Solaris 10 and LDAP Authentication
Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
I'am missing any steps?
Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
Message was edited by:
automount
Message was edited by:
automount
You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary
Similar Messages
-
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos -
Weblogic Server 10.3.0 and LDAP authentication Issue
Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<url>>
<1291668685702> <BEA-000000> < Parent: null>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Roles:Anonymous>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Direction: ONCE>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions. -
Database Table and LDAP Authentication in the same repository?
I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-MattAnother thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes. -
DBConsole (DBControl) and LDAP authentication
Does anyone know if it is possible to use LDAP authentication to login to the DBConsole? I have a user "identified globally as 'cn=username,dn=...'" who can login to the database locally and remotely through SQL*Plus but gets a ORA-01017 when trying to login to the DBConsole.
Any help greatly appreciated.
Rgds,
Barry Winterbottom2009-02-25 17:09:22,824 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
2009-02-25 17:09:22,853 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,854 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:22,858 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,861 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:22,863 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:22,867 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
2009-02-25 17:09:26,386 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:26,388 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
2009-02-25 17:09:26,392 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
2009-02-25 17:09:26,396 [EMUI_17_09_26_/console/aboutApplication] ERROR svlt.PageHandler handleRequest.639 - java.lang.IllegalStateException: Response has already been committed
2009-02-25 17:09:26,398 [EMUI_17_09_26_/console/aboutApplication] ERROR em.console doGet.360 - java.lang.IllegalStateException: Response has already been committed, be sure not to write to the OutputStream or to trigger a commit due to any other action before calling this method.
2009-02-26 00:00:02,633 [JobWorker 381202:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-02-27 00:00:08,800 [JobWorker 383122:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-02-28 00:00:13,778 [JobWorker 385056:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-01 00:00:05,527 [JobWorker 386985:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-02 00:00:04,569 [JobWorker 388914:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-03 00:00:04,854 [JobWorker 390843:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-04 00:00:06,475 [JobWorker 392772:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-05 00:00:16,925 [JobWorker 394701:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-06 00:00:03,966 [JobWorker 396630:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-07 00:00:05,230 [JobWorker 398559:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-08 00:00:07,261 [JobWorker 400488:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-09 00:00:13,081 [JobWorker 402417:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-10 00:00:10,175 [JobWorker 404346:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-11 00:00:04,567 [JobWorker 406275:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-12 00:00:05,993 [JobWorker 408204:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-13 00:00:03,332 [JobWorker 410133:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-14 00:00:10,129 [JobWorker 412062:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-15 00:00:01,753 [JobWorker 413991:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-16 00:00:03,187 [JobWorker 415920:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-16 16:29:02,904 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.352 - Closed Connection: OraclePooledConnection.getConnection() - SQLException Ocurred:Invalid or Stale Connection found in the Connection Cache
2009-03-16 16:29:02,906 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17008; Cleaning up cache and retrying
2009-03-16 16:30:42,529 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-16 16:30:42,535 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-16 16:30:44,381 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-16 16:30:50,683 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-16 16:30:50,686 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-16 16:30:50,823 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-16 16:30:51,219 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-16 16:30:51,222 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-16 16:30:51,225 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-16 16:30:51,227 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-16 16:30:51,230 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-17 00:00:06,334 [JobWorker 417849:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-18 00:00:10,641 [JobWorker 419778:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-18 11:56:58,339 [EMUI_11_56_58_/console/database/monitoring/archiveFull$target=ADM111.nss.scot.nhs.uk$type=oracle*_database] ERROR perf.space logStackTrace.359 - java.sql.SQLException: Numeric Overflow
2009-03-19 00:00:02,843 [JobWorker 421707:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-20 00:00:03,388 [JobWorker 423631:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-21 00:00:03,407 [JobWorker 425565:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-22 00:00:06,065 [JobWorker 427494:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-23 00:00:02,580 [JobWorker 429423:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-23 15:37:15,441 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:37:15,447 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:37:17,177 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:37:23,172 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:37:23,176 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:37:23,311 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:37:23,684 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:37:23,702 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:37:23,706 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:37:23,708 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:37:23,711 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-23 15:41:18,591 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:41:18,596 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:41:19,872 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:41:24,915 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:41:24,918 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:41:24,997 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:41:25,296 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:41:25,299 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:41:25,301 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:41:25,303 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:41:25,305 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-23 15:52:29,116 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-23 15:52:29,122 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-23 15:52:30,750 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-23 15:52:36,541 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-23 15:52:36,544 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-23 15:52:36,629 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-23 15:52:36,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-23 15:52:36,976 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-23 15:52:36,978 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-23 15:52:36,980 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-23 15:52:36,982 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-24 00:00:06,712 [JobWorker 431352:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-24 16:51:58,193 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
2009-03-24 16:51:58,202 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
2009-03-24 16:51:59,946 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
2009-03-24 16:52:06,485 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
2009-03-24 16:52:06,487 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
2009-03-24 16:52:06,605 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
2009-03-24 16:52:06,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
2009-03-24 16:52:06,983 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
2009-03-24 16:52:06,986 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
2009-03-24 16:52:06,989 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
2009-03-24 16:52:06,991 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
2009-03-25 00:00:05,652 [JobWorker 433276:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-26 00:00:02,804 [JobWorker 435194:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
2009-03-27 00:00:07,235 [JobWorker 437123:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters. -
I have installed Iplanet dirserver (5.1 sp1) on Solaris 8. I have Solaris 8 clients which should authenticate every user ssh connections with this ldap server.
