WL6.0 LDAP Realm problems
I'm trying out WL6.0 (eval version) LDAP realm support and having trouble
getting it to work - basic auth just keeps popping the window up 3 times and
then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR>
<examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021>
<Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two
to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=t
rue
The HTTP basic-auth dialog box is correctly showing me that I'm trying to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above
server account exists AND can authenticate and retrieve account
userpasswords (yes, the server account is "cn=" while the user accounts are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas???
Did you use the most recent ldap patch? I could not get it to work fine
with the default wls6.0sp1, but with the ldap-patch it works fine.
AND probably even more important... change
<Realm FileRealm="..." Name=".....">
to
<Realm CachingRealm"MyCachingRealm" FileRealm="..." Name=".....">
Hope this helps...
Ronald
Sushil Pulikkal wrote:
Hi Tom,
I am using iPlanet Directory server with WL6.0 (which I presume is supported as
Netscape's is) and facing the same problem as Mike was i.e account locking after
three attempts(bottom of the message). I have created my own caching realm with
the basic realm being MyLDAPRealm.
The log gives no info other than the one about account locking.
My config.xml looks something like this -
<CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<LDAPRealm AuthProtocol="simple" Credential="enslaved"
GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
Name="MyLDAPRealm"
Principal="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind"
UserDN="ou=Aussies,dc=timerasolutions,dc=com"
UserNameAttribute="uid"/>
The browser window does pop up, but the user id doesn't get authenticated. Is
there a way to know whether WLS is actually going to the LDAP server for authentication?
Any insight into this?
Thanks in advance,
Sushil
"Tom Moreau" <[email protected]> wrote:
Mike,
I haven't had any trouble getting the LDAPRealm to work
in WLS 6.0. Could it be that while you've created the LDAPRealmMBean,
you haven't told WLS to use it?
In other words, you can create many realm configurations then
you need to activate the one you want. If you haven't, the
we just use the file realm. The file realm won't be able
to authenticate you (since you put the info in LDAP!) and
after 3 failures, will lock out the account.
The instructions for selecting the realm are at:
http://e-docs.bea.com/wls/docs60/adminguide/index.html
See:
12. Managing Security
Specifying a Security Realm
Configuring the Caching Realm
The basic idea is:
1) create your LDAP Realm (you've already done this)
2) create a CachingRealm
3) set the CachingRealm's BasicRealm to your LDAP Realm
4) set the Security Realm's CachingRealm to your Caching Realm
5) reboot
It's pretty easy to do this through the admin console.
Otherwise, you can edit config.xml by hand.
Here's how:
<Domain>
<Security
Name="mydomain"
Realm="myRealm"
/>
<Realm
Name="myRealm"
FileRealm="myFileRealm"
CachingRealm="myCachingRealm"
/>
<FileRealm
Name="myFileRealm"
/>
<CachingRealm
Name="myCachingRealm"
BasicRealm="myLDAPRealm"
/>
<LDAPRealm
Name="myLDAPRealm"
/>
-Tom
"Mike" <[email protected]> wrote:
BTW, before someone suggests it, I found Tom Moreau's
suggestion to use:
<ServerDebug Name="examplesServer" DebugSecurityRealm="true"
/>
under the <Server> element in config.xml and restarted
with this and still
no additional
info from the LDAP realm printed about why it's not working
(nothing but the
same
locking account message mentioend below).
Is the source for the LDAP realm available so I can debug
it myself or has
anybody
written their own LDAP realm that they'd be willing to
share with the group?
Thanks again,
...Mike
"Mike" <[email protected]> wrote in message
news:[email protected]...
Ok I've verified that the -Dweblogic.security.ldaprealm.verbose
probably
won't
work with 6.0 (old 5.x and previous style property),
but I can't figure
out
what
replaced it, to figure out why the LDAP realm isn't
working for me...
The property mapping guide at:
http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
shows that things like weblogic.security.ldaprealm.url
changed to LDAPURL in config.xml (without telling
you that this resides as an XML attribute of
<Domain><LDAPRealm ... /></Domain> although that's
easy enough to find by looking through the example
LDAP realm.
