Active Directory Groups - Domain Users Group

Using the AD resource adpater, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking AD the user does belong, but in IDM it does not list this group membership. Is this normal ?

Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS, that has been FTP enabled. The problem I'm seeing now is that the watch will only work, if the watch is at the root level. If I add a file path, its accepted as valid when I save the directory watch, but looking at the fa.log its appending the last directory on twice.
So if my watch is looking at FTP Directory Path of: lifelink
The fa.log shows: .../lifelink/lifelink/
the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
thanks,
Dave

Similar Messages

"Domain Users" group in Active Directory does not belong to any Group Membership in LC

Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
Any way to correct this issue, without changing group membership on AD side?
If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
Thanks.

If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

Can I get the members of Domain Users group (AD specific) with JNDI?

Hi All,
I've found these forums very helpful and full of great information, I've been able to retrieve all members of groups that I search for (from the information on this forum), and get the member's attributes such as email addresses through that.
The question I have is, is there a way to query the Domain Users group, since it's a special group in Active Directory, and retrieve the members of it? So far I have been unsuccessful. Here's a query I found that works on .Net:
(|(&({ClassFilter})(memberOf={GroupDistinguishedName}))(distinguishedName={G
roupDistinguishedName}))
I haven't been able to get it to work with JNDI however. Can anyone point me in the right direction?
thanks,
Matt

It's not so much that the Domain Users is a special group, it's more that because by default, all users have their Primary Group set to Domain Users, that it appears to behave differently.
So the query that you're trying to execute via JNDI, would be something like:String searchFilter = "(&(objectClass=user)(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com))";And of course if everything has been left to defaults, it doesn't return any results.
Similarly if you look at the member attribute of Domain Users, it will be empty.
Assuming the defaults, and every user's Primary Group is set to Domain Users, the following query would return all the user's whose primary group is Domain Users:String searchFilter = "(&(objectClass=user)(PrimaryGroupID=513))";Note that 513 is the Relative ID (RID) for Domain Users.
Now if you set a user's Primary Group to be something other than Domain Users, then the Domain Users group would now have a value
for it's member attribute and conversely the respective user would now have Domain Users as one of the values of their memberOf attribute.
So then your query would be something like:
String searchFilter = "(&(objectClass=User)(|(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com)(PrimaryGroupID=513))){code}
I guess the fundamental question, is why do you need to determine whuch users are members of Domain Users ?
If this is for usie in an application, where the user has authenticated and you are using group membership to make authorisation decisions, perhaps the constructed tokenGroups attribute may be more useful as it contains the Security Identifiers (SID) for all the groups the user is a member of ?

Domain Users Group is a Protected Group on the Domain

I'm having an issue where I set some permissions for a particular users mailbox, but when I come back later the permissions later they have been removed. I have done some digging around and I believe the issue is a result of the Domain Users group being
protected, which has led me to the AdminSDHolder object in the System OU. Does anyone know if it possible to amend the the security permissions, so that the group is no longer protected as it is causing some major issues for me.
Any suggestions would be appreciated
Thanks in Advance

I just want to add to make sure that the user is not part of another group that may be nested in another group that is protected.
I had that issue with a customer, a police dept, after I migrated them to Exchange 2010 when some, but not all users, had issues with their mobile devices accessing Exchange ActiveSync. I found it was previously created users and
not new users, that had the problem. They had a number of users in administrative groups when they had one server that was a DC (previously SBS), and everyone in the organization had access to it, which required users to have administrative
rights, at least that's how they did it back then by the previous administrator, to provide them local logon rights.
With the help of a tool from Joe Richards, I had to hunt down each nested administrative group the users were in to remove them or change the AdminCount attribute to 0 before setting to allow inheritance otherwise it would set itself back when
AdminSDHolder runs every hour.
This was all discussed in the following TechNet thread:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/269e0ab2-6e65-4001-abcb-3c89f6f938fd/issues-with-adminsdholder?forum=winserverDS
Also, take a look at this PW script that is supposed to look for all of that, at least that was my last discussion with the author mentioning that each group that a user is part of must be checked, when he posted the script to the ADDS group
in FB (https://www.facebook.com/groups/ADDSForum/):
Exchange Checkbox of Doom
http://www.dexterposh.com/2014/12/powershell-exchange-checkbox-of-doom.html
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Allowing the domain users Group to SCCM 2012 Remote Control

