Automatic federation from ldap to ldap

How can I get federation from ldap to ldap to work without getting the
CannotProceedException?
I've gotten an example of federation to work from an ldap tree to the
filesystem...and there was nothing to set up other than:

    Reference fref = new Reference("File",
        new StringRefAddr("URL", "file:/projects/federation"));
    // bind the filesystem to a context
    ctx.rebind("dr=newsection", fref);
    // testing is a directory directly under c:\projects\federation and myfile
    // is in that directory
    File newFile = (File) ctx.lookup("dr=newsection/testing/myfile");
    // this would federate to the filesystem and give me back the
    // file I was looking for
However, when doing this sort of thing from one ldap tree to another ldap
tree I was thrown the CannotProceedException!
The code:

    Reference bref = new Reference("javax.naming.directory.DirContext",
        new StringRefAddr("URL", "ldap://someldapserver:389/o=somedomain.com"));
    dtx.rebind("dr=newsection", bref);
    // testing is a context: ou=testing and myvalue is a String
    // value: cn=myvalue
    CompositeName cName = new CompositeName("dr=newsection/testing/myvalue");
    System.out.println("Answer: " + (String) dtx.lookup(cName));
I would receive the exception during lookup! It did work if I looked up
the reference directly and bound it as a DirContext and then was able to
look up a value from there, but I am not able to automatically resolve the
federated part...namely: /testing/myvalue
Why does ldap-filesystem work but ldap-ldap does not?
Any help would be greatly appreciated!
Shane
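The following Java is an added illustration of the two ways the remainder of a composite name can be resolved once the LDAP provider stops at the bound Reference; it is not code from Shane's post or from any reply on this page. It shows the hand-off JNDI itself defines for a CannotProceedException (NamingManager.getContinuationContext, which rebuilds the next context from the exception's resolved object, environment and remaining name) and the manual two-step form the post says already works (look up the Reference, dereference it into a DirContext, look up the rest there). Because a URL Reference stored in the directory is followed by whatever later looks it up, the helper refuses to connect to any URL outside the expected server. The class name FederatedLookup, ALLOWED_URL_PREFIX, checkReference and the localhost PROVIDER_URL in main are assumptions; "dr=newsection" and the ldap://someldapserver:389/ URL come from the post.

```java
import java.util.Hashtable;
import javax.naming.CannotProceedException;
import javax.naming.CompositeName;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.spi.NamingManager;

/** Hypothetical helper for JNDI federation across two LDAP trees (added example). */
public class FederatedLookup {

    // Assumption: the only directory a stored Reference is allowed to point at.
    private static final String ALLOWED_URL_PREFIX = "ldap://someldapserver:389/";

    /** Resolves a composite name, taking over when the first provider stops with a
     *  CannotProceedException at the federation boundary (the bound Reference). */
    public static Object lookupFederated(Context ctx, String compositeName) throws NamingException {
        Name name = new CompositeName(compositeName);
        try {
            return ctx.lookup(name);                 // the provider may resolve everything itself
        } catch (CannotProceedException cpe) {
            Object head = cpe.getResolvedObj();      // what the provider managed to resolve
            if (head instanceof Reference) {
                checkReference((Reference) head);    // refuse to follow an unexpected URL
            }
            // Standard JNDI hand-off: build the next context from the exception's state,
            // then continue with the part of the name that was not resolved.
            Context next = NamingManager.getContinuationContext(cpe);
            Name remaining = cpe.getRemainingName();
            if (remaining == null || remaining.isEmpty()) {
                return next;
            }
            return next.lookup(remaining);
        }
    }

    /** The manual two-step form: fetch the bound Reference, dereference it into a DirContext,
     *  then look up the rest with LDAP-style naming (RDNs, not bare path components). */
    public static Object lookupTwoStep(Context ctx, String boundName, String ldapRelativeName)
            throws NamingException {
        Object bound = ctx.lookup(boundName);
        if (!(bound instanceof Reference)) {
            throw new NamingException(boundName + " is not bound to a Reference");
        }
        Reference ref = (Reference) bound;
        checkReference(ref);
        Hashtable<?, ?> env = ctx.getEnvironment();
        Object target;
        try {
            target = NamingManager.getObjectInstance(ref, new CompositeName(boundName), ctx, env);
        } catch (NamingException ne) {
            throw ne;
        } catch (Exception e) {                      // getObjectInstance declares Exception
            NamingException ne = new NamingException("Could not dereference " + boundName);
            ne.setRootCause(e);
            throw ne;
        }
        if (!(target instanceof DirContext)) {
            throw new NamingException("Reference did not resolve to a DirContext: " + target);
        }
        DirContext federated = (DirContext) target;
        try {
            return federated.lookup(ldapRelativeName);
        } finally {
            federated.close();                       // release the second connection
        }
    }

    /** Refuses to dereference a URL Reference that points somewhere unexpected. */
    static void checkReference(Reference ref) throws NamingException {
        RefAddr addr = ref.get("URL");
        if (addr == null || !(addr.getContent() instanceof String)) {
            throw new NamingException("Reference carries no URL address");
        }
        String url = (String) addr.getContent();
        if (!url.startsWith(ALLOWED_URL_PREFIX)) {
            throw new NamingException("Refusing to follow reference to " + url);
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=somedomain.com"); // placeholder
        DirContext dtx = new InitialDirContext(env);
        try {
            // Assumes cn=myvalue,ou=testing exists in the federated tree, as in the post.
            System.out.println("Answer: " + lookupTwoStep(dtx, "dr=newsection", "cn=myvalue,ou=testing"));
        } finally {
            dtx.close();
        }
    }
}
```

lookupFederated is the generic form and works for any provider that fills in the CannotProceedException as JNDI specifies; lookupTwoStep mirrors what the post reports as working, and its second step names the entry with LDAP RDNs (cn=myvalue,ou=testing) rather than the bare "testing/myvalue" components that the file provider accepts.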

Similar Messages

  • LDAP : retreive the password from LDAP

    Hi,
    I am trying to authenticate the user with the password that is entered by him against the password in LDAP. Basically I have to do a String comparison. I am able to retrieve all the attributes set for that user but the password is retrieved as:
    [B@867e89
    I did a toString() for that but no change.
    String s = attr.get().toString();
    I even tried to convert this String to bytes and then compare:
    byte[] newUnicodePassword = null;
    try {
        newUnicodePassword = s.getBytes("UTF-16LE");
        System.out.println("Checking 2  :" + newUnicodePassword.toString());
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    But of no use. When I converted this byte array to a string it is the same encrypted characters.
    So I could not compare with the password that is entered by the user.
    Can anyone please tell why this is happening, and how I have to get the password from LDAP?
    Thanks in advance.

    You do not retrieve your passcode.
    Connect the iOS device to your computer and restore via iTunes. Place the iOS device in Recovery Mode if necessary to allow the restore.
    If recovery mode does not work try DFU mode.
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings
    For how to restore:
    iTunes: Restoring iOS software
    To restore from backup see:
    iOS: How to back up
    If you restore from iCloud backup the apps will be automatically downloaded. If you restore from iTunes backup the apps and music have to be in the iTunes library since synced media like apps and music are not included in the backup of the iOS device that iTunes makes.
    You can redownload iTunes purchases by:
    Downloading past purchases from the App Store, iBookstore, and iTunes Store
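    The Java below is an added example, not code from this thread. It shows what the "[B@867e89" output means (JNDI hands userPassword back as byte[], and the bytes are normally a salted hash such as {SSHA}..., which cannot be compared to the typed password) and then does the check the way a directory is meant to be used: bind as the user with the typed password and let the server compare. The class name LdapPasswordCheck, the ldaps://ldap.example.com:636 URL and the DN in main are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper showing password verification against LDAP (added example). */
public class LdapPasswordCheck {

    /** Explains what a retrieved userPassword attribute actually holds. JNDI returns it as
     *  byte[] (hence "[B@867e89" from toString()), usually a hash with a {SCHEME} prefix. */
    public static String describeStoredPassword(Attribute userPassword) throws NamingException {
        Object raw = userPassword.get();
        if (!(raw instanceof byte[])) {
            return "unexpected type " + raw.getClass().getName();
        }
        String text = new String((byte[]) raw, StandardCharsets.UTF_8);
        int close = text.indexOf('}');
        if (text.startsWith("{") && close > 0) {
            return "hashed, scheme " + text.substring(0, close + 1);   // e.g. "{SSHA}"
        }
        return "stored without a scheme prefix";
    }

    /** The reliable check: a simple bind with the user's DN and the typed password succeeds
     *  only if the directory accepts the password against whatever it has stored. */
    public static boolean authenticate(String ldapUrl, String userDn, char[] password)
            throws NamingException {
        if (password == null || password.length == 0) {
            // An empty password turns the request into an unauthenticated bind, which many
            // servers accept, so it must never be treated as a successful login.
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);            // ldaps:// keeps the password off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);   // the provider accepts String, char[] or byte[]
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);              // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                                  // wrong password or unknown DN
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder server and DN; the password is taken from the command line for the demo.
        char[] typed = args.length > 0 ? args[0].toCharArray() : new char[0];
        boolean ok = authenticate("ldaps://ldap.example.com:636",
                "uid=jdoe,ou=People,dc=example,dc=com", typed);
        System.out.println(ok ? "password accepted by the directory" : "password rejected");
    }
}
```

    The bind-based check also works when the stored value is a hash the client cannot reproduce, and it keeps the application from ever reading password attributes at all; if the user's DN is not known in advance, look it up first by searching on uid and then bind with the DN found.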

  • GRC 5.3 CUP SP16 - User info not loading from LDAP into CUP

    Hello,
    We have multiple LDAPS that we needed to connect to our CUP system to authenticate the userids before a request can be created for them. And also to bring in Manager ID and manager email from LDAP as the first level approver for requests.
    My client hasn't maintained the actual LDAP userids, Manager and manager email fields correctly, so we utilized three other custom fields in LDAP and then did field mapping in CUP for those fields. But even when the connection to all the LDAPs is successful, there's no user information being pulled in from LDAP into CUP. I noticed that when I use our backend SAP QA system as 'User Data Source' while using multiple LDAPS for 'User Detail Source Data', it only reads data from the SAP QA system SU01 area, and even when I'm trying to create requests, no Manager info is being pulled from LDAPS for that user id.
    SAP does not allow the use of multiple LDAPS for the configuration-->User Data Source, top option. So, if a client has userids in multiple systems, it can only read from one data source. But even when I temporarily assigned one active directory LDAP to the 'user data source' option, it stated 'no records found'. So, something is up that no data is being pulled from LDAPs even when the connection to those systems is successful. I just asked our AD guy to temporarily assign domain admin rights to that LDAP connection ID to see if it's an access issue, and still I am not getting any LDAP data to read into GRC CUP.
    Has anyone else had this issue? Is there special access that the LDAP connection id needs in LDAP to be able to retrieve data into GRC? Are there any jobs that need to be run to read LDAP data? I thought it should be live as the system is connected to LDAPs. I don't understand, if the connection is successful, why the user info is not being pulled from there, and even after the LDAP custom field mapping is done, those field values are not showing up on requests.
    We need the following to happen:
    1). Authenticate the custom userid field in LDAPs to ensure this user exists as an employee before a request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be read automatically into the request when reading user id while creating request.
    I will greatly appreciate anyone's help on how they got the LDAP field values to be read into GRC CUP for request processing and what type of encrypted access a LDAP connection id can have without assigning it complete domain admin rights on an open port 389 for LDAP and GRC CUP connection.
    Thanks and Regards,
    Alley

    Hi Alley,
    1). Authenticate the custom userid field in LDAPs to ensure this user exist as an employee b4 request can be created for the user. For this I have configured the multiple LDAPS for the 'Authentication'. But it doesn't seem to confirm that option when creating a request for a user.
    This is not possible. You can have only 1 LDAP. Why do you want to authenticate the user in different sources?? CUP looks at only one user source, not many. The below wiki explains the configuration part:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
    2). The user details info source should bring in the custom manager id and manager email into the request to send the first level of approval via workflow to that manager. Since SAP doesn't give the option to define approvers per user group values in CUP, we had to actually map all the User Owner approvers this way since their direct managers are not aware of what to request as the User owner approvers per user group are. So, we added custom fields for Manager id and Manager EMail into LDAP to be ready automatically into the request when reading user id while creating request.
    Based on user group is not possible. However, if you wish to maintain the Manager's Field, ensure that the CUP mapping is done correctly from the Configuration, Field Mapping, LDAP Mapping.
    While defining the workflow, take the approver determinator as Manager. This will route the request to the user's manager. Also, ensure that LDAP is the source in all the configuration areas in CUP.
    Check note 1228996 for more information.
    Hope this helps!!
    Regards,
    Raghu

  • How i get user info from ldap using java after authenticating user with SSO

    Hi
    I have one jsp/bean application as a partner application with SSO.
    It works fine.
    Now I need to get other attributes of the user from LDAP who has logged into the application through SSO.
    Using SSO java APIs I only get username, userDN, subscriber info.
    To get the user's other attributes I have to use LDAP APIs; for that I have to create a Directory Context, and for that I need the user password.
    So here is my question: how do I get the user password after he has logged in through SSO?
    regards..
    and thanking u in advance
    samir

    Valentina,
    there's no way to get the password value from the directory (it's one way). Of course you can get the hashed (MD4,MD5,SHA-1) base64 encoded value (i.e. the value you see in OiD) but not the 'password'.
    --Olaf

  • How to get user information from ldap - bpm11g

    hi all,
    I need to know how to get information from LDAP using an ADF bean to show user data in an ADF form.
    anyone knows about this ?
    tks.

    Neal wrote:
    >
    Hi,
    I am using WLS default authentication to protect my JSP pages. Can someone tell
    me if it is possible to add more fields to the default login box (in addition
    to login and password boxes, I want to ask user the department name). In addition,
    can WLS propagate this information (department name) along with other security
    credentials to other J2EE components such as EJBs? In my EJBs I want to be able
    to get the department name that user provided during login and then use that for
    conditional business logic.
    Any insights on this subject will be greatly appreciated.
    TIA,
    -Neal

    You can't do this with the default simple authentication. That can only handle a
    username / password combination.
    You should be able to do this with JAAS. You could write a LoginModule that
    populates the department as a Principal or public Credential on the Subject in
    addition to the normal authentication. You would have to do a callback handler
    that passed through the department info to it.
    This link has more on WLS's stab at JAAS:
    http://e-docs.bea.com/wls/docs61/security/prog.html#1039659
    Once you have associated the Subject with the access control context by invoking
    a doAs() you should be able to get it back at any point with
    Subject.getSubject(AccessController.getContext()) to get access to the
    department info.
    It will all be a bit of a chore, mind.

  • How to read data from LDAP

    Hi All,
    I have a requirement to read data from LDAP. Currently I am using function module LDAP_READ to access the data in the ABAP code but there is no data populated using this FM.
    Please advise if anyone knows about any FM to populate the LDAP data.
    Thanks and Regards
    Syed Samdani

    try : LDAP_OBJECT_READ

  • Problem with activesync provisioning user from  ldap to red hat

    hello,
    I am using activesync to provision the user from LDAP to Red Hat Linux. I am getting the following error message:
    An error occurred adding user '#########' to resource 'Red Hat Linux'.
    Script failed waiting for " PASSWORD:" in response "passwd: Only one user name may be specified.
    _,)#+(:"
    Script processor timed out with nothing to read and the following unprocessed text: "passwd: Only one user name may be specified.
    _,)#+(:".
    When I try to assign the Red Hat resource to a user from the IdM, the user is getting provisioned to Red Hat successfully. The active sync form is working for all the other resources except Red Hat.
    Can anyone give me a solution for the above problem?
    thanks in advance.

    Have you set the xhost as ROOT (xhost +hostname), and then as the ORACLE user type "export DISPLAY:0.0" (without the quotes of course) ? This needs to be done prior to running the installer. Try this site for further information - http://www.puschitz.com/OracleOnLinux.shtml

  • Logical identifiant for User Notes synchronized from LDAP

    After a synchronization from LDAP to Notes,
    The user entry is created, all attributes are OK
    The certificate is created and named with %uid%.id
    BUT the logical name of the user in the Notes database is constructed as "%givenname%SPACEd/DOMAIN".
    I don't understand the SPACE and the character d ?
    Thanks for your help !
    BRs
    Vincent

    For analysis, we have synchronized 15 LDAP users to Notes.
    FirstName, Lastname and login attributes are from 1 to 15 characters in length as follows:
    givenname, lastname, UID
    1,1,1
    F2,L2,ID
    F33,L33,ID3
    F444,L444,ID44
    F5555,L5555,ID555
    F66666,L66666,ID6666
    F777777,L777777,ID77777
    F8888888,L8888888,ID888888
    F99999999,L99999999,ID9999999
    Faaaaaaaaa,Laaaaaaaaa,IDaaaaaaaa
    Fbbbbbbbbbb,Lbbbbbbbbbb,IDbbbbbbbbb
    Fccccccccccc,Lccccccccccc,IDcccccccccc
    Fdddddddddddd,Ldddddddddddd,IDddddddddddd
    Feeeeeeeeeeeee,Leeeeeeeeeeeee,IDeeeeeeeeeeee
    Fffffffffffffff,Lffffffffffffff,IDfffffffffffff
    Between 6 and 8 characters, the logical name of the user is correct.
    It is constructed as %firstname% %lastname%/DOMAIN
    Less than 6 or more than 8 characters, the logical name is not correct.
    We can show the partial path of the lotus's data directory.
    I can send a screenshot to an email address if you want.
    Why this ? It's not usable
    PS : All certificates can be viewed without providing a password!
    Why is the LDAP password of the user's entry not used to open the ID?
    Thanks for your help.
    BRs
    Vincent

  • Server 2012 errors for timeout -- LDAP error number: 55 -- LDAP error string: Timeout Failed to get server error string from LDAP connection

    Hello, currently getting the below error messages utilizing software through which LDAP is queried for discovering AD objects/paths and resource enumeration and tracking.
    Have ensured firewalls and port (389) relating to LDAP are not closed, thus causing hanging.
    I see there was a write-up on Svr 2003 ( https://support.microsoft.com/en-us/kb/315071 ); not sure if this is applicable, or if the "Ntdsutil.exe" architecture has changed much from Svr 03. Please advise.
    -----------error msg  ----------------
    -- LDAP error number: 55
    -- LDAP error string: Timeout Failed to get server error string from LDAP connection

    The link you shared is still applicable. You can adjust your LDAP policy depending on your software requirements.
    I would also recommend that you get in touch with your software vendor to get more details about the software requirements.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Disconnect from ldap

    Hi
    I have used JNDI to connect to and use Active Directory and OpenLDAP.
    So I want to have a disconnect routine.
    How can I disconnect JNDI from LDAP?
    thanks

    close the context returned by the bind operation
    sudarshan

  • Replication of data from LDAP to Oracle 10g Database

    Hi All,
    In our application we are using Oracle Identity Manager and Oracle 10g database.
    We are storing the user, profile and privileges in LDAP and for some reason we have to create a user table in the 10g database.
    This user table's values and the LDAP user table's values must be the same.
    Here the source is LDAP and the destination is Oracle.
    So is there any way we can synchronize or replicate the data from LDAP to the 10g database?
    Since Oracle Identity Manager is integrated with LDAP,
    I feel this must be possible,
    but really don't know how.
    Kindly suggest me.
    And if any examples are available please let me know; I will be very grateful to you.
    Thanks in advance

    Check out thread How synchronize OID user to a table?

  • Retrieve parameters from LDAP using authentication module

    I have existing LDAP that contains organization people and their attributes. I have several web applications that use existing LDAP for authentication and authorization. My goal is to deploy single sign-on with openSSO so that users are authenticated against existing LDAP. Changing of the existing LDAP is forbidden.
    I deployed newest stable OpenSSO and Apache2 + newest policy agents to web service servers.
    OpenSSO server uses LDAP authentication module to authenticate users against existing LDAP. It uses flat file data repository and realm attributes -> user profile is ignored.
    This basic setup works fine. The next step is to integrate existing web applications to single sign-on system. The authentication part works fine. I just disabled old mechanism from web applications that did the LDAP authentication. OpenSSO and Apache Policy agent are handling that part.
    The existing web applications are still querying the existing LDAP for other attributes than uid and userpassword. Is it possible to configure OpenSSO to forward LDAP attributes to the web application as a cookie or header value? Or is the forwarding feature only for attributes in the Data Store?
    If the forwarding is not possible what is the next best alternative ?

    OpenSSO forum is quite silent so I'm back with you guys.
    I managed to solve the agent error log problem I mentioned before. The problem was about nonexistent attributes in AMAgent.properties com.sun.am.policy.agents.config.profile.attribute.map. I removed the extra attributes and the authentication against LDAP started to work again.
    The problem is that no attributes are forwarded from LDAP to web application. I have tried HTTP_COOKIE and HTTP_HEADER settings in AMAgent.properties and com.sun.am.policy.agents.config.profile.attribute.map is set to cn|common-name,mail|email.
    My LDAP looks like this:
    # testuser, pollo.fi
    dn: cn=testuser,dc=pollo,dc=fi
    cn: testuser
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Test
    sn: User
    ou: People
    uid: testuser
    mail: [email protected]
    And my datastore configuration:
    LDAP server->localhost:389
    LDAP bind DN->cn=admin,dc=pollo,dc=fi
    LDAP organization DN->dc=pollo,dc=fi
    Attribute name mapping->empty
    LDAP3 Plugin supported types and operations->agent,group,realm,user all read,create,edit,delete
    LDAP3 Plugin search scope->scope_sub
    LDAP Users Search Attribute->uid
    LDAP Users Search Filter->(objectclass=inetorgperson)
    LDAP User Object Class->organizationalPerson
    LDAP User Attributes->uid, userpassword
    Create User Attribute Mapping->empty
    Attribute Name of User Status->inetuserstatus
    User Status Active Value->Active
    User Status Inactive Value->inactive
    LDAP Groups Search Attribute->cn
    LDAP Groups Search Filter->(objectclass=groupOfUniqueNames)
    LDAP Groups container Naming Attribute->ou
    LDAP Groups Container Value->groups
    LDAP Groups Object Class->top
    LDAP Groups Attributes->cn,description,dn,objectclass
    Attribute Name for Group Membership->empty
    Attribute Name of Unqiue Member->uniqueMember
    Attribute Name of Group Member URL->memberUrl
    LDAP People Container Naming Attribute->ou
    LDAP People Container Value->people
    LDAP Agents Search Attribute->uid
    LDAP Agents Container Naming Attribute->ou
    LDAP Agents Container Value->agents
    LDAP Agents Search Filter->(objectClass=sunIdentityServerDevice)
    LDAP Agents Object Class->sunIdentityServerDevice,top
    LDAP Agents Attributes->empty
    Identity Types That Can Be Authenticated->Agent,User
    Authentication Naming Attribute->uid
    Persistent Search Base DN->dc=pollo,dc=fi
    Persistent Search Filter->(objectclass=*)
    Persistent Search Maximum Idle Time Before Restart->0
    Should I enable some setting still to get the forwarding going on? Any ideas for debugging?

  • Using additional userprofile attributes from LDAP

    Hi,
    my users are inside an OpenDS LDAP-Server connected to SSGD 4.41 - all works fine.
    I would like to store some additional SGD attributes like
    UserProfile.Multiple = yes/no
    (Multiple: Whether someone may log in using this user profile and whether this user profile will be shared by multiple users in the form of a "guest" account.)
    also inside the LDAP (extending my own LDAP-schema).
    Question: How can I tell SSGD to use this attribute UserProfile.Multiple from LDAP instead of looking into the
    local repository ?
    regards
    Danny

    Hi Danny,
    I don't think you can do this, as user profile data is never read from the LDAP directory. LDAP users always have to be mapped to a local profile (from the SGD datastore), meaning that any attributes on the user object from the LDAP directory wouldn't be considered when evaluating a user's profile.
    Does anyone else have a take on this?
    -- DD

  • Deleting user from LDAP

    How to delete the user permanently from LDAP. I want to delete the user's mail and calendar services also.

    Hi,
    It is generally not a best practice to touch your directory server directly. If you're just playing around for learning purposes it's OK. Otherwise, from an implementation perspective, do not try accessing DS directly.
    I will try giving you a solution if you use legacy mode of AM. I'm still learning about realm mode, but I guess such scenarios are mostly common between the two.
    You can use the amadmin command found in /opt/SUNWam/bin or in Windows c:\program files\sun\javaes5\identity\bin. You have a sample XML file pcDeleteRequests. You could use this to delete just one or a few users.
    The sample is
    <Requests>
    <PeopleContainerRequests DN="ou=People1,dc=example,dc=com">
         <DeleteUsers>
         <DN>uid=dpUser,ou=People1,dc=example,dc=com</DN>
         </DeleteUsers>
    </PeopleContainerRequests>
    </Requests>
    Make an XML, run this command : amadmin -u "uid=amadmin,ou=people,dc=example,dc=com" -w <password> -t <your_file>

  • Fetching ROLES from LDAP

    Hi Experts,
    I need to fetch roles assigned to a user from LDAP. The requirement is such that I need to put the USERID in a search box and on the basis of the USERID, I need to fetch all the roles from LDAP that are assigned to that USERID.
    Any code snippets, links will be appreciated.
    Thanx
    Bhardwaj

    Check this blog by Prakash Singh: https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2073
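    As an added example (not from this thread or the linked blog), the Java below does the role lookup the question describes with JNDI: it finds the user's DN from the USERID typed into the search box, then searches for the group entries that list that DN as a member. The USERID is user input that ends up inside an LDAP filter, so the value is escaped per RFC 4515 before it is interpolated; otherwise a typed "*" or ")(uid=*" changes what the filter matches. The class name RoleLookup, the assumption that roles are groupOfNames entries with a member attribute, and the base DNs and server URL in main are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical helper: roles (groups) of a user looked up from LDAP via JNDI (added example). */
public class RoleLookup {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515 section 3). The five
     *  structural characters and every non-printable or non-ASCII byte become \xx hex pairs,
     *  so a value taken from a search box cannot alter the filter's structure. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            if (v == '\\' || v == '*' || v == '(' || v == ')' || v < 0x20 || v >= 0x7f) {
                sb.append('\\').append(String.format("%02x", v));
            } else {
                sb.append((char) v);
            }
        }
        return sb.toString();
    }

    /** Step 1: resolve the USERID to the entry's DN; refuses ambiguous matches. */
    public static String findUserDn(DirContext ctx, String peopleBase, String userId)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);          // only the DN is needed
        NamingEnumeration<SearchResult> results =
                ctx.search(peopleBase, "(uid=" + escapeFilterValue(userId) + ")", sc);
        try {
            if (!results.hasMore()) {
                throw new NamingException("no entry with uid " + userId);
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("uid " + userId + " is not unique");
            }
            return dn;
        } finally {
            results.close();
        }
    }

    /** Step 2: the cn of every role entry under rolesBase whose member attribute names userDn.
     *  Assumption: roles are groupOfNames entries (adjust the objectClass/attribute otherwise). */
    public static List<String> rolesFor(DirContext ctx, String rolesBase, String userDn)
            throws NamingException {
        String filter = "(&(objectClass=groupOfNames)(member=" + escapeFilterValue(userDn) + "))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(rolesBase, filter, sc);
        try {
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) {
                    roles.add((String) cn.get());
                }
            }
        } finally {
            results.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        String userId = args.length > 0 ? args[0] : "jdoe";   // the value typed into the search box
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");   // placeholder server
        DirContext ctx = new InitialDirContext(env);
        try {
            String userDn = findUserDn(ctx, "ou=People,dc=example,dc=com", userId);
            System.out.println("Roles for " + userDn + ": "
                    + rolesFor(ctx, "ou=Roles,dc=example,dc=com", userDn));
        } finally {
            ctx.close();
        }
    }
}
```

    Directories that maintain a memberOf attribute on the user entry allow the second search to be replaced by reading that attribute from the user's entry; the escaping step stays the same wherever user input is spliced into a filter string.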
