Using LDAP on ACS 4.1.1 appliance
I would like to configure the appliance to use our LDAP server as opposed to configuring a seperate Windows devices - ACS agent. Can this be done? Is there a document out there that will allow me to do this and does the group recommend updating to 4.2 prior to configuring this?
Thanks
Dwane
Using AD as LDAP, will allow you to not to install any Agent for AD user authentication. But by doing that you may loose some feature that you get by using it as a Windows Database on ACS.
As it would be LDAP, please consult following matrix for the features available,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp858207
Other then that, configure AD as a normal LDAP, only change the default LDAP port from 389 to 3268 (Global Catalog).
User directory and group directory subtree would be your AD root.
<--for example-->
User Directory Subtree : DC=domain,DC=com
Group Directory Subtree : DC=domain,DC=com
<--below info is common for all AD-->
UserObjectType : samaccountname
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : memberof
Hostname :
Port : 3268
Admin DN : [email protected]
Password :
If this is a new installation, then go for 4.2 :)
Regards,
Prem
Please rate if it helps!
Similar Messages
-
Authentication Problem with ACS 5.2 Using LDAP
HI!
I want to use LDAP for connecting to active directory but I get this Error from ACS 5.2 ( 22056 subject not found in the applicable identity stores).Is there anyone who can HELP me?
I used this configuration in ACS 5.2:
Users and Identity Stores / External identity store / ldap / Directory Organization
Subject ObjectClass : User
Subject Name attribute ; sAMAccountName
Group ObjectClass : Group
Group Map Attribute : MemberOfTwo questions:
- did you press "Test Bind to Server" from LDAP "Server Connection" tab and "Test Configuration" from "Directory Organization" tab?
- did you select the LDAP database as the result in the identity policy? -
Java ftp server which can use LDAP, how to integrate with WLS' implementation of LDAP?
Howdy.
I'm setting up a java ftp server
(http://www.mycgiserver.com/~ranab/ftp/index.html) which is capable of using
LDAP for it's user security. I would like to integrate this ftp server with
wls' implementation of LDAP so I only have to admin one user list.
Does wls put it's user list in the LDAP or in it's own proprietary setup? I
tried playing around with it, but the users don't seem to appear in the JNDI
tree. Is this where the LDAP stuff is located? I thought it was in there?
If it's in it's own setup, is there a way to propagate the users to LDAP?
If these look like newbie Q&A, I guess they kind of are, I'm new to LDAP.
Thanks for any input you might have.Peter,
If you are talking about using the embedded LDAP server in WLS 7.0 for this purpose
I think you are going done the wrong path.
Look at the following URL on how to use an external LDAP server for your custom
application
http://e-docs.bea.com/wls/docs70/secmanage/realm.html#1172008
Chuck Nelson
DRE
BEA Technical Support -
How do I use LDAP with iMQ 2.0?
I am looking for an example to see how to use LDAP with iMQ 2.0.
I was able to set up the config settings to access a local LDAP,
but iMQ authentication still rejects valid logins.
Let me know if I can find more info someplace.You can also find an example I put togther in the Sun One knowledge base.
If you go here:
http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
Search for article 7772
Alternatively here is the direct link
http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html -
Any issues with using LDAP on LINUX for GRC 5.2 UME?
Our company is converting our LDAP servers from AIX to LINUX. The DNS name used in our UME connection should not change. Are there any issues with using LDAP on LINUX? We are currently on GRC 5.2 SP9 (in the middle of upgrading to SP12).
Also, I have been trying to connect our test UME system to a test LDAP box that has already been converted to LINUX but keep getting a 'connection failed' error when I try to test it.
Do you have to reboot the server to test changing the LDAP connections? I've been trying it by going into UME, pulling up the LDAP tab, hitting the Modify button, entering the new userid and password for test LDAP, and hitting the Test Connection button. I've verified that this userid and password is correct for test LDAP.
Is there a way to get more information about why the connection failed?
Thanks.I've been told by our LDAP Support group that none of the other configuration settings should have to be changed. I should only have to change the id and password to connect to a test version of LDAP instead of our regular connection to the production LDAP.
Can you test a connection for a different userid/password without having to reboot/restart the server? Do I need to change these two settings, save then, reboot/restart, and then do the Test Connection button?
Thanks. -
Custom Realm using LDAP?
Hi,
has anyone implemented a custom realm using LDAP? I was suprised to learn that
ACLs are not supported in the LDAPRealm. Our corporate direction is to have a
central LDAP security store - including ACLs. Unfortunately the LDAP server is
MS SiteServer! Anyway, I assume this means I need to implement a custom realm
- unless there is an alternative.
-chrisYou are correct - you'll need to write a custom
realm to do this.
