1 2 Previous Next 25 Replies Latest reply on Nov 2, 2011 2:50 PM by Matt Carter-Oracle Go to original post
      • 15. Re: Not able to login to /oamconsole and /console
        Matt Carter-Oracle
Have you tried logging into the /oamconsole as one of the AD administrators? What is the user attribute in the identity store, uid? Are you mapping AD User to Inetorgperson? If yes, and yes, you would login with your samaccountname as user id. If cn and no, it would be CN ("First Last" usually in AD).
        • 16. Re: Not able to login to /oamconsole and /console
          852757
          Yes Matt, I tried logging into the /oamconsole as all the members from that AD Admins group.
The user attribute in the identity store is uid and we are mapping AD User to Inetorgperson. We tried logging in with samaccountname as the user id, but in vain.

          -PS
          • 17. Re: Not able to login to /oamconsole and /console
            Presto
            I recall that the last thing I did before I couldn't login with orcladmin anymore was navigate to (servername):14100/oam/server/logout while testing some SSO stuff.
            • 18. Re: Not able to login to /oamconsole and /console
              Matt Carter-Oracle
              Hitting OAM logout service shouldn't affect this.

              Can you post the contents of your identity stores from <domain>/config/fmwconfig/oam-config.xml? Something like

<Setting Name="AD" Type="htf:map">
<Setting Name="0D05636AF4DBB6DC31" Type="htf:map">
<Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=oamLDAP, cn=Users,dc=my,dc=org</Setting>
<Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">cn=Groups,dc=my,dc=org</Setting>
<Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
<Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
<Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
<Setting Name="Name" Type="xsd:string">OIMIDStore</Setting>
<Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}A423A80149A41B0E3487388660DC91D6</Setting>
<Setting Name="RoleMappings" Type="htf:map">
<Setting Name="Role Security Admin" Type="htf:map">
<Setting Name="Groups" Type="xsd:string">OAMAdministrators</Setting>
</Setting>
</Setting>
</Setting>
</Setting>
              • 19. Re: Not able to login to /oamconsole and /console
                Presto
                Yes I'll do that.

                Btw, restarted the managed server, and tried to login with weblogic user, got this:

                Access Denied

                Access to administration console is restricted.
The page it forwards to is authzerror.jspx.
                • 20. Re: Not able to login to /oamconsole and /console
                  Presto
                  Some of these are wrong. Can I change this and restart OAM for the changes to take effect?

                  <Setting Name="LDAP" Type="htf:map">
                  <Setting Name="UserIdentityStore" Type="htf:map">
                  <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
                  <Setting Name="Type" Type="xsd:string">LDAP</Setting>
                  <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
                  <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
                  <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
                  <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
                  <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
                  <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
                  <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
                  <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
                  <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
                  <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
                  <Setting Name="RoleMappings" Type="htf:map">
                  <Setting Name="Role Security Admin" Type="htf:map">
                  <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
                  <Setting Name="Users" Type="xsd:string">weblogic</Setting>
                  </Setting>
                  <Setting Name="Role System Monitor" Type="xsd:string">Monitors</Setting>
                  <Setting Name="Role Application Administrator" Type="xsd:string">Operators</Setting>
                  <Setting Name="Role System Manager" Type="xsd:string">Deployers</Setting>
                  </Setting>
                  </Setting>
                  <Setting Name="E6F2094BB4B6B097BA" Type="htf:map">
                  <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
                  <Setting Name="Description" Type="xsd:string"></Setting>
<Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=external,(edited out)</Setting>
                  <Setting Name="ConnectionRetryCount" Type="xsd:integer">3</Setting>
                  <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
                  <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
                  <Setting Name="GroupCacheEnabled" Type="xsd:boolean">false</Setting>
                  <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
                  <Setting Name="ConnectionWaitTimeout" Type="xsd:integer">120</Setting>
                  <Setting Name="Name" Type="xsd:string">oidUserStore</Setting>
                  <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}EED5A60FBF5C42C77C58F2F44372B371</Setting>
                  <Setting Name="SearchTimeLimit" Type="xsd:integer">0</Setting>
                  <Setting Name="MIN_CONNECTIONS" Type="xsd:integer">10</Setting>
                  <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
                  <Setting Name="GROUP_NAME_ATTR" Type="xsd:string"></Setting>
                  <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">true</Setting>
                  <Setting Name="USER_SEARCH_BASE" Type="xsd:string">cn=users,(edited out)</Setting>
                  <Setting Name="LDAP_URL" Type="xsd:string">ldap:/(Server):port</Setting>
                  <Setting Name="ReferralPolicy" Type="xsd:string">follow</Setting>
                  <Setting Name="MAX_CONNECTIONS" Type="xsd:integer">50</Setting>
                  <Setting Name="GroupCacheTTL" Type="xsd:integer">0</Setting>
                  <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
                  <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
                  </Setting>
                  <Setting Name="F63B4393D72298ED35" Type="htf:map">
                  <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
                  <Setting Name="Description" Type="xsd:string"></Setting>
                  <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">cn=groups(edited out)</Setting>
                  <Setting Name="ConnectionRetryCount" Type="xsd:integer">3</Setting>
                  <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
                  <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
                  <Setting Name="GroupCacheEnabled" Type="xsd:boolean">false</Setting>
                  <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
                  <Setting Name="ConnectionWaitTimeout" Type="xsd:integer">120</Setting>
                  <Setting Name="Name" Type="xsd:string">OVDStore</Setting>
                  <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}EED5A60FBF5C42C77C58F2F44372B371</Setting>
                  <Setting Name="SearchTimeLimit" Type="xsd:integer">0</Setting>
                  <Setting Name="MIN_CONNECTIONS" Type="xsd:integer">10</Setting>
                  <Setting Name="RoleMappings" Type="htf:map">
                  <Setting Name="Role Security Admin" Type="htf:map">
                  <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
                  <Setting Name="Users" Type="xsd:string">orcladmin</Setting>
                  </Setting>
                  </Setting>
                  <Setting Name="LDAP_PROVIDER" Type="xsd:string">OVD</Setting>
                  <Setting Name="GROUP_NAME_ATTR" Type="xsd:string">cn</Setting>
                  <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">true</Setting>
                  <Setting Name="USER_SEARCH_BASE" Type="xsd:string">cn=users(removed)</Setting>
                  <Setting Name="LDAP_URL" Type="xsd:string">ldap://server:port</Setting>
                  <Setting Name="ReferralPolicy" Type="xsd:string">follow</Setting>
                  <Setting Name="MAX_CONNECTIONS" Type="xsd:integer">50</Setting>
                  <Setting Name="GroupCacheTTL" Type="xsd:integer">0</Setting>
                  <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
                  <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
                  </Setting>
                  </Setting>
                  </Setting>

                  Edited by: Presto on Nov 1, 2011 3:55 PM

                  Edited by: Presto on Nov 1, 2011 3:56 PM
                  • 21. Re: Not able to login to /oamconsole and /console
                    Matt Carter-Oracle
So OVD is the primary store and it looks like you have group 'Administrators' and user 'orcladmin' as admins for OAM. Is the group Administrators under the group search "cn=groups,dc=we,dc=dirsrv,dc=com"? I think AD sometimes puts its groups under CN=Users. It does look like orcladmin should be able to access the console as well. Do you get the same Authorization error if you try to access /oamconsole with the oam_server1 managed server on when you login with orcladmin?
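The reading Matt does by eye here (which identity store is primary and system, and which groups and users each store maps to Role Security Admin) can be done mechanically, which helps when a config dump has several stores and redacted values. The script below is an added example written for this thread, not Oracle tooling or anything the posters ran: it parses the nested htf:map <Setting> elements of oam-config.xml into a plain dict, lists each store without ever printing SECURITY_CREDENTIAL values, and flags a configuration with no or more than one IsPrimary store. The embedded sample config, its <Configuration> root element, the STOREID_ASSUMED key, the comma splitting of Groups/Users values, and the rule that exactly one store should be IsPrimary are all assumptions of this example.

```python
"""Summarise identity stores in an OAM 11g oam-config.xml without exposing credentials."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the nested <Setting> layout quoted in the thread.
# The <Configuration> root, the STOREID_ASSUMED key and every value are assumptions.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="LDAP" Type="htf:map">
    <Setting Name="UserIdentityStore" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}SECRETVALUE1</Setting>
      <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
      <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
      <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
      <Setting Name="RoleMappings" Type="htf:map">
        <Setting Name="Role Security Admin" Type="htf:map">
          <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
          <Setting Name="Users" Type="xsd:string">weblogic</Setting>
        </Setting>
      </Setting>
    </Setting>
    <Setting Name="STOREID_ASSUMED" Type="htf:map">
      <Setting Name="Name" Type="xsd:string">OVDStore</Setting>
      <Setting Name="LDAP_URL" Type="xsd:string">ldap://server:port</Setting>
      <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
      <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}SECRETVALUE2</Setting>
      <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
      <Setting Name="LDAP_PROVIDER" Type="xsd:string">OVD</Setting>
      <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
      <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
      <Setting Name="MAX_CONNECTIONS" Type="xsd:integer">50</Setting>
      <Setting Name="RoleMappings" Type="htf:map">
        <Setting Name="Role Security Admin" Type="htf:map">
          <Setting Name="Groups" Type="xsd:string">Administrators</Setting>
          <Setting Name="Users" Type="xsd:string">orcladmin</Setting>
        </Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def setting_to_value(node):
    """htf:map -> dict keyed by Name; xsd:boolean -> bool; xsd:integer -> int; else text."""
    stype = node.get("Type", "")
    if stype == "htf:map":
        return {c.get("Name"): setting_to_value(c) for c in node.findall("Setting")}
    text = (node.text or "").strip()
    if stype == "xsd:boolean":
        return text.lower() == "true"
    if stype == "xsd:integer":
        return int(text) if text else None
    return text


def load_identity_stores(xml_text):
    """Return the <Setting Name="LDAP"> map (all identity stores) as a dict."""
    root = ET.fromstring(xml_text)
    ldap = root if root.get("Name") == "LDAP" else root.find(".//Setting[@Name='LDAP']")
    return setting_to_value(ldap) if ldap is not None else {}


def _split_list(value):
    # Assumption: several Groups/Users would be comma separated; the thread shows one each.
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def summarize_stores(stores):
    """One record per store; the credential is reduced to a present/absent flag."""
    records = []
    for key, cfg in stores.items():
        if not isinstance(cfg, dict):
            continue
        sec_admin = (cfg.get("RoleMappings") or {}).get("Role Security Admin") or {}
        if not isinstance(sec_admin, dict):
            sec_admin = {}
        records.append({
            "key": key, "name": cfg.get("Name"), "provider": cfg.get("LDAP_PROVIDER"),
            "url": cfg.get("LDAP_URL"), "user_attr": cfg.get("USER_NAME_ATTRIBUTE"),
            "is_primary": bool(cfg.get("IsPrimary", False)),
            "is_system": bool(cfg.get("IsSystem", False)),
            "admin_groups": _split_list(sec_admin.get("Groups")),
            "admin_users": _split_list(sec_admin.get("Users")),
            "credential_present": bool(cfg.get("SECURITY_CREDENTIAL")),
        })
    return records


def check_stores(records):
    """Consistency findings; 'exactly one IsPrimary store' is an assumed rule."""
    findings = []
    primaries = [r for r in records if r["is_primary"]]
    if len(primaries) != 1:
        findings.append("expected exactly one IsPrimary store, found %d" % len(primaries))
    for r in primaries:
        if not (r["admin_groups"] or r["admin_users"]):
            findings.append("primary store %s maps nobody to Role Security Admin" % r["name"])
    return findings


if __name__ == "__main__":
    recs = summarize_stores(load_identity_stores(SAMPLE_OAM_CONFIG))
    for r in recs:
        flags = ("primary " if r["is_primary"] else "") + ("system" if r["is_system"] else "")
        print("%-18s %-14s %-15s admins: groups=%s users=%s" % (
            r["name"], r["provider"], flags, r["admin_groups"], r["admin_users"]))
    for finding in check_stores(recs):
        print("WARNING:", finding)
```

Run it against a real file with `load_identity_stores(open(path).read())`; the redacted values in a forum post (`(edited out)`) parse as ordinary strings, so the report still shows which store is primary and who holds Role Security Admin, which is the question at issue in this thread.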
                    • 22. Re: Not able to login to /oamconsole and /console
                      852757
                      Hello Matt,

My case is a bit different from Presto's. I just tried logging in with the weblogic user and the users from the AD group, but not orcladmin.

                      PS
                      • 23. Re: Not able to login to /oamconsole and /console
                        Presto
                        Yes, the group is in that container.

No, orcladmin just gets an error "incorrect username or password" and the log shows "authentication failed".

                        Edited by: Presto on Nov 1, 2011 4:59 PM
                        • 24. Re: Not able to login to /oamconsole and /console
                          Presto
                          To change oam-config.xml, do I modify it then restart?
                          • 25. Re: Not able to login to /oamconsole and /console
                            Matt Carter-Oracle
                            I cannot say for sure whether changing oam-config.xml manually to set the primary back to the Default is a safe process. I have updated manually in 11.1.1.3 for other purposes, but I haven't tried this in 11.1.1.5.