Can Active Directory authenticate to the APEX development environment

Similar Messages

• Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

  Hello Community
      "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
  domain controller using Active Directory and the UI.
      In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
  forest trust with Forest-Wide authentication so that a different forest user(s) or
  group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
      But also forestB needs to create a "One-way, Incoming" forest trust so that
  I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
  in my "forestA" or I can
   add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
      The problem is that when I right click  the global group in my forestA  and then
  properties, when I click "Members" and then the "Add" button when I type
  "forestB\username" I get an error message from Active Directory stating:
      "the following object is not from a domain listed in the Select location
  dialog box, and is therefore not valid: forestB\username".
      Am I doing something wrong when creating the one-way trust in my
  “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
      Or could I possibly need to select "Change Domain" or "Change Domain Controller"
  before adding the users or Groups to my forestA from forestB?
      That is why I am asking
   how do you add an Active Directory user from one forest into another forest?
      Thank you
      Shabeaut

  Hello Denis Cooper
      That is the end result.
      What I was trying  to do was that I was trying to
   bring in the user(s) and group(s) from “forestB”  into
  my “forestA”  Global group.
      Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
   into the domain local groups  on my member servers in my forestA.
      So since the error message is:
  "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
  Does your response
   mean only Global group(s) from forestB not domain user(s) from forestB have
   to been added to domain local groups in forestA?
  Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
  how without getting the above error message?
  Thank you
      Shabeaut

• Can Active Directory be used with SmartView?

  Hi,
  I wanted to know if Active Directory be used with SmartView or is it essential to have Native Directory? We are using Active Directory for all user/group creation and Shared Services for provisioning. However, we are unable to provide access to SmartView using AD.
  We are seriously looking for a workaround here and I would appreciate any insight on the same. Please let me know how? This would be greatly helpful. Thanks.

  There is nothing special to get SmartView to authenticate with Active Directory.
  SmartView will be using Shared Services to authenticate. Shared Services must be configured to communicate with Active Directory and your user id's in Native Directory and Active Directory should be different. If for instance you had two user names that were the same, it will prefer one directory over the other depending on your configuration.
  Regards,
  -John

