Active directory to oid sync

Similar Messages

• Active directory vs OID

  Hi,
  Can anyone please give me pros and cons of using active directory vs OID.
  We are in process of centralizing tnsnames.ora.
  Thanks in advance!

  Not sure about windows, but on the solaris end, there is a command line app called 'schemasynch' that will do what you want. It is located in $ORACLE_HOME/bin.
  It's a one shot deal program. ie: it doesn't keep directories in synch.
  Instructions for it can be found in the OID Admin Guide.
  http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/network.920/a96574/syntax.htm#639824
  For a continuous synch' approach there is
  http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/network.920/a96574/odip_age.htm#115461
  Cheers
  Kevin

• Active Directory & Keychain Password Sync

  We've been introducing some Macs into our Active Directory environment and I'm a little confused about how best to handle the local Keychain password.  We're joining systems to the domain so that users can use their network password to login to their Macs (accounts are setup as Admin, Managed, Mobile) and so far that is working great.
  It's my understanding that the password on the default login keychain is set automatically when the user account is created, so it would match the password the user first used to login to the Mac.  However, we have a password expiration policy here, so users are changing their passwords at least every 3 months. As I understand it, by default the login keychain password is static, so I'm concerned that users are going to either forget the keychain password, or assume it is the same as their network password, and be unable to unlock the keychain should they even be prompted.
  I've tried enabling the "synchronize login keychain password with account" setting in Keychain Access, but this causes another issue.  When the user changes their network password, the next time they login to the Mac they receive a Keychain prompt asking them to enter their old keychain password in order to keep the keychain pass in sync.
  Is there any way to keep the keychain password synchronized to a user's AD account password without prompting them at all?  Or is their an accepted "best practice" regarding the keychain in active directory?
  Thanks

  I've also written a blog post about this Topic:
  http://sccmfaq.wordpress.com/2014/01/23/azure-directory-sync-initial-configuration/
  www.sccmfaq.ch

• Db10g external password authentication with Active Directory via OID

  HI ALL
  - i have the synchronization AD-to-OID
  - i have the external authorization of AD users via SSO (external authorization plug-in)
  - i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
  - but i cann't configure the DB10g autorization of AD-to-OID synchronized users who don't have their password in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  Funny thing - LDAP (OID and Active Directory) defines a generic heirachical database. Like any other generic database, you need to define the schema to define what data is to be captured.
  Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
  To accomplish what you want to do
  1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
  2) learn to configure SQLNet / Oracle Networking to use LDAPthat is responsib (''cause it's Oracle Networking responsible for the login)
  3) Reverse the schema from OID and transport it to AD
  Aside from that, it's a no-brainer.

• Oracle forms authentication with active directory without OID

  Hi Gurus,
  I need to implement active directory authentication in oracle forms.
  My scenario is this:
  1. The user is created in active directory
  2. The user is imported in our aplication, and then I assign the roles in Oracle, and create the user in my aplicattion.
  When the user logs, the system have to validate the password with MS-AD. If the password is right, then, the system start a session in Oracle.
  My questions are:
  1. How can I validate the password in AD ? Is it in clear text, unix crypt, AES ?
  2. In case the user has changed the password in AD, how can obtain he logs in oracle with the new password ?
  We use oracle enterprise edition, but we don't have oracle applications, so i can't use identity management.
  Thanks in advance for your help

  You will need Oracle SSO and OID to implement Active Directory authentication for Oracle Forms. It comes with Oracle Application Server. You will need to read up on how to use AD instead of OID as the user store for Oracle Single Sign-on (SSO). Forms will use SSO to login not really knowing which user store is used so there is no config needed on the Forms side (except enabling SSO).

• Db10g external password authentication from Active Directory via OID

  HI ALL
  - i have a synchronization AD-to-OID (OAS 10.1.2 (Infra)cold failover cluster, 2 nodes)
  - i have external authorization of AD users via SSO (external authorization plug-in)
  - i have RAC DB(10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
  - but i cann't configure DB autorization of AD-to-OID synchronized users who don't have their passwords in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
  I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
  Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
  request from my server to the LDAP box:
  LDAP: [Base Object]
  LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
  LDAP: [Scope]
  LDAP: wholeSubtree
  LDAP: Equality Match *[3]
  LDAP: [Attr Descr]
  LDAP: objectClass
  LDAP: [Value]
  LDAP: posixAccount
  LDAP: *[3]
  LDAP: [OctetString]
  LDAP: uid
  LDAP: [OctetString]
  LDAP: myusername
  reply from the LDAP server:
  LDAP: [Error Message]
  LDAP: 0000208D: NameErr: DSID-031001CD
  LDAP: , problem 2001 (NO_OBJECT), data
  a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
  b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
  c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)?

