Using PAM for LDAP authentication

Similar Messages

• How to use two different LDAP authentication for my Apex application login

  Hi,
  I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
  cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
  cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
  The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
  Does anyone know how to define both the group in LDAP DN String ?.
  Thanx in advance
  Vijay.

  Vijay,
  I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
  Scott

• Configuring Oracle 9iAS for LDAP Authentication

  I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
  " Bind variable "CN" not declared ".
  I even compile the package ssoxldap.pkb before that. But still this error persists.
  tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
  Can anyone help me in this.

  I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
  And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
  ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  but instead we shoud write this:
  ldapadd -h i3dt111 -p 389 -D cn=orcladmin
  -w welcome -f d:\oracle\admin\phd\udump\users.ldif
  . Just remove the single quotes in the username string.
  Anyways, thanks for your suggestions.
  null

• Possible to use http for web authentication?

  Hi All,
  We are using WLC 2500 and AP 1041 with web authentication. Due to we do not have the trusted/public certificate and want to get rid of the certificate warning during the user login. I would like to ask if this is possible to change the web authentication method from HTTPS to HTTP. Thanks.
  Rgds,
  Jacky

  Hi Jacky,
  Yes u can... But there is a  catch..
  1) If ur running WLC code below 7.2.X then the only option is to disable HTTPS globally (Meaning HTTPS management access disabled only HTTP).
  2) If you are running 7.2.X and above, then you can use HTTP for client webauth and then HTTPS for Management access.
  The command for disabling https for web authetication would be:-
  config network web-auth secureweb disable
  Hope that helps
  Regards
  Najaf
  Please rate when applicable or helpful !!!

• Oracle Portal for LDAP Authentication using Iplanet directory server

  I have oracle portal on solaries machine and Iplanet directory server 5.1 on windows NT,
  Can i user portal user authentication Iplanet LDAP.
  Regards
  srinivas

  Yes You can. You have to provide the necessary info while running the ssoldap.sql.
  Vinodh R.

• Setting up CIMC on C220 stand-alone server for LDAP authentication.

  I'm trying to setup the CIMC so that all users who require access to the console of the server have to be authenticated by Active Directory. I have placed my authenticated users in an AD group called "APAC IT Administrators".
  Here are the fields I have so far:
  Enable LDAP: Checked
  BaseDN: DC=mydomain,DC=com
  Domain: mydomain.com
  Enable Encryption: Checked
  Time Out: 60s
  Configure LDAP Servers: Checked
  Server 1: 10.0.0.100
  Port: 389
  Server 1: 10.0.0.101
  Port: 389
  Binding paramters:
  Method: Login Credentials
  Search Parameters:
  Filter Attribute: sAMAccountName
  Group Attribute: memberOf
  Attribute: CiscoAVPair
  LDAP Group Auhtorisation: Checked
  Index: 1
  Group Name: APAC IT Administrators
  Group Domain: mydomain.com
  Role: Admin
  I've read here (http://www.aaviso.com/tech/?p=94) something about having to create a new attribute for domain users then assigning the attribute to the specific users, which I have not done so far as I do not have permission to do this and needs to be done by a higher source, but would this be the reason I cannot get the CIMC logon to authenticate against AD? Is there a log I can check to see what the problem is?
  When I try to log onto the CIMC using the format "mydomain\myusername", I get the error "Login failed. Verify that your username and password are correct."
  CIMC is version 2.0(3e).
  Thanks.

  Ingo thanks very much for replying..
  We called up BusinessObjects Service to ask where we can download the SAP Integration Kit for Crystal XI but they had didnt have a solid answer for us.
  We have the SAP GUI and also installed the Crystal Reports Designer XI from the CD.  Also the installation of Crystal XI prompted me to download SP1 from internet and we did that.
  As a result of the Service Pack installation another SAP component got installed called the "SAPInteractiveXL1" which is excel based.  There is a connection SAP icon toolbar in SAPInteractiveCl1 but when the SAP GUI pops up and I input my logon information it just says says "Connecting..." and the excel just hangs....
  So right now I have no clue where to get
  - Client components from the BusinessObjects SAP Integration Kit

• Oracle Portal for LDAP Authentication(Iplanet)

  Oracle portal installed on Solaries machine and LDAP (iplanet) installed on windows NT machine.I am able to take ldif file from portal30 user and add to ldap.( under o=oracle tree)
  Completed all step mentioned in document conf_ldap.pdf as follows
  1. created library pointing to ssoxldap.so in portal30_sso schema
  2. made change to listner.ora and tnsnames.ora file and able tnsping also.
  - tnsping extproc_connection_data
  3. ssoldap.sql also ran in portal30_sso schema with all LDAP information.
  (like ----
  Host: challasv
  Port: 389
  Search Base: cn=Login Server (portal30_sso),o=oracle
  Unique Attribute: cn
  Bind DN: cn=Portal Login
  Bind Password: portal30
  If I am try to login through browser in say Unexpected errors (WWC-41400). Is I am doing any thing wrong.
  Also i am albe run ldapsearch from another machines working fine.user following command
  - ldapsearch -b "cn=Login Server (portal30_sso),o=oracle" -h challasv -p 389 -D "cn=Poral Login" -w portal30 cn=portal30
  my questions is Iplanet(LDAP) can integrate with Portal or any steps missed.
  Please help in this regard,
  Challa

