Afaria User Group question

Hello,
I have a question regarding User Groups in Afaria.
If I have configured the active directory authentication in the Security settings of the Afaria Server.
I also configured 2 AD groups where my user is in 1 of the group and 2 User groups in Afaria, that shows to the AD groups.
SAP told me if I use the "User Name" variable in the enrollment code, I can use the user groups for the devices.
I tested it with the standard Afaria Client from the appstore without success. Only if I enroll via the Self Service Portal the devices are bound to the user group I created.
Is it really only possible via the SSP?
Thank you and best regards
Michael

Super.
We have used this:
USE [Afaria70]
GO
/****** Object:  Trigger [dbo].[MA_TR_IPhone_Device]    Script Date: 08/18/2013 22:51:30 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- =============================================
-- Author:            Peter Mohr
-- Create date:
-- Description:
-- =============================================
ALTER TRIGGER [dbo].[MA_TR_IPhone_Device]
   ON [dbo].[A_IPHONE_DEVICE]
   AFTER UPDATE, INSERT
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
    Update D
    SET D.AssignmentsUserName = D.SelfServiceUserName
    FROM A_IPHONE_DEVICE D
    INNER JOIN Inserted I ON I.arowid = D.ARowID
    WHERE I.SelfServiceUserName IS NOT NULL
END
BR
Peter

Similar Messages

  • Authenticated Users Group Question

    I have a quick question regarding the Authenticated Users "group". I used to be a systems administrator, but I'm a bit rusty since I've been a software developer for the last 10 years. A conflict with data center operations (DCO) group at work led me to get another opinion.
    The question is this... is the authenticated users group a domain-level group or is there a local authenticated users group that would allow only users authenticated locally? We have a share that permits the authenticated users group access.
    My opinion is that all domain users who have authenticated successfully have access to this share. The DCO group is telling me that this is the local (to the server containing the share of course) authenticated users group only.
    Is there such a thing as a local-only authenticated users group? To me this doesn't even make sense, but I could very well be wrong.
    Nathon Dalton
    Sr. Software Engineer
    Blog: http://nathondalton.wordpress.com

    I apologize. I don't think I explained myself correctly. Let's consider the following...
    SERVER: SERVER1
    DOMAIN: DOMAIN1
    SHARE: \\SERVER1\SHARE1
    SHARE PERMISSIONS: Authenticated Users - Full Control
    Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
    My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
    What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
    Nathon Dalton
    Sr. Lead Developer
    Blog: http://www.nathondalton.com

  • Afaria User Group

    Hi
    I'm using User Groups in Afaria based on an AD group.
    I have just one problem: I'm not able to see the device list when I use a user group.
    What can be happening?
    Regards,
    Lucas Araujo

    You're right.
    USER groups are not shown in the link window so you can't tell if a specific policy is linked to a given device/user pair. It will be but the UI doesn't show it.
    It's a pain to debug :-(
    BR
    Peter

  • OIM 9.1.0.2 - User group permission conflict issue

    Hi Gurus,
    IHAC who has faced strange behavior regarding a permission conflict.
    The user has been assigned to a user group (ANALISTA DRSI) which has permission to disable resources of the users he administrates. The user group has been assigned to the resource's administrator.
    The same user has been assigned to another user group (ANALISTA ADM DRSI) which has other permissions. The user group has not been assigned to the resource's administrator.
    If the user has been assigned only to the ANALISTA DRSI user group, the user is able to see records on the Rogue Account report. If the customer has been assigned to both ANALISTA DRSI and ANALISTA ADM, the user is not able to see the record on the Rogue Account report. He got a display error message (You do not have permission). Both user groups have the Report menu item assigned.
    My question: if the customer is assigned to a user group which has permission to see the reports, should the user not be able to see the report even though he is also in the other group which does not have permission?
    Is there a conflict in the OIM???
    Any tip will be very appreciated.

    Organization > Manage > Select Org in which users are getting created > Administrative Group (Drop Down) > Select Group for which users are not coming.

  • OIM 9.1.0.2 - User group permission

    Hi experts,
    IHAC that needs to configure some user groups in order to perform just specific activities. We have configured the user groups but with no success.
    1) Group that should see/track all the opened requests.
    Given all request permission. (The requests don't appear)
    2) Group that should disable Resource from user thru User Detail -> Resource Profile.
    Given all resource objects permission. (Error message: No permission)
    3) Group that create/manage Attestation.
    Given all attestation permission. (The attestation is created, but it doesn't appear to delegated user)
    Any tip on how to set the correct permission?
    Brgs,

    Hi,
    I was looking for the same questions! One of them I could make it to work...
    About question #3, some steps:
    1. Create a group with name, let's say: AttestationManagers
    2. Give the following permissions:
    Attestation Requests
    Attestation Process Tasks
    Attestation Data
    Attestation Process Definitions
    Attestation Process Administrator
    3. Make the users responsible for the attestation process part of group: AttestationManagers
    4. Create an attestation process and in the last field: Process Owner, put AttestationManagers
    5. Click: "Run Now"
    6. This attestation should appear to the user responsible for it.
    You can find an explanation about the attestation process in the following link: http://download.oracle.com/docs/cd/E14049_01/doc.9101/e14057/attestation.htm#insertedID1 and about the Process Owner, the point 15.1.1 in the above link.
    I hope it helps!
    Regards.

  • OSMF Online-only User Group Meeting -- Edwin van Rijkom  |  TODAY Wed, Jan 20 @ 12:00 NOON PST

    TODAY Wed, Jan 20 @ 12:00 NOON PST we are having the third meeting of the online-only OSMF User Group ( http://www.adobe.com/go/osmf_usergroup ).
    The online-only OSMF User Group is pleased to have a live presentation on OSMF's new features by a developer from the OSMF Team, Edwin van Rijkom, Sr. Computer Scientist at Adobe.  This meeting is open to all who are interested.  Please forward notice about this meeting to all who you think may be interested.
    The link for the online meeting room can be found in the meeting announcement link here:
    http://groups.adobe.com/posts/3e8fddb492
    Edwin will be reviewing changes and new features in OSMF delivered in Sprint 8 (released December), as well as providing an overview of new features in Sprint 9 (releasing next week).
    Topics to be covered include:
    API Refactoring Changes
    Subclip Support
    Live Streaming Support
    Flash Media Manifest File Format (F4M) Support
    Multi-BitRate (MBR) Streaming;
    Digital Rights Management (DRM) via Flash Access,
    Closed Captioning Plug-in
    Pre-Assigned Durations
    Edwin previously presented at the Adobe MAX 2009 conference as a co-presenter on the session entitled "Introduction to Adobe's Open Source Media Framework".  Following is a link for a recording of Edwin's MAX Session (Edwin's portion starting at 24:00 in the recording timecode):
    http://max.adobe.com/online/session/332
    OSMF is an open source ActionScript 3 framework for building video and media players supporting cutting edge Flash Platform features for media delivery.  If you have any curiosity about media players in Flash or Flex, this is a great forum for exploring and getting questions answered.
    If you have an ongoing interest in this area, please join this group by logging in at groups.adobe.com/groups/7af970e6e4 and selecting the "JOIN THIS GROUP" link (red graphic on right side).
    This online-only OSMF User Group meets regularly at this time and day of every month.  That is the 3rd Wednesday of every month @ 12:00 NOON PST time.  All meetings are recorded.  Links for prior meeting recordings are on the group site in various places including on the group home page under the heading "Previous Connect Sessions".
    Following are a few time zone conversions:
    London:  8:00 PM to 9:30 PM GMT
    Rome/Paris/Berlin:  9:00 PM to 10:30 PM CET
    New York:  3:00 PM to 4:30 PM EST
    Los Angeles:  12:00 NOON to 1:30 PM PST
    Sydney:  7:00 AM to 8:30 AM EDT ** THURSDAY January 21 **

    The presentation by Will Law was recorded and can be viewed online, on-demand from the following link:
    http://experts.na3.acrobat.com/p47054887/ 
    Will's presentation is an excellent introduction to HTTP Dynamic Streaming.
    This presentation is a supersized version of a presentation that Will also will be delivering at Adobe MAX 2010.  MAX session description here:
    http://bit.ly/bh77Gz 
    Supersized in that in the recording above Will spent a bit more time in ActionScript for the OSMF developers in attendance than he will with more general audiences.  Plus supersized in that Will took 1 hour 15 minutes (plus 15 minutes more on Q&A), whereas MAX sessions are 60 minutes, less a few minutes for the Q&A.
    hth,
    g

  • TFS says {oldaccount} is not a member of the Team Foundation Valid Users group, but I am

    I'm trying to check in changes to TFS using VS2013. When I hit the submit button, TFS returns the following error, "TF14002: The identity {domain} \ {oldaccount} is not a member of the Team Foundation Valid Users group."
    Background: my account name has been changed to {newaccount} from {oldaccount}.  And when the sys-admins changed my account name they did not update my computer itself, so I'm still using C:\Users\{oldaccount}. I can't believe that would make a difference but you never know....
    When I first started working at this company I'm almost certain I set up my TFS Workspace with my old account. But I thought I deleted all that stuff related to my old account and reset everything to my new account (Workspaces and TFS server). My lead tech has even shown me the account mgmnt screen with my new account name. And I've been able to check out items with my new account name.
    I performed the following steps to try to "clean out" TFS:
    • I copied all of my changed files to a back-up location.
    • I undid all changes in TFS (note that TFS has been allowing me to check out files to edit).
    • I deleted the TFS entry in Credential Manager per a suggestion online.
    • I deleted my Workspace.
    • I even deleted my TFS server.
    • I Rebooted my computer.
    • I reconnected to the TFS server.
    • I rebuilt my Workspace.
    • I restored my changed files from my back-up location.
    At this point I tried checking-in my changes again but got the same error message as above.
    Next, I deleted everything in this folder:
    C:\Users\ ...\AppData\Local\Microsoft\Team Foundation\5.0\Cache
    ... but I'm still seeing the error.
    Also, we'd been informed that a number of us need to downgrade from "Ultimate" to "Professional".  I did my downgrade to VS2013 Pro (after the steps above) but I am still seeing the same error.
    A comment on another question here suggested that I shelve my changes without preserving changes locally, then un-shelve and attempt to check-in.  This also did not work, I could shelve my changes and un-shelve, but doing so did not fix the original problem.
    Note that I do NOT have access to the TFS server itself - much less permissions to perform any sort of admin on it (and I don't know the person who would) - but might there be a table in the TFS database that still has an entry for my old account that could be joining to my computer name &/or new account name when TFS goes to look up my account info when I check in my changes? I am getting desperate for an answer!
    Any suggestions?
    Thanks,
    D. Kelley

    Hi D. Kelley,
    Thanks for the details. Based on your description, you might need to change or update the SID for users. Try identity command to change the username if you never use the new username in TFS. Check this page for more information about identities command in this page.
    You can also check the table "tbl_Identity" in the tfs_configuration database to see if the new user exists, or it has the old user. Another option is have a check on other machines to see if it works fine. Refer to links below for more information:
    https://social.msdn.microsoft.com/Forums/en-US/93568425-a877-4d21-8497-1adc4561b6d3/unable-to-check-in-code-to-tfs-due-to-tf14002-the-identity-old-user-name-is-not-a-member-of-the?forum=tfsversioncontrol
    https://social.msdn.microsoft.com/Forums/en-US/acc56859-624f-41bc-b698-cbb5e0b8f525/cant-check-in-code-the-identity-devoldusername-is-not-a-member-of-the-team-foundation-valid?forum=tfsversioncontrol
    Best regards,

  • Restricting certain users groups to read only for certain folders

    Hi
    I'm not sure if this is the correct forum, but hey, hopefully someone might know the answer or direct me to the correct one.
    I'm writing a VB program to amend ACLs for specific user groups.
    Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
    I've got to the point the program does everything I want, i.e. stops folder creation/deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the historic folders.
    Testing using the Windows GUI would appear to resolve the problem if I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
    Question then is how do I set this in VB, the default appearing to be "This folder only"
    Here's extract of my code
    Thanks
    Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
    Dim FileAcl3 As New FileSecurity
    If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
    FileInfo3.SetAccessControl(FileAcl3)
    End If

    Hi Rohn
    You're right, when I added the flags I got the following error at execution
    {"No flags can be set. Parameter name: inheritanceFlags"}
    I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
    I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
    Thanks
    Perry

    You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
    $varDirectoryName = "c:\folder"
    $GroupAdmin = "Admin Group"
    # DirectoryInfo yields a DirectorySecurity object, which accepts inheritance flags
    $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
    $FileAcl3 = $FileInfo3.GetAccessControl()
    # Add the rule so that it is inherited by subfolders and files
    $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
        $GroupAdmin,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )))
    # Write the modified ACL back to the folder
    $FileInfo3.SetAccessControl($FileAcl3)
    I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
    Does that make sense?
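
The inheritance-flag behaviour discussed in this thread, as an added example that is not part of the original posts: a Deny rule carrying ContainerInherit and ObjectInherit is rejected by a FileSecurity object (the "No flags can be set" error quoted above) but accepted by a DirectorySecurity object, after which files in the folder inherit the Deny. The sandbox folder, the file name `report.txt` and the use of BUILTIN\Users (well-known SID S-1-5-32-545) in place of the thread's group are assumptions made for the demonstration.

```powershell
# Added example (not from the thread). Works in a throwaway folder under the temp directory.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid().ToString("N"))
$dir  = New-Item -ItemType Directory -Force -Path (Join-Path $root "2012")   # stands in for a prior-year folder
$file = New-Item -ItemType File -Path (Join-Path $dir.FullName "report.txt")

# Assumption: BUILTIN\Users (well-known SID S-1-5-32-545) stands in for the restricted group.
$group = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")

# Deny deletion of the folder's contents, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]"Delete, DeleteSubdirectoriesAndFiles"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# 1. A file is not a container, so its FileSecurity object rejects any inheritance flag.
$fileAcl = Get-Acl -LiteralPath $file.FullName
try {
    $fileAcl.AddAccessRule($rule)
    "file ACL: rule accepted"
} catch {
    "file ACL: rule rejected -> " + $_.Exception.Message
}

# 2. The folder's DirectorySecurity object accepts the same rule. Set-Acl writes it,
#    and Windows propagates the inheritable ACE to the existing children.
$dirAcl = Get-Acl -LiteralPath $dir.FullName
$dirAcl.AddAccessRule($rule)
Set-Acl -LiteralPath $dir.FullName -AclObject $dirAcl

# 3. The file now carries the Deny as an inherited ACE; no per-file rule was needed.
(Get-Acl -LiteralPath $file.FullName).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Clean up: remove the Deny first, otherwise it blocks deleting the sandbox.
$dirAcl.RemoveAccessRuleSpecific($rule)
Set-Acl -LiteralPath $dir.FullName -AclObject $dirAcl
Remove-Item -LiteralPath $root -Recurse -Force
```

In the terms of the Windows GUI mentioned in the question, ObjectInherit alone corresponds to "This folder and files", and ContainerInherit together with ObjectInherit to "This folder, subfolders and files".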

  • Is there a way in 10.8 Profile Manager to assign certain users the sole right of adding/removing users to user groups?

    Hello,
    I want to assign certain network users the ability to login via browser to the profile manager for 10.8.x server and add/remove other users from user groups.  Think teachers managing their class rosters, if the class was a group and the users their students.  I do not want any other admin functionality beyond that for them.
    Suggestions?

    Well thank you for being so polite.  Yes, on looking on my 10.8 server, I have the same thing.  How annoying.  I have no idea how to answer your question.  If the management abilities are no longer in Workgroup Manager then there's a chance that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
    At least I can verify that it's not just you who gets that result.  I wonder what happened and how we're meant to do this now.

  • Windows NT-2000-XP User Group Policies - Clarification - broke?

    Environment ZFD 4.01 ir6
    We used to use the Windows NT-2000-XP User Group Policies as a catch all for
    our Windows 2000, XPsp1 and XPsp2 policies. Since applying ir6, I've
    noticed it does not let me use this option anymore. Could someone clarify
    my questions.
    Does this mean..
    I must use a Windows 2000 machine to configure the Windows 2000 policies and
    save those group policies files in a different network location? Likewise,
    should I use a WinXP sp1 machine, configure and save those group policies
    files to a separate folder than W2K files? And then use a WinXP sp2 machine
    and repeat the above? It seems that when I use a WinXP sp2 machine to
    configure the policies, my XPsp1 machines don't read the policies.
    Thanks


  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Identity Server has not been configured for this new user/group suffix

    Hi all
    I am having a problem trying to configure the Directory Server (5.2) for Messaging Server.
    My configuration is as follows:
    SJES Q12005
    Server 1 - Directory Server 5.2
    Server 1 - Access Manager (formerly Identity Server)
    Server 1 - Web Server 6.1
    I have successfully installed the above and can login to Access Manager.
    I next installed Calendar & Messenger Server on "Server 1". Upon running "comm_dssetup.pl" from /opt/SUNWcomds/sbin, I get the following error:
    "Identity Server has not been configured for this new user/group suffix"
    Copy and paste of what I entered:
    bash-2.05# perl comm_dssetup.pl
    Welcome to the Directory Server preparation tool for
    Sun Java(tm) System communication services.
    (Version 6.3 Revision 1.0)
    This tool prepares your directory server for use by the
    communications services which include Messaging, Calendar and their components.
    The logfile is /var/tmp/dssetup_20050830165940.log.
    Do you want to continue [y]:
    Please enter the full path to the directory where the Sun ONE
    Directory Server was installed.
    Directory server root [var/opt/mps/serverroot] : /opt/mps/serverroot
    Please select a directory server instance from the following list:
    [1] slapd-sunldap
    Which instance do you want [1]:
    Please enter the directory manager DN [cn=Directory Manager]: cn=DirMan
    Password:
    Detected DS version 5.2
    Will this directory server be used for users/groups [Yes]:
    Please enter the Users/Groups base suffix [dc=samplecompany-dev,dc=co,dc=uk] : ou=infrastructure,o=sampletown,dc=samplecompany-dev,dc=co,dc=uk
    There are 3 possible schema types:
    1 - schema 1 for systems with iMS 5.x data
    1.5 - schema 2 compatibility for systems with iMS 5.x data
    that has been converted with commdirmig
    2 - schema 2 native for systems using Identity Server
    Please enter the Schema Type (1, 1.5, 2) [1]: 2
    Identity Server has not been configured for this new user/group suffix
    You can opt to continue, but you will not be able to use
    features that depend on Identity Server
    Are you sure you want this schema type? [n]:
    I have entered my user group suffix exactly as specified during the Access Manager install (hence I am able to login as "amadmin").
    Looking at the LDAP logs to try and figure out what's going wrong I see it's not getting hits on all searches it is performing:
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - RESULT err=4 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=160 msgId=162 - ABANDON targetop=NOTFOUND msgid=161
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - SRCH base="ou=people,ou=infrastructure,o=northampton,dc=dataforce-de
    v,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(objec
    tClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscapeRe
    source)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - RESULT err=0 tag=101 nentries=0 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - SRCH base="ou=clientdata,ou=infrastructure,o=northampton,dc=dataforc
    e-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(o
    bjectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netsca
    peResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=163 msgId=165 - ABANDON targetop=NOTFOUND msgid=164
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - RESULT err=0 tag=101 nentries=41 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=166 msgId=168 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=166 msgId=168 - RESULT err=0 tag=101 nentries=41 etime=1
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - SRCH base="ou=iplanetamauthservice,ou=services,ou=infrastructure,o=n
    orthampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectC
    lass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServ
    er)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=168 msgId=170 - ABANDON targetop=NOTFOUND msgid=169
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - SRCH base="ou=iplanetamauthldapservice,ou=services,ou=infrastructure
    ,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(obj
    ectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscape
    Server)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=170 msgId=172 - ABANDON targetop=NOTFOUND msgid=171
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - SRCH base="ou=iplanetampolicyconfigservice,ou=services,ou=infrastruc
    ture,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)
    (objectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=nets
    capeServer)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=172 msgId=174 - ABANDON targetop=NOTFOUND msgid=173
    [30/Aug/2005:16:41:29 +0100] conn=299 op=173 msgId=175 - SRCH base="ou=iplanetamauthenticationdomainconfigservice,ou=services
    ,ou=infrastructure,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(
    --More--(83%)
    The list goes on.
    Can anyone give me any pointers?
    Thanks

    Hi
    Thanks for your reply!
    I did mis-type, my mistake - sorry about that.
    If I don't override the default it works. I've pretty much got the whole setup working now, but I'm not particularly over the moon about the way the LDAP tree is set up; I'd like finer granularity as we are going to attempt to get synchronization working with AD.
    I have an idea about how I'd like to set up our Mail/Calendar/LDAP infrastructure the 2nd time around (I'm just testing at the mo) - so I might have a question or two for you if you don't mind taking a look when you have a minute?
    Thanks Jay

  • Re: User group, info set and Query combination table

    Hi,
    I would like to know the combination table of User group, info set and Query.
    Can anybody please respond to my question?
    Regards,
    Suresh Kumar.

    Hi,
    Check the tables starting with AQG*.
    Reward points if useful.
    Regards,
    Atish

  • How to create more than 2000 users/groups in a good way.

    Hi, guys. I want to create more than 2000 users/groups with the Java API. Now I use a regular method to implement this function: log in, create a domain, open a maxlsession, and then call a maxl statement to create a user or a group. I find that the performance of this way is very bad. Can I write a function or a macro which can create these users/groups? If it works, how do I need to write the code? I have looked over all the Java API documentation; it seems that the ESSBASE API doesn't provide any related API which enables a developer to generate a function or a macro. If you know the answer to this question, please tell me. Thanks in advance.

    Dear Frank,
    Thank you so much for your answer. Besides the save point functionality to save the state and values on the screen, do you know other ways to do the same function? Once again, thank you so much.
    Linh Nguyen.

  • WLCS User/Group Management

    Hi,
    I am having a problem with the WLCS3.1 UserManagement part.
    The application we are building basically consists of two pieces, Internet and extranet (site accessible to our customers/partners by logging in).
    The Internet part has a couple of forms that our prospect customers submit, and this user profile information gets stored in Oracle.
    The second piece is our extranet, which works in sync with our Customer Relationship Management application. The users' information is put into Netscape Directory Server (NDS) by our CRM application and we just use it for authentication and single sign-on into both applications.
    Since the User Management system works in conjunction with the WebLogic Server's security realm (which happens to be LDAP for us), we cannot store users/groups in Oracle anymore by using JSP tag libraries.
    My question is whether we can store just the user (and password) in NDS LDAP and the GROUP and profile in WebLogic, and personalize the content based on this info.
    If so, what is the best workaround for this?
    Any help is greatly appreciated.
    Thanks
    -sarath

    Hi Tracy,
    Are you trying to create property sets?
    If you are trying to create a user/group property set, then you do that with the EBCC tool. See the "Site Infrastructure" tab and use File --> New --> Site Infrastructure --> User Profile to create a new one. See "Creating a Property Set Definition" at http://edocs.bea.com/wlp/docs70/dev/usrgrp.htm#998997 .
    Tracy Ward wrote:
    How do you assign Property sets in the user group management - the set shows in users and groups - but not in the management window
    --
    Ture Hoefner
    BEA Systems, Inc.
    4001 Discovery Drive
    Suite 340
    Boulder, CO 80303
    www.bea.com