• Active Directory exports to OID (concerning password storage)

  I dont know if this is answered somewhere else but I am hoping to get an answer from people who have synchronized OID to active directory already.
  My question is do the AD passwords get stored in OID along with all the other user information during the sync? I know you must use an external plugin to authorize users against their passwords that come from AD.
  I am just curious about this since it will probably be an issue for me down the line. Thanks!

  Hi Seth
  Its your choice. If you are using the External Authentciation feature in OID it is not necessary to store AD passwords in OID.
  Keep this in mind about password synchronization between OID and AD. Currently all attributes are capable of two way synchronization between OID and AD except one. That is the users password. It is possible to synchronize a password from OID to AD but not from AD to OID.
  This is primarily becaue Microsoft uses proprietary password hashing called "Unicode Password Hash" which as I said is proprietary to Microsoft. OID like most other LDAP servers supports open source password hashing such as MD5, MD4, SHA, SSHA and Crypt to name a few. Microsoft does not support any of these to my knowledge. So even if you could pass a user password from Active Directory to OID OID does not support MS password hashing.
  We are however able to synchronize passwords from OID to AD over SSL. This is done with a feature called "Reversible Encrypted Password". By default this feature is turned off. When you enable this feature OID will store the users password in two different attributes. One is the traditional "userpassword" attribute which uses the hashing schemes I mentioned earlier. The other is a password attribute that stores the users password in an encrypted format that can be reversible to clear text. This clear text password can then be sent over SSL using a wallet to the AD server.
  In version 10.1.3 (Mid 2005)of OID we plan to release a feature that will allow passwords from AD to be synched with OID. Until then Passwords can only be synched from OID to AD.
  Jay