  You may want to use ssoxoid.pkb package that comes with Portal/Login Server 3.0.9 which simplifies the configuration.
  Also, you will not have to run the external procdure listener. Please refer to the Login Server Admin. guide for more details.
  NOTE:
  the 3.0.9.8.0 version of ssoxoid.pkb is not good. You need to download 3.0.9.8.2 patch and get the ssoxoid.pkb file from there.
  Also, you may want to turn on debug for SSO Server to see debug msg.
  DEBUG
  ========
  You need to loginto the Login Server schema and run following commands to see debug msg.
  sqlplus portal30_sso/password
  TO TURN ON DEBUG
  1. Create debug proceure
  CREATE OR replace PROCEDURE debug_print (str VARCHAR2) AS
  PRAGMA autonomous_transaction;
  BEGIN
  INSERT INTO wwsso_log$ VALUES
  (wwsso_log_pk_seq.nextval,
  substr(str, 1, 1000),
  sysdate,
  dbms_session.unique_session_id
  commit;
  END debug_print;
  show errors;
  TO SEE THE DEBUG LOG
  2. Try to login using portal login link
  and see the error msg from the log table
  select msg from wwsso_log$ order by id;
  TO STOP THE DEBUG LOG
  3. Delete the log
  delete from wwsso_log$ ;
  commit;
  4. Turn off debugging
  CREATE OR replace PROCEDURE debug_print (str VARCHAR2)
  AS
  BEGIN
  null;
  END debug_print;
  show errors;

• Sample code for LDAP authentication throwing exception

  i got sample code (13kb zip file from
  http://java.ittoolbox.com/browse.asp?c=JAVAPeerPublishing&r=%2Fpub%2FBK072703D%2Epdf) having MyCallbackHandler,LdapAuthenticator,SampleLoginModule 2 policy files and config files). i copied and compiled succesfully all java files placing them in bin of j2sdk1.4 . But when i give following command(as told in the pdf article ,url is given above) exception is thrown each time i enter username n password(three trials are allowed by the code)
  java -Djava.security.auth.login.config=D:\j2sdk1.4\bin\sample_jaas.config -
  Dldap.properties.config=ldap.properties SampleAcn
  SampleAcn is also one of the java files i compiled in bin.
  i m new to this area . so guide me for following
  do i need to do something with the 2 policy files as nothing is told anywhere about there configuration or there configuration is not needed at all.
  i havent configured anything on windows 2000 server having active directory except for creating a user named testUser/testPassword as mentioned in code that this is the username/password v can try for succesfull loging thorugh sample.
  do i need to cofigure some other things for using LDAP

  I think I have just answered your questions at the following post:
  [http://forums.sun.com/thread.jspa?threadID=5407841&tstart=0].
  This should work on any OS that supports Java, including AIX. The following link also can be helpful (includes code sample):
  [http://alextch.members.winisp.net/ResetADPasswordFromJava/SetADPasswordFromJava.htm]
  Good luck!
  Sergei.
  [http://hitech.com.ua/en/]

• Is anyone using PAM for archiving e-mail? I am having trouble opening archived e-mail attachments using Firefox. I know the reason for this is part of the url gets left out when using Firefox. Works fine with Internet Explorer.

  This part of the path https://mail.domain.org/owa/ (see below) when place in allows Firefox to open the attachment.

  Autodiscover service on Exchange seems to be ok from the result of testing. We might change our mind and check if this is a network issue.
  If you are using Windows 7 or higher version OS, try to run the following command in CMD to disable the Autotuning function:
  Netsh interface tcp set global autotuning=disabled
  For more information, please visit here:
  http://slowpctexpert.blogspot.com/2010/12/speed-up-windows-7-disable-autotuning.html
  Tony Chen
  TechNet Community Support

