Weblogic with Active Directory Authentication provider problem: DN for user ....: null

I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyOwnADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
        <wls:host>10.20.150.4</wls:host>
        <wls:port>5000</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
        <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
        <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
        <wls:cache-enabled>false</wls:cache-enabled>
        <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.

I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>

Similar Messages

Active Directory Authentication in Weblogic 8.1

Hi,
We want to do authentication from Microsoft Active Directory using weblogic 8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working. Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me know how
to proceed.
2. Is there any tool by which I can get to know the different attribute asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind. Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

Amit,
We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
and downs though.
|
|
1) First, make sure you are sending right LDAP queries to AD. To verify this,
we used free 3rd party LDAP browser from Softerra. There is also java based free
browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
Play with your LDAP settings using this and make sure AD is returning the right
data.
|
2) AD has some default settings that makes it return only the top 1000 users.
Use ntdsutil.exe to modify these default settings
|
3) AD needs to have the right set of users and groups. To configure this, refer
to WLS docs. This is very well documented in WLS docs. Also refer to this article
http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
reference
|
4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
another product AD/AM (AD in Application Mode) in combination with MIIS server.
But if you are using sp2, you shouldn't be worry about this.
|
5) In your providers, you might want to get rid of the DefaultAuthentication provider,
once you are able to establish a connection with your ActiveDirectoryAuthentication
provider. The DefaultAuthentication provider causes some problems and does not
let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
investgated the root of this prob. When we deleted DefaultAuthentication provider,
everything worked normally - so we didn't really care that much :-)
|
6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
your are able to authenticate talk to your AD.
|
These are the ones I could think of. Hope this helps..
Regards,
Anant
"Amit" <[email protected]> wrote:
>
Hi,
We want to do authentication from Microsoft Active Directory using weblogic
8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working.
Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me
know how
to proceed.
2. Is there any tool by which I can get to know the different attribute
asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there
any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind.
Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in
Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
a managed server using the node manager? I can boot the server without the AD
authenticator and I can also boot the server using a script and successfully authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
configuration works fine with weblogic running on W2K, but not on Solaris (it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Solved the problem. The 'domain root' directory specified in the remote start configuration,
must contain a copy of the file 'SerializedSystemIni.dat' that was created along
with the domain, in order to boot when an AD authenticator is configured. If an
AD authenticator is not configured, no file is required. This was not a platform
specific issue; on Win2K I had configured the 'domain root' remote start parameter
to point to an existing domain root and not a new directory.
"Andrew Walker" <[email protected]> wrote:
>
Has anyone managed to setup a WLS 7.0 Active Directory authenticator
and booted
a managed server using the node manager? I can boot the server without
the AD
authenticator and I can also boot the server using a script and successfully
authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup
a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
This
configuration works fine with weblogic running on W2K, but not on Solaris
(it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
<main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException:
RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException:
Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute
method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Problems with Active Directory and Windows 2003

Hello,
I'm using Mac OS X Server 10.4.9 with Active Directory bound to a Windows 2003 Active Directory Domain. I can bind successfully to the domain using the graphical interface. Then in Samba I can access shared directories using Windows users. However, after some time somehow there are problems and Windows users aren't authenticated anymore on the Mac. I've looked at the firewall and there are no denied packets from the Mac. There are two servers in the domain, all clocks are synchronized and domain information is up to date. When I unbind the Mac, I can see the machine account being deleted on both domain servers and created too on both machines when I bind to the domain.
Problems occur when I try login in using ssh or samba do I think this is a problem with the AD module.
I turned on debugging messages on DirectoryServices:
sudo killall -USR1 DirectoryService
When in Windows, using the Administrator user I try:
net use \\10.0.0.1 /user:domain\Administrator
Where 10.0.0.1 is the Mac.
In the Mac I get from
tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log |grep ADPlug
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=domain\\administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User ADMINISTRATOR
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\ADMINISTRATOR)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\administrator
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=domain\\administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling OpenDirNode
2007-06-27 10:48:38 CDT - ADPlugin: Opening Specific Node domain.com.mx
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16833877 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16833877 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling CloseDirNode
2007-06-27 10:48:42 CDT - ADPlugin: Calling OpenDirNode
2007-06-27 10:48:43 CDT - ADPlugin: Opening Specific Node domain.com.mx
2007-06-27 10:48:43 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:43 CDT - ADPlugin: 16833881 - Calling GetRecordList Routine
2007-06-27 10:48:43 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:43 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:43 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:43 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:43 CDT - ADPlugin: 16833881 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:43 CDT - ADPlugin: Calling CloseDirNode
I really don't know what to do. The Windows Event log shows no messages. The link used to work and there have been no changes in the domain servers.
The key line seems to be:
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
But I don't know what that ADSEngine.mm is.
XServe G5 Mac OS X (10.4.9)

