WindowsDesktopSSO fail-through to LDAP authentication

Similar Messages

• ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3

  I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
  During the installation I got the following error.
  ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
  Fatal Slapd did not add Directory server information to config Server.
  Warning slapd could'nt populate with ldif file Yes error code 151.
  ERROR:Failure installing iPlanet Directory Server.
  Do you want to continue: ( I entered yes )
  Configuring Administration Server Segmentation fault core dumped.
  Error: Failure installing Netscape Administration Server.
  Do you want to continue:( I responded with yes).
  And during the Extraction I got the following
  ERROR:mple_bind: Can't connect to the LDAP server - No route to host
  ERROR: Unable to connect to LDAP Directory Server
  Hostname: hostname
  Port: 389
  User: cn=Directory Manager
  Password: <password-for-cn=Directory Manager
  Please make sure this Directory Server is currently running.
  You might need to run 'stop-slapd' and then
  'start-slapd' in the Directory Server home directory, in order to restart
  LDAP. When finished, press ENTER to continue, or S to skip this step:
  Start registering Bootstrap EJB...
  javax.naming.NameNotFoundException
  at java.lang.Throwable.fillInStackTrace(Native Method)
  at java.lang.Throwable.fillInStackTrace(Compiled Code)
  at java.lang.Throwable.<init>(Compiled Code)
  at java.lang.Exception.<init>(Compiled > Code)
  at javax.naming.NamingException.<init>(NamingException.java:114)
  at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java: 48)
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  "ldaperror" 76 lines, 2944 characters
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at javax.naming.InitialContext.bind(InitialContext.java:371)
  at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
  at com.netscape.server.deployment.EjbReg.run(Compiled Code)
  at com.netscape.server.deployment.EjbReg.main(Unknown Source)
  Start registering iAS 60 Fortune Application...
  Start iPlanet Application Server
  Start iPlanet Application Server
  Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
  warning: daemon is running as super-user
  [LS ls1] http://gedemo1.plateau.com, port 80 ready
  to accept requests
  startup: server started successfully.
  After completion of installation, I tried to start the console. But I got the following error;
  "Cant connect ot the admin server. The url is not correct or the server is not running.
  Finally,when I started the admintool(iASTT),it shows the iAS1
  was registered( marked with a red cross mark) and says "cant login. make sure the user
  name & passwdord are correct" when i click on it.
  Thanks in advance for any help
  Madhavi

  Hi,
  Make sure that the directory server is installed first. If it is running
  ok, then you can try adding an admin user, please check the following
  technote.
  http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
  regards
  Swami
  madhavi korupolu wrote:
  I am attempting to install ias Enterprise Edition (6.0 SP3) on
  solaris 2.8 using typical in basesetup. I am trying to install new
  Directory server as I don't have an existing one.
  During the installation I got the following error.
  ERROR: Ldap Authentication failed for url
  ldap://hostname:389/o=NetScape Root user id admin (151: Unknown
  Error)
  Fatal Slapd did not add Directory server information to config
  Server.
  Warning slapd could'nt populate with ldif file Yes error code 151.
  ERROR:Failure installing iPlanet Directory Server.
  Do you want to continue: ( I entered yes )
  Configuring Administration Server Segmentation fault core dumped.
  Error: Failure installing Netscape Administration Server.
  Do you want to continue:( I responded with yes).
  And during the Extraction I got the following
  ERROR:mple_bind: Can't connect to the LDAP server - No route to host
  ERROR: Unable to connect to LDAP Directory Server
  Hostname: hostname
  Port: 389
  User: cn=Directory Manager
  Password: <password-for-cn=Directory Manager
  Please make sure this Directory Server is currently running.
  You might need to run 'stop-slapd' and then
  'start-slapd' in the Directory Server home directory, in order to
  restart
  LDAP. When finished, press ENTER to continue, or S to skip this
  step:
  Start registering Bootstrap EJB...
  javax.naming.NameNotFoundException
  at java.lang.Throwable.fillInStackTrace(Native Method)
  at java.lang.Throwable.fillInStackTrace(Compiled Code)
  at java.lang.Throwable.<init>(Compiled Code)
  at java.lang.Exception.<init>(Compiled > Code)
  at javax.naming.NamingException.<init>(NamingException.java:114)
  at
  javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:
  48)
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  "ldaperror" 76 lines, 2944 characters
  at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at com.netscape.server.jndi.RootContext.bind(Unknown Source)
  at javax.naming.InitialContext.bind(InitialContext.java:371)
  at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown
  Source)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
  Code)
  at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled
  Code)
  at com.netscape.server.deployment.EjbReg.run(Compiled Code)
  at com.netscape.server.deployment.EjbReg.main(Unknown Source)
  Start registering iAS 60 Fortune Application...
  Start iPlanet Application Server
  Start iPlanet Application Server
  Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
  warning: daemon is running as super-user
  [LS ls1] http://gedemo1.plateau.com, port 80 ready
  to accept requests
  startup: server started successfully.
  After completion of installation, I tried to start the console. But I
  got the following error;
  "Cant connect ot the admin server. The url is not correct or the
  server is not running.
  Finally,when I started the admintool(iASTT),it shows the iAS1
  was registered( marked with a red cross mark) and says "cant login.
  make sure the user
  name & passwdord are correct" when i click on it.
  Thanks in advance for any help
  Madhavi
  Try our New Web Based Forum at http://softwareforum.sun.com
  Includes Access to our Product Knowledge Base!

