WLS 10.0: Security: LDAP Authenticator
hi,
I'm using WLS 10.0 with the following security providers:
- SQL Authenticator (for weblogic console users like system)
- Identity Asserter (custom developed, takes care for AUTHENTICATION only)
- LDAP Authenticator (out of the box, takes care for AUTHORIZATION only against a SUN ONE LDAP).
everything works fine except for the queries that the LDAP Authenticator provider generates:
For each login, the providers performs these queries:
a)
2007-11-26 14:57:08,410] conn=241357 op=10893 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="objectclass=person"
[2007-11-26 14:58:56,369] conn=241357 op=10893 RESULT err=4 tag=0 nentries=15000 etime=107959 mem=43481184/172441600 as you can see, the query returns 15'000 entires (which is the max items for results inside SUN ONE LDAP).
b)
[2007-11-22 12:04:31,943] conn=256293 op=12611 SRCH base="ou=people,ou=intranet,dc=novartis,dc=com" scope=2 filter="(&(uid=ADLERAI1)(objectclass=person))"
[2007-11-22 12:04:32,031] conn=256293 op=12611 RESULT err=0 tag=0 nentries=1 etime=88 mem=14583600/46768128
this is the real query returning one single entry for the logged in user.
Does anyone know why LDAP AUthentication provider generates the first query?
cheers
balz
Edited by bschreier at 11/27/2007 1:44 AM
Edited by bschreier at 11/27/2007 1:45 AM
Hi
1. Looking carefully at the following 3 lines in server statup logs, after 2:20:39 PM GST, server waited like for 16 mts like 2:36:43 and invoked the Force Shutdown. Possible reasons I gave below.
####<Feb 14, 2010 2:20:37 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142837729> <BEA-423101> <[console] Initializing the NetUIx container>
####<Feb 14, 2010 2:20:39 PM GST> <Info> <netuix> <ePIMSEDMS2> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1266142839433> <BEA-423120> <WEB-INF/client-classifications.xml file not found at uri [webapp]. Classifications functionality not enabled.>
####<Feb 14, 2010 2:36:43 PM GST> <Notice> <WebLogicServer> <ePIMSEDMS2> <AdminServer> <Thread-1> <<WLS Kernel>> <1266143803604> <BEA-000388> <JVM called WLS shutdown hook. The server will force shutdown now>
2. Since you mentioned this worked fine and nothing else is changed over a year, the possible cause may be like this. Looks like you have some Documentum stuff (or webapp or modules) loaded on this server. I am not much familiar with EMC Documentum stuff, except that we use that as external Content Management repository for Portal Applications. Looking at the full thread dump for thread 0, looks like documentum code is trying to publish something or interact with its documentum server and may be it is not getting the response back. So make sure if any external systems that this WLS interacts are all up and running.
HTH
Ravi Jegga
Similar Messages
-
Problem with WLS LDAP Authentication Provider
We have configured WLS LDAP Authentication provider on an Oracle Service Bus domain, which is used to authenticate WS-Security Username Token and SAML Tokens against an external LDAP Directory (Sun Directory Server). After configuring this, we see that the "Users & Groups" page on the WLS Admin console is getting populated with all the user ids available in LDAP. The organization corporate directory has thousands of user ids, and WLS is executing a generic query against LDAP to fetch all the users. This query would have a major performance impact on the LDAP Directory? Is there any way to prevent this generic query from happening? Any suggestions would help.
Edited by: Ramakrishnan Venkataraman on Feb 1, 2011 11:46 AMYes, you can apply filters on the Providers configuration, also u can select the DN from where to feth the users, you can fetch users with special attributes.
Whole lot of things can be done, review the options under providers.
Let me know if you have any doubts.
HTH,
-Faisal
http://www.weblogic-wonders.com -
LDAP Authentication / User-Role in a database (Weblogic Security)
Hi,
I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
The problem is that it doesn't uses LDAP Authentication, it only uses SQL Authentication.
I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
Consider I'm using WLS 10.3 and JDeveloper 11g.
