Apply OID search filter for Active Directory Export Sync Profile

- currenlty we have active directory export profile working successfully
- the filter we apply at OID side is SynchronizeToAD!=OID
that means synchronize all ldap data that has a attribute value other than "OID"
- This works very well
Problem:
- We now need to make the export sync work based on a different condition. The condition being....
SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
- The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
Question:
1) Need a way to control synchronization based on attribute value.
2) So far tried the below filter value with out success
2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
2b) SynchronizeToAD=AD3
- In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
Please provide us with valid search filter to accomplish the above.
The OID profile attribute that we are trying to set is odip.profile.oidfilter

Similar Messages

Connector for Active Directory Password Sync

Friends,
We have some questions about the Connector for Active Directory Password Sync:
1. There is a need to extend the AD schema when using this connector.
2. If I have 10 domain controllers and are not synchronized, the documentation tells us to install the dll in each domain controller. Is there any way to do this if necessary, to install this dll in a single domain controller?
Thanks for your help.
regards

Definitely:
For your Point-1 Look for the Preinstallation section in the AD Password Sync Connector Guide which talks nothing about extending AD schema which supports the validity of the statement.
For your Point-2 Look for Metalink Article-432727.1 which confirms that the connector has to be installed on all the DC's
Thanks
SRS

Verification of prerequisites for Active Directory preparation failed

We currently have Windows Server 2003 SBS, SP2, Domain Controller. Would like to add Windows Server 2012, Standard, 64-bit as a backup domain controller.
"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
Exception: The RPC server is unavailable.
Adprep could not retrieve data from the server name.xxxxx.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."
What the log says is really:
"Adprep encountered a Win32 error. Error code: 0x6ba Error messa The RPC server is unavailable."
Can anyone has similar experience shred some lights to troubleshoot this? Have reviewed
other links that have similar probems but that doesn't help.
Many Thanks!

Of course I CANNOT remove Symnatec as Meinolf suggests. That would be out of my mind!! I tried to stop all their services though which doesn't help. I know this has nothing to do with Symantec. Here comes another test, the final one:
Test 8
This article is really good as it concludes very thoroughly about the problems about "800706BA - RPC Server Is Unavailable" and other WMI query issues:
http://goo dot gl/l2iha
I started looking at he ISA 2004 on our SBS 2003.
Tried to disable the RPF Filter:
a. Open Microsoft Internet Security and Acceleration Server 2004
b. Go to Configuration > Add-in and location RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'
c. Hit Apply....
d. Now I go back to Windows 7 and test the WMI query.
The result: it WORKS!
e. Next, I tried that on the Windows Server 2012 like so:
c:>wmic /node:sbs2003servername computersystem list brief /format:list
It also works!
f. Next also on Windows Server 2012, I continued on what was left over. I did the "Rerun prerequisites check " and no surprise - "All prerequisite checks passed successfully. Click 'Install' to begin installation"!
Well that concludes the problem of installing Windows Server 2012 (standard) as a backup domain controller to a Windows SBS 2003 domain controller and the troubleshooting process that finally led to a solution that solves my problem. Thanks for all
the discussions over the web. Every bit counts!
Well if this helps you in some way, give me some points to buy beer! I am going to have a drink with Bill, Cheers!

Query on DNS setup for Active Directory for a new data center

I have third party DNS appliances providing DNS Service for Active Directory (Windows 2008 R2) and there are also secondary DNS servers, which are MS DNS server with a secondary zone configured, for redundancy. I have to setup a new data center
and move servers/services to this data center. In this scenario, can I install a new Microsoft DNS server with a secondary zone and use this as the primary DNS Server for all the member servers at this new location ? I am aware that this new DNS server will
not be able to make any updates to the secondary zone and for that purpose, is there anyway to redirect such requests to the DNS appliances in my current data center across the WAN ? I am trying to avoid purchasing a new DNS appliance for the new data center
and want to know what are the alternatives I have.

im not entirely sure by your setup, as normally you would use AD integrated zones for DNS in an AD environment - although there are other options as you have already setup.
the fact the zone is a secondary zone in DNS server terms doesn't mean you can't point your clients to it as their primary dns server. They will quite happily resolve names using a secondary server.
so as long as your dns devices are correctly setup to support the additional secondary zone I see no reason why you couldn't do this.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:

MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.