• LDAP Authentication for Application APEX 3.2

  Dear All,
  I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
  create or replace
  FUNCTION              "ADS_LDAP_AUTHENTICATE"
  (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
    c_Directory   VARCHAR2(50) ;
    c_Port        NUMBER(4);
    c_BaseDN      VARCHAR2(200);
    c_InitUser    VARCHAR2(200);
    c_InitPass    VARCHAR2(32);
    l_session     DBMS_LDAP.SESSION;
    l_success     PLS_INTEGER;
    l_attributes  DBMS_LDAP.STRING_COLLECTION;
    l_result      DBMS_LDAP.MESSAGE;
    l_userdn      VARCHAR2(2000);
    CURSOR get_authentication_dtls
    IS
    SELECT  domain_name,server_port,server_base_dn,server_principal,server_credentials
    FROM    PS_TB_SYSTEM_ADS_CONFIG_DICT;
  BEGIN
    OPEN get_authentication_dtls;
    LOOP
    FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
    EXIT WHEN get_authentication_dtls%NOTFOUND;
    --Open initial lookup session.
    l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
    l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
    IF l_success = DBMS_LDAP.SUCCESS THEN
      l_attributes(1) := NULL;
      l_success := NULL;
      l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
                                     base => c_BaseDN,
                                     scope => dbms_ldap.scope_subtree,
                                     filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
                                     attrs => l_attributes,
                                     attronly => 0,
                                     res => l_result);
      IF l_success = DBMS_LDAP.SUCCESS THEN
        l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
        IF l_userdn IS NOT NULL THEN
          l_success := dbms_ldap.unbind_s(l_session);
          l_session := dbms_ldap.init(c_Directory,c_Port);
          l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
        END IF;
      END IF;
    else
      return FALSE;
    END IF;
    IF l_success = DBMS_LDAP.SUCCESS THEN
    CLOSE get_authentication_dtls; /* Close cursor before returning */
      RETURN TRUE;
    END IF;
    END LOOP;
    CLOSE get_authentication_dtls;
     RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
  EXCEPTION
    WHEN OTHERS THEN
      RETURN FALSE;
  END;
  Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
  Can anyone suggest me how to allow only a set of users to access my application using LDAP.
  Thanks in Advance.
  Cheers,
  San.

  Use the below link for Ldap Authentication
  LDAP (MS AD) Group Authentication

• Weblogic Server 10.3.0 and LDAP authentication Issue

  Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
  I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
  It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
  Can anyone please point me towards the right direction to get this resolved.
  Thanks,
  STEPS
  Here are my steps I have followed:
  - Created a group called Administrators in OID.
  - Created a test user call uid=myadmin in the OID and assigned the above group to this user.
  - Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
  <sec:name>OIDAuthentication</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
  <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
  <wls:port>1389</wls:port>
  <wls:principal>cn=orcladmin</wls:principal>
  <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
  <wls:credential-encrypted>removed from here</wls:credential-encrypted>
  <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
  </sec:authentication-provider>
  - Marked the default authentication provider as sufficient as well.
  - Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
  - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
  <LDAP Atn Login username: myadmin>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <authenticate user:myadmin>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authentication succeeded>
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <LDAP Atn Authenticated User myadmin>
  <List groups that member: myadmin belongs to>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
  *<Result has more elements: false>*
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <login succeeded for username myadmin>
  - I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
  <XACML RoleMapper getRoles(): returning roles Anonymous>
  - I did a ldap search and I found no issues in getting the results back:
  C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
  cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
  objectclass=groupOfUniqueNames
  objectclass=orclGroup
  objectclass=top
  END
  Here are the log entries:
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authentication succeeded>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
  <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
  <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
  <1291668685686> <BEA-000000> <Result has more elements: false>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <login succeeded for username myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
       Principal: myadmin
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
  <1291668685702> <BEA-000000> <Using Common RoleMappingService>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>>
  <1291668685702> <BEA-000000> <     Parent: null>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
  <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
  <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
  <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Roles:Anonymous>
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Direction: ONCE>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

  Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
  The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
  its was the "cn" attribute that was causing the result set to be empty.
  from a command line we tried
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
  and got the results back.
  Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
  So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
  Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
  Thanks everyone for showing interest on the problem and providing suggestions.

• MS Active Directory LDAP Authentication/Locking Issue.

  Dear All,
  We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
  We have used following things with LDAP feature.
  1. User Authentication.
  2. Locking account after exceed the maximum attempts that has configured in window server.
  Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
  If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
  Can any body know what are the possibilities for identifying and resolving this issue?
  Please help us if anybody has any experienced about it.
  Please do the needful.
  Thanks,
  Mehul.