Any suggestions?
Thanks in advance,
OlgaHi,
Check following forum thread.
Re: custome role maper example
Regards,
Kal -
Weblogic Server 10.3.0 and LDAP authentication Issue
Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
Can anyone please point me towards the right direction to get this resolved.
Thanks,
STEPS
Here are my steps I have followed:
- Created a group called Administrators in OID.
- Created a test user call uid=myadmin in the OID and assigned the above group to this user.
- Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>OIDAuthentication</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
<wls:port>1389</wls:port>
<wls:principal>cn=orcladmin</wls:principal>
<wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
<wls:credential-encrypted>removed from here</wls:credential-encrypted>
<wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
</sec:authentication-provider>
- Marked the default authentication provider as sufficient as well.
- Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
- Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
<LDAP Atn Login username: myadmin>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<authenticate user:myadmin>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<authentication succeeded>
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<LDAP Atn Authenticated User myadmin>
<List groups that member: myadmin belongs to>
<getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
*<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
*<Result has more elements: false>*
<returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<login succeeded for username myadmin>
- I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
<XACML RoleMapper getRoles(): returning roles Anonymous>
- I did a ldap search and I found no issues in getting the results back:
C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
objectclass=groupOfUniqueNames
objectclass=orclGroup
objectclass=top
END
Here are the log entries:
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
<1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
<1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
<1291668685624> <BEA-000000> <LDAP Atn Login>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
<1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
<1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
<1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685624> <BEA-000000> <authenticate user:myadmin>
<1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685671> <BEA-000000> <authentication succeeded>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
<1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
<1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
<1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
<1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
<1291668685686> <BEA-000000> <Result has more elements: false>
<1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
<1291668685686> <BEA-000000> <login succeeded for username myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
<1291668685686> <BEA-000000> <LDAP Atn Commit>
<1291668685686> <BEA-000000> <LDAP Atn Principals Added>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: myadmin
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685686> <BEA-000000> <Signed WLS principal myadmin>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
<1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
<1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
<1291668685702> <BEA-000000> <Using Common RoleMappingService>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
<1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
<1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp, contextPath=/console>
<1291668685702> <BEA-000000> < Parent: type=<url>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<app>, application=consoleapp>
<1291668685702> <BEA-000000> < Parent: type=<url>>
<1291668685702> <BEA-000000> < Parent: null>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
<1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
<1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
<1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
<1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<1291668685702> <BEA-000000> < Subject: 1
Principal = weblogic.security.principal.WLSUserImpl("myadmin")
>
<1291668685702> <BEA-000000> < Roles:Anonymous>
<1291668685702> <BEA-000000> < Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> < Direction: ONCE>
<1291668685702> <BEA-000000> < Context Handler: >
<1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
<1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
<1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
<1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
<1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
<1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
<1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
its was the "cn" attribute that was causing the result set to be empty.
from a command line we tried
"(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
and got the results back.
Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
Thanks everyone for showing interest on the problem and providing suggestions. -
Error:- weblogic.security.SecurityInitializationException: Authentication
Hi,
I am getting below error when ever i am trying to start the Managed server in cluster environment(unix).
I am able to start the server on local machine but in case of remote machine its not gettig started.
I have tried most of the steps as mentioned below:-
1) Changed the weblogic passowrd.
2) Delete boot.properties.