• LDAP Authentication Failed :user is not a member in any of the mapped group

  Hi,
  I tried to set up the LDAP Authentication but I failed.
  LDAP Server Configuration Summary seems to be well filled.
  I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
  But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
  LDAP Hosts: ldapserverip:389
  LDAP Server Type: Custom
  Base LDAP Distinguished Name: dc=vds,dc=enterprise
  LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
  LDAP Referral Distinguished Name:
  Maximum Referral Hops: 0
  SSL Type: Basic (no SSL)
  Single Sign On Type: None
  CMS Log :
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
  trace message: LDAP: De-activating query cache
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: Updating the graph
  trace message: LDAP: Starting Graph Update...
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
  , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 0
  trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
  trace message: [UID=0;USID=0;ID=79243] Update object in database failed
  trace message: Commit failed.+
  Can you please help?
  Joffrey

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• LDAP authentications fail in APEX

  Does 11g XE Beta support LDAP ?
  We have a number of internal apps running fine in APEX 4.0.2.00.07 installed in Oracle 10g XE.
  Once imported to a new box running 11g XE beta, LDAP authentications always fail, even though the same login processing settings are used. Anybody got LDAP working in APEX on 11g XE ?
  Colin

  Hi Colin,
  though I haven't tested with 11g XE, 11g in general still supports LDAP. However, starting with 11gR1 (and the current beta is based on 11gR2) you need to define ACLs for network access. If you haven't done this, you won't get any LDAP connection out of the database. There is quite a good example for that in the APEX Installation Guide: http://download.oracle.com/docs/cd/E17556_01/doc/install.40/e15513/otn_install.htm#BABBHCID
  I think this is a good example and can be adopted for other database users easily.
  If that's not the solution in your case, please post the error message you receive when the authentication fails.
  -Udo

• Database Table and LDAP Authentication in the same repository?

  I'm wondering if it's possible to authenticate through database tables for some users and LDAP for other users. I can configure each one separately but I'm curious if anyone has ever successfully done both in the same repository.
  Thanks,
  -Matt

