User and group handling in LDAP Realm

Hi,
I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
Any help much appreciated.
Dave

Hi Dave:
In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication
logic and user management logic.
Fun
Dave Horner wrote:
Hi,
I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
Any help much appreciated.
Dave

Similar Messages

Creating OAAM users and groups in external LDAP i.e. OID

Hi Experts,
I am looking for the procedure to create OAAM users and groups in external LDAP i.e. OID.
I am using 11gR2.
Any pointers would be appreciated.
Regards,
Subin

Check this link http://docs.oracle.com/cd/E27559_01/dev.1112/e27206/lcm.htm#autoId3

Retrieving user and group information from LDAP using j_securrity_check

Hi
I am using j_security_check to authenticate users against LDAP. I have made all necessary configuration for the server to perform LDAP group search as well as mentioned in the WAS documentation of LDAP settings. Now, how can I retrieve the user and the user group info after the j_secuirty_check. Apart from the UserPrincipal object which I can get from the request which just has the user name, is there any other object which will give me the user and user group info by which I need to connect to LDAP using my java code to retrieve these informations?
Regards
Deepak

Hi
I am using j_security_check to authenticate users
against LDAP. I have made all necessary configuration
for the server to perform LDAP group search as well
as mentioned in the WAS documentation of LDAP
settings. Now, how can I retrieve the user and the
user group info after the j_secuirty_check.
Apart
from the UserPrincipal object which I can get from
the request which just has the user name, is there
any other object which will give me the user and user
group info by which I need to connect to LDAP using
my java code to retrieve these informations?Hmm, you don't need the user group info to connect to the LDAP server, right? You would need the user's Id (which you have) and password (which you don't). You could use the LDAP credentials and bind as that to look up the user info via the user id. Or if the server is set up to allow anonymous bind you could do it without credentials. But if all you want is group info then you should be able to call Security.getCurrentSubject().getPrincipals() to get the user principal as well as all groups (this is true in BEA WebLogic at least).
Good Luck
Lee

LDAP Users and Groups

Hi,

I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:

com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.


It seems that this needs to be setup. How do I do this?


Some general notes on LDAP:

I think that in a production environment it is of great value to manage users and groups in a LDAP directory. For instance we have a company directory which contains all users. It seems that users from LDAP can not been added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
As in previous weblogic releases the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually managing LDAP users and groups in one place would be a tremendous improvement for us.

Another thing on my wishlist are examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out of the box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.

It would be interesting to read what Bea and other developer think about this.

Kind regards,

Kai


Marcus,
Yes, I am using 9.2 TP.
We are already using LDAP for user management with 8.1.
Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
java.lang.NullPointerException at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746) at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235) at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122) at util.tree.TreeController.constructTree(TreeController.java:142) at util.tree.TreeController.buildTree(TreeController.java:422) at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source) at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285) at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336) at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)
java.lang.NullPointerException
java.lang.NullPointerException
at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
at util.tree.TreeController.constructTree(TreeController.java:142)
at util.tree.TreeController.buildTree(TreeController.java:422)
at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

Admin Console not displaying new Users and Groups from LDAP

We created a new Realm in WebLogic, which specifies the location of the Netscape
LDAP server. Our Weblogic application, called TGSLC, is able to find the ldap
server to use for authentication. My problem is this- the Admin Console is not
displaying the new users and groups from the LDAP server. Shouldn't the WebLogic
Admin Console display any users and groups specified in the ldap server, which
is referenced in the customized Realm?

Hi Andy,
I am not sure why you are unable to see the users and groups through the
console., you should be able to. Can you post the config.xml?
thanks,
-satya
Andy Levy <[email protected]> wrote in message
news:3b700c36$[email protected]..
>
We're running WLS 6.0 Sp2 on Windows 2000 Professional.
"Satya Ghattu" <[email protected]> wrote:
Andy,
Could you please tell us what Version of Weblogic you are running?
thanks,
-satya
Andy Levy <[email protected]> wrote in message
news:[email protected]..
We created a new Realm in WebLogic, which specifies the location ofthe
Netscape
LDAP server. Our Weblogic application, called TGSLC, is able to findthe
ldap
server to use for authentication. My problem is this- the Admin
Console
is not
displaying the new users and groups from the LDAP server. Shouldn'tthe
WebLogic
Admin Console display any users and groups specified in the ldap
server,
which
is referenced in the customized Realm?

LDAP User and Group import

My client has OAM as SSO provider. They want the LDAP Agent to import only users and groups but not the group memberships.
What setting should I Use for LDAP authentication ?