Hello.
Thanks for your reply.
I tried the net use with a drive letter with and without the /user switch. When I use a domain user domain\user1 I can't connect. When I use a user local to the XServe it works.
When I use
net use x: \\10.0.0.1\share /user:domain\user1
I get prompted for a password, but it doesn't work.
I checked the firewall and all packets to or from the mac are accepted, no denied or dropped packages.
I already went through the MS document on fw ports. Before I opened to Kerberos ports the binding failed. No the binding work OK.
Some users who were authenticated yesterday still can access files using the Windows domain accounts. It's new users trying to connect those who have problems.
This is what the Samba log.smbd log shows:
[2007/07/04 14:58:45, 2] /SourceCache/samba/samba-100.7/samba/source/smbd/sesssetup.c:setupnew_vcsession(662)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/07/04 14:58:45, 2] /SourceCache/samba/samba-100.7/samba/source/smbd/sesssetup.c:setupnew_vcsession(662)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/07/04 14:58:46, 0] /SourceCache/samba/samba-100.7/samba/source/auth/authutil.c:make_server_infoinfo3(1138)
makeserver_infoinfo3: pdbinitsam failed!
[2007/07/04 14:58:46, 0] pdbods.c:odssamgetsampwnam(2329)
odssam_getsampwnam: [0]getsam_recordattributes dsRecTypeStandard:Users no account for 'user1'!
[2007/07/04 14:58:46, 2] /SourceCache/samba/samba-100.7/samba/source/auth/auth.c:checkntlmpassword(367)
checkntlmpassword: Authentication for user [user1] -> [user1] FAILED with error NTSTATUS_NO_SUCHUSER
This is what the DS log shows:
2007-07-04 14:58:46 CDT - ADPlugin: 16892201 - Calling GetRecordList Routine
2007-07-04 14:58:46 CDT - ADPlugin: Search Records called in ADSWrapper
2007-07-04 14:58:46 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-07-04 14:58:46 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=user1)(sAMAccountName=user1)(displayName=user1)( mail=user1)(userPrincipalName=user1)(userPrincipalName=user1@*)))
2007-07-04 14:58:46 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-07-04 14:58:46 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-07-04 14:58:46 CDT - ADPlugin: Returning 0 Results
2007-07-04 14:58:46 CDT - ADPlugin: 16892201 - Put 0 records in Buffer for RecordList
XServe G5 Mac OS X (10.4.9)

Active Directory - Authentication Problem

Hi Guys,
I'm seeing something really weird in my Environment.
For example, we have two users as example below in our Active Directory:
jonesp - Paul Jones
jonesph - Phillip Jones
These users can't login into any Mac connected in Active Directory, on PCs the login goes fine.
But when I renamed the login jonesp to jonespa, both users can login in the Macs.
Anyone have this issue too? There is a KB telling about this behavior?
This happens on Macs running 10.7.* and 10.8.*.
Thanks

Sorry CT,
The problem isn't with Active Directory, this only happens on Macs.
The problem doesn't happens with Windows and Linux, only on Macs.
Anyway thanks for your help.
Regards