  Another thing to try is this. I don't have an LDAP server here but it worked for me without LDAP. I think it should also work with LDAP as it is the same idea. I don't think there is a way to have a conditional Init Blocks. Also you can't have two init blocks setting the same variable (USER in our case). But what you can do is to have two Init Blocks, one for LDAP authentication and the other one for table authentication. So you could have this scenario:
  1) LDAP "authentication" init block sets custom variable LDAP_USER
  2) Table "authentication" init block sets custom variable TABLE_USER
  3) Final authentication init block (the real one) sets USER variable using something like this:
  SELECT CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
  ELSE ':TABLE_USER'
  END
  FROM DUAL
  WHERE CASE WHEN ':USER' = 'SOME STRING' THEN ':LDAP_USER'
  ELSE ':TABLE_USER'
  END = ':USER'
  Note how I use the CASE statement both to return the user value I want the USER variable to be set and also in the WHERE clause to make sure no rows are returned in case authentication fails (which should return no rows to denote a failed authentication). Obviously you need to set the init block dependancies correctly. I did a quick test with users coming from two separate Oracle tables in 2 init biocks and it worked fine for me. Give it a try and let me know how it goes.

• DBConsole (DBControl) and LDAP authentication

  Does anyone know if it is possible to use LDAP authentication to login to the DBConsole? I have a user "identified globally as 'cn=username,dn=...'" who can login to the database locally and remotely through SQL*Plus but gets a ORA-01017 when trying to login to the DBConsole.
  Any help greatly appreciated.
  Rgds,
  Barry Winterbottom