I have done everything as described in LDAP setup and Configuration Guide (found that in sun.com website) and everything works fine if i don't use SSL.
What should i do to make SSL work?
I have installed ssl ceritficates etc. and when i make dir server to use ssl it works fine with iplanet console (in access log it says SSL connection) But i can't get it work from my clients.
My default port is 5001 and i have set ssl port to 5002 but everytime that i change client profile (and configuring client with ldapclient command) to use port 5002, authentication don't work anymore. Actually that ldapclient command doesn't work either. I can see in access log that client tries to take SSL connection, but server doesn't respond to it.
Can anyone help me on this?
JaniI recently setup an iDS5.1 LDAP server as a naming service to a couple Solaris 9 clients. You must use the default SSL port (636), see http://docs.sun.com/db/doc/806-4077/6jd6blbdd?a=view .
In my case, I used a self-signed cert on the Server. I then copied the cert7.db, key3.db and secmod.db files from the server to the /var/dlap directory on the clients. The files you want from the server are in the SERVER_ROOT/alias directory. Specifically, the slapd-id-cert7.db and slapd-id-key3.db are the ones you want. Where id is the slapd server instance name, typically the host name of the computer.
HTH,
Roger S. -
Interface creation and LDAP authentication ...
Hi...All SAP friends,
i have to work on an interface creation with the following specifications:
1. SAP Enterprise Portal gives us an URL which contains UserID
2. You have to create an interface to read the URL,
3. Connect to LDAP server...from there come to know whether it is external or internal user, meaning if it exist in LDAP it is internal otherwise it is external user
4. If the user id is internal, interface has to create a file and place it at a particular location & create a webservice for this and expose to EP
5. if not it should give an alert saying it is an external user id
Please help me out how to start and what to do..!
Thank you.Hi,
These are the main steps,
***Assume that you know basic of authentication methods and how to define those in Apex
01. Create a function to authenticate the user
a. Check on the database whether user is exists
b. If exists then authenticate that user with LDAP
c. If user doesnot exists or authenticate failed then return false
d. If user exists and authentication success then return trueSignature of the function
FUNCTION <fucntion name> (p_username VARCHAR2, p_password VARCHAR2)
RETURN BOOLEAN;
* Makesure that you do both inside the one procedure
02. Create another function to check the page level authorization(if you need pagelevel verification. But if all users has same permissions on the aplication this is not necessary)
03. Create a new authentication
a.Go to Application Builder
b.Shared Component
c. Authentication Schemes(under Security)
d. Click "Create"
e. Select "From Scratch"
f. Proceed with the wizard and define "*Page Sentry Function*" (Only when you ahve page level authorization- BAove 2) and "*Authentication Function*"04. Set new authentication schema to current
a. Goto "*Change Current*" Tab
b. Sleect the new schema from the list
c. Click Next and proceed with wizard.
Thanks, -
AIR-WLC2106-K9 and ldap authentication
Is it possible to authenticate wireless clients using a external openldap server running on CentOS?
You can do that either with local EAP where LDAP as a backend server OR a web-authentication where LDAP is the backend auth server.
-
Ldap authentication not working for Solaris 8 host - Help!
