AD and adding group members via CFLDAP

I posted this over in Advanced techniques with only one brave, yet unfortunately uninformed taker...
Anyone here have a clue as to why I'd get the error described in the text below???
[Only Response...]
Thank you for your response... I probably should explain better what this code does...
It queries a data source (DB2 database) for a list of about 2000 names (specifically their Employee number).
Then it queries the MS Active directory for a list of anyone who has an attribute of employeeNumber that is not an empty string.
Next, it uses a QofQ to join the two record sets together, tossing out any records that do not match from both of the data sources.
Then I loop over that list of employees adding them into a group.
This operation does nothing to modify a user's password.
Thanks,
D.
Ian Skinner wrote:
> This came off of another CF related list. Not sure if it applies to
> your situation or not.
>
> * You cannot change passwords unless you have a SSL cert setup for the
> CF server and the AD domain controller.
>
> I have no first hand experience with this, so all I can offer is to
> pass along the above comment.
>
> dnagel wrote:
>> So, this is the advanced techniques group... and no one feels the
>> least bit challenged?
>> There's got to be someone who enjoys delving into LDAP out there...
>>
>> D.
I'm having a bit of trouble getting the CFLDAP Modify query to execute after I tied it into the CFLOOPed query... When I ran it with my own user's DN it worked great... it does not work with any other DN. My account has Domain Admins on this sandboxed server and is capable of making the change by hand using the AD tools inside of MMC... Any suggestions? Thanks,
D.
<cfset servername = "AD.TESTSITE.com">
<cfset username = "[email protected]">
<cfset password = "PASSWORD">
<cfset domain = "TESTSITE">
<cfset OU = "ou=Granite">
<cfoutput>
<CFSet GroupName="TestDistribution">
<CFSet GroupDN = "cn=#GroupName#,cn=Users,dc=#domain#,dc=com">
<CFQuery name="Users" datasource="GCI_Workforce">
    Select cast (WBAN8 as varchar(10)) as WBAN8, wbemal from WTWDSECPJ1 where WBEXEMPT ='Y'
</CFQuery>
<cfldap
    action="query"
    server = "#servername#"
    username = "#username#"
    password = "#password#"
    start = "#OU#,dc=#domain#,dc=com"
    attributes = "dn,employeeNumber"
    filter = "employeeNumber=*"
    name = "adDNLookup"
    scope = "subtree"
>
<CFQuery Name="JoinUsers" DBType="Query">
    Select
        adDNLookup.DN, adDNLookup.employeeNumber
    from
        adDNLookup,
        Users
    Where
        adDNLookup.employeeNumber = Users.wban8
</CFQuery>
<CFLoop Query="JoinUsers">
    <CFTry>
        <!---<CFSet UserDN = "member=cn=Dennis Nagel,CN=Users,DC=TESTSITE,DC=com">--->
        <CFSet UserDN = "member=#DN#">
        <!--- CFML variable names are case-insensitive: this overwrites the bind username set at the top --->
        <CFSet UserName="#employeeNumber#">
        #UserName# #UserDN#<br>
        <cfldap
            action="modify"
            server = "#servername#"
            username = "#username#"
            password = "#password#"
            modifytype="add"
            attributes = "#UserDN#"
            dn="#GroupDN#"
            separator=";"
        >
        <cfoutput>#UserName# has been added to the group (#GroupName#).</cfoutput>
        <cfcatch type="any">
            <cfif FindNoCase( "ENTRY_EXISTS", cfcatch.message )>
                <cfoutput>
                #UserName# is already assigned to the group (#GroupName#).
                </cfoutput>
            <cfelse>
                <cfoutput>
                Unknown error : #cfcatch.detail#")
                </cfoutput>
                <cfabort>
            </cfif>
        </cfcatch>
    </CFTry>
</CFLoop>
</cfoutput>
Here's the trace info...
110028 member=CN=Mary Chalfa, OU=PSP_Indio, OU=PSP, OU=GC_Branches, ou=Granite, dc=TESTSITE, dc=com
Unknown error : One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server")
Debugging Information ColdFusion Server Enterprise 6,1,0,63958
Template /JDE-AD-Sync/JDE-AD-Groups.cfm
Time Stamp 22-Jun-06 12:02 PM
Locale English (US)
User Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Remote IP 127.0.0.1
Host Name 127.0.0.1
Execution Time
Total Time Avg Time Count Template
687 ms 687 ms 1 C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm
0 ms 0 ms 1 C:\Inetpub\wwwroot\JDE-AD-Sync\Application.cfm
0 ms STARTUP, PARSING, COMPILING, LOADING, & SHUTDOWN
687 ms TOTAL EXECUTION TIME
red = over 250 ms average execution time
Exceptions
12:02:45.045 - Application Exception - in C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm : line 67
An error has occured while trying to execute modify :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece].
SQL Queries
Users (Datasource=GCI_Workforce, Time=47ms, Records=2203) in C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm @ 12:02:44.044
Select cast (WBAN8 as varchar(10)) as WBAN8, wbemal from WTWDSECPJ1 where WBEXEMPT ='Y'
JoinUsers (Datasource=, Time=16ms, Records=996) in C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm @ 12:02:45.045
Select
adDNLookup.DN, adDNLookup.employeeNumber
from
adDNLookup,
Users
Where
adDNLookup.employeeNumber = Users.wban8
Scope Variables
Application Variables:
applicationname=JDE-AD-Sync
ds=GCI_WFD
Cookie Variables:
JSESSIONID=36301107041151000811062
Server Variables:
COLDFUSION=Struct (8)
OS=Struct (5)
Session Variables:
cfid=831
cftoken=54562187
sessionid=JDE-AD-SYNC_831_54562187
urltoken=CFID=831&CFTOKEN=54562187
Debug Rendering Time: 63 ms

ok, I found it... re-use of the variable username... :-)
Damn ambiguous error messages.
Thanks to Ian for taking a look.
D.
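
The cfcatch text in the thread blames attributes or permissions, but the exception in the debug output carries LDAP result code 49 with AD sub-code 525: a failed bind for an account that does not exist, which fits the loop overwriting `username` with the employee number. As an added example (not part of the original thread), this Python helper tells bind failures apart from failures of the operation itself; the name `triage` and the two constructed sample strings are assumptions.

```python
import re

# Standard LDAP result codes that matter for a group-membership modify,
# with the phase in which each one is raised.
LDAP_RESULT = {
    20: ("attributeOrValueExists", "operation"),
    32: ("noSuchObject", "operation"),
    49: ("invalidCredentials", "bind"),
    50: ("insufficientAccessRights", "operation"),
    68: ("entryAlreadyExists", "operation"),
}

# Active Directory bind sub-codes: the "data" field is a Win32 error in hex.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_LDAP_RE = re.compile(r"\[LDAP: error code (\d+)\b")
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def triage(message):
    """Describe where an LDAP call failed; None if no LDAP result code is present."""
    flat = " ".join(message.split())  # undo line wrapping from debug output
    found = _LDAP_RE.search(flat)
    if found is None:
        return None
    code = int(found.group(1))
    name, phase = LDAP_RESULT.get(code, ("unknown", "unknown"))
    result = {"code": code, "name": name, "phase": phase,
              "data": None, "win32": None, "reason": None}
    sub = _DATA_RE.search(flat)
    if code == 49 and sub:
        data = sub.group(1).lower()
        result.update(data=data, win32=int(data, 16),
                      reason=AD_BIND_DATA.get(data, "unrecognised sub-code"))
    return result


# Exception text exactly as it appears in the thread's debug output.
PAGE_EXCEPTION = ("An error has occured while trying to execute modify :[LDAP: "
                  "error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
                  "AcceptSecurityContext error, data 525, vece].")
# The cfcatch.detail text from the thread: it carries no LDAP code at all.
PAGE_CFCATCH_DETAIL = ("One or more of the required attributes may be "
                       "missing/incorrect or you do not have permissions to "
                       "execute this operation on the server")
# Constructed samples (not from the thread): a wrong password and an ACL denial.
CONSTRUCTED_WRONG_PASSWORD = PAGE_EXCEPTION.replace("data 525", "data 52e")
CONSTRUCTED_ACL_DENIED = "[LDAP: error code 50 - Insufficient Access Rights]"

if __name__ == "__main__":
    for text in (PAGE_EXCEPTION, PAGE_CFCATCH_DETAIL,
                 CONSTRUCTED_WRONG_PASSWORD, CONSTRUCTED_ACL_DENIED):
        print(triage(text))
```

A result with phase `bind` means the credentials passed to the call are the thing to check, before any group ACLs.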

Similar Messages

  • Import Pickup Group Members via BAT?

    Hey guys,
    I'm a little bit confused, but is there any way to import group members via BAT into existing pickup groups???
    Unfortunately my colleague already created the groups but he didn't insert the members at all.
    I'm talking about 200 groups with different parameters and I have to insert over 2000 members. So I wonder about how to import.
    Please gimme a hint.
    Thanks                  

    Hi Patrick,
    Yes you can add lines with this option on bat excel sheet
    Call   Pickup Group 1
    [String[50]OPTIONAL]
    Regards
    Haitham

  • List group members via PHP

    I need to query NDS via PHP to get the member list of a group. I would
    like to do this via an anonymous bind, but can provide credentials if
    necessary. Any help would be appreciated.
    JM
    jmoseby
    jmoseby's Profile: http://forums.novell.com/member.php?userid=35190
    View this thread: http://forums.novell.com/showthread.php?t=387219

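    jmoseby;1861509 Wrote:
    > Nevermind - figured it out:
    >
    > Code:
    > <?php
    >
    > // Return the CNs of the members of $group, or false if TLS or the bind fails.
    > function getMembers($group){
    >     $ldap_server='10.1.10.200';
    >     $ldap_user='admin';
    >     $ldap_pw='notreallytheadminpassword!';
    >     $members=array();
    >
    >     $ldap = ldap_connect($ldap_server);
    >     ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
    >     // Stop when StartTLS or the bind fails instead of ignoring the result,
    >     // so the password is never sent over an unencrypted connection.
    >     if(!@ldap_start_tls($ldap) || !@ldap_bind($ldap,"cn=$ldap_user,o=GSO",$ldap_pw)){
    >         return false;
    >     }
    >     // Escape the group name before it goes into the search filter.
    >     $filter = 'cn='.ldap_escape($group, '', LDAP_ESCAPE_FILTER);
    >     $results = ldap_search($ldap,"o=GSO", $filter);
    >     $user_info = ldap_get_entries($ldap, $results);
    >
    >     if($user_info['count'] > 0 && isset($user_info[0]['member'])){
    >         foreach($user_info[0]['member'] as $key => $member){
    >             if($key === 'count'){continue;} // skip the element count entry
    >             // Keep only the value of the first RDN (the CN) of each member DN.
    >             $member_exp=explode('=',$member);
    >             $member_exp=explode(',',$member_exp[1]);
    >             if($member_exp[0]!=''){$members[]=$member_exp[0];}
    >         }
    >     }
    >     ldap_close($ldap);
    >     return $members;
    > }
    >
    > $members=getMembers('BalanceOnOrder');
    > echo '<pre>';print_r($members);
    >
    > ?>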
    Corrected code: removed single quotes around $ldap_server variable in
    ldap_connect() line.
    jmoseby

  • Using Stored Procedure w/Parameter and adding another parameter via CR

    I have a situation where I am using a SQL Stored Procedure that contains one Date Parameter. 
    I am pulling that Stored Procedure fwd into a Crystal Report, but as soon as I add another Parameter via Crystal Reports (in addition to the Parameter that was pulled fwd from the Stored Procedure) Two parameters prompts now appear for the Stored Procedure Parameter.
    I need to have the Crystal Report display the Stored Procedure Parameter only once.

    I have a Parameter within the SP that is for a Date entry.  So I pass the SP Parameter through the Command to CR.
    Then I have added some other Parameters that I have the users populating but they are only used in formulas and I don't have those in the Select Records.
    Then I add another Parameter that would be for Supplier Selection.  As soon as I add this 4th Parameter for the Supplier Select within the Select Record, is when I then encounter the duplicate display of the SP Parameter.
    The first prompt is a Date field but for some reason is displaying in the Right hand corner SUPNAME (which is my Supplier Name field)  Then the next set of Parameters display is properly showing in the right hand corner all of my actually Parameters.
    Why would the first occurrence be associated with the Supplier Name? 
    I have tried adding a Supplier parameter to the SP itself, but then I am limited to a single entry, it will not allow me to set it to Multiple Values. 
    Any additional suggestions or information would be greatly appreciated.

  • Family sharing set up and adding family members

    I am setting up family sharing and I have everything ready to go. I am not able to find any family members to add once I get to that step in setting it up. How do I invite or add my husband if I can't find them when I start to add them? I have read all of the articles for setting up family sharing and have not yet found the answer I am looking for. Please help!!!

    I'm not sure what the problem would be.  Try contacting iTunes Store support for assistance by going to https://expresslane.apple.com, then click See All Products & Services>iTunes>iTunes Store>Purchases, Billing & Redemption>The topic is not listed.  The call should be free of charge.

  • Grant access to help desk users to add members to distribution and security groups

    Hello,
    I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users.  We want it to bypass owner approval and essentially allow this group to add or remove members
    in the FIM Portal and flow it down to ADS.
    This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins.  We have added the help desk team to the Security Group Users and Group Users set as
    well as MPR "Security group management: Users can read selected attributes of group resources".
    The help desk users can update users in the Portal with no issue.  They can search groups with no issue but when they try to add members to a group they get the error "Access Denied".
    Any help is greatly appreciated.
    Thanks!

    I'm having a very similar problem - I have users with delegated right to modify group membership only. User can add someone to group and it works fine, but when the same user is trying to remove a user from a group (even if this is the same user
    which was added a minute ago) he gets Access Denied:
    "The request included members which the requestor is not authorized to add and/or remove from this group."
    It is caused by default MPR:
    Group management workflow: Validate requestor on remove member
    Question is how this activity validates this request - any insight?

  • Would Like to Get Report of Daily Emails In and Out from Members to a DL Exchange version : 2007 I am the supervisor for the group and want to quantify this information. I do not need to see the content, just quantity is it possible ?

    Would Like to Get Report of Daily Emails In and Out from Members to a DL
    Exchange version : 2007
    I am the supervisor for the group and want to quantify this information. I do not need to see the content, just quantity
    is it possible ?

    Well, distribution groups don't really have a concept of "in" or "out". They only serve to distribute messages sent to them -- unless you're asking to know who was a member of the distribution group at the time a message was sent to the DL.
    Message tracking logs hold the information you want, though. You'd have to look for EXPAND events that reference the distribution group and take the sender's e-mail address from that event. If the DL is a simple one that's not a member of any other groups
    you could also look for RECEIVE events sent to the e-mail address of the group and get the sender's name from that event.
    You can use PowerShell to extract the rows of data from the logs, but you'll have to write the code to get the data out of those rows and into a format you want. Perhaps LogParser could be useful in place of PowerShell?
    --- Rich Matheisen MCSE&I, Exchange MVP

  • How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group

    How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group
    This would be an SMS group similar to an email listserv but running on the SMS network
    I have seen private individuals offering this service
    It seems strange to me that no internet site like Apple, Yahoo or Google offers this as a free service much as the email group services are free services.
    Steve

    I think the app GroupMe might do what you want. You might also try contacting your carrier. My carrier offered some fancy group texting service for a while but they never really advertised it so, unless you asked, you never would have known. But, GroupMe is available in the app store. There are lots of other apps that also do group texting but it seems to be the one that gets recommended the most.

  • I made a imovie out of a group of photos and added music. When I burned to DVD on iDVD and played back the disc all of the photos were larger than the frame could accommodate and the sides were cut off. I also tried resizing from 16 9 to 4 3 and no better

    I made an iMovie out of a group of photos and added music. When I burned to iDVD the pictures came out too wide to fit into the frame. I tried again by changing the size from 16 9 to 4 3 and it didn't make any difference. Would going to share to browser rather than directly to share to iDVD make a difference?

    What do the photos look like if you play the movie within iMovie?  Sounds like adjusting Ken Burns would help.

  • Getting All Local Groups, Group Members and Local accounts on all Servers

    Hello Everyone,
    Sorry if this has been covered already, but I didn't see anything that quite answered my question.
    I've been given the task of generating an Access Control List here at work and I've managed to piece together a few scripts that gets me so close it's frustrating.
    The script I have now will parse through a text file with all my Windows servers listed in it and it does output in the console the server name, all of the groups on the server (Administrators, Remote Users, Backup Operators, etc.) and all the individual
    members of those groups and nested groups.
    However, I can't seem to get it to export to a CSV for easy digestion.  I've tried to pipe the export-csv command, but the csv it gives me doesn't have any useful information in it.
    Here is the script:
    $list =@()
    $Servers=Get-Content ListOfComputers.txt
    foreach($server in $Servers) {
        $server | % {
            $server = $_
            $server
            $computer = [ADSI]"WinNT://$server,computer"
            $computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
                # $group is only assigned on the next line, so this prints the previous group's name
                "`tGroup: " + $Group.Name
                $group =[ADSI]$_.psbase.Path
                $group.psbase.Invoke("Members") | foreach {
                    $us = $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)
                    $us = $us -replace "WinNT://",""
                    $class = $_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)
                    $list += new-object psobject -property @{Group = $group.Name;Member=$us;MemberClass=$class;Server=$server}
                    "`t`tMember: $us ($Class)"
                }
            }
        }
    }
    The format it pumps out to the console is good, other than it's somewhat upside down, the members are all listed above the group name such as below, where there's no members in the Administrators group, but User1, 2 and 3 are part of the Remote Desktop Group.
     This isn't horrible as I can cut and paste it out of the console and into a spreadsheet, but then i have to shift things up a row and doing that for the entire list is going to be way more work than I'd like.
    Server01
    Administrators
    User1
    User2
    User3
    Remote Desktop Users
    When I use export-csv on the script above I get a bunch of numbers rather than groups or members like this:
    Length
    13
    51
    40
    35
    63
    63
    35
    32
    Hopefully, there's someone out there who can help me tweak this script so that I can just dump it all to a csv and be done, with little to no massaging of the data afterward.
    Thanks in advance,
    Tyler

    Sure. After you've run the script, type this in the console:
    $list | Export-Csv .\groupInformation.csv -NoTypeInformation
    You'll then have a CSV file in the directory, open that with Excel and see if that gives you the information you're after.
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • TS3899 I have IPod Touch and always get gmail username and password is incorrect when I try to access gmail.  I tried deleting and adding new account, checked account via laptop which is good, checked network connections which is okay. Not sure what to do

    I have an iPod touch and cannot access gmail.  I always get username or password for gmail is incorrect.  I am able to access gmail via my Windows laptop just fine.  I tried deleting and adding a new account, verified that my network connections are working, rebooted my iPod, and verified that imap is enabled on my laptop.  Not sure what else to do.  Please help!!!

    Try going to this link and see if the instructions there help.
    https://www.google.com/accounts/DisplayUnlockCaptcha
    B-rock

  • [Consideration] redo logs groups and it's members?

    hello Gurus,
    Well, the theory written in the book maybe different on the real situation, different company different configuration...
    How we determine how many redo logs groups it's should be? And how many members each groups better?
    What are the considerations?
    Regards,
    Nia..

    Hi,
    You can query v$log_history to check the log switch frequency.
    SELECT * FROM ( SELECT * FROM ( SELECT TO_CHAR(FIRST_TIME, 'DD/MM') AS "DAY"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '00', 1, 0)), '99') "00:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '01', 1, 0)), '99') "01:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '02', 1, 0)), '99') "02:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '03', 1, 0)), '99') "03:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '04', 1, 0)), '99') "04:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '05', 1, 0)), '99') "05:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '06', 1, 0)), '99') "06:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '07', 1, 0)), '99') "07:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '08', 1, 0)), '99') "08:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '09', 1, 0)), '99') "09:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '10', 1, 0)), '99') "10:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '11', 1, 0)), '99') "11:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '12', 1, 0)), '99') "12:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '13', 1, 0)), '99') "13:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '14', 1, 0)), '99') "14:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '15', 1, 0)), '99') "15:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '16', 1, 0)), '99') "16:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '17', 1, 0)), '99') "17:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '18', 1, 0)), '99') "18:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '19', 1, 0)), '99') "19:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '20', 1, 0)), '99') "20:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '21', 1, 0)), '99') "21:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '22', 1, 0)), '99') "22:00"
    , TO_NUMBER(SUM(DECODE(TO_CHAR(FIRST_TIME, 'HH24'), '23', 1, 0)), '99') "23:00"
    FROM V$LOG_HISTORY
    WHERE extract(year FROM FIRST_TIME) = extract(year FROM sysdate)
    GROUP BY TO_CHAR(FIRST_TIME, 'DD/MM')
    ) ORDER BY TO_DATE(extract(year FROM sysdate) || DAY, 'YYYY DD/MM') DESC
    ) WHERE ROWNUM < 8
    regards
    jaffy
    Edited by: Jaffy on May 14, 2010 12:33 PM

  • Just got my first iPhone, an iPhone5. I added the contacts via my Mac, but the phone on its own added my 5000 Facebook friends as contacts and won't let me delete them. How can I delete them? Thanks.

    I just got my first cell phone, an iPhone5.  I added my contacts via my Mac.  But the phone on its own imported the contact info of all 5000 of my Facebook "friends."  When I go to one of them, hit edit, and try to delete them, the phone tells me that I cannot delete a Facebook friend.  This is a nightmare.  Please, I beg you, tell me how I can get these Facebook friends off of my contacts list.  Thank you!

    Settings>Facebook>Contacts>Off.

  • Using ios 7.0.4 can a group email be sent either from icloud or iPhone by a means other than selecting the individual Contact, ie; can the group be selected and then an email composed that will send the message to all group members.

    Using ios 7.0.4 can a group email be sent either from icloud or iPhone by a means other than selecting the individual Contact, ie; can the group be selected and then an email composed that will send the message to all group members.

    Hi Richard, 
    Thanks for the reply - I think I've sorted it though and there isn't actually an issue.
    The whole group wasn't receiving the NDR, only the group manager which I setup a few weeks prior. This is a new feature so it complies with certain RFC's, basically the group manager will receive the NDR to let them know there is a problem.
    Something to do with mass mailing and unsolicited mail.
    Ta
    Ian

  • I have shared my icalendars with family members via icloud and now my calendar on my computer has been stuck saying "Moving calendars to server account" for literally 5 days.  What do I do?

    I have shared my icalendars with family members via icloud and now my calendar on my computer has been stuck saying "Moving calendars to server account" for literally 5 days.  What do I do?

    Hi, Confused As Always CB. 
    Thank you for visiting Apple Support Communities.
    Hopefully I can help resolve this issue for you.  Try removing the preference to sync calendar events in iCloud preferences.  Once this is done, enable the preference again and see if this resolves the issue.
    Turn iCloud Calendars off and back on:
    Quit Calendar (or iCal).
    Choose Apple () menu > System Preferences, then select iCloud.
    Deselect the checkbox next to Calendars.
    Close System Preferences and wait about a minute.
    Open System Preferences and select iCloud.
    Replace the checkmark next to Calendars.
    Close System Preferences.
    Open Calendar (or iCal) and test to see if the issue is resolved.
    Restart your computer. This may sound simple, but it reinitializes your network and application settings and can frequently resolve issues.
    If the issue persists, try all remaining steps in the article below.
    iCloud: Troubleshooting iCloud Calendar
    http://support.apple.com/kb/TS3999
    Regards,
    Jason H.
