E1 LDAP

camburgey

Member
Has anyone gotten this mess to work? The instructions are not difficult, but they don't offer any solution except putting it straight into production. I don't know about other shops, but we are 24/7 with thousands of jobs running daily. I can't just turn this on in Production. I have a development enterprise server; however, it does share the system data source on production. I have tried creating a separate datasource and OCM for the security tables, but that didn't work. Oracle's answer was that it was a system level function and could not be done based on environment. Also seems like a lot of limitations, like only 1 LDAP server and 10 fields for password. Not really feeling this product. E1 Version 9 toolset 8.98 running on iSeries enterprise server.
 
[ QUOTE ]
Has anyone gotten this mess to work? The instructions are not difficult, but they don't offer any solution except putting it straight into production. I don't know about other shops, but we are 24/7 with thousands of jobs running daily. I can't just turn this on in Production. I have a development enterprise server; however, it does share the system data source on production. I have tried creating a separate datasource and OCM for the security tables, but that didn't work. Oracle's answer was that it was a system level function and could not be done based on environment. Also seems like a lot of limitations, like only 1 LDAP server and 10 fields for password. Not really feeling this product. E1 Version 9 toolset 8.98 running on iSeries enterprise server.

[/ QUOTE ]

Don't waste your time. The developers who released that functionality into E1 should be embarrassed.
 
This all works fine and you can configure LDAP PER Enterprise Server.

Whatever Environments are on that server will go through LDAP authentication.

You can also point LDAP to "the cloud" and not any specific server. It just goes out, finds the LDAP and validates, so in this respect it is fault tolerant.

If you have to enter in a specific server name then that means you have an LDAP configuration issue.

I've likely configured this 10 times at 10 different customers and can now do it in about 4 hours start to finish.

If it's your first time count on 4 days.

Enter in some of your system config so we know what you're trying to do and where you are experiencing issues.


Colin
 
BTW - separate security tables are not required for LDAP.

The LDAP tables come shipped OCM'ed to DEFAULT which is Business Data and you will need to map them to System.

Since the LDAP tables are host name specific you need to use different Enterprise Server names if you want to actually test this or use multi-foundation and different port numbers.

Colin
 
That's what I thought too, but below is what Oracle said:

Thanks for the update.
I did some more research and found LDAP is a system level setting and it can't be set up at environment level. In your case you have 2 enterprise servers and are trying to set up LDAP on just one server (Dev).

I created the LDAP Server config to use the DEV enterprise server (security kernel). Pretty sure all information is correct there. I'm trying to authenticate against MAD. USRSRCHBAS is ou=Domain Users,dc=<domain name>,dc=<domain suffix>. USRSRCHFLT is objectclass=inetOrgPerson and USRSRCHSCP is subtree. E1USRIDATR is sAMAccountName and USRSRCHATR is the same. The sAMAccountName here has the user id in it. My JDE.INI Security section looks like this:

[SECURITY]
DataSource=System - 900
User=JDE
Password=<XXXXXX>
Default Role=*ALL
DefaultEnvironment=DV900
SecurityServer=<Development Enterprise Server>
ServerPswdFile=false
History=0
NumServers=1
SecurityServer1=NONE
SecurityServer2=NONE
SecurityServer3=NONE
SecurityServer4=NONE
LDAPAuthentication=true
 
I'm on version 9 so the LDAP tables F00928, F009281 and F009282 were already mapped to the system data source. Thanks. I was hoping I would not have to set up a multiple foundation. This is a little more than I want to do for this. We recently upgraded to version 9 and are still putting out fires. Oh well.
 
One more question... My understanding is that when LDAP is enabled, the user authenticates against AD. The security kernel on the enterprise server is responsible for passing the authentication request to AD based on the LDAP configuration. I'm assuming that the user password is housed somewhere in Active Directory, i.e. inetOrgPerson, which is the purpose of the USRSRCHSCP value? Can't get much info from Oracle on this at all and our AD people have no clue what this class is for.
 
When I start E1 Service, the security kernel has this in the logs:
11:09:40.705128 jdeksec.c4523
Unable to find user JDE in LDAP

427/26 MAIN_THREAD

The Meta Data Kernel has this:
erverDispatch.cpp249
INITIALIZING METADATA SERVER KERNEL

424/22 SYS:Metadata Tue Nov 22 11:09:39.737240 jdecsec.c2556
Security Server returned error: eSecUnknownUser: User Unknown

424/22 SYS:Metadata Tue Nov 22 11:09:39.737408 jdecsec.c263
Failed to validate user JDE by password

424/22 SYS:Metadata Tue Nov 22 11:09:39.737464 jdb_ctl.c4250
JDB1100015 - Failed to complete Security check by Pwd

424/22 SYS:Metadata Tue Nov 22 11:09:39.740216 jdb_omp1.c639
JDB9900246 - Failed to find existence of default OMAP for environment STARTUP

424/22 SYS:Metadata Tue Nov 22 11:09:39.740296 jdb_rq1.c2006
JDB3100011 - Failed to get location of table F00941 for environment STARTUP

424/22 SYS:Metadata Tue Nov 22 11:09:39.748040 jdb_omp1.c639
JDB9900246 - Failed to find existence of default OMAP for environment STARTUP

424/22 SYS:Metadata Tue Nov 22 11:09:39.748144 jdb_rq1.c2006
JDB3100011 - Failed to get location of table F00942 for environment STARTUP

424/22 SYS:Metadata Tue Nov 22 11:09:39.748224 SpecUtil.c5164
JDESPEC0000051 - Unable to open F00942 to load metadata cache. Fatal Error.

424/22 SYS:Metadata Tue Nov 22 11:09:39.748288 SpecUtil.c5203
JDESPEC0000052 - Unable to select all records from F00942 to load metadata cache.
 
Hmmm... I'm sitting here thinking of what could be the problem and it just occurred to me that the AS400 (naturally) is not on the domain. This has to be the problem. Not sure how to work around this. If anyone has configured this on an iSeries I would think they would have the same problem. How do you get a non-domain enterprise server to authenticate to an LDAP Server on a domain? I will have to research this. Hopefully someone in JDELISTville has the answer.
 
The LDAP setup typically has the same issue in 99% of all cases: incorrect user name.

Download Softerra's free version of the LDAP Browser and confirm the name and OU of the bind account.
 
I have this running on lots of AS400's.

You should always enter the AS400 name in the DNS for simplicity and update CFGTCP option 12 with the domain info as well.

However, this is not likely the issue.


Colin
 
The AS400 does not need to be on/in the domain. It just has to be able to communicate with your AD server/service.

I have set this up a couple of times. Here are some things that helped me:

1. Don't use port 389 with Windows AD, use the global catalog port/service on 3268. If you don't know, ask your AD admin.

2. Use the ldapsearch command from qshell to validate the bootstrap id & password in the jde.ini.
ldapsearch -h [host] -b [BaseDNforSearch] -D [BindDNUsername] -w [BindDNPassword] -L -p [Port] "[AttributesForSearch]"

An example:
ldapsearch -h server.domain.com -b "O=Organization" -D "cn=Administrator,O=Organization" -w JDEPassword -p 3268 "cn=JDE"

3. Create a separate JDE OU for E1 roles / groups.

4. Copy and OCM map the F00928* tables to environment specific dbs (BD or CT). I personally prefer this with multi-foundation because you can use multiple AD servers. Make one env per foundation the primary environment for ldap config. Maintain the LDAP settings for all environments / instances in one environment and copy the F00928* tables to the other environments. Activate & inactivate the LDAP config per foundation via SQL before you start services.
 
From what I can tell from this forum and just about every other site I've been to the active directory team for most companies have no clue what Oracle is wanting and Oracle support has no clue about the LDAP side. So pretty much you are SOL!
 
If the enterprise server is not on a domain, you either need to put it on the domain or somehow pass the domain name in the user id. I have added it to the domain. Still does not work. Also, I'm working with the AD staff. They say the only port to use is 389. I will just put in the global catalog port and see what happens. Also, it might be a faster lookup to have a JDE OU, but it should work the way we are set up. I'm not about to do all this extra work to get this working. I appreciate the suggestions, but the fact that only one person is responding to this thread tells me a lot!
 
Have you looked at our SSO solution? Would you like to trial it? It would be much easier...
 
I am curious to hear how you would join an AS400 into a Windows domain. While I understand that DNS is possible, AD domains are Windows things.

I think you are missing something on the concept, LDAP is a standards-based technology. It doesn't care about domains. You give the LDAP service a few pieces of data (which is defined in F00928* tables), the user and the password. At that point it either validates successfully or does not validate successfully.

Until you get the LDAP, I wouldn't waste money on other proprietary solutions.
 
Here are the settings I am using with iSeries ES and Active Directory. It works.

AD Port=3268
Admin UID=CN=JDE,OU=JDE,DC=domain,DC=companyX,DC=com
Role Enabled = TRUE

Mappings
Attribute Name LDAP Attribute Required
ACNTCTLATR = userAccountControl N
ACTNAMEATR = sAMAccountName N
CMNNAME = cn N
EUSRIDATR = cn N
E1USRIDATR = sAMAccountName Y
GIVENNAME = givenName N
OBJCLASS = objectClass N
PASSWORD = unicodePwd N
ROLNAMEATR = cn Y
ROLSRCHATR = member Y
SURNAME = sn N
USRSRCHATR = sAMAccountName Y

Values
Attribute Name LDAP Attribute Value
ROLADDLOC = OU=GROUPS,OU=JDE,DC=domain,DC=companyX,DC=com
ROLSRCHBAS = OU=GROUPS,OU=JDE,DC=domain,DC=companyX,DC=com
ROLSRCHFLT = objectclass=group
ROLSRCHSCP = subtree
USRACNTCTL = 512
USRADDLOC = OU=USERS,OU=JDE,DC=domain,DC=companyX,DC=com
USRCLSHRCY = user
USRSRCHBAS = DC=companyX,DC=com
USRSRCHFLT = objectclass=user
USRSRCHSCP = subtree

You'll have to tailor this to match your environment. Let us know how you make out.
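As an added example (not JD Edwards code, and not from any poster in this thread), the Python script below takes the attribute settings from the post above and dry-runs the directory lookups they imply, without any network I/O. It assumes the semantics described in this thread: USRSRCHFLT AND USRSRCHATR=<user id> locates the user under USRSRCHBAS with subtree scope, ROLSRCHATR (member) is the group attribute listing member DNs, and USRACNTCTL 512 is the AD NORMAL_ACCOUNT bit of userAccountControl. The DC components and the directory entries are constructed placeholders. It builds the search filters with RFC 4515 escaping (so a user id containing "*" or ")" cannot change the filter), builds the user DN under USRADDLOC with RFC 4514 escaping, reproduces the eSecUnknownUser outcome logged earlier when the bootstrap user is not found under the search base, and emits the argument list for the ldapsearch check from the earlier checklist.

```python
"""Dry-run of the directory lookups implied by the F00928-style settings above.
Added example, not JD Edwards code; no network I/O. DC values are placeholders."""

# Attribute mappings (F00928-style names -> AD attributes), from the post.
MAPPINGS = {
    "ACNTCTLATR": "userAccountControl",
    "E1USRIDATR": "sAMAccountName",
    "USRSRCHATR": "sAMAccountName",
    "ROLNAMEATR": "cn",
    "ROLSRCHATR": "member",   # assumed: group attribute that lists member DNs
}
# Search values, from the post (placeholder DC components).
VALUES = {
    "USRSRCHBAS": "DC=companyX,DC=com",
    "USRSRCHFLT": "objectclass=user",
    "USRSRCHSCP": "subtree",
    "USRADDLOC": "OU=USERS,OU=JDE,DC=companyX,DC=com",
    "USRACNTCTL": "512",
    "ROLSRCHBAS": "OU=GROUPS,OU=JDE,DC=companyX,DC=com",
    "ROLSRCHFLT": "objectclass=group",
}

# userAccountControl bits: 512 = NORMAL_ACCOUNT (the USRACNTCTL value), 2 = ACCOUNTDISABLE.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value going into an LDAP search filter so it cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        # Special characters, and '#' only when it leads the value, take a backslash.
        out.append("\\" + ch if ch in ',+"\\<>;' or (ch == "#" and i == 0) else ch)
    s = "".join(out)
    if value.startswith(" "):
        s = "\\" + s
    if value.endswith(" ") and len(value) > 1:
        s = s[:-1] + "\\ "
    return s

def _paren(filt: str) -> str:
    """The post writes filters bare ("objectclass=user"); a filter proper is parenthesised."""
    return filt if filt.startswith("(") else f"({filt})"

def user_search_filter(user_id: str) -> str:
    """USRSRCHFLT AND USRSRCHATR=<id>: the filter that locates an E1 user under USRSRCHBAS."""
    attr = MAPPINGS["USRSRCHATR"]
    return f"(&{_paren(VALUES['USRSRCHFLT'])}({attr}={escape_filter_value(user_id)}))"

def role_search_filter(member_dn: str) -> str:
    """ROLSRCHFLT AND ROLSRCHATR=<user DN>: groups under ROLSRCHBAS that list the user."""
    attr = MAPPINGS["ROLSRCHATR"]
    return f"(&{_paren(VALUES['ROLSRCHFLT'])}({attr}={escape_filter_value(member_dn)}))"

def user_dn(user_id: str) -> str:
    """DN under USRADDLOC at which a user named <id> would be created."""
    return f"CN={escape_dn_value(user_id)},{VALUES['USRADDLOC']}"

def account_usable(user_account_control: int) -> bool:
    """True when the entry is a normal account and the ACCOUNTDISABLE bit is clear."""
    return bool(user_account_control & NORMAL_ACCOUNT) and not user_account_control & ACCOUNTDISABLE

def ldapsearch_argv(host: str, bind_dn: str, bind_pw: str, user_id: str, port: int = 3268) -> list:
    """Argument list (safe to hand to subprocess) for the ldapsearch check from the earlier post."""
    return ["ldapsearch", "-h", host, "-p", str(port), "-b", VALUES["USRSRCHBAS"],
            "-D", bind_dn, "-w", bind_pw, "-L", user_search_filter(user_id)]

# Constructed directory fragment; attribute names follow MAPPINGS.
DIRECTORY = [
    {"dn": "CN=JDE,OU=JDE,DC=companyX,DC=com", "sAMAccountName": "JDE", "userAccountControl": 512},
    {"dn": "CN=ALICE,OU=USERS,OU=JDE,DC=companyX,DC=com", "sAMAccountName": "ALICE", "userAccountControl": 514},
    {"dn": "CN=BOB,DC=other,DC=com", "sAMAccountName": "BOB", "userAccountControl": 512},
]

def _under_base(dn: str, base: str) -> bool:
    """Subtree scope: the entry's DN must end with USRSRCHBAS (DN comparison is case-insensitive)."""
    return dn.lower().endswith(base.lower())

def lookup_user(user_id: str, directory=DIRECTORY) -> str:
    """Outcome of the user search, named as the security server reports it in the log."""
    attr, ctl = MAPPINGS["USRSRCHATR"], MAPPINGS["ACNTCTLATR"]
    hits = [e for e in directory
            if e[attr].lower() == user_id.lower() and _under_base(e["dn"], VALUES["USRSRCHBAS"])]
    if not hits:
        return "eSecUnknownUser"      # what the Metadata kernel logged for the bootstrap user JDE
    if not account_usable(hits[0][ctl]):
        return "account disabled"
    return "ok"
```

Run lookup_user("JDE") against the constructed fragment and it returns "ok"; "BOB" sits outside USRSRCHBAS and therefore returns "eSecUnknownUser", which is the same situation as a bootstrap account whose OU is not under the search base. Note that ldapsearch_argv passes the bind password on the command line exactly as the earlier post does, so it is visible in process listings; the list form is only there to avoid shell quoting of the filter.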
 
Just so everyone knows, you CAN NOT join an AS400 to a Windows domain.

You can simply add a DNS entry.

LDAP is LDAP and the JDE integration, although functional, is in its infancy.

I've set this up 10 times and it's working 10 times on Unix, Windows and AS400 Enterprise Servers.

LDAP works. Some more documentation and out of the box configuration would be ideal, but I think that will come in time.

JDE LDAP does not need to point to a specific server. It works with the "cloud".

JDE LDAP can also be configured per enterprise server so this can be phased in.

My only big request of JDE is a longer userid and password.

Colin
 
Just so everyone knows... YOU CAN add an AS400 to a Domain. You do it with iSeries NetServer. I am an iSeries System Analyst with 14 years experience.
 