Active Directory schema

We are about to take part in a migration from NT4 to Active Directory and have been told that we will not be able to make the schema changes necessary for Unity. If we can't get an exception, will Unified Messaging be able to operate?

Thank you

Jesse

Unfortunately, there isn't any way Unity will install (or function) without the necessary AD schema changes.

Tags: Cisco Support

Similar Questions

  • eSSO - Active Directory schema

    I just started to review the requirements that come with implementations of eSSO. The only thing I do not understand in the installation and administration guides is what changes will have to be made in Active Directory for the installation of this software.

    Is a schema update required? What is affected? Is it possible to make this schema update manually and not through the eSSO-LM Console? If so, what changes should be made?

    Thanks in advance for your help.
    Regards
    Evangelos

    Most customers opt to extend the schema. The schema extension consists entirely of auxiliary classes, so none of the built-in object classes are changed.

    You can store the information in other places, but the complexity is much greater if you do this. The main advantage of using your directory is that it's already distributed within your company and you're probably already backing it up. In addition, you need to hit it in any case for authentication.

    What is the specific concern around schema extensions? Many applications in a domain environment do this (for example, your Exchange server).

    For more information about the schema, see Metalink for the following article:

    Schema definitions for the eSSO Logon Manager [ID 462548.1]

    In addition, to manually extend the schema, you can consult this article from Metalink as well (remember to check your version numbers):

    eSSO: How to manually extend the AD schema for eSSO? [ID 548911.1]

  • What are the versions supported for active directory?

    Is AD still supported on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2?

    Versions of Active Directory schema

    The list of the Active Directory schema versions:

    • Windows 2000 RTM with all Service packs = schema version 13
    • Windows Server 2003 RTM with all Service packs = schema version 30
    • Windows Server 2003 R2 RTM with all Service packs = schema version 31
    • Windows Server 2008 RTM with all Service packs = schema version 44
    • Windows Server 2008 R2 RTM with all Service packs = schema version 47

    Check the schema version in the registry:

    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

    Check the version of the schema with dsquery:

    dsquery * "CN=Schema,CN=Configuration,DC=root-domain" -scope base -attr objectVersion

    OR

    Active Directory schema compatibility:
    13 -> Windows 2000 Server
    30 -> Windows Server 2003 RTM, Windows 2003 with Service Pack 1, Windows 2003 with Service Pack 2
    31 -> Windows Server 2003 R2
    44 -> Windows Server 2008 RTM

  • How to remove OracleContext from Active Directory

    All,

    We have extended our Windows 2003 Active Directory schema using the NetCA tool to test AD integration with Oracle 11g. With testing complete, we are looking for a way to properly remove the schema extensions and remove the OracleContext container from Active Directory. I was not able to find any documentation on this process. Can anyone help?

    You will probably want to consult Microsoft documentation.

    I found this:

    Removing schema information

    It is not possible to remove schema object definitions. However, object definitions can be made unusable through the deactivation process. When an object definition is deactivated, it can no longer be used to create objects in the directory. Objects whose definitions have been deactivated in the schema are referred to as defunct.

    Source: How the Active Directory Schema Works

  • Server 2008 R2 Active Directory Certificate Services does not start

    Hello

    I had a power failure on both of my WD Sentinel DX4000 units running Windows Server 2008 R2. They came back up fine and I checked their integrity, but now one unit gives me an error and does not start Active Directory Certificate Services. I checked Google and read that I need to run eseutil.exe on the CA database, but discovered that utility is provided only with Exchange Server, which I'm not running. Is there another utility that allows you to defragment and repair the Microsoft database? Here is the error I get when I try to start it:

    Log name: Application
    Source: Microsoft-Windows-CertificationAuthority
    Date: 28/07/2014 06:01:39
    Event ID: 17
    Task category: no
    Level: error
    Keywords: Classic
    User: SYSTEM
    Computer: WDOffice
    Description:
    Active Directory Certificate Services did not start: could not initialize the database connection for WDOFFICE-CA. Error 0xc8000147 (ESE: -327).

    Any help would be greatly appreciated,

    Thank you

    Bob

    Bob,

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN:

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • When I try to add 'Active Directory Federation Services' in the VM, it fails with an exception after clicking on the last step of the wizard.

    The Event Viewer log is below.

    *****************************************************************

    Event log:

    Log name: Microsoft-Windows-ServerManager/Operational
    Source: Microsoft-Windows-ServerManager
    Date: 07/03/2012 18:09:06
    Event ID: 1600
    Task category: no
    Level: error
    Keywords:
    User: HDC\Administrator
    Computer: Win2K8HDCRoot.HDC.Com
    Description:
    An error occurred in Server Manager. An unexpected exception was found:
    System.ArgumentNullException: Value cannot be null.
    at Microsoft.Windows.ServerManager.ActiveDirectoryFederationServer.ActiveDirectoryFederationServerProvider.SaveRegistrySetting(Nullable`1 setToCreate, String value, String registryValueName)
    at Microsoft.Windows.ServerManager.ActiveDirectoryFederationServer.ActiveDirectoryFederationServerProvider.PerformActionBeforeInstall(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
    at Microsoft.Windows.ServerManager.Common.Provider.PreInstall(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
    at Microsoft.Windows.ServerManager.Common.Provider.FlushSyncPreInstall(List`1 hostsToSync, Dictionary`2 syncResultMap)
    at Microsoft.Windows.ServerManager.Common.Provider.FlushSync(SyncProgressHandler progressCallback)
    at Microsoft.Windows.ServerManager.Common.Provider.FinalFlush(SyncProgressHandler progressCallback)
    at Microsoft.Windows.ServerManager.Transformation.SyncEngine.Sync(ChangeTracker changeTracker, DiscoveryResult discoveryResult, List`1 progressUpdateIdList)
    at Microsoft.Windows.ServerManager.DiscoveryResult.CommitUpdates(ChangeTracker changeTracker, ProgressUpdateCallback progressUpdateDelegate, List`1 featureIdsOfInterest)


    *****************************************************************

    Host details:

    Win 2K8 R2 Enterprise
    Processor: Xeon X3440
    Roles: Hyper-V, File Services
    Related network configuration: 'Network Discovery' is on, with the "SSDP" and "UPnP" services running. "DNS Client" and "Function Discovery Resource Publication" are also running. The firewall is turned on.
    Virtual machines running: 6
    Total number of network adapters: 2
    NIC 1 (Intel(R) 82578DM Gigabit Network Connection) is connected to the broadband internet service. A static IP is set for my server.
    Number of virtual networks: 2
    Virtual Network 1 is of the "External" type and connected to NIC 1. IPv4/IPv6 IP addresses and DNS are set to automatic.
    Virtual Network 2 is of the "Internal" type. IPv4/IPv6 settings are set to automatic for IP and DNS addresses.

    *****************************************************************

    Virtual machine information:

    Win 2K8 R2 Standard
    Roles: "Active Directory Domain Services", "DNS Server", "File Services" and "Web Server (IIS)".
    Related network configuration: 'Network Discovery' is on, with the "SSDP" and "UPnP" services running. "DNS Client" and "Function Discovery Resource Publication" are also running. The firewall is turned on.
    Number of network adapters: 2
    Network adapter 1 is connected to 'Internal' with IPv4 set to the static IP address '192.168.10.1' and DNS set to '127.0.0.1'. IPv6 is disabled.
    Network adapter 2 is connected to 'External' with IPv4 set to automatic for IP and DNS addresses. IPv6 is disabled.
    Domain controller for HDC.Com.

    *****************************************************************

    Virtual machine history:

    Initially, it had just VS2010 and SP2010 installed, without the DNS and AD DS roles added. Later, VS and SP2010 were uninstalled via the Control Panel, as well as other programs I can't recall. Then the DNS and Active Directory Domain Services roles were added to create and control the domain 'x.com'. After a few days, another virtual machine was configured in the same way and the 'AD FS' role added to try a claims-based app. In the following days, all of the above roles were removed and added again to create and control the current domain 'HDC.Com'. Before this step, the self-signed certificates that had been installed as part of the claims app were removed from the MMC and from IIS. The computer name was changed as well.

    *****************************************************************
    I'm not good at the basics of any of the above and have been learning by trial and error, but I ask the knowledgeable members of the community to help me solve the problem, and I'm sorry if I ask some silly questions as part of this thread.

    Hello

    The question you have posted is generally not answered in the Microsoft Answers forums. It is better suited to the TechNet forum:
    TechNet Forums -http://social.technet.microsoft.com/Forums/en/categories/

  • Integrating Active Directory and UCS Manager

    I'm looking to create an LDAP authentication provider in UCS Manager that will authenticate users against Active Directory. I see in the UCS configuration guide that a schema change is required to add a new attribute for user accounts, and the guide details what the new attribute should be. However, there are no detailed instructions on how to make the change to AD. I imagine some sort of LDIFDE import is required, but does anyone have more detailed steps on how to do it?

    Thank you

    You can SSH into your UCS, go to the NX-OS prompt and test authentication as follows:

    Laurel-A(nxos)# test aaa group ldap cpaggen cisco
    user has been authenticated
    Laurel-A(nxos)# test aaa group ldap cpaggen cisco1
    user authentication failed
    Laurel-A(nxos)# test aaa group ldap foo doesntexist
    user authentication failed
    Laurel-A(nxos)#

    Make sure that this part works. The role assignment comes from CiscoAVPair and the value must be shell:roles="admin" if you want the user to be an administrator. CiscoAVPair must be an attribute of the user object. I've attached a Wireshark screenshot of a successful authentication and authorization.

    You will also find the user definition and the configuration of my UCS attached.

  • Microsoft Active Directory authentication on iDRAC 7

    Hello

    I have set up Microsoft Active Directory authentication on iDRAC 7 with some very basic options (no certificate, no Single Sign-On, no Kerberos keytab, the Standard schema). Everything works fine.

    The problem is that we have 2 forests with a full trust configured between them, and iDRAC is not able to authenticate users from both of them.

    Basically, we have a single security group in one domain and pair users from these two forests (forest1 and forest2) in it. If I add the domain controller (DC) IPs for both forests, authentication fails on the first domain controller if the user is from a different domain (the check does not reach the second DC IP to verify the user). The error I get:

    ERROR: failed to bind: Invalid credentials, 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0: [email protected] host=192.168.0.1.

    [email protected] - forest1 user
    192.168.0.1 - forest2 DC IP

    Does iDRAC support AD authentication for users from a pair of separate forests?

    Thank you

    iDRAC does not support Active Directory authentication for domains outside a single forest.

  • Separate authentication and authorization for Active Directory groups

    Hi all

    After a long search and failure, I write the question.

    I use Oracle APEX 4.2 on Windows Server 2012 on Oracle 12c, all 64-bit.

    We have configured Microsoft Active Directory with LDAP.

    In LDAP, we have a core group, say A, and under it there are two groups: staff and students.

    Under staff there are many other groups, and under students there are a lot of groups.

    I created a mobile application; it has a home page that is publicly accessible without username and password.

    On this home page, I have a list that contains two items: one is staff and the other is student.

    When one of the list items is clicked, the login screen appears.

    Now I want to control this: when the user clicks on the staff list item, only staff should be authenticated.

    If the end user is a student, they must not be authenticated.

    The same goes for the student list item: if the end user clicks on the student list item, only students must be authenticated.

    Could someone please guide me; I have failed in research and testing.

    Thank you.

    Kind regards.

    Hi Maahjoor,

    Try this (it writes out all the attributes for the user) by logging in to your schema in SQL Developer:

    DECLARE

      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      -- Port 389 is plain LDAP: the bind password crosses the network in clear
      -- unless you switch to LDAPS (DBMS_LDAP.open_ssl) or StartTLS.
      l_ldap_port    VARCHAR2(256) := '389';
      l_ldap_user    VARCHAR2(256) := 'cn=hct\itnew';
      l_ldap_passwd  VARCHAR2(256) := 'itnew';
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';

      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;

    BEGIN

      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;

      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);

      -- Simple bind as the user: the server rejects the bind if the password is wrong.
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);

      -- Get all attributes
      l_attrs(1) := '*'; -- retrieve all attributes
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);

      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);

        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attributes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;

      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);

    END;
    /
    

    NOTE: The dn parameter of simple_bind_s requires the exact distinguished name of the user. In addition, in the filter parameter of search_s you can use the username, i.e. "cn=firstname.lastname".

    You can have one specific attribute extracted for the user by changing the attribute list from:

    l_attrs(1) := '*';
    

    TO

    l_attrs(1) := 'title';
    

    Then you can write a function based on the above code to extract an LDAP user attribute as follows:

    create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
                                                          , p_password in varchar2
                                                          , p_attrname in varchar2 )
    return varchar2
    as

      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      -- Port 389 is plain LDAP; use LDAPS (DBMS_LDAP.open_ssl) for production.
      l_ldap_port    VARCHAR2(256) := '389';
      -- p_username is concatenated into both the bind DN and the search filter
      -- without escaping; validate it (or escape it per RFC 4515) before use so
      -- that a caller cannot inject filter syntax.
      l_ldap_user    VARCHAR2(256) := 'cn='||p_username;
      l_ldap_passwd  VARCHAR2(256) := p_password;
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';

      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_attr_value   VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;

    BEGIN

      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;

      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);

      -- Bind as the user with the supplied password; a wrong password raises here.
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);

      -- Get specific attributes
      l_attrs(1) := p_attrname;
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);

      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);

        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
              -- For a multi-valued attribute this keeps the last value returned.
              l_attr_value := l_vals(i);
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attributes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;

      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
      DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);

      return l_attr_value;

    END fnc_get_ldap_user_attr_val;
    /
    

    Then create an application item called AI_USER_AD_TITLE under Shared Components -> Application Items.

    Create the following procedure to set the application item on user login in your APEX application:

    create or replace procedure ldap_post_auth
    as

      l_attr_value varchar2(512);

    begin

      -- The password is read back from APEX session state (P101_PASSWORD), so that
      -- item must not be persisted after the login page has been processed.
      l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
                                                 , p_password => apex_util.get_session_state('P101_PASSWORD')
                                                 , p_attrname => 'title' );

      apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);

    end ldap_post_auth;
    /
    

    Set the 'Post-Authentication Procedure Name' in your authentication scheme to 'ldap_post_auth'.

    Then modify the on-load process on the home page of your PORTALS application to:

    begin
    
        if :AI_USER_AD_TITLE = 'Student' then
            apex_util.redirect_url(p_url=>'f?p=114:1');
        else
            apex_util.redirect_url(p_url=>'f?p=113:1');
        end if;
    
    end;
    

    I hope this helps!

    Kind regards

    Kiran

  • Can we look up user details for all users directly from Active Directory in a WebCenter Portal application?

    Hi again.

    It's not just WebCenterDS in WebLogic... If it's a custom portal, you would have created a CustomPortalDS.

    You need to make a DB connection in your JDeveloper Portal App rather than a link to the WebCenterDS schema.

    Deploying and Testing Your WebCenter Portal: Framework Application - 11g Release 1 (11.1.1.7.0)

    Follow the links provided by Vinay on WLST.

    Kind regards.

  • vRO 7 Active Directory plugin returns computer objects when type is set to 'User'

    First of all, I would like to say that so far it looks like the AD plugin provided with vRO 7 actually works with our directory. The last time I tested, it was still too slow and unstable. I don't know if it's something on our end or the result of changes made by the vRO team, but it's promising.

    I'm curious to know if I'm testing something wrong, however. It looks like the search functions return types of objects other than "User" when I specify that type to ActiveDirectory.search*. I certainly see computer objects. If I specify "ComputerAD" as the type, search filtering seems to work, because I see only computers.

    Also, is there a way to specify the field to search? We created a workflow that wraps the dsquery command and queries against specific fields. Is there a way to format the query string for a target field?

    > I'm curious to know if I'm testing something wrong, however. It looks like the search functions return types of objects other than "User" when I specify that type to ActiveDirectory.search*. I certainly see computer objects. If I specify "ComputerAD" as the type, search filtering seems to work, because I see only computers.

    If you check the Active Directory schema, you will see that, for example, the computer object is a subclass of user, which makes it a user object type.

    If you look at the objectClass property of a user object, you will find the following object classes: "top; person; organizationalPerson; user".

    If you look at the objectClass property of a computer object, you will find the following object classes: "top; person; organizationalPerson; user; computer".

    When the AD plugin runs the query for user objects, it limits the result based on object class by asking for all objects that have at least the classes "top; person; organizationalPerson; user", but does not specify that the object class hierarchy does not contain others. That's why it also returns computers as users.

    We maintain this behavior for backward compatibility with the old version of the plugin, but I agree that it makes sense to limit your search to 'User' objects only. You can open a customer request for the appropriate follow-up.

    > Also, is there a way to specify the field to search? We created a workflow that wraps the dsquery command and queries against specific fields. Is there a way to format the query string for a target field?

    As far as I know there is no such possibility in the current plugin. There are several requests about a generic search method allowing the use of LDAP syntax directly to query the AD server. We are considering adding this feature to the plugin, but it is a matter of priorities. Something like AdHost.search(ldap_query_string).

    Not sure if this will solve your use cases. Could you give a little more detail around it? An example workflow would also help.

  • WebLogic Active Directory Authentication provider problem: <DN for user...: null>

    I have a Java application (SSO via SAML2) using WebLogic as an identity provider. Everything works fine using users created directly in WebLogic. However, I need to add support for Active Directory. Thus, according to the documentation:

    - I set up an Active Directory authentication provider

    - changed its order in the list of authentication providers so that it is first

    - set the control flag to SUFFICIENT and configured the specific provider; here's the relevant part of the config.xml file:

    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
            <sec:name>MyOwnADAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
            <wls:host>10.20.150.4</wls:host>
            <wls:port>5000</wls:port>
            <wls:ssl-enabled>false</wls:ssl-enabled>
            <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
            <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
            <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
            <wls:cache-enabled>false</wls:cache-enabled>
            <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
    </sec:authentication-provider>
    
    
    

    I configured an AD LDS (Active Directory Lightweight Directory Services) instance on a Windows Server 2008 R2. I created the users and an admin user "tadmin" that has been added to the Administrators members. I've also made sure to set the msDS-UserAccountDisabled property.

    After restarting WebLogic, I see that users and groups from AD LDS are properly retrieved in WebLogic. But when I try to log in to my application using username: tadmin and password: <...>, it doesn't work.

    Here's what I see in the log file:

    <BEA-000000> <LDAP Atn Login username: tadmin>
    <BEA-000000> <authenticate user:tadmin>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    <BEA-000000> <DN for user tadmin: null>
    <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
    <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
      at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
      at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    
    
    

    So I tried to see why I get <DN for user tadmin: null>. In Apache Directory Studio I reproduced the LDAP search request used by WebLogic, and indeed I get no results. But if I change the filter to just "(&(cn=tadmin)(objectclass=user))" (NOTE: no userAccountControl), it works; here is the result from Apache Directory Studio:

    #!SEARCH REQUEST (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.324
    # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
    # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
    # baseObject   : CN=wl,DC=at,DC=com
    # scope        : wholeSubtree (2)
    # derefAliases : derefAlways (3)
    # sizeLimit    : 1000
    # timeLimit    : 0
    # typesOnly    : False
    # filter       : (&(cn=tadmin)(objectclass=user))
    # attributes   : objectClass
    
    
    #!SEARCH RESULT DONE (145) OK
    #!CONNECTION ldap://10.20.150.4:5000
    #!DATE 2014-01-23T14:52:09.356
    # numEntries : 1
    
    
    

    (the "[email protected]" is defined as the userPrincipalName of the tadmin user in AD LDS)

    As you can see, "# numEntries : 1" (and I can see the entry "CN=tadmin,CN=wl,DC=at,DC=com" as the result in the Apache Directory Studio interface); if I add the userAccountControl filter I get 0.

    I read that AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; among these attributes is msDS-UserAccountDisabled, which, as I said, I have already set to FALSE.

    So, my question is: how do I make this work? Why do I get "<DN for user tadmin: null>"? Is it the userAccountControl? If so, should I configure my AD LDS differently? Or how can I get rid of the userAccountControl filter in WebLogic?

    I can't find it in the configuration files or in the interface: I only have "User Name Filter: (&(cn=%u)(objectclass=user))"; there is no userAccountControl.

    Another difference I noticed is that, even though in WebLogic I set the SSL Enabled flag to false, in the log I see ldaps rather than ldap (I am not trying to set up something production-ready and I don't want SSL for the moment).

    Here are some other things I tried, but they don't change anything:

    - other msDS-* attributes were not set, so I tried initializing them to a value

    - I tried other users defined in AD LDS, not tadmin

    - in WebLogic, I added the users imported from AD LDS to Roles and Policies > Realm Roles > Global Roles > Roles > Admin

    - I removed all occurrences of userAccountControl I found in XML files in WebLogic (schema.ms.xml, schema.msad2003.xml)

    Any thoughts?

    Thank you.

    In case some other poor soul stumbles on this issue: I got this working by configuring a generic LDAP authenticator.

    See also:

    Re: could not log in to the WLS console with a directory user
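    The search in the log above, replayed over in-memory entries, as an added example (this is not WebLogic, Microsoft or Oracle code): a small three-valued evaluator for the filter subset the WebLogic Active Directory authenticator generates, following RFC 4511 section 4.5.1.7, where a filter item on an attribute the server does not recognise is Undefined and an AND that contains an Undefined item never selects the entry. The entries and the per-directory schema attribute sets are constructed; modelling AD LDS as not knowing userAccountControl is an assumption that reproduces the empty result in the thread, not a verified schema fact. ADLDS_FILTER is the msDS-UserAccountDisabled-based equivalent of the "enabled user" test, in the shape a generic LDAP authenticator's user name filter (the "(&(cn=%u)(objectclass=user))" the poster mentions) accepts.

```python
"""Three-valued LDAP filter evaluation (RFC 4511 section 4.5.1.7) over
in-memory entries.  Added example, not WebLogic/Microsoft/Oracle code.
Entries and schema sets are constructed; AD LDS not knowing
userAccountControl is an assumption made for this example."""

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"
BIT_AND = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                     # userAccountControl flag 0x2

# Filter the WebLogic Active Directory authenticator built in the thread's log
WEBLOGIC_AD_FILTER = ("(&(&(cn=%s)(objectclass=user))"
                      "(!(userAccountControl:" + BIT_AND + ":=" + str(ACCOUNTDISABLE) + ")))")
# Same "user exists and is enabled" test expressed with the AD LDS attribute
ADLDS_FILTER = "(&(cn=%s)(objectclass=user)(!(msDS-UserAccountDisabled=TRUE)))"


def parse(text):
    """Parse the filter subset (&..), (|..), (!..), (a=v), (a:rule:=v) into tuples."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:]
    if s[0] in "&|!":
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), s[1:]
    end = s.index(")")
    item, s = s[:end], s[end + 1:]
    attr, _, value = item.partition("=")
    if attr.endswith(":"):                       # extensible match  attr:OID:=value
        attr, _, rule = attr[:-1].partition(":")
        return ("ext", attr.lower(), rule, value), s
    return ("eq", attr.lower(), value), s


def evaluate(node, entry, schema):
    """entry: {attribute.lower(): [values]}; schema: attributes the server knows.
    Unknown attribute -> UNDEFINED; known but absent from the entry -> FALSE."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [evaluate(k, entry, schema) for k in node[1]]
        short, other = (FALSE, TRUE) if kind == "&" else (TRUE, FALSE)
        if short in results:
            return short
        return UNDEFINED if UNDEFINED in results else other
    if kind == "!":
        inner = evaluate(node[1][0], entry, schema)
        return {TRUE: FALSE, FALSE: TRUE}.get(inner, UNDEFINED)
    attr = node[1]
    if attr not in schema:
        return UNDEFINED
    values = entry.get(attr, [])
    if not values:
        return FALSE
    if kind == "eq":
        return TRUE if any(v.lower() == node[2].lower() for v in values) else FALSE
    rule, mask = node[2], int(node[3])
    if rule != BIT_AND:
        return UNDEFINED                         # other matching rules not modelled
    return TRUE if any(int(v) & mask == mask for v in values) else FALSE


def search(filter_text, entries, schema):
    """DNs of the entries for which the filter evaluates to TRUE (only TRUE selects)."""
    node = parse(filter_text)
    return [dn for dn, e in entries.items() if evaluate(node, e, schema) == TRUE]


# Constructed data.  AD: userAccountControl 512 = normal account, 514 = normal + disabled.
AD_SCHEMA = {"cn", "objectclass", "useraccountcontrol"}
AD_ENTRIES = {
    "CN=alice,CN=Users,DC=example,DC=com":
        {"cn": ["alice"], "objectclass": ["top", "person", "user"], "useraccountcontrol": ["512"]},
    "CN=bob,CN=Users,DC=example,DC=com":
        {"cn": ["bob"], "objectclass": ["top", "person", "user"], "useraccountcontrol": ["514"]},
}
# AD LDS: enabled/disabled lives in msDS-UserAccountDisabled (assumption: no userAccountControl)
ADLDS_SCHEMA = {"cn", "objectclass", "msds-useraccountdisabled"}
ADLDS_ENTRIES = {
    "CN=tadmin,CN=wl,DC=at,DC=com":
        {"cn": ["tadmin"], "objectclass": ["top", "person", "user"], "msds-useraccountdisabled": ["FALSE"]},
    "CN=olduser,CN=wl,DC=at,DC=com":
        {"cn": ["olduser"], "objectclass": ["top", "person", "user"], "msds-useraccountdisabled": ["TRUE"]},
}

if __name__ == "__main__":
    print(search(WEBLOGIC_AD_FILTER % "alice", AD_ENTRIES, AD_SCHEMA))          # alice: enabled, found
    print(search(WEBLOGIC_AD_FILTER % "bob", AD_ENTRIES, AD_SCHEMA))            # bob: disabled, filtered out
    print(search(WEBLOGIC_AD_FILTER % "tadmin", ADLDS_ENTRIES, ADLDS_SCHEMA))   # empty: AND with UNDEFINED
    print(search(ADLDS_FILTER % "tadmin", ADLDS_ENTRIES, ADLDS_SCHEMA))         # tadmin found
    print(search(ADLDS_FILTER % "olduser", ADLDS_ENTRIES, ADLDS_SCHEMA))        # disabled AD LDS user out
```

    The point of the three-valued logic is that the NOT clause does not simply "pass" when the attribute is missing: under the modelled schema the bitwise item is Undefined, NOT keeps it Undefined, and the enclosing AND cannot become TRUE, which is exactly the "DN for user tadmin: null" seen in the log. Swapping in the msDS-UserAccountDisabled clause keeps the security property the original filter was there for (disabled accounts cannot log in) instead of just dropping it.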

  • Authenticating Oracle Database with Active Directory

    I installed Oracle Database 11.2.0.3.0 on Windows Server 2008 R2 64-bit. The company uses Microsoft Active Directory and I need to set up access to the Oracle database for users that are stored in Active Directory. Do I need another product in addition to the database to do this? If so, which version of the product would I need?

    To authenticate Oracle Database users that are stored in Active Directory, you must create the Oracle schema objects and an Oracle Context.

    You can see the chapter on "Requirements for using Oracle with Active Directory database"
    http://docs.Oracle.com/CD/B28359_01/win.111/b32010/active_dir.htm#CDECHCBC

  • LDAP to Active Directory = 'invalid login credentials'

    Hello

    I am trying to set up Active Directory authentication in APEX, so I am changing the authentication scheme to LDAP Directory.

    I filled in the host, port, No SSL, etc. on the settings tab:

    Host: IP address of the ad server
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) string: domain\%LDAP_USER%
    Just use the distinguished name (DN): Yes

    However, when I try to run the application and enter my details, it keeps returning "invalid login credentials".

    What have I missed?

    I came across the following code on another thread, but where would this go in the PL/SQL code?

    DECLARE
      vSession DBMS_LDAP.session;
      vResult  PLS_INTEGER;
    BEGIN
      -- raise exceptions instead of returning error codes
      DBMS_LDAP.use_exception := TRUE;
      vSession := DBMS_LDAP.init(hostname => 'CREDPWY01SDCG01',
                                 portnum  => 389);
      -- simple bind with the user's DN (NULL password, as posted)
      vResult := DBMS_LDAP.simple_bind_s(ld     => vSession,
                                         dn     => 'CN=<user name>,dc=credit,dc=com',
                                         passwd => NULL);
      DBMS_OUTPUT.put_line('user authenticated!');
      vResult := DBMS_LDAP.unbind_s(vSession);
    END;

    I'm not able to authenticate at all when using apex_ldap, regardless of whether I pass NULL for the password or use the real password.

    BEGIN
      IF APEX_LDAP.authenticate(p_username    => '<username>',
                                p_password    => NULL,
                                p_search_base => 'dc=credit,dc=com',
                                p_host        => 'CREDPWY01SDCG01',
                                p_port        => 389) THEN
        DBMS_OUTPUT.put_line('ok');
      ELSE
        DBMS_OUTPUT.put_line('not ok');
      END IF;
    END;

    Published by: Rambo79 on November 5, 2012 03:44

    This is an AD configuration setting, which allows or prohibits anonymous binds. It is not on the APEX side. Try asking your AD administrator why this is so.
    As you need a password in your APEX application anyway, make sure the password field is required / add a validation, as Christian suggested.
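    To make concrete what the two answers above mean by "anonymous binds", here is an added example (not APEX_LDAP, DBMS_LDAP or Active Directory code, and it talks to no server): it BER-encodes an LDAP simple BindRequest as defined in RFC 4511 section 4.2 and classifies captured ones. A bind carrying a name but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2): a server configured to accept it does not fail the login, it grants anonymous authorization and returns success, which is why a login routine that forwards a NULL password must refuse it before binding. The bind name used, EXAMPLE\jsmith, is the NetBIOS domain\user form the APEX DN string domain\%LDAP_USER% produces; AD accepts that form, a DN or a UPN as the simple-bind name. Names, message IDs and packets are constructed for the example.

```python
"""BER encoding and classification of LDAP simple BindRequests.
Added example; not APEX/Oracle/Microsoft code.  Names and packets are constructed."""

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0] constructed
TAG_SIMPLE_AUTH = 0x80      # AuthenticationChoice: simple [0] OCTET STRING


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def _integer(n):
    """Non-negative INTEGER; a leading 0x00 keeps the top bit clear."""
    return _tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _encode_bind(message_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    No checks here: used to build captures of the bad cases too."""
    bind = _tlv(TAG_BIND_REQUEST,
                _integer(3)
                + _tlv(TAG_OCTET_STRING, name.encode("utf-8"))
                + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _integer(message_id) + bind)


def simple_bind_request(message_id, name, password):
    """Client-side guard from RFC 4513 5.1.2: never send a name with an empty
    password, because the server would treat it as an unauthenticated bind
    (anonymous authorization, success result) rather than a failed login."""
    if name and not password:
        raise ValueError("empty password with a bind name would be an unauthenticated bind")
    return _encode_bind(message_id, name, password)


def _read_tlv(data, pos):
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n


def classify_bind(packet):
    """Decode a BindRequest and name its kind: 'anonymous' (no name, no password),
    'unauthenticated' (name, empty password), 'simple' (name and password) or 'sasl'.
    Handy when reviewing a capture of a login path that seems to accept anyone."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(message, 0)
    tag, bind, _ = _read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, credentials, _ = _read_tlv(bind, pos)
    if tag != TAG_SIMPLE_AUTH:
        return "sasl"
    if not name:
        return "anonymous"
    return "unauthenticated" if not credentials else "simple"


if __name__ == "__main__":
    good = simple_bind_request(1, "EXAMPLE\\jsmith", "s3cret")     # NT-style name, as domain\%LDAP_USER% yields
    print(good.hex(), classify_bind(good))
    print(classify_bind(_encode_bind(2, "EXAMPLE\\jsmith", "")))    # what a NULL password turns into
    try:
        simple_bind_request(3, "EXAMPLE\\jsmith", "")
    except ValueError as err:
        print("refused:", err)
```

    Whether such a bind actually succeeds is decided by the directory, as the answer says, so the application-side rule is the only part under your control: require the password before calling any bind routine, and treat an "unauthenticated" classification in a capture of the login path as a finding, not as a working login.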

  • APEX_LDAP.AUTHENTICATE - using Microsoft Active Directory

    Application Express 4.1.1.00.23
    Internet Explorer 8
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

    Hi, I'm very new to APEX and trying to get authentication working against our Active Directory. I set up an authentication scheme for my application, choosing the scheme type LDAP Directory... my settings are the following:

    Host: *.
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) string: domain\%LDAP_USER%
    Just use the distinguished name (DN): Yes

    This works perfectly and authenticates the user against Active Directory. The problem is when I try to do the following in the database, since I really want to implement a custom authentication scheme; it just doesn't work.

    BEGIN
      IF apex_ldap.authenticate(p_username    => 'testusername',
                                p_password    => 'testpassword',
                                -- value taken from the declarative scheme's DN string, passed here as the search base
                                p_search_base => 'domain\%LDAP_USER%',
                                p_host        => '*',
                                p_port        => 389) THEN
        dbms_output.put_line('True');
      ELSE
        dbms_output.put_line('False');
      END IF;
    END;

    No matter what I do, it always returns false. I created a function based on the same code and a custom authentication scheme that calls the function, but I still get false. Not sure why it works one way and not the other. I would really appreciate it if someone could help me get the code above working or help correct it.

    I looked through the forum and tried many different search base strings, but nothing seems to work.

    Regards
    Ash

    Hey Ash,

    you could use the built-in LDAP authentication scheme and use a post-authentication function to load the group information into some application items. An application-level authorization scheme can then allow or deny access to the app based on these values. In the post-auth function, you should even have access to the login items (P101_USERNAME, P101_PASSWORD) if you need them.

    You can also base your custom authentication scheme directly on DBMS_LDAP if you want to avoid our unsupported API.

    Kind regards
    Christian