Thanks ben6073 for posting your link to the solution. It worked for me as well.
I did a clean install of SL, joined the machine to the AD domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
Thanks ben6073 for the link to a fix. And thank you Rich for the post on google.
http://groups.google.com/group/macenterprise/browse_thread/thread/2c2502b08bb84c 7a?pli=1
G

Greg Plassmeyer1 wrote:
Thanks ben6073 for posting your link to the solution. It worked for me as well.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
I had this problem this morning. It went away after I rebooted and ran applejack in "auto pilot" mode. The machine is a macbook pro running Snow Leopard. The account is a mobile account tied to a windows active directory server. Applejack is available from http://applejack.sourceforge.net/. The auto pilot mode cleans out the system caches is /Library and /System/Library - perhaps this is what provides the fix? Just a guess.

Setting disk quota on Mac server for Active Directory users

I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
I also understand there's a setquota command but there's no man page on how that works.
Has anyone got disk quota for AD users working.
Better still has someone got a shell or perl script for setting quotas they could post.
Thanks
- Cameron

sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

Is there a FIND search filter for SHARED folders?

I believe Archiving will only archive the users emails not any messages displayed in a shared folder.
But when I do a FIND search by date, I still see all those messages from shared folders that other users own.
Is there a FIND search filter for SHARED folders?
Further is there a way to differentiate or filter in a FIND search for shared folders that only I own, or shared folders that are owned by other people?

condor wrote:
> The Archiving process knows not to move messages from folders that are owned
> by other people. How does it know?
The archiving process isn't "allowed" to move messages from folders that are
owned by others. This is a different matter altogether. Archiving systems
typically use either IMAP or SOAP for their access, and cannot access folders
shared by other users (Nexic Discovery is different in this if you use the API
version of it, because it can see shared folders, and will archive if you
request it).
You are comparing apples and oranges unfortunately, and the client was built to
be able to manage shared folders unlike the archiving program.
As Michael says, you can choose to not "look in" shared folders if you do not
want them to show up in a find results.
Danita
Novell Knowledge Partner
Moving GroupWise to Linux?
http://www.caledonia.net/gwmove.html

