SSL and LDAP authentication

I have installed iPlanet dirserver (5.1 sp1) on Solaris 8. I have Solaris 8 clients which should authenticate every user's ssh connection against this LDAP server.
I have done everything as described in the LDAP Setup and Configuration Guide (found on the sun.com website) and everything works fine if I don't use SSL.
What should I do to make SSL work?
I have installed SSL certificates etc., and when I make the dir server use SSL it works fine with the iPlanet console (the access log says SSL connection), but I can't get it to work from my clients.
My default port is 5001 and I have set the SSL port to 5002, but every time I change the client profile (configuring the client with the ldapclient command) to use port 5002, authentication doesn't work anymore. Actually, that ldapclient command doesn't work either. I can see in the access log that the client tries to open an SSL connection, but the server doesn't respond to it.
Can anyone help me on this?
Jani

I recently set up an iDS 5.1 LDAP server as a naming service for a couple of Solaris 9 clients. You must use the default SSL port (636); see http://docs.sun.com/db/doc/806-4077/6jd6blbdd?a=view .
In my case, I used a self-signed cert on the server. I then copied the cert7.db, key3.db and secmod.db files from the server to the /var/ldap directory on the clients. The files you want from the server are in the SERVER_ROOT/alias directory; specifically, slapd-id-cert7.db and slapd-id-key3.db are the ones you want, where id is the slapd server instance name, typically the host name of the computer.
HTH,
Roger S.
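As an added check written for this thread (not from the thread or from Sun's tooling), the Python below lints a Solaris native LDAP client profile for the two pitfalls above: a tls: authentication method pointed at a port other than 636, and the NSS certificate databases missing from /var/ldap. The `ldapclient list`-style sample, hostname and base DN are constructed.

```python
"""Lint a Solaris native LDAP client profile for the two SSL pitfalls in the
thread: a tls: authentication method aimed at a port other than 636, and NSS
certificate databases missing from /var/ldap on the client."""
import os
from typing import Dict, List, Optional, Set

LDAPS_PORT = 636
# The two databases Roger names as the ones the client needs; secmod.db may be
# copied alongside them but is not checked here.
REQUIRED_CERT_DBS = {"cert7.db", "key3.db"}

# Constructed sample in the shape of `ldapclient list` output (hostname and
# base DN are made up); the mismatch is deliberate: TLS on port 5002.
SAMPLE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap01.example.com:5002
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""


def parse_ldapclient_list(text: str) -> Dict[str, List[str]]:
    """Turn 'NAME= v1, v2' lines into {NAME: [v1, v2]}; repeated names accumulate."""
    profile: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        name, _, value = raw.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        profile.setdefault(name.strip(), []).extend(values)
    return profile


def uses_tls(profile: Dict[str, List[str]]) -> bool:
    """True when any configured authentication method is tls:<something>."""
    return any(m.startswith("tls:") for m in profile.get("NS_LDAP_AUTH", []))


def explicit_port(server: str) -> Optional[int]:
    """Return the port in 'host:port', or None when the default is implied.
    Bracketed IPv6 literals are not handled; the thread's servers are host names."""
    host, sep, port = server.rpartition(":")
    if sep and host and port.isdigit():
        return int(port)
    return None


def audit_tls_client(profile: Dict[str, List[str]], cert_files: Set[str],
                     cert_dir: str = "/var/ldap") -> List[str]:
    """Return findings for a TLS profile; an empty list means nothing to fix."""
    findings: List[str] = []
    if not uses_tls(profile):
        return findings  # plain simple bind: nothing SSL-specific to check
    for server in profile.get("NS_LDAP_SERVERS", []):
        port = explicit_port(server)
        if port is not None and port != LDAPS_PORT:
            findings.append(
                f"{server}: TLS client must use port {LDAPS_PORT}, not {port}; "
                f"the directory server's SSL port has to be {LDAPS_PORT} as well")
    for name in sorted(REQUIRED_CERT_DBS - cert_files):
        findings.append(
            f"{cert_dir}/{name} missing: copy SERVER_ROOT/alias/slapd-<id>-{name} "
            f"from the directory server and rename it to {name}")
    return findings


def cert_files_in(cert_dir: str = "/var/ldap") -> Set[str]:
    """File names present in the client's certificate directory (empty if absent)."""
    try:
        return set(os.listdir(cert_dir))
    except OSError:
        return set()


if __name__ == "__main__":
    profile = parse_ldapclient_list(SAMPLE_PROFILE)
    for finding in audit_tls_client(profile, cert_files_in()):
        print("FINDING:", finding)
```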

Similar Messages

  • XI 3.1 Client Tools and LDAP Authentication

    I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView), single sign-on and LDAP authentication are working correctly. However, when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc.), the error "Cannot access the repository (USR0013)" occurs with the following details:
    [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
    Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

    Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
    Take a look at note 1272536 (http://service.sap.com/notes)
    Regards,
    Stratos

  • Solaris 10 and LDAP Authentication

    We're trying to use LDAP authentication with Solaris 10 accounts and Sun One Java System Directory Server 5.2, where there won't be any /etc/passwd or /etc/group user entries (only entries for system accounts). The Sun One Java System Directory Server 5.2 is on a separate machine from the accounts. Both machines are running Solaris 10.
    I first ran the "idsconfig" utility to set up the VLV indexes, but I received an error on the "automountKey" index when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
    My next step is initializing the LDAP client, then configuring the pam.conf file to use pam_ldap, and finally importing all the users into LDAP with the required objectClasses and attributes for the authentication process (posixAccount, shadowAccount, etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do. All of our users' home paths will be under /export/home/username.
    Am I missing any steps?
    Does anyone have a step-by-step guide to using LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords and automounts for each user?
    Message was edited by:
    automount

    You may follow:
    http://web.singnet.com.sg/~garyttt/
    http://projects.alkaloid.net/content/view/15/26/
    http://blogs.sun.com/roller/resources/raja/ldap-psd.html
    http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
    http://www.thebergerbits.com/unix.shtml
    http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
    http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
    http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun (LDAP related docs)
    Gary

  • Weblogic Server 10.3.0 and LDAP authentication Issue

    Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine, but I am having an issue with authorization.
    I am not able to access the default WebLogic administrator console app using any of the LDAP users; I get a Forbidden message.
    It appears to me that the WebLogic Server is not pulling the proper groups from LDAP to which the user belongs.
    Can anyone please point me in the right direction to get this resolved?
    Thanks,
    STEPS
    Here are the steps I have followed:
    - Created a group called Administrators in OID.
    - Created a test user called uid=myadmin in the OID and assigned the above group to this user.
    - Added a new Authentication Provider to WebLogic and configured what is required to communicate with OID (the config.xml snippet is below):
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>OIDAuthentication</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
    <wls:port>1389</wls:port>
    <wls:principal>cn=orcladmin</wls:principal>
    <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
    <wls:credential-encrypted>removed from here</wls:credential-encrypted>
    <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
    </sec:authentication-provider>
    - Marked the default authentication provider as sufficient as well.
    - Re-ordered the authentication providers such that the OIDAuthentication is first in the list and the default one is last.
    - Looking at the log file, I see there are no groups returned for this user, and that is the problem in my opinion.
    <LDAP Atn Login username: myadmin>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <authenticate user:myadmin>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authentication succeeded>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <LDAP Atn Authenticated User myadmin>
    <List groups that member: myadmin belongs to>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <Result has more elements: false>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <login succeeded for username myadmin>
    - I see the XACML RoleMapper getRoles() only returning the Anonymous role as opposed to Admin (because the OID user is part of the Administrators group in OID, it should be returning Admin as far as I can tell). Here is the log entry that shows that:
    <XACML RoleMapper getRoles(): returning roles Anonymous>
    - I did an ldap search and found no issues in getting the results back:
    C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
    cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
    objectclass=groupOfUniqueNames
    objectclass=orclGroup
    objectclass=top
    END
    Here are the log entries:
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authentication succeeded>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
    <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
    <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <1291668685686> <BEA-000000> <Result has more elements: false>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <login succeeded for username myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
         Principal: myadmin
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
    <1291668685702> <BEA-000000> <Using Common RoleMappingService>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>>
    <1291668685702> <BEA-000000> <     Parent: null>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
    <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
    <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
    <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Roles:Anonymous>
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Direction: ONCE>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

    Okay, finally the issue is resolved. Here are the findings, to help others in case they run into the same issue.
    The OID version that we are using is not returning the groups the way WebLogic is building the ldapsearch command. We captured the LDAP traffic to go deeper and noticed the filters and attribute list that WLS was asking for. For example, the filter was like:
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
    It was the "cn" attribute that was causing the result set to be empty.
    From a command line we tried
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
    and got the results back.
    Then we started looking into the OID configuration, and one of my coworkers pointed me towards the orclinmemfiltprocess attribute in the cn=dsaconfig entry and told me that they had had a lot of issues in the past in relation to this attribute.
    So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list, and bingo, it worked!
    Since we needed groupofuniquenames in this list for performance/other reasons, we decided to use a different objectclass for our groups instead, i.e. orclGroup.
    Thanks everyone for showing interest in the problem and providing suggestions.
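As an added triage script written for this thread (not part of the post or of WebLogic's own tooling), the Python below reads security debug lines shaped like the ones quoted above and pulls out what the resolution turned on: the group-membership search, whether it came back empty, the groups the XACML role mapper actually saw, and the roles it granted, then states the diagnosis. The sample lines are a constructed excerpt modelled on the post's log.

```python
"""Triage WebLogic security debug lines (the DebugSecurityAtn/Atz style output
quoted in the thread) for one pattern: the LDAP bind succeeds, the
group-membership search under the group base DN comes back empty, so the XACML
role mapper sees only the implicit groups, grants Anonymous, and the console
request is denied."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the log lines in the post (DNs and timestamps
# follow the post; the selection and trimming of lines is ours).
SAMPLE_LOG = """\
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
"""

MSG_RE = re.compile(r"^<\d+> <BEA-\d+> <(.*)>$")  # message body inside the last <...>
GROUP_SEARCH_RE = re.compile(r'^search\("([^"]*)", "([^"]*)"')  # not "getDNForUser search("
SUBJECT_GROUPS_RE = re.compile(r"subject:group, (?:SC=\w+, )?Value=\[([^\]]*)\]")
ROLE_RE = re.compile(r"^XACML RoleMapper: accessing role (\w+): (GRANTED|DENIED)$")
DECISION_RE = re.compile(r"^XACML Authorization isAccessAllowed\(\): returning (\w+)$")


@dataclass
class Triage:
    authenticated: bool = False
    group_search: Optional[Tuple[str, str]] = None  # (group base DN, filter)
    group_search_empty: bool = False
    subject_groups: List[str] = field(default_factory=list)  # what the role mapper saw
    granted_roles: List[str] = field(default_factory=list)
    denied_roles: List[str] = field(default_factory=list)
    decision: Optional[str] = None


def message_bodies(log: str) -> List[str]:
    """Strip '<timestamp> <BEA-id>' and keep only single-line message bodies."""
    matches = (MSG_RE.match(line.strip()) for line in log.splitlines())
    return [m.group(1) for m in matches if m]


def triage(log: str) -> Triage:
    t = Triage()
    in_group_lookup = False  # between 'List groups that member' and the result line
    prev_was_search = False
    for body in message_bodies(log):
        if body == "authentication succeeded":
            t.authenticated = True
        elif body.startswith("List groups that member:"):
            in_group_lookup = True
        if in_group_lookup:
            m = GROUP_SEARCH_RE.match(body)
            if m:
                t.group_search = (m.group(1), m.group(2))
                prev_was_search = True
                continue
            if body == "Result has more elements: false":
                # 'false' directly after the search line: the result set was empty.
                t.group_search_empty = prev_was_search
                in_group_lookup = False
            prev_was_search = False
        m = SUBJECT_GROUPS_RE.search(body)
        if m and not t.subject_groups:
            t.subject_groups = [g.strip() for g in m.group(1).split(",") if g.strip()]
        m = ROLE_RE.match(body)
        if m:
            roles = t.granted_roles if m.group(2) == "GRANTED" else t.denied_roles
            if m.group(1) not in roles:
                roles.append(m.group(1))
        m = DECISION_RE.match(body)
        if m:
            t.decision = m.group(1)
    return t


def diagnose(t: Triage) -> str:
    """One-line reading of the triage, in the order a reviewer would check it."""
    if not t.authenticated:
        return "no successful LDAP bind recorded: check user base DN, user filter and credentials first"
    if t.group_search and t.group_search_empty and t.granted_roles == ["Anonymous"]:
        base, flt = t.group_search
        return (f"bind ok, but the membership search under '{base}' with filter {flt} "
                f"returned no groups; the role mapper only saw {t.subject_groups} and granted "
                f"Anonymous. Re-run that filter with the same requested attributes via "
                f"ldapsearch: a hit there but not here points at server-side filter handling "
                f"for the group objectclass")
    if t.decision == "DENY":
        return f"bind ok with roles {t.granted_roles}, yet access was denied: check the resource policy"
    return "no problem pattern detected"


if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```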

  • Database Table and LDAP Authentication in the same repository?

    I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
    Thanks,
    -Matt

    Another thing to try is this. I don't have an LDAP server here, but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have conditional Init Blocks. Also, you can't have two init blocks setting the same variable (USER in our case). But what you can do is have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
    1) LDAP "authentication" init block sets custom variable LDAP_USER
    2) Table "authentication" init block sets custom variable TABLE_USER
    3) Final authentication init block (the real one) sets USER variable using something like this:
    SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END
    FROM DUAL
    WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
    ELSE ':TABLE_USER'
    END = ':USER'
    Note how I use the CASE statement both to return the value I want the USER variable to be set to and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init blocks and it worked fine for me. Give it a try and let me know how it goes.

  • DBConsole (DBControl) and LDAP authentication

    Does anyone know if it is possible to use LDAP authentication to log in to the DBConsole? I have a user "identified globally as 'cn=username,dn=...'" who can log in to the database locally and remotely through SQL*Plus but gets an ORA-01017 when trying to log in to the DBConsole.
    Any help greatly appreciated.
    Rgds,
    Barry Winterbottom


  • Web Service, SSL and Client Authentication

    I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
    The test page requires my certificate (firefox asks me to choose the certificate) the response page of the web service returns this error:
    java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
    Has anyone used web services with SSL client authentication?
    Any clue why?
    Regards

    Any comment?
    Thank you.

  • Interface creation and LDAP authentication ...

    Hi...All SAP friends,
    i have to work on an interface creation with the following specifications:
    1. SAP Enterprise Portal gives us an URL which contains UserID
    2. You have to create an interface to read the URL,
    3. Connect to LDAP server...from there come to know whether it is external or internal user, meaning if it exist in LDAP it is internal otherwise it is external user
    4. If the user id is internal, interface has to create a file and place it at a particular location & create a webservice for this and expose to EP
    5. if not it should give an alert saying it is an external user id
    Please help me out how to start and what to do..!
    Thank you.

    Hi,
    These are the main steps,
    ***Assume that you know the basics of authentication methods and how to define them in Apex.
    01. Create a function to authenticate the user:
    a. Check on the database whether the user exists
    b. If it exists, then authenticate that user with LDAP
    c. If the user does not exist or authentication failed, then return false
    d. If the user exists and authentication succeeded, then return true
    Signature of the function:
    FUNCTION <function name> (p_username VARCHAR2, p_password VARCHAR2)
    RETURN BOOLEAN;
    * Make sure that you do both inside the one procedure
    02. Create another function to check the page level authorization (if you need page level verification; but if all users have the same permissions on the application this is not necessary)
    03. Create a new authentication
    a. Go to Application Builder
    b. Shared Components
    c. Authentication Schemes (under Security)
    d. Click "Create"
    e. Select "From Scratch"
    f. Proceed with the wizard and define "*Page Sentry Function*" (only when you have page level authorization, see 02 above) and "*Authentication Function*"
    04. Set the new authentication scheme to current
    a. Go to the "*Change Current*" tab
    b. Select the new scheme from the list
    c. Click Next and proceed with the wizard.
    Thanks,
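    An added example (not from the reply above or from Oracle's documentation) of what the authentication function in step 01 can look like in PL/SQL: it checks the application's own user table first, then verifies the password with an LDAP simple bind over SSL as the user's own DN. The table name APP_USERS, the directory host, wallet path and DN pattern are assumptions and must be replaced with your own values.

```sql
-- Added example: Apex authentication function for the steps above.
-- Assumptions (hypothetical): table APP_USERS(USERNAME) lists the users
-- allowed into the application; host, wallet and DN pattern are placeholders.
CREATE OR REPLACE FUNCTION app_authenticate (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    l_count      PLS_INTEGER;
    l_session    DBMS_LDAP.session;
    l_retval     PLS_INTEGER;
    l_user_dn    VARCHAR2(1000);
    -- Placeholders: replace with your directory's values.
    c_ldap_host  CONSTANT VARCHAR2(255) := 'ldap.example.com';
    c_ldap_port  CONSTANT PLS_INTEGER   := 636;   -- LDAPS
    c_wallet     CONSTANT VARCHAR2(255) := 'file:/path/to/wallet';  -- holds the CA cert
    c_wallet_pwd CONSTANT VARCHAR2(255) := 'wallet-password-placeholder';
    c_dn_pattern CONSTANT VARCHAR2(255) := 'uid=%USER%,ou=people,dc=example,dc=com';
BEGIN
    -- Empty credentials are rejected up front: an LDAP simple bind with an
    -- empty password is an anonymous bind and would "succeed" for any user.
    IF p_username IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Only plain account names are accepted, so the username cannot inject
    -- extra RDN components when it is spliced into the bind DN below.
    IF NOT REGEXP_LIKE(p_username, '^[A-Za-z0-9._-]{1,64}$') THEN
        RETURN FALSE;
    END IF;

    -- Step a/c: the user must be provisioned in the application table.
    SELECT COUNT(*) INTO l_count
      FROM app_users
     WHERE UPPER(username) = UPPER(p_username);
    IF l_count = 0 THEN
        RETURN FALSE;
    END IF;

    -- Step b: verify the password by binding to the directory as the user.
    -- use_exception makes every DBMS_LDAP failure raise, so one handler
    -- below covers connect, TLS and bind errors uniformly.
    DBMS_LDAP.use_exception := TRUE;
    l_session := DBMS_LDAP.init(c_ldap_host, c_ldap_port);

    -- sslauth = 2: one-way SSL, the server certificate is validated against
    -- the CA in the wallet, so the password is never sent in clear text.
    l_retval  := DBMS_LDAP.open_ssl(l_session, c_wallet, c_wallet_pwd, 2);

    l_user_dn := REPLACE(c_dn_pattern, '%USER%', p_username);
    l_retval  := DBMS_LDAP.simple_bind_s(l_session, l_user_dn, p_password);

    -- Step d: bind succeeded, so the password is correct for this DN.
    l_retval := DBMS_LDAP.unbind_s(l_session);
    RETURN TRUE;
EXCEPTION
    WHEN OTHERS THEN
        -- Any directory error (unreachable host, bad certificate, wrong
        -- password) is treated as a failed login; never fall through to TRUE.
        BEGIN
            l_retval := DBMS_LDAP.unbind_s(l_session);
        EXCEPTION
            WHEN OTHERS THEN NULL;
        END;
        RETURN FALSE;
END app_authenticate;
/
```

    Register app_authenticate as the "Authentication Function" in step 03f; Apex supplies p_username and p_password from the login page.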

  • AIR-WLC2106-K9 and ldap authentication

    Is it possible to authenticate wireless clients using a external openldap server running on CentOS?

    You can do that either with local EAP where LDAP as a backend server OR a web-authentication where LDAP is the backend auth server.

  • Acrobat JavaScript Doc.SaveAs using "CHTTP", SSL, and PKI Authentication

    I'd like to load a client PKI certifricate into a Doc.SaveAs() SSL URL.  IE and Firefox do this fairly easily.  How can Acrobat do it?
    Thanks for reading.

    HI, Irosenth,
    from the API document, it does say
    saveAs    5.0    S    S
    Saves the file to the device-independent path specified by the required parameter, cPath. The file is not saved optimized for the web. Beginning with Acrobat 6.0, the document can be converted to another file type (other than PDF) and saved as specified by the value of the cConvID parameter.
    Note: This method can only be executed during a batch or console event. See Privileged versus non-privileged context for details. The event object contains a discussion of JavaScript events.
    (Adobe Reader S): This method is available in Adobe Reader for documents that have Save usage rights.
    What does the underlined sentence mean? does it mean it should work on reader as well?

  • How do I bind to directory server with SSL and authentication?

    I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
    Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
    Here are the problems:
    1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
    2) I was never prompted to authenticate for the directory binding.
    So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
    What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
    Thank you.

    You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
    Cheers,
    Vikas

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application
    source, knowing what OS & hardware you're using etc. You might want to
    try running with different JVM versions to see if it's actually the VM
    that is the problem. If you have a support contract with BEA you could
    ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
    application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
    seems to happen on loading the machine..the performance progressively gets worse
    and after a couple of seconds, all the threads stop responding. I checked the
    heap, cpu and the idle threads in the execute queue and there is nothing there
    to trigger alarms...there are quite a few idle threads still and the heap and
    the cpu utilization seem OK. On doing a thread dump, I see that all the other
    threads seem to be in a state where they are waiting for data from LDAP and it
    is basically read only data that they are waiting on.
    Does anyone know what it is going on and help point me in the right direction.
    -Ayub

  • Crystal Report LDAP authentication with SSL to Business Objects XI 3.1 SP3

    Hi,
    Here is the issue
    Business Objects XI 3.1 SP3
    Crystal report 2008
    LDAP is configured with SSL and working great within BO.
    In Crystal report 2008, enterprise authentication worked, but not LDAP with SSL; I got "Security plugin error: Failed to set parameters on plugin."
    If I try LDAP with no SSL, everything's fine.  Do I have to set up something on the "workstation" side to be able to use LDAP with SSL?
    *I already tried to disable firewall
    Thanks for your help

    Hi,
    check SAP Notes 1320510 and 1272536
    Hope that helps.
    Regards
    -Seb.

  • WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

    Hi,
    I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, I get errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
    In Wireshark I see only one HTTP request to connect to the proxy, with NTLM Message Type NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer: the connection is not closed and a second request with NTLMSSP_AUTH is sent.
    Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
    I based my code on the HttpCalculatorWithKerberosOverSslClientExample.
    Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM and WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
    Any idea?
    Thanks
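The post above describes the NTLM proxy handshake (NEGOTIATE, then a 407 carrying the challenge, then AUTHENTICATE) and observes the proxy closing the connection after the first 407. As an added example, not code from the poster or from WWSAPI, the following Python models the proxy side of that exchange from a diagnostic standpoint: it parses the NTLMSSP message type out of the Proxy-Authorization header and keeps the challenge state per TCP connection, so a client that reconnects between the two messages never reaches 200. The tokens are constructed framing only (signature plus message type), not real NTLM messages; the connection ids are constructed labels.

```python
import base64
import struct
from typing import Dict, Optional, Tuple

# NTLMSSP message framing (MS-NLMP): 8-byte signature, then a little-endian
# uint32 MessageType at offset 8. 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE, NTLMSSP_CHALLENGE, NTLMSSP_AUTH = 1, 2, 3


def ntlm_message_type(proxy_authorization: Optional[str]) -> Optional[int]:
    """Return the NTLMSSP MessageType carried in a 'Proxy-Authorization: NTLM <base64>'
    header value, or None when the header is absent, not NTLM, or malformed."""
    if not proxy_authorization:
        return None
    scheme, _, token = proxy_authorization.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def ntlm_token(message_type: int) -> str:
    """Constructed header value carrying only the NTLMSSP framing (no real fields),
    enough to drive the state machine below; it is not a usable NTLM message."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", message_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode("ascii")


class NtlmProxy:
    """Proxy side of the 407 handshake. NTLM over HTTP is connection-oriented:
    the challenge is remembered per TCP connection, so an AUTHENTICATE message
    arriving on a connection that never received the challenge is rejected."""

    def __init__(self) -> None:
        self._challenged: set = set()  # connection ids that were sent a CHALLENGE

    def handle(self, conn_id: str, proxy_authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
        mtype = ntlm_message_type(proxy_authorization)
        if mtype == NTLMSSP_NEGOTIATE:
            self._challenged.add(conn_id)
            # The challenge goes back in Proxy-Authenticate; the connection must stay open.
            return 407, {"Proxy-Authenticate": ntlm_token(NTLMSSP_CHALLENGE), "Connection": "keep-alive"}
        if mtype == NTLMSSP_AUTH and conn_id in self._challenged:
            self._challenged.discard(conn_id)
            return 200, {}
        # No token, a malformed one, or AUTH without a prior challenge on this connection.
        return 407, {"Proxy-Authenticate": "NTLM", "Connection": "close"}


def run_handshake(reuse_connection: bool) -> int:
    """Drive a client through NEGOTIATE then AUTHENTICATE; return the final HTTP status."""
    proxy = NtlmProxy()
    status, headers = proxy.handle("conn-1", None)  # first, unauthenticated request
    assert status == 407 and headers["Proxy-Authenticate"] == "NTLM"
    status, headers = proxy.handle("conn-1", ntlm_token(NTLMSSP_NEGOTIATE))
    assert status == 407 and ntlm_message_type(headers["Proxy-Authenticate"]) == NTLMSSP_CHALLENGE
    # A client that reconnects between the two messages never completes the handshake.
    conn = "conn-1" if reuse_connection else "conn-2"
    status, _ = proxy.handle(conn, ntlm_token(NTLMSSP_AUTH))
    return status


if __name__ == "__main__":
    print("same connection:", run_handshake(True))   # 200
    print("new connection: ", run_handshake(False))  # 407
```

When reading a capture like the one in the post, the thing to check is whether the AUTHENTICATE request (if any) goes out on the same TCP connection that received the challenge; the model above shows why a fresh connection is answered with a bare 407 again.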


  • Authenticating against both RDBMS and LDAP in WL6.0

    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate via LDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked to be
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt

    We are currently deployed on WL5.1 with a similar situation as you and in
    the process of migrating to WL6. We are Authenticating against LDAP and
    Authorizing against RDBMS. But I can't see how you could tell it to go
    one way for certain users and another for other users.
    The delegatingrealm in WL5 was intended to split the responsibility of
    Authenticating to one source and Authorization to another. To make this
    work for your Application of splitting internal and external users
    security, I suppose you can do it if you can somehow pass the information
    to the Security Realm the type of the user that is logging in. Maybe you
    can make this code a part of the userid, such as ext_userID or int_userID.
    Doing this will allow you to filter where the users are coming from
    and direct them to the appropriate security realm.
    As far as WL6 goes, the Delegating realm class is no longer available
    since the security model for WL6 is different from WL5. But you can take
    a look at what they did with the RDBMSrealm example and use that. This is
    what we did to make our Security work in WL6. However, you can no longer
    store ACLs in the RDBMS realm in WL6.
    Hope this helps.

    You will need to create a Custom Realm which delegates to both your RDBMS
    and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
    "Jonathan Thompson" <[email protected]> wrote in message
    news:3accf1a3$[email protected]..
    Hi,
    We are designing a webapp that will be accessible to both internal and
    external users. For internal users, we would like to authenticate via LDAP;
    for external users we would like to use RDBMS. In WL5.1, this looked to be
    possible with the DelegatingRealm, however this has been removed in WL6.0.
    Two questions:
    1) Why was it removed?
    2) How can we get this functionality in WL6.0?
    Thanks much for your help,
    -jt
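The replies above suggest tagging the userid (ext_ or int_) so that a custom realm can send each login to the right store, with LDAP for internal users and the RDBMS for external ones. As an added illustration, not code from the thread or from WebLogic's realm API, here is a Python sketch of such a delegating realm. The in-memory directory standing in for an LDAP bind, the SQLite users table, the dc=example,dc=com DN layout and the account names are all constructed; a real realm would perform an LDAP simple bind over SSL/TLS and query the production database instead.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed stand-in for the internal LDAP directory (DN -> password). In a real
# realm this would be an LDAP simple bind over SSL/TLS, not a dictionary lookup.
INTERNAL_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": b"alice-secret",
}


def ldap_bind(user: str, password: str) -> bool:
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    stored = INTERNAL_DIRECTORY.get(f"uid={user},ou=people,dc=example,dc=com")
    return stored is not None and hmac.compare_digest(stored, password.encode("utf-8"))


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the RDBMS realm stores only salt + derived key, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_rdbms() -> sqlite3.Connection:
    """In-memory SQLite users table with one constructed external account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pwhash BLOB NOT NULL)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("bob", salt, derive("bob-secret", salt)))
    db.commit()
    return db


def rdbms_check(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Verify an external user against the salted hash stored in the RDBMS."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE username = ?", (user,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)  # same cost for unknown users, so timing does not leak usernames
        return False
    salt, pwhash = row
    return hmac.compare_digest(derive(password, salt), pwhash)


class DelegatingRealm:
    """Routes 'int_<user>' logins to LDAP and 'ext_<user>' logins to the RDBMS.
    A login with no recognised tag is rejected rather than tried against both stores."""

    def __init__(self, db: sqlite3.Connection) -> None:
        self.db = db

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Return the authenticated principal ('ldap:<user>' or 'rdbms:<user>') or None."""
        tag, sep, user = login.partition("_")
        if not sep or not user:
            return None
        if tag == "int":
            return f"ldap:{user}" if ldap_bind(user, password) else None
        if tag == "ext":
            return f"rdbms:{user}" if rdbms_check(self.db, user, password) else None
        return None


if __name__ == "__main__":
    realm = DelegatingRealm(build_rdbms())
    print(realm.authenticate("int_alice", "alice-secret"))  # ldap:alice
    print(realm.authenticate("ext_bob", "bob-secret"))      # rdbms:bob
    print(realm.authenticate("ext_alice", "alice-secret"))  # None
```

The routing is deliberately strict: an external tag is never retried against LDAP and an untagged login is refused, so a user cannot pick the more lenient store by choosing the prefix.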
