Weblogic 9.2 Embedded LDAP Login denied!
Hi,
I am trying to put together users/groups in the Embedded LDAP for LDAP authentication. I saw that in the embedded LDAP the tree is, by default:
domainName->myrealm->groups,people etc.
Now, under the LDAP root domainName, I created a directory structure as:
domainName->myorg->groups,users.
In the weblogic console (myrealm is the default security realm),
under myrealm, I created an LDAP Authentication Provider and gave all the LDAP provider-specific info for searching etc.
I was able to see the users using the console screen.
Now in my Web Application, using FORM-based Authentication (j_username etc.), I tried to login.
I saw the AdminServer log:
--getDNForUser search("ou=people,ou=myrealm,dc=domainA", "(&(uid=ldapuser2)(objectclass=person))", base DN & below)
with the following exception:
--javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User ldapuser2 denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:191)
which means, Weblogic was trying to use the LDAP params which were pointing to 'myrealm'.
I was expecting weblogic to search as I specified in the provider:
"ou=users,ou=myorg,dc=domainA" rather than "ou=people,ou=myrealm,dc=domainA".
Remember I am using Embedded LDAP.
Please let me know whether what I am trying to achieve is something that Weblogic is capable of.
By the way, when I put my users under the 'myrealm' directory it does authenticate.
Please let me know
Thank you in advance.
Azim
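The search that the AdminServer log shows (getDNForUser with the filter `(&(uid=ldapuser2)(objectclass=person))`, base DN and below), done by hand from a plain JVM so that it can be pointed at either base DN. This is an added example, not code from the thread or from WebLogic: the URL, the bind DN and its password are placeholders, and the `%u` template stands in for the provider's user-from-name filter. Running it against both base DNs shows whether ldapuser2 actually resolves under `ou=users,ou=myorg`, independently of which provider the realm consulted. The login name is escaped before it is spliced into the filter, so a name containing `(`, `)`, `*` or `\` cannot change the meaning of the query.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical standalone reproduction of the provider's getDNForUser step.
 * Connection values are placeholders for the ones in the provider configuration.
 */
public class UserDnLookup {

    static final String URL = "ldap://localhost:7001";          // assumed: embedded LDAP on the server port
    static final String BIND_DN = "cn=Admin";                   // assumed: embedded LDAP admin account
    static final String BIND_PW = "<embedded-ldap-admin-password>"; // placeholder

    /** Escape a value for use inside an LDAP search filter (RFC 4515 rules). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build the search filter the way the provider does: %u is the login name. */
    static String userFromNameFilter(String template, String user) {
        return template.replace("%u", escapeFilterValue(user));
    }

    /** Return the DN of the single entry matching user under baseDn, or null if none. */
    static String getDnForUser(String baseDn, String filterTemplate, String user)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // "base DN & below", as in the log
            sc.setReturningAttributes(new String[] {"uid"});   // we only need the DN
            String filter = userFromNameFilter(filterTemplate, user);
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            String dn = null;
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (dn != null) {
                    // Two entries for one login name: refuse rather than pick one.
                    throw new NamingException("ambiguous: more than one entry matches " + filter);
                }
                dn = r.getNameInNamespace();
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String filter = "(&(uid=%u)(objectclass=person))";      // filter from the AdminServer log
        String[] baseDns = {
            "ou=users,ou=myorg,dc=domainA",    // the base DN configured in the new provider
            "ou=people,ou=myrealm,dc=domainA"  // where the log shows the search actually going
        };
        for (String baseDn : baseDns) {
            String dn = getDnForUser(baseDn, filter, "ldapuser2");
            System.out.println(baseDn + " -> " + (dn == null ? "no match" : dn));
        }
    }
}
```

If the first base DN returns the entry and the second does not, the directory layout is fine and the problem is which authentication provider the realm is using for the login; if neither returns it, the entry or its objectclass is not what the filter expects.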
These are the steps that I followed to connect weblogic 9.2 with LDAP Port 636(SSL Enabled) and it worked fine.
Steps for Installation of SSL
1. Modify the Provider Specific configuration in the Admin Console to use port 636 and 'SSL Enabled' (OR modify config.xml)
<wls:port>636</wls:port>
<wls:ssl-enabled>true</wls:ssl-enabled>
2. Back up the D:\apps\bea\wls92\weblogic92\server\lib directory
3. Copy the certificate (xxxx.cer) to that directory
4. Import the certificate into the keystore:
D:\apps\bea\wls92\jrockit_150_12\bin\keytool -v -import -alias ldapcert -keystore DemoTrust.jks -file entrust_ssl_ca.cer -storepass DemoTrustKeyStorePassPhrase
5. Add the following parameter to the JAVA_OPTIONS in the start script (setDomainEnv.cmd):
a. -Dweblogic.security.SSL.allowSmallRSAExponent=true
6. Restart WebLogic (Admin) Server
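A way to check the keytool import step before restarting the server: bind over LDAPS from a plain JVM that trusts only the keystore the CA certificate was imported into. This is an added example and not part of the steps above or of WebLogic; the host, bind DN and password are placeholders. It distinguishes a handshake failure (the certificate chain is not trusted by the keystore, or the hostname does not match) from a rejected bind (TLS fine, credentials wrong), which is the first thing to establish when the provider fails after the switch to port 636.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Hypothetical pre-flight probe: TLS handshake plus simple bind against the
 * directory on port 636, trusting only the given keystore. Run it with the
 * same JDK that starts WebLogic.
 */
public class LdapsTrustCheck {

    /** Outcome of the probe, so the caller can tell trust failures from bad credentials. */
    enum Outcome { OK, TLS_OR_CONNECT_FAILURE, BAD_CREDENTIALS, OTHER_ERROR }

    static Outcome probe(String host, int port, String trustStorePath, String trustStorePassword,
                         String bindDn, String bindPassword) {
        // JSSE reads its trust store from these properties; the JNDI LDAP provider
        // uses JSSE for ldaps:// URLs. Nothing here modifies the keystore.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // handshake and bind both happen here
            return Outcome.OK;
        } catch (CommunicationException e) {
            // An untrusted or mismatched certificate surfaces as a CommunicationException
            // wrapping an SSLHandshakeException; an unreachable port lands here as well.
            Throwable root = e.getRootCause();
            System.err.println("connect/TLS failure: " + (root != null ? root : e));
            return Outcome.TLS_OR_CONNECT_FAILURE;
        } catch (AuthenticationException e) {
            // TLS completed; the directory rejected the bind DN or password.
            System.err.println("bind rejected: " + e.getMessage());
            return Outcome.BAD_CREDENTIALS;
        } catch (NamingException e) {
            System.err.println("other LDAP error: " + e);
            return Outcome.OTHER_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // All values below are placeholders for the ones in the provider configuration.
        Outcome o = probe("ldap.example.internal", 636,
                "D:\\apps\\bea\\wls92\\weblogic92\\server\\lib\\DemoTrust.jks",
                "DemoTrustKeyStorePassPhrase",
                "cn=<bind-user>,dc=example,dc=internal", "<bind-password>");
        System.out.println("result: " + o);
        System.exit(o == Outcome.OK ? 0 : 1);
    }
}
```

This probe uses the JDK's own TLS stack, so the -Dweblogic.security.SSL.allowSmallRSAExponent flag from the start script has no effect on it; a certificate that this probe accepts but WebLogic still rejects points at WebLogic's SSL settings rather than at the keystore contents.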
Similar Messages
-
Weblogic 8.1 & Embedded LDAP server
Hi,
Is it possible to store user attributes along with username & password in the Weblogic 8.1 Embedded LDAP Server?
We have about 6 user profile attributes along with the username & password. Does weblogic's embedded LDAP Server
support this feature?
Any help will be appreciated.
thanx,
Vishwa
Hi Vishwap,
Did you ever find out how to manipulate additional information in the embedded LDAP server?
I am in critical need to do the same.
Thanks in advance for your comments.
Zi
How to change password for a user in WLS 7.0 embedded ldap in code?
I asked the similar question before but don't have an answer yet.
I need to change password for a user in my Java code. Any help will be
appreciated.
Here is my stack trace:
c:\Test>java -classpath . testEmbeddedLdap
attribute: uid
attribute: description
attribute: objectclass
attribute: wlsMemberOf
attribute: sn
attribute: cn
javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'uid=myRegularUser,ou=people,ou=myrealm,dc=mydomain'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2872)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2810)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1374)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
at testEmbeddedLdap.main(testEmbeddedLdap.java:30)
Here is my testing code:
<PRE>
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class testEmbeddedLdap {
    public static void main(String[] argv) {
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The embedded LDAP listens on the server's own listen port (7001 here)
        env.put(Context.PROVIDER_URL, "ldap://localhost:7001");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Bind as a WLS user in the Administrators group
        env.put(Context.SECURITY_PRINCIPAL, "uid=myAdministrator,ou=people,ou=myrealm,dc=mydomain");
        env.put(Context.SECURITY_CREDENTIALS, "myAdministrator");
        try {
            DirContext ctx = new InitialDirContext(env);
            String sUser = "uid=myRegularUser,ou=people,ou=myrealm,dc=mydomain";
            String sOldPassword = "myRegularUser";
            String sNewPassword = "newpassword";
            // Read the entry's attributes; this part succeeds (see the output above)
            for (NamingEnumeration ae = ctx.getAttributes(sUser).getAll(); ae.hasMore(); ) {
                Attribute attr = (Attribute) ae.next();
                System.out.println("attribute: " + attr.getID());
            }
            // Change the password as a remove-old/add-new pair on userpassword;
            // this is the call that raises the NoPermissionException in the trace
            ModificationItem[] mods = new ModificationItem[2];
            Attribute mod0 = new BasicAttribute("userpassword", sOldPassword);
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, mod0);
            Attribute mod1 = new BasicAttribute("userpassword", sNewPassword);
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod1);
            ctx.modifyAttributes(sUser, mods);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
</PRE>
"Neil Smithline" <[email protected]> wrote in message
news:[email protected]...
Two things. First, I'm not exactly sure what password you are trying to
change. The LDAP server's password or a user's password in the LDAP
server. Second, could you please post a stack trace.
Thanks - Neil
K Wong wrote:
I am using (javax.naming.directory.DirContext.modifyAttributes) to change password to our development Weblogic 7.0 embedded LDAP.
I login as the system administrator (a user in the administrators group), but always get the javax.naming.NoPermissionException - Insufficient Access Rights.
What user should I use? Any help will be appreciated.
Hai,
This condition-based execution requires javascript coding.
In the miscellaneous tools bar, you have an option of the SCRIPT_ITEM writer tool; drag the tool into your WAD layout, select the properties, choose the editor option and paste your coding. That's it.
Alternate option:
in your web application design layout, you will find the XHTML coding editor; there you need to write coding and execute the same.
Hope this will help to you.
Assign Points if its really useful.
Cheers !!!
Bye
Regards,
Giri
What is the WLS 7.0 embedded ldap admin account and password?
I am using (javax.naming.directory.DirContext.modifyAttributes) to change
password to our development Weblogic 7.0 embedded LDAP.
I login as the system administrator (a user in the administrators group),
but always gets the javax.naming.NoPermissionException - Insufficient Access
Rights.
What user should I use? Any help will be appreciated.
I need to change password for a user. Any help will be appreciated.
Weblogic.server.ServiceFailureException:com- embedded LDAP error
Hi
While starting the weblogic server, I am getting error as
weblogic.server.ServiceFailureException: Error initialisng embedded LDAP server - with nested exception
java.lang.ClassCastException:com.octetstring.vde.backend.BackendRoot
the server is not started (I have installed it as a windows service in Win2k)
Any help on this?
There are a few different ways to fix this. I do this frequently.
--Delete the data folder and boot the server; it will fix the issue. You will lose all the users' information (except the admin user) and need to recreate any other users you created. Make sure to back up the data folder.
-- Second, get the data folder from the domain_bak folder.
Hope this will fix your problem
Thanks
ksr
Edited by: ksr11 on Nov 24, 2010 10:33 AM
Can't connect to weblogic embedded LDAP from an init block
Hi
I am trying to use weblogic's embedded LDAP directory in an OBIEE RPD initialisation block, using 10g security model in OBIEE 11g. I need the internal user, BISystemUser, to be validated by an init block in the rpd, but I am not able to configure the weblogic LDAP in an init block, as it is done with AD, for example.
I am following the instructions on "Viewing the Contents of the Embedded LDAP Server from an LDAP Browser" section of this document, http://docs.oracle.com/cd/E21764_01/web.1111/e13707/ldap.htm#i1104934 and I am getting: "LDAP bind failure: Can't connect to LDAP server". Weblogic is up and running, I can connect to its console, OBIEE, etc.
I am using this settings on OBIEE:
Hostname: localhost (I've tried using the actual hostname)
Base DN: dc=bifoundation_domain
Bind DN: cn=Admin
Port: 7001
(I've already reset LDAP's Admin password to a known value).
The curious thing is that I can connect to the same LDAP using the same settings with LDAPExplorerTool2 opensource tool.
Does anyone have an idea what else is missing?
Thank you.
I also have this problem. Do you have any solution?
-
URGENT : Add & Retrieve properties from Embedded LDAP in Weblogic 9.2
I am using Embedded LDAP in WebLogic 9.2 and I followed the steps mentioned in the URL below. I have not changed anything except the Server URL, which points to localhost:7001.
http://e-docs.bea.com/wlp/docs92/users/appendixa.html#wp1055363
Questions:
1)How to add additional attributes to embedded LDAP? (eg email, phone etc).
2)How to read those properties from embedded LDAP using WebLogic Portal API? Any code samples?
Any help is appreciated.
This problem is due to hard-coded user/pwd in installation scripts. Here are the steps:
1) open file AIA_HOME/Infrastructure/install/wlscripts/FPWLCommonConfig.xml
2) reach to target CreateStartupClasses
3) there are three java tasks for com.oracle.oems.weblogic.AQJMSPasswordUtility
4) in the task for oraesb, password is hardcoded as 'oraesb' in clear text.
5) this should be password of 'ORAESB' database user.
6) change this password value; and restart the installation.
Regards,
Vaibhav -
Load balancing and failover in Embedded LDAP in weblogic
How to handle load balancing and failover in Embedded LDAP in weblogic server?
You should consider posting this to the Weblogic and/or LDAP support forums. This forum is meant for Sun Web Server questions.
Thanks
Manish -
Embedded LDAP password issue in Weblogic 7
Is this normal? Seems odd to me...
After installing weblogic 7 using the wizard and giving a new password other than "weblogic" for the "weblogic" user, and after using boot.properties to get an encrypted version, the embedded LDAP servers for both admin and managed servers do not seem to have the new password.
If I try to use JNDI to get a JMX MBean Home on the managed server, I get an exception saying I have the wrong password for "weblogic".
After using the admin console to change the password to the value it supposedly already has, the embedded LDAP servers for both the admin and consumer have a new (encrypted but presumably correct) password but the JNDI call still fails.
After undeploying and redeploying the relevant web application the JNDI call succeeds.
Killing and restarting the admin and managed servers does not seem to be relevant. Setting the read replica on startup flag doesn't seem to help. This is mostly on testing on the petstore example. This may be relevant since at some point BEA changed the user/password for it to "weblogic/weblogic"
QUESTIONS:
Does anybody understand why this is happening?
Any ideas for fixes that avoid bouncing and redeployment?
---Paul O
Never mind...
I think I have solved this with the help of an LDAP browser and a custom JNDI/JMX password tester.
One problem that threw me off was that changes that were thought to be happening in testing were not really "taking"
due to precompilation of JSPs. I had thought that redeploying made the correct password "take" but actually it was helping changes in the code to take effect. Another problem that I believe but have yet to verify contributed to the confusion and a related failure to log is that once a user is rejected repeatedly, Weblogic locks the account for a half hour by default.
The bottom line is it really pays to use instruments that tell you what the actual state of affairs is as conjectures are often wrong for unexpected reasons.
---Paul O
Paul O'Rorke wrote:
Is this normal? Seems odd to me...
After installing weblogic 7 using the wizard and giving a new password
other than "weblogic" for the "weblogic" user, and after using
boot.properties to get an encrypted version, the embedded LDAP servers
for both admin and managed servers do not seem to have the new password.
If I try to use JNDI to get a JMX MBean Home on the managed server, I
get an exception saying I have the wrong password for "weblogic".
After using the admin console to change the password to the value it
supposedly already has, the embedded LDAP servers for both the admin and
consumer have a new (encrypted but presumably correct) password but the
JNDI call still fails.
After undeploying and redeploying the relevant web application the JNDI
call succeeds.
Killing and restarting the admin and managed servers does not seem to be
relevant. Setting the read replica on startup flag doesn't seem to
help. This is mostly on testing on the petstore example. This may be
relevant since at some point BEA changed the user/password for it to
"weblogic/weblogic"
QUESTIONS:
Does anybody understand why this is happening?
Any ideas for fixes that avoid bouncing and redeployment?
---Paul O -
can someone please confirm - can the embedded ldap server within weblogic handle password policies like min length, max expiry etc... I can't believe that it can't do things like this which seem fundamental to any security set-up.
If it doesn't can anyone recommend a good 3rd party ldap solution to use with weblogic ?
cheers,
Brent
Hi, Brent.
Internal ldap properties you can change will be in the file vde.prop. However, you've hit the nail on the head, this is a basic implementation. There are more discussions of it here: http://monduke.com/ Note that you cannot remove this without causing problems. Leave it there, and just add another provider for your normal users.
I recommend that you configure an alternate authentication provider, which can stitch you to one of many robust providers, like OpenLDAP or ActiveDirectory.
Cheers,
-Adrian -
Embedded LDAP on Weblogic Server
Hi Everyone
I'm currently using the embedded LDAP available in Weblogic for Security for SOA 11g.
The users are getting updated in the system-jazn.xml file. But I don't know where the email information is getting stored. Does anyone know where it is stored?
Is there a way I could download the users, roles and user properties from the embedded LDAP?
Regards
Sabir
Hi Sabir
1. By default, as far as I know, from pure WLS point of view, we can create new users with just username and password like from WLS Admin Console.
2. I am not much familiar with "The users are getting updated on the system-jazn.xml file". Is this like External Authentication Provider that you configured with WLS.
3. For example, WLS can be configured with any External LDAP sources that has full User Profile and username and password etc. Then for say Weblogic Portal Applications, we have some procedure, to view the entire profile. Even for out of box Embedded LDAP in case of Weblogic Portal Appliations only we can View/Edit the full User Profile from something called Portal Admin Console. But this is all specific to Weblogic Portal Applications only.
If you can give more details on this "system-jazn.xml" file, we can look into it. But when it comes to core WLS, all you can do, configure it with any External Security Provider from Weblogic Console. And additionally create your own custom Authentication Provider. Coming to Profile, I know for Weblogic Portal Applications deployed on this WLS + portal modules, we can View/Edit full Profile.
HTH
Ravi Jegga -
Changelog.data size growing too big in embedded LDAP /weblogic
Hi Team,
We have embedded LDAP.
We are having issues in setting the number of entries for changelog.data.
Could anyone of you help as to how we could set the threshold for changelog.data?
we are using Linux server and weblogic as app server.
Thanks In Advance..
Thanks..
But that doesn't seem to be working.
I have set the following parameters in startup:
-javaagent:/app/platform/wily/current//Agent.jar -Dcom.wily.introscope.agentProfile=/app/platform/wily/current/IntroscopeAgent.profile -Dcom.wily.introscope.agent.agentName=Cramer-Dev0-RM-Admin -Dweblogic.security.ldap.changeLogThreshold=10 -Dweblogic.security.ldap.maxSize=1048576
Now prior to setting 10, I had set it to 30, cleared changelog.data and restarted. It got generated with 28mb size.
After setting 10 also it's the same size of changelog that I could see.
Could you tell me what went wrong..
Thanks -
"ming qin" <[email protected]> wrote in message news:[email protected]..
I would like to have entries as users.
There are a few issues that arise as the number of users increases. The first is management of all these users. Will you be able to load/update/manage all of the users via the WLS console? You can certainly use external LDAP tools to manage the data in the WLS embedded LDAP server, but using an external LDAP server may offer better tools for management than those offered in WLS.
The second is performance. Since the LDAP server embedded within WLS uses in-memory indices, the time to load the indices and the memory required for storing them increases as the number of users increases. 20-50K seems to have reasonable performance.
The last is extensibility. The WLS default authenticator stores user, description, and password. You may have different requirements and want to store additional information.
How to configure human workflow using embedded ldap in standalone weblogic
I am trying to use embedded ldap to select users for a human workflow. I have created an application server instance using soa server details but the realm field in human workflow remains empty.
Please let me know what would be the right steps.
Can you provide more details about the context of where this happens? Are you selecting users in the Organization editor in BPM studio? Is this on 11.1.1.3 or 11.1.1.4?
-
BIP 10.1.3.4 with WLS Embedded LDAP
Hi All,
Details of my setup.
1. BIP installed in weblogic
2. BIP Security model setup to point to LDAP (wls embedded). The following details I specified:
a. cn=Admin/passwd
b. Distinguished Name for Users:
ou=people,ou=myrealm,dc=base_domainname
c. Distinguished Name for Groups
ou=groups,ou=myrealm,dc=base_domainname
d. Rest all left blank.
3. I created the XMLP_* (all 5 groups to in the wls myrealm).
4. I created the users and assigned them the above 5 groups as well as all other groups that were present.
5. I did create the Super User also.
I am able to login using the LDAP users but I am not able to see the Reports (as well as Admin tab etc), whenever I click on the Shared folders I get an "Unauthorized Access: Contact Admin" error.
I suspect BIP is not able to resolve the groups for the users.
Could anyone tell me where I am wrong and what needs to be done? I think I have not provided the group details like search filter, group attribute name etc.
I am a bit new to weblogic and not sure what details I should provide for the embedded ldap in BIP.
Any help is much appreciated.
Thanks
This information is available in the "Certification" tab in My Oracle Support. One assumes that this verification is done before you actually perform the database upgrade.
HTH
Srini