• Active Directory authentication works in apex 3.2 - fails in apex 4.0.2

  I'm attempting to implement an AD authentication function which works for many of our apex 3.2 based apps in a 4.0 based one (both versions of apex installed in 10.2.0.4 DB) and it fails with this error -
  h4. ORA-01400: cannot insert NULL into ("APEX_040000"."WWV_FLOW_USER_ACCESS_LOG2$"."SECURITY_GROUP_ID") ERR-10480 Unable to run authentication credential check function.
  h5. Location: f?p=128:101:3059364335985257&notification_msg=Invalid%20Login%20Credentials/BC024DDF77AEE643E81F807FB74C83E6/
  I'm having trouble researching this issue as all the links for OID/DBMS_LDAP documentation at oracle.com are broken on http://www.oracle.com/technetwork/documentation/oid-089101.html
  I've read similar threads in the forum but either did not clearly understand the prescribed suggestions or did not ascertain I was experiencing the same issue.
  I've tested the function in the apex 4.0/10.2.0.4 schema using SQL Developer and the function works fine at this level so I have to presume something fundamental changed in the way apex implements authentication.
  Any suggestions as to a cause/resolution? My AD authentication function code follows;
  create or replace
  FUNCTION        "STRAININTEREST_AUTH_AD" (
        p_username IN VARCHAR2,
        p_password IN VARCHAR2 )
      RETURN BOOLEAN
    IS
      l_ldap_user   VARCHAR2 (256);
      l_ldap_base   VARCHAR2 (256) := 'DC=domain,DC=org';
      l_ldap_server VARCHAR2 (256) := 'adhostname.domain.org';
      l_ldap_port   NUMBER         := 389;
      l_domain      VARCHAR2 (256) := 'domain.org';
      l_retval      PLS_INTEGER;
      l_session     DBMS_LDAP.SESSION;
      l_attrs       DBMS_LDAP.string_collection;
      l_message     DBMS_LDAP.MESSAGE;
      l_entry       DBMS_LDAP.MESSAGE;
      l_vals        DBMS_LDAP.string_collection;
      l_dn          VARCHAR2(256);
      l_attr_name   VARCHAR2(256);
      l_ber_elmt    DBMS_LDAP.ber_element;
      l_org_unit    VARCHAR2(256) :='CN=GRP-StrainInterestApex_Users,OU=Domain_Local,OU=Groups,DC=domain,DC=org';
      l_org_unit_test VARCHAR2(2) := 0;
      attr_index    PLS_INTEGER;
      entry_index   PLS_INTEGER;
    BEGIN
      l_ldap_user             := p_username || '@' || l_domain;
      l_session               := DBMS_LDAP.init (l_ldap_server, l_ldap_port);
      l_retval                := DBMS_LDAP.simple_bind_s (l_session, l_ldap_user, p_password);
      DBMS_LDAP.use_exception := TRUE;
      l_attrs (1)             := '*';
      l_retval                := DBMS_LDAP.search_s ( ld => l_session, base => l_ldap_base, scope => DBMS_LDAP.scope_subtree, filter => '(sAMAccountName='||p_username||')', attrs => l_attrs, attronly => 0, res => l_message );
      l_entry                 := DBMS_LDAP.first_entry ( ld => l_session, msg => l_message );
      l_dn                    := DBMS_LDAP.get_dn(l_session, l_entry);
      WHILE l_entry IS NOT NULL
      LOOP
        l_attr_name       := DBMS_LDAP.first_attribute(l_session,l_entry,l_ber_elmt);
        attr_index        := 1;
        WHILE l_attr_name IS NOT NULL
        LOOP
        BEGIN
          l_vals := DBMS_LDAP.get_values (l_session, l_entry,l_attr_name);
          exception
             when others then
                null;
        END;
        if l_vals.COUNT > 0 then
          FOR i IN l_vals.FIRST..l_vals.LAST
          LOOP
            IF l_attr_name = 'mail' THEN
               APEX_UTIL.SET_SESSION_STATE('F111_USER_EMAIL',l_vals(i));
            END IF;
             --DBMS_OUTPUT.PUT_LINE('ATTR  IS: '||l_attr_name);
             --DBMS_OUTPUT.PUT_LINE('VALUE IS: '||l_vals(i));
            IF l_vals(i) = l_org_unit THEN
              l_org_unit_test := 1;
            END IF;
          END LOOP;
          end if;
          l_attr_name := DBMS_LDAP.next_attribute(l_session,l_entry,l_ber_elmt);
          attr_index  := attr_index+1;
        END LOOP;
        l_entry     := DBMS_LDAP.next_entry(l_session, l_entry);
        entry_index := entry_index+1;
      END LOOP;
      l_retval          := DBMS_LDAP.unbind_s (l_session);
      IF l_org_unit_test = 0 THEN
        RETURN FALSE;
      END IF;
      RETURN TRUE;
    EXCEPTION
    WHEN OTHERS THEN
      l_retval := DBMS_LDAP.unbind_s (l_session);
      RETURN FALSE;
    END STRAININTEREST_AUTH_AD;

  DOH. Too much copy/paste.
  In my code, I was setting an application variable to contain the email address I was retrieving from AD. Once commented out, it worked fine.
            IF l_attr_name = 'mail' THEN
               APEX_UTIL.SET_SESSION_STATE('F111_USER_EMAIL',l_vals(i));
            END IF;

• Removing Exchange 2007 from SBS 2008 (In an Exchange 2010 Coexistance Scenario) - In order to remove 2007 Mailbox Objects from Active Directory and remove the SBS2008 server completely

