Active Directory as readonly UME except of user's password
Hi there,
we would like to configure the portal-datasource to connect to the active directory read-only. However, (LDAP) users must be able to change there passwords. How could the xml file look like.
We checked out http://help.sap.com/saphelp_nw70/helpdata/de/46/07a02c920f4f0fe10000000a114a6b/frameset.htm, but this doesn't work. Here the portal tries to create ldap users and fails as no mandatory fields are writeable.
Also we tried to dsitriubte the active directory in one writeable and one readable. However according to help.sap.com (http://help.sap.com/saphelp_nw70/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm) it is not possible to assign users from one source to groups of another.
Does anybody know a solution or a hint?
Thanks a lot and regards
Stephan
Hi Michael,
thanks for your help. We finally solved the issue using the "homefor"-approach:
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="team" />
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<notResponsibleFor/>
<attributeMapping />
<privateSection/>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principal type="account"/>
<principal type="user"/>
</homeFor>
<notHomeFor>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
</notHomeFor>
<responsibleFor>
Thanks and regards
Stephan
Similar Messages
-
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many ThanksHi Claire,
The Single Sign On work only if user exist on every systemes.
For example :
If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant. -
Weblogic with Active Directory Authentication provider problem: DN for user ....: null
I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MyOwnADAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
<wls:host>10.20.150.4</wls:host>
<wls:port>5000</wls:port>
<wls:ssl-enabled>false</wls:ssl-enabled>
<wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
<wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
<wls:cache-enabled>false</wls:cache-enabled>
<wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject : CN=wl,DC=at,DC=com
# scope : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit : 1000
# timeLimit : 0
# typesOnly : False
# filter : (&(cn=tadmin)(objectclass=user))
# attributes : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> -
MS Active Directory 2008 as UME datasource for AS Java
Hello,
We are running SAP EP on top of a SAP AS Java using LDAP certification, so users
from MS Active Directory 2003 domain are trusted by the Portal
I've now a problem with the version upgrade of MS Active Directory from 2003 to 2008,
it seems only SAP AS ABAP supports MS AD 2008, and our instance is JAVA only
Note 983808 - "Certified LDAP servers" also confirm this
Do you know if AD 2008 is supported, if any note has been released about this and
any document to help me wiith this issue?
thanks in advance!
RafaelHi Patrick, thanks for the answer
I checked the note and it refers about Windows 2008 and a scenario with SSO, that's not our case.
We just have AD as a LDAP UME datasource, users must still pass user and password which
is then checked and then login is authorized
you mentioned AD 2008 is supported for Netweaver AS Java, could you send me any document
or note with procedures or anything for configuring it ?
kind regards,
Rafael -
Hi, I'm using VS2012.
I want to use this ExtensionAttributes9 field to store date value for each user object. I use UserPrincipal class, a collection of these objects are then bind to a gridview control. Is ExtensionAttributes9 a field in AD user object?
How can I access it and bind to the gridview?
If this field isn't available then what other field can use?
Thank you.
Thank youUserPrincipal is basically a wrapper around DirectoryEntry:
http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx and only provides a subset of the Active Directory, although the most common, attributes that are available for the user object. The attribute that you
seek is not one of them.
By utilizing the method that I provided you a link to, it will return the underlying DirectoryEntry that was used to build the UserPrincipal object and should allow you to access the attribute that you seek.
It would be greatly appreciated if you would mark any helpful entries as helpful and if the entry answers your question, please mark it with the Answer link. -
Store signature image in Active Directory and deploy it to each users desktop
What I am trying to achieve is to have each user a hand written signature scanned in and stored in the .jpgPhoto attribute in Active Directory and then have some sort of script, like our login script, pull that information and copy the file to the users
desktop. We are wanting to be able to allow users to apply the signature image on a signature line in Office 2010 or InfoPath forms instead of typing their name. I know there has to be a way to do this but I have not found it yet and I am
not very good at scripting. Is there anyone here that has accomplished such a task and if so, how did you go about doing it?