3) deleted $DOMAIN_DIR\servers\<admin-server-name>\data\ldap
4) Followed below post also but nothing worked:-
https://forums.oracle.com/forums/thread.jspa?threadID=956750&start=30&tstart=0
####<Nov 14, 2011 7:41:28 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888310> <BEA-000000> <WebLogic Server "soa_server2" version:
WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 Copyright (c) 1995, 2009, Oracle and/or its affiliates. All rights reserved.>
####<Nov 14, 2011 7:41:28 PM IST> <Notice> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888419> <BEA-170019> <The server log file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/logs/soa_server2.log is opened. All server side log events will be written to this file.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Log Management> <infva05177.vshodc.lntinfotech.com> <> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1321279888426> <BEA-170023> <The Server Logging is initialized with Java Logging API implementation.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Diagnostics> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888494> <BEA-320001> <The ServerDebug service initialized successfully.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "t3s" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "http" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888560> <BEA-002622> <The protocol "https" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888561> <BEA-002622> <The protocol "iiop" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "iiops" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldap" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888562> <BEA-002622> <The protocol "ldaps" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888564> <BEA-002622> <The protocol "cluster" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888565> <BEA-002622> <The protocol "clusters" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "snmp" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888568> <BEA-002622> <The protocol "admin" is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888569> <BEA-002624> <The administration protocol is "t3s" and is now configured.>
####<Nov 14, 2011 7:41:28 PM IST> <Info> <RJVM> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279888583> <BEA-000570> <Network Configuration for Channel "soa_server2"
Listen Address 172.17.103.42:8101
Public Address N/A
Http Enabled true
Tunneling Enabled false
Outbound Enabled false
Admin Traffic Enabled true>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Server> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889336> <BEA-002609> <Channel Service initialized.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889410> <BEA-000436> <Allocating 4 reader threads.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <Socket> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889412> <BEA-000446> <Native IO Enabled.>
####<Nov 14, 2011 7:41:29 PM IST> <Info> <IIOP> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279889612> <BEA-002014> <IIOP subsystem enabled.>
####<Nov 14, 2011 7:41:32 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279892649> <BEA-090894> <Successfully loaded the OPSS Policy Provider using oracle.security.jps.internal.policystore.JavaPolicyProvider.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893102> <BEA-000000> <Starting OpenJPA 1.1.1-SNAPSHOT>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893224> <BEA-000000> <StoreServiceImpl.initJDO - StoreService is initialized with Id = ldap_qMT60FRl3kIPYftFoWhBFbhSxuY=>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893501> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLAuthorizermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893509> <BEA-090074> <Initializing Authorizer provider using LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift.>
####<Nov 14, 2011 7:41:33 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279893921> <BEA-090075> <The Authorizer provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/XACMLAuthorizerInit.ldift>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/DefaultCredentialMappermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894240> <BEA-090827> <LDIF template file /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DefaultCredentialMapperInit.ldift was empty. The WebLogic provider CredentialMapper has been bootstrapped but has not been initialized with any LDIF data.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894250> <BEA-000000> <BootStrapServiceImpl.loadLDIFTemplate - Did not find /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/servers/soa_server2/data/ldap/XACMLRoleMappermyrealmInit.initialized, will load full LDIFT.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894251> <BEA-090074> <Initializing RoleMapper provider using LDIF template file /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift.>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894265> <BEA-090075> <The RoleMapper provider has had its LDIF information loaded from: /home/oracle/Oracle/Middleware/user_projects/domains/domain_cluster/security/XACMLRoleMapperInit.ldift>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server soa_server2 for security realm myrealm.>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894442> <BEA-090082> <Security initializing using security realm myrealm.>
####<Nov 14, 2011 7:41:34 PM IST> <Critical> <Security> <infva05177.vshodc.lntinfotech.com> <soa_server2> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1321279894594> <BEA-090403> <Authentication for user weblogic denied>
####<Nov 14, 2011 7:41:34 PM IST> <Critical> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894596> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy28.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy46.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000365> <Server state changed to FAILED>
####<Nov 14, 2011 7:41:34 PM IST> <Error> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894605> <BEA-000383> <A critical service failed. The server will shut itself down>
####<Nov 14, 2011 7:41:34 PM IST> <Notice> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894608> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
####<Nov 14, 2011 7:41:34 PM IST> <Info> <WebLogicServer> <infva05177.vshodc.lntinfotech.com> <soa_server2> <Main Thread> <<WLS Kernel>> <> <> <1321279894618> <BEA-000236> <Stopping execute threads.>
Please help.
thanks in advanceI've tried every trick in the book but no luck and finally I found a solution for this problem. Maybe it is not the best practice but it works:
1-Uninstall JDeveloper.