Active Directory Not Syncing Correctly in ES2

Hello,
We had our Active Directory 2003 synced up using Adobe Livecycle ES. There would be around 30,000 users that would be synced and this would take around 3 - 4 1/2 minutes to run. This worked perfectly for us for the past half of a year or so.
Last week we upgraded to ES2 and moved all of our processes over. We removed ES and did a fresh install of ES2. Everything seems to be working fine now except the Active Directory isn't syncing properly. When we run the sync, different numbers of users will be fetched. Sometimes it's around three thousand, sometimes seven thousand, sometimes ten thousand, but it never seems to get through them all. In the server log it does say that the directory synchronization completed successfully though even though the number fetched is changing. We made sure the settings are exactly the same as they were before, and we even tried a few different settings, but it still doesn't get all the users. For testing purposes, we tried changing the search filter to pick specific people that aren't showing up during the normal sync and it will show up fine, so I'm wondering if there is something stopping it from going all the way through?
We also have another enterprise domain connected which has around 2,000 users on it and have not had this problem with it.
Here are some of the sync statistics from the past few syncs: (The active directory name has been stripped for security purposes). If you need any more information please feel free to ask. We would like to have this resolved as soon as possible.
2010-05-30 21:02:51,366 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 5633
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 110 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 110,375 ms, Max 110359 ms, Min 16 ms, Avg 55187 ms
--[99.99%] [99.99%]User and group phase(1 runs) : Total 110,359 ms, Max 110359 ms, Min 110359 ms, Avg 110359 ms
----[95.78%] [95.80%]Users synch from (6 runs) : Total 105,719 ms, Max 19141 ms, Min 14281 ms, Avg 17619 ms
------[1.18%] [1.23%]Provider (31 runs) : Total 1,298 ms, Max 109 ms, Min 31 ms, Avg 41 ms
--[0.01%] [0.01%]Memberhsip phase(1 runs) : Total 16 ms, Max 16 ms, Min 16 ms, Avg 16 ms
-------Persistence Statistics-------
Users ->
added = 8
removed = 2568
updated = 5625
unchanged = 0
renamed = 0
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 8515
removed = 106
unchanged (In changed Principals) = 16784
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 113
Failed User Batches = 0
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================
2010-06-02 21:03:43,692 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 7140
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 165 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 164,781 ms, Max 164750 ms, Min 31 ms, Avg 82390 ms
--[99.98%] [99.98%]User and group phase(1 runs) : Total 164,750 ms, Max 164750 ms, Min 164750 ms, Avg 164750 ms
----[96.78%] [96.79%]Users synch from (8 runs) : Total 159,469 ms, Max 26719 ms, Min 3500 ms, Avg 19933 ms
------[1.01%] [1.05%]Provider (42 runs) : Total 1,667 ms, Max 109 ms, Min 15 ms, Avg 39 ms
--[0.02%] [0.02%]Memberhsip phase(1 runs) : Total 31 ms, Max 31 ms, Min 31 ms, Avg 31 ms
-------Persistence Statistics-------
Users ->
added = 8
removed = 5
updated = 7132
unchanged = 0
renamed = 1
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 3340
removed = 105
unchanged (In changed Principals) = 33761
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 142
Failed User Batches = 1
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================
2010-06-03 08:56:43,286 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 2960
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 68 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 67,984 ms, Max 67921 ms, Min 63 ms, Avg 33992 ms
--[99.91%] [99.91%]User and group phase(1 runs) : Total 67,921 ms, Max 67921 ms, Min 67921 ms, Avg 67921 ms
----[96.37%] [96.46%]Users synch from (3 runs) : Total 65,516 ms, Max 23016 ms, Min 19766 ms, Avg 21838 ms
------[4.00%] [4.15%]Provider (17 runs) : Total 2,719 ms, Max 844 ms, Min 31 ms, Avg 159 ms
--[0.09%] [0.09%]Memberhsip phase(1 runs) : Total 63 ms, Max 63 ms, Min 63 ms, Avg 63 ms
-------Persistence Statistics-------
Users ->
added = 2
removed = 6632
updated = 2958
unchanged = 0
renamed = 0
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 3
removed = 1
unchanged (In changed Principals) = 10035
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 60
Failed User Batches = 0
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================

We do have quite a few that are missing an attribute, specifically:
2010-06-06 21:05:47,579 WARN [com.adobe.idp.um.businesslogic.synch.LdapHelper] Record [xxxx] is missing required attribute [objectSID] for canonicalName i.e uniqueIdentifier field
This is something that was on our old system as well:
2010-05-25 03:02:35,559 INFO [com.adobe.idp.um.provider.directoryservices.LDAPDirectoryPrincipalProviderImpl] UserM:: [Thread Hashcode: 3010887] This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: xxxx
We have many users in our active directory with just email accounts so that users are able to search for a name and find the email address in outlook. I have checked through these and they look fine (though there are fewer entries in ES2 since there are fewer users being fetched).
As for the locked users, here is what we received:
2010-06-06 21:05:47,579 INFO [com.adobe.idp.um.businesslogic.synch.LdapPrincipalProvider] Found [1257] locked users while synching. These users were ignored
This sounds about right for the amount of users that were fetched.
If you have any more questions or ideas, please let us know. We would like to have this resolved as soon as possible. Thanks.