  Hi,
  Thanks for your reply.
  We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
  Following code for checking whether ADS User is valid or not.
  * Function checks whether ADSUser is valid user or not
  * @returns int value indicating result.
  public int isValidADSUser() {
  Hashtable env = new Hashtable(5);
  Vector adsInfoVec = getADSInfo();
  env.put("java.naming.referral", "ignore");
  // env.put("java.naming.security.authentication", "simple");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  String provider = "com.sun.jndi.ldap.LdapCtxFactory";
  env.put("java.naming.factory.initial", provider);
  //For handling Uncontinued reference found message of partial result exception
  env.put(Context.REFERRAL, "follow");
  env.put("java.naming.ldap.derefAliases", "always");
  env.put("java.naming.ldap.deleteRDN", "false");
  env.put("java.naming.ldap.attributes.binary", "");
  env.put(Context.PROVIDER_URL,
  "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
  (String) adsInfoVec.elementAt(1));
  // env.put("java.naming.security.principal",
  // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  env.put(Context.SECURITY_PRINCIPAL,
  userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  if (userPassStr == null) {
  userPassStr = "";
  // env.put("java.naming.security.credentials", userPassStr);
  env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
  try {
  DirContext ctx = new InitialDirContext(env);
  ctx.lookup("");
  //System.out.println(ctx.lookup(""));
  ctx.close();
  catch (javax.naming.AuthenticationException ex) {
  //System.out.println();
  ex.printStackTrace();
  return AUTHENTICATION_ERROR;
  catch (javax.naming.PartialResultException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (javax.naming.CommunicationException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (NamingException e) {
  System.out.println("Failed to connect to ");
  e.printStackTrace();
  return COMMUNICATION_ERROR;
  return SUCCESS;
  Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
  Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
  Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
  Your optimistic reply is much appreciated.
  Thanks,
  Mehul Garnara.
  Edited by: [email protected] on Mar 6, 2008 10:24 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM

• Database Table and LDAP Authentication in the same repository?

  I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
  Thanks,
  -Matt

  Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
  1) LDAP "authentication" init block sets custom variable LDAP_USER
  2) Table "authentication" init block sets custom variable TABLE_USER
  3) Final authentication init block (the real one) sets USER variable using something like this:
  SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
  ELSE ':TABLE_USER'
  END
  FROM DUAL
  WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
  ELSE ':TABLE_USER'
  END = ':USER'
  Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.

• Error in Custom Ldap Authentication

  Hi All,
  I was trying to use the custom LDAP authentication( [Earlier Post|http://forums.oracle.com/forums/thread.jspa?threadID=2251976&stqc=true] ) but was not successful in making it work with our AD LDAP server. Thats when I came across post [ http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185|http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185]
  I used the same function
  create or replace function authenticate_aduser(
  p_username in varchar2,
  p_password in varchar2)
  return boolean
  is
  l_user varchar2(256);
  l_ldap_server varchar2(256) := '<Hostname>';
  l_domain varchar2(256) := '<Domain Name>';
  l_ldap_port number := 389;
  l_retval pls_integer;
  l_session dbms_ldap.session;
  l_cnt number;
  begin
  l_user := p_username||'@'||l_domain;
  l_session := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
  l_retval := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
  l_retval := dbms_ldap.unbind_s( l_session ); -- unbind
  return true;
  exception when others then
  l_retval := dbms_ldap.unbind_s( l_session );
  return false;
  end;Test it by giving correct password
       SQL> declare
  begin
  if authenticate_aduser('<username>','<correct password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Successful
  PL/SQL procedure successfully completed.Tested it by giving wrong password
  SQL> declare
  begin
  if authenticate_aduser('<user name>','<wrong password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Failed
  PL/SQL procedure successfully completed.So the fundtion is working perfectly with LDAP server.
  I am trying to create a custom authentication scheme with the above function.
  Shared Components -> Authentication Schemes -> create ->From Scratch ->
  In Autentication Function -> return authenticate_aduser(:P101_USERNAME,:P101_PASSWORD);
  In Logout URL -> wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&amp;p_next_flow_page_sess=4155:PUBLIC_PAGE
  Then after setting this as the current authentication scheme. Whenever I try to login with correct credentials it is giving me error
  Invalid Login Credentials
  Kindly let me know were I am going wrong here.
  Thanks & Regards,
  Vikas Krishna

  I was able to fix this.
  I used the same function authenticate_aduser
  and then followed blog http://www.talkapex.com/2009/03/custom-authentication-status.html to create a custom authentication. It worked finally.
  Thanks to Martin for his wonderful post.
  Thanks & Regards,
  Vikas Krishna

• Built-in LDAP Authentication Problem

  Hi All,
  I have used Built-in LDAP Authentication Method for my application authentication which works fine,but i need to have an database authentication as well in combination to LDAP one.
  I tried putting a database authentication function (Returning Boolean) in the post authentication process but without success.
  Please suggest how to go about this.
  cheers
  Dhrubo

  You really didn't explain much more than in your first post.
  For Example ,LDAP verifies all users now,but i would like to enable persons with their role as managers to have access priviledge for my application.Right now, managers do have access privilege so that requirement does not make sense.
  For this Manager problem i need a database level authentication.What does that mean? You can't just make up terms like that.
  I think you are mixing up authentication and authorization. Please search this forum and read the User's Guide for more info about how these are differrent.
  We can show you how to do both authentication and authorization, you just need to work harder stating your exact requirements.
  Scott