2-Delete Oracle Middleware file located in C:\Oracle
3-Delete the JDeveloper file located in C:\Users\MyUser\AppData\Roaming (Because the integrated Weblogic server is actually there)
4-Reinstall JDeveloper
That solved the issue.
Thanks -
Open LDAP Authenticator Configuration on WLSSP5
I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organization
o: MYABC, Inc
dn: cn=Manager, dc=my-domain,dc=com
userPassword:: c2VjcmV0
objectClass: person
sn: Manager
cn: Manager
dn: cn=myabcsystem, dc=my-domain,dc=com
userPassword:: dmVuZGF2b3N5c3RlbQ==
objectClass: person
sn: myabcsystem
cn: myabcsystem
dn: cn=Philippe, dc=my-domain,dc=com
userPassword:: UGhpbGlwcGU=
objectClass: person
sn: Philippe
cn: Philippe
dn: cn=mlrick, dc=my-domain,dc=com
userPassword:: bWxyaWNr
objectClass: person
sn: mlrick
cn: mlrick
All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
Inspite of me not having any groups in the ldap as indicated in ldif contents.
While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
<weblogic.security.providers.authentication.OpenLDAPAuthenticator
AllGroupsFilter="objectclass=*"
Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
GroupBaseDN="dc=my-domain,dc=com"
GroupFromNameFilter="(cn=%u)"
Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
Principal="cn=myabcsystem,dc=my-domain,dc=com"
Realm="Security:Name=MYABCAuthentication"
StaticGroupDNsfromMemberDNFilter=""
StaticGroupNameAttribute="" StaticGroupObjectClass=""
StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?Hi Amol,
I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
I was not aware you could install the service with that command.
I used the below command instead:
sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
Regards,
-John -
LDAP authenticator setting in Weblogic 10
Hi there,
I am a newbie to weblogic. I am migrating an application from OAS to Weblogic 10. The application is using LDAP for login. I am havng a trouble to set up those users in weblogic console.
Here is what I did:
in web.xml:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>UserRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>RegularUser</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<role-name>UserRole</role-name>
</security-role>
In Weblogic.xml
<?xml version="1.0" encoding="windows-1252"?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<security-role-assignment>
<role-name>UserRole</role-name>
<externally-defined/>
</security-role-assignment>
</weblogic-web-app>
In Weblogic console, I created a new realm called RegularUser and setup LDAP authenticator. User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can see those users already in the user list.
Did I miss any step?
ThanksThanks, Faisal.
Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in console.
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>myTestDomain</name>
<domain-version>10.3.3.0</domain-version>
<security-configuration>
<name>myTestDomain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>RegularUsers</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:host>holdap1.abc.org</wls:host>
<wls:user-object-class>user</wls:user-object-class>
<wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
<wls:principal>ldapviewsd</wls:principal>
<wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
<wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
<wls:user-from-name-filter>(&(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
<wls:group-from-name-filter>(&(cn=%g)(objectclass=group))</wls:group-from-name-filter>
<wls:static-group-object-class>group</wls:static-group-object-class>
<wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
<wls:static-group-dns-from-member-dn-filter>(&(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<realm>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>RewardsUser</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:host>holdap1.abc.org</wls:host>
<wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
<wls:principal>ldapviewsd</wls:principal>
<wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
<wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
<wls:user-from-name-filter>(&(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:group-base-dn>ou=a,dc=bdc=c</wls:group-base-dn>
<wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
</sec:authentication-provider>
<sec:deploy-role-ignored>false</sec:deploy-role-ignored>
<sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
<sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
<sec:security-dd-model>CustomRoles</sec:security-dd-model>
<sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
<sec:name>RewardsUser</sec:name>
<sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<server-debug>
<debug-scope>
<name>weblogic.security.atn</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic.security.atz</name>
<enabled>true</enabled>
</debug-scope>
<debug-security-atn>true</debug-security-atn>
<debug-security-atz>true</debug-security-atz>
<debug-security-saml-atn>true</debug-security-saml-atn>
<debug-security-saml2-atn>true</debug-security-saml2-atn>
</server-debug>
<listen-address></listen-address>
</server>
<embedded-ldap>
<name>myTestDomain</name>
<credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.3.0</configuration-version>
<app-deployment>
<name>rewards</name>
<target>AdminServer</target>
<module-type>ear</module-type>
<source-path>servers\AdminServer\upload\rewards.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
</domain> -
SharePoint 2010 with LDAP authentication, using NOVELL eDirectory
One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager. -
ASA 8.2.5 LDAP authentication by memberof doesn't always work
I've configured LDAP authentication to allow access if members are a member of the "VPN_Users" Group. This configuration is working, but only for some users. For other users it isn't. The output of the 'debug ldap 255' shows an output of memberOf for the users that it's working for, but shows nothing for users it's not working for. I've not been able to figure out any connection or differences that are the same between those users that work and those that don't. Any idea on what might be causing this problem? Both working and non-working users will authenticate, its just some of them don't pull the memberof data in the ldap query.