David HoodWe already have Outlook email signatures created from AD information deployed to all users. Someone else on my team deployed that already and it works great. But that is just basic user info pulled from fields that were manually entered in
the user account. What I want to do is have a user scribble their signature on a piece of paper or a tablet, capture an image of that to crop and resize to store in the AD user account or somewhere secure that can be queried to be pushed to that users
desktop. I work at a state government agency and I have heard of another agency doing this but I have no idea how they did it. The only thing I could think of is to have a script ran during login to query the AD attribute the image is stored in,
pull it and then copy it to the users machine so when they sign a word document or .PDF with a digital signature they also have the option to place that image in the signature line.
David Hood -
The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?
Unsure what you mean. iDS 5 implements the inetOrgPerson as of the RFC. It is made of 4 objects top, person, organizationPerson and inetOrgPerson. The user object in MAD using many more MS specifi attributes in the top class. (53 extras)
-
Snow leopard Active directory account taking a long time to verify password
Hi,
My mac is configured to use an active directory account (windows small biz server 2008), i configured a mobile account when i was still under leopard and it was working fine. Since i upgraded to snow leopard i started experience the following issues:
When i am out of the office (not connected on the domain), logging in to my mac take about 5min after i type the password, same thing when the mac awakes from sleep, i type my password and it says verifying password and this takes about 5 minutes to complete! Another issue i am experiencing is that whenever i put my mac to sleep, when it wakes up most of the running applications crash and i have to restart them. i was hoping 10.6.2 would fix that but it didn't.
Sorry for the long post. Thank you in advance for your support!I guess we will have to wait for someone to give us a clue, or for apple to release 10.6.3 .
-
Changing a username in Active Directory - does this update People picker, User Info List etc?
What happens in SP2013 when a user gets married and changes their name in AD?
My understanding is that after a full (?) User Profile import and a People crawl (Full/inc?) - their display name in SharePoint will be updated but in SP2013 do the entries in People picker and User Info Lists also get updated or are their manual steps
that have to be taken?
Thanks
JFirst, User Profiles will be updated after the next incremental sync. SP 2013 only does Full User Profile syncs manually. A full sync is not really required.
Second, there are two timer jobs that will sync the user profile with the user lists in each site collection. The "Quick" job only syncs new users, while the "Full" job should sync all user changes. The "Full" job
runs hourly by default.
Third, the people picker should be getting its info from AD, although there is some caching that goes on. So it should pick up the change from AD when the cached information ages out.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
Need Help creating new user in Active Directory
I am trying to create a new user in active directory via a java application. I have included the code that I am using. I am able to successfully bind to Active Directory. I have been able to change passwords, and delete users, but I have not been able to create a user.
ldapHost : "mta101.DOM101.CEL.ACC.AF.MIL"
domainName: "dc=dom101,dc=cel,dc=acc,dc=af,dc=mil"
existing account: CN=Brett K. Humpherys,OU=Users,OU=CEL
I get the following error on the createSubcontext statement:
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893 ; remaining name 'CN=test1,OU=Users,OU=CEL'
I have commented out the password portion and change the ObjectCategory to a 32 and get the same error.