OS X Server + Active Directory Authentication Issue with Wikis

Hello,
I recently purchased an Apple XServe with Snow Leopard installed. The purpose of this server is to enable students and teachers to create Wikis and Blogs.
The majority of my environment is MS, with Active Directory as our LDAP provider.
I have joined the server to my domain and can add domain accounts to the Wiki creation access list without issue, but whenever I try to login to the server's web interface with one of those accounts the login screen shakes and prompts for another set of credinitals.
What am I doing wrong? Open Directory seems to be setup properly and has been kerberitized as it requested when I joined the box to the domain.
Thank you all for your help,
David
Message was edited by: DHeath_WJCC

please ask in the Snow leopard server forum
http://discussions.apple.com/category.jspa?categoryID=96

WebLogic 10.3.3.0 MS Active Directory Authentication steps

Hi everyone.
I'm trying to configure WLS with Active Directory provider, to give my application security.
For now I can see the users and the groups correctly in the administration console, but when i go to my application I can`t login with any user of my active directory.
I think i miss some step.
Please can some one giveme the steps to configure the securityrealm.
Thanks in Advance.
Cristian.

Hi Cristian
1. I hope you already restarted the server after configuring the AD.
2. When you restarted, please make sure there NO errors in the log files and in the command window from where you run startWeblogic.cmd. Just incase if you miss or give wrong info for AD like host, port, username, pwd etc, you should see errors like could NOT connect to LDAP etc. Incase if you DO NOT see any errors, then only things you need to cross check are userbasedn and groupbasedn values. These are the important values that actually bring the users/groups from these heirarchies. So if possible using any open source LDAP client first connect to AD and for couple of users and groups get full dn and cross check with what you configured in WLS console.
3. Just for reference here are some old posts. Hopefully you did all this, if not please refer these posts of mine:
Re: LDAP Configuration
Thanks
Ravi Jegga

Oracle forms authentication with active directory without OID

Hi Gurus,
I need to implement active directory authentication in oracle forms.
My scenario is this:
1. The user is created in active directory
2. The user is imported in our aplication, and then I assign the roles in Oracle, and create the user in my aplicattion.
When the user logs, the system have to validate the password with MS-AD. If the password is right, then, the system start a session in Oracle.
My questions are:
1. How can I validate the password in AD ? Is it in clear text, unix crypt, AES ?
2. In case the user has changed the password in AD, how can obtain he logs in oracle with the new password ?
We use oracle enterprise edition, but we don't have oracle applications, so i can't use identity management.
Thanks in advance for your help

You will need Oracle SSO and OID to implement Active Directory authentication for Oracle Forms. It comes with Oracle Application Server. You will need to read up on how to use AD instead of OID as the user store for Oracle Single Sign-on (SSO). Forms will use SSO to login not really knowing which user store is used so there is no config needed on the Forms side (except enabling SSO).

Authentication with Active Directory Group in WLS 10.0

Hi,
By using the Active Directory authenticator in WLS 10.0, I managed to get connected to the AD and can see the groups and users in the administration console.
But, I am having troubles setting up the security role(s) in my web app. I can't figure out how to configure it so that I can actually sign in to my web app using an AD group.
Here are the web.xml & weblogic.xml files:
web.xml
<web-app>
<welcome-file-list>
<welcome-file>/SecuredPage.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name/>
<web-resource-collection>
</web-resource-collection>
<auth-constraint>
<description>Constraint for aduser</description>
<role-name>aduser</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>

<security-role>
<description>Users of myADgroup</description>
<role-name>aduser</role-name>
</security-role>
</web-app>
weblogic.xml
<weblogic-web-app>
<security-role-assignment>
<role-name>aduser</role-name>
<principal-name>ADUserGroup</principal-name>
</security-role-assignment>
</weblogic-web-app>
For the above config, my intention is to give access only the members of ADUserGroup to my webapp. This group is listed in myrealm at WLS as well as members of this group (ADUserGroup). But while trying to login as any members of this group, got 403 error!
Any siggestion!!
Thanx in advance!
Any help would be appreciated!