Hi There,
been working on this issue for the last few days now and its frustrating the crap out of me. My company has requested for all Domain users to be allowed to Remote Control to everyone's computer. This is so that users will be able to show each other how to
use in house application. In SCCM 2012 console, I've added the Domain users to the Premitted viewer tab. I've also added the domain user group to the administrative user section, added the Remote operator role and assigned the
ALL security scope to it. On another machine, i run the CMRCviewer to this machine and it prompts for username advising me the one i provided isn't authorized. when i check on the targeted machine, i can see domain users populated in the ConfigMgr
remote control user group
It seems only domain admins have rights to Remote control in. i've only got one client setting defined (default policy).
the interesting thing is the following layout
WINDOWS XP ---> WINDOWS 7 prompts for username
WINDOWS 7 -----> WINDOWS XP works
WINDOWS XP -----> WINDOWS XP works
WINDOWS 7 ------> WINDOWS 7 prompts for username

Hi Dave,
1) yes domain users is part of the configMgr remote control users". CMRCSERVICE.log shows the following
=== Starting security handshake ===
CmRcService
11/03/2013 10:44:29 AM
4808 (0x12C8)
HandshakeWorker failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Security filter server: DoHandshake failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
m_pSecFilter DoHandshake() failed. CmRcService
11/03/2013 10:44:29 AM 4808 (0x12C8)
DoHandshake failed on server side.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to do Handshake in Server.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to create security context.. Security Handshake failed.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to validate Security requirement..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to complete the RDP connection..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
i've confirmed this user is part of domain users as well.

Impact on roaming profile accounts if we Change User logon Name to Employee Number format in Active Directory for all User accounts

I want to understand if we change User logon Name to Employee Number format in Active Directory for all User accounts, then what would be the impact on existing profile. Whether we need to change it manualy or it will connect to same profiles in terminal
session.
As i observed it create new profile after logon name changed to employee number where existing users profile settings get fails to load and prompt for new settings (such as outlook reconfiguration, share drive mapping etc.).
Kindly let me know the proper process to overcome with this, how to connect same existing roaming profile with employee number format change.

Hi,
What if we change the user name of user account, will it have impact on roaming profiles.
Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
Here is an related article below for you:
How to Rename a Windows 7 User Account and Related Profile Folder
http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
Best Regards,
Amy

Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

Hi,
I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.

The error message means that Active Directory server Reject the authentication attempt
as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
Event Logs why did the user account got locked.
Under Even Viewers, You can find it out
Regards
Minakshi (Do rate the helpful posts)

Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc

The possible causes of this error message are:
1.] If the end user entered an incorrect username.
2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
In your cases, the 3rd option seems to be the most closest one.
Jatin Katyal
- Do rate helpful posts -

Problem authenticating user in Active Directory cross domain

Hi,
We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
'm trying to connect to London AD using the "users credentials" and retrieve the groups they are assigned to.
I can connect to the London AD using any of the London user and I could retrieve the groups. But when I use a Tokyo user credentials to connect using the London AD server 'm getting Security exception with a code indicating "User Not Found".
The code I use which is very basic is given below . The code below run as such gives me the following error,
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "london ldap server url");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.REFERRAL, "follow");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
ctx = new InitialLdapContext(env, null);
I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
Please bear with me if my query is a naive one and point me in the right direction.
Thanks
Jothi

Hi Praveen,
to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
For this, you have to change the following UME properties:
For user objects: ume.ldap.unique_user_attribute=<attributename>
For account objects: ume.ldap.unique_uacc_attribute=<attributename>
For group objects: ume.ldap.unique_grup_attribute=<attributename>
Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
Please read SAPNote 777640 for more information regarding this problem and the way to change the UME properties.
Best regards,
Robert

BPC 7.5 - Domain User Group Not Work - Configuration Server Manager

Hi Guys,
I install BPC 7.5 from NW. From the PC client only work ok with the same user OWNER the BPC .NET. In Server Manger -> Option
-> Define Systems User Group, add the follow data:
- System user group name= Domain Users
- Domain Type=Active Directory
- Domain Name = BAIRES
Is correct the Syntax? or need use the form OU=xxxx?
Thanks.

Ok, thanks, and So I have other problem. I need Add User from different Domains, How configure this?
Tks

Local User Group pointing to Domain users group

Is there a specific terminology in the active directory area for having local groups that contains domain groups? want to find more information on this technique so i can understand/learn more about it.