public GblStatus createAccount7(DbaDb dbConn,
String jsrcName,
String personName,
String username,
String password)
Hashtable ldapEnv = new Hashtable(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://" + this.ldapHost + ":636");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
ldapEnv.put(Context.REFERRAL, "ignore");
ldapEnv.put(Context.SECURITY_PRINCIPAL,"cn=" + this.adminAcct + ",cn=users," + this.domainName);
ldapEnv.put(Context.SECURITY_CREDENTIALS, this.adminPwd);
try
// Create the initial context
DirContext ctx = new InitialDirContext(ldapEnv);
BasicAttributes attrs = new BasicAttributes();
BasicAttribute ocs = new BasicAttribute("objectclass");
ocs.add("top");
ocs.add("person");
ocs.add("organizationalPerson");
ocs.add("user");
attrs.put(ocs);
BasicAttribute gn = new BasicAttribute("givenName", "test1");
attrs.put(gn);
BasicAttribute sn = new BasicAttribute("sn", "");
attrs.put(sn);
BasicAttribute cn = new BasicAttribute("cn", "test1");
attrs.put(cn);
BasicAttribute uac = new BasicAttribute("userAccountControl", "66048");
attrs.put(uac);
BasicAttribute sam = new BasicAttribute("sAMAccountName", "test1");
attrs.put(sam);
BasicAttribute disName = new BasicAttribute("displayName", "test1");
attrs.put(disName);
BasicAttribute userPrincipalName = new BasicAttribute
("userPrincipalName", "[email protected]");
attrs.put(userPrincipalName);
BasicAttribute instanceType = new BasicAttribute("instanceType", "4");
attrs.put(instanceType);
BasicAttribute objectCategory = new BasicAttribute
("objectCategory","CN=User,CN=Schema,CN=Configuration," + domainName);
attrs.put(objectCategory);
String newVal = new String("\"password\"");
byte _bytes[] = newVal.getBytes("Unicode");
byte bytes[] = new byte[_bytes.length - 2];
System.arraycopy(_bytes, 2, bytes, 0, _bytes.length - 2);
BasicAttribute attribute = new BasicAttribute("unicodePwd");
attribute.add((byte[]) bytes);
attrs.put(attribute);
ctx.createSubcontext("CN=test1,OU=Users,OU=CEL", attrs);
ctx.close();
catch (NameAlreadyBoundException nex)
System.out.println("User ID is already in use, please select a different user ID ...");
catch (Exception ex)
System.out.println("Failed to create user account... Please verify the user information...");
ex.printStackTrace();
return new GblStatus();
Any help would be much appreciated.Hi .,
me too got up with same problem., can anyone help me.??
Someone help me to create attributes in AD using LDAP
package LDAPpack;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import java.util.Hashtable;
class CreateAttrs {
public static void main(String[] args) {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://10.242.6.166:389/");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
env.put(Context.SECURITY_CREDENTIALS, "password-1");
LdapContext ctx =null;
try {
//ctx = new InitialLdapContext(env,null);
try {
ctx = new InitialLdapContext(env,null);
catch(NamingException e) {
System.out.println("Login failed");
System.exit(0);
if(ctx!=null){
System.out.println("Login Successful");
byte[] buf = new byte[] {0, 1, 2, 3, 4, 5, 6, 7}; // same data
// Create a multivalued attribute with 4 String values
BasicAttribute oc = new BasicAttribute("objectClassNew", "topNew");
oc.add("personNew");
oc.add("organizationalPersonNew");
// Create an attribute with a byte array
BasicAttribute photo = new BasicAttribute("jpegPhotoNew", buf);
// Create attribute set
BasicAttributes attrs = new BasicAttributes(true);
attrs.put(oc);
attrs.put(photo);
Attributes attrs1 = ctx.getAttributes("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
System.out.println(attrs1);
Context result = ctx.createSubcontext("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org", attrs);
//i got error here; i attach the error below.
ctx.close();
System.out.println("close");
catch(NamingException e){
e.printStackTrace();
ERROR:
Login Successful
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
ANYONE HELP ME PLS.
Edited by: vencer on Jun 19, 2008 12:38 AM -
Using PowerShell to import CSV data from Vendor database to manipulate Active Directory Users
Hello,
I have a big project I am trying to automate. I am working in a K-12 public education IT Dept. and have been tasked with importing data that has been exported from a vendor database via .csv file into Active Directory to manage student accounts.
My client wants to use this data to make bulk changes to student user accounts in AD such as moving accounts from one OU to another, modifying account attributes based on State ID, lunchroom ID, School, Grade, etc. and adding new accounts / disabling
accounts for students no longer enrolled.
The .csv that is exported doesn't have headers that match up with what is needed for importing in AD, so those have to be modified in this process, or set as variables to get the correct info into the correct attributes in AD or else this whole project is
a bust. He is tired of manually manipulating the .csv data and trying to get it onto AD with few or no errors, hence the reason it has been passed off to me.
