Solaris Naming Service
Hi there,
I have installed solaris 10. i would like to make it run LDAP service or might as well mak my server sa LDAP server. What is my next step after i installed the OS. Please help and advice.
Thanks.
SunOSnewbie
Hi there,
I have installed solaris 10. i would like to make it run LDAP service or might as well mak my server sa LDAP server. What is my next step after i installed the OS. Please help and advice.
Thanks.
SunOSnewbie
Similar Messages
-
Issue Password-less SSH: Sun OpenDS 2.0 as Naming Service
We are in the final phase of a proof of concept for Sun OpenDS as the Naming service for an important customer and facing problem with password-less ssh. We narrowed the problem down to password policy specifying a value for password maximum age. SSH succeeds with ?0? (zero) but requires password if the value is different from 0.
Any help in getting a resolution is greatly appreciated, as this is a road block now.
The following information is gathered.
The test is performed from a host thud which is setup as an ldapclient.
thud 275 ssh thud -i .ssh/thud
Password:
Last login: Tue Oct 13 06:57:01 2009 from xxx
Apparent reason (trimmed):
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying public key: .ssh/thud
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 1166d0 hint 0
debug2: input_userauth_pk_ok: fp 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
Corresponding debug info from server (thud):
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: test whether pkalg/pkblob are acceptable
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys,
line 2Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method publickey
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 0 failures 1 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 6147/150 (e=0/1)
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: trying public key file /home/doejohn/.ssh/authorized_keys
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: matching key found: file /home/doejohn/.ssh/authorized_keys, line 2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.info] Found matching DSA key: 07:15:b3:07:8d:da:b3:c8:34:d0:34:91:60:77:e0:39
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: restore_uid: 0/1
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: ssh_dss_verify: signature correct
Oct 13 07:29:36 thud sshd[21187]: [ID 966290 auth.debug] PAM[21187]: pam_start(sshd-pubkey,doejohn,0:179560) - debug = 1
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:service)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:user)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:rhost)
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:tty)
Oct 13 07:29:36 thud sshd[21187]: [ID 665327 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0)
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_projects.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 118111 auth.debug] PAM[21187]: load_modules(179560, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
Oct 13 07:29:36 thud sshd[21187]: [ID 143372 auth.debug] PAM[21187]: load_function: successful load of pam_sm_acct_mgmt
Oct 13 07:29:36 thud sshd[21187]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
Oct 13 07:29:36 thud sshd[21187]: [ID 267958 auth.debug] pam_unix_account: doejohn: Ignore module
Oct 13 07:29:36 thud sshd[21187]: [ID 545954 auth.debug] libsldap: more_info is empty, using default values
Oct 13 07:29:36 thud sshd[21187]: [ID 340006 auth.debug] PAM[21187]: pam_acct_mgmt(179560, 0): error Authentication failed
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.notice] Failed publickey for doejohn from 172.16.1.207 port 44363 ssh2
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: userauth-request for user doejohn service ssh-connection method keyboard-interactive
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
Oct 13 07:29:36 thud sshd[21187]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Oct 13 07:29:36 thud sshd[21187]: [ID 390116 auth.debug] PAM[21187]: pam_set_item(179560:conv)
Oct 13 07:29:36 thud sshd[21187]: [ID 873394 auth.debug] PAM[21187]: pam_end(179560): status = Authentication failed
Sending the Account Usability control on the server returns:
?The account is not usable?
solaris-z1 487 # ldapsearch -D 'cn=directory manager' -w xxx -b 'dc=texas,dc=net' -J "accountUsability:true" uid=doejohn
# Account Usability Response Control
# The account is not usable
dn: uid=doejohn,ou=eng,ou=People,dc=texas,dc=net
uid: doejohn
shadowLastChange: 14480
loginShell: /bin/ksh
userPassword: {CRYPT}GOUlmnz01bJbwcY69Btp2sIRJrLf+5RtAj4oug==
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: IEEPerson
objectClass: posixAccount
objectClass: top
givenName: John
cn: John Doe
sn: Doe
telephoneNumber: ...
gecos: ...
homeDirectory: /home/doejohn
mail: [email protected]
uidNumber: 6147
gidNumber: 150
manager: ...
For someone with a different password policy (max age is 0) the account is usable.
Ldapclient is running on a SPARC, Solaris 9 system; the Sun OpenDS 2.0 is running on Solaris 10 Sparc.
Password-less ssh works as expected when using a system not using LDAP.See https://opends.dev.java.net/servlets/ProjectForumMessageView?messageID=31827&forumID=3292.
Regards,
Ludovic. -
Naming Services cannot work well!!!
Hi,
I have configured the AM2005Q4 and Policy agent with apache, apache http.conf file is like
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /hzycportal http://exchange.hzliqun.com:8013/hzycportal
ProxyPassReverse /hzycportal http://exchange.hzliqun.com:8013/hzycportal
When I type http://exchange.hzliqun.com:8080/hzycportal in IE, and type the user/password, but it cannot reach at the application system. The agent debug log is like
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: HTTP Status = 200 (OK)
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Reading headers.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Server: Sun-Java-System-Web-Server/6.1
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Date: Mon, 21 Nov 2005 02:22:18 GMT
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Content-type: text/html
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Connection: close
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: Http::Response::readAndParse(): No content length in response.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 all: Connection::waitForReply(): returns with status success.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Completed processing the response with status: success
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2922">
<Response><![CDATA[<NamingResponse vers="1.0" reqid="2916">
<GetNamingProfile>
<Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
</GetNamingProfile>
</NamingResponse>]]></Response>
</ResponseSet>
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService()::parseNamingResponse(): Buffer to be parsed: <NamingResponse vers="1.0" reqid="2916">
<GetNamingProfile>
<Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
</GetNamingProfile>
</NamingResponse>
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService::parseNamingResponse(): Got Exception in XML.
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService::parseNamingResponse() returning with status invalid session.
2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService()::getProfile() returning with error code invalid session.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Naming query failed. and code:18
2005-11-21 10:23:07.578 Warning 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) denying access: status = invalid session
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) returning status: invalid session.
2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/hzycportal returned invalid session.
2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect(): goto URL is http://exchange.hzliqun.com:8080/hzycportal
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: Before invoking find_active_login_server()
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: is_server_alive(): Connection timeout set to 2
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: After invoking find_active_login_server()
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal].
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal]
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Host: exchange.hzliqun.com:8080
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Port is 8080.
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: get_request_url(): Returning request URL http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.593 Warning 460:82f3d8 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_notification(), http://exchange.hzliqun.com:8080/hzycportal is not notification url http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false.