Sharepoint 2013 - Active Directory Import User Profile Property manager fields

Hi there,
I juste encountered actually a little issue regarding the Active Directory Import User Profil.
Importation seems to work well but I have a little problem regarding the Manager field.
When I verify a user profil through the sharepoint admin page ("Manage user profil") , I can see the manager field is correctly populated, but if I want to check my profil as a user (personal information), the manager field is not visible.
With Sharepoint Admin and Manage Profil Properties, I haven't the possibility to modify some settings for the manager.
For example, Policy parameters is greyed.
The only way I found to show this field in a user profil is to give the permission "allow users to Edit values ...".... setting I don't want to set.
Have you already this sort of issue ?
Thanks for your help/idea.

Hi Michael,
I don't remember well what I did exactly regarding this issue because I played a lot with user profil.
I know I used this powershell script from Sheyia which in fact help me a lot to clean and create a good profil setting.
http://blogs.technet.com/b/sheyia/archive/2013/10/09/sharepoint-2013-another-way-to-change-order-for-user-profile-properties-via-powershell.aspx
For example, this script help me to resolve some double entries.
Let-me know if it help you (or not of course)

Active Directory exports to OID (concerning password storage)

I dont know if this is answered somewhere else but I am hoping to get an answer from people who have synchronized OID to active directory already.
My question is do the AD passwords get stored in OID along with all the other user information during the sync? I know you must use an external plugin to authorize users against their passwords that come from AD.
I am just curious about this since it will probably be an issue for me down the line. Thanks!

Hi Seth
Its your choice. If you are using the External Authentciation feature in OID it is not necessary to store AD passwords in OID.
Keep this in mind about password synchronization between OID and AD. Currently all attributes are capable of two way synchronization between OID and AD except one. That is the users password. It is possible to synchronize a password from OID to AD but not from AD to OID.
This is primarily becaue Microsoft uses proprietary password hashing called "Unicode Password Hash" which as I said is proprietary to Microsoft. OID like most other LDAP servers supports open source password hashing such as MD5, MD4, SHA, SSHA and Crypt to name a few. Microsoft does not support any of these to my knowledge. So even if you could pass a user password from Active Directory to OID OID does not support MS password hashing.
We are however able to synchronize passwords from OID to AD over SSL. This is done with a feature called "Reversible Encrypted Password". By default this feature is turned off. When you enable this feature OID will store the users password in two different attributes. One is the traditional "userpassword" attribute which uses the hashing schemes I mentioned earlier. The other is a password attribute that stores the users password in an encrypted format that can be reversible to clear text. This clear text password can then be sent over SSL using a wallet to the AD server.
In version 10.1.3 (Mid 2005)of OID we plan to release a feature that will allow passwords from AD to be synched with OID. Until then Passwords can only be synched from OID to AD.
Jay

Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&2', &3);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&4', &5);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
-- SSL bind
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&6', &7);
     plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&8', '&9', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&10', &11);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&12', '&13', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&16', &17);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&18', &19);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
          plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&20', &21);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&22', '&23', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&24', &25);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&26', '&27', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
     result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
     plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&29', &30);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&31', &32);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&33', &34);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&35', '&36', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&37', &38);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&43', &44);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&45', &46);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&47', &48);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&49', '&50', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&51', &52);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&53', '&54', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
     if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
     then
     echo "The input passwords are not matched";
     exit 1;
     fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE

Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If

SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

Hi
I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have access to the library and list, except for
a few additional folk who I have made individual members.
My PROBLEM:
I have created a SharePoint 2013 Workflow using SPD 2013 associated with the Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
the form and go to different Stages depending on that status.
The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
Here's a print of the info from the Workflow Status page (I don't have access to server logs):
RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor
Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
user who started the workflow, unlike 2010 which used System Account).
All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
Does anyone have any ideas why this is happening and what I can try to fix it?
Mark