Okay, guys, now it seems working as I changed group type from distrubtion to security in Active Directory.
Edited by ronobi at 02/18/2008 6:27 AM

Unable to find user list in Active Directory Authenticator

Hi all,
I am using weblogic 10.3 and want to configure ActiveDirectory Authenticator for my weblogic application. We have one managed srever under admin server . I have configured a Active Directory Authenticator named "ADAuthenticator" and made following changes as per the below values:
I set the control flag to "OPTIONAL" .
Security Realms-->myrealm-->Providers-->ADAuthenticator-->Provider Specific
UserName Attribute : ServiceBEA
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(ServiceBEA=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(ServiceBEA=%u)(objectclass=user))
Static Group Name Attribute : ServiceBEA
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
These are my AD settings. After doing this i click on save and then activate changes and then restarted the admin server.
But the problem is when i login to weblogic console to check the user list under "User and Group" i am unble to find any Active Directory users.
I don't know where i made the mistake. Can some make me out of this trouble.
Any help is highly appreciated.
Thanks in advance !

Hi Sean,
Actually we have already a Active Directory with username "ServiceBEA" in our windows server. So i used this "ServiceBEA" as UserName Attribute in weblogic console while creating a Active Directory Authenticator.
You mean to say that we should go for "sAMAccountName" or what? If that is the case then i have also tested with following values, but still no luck.
UserName Attribute : sAMAccountName
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(sAMAccountName=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(sAMAccountName=%u)(objectclass=user))
Static Group Name Attribute : sAMAccountName
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
Please advise what to be place in case of User Name Attribute.
Any help is highly appreciated.
Thanks in advance !

Setting up Wiki Calendars in iCal with Active Directory Accounts

I'm Having a little trouble wrapping my head around our Wiki Calendar Solution,
Id like to find a way to get the 10.6 Wiki Server Calendar's in iCal Client - using our active directory authentication.
I have a test 10.6 Server bound to our Active Directory with Wiki's up and running and am able to log in with AD account's and view and manage the Wiki Calendar - I can see how to subscribe to the calendar's - But I need full integration with iCal and maybe even Outlook - subscribing only provides read access.
anyone have any idea how his can be accomplished in and active directory setting - my searches have lead me to OD solutions and thats not going to work.

I don't know how much I'll be able to help, but I do have AD accounts using wiki services. Can you verify a few things:
1. The AD group is listed in the "Wiki Creators" box in Server Admin, yes?
2. If you open Terminal and run "sudo serveradmin settings teams:enableClearTextAuth", does it return "teams:enableClearTextAuth = yes"?
3. If you open System Preferences -> Accounts and then edit the directory servers, does the AD domain show as working normally?
Also, have you worked to isolate the problem? Have you tried creating an OD user to test against the wiki? Are the logs showing anything?

Issue in ldap-sync with active directory - OIM11gR2

Hi Expert,
I have enabled the ldap-sync with Active Directory in OIM11gR2. I followed the below document to enable the ldap-sync.
Enabling LDAP Synchronization in Oracle Identity Manager - 11g Release 2 (11.1.2)
For testing if ldap sync is working on not . I run the LDAPSync Post Enable Provision Users to LDAP schedule job. While running the job i encounter below exception in log. Please provide me some pointer to solve my issue. How we can sure ldap sync is configure properly? Please provide me some steps to test it out?
<Jul 31, 2013 9:51:25 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Jul 31, 2013 9:51:25 AM PDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <BEA-000000> <An error occurred while searching the entity in LDAP, and the corresponding error is - {0}
javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
LDAP Error 32 : No Such Object [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object]
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1073)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.search(LDAPDataProvider.java:1218)
at oracle.iam.ldapsync.impl.util.CommonNamePolicyUtil.isUserExists(CommonNamePolicyUtil.java:84)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.isCommonNameExistingOrReserved(CommonNameGenerationUtil.java:192)
at oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy.getCommonNameFromPolicy(FirstNameLastNamePolicy.java:157)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:116)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:82)
at oracle.iam.oimtoldap.impl.SeedOIMDataInLDAPImpl.createUserInLDAP(SeedOIMDataInLDAPImpl.java:182)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy710.createUserInLDAP(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPEJB.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy709.createUserInLDAPx(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at $Proxy163.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy707.createUserInLDAPx(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPDelegate.createUserInLDAP(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy708.createUserInLDAP(Unknown Source)
at oracle.iam.oimtoldap.scheduletasks.user.SeedOIMUsersInLDAP.execute(SeedOIMUsersInLDAP.java:59)
at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused By: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:209)
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:47)