  2009-02-25 17:09:22,824 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
  2009-02-25 17:09:22,853 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
  2009-02-25 17:09:22,854 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
  2009-02-25 17:09:22,858 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
  2009-02-25 17:09:22,861 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
  2009-02-25 17:09:22,863 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
  2009-02-25 17:09:22,867 [HTTPThreadGroup-2] ERROR eml.OMSHandshake processFailure.806 - OMSHandshake failed.(AGENT URL = https://nssdrdb01:1830/emd/main)(ERROR = INTERNAL_ERROR)(CAUSE =java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
  2009-02-25 17:09:26,386 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.352 - Io exception: The Network Adapter could not establish the connection
  2009-02-25 17:09:26,388 [HTTPThreadGroup-2] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17002; Cleaning up cache and retrying
  2009-02-25 17:09:26,392 [HTTPThreadGroup-2] ERROR conn.ConnectionService verifyRepositoryEx.887 - Invalid Connection Pool. ERROR = Io exception: The Network Adapter could not establish the connection
  2009-02-25 17:09:26,396 [EMUI_17_09_26_/console/aboutApplication] ERROR svlt.PageHandler handleRequest.639 - java.lang.IllegalStateException: Response has already been committed
  2009-02-25 17:09:26,398 [EMUI_17_09_26_/console/aboutApplication] ERROR em.console doGet.360 - java.lang.IllegalStateException: Response has already been committed, be sure not to write to the OutputStream or to trigger a commit due to any other action before calling this method.
  2009-02-26 00:00:02,633 [JobWorker 381202:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-02-27 00:00:08,800 [JobWorker 383122:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-02-28 00:00:13,778 [JobWorker 385056:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-01 00:00:05,527 [JobWorker 386985:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-02 00:00:04,569 [JobWorker 388914:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-03 00:00:04,854 [JobWorker 390843:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-04 00:00:06,475 [JobWorker 392772:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-05 00:00:16,925 [JobWorker 394701:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-06 00:00:03,966 [JobWorker 396630:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-07 00:00:05,230 [JobWorker 398559:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-08 00:00:07,261 [JobWorker 400488:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-09 00:00:13,081 [JobWorker 402417:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-10 00:00:10,175 [JobWorker 404346:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-11 00:00:04,567 [JobWorker 406275:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-12 00:00:05,993 [JobWorker 408204:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-13 00:00:03,332 [JobWorker 410133:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-14 00:00:10,129 [JobWorker 412062:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-15 00:00:01,753 [JobWorker 413991:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-16 00:00:03,187 [JobWorker 415920:Thread-29] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-16 16:29:02,904 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.352 - Closed Connection: OraclePooledConnection.getConnection() - SQLException Ocurred:Invalid or Stale Connection found in the Connection Cache
  2009-03-16 16:29:02,906 [shutdownThread] WARN jdbc.ConnectionCache _getConnection.353 - Got a fatal exeption when getting a connection; Error code = 17008; Cleaning up cache and retrying
  2009-03-16 16:30:42,529 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
  2009-03-16 16:30:42,535 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
  2009-03-16 16:30:44,381 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
  2009-03-16 16:30:50,683 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
  2009-03-16 16:30:50,686 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
  2009-03-16 16:30:50,823 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
  2009-03-16 16:30:51,219 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
  2009-03-16 16:30:51,222 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
  2009-03-16 16:30:51,225 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
  2009-03-16 16:30:51,227 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
  2009-03-16 16:30:51,230 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
  2009-03-17 00:00:06,334 [JobWorker 417849:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-18 00:00:10,641 [JobWorker 419778:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-18 11:56:58,339 [EMUI_11_56_58_/console/database/monitoring/archiveFull$target=ADM111.nss.scot.nhs.uk$type=oracle*_database] ERROR perf.space logStackTrace.359 - java.sql.SQLException: Numeric Overflow
  2009-03-19 00:00:02,843 [JobWorker 421707:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-20 00:00:03,388 [JobWorker 423631:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-21 00:00:03,407 [JobWorker 425565:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-22 00:00:06,065 [JobWorker 427494:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-23 00:00:02,580 [JobWorker 429423:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-23 15:37:15,441 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
  2009-03-23 15:37:15,447 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
  2009-03-23 15:37:17,177 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
  2009-03-23 15:37:23,172 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
  2009-03-23 15:37:23,176 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
  2009-03-23 15:37:23,311 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
  2009-03-23 15:37:23,684 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
  2009-03-23 15:37:23,702 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
  2009-03-23 15:37:23,706 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
  2009-03-23 15:37:23,708 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
  2009-03-23 15:37:23,711 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
  2009-03-23 15:41:18,591 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
  2009-03-23 15:41:18,596 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
  2009-03-23 15:41:19,872 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
  2009-03-23 15:41:24,915 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
  2009-03-23 15:41:24,918 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
  2009-03-23 15:41:24,997 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
  2009-03-23 15:41:25,296 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
  2009-03-23 15:41:25,299 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
  2009-03-23 15:41:25,301 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
  2009-03-23 15:41:25,303 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
  2009-03-23 15:41:25,305 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
  2009-03-23 15:52:29,116 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
  2009-03-23 15:52:29,122 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
  2009-03-23 15:52:30,750 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
  2009-03-23 15:52:36,541 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
  2009-03-23 15:52:36,544 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
  2009-03-23 15:52:36,629 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
  2009-03-23 15:52:36,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
  2009-03-23 15:52:36,976 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
  2009-03-23 15:52:36,978 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
  2009-03-23 15:52:36,980 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
  2009-03-23 15:52:36,982 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
  2009-03-24 00:00:06,712 [JobWorker 431352:Thread-25] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-24 16:51:58,193 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIIntg
  2009-03-24 16:51:58,202 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.emCLI.CLIDownloadIntg
  2009-03-24 16:51:59,946 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.eml.target.slb.common.SLBIntegration
  2009-03-24 16:52:06,485 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.asprov.ui.intg.ASProvisioningIntegration
  2009-03-24 16:52:06,487 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.paf.sample.ui.intg.PAFDemoIntegration
  2009-03-24 16:52:06,605 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.sidb.ui.intg.SIDBProvisioningIntegration
  2009-03-24 16:52:06,973 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.racprov.ui.intg.RACProvIntegration
  2009-03-24 16:52:06,983 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.ec.ui.intg.ExtendClusterIntegration
  2009-03-24 16:52:06,986 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.dn.ui.intg.DltNodeIntegration
  2009-03-24 16:52:06,989 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.common.ui.intg.ProvCommonIntegration
  2009-03-24 16:52:06,991 [OC4J Launcher] ERROR app.ContextInitializer contextInitialized.422 - Integration Class not found: oracle.sysman.pp.bpelprov.ui.intg.BPELProvisioningIntegration
  2009-03-25 00:00:05,652 [JobWorker 433276:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-26 00:00:02,804 [JobWorker 435194:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.
  2009-03-27 00:00:07,235 [JobWorker 437123:Thread-26] ERROR em.jobs executeCommand.266 - OpatchUpdateLatest: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup to set required parameters.

• SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

  One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
  Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
  I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
  In the Membership provider name text box I entered "LdapMember"
  In the Role provider name  text box I entered "LdapRole"
  In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="((ObjectClass=group)"
  userFilter="((ObjectClass=person)"
  scope="Subtree" />
  </providers>
  </roleManager>
  I modified the SecurityTokenServiceApplication web.config with these details
  <system.web>
  <membership>
  <providers>
  <add name="LdapMemebr"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true">
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  </system.web>
  I modified the web.config of the test application I created with these details
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
  <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="dn"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  <membership defaultProvider="i">
  <providers>
  <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  useDNAttribute="true"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
  The server could not sign you in. Make sure your user name and password are correct, and then try again.
  I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
  8306 - SharePoint Foundation - The security token username and password could not be validated.
  in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
  then this:
  Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
  at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
  I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
  The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
  The LDAP server tells the SharePoint server it is ready to communicate
  the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
  The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
  The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
  The SharePoint server acknowledges the connection is closing
  ... and then nothing happens, except the error on SharePoint
  What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
  specified in the web.config). That part does not seem to be happening.
  I am at a standstill on this and any help would be greatly appreciated.

  OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
  is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
  for enabling Forms Based Authentication:
  "ASP.NET Membership provider name"
  "ASP.NET Role manager name"
  We entered a name for Membership provider, and left Role manager blank.
  In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword="validpassword"
  useDNAttribute="false"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager>
  <providers>
  </providers>
  </roleManager>
  useDNAttribute="false" turned out to be important as well.
  So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
  leave anything related to the role provider blank
  configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
  Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
  Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
  a non-existent role manager.

• How to get user attributes from LDAP authenticator

  I am using an LDAP authenticator and identity asserter to get user / group information.
  I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
  Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
  Any help would be appreciated

  Hi Julián,
  in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
  A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
  Beginner
  Medium
  Advanced
  Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
  Hope it helps
  Detlev

• LDAP Authentication Scheme - Multiple LDAP Servers?

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

  How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.

• Weblogic Server 10.3.0 and LDAP authentication Issue

  Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
  I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
  It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
  Can anyone please point me towards the right direction to get this resolved.
  Thanks,
  STEPS
  Here are my steps I have followed:
  - Created a group called Administrators in OID.
  - Created a test user call uid=myadmin in the OID and assigned the above group to this user.
  - Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
  <sec:name>OIDAuthentication</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
  <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
  <wls:port>1389</wls:port>
  <wls:principal>cn=orcladmin</wls:principal>
  <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
  <wls:credential-encrypted>removed from here</wls:credential-encrypted>
  <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
  </sec:authentication-provider>
  - Marked the default authentication provider as sufficient as well.
  - Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
  - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
  <LDAP Atn Login username: myadmin>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <authenticate user:myadmin>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authentication succeeded>
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <LDAP Atn Authenticated User myadmin>
  <List groups that member: myadmin belongs to>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
  *<Result has more elements: false>*
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <login succeeded for username myadmin>
  - I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
  <XACML RoleMapper getRoles(): returning roles Anonymous>
  - I did a ldap search and I found no issues in getting the results back:
  C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
  cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
  objectclass=groupOfUniqueNames
  objectclass=orclGroup
  objectclass=top
  END
  Here are the log entries:
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authentication succeeded>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
  <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
  <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
  <1291668685686> <BEA-000000> <Result has more elements: false>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <login succeeded for username myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
       Principal: myadmin
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
  <1291668685702> <BEA-000000> <Using Common RoleMappingService>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>>
  <1291668685702> <BEA-000000> <     Parent: null>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
  <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
  <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
  <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Roles:Anonymous>
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Direction: ONCE>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

  Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
  The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
  its was the "cn" attribute that was causing the result set to be empty.
  from a command line we tried
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
  and got the results back.
  Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
  So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
  Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
  Thanks everyone for showing interest on the problem and providing suggestions.