Greetings folks,
I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
My /etc/nsswitch.conf looks like this:
passwd: files ldap
group: files ldap
My /etc/pam.conf looks like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
hostname# getent passwd user1
user1::1001:1001:User 1:/opt/home/user1:/bin/bash
hostname# ldaplist -l passwd user1
dn: uid=user1,ou=people,dc=mydomain,dc=com
shadowFlag: 0
userPassword: {crypt}(removed)
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
cn: user1
uidNumber: 1001
gidNumber: 1001
gecos: User 1
homeDirectory: /opt/home/user1
loginShell: /bin/bash
However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
Any ideas?
Thanks!
PatrickI assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
2) Did you test and verify telnet/ftp/su working? but SSH not working?
3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
Gary -
Solaris 10 Ldap Client user authentication against edirectory
Hello,
We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
Thanks
ukgreenmanI have a similar question.
Did you have a solution ?
thanks -
Ldap authentication on solaris 8 client
I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
# ssh -v user@localhost
SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.
host: Reading configuration data /etc/ssh_config
host: ssh_connect: getuid 0 geteuid 0 anon 0
host: Allocated local port 1023.
host: Connecting to 127.0.0.1 port 22.
host: Connection established.
host: Remote protocol version 1.5, remote software version 1.2.27
host: Waiting for server public key.
host: Received server public key (768 bits) and host key (1024 bits).
host: Forcing accepting of host key for localhost.
host: Host '127.0.0.1' is known and matches the host key.
host: Initializing random; seed file /root/.ssh/random_seed
host: Encryption type: idea
host: Sent encrypted session key.
host: Installing crc compensation attack detector.
host: Received encrypted confirmation.
host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
host: Server refused our rhosts authentication or host key.
host: No agent.
host: Doing password authentication.
[email protected]'s password:
Permission denied.
This is the pam.conf I use:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ppp auth required pam_unix_auth.so.1
Not sure why Solaris 8 can't authentication with LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
Any ideas?No, my problem seems different.
The authentication between ldap client and server is through tls:simple. Also, exact same configuration can work with Solaris 9 client, but not Solaris 8 client. Furthur checks on ssh on Solaris 8, the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
Thanks,
--xinhuan -
Solaris 8/LDAP (iDS 5.1) authentication
Hi, i'm currently trying to get solaris 8 authenticate against a solaris 9 ldap server. I have run idsconfig which completed fine, i've setup up the solaris 8 client, which seems to be fine. listusers on the client shows the LDAP users, i can su to an LDAP user from root. But when i try to login via the cde login screen it says it's incorrect. I've run a sniffer on the network and the client seems to be authenticating, but it fails when looking for the following info: SolarisProjectName;SolarisProjectId;desc;memberUid;membergid;SolarisProjectAttr; It then does another search with filter gid number 2001 for : cn; gidnumber;userpassword;memberuid.
Help please : )
Cheers, IanLooks like your /etc/pam.conf is not configured for a ldap authentication using dtlogin
You should have something like below for dtlogin to work.
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/pam_ldap.so.1 -
Solaris 9 LDAP client sun_ssh public key authentication
I have directory server 6.0 up on solaris 9 system and I have a couple of solaris 9 system migrated to LDAP client. I need to configure ssh public key authentication on two Solaris 9 LDAP clients. However, I seem can't make it working. I have done 1) generate rsa public/private key pairs on one host 2) cat public key to the authorized_keys file on another host. I checked the permission on $HOME and $HOME/.ssh, they both set to 700. The file permission are also correct. But I still get prompt when ssh from one LDAP client to another. If I add my password/shadow entry back to local files, then public key authentication works. My /etc/pam.conf is set up according to the Sun documentation for LDAP client. In /etc/nsswitch.conf
passwd: compat
passwd_compat: ldap
shadow: files ldap
group: files ldap
netgroup: ldap
loginShell does exist for the user.and LDAP entry has objectClasses 'posixAccount' and 'shadowAccount'
I have latest patch 112960 installed on all of LDAP clients.
What am I missing here?
Thanks,
--xinhuanOne more thing - I have latest patch 112960 installed on all of LDAP clients.
--xinhuan -
Authenticating against both RDBMS and LDAP in WL6.0
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate via LDAP;
for external users we would like to use RDBMS. In WL5.1, this looked to be
possible with the DelegatingRealm, however this has been removed in WL6.0.