-Tom
"Chris Jones" <[email protected]> wrote:
>
Hi,
has anyone implemented a custom realm using LDAP? I was suprised to
learn that
ACLs are not supported in the LDAPRealm. Our corporate direction is
to have a
central LDAP security store - including ACLs. Unfortunately the LDAP
server is
MS SiteServer! Anyway, I assume this means I need to implement a custom
realm
- unless there is an alternative.
-chris -
How to use LDAP with Oracle forms 10g on Oracle application server
Hi,
I need some help on this. I have developed oracle forms 10g on application server 9iAS. The client want to use the existing LDAP authentication to the software we wrote. I do not know how I could configure to use the existing LDAP authentication . If anyone know how would I use the existing LDAP on different server to use when they logon to our menu in 10g to validate the user. Do I need to add any varibales in formweb.cfg or any other method. Please help.
Thanks
LukshI am not quite sure if this works out of the box. According to an Oracle FAQ:
4.2 Can I use LDAP to authenticate Forms Services?
Not directly. However, Oracle Login Server is able to authenticate against a LDAP directory and thus a Forms application can take advantage of this in a SSO environment. But you cannot use access control information stored in a LDAP directory with Forms. -
ASA WebVPN. How do you restrict access to users in an AD group using LDAP?
Hi All,
I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I beleive it should be easy.
The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
I can only do an all or nothing scenario.
It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
Scenario 1 would work the best for me. Restrict access to profiles/groups based on AD group membership using LDAP.
Scenario 2 would be an ideal longer term solution.
Any thoughts, ideas or assitance would be greatly appreciated.
CheersThis is exactly what i was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (ther is a button to access this) is really helpful, with a couple of examples. This is what i used:
assert(function()
if ( (type(aaa.ldap.distinguishedName) == "string") and
(string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
then
return true
end
return false
end)()
from the debug dap you can see what Users relates to;
DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
My admin account fails to get me in to the same profile:
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
Thanks
Andrew -
How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?
How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird? We have a super awesome contacts server that works great for our Mac users. About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them. I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server. I've tried several different settings, and looked all over the web, but could not find the proper way to configure this. Does anyone know if this can be done, or if not, would have a better suggestion? Thank you for your time!!
try double clicking keychain acces should launch and ask if you want to install login, system, System roots
A dialog box will launch asking where to install the cert since your configuring a vpn I would put the certificate it in system. -
Pam.conf does not use ldap for password length check when changing passwd
I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
I have dsee 6.0 installed on a solaris 10 server (client).
I have a solaris 9 server (server) set up to use ldap authentication.
bash-2.05# cat /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= X, Y
NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_BIND_TIME= 10
bash-2.05# cat /var/ldap/ldap_client_cred
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
bash-2.05# cat /etc/nsswitch.conf
# /etc/nsswitch.ldap:
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
bash-2.05# cat /etc/pam.conf
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1 use_first_pass
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1 debug
other account required pam_projects.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
bash-2.05$ passwd
passwd: Changing password for VV
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
I am using the default policy on the directory server which states a minimum password length of 6 characters.
server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
pwd-accept-hashed-pwd-enabled : N/A
pwd-check-enabled : off
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 1d
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : off
pwd-lockout-duration : disabled
pwd-lockout-enabled : off
pwd-lockout-repl-priority-enabled : on
pwd-max-age : disabled
pwd-max-failure-count : 3
pwd-max-history-count : disabled
pwd-min-age : disabled
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : CRYPT
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : off
pwd-strong-check-require-charset : lower
pwd-strong-check-require-charset : upper
pwd-strong-check-require-charset : digit
pwd-strong-check-require-charset : special
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : off
Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
Edited by: ericduggan on Sep 8, 2008 5:30 AMyou can try passwd -r ldap for changing the ldap passwds...
-
How to delete / remove a group in AD using LDAP?
Can anyone please point me in the right direction to code the ability to delete or remove a group from AD using LDAP? Is this even possible? I'm surprised I cannot find anything related to this action.
How would you delete any other object using LDAP ?
Why do you think deleting a group is any different ?
String groupName = "CN=Idiots,OU=Developers,DC=Antipodes,DC=Com";
// Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
// Delete the group, and wishfully all the idiots that ask stupid questions
ctx.destroySubcontext(groupName); -
Filtering Groups on Windows Active Directory using LDAP Authentication
Hi All,
I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
This module was developed and tested on weblogic 8.1[on windows]and works fine.
Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
Please note no exception is aslo thrown.
env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,authentication);
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL, domainController);
// Create the initial directory context
try {
dirCtx = new InitialDirContext(env);
// Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the attributes to return
String returnedAtts[]={"member"};
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
int totalResults = 0;
int iteration=0;
// Search for objects using the filter
NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
In the above code the method exits even before the try block[i could detect this using Sysout's]
Below is the property file from which the values are read.
admin=username
password=password
#AD search attributes
searchBase=DC=domainname,DC=domainname
searchFilter=(&(objectClass=group) (CN=value*))
#JNDI context attributes
ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
authentication=simple
domainController=ldap://address
groupPattern=pattern
Please Assit,
Thanks in Advance
Message was edited by:
radiant
Message was edited by:
radiantAssuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.
-
Hi,
Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
for Weblogic Personalization and Commerce 3.5.
Using the WLCS console, I've modified the config.xml file and following
elements are added:
<LDAPRealm AuthProtocol='simple' Credential='admin'
GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
GroupUsernameAttribute='uniquemember'
LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
UserNameAttribute='uid'/>
<CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
Name='wlcsCachingRealm'/>
But when we try to restart the WLCS, it throws java exceptions that context
is not initialized and I get the following error
<Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the
ser
ver: 'Fatal initialization exception
Throwable: weblogic.security.ldaprealm.LDAPException: could not get
context - wi
th nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credential
s]]]
weblogic.security.ldaprealm.LDAPException: could not get context - with
nested e
xception:
I tried using Windows NT as a security realm but that gave me errors too.
Does anyone has any experience using anything other than the default Realm?
Any help would be appreciated. Thanks!
Asim Raja
[email protected]I'm not sure, but I suspect you can't
since this would create a circular dependency -
your realm would rely on the upper level security
checking calls but those calls would rely on your
realm.
My suggestion is to give it a try and see what
happens.
-Tom
Ozcan ADIYAMAN <[email protected]> wrote:
Hi ,
I am implementing a simple custom security realm using LDAP as the
security store and I can see the users, groups and acls from the admin
console.
My question is (a custom realm newbie question) ;
Is it possible to use weblogic.security.acl.Security with my custom
realm to check permissions, get the current user,etc.,
OR
is this class ONLY used with default realms (when ACL is stored in a
file) ?
Thanks
Ozcan -
Solaris 2.6 or 7 using LDAP Auth
I know Solaris 8 support LDAP for Auth. However, there is some 3rd party applications which support in running on Solaris 2.6 only. The existing name service is NIS. Is there any solution for Solaris 2.6 using LDAP (Netscape Directory Server 4.1x) Auth??
Jolene,
The drivers are available free of charge at Openlink Software's
web site - http://www.openlinksw.com. You should download the
Multi-Tier components where JDK1.2 is your client platform and
Oracle 7 is your database engine. This will involve an install
on the client machine as well as the server, but will provide
for maximum flexibility and performance down the road. You will
simply need to point CLASSPATH on your client to the newly
downloaded "opljdbc2.jar" file - the Openlink driver class
archive.
Best regards,
Stephen
Jolene (guest) wrote:
: Hi,
: Can anybody please tell me which driver I can use to connect to
: an Oracle database(7.1) from a Java application running on
: Solaris 2.6 using the 1.2 version of the JDK? Where can I get
it
: from and do I have to put it in a specific place?
: Thanks in advance,
: Jolene
null -
Cons of using LDAP Sync in OIM
Hi Experts,
We are planning to use LDAP Sync to create users into OID as soon as they get created on OIM. Can you esperts please let me know the cons/limitations of enabling LDAP Sync and a small comparision on using this against provisioning to OID from OIM.
Thanks,
ParthaThis link may be useful
https://forums.oracle.com/thread/2482749?tstart=0
Maybe you are looking for
-
I performed a time machine backup without plugging my labtop into a power source. My computer died and all the settings were changed, ie the clock and date were changed back to 2001. So I tried to restore my computer using a previous time machine bac
-
Sent messages not reaching destination
Mail sent through .mac account does not reach destination, but everything looks completely normal. Messages sent using mail but from another mail account reach their destinations just fine. I still have tons of space on my .mac mail account and absol
-
No of minuts in McuJoinsAndLeaves and session tables ????
Hi All, I am trying to find out the No. of minutes in McuJoinsAndLeaves table(lcscdr DB) and session table(Qoeetrics DB) are exactly same or not..?? if no. of minutes are same in both table............please tell me conditions ???? Thanks Brij
-
How to Fetch Data into internal table column wise?
The internal table contains huge set of data. Normally we fetch the data row wise using insert and select statements in work area. But, the requirement is on fetching the data column wise for each field from the database. So,can anyone help me on thi
-
Migration between two environments which can't communicate with each other
My customer is intending to do migration from test environment to production environment using CCM. But the two environments are not in the same network. The environments' setting is as blew. BO TEST Repository can communicate with Web BO Server. BO