It then says that weblogic.security.ldaprealm.verbose
has changed to "Debug" in config.xml, but doesn't
say whether that's a "Debug" XML attribute on one
of the XML elements in there, or whether it's an
XML node itself, or where in the config.xml doc
it goes... It doesn't work as an attribute of
<LDAPRealm ...> (server won't start with it there)
and it doesn't show up at all in the DTD for config.xml
so I'm assuming the mapping doc at the above url is
wrong. Anybody know what this really became in 6.0?
I've tried setting StdoutDebugEnabled="true" in config.xml
and turning the logging level all the way up to see
everything, but even
then all I
get is the account locked message, not why it's failing
to authenticate
via
LDAP...
Any other ideas?
"Mike" <[email protected]> wrote in message
news:[email protected]...
I'm trying out WL6.0 (eval version) LDAP realm support
and having
trouble
getting it to work - basic auth just keeps popping
the window up 3 times
and
then giving up. Only pertinent message in the log
is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security>
<FOOBAR>
<examplesServer> <ExecuteThread: '11' for queue: 'default'>
<> <>
<090021>
<Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite
adding the following
two
to the startup script cmd line and restarting the
server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose
=t
rue
The HTTP basic-auth dialog box is correctly showing
me that I'm trying
to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false"
GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified
that the above
server account exists AND can authenticate and retrieve
account
userpasswords (yes, the server account is "cn=" while
the user accounts
are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same
results both ways.
Any ideas???
Similar Messages
-
Hi,
I'm trying to configure Netsacape Directory Server 4.1 to work with the
LDAP Security Realm Update for WebLogic Server 6.1. The Weblogic Server
is unable to connect to NDS and there is not error message to indicate
any exception. I have connect to the NDS using a LDAP browser using the
same principal and credential in the ldaprealm.properties file and was
able to establish connection.
Has anyone encountered the same problem? Any help is appreciated.
Thank you,
PYHumm,
I have heard of different people with the same name but with the same
email address. Strange...
Will the person who did the posting below please email me. You've
already have my email address.
Han.
"Ng, Wey-Han" <[email protected]> wrote in message news:<[email protected]>...
Hi,
I'm trying to configure Netsacape Directory Server 4.1 to work with the
LDAP Security Realm Update for WebLogic Server 6.1. The Weblogic Server
is unable to connect to NDS and there is not error message to indicate
any exception. I have connect to the NDS using a LDAP browser using the
same principal and credential in the ldaprealm.properties file and was
able to establish connection.
Has anyone encountered the same problem? Any help is appreciated.
Thank you,
PY -
Problem configure Ldap realm with multi master Ldap server
I have a multimaster Directory Server (Ldap) eg: LdapMaster01 & LdapMaster02.
I configured the realm Ldap:
realm= myLdapRealm
class name =com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
jaas-context = myLdapRealm
directory = ldap://LdapMaster01:389
base-dn = ou=my_APP, ou=Applications, dc=devinc, dc=com
search-bind-dn = cn=Directory Manager
search-bind-password = 99999999So how can i configure realm to automatically switch to LdapMaster02 when the LdapMaster01 is not up?
Thanks in advanceProbably you need an external intelligent
loadbalancer unit, that receives all requests for an
DNS like 'LdapMaster' and reroutes the traffic to
LdapMaster01 or LdapMaster02.
If one LdapMaster ist not available then the
loadbalancer is responsible to route all requests
only to the available server.Thank you very much. :)
I found other post on the internet about this, and yes, probably the only way is a loadbalancer.
Another way is to write a custum realm impl that receives the server list and try to connect until an available server is found. -
Ldap realm won't recognise group members...
I've modified the defaultLDAPRealmForNovellDirectoryServices to talk to
Novell e-directory v8.6.