I have checked the OIM vs AD attribute mapping. now I am getting below error. I have also attached the LDAPUsers.xml file . I don't know what went wrong .. How to test ldap-sync is configure properly? I created the user in OIM but in AD user is not getting created. I am not able to see any thing log file liek (dignostic and nohup log) .. Any idea where I can see the log to identify the issue??
g 1, 2013 8:15:15 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Aug 1, 2013 8:15:15 AM PDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.LDAP1.ConnectionHandle> <OVD-40082> <Could not modify entry.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
<?xml version='1.0' encoding='UTF-8'?>
<tns:entity-definition xmlns:tns="http://www.oracle.com/schema/oim/entity" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/entity ../entity.xsd ">
<entity-type child-entity="false">LDAPUser</entity-type>
<provider-instance>
<repository-instance>Directory Server</repository-instance>
<provider-type>LDAPDataProvider</provider-type>
<parameters>
<parameter name="base">
<value>dc=cgtest,dc=adtest,dc=com</value>
</parameter>
<parameter name="rdnattribute">
<value>cn</value>
</parameter>
<parameter name="objectclass">
<value>orclIDXPerson</value>
</parameter>
<parameter name="idattribute">
<value>objectGUID</value>
</parameter>
<parameter name="entityIdentifierObjectclass">
<value>inetorgperson</value>
</parameter>
<parameter name="excludeObjectclass">
<value>orclappiduser</value>
</parameter>
</parameters>
</provider-instance>
<container-capability>
<enabled>false</enabled>
</container-capability>
<entity-attributes>
<attribute name="User Login">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="First Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Last Name">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Middle Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Display Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
<multi-represented>true</multi-represented>
</attribute>
<attribute name="usr_password">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>false</searchable>
</attribute>
<attribute name="LDAP GUID">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP DN">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Role">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Email">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Start Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="End Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_timezone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_manager_key">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Country">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Department Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Description">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Common Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Employee Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Fax">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Generation Qualifier">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Hire Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Phone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Locality Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Mobile">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Pager">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Postal Code">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="PO Box">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_locale">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="State">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Street">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Telephone Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Title">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Initials">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP Organization">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="LDAP Organization Unit">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="User Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Lock Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Accessibility Mode">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Color Contrast">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Font Size">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Number Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Currency">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Date Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Time Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Embedded Help">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Territory">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="User Name Preferred Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
</entity-attributes>
<target-fields>
<field name="uid">
<type>string</type>
<required>true</required>
</field>
<field name="givenname">
<type>string</type>
<required>false</required>
</field>
<field name="sn">
<type>string</type>
<required>true</required>
</field>
<field name="middleName">
<type>string</type>
<required>false</required>
</field>
<field name="cn">
<type>string</type>
<required>true</required>
</field>
<field name="userPassword">
<type>string</type>
<required>false</required>
</field>
<field name="objectGUID">
<type>string</type>
<required>false</required>
</field>
<field name="dn">
<type>string</type>
<required>false</required>
</field>
<field name="employeeType">
<type>string</type>
<required>false</required>
</field>
<field name="mail">
<type>string</type>
<required>false</required>
</field>
<field name="orclActiveStartDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclActiveEndDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclTimeZone">
<type>string</type>
<required>false</required>
</field>
<field name="manager">
<type>string</type>
<required>false</required>
</field>
<field name="c">
<type>string</type>
<required>false</required>
</field>
<field name="departmentNumber">
<type>string</type>
<required>false</required>
</field>
<field name="description">
<type>string</type>
<required>false</required>
</field>
<field name="employeeNumber">
<type>string</type>
<required>false</required>
</field>
<field name="facsimileTelephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="orclGenerationQualifier">
<type>string</type>
<required>false</required>
</field>
<field name="orclHireDate">
<type>date</type>
<required>false</required>
</field>
<field name="homePhone">
<type>string</type>
<required>false</required>
</field>
<field name="homePostalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="l">
<type>string</type>
<required>false</required>
</field>
<field name="mobile">
<type>string</type>
<required>false</required>
</field>
<field name="pager">
<type>string</type>
<required>false</required>
</field>
<field name="postalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="postalCode">
<type>string</type>
<required>false</required>
</field>
<field name="postOfficeBox">
<type>string</type>
<required>false</required>
</field>
<field name="preferredLanguage">
<type>string</type>
<required>false</required>
</field>
<field name="st">