Config:
aaa-server AD protocol ldap
aaa-server AD (inside) host btfs2
ldap-base-dn dc=localdomain,dc=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn [email protected]
server-type microsoft
ldap-attribute-map VPNGroup
ldap attribute-map VPNGroup
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy btvpn internal
group-policy btvpn attributes
banner value This is a private data network. All connections are logged and are subject to
banner value monitoring. Unauthorized access is prohibited and will be prosecuted.
dns-server value 10.0.0.x 10.0.0.y
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun
default-domain value localdomain.com
webvpn
svc keep-installer installed
svc rekey time 120
svc rekey method ssl
svc ask enable default svc
tunnel-group btvpn type remote-access
tunnel-group btvpn general-attributes
address-pool vpnpool
authentication-server-group AD LOCAL
default-group-policy NOACCESS
tunnel-group btvpn webvpn-attributes
group-alias webvpn enable
tunnel-group btvpn ipsec-attributes
pre-shared-key *****
Non-working user:
[1575] Session Start
[1575] New request Session, context 0xd7fbf210, reqType = Authentication
[1575] Fiber started
[1575] Creating LDAP context with uri=ldap://10.0.0.x:389
[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1575] supportedLDAPVersion: value = 3
[1575] supportedLDAPVersion: value = 2
[1575] Binding as [email protected]
[1575] Performing Simple authentication for [email protected] to 10.0.0.x
[1575] LDAP Search:
Base DN = [dc=localdomain,dc=com]
Filter = [samAccountName=cmcbride]
Scope = [SUBTREE]
[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1575] Talking to Active Directory server 10.0.0.x
[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1575] Binding as cmcbride
[1575] Performing Simple authentication for cmcbride to 10.0.0.x
[1575] Processing LDAP response for user cmcbride
[1575] Message (cmcbride):
[1575] Authentication successful for cmcbride to 10.0.0.x
[1575] Retrieved User Attributes:
[1575] objectClass: value = top
[1575] objectClass: value = person
[1575] objectClass: value = organizationalPerson
[1575] objectClass: value = user
[1575] cn: value = Chris McBride
[1575] sn: value = McBride
[1575] l: value = Tulsa
[1575] description: value = cmcbride non-admin test account
[1575] givenName: value = Chris
[1575] distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co
[1575] displayName: value = Chris McBride
[1575] name: value = Chris McBride
[1575] objectGUID: value = ....5..L...[..K.
[1575] codePage: value = 0
[1575] countryCode: value = 0
[1575] primaryGroupID: value = 513
[1575] objectSid: value = ...............1...{C..2....