  I'm trying to remove Exchange 2007 from an SBS 2008 server
  (Server 2008 Standard FE).  My ultimate goal is to completely remove the SBS 2008 Server from the network environment.
  We have an Exchange 2010 Coexistence Scenario and Mailboxes/Public Folders/etc have been moved over to the 2010 mail server, on Server 2008 R2.
  I have moved all Shares, FSMO roles, DHCP, DNS, etc over to their respective servers.  We have two full blown DC's in the environment.
  I'm ready to remove Exchange 2007 from SBS 2008 and DCPROMO the server.  I can NOT seem to find a TechNet article that shows me how
  to proceed in this kind of scenario.  I am trying to use the TechNet article:
  http://technet.microsoft.com/en-us/library/dd728003(v=ws.10).aspx
  This article references Disabling Mailboxes, Removing OAB, Removing Public Folder Databases, then uninstalling Exchange using the Setup Wizard. 
  When I go to Disable Mailboxes I get the following error:
  Microsoft Exchange Error
  Action 'Disable' could not be performed on object 'Username (edited)'.
  Username (edited)
  Failed
  Error:
  Object cannot be saved because its ExchangeVersion property is 0.10 (14.0.100.0), which is not supported by the current version 0.1 (8.0.535.0). You will need a later version of Exchange.
  OK
  I really don't see why I need to Disable Mailboxes, Remove OAB and Public Folder Databases since they have been moved to 2010.  I just want
  to remove Exchange 2007 and DCPROMO this server (actually I just want to remove any lingering Exchange AD Objects referring to the SBS 2008 Server, using the easiest and cleanest method possible).
  Can someone point me in the right direction?
  Thanks!

  Hi,
  Based on your description, it seems that you are in a migration process (migrate SBS 2008 to Windows Server
  2008 R2). Now, you want to remove Exchange Server and demote server. If anything I misunderstand, please don’t hesitate to let me know.
  On current situation, please refer to following articles and check if can help you.
  Transition
  from Small Business Server to Standard Windows Server
  Removing SBS 2008 –
  Step 1: Exchange 2007
  Removing SBS 2008 – Step 2:
  ADCS
  Removing
  SBS 2008 – Step 3: remove from domain / DCPROMO
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  Hope this helps.
  Best regards,
  Justin Gu

• Can I get the Mac address in Audit logs of Active directory server for the user's machine which connect to the network/Domain

  Hello All,
  I am trying to get the information of all the user's who connect to our Domain network by signing in using the domain account. For this I am using the Windows audit group policies ( I am not sure of there is any other way). I can see when the user tries
  to login to the network there is a audit event created on the AD/DC server. I can see the Kerberos authentication and logon/logoff events in the audit events under event viewer.  
            However the info which is being populated in these events include :- Hostname, IP address, Username and so on... But I can't see the MAC address of the user machine/system. Is there any way I can
  get the Mac address of the endpoint system as its one of the important criteria for our project.
  Any inputs on this would be appreciated, incase if there is any other way other than group policies please suggest.
  Thanks,
  Kavish

  > include :- Hostname, IP address, Username and so on... But I can't see
  > the MAC address of the user machine/system. Is there any way I can get
  > the Mac address of the endpoint system as its one of the important
  > criteria for our project.
  If you use DHCP, you can query the DHCP server. There's no builtin
  method to get the MAC address directly.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Reading and Updating MS Active Directory (AD) through Oracle APEX

  Hi All,
  Has anyone ever read and update the AD components using Oracle APEX?
  I know we can have APEX build in LDAP Authentication, but that is for the Authentication, what about reading other attributes like phone no., department, office etc. from MS AD; and about updating the same information.
  Is Oracle Identity Management the only solution?
  Windows 2008 R2 Server provide SOAP based AD web services (ADWS), has anyone used that with APEX (11g R2 with EPG configuration)?
  Is it possible to have a C# code (through external procedure) which could read and write MS AD; can we use only "C" code in oracle as external proc or C# as well?
  Any pointers would be of great help.
  Thanks,
  Ash

  Ash,
  It's possible to query data from the LDAP server, but it's not as easy as you'd like. I don't know about updating, but fopr querying, you're looking at creating a package using DBMS_LDAP and a pipelined function to get the data. Here's one example from a quick google search; there are others.
  One thing to be aware of that burned me: the default LDAP setting limits requests to 1,000 records. If your search gives more than that, you get an error (and no data at all). So you may find yourself having to use unions to get the full data, which slows things down a bit.
  -David

• Unable to see Active Directory Groups in the User Profile Database after Profile Import

