AD group caching

I have a new install of ACS 5.2 added to our 2003 AD.  I am using PEAP for wireless auth, and have ACS set to verify the user is a member of the wireless users security group in AD.  If the user has never been a member of this group, wireless auth fails as it should.  However, if I add a user to the sec group and ACS finds them and authenticates the wireless, it will always authenticate that user even after being removed from the group.   I see that bug
CSCtd16392 addresses a similar issue with 5.1, but I cannot find any mention of 5.2.  Also, the bug shows the AD credentials are only cached for 30 min.  I can live with 30 min, but I removed myself from the wireless group Friday afternoon, and I am still able to authenticate wireless on Monday.  I verified that I do not have any other devices authenticating with my username, keeping the cache fresh.

Good question. A TAC case may help :-)

Similar Messages

  • RDBMS and Group Cache

    We have noticed that when the group cache is reloaded, the
    RDBMSDelegate.getGroup(String) method is called for each user that is
    either logging into the system or doing some sort of role authentication
    against the group cache.
    This method in turn calls RDBMSDelegate.getGroupInternal(String, ResultSet),
    which then parses the result set of the members of the group. So, if 5
    members of the Employee group are logged into the server, the getGroup()
    method is called 5 times concurrently. These concurrent method calls seem to
    correspond with severe performance degradation since the method parses a
    resultset of 3000 records each time it's called.
    We are using the example RDBMS security code and running WL6.0 sp1 on Win2K.
    Is there any modified rdbms code out there that would improve the
    performance of the group cache reload, or lock calls to the getGroups so
    that the first call is the only one that parses the recordset and concurrent
    calls would be directed to the cache?
    Thanks,
    Pete

    The philosophy behind the plan is when the group is first required you
    just get any empty group object (sort of a wrapper class for a
    Hashtable), then you call the database to find out if a user is in the
    group only when you have to (this will lead to a lot more database
    calls, but only retrieve the required lines, and then only one at a
    time, as opposed to making one call which retrieves absolutely all of
    the information.)
    so RDBMSRealm.getGroup looks like this
    public Group getGroup(String name){
        RDBMSDelegate delegate = getDelegate();
        try{
            // only ask the database whether the group exists; members are loaded lazily
            if (delegate.checkForGroup(name)){
                return new RDBMSGroup(name,this,new Hashtable());
            }else{
                return null;
            }
        }catch (SQLException e){
            delegate.close();
            delegate = null;
            throw new RDBMSException("caught SQL exception", e);
        }finally{
            returnDelegate(delegate);
        }
    }
    Where RDBMSDelegate.checkForGroup just calls the database to see if
    there is a group of the name given
    And RDBMSGroup.isMember() looks like this
    public boolean isMember(Principal member){
        if (this.getName().equals("everyone")){
            //everyone is in the 'everyone' group
            return true;
        }else{
            try{
                User user = (User)member;
                //check if the member is in the Hashtable of known members
                if (members.containsValue(user)){//user is a known member
                    return true;
                }else{//check the database
                    if (realm.isMember(this,user)){//database says user is in this group
                        //add member to known users list (use member's getName() rather
                        //than User's to avoid deprecated API)
                        this.members.put(member.getName(),user);
                        return true;
                    }else{
                        return false;
                    }
                }
            }catch(ClassCastException e){//not castable to class User
                return false;
            }
        }
    }
    Which is enough for the general operation of security.
    If you wish to be able to view all members in the group you will need
    something that resembles the original functionality
    Hope this helps. terry
    Hi,
    What do you mean by "populate the group lazily with the
    isMember() method" ? isMember()
    takes a Principal as its argument - where do you get that Principal??
    A code example would be highly appreciated!!!
    regards,
    Simen R.
    THorner wrote:
    The RDBMSRealm provided (certainly with WLS5.1, but I think also 6.*)
    really isn't meant to be used for production - it is just an example.
    The matter of getGroup() is the major performance hit, and I advise you
    to treat it differently - an architecture that works for us is to make
    getGroup just return the RDBMSGroup object, without calling the
    database, and to populate the group lazily with the isMember() method.
    so isMember looks like
    if (hasAlreadyBeenCheckedForAndIsAMember){
        return true;
    }else if (wasntAlreadyCheckedForbutIsInTheDatabase){
        addToListOfCheckedForMembers;
        return true;
    }else{
        return false;
    }
    terry
    -----Original Message-----
    From: Jason Collins
    Posted At: Fri 17 August 2001 20:33
    Posted To: weblogic.developer.interest.security
    Conversation: RDBMS and Group Cache
    Subject: Re: RDBMS and Group Cache
    Was any solution to this found? We would like to avoid
    writing the changes
    to RDBMSRealm, but the current performance is pretty bad.
    Thanks,
    j
    "Pete Arvanitis" wrote in message:
    We have noticed that when the group cache is reloaded, the
    RDBMSDelegate.getGroup(String) method is called for each user that is
    either logging into the system or doing some sort of role authentication
    against the group cache.
    This method in turn calls RDBMSDelegate.getGroupInternal(String,ResultSet),
    which then parses the result set of the members of the group. So, if 5
    members of the Employee group are logged into the server, the getGroup()
    method is called 5 times concurrently. These concurrent method calls seem to
    correspond with severe performance degradation since the method parses a
    resultset of 3000 records each time it's called.
    We are using the example RDBMS security code and running WL6.0 sp1 on
    Win2K.
    Is there any modified rdbms code out there that would improve the
    performance of the group cache reload, or lock calls to the getGroups so
    that the first call is the only one that parses the recordset and concurrent
    calls would be directed to the cache?
    Thanks,
    Pete
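
An added example, not code from the thread or from WebLogic: the lazily filled Hashtable in the reply above has no expiry in the posted code, so a user removed from a group in the database stays a member in memory, the same symptom the first post on this page reports for ACS. The class below (current Java, 16 or later) bounds every cached answer with a TTL, keeps negative answers for a shorter time, and flushes a user on demand; `TtlMembershipCache`, `MembershipSource`, the TTL values and the sample data are assumptions made for the illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.LongSupplier;

/** Group-membership cache whose answers expire and can be revoked on demand. */
public class TtlMembershipCache {

    /** Hypothetical stand-in for realm.isMember(group, user) or an LDAP/AD query. */
    public interface MembershipSource {
        boolean isMember(String group, String user);
    }

    /** One cached answer and the clock value (seconds) from which it is stale. */
    private record Entry(boolean member, long expiresAt) {}

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final MembershipSource source;
    private final LongSupplier clockSeconds;
    private final long positiveTtl;   // how long an "is a member" answer is trusted
    private final long negativeTtl;   // how long a "not a member" answer is trusted

    public TtlMembershipCache(MembershipSource source, LongSupplier clockSeconds,
                              long positiveTtl, long negativeTtl) {
        this.source = source;
        this.clockSeconds = clockSeconds;
        this.positiveTtl = positiveTtl;
        this.negativeTtl = negativeTtl;
    }

    public boolean isMember(String group, String user) {
        // NUL separator: ("ab","c") and ("a","bc") must not share a key.
        String key = group + '\0' + user;
        try {
            // compute() is atomic per key, so concurrent lookups of the same
            // (group, user) wait for one backend call instead of each making one.
            return entries.compute(key, (k, old) -> {
                long now = clockSeconds.getAsLong();
                if (old != null && now < old.expiresAt()) {
                    return old;                         // fresh: answer from cache
                }
                boolean member = source.isMember(group, user);
                return new Entry(member, now + (member ? positiveTtl : negativeTtl));
            }).member();
        } catch (RuntimeException e) {
            // Fail closed: if the directory cannot be asked, an expired "allow"
            // is not served. This is a design choice of the example.
            return false;
        }
    }

    /** Call when a user's memberships change (group removal, account disable). */
    public void invalidateUser(String user) {
        String suffix = '\0' + user;
        entries.keySet().removeIf(k -> k.endsWith(suffix));
    }

    private static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed sample data: a fake directory, a fake clock, a call counter.
        Set<String> wirelessUsers = ConcurrentHashMap.newKeySet();
        wirelessUsers.add("alice");
        AtomicLong now = new AtomicLong(0);
        AtomicInteger lookups = new AtomicInteger();
        TtlMembershipCache cache = new TtlMembershipCache(
            (group, user) -> {
                lookups.incrementAndGet();
                return group.equals("wireless-users") && wirelessUsers.contains(user);
            },
            now::get, 300, 60);

        check(cache.isMember("wireless-users", "alice"), "member at t=0");
        wirelessUsers.remove("alice");                  // removed in the directory
        now.set(299);
        check(cache.isMember("wireless-users", "alice"), "stale allow inside the TTL");
        check(lookups.get() == 1, "no second lookup before expiry");
        now.set(300);
        check(!cache.isMember("wireless-users", "alice"), "denied once the TTL passes");

        wirelessUsers.add("alice");                     // re-added in the directory
        check(!cache.isMember("wireless-users", "alice"), "negative answer still cached");
        cache.invalidateUser("alice");                  // explicit flush on change
        check(cache.isMember("wireless-users", "alice"), "allowed right after flush");
        check(lookups.get() == 3, "three directory lookups in total");

        TtlMembershipCache unreachable = new TtlMembershipCache(
            (group, user) -> { throw new IllegalStateException("directory down"); },
            now::get, 300, 60);
        check(!unreachable.isMember("wireless-users", "alice"), "fail closed");
        System.out.println("all checks passed, directory lookups: " + lookups.get());
    }
}
```

The positive TTL is the upper bound on how long a removed user keeps access when nothing calls `invalidateUser`, so it should be set to the revocation delay the site can accept.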

  • 6.1 SP2 Caching realm not caching group members

    Hello:
    We have caching realm set over LDAP security realm.
    We see caching realm never caching group members.
    Any help is appreciated.
    Thanks
    Gennadiy
    Here is the sequence we see:
    1) Search for user name - OK
    2) Search for group name - OK
    3) - ALWAYS going to LDAP to get group members even though they should be cached
    at this point.
    The question is - why does it go to LDAP at all?
    I am doing the same call 1-2 seconds apart. The group members should be cached.
    It looks like caching realm does not actually cache the members within a group.
    The realm is configured to cache group membership:
    Enable Group Cache true
    Group Cache Size: 211
    Group Cache TTLPositive: 600
    Group Cache TTLNegative: 600
    Group Membership Cache TTL: 300
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getUser("AppLayerRunAs")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <user: pos HIT AppLayerRunAs>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getAcl("weblogic.jndi.CCSAcctEntityBean",
    '.')>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getAcl("weblogic.jndi.CCSAcctEntityBean")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <acl: neg HIT weblogic.jndi.CCSAcctEntityBean>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getAcl("weblogic.jndi")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <acl: neg HIT weblogic.jndi>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getAcl("weblogic")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <acl: neg HIT weblogic>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getUser("AppLayerRunAs")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <user: pos HIT AppLayerRunAs>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getUser("AcctEntityUsers")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <user: neg HIT AcctEntityUsers>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getGroup("AcctEntityUsers")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <group: pos HIT AcctEntityUsers>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <LDAPRealm> <search("ou=ldap, ou=dev_serv,
    ou=hick, o=ccs", "(&(member=cn=AppLayerRunAs,ou=LDAP
    ICK,o=CCS)(objectclass=groupofuniquenames))", base DN & below)>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <getUser("AppLayerRunAs")>
    <Jul 17, 2002 8:53:49 AM EDT> <Debug> <CachingRealm> <user: pos HIT AppLayerRunAs>

    This has been fixed in SP3.
    -utpal

  • Group Membership Cache TTL

    Hi,
    I'm using WebLogic 6.10 sp1 with an extended AbstractListableRealm (using an LDAP server). I'm also using a CachingRealm with GroupCaching = enabled. Actually, I have about 95 users and 4 groups. My problem: if I set "Group Membership Cache TTL" to 300 (default) the cache is going to be re-filled after 5-7 minutes even if I set "Group Cache TTLPositive" (and TTLNegative) to 900 sec. (= 15 minutes). If I set "Group Membership Cache TTL" to 800 or 900, the cache works fine. Anybody any ideas why 300 Members/Group isn't enough for 95 Users?

    This has been fixed in SP3.
    -utpal

  • No value mapping in Integration Directory, but they are in the cache

    Hi,
    I recently got acquainted with the fabulous world of value mappings in PI. Until now, FixValues did the trick for me, but now I have to modify the errors in someone else's work.
    I read this article:
    https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00ee347e-aabb-2a10-b298-d15a1ebf43c5&overridelayout=true
    and a bunch of other help.sap.com stuff and I still don't get a very specific thing in our system. When I check the cache from the runtime workbench, the values, agencies and what have you are all ok. However, when I go to Integration Directory, disregarding the fact that I don't have any values on the search helps for Agency and Scheme, which is quite weird, when I put the correct Agencies and Schemes, I don't get any value displayed, just blanks.
    Why does this happen? Is it something wrong in the PI configuration or something that I don't see any value mapping there, although they are in the cache?
    Thanks in advance and best regards,
    George

    Hi ,
    1. Create Value Mapping directly in ID (this cannot be seen in RWB, it can be only seen in ID)  
        *Just a correction: we can see the value mappings created in Integration Directory in RWB in cache monitoring.*
    Just follow these steps to refresh your cache. You will no longer be able to see deleted Val mappings and newly created entries will also be shown immediately.
    1) Go to integration builder -- > Administration  --> click on Runtime tab --> cache overview
    You will find 2 things over there :
    Value Mapping Group Cache
    Value Mapping Value Cache
    Refresh both of them. I hope it will work as it always works for me :).
    Thanks
    Inder

  • DIP fails loading dynamic groups into OID

    Hello,
    we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that were loaded earlier as follows:
    personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
    orcltimezone=Asia/Yekaterinburg
    displayname=NOT ASCII
    employeetype=NOT ASCII
    givenname=NOT ASCII
    postalcode=628484
    orcldateofbirth=19610404000000
    orclgender=F
    departmentnumber=342
    uid=18630
    mail=HRNULL
    cn=NOT ASCII
    initials=NOT ASCII
    street=NOT ASCII
    employeenumber=4824
    middlename=NOT ASCII
    l=NOT ASCII
    orclhiredate=20051107000000
    sn=NOT ASCII
    personid=18630
    c=Russia
    title=NOT ASCII
    objectclass=inetorgperson
    objectclass=person
    objectclass=organizationalperson
    objectclass=orcluserv2
    objectclass=kapitalperson
    objectclass=country
    objectclass=residentialperson
    objectclass=locality
    objectclass=top
    Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
    Now trying to load list of departments as dynamic groups with the following config
    files:
    *** DevHRAgentGroups.cfg ***
    [SELECT]
    SELECT psv.version_number
    , pos.name hierarchyname
    , hou.organization_id depno
    , poe.organization_id_parent parent_id
    , REPLACE(hou2.name, '"') parentname
    , poe.organization_id_child child_id
    , REPLACE(hou.name, '"') orgname
    , 'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber='||hou.organization_id||')' ldapuri
    , hrl.meaning org_type
    FROM per_organization_structures pos
    , per_org_structure_versions psv
    , per_org_structure_elements poe
    , hr_all_organization_units hou
    , hr_all_organization_units hou2
    , hr_lookups hrl
    WHERE pos.business_group_id = psv.business_group_id
    AND pos.organization_structure_id = psv.organization_structure_id
    AND pos.primary_structure_flag = 'Y'
    AND psv.date_to IS NULL
    AND poe.org_structure_version_id = psv.org_structure_version_id
    AND poe.business_group_id = hou.business_group_id
    AND poe.organization_id_child = hou.organization_id
    AND poe.business_group_id = hou2.business_group_id
    AND poe.organization_id_parent = hou2.organization_id
    AND hrl.lookup_code = hou.type
    AND hrl.enabled_flag = 'Y'
    AND hrl.lookup_type = 'ORG_TYPE'
    AND hrl.lookup_code NOT IN (30,40)
    AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
    AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
    *** DevHRAgentGroups.map ***
    DomainRules
    NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
    AttributeRules
    orgname:1: : :cn: :groupOfUniqueNames
    depno:1: : :departmentID: :kapitalDepartment
    ldapuri: : : :labeledURI: :orclDynamicGroup
    We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
    Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
    Changetype is 5
    Processing modifyRadd Operation ..
    Entry Not Found. Converting to an ADD op..
    Processing Insert Operation ..
    Performing createEntry..
    Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan'
    [LDAP: error code 1 - Dynamic group cache update failed.]
    javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
    at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
    at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
    at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
    at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
    at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
    at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
    at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
    DIP_LDAPWRITER_ERROR_CREATE
    Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
    DIP_LDAPWRITER_ERROR_CREATE
    Please note: loading is successful if we comment out the mapping line for the labeledURI attribute (that's loading static groups).
    Loading is also successful when labeledURI is mapped to
    'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objectclass=person)' but this definitely is not what we are going to get.
    I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
    ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
    Any help is appreciated
    Thanks,
    Edward

    Hi Frank,
    there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
    ldap_search: DSA is unwilling to perform
    ldap_search: additional info: Function Not Implemented
    I think this is probably the cause of failing creation of dynamic groups.
    Searching on other user attributes (cn, uid, employeenumber) works fine.
    Still don't understand what's wrong with this particular attribute.

  • Performance problem...is there a way to cache query results?

    Greetings team,
    I've been deploying DS5.2 for a while now, and am on the cusp of pushing it into our production environment, however I've been noticing lately that some hosts are taking an exorbitantly long time to log in (actually, a user noted it, and I'm now investigating).
    Logins to hosts in this environment can take anywhere from 10-50 seconds. One thing that I've noticed is that any time you run a command that requires any amount of awareness of uid->username translation (i.e. if you ls -l /opt/home), queries are made to the configured directory server for this information. Is this normal? Since uid's and usernames don't often change (in most environments, anyway), is there a way this could be cached?
    I see also in my access log for my primary server (configured as a hub, btw) that there is near constant traffic to that host for LDAP info. I'm not sure why it's so chatty, but it does appear to be slowing things down a bit. The load on my LDAP host (a SunFire V210 w/ 1GHz processor, 1024MB RAM) seems to float between 1 and 12, with sar reporting an average idle time of about 44%.
    Any ideas? I'm really at a loss to explain why there's so much traffic to this host when much of it seems to come from hosts with nobody logged into them.
    Patrick

    It is great that you have found the root cause of
    your issue.
    nscd is by default started at boottime by a usual OS
    install. There is a /etc/nscd.conf but I doubt that
    anyone will change anything there as the default
    settings are good for most cases.
    I think LDAP search performance is affected by the
    existence of Search Indexes also.
    I have observed that if the user home directory is
    NFS mounted especially over a WAN, be it via
    /etc/fstab or automount maps, the login process will
    be very slow, it will take a while to obtain a
    command prompt at the home directory level.
    Gary

    Gary et al,
    In my environment nscd has been explicitly disabled for some historical reasons, none of which are still a problem. So, I'm going to enable it for only passwd and group caching, with the default values for those caches.
    I'm in the process of working out my performance tuning plan for my LDAP servers, but I'm definitely going to have an eye on indices and caches. Those will probably have the least impact on search times and such for the moment since my directory is so tiny (261 entries!), but preventing that traffic from hitting the server at all will be a huge savings.
    I can definitely see why WAN mounted homedirs would cause things to lag. That's not the case here since NFS is a big no-no.
    Patrick

  • Oracle TimesTen In-Memory Database VS Oracle In-Memory Database Cache

    Hi,
    What is difference in Oracle TimesTen In-Memory Database VS Oracle In-Memory Database Cache.
    For 32 bit on Windows OS I am not able to insert data of more than 500k rows with 150 columns (with combinations of CHAR, BINARY_DOUBLE, BINARY_FLOAT, TT_BIGINT, REAL, DECIMAL, NUMERIC etc).
    [TimesTen][TimesTen 11.2.2.2.0 ODBC Driver][TimesTen]TT0802: Database permanent space exhausted -- file "blk.c", lineno 3450, procedure "sbBlkAlloc"
    I have set Perm size as 700 mb,Temp size as 100mb
    What is the max size we can give for PermSize, TempSize, LogBufMB for 32 bit on Windows OS?
    What is the max size we can give for PermSize, TempSize, LogBufMB for 64 bit on Windows OS?
    What is the max configuration of TT for 32 bit that I can set for Perm size and Temp size?
    Thanks!

    They are the same product but they are licensed differently and the license limits what functionality you can use.
    TimesTen In-Memory Database is a product in its own right that allows you to use TimesTen as a standalone database and also allows replication.
    IMDB Cache is an Oracle DB Enterprise Edition option (i.e. it can only be licensed as an option to an Oracle DB EE license). This includes all the functionality of TimesTen In-Memory Database but adds in cache functionality (cache groups, cache grid etc.).
    32-bit O/S are in general a poor platform to try and create an in-memory database of any significant size (32-bit O/S are very limited in memory addressing capability) and 32-bit Windows is the worst example. The hard coded limit for total datastore size on 32-bit O/S is 2 GB but in reality you probably can't achieve that. On Windows the largest you can get is 1.1 GB and most often less than that. If you need something more than about 0.5 Gb on Windows then you really need to use 64-bit Windows and 64-bit TimesTen. There is no hard coded upper limit to database size on 64-bit TimesTen; the limit is the amount of free physical memory (not virtual memory) in the machine. I have easily created a 12 GB database on a Win64 machine with 16 GB RAM. On 64-bit Unix machines we have live database of over 1 TB...
    Chris

  • Flush the Access Server cache automatically

    Hello,
    I'm trying to follow Oracle® Access Manager Deployment Guide 10g (10.1.4.3) and note ID 403899.1 to allow the user/group cache to update when we call the userservcenter and groupservcenter functions in OAM. I've seen other threads about this, but could derive an answer to my question.
    The instructions say:
    4. Add a dummy AccessGate using the configureAccessGate command line tool, as follows:
    configureAccessGate -i COREid_install_dir/identity/ AccessServerSDK -t AccessGate
    Question: Am I really adding an accessGate here, or am I configuring the one I already have (which is really being used as a WebGate I guess since it's protecting web resources)?
    Thanks!

    I went ahead and used the current AccessGate/WebGate with the configureAccessGate command line tool and that seemed to work, but I'm still not getting the result that I'd like.
    1. I can access a page protected by OAM because I'm in a LDAP group.
    2. I use IdentityXML call to unsubscribe me from the group.
    3. I refresh the page, and can still access the page.
    Is it possible get this to flush the cache when the IdentityXML function is called?
    I changed the doAccessServerFlush to true, used the configureAccessGate to configure the AccessGate/WebGate, changed the Access Management Service on the AccessGate and Access Server to On, and bounced everything.
    Thanks!

  • Search for a Criteria in cache

    My task is to maintain an aggregation of many endpoint-contributions in cache, but the challenge is to subtract the value for devices that stop communication.
    There are 2 classes in the model:
    class Group
    {
        string Key { get; set; }
        long Total { get; set; }
    }
    class Machine
    {
        string Key { get; set; }
        int Contribution { get; set; }
    }
    We have a Simple Web.Api, where the endpoints post a "contribution".
    The controller invokes to the group cache "Increment" and also saves in cache the machine last contribution with a TimeToLive = 30 seconds
    The goal was to register a notification for RemoveItem and when the object duration expires, subtract the value to the Group totalizer.
    But there are 2 problems:
    The notifications only invoke the callback every 5 minutes (can't go faster no matter what I use for TTL or the pollInterval on the cache client)
    The callback returns the "keys" not the objects, therefore I know what object was removed but I don't know the contribution.
    Q1) MSFT experts, could you assert if registering a callback can trigger as fast as 30 seconds?
    Q2) Can Anyone suggest how to bring from cache "only the expired" records? In other words can I write a filter to query cache based on a particular attribute:
    Next a hypothetical example where I am using a TSQL query, but it can be LINQ, or anything to filter
    var machines = _cache.Get<Machine>("Select * where DateDiff(LastUpdate, Now) > 30_SEC");

    Hello,
    Thanks for posting!
    Based on my experience, you could set the "pollInterval" or "ttlvalue" value in your cache node. By default, polling interval is every 300 seconds. So you may need to wait 5 minutes. I recommend you could refer to this page (http://msdn.microsoft.com/en-us/library/windowsazure/dn386128.aspx) about Notification part. And you could refer to how to configure its value, please see this page (http://msdn.microsoft.com/en-us/library/windowsazure/hh916611.aspx).
    Please try it.
    Regards,
    Will

  • Public Folder permissions to groups not working

    Hello Together,
    I have some problems with permission of Exchange 2010 (SP2) public folders. Although I can't find a TechNet article which describes the procedure to add a group to a public Folder client permission list, it should be possible because the
    Add-PublicFolderClientPermission cmd-let will accept Users and groups as parameter for -user.
    But if I give permissions to groups the members of the Groups can't access the public folders.
    What I exactly do is this:
    - Create a Distribution Group for example TEST (Universal Distribution Group)
    - Add User "Testuser" to this Group
    - Add public folder Clientpermissions to the Group "Test" which automatically changes the group type to Universal Security Group (there is no difference if I do this with the GUI or management shell)
    Result: No Access for User "Testuser"
    If I add the User directly to the Public folder he can access the folder.
    I can reproduce this problem in my test and my production environment.
    Any ideas?
    Best regards
    Hans Moggert
    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

    Hi Martina,
    thank you for your very fast answer, but this was exactly what I had done ...
    But Today, if I tried to access the Public Folder again everything works as expected, so I tried to find out why I have to wait so long until the expected permissions work and now I think I have found the reason:
    - Exchange 2010 uses Universal Groups for Distribution and Security Groups
    - Universal Groups are the only group types which save the member list at the Global Catalog server
    - the default Global Catalog Caching interval is 1440 Minutes (24 hours)
    So if you change membership of universal Groups you have to wait 24 hours until Exchange recognizes this change!
    If you want to force this you can do one of the following steps:
    - reduce the "Cached Membership Refresh Interval (minutes)"
    http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx
    - Use the following VB-Script:
    set objRoot = GetObject("LDAP://rootDSE")
    objRoot.Put "UpdateCachedMemberships", 1
    objRoot.SetInfo
    msgbox "Universal Group Cache refreshed!"
    This forces the Group members to refresh immediately.
    I think I am not the only person who had this problem so I hope I can help others with this solution ...
    Best regards and thx
    Hans Moggert Technical Account Manager Geschäftsbereich Technologie & Service Allgeier IT Solutions GmbH

  • Problem with setting custom attribute and it being searchable

    I'm having an issue with setting a custom attribute and having it be searchable using Portal 10.1.4. The situation that we have is that we initially added a bunch of files to Oracle Portal using webdrive. Later on, we decided that we needed another custom attribute called "Pinned Item" that will be used for searching (boolean value) and gave it a default value of false. The attribute was then added to the "File" item type in the "Shared Objects" group.
    It appears that since this attribute wasn't initially available on the file object, we couldn't search on it so we decided to set it programmatically. First, I tried using wwsbr.set_attribute but it errored out seemingly because the value wasn't set in the first place. If I set a value first by using the web front end, I could then use the set_attribute procedure.
    So, I moved on to using wwsbr_api.modify_item and it appears to set it (although everything is being set to false until I changed it to "text" instead of "boolean" which is OK because that's what I wanted anyway... see metalink bug 390618.1). I'm using the method outlined in metalink doc 413079.1. When I do set it to a "1", and edit the item the check box is checked indicating that it is set correctly. And if I just click "OK" to save the attributes after I open it everything works like it should.
    However, the advanced search (and custom search portlet) and the search APIs are not picking it up. I'm not sure if I'm hitting Metalink bug ID 5592472 or not as that's using the "set_attribute" procedure instead of the modify_item procedure. And their "workaround" of setting the attribute in the UI isn't really feasible for a couple thousand files.
    So far I've tried the following things to get it working:
    1. I am calling wwpro_api_invalidation.execute_cache_invalidation
    2. I have executed wwv_context.sync
    3. I cleared the page group cache
    4. I invalidated all of the web cache
    Does anyone else have any other suggestions?

  • Unable to replicate oracle data into timesten

    I have created CACHE GROUP COMPANY_MASTER
    Cache group :-
    Cache Group TSLALGO.COMPANY_MASTER_TT:
      Cache Group Type: Read Only
      Autorefresh: Yes
      Autorefresh Mode: Incremental
      Autorefresh State: On
      Autorefresh Interval: 1 Minute
      Autorefresh Status: ok
      Aging: No aging defined
      Root Table: TSLALGO.COMPANY_MASTER
      Table Type: Read Only
    But whenever I start the timesten server, the following lock is seen in ttxactadmin <dsn_name>
    Program File Name: timestenorad
    30443   0x7fab902c02f0        7.22     Active      Database  0x01312d0001312d00   IX    0
                                                       Table     1733200              S     4221354128           TSLALGO.COMPANY_MASTER
                                                       Row       BMUFVUAAAAaAAAAFBy   S     4221354128           SYS.TABLES
                                                       Row       BMUFVUAAACkAAAALAF   Sn    4221354128           SYS.CACHE_GROUP
    Due to the following lock oracle data is not replicated in timesten.
    When we check sqlcmdid it shows following output
    Query Optimizer Plan:
    Query Text: CALL ttCacheLockCacheGp(4, '10752336#10751968#10751104#10749360#', 'S', '1111')
      STEP:             1
      LEVEL:            1
      OPERATION:        Procedure Call
      TABLENAME:
      TABLEOWNERNAME:
      INDEXNAME:
      INDEXEDPRED:
      NONINDEXEDPRED:
    Please suggest why timesten takes a lock on the following table.

    966234 wrote:
    Unable to download Oracle Data Integrator with version 11.1.1.6. Hope this could be resolved ASAP.
    What is the file you are trying to download? Is it for Windows or Linux or All Platforms?
    Thanks,
    Hussein

  • Queries related to Replication concepts

    Hi,
    I have following queries w.r.t. replications
    1) What is subscriber database and what's the purpose of this.
    2) What's the difference between the Standby database and Subscriber database.
    3) If I have a standby database then why do we need subscriber database
    4) Can I have more than one standby database.
    Regards,
    Harmeet Kaur

    The A/S pair concept goes as follows:
    - Two 'master' databases as a tightly coupled pair; at any moment one has the 'active' role and the other has the 'standby' role.
    - There can only ever be two master databases within the overall configuration
    - Updates are only allowed at the active, the standby is read only
    - Cache tables (if used) are present in both masters as actual cache groups
    - Cache autorefresh drives into the active master and is replicated to the standby, updates to AWT cache groups happen at the active and are replicated to the standby; the standby propagates them to Oracle
    - Role switch within the pair is easy and can be as a result of a failover or a managed switchover
    - The two masters must be on the same LAN or at least the same network with LAN characteristics and their system clocks must be aligned to within 250 ms
    - Replication between the masters can be asynchronous, return receipt (on request) or return twosafe (on request)
    - Subscribers are optional. You can have 0 to 128 of them.
    - Subscribers are always read only
    - Subscribers can reside on the same LAN as the masters or remotely (e.g. across a WAN)
    - Replication to the subscribers is always asynchronous
    - Cache tables (if used) are present on the subscribers as regular (non-cache) tables
    - While it is possible to convert a subscriber to a master this will mean that it is no longer part of this A/S pair setup. This is usually only done in a DR scenario where a remote master is being used to instantiate a new A/S pair at the disaster recovery site.
    I hope this clarifies the use of subscribers. They are primarily used for:
    1. Read scale out (reader farm)
    2. Simple DR
    3. Oracle/AWT DR (advanced use case)
    Chris

  • IDoc extension not passing to PI at runtime

    Hello Gurus,
    We have a DELVRY05 IDoc which was extended with a new segment.  This has been working very well and is in our production environment.  We are now in development with a new modification and have added two new fields to the extended segment.  We are able to import the IDoc and complete the mapping changes in PI using the new fields. However, when we test the changes, we do not see the new fields being populated in the Inbound Message Payload.
    I have searched through many of the existing forums which led me to perform cache updates.  Still we have the issue.
    We are using ECC and PI 7.0.
    The new fields are visible in WE02.
    The new fields do not show in the Inbound Message Payload in PI.
    We have updated the following:
    Java VM Cache Refresh:SLD Cache
    Java VM Cache Refresh:Value Mapping Guid Cache
    Java VM Cache Refresh:Value Mapping Group Cache
    Java VM Cache Refresh:Value Mapping Value Cache
    Java VM Cache Refresh:Cache for Softwarecomponents
    Java VM Cache Refresh:Adapter metadata
    Our Basis guy then did these:
    Xi Data Cache Refresh: http://<system>/CPACache/refresh?mode=partial
    Xi Data Cache Refresh: http://<system>/CPACache/refresh?mode=full
    Any assistance that can be provided will be greatly appreciated.
    Thomas

    Hi,
    Have you tried IDX2??
    Mark the idoc type for which you have added extension and delete it.
    The first time you send the idoc through it will be added to IDX2 again and have the new fields.

Maybe you are looking for