<type>string</type>
<required>false</required>
</field>
<field name="street">
<type>string</type>
<required>false</required>
</field>
<field name="telephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="title">
<type>string</type>
<required>false</required>
</field>
<field name="initials">
<type>string</type>
<required>false</required>
</field>
<field name="o">
<type>string</type>
<required>false</required>
</field>
<field name="ou">
<type>string</type>
<required>false</required>
</field>
<field name="displayName">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountEnabled">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountLocked">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccessibilityMode">
<type>string</type>
<required>false</required>
</field>
<field name="orclColorContrast">
<type>string</type>
<required>false</required>
</field>
<field name="orclFontSize">
<type>string</type>
<required>false</required>
</field>
<field name="orclNumberFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclCurrency">
<type>string</type>
<required>false</required>
</field>
<field name="orclDateFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclTimeFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclEmbeddedHelp">
<type>string</type>
<required>false</required>
</field>
<field name="orclFALanguage">
<type>string</type>
<required>false</required>
</field>
<field name="orclFATerritory">
<type>string</type>
<required>false</required>
</field>
<field name="orclDisplayNameLanguagePreference">
<type>string</type>
<required>false</required>
</field>
</target-fields>
<attribute-maps>
<attribute-map>
<entity-attribute>User Login</entity-attribute>
<target-field>uid</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>First Name</entity-attribute>
<target-field>givenname</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Last Name</entity-attribute>
<target-field>sn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Middle Name</entity-attribute>
<target-field>middleName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Common Name</entity-attribute>
<target-field>cn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_password</entity-attribute>
<target-field>userPassword</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP GUID</entity-attribute>
<target-field>objectGUID</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP DN</entity-attribute>
<target-field>dn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>employeeType</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Email</entity-attribute>
<target-field>mail</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Start Date</entity-attribute>
<target-field>orclActiveStartDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>End Date</entity-attribute>
<target-field>orclActiveEndDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_timezone</entity-attribute>
<target-field>orclTimeZone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_manager_key</entity-attribute>
<target-field>manager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Country</entity-attribute>
<target-field>c</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Department Number</entity-attribute>
<target-field>departmentNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Description</entity-attribute>
<target-field>description</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Employee Number</entity-attribute>
<target-field>employeeNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Fax</entity-attribute>
<target-field>facsimileTelephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Generation Qualifier</entity-attribute>
<target-field>orclGenerationQualifier</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Hire Date</entity-attribute>
<target-field>orclHireDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Phone</entity-attribute>
<target-field>homePhone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Postal Address</entity-attribute>
<target-field>homePostalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Locality Name</entity-attribute>
<target-field>l</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Mobile</entity-attribute>
<target-field>mobile</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Pager</entity-attribute>
<target-field>pager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Address</entity-attribute>
<target-field>postalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Code</entity-attribute>
<target-field>postalCode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>PO Box</entity-attribute>
<target-field>postOfficeBox</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>State</entity-attribute>
<target-field>st</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Street</entity-attribute>
<target-field>street</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Telephone Number</entity-attribute>
<target-field>telephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Title</entity-attribute>
<target-field>title</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Initials</entity-attribute>
<target-field>initials</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization</entity-attribute>
<target-field>o</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization Unit</entity-attribute>
<target-field>ou</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Display Name</entity-attribute>
<target-field>displayName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Status</entity-attribute>
<target-field>orclAccountEnabled</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Lock Status</entity-attribute>
<target-field>orclAccountLocked</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Accessibility Mode</entity-attribute>
<target-field>orclAccessibilityMode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Color Contrast</entity-attribute>
<target-field>orclColorContrast</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Font Size</entity-attribute>
<target-field>orclFontSize</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Number Format</entity-attribute>
<target-field>orclNumberFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Currency</entity-attribute>
<target-field>orclCurrency</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Date Format</entity-attribute>
<target-field>orclDateFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Time Format</entity-attribute>
<target-field>orclTimeFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Embedded Help</entity-attribute>
<target-field>orclEmbeddedHelp</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Language</entity-attribute>
<target-field>orclFALanguage</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Territory</entity-attribute>
<target-field>orclFATerritory</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Name Preferred Language</entity-attribute>
<target-field>orclDisplayNameLanguagePreference</target-field>
</attribute-map>
</attribute-maps>
<control-attributes>
<attribute name="container">
<type>LDAPContainer</type>
<required>false</required>
</attribute>
</control-attributes>
</tns:entity-definition>