  ***Major Update - I have finally been able to get the direct attention of the folks responsible for the User Profile Service on the SharePoint Product Team.  Long story short, they have reproduced the error and identified as an actual mistake
  that needs to be fixed, so it is now officially in the bug pipeline and will be fixed.  The current estimate is some time in the summer.  They will keep me updated with timeframes, which I am allowed to share as time goes on.
  SharePoint Server 2010 Enterprise RTM. W2K8R2 w/multi-server setup:
  AD/DNS
  SQL 2008
  WFE
  APP
  Claims Mode Web App only using Windows Integrated Auth
  So, this was never a problem in 2007, and I didn't even realize it was a problem in 2010 until I started to build a solution that utilized my blog article:
  InfoPath - User Roles in Browser-Enabled Forms Using AD Groups.  I went to utilize the same web method of the same web service, but I noticed that no data was showing up at all.  Typically,
  the GetUserMembership/GetCommonMembership methods return the specified user's memberships: AD Security Groups, AD Distribution Lists, and SharePoint Sites (not SharePoint Groups, though).
  My user profile sync is working.  All AD users are pulled in with the proper profile data.
  "Users and Groups" is selected in the Synchronization Entities section of my Sync Settings.
  Security groups are working for permissions and audience targeting.  Confirmed my users are affected properly by the use of Security Groups.
  My query to the GetUserMemberships web method (and GetCommonMemberships) is running (not failing), but it's not returning anything even though my user is in some Security Groups and has explicit membership to multiple sites.
  The GetUserProfileByName method of the same UserProfileService.asmx web service
  returns all the regular profile data like expected, so the web service works and my profile database is populated
  Basically, I'm not seeing my AD groups or any membership data populated in the profile database.  I did use MIISCLIENT.exe to see what I could find, and here is what I saw:
  Using the Metaverse Search, I searched for the "person" type and saw all of the users in my profile sync connection (single OU)
  Using the same tool, I searched for the "group" type and saw nothing, but the message said 4 items were retrieved
  I realized that the only column showing was displayName, and they were blank, so I added other columns to be sure
  objectGUID, objectType, distinguishedName all showed values, and I could now see all the Security Groups from the OU where I'm doing my profile sync
  My "person" objects all have displayNames showing but none of the groups do.  In SharePoint, the GetUserMemberships method relies on displayName and accountName, but neither are coming through the profile import
  So, it does seem like the groups are coming in with the profile import, but I can't see them.  I also can't verify that the groups are being associated with my users in the profile database, because doing a query to the membership methods returns nothing...not
  even blank rows.
  ***Edit:  New information!  Regular AD Distribution Lists _do_ work properly.  I just never bothered testing them until folks on my blog notified me.  DLs come through the profile sync, are visible in the profile database, and show up
  when using the GetUserMemberships method.
  ***Edit: Ok, now we're getting somewhere.  I checked my last profile sync with the MIISCLIENT, and this is what I found:
  Here are the properties of my Distribution List:
  Here are the properties of my Security Group:
  Notice that the groupType value of the DL is a normal integer (2), but the groupType value of the SG is some crazy negative number.  Both types are still lacking DisplayNames for some reason, but when I retrieve the DL via GetUserMemberships, it DOES
  show the proper DisplayName despite nothing showing in the MIISCLIENT.
  SharePoint Architect || Microsoft MVP ||
  My Blog

  Hello Clayton,
  I have same problem with SP 2010 and now I am testing SP 2013 and seems that the problem still.aa
  Probably I have some configuration problem, but all seems work, except this.
  SharePoint 2013 has no improvements on this. Until seeing this thread, I thought it was an issue within my farm configuration or AD Service account for User Profile Sync. And I've dug far and wide for any other possible settings which would prevent users
  from populating in the site people-picker. This might be flagged as off-topic, but I'll beg differ. How can I expect SharePoint to retrieve AD Users and Groups for accuracy in the sites which rely on this server??? Frustrating. I've spent hours and days on
  this! I have 3 SP2013 farms with multiple clients (different OU's/containers and security groups). Testing in a separate QA DEV farm with the same config. NO luck yet!
  This is where I'm at with it (posted this as a question recently on SharePoint Stack Exchange):
  "Help.... Please.... Users from AD groups are not populating in the site people picker. I've set up a SharePoint 2013 site collection permissions group with only AD groups in it, no users added directly. Whether or not I give this SharePoint group permissions
  to the site content, I still get none of the AD users showing up in the people picker. I have done the iisreset after adding the groups.
  I've checked all of the people picker properties in stsadm to be sure there are no constraints in effect on the web app or site collections.  User profiles are synching and I've tried both AD import and User Profile Sync.  The AD groups are security
  groups, though not email-enabled.  The AD service account has all the special permissions. My web app is claims based. My app pool runs with Network Service account.  No policies in place to restrict users, checked CA and the site collection settings.
  What am I missing? I've read in multiple places that this is a supported/working config. So why can't I get these users to populate in people picker for things like Assigned To in a tasks list, or attendees of an event? "
  There is some pretty good insight here, but no real hope:
  User profile
  synchronization: importing users and security groups in SharePoint 2010
  Other Properties that I checked, before realizing this was an issue with the Profile Import...
  stsadm -o getproperty -pn siteuseraccountdirectorypath -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-activedirectorysearchtimeout -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-distributionlistsearchdomains -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-onlysearchwithinsitecollection -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-searchadcustomquery -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-searchadforests -url https://URL
  stsadm -o getproperty -propertyname peoplepicker-serviceaccountdirectorypaths -url https://URL
  Hope we find a better answer, as it IS very misleading. User Profile Import specifies Users, or Users and Groups. Nothing is said about Containers or Distribution Groups, worse yet there lacks any clear disclosure about how "Groups" will not
  actually import if they are a Global Security Group and the users contained within them exclusively will NOT be included in your profiles,
  nor in any compiled Audiences. Which was another BIG bummer!
  I'm hoping to see future improvements on the Group imports.