• Active Directory Not Syncing Correctly in ES2

  Hello,
  We had our Active Directory 2003 synced up using Adobe Livecycle ES.  There would be around 30,000 users that would be synced and this would take around 3 - 4 1/2 minutes to run.  This worked perfectly for us for the past half of a year or so.
  Last week we upgraded to ES2 and moved all of our processes over.  We removed ES and did a fresh install of ES2.  Everything seems to be working fine now except the Active Directory isn't syncing properly.  When we run the sync, different numbers of users will be fetched.  Sometimes it's around three thousand, sometimes seven thousand, sometimes ten thousand, but it never seems to get through them all.  In the server log it does say that the directory synchronization completed successfully though even though the number fetched is changing.  We made sure the settings are exactly the same as they were before, and we even tried a few different settings, but it still doesn't get all the users.  For testing purposes, we tried changing the search filter to pick specific people that aren't showing up during the normal sync and it will show up fine, so I'm wondering if there is something stopping it from going all the way through?
  We also have another enterprise domain connected which has around 2,000 users on it and have not had this problem with it.
  Here are some of the sync statistics from the past few syncs: (The active directory name has been stripped for security purposes).  If you need any more information please feel free to ask.  We would like to have this resolved as soon as possible.
  2010-05-30 21:02:51,366 INFO  [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
  ========== Synch Statistics for ============
  Total User Fetched - 5633
  Total Group Fetched - 0
  Total Members Fetched - 0
  Total time taken is 110 sec
  [100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 110,375 ms, Max 110359 ms, Min 16 ms, Avg 55187 ms
  --[99.99%] [99.99%]User and group phase(1 runs) : Total 110,359 ms, Max 110359 ms, Min 110359 ms, Avg 110359 ms
  ----[95.78%] [95.80%]Users synch from (6 runs) : Total 105,719 ms, Max 19141 ms, Min 14281 ms, Avg 17619 ms
  ------[1.18%] [1.23%]Provider (31 runs) : Total 1,298 ms, Max 109 ms, Min 31 ms, Avg 41 ms
  --[0.01%] [0.01%]Memberhsip phase(1 runs) : Total 16 ms, Max 16 ms, Min 16 ms, Avg 16 ms
  -------Persistence Statistics-------
  Users ->
  added = 8
  removed = 2568
  updated = 5625
  unchanged = 0
  renamed = 0
  failed = 0
  UniqueId changed = 0
  Groups ->
  added = 0
  removed = 0
  updated = 0
  unchanged = 0
  failed = 0
  UniqueId changed = 0
  Emails ->
  added = 8515
  removed = 106
  unchanged (In changed Principals) = 16784
  Group Members ->
  added = 0
  removed = 0
  unchanged = 0
  unknown = 0
  failed = 0
  -------Batch Statistics-------
  Successful User Batches = 113
  Failed User Batches = 0
  Successful Group Batches = 0
  Failed Group Batches = 0
  Successful Member Batches = 0
  Failed Member Batches = 0
  ======================================
  2010-06-02 21:03:43,692 INFO  [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
  ========== Synch Statistics for ============
  Total User Fetched - 7140
  Total Group Fetched - 0
  Total Members Fetched - 0
  Total time taken is 165 sec
  [100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 164,781 ms, Max 164750 ms, Min 31 ms, Avg 82390 ms
  --[99.98%] [99.98%]User and group phase(1 runs) : Total 164,750 ms, Max 164750 ms, Min 164750 ms, Avg 164750 ms
  ----[96.78%] [96.79%]Users synch from (8 runs) : Total 159,469 ms, Max 26719 ms, Min 3500 ms, Avg 19933 ms
  ------[1.01%] [1.05%]Provider (42 runs) : Total 1,667 ms, Max 109 ms, Min 15 ms, Avg 39 ms
  --[0.02%] [0.02%]Memberhsip phase(1 runs) : Total 31 ms, Max 31 ms, Min 31 ms, Avg 31 ms
  -------Persistence Statistics-------
  Users ->
  added = 8
  removed = 5
  updated = 7132
  unchanged = 0
  renamed = 1
  failed = 0
  UniqueId changed = 0
  Groups ->
  added = 0
  removed = 0
  updated = 0
  unchanged = 0
  failed = 0
  UniqueId changed = 0
  Emails ->
  added = 3340
  removed = 105
  unchanged (In changed Principals) = 33761
  Group Members ->
  added = 0
  removed = 0
  unchanged = 0
  unknown = 0
  failed = 0
  -------Batch Statistics-------
  Successful User Batches = 142
  Failed User Batches = 1
  Successful Group Batches = 0
  Failed Group Batches = 0
  Successful Member Batches = 0
  Failed Member Batches = 0
  ======================================
  2010-06-03 08:56:43,286 INFO  [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
  ========== Synch Statistics for ============
  Total User Fetched - 2960
  Total Group Fetched - 0
  Total Members Fetched - 0
  Total time taken is 68 sec
  [100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 67,984 ms, Max 67921 ms, Min 63 ms, Avg 33992 ms
  --[99.91%] [99.91%]User and group phase(1 runs) : Total 67,921 ms, Max 67921 ms, Min 67921 ms, Avg 67921 ms
  ----[96.37%] [96.46%]Users synch from (3 runs) : Total 65,516 ms, Max 23016 ms, Min 19766 ms, Avg 21838 ms
  ------[4.00%] [4.15%]Provider (17 runs) : Total 2,719 ms, Max 844 ms, Min 31 ms, Avg 159 ms
  --[0.09%] [0.09%]Memberhsip phase(1 runs) : Total 63 ms, Max 63 ms, Min 63 ms, Avg 63 ms
  -------Persistence Statistics-------
  Users ->
  added = 2
  removed = 6632
  updated = 2958
  unchanged = 0
  renamed = 0
  failed = 0
  UniqueId changed = 0
  Groups ->
  added = 0
  removed = 0
  updated = 0
  unchanged = 0
  failed = 0
  UniqueId changed = 0
  Emails ->
  added = 3
  removed = 1
  unchanged (In changed Principals) = 10035
  Group Members ->
  added = 0
  removed = 0
  unchanged = 0
  unknown = 0
  failed = 0
  -------Batch Statistics-------
  Successful User Batches = 60
  Failed User Batches = 0
  Successful Group Batches = 0
  Failed Group Batches = 0
  Successful Member Batches = 0
  Failed Member Batches = 0
  ======================================

  We do have quite a few that are missing an attribute, specifically:
  2010-06-06 21:05:47,579 WARN  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Record [xxxx] is missing required attribute [objectSID] for canonicalName i.e uniqueIdentifier field
  This is something that was on our old system as well:
  2010-05-25 03:02:35,559 INFO  [com.adobe.idp.um.provider.directoryservices.LDAPDirectoryPrincipalProviderImpl] UserM:: [Thread Hashcode: 3010887] This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: xxxx
  We have many users in our active directory with just email accounts so that users are able to search for a name and find the email address in outlook.  I have checked through these and they look fine (though there are fewer entries in ES2 since there are fewer users being fetched).
  As for the locked users, here is what we received:
  2010-06-06 21:05:47,579 INFO  [com.adobe.idp.um.businesslogic.synch.LdapPrincipalProvider] Found [1257] locked users while synching. These users were ignored
  This sounds about right for the amount of users that were fetched. 
  If you have any more questions or ideas, please let us know.  We would like to have this resolved as soon as possible.  Thanks.

