Access Enforcer 5.2 - LDAP connection fail
Hello everybody,
We performed an upgrade from Access Enforcer 5.1 VP1 to Access Enforcer 5.2 with SP03, but we can't connect LDAP to AE. Before, the connection to LDAP was OK.
However, when we test the connection in AE 5.2, the message "Connexion successfull" appears, but the connection fails when we try to authenticate to AE for a request or when we try to search user data, for example (the AE message is "action failed").
Do you have the same error with AE5.2 ?
Thank you very much for your assistance,
Best regards,
David Heang
There is a query below that you need to list in the SQL box, but this address varies based upon your support pack. If you're up to date (or close to) on SPs, enter the following address into your web browser AFTER logging into AE: http://<server>:<port>/AE/opensql_test.jsp.
Paste the following query into the SQL box:
SELECT DISTINCT
WPHST.REQNO,
WPHST.REQPATHID,
WPHST.PATHNAME,
WPHST.STATUS AS REQUEST_STATUS,
TBLPATHSTAGE.STAGENAME
FROM
(VIRSA_AE_RQD_WPHST AS WPHST
INNER JOIN VIRSA_AE_WF_PTSTG AS TBLPATHSTAGE
ON (WPHST.PATHNAME = TBLPATHSTAGE.PATHNAME) AND (WPHST.CURRENTAPPRVRSEQ = TBLPATHSTAGE.STAGESEQ))
INNER JOIN VIRSA_AE_RQD_WPTRN AS WPTRN
ON (TBLPATHSTAGE.STAGENAME = WPTRN.STAGE_NAME) AND (WPHST.REQNO = WPTRN.REQNO)
WHERE
(WPHST.ISCURRENTFLAG = 1) AND ((WPHST.STATUS = 'OPEN') OR (WPHST.STATUS = 'HOLD'))
Similar Messages
-
Hello everybody,
I have Access Enforcer 5.1 VP1 and I would like to know how to use the LDAP mappings.
For example, I want to recover the manager's name into LDAP automatically on Access Enforcer during a user request.
Thank you very much for your assistance.
David Heang
Hi,
First you need to connect the Connector for the LDAP; when the Connector is working, you need to define the LDAP Mappings.
For recovering the manager name into Access Enforcer from LDAP (Active Directory), you need to map the LDAP entry class object "manager" to the Access Enforcer "LDAP Mappings".
Now the manager for the user will be picked up if the relationship is defined in the LDAP directory.
LDAP objects are different for the different LDAP types.
Hope it Helps,
Vikas -
ERROR: Ldap Authentication failed for dap during installation of iAS 6.0 SP3
I am attempting to install ias Enterprise Edition (6.0 SP3) on solaris 2.8 using typical in basesetup. I am trying to install new Directory server as I don't have an existing one.
During the installation I got the following error.
ERROR: Ldap Authentication failed for url ldap://hostname:389/o=NetScape Root user id admin (151: Unknown Error)
Fatal Slapd did not add Directory server information to config Server.
Warning slapd could'nt populate with ldif file Yes error code 151.
ERROR:Failure installing iPlanet Directory Server.
Do you want to continue: ( I entered yes )
Configuring Administration Server Segmentation fault core dumped.
Error: Failure installing Netscape Administration Server.
Do you want to continue:( I responded with yes).
And during the Extraction I got the following
ERROR:mple_bind: Can't connect to the LDAP server - No route to host
ERROR: Unable to connect to LDAP Directory Server
Hostname: hostname
Port: 389
User: cn=Directory Manager
Password: <password-for-cn=Directory Manager
Please make sure this Directory Server is currently running.
You might need to run 'stop-slapd' and then
'start-slapd' in the Directory Server home directory, in order to restart
LDAP. When finished, press ENTER to continue, or S to skip this step:
Start registering Bootstrap EJB...
javax.naming.NameNotFoundException
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Compiled Code)
at javax.naming.NamingException.<init>(NamingException.java:114)
at javax.naming.NameNotFoundException.<init>(NameNotFoundException.java:48)
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
"ldaperror" 76 lines, 2944 characters
at com.netscape.server.jndi.RootContext.resolveCtx(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at com.netscape.server.jndi.RootContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(InitialContext.java:371)
at com.netscape.server.deployment.EjbReg.deployToNaming(Unknown Source)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.registerEjbJar(Compiled Code)
at com.netscape.server.deployment.EjbReg.run(Compiled Code)
at com.netscape.server.deployment.EjbReg.main(Unknown Source)
Start registering iAS 60 Fortune Application...
Start iPlanet Application Server
Start iPlanet Application Server
Start Web Server iPlanet-WebServer-Enterprise/6.0SP1 B08/20/200100:58
warning: daemon is running as super-user
[LS ls1] http://gedemo1.plateau.com, port 80 ready
to accept requests
startup: server started successfully.
After completion of installation, I tried to start the console. But I got the following error;
"Cant connect ot the admin server. The url is not correct or the server is not running.
Finally, when I started the admintool (iASTT), it shows the iAS1
was registered (marked with a red cross mark) and says "cant login. make sure the user
name & passwdord are correct" when I click on it.