• Re: Scaling up the Express Development Environment

  Paul,
  We have two BM's and two AM's.
  We had two full-time developers and 2 part-time.
  BM1: 25 classes
  BM2: 8 classes
  AM1: 65 windows
  AM2: 22 windows
  2-3 classes in each BM had to be duplicated becauses of the problem that
  you mentioned.
  What we did to make the AM's and BM's more accessible was to create a
  workspace in which the changes to the models would be made and the
  classes re-generated and integrated but no other development was done. This way, a user
  that needs to create a new class or window can be in and out of the workspace
  in a relatively short period of time. The user then updates his own workspace
  to get the changes created by the changes/additions to the models. Otherwise,
  if a user checks out an AM and BM in their own workspace, makes the changes
  and then continues to customize the windows, it may take a while before they
  integrate and allow others to check the models out. In your case, you may want
  to create a workspace for each AM/BM pair. You may also want to create a script
  to update the workspaces of each of your users and force a compile on each workspace
  on a nightly basis to reduce the amount of time wasted during the day updating and compiling. Another
  thing we did to decrease wasted time waiting for updates, integrates and compiles was
  to have each user create multiple workspaces(2-3) dedicated to different areas of
  development so that while one workspace was busy updating, compiling etc..., they
  could continue developing in another. This will increase the size of your repository
  but disk space is cheap! Also, make sure everyone creates a shadow repository on their
  machine to reduce hitting the main repository.
  Hope this helps.
  Peter Kelly
  [email protected] wrote:
  >
  I'd like to get some opinions on the best way to handle medium to large scale
  Express development. By this I mean more than 2 teams working concurrently on
  applications that have dependencies.
  The scenario:
  BM - business model
  AM1 - application model that uses subset of BM1
  AM2 - application model that uses subset of BM1 and windows from AM1
  Team1 - will enhance AM1 during month 1-6
  Team2 - will enhance AM2 during month 1-12, incorporating the work from Team1
  Both teams wish to change the business model. Does it make sense to split the
  model up? Express doesn't provide a mechanism for linking business models. If
  you define a class in BM1, you can't draw an association to it from BM2.
  Therefore the generated windows will not be able to reference the object as the
  association is not defined. You could duplicate the classes that are common to
  both (Forte Technical Support recommends this) but redundancy is never a good
  thing. Something would probably have to be done to get the services coordinated
  for load balancing, transaction mgmt of aggregate updates, etc.
  It is possible to link application models together (window in AM2 linked to
  window in AM1) but the link invokes only the defined start window of AM. You
  can get around this for lookup links and command links by defining a proxy
  window and overriding the link code to instantiate a window of the correct
  type. Alternatively you can change the super class of the window to point to
  the correct class. Any additional customizations (additional links, folders,
  etc.) that were defined in the original base window will be lost. What appears
  to be much more difficult is adding an additional folder to a window that is
  defined in another application model. Ideally in AM2 you would define a link to
  a window in AM1 that inherited all the folders etc defined in AM1 plus any
  additionally defined in AM2 (sounds like something an OO tool should do).
  Of course, there is nothing in Forte that would prevent you from doing this
  yourself. However Express relies a lot on code generation rather than reusable
  classes so you would have to duplicate a lot of code and window widgets to
  achieve this. I would like to see Express evolve away from code generation. To
  do that Forte would probably need to become more dynamic. Then Express could
  have create an ExpressWindow class that could dynamically register as a folder
  window in any parent without the need for a static declaration in the
  application model.
  Even if all the technical issues are solved you still have to deal with all the
  configuration mgmt issues involved in doing concurrent development. With
  everyone wanting to change the models you need some form of version control. A
  simple mechanism is to have multiple repositories and do a periodic manual
  merge of the models.
  I'd be interested in hearing how other groups are handling this. Any comments
  or suggestions are welcome. Thanks.
  Paul Krinsky
  Price Waterhouse--
  ____ \ / ____ CrossKeys Systems Corporation
  ___ \ X / ___
  \ X X / Crosskeys Centre Peter Kelly
  X X X 350 Terry Fox Drive Software Designer
  ___/ X X \___ Kanata, Ontario
  ____/ X \____ Canada K2K 2W5 [email protected]
  _____/ \_____ (613) 591-1600 Ext. 8247

