Add user in LDAP from IDM

Hi,
Creating a user from IDM on LDAP gives the following error: "com.waveset.util.WavesetException: An error occurred adding user 'cn=pippo,ou=ac_bu,dc=atlan,dc=it' to resource 'LDAP'. javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=pippo,ou=ac_bu,dc=atlan,dc=it violates the Directory Server schema configuration because it is missing attribute sn which is required by objectclass person] ". The 'sn' attribute, which is required, is not sent.
How do I send the attribute 'sn' and give 'sn' the value of 'lastname'?
Thanks for your time.

In the attribute mappings, map lastname (on the IDM side) to sn (on the LDAP side).

Similar Messages

  • Mail folders after moving user to LDAP from Local

    I originally setup our server with Local users, rather than LDAP.  Now, we need to move everyone over (for a variety of reasons).  I'm basically doing the following for each user:
    Export individual Mail/Contacts/Calendars
    Turn off Mail/Calendars/Contacts in Server app
    Delete Local User
    Create LDAP user with the same UserID in Workgroup Manager
    Check all services for the user under User Access in Server app
    Turn on Mail/Calendars/Contacts
    Import individual Mail/Contacts/Calendars back into the apps on the client machine
    This works up until I try to reimport emails.  I get the error that the "mailbox already exists".  This makes me think it's associating the userID with the old email folder on the Server.  The problem is I don't know how to either reassociate the user with their old emails, or to remove them.  Any help is appreciated, thanks!

    Here is what happened:
    Original User's Document files were NOT stored under the User Name as they should have been. The User Name doc file was almost empty. (Nov 2007 thru Aug 1 2008). The main Documents folder was located in the Macintosh HD folder (not in User folder).
    User Name Account got corrupt and new User Name had to be created. The Documents Folder was moved to this Account. (Aug 1, 2008)
    Time Machine was not backing up the iMac because the new user had to set up TM. On Aug 4, 2008, TM was turned on and began backing up the computer AGAIN (this process took several hours).
    My solution is:
    Delete the old back-up file (+600GB) and re-back-up iMac. Keychain from the old user will remain intact and there would only be ONE copy of Documents folder in the backup (along with the incremental backups).
    Would this work? Is there a way to remove back-ups prior to Aug4? How can I control TM so it doesn't consume my HD? I use this drive to store iTunes and iPhoto/Aperture libraries.
    Thanks

  • Add Digital cert and jpeg photo from IdM

    Hi, groovers
    I'd like to add 'digital Certificates' and 'JpegPhoto' to LDAP from IdM.
    How do I configure this in IdM 5.5, or are there any good ideas?
    I know the userCertificate attribute and the jpegPhoto attribute are not supported in IdM...
    micky

    I do not have an example which I can share with you, but this has been done by a number of people. In workflows and forms you can call all the Java you can think of.
    For userCertificate support:
    There have been a lot of requests for the support of userCertificate as an attribute in IDM (reading from a file, sync to LDAP etc.). This is a feature which is planned for version 6, not for 6.0 but for an SP that will go on top of 6.0.
    Nothing more to tell about this, since it is still in the planning phase.
    WilfredS

  • Cannot Add user to CMC Group when they are a member of LDAP group

    On PreProduction Server CMC
    Softerra LDAP browser used to verify user is a member of LDAP group
    User does not show as a member of that group in the CMC
    Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
    On Production Server CMC
    For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
    Why don't the groups in CMC show what is actually showing in the LDAP browser?

    Hi,
    Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
    Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
    If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
    Regards,
    Julian

  • HI I am facing problem to disable user in LDAP thru SIM

    Hi, I have configured an LDAP directory server in Sun IDM.
    After creating the user in IDM & LDAP I am trying to disable the user both in SIM as well as LDAP. In the IDM repository it shows that the user in LDAP got disabled, but actually in LDAP the user account is in active state.
    I am not understanding why this problem is coming. Earlier when I tried to disable the user in LDAP through IDM it was working fine, but it is not working now. It is very urgent for me. Can anyone tell the reason? Any advice will be helpful.

    There are two ways of disabling ANY account on ANY resource through a resource adapter.
    1) use the native method, if it exists.
    2) change the password to some value which matches the password policy AND completely forget this password.
    The first method is used for some adapters, Oracle for example.
    The second method is used more widely, for Solaris, Redhat Linux, LDAP... and many other resources.
    I believe that they made LDAPResourceAdapter using DisableUser this way so that it can be used for communicating with non-Sun directory servers as well.
    So, disabling a user from Identity Manager does not disable the user by setting any native flag on JES Directory Server, but by changing and forgetting the password AND marking that account as "disabled" in Identity Manager instead.
    The user cannot log on anymore, so the "disable" is OK, although you cannot see that the user is disabled using common LDAP tools.

  • How can i extended attribute of user and add attribute to ldap

    How can I extend the attributes of a user and add the attribute to LDAP?
    1.
    I used spe to modify the "Default User Library": add a Field like
    title:nation name:accounts[Lighthouse].nation
    2.
    Modified "IDM Schema Configuration":
    add <IDMAttributeConfiguration name='nation' description='default attribute from UserExtendedAttributes/UserUIConfig' syntax='STRING'/>
    in <IDMAttributeConfigurations>
    and
    add <IDMObjectClassAttributeConfiguration name='nation' queryable='true' summary='true'/> in <IDMObjectClassConfiguration>
    The extended attribute is there when I create a new user.
    3.
    I created a new resource to LDAP, and I added nation in the "Account Attributes" tab,
    but the new attribute is not added to LDAP.
    I am a beginner; how do I get the extended attribute added to an LDAP attribute?

    So, if I want to fill in blanks on a form where I need to add more pages to fill history, what program do I need? In Adobe Reader, I can edit and fill in blanks, but I cannot duplicate more blank pages.

  • Logging info about user, when deleting user from IDM

    Hi,
    I would like to be able to create a report showing the users deleted in the last month.
    The problem is that I also need to fetch the user fullname, and some other IDM attributes as additional columns.
    This is not supported with a standard audit log report.
    So I would guess that I have two options:
    1. Somehow log information while the user is deleted. For example, somewhere in the "Delete User" workflow.
    But I can't find the values I'm looking for there. They are not available to me. (a user view for example).
    And it also seems hard to pass those values from the "Deprovision Form" to the "Delete User" workflow.
    So my question is here: How do I get access to a user view in the "Delete User" workflow, is that possible?
    2. I can get the values by looking directly in the audit log for each deleted user. There I can have a look at the ACCTATTRCHANGES to see what the users name was.
    But if the AuditLog has been cleared, then that information might not be available.
    I'm stuck..
    Anyone here that has an idea of how you can fetch deleted users fullname?
    Thanks & Regards,
    Henrik
    Edited by: user1154522 on May 24, 2011 2:18 AM

    Hi,
    One possible solution can be to add a handler in the delete user workflow.
    For every user that is to be deleted, write the required information to a file/database. In your report, query the information from there and generate it.
    Note: You have to add a condition to check that the user was properly deleted from IDM and the resource (just to be sure) and only then write/store the information in the file/table.
    If you want to store the information in the audit log only, there is a column called comments that you can use; for this too, some customization is needed in the Delete User flow.
    Regards
    Arjun

  • Error: "LDAP Synch status is enabled. Cannot add users through BAT."

    In 10.x it looks like Cisco has disallowed user imports (via BAT) into LDAP-integrated systems. Has anyone else run into this? Below is the error I'm receiving in the Job Status log file. The error implies that "it's a feature, not a bug". How are large companies supposed to import new phones/users when they open new branches or do a phone refresh? Breaking LDAP to do the import isn't an option, because you have to blow away your LDAP directory config to do so, not to mention people wouldn't be able to log into Jabber or their user pages while it was broken. I'm hoping someone has a workaround or has already spoken with TAC about this.
    Failure Details :
    Device Name/User ID Error Code Error Description
    LDAP Synch status is enabled. Cannot add users through BAT.
    Result Summary :
    INSERT for 0 PHONES passed.
    INSERT for 5 PHONES failed.
    INSERT for 0 USERS passed.
    INSERT for 5 USERS failed.

    So if a company has a large CUCM deployment and adds another branch (let's say 100 phones/users), I would have to go user by user and do the phone associations, profile associations, primary extensions, etc 100 times? 
    Is there a better way that I'm missing?  That just doesn't seem logical.  In previous versions (I'm not sure about 6.x in the link.  I started with 7.x) I could have sworn that I could import from BAT even if LDAP was integrated.  I would get an error and only the non-LDAP fields would get changed, but the changes, associations, etc. would still go through.

  • Synchronize users from IDM Identity Store to UME

    Hi experts
    I would like to synchronize my users from the IDM Identity Store to UME Java. I read the document "User management for the Identity Management User Interface", but it is only for version 7.1; I use IDM 7.2 SP8. I can't find job templates for UME.
    I would like to let users access portal:5000/idm; now only the administrator can log on to the portal.
    I am looking forward to your reply.

    Hello Bartosz
    For logging on to the IDM UI, IDM would match the MX_PERSON with the UME user and allow the user to access the IDM UI if both match.
    Please give users access to the idm.authenticated action via any UME role or group; you can add this action to the Everyone group in UME.
    For creating users in Java UME, you need to create one repository for UME as AS JAVA and choose the standard job Create AS JAVA users from the SAP Provisioning framework to create users.
    Let me know in case any further information is required, I am also on IDM 7.2 SP8
    Regards
    Deepak Gupta

  • How to add multiple groups in a single user in ldap

    I have a problem with LDAP; please clarify the following problem.
    My request is --> send multiple groups at a time with a single user.
    My code with a single user and a single group is working.
    Please see the source file and please solve my problem. I tried, but I did not get it.
    package com.ldap;

    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    /**
     * This class provides methods for the user management
     * @author sudhakar
     */
    public class LdapUserMgr {
        public final static String USER_ID = "uid";
        public final static String COMMONNAME = "cn";
        public final static String SURNAME = "sn";
        public final static String MEMBEROF = "wlsMemberOf";
        public final static String MEMBEROF1 = "wlsMemberOf";
        public final static String PASSWORD = "userpassword";
        public final static String EMAIL = "mail";

        /**
         * This method creates new user in the embedded ldap registry
         * @return
         * @throws Exception
         */
        public void createUser() throws Exception {
            DirContext ctx = getLDAPConnection();
            String userId = "sudhakar";
            String userName = "sudhakar";
            String userRole = "Assessor";
            String password = "sudhakar123";
            String email = "[email protected]";
            try {
                Attributes attrNew = new BasicAttributes(true);
                Attribute objclass = new BasicAttribute("objectclass");
                String group = "ou=groups,ou=myrealm,dc=sudhakar_domain";
                String people = "ou=people,ou=myrealm,dc=sudhakar_domain";
                // add all the object classes required for the user profile
                objclass.add("top");
                objclass.add("person");
                objclass.add("organizationalPerson");
                objclass.add("inetOrgPerson");
                objclass.add("wlsUser");
                // put all the attributes required as part of the user profile
                // add object classes
                attrNew.put(objclass);
                // add user Id
                attrNew.put(USER_ID, userId);
                // add user common name
                attrNew.put(COMMONNAME, userName);
                // add user surname
                attrNew.put(SURNAME, userName);
                // prepare the group path for the user
                String role = COMMONNAME + "=" + userRole + "," + group;
                // add user to a group (single-valued here: put(String, Object) stores one value)
                attrNew.put(MEMBEROF, role);
                System.out.println("user role is " + role);
                // i want to pass multiple user roles at a time
                // add user password
                attrNew.put(PASSWORD, password);
                // add user mail Id
                attrNew.put(EMAIL, email);
                // Prepare the query string to add the user to the embedded ldap
                String query = USER_ID + "=" + userId + "," + people;
                System.out.println("user query is " + query);
                // add the user to the LDAP directory
                ctx.createSubcontext(query, attrNew);
                System.out.println("user " + userId + " created");
            } catch (NameAlreadyBoundException nabe) {
                System.out.println(nabe.getMessage());
                throw new NameAlreadyBoundException("User by this name already exists");
            } catch (NamingException namEx) {
                System.out.println(namEx.getMessage());
            } catch (Exception ex) {
                System.out.println(ex.getMessage());
            } finally {
                closeLDAPConnection(ctx);
            }
        }

        public DirContext getLDAPConnection() throws Exception {
            DirContext ctx = null;
            try {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, "ldap://192.168.100.84:7030/");
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, "cn=Admin");
                env.put(Context.SECURITY_CREDENTIALS, "admin");
                // Create the initial directory context
                ctx = new InitialDirContext(env);
                return ctx;
            } catch (AuthenticationException authEx) {
                System.out.println(authEx.getMessage());
                throw new AuthenticationException("Authentication failed");
            } catch (NamingException namEx) {
                System.out.println(namEx.getMessage());
                throw new NamingException("Naming Exception");
            } catch (Exception ex) {
                System.out.println(ex.getMessage());
                throw new Exception("Exception Occured");
            }
        }

        /**
         * This method closes the LDAP connection
         * @param ctx
         */
        public void closeLDAPConnection(DirContext ctx) {
            try {
                ctx.close();
            } catch (NamingException nex) {
                System.out.println(nex.getMessage());
            } catch (Exception ex) {
                System.out.println(ex.getMessage());
            }
        }

        public static void main(String s[]) throws Exception {
            LdapUserMgr ldapUserMgr = new LdapUserMgr();
            ldapUserMgr.createUser();
        }
    }
    Edited by: sudhakar_kavuru on Jun 16, 2009 1:58 AM

    Hi Sudhakar,
    Try something like this. Here I have enclosed the code snippet.
    String query = USER_ID + "=" + user.getUserId() + "," + people;
    // add the user to the LDAP directory
    // ctx.createSubcontext( query, attrNew );
    // the first role goes into the entry together with the other attributes
    Attribute att1 = new BasicAttribute(MEMBEROF);
    String roleName = user.getUserRoleList().get(0);
    String role1 = COMMONNAME + "=" + roleName + "," + group;
    att1.add(role1);
    attrNew.put(att1);
    DirContext dirContext = ctx.createSubcontext(query, attrNew);
    // the remaining roles are added to the new entry one by one with ADD_ATTRIBUTE
    for (int i = 1; i < user.getUserRoleList().size(); i++) {
        Attributes att2 = new BasicAttributes();
        String roleNameStr = user.getUserRoleList().get(i);
        log.debug("roleNameStr--->" + roleNameStr);
        String role2 = COMMONNAME + "=" + roleNameStr + "," + group;
        log.debug("role2-->" + role2);
        att2.put(MEMBEROF, role2);
        dirContext.modifyAttributes("", DirContext.ADD_ATTRIBUTE, att2);
    }
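An added example (my own code, not from either thread, Sun IDM or WebLogic) that serves both the first thread's "missing attribute sn" error and this thread's multi-group question: it builds the JNDI Attributes in memory, sends lastname as sn and every group DN as one multi-valued wlsMemberOf, and checks the object classes' MUST attributes before any createSubcontext() call. The MUST table, the sample DNs and the assumption that wlsUser adds no MUST attributes are mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

/**
 * Added example (not from the threads above, Sun IDM or WebLogic): build the JNDI
 * Attributes for a new user with lastname sent as 'sn' and every group DN in ONE
 * multi-valued attribute, then check the MUST attributes of each object class
 * before createSubcontext() is called. The MUST table covers only the classes used
 * in these threads (RFC 4519); 'wlsUser' is WebLogic-specific and is assumed to
 * add no MUST attributes of its own.
 */
public class LdapEntryPreflight {
    /** Required attributes per object class. */
    private static final Map<String, List<String>> MUST = new LinkedHashMap<>();
    static {
        MUST.put("top", Collections.singletonList("objectClass"));
        MUST.put("person", Arrays.asList("sn", "cn"));
        MUST.put("organizationalPerson", Collections.<String>emptyList());
        MUST.put("inetOrgPerson", Collections.<String>emptyList());
        MUST.put("wlsUser", Collections.<String>emptyList()); // assumption, see above
    }

    /** IDM-side fields to LDAP attributes; groupDns fills one multi-valued attribute. */
    public static Attributes buildUser(String uid, String cn, String lastName,
                                       String mail, List<String> groupDns) {
        Attributes attrs = new BasicAttributes(true); // ignoreCase: LDAP attribute names are case-insensitive
        Attribute oc = new BasicAttribute("objectClass");
        for (String c : new String[] {"top", "person", "organizationalPerson", "inetOrgPerson", "wlsUser"}) oc.add(c);
        attrs.put(oc);
        attrs.put("uid", uid);
        attrs.put("cn", cn);
        if (lastName != null && !lastName.isEmpty()) {
            attrs.put("sn", lastName); // the lastname -> sn mapping the first thread was missing
        }
        attrs.put("mail", mail);
        Attribute memberOf = new BasicAttribute("wlsMemberOf");
        for (String dn : groupDns) {
            memberOf.add(dn); // one add() per value: all groups go in the same ADD, no modifyAttributes loop
        }
        if (memberOf.size() > 0) attrs.put(memberOf); // an attribute with no values would be rejected
        return attrs;
    }

    /** Returns "attr required by class" for each absent MUST attribute; empty means the entry passes. */
    public static List<String> missingRequired(Attributes attrs) throws NamingException {
        List<String> missing = new ArrayList<>();
        Attribute oc = attrs.get("objectClass");
        if (oc == null) return Collections.singletonList("objectClass required by top");
        NamingEnumeration<?> classes = oc.getAll();
        while (classes.hasMore()) {
            String cls = String.valueOf(classes.next());
            List<String> required = MUST.get(cls);
            if (required == null) continue; // class not modelled here; the server's own schema check still applies
            for (String attr : required) {
                Attribute a = attrs.get(attr);
                if (a == null || a.size() == 0) missing.add(attr + " required by " + cls);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws NamingException {
        String groups = "ou=groups,ou=myrealm,dc=example"; // constructed sample base DN
        List<String> roles = Arrays.asList("cn=Assessor," + groups, "cn=Reviewer," + groups);
        // 1) the failing case from the first thread: no lastname mapped, so no sn is sent
        Attributes broken = buildUser("pippo", "pippo", null, "pippo@example.invalid", roles);
        System.out.println("missing: " + missingRequired(broken));
        // 2) lastname mapped to sn: the check passes and wlsMemberOf carries both groups
        Attributes ok = buildUser("pippo", "pippo", "Rossi", "pippo@example.invalid", roles);
        System.out.println("missing: " + missingRequired(ok));
        System.out.println("wlsMemberOf values: " + ok.get("wlsMemberOf").size());
    }
}
```

Running the check client-side turns the server's error 65 into a readable list before the ADD is sent; the server's schema check remains authoritative for classes the table does not model.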

  • Error while creating user in LDAP (MS ADS) from SAP Portal 7.0

    Hi,
    Is it mandatory to use an SSL connection to create a new user in LDAP (MS ADS) from SAP Portal 7.0?
    I've configured the UME with the LDAP server address and port 389, and use the configuration file "dataSourceConfiguration_ads_writeable_db.xml".
    I can view the users existing in LDAP, but when I try to create a new user I get the following error message:
    LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0)
    Thanks and regards

    Check this link:
    http://help.sap.com/saphelp_nw70/helpdata/EN/37/cfd93f130f9115e10000000a155106/frameset.htm
    At the end of the page there is a quote: "We strongly recommend that you configure SSL between the UME and the LDAP directory. Some LDAP directories, such as Microsoft Active Directory Server, require an SSL connection if you want to create users on the LDAP directory"
    Hence follow this link to configure SSL:
    http://help.sap.com/saphelp_nw70/helpdata/EN/7d/77fa735e5f47a2a50b5336fd1b5a61/frameset.htm
    Hope this helps..
    [Rahul|http://rahulursportal.blogspot.com/]

  • How to migrate user from IDM 5.5 to 6

    Our current users in IDM 5.5 have many attributes, admin roles and deferred tasks. Does anyone know the best way to migrate the users from the 5.5 database to 6 without losing user information?

    Hi,
    You need to export each user's XML from IDM 5.5 and import it into IDM 6.0. That's all I know.
    If there is anything we can do other than this, please let me know.

  • How to add users from person or group field in a sharepoint list to sharepoint group

    Hi,
    How to add users(single or multiple) from person or group field in a sharepoint list to sharepoint group programmatically?
    Any suggestions would be appreciated.
    Thank you,
    AA.

    Hello,
    Use the SPGroup.AddUser() method to add a user to a group. I have just written sample code in Notepad, so it is not tested:
    string groupName = "GroupName"; // name of the target SharePoint group
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        using (SPSite site = new SPSite(SPContext.Current.Site.Url))
        {
            using (SPWeb web = site.OpenWeb())
            {
                SPList list = web.Lists["ListName"];
                SPQuery query = new SPQuery();
                query.Query = "<Where><Eq><FieldRef Name='Title' /><Value Type='Text'>Test</Value></Eq></Where>";
                SPListItemCollection items = list.GetItems(query);
                if (items.Count > 0)
                {
                    foreach (SPListItem item in items)
                    {
                        // Get users from the person or group column
                        SPFieldUser userField = (SPFieldUser)item.Fields.GetField("Users");
                        SPFieldUserValueCollection users =
                            (SPFieldUserValueCollection)userField.GetFieldValue(item["Users"].ToString());
                        SPGroup spGroup = site.RootWeb.Groups[groupName];
                        if (users.Count != 0)
                        {
                            foreach (SPFieldUserValue user in users)
                            {
                                bool isUserInGroup = false; // reset per user, otherwise one match skips all later users
                                foreach (SPUser groupUser in spGroup.Users)
                                {
                                    string itemUserName = groupUser.LoginName;
                                    string userName = user.User.LoginName;
                                    if (itemUserName == userName)
                                    {
                                        isUserInGroup = true;
                                        break;
                                    }
                                }
                                if (!isUserInGroup)
                                {
                                    spGroup.AddUser(user.User);
                                }
                            }
                        }
                    }
                }
            }
        }
    });
    The above code will query the list items and then get the users from the "Users" column. It then checks whether each user is already in the group; if not, it adds the user to the group.
    http://rajanijilla.blogspot.sg/2012/09/add-users-to-group-programmatically.html
    Hope it could help
    Hemendra

  • How to add user to external LDAP programmatically?

    Hello.
    I have portal application in JDeveloper. Here is code that adds user to WLS embedded LDAP:
    JpsContextFactory jps = JpsContextFactory.getContextFactory();
    JpsContext jpsContext = jps.getContext();
    IdentityStoreService storeService = jpsContext.getServiceInstance(IdentityStoreService.class);
    IdentityStore is = storeService.getIdmStore();
    UserManager mn = is.getUserManager();
    RoleManager rm = is.getRoleManager();
    Principal p = mn.createUser(username,password.toCharArray()).getPrincipal();
    Role r = is.searchRole(is.SEARCH_BY_NAME, "Administrators");
    rm.grantRole(r, p);
    But I also have an external LDAP on my WLS. How can I add users to the external LDAP programmatically?

    System Preferences > Users & Groups > Unlock the lock on the bottom left > click the plus sign on the bottom left

  • Using a User Store different from LDAP to identify users

    Hello everybody,
    I've developed a couple of authentication classes in Access Manager and I found the constraint of having to use an LDAP user store very limiting.
    I have to develop a class that checks the credentials against a table in a database. I've no LDAP user store at all; I find all the relevant information in the DB. So I can correctly authenticate the user, but I can't "say" to the Identity Server that the user is also correctly identified. In the code I can create a new NIDPPrincipal object with a (null UserAuthority), setting its properties for the authenticated user. It works, but anyway I have to add a "fake" LDAP user store to be able to check the "identify user" option in the method definition in the Administration Console. And I presume that the Identity Server can become unstable because it cannot find the user in the user store.
    I've looked at the LDAP Plugin extension, trying to create a "wrapper" to the DB, but the documented API is only about the LDAP definition and does not expose any interface to catch LDAP search or read (or whatever else the Identity Server may ask of the user store), so I guess that the LDAP access is hard-wired in the Identity Server code. This approach seems very strange, because the modular architecture of the NAM solution could work very well with other types of user stores than LDAP. I expected to find an interface to abstract the User Authority.
    Am I missing something, or are my arguments very wrong?
    Thanks
    Giovanni
    View this thread: http://forums.novell.com/showthread.php?t=422784

    cannata g wrote:
    > Am I missing something, or are my arguments very wrong?
    I'm probably not really the right person, but the way I see it is that NAM supports LDAP user stores, therefore it kind of makes sense why the LDAP code is so heavily embedded. Maybe log an enhancement request to see if JDBC can be supported as an authentication mechanism.
    Cheers,
    Edward
