorizationProviderImpl" returned an error:java.lang.SecurityException:
  Realm Adapter ACL Mapping Failed.
  java.lang.SecurityException: Realm Adapter ACL Mapping Failed
  atweblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessA
  llowed(Author
  izationProviderImpl.java:345)
  atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
  Manager.java:
  475)
  atweblogic.security.service.AuthorizationManager.isAccessAllowed(Authorization
  Manager.java:
  612)
  atweblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.jav
  a:332)
  atweblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:29
  5)
  atweblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
  at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
  atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :262)
  atweblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :229)
  at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
  at javax.naming.InitialContext.lookup(InitialContext.java:345)
  atweblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.jav
  a:94)
  atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:76
  3)
  atweblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:73
  5)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
  at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
  atweblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWr
  apper.java:36
  atweblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124
  at javax.naming.InitialContext.lookup(InitialContext.java:345)
  at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
  atcom.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java
  :70)
  atcom.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWeb
  flowServlet.j
  ava:84)
  at javax.servlet.GenericServlet.init(GenericServlet.java:258)
  atweblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubI
  mpl.java:1075
  atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:744)
  atweblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java
  :899)
  atweblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.ja
  va:833)
  atweblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.jav
  a:773)
  atweblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:51
  7)
  atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :351)
  atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  atweblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDis
  patcherImpl.j
  ava:341)
  atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:744)
  atweblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImp
  l.java:251)
  at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
  at jsp_servlet.__index._jspService(index.jsp:3)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
  atweblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
  tStubImpl.jav
  a:1058)
  atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :401)
  atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :445)
  atweblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  atweblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
  ebAppServletC
  ontext.java:5412)
  atweblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:744)
  atweblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
  ntext.java:30
  86)
  atweblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
  :2544)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
  >
  <Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could notlookup
  PortalManagerHome i
  n the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
  javax.naming.LinkException: . Root exception isjavax.naming.NoPermissionException:
  User <anonymous
  does not have permission on portalAppat weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
  Any help is appreciated.
  Thank You
  Paul--
  Edited by jonmountjoy at 01/03/2008 1:45 AM

• LDAP setup with SSL - Can't use tls auth type

  I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
  # ldapclient mod -a authenticationMethod=tls:simple
  Cannot specify LDAP port with tls
  # ldapclient mod -a authenticationMethod=tls
  Unable to set value: invalid authenticationMethod (tls)
  Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
  NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
  NS_LDAP_SERVERS= 10.10.1.14:636
  NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SERVER_PREF= 10.10.1.14:636
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
  Thanks,
  Jay

  When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
  Also, you need to setup up your client to use FQN as well (/etc/hosts).

• Unable to access Admin Tools for portal after configuring LDAP realm

  After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and password "password". I've created the SystemAdministrator Group in LDAP as well as the appropriate "administrator" user but it still does not let me access the Administratotion Tools.

  This thread is being discussed in the weblogic.developer.interest.portal
  newsgroup under the same title. You can cross-post to multiple groups in
  the future so that the thread develops in all newsgroups that you posted to.
  "Wendy Kajiyama" <[email protected]> wrote in message
  news:[email protected]..
  After setting weblogic to use the LDAP realm I am unable to access theAdministration Tools. It does not take the username "administrator" and
  password "password". I've created the SystemAdministrator Group in LDAP as
  well as the appropriate "administrator" user but it still does not let me
  access the Administratotion Tools.