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jtWe are currently deployed on WL5.1 with a similar situation as you and in
the process of migrating to WL6. We are Authenticating against LDAP and
Authorizing against RDBMS. But I can't see how you could tell it to go
one way for certain users and another for other users.
The delegatingrealm in WL5 was intended to split the responsibility of
Authenticating to one source and Authorization to another. To make this
work for your Application of splitting internal and external users
security, I suppose you can do it if you can somehow pass the information
to the Security Realm the type of the user that is logging in. Maybe you
can make this code a part of the userid such as ext_uersID or int_userID.
Doing this will allow you to filter the where the users are coming from
and Direct them to the appropriate security realm.
As far as WL6 goes, the Delegating realm class is no longer available
since the security model for WL6 is different from WL5. But you can take
a look at what they did with the RDBMSrealm example and use that. This is
what we did to make our Security work in WL6. However, you can no longer
store ACLs in the RDBMS realm in WL6.
Hopes this helps.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You will need to create a Custom Realm which delegates to both your RDBMS
and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
"Jonathan Thompson" <[email protected]> wrote in message
news:3accf1a3$[email protected]..
Hi,
We are designing a webapp that will be accessible to both internal and
external users. For internal users, we would like to authenticate viaLDAP;
for external users we would like to use RDBMS. In WL5.1, this looked tobe
possible with the DelegatingRealm, however this has been removed in WL6.0.
>
Two questions:
1) Why was it removed?
2) How can we get this functionality in WL6.0?
Thanks much for your help,
-jt
[att1.html] -
Integrated LDAP authentication and now BAM start page is very slow to load
Hi, all~
I have a fresh install of BAM 10.1.3.3 with the 10.1.3.4 patch applied.
I've reviewed the BAM installation guide and LDAP integration tech note, and have been able to successfully integrate BAM with our LDAP, where "successful" means that I'm able to provide my own LDAP credentials and log in to BAM.
However, the BAM start screen now consistently takes somewhere on the order of 1-2 minutes to load... so I guess I'm wondering if there's a common cause for this sort of error?
Any suggestions of things to check would be appreciated.
Thanks,
- NathanFor whatever it's worth, the solution in our case was to decouple BAM (10g) from LDAP.
User administration becomes a slightly more manual process in this case, but the BAM pages load almost instantly for users now, whereas before for some users it would take as much as 10 minutes for a page to load following their logging in.
Another benefit from LDAP decoupling is that IIS is able to do Windows integrated login for users, meaning that the users don't need to provide a login and password any longer.
The one "gotcha" that was encountered had to do with IIS realms and creating JDeveloper connections to the BAM server following the decoupling. From our testing, under IIS -> Web Sites -> Default Web Site -> Properties -> Directory Security (tab) -> "Authentication and access control" Edit button, the following needs to be specified:
Check only "Integrated Windows login" and "Basic authentication"
Specify a "Default domain" by pressing the Select button and choosing an appropriate domain
From there, in your JDeveloper BAM connection, be sure to include the selected domain in your connection properties.
- Nathan
Maybe you are looking for
-
i was going to upgrade from 10.6.8 to mavericks 10.9.2, but the installer program notified me stating my appleworks 6 app will not run on the new set up. is there a procedure to keep or switch my documents in order to obtain the mavericks upgrade?
-
Flex Builder 3 Design View Not Working
For some reason, the Design view has stopped working. I've tried uninstalling and reinstalling twice with no luck restoring it. All I see is a blank page when switching from Source to Design view. Source view works fine. Any help would be appreciated
-
Relation between maintainance order and capacity plannig
Hi If i create maintainance order for workcenter or resource that has been used in capacity planning in production process then is it going to affect capacity value. if it is then how and where? Thanking you.
-
Which runtime systems do i need to configure in CMS
Hi, We have development,Test,Production systems in the system landscape. So What runtime systems do i need to configure in CMS I am assuming it should be Development-Development Consolidation-Test Test-? Production-Production Which runtime system do
-
Need idea : Integration of CRM On Demand web services with Oracle SOA 10g
Hi Al, Can anyone have any idea on integration of CRM on Demand Web service with Oracle SOA 10g specially BPEL 10g. If you have any idea please share with us. Or if you know any good link on the same... please let me know..... Thanks in advance Debar