Bootstrapping from SunOne LDAP to OID

Hi,
I'm trying to sync my SunOne LDAP data to OID. Below is my mapping file:
DomainRules
ou=ssausers,dc=infor,dc=com:cn=Users,dc=infor,dc=com:cn=%,cn=Users,dc=infor,dc=com
AttributeRules
# Mapping rules to map the domains and containers
targetdn:2: :person:krbPrincipalName: :orclUserV2
o: : :organization: o: :organization
ou: : :organizationalunit: ou: : organizationalunit
dc: : :domain:dc: :domain
# Mapping Rules to map users
uid: : :person: uid: :inetorgperson
sn: : :person:sn: :person
cn:1: :person:cn: :person
mail: : :inetorgperson: mail: :inetorgperson
employeenumber: : :organizationalperson: employeenumber: :organizationalperson
c: : :country:c: :country
l: : :locality: l: :locality
telephonenumber: : :organizationalperson: telephonenumber: :organizationalperson
userpassword: : :person: userpassword: :person
# Mapping Rules to map groups
cn: : :groupofuniquenames:cn: :groupofuniquenames
member: : :groupofuniquenames:member: :orclgroup
uniquemember: : :groupofuniquenames:uniquemember: :orclgroup
owner: : :groupofuniquenames:owner: :orclgroup
But when I start the dipassistant I get a message on the console as:
Bootstrapping in progress.....
Bootstrapping completed.
#entries read ..................... 2
#entries filtered ................. 0
#entries ignored .................. 1
#successfully processed entries ... 0
#failures ......................... 1
The log file says something like:
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Initializing bootstrap engine.......
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Map engine successully initialized......
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Filter successully initialized......
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Input parameters parsed successfully and initialized....
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Beginning the bootstrap process....
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Initialized the LDAP source connector - 0 to read - ou=ssausers,dc=infor,dc=com
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] LDAP source connector - 0 search filter - null
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Reader Thread - 0 - Total no.of entries read = 2
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Reader Thread - 0 - Total no.of entries filtered = 0
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Reader Thread - 0 - Exiting....
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Initialized the LDAP destination connector - 0
ERROR: [Thu Jan 29 10:25:44 GMT+05:30 2009] Writer Thread - 0 - Error occurred while loading - *
ERROR: [Thu Jan 29 10:25:44 GMT+05:30 2009] Writer Thread - 0 - Invalid name: *
INFO: [Thu Jan 29 10:25:44 GMT+05:30 2009] Writer Thread - 0 - Ignoring the entry - uid=admin,ou=ssausers,dc=infor,dc=com
INFO: [Thu Jan 29 10:25:47 GMT+05:30 2009] Writer Thread - 0 #no of entries - 2
INFO: [Thu Jan 29 10:25:47 GMT+05:30 2009] Writer Thread - 0 #no of entries successfully processed - 0
INFO: [Thu Jan 29 10:25:47 GMT+05:30 2009] Writer Thread - 0 - Exiting....
INFO: [Thu Jan 29 10:25:50 GMT+05:30 2009] Cleaning up the source connector - 0....
INFO: [Thu Jan 29 10:25:50 GMT+05:30 2009] Cleaning up the destination connector - 0....
INFO: [Thu Jan 29 10:25:50 GMT+05:30 2009] Bootstrap process completed.
Where could that '*' possibly be?
As to the dipassistant command, we only give the properties file, and the only entries in that properties file are LDAP details and OID details, so I assumed that somewhere in my LDAP there is a '*' (signifying something like all users under the hierarchy). I tried removing them, but the error still persists.
Kindly help me out, and let me know where I could possibly look: LDAP side or OID side.
Thanks

Also, when I tried adding users using "ldapadd", my objectclasses are getting added, but since I'm logged into the "Oracle Directory Manager" using "orcladmin", I just see its details but not the entire user structures as such. Is there any other login like "cn=Directory Manager" wherein I can see all the object classes and all that I added?
P.S.: When logging into Directory Manager, when we look up to add "orcladmin" as userid, in that popup I can see all the objectclasses I have added.

Similar Messages

  • DIP synchronization from Domino LDAP to OID

    Hi,
    has anyone tried using DIP to synchronize users and groups from Lotus Domino LDAP to OID?
    There is a connector available with OIM, but since I don't need provisioning was hoping to get away without extra OIM infrastructure. (I will use OIM if I have to).
    My attempts are still in the early stage, and wanted to make sure I was going down the right road.
    Using 10.1.4.3 OID, creating an import connector using the import openLDAP template.
    Looks like I can get the mapping down and a manual bootstrap does work.
    1) Can I adapt elements of the OIM adapter to work within the DIP connector?
    2) Domino seems to store groups at the root DSE. The DIP connector does not accept empty or "" as a source domain to search for the groups. It needs that the source groups be stored in a container. Anyone run into this type of thing? Is there something to enter into the DIP connector config that will allow using the ROOT DSE of the target as search source?
    3) When I enable the connector, Synchronization delivers a success status. Reconcile is errored and unsuccessful. Can I get by with only synchronization working?
    4) Going outside of Oracle here...but is anyone aware if Lotus Domino LDAP maintains a changelog? Or does it use modify timestamps as attributes of users/groups?
    5) In the eventuality that I need to write a custom agent for Domino or custom 'Reader' or reconcile agent. Has anyone done this or have sample code to look at? Even if not for Domino, but custom for other LDAP?
    Thanks

    it's either DIP via LDAP or OIM connector via Lotus Java API. I'd go with LDAP...if DIP doesn't work, it's pretty simple to write a script to export records and then import them into OID. There are a lot of LDAP utilities, google is your friend.

  • Moving from SUNONE DS to OID

    We are moving away from SunOne Directory Server to OID.
    We are looking at a few things for data migration, like DIP ...
    If anybody has done that, can you please share the challenges you have with this type of migration?

    The documentation is good if OID is setup and start the sync process ....
    We are still in the process of migrating the schema ...
    Is there a way to compare the system attributes from SunOne to OID and migrate user-defined attributes?

  • How to integrate Objectel module (from Metasolv suite) to OID

    Hi all
    Does somebody know how to make the integration between Objectel (from Metasolv suite) and OID in order to centralize all authentication/authorization processes in the OID?
    I searched Metalink to find out how to make Objectel use LDAP, but I've been unsuccessful up to now in discovering how to do it.
    Besides that, does somebody know of any restriction on performing the same integration for the OSM module (from Metasolv suite too)?

    Thank you Marc for the quick response. But after reading it, I'm getting more confused. My main issue is I cannot get the 'J2EE Server and SOA Suite' component to 'associate' with the 'Identity Management and Meta Data' component. I do not know whether I had installed it in the wrong order or something which I've overlooked or missed? The way which I noticed they were not communicating is when I bring up the SOA Launch Console, and hit the 'Application Server Control' link, the page is returned with 'The page cannot be found HTTP 404 - File not found error'. Your assistance is most appreciated.
    Kind Regards,
    John

  • Db10g external password authentication from Active Directory via OID

    Hi all,
    - I have a synchronization AD-to-OID (OAS 10.1.2 (Infra) cold failover cluster, 2 nodes)
    - I have external authorization of AD users via SSO (external authorization plug-in)
    - I have RAC DB (10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
    - but I can't configure DB authorization of AD-to-OID synchronized users who don't have their passwords in OID
    error:
    ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
    i.e. those users are not recognized as users with external passwords.
    Any ideas, please ...

    I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
    I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
    Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
    request from my server to the LDAP box:
    LDAP: [Base Object]
    LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
    LDAP: [Scope]
    LDAP: wholeSubtree
    LDAP: Equality Match *[3]
    LDAP: [Attr Descr]
    LDAP: objectClass
    LDAP: [Value]
    LDAP: posixAccount
    LDAP: *[3]
    LDAP: [OctetString]
    LDAP: uid
    LDAP: [OctetString]
    LDAP: myusername
    reply from the LDAP server:
    LDAP: [Error Message]
    LDAP: 0000208D: NameErr: DSID-031001CD
    LDAP: , problem 2001 (NO_OBJECT), data
    a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
    b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
    c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)?

  • Swf file wont play from httpserver, windows opens up but doesn't play, but works fine from SunOne

    We are currently migrating over to http server from SunOne web server. When you run the launch.html file an additional browser window opens but the swf does not start playing.
    The new http server is using exactly the same doc root as SunOne.
    I have swf in the mime types and I've checked all the permissions.
    Conf File
    Include /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf
    Listen 1xxxx
    DocumentRoot "/www/edc/docs"
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory "/www/edc/docs">
        Options FollowSymLinks
    </Directory>
    ######### DirectoryIndex ############################################
    directoryIndex index.html index.htm
    IndexOptions FancyIndexing VersionSort
    ########## Pidfile location,Error and Access Logs #####################
    PidFile /opt/IBM/WebSphere/HTTPServer/logs/edc/httpd.pid
    ErrorLog "|/opt/IBM/WebSphere/HTTPServer/bin/rotatelogs /opt/IBM/WebSphere/HTTPServer/logs/edc/error_%Y-%m-%d-%H:%M 86400 -360"
    CustomLog /opt/IBM/WebSphere/HTTPServer/logs/edc/access_log common
    CustomLog "|/opt/IBM/WebSphere/HTTPServer/bin/rotatelogs /opt/IBM/WebSphere/HTTPServer/logs/edc/access_%Y-%m-%d-%H:%M 86400 -360" common
    LogLevel warn
    # The following directives define some format nicknames for use with a CustomLog directive
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    Alias /icons/ "/opt/IBM/WebSphere/HTTPServer/icons/"
    <Directory "/opt/IBM/WebSphere/HTTPServer/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    Hi,
    I would suggest you read the following thread:
    Windows Media Server Did not Accept HTTP or RTSP streams??? 
    http://social.technet.microsoft.com/Forums/en-US/winservermedia/thread/b3f4f8c9-ac36-49e6-adc7-21e744d2e28f
    In addition, please check whether the following blog could help:
    Play "mms" and "rtsp" Streams in Windows Media Player
    Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Thanks,
    Vincent Wang
    TechNet Community Support

  • URGENT : Add & Retrieve properties from Embedded LDAP in Weblogic 9.2

    I am using Embedded LDAP WebLogic 9.2 and I followed the steps mentioned in the URL below. I have not changed anything except Server URL which points to localhost:7001.
    http://e-docs.bea.com/wlp/docs92/users/appendixa.html#wp1055363
    Questions:
    1)How to add additional attributes to embedded LDAP? (eg email, phone etc).
    2)How to read those properties from embedded LDAP using WebLogic Portal API? Any code samples?
    Any help is appreciated.

    this problem is due to hard-coded user/pwd in installation scripts. Here are steps
    1) open file AIA_HOME/Infrastructure/install/wlscripts/FPWLCommonConfig.xml
    2) reach to target CreateStartupClasses
    3) there are three java tasks for com.oracle.oems.weblogic.AQJMSPasswordUtility
    4) in the task for oraesb, password is hardcoded as 'oraesb' in clear text.
    5) this should be password of 'ORAESB' database user.
    6) change this password value; and restart the installation.
    Regards,
    Vaibhav

  • Reading/Writing the "wpproperty" from portal LDAP

    Hi,
    We want to read/write the "wpproperty" from portal LDAP. I found the code for EP60.
    IUser user = request.getUser();
    String itar[] = user.getAttribute("com.sap.security.core.usermanagement","wpproperty");
    newUser.setAttribute("com.sap.security.core.usermanagement",
    "wpproperty", value);
    Does anybody have an example for EP50 code?
    Kind regards,
    Onno

    I think the answers you got over here (http://forum.java.sun.com/thread.jsp?thread=524137&forum=54) were excellent. You should now know that Java is a terrible language for this kind of thing. You would be much better off with some kind of a native language like C++. Even then, you are going to have to get heavily into the internal Windows system to get what you want from another application and I can't even imagine what you would have to go through to get it out of IE.
    Anyway, I doubt you are going to find what you are looking for in the 'New To Java Technology' forum. You might be able to find something like this if you found a 'Hacker Forum' with people on it who had spent the time to find out how to steal information from other programs (probably at least a couple of years) and didn't mind if they got involved with someone who might be talking to the FBI shortly.
    Your only other option would be to spend the year or two it would take you to learn enough to do it yourself.
    Good Luck.

  • How can I get properties from my ldap server?

    urgent,I don't know
    how to use the getproperties to get the properties
    from ldap server,anyone help?

    Hi Kevin,
    You could write a portlet that uses the <um:getProfile> and
    <um:getProperty> tag (
    http://edocs.bea.com/wlp/docs40/p13ndev/jsptags.htm#1058056 )
    Or you can do an easier test that requires no coding: If you use the EBCC
    to create metadata about your ldap property set, then you can use the JSP
    portal admin tool to see your LDAP properties for a user. I think if you go
    through the UUP example on dev2dev.bea.com it has instructions for doing
    this with a UUP. Basically, create a property set (a.k.a. "user profile")
    named "ldap" in the EBCC and create properties that match the ones you want
    to retrieve ("telephoneNumber", etc...CASE SENSITIVE). Then access the JSP
    portal admin tool. If you are not using the LDAPRealm as your alternate
    security realm then create a user that you know exists in LDAP and then hit
    the link for the user and search the "ldap" property set and you will see
    their property values. If you are using the LDAPRealm for authentication,
    then this is not a ManageableRealm so you cannot create users (they are
    managed in your LDAP server). So, if you are using the LDAP realm, just
    create the "ldap" property set in the EBCC and go to the user mgmt tools in
    the JSP admin tools and you will see your user. Then search the "ldap"
    property set for your user and you will see the property values.
    Ture Hoefner
    BEA Systems, Inc.
    www.bea.com
    "Kevin" <[email protected]> wrote in message
    news:[email protected]...
    >
    Hello,
    We're trying to retrieve an arbitrary profile and its attributes from
    a Novell NDS ldap server. I've configured the ldapprofile.jar as
    described in the portal doc:
    http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824
    but the article doesn't go on to describe how to use the configuration
    to actually access the properties.
    I'm unsure as to how to use the com.bea.p13n.usermgmt.profile.ldap
    package to retrieve the information I need.
    Is there some step by step instructions to achieve this as well as
    some sample code to run in a jsp to test this functionality?
    Thanks for any help.
    Kevin
    Ture Hoefner <[email protected]> wrote:
    Hi Eric,
    The LdapPropertyManager handles that for you. All you have to do is
    deploy it. (I'm talking about Portal 4.0). See the docs at "Accessing
    Properties from an LDAP Server" (
    http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824 )
    You will need to deploy the LDAPPropertyManager EJB, located in
    ldapprofile.jar. It is shipped with the product in
    <wlportal4.0-install-dir>/lib/p13n/ejb/ldapprofile.jar.
    Eric Nie wrote:
    urgent,I don't know
    how to use the getproperties to get the properties
    from ldap server,anyone help?
    --
    Ture Hoefner
    BEA Systems, Inc.
    2590 Pearl St.
    Suite 110
    Boulder, CO 80302
    www.bea.com

  • Integration of CC&B and SunOne LDAP v3

    Hi,
    I am new to CC&B. I have been requested to investigate how to configure CC&B (on top of Weblogic server) to integrate with SunOne LDAP. Could anyone please help.
    Thank you.
    Best regards,
    Jeff

    Hi again,
    just to precise that i do not currently possess access to metalink. I know that there is metalink note 774783.1 that explains how to do it. So if you could please help explaining it to me by this forum, it will be greatly appreciated.
    Thank you.
    Best regards.

  • How to transfer passwords from Oracle DB into OID?

    We need to find a way to move our users' passwords into OID. We will use OID with Oracle SSO and we wish to consolidate our passwords so that the users only have one (they currently log in to forms against their DB username/password). Also, going forward we would like for OID users' passwords to be synchronized with the DB passwords. We are already planning to use LDIF/ldapadd to add username/roles from the DB to OID and we did not see any way to get passwords in from this.

    Database authentication (database) and Web authentication (OAM) are different things. The good thing is that nowadays there are ways of integrating Web authentication with database authentication.
    How this integration will be done totally depends on your requirements and current technologies/applications. There are a lot of different ways of propagating user credentials from application server to database. So you have to understand the whole picture to get to a conclusion of which implementation is best for your case.
    There is no way of giving you a direct response without knowing your requirements and current situation. So I would suggest you to look at a few database concepts (EUS, client_identifier) to get a better understanding of what you could be using.

  • Using Spamassassin With The SunONE LDAP Server

    Has anyone out there integrated SpamAssassin with the SunOne LDAP server?
    Thanks,
    AFR

    Thx man, now I have my SpamAssassin working with my ims server.
    I have installed:
    SpamAssassin Versin 3.0.2
    running on Perl version 5.8.2
    ims version 5.2 p2
    I have just some problems.
    First, I can't add or change header information of the message identified as spam. I have set my option.dat file as here:
    Brightmail_string_action=data:,require ["addheader"]; addheader "Spam-test: $U";
    and here is my spamassassin.opt config file:
    host=127.0.0.1
    port=783
    mode=1
    verdict=spam
    debug=1
    I have tried all combinations of mode=1, mode=0, ... and all combinations of brightmail action (require "header", require [header] ...) but it doesn't work :(
    The only action that works is the fileinto action. I made it in my option.dat file like this:
    Brightmail_string_action=data:,require "fileinto"; fileinto "spam";
    That worked very well, but I prefer to change the subject of the message rather than file it into a separate folder.
    Last thing, it will be really great if you can tell me how I can add/remove email addresses/domains to a blacklist/whitelist. What I have tried is with the spamassassin command:
    # spamassassin --add-adr-to-black-list=*@promo.co
    and of course many other combinations.
    Thanks in advance.

  • How to retrieve null-valued attributes from a LDAP server?

    (I posted this in the ES board but then thought this is more of a programmer's question, sorry for the duplication).
    I am using JNDI api to do search operations on a Java Directory Server( part of SunOne).
    However, I found all the attributes that do not have values are automatically filtered out from the search result.
    // Needs: import javax.naming.NamingEnumeration; import javax.naming.directory.*;
    NamingEnumeration answer = ctx.search(ctxName, filterExpr, cons);
    while (answer.hasMore()) {
        SearchResult sr = (SearchResult) answer.next();
        Attributes attrs = sr.getAttributes();
        // List the attribute IDs present on the returned entry
        for (NamingEnumeration ne = attrs.getIDs(); ne.hasMore();) {
            System.out.println("ids:" + ne.next());
        }
        System.out.println("-------------------------------------------------------");
        // Print every returned attribute with each of its values
        for (NamingEnumeration ae = sr.getAttributes().getAll(); ae.hasMore();) {
            Attribute attr = (Attribute) ae.next();
            System.out.println("attrName:" + attr.getID());
            //System.out.println("attribute: " + attr.getID());
            NamingEnumeration e = attr.getAll();
            while (e.hasMore()) {
                System.out.println("  attrVal:" + e.next());
            }
        }
    }
    Is there anything I did wrong here?
    Here are a couple of things I noticed,
    1. in a Softerra LDAP browser, those no-valued attributes are not present either. But in JXplorer, I can see the full list that includes the attributes that do not have a value.
    2. I had Schema disabled in the server console.
    Thank you in advance.

    There are only two ways to read data from Directory Server:
    1. a. just fetch the entry
    b. display the content
    2. a. fetch the entry
    b. parse the entry and figure what object classes it is of
    c. lookup each object class definition in the schema and retrieve the attribute list
    d. combine the attributes of the entry with all the "possible" attributes of its object classe(s)
    e. display the content
    Here's for an easy example we can relate to:
    I have the following entry in my DS
      cn=the_duuuuuude,dc=forum,dc=sun,dc=com
      objectClass: person
      cn: the_duuuuuude
      sn: arnaud
    If you use method 1, you will get just what is stored in the db. That is:
      cn=the_duuuuuude,dc=forum,dc=sun,dc=com
      objectClass: person
      cn: the_duuuuuude
      sn: arnaud
    If you use method 2, you will get:
      cn=the_duuuuuude,dc=forum,dc=sun,dc=com
      objectClass: person
      cn: the_duuuuuude
      sn: arnaud
      description:
      seeAlso:
      telephoneNumber:
      userPassword:
    because when you looked up the 'person' object class you got this:
      objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
    Now the important thing to note is that physically in the database, the attributes description, seeAlso, telephoneNumber and userPassword are NOT stored. It's not that they have a 'null' value. They're just not there. It doesn't stop you from looking up the schema.
    Optimally, in your client, you would fetch the whole server schema and cache it so you have to do the extra round trip for every entry you process.
    The difference you observe with various LDAP browsers might simply be that one uses method 1 and the other method 2.
    Hope this helps wrap your mind around this.
    -=arnaud=-
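
Method 2 from the answer above, as an added example that is not part of the original thread: it parses `objectClasses` values in the quoted format, caches them, and merges the allowed attributes into a stored entry. The `top` and `organizationalPerson` definitions are shortened constructed samples, all function names are hypothetical, and the SUP-chain walk goes one step beyond the single-class case in the post.

```python
import re

# Constructed schema values in the "objectClasses: ( ... )" format quoted above.
# 'person' is the definition from the post; 'top' and 'organizationalPerson'
# are shortened sample definitions added to exercise the SUP chain.
SCHEMA_LINES = [
    "objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' "
    "SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ "
    "userPassword ) X-ORIGIN 'RFC 2256' )",
    "objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person "
    "MAY ( title $ ou $ l ) )",
]
# The entry from the post, as a plain search returns it (method 1).
ENTRY = {"objectClass": ["person"], "cn": ["the_duuuuuude"], "sn": ["arnaud"]}

_TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

def _name_list(tokens, i):
    """Read one name or a '( a $ b )' list at tokens[i]; return (names, next)."""
    if tokens[i] != "(":
        return [tokens[i]], i + 1
    names, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            names.append(tokens[i])
        i += 1
    return names, i + 1

def parse_object_class(line):
    """Parse one objectClasses value into its name, SUP, MUST and MAY lists."""
    body = line.split(":", 1)[1] if line.lower().startswith("objectclasses:") else line
    tokens = _TOKEN.findall(body)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not an objectClass description: %r" % line)
    oc = {"name": [], "sup": [], "must": [], "may": []}
    i = 2  # skip "(" and the numeric OID
    while i < len(tokens) - 1:
        key = tokens[i].lower()
        if key in oc:
            values, i = _name_list(tokens, i + 1)
            oc[key] = [v.strip("'") for v in values]
        else:
            i += 1  # DESC, ABSTRACT/STRUCTURAL, X-ORIGIN and their values
    return oc

def load_schema(lines):
    """Build a lower-cased class-name cache: fetch the schema once, reuse it."""
    cache = {}
    for line in lines:
        oc = parse_object_class(line)
        for name in oc["name"]:
            cache[name.lower()] = oc
    return cache

def allowed_attributes(schema, class_name, seen=None):
    """Return (must, may) for a class, including what its SUP chain adds."""
    seen = set() if seen is None else seen
    key = class_name.lower()
    if key in seen or key not in schema:
        return [], []
    seen.add(key)
    must, may = [], []
    for parent in schema[key]["sup"]:
        p_must, p_may = allowed_attributes(schema, parent, seen)
        must, may = must + p_must, may + p_may
    return must + schema[key]["must"], may + schema[key]["may"]

def expand_entry(entry, schema):
    """Method 2: stored attributes plus each schema-allowed one, left empty."""
    view = {name: list(values) for name, values in entry.items()}
    present = {name.lower() for name in entry}
    for oc in entry.get("objectClass", []):
        must, may = allowed_attributes(schema, oc)
        for attr in must + may:
            if attr.lower() not in present:  # allowed by schema, not stored
                view[attr] = []
                present.add(attr.lower())
    return view

if __name__ == "__main__":
    for name, values in expand_entry(ENTRY, load_schema(SCHEMA_LINES)).items():
        print("%s: %s" % (name, ", ".join(values)))
```

An empty list in the result means the schema permits the attribute but the entry does not store it, which is the distinction the answer draws for `userPassword` and the other MAY attributes.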

  • LDAP and OID

    FYI: I am new to Oracle (<1 month), and new to APEX (<3 weeks) so forgive me if I am asking the obvious.
    I would like to have APEX authenticate against LDAP (active directory), and went about trying to set that up. Got all AD settings from our sys admin, and then tried them in the LDAP test tool. I kept getting " Authentication failed!" no matter what I did. Due to the detailed nature of that error message, I started trying to track down every possible avenue so I talked to one of our DBA's about DBMS_LDAP.SIMPLE_BIND_S. The answer I got back was that we don't have access to it because it is part of OIN which we would have to pay outrageous amounts of money for if we wanted to use it. Not likely to happen, so I was hoping that there was another way to authenticate APEX via LDAP.
    Any suggestions would be most helpful.

    John - DBMS_LDAP is not part of OID so you can use it as part of your existing database product installation. Search this forum for LDAP and AD and you'll find lots of discussions about what you are trying to do.
    Also, just to clarify, you're not trying to authenticate Application Express using AD, you'll be authenticating users to your application (essentially a PL/SQL application in the database) using account information stored in AD. The authentication code that gets executed will belong to your application.
    Scott

  • OIM 11g LDAP sync from different LDAP containers

    Hi,
    I have been setting up OIM 11g R2 (11.1.2) to use LDAP Sync to OID.
    As of now the sync works (both ways) for this container:
    cn=users,cn=oracleAccounts,dc=mycompany,dc=com (configured while doing the OIM config)
    Would it be possible to sync users in other containers as well? For example:
    cn=users,cn=otherAccounts,dc=mycompany,dc=com
    cn=users,cn=moreAccounts,dc=Otherstuff,dc=com
    By editing the file LDAPContainerRules.xml I can setup where the users are created when I create them through IDM.
    But that will not make the sync work for those containers.
    Any ideas where I should start to accomplish the above?
    Thanks & Regards,
    Henrik

    Okay, I think I have found an answer to how to sync users from different OU:s in my OID to different OIM organizations.
    Hopefully this will help others.
    We can use a PostProcess Event handler like this:
    1. Implement the method --> public BulkEventResult execute()
    This is used during recon actions.
    2. Get the user hashmap with attributes and set the "act_key" value with the OIM organization's ID.
    You also need to build the logic to fetch the user's "LDAP DN", which is also fetched from the map.
    From that attribute we can decide which Organization to put the user in.
    This is the best solution we have found yet..
    Docs & tips:
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#CCHFBGAA
    http://fusionsecurity.blogspot.se/2011/09/oim-11g-event-handler-example.html (thank you Daniel Gralewski)
    Regards,
    Henrik