• Oracle 9i/10G DB authentication using Active Directory (with out OID)

  Hello All,
  We want to use a Single-Password authentication scheme using the Active
  Directory as the primary source for userId/Password.
  We don't want to use the Active Directory and OID bridge.
  As we have many databases and would like to configure all Databases to use Active
  Directory for Authentication. Our goal is to have single id/password across all
  the databases and any user should be able to login from any computer using their
  windows id/password, note that we don't want to use the OSAuthentication.
  We have read the documents provided by oracle for authentication using Active
  Directory, we were able to create Oracle Schema in Active Directory and were
  also able to register a DB with Active Directory and then created user as global
  user in Oracle Database and provided the DN of the user. When we tried
  authenticate with all this setup it comes back and says invalid ID/Password !!!
  And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
  Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
  Envoirnment:
  Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
  Operating System: Windows 2000/ Windows 2000 Server
  Constraint: We don't want to user OID ( as we don't have license for this
  product ! )

  I have a thread started similar to your request.
  OS Authenication on Windows
  Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
  SHOW PARAMETER OS_AUTHENT_PREFIX;
  SHOW PARAMETER REMOTE_OS_AUTHENT;
  CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
  GRANT CREATE SESSION TO OPS$SOMEUSER;
  For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
  CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
  I really wish Oracle or somebody created a guide or book on how to do this.

• Integrating Oracle Portal & Microsoft Active Directory

  Dear friends
  I Integrated Oracle Portal & Microsoft Active Directory without any error or problems but it just integrate the users under Users Container in active directory, I have some OU,Groups and policies and I categorized my users under them, so when I run "sh oidspadi.sh" and set "cn=...." with other values except "Users" it can not add all of the users under specific groups or policies.
  Please let me know how can I add all of my users in active directory to OID?
  Thanks
  Babak Saraie

  I'm not familiar with iPlanet, but if it can allow basic
  authentication and connect to AD, it should be possible to do what
  you want.
  Personally, I would rather that the browser did not
  automatically log me in. For example, if someone was having
  problems with their "view" on the intranet web site, if they
  visited your office, you would have to log off, let them log on
  (and wait while their profile was created) just to let them open a
  browser.
  Is it really asking too much for them to enter their
  username/password into a browser prompt once each day? Heck, most
  browsers will remember usernames and passwords so you don't have to
  type it. You just click OK.
  That's just my perspective.
  M!ke

• Apply OID search filter for Active Directory Export Sync Profile

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

  - currenlty we have active directory export profile working successfully
  - the filter we apply at OID side is SynchronizeToAD!=OID
  that means synchronize all ldap data that has a attribute value other than "OID"
  - This works very well
  Problem:
  - We now need to make the export sync work based on a different condition. The condition being....
  SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
  - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
  Question:
  1) Need a way to control synchronization based on attribute value.
  2) So far tried the below filter value with out success
  2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
  2b) SynchronizeToAD=AD3
  - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
  Please provide us with valid search filter to accomplish the above.
  The OID profile attribute that we are trying to set is odip.profile.oidfilter

• Cannot install Windows Azure Active Directory Sync tool on Server 2012 w/ SQL Server 2012