Since this information changes practically daily, I need a way to automate user management by accomplishing the following on a scheduled basis.
Process must:
Check to see if Student Number already exists
If yes, then modify account
Update {School Name}, {Site Code}, {School Number}, {Grade Level} (Variables)
Add correct group memberships (School / Grade Specific)
Move account to correct OU (OU={Grade},OU=Students,OU=Users,OU={SiteCode},DC=Domain,DC=net)
Remove incorrect group memberships (School / Grade Specific)
Set account status (enabled / disabled)
If no, create account
Import Student #
Import CNP #
Import Student name
Extract First and Middle initial
If duplicate name exists
Create log entry for review
Import School, School Number, Grade Level
Add to correct Group memberships (School / Grade Specific)
Set correct OU (OU={Grade},OU=Students,OU=Users,OU={SiteCode},DC=Domain,DC=net)
Set account Status
I am not familiar with Powershell, but have researched enough to know that it will be the best option for this project. I have seen some partial solutions in VB, but I am more of an infrastructure person instead of scripting / software development.
I have just started creating a script and already have hit a snag. Maybe one of you could help.
#Connect to Active Directory
Import-Module ActiveDirectory
# Import iNOW user information
$Users = import-csv C:\ADUpdate\INOW_export.csv
#Check to see if the account already exists in AD
ForEach ( $user in $users )
#Assign the content to variables
$Attr_employeeID = $users."Student Number"
$Attr_givenName = $users."First Name"
$Attr_middleName = $users."Middle Name"
$Attr_sn = $users."Last Name"
$Attr_postaldeliveryOfficeName = $users.School
$Attr_company = $users."School Number"
$Attr_department = $users."Grade Level"
$Attr_cn = $Attr_givenName.Substring(0,1) + $Attr_middleName.Substring(0,1) + $Attr_sn
IF (Get-ADUser $Attr_cn)
{Write-Host $Attr_cn already exists in Active DirectoryThank you for helping me with that before it became an issue later on, however, even when modified to be $Attr_sAMAaccountName i still get errors.
#Connect to Active Directory
Import-Module ActiveDirectory
# Import iNOW user information
$Users = import-csv D:\ADUpdate\Data\INOW_export.csv
#Check to see if the account already exists in AD
ForEach ( $user in $users )
#Assign the content to variables
$Attr_employeeID = $users."Student Number"
$Attr_givenName = $users."First Name"
$Attr_middleName = $users."Middle Name"
$Attr_sn = $users."Last Name"
$Attr_postaldeliveryOfficeName = $users.School
$Attr_company = $users."School Number"
$Attr_department = $users."Grade Level"
$Attr_sAMAccountName = $Attr_givenName.Substring(0,1) + $Attr_middleName.Substring(0,1) + $Attr_sn
IF (Get-ADUser $Attr_sAMAccountName)
{Write-Host $Attr_sAMAccountName already exists in Active Directory
PS C:\Windows\system32> D:\ADUpdate\Scripts\INOW-AD.ps1
Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser'
required by parameter 'Identity'. Specified method is not supported.
At D:\ADUpdate\Scripts\INOW-AD.ps1:28 char:28
+ IF (Get-ADUser $Attr_sAMAccountName)
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetAD
User -
Active Directory: user has admin rights when logs in for the first time
I have an Xserve server running OS X server 10.5.8 and trying to host _open and active directory_ for both Mac and PC machines. The open directory works fine but what happens on the active directory side is that, when a user logs in from a windows machine he/she can access all the other users folders. In other words, he/she almost has *admin rights*. Is this normal or there is some settings that I can look into to fix this?
Details: The first time user logs in, his only effect on the server is the password change. What this means is that his changes dont get uploaded to the server. It is only the second time the user logs in from ANOTHER computer that the server starts saving the his profile. Also, after the second login the user doesnt have admin rights anymore.
Thanks,
MRIf you've just changed your login password in Recovery mode, follow these instructions. Otherwise, see below.
At some point, you may have reset your keychain to default in Keychain Access. That action would have caused your login keychain to be renamed.