Thanks in advance for any help
Madhavi
Hi,
Make sure that the directory server is installed first. If it is running
ok, then you can try adding an admin user, please check the following
technote.
http://knowledgebase.iplanet.com/ikb/kb/articles/4106.html
regards
Swami
-
Access enforcer and User Data Source for HR
We are on Access Enforcer 5.2 - service pack 2:
My problem is that when creating a new request in AE, I am able to get a list of all users when I point my User Data Source to either SAP or UME. However, when I attempt to create a request whilst pointing the User Data Source at the SAPHR system, I do not get any users back (and we have users set up in the SAP HR system).
I've changed the connector to YES under the HR System box, I've changed the Data Source Type and Details Source Type to point at the SAPHR, and still it fails to fetch any users.
I've tried looking at the log, but can't get much out of it.
I would appreciate it, if anyone could provide any assistance.
Thank you in advance.
Amarjit
Hi Micheal,
Thanks for your reply.
I'm pointing both Data Source Type and Details Source Type to the same system SAPHR and to the same system name (which is our dev system)
Regards,
Amarjit -
Connector problem with access enforcer
Hi Guys,
I am facing a really strange problem with my connectors.
We have a test installation of GRC which was down for about 3 months.
During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
Anyhow I still can't modify, test or even create a new connector for access enforcer.
The only error I get is "Action failed".
I tried to analyze the logs but found no help there too.
2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
java.lang.NullPointerException
at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
Did anybody here face a problem like that?
Kind regards,
Bastian
I had a similar problem with CC and I had to contact SAP. They gave me a script to run against the database that removes the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.
-
Error in Risk Analyzer of Access Enforcer
We are getting the below error in Risk analyzer of access enforcer in the GRC system that we have
Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: com.sap.engine.services.webservices.jaxrpc.exceptions.XmlUnmarshalException: XML Deserialization Error. Invalid parser state. This exception is caused when deserializing XML type [http://www.w3.org/2001/XMLSchema] and wrong XML node is found.
The version of the system is AE 5.2 SP11 (Build-59112)
Could someone help with this?
Regards
Bharathwaj V
Hi alpesh,
Thanks for your answers.
We were able to sort out the problem. The problem was with the load balancing at Java level.
We had 2 server nodes and only 1 server node was taking all the requests and so it was choked up.
Bharathwaj V -
Risk Analysis Error - Access Enforcer
Hi Experts,
I am getting error while running risk analysis in Access Enforcer and the error is
Risk analysis failed: Exception in getting the results from the web service : Service call exception; nested exception is: java.lang.Exception: Incorrect content-type found 'text/html'
We are using separate RFC IDs for the Access Enforcer connector and the Compliance Calibrator connector.
Please help me.
Thanks & Regards,
VijayReddy,
The user must indeed be created in the UME as a Compliance Calibrator user.
I don't know exactly which role he should be assigned, usually I indicate there my CC admin user-id and password.
When you see it is working with that user-id, you can try to refine the roles.
Some more info regarding what needs to be set in the URI in case the one I indicated in my previous answer is not working:
"There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, UserName, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address. If you select Compliance Calibrator 4.0, there is no need to connect to a URI address."
Karim -
Hi,
I have experience with CC & FF and have never installed Access Enforcer. Our company has planned to go with Access Enforcer on the existing landscape.
So how can I implement Access Enforcer? Is there a step-by-step document?
Can I implement it on the same system where we are running CC?
Do I need to install any additional add-ons or components?
How long will it take to implement this component?
Please give your thoughts.
- Jim
Jim,
As suggested by Frank, you need to have thorough product knowledge before going to management.
Implementation of CUP will require a lot of understanding of other areas, including your landscape design, workflows with different modules, and configuration of HR triggers.
Please find a few features of CUP:
1) Automates, accelerates and tracks the user access request process using workflow for SAP and non-SAP systems
2) Integrated risk analysis and mitigation capabilities keep the system clean during compliant provisioning
3) User authentication from either LDAP or SAP systems
4) Password Self Service for end users
5) Automated email notification to appropriate parties
6) Actually provisions user accounts and access changes into the backend SAP systems -
Access Enforcer (error in creating a request)
Hi All,
When I am creating a new request in Access Enforcer, after filling in all the details and clicking the submit button, it is showing an error in creating the request: Path not found.
Hello,
You must select at least one condition attribute while creating your initiator. It seems the initiator condition is not meeting the details you are filling in your request, so it is not able to trigger the workflow initiator.
For a simple scenario, if you are filling in your company details in your request, then change your initiator condition attribute to "Company". (Don't include more condition attributes for now.) Once it works, change the initiator details back to your requirements.
Please let me know if this will not resolve your issue.
Thanks
Himadama -
Access Enforcer(error in approving the request) and import roles
Dear all,
There is an error in approving the request at the security stage (the last one).
The manager and role owner stages were successfully approved.