I have below changes in files
1] In jps-config.xml
-- Added identity store and selected it from drop down in Security Context tab.
2] In weblogic-application.xml
In Security tab --> Role assignment mapped valid-users to principle name.
<security>
<realm-name>myrealm</realm-name>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>DERDev</principal-name>
</security-role-assignment>
</security>
3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
4] Added security role "DERDev" along with the default/automatically added role "valid users"
<security-role>
<role-name>DERDev</role-name>
</security-role>
Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
Mukesh

LDAP user and group configuration in ADF application

Hi All,
I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
However not added any user in jazn-data.xml. Which i guess not required because it will picked from LDAP.
Now how to configure the JDeveloper to use those users ? What changes need to make in jazn-data.xml ? or in jps-config.xml / web.xml/ weblogic-application.xml
Am i missing nay configuration step. i have referred ADF Security set up - step by step tutorial - quick question but not found useful
I am using JDeveloper 11.1.1.5.
Thanking you all in advance.
Mukesh.

I have below changes in files
1] In jps-config.xml
-- Added identity store and selected it from drop down in Security Context tab.
2] In weblogic-application.xml
In Security tab --> Role assignment mapped valid-users to principle name.
<security>
<realm-name>myrealm</realm-name>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>DERDev</principal-name>
</security-role-assignment>
</security>
3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
4] Added security role "DERDev" along with the default/automatically added role "valid users"
<security-role>
<role-name>DERDev</role-name>
</security-role>
Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
Mukesh

Example of creating a valid LDAP user and group in the Portal tree

I need to create (via bulk LDIP or API) fresh users AND groups into OID that can be used by Portal. In theory it sounds easy - just create an appropriate LDIF file.
What is the best way to achieve this?
I don't the know the structure that should be used in the LDIF file that would create the correct structure held for all the Portal users and groups in OID.
I've looked through the OID admin and dev guides but am still confused as to what exactly I have to do. It seems that Portal accounts are synchronised by a method called Provisioning.
All I want to do is bulk upload Portal compatible users into the repository.
Can somebody please assist.
Cheers,
John

I have below changes in files
1] In jps-config.xml
-- Added identity store and selected it from drop down in Security Context tab.
2] In weblogic-application.xml
In Security tab --> Role assignment mapped valid-users to principle name.
<security>
<realm-name>myrealm</realm-name>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>DERDev</principal-name>
</security-role-assignment>
</security>
3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
4] Added security role "DERDev" along with the default/automatically added role "valid users"
<security-role>
<role-name>DERDev</role-name>
</security-role>
Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
Mukesh

Unable to initialize LDAP (No LDAP server is configured)show in the admin server of iWS6.0 users and group

When I goto web server administration in users and group tab it alway show me Unable to initialize LDAP (No LDAP server is configured) Is it cause the effect to use web server because I use iWS with ias .
If it cause some effect ,Please let me know how to configured LDAP server.

Run this Command from the Exchange Server
Net time \\ADServerName /Set
and confirm the action,
and then you need to restart the service
Microsoft Exchange Active Directory Topology Service
and confirm you are not getting the Error 4001 in the event Viewer.
Thank you, it resolved my issue after being sweating looking for solution.
How can I prevent this from happening? I cannot restart services on each server reboot nor lose 5 years of my life!!!
Sokratis Laskaridis MCP, MCTS, MCITP, Small Business Specialist Netapp ASAP, Symantec STS

Using users and groups from LDAP in ADF application

Hi there,
I'm using WebLogic Server 10.3.5.0 and JDev 11.1.2.3.0.
I configured my WL server to use the users and groups defined in my LDAP server (they display when I select the Users or Groups tab). So this works fine (I think).
Now I want to use 1 group, let's call the group ApplicationGroup, and all it's users to give them access to my ADF Application.
But I can't find proper/up-to-date info about how to do this.
I tried 2 major things:
1) I configured ADF Security to use Authentication and Authorization. Defined an Enterprise Role with the same name as in my WL server (so ApplicationGroup) then defined a
Application Role with a custom name and added the Enterprise Role to it. That Application Role I gave access to all my TF's and Web Pages. When I deploy this, It just doesn't work (Migrate Users and Groups is not checked).
2) Used the Authentication option in the ADF Security and the rest is the same as in 1). This works +-, I can login with all users so the role mapping isn't configured right I guess?
Any help or documentation that could help me?

Since we aren't using EM I had to find an other way. And I found it.
In web.xml ADF Security (I suppose) automaticly adds 'valid-users'. In my weblogic.xml I added my enterprise role as a principal to 'valid-users' and this works for me.
Thanks for the help.

Webcenter spaces user and group and WLS security realm

I want to configure external ORACLE DB,
I configed the security realm in WLS, and I can see the user and group list in WLS page, But I cant find any of them in webcenter spaces,
and also can not login with those users.
I added a user with WLS, it works well.
do I need to do other configrations?

First you need to create a Administrator for this new identity stores. Weblogic user is not identified now because its not mapped by first authenticator. See Oracle WebCenter Admin Guide, section 28.4.1.1 Granting the WebCenter Spaces Administrator Role Using FusionMiddleware Control. Once you have done this step, do the same steps for other application user. For this you have to give Application role to other user so that they can login and use WebCenter Space.See Oracle WebCenter Admin Guide, Section 28.4.2.1 Granting Application Roles Using Fusion Middleware Control.
After doing above steps, restart WC_Spaces managed server.

Create worklist user and group's in 11G...