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: find_cookie(): cookie found: header [JSESSIONID=D835480D9BBF3902D562A596CC05E953; iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] name [iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val [AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val_len [78] next_cookie [NULL]
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): processing url http://exchange.hzliqun.com:8080/hzycportal.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => http://exchange.hzliqun.com:8080/hzycportal, is valid => true
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): client_ip 10.44.202.218 not found in client ip not enforced list
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 AM_POLICY_SERVICE_NAME: am_policy_compare_urls(): compare usePatterns=true returned 3
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: in_not_enforced_list: enforcing access control for http://exchange.hzliqun.com:8080/hzycportal
2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: set_host_ip_in_env_map: map_insert: client_ip=10.44.202.218
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 ServiceEngine: Executing update_policy(AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23, http://exchange.hzliqun.com:8080/hzycportal, GET, 2)
2005-11-21 10:23:07.593 Debug 460:82f3d8 all: cookieList is not empty
2005-11-21 10:23:07.593 Debug 460:82f3d8 all: Exit from buildCookieHeader
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2923">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="2917" sessid="AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest Request line: POST /amserver/namingservice HTTP/1.0
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Cookie and Headers =Host: sunam1.hzliqun.com
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Content-Length =Content-Length: 346
2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Header Suffix =Accept: text/xml
Content-Type: text/xml; charset=UTF-8
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Total chunks: 7.
2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Sent 7 chunks.
And it will recycle these processes. From the logs, it seems that cannot get correct namingservices. But the agent configuration is correct, and likes these
# $Id: AMAgent.properties,v 1.86.2.6 2005/10/25 18:14:11 dknab Exp $
# Copyright ?2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ?2002 Sun Microsystems, Inc. Tous droits r�serv�s.
# Droits du gouvernement am�ricain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl�ments
# ?celles-ci.
# Distribu?par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d�pos�es de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Sun [TM] ONE Identity Server
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Sun [TM] ONE Identity Server will disable the SDK.
com.sun.am.cookieName = iPlanetDirectoryPro
# The URL for the Sun [TM] ONE Identity Server Naming service.
com.sun.am.namingURL = http://sunam1.hzliqun.com:80/amserver/namingservice http://sunim1.hzliqun.com:80/amserver/namingservice
# The URL of the login page on the Sun [TM] ONE Identity Server.
com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/UI/Login http://sunim1.hzliqun.com:80/amserver/UI/Login
#com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/gateway http://sunim1.hzliqun.com:80/amserver/gateway
# By default the agent checks if the Access Manager AUTH server is
# active before performing the login.
# This check can be ignored by setting the following property to true.
# In this case the first server indicated in the loginURL property will
# be selected, wether it is active or not.
com.sun.am.ignore_server_check = false
# Name of the file to use for logging messages.
com.sun.am.logFile = D:/Apache/sun/Identity_Server/Agents/2.1/debug/apache_8080/amAgent
# Name of the Sun [TM] ONE Identity Server log file to use for
# logging messages to Sun [TM] ONE Identity Server.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Sun [TM] ONE Identity Server.
com.sun.am.serverLogFile = amAuthLog.exchange.hzliqun.com.8080
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on IS server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.logLevels = all:5
# The org, username and password for Agent to login to IS.
#com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.username = amAdmin
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslCertDir = D:/Apache/sun/Identity_Server/Agents/2.1/apache/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certDbPrefix =
# Should agent trust all server certificates when Sun [TM] ONE Identity Server
# is running SSL?
# Possible values are true or false.
com.sun.am.trustServerCerts = true
# Should the policy SDK use the Sun [TM] ONE Identity Server notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notificationEnabled = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notificationURL = http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.urlComparison.caseIgnore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.cacheEntryLifeTime=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the identity server. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userIdParam=UserToken
# HTTP Header attributes mode
# String attribute mode to specify if additional policy response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional policy attributes will be introduced.
# HEADER - additional policy attributes will be introduced into HTTP header.
# COOKIE - additional policy attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.am.ldapattribute.mode=NONE
# The policy attributes to be added to the HTTP header. The specification is
# of the format ldap_attribute_name|http_header_name[,...]. ldap_attribute_name
# is the attribute in data store to be fetched and http_header_name
# is the name of the header to which the value needs to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.am.headerAttributes=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.ias_SLB_cookie_name = GX_jst
# indicate where a load balancer is used for Sun [TM] ONE Identity Server
# services.
# true | false
com.sun.am.loadBalancer_enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.version=2.1
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.logAccessType = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.agenturiprefix = http://exchange.hzliqun.com:8080/amagent
# Locale setting.
com.sun.am.policy.agents.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.instanceName = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.do_sso_only = false
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.accessDeniedURL =
# This property allows the user to configure the URL Redirect parameter
# for different auth modules. By default this parameter is set to "goto"
com.sun.am.policy.agents.urlRedirectParam=goto
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.fqdnMap
com.sun.am.policy.agents.fqdnDefault = exchange.hzliqun.com
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.fqdnMap = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Identity Server policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdnMap = valid|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.fqdnMap =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Identity Server for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.cookie_reset_enabled=true
com.sun.am.policy.agents.cookie_reset_enabled=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Identity Server.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.cookie_reset_list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.cookie_reset_list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.cookieDomainList=.sun.com .iplanet.com
com.sun.am.policy.agents.cookieDomainList=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.unauthenticatedUser=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.anonRemoteUserEnabled=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
# com.sun.am.policy.agents.notenforcedList = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.reverse_the_meaning_of_notenforcedList = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.notenforced_client_IP_address_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.is_postdatapreserve_enabled = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.postcacheentrylifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.cdsso-enabled=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.cdcservletURL = http://sunam1.hzliqun.com:80/amserver/cdcservlet
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.client_ip_validation_enable = false
# Whether to decode the session cookie before sending it to IS.
# Set to true if the cookie value is URL encoded, false otherwise.
# For example, cookie values from browsers are URL encoded, and
# some containers always returns the cookie URL encoded.
com.sun.am.cookieEncoded = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.am.ldapattribute.cookiePrefix = HTTP_
com.sun.am.policy.am.ldapattribute.cookieMaxAge = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.logout.url=
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.logout.cookie_reset_list =
# Below property is reserved for future use. Please do not change the value.
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Identity Server.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetchFromRootResource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.getClientHostname = true
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.convertMbyteEnabled = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.overrideProtocol =
com.sun.am.policy.agents.overrideHost =
com.sun.am.policy.agents.overridePort =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is tif you can add more details in your question, that'll be better.
in my case, i initially had pix515e with v6.1 on it, and cannot get a dialtone because my sip phone (ata186) is not registered on my proxy. but when i changed my pix to v6.2, it worked just fine. i didn't put any access-list though, as fixup does it for me already. -
Distributed application: Networked Shared Variables, Named Services (Raw TCP/IP) or Other?
Happy New Year NI forums!
I am working on a project involving mobile interacting robots. In the future it is likely the application's components may need to run on different PCs (Targets). Note: at this point in time all the components are seperate but all running on the localhost machine. Thinking towards the future I want to pick the 'best' architecture to allow all these components (VIs performing various functions) in multiple locations. For example, several VIs on the Robots, VIs on serveral PCs.