[1575] sAMAccountName: value = cmcbride
[1575] sAMAccountType: value = 805306368
[1575] userPrincipalName: value = [email protected]
[1575] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1
[1575] Session End
Working user:
[1585] Session Start
[1585] New request Session, context 0xd7fbf210, reqType = Authentication
[1585] Fiber started
[1585] Creating LDAP context with uri=ldap://10.0.0.x:389
[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful
[1585] supportedLDAPVersion: value = 3
[1585] supportedLDAPVersion: value = 2
[1585] Binding as [email protected]
[1585] Performing Simple authentication for [email protected] to 10.0.0.x
[1585] LDAP Search:
Base DN = [dc=localdomain,dc=com]
Filter = [samAccountName=cmcbride_a]
Scope = [SUBTREE]
[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]
[1585] Talking to Active Directory server 10.0.0.x
[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com
[1585] Read bad password count 0
[1585] Binding as cmcbride_a
[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x
[1585] Processing LDAP response for user cmcbride_a
[1585] Message (cmcbride_a):
[1585] Authentication successful for cmcbride_a to 10.0.0.x
[1585] Retrieved User Attributes:
[1585] objectClass: value = top
[1585] objectClass: value = person
[1585] objectClass: value = organizationalPerson
[1585] objectClass: value = user
[1585] cn: value = Admin Chris McBride
[1585] sn: value = McBride
[1585] description: value = PTC User, cjm 05312011
[1585] givenName: value = Chris
[1585] distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain
[1585] instanceType: value = 4
[1585] whenCreated: value = 20110525173004.0Z
[1585] whenChanged: value = 20110619154158.0Z
[1585] displayName: value = Admin Chris McBride
[1585] uSNCreated: value = 6188062
[1585] memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = btvpn
[1585] mapped to LDAP-Class: value = btvpn
[1585] memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t
[1585] mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com
[1585] memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com
[1585] memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com
[1585] memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com
[1585] uSNChanged: value = 6560745
[1585] name: value = Admin Chris McBride
[1585] objectGUID: value = ..Kj4..E..c.VCHT
[1585] userAccountControl: value = 512
[1585] badPwdCount: value = 0
[1585] codePage: value = 0
[1585] countryCode: value = 0
[1585] badPasswordTime: value = 129531669834218721
[1585] lastLogoff: value = 0
[1585] lastLogon: value = 129532463799841621
[1585] scriptPath: value = SLOGIC.BAT
[1585] pwdLastSet: value = 129508182041981337
[1585] primaryGroupID: value = 513
[1585] objectSid: value = ...............1...{C..2. ..
[1585] adminCount: value = 1
[1585] accountExpires: value = 9223372036854775807
[1585] logonCount: value = 90
[1585] sAMAccountName: value = cmcbride_a
[1585] sAMAccountType: value = 805306368
[1585] userPrincipalName: value = [email protected]
[1585] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com
[1585] dSCorePropagationData: value = 20110525174152.0Z
[1585] dSCorePropagationData: value = 16010101000000.0Z
[1585] lastLogonTimestamp: value = 129529717185508866
[1585] msTSExpireDate: value = 20110803160858.0Z
[1585] msTSLicenseVersion: value = 393216
[1585] msTSManagingLS: value = 92573-029-5868087-27549
[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1
[1585] Session EndAs far as your configuration is concerned it looks perfectly fine. As you mentioned that the difference between the working and non working debugs is that in the non working debugs we do not see memberof attribute being retrieved.
the main reason could be that the username "[email protected]" with which you are performing the LDAP bind does not have sufficient privileges to retreive all the attributes from all the users in the AD. This looks like permission issue at the AD user level.
One thing you can try on the AD is to "Delegate Control" to this user ([email protected]) to "Read all properties" for all users and not just a subset of users. Please get in touch with AD Admin before making such a change on the AD.
Here is an external link just to give an idea about delegation of control to "Read all properties"
http://www.advproxy.net/ldapads.html -
How to do LDAP authentication in OC4J instance?
Need to configure third party LDAP authentication for an application deployed in OC4J instance. How to configure this?