  Split the business model, and duplicate the classes.
  If you think of a business class the same way you think of and deal with
  views, it will make accepting the redundancy more palatable. A view is a
  virtual table created to support an application's "view" of a table or set
  of tables. The BM business class is a similar conceptual object. Actually,
  it is often useful to map a BM class to a declared view (if your update
  requirements and your DBMSs view update capabilities permit). Using views
  also allows you to map several business classes to the same table, which
  Express normally would not allow you to do.
  The issue of which tables should be in which business model is a schema
  partitioning issue. For a small database (say five tables), even if you
  have a hundred apps, the problem won't arise. You simply have one BM for
  all the apps. For a very large database (say 300 tables), but very simple
  apps (one or two tables) the problem still won't arise. You simply have one
  BM for each app with the one or two tables the app needs. For large
  applications on large databases the problem does arise. If you have a 300
  table database with a 1000 screen system (40-50 app models), the problem
  would arise, and would need a systematic clean solution. In such a system,
  you can follow a data-centered design, where you partition based on the
  data shared, which will lead you to a set of BMs that don't have duplicate
  tables. Or you would partition based on functionality (more likely to
  please the user community), in which case you would find that you would
  have to duplicate tables across BMs.
  Hope that helps.
  -Nabil
  At 04:49 PM 2/5/97 PST, [email protected] wrote:
  I'd like to get some opinions on the best way to handle medium to largescale
  Express development. By this I mean more than 2 teams working concurrentlyon
  applications that have dependencies.
  The scenario:
  BM - business model
  AM1 - application model that uses subset of BM1
  AM2 - application model that uses subset of BM1 and windows from AM1
  Team1 - will enhance AM1 during month 1-6
  Team2 - will enhance AM2 during month 1-12, incorporating the work from Team1
  Both teams wish to change the business model. Does it make sense to splitthe
  model up? Express doesn't provide a mechanism for linking business models.If
  you define a class in BM1, you can't draw an association to it from BM2.
  Therefore the generated windows will not be able to reference the objectas the
  association is not defined. You could duplicate the classes that arecommon to
  both (Forte Technical Support recommends this) but redundancy is never agood
  thing. Something would probably have to be done to get the servicescoordinated
  for load balancing, transaction mgmt of aggregate updates, etc.
  It is possible to link application models together (window in AM2 linked to
  window in AM1) but the link invokes only the defined start window of AM. You
  can get around this for lookup links and command links by defining a proxy
  window and overriding the link code to instantiate a window of the correct
  type. Alternatively you can change the super class of the window to point to
  the correct class. Any additional customizations (additional links, folders,
  etc.) that were defined in the original base window will be lost. Whatappears
  to be much more difficult is adding an additional folder to a window that is
  defined in another application model. Ideally in AM2 you would define alink to
  a window in AM1 that inherited all the folders etc defined in AM1 plus any
  additionally defined in AM2 (sounds like something an OO tool should do).
  Of course, there is nothing in Forte that would prevent you from doing this
  yourself. However Express relies a lot on code generation rather thanreusable
  classes so you would have to duplicate a lot of code and window widgets to
  achieve this. I would like to see Express evolve away from codegeneration. To
  do that Forte would probably need to become more dynamic. Then Express could
  have create an ExpressWindow class that could dynamically register as afolder
  window in any parent without the need for a static declaration in the
  application model.
  Even if all the technical issues are solved you still have to deal withall the
  configuration mgmt issues involved in doing concurrent development. With
  everyone wanting to change the models you need some form of versioncontrol. A
  simple mechanism is to have multiple repositories and do a periodic manual
  merge of the models.
  I'd be interested in hearing how other groups are handling this. Anycomments
  or suggestions are welcome. Thanks.
  Paul Krinsky
  Price Waterhouse
  ==================================================
  Nabil Hijazi Optimum Solutions, Inc.
  [email protected] 11654 Plaza America Drive
  Phone: (703) 435-3530 #501
  Fax: (703) 435-9212 Reston, Va 20190
  --------------------------------------------------