The Weblogic console correctly displays my Ldap groups. I have custom ACL's
defined (in the filerealm, (Jerry - I'm also baffled how to do this in
Ldap)) with permissions granted to my Ldap groups of which my Ldap user is a
memeber. This user is authenticated (can logon) correctly but can't perform
actions that their group permissions permit. (Users defined in the file
realm with this permission have no problem).
I can only think that the Ldap group is not recognising its members. This
is, of course, impossible to test as listing members of a group has been
disabled in Ldap realm v2....
If anyone has encountered such a problem, or can see an obvious solution,
cheers, very grateful.
<CustomRealm
ConfigurationData="user.filter=(&(cn=%u)(objectclass=person));user.dn=ou
=people, dc=ftid,
dc=com;server.principal=cn=Admin,dc=ftid,dc=com;membership.filter=(&(uni
queMember=%M)(objectclass=groupOfNames));group.filter=(&(cn=%g)(objectcl
ass=groupOfNames));server.host=localhost
server.port=389;server.ssl=false;group.dn=ou=Groups, dc=ftid, dc=com"
Name="defaultLDAPRealmForNovellDirectoryServices"
Notes="No notes" Password="{3DES}q4+IymeHqO2H/zvRdQK5oA=="
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
Ldif export for my group.
dn: cn=LdapUpdaterPrincipal, ou=Groups, dc=ftid, dc=com
equivalentToMe: cn=tom,ou=people,dc=ftid,dc=com
objectClass: groupOfNames
objectClass: top
uniqueMember: cn=tom,ou=people,dc=ftid,dc=com
uniqueMember: cn=andy,ou=people,dc=ftid,dc=com
ACL: 2#entry#[Root]#uniqueMember
cn: LdapUpdaterPrincipal
I'm using wl6.1 sp2.
Cheers,
Alan.solved, sorry, it was a problem with the principal-name in the
weblogic-ejb-jar file not mapping to the correct group name...
Alan
"Alan Phillips" <alan.phillips@|remove|ftid.com> wrote in message
news:3c690985$[email protected]..
I've modified the defaultLDAPRealmForNovellDirectoryServices to talk to
Novell e-directory v8.6.
The Weblogic console correctly displays my Ldap groups. I have customACL's
defined (in the filerealm, (Jerry - I'm also baffled how to do this in
Ldap)) with permissions granted to my Ldap groups of which my Ldap user isa
memeber. This user is authenticated (can logon) correctly but can'tperform
actions that their group permissions permit. (Users defined in the file
realm with this permission have no problem).
I can only think that the Ldap group is not recognising its members. This
is, of course, impossible to test as listing members of a group has been
disabled in Ldap realm v2....
If anyone has encountered such a problem, or can see an obvious solution,
cheers, very grateful.
<CustomRealm
ConfigurationData="user.filter=(&(cn=%u)(objectclass=person));user.dn=ou
=people, dc=ftid,
dc=com;server.principal=cn=Admin,dc=ftid,dc=com;membership.filter=(&(uni
>
queMember=%M)(objectclass=groupOfNames));group.filter=(&(cn=%g)(objectcl
ass=groupOfNames));server.host=localhost
server.port=389;server.ssl=false;group.dn=ou=Groups, dc=ftid, dc=com"
Name="defaultLDAPRealmForNovellDirectoryServices"
Notes="No notes" Password="{3DES}q4+IymeHqO2H/zvRdQK5oA=="
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
Ldif export for my group.
dn: cn=LdapUpdaterPrincipal, ou=Groups, dc=ftid, dc=com
equivalentToMe: cn=tom,ou=people,dc=ftid,dc=com
objectClass: groupOfNames
objectClass: top
uniqueMember: cn=tom,ou=people,dc=ftid,dc=com
uniqueMember: cn=andy,ou=people,dc=ftid,dc=com
ACL: 2#entry#[Root]#uniqueMember
cn: LdapUpdaterPrincipal
I'm using wl6.1 sp2.
Cheers,
Alan. -
I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal(kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file weblogic.allow.execute.weblogic.servlet.helloWorld=\ kevink, cambridge
I have also created the LDAPRealm.properties file in my weblogic home directory.