Beginners guide to integration with Active Directory?

Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
2) Get an Xserve for IT.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
4) Push out the system builds to the Macs on the network
5) Connect the Macs using Open Directory...
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?

pisto_grih wrote:
Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
And that is about as far as the Apple plugin will take you. In order to do more you need to either extend schema (very scary), look at third party products like Centrify (very expensive), or look at getting an OS X Server and implementing the "magic triangle" in which OS X attributes are managed in OD while users, groups, and password are managed by AD.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
If you go the route of OS X Server and MCX settings, make life easy on yourself and build one common build. Then limit app access based on your groups. That way you can simplify the number of images you maintain down to one (provided you have appropriate licensing).
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
See above. But if you need to, look at InstaDMG
2) Get an Xserve for IT.
Yep. But if you are only doing MCX you might want to look for a cheeper alternative. The Xserve can offer some nice additions, including software update server and Netinstall server among others.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
Yep. You are on the money.
4) Push out the system builds to the Macs on the network
Push huh. Look at Radmind. Then take a summer off to learn it. Then become god.
5) Connect the Macs using Open Directory...
Actually, connect the macs to both AD and OD. This will allow authentication and instantiating through AD and management through OD. Works very well.
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?
It is learnable especially with the summer and available hardware. However, supporting the consulting industry is always nice http://consultants.apple.com
Hope this helps

LDAP realm with Active Directory

Hello,
In the sun one app server admin console i have set the security role to LDAP.
I have set up security roles in my web.xml such as this:
<security-role>
<description>This role represents administrators of the system, see actor administrators</description>
<role-name>administrators</role-name>
</security-role>
..and mapped the roles to groups in sun-application as follows:
<security-role-mapping>
<role-name>administrators</role-name>
<group-name>CMS_PM</group-name>
<principal-name>rlancett</principal-name>
</security-role-mapping>
My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
directory: ldap://earth.tier2consulting.com:389
base-dn: cn=Users,dc=tier2consulting,dc=com
jaas-context: ldapRealm
search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
search-bind-password: ******
search-filter: sAMAccountName=%s
I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
WARNING: va:850)
FINEST: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [administrator].
I am pretty stuck on this having looked arounds all the forums:
Has anyone got sun one app server using Active Directory to get user/group information for security roles?
Thanks.

Howdy,
I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
The error message you get back from the directory contains an error code in hexidecimal:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
Okay, hope this helps somebody.
Now it's up to you to find out why it can't find the administrator!
Craig

10.6 home directory mounting with active directory and open directory integration

Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
I feel like this is the problem with the home folders not mounting.
Can anyone provide some help with this?
Thanks,
Dani

Hi dani190,
are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
For the contact search path, did you put the AD at the top the list? (in directory utility)
Did you set the WINS work group on your client computer to your domain?
ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com

Weblogic with Active Directory Authentication provider problem: DN for user ....: null

Similar Messages

Maybe you are looking for