Back up all data before proceeding.
In Keychain Access, delete the login keychain from the keychain list. Choose Delete References when prompted, not Delete References & Files.
Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/Keychains
In the Finder, select
Go ▹ Go to Folder...
from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. Rename the file "login.keychain" in that folder to something like "login-old.keychain". Rename the file "login_renamed_1.keychain" to "login.keychain". You can then close the folder.
Back in Keychain Access, select
File ▹ Add Keychain...
from the menu bar. Add back the file now named "login.keychain". If any of your needed keychain items are missing from it, also add back the file you named "login-old.keychain". I suggest you transfer any needed items from that keychain to the login keychain, then delete it. The transfers are made by drag-and-drop in Keychain Access. You'll need to enter your password for each item transferred. -
801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN
Hi,
I have configured several WLANs with WPA2 and 8021.x which authenticate users through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?
thanks for your help.Hi Scott,
I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and into the Radius Server using .*:SSID-NAME$ and SSID-NAME$ ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?
thanks for your help. -
Active Directory, created users not showing up in list of all users
I created a user name "test". However, when I look at a list of all users I only have the 4 users that were created on installation. When I search for "test"
it shows up. Why isn't my user showing up in the list of users?
I am looking in Active Directory Administrative Center:
<my Domain> (local) -> Users
Global Search
Sorry I cannot provide pictures; I am waiting for my account to be activated.You need to look to your search criteria to understand what might be wrong.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Active Directory exports to OID (concerning password storage)
I dont know if this is answered somewhere else but I am hoping to get an answer from people who have synchronized OID to active directory already.
My question is do the AD passwords get stored in OID along with all the other user information during the sync? I know you must use an external plugin to authorize users against their passwords that come from AD.
I am just curious about this since it will probably be an issue for me down the line. Thanks!Hi Seth
Its your choice. If you are using the External Authentciation feature in OID it is not necessary to store AD passwords in OID.
Keep this in mind about password synchronization between OID and AD. Currently all attributes are capable of two way synchronization between OID and AD except one. That is the users password. It is possible to synchronize a password from OID to AD but not from AD to OID.
This is primarily becaue Microsoft uses proprietary password hashing called "Unicode Password Hash" which as I said is proprietary to Microsoft. OID like most other LDAP servers supports open source password hashing such as MD5, MD4, SHA, SSHA and Crypt to name a few. Microsoft does not support any of these to my knowledge. So even if you could pass a user password from Active Directory to OID OID does not support MS password hashing.
We are however able to synchronize passwords from OID to AD over SSL. This is done with a feature called "Reversible Encrypted Password". By default this feature is turned off. When you enable this feature OID will store the users password in two different attributes. One is the traditional "userpassword" attribute which uses the hashing schemes I mentioned earlier. The other is a password attribute that stores the users password in an encrypted format that can be reversible to clear text. This clear text password can then be sent over SSL using a wallet to the AD server.
In version 10.1.3 (Mid 2005)of OID we plan to release a feature that will allow passwords from AD to be synched with OID. Until then Passwords can only be synched from OID to AD.
Jay
Maybe you are looking for
-
How can i See NBA on my Apple tv in Germany?
How can i See NBA on my Apple tv in Germany?
-
Bridge Search finds no results
I looked at a few previous posts and didn't find the solution. Here is the problem. I do a Find in Bridge for files on a server. I have both checkboxes checked (subfolders and non-indexed files). It goes through all my files very fast and then return
-
I have removed and re installed I tunes and all related apple products. 5 times and still get message not installed correctly or error 7 or to install english version. I give up help
-
Service Contracts for Professional Services
What is the best way to add a service contract to a partner so we can open service calls and know what the service contract covers? some customers have multiple service contracts and some have none. it is important for the tech that opens a service c
-
New subscription but dont want instal
Hi I have searched the forum but cant find an answer to this. I just moved into a new ground floor flat - the building is 5 high so i understand i would need to pay a special install cost and get a special team out The problem i have is there is a go