Also, importing roles into Access Enforcer was not successful.
imortstatus : 0 roles imported of 28 records found.
please find the system log:
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.messaging.MessageFormatter : parseDesc : : INTO the method : desc :Please specify a file to import.paramNames :paramsMap :{FIELD_NAME=#_!FIELD_NAME#_!}
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle : : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle : : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle : : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle : : INTO the method : en
2008-09-05 13:01:34,625 [SAPEngine_Application_Thread[impl:3]_8] DEBUG com.virsa.ae.service.cache.AECacheUtil : getResourceBundle : : INTO the method : en
2008-09-05 13:02:28,234 [Thread-47] DEBUG
In addition to my previous response:
I meant to include the following:
Some of the fields that need to be properly defined with attributes are:
System: must have the known SAP system defined here
Role Approver (I presently am using most of the roles without having need for approval; I created a user called NOAPPRV in AE)
Functional Area: need to have all the areas defined that roles will be assigned to
Company: I only have one company so that's an easy one
Some areas I presently do not use but found they must be coded and coded properly:
ResponsibilityID: N/A (coded as is)
CommentsMandatory: NO (coded as is)
Parent Role Owner: NO
Business Process: NA (I believe I originally coded N/A and it did not like that)
Sub Process: NA (again N/A I believe error on me)
Reaffirm Period: presently I am using 0 (zero)
LastReaffirm: presently using 12/31/9999
Hope this helps a bit.
I wanted to include an attachment with a sample of my Role Import spreadsheet, but I'm not sure exactly how to do that; if I figure that out or someone can provide me the process, I will include it.
Jerry Synoga
Ryerson Inc.
630-758-2021 -
Validity date issue: Access Enforcer
Hi All,
There is a request in Access Enforcer wherein there are a total of 4 stages of approval. The first 2 stages have been properly approved; however, when the request arrived at the 3rd stage of approval, the validity date for the request was over and therefore the approvers tried to extend it, but the "more" tab is not appearing and therefore the approvers are not able to approve the request by extending the validity date.
Can you please help with this issue?
Thanks
Vani
Vani,
Go to the stage level settings for this particular stage via configuration -> workflow -> stage. Change the option of 'Change request content' to 'Yes' and the approver in this stage should be able to change the validity dates.
Regards,
Alpesh -
Auto Email generation in multiple language in Access Enforcer 5.2
Hi All,
We have configured workflow in Access Enforcer 5.2 for autoprovisioning of users in the system. The requestor gets an email in English with the user ID and password once the user is provisioned in the system. Now the requirement is to send these emails in different languages, specific to the user. For example, a Spanish user should receive the email in Spanish.
Does this have anything to do with the language setting during user creation?
Please suggest.
Thanks & Regards,
Pravin
Hi Pravin,
It has nothing to do with the language settings for the user. This configuration has to be done in closing section of Email reminders under workflow. As per my experience with AE 5.2/CUP 5.3, I don't think this is possible as of now. This could be a good functionality, so you can open an enhancement request with SAP.
Regards,
Alpesh -
Multi User request in Access Enforcer
Is anyone aware of a user limit in an access enforcer multi user request?
We get errors when we submit a multi user access enforcer request with more than 25 users.
Thanks
Hi
There is no standard limit, even though we advise keeping the users to a max of 20.
The limit depends upon the email content you have configured.
If you have used the argument USERID in your email notifications, then a multiple user creation request causes issues and the limit gets set to anything between 20-25, again depending on the content of the email.
Thanks -
Why Access Enforcer 5.2 considers “Critical Transaction” as a SOD Risk ?
Hello,
When I submit a request with Critical Transaction and no SOD conflict, Access Enforcer forwards my request to the SOD Manager.
I have a Detour Path triggered by the condition “SOD Violations”.
The settings are in:
- Access Enforcer 5.2: Configurations -> Risk Analysis -> Default Analysis Type: Object Level
- Compliance Calibrator 5.2:
Configuration -> Risk Analysis -> Default Values -> Default report type for risk analysis: Permission Level
I am wondering why Access Enforcer 5.2 considers “Critical Transaction” as a SOD Risk
Thank you.
Abderrahim
Hi,
As per my knowledge even though you set the risk analysis to be done at a single level, AE will do at all the levels, i.e., at SoD, critical action, and critical permission. If you want to have only SOD risks, you need to either deactivate all critical action rules in RAR, or create a new ruleset and assign all the SOD risks to it and use it with AE.
This will help you to address the issue.
Best Regards,
Raghu -
Upload of role in Access Enforcer 5.2.
Hi All,
I need to upload roles in Access Enforcer from the SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
Now I need some way first to clean out all the uploaded roles and then upload selected roles.
Please suggest.
Thanks & Regards,
Pravin
Hi Pravin,
Here are the steps:
1) Download all the roles into an Excel spreadsheet:
Go to configuration -> Roles -> Search roles -> Click on 'Export' button. In CUP, go to 'Search Roles'. Click on the 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on the Export button. CUP will export all the roles into an Excel spreadsheet in the format which CUP understands.
2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
3) Delete not needed roles from spreadsheet and upload it into CUP:
Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
Regards,
Alpesh
SAP GRC Manager (PwC)