Glassfish LDAP group search results in Exception

I'm trying to get my group search running but I keep getting the same exception:
java.lang.NullPointerException
     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
     at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
     at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
     at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
     at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
There's only one post on the web with the same problem and there it is not fixed.
This is the domain.xml:
<auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://myldap:389"></property>
    <property name="base-dn" value="ou=Users,o=xxx"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
    <property name="search-bind-password" value="xxxxx"></property>
    <property name="search-filter" value="(&amp;(objectClass=user)(uid=%s))"></property>
    <property description="null" name="assign-groups" value="USER"></property>
    <property name="group-search-filter" value="(&amp;(objectClass=groupOfNames)(member=%d))"></property>
    <property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>
</auth-realm>
Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.
The group I am trying to map is:
cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx
And I do the following mapping in glassfish-web.xml:
<security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>cug-EPSManager-Administrators</group-name>
</security-role-mapping>
I also have used:
-Djava.naming.referral=follow
EDIT:
I also get the following log message indicating that the search-bind-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.
Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]
When I look at the LDAPRealm source code I see it is failing on the following statement:
int sz = grpAttr.size();
This looks to me like it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...
    /**
     * Search for group membership using the given connection.
     */
    private List groupSearch(DirContext ctx, String baseDN,
                             String filter, String target)
    {
        List groupList = new ArrayList();

        try {
            // Only the "target" attribute (the group name attribute) is requested
            // from each matching group entry.
            String[] targets = new String[1];
            targets[0] = target;

            SearchControls ctls = new SearchControls();
            ctls.setReturningAttributes(targets);
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // Every backslash in the filter is doubled before the search is issued.
            NamingEnumeration e = ctx.search(baseDN,
                filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);

            while (e.hasMore()) {
                SearchResult res = (SearchResult) e.next();
                Attribute grpAttr = res.getAttributes().get(target);
                // grpAttr is null when the returned entry carries no <target> attribute;
                // this is the line 705 in the stack trace above.
                int sz = grpAttr.size();
                for (int i = 0; i < sz; i++) {
                    String s = (String) grpAttr.get(i);
                    groupList.add(s);
                }
            }
        } catch (Exception e) {
            _logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
            _logger.log(Level.WARNING, "security.exception", e);
        }

        return groupList;
    }
Hope anyone knows the solution.
Coen
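The group-search step described in the question, replayed over an in-memory result set. This is an added example and not GlassFish code or the poster's: the DNs and the second, attribute-less group entry are constructed, and `group_search_safe` is a defensive variant of the quoted loop rather than what the realm ships.

```python
"""Simulation of the LDAPRealm group-search step over an in-memory result set.

Constructed example (not GlassFish code): the DNs, filter and attribute names
mirror the ones in the question; the "search results" are hand-built so the
logic runs offline.
"""

# Constructed inputs modelled on the question's domain.xml and log line.
USER_DN = "cn=cdamen,ou=Users,o=xxx"
GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(member=%d))"
GROUP_TARGET = "cn"  # attribute whose values become the group names

# (dn, attributes) pairs standing in for SearchResult objects. The second
# entry matches the filter but carries no "cn" attribute in the result.
SAMPLE_SEARCH_RESULTS = [
    ("cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx",
     {"objectClass": ["groupOfNames"],
      "cn": ["cug-EPSManager-Administrators"],
      "member": [USER_DN]}),
    ("cn=cug-EPSManager-Readers,ou=AccessControl,o=xxx",
     {"objectClass": ["groupOfNames"],
      "member": [USER_DN]}),
]


def build_group_filter(template, user_dn):
    """Substitute the authenticated user's DN for %d, producing the filter
    that appears in the realm's 'Error during LDAP search' log line."""
    return template.replace("%d", user_dn)


def escape_backslashes(ldap_filter):
    """Mirror the realm's replaceAll: every backslash in the filter is
    doubled before the search is issued."""
    return ldap_filter.replace("\\", "\\\\")


def group_search_naive(results, target):
    """Same shape as the quoted LDAPRealm loop: it assumes every returned
    entry carries the target attribute. For an entry without it attrs.get()
    returns None, the Python analogue of the NullPointerException at
    grpAttr.size()."""
    groups = []
    for _dn, attrs in results:
        grp_attr = attrs.get(target)
        for value in grp_attr:  # TypeError when grp_attr is None
            groups.append(value)
    return groups


def naive_fails(results, target):
    """True if the naive loop blows up on this result set."""
    try:
        group_search_naive(results, target)
    except TypeError:
        return True
    return False


def group_search_safe(results, target):
    """Defensive variant: attribute names are matched case-insensitively
    (LDAP attribute types are), and entries lacking the target attribute
    are reported instead of aborting the whole group lookup."""
    groups, skipped = [], []
    want = target.lower()
    for dn, attrs in results:
        values = None
        for name, vals in attrs.items():
            if name.lower() == want:
                values = vals
                break
        if not values:
            skipped.append(dn)
            continue
        groups.extend(values)
    return groups, skipped


if __name__ == "__main__":
    flt = escape_backslashes(build_group_filter(GROUP_SEARCH_FILTER, USER_DN))
    print("search filter:", flt)
    print("naive loop fails:", naive_fails(SAMPLE_SEARCH_RESULTS, GROUP_TARGET))
    groups, skipped = group_search_safe(SAMPLE_SEARCH_RESULTS, GROUP_TARGET)
    print("groups:", groups)
    print("entries without", GROUP_TARGET + ":", skipped)
```

The `skipped` list is the diagnostic the question is missing: it names the group entries that matched `(member=<userDN>)` but came back without the target attribute, which is the condition that drives the realm's loop into the exception.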

Hi Jeong
Can you explain exactly what you're trying to achieve.
Howard
http://www.avoka.com

Similar Messages

  • Grouping Search Results by Parent Folder

    Hello,
I am sure someone has come across this before. I would like to display search results grouped by Parent Folder. So all documents in FolderA would be grouped together and all documents in FolderB would be under a FolderB heading.

    Hi Craig,
    >> It is a performance issue if you don't have the right hardware ;>
    not all customers of SAP have the right hardware...
So far there is no easy grouping possibility. If there were grouping, grouping for folders would be the first.
    As a workaround (and in case you really have the right hardware) you might think of placing several search iViews that execute 'Search from here' in dedicated folder branches.
    >>I know that other search engines can do it.
    Some do, but eg Google don't...
It's also a matter of available meta information. In many scenarios there are not too many of them.
    Anyhow in near future SAP will offer UI elements for effective filtering on meta information.
    But that's not grouping!
    Regards Matthias
    PS: Though the answer is negative, please think of rewarding. This motivates further answers.

  • LDAP Log not showing external search results

    Hi,
    I'm conducting LDAP searches with a filter into the LDAP directory of OD Master. Results are as expected and authentication is correct for an LDAP user. I can see the authentication in PasswordServer.
    My question is, why doesn't the LDAP search show up in the LDAP Log (slapd.log)? All I get in this log are new user accounts when created showing a note that home directory attribute is not provided. I am not using home directories as AFP and Web services for groups are all that the user has access to. The preponderance of entries in LDAP Log are for
    "bdbsubstringcandidates: (authAuthority) index_param failed (18)"
    which has been there since 10.5 and continues despite making an index entry for authAuthority in slapd_macosxserver.conf and restarting the LDAP service.
    Can someone enlighten me on the functions of LDAP Log and what should be visible there?
    Harry

I just discovered that if the formulation output doesn't have any entries in the cross reference section, it will not appear in eqt search results. Does this make sense? Is there some config that we can adjust to make them appear even without a cross reference?
    thanks,
    David

  • Search Results Query Text - Get all data, Exclude all list data except one

    Hi Experts,
    I have a situation wherein in the global search of our internal site, we have to display all results & restrict any list item except one list. Earlier we had restricted /Lists/ & People to be displayed in the results.
    But in the new search results I have to display results from only one list along with other results (documents, sites, pages etc).
    Below is the original query text entered in the Search Results Query Text editor
    {searchboxquery} -contentclass:STS_List_Links  
    -filename:allitems.aspx  -Path:/articles/Pages/default.aspx
    -filename:DispForm.aspx  -Path:/Lists/ -Path:person.aspx
    I have tried various different queries with AND, OR operator. I have researched other blogs, sites over google. But unsuccessful. I am sure this is not a rare requirement. Need your expert help.
    I have tried this query also...
    {searchboxquery} (-filename:allitems.aspx -Path:/articles/Pages/ -Path:/Lists/ -Path:/PublishingImages/) OR
    (+(+Path: /Lists/ArticleContent/ AND +filename:*.aspx) AND
    -(-Path: */Lists/* OR -filename:*.aspx))
    Vighnesh Bendre
    MCTS
    http://markviky.blogspot.com

    Vighnesh,
    You should have success using the following:
    {searchboxquery} -contentclass:STS_List_Links -filename:allitems.aspx  -Path:/articles/Pages/default.aspx -Path:person.aspx ((-filename:DispForm.aspx  -Path:/Lists/) OR Path:/Lists/ArticleContent/)
    Two things from your original query were excluding list items from your results, your exclusion of file
    DispForm.aspx and path Lists.  By using "OR" in the above query, we're creating an exception to also allow items under
    Lists/ArticleContent to be included in the results.

  • Sharepoint 2013 custom search results grouping display template

    Hi,
    I am trying to implement custom grouping for search result items. I would like to group them by a managed property, but without using result blocks (query rules). The idea is to sort the results by the property and then compare the current item (ctx.CurrentItem)
    with the previous item using ctx.CurrentItem.ParentTableReference. If a new property value is detected we insert a new 'group header' (just some simple html). The problem is the ParentTableReference is undefined. Shouldn't there be such a property in current
    item object?
    I'm implementing this in a custom search result item display template...
    Thanks in advance.

    Hi,
    According to your post, my understanding is that you want to customize search result items display template.
I suggest you enumerate all properties of the JavaScript context object and debug your code to watch the
ctx.CurrentItem object.
    The following articles for your reference:
    Debugging Display Templates in SharePoint 2013 Search
    http://powersearching.wordpress.com/2013/01/25/debugging-display-temlates-in-sharepoint-2013-search/
    Enumerate all properties of JavaScript context object in display templates in SharePoint 2013
    http://sadomovalex.blogspot.co.uk/2013/06/enumerate-all-properties-of-javascript.html
    How to Define a Custom Group Display Template (GroupTemplateId) for the Search Results WebPart via JavaScript
    http://www.eliostruyf.com/how-to-define-a-custom-group-display-template-for-the-search-results-webpart-via-javascript/
    Creating customized search results in SharePoint 2013
    http://www.abelsolutions.com/totm/creating-customized-search-results-in-sharepoint-2013/
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Grouping refinement while grouping the search results in sku based indexing

    Hi,
    We are doing sku based indexing and for a business requirement we had to group the results by product. We were able to achieve this by setting the sorting attribute in the search request.
    sorting=property
    sortProperty=string:$repositoryId:1
    But in the search response though the results are grouped by product the refinements count for the facet created on sku property is greater than the total results count. To group the refinements as well, we have used refineCount=group in the search request but did not find any difference in the response or refinements count. Even though refineCount=group is present in the search request, it is not showing up in the search response.
    Is there a way to group the refinements when the results are grouped in sku based indexing?

    Hi,
    What is your ATG version?
    Regards,
    Jai

  • Paged LDAP Search Results Question

    Greetings,
I have some code that does a dbms_ldap.search_s to create a view of all users. Everything was working fine until last week when I got an error and I realized the results returned exceeded the LDAPS MaxPageSizeLimit (was set to 2000, we now have 2000+ users). I was able to get the sys admins to increase the size temporarily until I can modify my code to page the search results. I've been doing some research on Paged LDAP Search Results and am not finding much for dbms_ldap. Perhaps my research skills are not up to snuff. In any case, I found on oracle docs (http://docs.oracle.com/cd/E17904_01/oid.1111/e10186/ext_ldap.htm#CEGJJIAF) where it references:
    "As of Oracle Internet Directory 10g (10.1.4.0.1), you can obtain paged results from an LDAP search, as described by IETF RFC 2696. You request sorted results by passing a control of type 1.2.840.113556.1.4.319 to the search function. Details are described in RFC 2696."
    However, I'm not finding much on how to implement this using dbms_ldap.
Can anyone point me somewhere that I can find how to implement returning pagedResults using ldap with Oracle 11g?
    Best,
    Nat
    Edited by: 899806 on Jan 10, 2012 10:23 AM

    Yes, I did read that but I don't see in that file where it references anything about dbms. I see the section on:
    RFC 2696 LDAP Control Ext. for Simple Paged Results September 1999
    pagedResultsControl ::= SEQUENCE {
    controlType 1.2.840.113556.1.4.319,
    criticality BOOLEAN DEFAULT FALSE,
    controlValue searchControlValue
    However, when I look at oracle docs, I don't see where in dbms_ldap you can specify this config. any pointers?

  • Java Exception during we click the item short description in search result

    Hi Experts,
    We are in SRM-MDM Catalog 3.0.
When we click an item's short description in the catalog search result list to open the item detail, the new screen opens with an internal server error. The error summary is "java.lang.NullPointerException: The relationship ID is not an optional parameter." I have validated the XML mapping; I can not find any fields which were used for the "relationship ID".
The SAP note found in a forum is for SRM MDM Catalog 3.0 SP02 but we are using SRM MDM Catalog 3.0 SP09. Can anyone
please advise.
    Below is error
    500 Internal Server Error
    SAP NetWeaver Application Server 7.00/Java AS 7.00
    Failed to process request. Please contact your system administrator.
    Hide
    Error Summary
    While processing the current request, an exception occured which could not be handled by the application or the framework.
    If the information contained on this page doesn't help you to find and correct the cause of the problem, please contact your system administrator. To facilitate analysis of the problem, keep a copy of this error page. Hint: Most browsers allow to select all content, copy it and then paste it into an empty document (e.g. email or simple text file).
    Root Cause
    The initial exception that caused the request to fail, was:
    java.lang.NullPointerException: The relationship ID is not an optional parameter. at com.sap.mdm.data.commands.RetrieveRelationshipsCommand.execute(RetrieveRelationshipsCommand.java:91)
    at com.sap.mdm.extension.data.commands.RetrieveRelationshipsExCommand.execute(RetrieveRelationshipsExCommand.java:43)
    at com.sap.srm.mdm.Model.getRelationships(Model.java:3510)
    at com.sap.srm.mdm.Model.updateRecordRelationships(Model.java:3683)
    at com.sap.mdm.srmcat.uiprod.ItemDetails.displayFixedItemDetails(ItemDetails.java:6047)
    ... 34 more
    Regards
    Sunil

    Hi Sunil,
There is only one cause for Nullpointer exception. The connectivity between the source and target system no longer exists.
Please restart the MDM server once, this might help.
    Regards,
    Vignesh

  • How to get webui search result only a group data?

    Dear Friends,
In BP_HEAD we have enhanced with custom logic. We are registering a group of customers under field bu_group in but000. In component BP_HEAD_SEARCH we are getting all the data in BUT000. How do I show only group data under field bu_group in the search result?
    Thanks & Regards
    Deva

    Hello Thomas,
I need to make data searchable only when created by the user. How do I make BUT000-CRUSER default in the background in Search?
I have used the below insert, but the search options which are in display are being affected:
    CALL METHOD Lv_QS->INSERT_SELECTION_PARAM
        EXPORTING
          IV_INDEX     = '1'
          IV_ATTR_NAME = 'CREATION_USER'
          IV_SIGN      = 'I'
          IV_OPTION    = 'EQ'
          IV_LOW       = sy-uname
    Thank and  Regards
    Deva

  • Problem with Search Results do not appear consistently except for farm administrator

    We have Server farm with multiple web applications hosted on 443 port, all of them available over internet for the authenticated company users to use.
When a user searches for content in the search box on the visited page, some/many users get no results the first time after clicking on the search box; if they refresh the page or search again, it might return the results. Again, clicking on the next page or
page number button it goes empty. Refreshing the page shows the current page. When the Farm Administrator searches, he consistently gets the results (though the count of results increases/decreases as he changes the page number).
    Web application is on Windows Claims and Only (Default Zone) entry in Alternative Access Mapping is
    https://subdomain.domain.com, this is same for all applications.
    1)  Can I get rid of the issue by / Effect of adding local IP Addresses on Intranet Zone?
    2) Will Crawl have any effect on using the Public Domain for Crawling?
    Kindly Advise.

    Hi Vasudev,
    Based on your description, my understanding is that there are no search results when the users search for the first time.
    I recommend to check the things below:
    Use the public URL of the default zone in the content source in Search Service application.
    Use fiddler or F12 tool to check the requests when doing search in SharePoint site to see if the query request has been sent successfully.
    Check ULS log to see more detailed error message. For SharePoint 2013, by default, ULS log is at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
    You do not need to add the local IP address on the intranet zone.
    If you use Public domain URL for crawling, then the results returned will show with the URL of public zone even if you do search in the internal zone.
    https://technet.microsoft.com/en-us/library/dn535606(v=office.15).aspx#BKMK_CrawlDefaultZone
    Thanks,
    Victoria
    Forum Support
    Victoria Xia
    TechNet Community Support

  • Retrieve nested LDAP groups independent from the network env. (five different approaches)

    Hi all,
    I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
* The script/program must run in different network environments (I can't be sure if there is a global catalog or AD DS or AD LDS, etc). I will write my own program.
    * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
    the directory ACL's.
    * It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
    Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
    1) tokengroups attribute:
- The attribute contains Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
    - Returns a list of SIDs which will have to be translated to group names
    - The tokenGroups attribute exists on both AD DS and AD LDS
    - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
    - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
    - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
    2) tokenGroupsGlobalAndUniversal
    - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
    - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
    - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
    sure if this is correct, I think it doesn't contain local groups.
    - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
    3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
    - Use a recursive search query which returns all nested groups for user at once.
    - Returns all groups except for the primary group
    - It's a fast approach, see performance test from Richard Mueller:
    http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
    - It only works on Active Directory, not for other LDAP implementations
    4) Recursive retrieval of the memberOf attribute
    - Retrieves all groups except the primary group. (also local groups from other domains??)
    - works for all LDAP implementations
    - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
    5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
    - No heavy load to the LDAP
    - Needs space to store the user/group info locally (embedded Derby database perhaps)
    - Performs fast since the queries are executed locally
    - Works for all LDAP implementations
    My thoughts on these different approaches:
* approach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
    * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
    * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
    * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
* approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, database id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
loops are done locally. It will work for all LDAP implementations.
    What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
    LDAP host/port and bind user to connect to LDAP).
    Thanks a lot!
    Paul

    I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
    effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
    nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
    But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
    LDAP.
    Again - note that this question has nothing to do with LDAP or AD.  It just asks what group has permissions on what resources.
I really think you would do well to spend time understanding the NTFS and its security along with how we use security in Windows.  By assuming this has something to do with AD you are making it a bigger issue than needed.  AD is a repository for
accounts and trusts and manages authentication and security group membership.  All file security is managed by the OS that hosts the files and not by AD.  Users are not normally granted access to resources through direct inclusion in the DACL but
are given access through membership in one or more groups.  Loading AD into a SQL database will not help you.
    ¯\_(ツ)_/¯
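Approaches 3 and 5 from Paul's list, plus the "who is effectively in group ABC" question from the follow-up, as an added example that is not the poster's code. The memberOf cache, the DNs and the membership cycle are constructed; the filter built for approach 3 is the matching-rule-in-chain form the thread names, with RFC 4515 escaping of the DN value.

```python
"""Nested-group resolution from a locally cached memberOf map (approach 5)
and the LDAP_MATCHING_RULE_IN_CHAIN filter for approach 3.

Constructed example: the DNs below are made up, and the cache includes a
group cycle (G-Ops <-> G-Admins) to show the walk terminates.
"""
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed cache: principal DN -> memberOf DNs (users and groups alike),
# as approach 5 would store it after one nightly pull of the memberOf attribute.
MEMBER_OF = {
    "CN=alice,OU=Users,DC=example,DC=test": ["CN=G-Devs,OU=Groups,DC=example,DC=test"],
    "CN=bob,OU=Users,DC=example,DC=test": [],
    "CN=G-Devs,OU=Groups,DC=example,DC=test": ["CN=G-Ops,OU=Groups,DC=example,DC=test"],
    "CN=G-Ops,OU=Groups,DC=example,DC=test": ["CN=G-Admins,OU=Groups,DC=example,DC=test"],
    "CN=G-Admins,OU=Groups,DC=example,DC=test": ["CN=G-Ops,OU=Groups,DC=example,DC=test"],
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter, so a DN
    containing '(', ')', '*' or '\\' cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(member_dn):
    """Approach 3: a single server-side query whose result is every group the
    principal is a transitive member of (AD only; primary group excluded)."""
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                escape_filter_value(member_dn))


def nested_groups(member_dn, member_of):
    """Approach 5: breadth-first closure over the cached memberOf links.
    DNs are compared case-insensitively and a visited set stops cycles.
    Assumes cache keys are stored in the same case the memberOf values use."""
    seen = {}
    queue = deque(member_of.get(member_dn, []))
    while queue:
        group_dn = queue.popleft()
        key = group_dn.lower()
        if key in seen:
            continue
        seen[key] = group_dn
        queue.extend(member_of.get(group_dn, []))
    return sorted(seen.values())


def effective_members(group_dn, member_of):
    """Reverse question from the follow-up post: every principal (user or
    group) whose nested membership reaches group_dn, excluding the group itself."""
    target = group_dn.lower()
    members = []
    for dn in member_of:
        if dn.lower() == target:
            continue
        if any(g.lower() == target for g in nested_groups(dn, member_of)):
            members.append(dn)
    return sorted(members)


if __name__ == "__main__":
    user = "CN=alice,OU=Users,DC=example,DC=test"
    print("approach 3 filter:", in_chain_filter(user))
    print("approach 5 groups:", nested_groups(user, MEMBER_OF))
    print("effective members of G-Admins:",
          effective_members("CN=G-Admins,OU=Groups,DC=example,DC=test", MEMBER_OF))
```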

  • Ldap group lookups very slow

    We are currently testing Solaris 11 on one of our servers. We are encountering the problem that
    ldap group lookups are very slow. This didn't occur under Solaris 10. The ldap information is held
    in Active Directory with all unix information held in a relatively small separate branch, except for passwd information,
    which is held in the main very large part of AD (using the same user object for unix as used for the equivalent Windows user but
    with the added unix posixAccount attributes). What appears to be happening is that the first search is very
    quick when it accesses posixGroup information from the unix branch but it then tries to perform a memberOf
    search which must be using the passwd search base which then searches the whole of the AD and it is this
    part which is extremely slow. Is there any way of disabling the memberOf search ?
    The following snoop information is an example of the problem search ....
    LDAP: Operation *[APPL 3: Search Request]
    LDAP: [Base Object]
    LDAP: ou=uol,dc=livad,dc=liv,dc=ac,dc=
    LDAP: uk
    LDAP: [Scope]
    LDAP: wholeSubtree
    LDAP: [DerefAliases]
    LDAP: derefAlways
    LDAP: [SizeLimit]
    LDAP: [TimeLimit]
    LDAP: [TypesOnly]
    LDAP: Extensible Match *[9]
    LDAP: MatchingRule [1]
    LDAP: 1.2.840.113556.1.4.1941
    LDAP: Type [2]
    LDAP: memberOf
    LDAP: MatchValue [3]
    LDAP: CN=eme,OU=Group,OU=Unix,OU=UOL
    LDAP: ,DC=livad,DC=liv,DC=ac,DC=uk
    LDAP: dnAttributes [4]
    LDAP: *[Sequence]
    LDAP: [OctetString]
    LDAP: sAMAccountName
    LDAP: [OctetString]
    LDAP: objectClass
    LDAP: Controls List *[0]
    LDAP: *[Control]
    LDAP: [LDAP OID]
    LDAP: 1.2.840.113556.1.4.473
    LDAP: [Criticality]
    LDAP: [Control value]
    LDAP: *[Control]
    LDAP: [LDAP OID]
    LDAP: 2.16.840.1.113730.3.4.9
    LDAP: [Criticality]
    LDAP: [Control value]
    This is our ldap_client_file
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_AUTH= simple
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    NS_LDAP_SEARCH_BASEDN= ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
    NS_LDAP_BIND_TIME= 5
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SERVERS= bhdc01.livad.liv.ac.uk
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
    NS_LDAP_SEARCH_TIME= 8
    NS_LDAP_CACHETTL= 0

    Are you testing on the same machine?? or you're testing the SQL*Plus on the database machine directly??
    Tony

  • LDAP groups to pool assignation problem

    Hi All,
    I have created two pools "Vista" and "Ubuntu" with two LDAP group associated ("Vista" and "Ubuntu"). I have a user "XX" which is in both LDAP groups (Vista and Ubuntu).
    When I display information about user XX in WEb interface, I get the information that the user is in 2 pools. But when I try to connect, I don't get any chooser and a desktop is started (generally the last used).
    Both pools contain enough free desktops (about 10).
I have tried to use the "vda" command to see the configuration from the command line. Unfortunately, I don't succeed. The command "vda user-search" gives me the answer "XX uid=XX,ou=People" and when I try to pass the command "vda user-show XX" I get the answer "user not found, try command vda user-search".
    I use VDI3 software with the latest patches.
    Any help or idea would be greatly appreciated.
    Thanks
    rhino64

    Hello,
    you can look for more information about the failing commands in the cacao log file
    /var/cacao/instances/default/logs/cacao.0
    after increasing the log level as explained in:
    [http://wikis.sun.com/pages/viewpage.action?pageId=139002331|http://wikis.sun.com/pages/viewpage.action?pageId=139002331]
    rhino64 wrote:
    root@zzz:/ # vda user-show test1
    User test1 not found. Use the user-search subcommand to search for existing
    users or groups.
    root@zzz:/ # vda user-show 10009
    User 10009 not found. Use the user-search subcommand to search for existing
    users or groups. In the two commands above, you seem to be trying to use the userid of the user. VDI uses the list of attributes defined in the global setting ldap.userid.attributes to search for users from their userid. So what is the value of the ldap.userid.attributes setting ?
    #/opt/SUNWvda/sbin/vda settings-getprops -p ldap.userid.attributes
    And then what is the value of the corresponding attribute for your user ? You should use this value as userid for your user.
    It is up to you to decide which attribute of the directory is the userid of your user, and then edit ldap.userid.attributes accordingly.
    See http://wikis.sun.com/display/VDI3/Customizing+the+LDAP+Filters+and+Attributes for more details.
    root@zzz:/ # vda user-show 'cn=test1,ou=People'
    User cn=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups. This command would not work because as listed in the user-search command, the dn for your user is not cn=test1...
    root@zzz:/ # vda user-show 'uid=test1,ou=People'
    User uid=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups.This command should work fine and I can't really explain why it doesn't. The only difference I can see with the result of user-search is the capitalized 'People' so maybe try:
    # vda user-show 'uid=test1,ou=people'
    Katell

  • Create Authorization Scheme for LDAP Groups

    I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
    I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?

    hi larosejh
    If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
    DECLARE
      retval       PLS_INTEGER;
      my_session   DBMS_LDAP.session;
      my_attrs     DBMS_LDAP.string_collection;
      my_message   DBMS_LDAP.message;
      my_entry     DBMS_LDAP.message;
      entry_index  PLS_INTEGER;
      my_dn        VARCHAR2(256);
      my_attr_name VARCHAR2(256);
      my_ber_elmt  DBMS_LDAP.ber_element;
      attr_index   PLS_INTEGER;
      my_vals      DBMS_LDAP.string_collection;
      ldap_host    VARCHAR2(256);
      ldap_port    PLS_INTEGER;
      ldap_user    VARCHAR2(256);
      ldap_passwd  VARCHAR2(256);
      ldap_base    VARCHAR2(256);
    BEGIN
      retval := -1;
      -- Please customize the following variables as needed
      ldap_host := 'host';
      ldap_port := 389;
      -- In case of update/insert/delete, change ldap_user to an account with write access, e.g.
      -- ldap_user   := 'cn=orcladmin';
      -- ldap_passwd := 'welcome';
      -- Set user and password to NULL for an anonymous bind.
      ldap_user   := 'user';
      ldap_passwd := 'password';
      ldap_base   := 'CN=Users,DC=ee,DC=intern';
      -- end of customizable settings

      -- Start output header --
      DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
      DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
      DBMS_OUTPUT.PUT_LINE('');
      DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
      DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || TO_CHAR(ldap_port));

      -- Let the DBMS_LDAP library raise exceptions instead of returning error codes.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
      my_session := DBMS_LDAP.init(ldap_host, ldap_port);
      DBMS_OUTPUT.PUT_LINE(RPAD('> Ldap session ',25,' ') || ': ' ||
                           RAWTOHEX(SUBSTR(my_session,1,8)) ||
                           '(returned from init)');

      -- bind to the directory
      retval := DBMS_LDAP.simple_bind_s(my_session, ldap_user, ldap_passwd);
      DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': ' || TO_CHAR(retval));

      -- issue the search ('*' = retrieve all attributes of every entry under ldap_base)
      my_attrs(1) := '*';
      retval := DBMS_LDAP.search_s(my_session, ldap_base,
                                   DBMS_LDAP.SCOPE_SUBTREE,
                                   'objectclass=*',
                                   my_attrs,
                                   0,
                                   my_message);
      DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': ' || TO_CHAR(retval));
      DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP message ',25,' ') || ': ' ||
                           RAWTOHEX(SUBSTR(my_message,1,8)) ||
                           '(returned from search_s)');

      -- count the number of entries returned
      retval := DBMS_LDAP.count_entries(my_session, my_message);
      DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': ' || TO_CHAR(retval));
      DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
      -- End output header --

      -- get the first entry
      my_entry := DBMS_LDAP.first_entry(my_session, my_message);
      entry_index := 1;

      -- Loop through each of the entries one by one
      WHILE my_entry IS NOT NULL LOOP
        -- print the current entry
        my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
        -- DBMS_OUTPUT.PUT_LINE(' entry #' || TO_CHAR(entry_index) ||
        --                      ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
        DBMS_OUTPUT.PUT_LINE(' dn: ' || my_dn);

        -- walk the attributes of the entry; my_ber_elmt keeps the iterator state
        my_attr_name := DBMS_LDAP.first_attribute(my_session, my_entry, my_ber_elmt);
        attr_index := 1;
        WHILE my_attr_name IS NOT NULL LOOP
          my_vals := DBMS_LDAP.get_values(my_session, my_entry, my_attr_name);
          IF my_vals.COUNT > 0 THEN
            FOR i IN my_vals.FIRST .. my_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' || SUBSTR(my_vals(i),1,200));
            END LOOP;
          END IF;
          my_attr_name := DBMS_LDAP.next_attribute(my_session, my_entry, my_ber_elmt);
          attr_index := attr_index + 1;
        END LOOP;

        my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
        DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
        entry_index := entry_index + 1;
      END LOOP;

      -- unbind from the directory
      retval := DBMS_LDAP.unbind_s(my_session);
      DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' || TO_CHAR(retval));

      -- Start output footer --
      DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
      -- End output footer --

    -- Handle exceptions
    EXCEPTION
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
        DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
        DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
    END;
    /
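    The snippet above only dumps a subtree; what the question actually needs is a function an APEX authorization scheme of type "PL/SQL Function Returning Boolean" can call. The following is an added example, not code from the thread or from Oracle: it resolves the APEX session user to a DN with a read-only lookup account, then asks the group entry itself whether that DN is one of its member values, and fails closed on any error. The host, port, wallet path, lookup account, search base, group DN and the Active Directory attribute names (sAMAccountName, member) are assumptions to be replaced with your own.

    ```plsql
    -- Added example (not from the original thread). Authorization scheme body:
    --   RETURN ldap_group_member(:APP_USER);
    -- All connection details and DNs below are placeholders.
    CREATE OR REPLACE FUNCTION ldap_group_member (
        p_username IN VARCHAR2,
        p_group_dn IN VARCHAR2 DEFAULT 'CN=ApexAdmins,OU=Groups,DC=ee,DC=intern'
    ) RETURN BOOLEAN
    IS
        c_host       CONSTANT VARCHAR2(256) := 'ldap.ee.intern';          -- assumed
        c_port       CONSTANT PLS_INTEGER   := 636;                       -- 389 for plain LDAP
        c_wallet     CONSTANT VARCHAR2(256) := 'file:/u01/app/oracle/wallet'; -- assumed
        c_wallet_pwd CONSTANT VARCHAR2(256) := NULL;                      -- auto-login wallet
        c_bind_dn    CONSTANT VARCHAR2(256) := 'CN=apex-lookup,CN=Users,DC=ee,DC=intern';
        c_bind_pwd   CONSTANT VARCHAR2(256) := 'change-me';  -- keep outside source in practice
        c_user_base  CONSTANT VARCHAR2(256) := 'CN=Users,DC=ee,DC=intern';
        l_session    DBMS_LDAP.session;
        l_attrs      DBMS_LDAP.string_collection;
        l_msg        DBMS_LDAP.message;
        l_entry      DBMS_LDAP.message;
        l_rc         PLS_INTEGER;
        l_user_dn    VARCHAR2(1024);
        l_member     BOOLEAN := FALSE;

        -- RFC 4515 escaping: a login name (or a DN) spliced into a search filter
        -- must not be able to add filter terms of its own, e.g. "*)(objectClass=*".
        FUNCTION filter_escape (p_val IN VARCHAR2) RETURN VARCHAR2 IS
            l_out VARCHAR2(4000);
            l_ch  VARCHAR2(1 CHAR);
        BEGIN
            FOR i IN 1 .. NVL(LENGTH(p_val), 0) LOOP
                l_ch  := SUBSTR(p_val, i, 1);
                l_out := l_out || CASE l_ch
                                    WHEN '\'    THEN '\5c'
                                    WHEN '*'    THEN '\2a'
                                    WHEN '('    THEN '\28'
                                    WHEN ')'    THEN '\29'
                                    WHEN CHR(0) THEN '\00'
                                    ELSE l_ch
                                  END;
            END LOOP;
            RETURN l_out;
        END filter_escape;
    BEGIN
        IF p_username IS NULL THEN
            RETURN FALSE;
        END IF;

        DBMS_LDAP.USE_EXCEPTION := TRUE;
        l_session := DBMS_LDAP.init(c_host, c_port);
        -- LDAPS: upgrade the connection before binding. sslauth = 2 verifies the
        -- server certificate against the wallet; 1 would skip verification.
        l_rc := DBMS_LDAP.open_ssl(l_session, c_wallet, c_wallet_pwd, 2);
        -- Bind with a read-only lookup account. The user's own password is not
        -- available at authorization time and is not needed for this check.
        l_rc := DBMS_LDAP.simple_bind_s(l_session, c_bind_dn, c_bind_pwd);

        -- Step 1: resolve the login name to exactly one DN (0 or 2+ hits deny).
        l_attrs(1) := 'cn';
        l_rc := DBMS_LDAP.search_s(l_session, c_user_base, DBMS_LDAP.SCOPE_SUBTREE,
                    '(&(objectClass=user)(sAMAccountName=' || filter_escape(p_username) || '))',
                    l_attrs, 0, l_msg);
        IF DBMS_LDAP.count_entries(l_session, l_msg) = 1 THEN
            l_entry   := DBMS_LDAP.first_entry(l_session, l_msg);
            l_user_dn := DBMS_LDAP.get_dn(l_session, l_entry);

            -- Step 2: read the group entry (scope BASE) with a filter on its member
            -- attribute. The entry comes back only if this DN is a member.
            l_rc := DBMS_LDAP.search_s(l_session, p_group_dn, DBMS_LDAP.SCOPE_BASE,
                        '(member=' || filter_escape(l_user_dn) || ')',
                        l_attrs, 0, l_msg);
            l_member := DBMS_LDAP.count_entries(l_session, l_msg) = 1;
        END IF;

        l_rc := DBMS_LDAP.unbind_s(l_session);
        RETURN l_member;
    EXCEPTION
        WHEN OTHERS THEN
            -- Fail closed: a directory outage or a failed bind denies, never grants.
            BEGIN
                l_rc := DBMS_LDAP.unbind_s(l_session);
            EXCEPTION
                WHEN OTHERS THEN NULL;
            END;
            RETURN FALSE;
    END ldap_group_member;
    /
    ```

    Two practical notes. APEX evaluates an authorization scheme once per session by default, so a group change takes effect at the next login rather than immediately; set the scheme's evaluation point to "Once per page view" if that matters. Against Active Directory the plain member filter sees direct members only; to honour nested groups use the matching-rule form (member:1.2.840.113556.1.4.1941:=<dn>) in step 2, which the server expands transitively.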

  • Group Search- How?

    Hello Gurus,
    Our UME is tied to Active Directory with read-only option. I am presently trying to clean up groups which involves identifying groups stored in Portal Database (not in AD) and then possibly deleting them.
    If I search for groups, the results show groups from both the Portal Database and AD. How can I get a list of groups stored only in the Portal Database?
    Any pointers are appreciated.
    Thanks,
    Kiran

    With EP7, it's easy - the user admin tool allows you to select this.
    EP6 is a bit messier. You need to use the role assignment tool in the portal and select your group there. Now when you use the Edit button, you get the full name of the group, which will show if it's LDAP or not.
    Or, you could write some code which does a group search and returns the unique name. This is similar, but was designed for users, not groups...
    Cheers
    package com.sap.anz;

    import java.util.Collections;
    import java.util.Iterator;
    import java.util.LinkedList;
    import java.util.List;
    import com.sap.security.api.ISearchAttribute;
    import com.sap.security.api.ISearchResult;
    import com.sap.security.api.IUser;
    import com.sap.security.api.IUserFactory;
    import com.sap.security.api.IUserSearchFilter;
    import com.sap.security.api.UMException;
    import com.sap.security.api.UMFactory;
    import com.sapportals.htmlb.Form;
    import com.sapportals.htmlb.page.DynPage;
    import com.sapportals.htmlb.page.PageException;
    import com.sapportals.portal.htmlb.page.PageProcessorComponent;
    import com.sapportals.portal.prt.component.IPortalComponentRequest;
    import com.sapportals.portal.prt.component.IPortalComponentResponse;

    public class UserListing extends PageProcessorComponent {

      public DynPage getPage() {
        return new UserListingDynPage();
      }

      public static class UserListingDynPage extends DynPage {

        /** Initialization code executed once per user. */
        public void doInitialization() {
        }

        /** Input handling code. In general called the first time with the second page request from the user. */
        public void doProcessAfterInput() throws PageException {
        }

        /** Create output. Called once per request. */
        public void doProcessBeforeOutput() throws PageException {
          IPortalComponentRequest request = (IPortalComponentRequest) this.getRequest();
          IPortalComponentResponse response = (IPortalComponentResponse) this.getResponse();
          Form myForm = this.getForm(); // get the form from DynPage
          IUserFactory userFact = UMFactory.getUserFactory();
          try {
            // Match every user on the uniquename attribute. The "*" wildcard value is
            // assumed here; the posted code was missing the value argument.
            IUserSearchFilter groupFilt = userFact.getUserSearchFilter();
            groupFilt.setSearchAttribute(
                "com.sap.security.core.usermanagement",
                "uniquename",
                "*",
                ISearchAttribute.LIKE_OPERATOR,
                false);
            ISearchResult result = userFact.searchUsers(groupFilt);
            // searchUsers returns unique IDs; collect and sort them before printing
            List list = new LinkedList();
            while (result.hasNext()) {
              String name = (String) result.next();
              list.add(name);
            }
            Collections.sort(list);
            Iterator iter = list.iterator();
            response.write("<table border=\"1\">");
            while (iter.hasNext()) {
              IUser testUser = userFact.getUser(iter.next().toString());
              // unique name and unique ID are written side by side so the data source
              // of each principal can be told apart; values are written unescaped,
              // which is acceptable only for an admin-only page
              String dispUser = testUser.getUniqueName();
              response.write("<tr><td>" + dispUser + "</td><td>" + testUser.getUniqueID() + "</td></tr>");
            }
            response.write("</table>");
          } catch (UMException e) {
            response.write("<br>Searching failed - " + e.getLocalizedMessage());
          }
          // create your GUI here....
        }
      }
    }
