Authentication of portal users with uid on oid/ldap

All works fine when authenticating users created on DAS that have
dn: cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com
When I migrated a user to the portal schema, the auth fails. The portal schema has the user DN string
uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com
I got this DN string from an export to an LDIF file. The portal user can log in to DAS.
We are using HTMLdb 1.6 and I used
LDAP Host [LDAP Test Tool] at /htmldb/f?p=4000:802 to test the parameters.
How do I make this uid DN work with AppEx?
Thanks.

Kenny,
I would forget about using the is_member function for authentication until you achieve what you need directly with dbms_ldap. You can experiment with an anonymous block in SQL*Plus starting with this sample code until you can get the simple_bind_s to work with your parameters:

set serveroutput on
declare
    l_retval      pls_integer;
    l_retval2     pls_integer;
    l_session     dbms_ldap.session;
    l_ldap_host   varchar2(256);
    l_ldap_port   varchar2(256);
    l_ldap_user   varchar2(256) := 'FIRSTNAME_LASTNAME'; -- enter username in this format
    l_ldap_passwd varchar2(256) := 'PASSWORD';           -- enter password
    l_ldap_base   varchar2(256);
begin
    l_retval                := -1;
    dbms_ldap.use_exception := TRUE;   -- failures raise exceptions instead of returning codes
    l_ldap_host := 'ldap-host.some-domain.com';
    l_ldap_port := '389';
    -- build the bind DN from the username; adjust the suffix to your directory
    l_ldap_user := 'cn='||l_ldap_user||',l=amer,dc=oracle,dc=com';
    l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
    l_retval  := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
    dbms_output.put_line( 'Return value: ' || l_retval );
    l_retval2 := dbms_ldap.unbind_s( l_session );
exception
    when others then
        dbms_output.put_line( rpad('ldap session ',25,' ') || ': ' ||
            rawtohex(substr(l_session,1,8)) || ' (returned from init)' );
        dbms_output.put_line( 'error: ' || sqlerrm || ' ' || sqlcode );
        dbms_output.put_line( 'user: ' || l_ldap_user );
        dbms_output.put_line( 'host: ' || l_ldap_host );
        dbms_output.put_line( 'port: ' || l_ldap_port );
        l_retval := dbms_ldap.unbind_s( l_session );   -- release the session even on failure
end;
/

Scott
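As an added example (not part of the thread), here is the same bind turned into the custom authentication function that an HTMLdb/APEX authentication scheme can call, using the uid=...,ou=people DN from the question. It assumes the (p_username, p_password) returning boolean signature APEX expects for a custom authentication function; host and port are placeholders, and the empty-password and DN-character checks are defensive additions, since a simple bind with an empty password is an anonymous bind that a directory may accept.

```plsql
-- Added example: APEX custom authentication function binding as
-- uid=<user>,ou=people,dc=edmunds,dc=com. Host/port are assumed values.
create or replace function ldap_uid_auth (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_session dbms_ldap.session;
    l_retval  pls_integer;
    l_dn      varchar2(512);
    l_host    constant varchar2(256) := 'oid.example.com';   -- assumed host
    l_port    constant pls_integer   := 389;                 -- assumed port
    l_base    constant varchar2(256) := 'ou=people,dc=edmunds,dc=com';
begin
    -- An empty password makes simple_bind_s an anonymous bind, which many
    -- directories accept; treat it as a failed login, never as success.
    if p_username is null or p_password is null then
        return false;
    end if;

    -- Refuse DN-special characters instead of trying to escape them, so a
    -- username cannot alter the bind DN (e.g. "x,ou=admins").
    if regexp_like(p_username, '[,+"\<>;=#]') then
        return false;
    end if;

    l_dn := 'uid=' || p_username || ',' || l_base;

    dbms_ldap.use_exception := true;
    -- A directory that is down raises here and propagates to APEX, which
    -- is preferable to silently reporting "invalid login".
    l_session := dbms_ldap.init(l_host, l_port);
    begin
        l_retval := dbms_ldap.simple_bind_s(l_session, l_dn, p_password);
        l_retval := dbms_ldap.unbind_s(l_session);
        return l_retval = dbms_ldap.success;
    exception
        when others then
            -- Bad credentials raise because use_exception is true.
            -- Always release the session, then report failure.
            begin
                l_retval := dbms_ldap.unbind_s(l_session);
            exception
                when others then null;
            end;
            return false;
    end;
end ldap_uid_auth;
/
```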

Similar Messages

  • Mapping between multiple portal user with single R/3 user

    Hi,
    Is it possible to map multiple portal users to a single R/3 user? If yes, then what is the procedure to achieve it? Is it possible for more than one portal user mapped to the same R/3 user to log on at the same time in the production system?
    Thanks,
    Kundan

    You can always do that using user mapping in User Admin -> Identity Management,
    where for each user's details you get a tab called User Mapping.
    You have to create an R3 system in System Admin and give it a system alias.
    Use this system alias in user mapping.
    You can map multiple portal users to a single R3 user and they can work in parallel.
    But make sure that you have the proper license for doing that.
    Raghu

  • Create a portal user with a specific Organizational Unit in the OID??

    I would like to split my portal users by Organizational Units in the OID.
    e.g.:
    ou=country1, cn=user1
    ou=country1, cn=user2
    ou=country2, cn=user3
    is it possible?
    is it possible through the administer tab of Portal?
    Any experience ?
    feedback??
    Thanks
    Didier

    I think it is feasible.
    But not through Administer tab.
    Use your own api to add users (DBMS_LDAP.add_s + WWSEC_API.add_portal_user)
    cn=user1, ou=country1, cn=user_search_base
    cn=user2, ou=country2, cn=user_search_base
    or maybe try to change dynamically user_create_base, I don't know if it is possible or not

  • Create new portal-user with webservice

    Hi,
    I'm trying to develop an EJB web service that creates a new portal user.
    The web service is working so far; I made methods like getDisplayName(), which returns the display name for a logon ID, and so on. All this is working. I'm using the component sap.security.api.sda for this.
    Problem: user creation is not working. I think the problem might be that a web service is not authorized to create users? Or, putting it another way: is it possible for a web service to "log in" at the portal, or somehow authorize itself?
    Thanks and regards
    Jan Hempel

    Hi Detlev,
    thanks for Your answer.
    It seems that the problem was caused by using array parameters in the web service method?!
    Strange, but after removing the array parameter from the method it worked! Before that, the web service never returned anything, not an error or anything else.
    Well, strange enough, but I can live with that.
    regards
    Jan

  • Synchronize portal users with R/3 automatically

    I am trying to find out more about how the portal will automatically create a user and assign it its relevant roles once the user has been created in R/3. I understand this is possible with ECC6? I have searched but can't seem to find what I am looking for.
    Any links/advice will be much appreciated.

    Hi,
    You can use the ABAP server as the data store for portal users, so all the user IDs, roles and groups in the ERP system are available in the portal.
    Please check the following link & sublinks for detail info.
    http://help.sap.com/saphelp_nw70/helpdata/en/49/9dd53f779c4e21e10000000a1550b0/frameset.htm
    Regards,
    Abhishek

  • Creating portal users with owner privileges?

    Hello,
    I need to let local administrators create users in the portal.
    This is based on instance-specific privileges, not global.
    Setting them to 'owners' of the group in the portal should let them add users.
    Once created, when I log in as one of them I do not have the privileges of being an
    'owner', even though it's visible in the portal that I am an owner.
    Anybody?
    /

    Hi,
    To make the problem a little clearer:
    I want to have "local administrators" that can manage portal users, i.e. delete, insert and update portal users.
    However, I do not want these "local administrators" to be "Full administrators"; too dangerous.
    The "local administrators" should belong to the same group as the users they are set to administer. The
    only difference between a "local administrator" and a user of a group is that the "local administrator" has privileges
    to manage the other users of the group. If I have understood the concept right, an owner has these privileges.
    I made them owners of the group, but this did not enable them to manage users.
    This must be a rather common approach, to have some users able to administer other users without being a full-fledged DBA.
    Right now I'm looking into mapping them (the local administrators) to a different database schema with rights to manage users.
    I realize that to map them to another schema, the checkbox "Use this schema for Portal Users" has to be checked when creating the
    schema. How do I check if this was checked, and if it wasn't checked, can I alter it now?
    Another thought is to dynamically, upon meeting certain conditions, make them Full Administrators, then after finishing the task
    reinstate them as normal users.. but this.. well hmm
    Thanks.
    /

  • Login window hides user with UID 1000

    I had to change my primary user's UniqueID to 1000 to access NFS shares on a linux box.
    Ever since then the account became "hidden" in the sense that regardless of the login window's option of "show list of users" I can only log in by selecting the "Other" option and supplying the username+password.
    I have researched extensively and some people over different forums reported this behaviour as well specific to UID 1000. Nevertheless this "feature" is absolutely undocumented.
    Would anyone know of a plist option that puts this user back to the login screen list?
    I suppose alternatively I could change the UID back to 501 on both the Mac and the linux box so they'd be in sync...

    Thanks for the response.
    I realize that I need to chown some user-specific folders and files. I also did that on my current system.
    Nevertheless... some things are still not working properly. I believe I'm not quite there yet.
    I would like to know how to do this the simple but correct way... in LION.
    I think it's a bit overkill to use your scripts, due to all the LDAP stuff.
    There must be a specific way to add users with a specific UID on LION on a single OSX installation.
    I have found lots of halfway-there solutions on the net... but would really like to see something more official!
    I kind of made a workaround with my NFS share on my linux server, using a special way to mount them avoiding the UID problems.
    On the linux box in etc/exports... I export the NFS share like this.
    /media/RAID5/xxxx *(rw,async,no_subtree_check,insecure,anonuid=1000,anongid=1000,all_squash)
    And... in Finder... on the mac... I right click and "Connect to server" like this
    nfs://xxxIPxxxxx/media/RAID5/xxxx
    xxxx = some folder to share.
    All my linux users are as standard UID 1000, but if anyone with a different UID mounts the nfs share... they are regarded as uid 1000 in any case, avoiding file permission conflicts.
    NFS is not the only reason I would like to use the same UID on all systems.
    Sharing files on hard disks, and dual-boot systems with linux/osx, are another reason.
    Linux has read/write to HFS+ if not journaled..!!
    (I know this is more info than needed, but if someone else reads this... having NFS issues... they may pick up some ideas ;o)

  • List of Portal users with the assigned Roles.....

    Hello All,
    I am working on EP6 SP9 and want to know from where can I get a list of all Portal users along with the assigned roles for each of them.
    One way I found is by searching for all users in User Administration role and along with the searched users, there is also an icon for Assigned roles.
    Apart from the above mentioned way, is there any other way by which I can get a direct list of the same? Is there Java sample code for this?
    Please help.
    Awaiting Reply.
    Thanks and Warm Regards,
    Ritu R Hunjan

    Hi Ritu,
    Yes it is possible to get the roles of the users. You can try the following java code.
    package com.hcl.user;

    import java.util.Iterator;
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleFactory;
    import com.sap.security.api.IRoleSearchFilter;
    import com.sap.security.api.ISearchResult;
    import com.sap.security.api.IUser;
    import com.sap.security.api.IUserAccount;
    import com.sap.security.api.IUserFactory;
    import com.sap.security.api.UMFactory;
    import com.sapportals.portal.prt.component.AbstractPortalComponent;
    import com.sapportals.portal.prt.component.IPortalComponentRequest;
    import com.sapportals.portal.prt.component.IPortalComponentResponse;

    public class role_member extends AbstractPortalComponent {
        public void doContent(IPortalComponentRequest request,
                              IPortalComponentResponse response) {
            try {
                IUserFactory userfactory = UMFactory.getUserFactory();
                IRoleFactory rolefactory = UMFactory.getRoleFactory();
                IRoleSearchFilter rolefltr = rolefactory.getRoleSearchFilter();
                rolefltr.setMaxSearchResultSize(2000);
                ISearchResult result = rolefactory.searchRoles(rolefltr);
                // one table per role: a header row with the role name, then one row per member
                while (result.hasNext()) {
                    response.write("<table border=0>\n");
                    String uniqueid = (String) result.next();
                    IRole role = rolefactory.getRole(uniqueid);
                    response.write("<tr><td bgcolor=Red>" + role.getDisplayName() + "</td></tr>\n");
                    Iterator users = role.getUserMembers(true); // true: include members inherited via groups
                    while (users.hasNext()) {
                        String unique_user = (String) users.next();
                        IUser user = userfactory.getUser(unique_user);
                        IUserAccount account[] = user.getUserAccounts();
                        response.write("<tr><td>" + account[0].getLogonUid() + "</td></tr>\n");
                    }
                    response.write("</table>\n");
                    response.write("<br/>\n");
                }
            } catch (Exception e) {
                response.write("Error: " + e.getMessage());
            }
        }
    }
    This code gives you the list of all the users of your portal along with the roles assigned to them.
    Apart from this, if you want to know all the roles assigned to the user on the portal itself, then the way you mentioned is the correct method.
    Regards
    Pravesh
    PS: Please consider awarding points.

  • Unable to map the portal user with back end user through web dynpro coding

    Hi All,
    I've a portal user which is mapped to a back end user by a system in the portal.
    I'm able to get the portal user from the web dynpro application.
    But I'm unable to get the mapped back end user.
    This is my code:
    String systemalias = "SAP_CRM_PROD";
    Map mapattr = new HashMap();
    // IPrincipal principal = (IPrincipal) request.getUser();
    // get user mapping information
    IUserMappingData userMapping =
        //(IUserMappingData) UMFactory.getUserMapping().getUserMappingData(systemalias, principal, mapattr);
        (IUserMappingData) UMFactory.getUserMapping().getUserMappingData(systemalias, principal, mapattr);
    // For testing purposes only
    //mappingData = userMapping;
    HashMap map = new HashMap();
    userMapping.enrich(map);
    mappedPassword = map.get(UMAP_KEY_PASSWORD).toString(); //String "user"
    mappedUserId = map.get(UMAP_KEY_USER).toString(); /
    following is the error reported .
    The project was not built since its classpath is incomplete. Cannot find the class file for javax.xml.soap.SOAPMessage. Fix the classpath then try rebuilding this project.
    please help.

    Hi Sanjay,
       The request component needs to be initialized before using it. Include these lines before your code.
    IPortalComponentRequest request = (IPortalComponentRequest) this.getRequest();
    String mappedPassword = null;
    String mappedUserId = null;
    Also check these threads for your help.
    Accessing Mapped Username / Password
    How to access user id and password via UserMapping ?
    Reward points for helpful answers.
    Regards,
    Harini S

  • Authenticating, Authorizing VPN user with AAA

    Hello,
    I have an ACS 1113 (4.2) Solution Engine and an ASA 5550 which have been integrated with ACS. I need to authenticate and authorize the VPN users from ACS.
    Also I need to have different access for different groups in ACS.
    please help me in this.
    Thanks
    Ritesh

    Hi,
    I am finding one problem. Well, I have done the configuration in ASA for authentication through ACS, but when I attempt to authenticate as a user I get an authentication message. Here are the commands configured in ASA and the debug messages:
    Command:
    aaa-server ACSCHN protocol radius
    aaa-server ACSCHN (WAN) host 10.132.15.26
    key _____
    aaa authentication telnet console ACSCHN LOCAL
    aaa authentication enable console ACSCHN LOCAL
    Debug Msg:
    Initiating authentication to primary server (Svr Grp: ACSCHN)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: wipro
    Resp:
    In localauth_ioctl
    Local authentication of user wipro
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
    aaa_backend_callback: Error: sorry
    AAA task: aaa_process_msg(185f00e8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
    AAA API: In aaa_close
    AAA task: aaa_process_msg(185f00e8) received message type 3
    In aaai_close_session (868)
    Please help: why did it authenticate with the internal server and not with the ACS server?
    Regards
    Ritesh

  • CUC 8 - converting local users with VM's to LDAP users - what is the best method?

    Evening all
    We are running a new Unity Connection 8.0 environment. Initially the users were either manually imported or created individually. The standard naming convention for the Alias names is first initial + surname.
    I have integrated LDAP synch so now I can see all the users in the users OU. I want to be able to utilise the LDAP synch to its full potential. I want to create new users from LDAP. But my primary objective is to convert all local users to domain users. The only main issue which we identified is that domain users Alias length is set to 8 characters max in length whereas the local accounts are full length.
    What would be the best way to migrate the users to LDAP, preserve the voicemails and update Alias names to be the same length as domain users?
    I was thinking of the following:
    Backup up system using COBRAS
    Delete all local users from CUC
    Do a bulk import of all users from LDAP into CUC as fresh accounts
    Use COBRAS import tool to load backup
    Amend the alias names manually to the correct length (8 letters)
    Import all users and VM's back in
    Pray it works!
    Any more efficient suggestions welcome
    Thanks in advance
    Mus

    There is a far easier way to do this using the Bulk Administration Tool in Connection.
    Perform an export operation to get everything into a CSV file.
    Delete all the columns except Alias, EmailAddress, MailName, and LdapCcmUserId.
    Populate the LdapCcmUserId to match the user's sAMAccountName attribute from AD.
    NOTE: Spot-check to be sure that you can find this user's account using the Import Users section. The account must have a Last Name value populated, be within the search base, and satisfy any filters you have applied to the synchronization agreement.
    Update the MailName to match the LdapCcmUserId. If you are using VMO or Single Inbox also set the EmailAddress to match the user's real email address. When you do the Update operation the Alias should get corrected to match the LdapCcmUserId if memory serves [read: test this!].
    NOTE: If you are setting the EmailAddress you also want the CreateSmtpProxyFromCorp column to be set to 1. This will ensure that the value is copied to the SMTP Proxy Address and can be utilized by the Unified Messaging integration.
    Save your modified CSV file and run an update operation. I suggest starting with a batch of only a few accounts at first to get comfortable with the process. Be sure to specify a filename for failed objects; you almost always have a few and this will give you a little guidance on what failed.

  • Import not authenticating portal user

    I am using Portal 10.1.4 and am trying to import a portal from another Portal 10.1.4 instance. I have retrieved the import/export script from the web interface from the source system (in Navigator when selecting Export for the relevant Page Group).
    However, no matter what portal user and portal password I put on the command line, I am getting an authentication error:
    D:\>export107.bat -mode IMPORT -d export107.dump -c ORCL -s PORTAL -p <schema password> -company MyCompany -pu portal -pp <portalpassword>
    Verifying the environment variables...
    Verifying the Oracle Client version...
    IMPORT Mode Selected
    Verifying the portal schema passed...
    Verifying the availability of transport set...
    Verifying the status of transport set...
    Calling Oracle exp or imp utility based on the mode of operation....
    PL/SQL procedure successfully completed.
    Checking for privileges...
    Checking for version compatibility...
    Setting the Context...
    Error: Authentication failed for portal
    Cannot proceed with Import
    I have checked that the portal user is in the OID and that they have a portal profile (using the Portal Admin web interface).
    How do I properly set up a user which can be used in the import script? (i.e. the pu and pp command parameters)?
    Thanks

    The problem turned out to be an incorrect value for the company parameter. I think this is what was suggested above - and it works. Just use the default value for company when executing the import script

  • Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie

    Dear All,
    I know that using Visual Administrator we can terminate the session.
    Is it possible for the administrator to terminate a logged-in portal user with his/her JSESSIONID or MYSAPSSO2 cookie value or user ID programmatically?
    Is it possible for the portal admin to forcibly exit (log out) an active user login without logging onto Visual Administrator?
    Regards,
    Eben Joyson

    The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. An example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
    The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (b) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard-core eCommerce site, slower page performance means that you make less money.
    Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
    Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
    I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
    And none of the servlets that you mention have any benefit with mitigating session hijacking.

  • Hi everyone, to use the portal with many users using the same portal user?

    I have another question: is it possible to use the portal with many users using the same portal user with different roles at the same time?
    thanks

    Hi Israel,
    It is possible to have the same user logged in through different terminals or browser windows. However, if there are, say, 10 roles assigned to that user, all 10 will be visible in all the windows. However, you may open and work on different roles in the different windows.
    Note that the real time collaboration features shall not be available if the same user logs in multiple times.
    Hope this is useful.
    Regards,
    Anagha

  • Create new user with specific UID

    I have posted this question in the 10.4 group but I need to do it on Leopard, too.
    Creating a new user from the Accounts GUI creates users with UIDs from 502 onwards. How do I create a user from scratch with a specific UID, e.g. 1234?
    I know that modifying user 502 won't work because trash files etc. are set up with 502 in their path names.
    Any help, links to help etc. appreciated.

    Peter,
    In Leopard, UIDs can be changed just as Baltwo described. I do not know if this will also change the UID of files in the user's HOME folder, but you can do that yourself. In fact, it would be a good idea to do so, manually, in any case.
    Go ahead and change the UID for the user as described. This should be done from a different, admin account. Then, open /Applications/Utilities/Terminal. Type the following, followed by a <RETURN>:
    sudo chown -R username /Users/username
    In the above text, you will replace all instances of "username" with the short name for the user in question. If the short name is "fred," for example, you would type the following exactly:
    sudo chown -R fred /Users/fred
    When you press <RETURN>, you will be asked for your admin password. Enter it (it will not be echoed) and again press <RETURN>.
    Scott