• Can't logon to directory through sync_user, but can through Tx LDAP - Find

  Hi,
  I'm trying to import users into SAP from MS Active Directory using RSLDAPSYNC_USER. When running it I get the error "Could not logon to directory" with the diagnosis "The combination of user name (DN) and password transferred to the directory was not accepted by the directory."
  My settings in RSLDAPSYNC_USER is:
  Connection: the only server and connector I have created
  User: no information entered here
  Both Dir and DB: Ignore
  Only Dir: Create in DB
  Only DB: Ignore
  Time meas: no information entered here
  I have not extended the schema since I don't want to change anything in AD, only copy the users from AD into SAP. I have set Import Mapping, and Import Synch on all my fields in LDAPMAP, and one field with the additional indicators Filter, Export mapping, RDN Mapping (since theses apparently are required, even if you don't want to write anything in the AD?).
  I can however logon to the server using Tx LDAP, and I manage to get search results using Find in Tx LDAP. I have only created one LDAP server, one System User and one LDAP Connector in Tx LDAP.
  I have tried to use both Simple Memory and Secure Storage as the Credential Storage for the System User. I have entered the password for the user in credentials. When I for testing purporses choose Simple Memeory and also remove the credentials for the System User, and try to run RSLDAPSYNC_USER again, I get the following messaged:
  <green> Conenction created to server AD_X
  <red> Operation Failed
  <red> LDAP_SEARCH failed
  <red> The system could not create the directory object ppol
  <green> Connection to server AD_X terminated
  Can I interpret this error message in some way? Logically I think my first try should work since I'm using the same server/user/connector when running RSLDAPSYNC_USER and it fails, as I do when I run a Find through Tx LDAP and it works.
  Is there something I'm missing?
  Thanks, Oscar

  The order of the DN of the user was wrong... it worked when I switched places of the DCs...

• Ldap authentication not working for Solaris 8 host - Help!

  Greetings folks,
  I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
  Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
  ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
  My /etc/nsswitch.conf looks like this:
  passwd: files ldap
  group: files ldap
  My /etc/pam.conf looks like this:
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_ldap.so.1
  sshd auth requisite pam_authtok_get.so.1
  sshd auth sufficient pam_unix_auth.so.1
  sshd auth required pam_ldap.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_unix_auth.so.1
  other auth required pam_ldap.so.1
  passwd auth sufficient pam_passwd_auth.so.1
  passwd auth required pam_ldap.so.1
  I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
  hostname# getent passwd user1
  user1::1001:1001:User 1:/opt/home/user1:/bin/bash
  hostname# ldaplist -l passwd user1
  dn: uid=user1,ou=people,dc=mydomain,dc=com
  shadowFlag: 0
  userPassword: {crypt}(removed)
  uid: user1
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: account
  objectClass: top
  cn: user1
  uidNumber: 1001
  gidNumber: 1001
  gecos: User 1
  homeDirectory: /opt/home/user1
  loginShell: /bin/bash
  However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
  Any ideas?
  Thanks!
  Patrick

  I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
  1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
  2) Did you test and verify telnet/ftp/su working? but SSH not working?
  3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
  4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
  5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
  6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
  7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
  http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
  Gary

• Solaris 10 and LDAP Authentication

  Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
  I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
  My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
  I'am missing any steps?
  Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
  Message was edited by:
  automount
  Message was edited by:
  automount

  You may follow:
  http://web.singnet.com.sg/~garyttt/
  http://projects.alkaloid.net/content/view/15/26/
  http://blogs.sun.com/roller/resources/raja/ldap-psd.html
  http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
  http://www.thebergerbits.com/unix.shtml
  http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
  http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
  http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
  (LDAP related docs)
  Gary

