Add user in LDAP from IDM
Hi,
Creating a user from IDM on LDAP gives the following error: "com.waveset.util.WavesetException: An error occurred adding user 'cn=pippo,ou=ac_bu,dc=atlan,dc=it' to resource 'LDAP'. javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=pippo,ou=ac_bu,dc=atlan,dc=it violates the Directory Server schema configuration because it is missing attribute sn which is required by objectclass person] ". The 'sn' attribute, which is required, is not sent.
How do I send the attribute 'sn' and give 'sn' value 'lastname' ?
Thanks for your time.
In the attribute mappings, map lastname (IDM side) to sn (LDAP side).
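One way to catch this before the add request ever reaches the directory, as an added example that is not part of the original thread: a pre-flight check that applies the IDM-to-LDAP attribute mapping and compares the result with the MUST attributes of the entry's objectClasses. The MUST list for person (cn, sn) is the standard schema one; the sample account, the two mapping dictionaries and the helper names are constructed for the example, with the "broken" mapping reproducing the question and the "fixed" mapping reproducing the answer.

```python
"""Pre-flight schema check for an IDM account about to be written to LDAP.

Added example; the account, mappings and required-attribute table are constructed
for illustration (the MUST lists follow the standard person/inetOrgPerson schema).
"""
from typing import Dict, List, Mapping, Tuple, Union

# MUST attributes per objectClass, as in the standard schema (RFC 4519 / RFC 2798).
REQUIRED_BY_OBJECTCLASS: Dict[str, List[str]] = {
    "top": ["objectClass"],
    "person": ["cn", "sn"],
    "organizationalPerson": [],
    "inetOrgPerson": [],
}

# Constructed IDM-side account (what the provisioning form holds).
SAMPLE_ACCOUNT = {"accountId": "pippo", "firstname": "Pippo", "lastname": "Rossi"}

# Mapping as in the question: lastname is never sent, so sn is missing.
MAPPING_BROKEN = {"accountId": "cn", "firstname": "givenName"}
# Mapping as in the answer: lastname (IDM side) mapped to sn (LDAP side).
MAPPING_FIXED = dict(MAPPING_BROKEN, lastname="sn")

OBJECT_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]


def map_account(idm_account: Mapping[str, str], mapping: Mapping[str, str]) -> Dict[str, str]:
    """Apply the IDM-to-LDAP mapping; unmapped or empty IDM attributes are simply not sent."""
    ldap_attrs: Dict[str, str] = {}
    for idm_attr, ldap_attr in mapping.items():
        value = idm_account.get(idm_attr, "")
        if value != "":
            ldap_attrs[ldap_attr] = value
    return ldap_attrs


def missing_required(ldap_attrs: Mapping[str, str], object_classes: List[str]) -> List[str]:
    """List MUST attributes of the given objectClasses that the entry does not carry."""
    present = {name.lower() for name in ldap_attrs} | {"objectclass"}
    missing: List[str] = []
    for oc in object_classes:
        for required in REQUIRED_BY_OBJECTCLASS.get(oc, []):
            if required.lower() not in present and required not in missing:
                missing.append(required)
    return missing


def check_add(idm_account, mapping, object_classes) -> Tuple[bool, Union[str, Dict[str, str]]]:
    """Return (True, attributes) if the add passes the MUST check, else (False, reason).

    The reason mirrors the server's error code 65 message so it can be shown to the
    operator before any request is sent.
    """
    ldap_attrs = map_account(idm_account, mapping)
    missing = missing_required(ldap_attrs, object_classes)
    if missing:
        return False, "schema violation: missing attribute(s) " + ", ".join(missing)
    return True, ldap_attrs


if __name__ == "__main__":
    for label, mapping in (("broken", MAPPING_BROKEN), ("fixed", MAPPING_FIXED)):
        ok, result = check_add(SAMPLE_ACCOUNT, mapping, OBJECT_CLASSES)
        print(f"{label}: {'ok' if ok else 'rejected'} -> {result}")
```

The table only covers the MUST side of the schema; MAY attributes and syntax checks are still the server's job, so the check is a fast rejection of the obvious mapping gap, not a replacement for the directory's own validation.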
Similar Messages
-
Mail folders after moving user to LDAP from Local
I originally setup our server with Local users, rather than LDAP. Now, we need to move everyone over (for a variety of reasons). I'm basically doing the following for each user:
Export individual Mail/Contacts/Calendars
Turn off Mail/Calendars/Contacts in Server app
Delete Local User
Create LDAP user with the same UserID in Workgroup Manager
Check all services for the user under User Access in Server app
Turn on Mail/Calendars/Contacts
Import individual Mail/Contacts/Calendars back into the apps on the client machine
This works up until I try to reimport emails. I get the error that the "mailbox already exists". This makes me think it's associating the userID with the old email folder on the Server. The problem is I don't know how to either reassociate the user with their old emails, or to remove them. Any help is appreciated, thanks!
Here is what happened:
Original User's Document files were NOT stored under the User Name as they should have been. The User Name doc file was almost empty. (Nov 2007 thru Aug 1 2008). The main Documents folder was located in the Macintosh HD folder (not in User folder).
User Name Account got corrupt and new User Name had to be created. The Documents Folder was moved to this Account. (Aug 1, 2008)
Time Machine was not backing up the iMac because the New User had to set up TM. On Aug 4, 2008, TM was turned on and began backing up the computer AGAIN (thus process took several hours).
My solution is:
Delete the old back-up file (+600GB) and re-back-up iMac. Keychain from the old user will remain intact and there would only be ONE copy of Documents folder in the backup (along with the incremental backups).
Would this work? Is there a way to remove back-ups prior to Aug4? How can I control TM so it doesn't consume my HD? I use this drive to store iTunes and iPhoto/Aperture libraries.
Thanks -
Add Digital cert and jpeg photo from IdM
Hi , groovers
I'd like to add ' digital Certificates ' and 'JpegPhoto' to LDAP from IdM.
How do I configure this in IdM 5.5? Or are there any good ideas?
I know the userCertificate and jpegPhoto attributes are not supported in IdM...
micky
I do not have an example for you which I can share with you, but this has been done by a number of people. In workflows and forms you can call all the Java you can think of.
for userCertificate support:
There have been a lot of requests for the support of userCertificate as an attribute in IDM. Reading from a file sync to LDAP etc. This is a feature which is planned for version 6, not for 6.0 but for a SP that will go on top of 6.0.
Not more to tell about this since it still is in the planned phase.
WilfredS -
Cannot Add user to CMC Group when they are a member of LDAP group
On PreProduction Server CMC
Softerra LDAP browser used to verify user is a member of LDAP group
User does not show as a member of that group in the CMC
Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
On Production Server CMC
For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
Why don't the groups in CMC show what is actually shown in the LDAP browser?
Hi,
Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
Regards,
Julian -
Hi, I am facing a problem disabling a user in LDAP through SIM
Hi, I have configured an LDAP directory server in Sun IDM.
After creating the user in IDM & LDAP I am trying to disable the user both in SIM as well as LDAP; in the IDM repository it shows that the user in LDAP got disabled, but actually in LDAP the user account is in active state.
I don't understand why this problem is occurring. Earlier when I tried to disable the user in LDAP through IDM it was working fine, but it is not working now. It is very urgent for me. Can anyone tell the reason? Any advice will be helpful.
There are two ways of disabling ANY account on ANY resource through a resource adapter.
1) use native method, if it exists.
2) change password to some value which matches password policy AND completely forget this password.
The first method is used for some adapters, Oracle for example.
The second method is used more widely, for Solaris, Redhat Linux, LDAP... and many other resource.
I believe that they made LDAPResourceAdapter using DisableUser this way so that it can be used for communicating with non-Sun directory servers as well.
So, disabling user from Identity Manager does not disable the user through setting any native flag on JES Directory Server, but by changing and forgetting password AND marking that account as "disabled" in the Identity Manager instead.
The user cannot log on anymore, so the "disable" is ok. Although you cannot see that the user is disabled using common ldaptools. -
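Because the adapter disables by scrambling the password rather than setting a native lock, a directory export will not show the account as disabled, which is exactly the gap the question describes. An added example, not from the thread: a small reconciliation that parses an LDIF export and lists accounts that the IDM repository reports disabled but that carry no native lock attribute in the directory. The LDIF text and the disabled set are constructed; nsAccountLock is the lock attribute of Sun/Red Hat Directory Server, and other directories use a different attribute, which is why the attribute name is a parameter.

```python
"""Reconcile IDM's view of disabled accounts against an LDAP directory export.

Added example; SAMPLE_LDIF and IDM_DISABLED are constructed, not real data.
"""
import base64
from typing import Dict, Iterable, List

# Constructed export of three accounts; only alice carries a native lock flag.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
nsAccountLock: true

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
description:: ZGlzYWJsZWQgaW4gSURNIG9ubHk=

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

# Accounts that the IDM repository reports as disabled (constructed).
IDM_DISABLED = {"alice", "bob"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts.

    Handles folded continuation lines, comment lines and base64 ('::') values.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def natively_locked(entry: Dict[str, List[str]], lock_attr: str = "nsAccountLock",
                    lock_value: str = "true") -> bool:
    """True if the entry carries the directory's own lock attribute set to the lock value."""
    for attr, values in entry.items():
        if attr.lower() == lock_attr.lower():
            return any(v.lower() == lock_value.lower() for v in values)
    return False


def reconcile(ldif_text: str, idm_disabled: Iterable[str],
              lock_attr: str = "nsAccountLock") -> List[str]:
    """Return uids that IDM reports disabled but that show no native lock in the export."""
    disabled = set(idm_disabled)
    findings: List[str] = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        if uid in disabled and not natively_locked(entry, lock_attr):
            findings.append(uid)
    return findings


if __name__ == "__main__":
    for uid in reconcile(SAMPLE_LDIF, IDM_DISABLED):
        print(f"{uid}: disabled in IDM but not locked in the directory")
```

Run against a real export, every account the report lists is one that still authenticates for anyone who knows (or resets) its password, so the list is the set of accounts to lock natively, or at least to watch for successful binds.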
How can I extend a user attribute and add the attribute to LDAP
How can I add an extended user attribute and push that attribute to LDAP?
1.
i use spe to modified "Default User Library":add Field like
title:nation name:accounts[Lighthouse].nation
2.
modified "IDM Schema Configuration"
add <IDMAttributeConfiguration name='nation' description='default attribute from UserExtendedAttributes/UserUIConfig' syntax='STRING'/>
in <IDMAttributeConfigurations>
and
add <IDMObjectClassAttributeConfiguration name='nation' queryable='true' summary='true'/> in<IDMObjectClassConfiguration>
The extended attribute is there when I create a new user.
3.
I create a new resource to LDAP, and I add nation in the "Account Attributes" tab,
but the new attribute is not added to LDAP.
I am a beginner; how do I add an extended attribute as an LDAP attribute?
So, if I want to fill in blanks on a form where I need to add more pages to fill history, what program do I need? In Adobe Reader, I can edit and fill in blanks, but I cannot duplicate more blank pages.
-
Logging info about user, when deleting user from IDM
Hi,
I would like to be able create a report showing deleted users the last month.
The problem is that I also need to fetch the user fullname, and some other IDM attributes as additional columns.
This is not supported with a standard audit log report.
So I would guess that I have two options:
1. Somehow log information while the user is deleted. For example, somewhere in the "Delete User" workflow.
But I can't find the values I'm looking for there. They are not available to me. (a user view for example).
And it also seems hard to pass those values from the "Deprovision Form" to the "Delete User" workflow.
So my question is here: How do I get access to a user view in the "Delete User" workflow, is that possible?
2. I can get the values by looking directly in the audit log for each deleted user. There I can have a look at the ACCTATTRCHANGES to see what the users name was.
But if the AuditLog has been cleared, then that information might not be available.
I'm stuck..
Anyone here that has an idea of how you can fetch deleted users fullname?
Thanks & Regards,
Henrik
Edited by: user1154522 on May 24, 2011 2:18 AM
Hi,
One possible solution can be to add a handler in the delete user workflow.
For every user that is to be deleted, write the required information to a file/database. In your report, query the information from there and generate it.
Note: You have to add a condition to check if the user was properly deleted from IDM and the resource (just to be sure) and then write/store the information in the file/table.
If you want to store the information in the audit log only, there is a column called comments that you can use; for this also, some customization is needed in the Delete User flow.
Regards
Arjun -
Error: "LDAP Synch status is enabled. Cannot add users through BAT."
In 10.x it looks like Cisco has disallowed user imports (via BAT) into LDAP-integrated systems. Has anyone else run into this? Below is the error I'm receiving in the Job Status log file. The error implies that "it's a feature, not a bug". How are large companies supposed to import new phones/users when they open new branches or do a phone refresh? Breaking LDAP to do the import isn't an option because you have to blow away your LDAP directory config to do so - not to mention people wouldn't be able to log into Jabber or their user pages while it was broken. I'm hoping someone has a workaround or has already spoken with TAC about this.
Failure Details :
Device Name/User ID Error Code Error Description
LDAP Synch status is enabled. Cannot add users through BAT.
Result Summary :
INSERT for 0 PHONES passed.
INSERT for 5 PHONES failed.
INSERT for 0 USERS passed.
INSERT for 5 USERS failed.
So if a company has a large CUCM deployment and adds another branch (let's say 100 phones/users), I would have to go user by user and do the phone associations, profile associations, primary extensions, etc. 100 times?
Is there a better way that I'm missing? That just doesn't seem logical. In previous versions (I'm not sure about 6.x in the link. I started with 7.x) I could have sworn that I could import from BAT even if LDAP was integrated. I would get an error and only the non-LDAP fields would get changed, but the changes, associations, etc. would still go through. -
Synchronize users from IDM Idenity Store to UME
Hi experts
I would like to synchronize my users from IDM Identity Store to UME Java. I read the document "User management for the Identity
Management User Interface" but it is only for version 7.1; I use IDM 7.2 SP8. I can't find job templates for UME.
I would like to allow users to access portal:5000/idm; now only the administrator can log on to the portal.
I'm looking forward to your reply
Hello Bartosz
For logging in to the IDM UI, IDM matches the MX_PERSON with the UME user and allows the user to access the IDM UI if both match.
Please give idm.authenticated action access via any UME Role or group to users, You can add this action to Everyone group in UME.
For creating users in JAVA UME, You need to create one repository for UME as AS JAVA and choose standard job Create AS JAVA users from SAP Provisioning framework to create users.
Let me know in case any further information is required, I am also on IDM 7.2 SP8
Regards
Deepak Gupta -
How to add multiple groups in a single user in ldap
I have problem with ldap ,Please clarify the following problem.
My request is --> send the multiple groups at a time with single user.
My code contain single user and single group is working.
Please see the source file ,please solve my problem. i tried , but i did not get.
package com.ldap;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * This class provides methods for the user management
 * @author sudhakar
 */
public class LdapUserMgr {
    public final static String USER_ID = "uid";
    public final static String COMMONNAME = "cn";
    public final static String SURNAME = "sn";
    public final static String MEMBEROF = "wlsMemberOf";
    public final static String MEMBEROF1 = "wlsMemberOf";
    public final static String PASSWORD = "userpassword";
    public final static String EMAIL = "mail";

    /**
     * This method creates new user in the embedded ldap registry
     * @throws Exception
     */
    public void createUser() throws Exception {
        DirContext ctx = getLDAPConnection();
        String userId = "sudhakar";
        String userName = "sudhakar";
        String userRole = "Assessor";
        String password = "sudhakar123";
        String email = "[email protected]";
        try {
            Attributes attrNew = new BasicAttributes(true);
            Attribute objclass = new BasicAttribute("objectclass");
            String group = "ou=groups,ou=myrealm,dc=sudhakar_domain";
            String people = "ou=people,ou=myrealm,dc=sudhakar_domain";
            // add all the object classes required for the user profile
            objclass.add("top");
            objclass.add("person");
            objclass.add("organizationalPerson");
            objclass.add("inetOrgPerson");
            objclass.add("wlsUser");
            // put all the attributes required as part of the user profile
            // add object classes
            attrNew.put(objclass);
            // add user Id
            attrNew.put(USER_ID, userId);
            // add user common name
            attrNew.put(COMMONNAME, userName);
            // add user surname
            attrNew.put(SURNAME, userName);
            // prepare the group path for the user
            String role = COMMONNAME + "=" + userRole + "," + group;
            // add user to a group
            attrNew.put(MEMBEROF, role);
            System.out.println("user role is " + role);
            // i want to pass multiple user roles at a time
            // add user password
            attrNew.put(PASSWORD, password);
            // add user mail Id
            attrNew.put(EMAIL, email);
            // Prepare the query string to add the user to the embedded ldap
            String query = USER_ID + "=" + userId + "," + people;
            System.out.println("user query is " + query);
            // add the user to the LDAP directory
            ctx.createSubcontext(query, attrNew);
            System.out.println("user " + userId + " created");
        } catch (NameAlreadyBoundException nabe) {
            System.out.println(nabe.getMessage());
            throw new NameAlreadyBoundException("User by this name already exists");
        } catch (NamingException namEx) {
            System.out.println(namEx.getMessage());
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
        } finally {
            closeLDAPConnection(ctx);
        }
    }

    /**
     * This method opens a connection to the embedded LDAP server
     * @return the directory context
     * @throws Exception
     */
    public DirContext getLDAPConnection() throws Exception {
        DirContext ctx = null;
        try {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://192.168.100.84:7030/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "cn=Admin");
            env.put(Context.SECURITY_CREDENTIALS, "admin");
            // Create the initial directory context
            ctx = new InitialDirContext(env);
            return ctx;
        } catch (AuthenticationException authEx) {
            System.out.println(authEx.getMessage());
            throw new AuthenticationException("Authentication failed");
        } catch (NamingException namEx) {
            System.out.println(namEx.getMessage());
            throw new NamingException("Naming Exception");
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
            throw new Exception("Exception Occurred");
        }
    }

    /**
     * This method closes the LDAP connection
     * @param ctx
     */
    public void closeLDAPConnection(DirContext ctx) {
        try {
            ctx.close();
        } catch (NamingException nex) {
            System.out.println(nex.getMessage());
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
        }
    }

    public static void main(String s[]) throws Exception {
        LdapUserMgr ldapUserMgr = new LdapUserMgr();
        ldapUserMgr.createUser();
    }
}
Edited by: sudhakar_kavuru on Jun 16, 2009 1:58 AM
Hi Sudhakar,
try some thing like this.Here I have enclosed the code snippet.
// user, log, ctx, attrNew, people and group come from the responder's own code (not shown)
String query = USER_ID + "=" + user.getUserId() + "," + people;
// add the user to the LDAP directory
// ctx.createSubcontext( query, attrNew );
Attribute att1 = new BasicAttribute(MEMBEROF);
String roleName = user.getUserRoleList().get(0);
String role1 = COMMONNAME + "=" + roleName + "," + group;
att1.add(role1);
attrNew.put(att1);
// create the entry with the first role, then add the remaining roles one by one
DirContext dirContext = ctx.createSubcontext(query, attrNew);
for (int i = 1; i < user.getUserRoleList().size(); i++) {
    Attributes att2 = new BasicAttributes();
    String roleNameStr = user.getUserRoleList().get(i);
    log.debug("roleNameStr--->" + roleNameStr);
    String role2 = COMMONNAME + "=" + roleNameStr + "," + group;
    log.debug("role2-->" + role2);
    att2.put(MEMBEROF, role2);
    dirContext.modifyAttributes("", DirContext.ADD_ATTRIBUTE, att2);
}
-
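The same add with several groups, as an added example in Python rather than the poster's Java (it is not code from the thread): the point it shows is that wlsMemberOf is one multi-valued attribute, so every group DN belongs in the single add request, which the example renders as an LDIF content record following RFC 2849 (base64 for values that are not LDIF-safe, folding for long lines). The base DNs are the ones from the posted program; the helper names, the second role, the mail address and the password value are constructed.

```python
"""Build one LDAP add request carrying several group memberships and render it as LDIF.

Added example, not the poster's code: the base DNs are those of the posted program,
while the helper names, the second role, the mail address and the password are constructed.
"""
import base64
from typing import Dict, List, Mapping, Sequence, Tuple

PEOPLE_BASE = "ou=people,ou=myrealm,dc=sudhakar_domain"
GROUP_BASE = "ou=groups,ou=myrealm,dc=sudhakar_domain"


def build_user_entry(user_id: str, roles: Sequence[str], password: str,
                     email: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (dn, attributes); every attribute is a list, so wlsMemberOf holds one value per group."""
    dn = f"uid={user_id},{PEOPLE_BASE}"
    attrs: Dict[str, List[str]] = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "wlsUser"],
        "uid": [user_id],
        "cn": [user_id],
        "sn": [user_id],
        # one multi-valued attribute in the add request, not one modify per group
        "wlsMemberOf": [f"cn={role},{GROUP_BASE}" for role in roles],
        "userPassword": [password],
        "mail": [email],
    }
    return dn, attrs


def _needs_base64(value: str) -> bool:
    """RFC 2849: a value that is not a SAFE-STRING must be written base64-encoded."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def _fold(line: str, width: int = 76) -> str:
    """Fold long lines; each continuation line starts with a single space."""
    if len(line) <= width:
        return line
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def _attr_line(name: str, value: str) -> str:
    """One 'name: value' or 'name:: base64' line."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return _fold(f"{name}:: {encoded}")
    return _fold(f"{name}: {value}")


def ldif_entry(dn: str, attrs: Mapping[str, Sequence[str]]) -> str:
    """Render an LDIF content record; repeated attribute lines carry the multiple values."""
    lines = [_attr_line("dn", dn)]
    for name, values in attrs.items():
        for value in values:
            lines.append(_attr_line(name, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, attrs = build_user_entry("sudhakar", ["Assessor", "Reviewer"],
                                 "change-me-now", "sudhakar@example.com")
    print(ldif_entry(dn, attrs))
```

The rendered record is what ldapadd would send in one operation. In JNDI the equivalent is calling add() on a single BasicAttribute once per group DN before createSubcontext, which avoids the window between the create and the follow-up modifyAttributes calls in which the entry exists with only its first group.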
Error while creating user in LDAP (MS ADS) from SAP Portal 7.0
Hi,
Is it obliged to use SSL connection to create new user in LDAP (MS ADS) from SAP Portal 7.0 ?
I've configured the UME with ldap server adress and port 389. And use configuration file "dataSourceConfiguration_ads_writeable_db.xml"
I succeed to view users existing in LDAP but when I try to create new user I've the following error message:
LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0)
Thanks and regards
Check this link
http://help.sap.com/saphelp_nw70/helpdata/EN/37/cfd93f130f9115e10000000a155106/frameset.htm
and at the end of the page there is a quote: "We strongly recommend that you configure SSL between the UME and the LDAP directory. Some LDAP directories, such as Microsoft Active Directory Server, require an SSL connection if you want to create users on the LDAP directory"
hence follow this link to configure SSL
http://help.sap.com/saphelp_nw70/helpdata/EN/7d/77fa735e5f47a2a50b5336fd1b5a61/frameset.htm
hope this helps..
[Rahul|http://rahulursportal.blogspot.com/] -
How to migrate user from IDM 5.5 to 6
Our current users in IDM 5.5 have many attributes, admin roles and deferred tasks. Does anyone know what is the best way to migrate the users from the 5.5 database to 6 without losing user information?
hi,
You need to export each user XML from IDM 5.5 and import it into IDM 6.0. That's all I know.
If there is anything we can do other than this, please let me know. -
How to add users from person or group field in a sharepoint list to sharepoint group
Hi,
How to add users(single or multiple) from person or group field in a sharepoint list to sharepoint group programmatically?
Any suggestions would be appreciated.
Thank you,
AA.
Hello,
Use the SPGroup.AddUser() method to add a user to a group. I have just written sample code in Notepad so it is not tested:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite Site = new SPSite(SPContext.Current.Site.Url))
    {
        using (SPWeb Web = Site.OpenWeb())
        {
            SPList list = Web.Lists["ListName"];
            SPQuery query = new SPQuery();
            query.Query = "<Where><Eq><FieldRef Name='Title' /><Value Type='Text'>Test</Value></Eq></Where>";
            SPListItemCollection items = list.GetItems(query);
            string groupName = "GroupName"; // name of the target SharePoint group
            if (items.Count > 0)
            {
                foreach (SPListItem item in items)
                {
                    // Get users from person or group column
                    SPFieldUser userField = (SPFieldUser)item.Fields.GetField("Users");
                    SPFieldUserValueCollection users = (SPFieldUserValueCollection)userField.GetFieldValue(item["Users"].ToString());
                    SPGroup spGroup = Site.RootWeb.Groups[groupName];
                    if (users.Count != 0)
                    {
                        foreach (SPFieldUserValue user in users)
                        {
                            if (user.User == null) continue; // value is a group, not a user
                            bool isUserInGroup = false;    // reset for every user
                            foreach (SPUser groupUser in spGroup.Users)
                            {
                                string itemUserName = groupUser.LoginName;
                                string UserName = user.User.LoginName;
                                if (itemUserName == UserName)
                                {
                                    isUserInGroup = true;
                                    break;
                                }
                            }
                            if (!isUserInGroup)
                            {
                                spGroup.AddUser(user.User);
                            }
                        }
                    }
                }
            }
        }
    }
});
The above code will query the list items and then get the users from the "Users" column. Then it checks whether each user is already in the group or not; if not, it adds the user to the group.
http://rajanijilla.blogspot.sg/2012/09/add-users-to-group-programmatically.html
Hope it could help
Hemendra:Yesterday is just a memory,Tomorrow we may never see
Please remember to mark the replies as answers if they help and unmark them if they provide no help -
How to add user to external LDAP programmatically?
Hello.
I have portal application in JDeveloper. Here is code that adds user to WLS embedded LDAP:
JpsContextFactory jps = JpsContextFactory.getContextFactory();
JpsContext jpsContext = jps.getContext();
IdentityStoreService storeService = jpsContext.getServiceInstance(IdentityStoreService.class);
IdentityStore is = storeService.getIdmStore();
UserManager mn = is.getUserManager();
RoleManager rm = is.getRoleManager();
Principal p = mn.createUser(username,password.toCharArray()).getPrincipal();
Role r = is.searchRole(is.SEARCH_BY_NAME, "Administrators");
rm.grantRole(r, p);
But I also have an external LDAP on my WLS. How can I add users to the external LDAP programmatically?
System Preferences > Users & Groups > Unlock the lock on the bottom left > click the plus sign on the bottom left
-
Using a User Store different from LDAP to identify users
Hello everybody,
I've developed a couple of authentication classes in Access Manager and
I found the constraint to use an LDAP user store very limiting.
I have to develop a class that check the credential against a table in
a database. I've no LDAP user store at all. I find all the relevant
information in the db. So I can correctly authenticate the user but I
can't "say" to the Identity Server that the user is also correctly
identified. In the code I can create a new NIDPPrincipal object with a
(null UserAuthority) setting its properties for the authenticated user.
It works but anyway I've to add a "fake" LDAP User store to be able to
check the "identify user" option in the method definition in the
Administration Console. And I presume that the Identity Server can
become unstable because it can not find the User in the user store.
I've looked at the LDAP Plugin extension, trying to create a "wrapper"
to the db, but the documented API is only about the LDAP definition and
does not expose any interface to catch ldap search or read (or whatever
else the Identity Server may ask to the User store) so I guess that the
LDAP access is hard-wired in the Identity server code. This approach
seems very strange because the modular architecture of the NAM solution
could work very well with other type of user stores than LDAP. I
expected to find an interface to abstract the User Authority.
Am I missing something, or are my arguments very wrong?
Thanks
Giovanni
cannata_g
cannata g wrote:
>
> Hello everybody,
> I've developed a couple of authentication classes in Access Manager
> and I found the constrain to use a LDAP user store very limitative.
>
> I have to develop a class that check the credential against a table in
> a database. I've no LDAP user store at all. I find all the relevant
> information in the db. So I can correctly authenticate the user but I
> can't "say" to the Identity Server that the user is also correctly
> identified. In the code I can create a new NIDPPrincipal object with a
> (null UserAuthority) setting its properties for the authenticated
> user. It works but anyway I've to add a "fake" LDAP User store to be
> able to check the "identify user" option in the method definition in
> the Administration Console. And I presume that the Identity Server can
> became unstable because it can not find the User in the user store.
>
> I've looked at the LDAP Plugin extesion, trying to create a "wrapper"
> to the db, but the documented API is only about the LDAP definition
> and does not expose any interface to catch ldap search or read (or
> whatever else the Indentity Server may ask to the User store) so I
> guess that the LDAP access is hard-wired in the Identity server code.
> This approach seems very strange because the modular architecture of
> the NAM solution could work very well with other type of user stores
> than LDAP. I expected to find an interface to abstract the User
> Authority.
>
> I'm missing something or my argumentations are very wrong?
I'm probably not really the right person but the way I see it is that
NAM supports LDAP userstores, therefore it kind of makes sense why the LDAP code
is so heavily embedded. Maybe log an enhancement request to see if JDBC
can be supported as an authentication mechanism.
Cheers,
Edward