Some LDAP authentication specifics

We need to know some specifics about LDAP authentication on Portal. We are setting up an extranet that will serve several companies, each with their own user base. Ideally, we would like to set up a referral between each company's LDAP server and a central LDAP server that is set up to provide external authentication for Portal. However, this raises some questions:
1. Suppose that Company X has a user 'jdoe' whose fully-qualified LDAP entry is "o=Company X, cn=jdoe", while Company Y has a user 'jdoe' whose fully-qualified LDAP entry is "o=Company Y, cn=jdoe". This is perfectly acceptable (and expected) in LDAP, but can the Login Server handle this type of scenario?
2. Is it possible to map LDAP attributes to Portal groups so that once a user is entered into the LDAP server they are given the appropriate permissions in Portal automatically?
We have LDAP authentication successfully installed on our Portal instance, and initial testing seems to indicate that the answer to both of these questions is 'No'; however, I haven't found any detailed documentation to verify or disprove this. Any ideas?

The current version of the product will not support that without some changes. This is planned as a standard feature for the 9iAS v2 release.
In the 3.0.9 version of the Login Server, a PLSQL-based LDAP API package, SSOOID.PKB, is being provided unwrapped so that it can be used as a sample app for providing such extensions as customizations. Look for this, coming soon, to see if you can customize it to your needs. SSOOID.PKB is a replacement for SSOXLDAP.PKB which leverages direct PLSQL APIs to LDAP, available in Oracle 8.1.7. With this source code, you could have the package read configuration data that uses a different search root for each company.

Similar Messages

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built-in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with its own separate Host IP/Server and LDAP DN String. The User ID is formatted the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
    I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL -
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on a prior post I had a similar question and the result was to write a custom auth scheme to read the values from the login page, perform auth against the appropriate LDAP, then return a valid session to proceed with login in the apex app. In our case, the issue was having users in different branch nodes on the same LDAP server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per LDAP/domain; maybe you would even have to have multiple apps with just a login page and then redirect to the main app... it's been a really long time since I've tried anything like it, just giving some options to try.

  • ASA 8.2.5 LDAP authentication by memberof doesn't always work

    I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for. I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate, it's just that some of them don't pull the memberOf data in the LDAP query.
    Config:
    aaa-server AD protocol ldap
    aaa-server AD (inside) host btfs2
    ldap-base-dn dc=localdomain,dc=com
    ldap-scope subtree
    ldap-naming-attribute samAccountName
    ldap-login-password *****
    ldap-login-dn [email protected]
    server-type microsoft
    ldap-attribute-map VPNGroup
    ldap attribute-map VPNGroup
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol IPSec svc
    webvpn
      svc ask none default svc
    group-policy btvpn internal
    group-policy btvpn attributes
    banner value This is a private data network. All connections are logged and are subject to
    banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
    dns-server value 10.0.0.x 10.0.0.y
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol IPSec l2tp-ipsec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittun
    default-domain value localdomain.com
    webvpn
      svc keep-installer installed
      svc rekey time 120
      svc rekey method ssl
      svc ask enable default svc
    tunnel-group btvpn type remote-access
    tunnel-group btvpn general-attributes
    address-pool vpnpool
    authentication-server-group AD LOCAL
    default-group-policy NOACCESS
    tunnel-group btvpn webvpn-attributes
    group-alias webvpn enable
    tunnel-group btvpn ipsec-attributes
    pre-shared-key *****
    Non-working user:
    [1575] Session Start
    [1575] New request Session, context 0xd7fbf210, reqType = Authentication
    [1575] Fiber started
    [1575] Creating LDAP context with uri=ldap://10.0.0.x:389
    [1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
    [1575] supportedLDAPVersion: value = 3
    [1575] supportedLDAPVersion: value = 2
    [1575] Binding as [email protected]
    [1575] Performing Simple authentication for [email protected] to 10.0.0.x
    [1575] LDAP Search:
            Base DN = [dc=localdomain,dc=com]
            Filter  = [samAccountName=cmcbride]
            Scope   = [SUBTREE]
    [1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
    [1575] Talking to Active Directory server 10.0.0.x
    [1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
    [1575] Binding as cmcbride
    [1575] Performing Simple authentication for cmcbride to 10.0.0.x
    [1575] Processing LDAP response for user cmcbride
    [1575] Message (cmcbride):
    [1575] Authentication successful for cmcbride to 10.0.0.x
    [1575] Retrieved User Attributes:
    [1575]  objectClass: value = top
    [1575]  objectClass: value = person
    [1575]  objectClass: value = organizationalPerson
    [1575]  objectClass: value = user
    [1575]  cn: value = Chris McBride
    [1575]  sn: value = McBride
    [1575]  l: value = Tulsa
    [1575]  description: value = cmcbride non-admin test account
    [1575]  givenName: value = Chris
    [1575]  distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
    [1575]  displayName: value = Chris McBride
    [1575]  name: value = Chris McBride
    [1575]  objectGUID: value = ....5..L...[..K.
    [1575]  codePage: value = 0
    [1575]  countryCode: value = 0
    [1575]  primaryGroupID: value = 513
    [1575]  objectSid: value = ...............1...{C..2....
    [1575]  sAMAccountName: value = cmcbride
    [1575]  sAMAccountType: value = 805306368
    [1575]  userPrincipalName: value = [email protected]
    [1575]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
    [1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
    [1575] Session End
    Working user:
    [1585] Session Start
    [1585] New request Session, context 0xd7fbf210, reqType = Authentication
    [1585] Fiber started
    [1585] Creating LDAP context with uri=ldap://10.0.0.x:389
    [1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
    [1585] supportedLDAPVersion: value = 3
    [1585] supportedLDAPVersion: value = 2
    [1585] Binding as [email protected]
    [1585] Performing Simple authentication for [email protected] to 10.0.0.x
    [1585] LDAP Search:
            Base DN = [dc=localdomain,dc=com]
            Filter  = [samAccountName=cmcbride_a]
            Scope   = [SUBTREE]
    [1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
    [1585] Talking to Active Directory server 10.0.0.x
    [1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
    [1585] Read bad password count 0
    [1585] Binding as cmcbride_a
    [1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
    [1585] Processing LDAP response for user cmcbride_a
    [1585] Message (cmcbride_a):
    [1585] Authentication successful for cmcbride_a to 10.0.0.x
    [1585] Retrieved User Attributes:
    [1585]  objectClass: value = top
    [1585]  objectClass: value = person
    [1585]  objectClass: value = organizationalPerson
    [1585]  objectClass: value = user
    [1585]  cn: value = Admin Chris McBride
    [1585]  sn: value = McBride
    [1585]  description: value = PTC User, cjm 05312011
    [1585]  givenName: value = Chris
    [1585]  distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
    [1585]  instanceType: value = 4
    [1585]  whenCreated: value = 20110525173004.0Z
    [1585]  whenChanged: value = 20110619154158.0Z
    [1585]  displayName: value = Admin Chris McBride
    [1585]  uSNCreated: value = 6188062
    [1585]  memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
    [1585]          mapped to IETF-Radius-Class: value = btvpn
    [1585]          mapped to LDAP-Class: value = btvpn
    [1585]  memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
    [1585]          mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
    [1585]          mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
    [1585]  memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
    [1585]          mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
    [1585]          mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
    [1585]  memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
    [1585]  memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
    [1585]  memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
    [1585]          mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
    [1585]  uSNChanged: value = 6560745
    [1585]  name: value = Admin Chris McBride
    [1585]  objectGUID: value = ..Kj4..E..c.VCHT
    [1585]  userAccountControl: value = 512
    [1585]  badPwdCount: value = 0
    [1585]  codePage: value = 0
    [1585]  countryCode: value = 0
    [1585]  badPasswordTime: value = 129531669834218721
    [1585]  lastLogoff: value = 0
    [1585]  lastLogon: value = 129532463799841621
    [1585]  scriptPath: value = SLOGIC.BAT
    [1585]  pwdLastSet: value = 129508182041981337
    [1585]  primaryGroupID: value = 513
    [1585]  objectSid: value = ...............1...{C..2. ..
    [1585]  adminCount: value = 1
    [1585]  accountExpires: value = 9223372036854775807
    [1585]  logonCount: value = 90
    [1585]  sAMAccountName: value = cmcbride_a
    [1585]  sAMAccountType: value = 805306368
    [1585]  userPrincipalName: value = [email protected]
    [1585]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
    [1585]  dSCorePropagationData: value = 20110525174152.0Z
    [1585]  dSCorePropagationData: value = 16010101000000.0Z
    [1585]  lastLogonTimestamp: value = 129529717185508866
    [1585]  msTSExpireDate: value = 20110803160858.0Z
    [1585]  msTSLicenseVersion: value = 393216
    [1585]  msTSManagingLS: value = 92573-029-5868087-27549
    [1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
    [1585] Session End

    As far as your configuration is concerned it looks perfectly fine. As you mentioned, the difference between the working and non-working debugs is that in the non-working debugs we do not see the memberOf attribute being retrieved.
    The main reason could be that the username "[email protected]" with which you are performing the LDAP bind does not have sufficient privileges to retrieve all the attributes from all the users in the AD. This looks like a permission issue at the AD user level.
    One thing you can try on the AD is to "Delegate Control" to this user ([email protected]) to "Read all properties" for all users and not just a subset of users. Please get in touch with the AD Admin before making such a change on the AD.
    Here is an external link just to give an idea about delegation of control to "Read all properties":
    http://www.advproxy.net/ldapads.html
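The reply above reaches its verdict by eyeballing two long debug dumps. The script below is an added example (not from the thread or from Cisco) that does the same comparison mechanically: it groups `debug ldap 255` lines by session id, records whether the user bind succeeded, which `memberOf` values came back and which `IETF-Radius-Class` the ASA mapped them to, and then applies the posted configuration's rule (a `memberOf` equal to the `map-value` DN yields group-policy `btvpn`, anything else falls to the tunnel-group's `default-group-policy NOACCESS`). The sample debug text is a constructed, trimmed excerpt of the two sessions in the post; the group DN and policy names are the ones in the posted config.

```python
"""Triage `debug ldap 255` output for missing memberOf (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the two sessions in the post, trimmed to the lines
# the triage needs; real debug output carries many more attribute lines.
SAMPLE_DEBUG = """\
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575]  sAMAccountName: value = cmcbride
[1575]  primaryGroupID: value = 513
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585]  memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = btvpn
[1585]          mapped to LDAP-Class: value = btvpn
[1585]  memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585]  adminCount: value = 1
[1585]  sAMAccountName: value = cmcbride_a
"""

# Values taken from the posted ASA configuration.
MAPPED_GROUP_DN = "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com"
MAPPED_POLICY = "btvpn"       # map-value memberOf "<group DN>" btvpn
DEFAULT_POLICY = "NOACCESS"   # tunnel-group btvpn ... default-group-policy NOACCESS

LINE_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
ATTR_RE = re.compile(r"^(\w+): value = (.*)$")
MAPPED_RE = re.compile(r"^mapped to IETF-Radius-Class: value = (.*)$")


@dataclass
class Session:
    sid: str
    user: str = ""
    user_dn: str = ""
    authenticated: bool = False
    attrs: dict = field(default_factory=dict)         # attribute -> [values]
    radius_class: list = field(default_factory=list)  # mapped IETF-Radius-Class values


def parse_debug(text):
    """Group debug lines by session id and pull out the fields used below."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, body = m.group(1), m.group(2).strip()
        s = sessions.setdefault(sid, Session(sid))
        mapped = MAPPED_RE.match(body)
        attr = ATTR_RE.match(body)
        if body.startswith("User DN = ["):
            s.user_dn = body[len("User DN = ["):-1]
        elif body.startswith("Authentication successful for "):
            s.authenticated = True
            s.user = body.split()[3]
        elif mapped:
            s.radius_class.append(mapped.group(1))
        elif attr:
            s.attrs.setdefault(attr.group(1), []).append(attr.group(2))
    return list(sessions.values())


def effective_policy(session):
    """Group-policy the posted config ends up applying to an authenticated session."""
    if not session.authenticated:
        return None
    if MAPPED_GROUP_DN in session.attrs.get("memberOf", []):
        return MAPPED_POLICY
    return DEFAULT_POLICY


def diagnose(session):
    """One-line triage verdict for a session."""
    if not session.authenticated:
        return "bind failed; no attributes to evaluate"
    policy = effective_policy(session)
    if "memberOf" not in session.attrs:
        return ("authenticated but memberOf was not returned, so the user gets %s; "
                "check the ldap-login-dn account's read permission on this user object"
                % policy)
    if MAPPED_POLICY in session.radius_class:
        return "memberOf matched the attribute-map; group-policy %s" % policy
    return "memberOf returned but none matched %s; group-policy %s" % (MAPPED_GROUP_DN, policy)


def triage(text):
    """Return {session id: (user, verdict)} for every session in the debug text."""
    return {s.sid: (s.user, diagnose(s)) for s in parse_debug(text)}


if __name__ == "__main__":
    for sid, (user, verdict) in triage(SAMPLE_DEBUG).items():
        print("[%s] %s: %s" % (sid, user, verdict))
```

Run against a full `debug ldap 255` capture, the verdict for every session that authenticated without a `memberOf` line points at the same thing the reply does: the bind account's read permission on that particular user object, not the attribute-map.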

  • LDAP AUTHENTICATION- PLEASE HELP

    My client wants me to use LDAP for authentication. I'm new to this: I have written an Authentication bean, as follows.
    //Used to authenticate user from LDAP directory.
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.*;

    public class AuthBean {
        private boolean attempted;
        private String userName;
        private String password;

        public AuthBean() {
            attempted = false;
            userName = "";
            password = "";
        }

        //Getter methods.
        public String getUserName() {
            return this.userName;
        }

        public String getPassword() {
            return this.password;
        }

        //Setter methods.
        public void setUserName (String userName) {
            this.userName = userName;
            if (!this.userName.equals("") && !this.password.equals(""))
                attempted = true;
            else
                attempted = false;
        }

        public void setPassword(String password) {
            this.password = password;
            if (!this.userName.equals("") && !this.password.equals(""))
                attempted = true;
            else
                attempted = false;
        }

        //Checks to see if attempted.
        public boolean isAttempted() {
            return this.attempted;
        }

        /**
         * Given a username and password, authenticates to the directory.
         * Takes a String for username, String for password.
         * Calls getDN for the method.
         */
        public boolean ldapAuthenticate (String username, String pass) {
            // An empty password must be refused as well as a null one: a simple
            // bind with empty credentials is an anonymous bind and raises no
            // AuthenticationException, so it would otherwise count as success.
            // The password itself is deliberately not printed.
            if ( username == null || pass == null || pass.length() == 0 ) {
                System.out.println(" im here in the method");
                System.out.println(" user" + username);
                return false;
            }
            String dn = getDN(username);
            System.out.println(" dn" + dn);
            if ( dn == null)
                return false;
            // getDN() returns the entry name relative to the search base
            // "ou=it,o=hcfhe", so the whole base is appended to form the full DN.
            dn = dn + ",ou=it,o=hcfhe";
            //dn = dn + ",o=mu";
            System.out.println(dn);
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            //set variables for context
            Hashtable env = new Hashtable();
            env.put("com.sun.naming.ldap.trace.ber", System.err);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, pass);
            DirContext ctx;
            //make connection, catch errors thrown
            try {
                ctx = new InitialDirContext(env);
            } catch (AuthenticationException e) {
                System.out.println("Authentication Exception");
                return false;
            } catch (NamingException e) {
                e.printStackTrace();
                return false;
            }
            //close connection
            try {
                ctx.close();
            } catch (NamingException ne) {
                System.out.println(ne);
            }
            return true;
        }

        /**
         * This method checks for the username in the LDAP directory.
         * Takes a String.
         */
        public String getDN(String username) {
            String dn = "";
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            DirContext ctx;
            try {
                ctx = new InitialDirContext(env);
                SearchControls ctls = new SearchControls();
                ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Search for objects with these matching attributes. The username is
                // passed as a filter argument ({0}) so JNDI escapes any filter
                // metacharacters in it instead of letting them alter the query.
                String filter = "(uid={0})";
                NamingEnumeration results = ctx.search("", filter, new Object[] { username }, ctls);
                if ( results != null && results.hasMoreElements()) {
                    SearchResult sr = (SearchResult)results.nextElement();
                    dn = sr.getName();
                } else dn = null;
                ctx.close();
            } catch (AuthenticationException e) {
                System.out.println("Authentication Exception");
                return null;
            } catch (NamingException e) {
                e.printStackTrace();
                return null;
            }
            return dn;
        }
    }
    I have also done a validate.jsp, as follows.
    <%@page import="register.AuthBean"%>
    <jsp:useBean id ="AuthBean" class="register.AuthBean" scope="session"/>
    <%
        //boolean valid = false;
        String username = request.getParameter("user");
        //System.out.println("The username" + username);
        String password = request.getParameter("password");
    %>
    <jsp:setProperty name="AuthBean" property="userName" param="user" />
    <jsp:setProperty name="AuthBean" property="password" param= "password" />
    <%
        //boolean validate = false;
        String nn = AuthBean.getUserName();
        System.out.println(nn);
        String dn = AuthBean.getDN(username);
        System.out.println(dn);
        boolean validate = AuthBean.ldapAuthenticate(username, password);
        if(validate) {
            response.sendRedirect("../admin/Adminindex.jsp");
        } else {
            response.sendRedirect("Login.html");
        }
    %>
    At the moment I keep getting 'false' for validate, but there are no errors. I'm using Tomcat and Apache; do I need to configure either of these for LDAP? If so, can you show me some examples?
    Many thanks.

    Hi Irene,
    I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
    =====================================================================
    import javax.naming.directory.*;
    import javax.naming.ldap.*;
    import javax.naming.*;
    import java.util.*;

    /**
     * Insert the type's description here.
     * Creation date:
     * @author: Sajjad Alam
     */
    public final class LDAPConn {
        public static java.lang.Object Conn;

        /**
         * LDAPConn constructor comment.
         */
        public LDAPConn() {
            super();
        }

        /**
         * Insert the method's description here.
         * @return javax.naming.directory.DirContext
         */
        public static DirContext getConn() throws Exception {
            //Declarations of variables
            Hashtable env = new Hashtable(11);
            InitialLdapContext ctx = null;
            //==============LDAP Authentication of a given user stored in Active Directory=============
            System.out.println("Entered constructor for Ldap Context");
            //Initialize the Context Factory.
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
            try {
                // The following syntax is a standard way of authenticating users stored in LDAP
                // when the JNDI API is used.
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
                env.put(Context.SECURITY_CREDENTIALS, "password");
                System.out.println("Issuing request to authenticate the user and create an LDAP context");
                ctx = new InitialLdapContext(env, null);
                System.out.println("Got handle on Ldap Context");
                //==============Completed Authentication of user=============
                //==============Retrieving attribute data about a user stored in Active Directory==========
                //Here we will retrieve attributes of one of the users in LDAP ("cn=");
                //Declarations of variables
                String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
                Attributes userAttr = ctx.getAttributes(userInfo);
                Attribute orgUnitAttr = null;
                //Looping through the enumeration to obtain attribute data
                for (NamingEnumeration ae = userAttr.getAll(); ae.hasMore();) {
                    Attribute attr = (Attribute) ae.next();
                    if (attr.getID().equals("distinguishedName"))
                        orgUnitAttr = attr;
                    System.out.print(" Attribute: " + attr.getID());
                    //Print each value
                    for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                        System.out.println(" Value: " + e.next());
                    }
                }
                //============== Done retrieving attribute data about user==========
                //==============To find which organizational unit a user belongs provided we pass the user==========
                //This section of code uses the value from the "distinguishedName" attribute
                System.out.println("");
                Object parseOutOrgUnit = (Object) orgUnitAttr;
                System.out.println("We can obtain the organizational unit (Role) from the " + parseOutOrgUnit.toString());
                //======================================Done=============================
                // Close the context when we're done or you can close the connection where you are using this object.
                String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
                Attributes grAttr = ctx.getAttributes(grInfo);
                //Looping through the enumeration to obtain attribute data
                for (NamingEnumeration ae = grAttr.getAll(); ae.hasMore();) {
                    Attribute attr = (Attribute) ae.next();
                    System.out.print(" Attribute: " + attr.getID());
                    //Print each value
                    for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                        System.out.println(" Value: " + e.next());
                    }
                }
                //============== Done retrieving attribute data about the group==========
                System.out.println("");
                //======================================Done=============================
                ctx.close();
            } catch (Exception e) {
                System.out.println(e.getLocalizedMessage());
            }
            return ctx;
        }
    }

  • MS Active Directory LDAP Authentication/Locking Issue.

    Dear All,
    We are a software company; we have implemented an LDAP Authentication feature in our product using the Java API and it is working fine from our network environment.
    We have used the following things with the LDAP feature.
    1. User Authentication.
    2. Locking the account after exceeding the maximum attempts configured in Windows Server.
    Our main issue is: the LDAP feature is not working properly from our client's side. They are able to authenticate their LDAP user but are not able to lock the user account even though they have exceeded the maximum attempts from the login dialog of our product, while it is still working on our side.
    If anybody has any experience with this then please reply with a positive solution or any other information, such as whether a specific configuration is required for different versions of Windows and Active Directory Server etc.
    Does anybody know what the possibilities are for identifying and resolving this issue?
    Please help us if anybody has any experience with this.
    Please do the needful.
    Thanks,
    Mehul.

    Hi,
    Thanks for your reply.
    We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
    The following code checks whether the ADS user is valid or not.
    /**
     * Function checks whether ADSUser is valid user or not
     * @returns int value indicating result.
     */
    public int isValidADSUser() {
        Hashtable env = new Hashtable(5);
        Vector adsInfoVec = getADSInfo();
        env.put("java.naming.referral", "ignore");
        // env.put("java.naming.security.authentication", "simple");
        env.put(Context.SECURITY_AUTHENTICATION,"simple");
        String provider = "com.sun.jndi.ldap.LdapCtxFactory";
        env.put("java.naming.factory.initial", provider);
        //For handling Uncontinued reference found message of partial result exception
        // (Context.REFERRAL is the same key as "java.naming.referral", so this
        // overrides the "ignore" value set above.)
        env.put(Context.REFERRAL, "follow");
        env.put("java.naming.ldap.derefAliases", "always");
        env.put("java.naming.ldap.deleteRDN", "false");
        env.put("java.naming.ldap.attributes.binary", "");
        env.put(Context.PROVIDER_URL,
            "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
            (String) adsInfoVec.elementAt(1));
        // env.put("java.naming.security.principal",
        //     userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        env.put(Context.SECURITY_PRINCIPAL,
            userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        if (userPassStr == null) {
            userPassStr = "";
        }
        // A simple bind with an empty password is an anonymous bind, which the
        // server accepts without checking credentials (and without counting a
        // failed attempt), so it is reported as an authentication failure here.
        if (userPassStr.length() == 0) {
            return AUTHENTICATION_ERROR;
        }
        // env.put("java.naming.security.credentials", userPassStr);
        env.put(Context.SECURITY_CREDENTIALS, userPassStr);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.lookup("");
            //System.out.println(ctx.lookup(""));
            ctx.close();
        } catch (javax.naming.AuthenticationException ex) {
            ex.printStackTrace();
            return AUTHENTICATION_ERROR;
        } catch (javax.naming.PartialResultException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (javax.naming.CommunicationException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        } catch (NamingException e) {
            System.out.println("Failed to connect to ");
            e.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        return SUCCESS;
    }
    Result of this code from our company: we are able to authenticate the LDAP user and also lock the user account after exceeding the max failure attempts configured on the Windows Server.
    Result of this code from our client side: they are able to authenticate the LDAP user but the user account is not locked even though the max failure attempts configured on their Windows Server have been exceeded.
    Can you please help us if you have any experience with this, and suggest whether any other configuration is required on the Windows Server / Active Directory Server, or whether some other implementation is required to resolve this issue.
    Your optimistic reply is much appreciated.
    Thanks,
    Mehul Garnara.
    Edited by: [email protected] on Mar 6, 2008 10:24 PM
    Edited by: [email protected] on Mar 6, 2008 10:25 PM
    Edited by: [email protected] on Mar 6, 2008 10:25 PM
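Both Java snippets in this thread (the AuthBean `getDN()`/`ldapAuthenticate()` pair above and the `isValidADSUser()` method just posted) share two pre-bind defects: the search filter is built by string concatenation, and a simple bind is attempted as soon as the password is non-null. RFC 4513 defines a simple bind that carries a DN but an empty password as an unauthenticated bind, which servers accept without checking any credential, so such code reports success for an empty password and, on the lockout question, never registers a failed attempt. The following is an added example, not code from either poster: it implements RFC 4515 filter escaping and an explicit empty-credential refusal, and runs them against a constructed in-memory stand-in for the directory (`FakeDirectory`, with the AuthBean's `ou=it,o=hcfhe` base) so the unguarded and guarded flows can be compared side by side.

```python
"""Pre-bind checks for an LDAP simple-bind login (added example)."""
import re


class AuthenticationError(Exception):
    pass


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def uid_filter(username):
    """The posted getDN() built '(uid=' + username + ')'; this escapes the value first."""
    return "(uid=%s)" % escape_filter_value(username)


def check_credentials(username, password):
    """Return None if the pair may be sent to the server, otherwise the reason to refuse.

    Both posted snippets only test the password for null. RFC 4513 section 5.1.2
    makes a simple bind with a DN and an *empty* password an unauthenticated bind,
    which the server accepts without checking anything, so it must be refused
    client-side before any bind is attempted.
    """
    if not username:
        return "empty username"
    if password is None or password == "":
        return "empty password would be an unauthenticated (anonymous) bind"
    return None


class FakeDirectory:
    """Constructed stand-in for the server; not a real LDAP implementation."""
    BASE = "ou=it,o=hcfhe"   # search base used by the posted AuthBean

    def __init__(self, users):
        self.users = users   # uid -> password, plain text only because this is a stub

    @staticmethod
    def _value_to_regex(pattern):
        """Filter assertion value to regex: bare '*' is a wildcard, '\\xx' is a literal."""
        parts, i = [], 0
        while i < len(pattern):
            if pattern[i] == "\\" and i + 3 <= len(pattern):
                parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
                i += 3
            elif pattern[i] == "*":
                parts.append(".*")
                i += 1
            else:
                parts.append(re.escape(pattern[i]))
                i += 1
        return "".join(parts)

    def search_uid(self, filter_str):
        """Evaluate a '(uid=...)' filter the way a server would and return matching DNs."""
        m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
        if not m:
            return []
        rx = re.compile(self._value_to_regex(m.group(1)))
        return ["uid=%s,%s" % (uid, self.BASE) for uid in self.users if rx.fullmatch(uid)]

    def simple_bind(self, dn, password):
        """RFC 4513 semantics: an empty password yields an anonymous session, not an error."""
        if password == "":
            return "anonymous"
        uid = dn.split(",", 1)[0][len("uid="):]
        if self.users.get(uid) == password:
            return "authenticated"
        raise AuthenticationError("invalid credentials for %s" % dn)


def authenticate(directory, username, password, guard=True):
    """Search for the user's DN, then bind with it, as the posted AuthBean does.

    guard=True adds filter escaping and the empty-password refusal; guard=False
    reproduces the posted behaviour so the difference can be observed.
    """
    if guard:
        if check_credentials(username, password) is not None:
            return False
        flt = uid_filter(username)
    else:
        flt = "(uid=%s)" % username          # string concatenation, as posted
    hits = directory.search_uid(flt)
    if len(hits) != 1:                       # no user, or an ambiguous wildcard match
        return False
    try:
        outcome = directory.simple_bind(hits[0], password)
    except AuthenticationError:
        return False
    # The posted code returns true whenever the bind raised no exception; the
    # guarded version additionally requires a credentialed (non-anonymous) bind.
    return outcome == "authenticated" if guard else True
```

With JNDI the same two fixes are `ctx.search(base, "(uid={0})", new Object[]{username}, ctls)`, which escapes the argument for you, and a `pass.length() == 0` check before the bind; a server-side lockout counter can only ever be tested with binds that actually carry a password.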

  • OBIEE 11.1.1.5.0 ldap authentication provider

    Hi all,
    We are having a problem with OBIEE 11.1.1.5.0. We create a role and give some permissions to a folder in the catalog with that role. Then we log in with a user in that role, and the user is not able to see the contents of the folder until we restart the server. We have an LDAP authentication provider. Could this be related to that?

    Hi,
    @weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
    I tried something like :
    All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
    User From Name Filter: (&(cn=%u)(objectclass=user))
    the original was:
    All Users Filter: (&(uid=*)(objectclass=person))
    User From Name Filter: (&(uid=%u)(objectclass=person))
    and restarted the server but it did not work ...

  • Database Table and LDAP Authentication in the same repository?

    I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
    Thanks,
    -Matt

    Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
    1) LDAP "authentication" init block sets custom variable LDAP_USER
    2) Table "authentication" init block sets custom variable TABLE_USER
    3) Final authentication init block (the real one) sets USER variable using something like this:
    SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END
    FROM DUAL
    WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END = ':USER'
    Note how I use the CASE statement both to return the user value I want the USER variable to be set to and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init blocks and it worked fine for me. Give it a try and let me know how it goes.

  • Starting LDAP authentication

    I followed the "Configuring Oracle9iAS Portal for LDAP configuration" from the December 2000 white paper and I couldn't get the LDAP authentication to work using Oracle's OID. It just won't start.
    I get the following errors when I try to login using the sys account:
    Server is not up and running: blah.blah.com/389
    oracle.ldap.admin.common.SaveChangeException: server is not up and running: blah.blah.com/389
    at oracle.ldap.admin.Root.saveChanges(Root.java:805)
    at oracle.ldap.admin.Root.saveChanges(root.java:805)
    at oracle.ldap.admin.common.AdminPropView.saveChanges(adminPropView.java:710)
    at oracle.ldap.admin.client.propEditors.TabView.commit(Compiled Code)
    at oracle.ldap.admin.client.AdminUtil$logonCmds.run(AdminUtil.java:727)
    at java.lang.Thread.run(Thread.java:466)
    And after I try to log back in, it gives me a new set of errors:
    Server is not up and running: blah.blah.com/389
    oracle.ldap.admin.common.SaveChangeException: server is not up and running: blah.blah.com/389
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at oracle.ldap.admin.common.PropertyExcetion.<init>(PropertyExcetion.java:78)
    at oracle.ldap.admin.common.PropertyExcetion.<init>(PropertyExcetion.java:90)
    at oracle.ldap.admin.common.PropertyExcetion.<init>(SaveChangeException.java.java:39)
    at oracle.ldap.admin.common.PropertyExcetion.<init>(SaveChangeException.java.java:43)
    at oracle.ldap.admin.Root.saveChanges(root.java:805)
    at oracle.ldap.admin.common.AdminPropView.saveChanges(adminPropView.java:710)
    at oracle.ldap.admin.client.propEditors.TabView.commit(Compiled Code)
    at oracle.ldap.admin.client.propEditors.TabView.commit(Compiled Code)
    at oracle.ldap.admin.client.AdminUtil$logonCmds.run(AdminUtil.java:727)
    at java.lang.Thread.run(Thread.java:466)
    Can anyone help me out? I want to get the LDAP work with external authentication.

    Maybe some other LDAP (directory) server is running on the same port 389, and now this installer could not bind the same port. Hence the error, I guess. Please stop any other directory servers running on the same port 389. And uninstall/remove the partially installed iAS. Then install again; this should work.
    Please get back for any further information. Thanks for using our web forum.
    Rakesh.

  • WLS 10.0: Security: LDAP Authenticator

    hi,
    I'm using WLS 10.0 with the following security providers:
    - SQL Authenticator (for weblogic console users like system)
    - Identity Asserter (custom developed, takes care of AUTHENTICATION only)
    - LDAP Authenticator (out of the box, takes care of AUTHORIZATION only against a SUN ONE LDAP).
    Everything works fine except for the queries that the LDAP Authenticator provider generates.
    For each login, the provider performs these queries:
    a)
    [2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="objectclass=person"
    [2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600
    As you can see, the query returns 15,000 entries (which is the max items for results inside SUN ONE LDAP).
    b)
    [2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
    [2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
    This is the real query returning one single entry for the logged in user.
    Does anyone know why the LDAP Authentication provider generates the first query?
    cheers
    balz
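
    The two access-log pairs above are exactly the evidence a practitioner wants to find systematically: a `SRCH` whose filter enumerates the whole subtree, paired with a `RESULT` that hit the server size limit (`err=4`, sizeLimitExceeded) after 108 seconds. The following is an added example, not code from the post or from Sun ONE/WebLogic: it pairs `SRCH` and `RESULT` lines by `(conn, op)` in the line shape quoted above and flags searches that exceeded the size limit or returned more than a threshold number of entries. The log lines in it are constructed to match that shape (with `dc=example,dc=com` in place of the poster's base).

```python
"""Pair SRCH/RESULT lines from a Directory Server access log by (conn, op)
and flag searches that hit the size limit or returned a large result set.
Added example, not code from the original post; the line shape follows the
two pairs quoted in the post, the sample lines below are constructed."""
import re

# The leading "[" is optional because the first quoted line lost it when pasted.
SRCH_RE = re.compile(
    r'^\[?(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[?(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)')

SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded


def _is_enumeration(filter_text: str) -> bool:
    """True when no assertion narrows the search to a specific value:
    every (attr=value) item is either an objectclass test or a bare '*'."""
    assertions = re.findall(r'\(?([A-Za-z][\w;-]*)=([^()&|!]*)\)?', filter_text)
    return all(attr.lower() == "objectclass" or value.strip() == "*"
               for attr, value in assertions)


def find_unbounded_searches(lines, max_entries=1000):
    """Return one finding per SRCH/RESULT pair that tripped the size limit
    or returned at least max_entries entries."""
    pending, findings = {}, []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        srch = pending.pop((m["conn"], m["op"]), None)
        if srch is None:          # RESULT for something other than a SRCH (bind, etc.)
            continue
        err, nentries = int(m["err"]), int(m["nentries"])
        if err == SIZE_LIMIT_EXCEEDED or nentries >= max_entries:
            findings.append({
                "conn": int(m["conn"]), "op": int(m["op"]),
                "base": srch["base"], "filter": srch["filter"],
                "enumeration": _is_enumeration(srch["filter"]),
                "err": err, "nentries": nentries, "etime_ms": int(m["etime"]),
            })
    return findings


# Constructed sample in the shape of the post's two pairs, plus a third
# pair with a wildcard uid filter that stays under the server limit.
SAMPLE_LOG = """\
[2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="objectclass=person"
[2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
[2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
[2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600
[2007-11-22 12:05:00,000] conn=256294 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(uid=*)(objectclass=person))"
[2007-11-22 12:05:02,500] conn=256294 op=1 RESULT err=0 tag=0 nentries=2500 etime=2500 mem=14583600/46768128
""".splitlines()

if __name__ == "__main__":
    for f in find_unbounded_searches(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} err={f['err']} nentries={f['nentries']} "
              f"etime={f['etime_ms']}ms enumeration={f['enumeration']} filter={f['filter']}")
```

    The `enumeration` flag separates a per-user lookup that happens to return many entries from a filter that cannot return anything but the whole subtree; the first pair from the post is flagged on both counts, the `uid=ADLERAI1` pair is not flagged at all.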

    Hi
    1. Looking carefully at the following 3 lines in the server startup logs, after 2:20:39 PM GST the server waited for about 16 minutes, until 2:36:43, and then invoked the Force Shutdown. Possible reasons I gave below.
    ####<Feb 14, 2010 2:20:37 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142837729> <BEA-423101> <[console] Initializing the NetUIx container>
    ####<Feb 14, 2010 2:20:39 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142839433> <BEA-423120> <WEB-INF/client-classifications.xml file not found at uri [webapp]. Classifications functionality not enabled.>
    ####<Feb 14, 2010 2:36:43 PM GST> <Notice> <WebLogicServer> <ePIMSEDMS2> <AdminServer> <Thread-1> <<WLS Kernel>> <1266143803604> <BEA-000388> <JVM called WLS shutdown hook. The server will force shutdown now>
    2. Since you mentioned this worked fine and nothing else is changed over a year, the possible cause may be like this. Looks like you have some Documentum stuff (or webapp or modules) loaded on this server. I am not much familiar with EMC Documentum stuff, except that we use that as external Content Management repository for Portal Applications. Looking at the full thread dump for thread 0, looks like documentum code is trying to publish something or interact with its documentum server and may be it is not getting the response back. So make sure if any external systems that this WLS interacts are all up and running.
    HTH
    Ravi Jegga

  • Query related to LDAP Authentication

    Hi ,
    We are using LDAP Authentication. I found some users are not able to see particular dashboards.
    Users are telling us they have the position and the setup, and everything is OK, but they are still facing problems getting into dashboards and Answers.
    Please provide some solution.
    Thanks
    Kishor sethy
    PTP,Bangalore


  • Anybody got LDAP Authentication working?

    Hi all,
    I'm not sure if I am understanding the concept correctly, so I hope someone here can help clarify for me:
    1. I'm trying to get all my Linux desktops and servers to authenticate against eDirectory on my OES server. This is a new network (actually a lab network), and so the desktops (running OpenSUSE 12.2) and servers (running SLES11SP1) are newly installed, with no local users except for root.
    2. I set up LDAP authentication on desktops and servers using YaST, and using the LDAP browser I can see and browse the tree.
    3. When I login as an eDirectory/LDAP user, I assumed that a Home Directory and local user account would be created on the desktop and server, but this does not happen. Instead, I get an Authentication Failure.
    4. On OpenSUSE 12.2, which uses SSSD instead, I do not see any incoming LDAP request, so of course, that fails.
    5. On SLES11SP1, I also get an authentication failure (I have not done a DSTRACE to see if any incoming LDAP requests are received by the eDirectory/LDAP/OES11 server).
    So, my question is: do I need to create the user and/or home directory locally first (and the local user's username and password should match the eDirectory/LDAP one?), or is the local account created once LDAP authentication is successful? Or is there some other mechanism here?
    Thanks in advance for any help, and Happy Lunar New Year to all!

    You should not need to create the user first afaik, and while creating the home directory may be required the system may handle that as well; in any case, lacking a home directory is not a reason to normally prevent a successful login (though lacking one, if the system does not create one automatically, the user will probably get an error about not being able to change into their home directory).
    You did not mention LUM-enabling the relevant users; if not already done perhaps this is the problem, since a user that is not LUM-enabled will not have the uidNumber, gidNumber, loginShell, or other attributes associated with the posix* auxiliary classes, and therefore will not be valid users to the Linux machines. You mentioned not having done the ndstrace yet; start there as it should give you a good clue.
    Good luck.
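
    The reply's point is that a directory user the Linux host can bind as is not yet a user the host can log in: the entry also needs the posixAccount attributes. A quick way to check that before chasing it in ndstrace is to export the entry as LDIF and test it against the RFC 2307 schema requirements. The following is an added example, not LUM, NSS or PAM code: a small LDIF parser (folded lines and base64 values handled) plus a check that reports, per entry, what is missing for a POSIX login. The two entries in it are constructed, one LUM-style enabled and one not.

```python
"""Parse LDIF and report, per entry, what a Linux host needs before it can
treat the user as a POSIX account (the "LUM-enabled" attributes the reply
refers to). Added example, not NSS/PAM or LUM code; the RFC 2307
posixAccount MUST list is real, the LDIF below is constructed."""
import base64

POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307 posixAccount MUST
POSIX_WANTED = ("loginShell",)   # MAY in the schema, but a login without a shell is of little use


def parse_ldif(text: str) -> list:
    """Return a list of entries as {attribute_lowercase: [values]}, 'dn' included."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # RFC 2849 line folding
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_posix_readiness(ldif_text: str) -> dict:
    """Map each DN to the list of things still missing for a Linux login
    (empty list means the entry carries everything RFC 2307 requires)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        problems = []
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" not in classes:
            problems.append("objectClass: posixAccount")
        for attr in POSIX_MUST + POSIX_WANTED:
            if attr.lower() not in entry:
                problems.append(attr)
        for attr in ("uidNumber", "gidNumber"):  # present but unusable values
            for v in entry.get(attr.lower(), []):
                if not v.isdigit():
                    problems.append(f"{attr} not numeric: {v!r}")
        report[dn] = problems
    return report


# Constructed export: jdoe carries the posixAccount attributes, asmith does not.
SAMPLE_LDIF = """\
version: 1

dn: cn=jdoe,ou=users,o=lab
objectClass: inetOrgPerson
objectClass: posixAccount
cn: jdoe
sn: Doe
uid: jdoe
uidNumber: 600
gidNumber: 600
homeDirectory: /home/jdoe
loginShell: /bin/bash
description:: TFVNLWVu
 YWJsZWQ=

dn: cn=asmith,ou=users,o=lab
objectClass: inetOrgPerson
cn: asmith
sn: Smith
uid: asmith
"""

if __name__ == "__main__":
    for dn, problems in check_posix_readiness(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else ", ".join(problems))
```

    Feed it the output of an `ldapsearch -LLL` (or an iManager/ConsoleOne export) for the user that fails to log in; an entry that reports anything other than OK will be rejected by NSS before PAM ever sees the password, which is the "Authentication Failure" the poster describes.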

  • Why we use the LDAP Authentication over the DB authentication?

    Hi All,
    Why do we use LDAP authentication over DB authentication?
    Is there any specific reason for that?
    When we use LDAP, do we need DB authentication again, or is it optional?
    In the same case, with ADSI, is DB authentication optional or compulsory?
    Thanks in advance
    Tusar

    LDAP / AD authentication is useful if you already use it in your organisation and you'll find that most orgs have some form of user authentication already in place.
    Do users in your company have to log into their machines every morning? If so, why not use those credentials to control access to Siebel? It's a way of providing a single directory of employee authentication information available across applications, keeping maintenance and change costs down.
    When you use LDAP authentication, you specify an AD object that contains a set of DB authentication details so that the component can access the Siebel database. In Siebel 8, you can directly specify those details in the security profile. As such, you only then have to maintain a single set of DB specific authentication details: much easier to manage. You can always switch back to DB authentication if you want to, but you'd have to go through all users accounts and create them with the same login and password specified in AD.

  • LDAP authentication in BO XI3.1

    Hi All,
    We are using Bo XI R3.1 with FP 1.6. We are using LDAP authentication and have successfully implemented this in our Production environment. We are in the middle of testing a new LDAP "tree" that will be used in a different environment, and we are finding that the group search is not working correctly.
    It seems that even though we specify the Base LDAP Distinguished Name, BO seems to be ignoring that setting and starting at the LDAP ROOT to search for the group. This is causing an issue because when searching from the root, BO is finding some virtual directories which we don't want it to find.
    We were expecting BO to start searching from the base DN, but it is not. Is that something that should be working?
    For example we have set the Base LDAP Distinguished Name to "ou=mkt,dc=test123,dc=com". But, BO is starting from the top root level instead of searching only in the "mkt" tree
    Thanks in advance for your help.

    When we try to add a new group and run the update, we get this error: "The LDAP server could not complete this action because it requires more than the allowable number of referral hops. Please increase the maximum number of referral hops and click Update. Then, try again"
    I realize there is a setting that controls how many referral hops are used, but even if we set that to a very high number (in the thousands and hundreds of thousands), we still get the same error.
    So, it seems almost like it hits a loop due to the virtual directories.
    I talked with my LDAP team, as they did some tracing when we tried to add a group in. I asked them if what they saw was that BO was "looping". Here is what they are saying:
    "Yes, the BO query is looping. VDS presents a virtual view of the directory that merges in the Top Secret information. The problem is because BO is starting its search at the root of the tree, it is seeing both the original copy of the directory and the virtual copy that VDS presents."
    Thanks,
    V

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: mine, DOMAINA.LOCAL, and another trusted one, DOMAINB.LOCAL.
    I use LDAP authentication in AD to authenticate users (AnyConnect).
    Now I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want a direct connection with the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use the username "DOMAINB\userindomainb") when I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from the ASA, I get an error.
    I think I must use a username like "DOMAINB\userindomainb", but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153 Symptom: the ASA/PIX doesn't currently support LDAP Referral searches.
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!
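
    The two threads above are the two ways referral handling goes wrong: the ASA gets `resultCode 10 (Referral)` from DOMAINA's controller and, as the bug the poster quotes says, does not follow it; BusinessObjects follows them, but the VDS and the real directory refer to each other, so no hop limit, however large, ever terminates the search. The following is an added example, not ASA or BusinessObjects code: a referral chaser with a hop limit and a visited-set, run against a constructed in-memory directory that reproduces both situations (`max_hops=0` models a client that never chases). All hosts, DNs and user names in it are made up.

```python
"""Chase LDAP referrals with a hop limit and cycle detection against a
constructed in-memory directory. Added example, not ASA or BusinessObjects
code: it models the Referral (resultCode 10) the ASA post sees and the
referral loop the BO post describes; hosts, DNs and users are made up."""
from urllib.parse import urlsplit, unquote

REFERRAL = 10  # LDAP resultCode referral

# Which server holds which naming context, and which users live there.
DIRECTORY = {
    "dca.domaina.local": {"dc=domaina,dc=local": {"alice": "cn=alice,dc=domaina,dc=local"}},
    "dcb.domainb.local": {"dc=domainb,dc=local": {"bob": "cn=bob,dc=domainb,dc=local"}},
}
# Referral URLs a server hands back for a search it cannot satisfy locally.
REFERRALS = {
    # DOMAINA's controller points the client at DOMAINB's controller.
    ("dca.domaina.local", "dc=domaina,dc=local"): ["ldap://dcb.domainb.local/dc=domainb,dc=local"],
    # Two views of the same tree that point at each other: the VDS loop.
    ("vds.test123.com", "ou=groups,dc=test123,dc=com"): ["ldap://ldap.test123.com/ou=groups,dc=test123,dc=com"],
    ("ldap.test123.com", "ou=groups,dc=test123,dc=com"): ["ldap://vds.test123.com/ou=groups,dc=test123,dc=com"],
}


def simulated_search(host, base, uid):
    """One round trip: (0, entries) on success, (10, urls) for a referral."""
    held = DIRECTORY.get(host, {}).get(base, {})
    if uid in held:
        return 0, [held[uid]]
    if (host, base) in REFERRALS:
        return REFERRAL, REFERRALS[(host, base)]
    return 0, []


def chase_search(host, base, uid, max_hops, detect_loops=True):
    """Follow referrals up to max_hops. Returns ("ok", entries),
    ("hop_limit", hops) or ("referral_loop", hops)."""
    visited, hops = set(), 0
    while True:
        if detect_loops and (host, base) in visited:
            return "referral_loop", hops
        visited.add((host, base))
        code, payload = simulated_search(host, base, uid)
        if code != REFERRAL:
            return "ok", payload
        if hops >= max_hops:            # max_hops=0 behaves like a client that never chases
            return "hop_limit", hops
        hops += 1
        url = urlsplit(payload[0])      # follow the first URL only, as most clients do
        host, base = url.hostname, unquote(url.path.lstrip("/"))


if __name__ == "__main__":
    print("alice, no chasing  :", chase_search("dca.domaina.local", "dc=domaina,dc=local", "alice", 0))
    print("bob, no chasing    :", chase_search("dca.domaina.local", "dc=domaina,dc=local", "bob", 0))
    print("bob, one hop       :", chase_search("dca.domaina.local", "dc=domaina,dc=local", "bob", 1))
    print("VDS loop, 1000 hops:", chase_search("vds.test123.com", "ou=groups,dc=test123,dc=com", "bob", 1000, detect_loops=False))
    print("VDS loop, visited  :", chase_search("vds.test123.com", "ou=groups,dc=test123,dc=com", "bob", 1000))
```

    The hop counter alone only decides how long the loop runs before failing, which is what the BO poster saw when raising the setting into the hundreds of thousands; the visited-set stops it on the second hop and names the pair of servers that refer to each other, which is the information the LDAP team eventually found by tracing. A search base below the duplicated subtree, or a client that does not chase, avoids the cycle altogether.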

  • LDAP authentication in XI 3.1 FP 1.2

    Hi All,
    We are using Business Objects XI 3.1 FP 1.2 & configured LDAP Authentication on Win2003 OS.
    We have around 2800 groups & 13000 users. After restarting SIA it takes around 4hrs for the LDAP graph to refresh. When we try to login to Infoview or CMC using LDAP Authentication it gives error "Account Information Not Recognized: Timeout.". But enterprise authentication works fine immediately after restarting SIA. And subsequently after 4 hrs LDAP authentication also works fine.
    We have similar kind of setup in XIR2 & it works fine after 20-25 mins of restarting CMS.
    We have users across the world logging in and 4 hrs of downtime is not acceptable.
    Could you please help in this regard.
    Thanks in advance for your help.
    V

    You will need to work an issue like this through support. We will need CMS traces and maybe packet scans.
    I have not seen any issues with LDAP in XI 3.1 that would cause an 8X reduction in performance.
    Some tips that would help
    1) limit the use or avoid using dynamic or nested groups (they always reduce performance)
    2) If using multiple LDAP hosts use a load balancer or DNS redirect. Our failover delay is around a minute due to the fact that the CMS needs to maintain several live connections to the LDAP server.
    3) Reduce your total groups. Managing 2800 groups in the CMC is going to be a major undertaking for resources; as you mentioned, in XIR2 the graph still took over 20 minutes. Many of our customers create a few groups in their directory servers that match up with BO roles or enterprise groups. I know this isn't necessarily possible but it would keep things less problematic in the long run. If you can stay under say 500 groups (no dynamic or nested) the graph should finish in a minute or 2 tops.
    I don't think the 13K users is a problem I've seen many more than that.
    If none of the above is helpful then you will have to have an incident created in order to escalate in support.
    Regards,
    Tim