I am currently aware of using Server/Client TCP/IP using named services. My mock up works well, but is it time efficient (my time coding) I wonder.. ?
Whereas I am aware of networked shared variables which handle connections and all the parsing for the underlying tcp/ip communication. But will this be difficult the manage? I am unsure if I can associate shared variables with a VI similar to named services. I suppose I could pro grammatically create the variable upon initialization of the server component - and the client could just search the list of avaiaible variables to connect too. Downside this would require DSC module.
As you can see, I am rather unsure. Any advice would be great!
Kind Regards,
James
Kind Regards
James Hillman
Applications Engineer 2008 to 2009 National Instruments UK & Ireland
Loughborough University UK - 2006 to 2011
Remember Kudos those who help!Hi Jason,
Thanks for your reply. I hope your enjoying NI UK as much as I did.. fun times!
I have seen the link you posted a few times before. But today, I took a better look at it.
My issue is I need several multi-client severs, i.e. many servers which allow multiple clients to connect to them.
Now the STM does have an example of this - STM mutli-client Example - Server.vi (used with the STM mutli-client.vi)
However, when a make copies of these code (to have my second server) - it refuses to run. As in , it just stops itself.
I DID change the port number, on the lister aspect of the server code. But I Am unsure what else I would need to change to get this setup to work?
One thought I had was, the FIFOs all having the same name - this probably isn't a good idea between servers.
Any suggestions would be grateful!
*please could you provide me email support
Kind Regards,
James Hillman
Kind Regards
James Hillman
Applications Engineer 2008 to 2009 National Instruments UK & Ireland
Loughborough University UK - 2006 to 2011
Remember Kudos those who help! -
Remote Authentication Naming Service Not Found
Hey everybody,
I found this thread:
http://swforum.sun.com/jive/thread.jspa?threadID=54004
That thread mentions (or implies) there is something different that must be accomplished when performing remote authentications vs local authentications but never actually states what is different.
Anyhow, I am attempting to perform a remote authentication, and am running into problems. I have taken the code listed in the above thread and modified it for my usage, with a few modifications. However, I keep getting this error:
[#|2006-02-13T15:50:56.321-0500|INFO|sun-appserver-pe8.1_02|javax.enterprise.system.stream.out|_ThreadID=25;|ERROR: updateNamingTable : Naming Service is not available.
|#]
[#|2006-02-13T15:50:56.332-0500|WARNING|sun-appserver-pe8.1_02|javax.enterprise.system.stream.err|_ThreadID=25;|
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):null
com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: Naming Service is not available.
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1310)
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1261)
at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:178)
at infrastructure.SessionBean1.login(SessionBean1.java:224)
at infrastructure.login.button1_action(login.java:267)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at ...When I connect to the service via http://myserver.mydomain.tld/amserver/namingservice I recieve a message that looks like:
Webtop 2.5 Platform Low Level request servletWhich indicates it is running properly. I also am using the AMConfig.properties that is running on the server to pull my values and my code (listed below) prints out all the values it reads. I am using the base dn for the orgname as indicated in various documentation.
My code looks like:
public boolean login(String username, String password) {
try {
ResourceBundle resources = ResourceBundle.getBundle("AMConfig");
String orgname = null;
Properties props = new Properties();
Enumeration keyEnum = resources.getKeys();
while ( keyEnum.hasMoreElements() ) {
String key = (String) keyEnum.nextElement();
String value = (String) resources.getString(key);
props.setProperty(key, value);
if ( key.equalsIgnoreCase("com.iplanet.am.defaultOrg") ) {
orgname = value;
this.getFacesContext().addMessage(null, new FacesMessage(key + " = " + value));
SystemProperties.initializeProperties(props);
// Authenticate the user and obtain SSO Token
AuthContext lc = null;
lc = new AuthContext(orgname);
lc.login();
while (lc.hasMoreRequirements()) {
Callback[] callbacks = lc.getRequirements();
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof NameCallback) {
NameCallback nc = (NameCallback) callbacks;
nc.setName(username);
} else if (callbacks[i] instanceof PasswordCallback) {
PasswordCallback pc = (PasswordCallback) callbacks[i];
pc.setPassword(password.toCharArray());
} else {
log("Unknown Callback: " + callbacks[i]);
return false;
lc.submitRequirements(callbacks);
if (lc.getStatus() != AuthContext.Status.SUCCESS) {
log("Invalid credentials");
return false;
// Obtain the SSO Token
token = lc.getSSOToken();
log("SSOToken: " + token.getTokenID());
log("User DN: " +
token.getPrincipal().getName());
// Obtain AMUser object
db = new AMStoreConnection(token);
user = db.getUser(token.getPrincipal().getName());
// Get the attributes and display them
log("Attributes: " + user.getAttributes());
} catch (Exception e) {
this.getFacesContext().addMessage(null, new FacesMessage("An exception occurred, unable to login.", e.getMessage()));
e.printStackTrace();
return false;
Any ideas?
Thanks!
Joshua Preston.The most common reason for this error is improper
communication with your LDAP server . Is your DS
setup correctly and are you able to authenticate
using amadmin ?Yes, our DS is setup correctly and I am able to authenticate using amadmin. -
Error getting the server-side naming service functionality
Hi all,
we are currently setting up the CTS+ activity based transport scenario. Everything seems to be working fine, however, we have to import each transport twice...
Before I go into detail in the error we get I will first describe our landscape. All the configuration we did was done in debate with SAP.
We use the SAP Solution manager (ehp1 SP 4) as the CTS+ server as recommended by SAP and have an NWDI system of which we only use the components DTR and CBS (since CMS is not used anymore in the activity based transport). We have defined three logical ports/RFCs. CTSCONFIG points to the NWDI system. CTSDEPLOY is running on the java stack of the solution manager and is only used for portal content (=epa) transports. CTSDEPLOY_DI is pointing to the NWDI system and is used for all NWDI (=dip) changes. The NWDI is running ehp1 SP3.
In STMS I defined all the non-abap systems (and configured them to use CTSDEPLOY_DI) and created the following transport route:
upload system (IMP) -> DEV -> ACC -> QAS -> PRD
I first attached the used dependencies in a transport request (SAP_BUILDT, EP_BUILDT, etc) these imported just fine. Then I did the SCA files which contain our custom code. I extracted these from the assemble step on our current NWDI system which will be removed as soon as we switch to the new CTS+ environment.
When we import the transport into the runtime systems then we see the DTR and CBS be filled sucesfully for this specific system. However, the transport request itself always fails with errorcode 12 and the error is:
Error during export service registration: Error getting the server-side naming service functionality during getInitialContext opera
tion. com.sap.engine.services.jndi.persistent.exceptions.NamingException: Error getting the server-side naming service functionality during getInitialContext operation.