How to create worklist user's and group's in standart 11G instalation...
Thanks...

hI Raj,
It is very easy to create users,groups,roles in soa suite 11g manually .Just login to the weblogic console and you find a security realms tab click on that then next a page will open with my realms then click on it you will find a users and groups tab on top click on that then lock and edit the session and from there you can create users groups and also assign roles.You can also use external ldap if you want,Please let me know if this clarifies your doubt

User and group management

I just installed an evaluation version of weblogic commerce and personalization server. I understand we can create users and groups and assign users to different groups. But I am wondering who has the privilege to do this, developer or end-user? In paticular, is it possible for a super user (should be end-user) in one group to manager all other users in the same group. This feature would be especially useful for B2B portal because usually we would allow a company administrator manage all users within that company. Thanks in advance.Zhe

Hi Steve,
What's the plan to provide ASP support in WLPS in the future ? Is there
any examples of WLPS that uses a 3rd party user management server (such
as LDAP)?
Thanks,
Leo
6th Dimension-
Steve Willcox wrote:
>
We only support a single administrator for a 'realm' of users. We don't have an admin permission mechanism on a group of users basis. The feature you are looking for more fits the ASP model and not an enterprise application model.
However, since WLPS/WLCS uses the WebLogic security realm to access users and groups, you can use a 3rd party user management tool that supports the permissions you are looking for in order to create users and groups. This would require the 3rd party user management tool to have an implementation of the WebLogic Security Realm class that works with this 3rd party user management server.
Zhe Liu wrote:
I just installed an evaluation version of weblogic commerce and personalization server. I understand we can create users and groups and assign users to different groups. But I am wondering who has the privilege to do this, developer or end-user? In paticular, is it possible for a super user (should be end-user) in one group to manager all other users in the same group. This feature would be especially useful for B2B portal because usually we would allow a company administrator manage all users within that company. Thanks in advance.Zhe--
Steve Willcox
BEA Systems, Inc.
ECommerce Application Components R&D
Architect
mailto:[email protected]
http://www.bea.com

How to change default /Users and /Groups to different Volume?

Users are created in /Volumes/<boot>/Users and groups in /Volumes/<boot>/Groups.
We need these to be created on a different volume, eg., /Volumes/External/Users, and /Volumes/External/Groups.
Setup Assistant correctly put user Backups into */Volumes/External/Shared Items/Backups* and also correctly put web services on /Volumes/External/ServiceData -- we want to do the same for Groups and Users.
Groups are the most critical, as the group needs bulk storage. Users we could leave as is if it can't be done.
How can this be configured? We've read File Server Admin, Open Directory Admin, and Advanced Server admin from http://www.apple.com/server/macosx/resources/documentation.html without finding an answer.
Thanks in advance.

1. Create new folders on the external volume to hold users and groups, but to prevent confusion name them something other than "Users" and "Groups". /Volumes/External/NetUsers and /Volumes/External/NetGroups would be reasonable choices.
2. Share both of these folders (in Server Admin -> server name in sidebar -> File Sharing -> Volumes & Browse modes -> select each folder -> click Share near the top right).
3. Enable both folders for automounting on clients (Server Admin -> server name in sidebar -> File Sharing -> Share Points-> select each folder -> Share Point tab under that -> Enable Automount option) with the default options (Directory: /LDAPv3/127.0.0.1, Protocol: AFP, Use for: User home folders and group folders). Be sure to click Save (not just OK in the dialog).
4. To migrate users, run Workgroup Manager, and change the home location for the users you want to move (select Accounts in the toolbar -> /LDAPv3/127.0.0.1 from the hidden pop-up menu under that -> User icon tab at the left -> select the user(s) you want to change -> Home tab on the right -> select the NetUsers option from the "Where" list). Then, for each user, run this command on the server: "sudo cp -Rp /Users/username /Volumes/External/NetUsers".
5. Similarly, move Group folders in WGM (Accounts -> /LDAP... -> Groups icon on left -> select groups to move -> Group Folder tab on right -> NetGroups in the list). Then, for each group, run "sudo cp -Rp /Groups/groupname /Volumes/External/NetGroups".
6. Test to make sure all is working before deleting the old user and group folders from /Users and /Groups (do NOT delete /Users and /Groups themselves, just the individual folders from under them).

Assigning Roles to Users and Groups

Hi,
We have installed EP 5.0 SP4...with Content Management...we configured the LDAP to Portal......all the users are maintained through LDAP only...the problem is assigning the Role's to user..here in portal how to assign the roles to the users...we are not getting the Role assignment option under Portal Admin TAB..is there any way to configure the roles to User's are Group's.....
it is an urgent assignment for me..help can be appreciated...
sudhir

Sudhir,
You can assign the roles to users and groups as below.
1. Select the System Administration in the top level navigtion
2. Select user administration
3. You can search for a specific user or a group from this iView.
4. Use the edit button to edit the profie of the user or group.
5. Search for the role in the search iView.
6. Add the role to the user of group and save.

User and group handling in LDAP Realm

Similar Messages

Maybe you are looking for