• LDAP AUTHENTICATION- PLEASE HELP

  My client wants me use LDAP for authentication. I new to this: I have written a Authentication bean. As follows.
  //Used to authenticate user from LDAP directry.
  import javax.naming.*;
  import javax.naming.directory.*;
  import java.util.*;
  import java.lang.*;
  public class AuthBean {
       private boolean attempted;
       private String userName;
       private String password;
       public AuthBean() {
            attempted = false;
            userName = "";
            password = "";
       //Getter methods.
       public String getUserName() {
            return this.userName;
       public String getPassword() {
            return this.password;
       //Setter methods.
       public void setUserName (String userName) {
            this.userName = userName;
            if (!this.userName.equals("") && !this.password.equals(""))
            attempted = true;
       else
                 attempted = false;
       public void setPassword(String password) {
            this.password = password;
            if (!this.userName.equals("") && !this.password.equals(""))
                 attempted = true;
            else
                 attempted = false;
       //Checks to see if attempted.
       public boolean isAttempted() {
            return this.attempted;
       * Given a username and password, authenticates to the directory
       * Takes a String for username, String for password.
       * Calls getDn for the method.
       public boolean ldapAuthenticate (String username, String pass) {
            if ( username == null || pass == null ) {
                 System.out.println(" im here in the method");
                 System.out.println(" user" + username);
                 System.out.println(" pass" + pass);
                 return false;
            String dn = getDN(username);
                 System.out.println(" dn" + dn);
                 if ( dn == null)
                 return false;
                 dn = dn + ",o=hcfhe";
                 //dn = dn + ",o=mu";
                 System.out.println(dn);
                 String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
                 //set variables for context
                 Hashtable env = new Hashtable();
                 env.put("com.sun.naming.ldap.trace.ber", System.err);
                 env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                 env.put(Context.PROVIDER_URL, ldap_url);
                 env.put(Context.SECURITY_AUTHENTICATION, "simple");
                 env.put(Context.SECURITY_PRINCIPAL, dn);
                 env.put(Context.SECURITY_CREDENTIALS, pass);
                 DirContext ctx;
                 //make connection, catch errors thrown
                 try {
                      ctx = new InitialDirContext(env);
                 } catch (AuthenticationException e) {
                           System.out.println("Authentication Exception");
                           return false;
                 } catch (NamingException e) {
                      e.printStackTrace();
                      return false;
            //close connection
            try {
                 ctx.close();
            } catch (NamingException ne) {
                      System.out.println(ne);
            return true;
       * This methods cheks for the username from the LDAP directory.
       * Takes a String.
       public String getDN(String username) {
            String dn = "";
            String ldap_url = "ldap://10.1.1.199:389/ou=it,o=hcfhe";
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldap_url);
            DirContext ctx;
            try {
                 ctx = new InitialDirContext(env);
                 SearchControls ctls = new SearchControls();
                 ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 String filter = "(uid=" + username + ")"; // Search for objects with these matching attributes
                 NamingEnumeration results = ctx.search("",filter,ctls);
                 if ( results != null && results.hasMoreElements()) {
                      SearchResult sr = (SearchResult)results.nextElement();
                      dn = sr.getName();
                 } else dn = null;
                           ctx.close();
            } catch (AuthenticationException e) {
                      System.out.println("Authentication Exception");
                      return null;
            } catch (NamingException e) {
                      e.printStackTrace();
                      return null;
                 return dn;
  I also done a validate. jsp as follows.
  <%@page import="register.AuthBean"%>
  <jsp:useBean id ="AuthBean" class="register.AuthBean" scope="session"/>
  <%
            //boolean valid = false;
            String username = request.getParameter("user");
            //System.out.println("The username" + username);
            String password = request.getParameter("password");
            //System.out.println("The username" +password);
  %>
       <jsp:setProperty name="AuthBean" property="userName" param="user" />
       <jsp:setProperty name="AuthBean" property="password" param= "password" />
  <%
                 //boolean validate = false;
                 String nn = AuthBean.getUserName();
                 System.out.println(nn);     
                 String dn = AuthBean.getDN(username);
                 System.out.println(dn);
                 boolean validate = AuthBean.ldapAuthenticate(username, password);
                 if(validate) {
                      response.sendRedirect("../admin/Adminindex.jsp");
                 } else {
                      response.sendRedirect("Login.html");
  %>
  At current I keep getting 'false' for validate. But there are no errors. I m using tomcat and apache, do I need to configure any of these to LDAP. If so can you show me some examples.
  Many thanks.