Error in execution of Web services CTSDEPLOY_DI , exception is cx_cts_file_import_failed
File import canceled
When we then reimport the same transport it will go the second time fine. This is no problem during the setup but will not be workable when we go live ofcourse. Is there anyone who had this issue before as well and have a solution for it?
Kind Regards,
Nico van der Linden...Hello Nico,
I would need the java trace files to get more info on this issue, but you can start troubleshooting this error with these notes:
#1172252: CTS+, 'attach file': Troubleshooting Guide;
#1003674: Enhancement for non-ABAP systems in CTS;
#1155884: CTS+, configuration 'close coupling': Troubleshooting guide;
Pay special attention to parameter NON_ABAP_WBO_CLIENT, whether it's correctly set on your CTS+ system(s).
Note #1003674 is a must for any CTS+ systems to work properly, as well as having an updated version of the transport programs (tp and R3trans).
Lastly, note #1155884 goes through some JCoException exceptions that commonly take place during CTS+ transports. But again, you need to check the underlying trace files to find the root cause of your issue.
I hope this information helps.
Best regards,
Tomas Black -
JApplet communication with CORBA naming service
I have an applet that needs to resolve/bind to object in the CORBA naming service (we are using Orbix2000). The applet is able to establish a socket connection to the host that is running the naming service; however it cannot find the naming service. I have done extensive research on the web (followed the tutorials from the Sun site) and google to no avail. Can anyone shed some light? We have successfully used Orbix2000 with Java apps. This is the first access via an applet.
thanks,
kat
This is the exception I get when running it from NS4.7 browser:
Initializing the ORB CORBA exception: java.lang.NullPointerException java.lang.NullPointerException at com.iona.corba.art.artimpl.ORBDelegate.resolve_initial_references(ORBDelegate.java:835) at com.iona.corba.art.artimpl.ORBImpl.resolve_initial_references(ORBImpl.java:203) at CSGConsole.init(CSGConsole.java:139) at sun.applet.AppletPanel.run(Unknown Source) at java.lang.Thread.run(Unknown Source)
This is the applet code snippet
import CLMOperator.*; // package contains the CORBA client stubs
import org.omg.CosNaming.*;
import org.omg.CosNaming.NamingContextPackage.*;
import org.omg.CORBA.*;
// Create and initialize the CORBA ORB
System.setProperty("org.omg.CORBA.ORBClass","com.iona.corba.art.artimpl.ORBImpl");
System.setProperty("org.omg.CORBA.ORBSingletonClass","com.iona.corba.art.artimpl.ORBSingleton");
String[] args = { "-ORBInitRef", "NameService=corbaloc:iiop:sea03s20.ds.boeing.com:3075/NameService" };
System.out.println( "Initializing the ORB" );
// ORB orb = ORB.init(this, args);
Properties props = new Properties();
props.put("org.omg.CORBA.ORBInitialHost", "sea03s20.ds.boeing.com");
props.put("org.omg.CORBA.ORBInitialPort", "3075");
ORB orb = ORB.init(this, props);
// Get the root naming context
org.omg.CORBA.Object objRef = orb.resolve_initial_references("NameService");
NamingContext ncRef = NamingContextHelper.narrow( objRef );
// Resolve the object reference in naming
NameComponent nc = new NameComponent("CLMOperator", "");
NameComponent path[] = { nc };
CLMOperator.CLMOper clmOper = CLMOperator.CLMOperHelper.narrow(ncRef.resolve(path));
// Call the CLMOperator server object and invoke on the method
clmOper.Notify(1, 'A');
catch(Exception e) {
System.out.println("CORBA exception: " + e);
e.printStackTrace(System.out);Kat:
I ran into a similar problem. I was wondering if it had anything to do with a security policy between the applet and CORBA, i.e., apllet using the NamingService. To test this, I built a another CORBA Java Client (character interface, not applet) and it works fine. The applet must require something else, like setting a security policy. I sent a query off to someone who manages the Java environment. If I get an answer, I'll post it here.
bfin -
Solaris Name Service Cache and Directory Proxy Problem
We have some Solaris 10 clients ldapcliented to a Directory Proxy Server. After 15 minutes, the Solaris name service cache will fail to communicate to the proxy instance and the proxy instance's readconnectionsrefused attribute will start incrementing.
At first it seemed we would need to increase the worker-threads and num-bind-limit, but those do not fix the problem.
At the same time the name-service-cache starts failing, I am still able to query and search the proxy. I have set up a Jmeter test which continues to run and they never fail.
It seems very consistent that the problem with the name-service-cache occurs every 15 minutes and I am able to reproduce this at the client's site and in my lab. Restarting either the proxy or the name-service-cache clears the problem.
Has anyone else seen this problem?
Edited by: 957466 on Sep 6, 2012 9:11 AMThe idle-timeout on DSEE was set to none, which I believe is the default. I tried setting it to 1200 and 2400 seconds without success.
h3. get-ldap-data-source-pool-prop
<pre>
client-affinity-bind-dn-filters : any
client-affinity-criteria : connection
client-affinity-ip-address-filters : any
client-affinity-policy : write-affinity-after-write
client-affinity-timeout : 20s
description : -
enable-client-affinity : false
load-balancing-algorithm : proportional
minimum-total-weight : 100
proportion : 100
sample-size : 100
</pre>
h3. get-ldap-data-source-prop
<pre>
bind-dn : none
bind-pwd : none
client-cred-mode : use-client-identity
connect-timeout : 10s
description : -
down-monitoring-interval : inherited
is-enabled : true
is-read-only : false
ldap-address : localhost
ldap-port : ldap
ldaps-port : ldaps
monitoring-bind-dn : none
monitoring-bind-pwd : none
monitoring-bind-timeout : 5s
monitoring-entry-dn : ""
monitoring-entry-timeout : 5s
monitoring-inactivity-timeout : 2m
monitoring-interval : 30s
monitoring-mode : proactive
monitoring-retry-count : 3
monitoring-search-filter : (objectClass=*)
monitoring-search-scope : base
num-bind-incr : 10
num-bind-init : 2
num-bind-limit : 1024
num-read-incr : 10
num-read-init : 2
num-read-limit : 1024
num-write-incr : 10
num-write-init : 2
num-write-limit : 1024
proxied-auth-use-v1 : false
ssl-policy : never
use-read-connections-for-writes : false
use-tcp-keep-alive : true
use-tcp-no-delay : true
</pre> -
Hi,
We are devloping Wrapper arround the Identity server sdk which is going to be placed on linux+weblogic platform. Everything is working fine without SSL enabled for access manager(identity server). When AM is running in SSL mode we are facing problem when our code is trying to create AuthContext. Following is the log trace from debug file
01/20/2005 06:00:06:750 PM MST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
authenticate...START
01/20/2005 06:00:09:586 PM MST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
ERROR: authenticate :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.common.L10NMessageImpl(2):Failed to create New AuthContext: Error while processing XML request
Naming Service is not available
com.sun.identity.common.L10NMessageImpl: Failed to create New AuthContext: Error while processing XML request
Naming Service is not available
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1220)
at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1142)
at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:148)
at com.abs.security.b2b.AuthenticationService.authenticate(Unknown Source)
at com.abs.security.b2b.B2BIDSInterfaceImpl.authenticate(Unknown Source)
at com.abs.security.b2b.client.B2BInitialAdminClientServlet.authenticate(Unknown Source)
at com.abs.security.b2b.client.B2BInitialAdminClientServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
we took care of loading JSS libraries and AMConfig. properties file changes, trusted CA certificate import and also we added system property java.protocol.handler.pkgs=com.iplanet.services.comm
any help is appreciated.Did you resolve this issue. I have just encountered it when I switched from non-SSL to an SSL port. The exception I get is the same as yours. The debug log indicates that the host name is incorrect:
03/25/2005 03:23:57:841 PM EST: Thread[main,5,main]
ERROR: updateNamingTable : Naming Service is not available^M
03/25/2005 03:23:57:881 PM EST: Thread[main,5,main]
ERROR: Naming service connection failed for https://dakota.abcd.com:4405/am
server/namingservice
com.iplanet.services.comm.client.SendRequestException: HTTPS hostname wrong: sh
ould be <dakota.abcd.com>^M
at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:131)^M
at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:71)^M
at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.jav
a:335)^M
at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java
:308)^M
at com.iplanet.services.naming.WebtopNaming.getServiceURL(WebtopNaming.java:12 -
Access Manager 6 2005Q1 naming service behind load balancer
Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?Bernhard,
We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not availalbe in the PA agent properties but only in the Java SKD. Indeed we do not see such a key in the new Web PA AMAgent.properties.
Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed thru the load balancer? Below are the setting in our AMAgent and AMConfig properties files
AMAgent.properties
com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
AMConfig.properties
com.iplanet.am.server.protocol=https
com.iplanet.am.server.host=am.mydomain.com
com.iplanet.am.server.port=443
com.iplanet.am.console.protocol=https
com.iplanet.am.console.host=lb-mydomain.com
com.iplanet.am.console.port=443
com.iplanet.am.profile.host=lb-mydomain.com
com.iplanet.am.profile.port=443
com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notifica
tionservice
If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be partof our issue or not. Please comment.
Thanks,
Craig -
How to Connect to the Visibroker Naming Service using the Servlet
Hi
I am facing Problem in finding the Initial JNDI Context.
It is giving me ClassCastException.
In our Application the Tomcat is Integrated with One of the Partitions. And the EJB' are registered on Visibroker Naming Service (on the same machine).
I want to Access one of the EJB's.
Following is my Client Code in the Servlet.
==============================================================================
public void doPost(HttpServletRequest request, HttpServletResponse res)
throws IOException, ServletException
res.setContentType("text/html");
PrintWriter pw = res.getWriter();
pw.println("<html>");
try{
Enumeration e= super.getInitParameterNames();
while(e.hasMoreElements())
String paramName= (String)super.getInitParameterNames().nextElement();
String paramValue=super.getInitParameter(paramName);
pw.println("paramName="+paramName);
Context ic;
java.util.Properties props = new java.util.Properties();
props.putContext.INITIAL_CONTEXT_FACTORY, "com.inprise.j2ee.jndi.CtxFactory");
props.put(Context.URL_PKG_PREFIXES, "com.inprise.j2ee.jndi");
ic = new InitialContext();
pw.println("Initial Context"+ ic);
========================================================================
And I am getting following Error while getting the Inital Context.
============================
ERROR - javax.naming.NoInitialContextException: Cannot instantiate class: com.inprise.j2ee.jndi.CtxFactory [Root exception is java.lang.ClassCastException]
2006-09-30 05:16:27,461 ERROR - at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
2006-09-30 05:16:27,461 ERROR - at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
2006-09-30 05:16:27,461 ERROR - at javax.naming.InitialContext.init(Unknown Source)
2006-09-30 05:16:27,461 ERROR - at javax.naming.InitialContext.<init>(Unknown Source)
2006-09-30 05:16:27,461 ERROR - at com.lucent.omcran.servlet.OmcRanTpuGuiReDirectServlet.doPost(OmcRanTpuGuiReDirectServlet.java:56)
2006-09-30 05:16:27,461 ERROR - at com.lucent.omcran.servlet.OmcRanTpuGuiReDirectServlet.doGet(OmcRanTpuGuiReDirectServlet.java:33)
2006-09-30 05:16:27,461 ERROR - at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
2006-09-30 05:16:27,461 ERROR - at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
2006-09-30 05:16:27,461 ERROR - at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:248)
2006-09-30 05:16:27,461 ERROR -
===========================================
Below are the Parameters that I use to Start my Partition
=============================================================================
-Diems.locator.localzonetype=presentation -Diems.arm.context=presentation -XX:+DisableExplicitGC= -XX:+UseCMSInitiatingOccupancyOnly= -DAPPNAME=appl1 -DContextId=1 -DCOMMONPATH=/omcsw/common -DIEMSPATH=/omcsw/28.0.1.22.00 -Djava.util.prefs.PreferencesFactory=com.lucent.iems.platform.util.prefs.spi.IEMSPreferencesFactory -Dcom.lucent.iems.prefs.PrefsDirectory=/omcsw/28.0.1.22.00/data/registry -Dorg.omg.CORBA.ORBClass=com.inprise.vbroker.orb.ORB -Dorg.omg.CORBA.ORBSingletonClass=com.inprise.vbroker.orb.ORBSingleton -Djavax.rmi.CORBA.StubClass=com.inprise.vbroker.rmi.CORBA.StubImpl -Djavax.rmi.CORBA.PortableRemoteObjectClass=com.inprise.vbroker.rmi.CORBA.PortableRemoteObjectImpl -Djavax.rmi.CORBA.UtilClass=com.inprise.vbroker.rmi.CORBA.UtilImpl -Diems.arm.factory=com.lucent.iems.platform.util.arm.impl1.ARMFactoryImpl1 -Dcom.lucent.iems.platform.util.intfc.maxnumofobjects=25 -DGUMDBPOOLNAME=GUMdb -Dvbroker.orb.enableKeyId=false
==============================================
Does Any one have Idea what is going wrong..
AnkitYou can check whether any cookies were sent in the request to your servlet:
Cookie cookies[] = request.getCookies();
if cookies is not null (cookies != null) then the browser sending you the request suppoerts cookies.
If it is null then you would need to do a little extra work. Basically add a cookie to the response going back to the browser. Then send a redirect back to this same servlet. You then would have to add code to check to see whether the cookie was sent back.
