LDAP Authentication

Former Member
0 Kudos

Hi All,

I want to implement single sign-on in SAP xMII. I followed all the steps in the help. In the LDAP User Configuration window I get the user list, but I don't know what I have to do with these results... In the Policy window I set up LDAP too, with the same trouble: I cannot log on with my LDAP account...

What do I have to do? What is the main difference between LDAP User Configuration and Policy?

Thanks for any answer,

Vinicius

Konitech/Neoris - Brasil

Accepted Solutions (1)

jamie_cawley
Advisor
0 Kudos

Hi Vinicius,

LDAP User Configuration is used to manage the users and all aspects of users on the LDAP side. Policy is used only for authentication; roles and users and their attributes would be handled by xMII.

If you are interested in setting up SSO with LDAP, take a look at web parts configuration in the help documentation. Try searching for 'sso' to find it. You could also use NTLM, which is a much easier setup.

Regards,

Jamie Cawley

Former Member
0 Kudos

Hello Joe,

I tried many ways. I will describe:

1 - Using LDAP Authentication

In the SAP xMII Admin Menu -> Security Services -> Security Manager -> User Manager -> LDAP User Configuration:

I set up the default_ldap with my settings and wrote the "select" code in the Select User List; I receive my user list correctly.

2 - Policy

I did the same settings using LDAP, but nothing happened. One time, I made the mistake of setting Control Flag to required... To correct this I needed to reinstall my xMII.

I read the help, but I could find the correct way to do this: authenticate Windows (LDAP) and xMII together.

Thanks,

Vinicius

Former Member
0 Kudos

Vinicius,

After you set it up - are you able to log in with your LDAP information? What errors do you get?

Joe

Former Member
0 Kudos

Joe,

In LDAP User Configuration - Tab Queries:

- Select User List

select sAMAccountName from XXXX where objectCategory=user

- Select User

select sAMAccountName from XXXX where sAMAccountName=?

XXXX - is the same for both

When I login using my LDAP/Windows account I receive this message "Sorry, you entered an invalid username or password. Please try again!".

I tried many codes in SQL, and nothing.

Sorry for a lot of questions...

Vinicius

Former Member
0 Kudos

Vinicius,

Check your security logs - what do they tell you?

After editing the queries I assume that you tested them and they worked?

What do you have in your policy settings?

Also, did you enable the LDAP configuration?

Joe

Former Member
0 Kudos

Joe,

I watched all the logs in Log Management and nothing.

Yes, these queries work correctly; they bring me the list of users, also when I change ? to a specific user.

The LDAP is enabled...

Where do I find the log errors that show the user trying to log in?

Vinicius

Former Member
0 Kudos

Vinicius,

Take a look at the logs in the Security Manager (not the ones on Log Management in the Administration Menu). These (security logs) will provide you with login information and problems.

Joe

Former Member
0 Kudos

Joe,

The log error follows:

Tue Nov 07 15:44:16 GMT-03:00 2006 WARN Login Invalid username or password

Tue Nov 07 15:44:16 GMT-03:00 2006 ERROR JAASHandler Could not authenticate - javax.security.auth.login.LoginException: Login Failure: all modules ignored
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.invoke(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.access$000(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.invokeModule(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.login(Unknown Source)
    at com.lighthammer.cas.authentication.handler.JAASHandler.authenticate(Unknown Source)
    at com.lighthammer.cas.gui.servlet.Login.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.newatlanta.servletexec.SERequestDispatcher.forwardServlet(SERequestDispatcher.java:638)
    at com.newatlanta.servletexec.SERequestDispatcher.forward(SERequestDispatcher.java:236)
    at com.newatlanta.servletexec.SERequestDispatcher.internalForward(SERequestDispatcher.java:283)
    at com.newatlanta.servletexec.ApplicationInfo.processApplRequest(ApplicationInfo.java:1846)
    at com.newatlanta.servletexec.ServerHostInfo.processApplRequest(ServerHostInfo.java:937)
    at com.newatlanta.servletexec.ServletExec.ProcessRequest(ServletExec.java:1091)
    at com.newatlanta.servletexec.ServletExec.ProcessRequest(ServletExec.java:973)
    at com.newatlanta.servletexec.ServletExecService.processServletRequest(ServletExecService.java:167)
    at com.newatlanta.servletexec.ServletExecService.Run(ServletExecService.java:204)
    at com.newatlanta.servletexec.HttpServerRequest.run(HttpServerRequest.java:487)

I did nothing in Policy. Do I have to do something? What is the difference between these two modes of authentication?

Thanks again,

Vinicius

Message was edited by: Vinicius Martins

Former Member
0 Kudos

Vinicius,

You should create an LDAP policy and set the control flag to sufficient.

Let me know if this helps.

Joe

Former Member
0 Kudos

Joe,

Yes, I did this. When I press Load Users, the pop-up shows me all users from the LDAP server.

I have no idea what is wrong in my configuration. I followed all the steps in the help.

What is the sequence to authenticate used by xMII? Is it a problem with my LDAP server?

Thanks a lot for your help...

Vinicius

Former Member
0 Kudos

Vinicius,

I assume that you are getting the same errors in your log files after you added the policy?

You may need to contact support as I am unable to re-create your issue.

Joe

Former Member
0 Kudos

Joe,

I called Exton and talked with Jamie Cawley. I showed my settings with WebEx.

I disabled the LDAP User Authentication, and in the Policy I imported the users.

The log from the General Log follows:

Timestamp Level Class Name Message

2006-11-08 16:34:39,386 WARN Login Invalid username or password

2006-11-08 16:34:39,386 ERROR JAASHandler Could not authenticate javax.security.auth.login.LoginException: Could not login into LDAP System
    at com.lighthammer.cas.authentication.security.spi.LdapLoginModule.doAuthenticate(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.AbstractLoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.invoke(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.access$000(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.invokeModule(Unknown Source)
    at com.lighthammer.cas.authentication.security.spi.LHLoginContext.login(Unknown Source)
    at com.lighthammer.cas.authentication.handler.JAASHandler.authenticate(Unknown Source)
    at com.lighthammer.cas.gui.servlet.Login.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.newatlanta.servletexec.SERequestDispatcher.forwardServlet(SERequestDispatcher.java:638)
    at com.newatlanta.servletexec.SERequestDispatcher.forward(SERequestDispatcher.java:236)
    at com.newatlanta.servletexec.SERequestDispatcher.internalForward(SERequestDispatcher.java:283)
    at com.newatlanta.servletexec.ApplicationInfo.processApplRequest(ApplicationInfo.java:1846)
    at com.newatlanta.servletexec.ServerHostInfo.processApplRequest(ServerHostInfo.java:937)
    at com.newatlanta.servletexec.ServletExec.ProcessRequest(ServletExec.java:1091)
    at com.newatlanta.servletexec.ServletExec.ProcessRequest(ServletExec.java:973)
    at com.newatlanta.servletexec.ServletExecService.processServletRequest(ServletExecService.java:167)
    at com.newatlanta.servletexec.ServletExecService.Run(ServletExecService.java:204)
    at com.newatlanta.servletexec.HttpServerRequest.run(HttpServerRequest.java:487)

2006-11-08 16:34:39,386 FATAL LdapLoginModule javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893]

I will try to set it up in another environment.

What I don't understand is that when I press Load Users, xMII brings me the list of users... In LDAP User Authentication -> Select User List, the select brings the same list. Why do I have a problem with the password only in the authentication process, not in the select process?

Vinicius

Former Member
0 Kudos

Check that your license has a "true" setting for external users.

Also - what version and build are you using?

I did a Google search on the error ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B) and found that this error could be caused by not using a full DN.

Not sure why the full list of names would come back though.

Joe

Former Member
0 Kudos

Bingo!!!!

This is correct, I found the same tip in Google. The DN Suffix in my network is not simple; I talked with the network administrator and he told me the true value.

Now, I have another question. Do I have to edit all imported users to add the Roles? What do I have to do so that when the user opens the browser and enters the xMII URL, xMII opens with their Windows/LDAP logon permissions?

Thanks so much for your attention, patience and good answers.

Best Regards,

Vinicius
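
An added example, not part of the original thread: Active Directory reports the reason for an LDAP result code 49 bind failure as a hex Win32 error in the `data` field, and `data 525` (ERROR_NO_SUCH_USER) means the bind name did not resolve to an account, which is consistent with the DN suffix fix above rather than a wrong password. The sketch below triages such log lines; the second and third sample lines and the category names are constructed for illustration.

```python
import re
from collections import Counter

# Hex Win32 error codes Active Directory places in the "data" field of a
# failed bind (LDAP result code 49). Category names are this example's own.
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "identity"),          # bind name not found
    0x52E: ("ERROR_LOGON_FAILURE", "credential"),       # account found, bad password
    0x530: ("ERROR_INVALID_LOGON_HOURS", "account-state"),
    0x531: ("ERROR_INVALID_WORKSTATION", "account-state"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "account-state"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account-state"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account-state"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "account-state"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account-state"),
}

BIND_ERROR = re.compile(
    r"\[LDAP: error code (?P<ldap>\d+) - [0-9A-Fa-f]{8}: LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)

def parse_bind_error(line):
    """Return the decoded AD bind failure in a log line, or None."""
    m = BIND_ERROR.search(line)
    if m is None or m.group("ldap") != "49":
        return None
    sub = int(m.group("data"), 16)
    name, category = AD_BIND_SUBCODES.get(sub, ("UNKNOWN", "unknown"))
    return {"dsid": m.group("dsid"), "data": sub, "name": name, "category": category}

def triage(lines):
    """Count bind failures per category across a set of log lines."""
    return Counter(e["category"] for e in map(parse_bind_error, lines) if e)

SAMPLE = [
    # From the thread's General Log.
    "2006-11-08 16:34:39,386 FATAL LdapLoginModule javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893]",
    # Constructed: the same message with the wrong-password sub-code.
    "2006-11-08 16:40:02,101 FATAL LdapLoginModule javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893]",
    # Constructed: a line with no LDAP detail is ignored.
    "2006-11-08 16:40:02,101 WARN Login Invalid username or password",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_bind_error(line))
    print(triage(SAMPLE))
```

A run of "identity" failures for every user points at the configured DN or DN suffix; "credential" failures mean the account was found and the password was rejected.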

Former Member
0 Kudos

Vinicius,

I believe you are managing your users externally? In External mode, you do not define users in Security Manager. You define “queries” against an LDAP system or against a database that stores your users, roles, and role membership information. You effectively “map” Security Manager to the third party provider.

For your logon question - search Programmatic login in the help. That may have the information that you need.

Joe

Answers (1)

0 Kudos

Vinicius,

Please search on the SDN for 'xMII SSO'. This document was written by Jamie Cawley of the xMII Support Team and will give you the 'How-To' steps that you are looking for.

Regards,

Salvatore Castro

xMII Consulting and Field Enablement

Former Member
0 Kudos

Salvatore,

I found one with the name "Setting up Single Sign On between xMII and Enterprise Portal.pdf"; is this the correct document?

This document talks about SSO between xMII and EP. I want to use LDAP or Windows Domain with the logon window... I can't figure out what I have to do with this document in my case.

Regards,

Vinicius Martins

Former Member
0 Kudos

Hello Vinicius,

After following the steps in the help docs, how are you logging in? How many policies do you have set up and what types are they?

Thanks,

Joe Montagna

Infodat International, Inc.