When I start weblogic with the LDAP debug mode on, I get the following messages
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - i noring principal
Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non- existent principal "cambridge" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
Any ideas to solve this problem are welcome RamYep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
in the weblogic console, under the Security->Groups tab on the frame to the left.
Keep in mind that you will not see users from your LDAP server under the Security->Users
tab. This is expected behavior. But if you see the groups, then you've most likely hooked
up the LDAP realm the right way ...
Joe Jerry
Vishwanath Kumar wrote:
Hello Kumar,
I am attaching a small portion of config.xml which contains LDAP settings . Please change
this according to your LDAP server configuration and test it . I hope this should help
you out.
You also need to create a caching realm and then hook up that caching realm to this LDAP
realm .
For more information this URL should be helpful:
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
here is portion of config.xml
<LDAPRealm AuthProtocol="simple" Credential="dropdead"
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://mmanson:389"
Name="defaultLDAPRealmForNetscapeDirectoryServer"
Notes="This is provided as an example. Before enabling this Realm, you must edit
the configuration parameters as appropriate for your environment."
Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
kumar wrote:
Hi,
I have tried to configure LDAP realm in weblogic, but I think it is not configured
correctly. And I don't know how to test it. Can anybody send me the sample config.xml
having LDAP realm configured correctly. Please send me a sample program to access
LDAP realm via weblogic.
Thx--
Vishwanath Kumar
Developer Relations Engineer
BEA Systems, Inc. -
I'm runing WLS6.0 SP2 and I'm trying to set up a LDAP realm to talk to a openldap
server. I'm on Win2k and have it installed as a service.
I can connect to the server via a ldap browser, and I have a user in the ldap
tree with a clear text password.
I created a LDAP realm but I can't find where to configure WebLogic to use that
LDAP realm for authentication.
thanks
joeI guess they don't use the LDAP Realm in Weblogic, you should create your custom
realm that access to AD and return user/group enumerations, acl's, etc...
I'm able to access to AD using jdk1.4, and I have my custom realm, the only
problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas,
because it didn't support kerberos authentication. A more complete jaas it's included
in jdk1.4
Regards,
Marc
"Roy Cornell" <[email protected]> wrote:
Great news, Scott. I hope you don't mind answering the three questions
below:
1. Which LDAP realm ***version*** did you use : V1 or V2?
2. Which LDAP realm type did you specify during the configuration: "MS
Site
Server" or other ?
3. Did you encounter any problems during the integration?
Thanks a lot.
Roy
"Scott Harger" <[email protected]> wrote in message
news:3b794a7c$[email protected]..
We have been able to get the LDAP realm (6.0 SP1) to work with Active
Directory.
Scott
"Roy Cornell" <[email protected]> wrote in message
news:3b72eb32$[email protected]..
I've got the same question (posted it yesterday). Please, Please,
Please,
could somebody reply.
"Andrew Wallace" <[email protected]> wrote in message
news:3b72ce38$[email protected]..
Somehow my last message got truncated. Here's the full deal:
We're trying to setup an LDAP realm in a microsoft-centric environment
(Windows 2000). All the documentation from BEA that I've found
talks
about MS Site Server, which, as near as I can find, is not an LDAPserver.
So - can I use MS Active Directory on Win2k? Is it functionally
the
same
thing? Does the MS template in LDAP Realm V2 support it? Does anyone
have success or horror stories about using AD?
thanks,
andy -
LDAP realm with Active Directory
Hello,
In the sun one app server admin console i have set the security role to LDAP.
I have set up security roles in my web.xml such as this:
<security-role>
<description>This role represents administrators of the system, see actor administrators</description>
<role-name>administrators</role-name>
</security-role>
..and mapped the roles to groups in sun-application as follows:
<security-role-mapping>
<role-name>administrators</role-name>
<group-name>CMS_PM</group-name>
<principal-name>rlancett</principal-name>
</security-role-mapping>
My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
directory: ldap://earth.tier2consulting.com:389
base-dn: cn=Users,dc=tier2consulting,dc=com
jaas-context: ldapRealm
search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
search-bind-password: ******
search-filter: sAMAccountName=%s
I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
WARNING: va:850)
FINEST: JAAS authentication aborted.