Hi,
I think that links will be useful to you!
http://download-uk.oracle.com/docs/cd/B15904_01/web.1012/b14013/configoc4j.htm
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/security/jaznldap/index.html
Afonso -
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos -
WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)
Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
a managed server using the node manager? I can boot the server without the AD
authenticator and I can also boot the server using a script and successfully authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
configuration works fine with weblogic running on W2K, but not on Solaris (it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)Solved the problem. The 'domain root' directory specified in the remote start configuration,
must contain a copy of the file 'SerializedSystemIni.dat' that was created along
with the domain, in order to boot when an AD authenticator is configured. If an
AD authenticator is not configured, no file is required. This was not a platform
specific issue; on Win2K I had configured the 'domain root' remote start parameter
to point to an existing domain root and not a new directory.
"Andrew Walker" <[email protected]> wrote:
>
Has anyone managed to setup a WLS 7.0 Active Directory authenticator
and booted
a managed server using the node manager? I can boot the server without
the AD
authenticator and I can also boot the server using a script and successfully
authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup
a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
This
configuration works fine with weblogic running on W2K, but not on Solaris
(it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
<main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException:
RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException:
Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute
method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31) -
Connect to secure LDAP server from iWS 4.1
I am trying to connect to a secure LDAP server that is expecting client authentication. I installed a client cert (provided by the LDAP admin) on the iWS admin server, and I can search/view user records housed on the LDAP server.
However, when I try to use an iWS webserver to restrict access to a resource using the LDAP, it appears that I have to install the client cert on that webserver as well. The problem is, that if the webserver is not a secure webserver, there appears to be no way to do this. That is, I cannot use a non-secure webserver (not running https) to access the secure LDAP server.
When I install the client cert on the non-secure webserver, I have to create a Trust Database, providing a password. I can then install the client cert that I need to access the LDAP server, but when I go to restart the non-secure webserver, it complains that it can't read the cert database ("NSS initialization failed: -8177"), and attempts to authenticate users fail.
If the webserver is running https, a secure webserver, that is, everything works fine: I can install the client cert, and use the LDAP to authenticate users.
Is there any way to configure a non-secure iWS webserver so that it can read its Trust Database? Or some way to store client certs that does not require a Trust Database?I don't believe so. As far as I know, this capability was first introduced in iPlanet Web Server 6.0.
-
AD LDAP authentication or authorization
Hi,
It really drives me crazy because I can't seem to find the right solution for my issue.
I'm trying to use the LDAP authentication for my apex applications.
So far, straight forward LDAP authentication works just fine, but EVERYBODY who has a user account can log into any application.
I'm using the %LDAP_USER% string to validate the users and that's just fine.
But I want to restrict somehow users from logging into my applications.
Either way by ldap groups or an users table in every application.
Can someone please help me with this, or give me directions/examples of login functions/schemes?
Thanks so much!
Regards, BasWhat you have done so far is called Authentication. It's the question of "who am I?"
What you want to add is called Authorization, which is the "what can I do?"
So, you need to create an Authorization Scheme to secure components of your application. An authorization scheme can secure almost any component of an APEX app including:
- The application
- Pages
- Tabs
- Regions
- List items
- Items
- Columns in reports
- More that I'm not thinking of
Look at the doc on authorization schemes. You have 2 primary options that I can think of:
1) Use LDAP groups by using the APEX_LDAP package to lookup information about a user. I'm not sure if the member_of function works against AD or just OID, you might need to use the get_attribute function instead. In short, you query AD, then return true or false based on the attributes of the user. Once they are logged in you can reference the username with the :APP_USER APEX variable
2) A table of usernames (not passwords). You authorization scheme could just be an "Exists query" such as:
select 1 from valid_users where username = :APP_USEROnce you decide on an authorization scheme and create it, you then edit the security attributes of your app / page / region / etc and apply it
Tyler Muth
http://tylermuth.wordpress.com
"Applied Oracle Security: Developing Secure Database and Middleware Environments": http://sn.im/aos.book -
ASA LDAP authentication trouble
Hi,
I have a weird situation when using LDAP (MS AD) to authenticate logon to ASDM.
