34 Replies Latest reply: Apr 14, 2011 6:37 PM by 838745

    Assigned User Profile / AD groups /

    838745
      I am new to SGD and trying to figure out how to give permission to certain AD groups for certain applications.

      I have two AD groups, Info_Portal and Info_Survey, and five applications, let's say App1, App2, App3 and App4. I would like the App1 and App2 applications available to Info_Portal only and App3 and App4 available to Info_Survey only.

      I kind of got the picture for assigning profiles to applications, but I am not clear how to create this new AD profile within SGD.

      Since I am new to SGD would prefer options through Admin console.

      Thanks.

      Habib.
        • 1. Re: Assigned User Profile / AD groups /
          DeanyDean
          Hi Habib,

          The SGD Admin Guide has some good pointers on assigning applications to AD/LDAP groups. You can find the documentation on this for SGD 4.6 here:

          http://download.oracle.com/docs/cd/E19351-01/821-1926/z4000be81312457.html#z40003821318141

          Hope this helps,

          Matt
          • 2. Re: Assigned User Profile / AD groups /
            838745
            Hi Matt,

            Thanks for the quick response. It was a good link you provided. I have a much better picture; however, I am still not there yet. I have assigned each application a specific user profile (group), but I am still missing something because it is still not working. And when I say it is not working, I mean it is still showing all the applications, including those I am not supposed to have based on the AD profile.

            I am digging more into the documentation, but if there is something you could point me to in the right direction, that would be nice.

            In the meantime, I am looking at “Effective User Profile” and “Editable Assignments”. In my case “Editable Assignments” is showing the appropriate groups, but “Effective User Profile” is either blank or showing “NT User Profile” and “LDAP Profile”. Does it mean I missed a step?

            Thanks.

            Habib.
            • 3. Re: Assigned User Profile / AD groups /
              DeanyDean
              Hi Habib,

              If you want to assign an application to an AD group, you need to:

              1) Login to the SGD Admin Console
              2) Navigate to the "Applications" tab.
              3) Browse to the application you want to assign and click on its name.
              4) In Object View, navigate to the "Assigned User Profiles" tab.
              5) Click on the "Add" button in the "Editable Assignments" section.
              6) In the "Add Assignment" window, set "Repository" to be -> "Local + LDAP" (top right).
              7) (If multiple service objects) Select "View" and choose the correct service object.
              8) Browse to the AD group (marked with a blue bar) that you want to assign the application to.
              9) Check the checkbox next to that group and press the "Add" button.
              10) Back in Object View, click the "(Load LDAP Assignments)" button in the "Effective User Profiles" section.

              The users in the AD group that you assigned in step #9 should be displayed in the "Effective User Profiles" section.

              Hope this helps,

              Matt
              • 4. Re: Assigned User Profile / AD groups /
                838745
                Hi Matt,

                Thanks again for the detailed step-by-step instructions. I sincerely appreciate it.

                I did follow every single step (earlier I was missing step 10). Looks good, but unfortunately still no success. 'Effective User Profiles' looks good, but it is still not displaying the list of groups I am supposed to see as a member of the AD group.

                While I was playing with groups, I realized that it doesn't do anything with AD groups, but it works with 'NT User Profile' (Local Profile). If I remove this group, I don't see anything. If I add it back, I can see the list of applications that are assigned to this profile.

                At this point I am not sure what this 'NT User Profile' is, how to avoid it, and what to do to rely on AD groups.

                Any suggestion would be appreciated.

                Habib.
                • 5. Re: Assigned User Profile / AD groups /
                  DeanyDean
                  Hi Habib,

                  Can you post the output of:

                  # tarantella config list login-ldap login-ad login-nt login-nt-domain

                  Thanks,

                  Matt
                  • 6. Re: Assigned User Profile / AD groups /
                    838745
                    Hi Matt,

                    Thanks a million for helping with this. Here is the output:

                    login-ad: 1
                    login-ldap: 0
                    login-nt-domain: orgds1.hs.uci.edu
                    login-nt: 1

                    Habib.
                    • 7. Re: Assigned User Profile / AD groups /
                      DeanyDean
                      Hi Habib,

                       The problem you're having is caused by the use of Windows Domain Authentication (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1305942.html). As your users are being authenticated to the Windows domain orgds1.hs.uci.edu, they are being assigned the "NT User Profile". This mode of authentication does not support integration with Active Directory.

                      If you want Active Directory integration, your users need to be authenticated by Active Directory Authentication (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html).

                       My advice would be to disable Windows Domain Authentication:

                      # tarantella config edit --login-nt 0

                      And then follow the Active Directory Authentication docs (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html) to correctly configure your SGD server for AD integration.

                      Hope this helps,

                      Matt

                      Edited by: DeanyDean on 02-Mar-2011 09:11
                      • 8. Re: Assigned User Profile / AD groups /
                        838745
                        Hi Matt,

                        Sorry, you must be wondering what happened to me. Well, I had an injury and ended up taking LOA. I just came back to work.

                        Thank you for your suggestions. I went through the document and made the required changes. I guess I missed something, since I can’t log in to SGD at all now.

                        Here is the output of:

                        # ./tarantella config list login-ldap login-ad login-nt login-nt-domain

                        login-ad: 1
                        login-nt-domain: orgds2.hs.uci.edu
                        login-nt: 0
                        login-ldap: not found

                        My krb.conf file is as follows:

                        [logging]
                        default = FILE:/var/log/krb5libs.log
                        kdc = FILE:/var/log/krb5kdc.log
                        admin_server = FILE:/var/log/kadmind.log

                        [libdefaults]
                        default_realm = HS.UCI.EDU
                        dns_lookup_realm = true
                        dns_lookup_kdc = true
                        ticket_lifetime = 24h
                        forwardable = yes

                        [realms]
                        EXAMPLE.COM = {
                        kdc = kerberos.example.com:88
                        admin_server = kerberos.example.com:749
                        default_domain = example.com
                        }

                        HS.UCI.EDU = {
                        kdc = hs.uci.edu:88
                        admin_server = hs.uci.edu:749
                        }

                        UCI.EDU = {
                        kdc = kerberos.service.uci.edu:88
                        admin_server = kerberos.service.uci.edu:749
                        }

                        [domain_realm]
                        .example.com = EXAMPLE.COM
                        example.com = EXAMPLE.COM

                        hs.uci.edu = HS.UCI.EDU
                        .hs.uci.edu = HS.UCI.EDU
                        uci.edu = UCI.EDU
                        .uci.edu = UCI.EDU
                        [appdefaults]
                        pam = {
                        debug = false
                        ticket_lifetime = 36000
                        renew_lifetime = 36000
                        forwardable = true
                        krb4_convert = false
                        }

                        What did I miss?

                        Thanks again for all the help.

                        Habib.
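The krb5.conf posted above is a good candidate for a mechanical check before anyone reasons about it by eye. The following is an added example, not code from this thread and not Oracle SGD or MIT Kerberos code: a small parser for the file's `[section]` / `key = {` ... `}` syntax, followed by the cross-reference checks a defender would run on any such file (default_realm defined under [realms], every [domain_realm] target defined, every realm naming a kdc). The sample input is the posted file copied verbatim minus its [logging] section; the "example.com template kdc" check is my own heuristic for stock entries left over from a distribution's default file, not a statement about what broke this login.

```python
# Added example, not from the thread and not Oracle SGD or MIT Kerberos code:
# a parser for krb5.conf's [section] / 'key = {' group syntax, plus the
# cross-reference checks worth running on a file before relying on it.

# Constructed input: the krb5.conf posted above, without its [logging] section.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = HS.UCI.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

HS.UCI.EDU = {
kdc = hs.uci.edu:88
admin_server = hs.uci.edu:749
}

UCI.EDU = {
kdc = kerberos.service.uci.edu:88
admin_server = kerberos.service.uci.edu:749
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
hs.uci.edu = HS.UCI.EDU
.hs.uci.edu = HS.UCI.EDU
uci.edu = UCI.EDU
.uci.edu = UCI.EDU
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"""


def parse_krb5_conf(text):
    """Parse into {section: {key: value-or-nested-dict}}; a key repeated in
    the same group (several kdc lines) becomes a list. Full-line '#'/';'
    comments are skipped; 'include' directives are not handled here."""
    sections, stack = {}, []          # stack[-1] is the group being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1].strip(), {})]
        elif not stack:
            raise ValueError(f"line {lineno}: entry before any [section]")
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            group = stack[-1]
            if value == "{":                   # open a nested group
                group[key] = {}
                stack.append(group[key])
            elif key in group:                 # repeated key -> list
                old = group[key]
                group[key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                group[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' group at end of file")
    return sections


def check_krb5_conf(conf):
    """Return findings as strings; an empty list means the references hold."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] sets no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for name, body in realms.items():
        kdcs = body.get("kdc", []) if isinstance(body, dict) else []
        kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
        if not kdcs:
            findings.append(f"realm {name} lists no kdc")
        # heuristic: example.com hosts are the stock template, not a real KDC
        if any(k.split(":")[0].endswith("example.com") for k in kdcs):
            findings.append(f"realm {name} still points at the example.com template kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```

Running `check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF))` on the posted file shows the [libdefaults], [realms] and [domain_realm] sections referencing each other consistently; the only finding is the leftover EXAMPLE.COM realm. Whether the host-based kdc entries and `dns_lookup_kdc = true` resolve correctly is a network question the parser cannot answer.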
                        • 9. Re: Assigned User Profile / AD groups /
                          DeanyDean
                          Hi Habib,

                          "login-ldap: not found" worries me a little, as it was present in your previous posts. Any idea why this might have been removed?

                          Also, to try and gauge your AD env, can you provide the output of the following command (obfuscated as required):

                          # ./tarantella service list

                          Thanks,

                          Matt
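The two `tarantella config list` listings in this thread (replies 6 and 8) and Matt's reading of them (replies 7 and 9) reduce to a small rule set that is easy to automate. The following is an added example, not code from this thread or from Oracle's tarantella tooling: it parses the `attribute: value` listing exactly as Habib pasted it, keeps "not found" distinct from a value of 0, and reports the conditions Matt called out (login-nt=1 meaning users get the NT User Profile, and an attribute going missing between two listings). Treating login-ad as the Active Directory Authentication switch is an assumption by analogy with login-nt; the page only shows the attribute name.

```python
# Added example, not from the thread and not Oracle SGD code: parse the
# "tarantella config list" output posted above and apply the rules from
# replies 7 and 9 to it.

# Constructed input: the two listings Habib posted, copied verbatim.
OUTPUT_REPLY_6 = """\
login-ad: 1
login-ldap: 0
login-nt-domain: orgds1.hs.uci.edu
login-nt: 1
"""

OUTPUT_REPLY_8 = """\
login-ad: 1
login-nt-domain: orgds2.hs.uci.edu
login-nt: 0
login-ldap: not found
"""

NOT_FOUND = "not found"   # literal the CLI prints for an unknown attribute


def parse_config_list(text):
    """Turn 'attribute: value' lines into a dict.

    An attribute the CLI reports as 'not found' is stored as None, so a
    caller can tell 'missing' apart from 'set to 0'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue                      # blank line or prompt echo
        key, value = (part.strip() for part in line.split(":", 1))
        settings[key] = None if value == NOT_FOUND else value
    return settings


def assess_login_settings(settings):
    """Return findings (strings) for one listing, following reply 7."""
    findings = []
    if settings.get("login-nt") == "1":
        domain = settings.get("login-nt-domain") or "<unset>"
        findings.append(
            f"login-nt=1: Windows Domain Authentication against {domain} is on; "
            "authenticated users receive the NT User Profile and AD group "
            "assignments do not apply. Reply 7 disables it with "
            "'tarantella config edit --login-nt 0'."
        )
    # Assumption (by analogy with login-nt): login-ad is the AD Authentication switch.
    if settings.get("login-ad") != "1":
        findings.append("login-ad is not 1: Active Directory Authentication appears off")
    for key, value in settings.items():
        if value is None:
            findings.append(f"{key} reported as '{NOT_FOUND}': attribute is missing")
    return findings


def compare_listings(before, after):
    """Attributes present in an earlier listing but missing or 'not found'
    in a later one, which is what reply 9 asks about for login-ldap."""
    return sorted(k for k, v in before.items()
                  if v is not None and after.get(k) is None)
```

Feeding the reply 6 listing through `assess_login_settings` yields the single login-nt finding Matt explains in reply 7; the reply 8 listing yields only the missing login-ldap attribute, and `compare_listings` names it as the attribute that disappeared between the two posts.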
                          • 10. Re: Assigned User Profile / AD groups /
                            838745
                            Hi Matt,

                            I am not clear about this issue, but I guess it is because earlier it was set up for ldap and now I changed it to ad? Before I made changes the selection was under ldap and the URL was ldap://hs.uci.edu. Now I have changed this to ad with the URL ad://hs.uci.edu.

                            Regarding

                            # ./tarantella service list

                            I couldn't run it. It gives me an error complaining that 'service' is not an available command, and it gives me a list of commands from archive, array and config through version, webserver and webtopsession.

                            Seems like I missed something very obvious?

                            Thanks.
                            • 11. Re: Assigned User Profile / AD groups /
                              DeanyDean
                              Hi Habib,

                              Are you using SGD 4.50 or earlier? The service list command was only introduced in 4.60, so this might explain why it's missing.

                              Matt
                              • 12. Re: Assigned User Profile / AD groups /
                                838745
                                Hi Matt,

                                True, we are using version 4.5.933. Is there any equivalent to the service command? Any other suggestions?

                                Thanks.

                                Habib.
                                • 13. Re: Assigned User Profile / AD groups /
                                  DeanyDean
                                  OK, sorry about that, I was assuming (wrongly) that you were using 4.60.

                                  In 4.50, can you get the output of:

                                  # tarantella config list --login-ldap-url

                                  Thanks,

                                  Matt
                                  • 14. Re: Assigned User Profile / AD groups /
                                    838745
                                    Sorry, it is my mistake; I should have mentioned it at the very beginning.

                                    Here is the output of tarantella config list --login-ldap-url:

                                    login-ldap-url: ad://hs.uci.edu

                                    Thanks again, Matt. I sincerely appreciate all the help and guidance.

                                    Habib.