INFO: SEC5046: Audit: Authentication refused for [administrator].
I am pretty stuck on this having looked arounds all the forums:
Has anyone got sun one app server using Active Directory to get user/group information for security roles?
Thanks.Howdy,
I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
The error message you get back from the directory contains an error code in hexidecimal:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
Okay, hope this helps somebody.
Now it's up to you to find out why it can't find the administrator!
Craig -
LDAP realm for authentication and ACL in Database
We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks RamUnfortunately, there is no easy way to do this in wls 6.0.
The only way to handle it is to write your own custom realm
that uses ldap for users and groups and a database for acls -
probably not a viable alternative.
-Tom
"kevin doherty" <[email protected]> wrote:
>
Jeffrey Hirsch <[email protected]> wrote:
You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
Thanks!
-kd -
BASIC/LDAP Realm Authentication
I am trying to protect access to my Web Application using BASIC
Authentication based on an LDAPRealm that I have configured. I want all
users that try to access anything in my Web App to have to log in first,
based on their information in the LDAP server.
My web.xml file looks as such.
<web-app>
<display-name>LDAPSpike</display-name>
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>test.TestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ActiveDirectoryCachingRealm</realm-name>
</login-config>
</web-app>
Do I need to setup a <security-constraint> tag or a <security-role> tag? if
so what role do I use? I just want ANY user the be authenticated by using
the LDAP Realm (in this case ActiveDirectory as an LDAP Server)
Thanks in advance for the help...
Frank
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Frank Febbraro
Senior Software EngineerPlamen Petrov wrote:
I am having similar problem. I managed to grant access
to individual users and groups in the LDAP server, but
what I want to do is to give access to everyone in
the LDAP directory without explicitly specifiyng his
name or group membership.Create a group "everyone" in LDAP as a workaround.
Cheers,
Alexander Petrushko
mailto:[email protected]
Consulting Services available
Freemarker vs JSP:
http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html -
HTTP Basic Autnetication - LDAP Realm
Hi,
I have developed a SOAP webservice in BPEL 2.0 [ JBI ] and added the HTTP basic authentication on top of it ( added the policy ). I have used LDAP realm to authenticate the users from the LDAP server and its working fine.
Below is the code snippet of the WSDL used to point to LDAP realm.
<service name="casaService1">
<port name="casaPort1" binding="tns:casaBinding1">
<soap:address
location="http://localhost:9080/SOAPWSService/SOAPWS"/>
<wsp:PolicyReference URI="#HttpBasicAuthBindingLdapRealmPolicy"/>
</port>
</service>
<wsp:Policy wsu:Id="HttpBasicAuthBindingLdapRealmPolicy">
<mysp:MustSupportBasicAuthentication on="true">
<mysp:BasicAuthenticationDetail>
<mysp:Realm realmName="LdapRealm" />
</mysp:BasicAuthenticationDetail>
</mysp:MustSupportBasicAuthentication>
</wsp:Policy>
The LDAP realm details from the Glassfish Server are as below:
JAAS Context - ldapRealm
Directory - ldap://localhost:389
Based DN - dc=example,dc=com
Bind DN - cn=Directory Manager
Password - ldap123
Now i would like to provide access to only users in a particular group. I have updated the Assigned Groups in the LDAP realm ( admin console ) to the group for which i would like to provide access to. But its not working.
For webservices developed using EJB,we can use the web.xml , sun-web.xml,deployment descriptor files to add roles and map groups to this roles.
But how do we implement the same in OpenESB ( service assemblies ). Do we have to modify the WSDL ? Please share some info if anyone has worked on this before.