• [b]Hacking the APEX Builder IDE[/b]

  Hi,
  some may have already read it on my APEX blog, but for all the others which do not read my blog regularly.
  I have started to develop another small tool to increase the productivity of the APEX development environment. This time it's an enhancement for the APEX Builder itself, called APEX Builder Plugin.
  You can read more about it at
  http://inside-apex.blogspot.com/2007/02/hacking-apex-builder-part-3.html and
  http://inside-apex.blogspot.com/2007/02/hacking-apex-builder-part-1.html
  On the blog you will also find some videos demonstrating the features of the plugin.
  If you have some good ideas enhancing the plugin, let me know!
  Have fun using it
  Patrick
  Check out my APEX-blog: http://inside-apex.blogspot.com

  If you have some good ideas enhancing the plugin, let me know!
  Patrick: As always, great work! There are some areas in the Builder that definitely need some productivity enhancements. And Greasemonkey (and its CSS companion Stylish) are the ultimate "self empowerment" tools! Don't like something about a website, fire up GM and change it!
  [I am sure the APEX team is paying close attention and will incorporate some of these enhancements into upcoming versions of the product]
  My pet peeve is re-ordering columns on the Report Attributes page (4000:420). The up/down arrows introduced in 2.2 are a welcome enhancement over the earlier versions where every up/down incurred a page refresh, but re-ordering items in a list is a task that just has to be done via drag-and-drop! I agree with http://pages.citebite.com/x1q1a3g0v2ony
  What I usually do is just fire up the Javascript shell bookmarklet http://www.squarefree.com/shell/ from the page I need and type away, loading other JS libraries as needed.
  For this particular case, what I do is http://i9.tinypic.com/499ipsp.jpg
  Loading up those 3 Scriptaculous libraries and making the relevant TBODY a "Sortable" is all that is needed.
  Works like a charm, I can re-order the rows by dragging anywhere on the row. The visual feedback is not very intuitive (ghosting:false) but as per the Scriptaculous folks, this is a limitation with current browsers (that TABLE, TBODY, etc block elements are not able to be properly moved around the DOM). See http://pages.citebite.com/t1j1m3v0j1qwd
  After all the dragging and dropping is done, just call that "reorder_set()" function to reset the internal array before clicking Apply Changes. Works like a charm. Yes, that reorder_set() function should be called automatically via one of the "drag stop" callback hooks provided by the Sortable object, I tried using the onUpdate but it didn't quite work.
  [I tried doing this using the Interface plugin for the jQuery toolkit but it doesn't quite work right, see http://www.nabble.com/forum/ViewPost.jtp?post=7527146&framed=y for details]
  See if you can integrate this into your framework if you get a chance.
  Thanks

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Can you use *Active Directory* in *Linux* as a directory server?

  This is a simple question that I just couldn't find a straight answer to on Google, Oracle forums, Metalink, etc. ... when I use the Net Configuration Assistant on my Linux server, the only option that exists for Directory Usage Configuration -> Directory Type is Oracle Internet Directory. In Windows, however, OID and Active Directory appear as the available options. I can't find an obvious answer to whether AD will work in Linux as a directory option. Does it? If not, is there an add-on or option that I'm missing? Our company only uses Linux hosts for Oracle purposes, and only has Active Directory for directory usage.
  I was also thinking of tweaking ldap.ora and sqlnet.ora to utilize our Active Directory server(s), but I wasn't sure how to manually configure those. Is there a paper out there for more information on such a thing?
  My intention is to synchronize our users in Oracle with AD, so there will be no password and maintenance discrepancies. All of our other applications (Windows, websites, GUIs, etc.) authenticate against AD, and I wanted to tie Oracle in to wrap up user maintenance up in a nice, neat package.
  Thanks ahead of time.

