Which scheme are you following to authenticate against LDAP?
This error generally comes when a particular scheme of authentication is disabled at the LDAP end and you are trying to authenticate via that scheme.
Have you tried enabling Anonymous Bind at your LDAP end?
Actually it's a client environment and I am in touch with the Client's IT team to enable the anonymous binds. By the way, when you say "scheme" what are you referring to? Are you referring to the Environment Variables being set before loading the Initial Directory Context?
Thanks for the help.
Edited by: 858919 on May 15, 2011 12:53 AM
You use different schemes for authentication like Simple, SSL etc.
I use a Simple SCHEME. We have to implement SSO.
What you are doing is that you are taking the user to OID anonymously, and OID 11g by default is disabled for anonymous bind. You have two options:
1. Enable anonymous bind in OID as mentioned in my blog
OID attribute orclanonymousbindflag value to 1 for entry cn=oid1, cn=osdldapd, cn=subconfigsubentry
Option 2: take user to authenticate via existing user (not anonymously)
- Book "OAM/OIM 11g for Administrators" -> http://onlineappsdba.com/index.php/2011/02/23/my-book-oracle-identity-access-manager-11g-for-administrators-is-now-available-in-raw-format/
Thanks for the reply.
Can you please throw more light on
Option 2: take user to authenticate via existing user (not anonymously).
Can somebody please guide me as to how do I authenticate user in OID when anonymous binding is disabled?
Appreciate some help.
You create a user entry in OID specifically to be used by your java application. Some folks refer to this type of user entry as a proxy or service or utility account. You may not want this service account to be located in your cn=users,dc=acme,dc=com container with the rest of your normal user entries. You may want to create a cn=serviceAccount,dc=acme,dc=com container (as an example) for all of these types of accounts. Or you can put it in your cn=users container, that's fine as well.
Then your java app gets configured to use this account to perform an authenticated bind/search (in lieu of the anonymous bind/search) to find the full DN of the user logging into your java app. Most ldap enabled applications ask the user to provide only the common name (cn) or unixID (uid) and password at the application login prompt.
1. The app then performs an anonymous bind/search for the full user entry DN of the user attempting to authenticate into the application.
2. The app then performs an authenticated bind/search (using the service account) for the full user entry DN of the user attempting to authenticate into the application.
...once the app receives back the full user entry DN, the app takes that full DN (dn: cn=gatesb,cn=users,dc=acme,dc=com) and the password provided by the user and attempts the user authentication.
Hope this helps.....
Thanks very much for all your help.
I have been able to do the workaround by removing the anonymous binding. However I am not able to retrieve attributes like password expiry date, grace login period, account locked/unlocked status etc. I believe these are all non-operational attributes. Can you suggest me how to obtain such attributes from the OID?
If you've turned off anonymous binds, then the only way to get data from OID is to have your apps do authenticated binds. Refer to my previous post, you will need to use a service account.
I did authenticated binds. But right now I have different issue that is of retrieving non-operational attributes to get information like grace login time, password expiration date, account lock/unlock status etc...
My experience (understanding) has been: when your search parameters do not include a list of attributes, you get back only the "Application Attributes" and no "Operational Attributes". My guess would be that the attributes you are after are considered "Operational Attributes" of a user entry and thus your ldapsearch must specifically ask for them. Per some testing and other Oracle OID reading:
Searching for all user attributes and specified operational attributes
The following command retrieves all user attributes and the createtimestamp, orclguid and pwdchangedtime operational attributes:
ldapsearch ......................... "(cn=smithjb)" "*" createtimestamp orclguid pwdchangedtime
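The service-account pattern described earlier in the thread (bind as the service account, search for the user's full DN, then bind as that DN), combined with the explicit request for operational attributes shown in the ldapsearch above, as a Java JNDI example. This is added code, not from the thread or from Oracle; the OID URL, the service-account DN and the user container are hypothetical values.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class OidLogin {
    // Hypothetical values: replace with your OID host, service account and user container.
    static final String URL    = "ldap://oid.example.com:3060";
    static final String SVC_DN = "cn=appsvc,cn=serviceAccount,dc=acme,dc=com";
    static final String BASE   = "cn=users,dc=acme,dc=com";

    // Simple bind as the given DN; throws AuthenticationException on bad credentials.
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Returns the user's entry (full DN plus requested attributes) on success, null on failure.
    static SearchResult login(String cn, String userPw, String svcPw) throws NamingException {
        // An empty password is an unauthenticated bind (RFC 4513 5.1.2) that many servers accept;
        // refuse it here instead of letting the directory "succeed".
        if (userPw == null || userPw.isEmpty()) return null;
        SearchResult entry;
        DirContext svc = bind(SVC_DN, svcPw);                // step 1: authenticated bind as service account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // "*" returns all user attributes; operational attributes must be named explicitly.
            sc.setReturningAttributes(new String[] {"*", "createtimestamp", "orclguid", "pwdchangedtime"});
            // {0} is a JNDI filter argument: the login name is escaped, not concatenated into the filter.
            NamingEnumeration<SearchResult> hits =
                svc.search(BASE, "(&(objectClass=person)(cn={0}))", new Object[] {cn}, sc);
            if (!hits.hasMore()) return null;                // unknown user
            entry = hits.next();
            if (hits.hasMore()) return null;                 // ambiguous match: refuse to guess
        } finally { svc.close(); }
        try {                                                // step 2: bind as the user's full DN
            bind(entry.getNameInNamespace(), userPw).close();
            return entry;
        } catch (AuthenticationException e) { return null; } // wrong password
    }
}
```

The returned entry's attributes (for example pwdchangedtime) are only those the service account has been granted read access to in OID's ACLs.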