Thanks,
Kris.Plamen Petrov wrote:
I am having similar problem. I managed to grant access
to individual users and groups in the LDAP server, but
what I want to do is to give access to everyone in
the LDAP directory without explicitly specifiyng his
name or group membership.Create a group "everyone" in LDAP as a workaround.
Cheers,
Alexander Petrushko
mailto:[email protected]
Consulting Services available
Freemarker vs JSP:
http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html -
User and group handling in LDAP Realm
Hi,
I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
Any help much appreciated.
DaveHi Dave:
In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication
logic and user management logic.
Fun
Dave Horner wrote:
Hi,
I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
Any help much appreciated.
Dave -
I have problems running WebLogic 5.1 SP10 with a LDAP realm configured
I have used the script supplied with my OptimizeIt installation, but WebLogic can't find the ldaprealm.properties file but instead assumes the LDAP hostname ldapserver:389We ran into a similar situation where our users were stored in SiteMinder/LDAP.
So we are going to bulk load all the users into WLI and then synchronize the users
nightly for any activated and deactivated users. We kept the roles in LDAP different
from the roles in WLI though. Would like to know if you guys addresses this differently
Thanks
Sreeram
"Peter Giesin" <[email protected]> wrote:
>
I am curious to know if anyone is actually running WLI with a LDAP Realm.
I would
like to know how you dealt with the fact that the users still need to
be defined
in the WLI database so that they can be added to the organization.
Thanks,
Pete -
My environment is WL 6.1 SP2.
I am currently using the LDAP Realm V1 (deprecated) and would like to switch to LDAP
Realm V2. The problem is that my WL console does not give me the option to configure
a LDAP Realm V2 when creating a new security realm. The only options I get are: LDAP
Realm V1, NT Realm, UNIX Realm, RDBMS Realm and Custom Realm.
I would appreciate it if anybody can tell me what needs to be done to get the configure
LDAP Realm V2 option.
Thanks
CharlI have had a custom realm that handles ACLs since 5.1. My question is I want to
mix it with the out-of-the box ldaprealm v2. I was hoping for a failover mechanism
where I can supply a custom realm that knows how to authorize and leave it up
to the canned ldaprealm to authenticate. The filerealm behaves in such a manner,
does it not.
I will try your idea about extending the ldaprealm. But, the challenge will be
in dealing with the delegate.
"Utpal" <[email protected]> wrote:
If you extend the weblogic.security.ldaprealmv2.LDAPRealm and implements
newAcl, deleteAcl, newPermission,
setPermission etc, I think it's doable.
=========
public class weblogic.security.ldaprealmv2.LDAPRealm extends
weblogic.security.a
cl.AbstractListableRealm implements weblogic.security.acl.DebuggableRealm
=========
-utpal
"Utpal" <[email protected]> wrote in message
news:[email protected]..
Why don't you use the Custom Security Realm? You can construct an ACLin a
custom seecurity realm.
http://edocs.beasys.com/wls/docs61/security/prog.html#1042361
-utpal
"Ziad Kurdi" <[email protected]> wrote in message
news:3c9b4c80$[email protected]..
Is there a way in 6.1 to use the supplied LDAP Realm V2 for
authentication
and
managing groups, but enhance it with ACL's (stored in a database)
for
authorization?
Obviously, I would like to take advantage of the server's caching
realm
capabilities.
I currently running a custom realm (from 5.1 which works in 6.1)
that
mixes LDAP
authentication, group management, and DB ACL's for authorization,
but I
no
longer
wish to capture the user's password (due to sorporate policies) and
would
like
to avoid maitaining the authentication code.
Thanks in advance for any assistance. -
Unable to access Admin Tools for portal after configuring LDAP realm
After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and password "password". I've created the SystemAdministrator Group in LDAP as well as the appropriate "administrator" user but it still does not let me access the Administratotion Tools.
This thread is being discussed in the weblogic.developer.interest.portal
newsgroup under the same title. You can cross-post to multiple groups in
the future so that the thread develops in all newsgroups that you posted to.
"Wendy Kajiyama" <[email protected]> wrote in message
news:[email protected]..