> Is there a specific terminology in the active directory area for having
> local groups that contains domain groups? want to find more information
Maybe you are thinking of AGDLP (or AGGUDLP)?
http://en.wikipedia.org/wiki/AGDLP
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Cannot delegate Reporting Services Web access to domain user / group, User does not have required permissions

Hi
I have an SCCM 2012 SP1 CU3 installation on a Server 2008 R2 + SQL 2008 R2.
I'm having trouble delegating Reporting Services Web Access to a standard domain user.
I have followed the instructions from these blogs:
http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/
http://www.wolffhaven45.com/blog/sccm/assigning-users-to-configmgr-reportusers-group-in-sccm-2012/
No matter how I try, I cannot get the reports to show for a standard domain user. In the console no reports are showing and in the web access I get
"User domain\user does not have required permissions........"
The only thing that is consistenly working when I test is to put the AD Group on the Security Role "Full Administrator".
Then everything will show up.
Any ideas on how to troubleshoot this?

Thanks everyone for helping me with tips. I have now solved the problem. It was the permissions from SCCM that did not replicate to the Reporting Server.
In srsrp.log I got these error messages:
Could not retrieve the reporting service name for instance 'MSSQLSERVER'
Invalid class
Could not stop the reporting serviceAfter googling a litte I found these 2 sites with similiar problems:http://social.technet.microsoft.com/Forums/en-US/d4a7f93a-506f-4e3f-b5fc-bd2b087277da/ssrs-permissions-do-not-add?forum=configmanagergeneral
http://www.microtom.net/microsoft-system-center/software-distribution/sccm-2012-reporting-services-do-not-install
So I ran the command for SQL 2008 R2: mofcomp.exe C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof
and BAAM, everything started to work =)
/ALX

Orchestrator Active Directory Add Computer to Group

Having trouble with the Add Computer to Group activity. I can't seem to find the right reference for an OU in my active directory forest (/Servers/KC). Any help?
William Busby, PMP

Hi William,
you can use the "Get Computer" and "Get Group" Activities to get all the information for the Group and Computer including the Distinguished Name. In the Filter tab of the two "Get-Activities" you can filter with name and other things.
The you can right click on the field for the Distinguished Names in the "Add Computer To Group" Activity and click Subscribe -> Publihed Data and choose the Distinguished Names you get as result from the Activities before.
Regards,
Stefan
German Orchestrator Portal ,
My blog in English

Context Directory Agent maps the Active Directory Anti-Virus user

Hi,
Today I was able to join a couple of CDA's to our Active Directory domain (2008 R2 DC's) using a non-privileged account and the CDA maps (most) users to IP addresses.
I would like to use the CDA solely for building up firewall policies based on AD details whenever possible
as maintaining granular firewall policies on 8 different ASA's is too time consuming as we are not a large IT organization.
But, after deploying the first "AD Group" based rule, it turned out, that the AD user-account mapped to the IP address of my PC was actually a domain user, running the local anti-virus engine, and not my own.
It makes total sense that the the anti-virus user is logged on to the PC before any user, so it can do "its thing",
but my own user-account is never mapped.
CDA was able to map certain users to an IP address, even though the anti-virus user is actually logged on to the PC before them.
Has anyone deployed Identity Based Firewalling and experienced something which resembles this scenario and were you able to do any workarounds?
I looked into filtering out the logon events (for the Sophos user-account) from the Windows Security logs,
so the CDA will not be able to map these, but it seems a bit far fetched, and would probably violate a security policy or two :)
Cheers, Søren Elleby Sørensen

I opened a case and they refer me to bug CSCun10631.
(CDA doesn't support 2012R2).
the good news is that a new patch (3) should be release this month (July) and will include support.

Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&2', &3);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&4', &5);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
-- SSL bind
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&6', &7);
     plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&8', '&9', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&10', &11);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&12', '&13', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&16', &17);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&18', &19);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
          plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&20', &21);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&22', '&23', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&24', &25);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&26', '&27', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
     result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
     plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&29', &30);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&31', &32);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&33', &34);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&35', '&36', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&37', &38);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&43', &44);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&45', &46);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&47', &48);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&49', '&50', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&51', &52);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&53', '&54', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
     if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
     then
     echo "The input passwords are not matched";
     exit 1;
     fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE

Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If

Active Directory Groups - Domain Users Group

Similar Messages

Maybe you are looking for