OIM Active Directory 2008 integration

Hi All,
Has anyone integrated (or is in the process of integrating just now) OIM 9.1 with Active Directory on a Windows 2008 Server using the AD 9.1 connector or a custom connector? Any problems or other experiences with such integration?
The 9.1.1 connector will be certified for AD on Windows 2008 but the current connector 9.1 (or 9.1.0.1) is only certified for AD on Windows 2003 or 2000.
Thanks,
Albin

I believe your question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
-Bikash

Similar Messages

  • Change All User Settings in Specific OU(s) In Active Directory 2008

    I want to change the password of all the users in some OUs in Active Directory 2008.
    And also I want to change the attributes of all users in specific OU(s).
    What is the procedure?
    Note:- My OU names are in Arabic language, I feel some errors whenever I use commands in PowerShell.
    Thanks

    Hello Genius
    In addition to other expert advice about bulk modify I have to add that although my first language is not English, I personally prefer to name my OUs in English language. I experienced some problems with non-English OUs especially when it comes to reporting with PowerShell.
    Regards.
    Mahdi Tehrani Loves Powershell
    @Mahdi,
    PowerShell Integrated Scripting Environment (ISE) 3.0 supports Unicode languages (Arabic, Farsi/Persian, etc.), so you do not have a problem with non-English. Here is an example:
    New-ADUser -sAMAccountName "شنگولی" -UserPrincipalName "شنگولی@contoso.com" -GivenName "شنگولی" -Surname "شنگول" -DisplayName "شنگولی شنگول" -Name "شنگولی شنگول" -Enabled $true -Path "OU=MSFT,DC=Contoso,DC=com" -AccountPassword (ConvertTo-SecureString "Password01" -AsPlainText -Force)
    More Information:
    Windows PowerShell 3.0 Integrated Scripting Environment (ISE)
    Regards

  • Active Directory 2008 and Crystal Reporting

    Hello,
    My company is planning to upgrade to Active Directory 2008 R2. But before we do so, we must understand how our servers & applications interact/work with Active Directory 2008 R2. Could you please answer the following questions in regards to your application Crystal Reporting (version 10):
    1.     How does Crystal Reporting interact with Active Directory (AD)?
    2.     Is there a specific domain controller hardcoded with Crystal Reporting ?
    3.     Does Crystal Reporting support Active Directory 2008 R2?
    Your assistance and timely response with this matter is very much appreciated. Thank you.
    - Peter

    Hi Peter,
    Crystal Reports is a standalone install on the local Work Station. AD won't affect it. Unless there is some info you are telling us about how you access CR?
    Thank you
    Don

  • SAP and MS Active Directory 2008

    hi all,
    i want to set up a connection between our MS Active Directory 2008 and the SAP user maintenance.
    what i've already done:
    1. setup a RFC connection with the name LDAP_{Hostname of AD}
    2. setup a ldap system user with auth. mechanism "simple bind" and credential storage "simple memory"
    3. setup a LDAP connector
    4. setup the LDAP server with port no. 389, product name = ms ad 2003 domain mode, protocol version = ldap version 3, ldap application = user, default = true, base entry = {highest level}, system logon = {the ldap system user}
    5. done the ldap server mapping. you can see it in the screenshot here: http://imageshack.us/photo/my-images/444/mappingoverview20111017.jpg
    when i now try to log in to the LDAP server, everything works fine and i get a green light.
    now when i try to search something over the  "find in directory" application i get an error message like that:
    Operation failed
    Message no. LDAPRC001
    Diagnosis
    This is an error message that is triggered by the directory server.
    It is not possible to analyze the error in the SAP system.
    Procedure
    Check the log files for the directory server (if they exist), to see if they contain more information.
    i get the same error message when i try the report RSLDAPSYNC_USER.
    can anybody help me please?
    best regards & TIA
    strobbel

    Hi...
    Red light Operation failed (Message no. LDAPRC001) - This says Operation failed due to a failure in search
    Red light LDAP_SEARCH failed (Message no. LDAPACCESS101) - This says LDAP Search Failed due to Insufficient Privileges to connect from AD to SAP.
    So try these ...
    . While logging on to the directory server, did you check the option "USE SYSTEM USER"?
    . And while searching, the Search parameters should be as below,
        Base Entry : OU=Users,OU=BDN,DC=bdn,DC=xyz
        Filter : (&(objectclass=*))
    . Also check the privileges of the user which is trying to connect to SAP.

  • Call Manager 4.1 compatibility with Active Directory 2008

    I need to know the compatibility between Windows 2008 Active Directory and Call Manager 4.1. I was told Call Manager 4.1 was incompatible with Windows 2008 AD. Is that Active Directory 2008 Domain and Forest functional level? I'm moving forward with replacing all our Windows 2003 DCs with Windows 2008 DCs. The question is will Call Manager 4.1 be compatible? Need actual Windows 2003 DC or can Windows 2003 forest and domain functional level be enough?

    Hello gentlemen,
    I just wanted to let you know that we actually got everything working again on our test bed environment. The DC is running on a virtualized Windows Server 2008 but with the forest and domain functional levels at 2003. What we had to do to resolve the ICM issues (Roggers, PGs and AW/HDS) was for all of the services that wouldn't automatically start, we had to update the 'log on as' settings to re-add those accounts and re-enter the passwords. Also, when running the ICMSetup util, it came back with an error saying that it couldn't see the 'Call Center Applications' OU even though it existed. To resolve that, we ran ICMSetup again, added the ICM instance, then upon going back to the main screen, exiting then re-running ICMSetup, everything worked again and the error did not re-occur. We were able to click on the various instance components (PG1A, CG1A, etc) whereas before doing that, those instances were greyed out.
    For our CallManager server 4.1(3) we didn't need to resolve anything on it. It appears to be running ok and phones are registered to it as well.
    Mind you, this is a test bed environment, and the old test bed DC was created a few years ago, and with this new one being a copy of our existing production DC, there were many changes and updates done to it, so that's probably why the old accounts weren't recognized and new ones were created.
    We don't think that will happen in our production environment, but even so, we're not going to upgrade our production DCs to Windows Server 2008 just yet.
    Thanks for the feedback.
    Joe

  • OIM 9.1.0 Integration with Active Directory 2008 R2

    Hi,
    My customer is running Root/Child AD structure based on windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domains controllers which runs windows server 2003 as well.
    My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
    Am not sure if current OIM version of OIM 9.1.0 is compatible and supported by OIM v9.1.0 under active directory version 2008 / R2, and not sure if it can be integrated with such AD version.
    Any guidance is really appreciated.
    Also I was thinking of such a scenario but am also not sure of its supportability and if OIM will keep working in such a scenario: the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
    Is this a working and supported scenario by OIM v9.1.0 ?

    I believe your question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
    -Bikash

  • Microsoft Active Directory 2008 - Day CQ Integration.

    Hi All,
    We have integrated AD with CQ for authentication purpose (JAAS config, LDAPLoginModule).
    We are registering users from our website and storing them directly on AD (using day ldap client APIs - day-commons-ldapclient-1.1.6.jar). Now the problem is that the created users are disabled by default; to overcome this we have set an attribute "userAccountControl" while registering.
    This solved the disable issue, but another issue is that the user can not log in unless his/her password is reset from the AD admin interface.
    The password is set in the "userPassword" attribute and AD is not treating this as a password, so it enables the flag for the reset password mechanism.
    There is another attribute which needs to be set for this and is called "unicodePwd", but to set this the connection should be encrypted (at least 128 bit SSL/TLS) and LDAPS should be used and not LDAP.
    Please refer to the MS article at http://msdn.microsoft.com/en-us/library/cc223248%28v=prot.10%29.aspx
    So the question is whether it can be achieved with the LDAP protocol itself; if not, then how big is the effort to go via the LDAPS approach.
    Has anybody achieved something similar and can throw some light?
    Any pointer will be helpful.
    Thanks in Advance,
    Rakesh

    From what I understand, you are attempting to synchronize your users from CQ into your active directory instance. To me, it sounds like you should really get LDAPS set up, as opposed to attempting to work around it.
    Here is a link to the part of the document Day wrote on how to configure LDAP for CQ5:
    http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html#Configuring LDAP over SSL
    Additionally, if you take a look at the forum topic I posted about this very problem, there is a nice list of resources for what you are trying to do: http://forums.adobe.com/thread/1068151?tstart=0
    Hope that helps! Good luck!

  • MS Active Directory 2008 as UME datasource for AS Java

    Hello,
    We are running SAP EP on top of a SAP AS Java using LDAP certification, so users
    from MS Active Directory 2003 domain are trusted by the Portal
    I've now a problem with the version upgrade of MS Active Directory from 2003 to 2008,
    it seems only SAP AS ABAP supports MS AD 2008, and our instance is JAVA only
    Note 983808 - "Certified LDAP servers" also confirm this
    Do you know if AD 2008 is supported, if any note has been released about this and
    any document to help me with this issue?
    thanks in advance!
    Rafael

    Hi Patrick, thanks for the answer
    I checked the note and it refers about Windows 2008 and a scenario with SSO, that's not our case.
    We just have AD as a LDAP UME datasource, users must still pass user and password which
    is then checked and then login is authorized
    you mentioned AD 2008 is supported for Netweaver AS Java, could you send me any document
    or note with procedures or anything for configuring it ?
    kind regards,
    Rafael

  • Windows Active Directory 2008 And Java

    Hi,
    I need to do the following.
    1. Integrate my application's authentication module with Microsoft Windows Active Directory (Server 2008 Edition).
    2. Need to use Kerberos authentication.
    Can you please let me know what api can I use? Is there a good tutorial for this ?
    Regards,
    Pradeep.

    Finally managed to resolve the problem.
    I tried to do a lot of things reading forums. But this is what worked.
    1. create a key store using $ keytool -genkey -keystore /home/rohan/mystore -keysize 1024 -keyalg RSA --- created "mystore" key store. From the cert file I got the information on RSA and encryption of 1024 bits.
    2. import the certificate the keystore - $ keytool -import -keystore /home/rohan/mystore -alias primarydc -file DC2K8.cer
    3. In the code just added these lines
        // Needs javax.naming.Context, javax.naming.directory.* and javax.naming.ldap.*
        env.put(Context.PROVIDER_URL, "ldap://myldapserver:389"); // Port 389 on Windows Domain Controller
        String keystore = "/home/rohan/mystore";
        System.setProperty("javax.net.ssl.trustStore", keystore);
        // The store is used as a trust store, so its password goes in trustStorePassword
        System.setProperty("javax.net.ssl.trustStorePassword", "password");
    4. Change of Password (code provided by stevead )
        // userAccountControl flag values
        final int UF_PASSWD_NOTREQD = 0x0020;
        final int UF_NORMAL_ACCOUNT = 0x0200;
        // Upgrade the plain LDAP connection to TLS before the password is sent
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();
        ModificationItem[] mods = new ModificationItem[2];
        // unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE
        String newQuotedPassword = "\"" + password + "\"";
        byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
        mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
        mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD)));
        ctx.modifyAttributes(userName, mods);
    Useful links
    http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
    http://blog.smartkey.co.uk/2010/09/working-around-a-sslhandshakeexception/
    http://www.thinkplexx.com/learn/howto/security/tools/understanding-java-keytool-working-with-crt-files-fixing-certificate-problems
    Thanks to stevead and handat for helping.
    Rohan
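
Added example, not part of the original posts: the two attributes discussed in the Day CQ thread and in the Java code above, shown in Python. It encodes a password the way unicodePwd expects and decodes userAccountControl values so that enabled accounts carrying PASSWD_NOTREQD (which 0x0200 + 0x0020 = 544 sets) show up in an audit; the function names and sample entries are constructed for illustration.

```python
# Added example: unicodePwd encoding and userAccountControl auditing.

# userAccountControl bit values (Microsoft-documented constants)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
# Flags an audit would normally question on an enabled user account
RISKY = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD")


def encode_unicode_pwd(password):
    """Return the bytes AD expects in unicodePwd: quoted, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def channel_is_encrypted(url, starttls_done=False):
    """unicodePwd writes need LDAPS or a completed StartTLS upgrade."""
    return url.lower().startswith("ldaps://") or starttls_done


def decode_uac(value):
    """Split a userAccountControl integer into known flag names."""
    value = int(value)  # LDAP returns the attribute as a string
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits are distinct, so sum == OR
    if unknown:
        names.append("UNKNOWN(0x%X)" % unknown)
    return names


def audit(entries):
    """Return {account: [risky flags]} for accounts that are not disabled."""
    findings = {}
    for entry in entries:
        flags = decode_uac(entry["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        risky = [f for f in flags if f in RISKY]
        if risky:
            findings[entry["sAMAccountName"]] = risky
    return findings


# Constructed sample entries, shaped like LDAP search results
SAMPLE = [
    {"sAMAccountName": "webuser1", "userAccountControl": "544"},   # 0x200 + 0x20
    {"sAMAccountName": "webuser2", "userAccountControl": "512"},   # normal account
    {"sAMAccountName": "svc_old", "userAccountControl": "66050"},  # disabled
]

if __name__ == "__main__":
    print(encode_unicode_pwd("Ab1"))
    for name, flags in audit(SAMPLE).items():
        print(name, flags)
```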

  • Active Directory LDAP integration; can not see the XMLP_ groups/roles

    We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
    It is working to a certain extent:
    -Users can log on to the XML Publisher using login/password as defined in AD.
    -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
    Problems/questions:
    -The required roles ("XMLP_ADMIN", etc.) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
    -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
    Is there any way to monitor the login process to try and see what goes wrong?
    -Roald

    The problem has been solved, it was self inflicted, typo in the config file:
    <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
    (semicolon instead of comma after Users).
    It is a little surprising that this typo led to problems with group matching, though. It took some time before this part of the config got enough attention.
    -Roald
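
Added example, not part of the original post: a small Python check that catches the kind of typo described above by validating every *_DN property value against the RFC 4514 rule that ";" must be escaped inside a value. The <config> wrapper element and the function names are assumptions made for the example; only the property line comes from the post.

```python
import re
import xml.etree.ElementTree as ET

# Attribute type: a short name (cn, dc, ou) or a dotted numeric OID
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
# Characters RFC 4514 requires to be escaped in a value ("," and "+" are
# consumed as separators before this check runs)
MUST_ESCAPE = '";<>'


def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters intact."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def dn_problems(dn):
    """Return a list of syntax problems found in a distinguished name."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            attr = attr.strip()
            if not eq or not ATTR_TYPE.match(attr):
                problems.append("not attribute=value: %r" % ava.strip())
                continue
            bare = re.sub(r"\\.", "", value)  # drop escaped pairs
            for ch in MUST_ESCAPE:
                if ch in bare:
                    problems.append("unescaped %r in value of %s" % (ch, attr))
    return problems


def check_config(xml_text):
    """Return (property name, problem) pairs for every *_DN property."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        if name.endswith("_DN"):
            for problem in dn_problems(prop.get("value", "")):
                findings.append((name, problem))
    return findings


# Constructed sample: the property line from the post inside a made-up wrapper
BROKEN_CONFIG = ('<config><property name="LDAP_PROVIDER_USER_DN" '
                 'value="Cn=Users;dc=company,dc=com"/></config>')
FIXED_CONFIG = BROKEN_CONFIG.replace("Users;", "Users,")

if __name__ == "__main__":
    print(check_config(BROKEN_CONFIG))
    print(check_config(FIXED_CONFIG))
```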

  • Active Directory, SSO, Integrated Windows Authentication

    Hi,
    I have to setup a NW BPM environment using Windows/Active Directory SSO.
    In the desired scenario, I would use UME to create BPM specific roles and/or groups and then I would associate:
    - specific AD users to UME groups or roles, and/or
    - associate AD groups to UME groups or roles.
    Is it possible? I would really appreciate any directions/hints on how to do that.
    Thanks in advance,
    Ricardo Giacomin

    It is possible. You have the XML configuration file in the administration of UME and you need to edit that one in order to link it to your AD. If you're using LDAPS to connect you will also have to load the certificates in NWA before the first connection.

  • How can I capture delete user event in Active Directory 2008 using Powershell command

    Hi,
    In my Active Directory every user has their own home drive on the file server. When I delete a user I also need to delete the folder from the server.
    My target is to make the process automated, so that when I delete a user account from AD, the folder associated with the user is also deleted.
    Can I write any PowerShell script to grep the delete event and remove the folder from the file server?
    Thanks
    Tamim Khan

    You can setup event viewer to provide alerts (email alerts) for event id 630.
    Find an existing Event ID 630 entry, right click on it and "Attach Task To This Event...."
    Follow the wizard.
    ** Event ID Sample **
    Event ID: 630
    Type: Success Audit
    Description: User Account Deleted:
    Target Account Name: %1 Target Domain: %2
    Target Account ID: %3 Caller User Name: %4
    Caller Domain: %5 Caller Logon ID: %6
    Privileges: %7
    - Chris Ream -

  • Kerberos based authentication from AS 10.1.2 to Active Directory 2008

    Hello,
    just a short question: Has anyone achieved to authenticate via kerberos to a Windows 2008 domain?
    Info: We like to continue to use the SSO and Windows Native Authentication feature. It worked with our Windows 2003 domain. But our domainserver was updated and we cannot make a connection from our Oracle application server (10.1.2.0.2) to the new domain via kerberos. The ktpass shows errors (according pType) while creating the sso.keytab. The keytab file is created. The kinit-tool (for testing the keytab file) shows errors again. Also the OPMN log shows during startup an error.
    Any hint would be appreciated,
    regards
    Joerg

    unzip in a new folder and start jdev, it'll ask if you want to copy the configurations from an earlier version. after that you only need to install custom extensions:
    copy all files from old_version_jdev\jdev\lib\ext to new_version_jdev\jdev\lib\ext which are in old_version_jdev\jdev\lib\ext but not in new_version_jdev\jdev\lib\ext
    better to first shut down jdev!
    if everything works in the new version you can delete the old one.
    if you are using an OC4J standalone or ias remember to update the adf version there too!

  • Migrate Active Directory 2008 to 2012 but need to keep the same ip address and server name

    Hi,
    Current setup is 2 DCs in one site running 2008 R2 AD.
    We are planning to migrate from 2008 R2 to 2012 R2 but need to keep the same ip address and server name. I have come up with two plans to do this and hope someone can tell me which one would be the best approach. What are the pros and cons in Plan A and B, or maybe plan C if there is a better one?
    First, I was planning to do plan A but just had a second thought of Plan B.  My concern in Plan A is about changing the server name when the new 2012 R2 is already running as DC.  Plan B would be changing all the old server names and ip before they become member server and DC.
    Any information and suggestion would be very appreciated.
    Plan A
    Run adprep /forestprep on 2008 R2 DC
    Build a new 2012 R2 server and promote it as 3rd DCs in current Domain
    Transfer FSMO from 2008 R2 to 2012 R2
    Run Repadmin /syncall to force replication
    Rename the demoted 2008 R2 DC to something else
    Change the demoted 2008 R2 ip address to something else
    Restart the demoted 2008 R2 server to take effect
    Now, run Netdom computername command to change the new 2012 R2 server name to the old 2008 R2 DC server name
    Change the new 2012 R2 DC's ip to old 2008 R2 DC's ip
    Run ipconfig /flushdns
    Run ipconfig /registerdns
    DCDIAG to see any error
    Plan B
    Build 2 new 2012 R2 standalone servers
    In 2008 R2 ServerA transfer FSMO to 2008 R2 ServerB
    Demote 2008 R2 ServerA to become member server
    Rename 2008 R2 ServerA to something else and change the ip address to something else and shut it down
    Now, rename one of the new 2012 R2 standalone server to the old demoted 2008 R2 ServerA name
    Change the new 2012 R2 standalone server ip to the old demoted 2008 R2 ServerA's ip address
    Add the new 2012 R2 standalone server (now with the old 2008 R2 ServerA name and ip) to become member server
    Run adprep /forestprep on the 2008 R2 ServerB
    Promote the new 2012 R2 (now with the old 2008 R2 ServerA name and ip) as DC
    Transfer 2008 R2 ServerB FSMO to the new 2012 R2 DC (now with the old 2008 R2 ServerA name and ip)
    Demote 2008 R2 ServerB as member server
    Rename 2008 R2 ServerB to something else and change the ip address to something else and shut it down
    Now, rename the 2nd new 2012 R2 standalone server to the old demoted 2008 R2 ServerB name
    Change the new 2012 R2 standalone server ip to the old demoted 2008 R2 ServerB's ip address
    Add the 2nd new 2012 R2 standalone server to become member server
    Promote it as DC
    Run DCDIAG to check error
    Thanks.

    Hi,
    Renaming a Domain Controller is a risky operation which may lead to issues, therefore, I would suggest you go with the Plan B, rename the server before it becomes DC.
    Here is a blog below which could be helpful to you:
    Remove an Old DC and Introduce a New DC with the Same Name and IP Address
    http://blogs.msmvps.com/acefekay/2010/10/09/remove-an-old-dc-and-introduce-a-new-dc-with-the-same-name-and-ip-address/
    Best Regards,
    Amy

  • Integrating Active directory  with oracle EBS 12.1.3 with 11g R2 database

    Hi,
    can any one let me know the software requirements and document ids for integrating Active directory windows 2009 R2 with oracle EBS 12.1.3 with 11g R2 database.
    Is windows 2008 active directory certified with 10g OID??
    regards,
    chandrasekhar.

    Hi
    I found exact note
    Is OID 10g/11g DIP Compatible / Certified With Microsoft Active Directory 2008 / Windows 2008 R1/R2? [ID 944298.1]
    From note:
    DIP 10g latest version (10.1.4.3) and DIP 11g up to PS4 / 11.1.1.5 Patchset releases integrations are certified with MS AD 2008 R1 only.
    DIP 11g certification with AD 2008 R2 is supported only with DIP 11g PS5 / 11.1.1.6 Patchset or higher.
    Note: Although DIP below 11.1.1.6 integration (synchronization, external authentication, etc.) with MS Windows / AD 2008 R2 may work, it is not officially compatible / certified. See also Note 1076018.1.
    Regards
    Helios
