Associating a userid to LDAP Groups

Hi,
I am creating a new record for a user in the LDAP by configuring the LDAP as a resource in IDM. But how do I associate the user to an LDAP group, i.e. update the group with the uniquemember value set to the userid of the newly created record from IDM?
Thanks in advance
Regards
Jeyanth

No, the way groups are used in AD and Unix is different. In AD, you add an attribute to the user's account entry which points to the group entry (correct me if I'm wrong here). That's easy to implement in IdM even with my limited knowledge of the product :-) For Unix groups, membership is defined by adding a value, which corresponds to the user's uid, to the memberuid attribute (part of the posixGroup objectclass), which is stored in the group's entry itself.
So when I create a new user through the LDAP RA, I want to:
a) add a new user to ou=people,dc=domain,dc=com and
b) modify gidnumber=<group id>,ou=Group,dc=domain,dc=com and add the LDAP userid value to the memberuid attribute
Hope I didn't confuse anyone!
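As an added example (not code from the original posts, from IdM, or from any LDAP resource adapter), here is how the two operations in (a) and (b) can be emitted as LDIF change records from Python, ready for ldapmodify -a or whatever update path the resource adapter exposes. It assumes the DN layout given above (ou=people for user entries, gidNumber=<gid>,ou=Group for the posixGroup entry) and a constructed ldapsearch result for the target group; everything else is standard library. Two practitioner points are built in: the uid is validated before it is placed in a DN or a home-directory path, and the memberUid add is skipped when the value is already present, because an LDAP add of an existing value fails the whole modify with attributeOrValueExists.

```python
import base64
import re

BASE_DN = "dc=domain,dc=com"          # suffix taken from the post
PEOPLE_OU = "ou=people," + BASE_DN    # user entries
GROUP_OU = "ou=Group," + BASE_DN      # posixGroup entries; assumed RDN gidNumber=<gid>, as in the post

# POSIX login names only: no path or DN metacharacters can reach homeDirectory or the DN.
_UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_RDN_SPECIAL = set(',+"\\<>;')
# RFC 2849 SAFE-STRING: first byte not NUL/LF/CR/space/colon/'<', every byte ASCII, no NUL/LF/CR.
_SAFE_INIT = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_REST = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def validate_uid(uid: str) -> str:
    if not _UID_RE.fullmatch(uid):
        raise ValueError(f"refusing uid {uid!r}: not a POSIX login name")
    return uid


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in a DN so it cannot inject extra RDN components."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values that are not SAFE-STRINGs go out as 'name:: <base64>'."""
    if not value:
        return f"{name}: "
    if _SAFE_INIT.fullmatch(value[0]) and _SAFE_REST.fullmatch(value[1:]) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_add_record(uid, uid_number, gid_number, cn, sn, shell="/bin/bash"):
    """LDIF 'add' record for a posixAccount entry under ou=people (step a)."""
    validate_uid(uid)
    dn = f"uid={escape_rdn_value(uid)},{PEOPLE_OU}"
    lines = [ldif_attr("dn", dn), "changetype: add",
             "objectClass: top", "objectClass: person", "objectClass: posixAccount",
             ldif_attr("uid", uid), ldif_attr("cn", cn), ldif_attr("sn", sn),
             f"uidNumber: {int(uid_number)}", f"gidNumber: {int(gid_number)}",
             ldif_attr("homeDirectory", f"/home/{uid}"), ldif_attr("loginShell", shell)]
    return "\n".join(lines) + "\n"


def group_add_member_record(gid_number, uid, current_members=()):
    """LDIF 'modify' record appending uid to memberUid (step b), or None if already a member.

    Adding a value that already exists makes the server reject the whole modify
    (attributeOrValueExists), so read the group first and pass its memberUid values in.
    """
    validate_uid(uid)
    if uid in set(current_members):
        return None
    dn = f"gidNumber={int(gid_number)},{GROUP_OU}"
    lines = [ldif_attr("dn", dn), "changetype: modify", "add: memberUid", ldif_attr("memberUid", uid), "-"]
    return "\n".join(lines) + "\n"


def member_uids_from_ldif(entry_text: str):
    """Pull memberUid values out of an ldapsearch LDIF entry, decoding base64 lines."""
    members = []
    for line in entry_text.splitlines():
        if line.startswith("memberUid:: "):
            members.append(base64.b64decode(line[len("memberUid:: "):]).decode("utf-8"))
        elif line.startswith("memberUid: "):
            members.append(line[len("memberUid: "):])
    return members


def provisioning_ldif(uid, uid_number, gid_number, cn, sn, group_entry_ldif=""):
    """Both change records, user add first, in one LDIF document."""
    records = [user_add_record(uid, uid_number, gid_number, cn, sn)]
    modify = group_add_member_record(gid_number, uid, member_uids_from_ldif(group_entry_ldif))
    if modify is not None:
        records.append(modify)
    return "\n".join(records)


# Constructed ldapsearch output for the target group (not from a real directory).
SAMPLE_GROUP_ENTRY = """\
dn: gidNumber=1001,ou=Group,dc=domain,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 1001
memberUid: alice
memberUid: bob
"""

if __name__ == "__main__":
    print(provisioning_ldif("jeyanth", 10001, 1001, "Jeyanth K", "K", SAMPLE_GROUP_ENTRY))
```

Apply the output with ldapmodify -a -x -D <admin dn> -W -f provision.ldif. memberUid is a plain string with no referential integrity, so the directory will not stop a dangling or duplicated value on its own; the membership check before the modify is the only guard against the duplicate-value failure, and deprovisioning needs a matching delete: memberUid record.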

Similar Messages

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then trying to log in to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret

  • LDAP groups to pool assignation problem

    Hi All,
    I have created two pools "Vista" and "Ubuntu" with two LDAP groups associated ("Vista" and "Ubuntu"). I have a user "XX" which is in both LDAP groups (Vista and Ubuntu).
    When I display information about user XX in the Web interface, I get the information that the user is in 2 pools. But when I try to connect, I don't get any chooser and a desktop is started (generally the last used).
    Both pools contain enough free desktops (about 10).
    I have tried to use the "vda" command to see the configuration from the command line. Unfortunately, I don't succeed. The command "vda user-search" gives me the answer "XX uid=XX,ou=People" and when I try to pass the command "vda user-show XX" I get the answer "user not found, try command vda user-search".
    I use VDI3 software with the latest patches.
    Any help or idea would be greatly appreciated.
    Thanks
    rhino64

    Hello,
    you can look for more information about the failing commands in the cacao log file
    /var/cacao/instances/default/logs/cacao.0
    after increasing the log level as explained in:
    [http://wikis.sun.com/pages/viewpage.action?pageId=139002331|http://wikis.sun.com/pages/viewpage.action?pageId=139002331]
    rhino64 wrote:
    root@zzz:/ # vda user-show test1
    User test1 not found. Use the user-search subcommand to search for existing
    users or groups.
    root@zzz:/ # vda user-show 10009
    User 10009 not found. Use the user-search subcommand to search for existing
    users or groups.
    In the two commands above, you seem to be trying to use the userid of the user. VDI uses the list of attributes defined in the global setting ldap.userid.attributes to search for users from their userid. So what is the value of the ldap.userid.attributes setting?
    #/opt/SUNWvda/sbin/vda settings-getprops -p ldap.userid.attributes
    And then what is the value of the corresponding attribute for your user? You should use this value as userid for your user.
    It is up to you to decide which attribute of the directory is the userid of your user, and then edit ldap.userid.attributes accordingly.
    See http://wikis.sun.com/display/VDI3/Customizing+the+LDAP+Filters+and+Attributes for more details.
    root@zzz:/ # vda user-show 'cn=test1,ou=People'
    User cn=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups.
    This command would not work because, as listed in the user-search command, the dn for your user is not cn=test1...
    root@zzz:/ # vda user-show 'uid=test1,ou=People'
    User uid=test1,ou=People not found. Use the user-search subcommand to search for
    existing users or groups.
    This command should work fine and I can't really explain why it doesn't. The only difference I can see with the result of user-search is the capitalized 'People' so maybe try:
    # vda user-show 'uid=test1,ou=people'
    Katell

  • OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

    Greeting Experts
    I am trying to get a clear understanding of how these different groups play out in the OBIEE world. Ideally I am looking to get clarity around what the boundaries are for these groups (what they control and don't). I would really appreciate it if someone could enlighten me.
    Thank you very much.

    Will LDAP Group security take precedence over Catalog Group security?
    Yes
    When it comes to LDAP security, can it be extended to control Authorization besides just User Authentication?
    Basically LDAP groups are associated with the users and those groups are in turn associated with Application Roles, so Authorization and Authentication can be done using Application Roles rather than a group.
    But if you have catalog groups (default 10g security model) you can still assign application roles to those catalog groups and enable object level security (Go to Administrator ---> Manage Catalog Groups ---> select any default 10g group; there you can search and add application roles)
    thanks,
    Saichand

  • Use of LDAP group external authentication in Essbase v7.16

    Hello Experts,
    One of my customer wants an answer for his query -
    They currently use LDAP external authentication with userid only and would like to use LDAP groups. Is this supported in version 7.1.6? (I heard that it is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x)
    My Research:
    I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
    Can you explain how this works?
    Thank you
    Example 1
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
    AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
    Example 2
    The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
    AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=[email protected]:389
    Regards,
    Sonal
    Edited by: 637223 on Oct 23, 2009 7:16 PM

    I do not believe using LDAP groups is supported in 716.

  • LDAP Group

    Is there a way to control the depth TES 6.1 can query AD Groups?
    For example, I created AD sec groups TESScheduler, TESMIgrators, TESOperator and TESInquiry.
    Inside AD group TESScheduler, I want to add another AD security group instead of an AD Account (user).
    When I tried it, TES 6.1 would not recognize the AD security group inside the AD security group; it only works when I put in users.
    Also, since moving the security policy to be associated with the LDAP Group, I can no longer impersonate the users.  I may have read this somewhere (probably since the sec policy is no longer associated with the user) - does someone remember where this was mentioned?

    Thanks for the response - I just wanted to check if maybe there is a configuration setting that can be tweaked currently.  I will log a case since this will make it easier for me to get away from managing users.
    Did have a followup question to get an idea of how everyone else is using the LDAP group capability.  We are very distributed in terms of the teams/workgroups - each team has total autonomy over their jobs and the objects they own and job activity functions.
    With the help of consultants, this is what we have devised, and I'll outline the challenges with it:
    First we decided to use the team's existing AD sec group to control the functional aspect of security (as in which workgroup they have access to).  This ensures that Tidal access to workgroups is always up to date - in case someone joins the team or leaves the team.
    We then create an LDAP group for each workgroup (associating runtime users and agents with the LDAP group).  We took any users and agents out of the workgroups and moved them to the LDAP group.
    Then we created four new AD sec groups to control what users can do with the objects they have access to.
    - TESScheduler
    - TESOperator
    - TESMigrator
    - TESInquiry
    Lastly in Tidal, we create the 4 LDAP groups for the security policy access, linking them to the new AD sec groups.
    So that for example, if Pete belongs to the Finance team and is a scheduler: he is automatically in the Finance team AD sec group as soon as he is hired.  Then someone (Tidal Admin) adds him manually to the TESScheduler AD sec group - then voila, he can log into Tidal with the appropriate access.
    Challenges with this (aside from the bug I encounter when adding an LDAP group to a workgroup >_<):
    - it would be nice if I could add the team's AD sec group into TESScheduler (as mentioned in my original post)
    - I am still having to be in the picture whenever someone needs Tidal access granted or revoked, because a central body needs to make sure that a user is not in more than one of the sec policy AD groups (TESScheduler, TESOperator, ...).  We have sold this LDAP group thing as a way for teams to finally control their own access but that is not the case really.
    We have decided to live with this model but wondered if other implementations with distributed user bases have other ways to deal with this.  I can obviously open the 4 new sec policies for the teams to edit on their own but I cannot guarantee they will check for duplicates and not accidentally delete other folks etc.  Also, some folks who belong to multiple workgroups have to be handled differently since they may want to be schedulers for Finance but Marketing requires them to be operator only - which means they really can't be a scheduler.  In this case, they have to be an operator only to belong in both groups, or not be in Marketing at all to get Scheduler privs.  Kind of goes against the cumulative access model that TIDAL 6 is based on.
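Added example, not part of the post and not code from TES/Tidal: the difference between reading a group's direct members (what the post describes TES 6.1 doing) and resolving nested groups, written in Python over a constructed snapshot of AD-style entries (objectClass group, member attribute holding DNs). The group names follow the post; every DN, user and nesting relation is invented. The walk is iterative with a visited set, so a membership cycle or a member DN that no longer exists does not break it, and policy_conflicts does the "is anyone in more than one policy group" check the post says a central body has to perform by hand.

```python
"""Nested AD-style group expansion over a constructed directory snapshot."""
from typing import Dict, List, Set

Directory = Dict[str, Dict[str, List[str]]]
SUFFIX = "dc=example,dc=com"   # invented suffix


def normalize(raw: Directory) -> Directory:
    """Case-fold every DN (LDAP DNs compare case-insensitively) so lookups are exact."""
    out: Directory = {}
    for dn, attrs in raw.items():
        entry = dict(attrs)
        if "member" in entry:
            entry["member"] = [m.casefold() for m in entry["member"]]
        out[dn.casefold()] = entry
    return out


def is_group(entry: Dict[str, List[str]]) -> bool:
    return "group" in entry.get("objectClass", [])


def direct_users(group_dn: str, directory: Directory) -> Set[str]:
    """What a consumer that reads only the group's own 'member' values sees: direct users, no nesting."""
    return {m for m in directory.get(group_dn.casefold(), {}).get("member", [])
            if m in directory and not is_group(directory[m])}


def expand_group(group_dn: str, directory: Directory) -> Set[str]:
    """All user DNs reachable through nested groups.

    Iterative walk with a visited set: a cycle (A contains B, B contains A)
    terminates, and a member DN that no longer exists is skipped, not fatal.
    """
    start = group_dn.casefold()
    users: Set[str] = set()
    visited = {start}
    stack = [start]
    while stack:
        dn = stack.pop()
        for member in directory.get(dn, {}).get("member", []):
            entry = directory.get(member)
            if entry is None:
                continue                      # dangling reference (deleted or mistyped object)
            if is_group(entry):
                if member not in visited:
                    visited.add(member)
                    stack.append(member)
            else:
                users.add(member)
    return users


def policy_conflicts(directory: Directory, policy_groups: List[str]) -> Dict[str, List[str]]:
    """Users who end up in more than one mutually exclusive policy group, after nesting is resolved."""
    seen: Dict[str, List[str]] = {}
    for group in policy_groups:
        for user in expand_group(group, directory):
            seen.setdefault(user, []).append(group.casefold())
    return {u: sorted(gs) for u, gs in seen.items() if len(gs) > 1}


def _user(cn: str) -> str:
    return f"cn={cn},ou=People,{SUFFIX}"


def _group(cn: str) -> str:
    return f"cn={cn},ou=Groups,{SUFFIX}"


# Constructed snapshot.  Finance <-> FinanceLeads form a cycle on purpose, and
# TESScheduler carries a member DN (Ghost) that does not exist in the directory.
DIRECTORY = normalize({
    _user("Pete"): {"objectClass": ["user"]},
    _user("Lee"): {"objectClass": ["user"]},
    _user("Dana"): {"objectClass": ["user"]},
    _group("Finance"): {"objectClass": ["group"], "member": [_user("Pete"), _group("FinanceLeads")]},
    _group("FinanceLeads"): {"objectClass": ["group"], "member": [_user("Lee"), _group("Finance")]},
    _group("Marketing"): {"objectClass": ["group"], "member": [_user("Pete")]},
    _group("TESScheduler"): {"objectClass": ["group"],
                             "member": [_group("Finance"), _user("Dana"), _user("Ghost")]},
    _group("TESOperator"): {"objectClass": ["group"], "member": [_group("Marketing")]},
})
POLICY_GROUPS = [_group("TESScheduler"), _group("TESOperator")]

if __name__ == "__main__":
    print("direct only:", sorted(direct_users(_group("TESScheduler"), DIRECTORY)))
    print("nested     :", sorted(expand_group(_group("TESScheduler"), DIRECTORY)))
    print("conflicts  :", policy_conflicts(DIRECTORY, POLICY_GROUPS))
```

On the sample data the direct read of TESScheduler yields only Dana, while the nested expansion yields Pete, Lee and Dana, and Pete is flagged because Marketing (an operator-only group) places him in TESOperator as well. Against a live directory the same logic applies to the member values returned by a search; Active Directory can also do the expansion server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter on memberOf, but a consumer that only reads a group's direct members, as the post describes, never sees the nested users either way.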

  • LDAP Group Membership

    I need help.  I have a case where an LDAP group shows users as members but some of these users do not show the group in their "Member Of" listing when looking under the Home -> Users -> <userid> listing.  What could be causing this?  The LDAP group was recently added to the server.  Thanks.

    Stephen,
    One returns an array (table) of groups and the other returns a ":" delimited string. Describing them from SQL Plus returns:
    FUNCTION MEMBER_OF RETURNS TABLE OF VARCHAR2(32767)
    Argument Name                  Type                    In/Out Default?
    P_USERNAME                     VARCHAR2                IN     DEFAULT
    P_PASS                         VARCHAR2                IN     DEFAULT
    P_AUTH_BASE                    VARCHAR2                IN
    P_HOST                         VARCHAR2                IN
    P_PORT                         VARCHAR2                IN     DEFAULT
    FUNCTION MEMBER_OF2 RETURNS VARCHAR2
    Argument Name                  Type                    In/Out Default?
    P_USERNAME                     VARCHAR2                IN     DEFAULT
    P_PASS                         VARCHAR2                IN     DEFAULT
    P_AUTH_BASE                    VARCHAR2                IN
    P_HOST                         VARCHAR2                IN
    P_PORT                         VARCHAR2                IN     DEFAULT
    Thanks,
    Tyler

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group then it's not added and I get the below error message in the Logging directory for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Add userid to user group in Windows Vista OS

    The operating system is WINDOWS VISTA on my machine. I successfully installed Oracle 10 R2 10.2.0.3 and upgraded it to 10.2.0.4.
    I have the following issue after upgrading to 10.2.0.4:
    From the DOS command prompt, I ran as "Run as Administrator" and then I did sqlplus /nolog.
    I have the following issue when I CONNECT / AS SYSDBA:
    When I do sqlplus /nolog and CONNECT / AS SYSDBA, I get the following error:
    SQL> connect / as sysdba
    ORA-01031 insufficient privileges
    I should be able to CONNECT / AS SYSDBA without using the SYS password to do exports and imports.
    Oracle suggests that I could ADD my userid on my machine to the ORA_DBA group (Windows Group) and this could fix the issue.
    Please let me know where I can find the ORA_DBA group (Windows Group) in WINDOWS VISTA.
    How do I add my userid to the ORA_DBA group in Windows Vista?
    Thanks!

    Duplicate Thread.
    Add userid to user group in

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    I am trying to build up a synchronised user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administer the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach a synchronised user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    <b>The question is, is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?</b>
    Or is there another way to administer users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case you have to use the concept of central user administration. Use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps you to get a fair bit of an idea
    don't forget to give points
    With regards
    subrato kundu

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have
    2 groups in iPlanet :- contractors and employees, and I have 2 security roles in weblogic :-
    contractors and employees. How do I map LDAP group contractors to weblogic security
    Role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of weblogic (the WebLogic Security Realm
    under People) OR do I have to write my own custom code?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
    parameters)?
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. You don't have to
    download any additional driver. Use it as you normally would; the only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials" -
    That works fine, but I would not like all users in my OID LDAP directory to log into my application - which is why I have created a group for the users I want to include in my OID directory.
    Now at Builder->Application...->Security->Authorization Schemes->
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source (Identify Query or PL/SQL) is as follows and is set to "once per session":
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB'.
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then use that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • Cannot Add user to CMC Group when they are a member of LDAP group

    On PreProduction Server CMC
    Softerra LDAP browser used to verify user is a member of LDAP group
    User does not show as a member of that group in the CMC
    Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
    On Production Server CMC
    For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
    Why don't the groups in CMC show what is actually showing in the LDAP browser?

    Hi,
    Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
    Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
    If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
    Regards,
    Julian

  • Webcenter discussion forum - LDAP Group Integration with JSSO

    Hi,
    We want to implement LDAP Group integration for authorization purposes in
    the webcenter Jive Discussions deployed in our IAS 10.1.3.2 application server.
    Though Jive provides support for the same, the Jive documentation says
    that we need to implement Jive's LDAP User authentication steps in order
    to leverage LDAP Groups integration. In the case of Webcenter, if we use Java SSO
    for the authentication purpose, we need to opt for the 'Default' in the Jive
    Admin's authentication page instead of LDAP settings. Opting for the 'Default'
    scheme doesn't allow us to configure the LDAP group settings. We are not able to
    find any documentation for LDAP Group Integration along with Java SSO. Could you
    provide us the steps required for the same? Or has anyone tried the same?
    Thanks and Regards,
    Abhijit

    Hi Abhijit,
    You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
    - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
    - Jive documentation for implementing user authentication
    Navneet.