// Servlet named myServlet
String test = request.getParameter("TEST");
Cookie cookies[] = request.getCookies();
if (test == null || !test.equals("TRUE")
if (cookies == null)
response.addCookie("testCookies","testCookies");
response.sendRedirect("myServlet?TEST=TRUE");
else
// cookies were sent in the initial request, so
// browser supports cookies
else
// This is the redirect. Check the for the presence of
// our testCookie
Hope this helps. -
Error :server-side naming service functionality during getInitialcontext op
Hi Friends,
I am trying out Java Proxies Scenario(Asynchronous).
I am facing problem with the following error:
<b>Error getting the server-side naming service functionality during getInitialContext operation.</b>
Please help out to solve the above problem.
Sudheer.Hi Sudheer
Check the following thread,
Re: Problems When recieving Jms messages from XI
cheers
Sameer -
Server-side naming service functionality
Dear all,
I have this problem on my JCA connection:
###Exception #1#com.sap.engine.services.jndi.persistent.exceptions.NamingException: Error getting the server-side naming service functionality during getInitialContext operation.
at com.sap.engine.services.jndi.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:238)
at ...etc etc....
The problem is on this part of code:
public void doProcessBeforeOutput() throws PageException {
TestJCABean myBean = new TestJCABean();
myBean.setStr(remoteStr);
((IPortalComponentRequest)getRequest()).getServletRequest().setAttribute("myBean", myBean);
this.setForward("TestJCA.jsp");
I really don't understand, any suggestion regarding this?
I will apprecciate a lot.
VipaHi Ravi,
here my code, thanks for your help.
-----TESTJca.java
public class TestJCA extends PageProcessorComponent {
public DynPage getPage(){
return new TestJCADynPage();
public static class TestJCADynPage extends JSPDynPage{
private final static String LOGGER = "NameJCA";
private final static ILogger log = PortalRuntime.getLogger(LOGGER);
private String remoteStr = "";
public void doInitialization(){
//Accedo il portal component profile per ottente il valore del system alias configurato per l'iview
//MNT è stato configurato da portal e sul file xml
log.info(this, "[doInitialization()]comincio");
IPortalComponentRequest request = (IPortalComponentRequest) this.getRequest();
IPortalComponentContext compContext = request.getComponentContext();
IPortalComponentProfile userProfile = compContext.getProfile();
//Ritorna MNT che ho aggiunto in portalapp.xml
String sys = userProfile.getProperty("System");
log.info(this, "[doInitialization()]valore del system alias: "sys"");
//Utilizza la funzione per la connessione al sys di backend e reperimento dell'info necessarie
remoteStr = getRemoteString(request, sys);
log.info(this, "[doInitialization()]remoteStr: "remoteStr"");
public void doProcessAfterInput() throws PageException {
public void doProcessBeforeOutput() throws PageException {
TestJCABean myBean = new TestJCABean();
myBean.setStr(remoteStr);
((IPortalComponentRequest)getRequest()).getServletRequest().setAttribute("myBean", myBean);
// fill your bean with data here...
//log.info(this, "[doInitialization()]Setto il nome della jsp");
this.setJspName("TestJCA.jsp");
//this.setForward("TestJCA.jsp");
//IResource jsp = request.getResource(IResource.JSP, "pagelet/bannerOriginalle.jsp");
//response.include(request, jsp);
@param pgContext
@param response
@param compBean
@param cubeName
@param templateID
private String getRemoteString(IPortalComponentRequest request, String sapSystem) {
IConnection connection = null;
try {
// get the Connector Gateway Service
Object connectorservice = PortalRuntime.getRuntimeResources().getService(IConnectorService.KEY);
IConnectorGatewayService cgService = (IConnectorGatewayService) connectorservice;
if (cgService == null) {
log.info(this, "[getRemoteString()]Error in get Connector Gateway Service
try {
IUser user = request.getUser();
ConnectionProperties cp = new ConnectionProperties(user.getLocale(), user);
connection = cgService.getConnection(sapSystem, (ConnectionProperties) request);
} catch (Exception e) {
log.severe(this, "[getRemoteString()]Connection to SAP system failed. Exception:" +e.getLocalizedMessage());
if (connection == null) {
log.info(this, "[getRemoteString()]Connection is null
} else {
log.info(this, "[getRemoteString()]Connection succesful");
} catch (Exception e) {
log.severe(this, "[getRemoteString()]Exception occured. Exception:" +e.getLocalizedMessage());
log.info(this, "[getRemoteString()]Iview: runFunction");
try {
// Get the Interaction interface for executing the command
IInteraction ix = connection.createInteractionEx();
// Get interaction spec and set the name of the command to run
IInteractionSpec ixspec = ix.getInteractionSpec();
//String functionName = "Z_ESTRAIDATA";
String functionName = "RPL_CUSTOMER_NAME_GET";
// Put Function Name into interaction Properties.
ixspec.setPropertyValue("Name", functionName);
// return structure - dovrebbe essere il nome del parametro di export della funzione
//cambiarlo di conseguenza
//String function_out = "ERRORE";
String function_out = "PE_NAME1";
String function_in_value = "1000010001";
RecordFactory rf = ix.getRecordFactory();
MappedRecord input = rf.createMappedRecord("input");
// put function input parameters
// input.put("ZSC_CUBE", cubeName);
// input.put("ZSC_PERVAL", selection);
// input.put("ZSC_UTENTE", user.getLogonUid());
input.put("PI_KUNNR", function_in_value);
//ottengo l'oggetto che mi rappresenta l'output della funzione
//lancio la RFM
MappedRecord output = (MappedRecord) ix.execute(ixspec, input);
Object rs = null;
try {
Object result = output.get(function_out);
if (result == null) {
rs = new String(" ");
} else if (result instanceof IRecordSet) {
rs = (IRecordSet) result;
log.info(this, "[getRemoteString()]rs ritornato: " + rs.toString());
return rs.toString();
// Do need all type here ?
else {
rs = result.toString();
log.info(this, "[getRemoteString()]rs ritornato: " + rs.toString());
return rs.toString();
} catch (Exception ex) {
log.severe(ex, "[getRemoteString()]Error getting function result. Exception:" +ex.getLocalizedMessage());
log.info(this, "[getRemoteString()]Codice errore ritornato: " + rs.toString());
} catch (Exception e) {
log.severe(e, "[getRemoteString()]Error getting function interaction. Exception:" +e.getLocalizedMessage());
return null;
-----TESTJcaBean.java
package ... ... ... ...
import java.io.Serializable;
public class TestJCABean implements Serializable {
private String str;
@return
public String getStr() {
return str;
@param string
public void setStr(String string) {
str = string; -
Im currently working on some code and Im really in need of a naming service, preferably one with a service provider for JNDI. In essence what Im looking for is a very basic name server, although knowing little about the suject at this point Im thinking that ldap, nis are really not well suited to my needs as my key goal is mapping names to references( under dynamic contexts), which Ive allready half implemented. As things are getting more complex and what Ive implemented of rather poor design, Im starting to feel like Im going to have a rough month or two ahead of me!! I dont want to re-invent the wheel and I know in my heart someone has allready coded the software I need!!! Unfortunately My search has been fruitless. Id greatly appreciate it if someone can steer me in the right direction. In the meantime I think Ill be pulling my hair out trying to figure out how to code the software I need.... Sorry for not fully explaining what Im after, if not enough info just let me know and Ill try to provide more detail.............