After setting weblogic to use the LDAP realm I am unable to access theAdministration Tools. It does not take the username "administrator" and
password "password". I've created the SystemAdministrator Group in LDAP as
well as the appropriate "administrator" user but it still does not let me
access the Administratotion Tools. -
Setting up LDAP realm with WLI 7
Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7
Pramit Basu <[email protected]> wrote:
Any pointer to Step by step instruction on to how to set up LDAP realm
for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
First, please backup your original config.xml file. Then, you can start configure
the realms. You can do this by modifying the config.xml file, or through WLS console.
After you have done this, your config.xml file should contain the following:
<LDAPRealm AuthProtocol="none"
Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://jpengdesk:389"
Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
--- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
values are correct according to the groups and users stored on your LDAP server.
In my example here, "beasys.com" is my root entry, and I have all the users created
underneath of OU "People", and I have all the groups created in OU "Groups".
<CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
Realm"/>
--- You can do this in console by clicking on "Caching Realms", then click on
the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
<Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
--- you can do this in console by clicking on "Compatibility Security", then click
on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
from the pull down comb box.
Please make sure all the names are related. See above example, the value in blue
color should match, and the value in red color should match too.
Please see the attached config.xml file for reference.
2) Create the users in LDAP server. In my example, I simply created 3 users underneath
of OU “People”, they are:
weblogic
wlisystem
admin
“weblogic” is the user I used as my system administrator user, which
I used to boot my WLS server and access my WLS console.
“wlisystem” and “admin” are the users created for WLI
component.
3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
all these groups underneath of OU “Groups”. These groups are:
ConfigureComponents
Administrators
wlpiUsers
MonitorInstance
ExecuteTemplate
CreateTemplate
UpdateTemplate
DeleteTemplate
AdminsterUser
ConfigureSystem
wlpiAdministrators
Also, add the users created in step 2 into all of these groups.
4) Clean up the fileRealm.properties file.
Backup your original fileRealm.properties file. Then, remove all the entries starting
with “user.xxx” and “group.xxx”, only leave those entries
starting with “acl.xxx”.
Please see the attached “fileRealm.properties” file for reference.
5) Restart your WLI server. Verify the users and groups you defined in LDAP server
are displayed in WLS console correctly. You can see the user and group information
in “Compatibility Security” à “Users”, and “Compatibility
Security” à “Groups” respectively.
6) Start your studio to design a simple Workflow. When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
7) Start your Worklist to execute the workflow. Also, When you login, the authentication
of your username and password is against the LDAP server, since you don’t
have any user entries in your fiel realm any more.
Once you execute the workflow, you can verify that workflow instance in Studio.
You can monitor the instance, and delete the instance.
Maybe you are looking for
-
Logical OR: Result in Amount
Hello experts, I have 2(AMT1 & AMT2) amount fields. only one AMT occurs for product type. so I have created CKF: AMT1 OR AMT2. Note:used Logical OR in output i see result as 1. i need to see the amount. Regards, KV Edited by: K V on Feb 23, 2009 3:0
-
Acrobat 9.0 product download link
I have a license for Acrobat 9.0 Pro Arabic Version Win Full, and I need the product download link?
-
Hi May be a simple question, but I can't figure out how actually. When I'm doing this var obj:Object = new Object(); obj.test = "My Test"; for(var i:* in obj) trace(i + " : " + obj[i]); The output is -> test : My Test My problem comes when I
-
Problem with "Show Format" bar in Mail
The bold, italic, and underline buttons are not working on my "Show Format" bar in Mail. NOTHING will make them work: clicking on a button before I type: selecting/highlighting and then clicking on a button after I type; choosing command+I, command+B
-
Oracle Business Intelligence EE Linux installation
Hi, i´m trying to install the linux Oracle Business Intelligence EE on Enterprise Linux, but the installation hangs, I already read another similar thread on winXP, but it didn´t help. Anyone have installed OBI EE on a Linux with jdk1.6.0? Thanks