Weblogic Server 10.3.0 and LDAP authentication Issue
Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine, but I am having an issue with authorization.
I am not able to access the default WebLogic administration console app using any of the LDAP users; I get a Forbidden message.
It appears to me that the WebLogic Server is not pulling the proper groups from the LDAP that the user belongs to.
Can anyone please point me in the right direction to get this resolved?
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user called uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the WebLogic and configured what is required to communicate with OID (the config.xml snippet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as SUFFICIENT as well.
- Re-ordered the authentication providers such that OIDAuthentication is first in the list and the default one is last.
- Looking at the log file I see there are no groups returned for this user, and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as opposed to Admin (because the OID user is part of the Administrators group in OID, it should be returning Admin as far as I can tell). Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did an ldapsearch and found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b "ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames))"
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<url>>
<1291668685702> <BEA-000000> < Parent: null>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Roles:Anonymous>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Direction: ONCE>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>
Okay, finally the issue is resolved. Here are the findings to help others in case they run into the same issue.
The OID version that we are using is not returning the groups for the way WebLogic is building the ldapsearch command. We captured the LDAP traffic to go deeper and noticed the filter and attribute list that WLS was asking for. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
It was the "cn" attribute that was causing the result set to be empty.
From a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we started looking into the OID configuration, and one of my coworkers pointed me towards the orclinmemfiltprocess attribute in the cn=dsaconfig entry and told me that they had had a lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo, it worked!
Since we needed groupofuniquenames in this list for performance/other reasons, we decided to use a different objectclass for our groups instead, i.e. orclGroup.
Thanks everyone for showing interest in the problem and providing suggestions.
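The debug trace in the question and the findings above describe one chain: the OID authenticator binds the user, the uniquemember group search comes back empty, the XACML role mapper therefore only sees the built-in everyone/users groups and returns Anonymous, and the console URL is denied. The script below is an added example, not part of the original thread and not WebLogic or OID code; it walks a WebLogic security debug log and summarises that chain so the failing step stands out without reading hundreds of lines. The sample lines are copied from the thread's own trace, the regular expressions are written against the message shapes shown there (an assumption about the format, nothing beyond what is visible on the page), and the last finding repeats the thread's own conclusion that the attribute list requested alongside the filter, not just the filter, should be compared against a manual ldapsearch.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the lines below are copied from the thread's own debug
# trace (the OID authenticator succeeds, the group search finds nothing, the
# XACML role mapper returns Anonymous and the console URL is denied).
SAMPLE_LOG = """\
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
"""

# One pattern per debug message shape that matters for the diagnosis; the
# shapes are taken from the trace above (assumed stable), nothing else matches.
_RE = {
    "user": re.compile(r"<LDAP Atn Login username: ([^>]+)>"),
    "auth_ok": re.compile(r"<authentication succeeded>"),
    "auth_fail": re.compile(r"Authentication Failed: User \S+ denied"),
    "dn": re.compile(r"<DN for user [^:]+: ([^>]+)>"),
    "search": re.compile(r'<search\("([^"]*)", "([^"]*)"'),   # group lookup only
    "more": re.compile(r"<Result has more elements: (true|false)>"),
    "groups": re.compile(r"subject:group,(?: SC=null,)? Value=\[([^\]]*)\]"),
    "roles": re.compile(r"<XACML RoleMapper getRoles\(\): returning roles ([^>]*)>"),
    "decision": re.compile(r"<XACML Authorization isAccessAllowed\(\): returning (\w+)>"),
}


def parse_group_filter(ldap_filter: str) -> Dict[str, str]:
    """Split the (&(<attr>=<member dn>)(objectclass=<oc>)) filter WebLogic
    builds for group lookup into its parts; returns {} for any other filter."""
    m = re.match(r"\(&\((\w+)=(.+)\)\(objectclass=([^)]+)\)\)$", ldap_filter, re.I)
    if not m:
        return {}
    return {"member_attr": m.group(1), "member_dn": m.group(2), "objectclass": m.group(3)}


def triage(log_text: str) -> Dict[str, Any]:
    """Walk the debug lines in order and summarise authentication, group
    lookup, group-to-role mapping and the final access decision."""
    report: Dict[str, Any] = {
        "user": None, "user_dn": None, "authenticated": None, "group_search": None,
        "groups": [], "roles": [], "decision": None, "findings": [],
    }
    pending: Optional[Dict[str, Any]] = None   # group search awaiting its result line
    for line in log_text.splitlines():
        if m := _RE["user"].search(line):
            report["user"] = m.group(1)
        elif _RE["auth_ok"].search(line):
            report["authenticated"] = True     # the last provider's verdict wins
        elif _RE["auth_fail"].search(line):
            report["authenticated"] = False
        elif m := _RE["dn"].search(line):
            report["user_dn"] = m.group(1)
        elif m := _RE["search"].search(line):
            pending = {"base": m.group(1), "filter": m.group(2), "found_groups": None,
                       **parse_group_filter(m.group(2))}
        elif (m := _RE["more"].search(line)) and pending is not None:
            pending["found_groups"] = m.group(1) == "true"
            report["group_search"], pending = pending, None
        elif m := _RE["groups"].search(line):
            report["groups"] = [g.strip() for g in m.group(1).split(",") if g.strip()]
        elif m := _RE["roles"].search(line):
            report["roles"] = [r.strip() for r in m.group(1).split(",") if r.strip()]
        elif m := _RE["decision"].search(line):
            report["decision"] = m.group(1)
    report["findings"] = _findings(report)
    return report


def _findings(r: Dict[str, Any]) -> List[str]:
    """Turn the summary into the plain-language diagnosis a reviewer wants."""
    out: List[str] = []
    gs = r["group_search"]
    if r["authenticated"] and gs and gs.get("found_groups") is False:
        out.append(f"bind as {r['user_dn']} succeeded but the group search under "
                   f"{gs['base']!r} with filter {gs['filter']!r} returned nothing; "
                   "run the same search with ldapsearch and compare not only the "
                   "entry count but the attribute list WebLogic asks for")
    if r["authenticated"] and set(r["roles"]) <= {"Anonymous"}:
        out.append("only the Anonymous role was mapped: no directory group reached the "
                   "role mapper, so the Admin role's Administrators condition cannot hold")
    if r["decision"] == "DENY":
        out.append("final access decision is DENY; the Forbidden page is the expected result")
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("user", "user_dn", "authenticated", "groups", "roles", "decision"):
        print(f"{key:14} {result[key]}")
    for finding in result["findings"]:
        print("-", finding)
```

Feed it the full debug output from the server log (the whole block the question pastes) and the three findings line up with the three places the thread eventually looked: the group search, the role mapper's group list, and the authorization decision.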
Similar Messages
Hi
For the past two days I have been trying to download WebLogic Server 10.3.5 and ATG 10.3.2 for 64-bit Windows, but the download stops after downloading 30 or 40 MB, and once I got a network error. I don't know what the issue is. I even disabled my antivirus and firewall, still no luck. Any help is appreciated.
Thanks.
I hope you are using the following link to download Oracle WebLogic Server 10.3.5:
http://www.oracle.com/technetwork/middleware/ias/downloads/wls-main-097127.html
Oracle recommends using a download manager. Download managers can help if you are having trouble connecting, completing a download, or wish to queue up several files for unattended downloading. While Oracle does not provide or certify the use of any download managers, we recommend choosing one that is rated for the file size you are downloading and ensuring that it allows cookies to be passed to the download server.
Or you can also request Oracle to ship DVDs; please use the following MOS note to follow the process.
My Oracle Support Doc ID 1071023.1 'Requesting Physical Shipment or Download URL for Software Media'.
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?
Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos
Hello,
We are approaching this time of the year again...
I would like to redirect you to the Support Note 1370083.1 "Oracle WebLogic Server (WLS), Time Zones, and DayLight Saving Time (DST) Changes"
This note lists what is to be expected from WebLogic Server regarding this time change period, in terms of behavior, both for the engine and the applications deployed onto WLS.
Regards,
Patrick.
Probably this:
http://www.jdocs.com/castor/0.9.5.3/api/org/exolab/castor/xml/handlers/DateFieldHandler.html
Solaris 10 and LDAP Authentication
We're trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be any /etc/passwd or /etc/group user entries (only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to set up the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP client. Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process (posixAccount, shadowAccount, etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do. All of our users' paths will be under /export/home/username.
Am I missing any steps?
Does anyone have a step-by-step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords and automounts for each user?
You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary
Configuring Weblogic Server for X.509 Smart Card Authentication
I am running Oracle Weblogic 11g (10.3.6) and attempting to configure two-way SSL (client certificate requested and enforced). The client certificate is on a smart card.
I have enabled "basic" ssl in the weblogic server, and used keytool to import the relevant root CA certificates into the DemoTruststore.jks file. I have set the Two-way client cert behavior to Client Certs Requested and Enforced for the server.
Unfortunately, attempting to access my application causes the following:
<Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
<NO_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
<Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
The ActivClient dialog never appears to select a certificate from the Smart Card, and a pin is never requested. Therefore, I think I misconfigured something.
Help would be greatly appreciated.
Jason
Hello Mukunthan Damodharan,
this means that the SSL server certificate does not have its fully qualified name in the subject alternative name extension of the X.509 certificate.
You can create a valid one or disable that check in the Secure Login Client.
How does the configuration get to the clients?
With the Policy Download you can disable that check over the Secure Login Server Administration console in the corresponding authentication profile.
If manually, you can change the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>]
"sslHostAlternativeNameCheck"=dword:00000000
The value 0 disables that check on the client.
Best regards
Alexander Gimbel
Database Table and LDAP Authentication in the same repository?
I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
Thanks,
-Matt
Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Block. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
1) LDAP "authentication" init block sets custom variable LDAP_USER
2) Table "authentication" init block sets custom variable TABLE_USER
3) Final authentication init block (the real one) sets USER variable using something like this:
SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END
FROM DUAL
WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
ELSE ':TABLE_USER'
END = ':USER'
Note how I use the CASE statement both to return the user value I want the USER variable to be set to and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependencies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init blocks and it worked fine for me. Give it a try and let me know how it goes.
OBIEE 11g installation - Weblogic server on one host and obiee on another
Hi
I am doing obiee11g installation with the following topology:
1. Weblogic on one Linux Host
2. OBIEE on another Linux server
I am able to successfully complete the WebLogic installation and I started the OBIEE installation on the other machine. The installation fails at the following point:
Specify Installation Location:
Oracle Middleware Home: /u01/app/oracle (This is where I have the question: this should be the WebLogic Server location hosted on the other machine, so it should ask me for a host name or IP address)
Oracle Home Directory
Has anyone done the installation with the above, and how do I overcome this issue? Should I share the drive using an NFS mount, or is there another solution? Your help is appreciated.
Thanks
Hi,
Can you clarify the questions below?
Do you have both servers on the same network?
Thanks. -
Weblogic server 9.2 security and administration
hi all,
I have a few questions in my mind; can anybody answer these?
1> In WebLogic Server 9.2, can the existing infrastructure generate an automatic alert when a server instance goes down or on any error during running, and make it available to the administrator anywhere? If yes, then how?
2> Can we, as administrators, decide the privileges/access to be given to the client by setting a proxy with username and password? If yes, how?
3> For security purposes, as a user logs out can we make provision to shut down the browser instead of just signing out?
4> If I need to deploy a J2EE application on WebLogic Server that was created using some other IDE, what are the steps/points to be considered as a pre-migration study?
I will be thankful if anybody tries to answer these questions.
with regards
santoh.r
Hello User,
You can find the application under below path
Domain_name - Expand "Environment" and Select " Deployments " - here your application will show which are deployed in this domain.
Please refer to http://docs.oracle.com/cd/E13222_01/wls/docs100/intro/console.html
Regards
Laksh -
Weblogic server: how to send (and receive) mail directly
Hi everyone,
As the subject says, I want to configure WebLogic Server to send (and receive) notification messages to user email addresses. Is it possible?
Any suggestion is appreciated.
Thanks.
Hi Mr. Nimphius,
I have created the mail session with the integrated weblogic server with the following properties:
mail.debug=false;
mail.smtp.password=xxxxx;
mail.smtp.starttls.enable=true;
mail.smtp.user=[email protected];
mail.smtp.host=smtp.gmail.com;
mail.smtp.auth=true;
mail.smtp.port=587;
mail.disable=false;
mail.verbose=true;
mail.transport.protocol=smtp;
and here is the result:
javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have any ideas to resolve this Exception? -
Admin training for WebLogic Server - just the Forms and Reports parts
We will be upgrading our Forms & Reports application from 10gR2 to 11g. Our customers (well their DBAs) will need to install and manage WebLogic Server. So I'm looking for a training course where they can learn how to do that. The WebLogic Server admin course is 5 days, and another 4 for Advanced System Admin, which seems a lot as they are only going to use the parts required for Forms and Reports.
I have read through the tutorial Using Oracle Enterprise Manager to Administer Forms Services. Is this the extent of what they need to know, or is there another chunk of the iceberg under the water? Can you recommend a training course please?
Hi,
After installing Forms, the installer itself configures the WLS with the domains etc. and also deploys Forms. After this, it is similar to the 10g Application Server. All the maintenance of Forms is done using Enterprise Manager (EM Console). So, the section you mentioned should suffice.
-Arun -
DBConsole (DBControl) and LDAP authentication
Does anyone know if it is possible to use LDAP authentication to log in to the DBConsole? I have a user "identified globally as 'cn=username,dn=...'" who can log in to the database locally and remotely through SQL*Plus but gets an ORA-01017 when trying to log in to the DBConsole.
Any help greatly appreciated.
Rgds,
Barry Winterbottom -
Server 4.0: Client and Computer Authentication
Hello. In Active Directory we have Domain Controllers. Is there any way I can make the Mac OS Server the authentication and authorization server for all Macs on a remote LAN. -Rather than installing another DC. At this time they're authenticating via WAN VLAN tunnel to one of our DCs.
Thanks in advance!
If you're using only OD you can set up a master OD and have other MOSX servers bound to that master OD (or its replicas). The same thing should be possible to do by binding your MOSX server(s) to AD and then having clients authenticate towards the server(s) with AD accounts. It is really pesky to have two sets of users. We are at a transfer state from OD to AD and, well, it's a little messy so I definitely prefer having one user directory.
If you have the possibility to set up a test server (virtualised is wonderful with snapshots and everything, could be possible to do on your own desktop/laptop even, VMWare/ESXi only) I would definitely try to bind the server(s) to AD if that's already existing and see if it works as expected before setting up another user directory. -
I hope someone can help me with these issues:
ISSUE 1
I am attempting to get WebLogic to authenticate to NDS via LDAP. Currently this is
working but only by using the "bind" option for User Authentication when setting
up the LDAP realm. The issue that I am having is that I need NDS to perform the authentication
for me and to return just a "yes" or "no" answer. This would imply that the user
authentication method to use is "external". However, every time we set up "external"
on the LDAP Realm, WebLogic DOES NOT start up - it complains of an invalid user authentication
mechanism.
ISSUE 2
The second issue involves setting up the WebLogic LDAPRealm to cater for more than
one group.
The NDS server consists of a tree with about 5 organisational units. Each of the
organisational unit (OU) is a logical division of the business. Users that will use
the product we are implementing will fall into two of the five OUs. There seems to
be no way in WebLogic 6.0 to specify more than one group in the LDAP realm settings.
This implies that the WebLogic groups need to lie at root level, which makes absolutely
no sense structurally. Also given that there are 2000 users on the system and they
all have different NDS contexts, searching for users when authenticating is going
to affect the performance and response time of WebLogic.
How can I set up various contexts in WLS' LDAPRealm? -
VDI 3.1 and SSGD authentication Issues
Hi all, I have two servers with brand new VDI 3.1 installation plus SSGD.
Everything is configured, and working OK only for SOME users, awesome
My krb5.conf file looks like the following:
[libdefaults]
default_realm = DOMAIN.COM
default_checksum = rsa-md5
[realms]
DOMAIN.COM = {
kdc = server1
kdc = server2
admin_server = server1
kpasswd_server = server1
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
kinit authentication works for ALL users, but only some users will
authenticate to SSGD (configured for AD) and Sun Ray.
Even trying /opt/SUNWvda/lib/vda-client u USER will work only for some
users, and others will not.
If I create a test user in AD, it will not work.
Restarting servers, cacaoadm, etc... does not solve the issue...
If enabling debug on cacaoadm, here is the result:
03/01/2010 15:04:39 com.sun.vda.service.client.ClientRequestWorker run
FINEST: thr#19 Received request from vda-client (127.0.0.1): start(user=USER)
03/01/2010 15:04:39 com.sun.vda.service.ldap.UserDirConnection searchForUser
FINEST: thr#19 start searchForUser authenticate=true changePwd=false
03/01/2010 15:04:39 com.sun.vda.service.ldap.UserDirConnection searchForUser
FINEST: thr#19 start loginHelper.authenticate for username=USER
03/01/2010 15:04:39 com.sun.sgd.directoryservices.core.DirectoryServiceContext authenticate
FINE: thr#19 Authenticating USER to com.sun.sgd.directoryservices.core.service.ADForestService#ad://DOMAIN.COM/dc=DOMAIN,dc=COM
03/01/2010 15:04:39 com.sun.sgd.directoryservices.core.error.ErrorHandler handleError
FINE: thr#19 Processing javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
03/01/2010 15:04:39 com.sun.sgd.directoryservices.core.error.ErrorHandler handleError
FINEST: thr#19 Handling error:
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
Working users give "completed kerberos auth for WORKINGUSER"
Checked working users against non working users with ldp.exe on windows domains, and are identical.
Any ideas? I can test at nights, as this is in production with old version
(using Virtual Machines)
Thanks a lot!
Edited by: viktu_Pons on Jan 3, 2010 6:10 AM
Hi there,
I found a similar error on the Kerberos/Java forums:
http://forums.sun.com/thread.jspa?messageID=10845449
The solution is to use the RC4-hmac enctype in your krb5.conf file:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
Does this resolve the problem? Can you confirm that your DC is running at "Windows 2003 Server Forest Functional Level"? I have three forests of Win2008 servers and all DCs are running at "Windows 2008 Server Forest Functional Level" and I do not see this problem.
Hope this helps,
-- DD
Edited by: DeanyDean on Jan 8, 2010 1:57 AM
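An added example (my own code, not anything posted in this thread): a parser for the nested-brace krb5.conf layout shown above, used to check whether the enctypes the client will request overlap what the KDC can serve. The "(14)" in the trace is the Kerberos error code KDC_ERR_ETYPE_NOSUPP, which the KDC returns when no requested enctype is usable; the KDC enctype set and the built-in default client list in the block are constructed assumptions, not values from the thread.

```python
"""Parse a Solaris-style krb5.conf (nested '{ }' blocks) and check the
client/KDC enctype overlap. Added example, not from the forum thread.

Kerberos error code 14 is KDC_ERR_ETYPE_NOSUPP ("KDC has no support for
encryption type"): none of the enctypes the client asked for could be served.
"""
import re

# Common krb5.conf aliases mapped to canonical enctype names.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
}

# Constructed stand-in for the library's built-in default list (AES only).
DEFAULT_CLIENT_ENCTYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")

# The krb5.conf from the thread (closing braces restored), as sample input.
THREAD_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
default_checksum = rsa-md5
[realms]
DOMAIN.COM = {
kdc = server1
kdc = server2
admin_server = server1
kpasswd_server = server1
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log.
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
"""

# The same file with the two enctype lines from the reply added.
FIXED_KRB5_CONF = THREAD_KRB5_CONF.replace(
    "[libdefaults]\n",
    "[libdefaults]\ndefault_tkt_enctypes = rc4-hmac\ndefault_tgs_enctypes = rc4-hmac\n",
)


def parse_krb5_conf(text):
    """Return {section: {key: value}}. 'key = {' opens a nested dict; a repeated
    key (the two kdc = lines) becomes a list. Raises on unbalanced braces."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key before any [section]: " + line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("expected 'key = value': " + line)
        current = stack[-1]
        if value == "{":
            current[key] = {}
            stack.append(current[key])
        elif key in current:
            prev = current[key]
            current[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return sections


def client_enctypes(conf, key="default_tkt_enctypes"):
    """Enctypes the client will request, in preference order."""
    raw = conf.get("libdefaults", {}).get(key)
    if raw is None:
        return list(DEFAULT_CLIENT_ENCTYPES)
    return [ALIASES.get(name, name) for name in raw.replace(",", " ").split()]


def negotiate(conf, kdc_enctypes):
    """First requested enctype the KDC can serve, or None (the KDC would
    answer with KDC_ERR_ETYPE_NOSUPP, error code 14)."""
    for name in client_enctypes(conf):
        if name in kdc_enctypes:
            return name
    return None


if __name__ == "__main__":
    rc4_only_kdc = {"rc4-hmac"}  # constructed: KDC holds only RC4 keys
    for label, text in (("as posted", THREAD_KRB5_CONF), ("with rc4-hmac", FIXED_KRB5_CONF)):
        chosen = negotiate(parse_krb5_conf(text), rc4_only_kdc)
        print(f"{label}: {chosen or 'no common enctype -> error 14'}")
```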