I've created the setup and map the ASAAdmin group membership to Privilege level 15. (see lines from config)
ldap attribute-map ADAuth
map-name memberOf Privilege-Level
map-value memberOf CN=ASAAdmin,CN=Users,DC=chapel,DC=orbdata,DC=com 15
It works fine when I login. See extract from the debugs:
[732] memberOf: value = CN=ASAAdmin,CN=Users,DC=chapel,DC=orbdata,DC=com
[732] mapped to Privilege-Level: value = 15
1 User-Name(1) 11 "zsolt.fejer"
2 User-Password(2) 8 (hidden)
3 AAA-AVP-Table(4243) 1993 "[C9][07][00][00],[00][00][00][B8][01][00][00][CF][01]"
4 Privilege Level(4316) 4 15
5 Privilege Level(4316) 4 0
6 Privilege Level(4316) 4 0
7 Privilege Level(4316) 4 0
8 Privilege Level(4316) 4 0
9 Privilege Level(4316) 4 0
10 Privilege Level(4316) 4 0
I'm authenticated and can work properly.
But when I try to login as Administrator (other users have the same issue), I get the message that the Privilege level is only 0 which isn't enough to start ASDM. The Administrator also member of the said group. See the extract from the debug.
user attributes:
1 User-Name(1) 13 "administrator"
2 User-Password(2) 9 (hidden)
3 AAA-AVP-Table(4243) 1925 "[85][07][00][00])[00][00][00][A0][01][00][00][B7][01]"
4 Privilege Level(4316) 4 0
5 Privilege Level(4316) 4 0
6 Privilege Level(4316) 4 0
7 Privilege Level(4316) 4 15
8 Privilege Level(4316) 4 0
9 Privilege Level(4316) 4 0
10 Privilege Level(4316) 4 0
11 Privilege Level(4316) 4 0
12 Privilege Level(4316) 4 0
13 Privilege Level(4316) 4 0
Also when I add myself to another more group I'm locked out of the ASDM.
Why does it happen? How can I prevent it?
Thanks!Hi Steve,
The admin user should have full read-only access to query/read the full directory/structure.
This is what you need to enable password change feature for VPN users on ASA.
LDAP configuration on ASA
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host server-port 636
ldap-base-dn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn
ldap-login-password
ldap-over-ssl enable
server-type Microsoft
NOTE: This will only work with secure LDAP TCP 636
VPN configuration on ASA
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP-AD
default-group-policy DfltGrpPolicy
password-management password-expire-in-days
Settings on the LDAP server
We can create a new user account with password settings "user must change password at next logon" or specific number of days whenever you allow users to change their password.
HTH
Regards,
JK
Maybe you are looking for
-
I've moved my music folder and now iTunes can't "find" my music
I recently moved my iTunes folder of music (46 gigs) from an external drive back to my iMac's internal drive. The music files are all on my iMac now (in the music folder), and I've changed the preferences in order to map iTunes to the new location. B
-
"Can I use Logic Pro in my new imac with 2.66 intel core 2 duo"
Can I use Logic Pro in my new imac with 2.66 intel core 2 duo? With the new leopard operating system? I have a 002 rack from digidesign, that should be good running with a logic pro 8 DAW.
-
HCM Associate level certification
Hi Experts, I am having 8 years of experience in SAP ABAP Development in HR module. I have done ABAP Associate certification in 2010. Now i am planning to do HCM Associate level certification. for that i have collected the below documents from some o
-
Jsf-1.0 Final Release and tomcat 5.019
I post again to say that is works well finally. To make it works: - download jsf-1.0 FR - in your application .war put in WEB-INF/lib/: common-digester.jar, jsf-api.jar, jsf-impl.jar, common-beanutils.jar and jstl.jar. (libs of jsf + lib of jsp). - d
-
Why does my calender reset to gmt instead of local time?
my calendar on my iPhone (5s, 8.0.2) resets to gmt instead of local time. This started after I upgraded to ios8 time zone override is off