  Hi Irene,
  I am posting my LDAP Authentication code for you to look at. If you have any more questions, please respond to this posting. I have just three days ago implemented this for my client. It works on Web Sphere against Microsoft Active Directory.
  =====================================================================
  import javax.naming.directory.*;
  import javax.naming.ldap.*;
  import javax.naming.*;
  import java.util.*;
  import java.io.*;
  import java.lang.*;
  import java.math.*;
  * Insert the type's description here.
  * Creation date:
  * @author: Sajjad Alam
  public final class LDAPConn {
       public static java.lang.Object Conn;
  * LDAPConn constructor comment.
  public LDAPConn() {
       super();
  * Insert the method's description here.
  * @return java.lang.Object
  public static DirContext getConn() throws Exception {
       //Declarations of variables
       Hashtable env = new Hashtable(11);
       InitialLdapContext ctx = null;
       //==============LDAP Authentication of a given user stored in Active Directory=============
       System.out.println("Entered constructor for Ldap Context");
       //Initialize the Context Factory.
       env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
       env.put(Context.PROVIDER_URL, "ldap://XXX.XXX.XX.XXX:389/dc=domainURL1,dc=domainURL2,dc=com");
       try {
            The following syntax is a standard way of authenticating users stores in LDAP
            when JNDI api is used.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "password");
            System.out.println("Issuing request to authenticate the user and create an LDAP context");
            ctx = new InitialLdapContext(env, null);
            System.out.println("Got handle on Ldap Context");
            //==============Completed Authentication of user=============
            //==============Retrieving attribute data about a user stored in Active Directory==========
            //Here we will retrieve attributes of one of the users in LDAP ("cn=");
            //Declarations of variables
            String userInfo = "cn=someUserName ,ou=Users,ou=something,ou=something";
            Attributes userAttr = ctx.getAttributes(userInfo);
            Attribute orgUnitAttr = null;
            //Looping through the enumeration to obtain attribute data
            for (NamingEnumeration ae = userAttr.getAll(); ae.hasMore();) {
                 Attribute attr = (Attribute) ae.next();
                 if (attr.getID().equals("distinguishedName"))
                      orgUnitAttr = attr;
                 System.out.print(" Attribute: " + attr.getID());
                 //Print each value
                 for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                      System.out.println(" Value: " + e.next());
            //============== Done retrieving attribute data about user==========
            //==============To find which organizational unit a user belongs provided we pass the user==========
            //This section of code uses the value from the "distinguishedName" attribute
            System.out.println("");
            Object parseOutOrgUnit = (Object) orgUnitAttr;
            System.out.println("We can obtain the organizational unit (Role) from the " + parseOutOrgUnit.toString());
            //======================================Done=============================
            // Close the context when we're done or you can close the connection where you are using this object.
            String grInfo = "CN=Sales-Administrator,OU=Java Application Accounts,OU=something,OU=something";
            Attributes grAttr = ctx.getAttributes(grInfo);
            //Looping through the enumeration to obtain attribute data
            for (NamingEnumeration ae = grAttr.getAll(); ae.hasMore();) {
                 Attribute attr = (Attribute) ae.next();
                 System.out.print(" Attribute: " + attr.getID());
                 //Print each value
                 for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
                      System.out.println(" Value: " + e.next());
            //============== Done retrieving attribute data about user==========
            //==============To find which organizational unit a user belongs provided we pass the user==========
            //This section of code uses the value from the "distinguishedName" attribute
            System.out.println("");
            //======================================Done=============================
            ctx.close();
       catch (Exception e) {
            System.out.println(e.getLocalizedMessage());
       return ctx;

• XI 3.1 Client Tools and LDAP Authentication

  I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
  [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
  Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

  Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
  Take a look at note 1272536 (http://service.sap.com/notes)
  Regards,
  Stratos