  I went to change a user password on the server today and after changing the password I logged into the SQL server to run “Import-module dirsync” & “Start-onlinecoexistencesync” in powershell in order to sync the new password with Exchange Online. After
  waiting ten minutes I tried setting up the email on the user’s PC but the new password was not being accepted. I logged into Office 365 and I got the following warning.
  "Warning: Last synced more than 3 days ago | Troubleshoot"
  So I pressed troubleshoot and the site installed a tool on the server to try and find out what the issue was. After the tool ran it told me that the version of dirsync.exe was out of date and that I should download the new one and install it. So I downloaded
  the new dirsync.exe (version 7020 I believe) and tried installing it. I kept getting error after error, different ones to boot.
  First it told me I wasn’t part of the FIMSyncAdmins group (so I added myself), then it told me that it could not connect to MIIS server,  so I tried starting it and windows said that there was a problem with the sign on used by the service so I had
  to reset the password for the local user named “AAD_bfd1d6f0cef7” which was being used by that service. The service started successfully and when I went to install it told me I could not and if the problem persisted I should uninstall the old version and reinstall.
  Looking in the log file, before I even install the software I see the following Information...
  Level: Information
  Date: 2015-03-24 12:49:17 PM
  Source: Directory Synchronization
  Event ID: 0
  Task Category: None
  "The current configuration of the Windows Azure Active Directory Sync tool is invalid. Please reinstall the Windows Azure Active Directory Sync tool."
  So I tried to reinstall (i even manually uninstalled the old version and removed the folder in C:\Program Files\ called "Windows Azure Active Directory Sync") and on reinstall I get as far as "Installing Components" and then after a little
  while it errors out with the error "The install was unable to setup a required component. Check the event logs for more information. Please try the installation again and if the error persists, contact Technical Support. "
  Looking at the log file there are a bunch of new entries, created by the installer. There's over 300 new entries and I can not post them all here due to character count restriction. you can find the log file here...
  www.clarkfreightways.com/wp-content/uploads/2015/03/dirsync_log.txt
  Can anyone tell me what is going on, I've been looking through the log files and I can see errors but I'm not sure what to do to fix it.

  Greetings!
  Wanted to know if you've hosted the DirSync tool (latest version) on a VM? Also, if this is deployed in a Production or Lab environment? If it's a lab setup, you may
  try installing the DirSync on a new VM / Server (suspecting that it could be some machine related issues).
  Here's a Support KB helping with different errors:
  http://support.microsoft.com/en-us/kb/2684395
  If its a production environment, would suggest to raise a
  Technical Support Ticket for assisting further with break-fix.
  Thank you,
  Arvind 

• SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server

  All,
  I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
  We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Micsoroft Active Directory 2003.
  We are exploring the option of using full Active Directory schema expansion for the SAP sync.  i.e. so we have all SAP related fields in AD.
  According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
  I have tried to download this from the SWDC with no luck.
  So I guess my questions are:
  1, Do I really need the 6.10 install cd (it seems it's only the ADSINIT.R3S file).
  2, If I do, where can I get it from?, do I need to order it through our SAP contract manager?
  In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
  This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree.  Have I missed something?
  Any help appreciated.
  Thanks,
  Darryl

  Rainer,
  Thanks for that.
  I have been re-reading note 793191 and question 14 says exactly that.
  I will checkout JXplorer.
  I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
  Thanks again.
  ps. awarded points

• Date and Time Sync at boot for Active Directory/Open Directory Authenticati

  All the macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then login in with a local admin account set the time and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounst (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?

  I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That however is not the case that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? well that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.

• Ldap Sync: User is not able to create in Active Directory through OIM

  Hi ,
  I have enabled the ldap sync between OIM and Active Directory.
  Option 1: with password
  While creating the new user in OIM , I am getting the below error .
  80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Could not modify entry.[[
  javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
  remaining name 'cn=ADTESTLDAp10F ADTESTLDAp10LL,cn=Users,dc=cgtest,dc=adtest,dc=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
    at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.modify(ConnectionHandle.java:301)
    at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.modify(BackendJNDI.java:781)
  [2013-08-04T17:06:58.840-07:00] [oim_server1] [ERROR] [OVD-60600] [oracle.ods.virtualization.engine.util.ADUtilities] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Cannot set password : LDAP Error 53 : [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0[[
  Looks like password is not able to set properly. But I am able to create the same user in AD using the same password.
  Option 1: without password
  Another testing, I have also tried to create user without password.  There is no error coming to log file. and I am able to see the below message in log file
  oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler] [APP: oim#11.1.2.0.0] [SRC_METHOD: createUser] User created in LDAP with GUID 9dc8f6f4b8564216a5d75d86f7cad0a2
  But user is not created in AD . this is another issue.
  Thanks,
  Amit

  Thanks for your reply.
  I have seen sample xml and my target looks the same
  <wlserver dir="${weblogic.domain.dir}"
                           port="${weblogic.domain.admin.server.port}"
                           servername="${weblogic.domain.admin.server.name}"
                           username="${weblogic.domain.admin.user}"
                           domainname="${weblogic.domain.name}"
                           password="${weblogic.domain.admin.password}"
                           configFile="config.xml"
                           generateConfig="true"
                           action="start"
                           beahome="${env.BEA_HOME}"/>
  my requirement is to use ant task.. otherwise I am able to create through configuration wizard
  Thanks