  Any thoughts on this? I'm kind of bumping it back to the top, because I still can't find any definitive evidence regarding this anywhere on the 'net. Am I phrasing something in a hazy manner? Is there something I can clarify?
  Thanks.

• What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

  We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
  What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
  Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
  This was the error message we were receiving on 10.7 clients before it magically started working:
  In any case, authenticating as an AD user is still no go.  Any ideas?

  I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

• Saving the password of a user in active directory using java

  Hello, i am trying to use java to build a class that creates a user in Active directory 2012.But the problem is that when the user is created the password is not being saved.
  Can anybody help on this knowing that i tried to save in the fields userPassword and unicodePwd.
  Thanks.

  DirContext ctx = new InitialDirContext(pr);
            BasicAttributes entry = new BasicAttributes(true);
            String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
            Attribute cn = new BasicAttribute("cn", "ChHad");
            Attribute street = (new BasicAttribute("streetAddress", "Ach"));
            Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
            Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
            Attribute sn = (new BasicAttribute("sn", "Chl"));
            Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
  Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
            Attribute oc = new BasicAttribute("objectClass");
            oc.add("top");
            oc.add("person");
            oc.add("organizationalPerson");
            oc.add("user");
            // build the entry
            entry.put(cn);
            entry.put(street);
            entry.put(sn);
            entry.put(userAccountControl);
            entry.put(pwd);
            entry.put(login);
            entry.put(loginPreW2k);
            entry.put(oc);
            ctx.createSubcontext(entryDN, entry);

• Problem during the changing of  Password in Active Directory

  Hello All !
  I am facing a problem during the password modification
  in active directory, i got the same exception as other are getting i.e
  javax.naming.OperationNotSupportedException: [LDAP: error code  53 - 00002077: SvcErr: DSID-03190959, problem 5003 (WILL_NOT_PERFORM), data 0
                     Can any body help me how i will come to know that 128 bit
    Encryption is done successfully. Although i Installed the  MS High Encryption  Pack but it's registry is not done in Conrol Panel.
  is this a problem(as i think) ?
      I am giving the code please check it out->
                        import java.util.Hashtable;
  import javax.naming.*;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  //import java.io.*;
  //import javax.net.ssl.*;
  //import java.security.*;
  import java.io.UnsupportedEncodingException;
  public class setpassword
       public static void main (String[] args)
            Hashtable env = new Hashtable();
            String adminPassword = "";
            String userName = "ou=MCA,ou=Trainee,dc=ControlsNet,dc=local";
            String newPassword = "yadav";
            String keystore = "D:\\j2sdk1.4.2_12\\jre\\lib\\security\\cacerts";
            System.setProperty("javax.net.ssl.trustStore",keystore);
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            env.put(Context.SECURITY_PROTOCOL,"ssl");
            String ldapURL = "ldap://gateway.ControlsNet.local:636/";
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                 LdapContext ctx = new InitialLdapContext(env,null);
            ModificationItem[] mods = new ModificationItem[1];
                 String newQuotedPassword = "\"" + newPassword + "\"";
                 byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                 ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);     
                 ctx.close();
            catch (NamingException e) {
                 System.out.println("Problem resetting password: " + e);
            catch (UnsupportedEncodingException e) {
                 System.out.println("Problem encoding password: " + e);
  Please reply me immideiately as soon as you see this problem.
  I think some of u already solved this problem. thanks in advance.

  Believe it or not, looks similar to the problem in the post http://forum.java.sun.com/thread.jspa?threadID=580113&tstart=0
  More unbelievable is the huge security hole in your network !String adminPassword = "";
  env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
  env.put(Context.SECURITY_CREDENTIALS,adminPassword);An administrator with a blank password !
  The ldap standard (rfc 2251) defines an anonymous user as a user with a null passsword. By default, Active Directory does not allow anonymous users to perform searches against the directory, let alone reset a user's password.