Hi Prisco,
You can go very well fo JNDI. And you can use Netscape or Iplanet Directory server as LDAP server.
Please Download the Directory Server from this URL.
http://www.iplanet.com/downloads/download/2087.html
Also here with I am giving you a simple Authentication program, which makes use of JNDI and Netscape Directory server. If you follow these steps, you will get a good idea about JNDI.
DESCRIPTION:
I am trying to use LDAP to control access to a HTML page. I want an authentication
box to pop up, allowing the user to authenticate to the HTML page through a LDAP server.
If they succesfully authenticate, I need to check their username against a list
of valid usernames that's stored in a database, then give access to the page
based on that list. How can I implement this solution?
SOLUTION:
The best way is to use Basic Authentication solution with JNDI and LDAP server,
Netscape Directory server(for example) with a simple servlet program. Java Naming
and Directory Interface (JNDI) API is standardized, and enable to use different
directory services such as Netscape Directory server. LDAP server can be used
for storing some common data's used in the sample solution.
It can be done through a servlet to check the user and its password which is
stored in the LDAP server.
In order to demonstrate a sample solution, I will use the Netscape Directory
Server 4.13 as the LDAP server, which is loaded my own LDIF file with customized
attributes. The basic authentication algorithm will be used in this sample
solution.
The following steps are to implement this sample solution:
1. Creating our own LDAP data Interchange format (LDIF) file.
2. Loading(Import) the Ldif file in Netscape Directory Server.
3. Creation of user schema files for customized attributes.
4. Load the user schema files in the Netscape Directory Server.
5. Restart the Directory Server
6. A simple servlet program for basic authentication.
7. A sample HTML file is given last, used in servlet program.
Here are the detail description of the above steps:
STEP 1: Creating our own LDAP data Interchange format (LDIF) file:
Here is the LDIF (LDAP data Interchange format) file is a text based format used to work
on LDAP data, with both our application and end users.
Through this LDIF file, I am having an attribute "customerid: timb" for which I will
be preparing the authentication, which will have its own password
"userpassword: bakrudeen", through which it can be maintained in a common place.
Here again in the same LDIF file, other information related to the "customerid: timb"
such as common name "cn: Tim Briggs", sur name "sn: Briggs" etc are maintained.
The data in LDAP is organized in a tree, called a Directory Information tree(DIT).
Each leaf in DIT is called an entry. The first entry in DIT is called the root entry.
Here is a sample LDIF File which is used in our sample solution:-
Here the DIT is maintained in such a way data is organized in LDAP, is fairly simple. In this
sample we store all of our entries in a common root o=fedup.com, with the following branches
Customers - Customer Entries with " customer id: timb" , userpassword: bakrudeen, and other
information related to this customer is kept in a common place.
dn: uid=timb,ou=Customers,o=fedup.com
changetype:add
objectclass: customer
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Tim Briggs
uid: timb
givenname: Tim
customerid: timb
sn: Briggs
facsimiletelephonenumber: 4101
telephonenumber: 4145
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
createtimestamp: 20000501084001Z
aci: (target="ldap:///uid=timb,ou=Customers,o=fedup.com")(targetattr="*")(version 3.0; acl "unknown"; allow (all)(userdn = "ldap:///anyone");)
ou: Customers
mail:
userpassword: bakrudeen
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifytimestamp: 20000605084001Z
STEP 2: Loading(Import) the Ldif file in Netscape Directory Server:-
Once after creating the above sample LDIF File, it should be added in Netscape Directory Server.
It should be imported in order to add the neccessary atributes in the Netscape Directory server,
so that we can make use of the Common data.
Steps for Importing the LDIF file in the Directory Server:-
1) Create an instance of the Directory Server.
2) Bind it to the different port with different organizational unit
(Here in this program, it is 1124).
3) Press the Configuration from the menu.
4) Then select import from the Console menu.
5) Choose the LDIF file you are going to import.
6) There also you have to provide a file for rejected entries, ie it will list all the entries
which is not added while loading.
STEP 3: Creation of our own USER SCHEMA Files:-
It is necessary for adding the attributes which are not defined in the
Netscape directory server. In the above, customerid which is defined in ldif
file is not existing in the directory server.
Here is the Schema file for attributes:(ie for defining for eg customer id).
The name of the file is slapd.user_at.conf:-
attribute customerid customerid-oid cis single
attribute packageid packageid-oid cis single
attribute receivedate receivedate-oid cis single
attribute shipdate shipdate-oid cis single
attribute shipperid shipperid-oid dn single
attribute receiveid receiveid-oid dn single
#Java Attributes
# Schema for storing java objects and java object references
attribute javaClassName 1.3.6.1.4.1.42.2.27.4.1.1 ces single
attribute javaCodebase 1.3.6.1.4.1.42.2.27.4.1.6 ces
attribute javaSerializedData 1.3.6.1.4.1.42.2.27.4.1.7 bin single
attribute javaRemoteLocation 1.3.6.1.4.1.42.2.27.4.1.8 ces single
attribute javaFactory 1.3.6.1.4.1.42.2.27.4.1.4 ces single
attribute javaReferenceAddress 1.3.6.1.4.1.42.2.27.4.1.3 ces
Here is Schema file for your own object classes:-
The name of the file is Slapd.user_oc.conf:-
In the similar way as above there are no "customer" class in the object classes
defined in the LDAP, so we will have to create our own "customer" Object class.
Also it extends inetOrgPerson to add some new attributes such as "customerid".
The object class of an entry specifies what attributes are required and what
attributes are allowed in a particular entry.
Also for eg, Package classes in the object class is created.
Here is the sample file for creating the above:-
objectclass package
oid package-oid
superior top
requires
packageid,
receiveid,
shipdate,
shipperid
allows
description,
ou,
receivedate
objectclass customer
oid customer-oid
superior inetorgperson
requires
customerid
allows
c
#JAVA Schema
# Schema for storing java objects and java object references
objectclass javaContainer
oid 1.3.6.1.4.1.42.2.27.4.2.1
superior top
requires
cn
objectclass javaObject
oid 1.3.6.1.4.1.42.2.27.4.2.4
superior top
requires
javaClassName
allows
javaCodebase
objectclass javaSerializedObject
oid 1.3.6.1.4.1.42.2.27.4.2.5
superior javaObject
requires
javaSerializedData
objectclass javaRemoteObject
oid 1.3.6.1.4.1.42.2.27.4.2.6
superior javaObject
requires
javaRemoteLocation
objectclass javaNamingReference
oid 1.3.6.1.4.1.42.2.27.4.2.7
superior javaObject
requires
javaReferenceAddress,
javaFactory
STEP 4: Loading the USER SCHEMA files in Directory Server:-
All the attributes created above should be added to the corresponding directory server,
in order to make it as a common attribute.
