Accounts in UCM 11g from external LDAP provider

Hi,
We are developing an application using UCM 11g. For authentication and authorization we are using external LDAP. Following are the steps followed to configure the UCM 11g for external LDAP.
1) Created User and Groups directory in LDAP.
2) Created users and groups in LDAP.
3) Assigned users to the groups.
4) Created accounts in the group directory. Account names start with @ and end with (RW).
5) Created a new provider in WLS.
6) Created a new JpsProvider in UCM.
Now, roles (groups in LDAP) and users are coming properly from LDAP, but the accounts are populating in UCM.
Can anybody tell me the solution for this problem?
Thanks in advance..
Regards,
Nitin

In theory there is no limit, but as with most of the products and features inside the Content Server it comes down to design and size impacting performance.
So there is no simple answer.
The more complex answer is you need to try to keep things as simple as possible while still completing your goals.
For instance, the Folders component in 11g is limited (hard coded) to a maximum of 1000 files per folder due to performance degradation if you put more in your folders. Many people just try to put more in; before the hard coded limit in 11g people did, and their folder browsing became almost unusable due to slow browsing of the folder structure and the files inside.
Similarly with Security we can impact performance with too many security groups, badly designed Roles to access security groups or badly designed Account structures. Notice I only said "too many" on Security groups but not "too many" on Accounts. You should try never to go above 25 security groups (this is not a hard coded limit just a best practice) and the "badly designed" part of roles and accounts can lead to bad performance and even broken security.
It comes down to DB performance, DB limitations and code limits.
First off be aware that there is a limit on how long a query in the DB can be. Commands and SQL in the DB are not endlessly long, there is a maximum number of characters. Keep that in mind as we go along into the next parts.
Second be aware that if you make a badly built query it will take a long long time.
Third be aware that when you are building security models in UCM these security structures go DIRECTLY to DB queries and remember the above 2 points.
So every search in UCM is a query when you take it back to the DB level, and every search requires a behind the scenes security check to make sure you can read the documents you are searching for. So any query built in the search interface gets an additional set of parameters automatically when executed (security).
So now we need to also think about your Metadata and not just the Security on that limited length DB back end. Do your users have 99 metadata fields (I hope not) and if they do do they use most of them while searching? How long will that query be before you add the security query?
Back to the security parts with accounts.
If you have your users having only a few roles providing only access to a small number of security groups and those same users only having a few accounts then searches will get a short security access query added since the number of additional checks for security are small. If the roles and group accesses and account accesses are very large (to the extreme limit) again this will be easy to make a short query due to the small number of excluded security roles and accounts.
BUT and this is a biggie. IF the users are given a number of roles and accounts that is middle of the road for number of total accesses then the query is as long as it can be and if the metadata is complex and large too then you may be running into the limit of Query string in the DB and your query may get truncated which results in a broken security model maybe.
That is not even talking about the efficiency of the query and how long it takes.....
Sorry for the book like reply to your simple question, but it really is not a simple question. :)

Similar Messages

  • Fetching properties from external LDAP

    Hi,
    I have configured ActiveDirectoryAuthenticator to link to my external LDAP
    provider. I am trying to fetch some properties/attributes related to the
    profile such as company and other contact details.
    I have not configured UUP as I'm using WebLogic's default user store.
    Now, when I access "com.bea.p13n.controls.profile.UserProfileControl", to
    fetch the properties I get null values.
    Is there some other configuration required ?
    Please let me know the solution or the approach.
    Thanks in advance ,
    Regards,
    Arun

    Hi Arun
    Migration of data is possible.
    Export the data from the external server and import it into your domain server.
    Here are the steps.
    To export and import security data:
    1.     Expand the Security-->Realms nodes.
    2.     Click the name of the realm you are configuring (for example, TestRealm).
    3.     Click the Migration-->Export tab.
    4.     Specify the directory and filename in which to export the security data in
    the Export Directory on Server attribute.
    Note: You can specify a directory and file location on another server.
    5.     Click Export.
    6.     Expand the Realms node.
    7.     Click the name of the security realm in which the security data is to be imported.
    8.     Click the Migration-->Import tab.
    9.     Specify the directory location and file name of the file that contains the
    exported security data in the Import Directory on Server attribute.
    10.     Click Import.
    To verify the security data was imported correctly:
    1.     Expand the Security-->Realms nodes.
    2.     Click the name of the realm into which the security data was imported.
    3.     Click Users.
    4.     Users from the security realm from which you exported the security data should
    appear in the Users table.
    Cheers
    Surya

  • Get Message Notification in BPM 10G from External JMS Provider

    Hello,
    Can anyone provide me the steps how to get a message from the queue (external JMS provider) in BPM 10G.
    I have been looking into this for couple of days now and I'm not able to figure it out. Any input on this would be greatly appreciated.
    Thanks
    NC

    Hi,
    Please find the steps below and change the necessary parameter according to your requirement.
    JMS configuration and reading the message from the queue:
    1) Configure a J2EE Configuration in External Resources with the following details.
    Where
    Name: J2EEConfiguration
    Initial Context Factory: weblogic.jndi.WLInitialContextFactory
    URL: t3://localhost:7001
    Principal: weblogic
    Credentials: weblogic
    2) Configure a JMS Configuration in External Resources with the following details
    Where
    Name: JMSConfiguration
    J2EE: J2EEConfiguration
    Destination Type: Queue
    Lookup Name: com.bibhu.queue – Refer to JMS configuration in Weblogic Server
    Connection Factory Lookup Name: com.bibhu.cf – Refer to JMS configuration
    3) Configure a Java Configuration in External Resources with the following details
    Add weblogic.jar, wsclient.jar, and jms.jar files
    4) Create a process and add a Global automatic Activity with the following configuration
    5) Add the following code for the different purposes:
    // The code below reads a message/messages from the Queue
    logMessage("JMS message retrieved from queue: \n" + message.textValue);
    // The code below sends a message to the Queue, where
    // JMSConfiguration is the External Resource Configuration for JMS
    // and Bibhu is the message body
    String externalResourceId = "JMSConfiguration";
    String msgBody = "Bibhu";
    JmsMessage jmsMsg = JmsMessage(type : JmsMessageType.TEXT);
    jmsMsg.textValue = msgBody;
    jmsMsg.expiration = 'now' + '5m'; // expires in 5 minutes
    sendMessage(DynamicJMS, configuration : externalResourceId, message : jmsMsg);
    Hope the above will help you.
    Bibhu

  • Not authenticated from external ldap in a cluster

    I am having trouble getting authenticated from an iPlanet LDAP when WebLogic is configured in a Cluster.
    -I can authenticate with Embedded LDAP domain wide
    -I can authenticate on the external LDAP if I send the request to Admin server
    Here is my cluster configuration (all with Weblogic 7.0 SP4)
    *Admin Server Port: 9209
    *Cluster server 1 : 7209
    *Cluster server 2 : 8209
    *Proxy server     : 9090 (configured with HttpClusteredServlet)
    http://myserver.com:9090/j_security_check fails
    http://myserver.com:9209/j_security_check works
    Please let me know what is wrong?

    Are you sure that the LDAP authentication is actually occurring? I would
    define the DebugSecurityAtn="true" attribute on the ServerDebug mbean for the cluster
    server members and then look at the log and the ldap_trace.log files to see
    what is happening with LDAP.

  • How to learn UCM 11g from scratch

    From where should I learn UCM 11g? I am new to this product (WebCenter Content).

    Hemant,
    You will need a test system; use VirtualBox as you can undo any disasters by taking snapshots. If you don't know how to configure and administer managed servers in WebLogic Server then learn that first - just how to configure UCM and Node Manager so you can start and stop it from the Admin Server console.
    It is worth learning to install WebCenter Content on Linux (I recommend Oracle 6.6) and also on Windows if you want to use Enterprise Capture with Recognition, but if you are impatient to start with UCM, Oracle have a ready-made VM with just about everything you need installed: Oracle WebCenter Portal 11.1.1.8 Virtual Machine | Oracle Technology Network | Oracle. You may need to patch the installation; I don't know what patch level it is set to.
    When reading the Oracle documentation, make sure you get the WCC UCM documentation, not the IPM documentation. Make lots of bookmarks, and when you see "for more information on..." open the link in a new tab or you will get lost seven levels down when you realise you are back at the same page you started from.
    Learn the security model (a group in WebLogic Server with the same name as a Role in UCM will be granted the Role's access), how to use content types, rules and profiles. If you have experience with any other DM systems, know that metadata fields in UCM are not attributes of a document class; they are attributes of the system and present for all documents unless you filter them out with Rules.
    Know also that there are two Web UIs so when you read the latest documentation the screenshots are from the latest Web UI. I don't know if it has been installed in the Portal VM but if you want to install it, read the Support article 1618305.1, it is not simple.
    Martin

  • Public Folder Hierarchy From 2003 - LDAP Provider Error

    I am in the process of moving the public folders.  Currently all data from within the folders has been migrated over and the old servers have been removed from replication.  My next step is to move the Hierarchy, when I drag the folder from the
    2003 Administrative group to the 2010 Administrative group I receive the following:
    Exchange System Manager
    The server is unwilling to process the request.
    Facility: LDAP Provider
    ID no: 80072035
    Exchange System Manager
    OK  
    I have gone through the permissions for the ADSI objects and folders.  According to them the user that is performing the action has the rights to do so.

    Hi,
    In order to troubleshoot the issue more efficiently, I need to clarify some information.
    1. Could you expand the public folder hierarchy in Exchange 2003?
    2. Are there any error messages in the application log?
    3. Could you please run EXBPA to check the health of the Exchange 2003? What's the result?
    Here is an article about migrating public folders from Exchange 2003 to Exchange 2010, could you please follow that to check the result?
    How to Move Public Folder from Exchange 2003 to Exchange 2010
    http://blogs.technet.com/b/agobbi/archive/2010/08/04/how-to-move-public-folder-from-exchange-2003-to-exchagne-2010.aspx
    If there is any update, please feel free to post here for further research.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Getting 403 error code when trying to access UCM 11g from Admin console -- deployment

    We have deployed UCM 11g in cluster mode. When I test the application via the admin console --> deployment --> UCM, I can access UCM only on one member of the cluster. The other member gives me a 403 error code.

    Please, take a look at https://blogs.oracle.com/proactivesupportWCC/entry/clustering_and_high_availability_for (and contact the support group as advised)

  • How to access ucm table from external application?

    Hi All.
    Is it possible to access a UCM table (Configuration Manager -> Tables) from another external application?
    If yes, how to do it?
    Regards,
    Diovani

    It's just another DB table so JDBC would work fine.
    You can connect to the UCM schema using a free tool like Oracle SQL Developer and look at the tables; this also uses a JDBC connection.
    HOWEVER
    I would not really recommend you use this approach without knowing a lot more. Certainly you should not have an external application making changes to the UCM DB. If you just want to read data, SQL over JDBC is fine.
    BUT
    It is better really to use the existing UCM services to access the data; if there is not a service that does what you want then you create it. This keeps you within the same design pattern of UCM and means you can continue to benefit from security and other rich services that UCM provides over and above JDBC.
    Tim

  • Problem assigning an account for sending mail from external mail app

    Good morning, I have an iPhone 4s 16GB with iOS 7.0.6 and even though in Settings - Mail and Calendar I have set up the default account to use for sending mail outside the Mail app, it uses the iCloud mail account.
    If I select the iCloud account and then my Gmail account it sometimes works, but after some days it starts again to use the other account... I don't know if it is when I power off the iPhone... If I look into Settings - Mail and Calendar the account selected is Gmail even though the account used is iCloud.
    I think it is an iOS bug.
    Please let me know.
    Best regards

    Jun T. wrote:
    But there is a (high) possibility that Gmail's server requires authentication (or certification) to connect to it.
    I wonder if they're simply silently dropping emails in certain cases. I forgot earlier that I have a Gmail account. If I send an email from the command line on my home computer, which is on Comcast, the mail log shows that I successfully connect to Gmail, the message is sent and accepted by Gmail, but the email never arrives in my inbox. I've tried several times with the same result.
    However, emails from a web server from work get through to Gmail without a problem. So I'd bet it's a case of them not delivering mail from Comcast IP addresses.
    For grins, I also tried sending to my Yahoo email account from my home computer and their server at least refuses the connection and I get an error message stating that it's because it's a residential IP address.
    In this case you need an SMTP client (=a software which directly sends the mail to the Gmail server) which supports authentication.
    I think this might also be possible with Postfix by editing the configuration files. I know I had to set up authentication to send emails to my work address directly from my home computers, but I haven't been able to get the same thing to work with Gmail yet. If I get a chance, I'll look into it again later tonight.
    charlie

  • External LDAP user only has search priviledge in UCM

    After I have configured external LDAP successfully in the WebLogic console, I can see all users from external LDAP. And external LDAP users can log in to UCM successfully, but these users only have search privilege. I want external LDAP users to have Admin privilege like weblogic (default in embedded LDAP). How to solve it? Any help will be appreciated greatly! Otherwise, I refer to Oracle's document,
    51.1.14 LDAP Users Not Receiving Some Administrator Privileges
    UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
    How to add external LDAP users to the group of Administrators?

    Hi,
    You can use Credential Maps to achieve the requirement.
    Steps for the same are:
    1. Login to UCM - Administration - Credential Maps.
    2. Create the map name and the following mapping:
    <ldap role> , admin
    3. Save the changes.
    4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
    and add the following variable there:
    ProviderCredentialsMap=<map name created in step 2>
    5. Save the changes and restart the UCM server.
    After that, log in with the user who has the LDAP role that is mapped in step 2; this user will have the UCM admin role.
    Hope this helps.
    Thanks
    Srinath

  • Authentication in weblogic portal server 8.1 sp2 using external LDAP

    Hi,
    I am trying to use external LDAP for authentication.
    I have configured the ActiveDirectoryAuthenticator giving the necessary values (and added "-Dcom.bea.p13n.usermgmt.AuthenticationProviderName=ActiveDirectoryAuthenticator" in startWeblogic.cmd) and can see the users and the groups from my LDAP provider in the admin console and in the admin portal's "users and groups".
    A set of users are given permission to access the restricted site and those users are visible in the global role with the permission.
    The web.xml is configured for BASIC auth-method, and the role is <externally-defined/> in weblogic.xml.
    Now when I access a restricted page, I am shown a dialog prompt to key in the username and password.
    Even when I key in the valid credentials, the restricted page is not shown and an "Unauthorized xxx" 401 access error is thrown.
    Any clue on what I am missing?
    Please let me know if you have any suggestion / idea.
    Regards,
    Arun.

    Assuming your application is a WebLogic Portal application, then yes you would definitely need to install WLP 8.1. WLP version 8.1 is the only version of WLP that will run on WLS/WLW version 8.1.
    In order to obtain the product installer, you'll need to contact Oracle Support and file a request. It is not available for download from any Oracle public site. Only version 10.3 is available for download.
    Brad

  • External LDAP for UCM

    Hi.
    Is it possible to use external LDAP server for my UCM server without using external LDAP server for my admin server?
    That is I have a domain with admin server and UCM server.
    My admin server doesn't have external LDAP.
    So is it possible to use external LDAP server for my UCM server in such situation?
    And if it is possible, could you give me some information about it?
    (sorry for my English)

    First of all, thank you for links.
    But I have a problem: I configured my own LDAP provider and I can see that 'Connection State' is good (5 out of 5 connections are good), but I cannot log in to UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
    Here is my LDAP provider configuration:
    Provider Name:      MyLDAP
    Provider Description:      MyLDAP
    Connection State:      5 out of 5 connections are good
    Last Activity Date:      12/17/12 4:23 PM
    Provider Type:      ldapuser
    Provider Class:      intradoc.provider.LdapUserProvider
    Provider Connection:      intradoc.provider.LdapConnection
    Source Path:      MyLDAP
    LDAP Server:      localhost
    LDAP Suffix:      dc=example,dc=com
    LDAP Port:      10389
    Number of connections:      5
    Connection timeout:      10
    Priority:      1
    Credential Map:      
    SSL Enabled:      No
    Attribute Map:      uid:dFullName
    Role Prefix:      ou=groups
    Default Network Roles:      guest
    Filter Groups:      Yes
    Use Full Group Name:      No
    LDAP Admin DN:      uid=admin,ou=system
    And my LDAP structure:
    "dc=example,dc=com"
    _____"ou=groups,dc=example,dc=com"
    __________"cn=Administrators,ou=groups,dc=example,dc=com"
    __________"cn=admin,ou=groups,dc=example,dc=com"
    _____"ou=people,dc=example,dc=com"
    __________"uid=asdasd,ou=people,dc=example,dc=com"
    __________"uid=qweqwe,ou=people,dc=example,dc=com"
    In 'cn=Administrators' entry I have 'uniqueMember:uid=asdasd,ou=people,dc=example,dc=com' property
    In 'cn=admin' entry I have 'uniqueMember:uid=qweqwe,ou=people,dc=example,dc=com' property
    Nevertheless I cannot log in to UCM with users in my LDAP (Invalid Credentials. Please try entering your user name and password again.).
    Could you show me my mistake?
    Edited by: Michael Baygeldin on Dec 17, 2012 5:34 AM
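    As an added example (not from this thread and not Oracle's code), the following Python models how a UCM-style LDAP user provider could turn the directory structure above into UCM roles under the posted settings (Role Prefix ou=groups, Filter Groups Yes, Use Full Group Name No, Default Network Roles guest), and then apply a credential map of the form "<ldap role> , admin" as described in the Credential Maps reply earlier on this page. The in-memory entries, the extra cn=staff group and the resolution rules are constructed assumptions for illustration; the point is that only groups under the Role Prefix become roles, and a user with no matching group still ends up with only the default network role.

```python
SUFFIX = "dc=example,dc=com"

# Constructed in-memory directory mirroring the structure posted above, plus
# one extra group outside ou=groups to show what "Filter Groups: Yes" drops.
DIRECTORY = {
    "cn=Administrators,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=asdasd,ou=people,dc=example,dc=com"]},
    "cn=admin,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=qweqwe,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=other,dc=example,dc=com": {  # assumed extra group
        "uniqueMember": ["UID=asdasd, OU=people, DC=example, DC=com"]},
    "uid=asdasd,ou=people,dc=example,dc=com": {"uid": ["asdasd"]},
    "uid=qweqwe,ou=people,dc=example,dc=com": {"uid": ["qweqwe"]},
}

def normalize_dn(dn):
    """Canonical form for comparisons: trim spaces around RDNs, lowercase.
    LDAP DNs match case-insensitively, so a uniqueMember written as
    'UID=asdasd, OU=people,...' must still match the user's entry."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def dn_under(dn, base):
    """True if dn is base itself or sits below base in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)

def first_rdn_value(dn):
    """'cn=admin,ou=groups,...' -> 'admin' (the short group name)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()

def find_user_dn(directory, suffix, uid):
    """Locate the entry under the LDAP Suffix whose uid matches the login."""
    for dn, attrs in directory.items():
        if dn_under(dn, suffix) and uid in attrs.get("uid", []):
            return dn
    return None

def ldap_roles_for(directory, user_dn, suffix, role_prefix,
                   filter_groups=True, use_full_group_name=False):
    """Groups listing user_dn as uniqueMember, reduced to role names.
    filter_groups keeps only groups under <Role Prefix>,<Suffix>;
    use_full_group_name=False uses the first RDN value as the role."""
    group_base = role_prefix + "," + suffix
    wanted = normalize_dn(user_dn)
    roles = []
    for dn, attrs in directory.items():
        members = [normalize_dn(m) for m in attrs.get("uniqueMember", [])]
        if wanted not in members:
            continue
        if filter_groups and not dn_under(dn, group_base):
            continue
        roles.append(dn if use_full_group_name else first_rdn_value(dn))
    return roles

def apply_credential_map(ldap_roles, credential_map, default_roles):
    """Translate LDAP group names through <ldap role>, <ucm role> pairs.
    Unmapped names pass through unchanged; default network roles always
    apply, which is why a user with no matching group still gets 'guest'."""
    ucm_roles = set(default_roles)
    for role in ldap_roles:
        ucm_roles.add(credential_map.get(role, role))
    return ucm_roles

def resolve_ucm_roles(directory, uid, suffix=SUFFIX, role_prefix="ou=groups",
                      credential_map=None, default_roles=("guest",)):
    """End-to-end: login name -> user DN -> LDAP groups -> UCM roles.
    Returns None when the user does not exist under the suffix at all."""
    user_dn = find_user_dn(directory, suffix, uid)
    if user_dn is None:
        return None
    ldap_roles = ldap_roles_for(directory, user_dn, suffix, role_prefix)
    return apply_credential_map(ldap_roles, credential_map or {}, default_roles)

if __name__ == "__main__":
    for uid in ("asdasd", "qweqwe", "nobody"):
        print(uid, resolve_ucm_roles(DIRECTORY, uid,
                                     credential_map={"Administrators": "admin"}))
```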

  • AD Integration with UCM 11g - Selecting users from multiple OU

    Hi All,
    I have integrated AD with UCM 11g and able to login with AD username/password to UCM application.
    The one problem I face, the users of this application are scattered in different OUs in AD. Like OUs are created for different locations and users are present in that OU. I'm unable to select all the users of this application from different OU's.
    Like the users are present in below OUs.
    OU=Users,OU=America,DC=compnay,DC=net
    OU=Users,OU=Canada,DC=compnay,DC=net
    In User Base DN, what should I give? When I give any one of the above I get the users properly.
    Also is it possible to select users by querying a security group in AD and getting all the members (Users) of it. Because in our application we have only three roles (mapped to the corresponding three security group in AD), and all users of this application are assigned one of that role. So, I could get all the users by querying the security group. But I do not know if that is possible.
    Please advise.
    Kind Regards,
    Selvam S

    Hi Selvam,
    Just put User Base DN: DC=compnay,DC=net
    This will pull all users from both OU, along with some unwanted entries like computers on the domain. Another, possibly silly proposal, would be to create two Ldap authenticators with different User Base DN. Both should be on the top of authenticators list with Sufficient flags.
    Regards,
    Boris

  • Problem invoking UCM 11g Web services from ODI 11g

    We have a running UCM 11g instance with its web services (GenericRequest) properly configured.
    The WSDL is published at the URL http://ucmt:16200/idcws/GenericSoapPort?WSDL and reachable from any web browser.
    The service can be easily invoked from external applications such as soapUI 4.5.1, returning the correct SOAP response. Here is a sample request returning correct results:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ucm="http://www.oracle.com/UCM">
    <soapenv:Header/>
    <soapenv:Body>
    <ucm:GenericRequest webKey="cs">
    <ucm:Service IdcService="DOC_INFO">
    <ucm:User></ucm:User>
    <ucm:Document><ucm:Field name="dID">27099</ucm:Field></ucm:Document>
    </ucm:Service>
    </ucm:GenericRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    The problem occurs when we invoke it from the ODI assistant: when we type the WSDL URL and click the "Connect to WSDL" button,
    we get the following error in the middle pane: Invalid Request : java.lang.NullPointerException
    The port combo and the operation pane are correctly populated.
    UCM version is: 11gR1-11.1.1.6.0-idcprod1-121115T130554 (Versión Interna:7.3.3.183)
    ODI version is: 11.1.1.6.0
    Java(TM) Platform     1.6.0_30

    I would suggest contacting support channel to analyze such NPE if there is a product bug causing it.

  • Can't use my custom claims provider when access to my site from external url

    Hi,
    I just created a clean SP 2013 (15.0.4641.1000) environment and I have a site collection up and running with access from an internal URL (http://my_server_name/) and an external URL (http://cloudshare_external_url/).
    When I access from internal url (with the local administrator account) I can add users to site groups:
    But if I access from external url (with the local administrator account, too) the people picker does not work:
    And if I put the email directly, I get the following error: "Sorry, you are not allowed to share this with external users"
    What am I doing wrong? Am I missing something?

    Hi Sebasl,
    Based on your description, my understanding is that the users cannot be resolved when accessing the site using external URL.
    I recommend to check the authentication provider for the external zone of the web application to see if the custom claims provider is selected.
    Please go to Central Administration > Application Management > Manage web applications > highlight the corresponding web application and then click Authentication Providers in the ribbon > click the external zone.
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support