Hi Lars,
I'm afraid not so far but we are trying a few things today so I will post back with results.
First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
"If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
I'll update when we try these ideas. If you have any luck please do the same.
Mark
(sorry about formatting - using my phone....)
Mark

Resetting ActiveSync Adapter for Active Directory

I would like my Active Directory ActiveSync adapter to detect change made only after it is initially started and to disregard any changes prior to that time. The ActiveSync setup appears to allow this by checking the box labeled "When reset, ignore past changes".
That doesn't appear to be happening, however. Whenever the adapter is started and stopped, it still goes back and appears to search through modifications made well before the adapter was started.
The help item for that checkbox has this little bit of advice: "To reset the adapter, edit the XmlData object SYNC_resourceName to remove the MapEntry for the desired synchronization process, e.g. ActiveSync.", but doing that has made no difference at all.
What is the trick to completely resetting the AD ActiveSync adapter and getting it recognize only changes made from the point in time at which it was started?

steps.
Restart your server with the active sync in Manual mode, and then check the box "When reset, ignore past changes" and also delete the IAPI_Resource_name.
now start the active sync, and change the manual mode if required / as well remove the reset check box.
This is what i did when i faced with the same issue. and it worked for me.

SMB access for Active Directory users

Hi there,
My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
My smb.conf file is as follows:
; Configuration file for the Samba software suite.
; ============================================================================
; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
; The following configuration should suit most systems for basic usage and
; initial testing. It gives all clients access to their home directories and
; allows access to all printers specified in /etc/printcap.
; BEGIN required configuration
; Parameters inside the required configuration block should not be altered.
; They may be changed at any time by upgrades or other automated processes.
; Site-specific customizations will only be preserved if they are done
; outside this block. If you choose to make customizations, it is your
; own responsibility to verify that they work correctly with the supported
; configuration tools.
[global]
debug pid = yes
log level = 1
server string = Mac OS X
printcap name = cups
printing = cups
encrypt passwords = yes
use spnego = yes
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
map to guest = Bad User
guest account = nobody
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
dos charset = 437
vfs objects = darwinacl,darwin_streams
; Don't become a master browser unless absolutely necessary.
os level = 2
domain master = no
; For performance reasons, set the transmit buffer size
; to the maximum and enable sendfile support.
max xmit = 131072
use sendfile = yes
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes
; Enable locking coherency with AFP.
darwin_streams:brlm = yes
; Core files are invariably disabled system-wide, but attempting to
; dump core will trigger a crash report, so we still want to try.
enable core files = yes
; Configure usershares for use by the synchronize-shares tool.
usershare max shares = 1000
usershare path = /var/samba/shares
usershare owner only = no
usershare allow guests = yes
usershare allow full config = yes
; Filter inaccessible shares from the browse list.
com.apple:filter shares by access = yes
; Check in with PAM to enforce SACL access policy.
obey pam restrictions = yes
; Don't be trying to enforce ACLs in userspace.
acl check permissions = no
; Make sure that we resolve unqualified names as NetBIOS before DNS.
name resolve order = lmhosts wins bcast host
; Pull in system-wide preference settings. These are managed by
; synchronize-preferences tool.
include = /var/db/smb.conf
[printers]
comment = All Printers
path = /tmp
printable = yes
guest ok = no
create mode = 0700
writeable = no
browseable = no
; Site-specific parameters can be added below this comment.
; END required configuration.
Any help would be much appreciated!!
Thanks.

I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
[2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
Not feeling the Mac OS X love tonight.
Bill
System is bound to active directory - green light in Directory Utility

Date and Time Sync at boot for Active Directory/Open Directory Authenticati

All the macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then login in with a local admin account set the time and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounst (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?

I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That however is not the case that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? well that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.

Apply OID search filter for Active Directory Export Sync Profile

Similar Messages

Maybe you are looking for