Steps for adding the User Schema files to the Directory Server:-
1. Copy the above user schema files to the appropriate instance of Netscape Directory Server
created above so that the existing LDIF file which is used in the Netscape directory
server is not appended or overwritten.
2. For eg, put it in "NetscapeServer/slapd-HostName/config" to replace the empty
files "slapd.user_at.conf" and "slapd.user_oc.conf" by default.
3. Then restart the Directory Server.
STEP 5: Simple Servlet Program for BASIC AUTHENTICATION.
Here is the simple servlet program for Basic Authentication:-
Here the way the LDAP authentication works is by attempting to the server with a
DN and a password. No user in their right mind will remember their DN, so we use
some other attribute such as user-id. Then we search in the LDAP server to find
an entry that contains the attribute. Here we are maintaining SUBTREE_SCOPE using
JNDI, which starts its search starting from the base entry, and searches
everything below it including the base entry. Also I am maintaining Global
variables for LDAP setting.
// Importing the necessary Packages
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.naming.*;
import javax.naming.directory.*;
public class AuthServ extends HttpServlet {
// Here are our global variables of our LDAP Settings.
public static String MY_CUSTOMER_BASE = "ou=Customers,o=fedup.com";
public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
public static int MY_PORT = 1124;
public static String MY_HOST = "ldap://sundts1.india.sun.com:" + MY_PORT;
public static String MY_MGR = "cn=Directory Manager";
public static String MY_PWD = "password";
public static String MY_SEARCHBASE = "o=fedup.com";
Hashtable env = new Hashtable();
// Using the Get Method of Servlet
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
res.setContentType("text/html");
// To Check to See if there is any data in the "Authorization" Http header from the browser.
// If not it will prompt for username and password.
String auth = req.getHeader("Authorization");
// Do we allow the user
if (!allowedUser(auth) ) {
// Not Allowed, so report unauthorized
res.setStatus(res.SC_UNAUTHORIZED);
res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
// User is allowed in
else
// Using SSI to include and display the content of a Simple HTML Page
RequestDispatcher rd= this.getServletContext().getRequestDispatcher("/auth.html");
rd.include(req,res);
// This method checks to see whether the user exist in the LDAP database.
protected boolean allowedUser(String auth) throws IOException {
Hashtable env = new Hashtable();
boolean status = false;
try {
// No Authorization
if (auth == null) return false;
// Basic Authentication is Handled, Other possibilities are MD5 hash or SSL Certificates.
if (!auth.toUpperCase().startsWith("BASIC ")) {
return false; //only do BASIC
// Get encoded user and password, comes after BASIC
String userpassEncoded = auth.substring(6);
// Decode it, using any base 64 decoder
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
String userpassDecoded = new String(dec.decodeBuffer(userpassEncoded));
StringTokenizer st = new StringTokenizer(userpassDecoded,":");
String customerid = st.nextToken();
String pwd = st.nextToken();
Please Note:
LDAP Authentication works by attempting to bind to the server with a DN and a password.
No user will remember their DN so we use some other attribute such as user-id.
Then we search in the LDAP server to find an entry in the LDAP server to find an entry
that contains the attribute.
For a Secure System, we should use an attribute that will be unique per entry such as
uid, in our case the "customerid" attribute.
// Prepare for context
env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
env.put(Context.PROVIDER_URL, MY_HOST);
// Get a reference to a directory context
DirContext ctx = new InitialDirContext(env);
// Specify the scope of the search
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
// Perform the actual search
// We give it a searchbase, a filter and the constraints
// containing the scope of the search
NamingEnumeration results =
ctx.search(MY_CUSTOMER_BASE, "(customerid=" + customerid + ")", constraints);
String dn = null;
If it does not throw an exception,
then it is considered to be an Successful Authentication
// Now step through the search results
while (results != null && results.hasMore()) {
SearchResult sr = (SearchResult) results.next();
dn = sr.getName() + "," + MY_CUSTOMER_BASE;
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, dn);
env.put(Context.SECURITY_CREDENTIALS, pwd);
try {
DirContext ctx2 = new InitialDirContext(env);
status = true;
} catch (AuthenticationException e) {
log(e.toString());
} catch (NamingException x) {
log(x.toString());
return status;
STEP 6: Simple HTML file used in Servlet Program:-
Here is the Simple HTML File we are including in RequestDispatcher of the above program:-
<html>
<head>
<title> Authorisation</title>
</head>
<body>
<h1> Your Authorisation is Successful </h1>
</body>
</html>
I hope this will help you.
Thanks
Bakrudeen -
Hi,
Could someone please provide me with a good link for understanding Naming services and reportServer? And troubleshooting steps, logs to refer etc.
ThanksPlease briefly describe your problem. We'll try to indicate which forum will help you the most.
Typically 'Naming Service' means "translate the computer host name to an IP address" so that we can find the computer that contains some service we want to use. And typically, that is done by a translation file (/etc/hosts or C:\windows\system32\drivers\etc\hosts.) or by DNS (Dynamic Naming Services), which is a distributed-software database application that does the translation. Troubleshooting techniques will vary based on a lot of factors, including your network configuration.
However, the term may also be used 'find the right database' using Oracles "Transparent Network Substrate" as described in the 3 Oracle Networking books at http://www.oracle.com/pls/db102/portal.portal_db?selected=3#index-NET, with the TNSADMIN.ORA (in the Reference) being the most important one.
Your report server problem could fall either in the 'host name' or the 'database name' translation. If the latter, check 'Part 3' of the "Net Services Administrator's Guide"
Maybe you are looking for
-
How do I change my NAT settings?
WRT54GS router How do I change my NAT settings?
-
Which MacBook Pro is best for an online MBA program and face to face classes?
I'm going back to school for an MBA and going to pick up some certifications first. I'll be attending online classes and some face to face classes. How much MacBook Pro do I need? I'm in the HR community, and my MBA is in Global Managment if that
-
hi I need to pan an image horizontally to left instead of to right , is this possible ?
-
Could someone help me restore my photos? I was trying to "restore my database" in iPhoto when it shut down - now my thumbnails are distorted, logged under a new name, and when you click on a thumbnail it opens as another photo. I was following anot
-
Hi experts, Currently we are working as per below sequence Semifinished Goods (SFG) ->BOM ->MRP->Production Order->Material issue (261)->Order confirnation->Settlement->Issue to Prooduction Order of Finished goods (FG)(261) Some times users who confi