Configuring Active Directory Realm with WLP7.0

Has anyone configured a Win 2000 Active Directory (AD) LDAP v2 compatibility realm
with WLP 7.0?
We don't have any groups and all users in AD are under one DN. Since AD is administered
by a different group, I have decided to put the Portal-mandated groups/users in
the filerealm.properties file.
After configuration and successful booting of WebLogic Server, I am able to see
the groups in the Active Directory LDAP via the WebLogic console. I get the "Sizelimit
exceeded" exception when I try to browse users, which makes sense. A partial list
of users is listed in the console. Surprisingly, all the users are listed with
a "=" sign in front of them.
I am not able to authenticate against any users in AD. I am not able to log
in to the PortalAppTools using the "administrator" user although I have put it in
the "filerealm.properties". I am able to log in to the PortalAppTools using the
"system" user, but that doesn't help as I cannot see the Default Portal Mgmt stuff.
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
When I try to open the Portal Application, I get the following exception:
<Mar 13, 2003 8:03:46 PM MST> <Error> <Security> <090060> <The AccessDecision class "weblogic.security.providers.realmadapter.AuthorizationProviderImpl" returned an error: java.lang.SecurityException: Realm Adapter ACL Mapping Failed.
java.lang.SecurityException: Realm Adapter ACL Mapping Failed
at weblogic.security.providers.realmadapter.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:345)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:475)
at weblogic.security.service.AuthorizationManager.isAccessAllowed(AuthorizationManager.java:612)
at weblogic.jndi.internal.ServerNamingNode.checkPermission(ServerNamingNode.java:332)
at weblogic.jndi.internal.ServerNamingNode.checkLookup(ServerNamingNode.java:295)
at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:146)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:187)
at weblogic.jndi.internal.RootNamingNode_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:159)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:262)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:229)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(Unknown Source)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at weblogic.jndi.internal.WLNamingManager.getObjectInstance(WLNamingManager.java:94)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:763)
at weblogic.jndi.internal.BasicNamingNode.resolveObject(BasicNamingNode.java:735)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:190)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.BasicNamingNode.lookup(BasicNamingNode.java:195)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:337)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:332)
at weblogic.jndi.factories.java.ReadOnlyContextWrapper.lookup(ReadOnlyContextWrapper.java:36
at weblogic.jndi.internal.AbstractURLContext.lookup(AbstractURLContext.java:124)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at com.bea.p13n.util.JndiHelper.lookupNarrow(JndiHelper.java:96)
at com.bea.portal.appflow.PortalAppflowHelper.<clinit>(PortalAppflowHelper.java:70)
at com.bea.portal.appflow.servlets.internal.PortalWebflowServlet.init(PortalWebflowServlet.java:84)
at javax.servlet.GenericServlet.init(GenericServlet.java:258)
at weblogic.servlet.internal.ServletStubImpl$ServletInitAction.run(ServletStubImpl.java:1075
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.ServletStubImpl.createServlet(ServletStubImpl.java:899)
at weblogic.servlet.internal.ServletStubImpl.createInstances(ServletStubImpl.java:833)
at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:773)
at weblogic.servlet.internal.ServletStubImpl.getServlet(ServletStubImpl.java:517)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:351)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.java:341)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:251)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:116)
at jsp_servlet.__index._jspService(index.jsp:3)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1058)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:445)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:5412)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3086)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
<Mar 13, 2003 8:03:46 PM MST> <Error> <PortalAppflow> <415400> <Could not lookup PortalManagerHome in the JNDI tree using EJB reference java:comp/env/ejb/PortalManager.
javax.naming.LinkException: . Root exception is javax.naming.NoPermissionException: User <anonymous does not have permission on portalApp
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
Any help is appreciated.
Thank You
Paul
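A consistency check over the filerealm.properties entries quoted in the post above, added here as an example (it is not part of the original post and not BEA code). It assumes only the `user.<name>=<value>` and `group.<name>=<member,...>` shapes the post shows; the function names are hypothetical, and names it reports as unresolved may be defined outside the quoted excerpt or in the LDAP realm.

```python
"""Added example: cross-check user and group entries in a filerealm.properties excerpt."""

# Constructed sample: the nine entries quoted in the post.
SAMPLE = """\
user.administrator=password
user.praveen=paul
user.ashley=ashley
group.Monitors=Administrators
group.Deployers=Administrators
group.Administrators=weblogic,system,paul
group.SystemAdministrator=administrator,paul
group.AdminEligible=ashley
group.DelegatedAdministrator=paul
"""


def parse_filerealm(text):
    """Return (users, groups): users maps name -> value, groups maps name -> member list."""
    users, groups = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        key, sep, value = line.partition("=")
        kind, dot, name = key.strip().partition(".")
        if not sep or not dot or not name:
            raise ValueError(f"line {lineno}: not a kind.name=value entry: {raw!r}")
        if kind == "user":
            users[name] = value.strip()
        elif kind == "group":
            groups[name] = [m.strip() for m in value.split(",") if m.strip()]
        # any other key kind is outside the scope of this check
    return users, groups


def unresolved_members(users, groups):
    """Members that are neither a user nor a group in this file, with the groups listing them."""
    missing = {}
    for group, members in groups.items():
        for member in members:
            if member not in users and member not in groups:
                missing.setdefault(member, []).append(group)
    return missing


def possibly_transposed(users, groups):
    """Unresolved members that occur as some user's value: a hint that name and value were swapped."""
    by_value = {}
    for name, value in users.items():
        by_value.setdefault(value, []).append(name)
    return {m: by_value[m] for m in unresolved_members(users, groups) if m in by_value}


def effective_groups(principal, groups):
    """Every group a principal ends up in, following group-in-group nesting (cycle-safe)."""
    found, frontier = set(), {principal}
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in found:
                found.add(group)
                frontier.add(group)
    return found


def value_equals_name(users):
    """Users whose stored value equals their own name (guessable if the value is a password)."""
    return sorted(name for name, value in users.items() if name == value)


if __name__ == "__main__":
    users, groups = parse_filerealm(SAMPLE)
    print("unresolved members:", unresolved_members(users, groups))
    print("possibly transposed:", possibly_transposed(users, groups))
    print("administrator is in:", sorted(effective_groups("administrator", groups)))
    print("value equals name:", value_equals_name(users))
```
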

hi Paul
check this doc out
http://dev2dev.bea.com/resourcelibrary/technicalguides/LDAP_in_Portal_7.0.jsp
-tulan
Edited by jonmountjoy at 01/03/2008 1:45 AM

Similar Messages

  • How to configure Active Directory LDAP with WLS 8.1

    Hi
    somebody help me configure LDAP Active Directory with BEA WebLogic 8.1
    I can't understand what I should do.
    ThanX

    WLS 8.1 sp1 has couple of issues with Active Directory. You need to get fixes from
    BEA. sp2 is supposed to have these fixes included.
    Anant
    "Neil" <Neil-reply-in-newsgroup> wrote:
    This seems strange. I would make sure your installation is correct
    (particularly the lib/mbeantypes directory). If that is correct, I would
    test it with a new domain created with the domain configuration wizard to
    rule out any strange configuration possibilities. If both of those fail,
    I'd file a support case.
    - Neil
    "Max" <[email protected]> wrote in message
    news:[email protected]...
    Jay Zimmett <[email protected]> wrote:
    Read this:
    http://edocs.bea.com/wls/docs81/secmanage/providers.html#1172008
    Max KUlinich wrote:
    Hi
    somebody help me configure LDAP Active Directory with BEA WebLogic 8.1
    I can't understand what I should do.
    ThanX
    I tried to do this but got no good results. I get this exception:
    java.lang.reflect.InvocationTargetException
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:3129)
    at weblogic.security.utils.Pool.getInstance(Pool.java:57)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:2646)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.listUsers(LDAPAtnDelegate.java:1814)
    at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listUsers(LDAPAuthenticatorImpl.java:167)
    at sun.reflect.GeneratedMethodAccessor184.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:1304)
    at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:464)
    at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1557)
    at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1525)
    at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:765)
    at weblogic.management.console.utils.Security.getUserList(Security.java:1436)
    at weblogic.management.console.actions.security.ListUsersAction.updateContents(ListUsersAction.java:56)
    at weblogic.management.console.actions.security.ListLWSecurityAction.getContents(ListLWSecurityAction.java:85)
    at weblogic.management.console.tags.security.LWTableTag.getRowData(LWTableTag.java:462)
    at weblogic.management.console.tags.security.LWTableTag.printTable(LWTableTag.java:141)
    at weblogic.management.console.tags.security.LWTableTag.doEndTag(LWTableTag.java:133)
    at weblogic.management.console.webapp._security.__usertable._jspService(__usertable.java:327)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
    at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.java:382)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:286)
    at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:151)
    at weblogic.management.console.actions.ForwardAction.perform(ForwardAction.java:35)
    at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:173)
    at weblogic.management.console.actions.internal.ActionServlet.doGet(ActionServlet.java:91)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6310)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3622)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2569)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
    Caused by: netscape.ldap.LDAPException: error result (49); 80090308:LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece;Invalid credentials
    at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4852)
    at netscape.ldap.LDAPConnection.internalBind(LDAPConnection.java:1757)
    at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1294)
    at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1303)
    at netscape.ldap.LDAPConnection.bind(LDAPConnection.java:1613)
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:3108)
    ... 43 more
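The "Caused by" line in the trace above carries an Active Directory sub-code ("data 525") that is more specific than the generic "Invalid credentials" text of LDAP result 49. The following added example (not from the thread, not WebLogic code) extracts and decodes that sub-code from log text, tolerating the line wrap seen in the post; it also goes beyond the post by accepting the JNDI wording of the same error. The sample lines other than the first message, including their DSID values, are constructed.

```python
"""Added example: decode AD bind-failure sub-codes (LDAP result 49) from log text."""
import re
from collections import Counter

# AD reports the reason for a failed bind as a hexadecimal Win32 error code after "data".
AD_BIND_SUBCODES = {
    0x525: ("user not found", "config"),
    0x52E: ("invalid credentials (wrong password)", "credential"),
    0x530: ("not permitted to log on at this time", "policy"),
    0x531: ("not permitted to log on from this workstation", "policy"),
    0x532: ("password expired", "account"),
    0x533: ("account disabled", "account"),
    0x701: ("account expired", "account"),
    0x773: ("user must reset password", "account"),
    0x775: ("account locked out", "account"),
}

BIND_ERROR = re.compile(
    r"error (?:result \((?P<r1>\d+)\)|code (?P<r2>\d+))"  # netscape SDK / JNDI wording
    r"\W{1,4}(?P<sspi>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]{8}),"
    r"\s*comment:\s*AcceptSecurityContext error,\s*data\s+(?P<data>[0-9A-Fa-f]+)\b"
)

# First message: from the trace in the post, wrapped as posted. The rest is constructed.
SAMPLE_LOG = """\
Caused by: netscape.ldap.LDAPException: error result (49); 80090308:LdapErr:
DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece;Invalid credentials
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece]
netscape.ldap.LDAPException: error result (4); Sizelimit exceeded
"""


def parse_bind_failures(log_text):
    """Return one dict per AD bind failure found, in order of appearance."""
    flat = re.sub(r"\s+", " ", log_text)  # undo hard wraps inside a message
    failures = []
    for match in BIND_ERROR.finditer(flat):
        code = int(match.group("data"), 16)
        meaning, category = AD_BIND_SUBCODES.get(code, ("unrecognised sub-code", "unknown"))
        failures.append({
            "ldap_result": int(match.group("r1") or match.group("r2")),
            "dsid": match.group("dsid").upper(),
            "data": f"{code:x}",
            "meaning": meaning,
            "category": category,
        })
    return failures


def summarise(failures):
    """Count failures per category and note the patterns worth acting on."""
    by_category = Counter(f["category"] for f in failures)
    notes = []
    if by_category["config"]:
        notes.append("bind identity not found: check the provider's principal/user DN")
    if by_category["credential"] and any(f["data"] == "775" for f in failures):
        notes.append("wrong-password failures together with a lockout: review for password guessing")
    return {"by_category": dict(by_category), "notes": notes}


if __name__ == "__main__":
    found = parse_bind_failures(SAMPLE_LOG)
    for failure in found:
        print(failure)
    print(summarise(found))
```
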

  • Process flow - Active Directory integration with Enterprise Portal

    Hi
    I have seen number of documents/forum discussions on integrating Microsoft Active Directory (LDAP) with Enterprise Portal, but unable to find out the process flow for achieving the same.
    I have installed Enterprise Portal 6 (SP13) running on Web AS 640 (J2EE Standalone). The UME is currently configured to use Java database. (i.e datasourceconfiguration_database_only.xml)
    I intend to proceed as below for integrating with Active Directory and integrate with Windows authentication:
    1) Configure UME to use an LDAP Server as Data Source using Config Tool
    http://help.sap.com/saphelp_erp2004/helpdata/en/cc/cdd93f130f9115e10000000a155106/frameset.htm
    2) Configure Enterprise Portal UME i.e http://<host name>:50000/irj - System Administration - System Configuration - UM Configuration
    Should I configure Data Sources & LDAP Server here, as I have already configured these using J2EE Config tool (point no. 1)?
    3) Integrate Windows authentication with EP using IISProxy module.
    I hope the above will enable me to logon to Portal without supplying username and password once you are logged on to the PC using your Windows user name and password.
    Also, any schema updates required to Active Directory i.e What additional data is stored in A.D.
    I would appreciate your guidance on this.
    Thanks in advance,
    Chandu

    Hi Chandau,
    you wanted that some users are not taken into account by the User Management Engine (UME).
    This behavior can be established by specifying the ume.ldap.negative_user_filter property for the LDAP data sources in the data source configuration file. Using this property one can define that all users and accounts that match the defined conditions are filtered out by the UME API.
    A detailed documentation can be found in the SAP Online Help:
    http://help.sap.com/saphelp_nw04/helpdata/en/9a/f43541b9cc4c0de10000000a1550b0/content.htm
    In the following example of a data source configuration file for Microsoft Active Directory Server the attribute userPrincipalName is used as Logon ID of a portal user id (j_user). Here the user accounts that have one of the following Logon IDs (index_service, notificator_service and cmadmin_service) are filtered out.
    <dataSources>
      <dataSource id="CORP_LDAP">
        <privateSection>
          <ume.ldap.negative_user_filter>
            userPrincipalName=[index_service,notificator_service,cmadmin_service]
          </ume.ldap.negative_user_filter>
        </privateSection>
      </dataSource>
    </dataSources>

  • Tutorial: Azure Active Directory integration with Igloo Software

    Click reply and tell us what you think:
    Tutorial: Azure Active Directory integration with Igloo Software
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Hello
    Can you be a little clearer about what you have tested with Airwatch MDM cloud? Which scenarios?
    1) Device Enrollment?
    2) Access to Airwatch console?
    3) Access to Airwatch self service portal?
    By following the steps we do not get it working at all. By the way, some of the steps in this tutorial are unclear and outdated.
    I finally figured out personally how things should look and made it work, but only with Device Enrollment scenarios from the mobile devices themselves, not from the PC and browsers or from the Access panel.

  • Active directory Integration with OBIEE

    Hi all,
    Can anyone send me a link for Active Directory integration with OBIEE?
    I have imported the users successfully and I was able to log in to analytics as an AD user.
    But SSO is not possible. Kindly help me with this.
    Thanks,
    Haree.

    Thanks for reply veeravalli.
    I too followed the same link and successfully imported all the users from AD into OBIEE, and login is also possible.
    But my requirement is to have Single Sign On, i.e., users may log on to their Windows PCs and access Oracle BI EE via a standard web browser with no further authentication required on their part.
    Thanks,
    Haree

  • Can Microsoft active directory integrated with Oracle Applications

    Hi,
    Can anyone provide me any document on Microsoft Active Directory Integration with Oracle Applications(12.0.6)
    Manish

    Hi,
    It is possible, please refer to the following documents for details.
    Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
    Note: 415007.1 - Oracle Application Server with Oracle E-Business Suite Release 12 FAQ
    Regards,
    Hussein

  • Configuring Active Directory user to Authenticate against OSB proxy service

    Hi,
    I applied the Oracle predefined auth.xml WS-Policy to the OSB proxy service, which will query a web service that is running on a separate WebLogic server, and I configured ActiveDirectory as an Authentication Provider in the WebLogic server under myrealm. When I pass weblogic/weblogic, which is an admin account, in the OSB test console or SoapUI to test, the authentication works and I get the response back, but when I pass in one of the Active Directory username/password pairs I get the following "Failed to assert identity with UsernameToken" SOAP fault.
    Do I have to change or add any configuration In the weblogic server to make this work? such as Identity Assertion provider in the weblogic server.
    fault: <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
    <con:errorCode>BEA-386201</con:errorCode>
    <con:reason>
    A web service security fault occurred[{http://www.w3.org/2003/05/soap-envelope}Sender][Failed to assert identity with UsernameToken.]
    </con:reason>
    <con:details>
    <err:WebServiceSecurityFault xmlns:err="http://www.bea.com/wli/sb/errors">
    <err:faultcode xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Sender</err:faultcode>
    <err:faultstring>
    Failed to assert identity with UsernameToken.
    </err:faultstring>
    </err:WebServiceSecurityFault>
    </con:details>
    <con:location>
    <con:path>request-pipeline</con:path>
    </con:location>
    </con:fault>
    Regards
    Vick

    Hi Manoj
    I have configured the weblogic server to use the Active Directory Authentication provider which is supported in weblogic server and I can see the AD users under weblogic console under users and groups tab, but if I pass in the username/password of the users in AD I'm getting the above error.
    thanks
    Vick

  • Query Active Directory + Problem with thumbnailPhoto

    Hi
    I have a problem and I don’t know if it is my SQL query, so here goes.
    I have a view on my SQL server that queries our Active Directory. I can see that there is data in the table.
    But when I try to use the image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
    My view is built with this query:
    select *
    from openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto
    FROM ''LDAP:[REMOVED]''
    WHERE objectCategory = ''Person''')
    Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
    Regards
    If only I had time to learn everything I wanted ...

    Hi Latheesh
    I've tried with this script:
    SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
    CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
    CONVERT (NVARCHAR(50), sn) AS Efternavn ,
    CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
    CHARINDEX(N'@', mail)))) AS 'initialer' ,
    CONVERT(NVARCHAR(255), mail) AS Mail ,
    CONVERT(NVARCHAR(75), title) AS Stilling ,
    CONVERT(NVARCHAR(120), department) AS Afdeling ,
    CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
    CONVERT(NVARCHAR(13), mobile) AS Mobil ,
    CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
    WHEN userAccountControl = 16 THEN 'Account Locked Out'
    WHEN userAccountControl = 17
    THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
    WHEN userAccountControl = 32
    THEN CONVERT (VARCHAR(48), 'No Password is Required')
    WHEN userAccountControl = 64
    THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
    WHEN userAccountControl = 512 THEN 'Normal'
    WHEN userAccountControl = 514 THEN 'Disabled Account'
    WHEN userAccountControl = 544
    THEN 'Account Enabled - Require user to change password at first logon'
    WHEN userAccountControl = 8192
    THEN 'Server Trusted Account for Delegation'
    WHEN userAccountControl = 524288
    THEN 'Trusted Account for Delegation'
    WHEN userAccountControl = 590336
    THEN 'Enabled, User Cannot Change Password, Password Never Expires'
    WHEN userAccountControl = 65536
    THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
    WHEN userAccountControl = 66048
    THEN 'Enabled and Does NOT expire Paswword'
    WHEN userAccountControl = 66050
    THEN 'Normal Account, Password will not expire and Currently Disabled'
    WHEN userAccountControl = 66064
    THEN 'Account Enabled, Password does not expire, currently Locked out'
    WHEN userAccountControl = 8388608
    THEN CONVERT (VARCHAR(48), 'Password has Expired')
    ELSE CONVERT (VARCHAR(248), userAccountControl)
    END AS 'Disabled' ,
    CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
    CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
    INTO ##adTemptable
    FROM openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto, userAccountControl
    FROM ''[REMOVED]''
    WHERE objectCategory = ''Person''')
    WHERE department IS NOT NULL
    But I still get the same error on MANY rows
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
    If only I had time to learn everything I wanted ...
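The script above matches userAccountControl against a list of whole values; the attribute is a bit field, so a value that is not in the list (546, for example) reaches the ELSE branch as a bare number. The following added example (not part of the thread) decodes any value into Microsoft's documented flag names and lists the flags that deserve review on an enabled account; the choice of review flags and the function names are this example's own.

```python
"""Added example: decode Active Directory userAccountControl as a bit field."""

# Documented userAccountControl flag bits.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
# Note: AD reports lockout and password expiry through the computed attribute
# msDS-User-Account-Control-Computed, so those two bits are rarely set here.

# Flags worth a second look when the account is enabled (this example's selection).
REVIEW_FLAGS = {
    "PASSWD_NOTREQD",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION",
    "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return (flag names in ascending bit order, bits not covered by UAC_FLAGS)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known_mask = 0
    for bit in UAC_FLAGS:
        known_mask |= bit
    return names, value & ~known_mask


def review_account(value):
    """Summarise one userAccountControl value for an access review."""
    names, unknown = decode_uac(value)
    enabled = "ACCOUNTDISABLE" not in names
    findings = sorted(REVIEW_FLAGS.intersection(names)) if enabled else []
    return {"enabled": enabled, "flags": names, "unknown_bits": unknown, "review": findings}


if __name__ == "__main__":
    # Values taken from the CASE expression in the post, plus 546, which it does not list.
    for sample in (512, 514, 544, 546, 66048, 66050, 590336):
        print(sample, review_account(sample))
```
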

  • No longer have appropriate privileges to "Active Directory" servers with Lion

    Hi:
    Our University maintains protected disk storage space that we can access from any computer in the hospital. This is an incredibly convenient and secure method for moving information in our enterprise.
    Our enterprise is somewhat Mac-averse, but under Leopard and Snow Leopard we were able to access these folders from our office Macs (all public computers are PCs). With the upgrade to Lion we now only have read access to files on these folders, whereas with Leopard and Snow Leopard we had full, i.e., read and write, access to files on these folders.
    Here’s what we do:
    Go to University VPN access webpage.
    Click “Start” next to “Network Connect” under “Client Application Sessions”
    Answer “Trust” to “Do you want to accept this certificate from the web site ‘myvpnmyuniversity.edu’ for the purpose of exchanging encrypted information? Publisher authenticity can not be verified’
    Menu Command: Go>Connect to Server>cifs//name
    Dialog: “Enter your name and password for the server “name”
    Navigate to my folder on the university’s system.
    Here’s what’s changed: in the past, using Leopard and Snow Leopard, those of us with Macs in the department now had the folder mounted on our desktops with full access. With the upgrade to Lion we only have read access: Get Info under Sharing and Permissions says “You can only read”.
    This has happened to many of us, so it’s not just an issue on my computer or network.
    Our local computer help guy, who is incredibly nice but not Mac knowledgeable, says “It is something that MAC has done that is preventing you to access our Active Directory servers”. He is aware that this is something unique to Lion, since it worked on Leopard and Snow Leopard.
    His bosses, who know more, are, enuf said, not Mac “friendly”.
    Read and write access continue to work just fine when accessing from the many PCs running XP throughout the enterprise.
    Hence we’re looking for some help here. Is there something we end users can do differently, or is there something we can share with our local friendly but not Mac knowledgeable computer help guy that he can do, to get us write access?
    Thank you!
    OS 10.7.4

    More info from one of our IT guys:
    "I know that there have been several different people looking into this.  Found several people complaining about it, but no answers.  You can sometimes get connection and be able to copy a file or save it once or twice, but usually it tells you that you can only read it."
    For me at least, it's been consistent, i.e., never any write access, just read.

  • Automate the creation of Active Directory users with organization/address information

    On one of our Domain Controllers we regularly have to create new users with fully populated organisation/address information, as they use a server-side application which appends email signatures at the end of all of their emails created from this information.
    At the moment we have to fill this information out manually and it can sometimes cause inconsistencies if the information is not uniform or is typed incorrectly.
    Is there any way to automate this/do it in bulk?

    This is another Powershell script that can be used:
    http://www.wictorwilen.se/how-to-use-powershell-to-populate-active-directory-with-plenty-enough-users-for-sharepoint
    Note that you have two ways to do that:
    1. Create a new User account Provisioning script and include the Street update as part of it
    2. Have a daily scheduled script that will run against your users OUs and update the Street address for user accounts having it wrong or missing
    From my point of view, option 2 would be the best as it will make a Bulk update and Bulk correction if required.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
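
Both options from the reply above in one script, as an added example that is not from the thread or the linked article: a single table of per-office address data drives account creation and the scheduled correction pass, so signature fields cannot drift. The OU, office names, addresses and CSV rows are constructed values, and `-WhatIf` keeps the run to a preview.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OU, offices, addresses and CSV rows are constructed values.
$SearchBase = 'OU=Staff,DC=example,DC=com'
$Sites = @{
    London = @{ Company = 'Example Ltd'; StreetAddress = '1 Example Street'
                City = 'London'; PostalCode = 'EX1 1AA'; Country = 'GB' }
    Leeds  = @{ Company = 'Example Ltd'; StreetAddress = '2 Sample Road'
                City = 'Leeds'; PostalCode = 'EX2 2BB'; Country = 'GB' }
}
$Attrs = 'Office', 'Company', 'StreetAddress', 'City', 'PostalCode', 'Country'

# Option 1: provisioning. In practice this would be Import-Csv on the HR file.
$NewUsers = @'
GivenName,Surname,SamAccountName,Title,Department,Office
Ann,Example,aexample,Analyst,Finance,London
Bob,Sample,bsample,Engineer,IT,Leeds
'@ | ConvertFrom-Csv

foreach ($u in $NewUsers) {
    $site = $Sites[[string]$u.Office]
    # Validate before the name is interpolated into the -Filter string below.
    if ($u.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$' -or -not $site) {
        Write-Warning "Skipped '$($u.SamAccountName)': bad account name or unknown office"
        continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") { continue }
    # No password is supplied, so the account is created disabled.
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" -GivenName $u.GivenName `
        -Surname $u.Surname -SamAccountName $u.SamAccountName -Title $u.Title `
        -Department $u.Department -Office $u.Office -Path $SearchBase `
        -Enabled $false @site -WhatIf
}

# Option 2: scheduled correction of wrong or missing address fields.
Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attrs | ForEach-Object {
    $site = $Sites[[string]$_.Office]
    if (-not $site) { Write-Warning "$($_.SamAccountName): no known office"; return }
    $fix = @{}
    foreach ($k in $site.Keys) {
        if ($_.$k -ne $site[$k]) { $fix[$k] = $site[$k] }
    }
    if ($fix.Count -gt 0) { Set-ADUser -Identity $_ @fix -WhatIf }
}
```

Remove `-WhatIf` once the preview output matches what is expected; the scheduled task needs only write access to these attributes on the staff OU, not domain administrator rights.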

  • Creating active directory users with dscl

    Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server.  We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users.  We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error.  Here are some examples.
    SUCCESSFUL READ OF AD USER ATTRIBUTE:
    root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
    Password:
    SMBHomeDrive: H:
    root#
    SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
    root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
    Password:
    root#
    FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
    root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
    Password:
    <main> attribute status: eDSInvalidRecordType
    <dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
    root#
    The same error occurs when attempting to create a new user.  Any ideas?  Thanks in advance for any suggestions.

    In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
    However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
    the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username>

  • Active Directory integration with call manager

    Hi,
    I am facing issues while Integrating the CCM to my Active Directory using AD Plug-in.
    SITE SETUP:
    1. Windows 2003 Parent Domain Controller located remotely with GC.
    2. Windows 2003 Child Domain for the Parent DC located Locally with GC.
    3. Cisco CallManager 4.1.3 sr3b
    My Requirement is to integrate CCM with my Windows 2003 AD.
    My Questions are:
    1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
    2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
    3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
    Can anyone help me on this?
    Thanks,
    V.Kumar

    1. Do I need to Provide the Parent Domain name or the Child Domain name while performing the AD Plug-in Setup?
    Use the root domain, in this case the Parent domain.
    Cisco does not recommend having a Cisco Unified CallManager cluster service users in different domains because response times while user data is being retrieved might be less than optimal if domain controllers for all included domains are not local.
    2. Does my Call Manager need to have the Forest access of the Active Directory (i.e., Does it perform some modifications in the Parent Domain)?
    Yes, actually all domains in the forest share the same Schema, which will be modified after running the AD plugin.
    3. Does the user account (which is used for Directory Integration) need to have direct members of Schema Admins or thru some other domain admin groups (i.e., Admin user -> Child Domain Admins Groups -> Parent Domain and Schema Admin Groups)?
    Account should be a member of the Schema Admins group in Active Directory, try the one in parent domain.
    Correct permissions for CCMAdministration and similar example for your setup:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c04.html#wp1043057
    HTH

  • Active Directory integration with Service Desk and Business Partners

    We have populated the business partners in Service Desk with data from Windows Active Directory, but this was a one-time import.
    At the moment if there are any changes to Active Directory then the business partner records need to be updated manually.
    Does anybody know of any way to integrate Active Directory with the business partner records in Service Desk?
    Thanks
    Simon

    This was also our problem.
    We have multiple user sources (an LDAP, ADS, different SAP systems). I'm not aware of any automated way of doing that.
    If you want to use issue management/service desk all the users need to also be created as SU01-users to be able to use the workcenters. The SU01-Users have also to be assigned to the appropriate business partner. There is no automation for this.
    For us this drawback was so big that we stopped using the service desk.
    Markus

  • Ms-Active Directory integration with SAP 4.7 SR2 through LDAP Connector

    Dear Gurus,
    Let me clarify the scenario:
    At our end, we are planning for SSO, we are integrating Microsoft ADS with SAP 4.7 IDES
    Following are the system details:
    SAP: IDES 4.7, on Windows 2000 Advance Server, Oracle 8.1.7.,Kernel-620
    MS-Active Directory: Windows 2003 Enterprise Edition, with Service Pack-1
    With the above mentioned landscape we have integrated LDAP-Connector on MS-Active Directory. On the MS-Active Directory OS side we have tested the command (ldap_rfc -a LDAP_ADS -g ides.ho.com -x sapgw00), then we tested it through an RFC in SAP 4.7 (IDES), with result success.
    Everything is fine: I'm able to log on through the user, but when I try to search objects in LDAP (i.e. ADS) through "FIND", I get the error message "operation Failed".
    Referred note 511141 for the error.
    Can't find anything more.
    Required help...
    Regards,
    SHAH

    Dear Juergen,
    As of we have applied the SP-level till 40.
    Through LDAP tcode we are able to log on to the Directory server, and we are also able to search, through FIND; the system displays all entries below the specified base entry.
    After that we are trying to synchronize it, using report RSLDAPSYNC_USER through SE38, but it's showing the following errors:
    Connection created to Server LDAP_ADS (successfully with Green)
    Operation Failed (Error with Red)
    Error message: LDAPRC001
    LDAP_SEARCH failed (Error with Red)
    Error message: LDAPACCESS101
    The System could not create directory objects pool (Error with Red)
    Error message: LDAPSYNC005
    Connection to LDAP_ADS server terminated
    As for first Error: Error message: LDAPRC001, we referred Note 511141,
    Response: "This error msg does not mean that the SAP System sent incorrect data".
    For Error message: LDAPACCESS101 and Error message: LDAPSYNC005, we referred to 696021 and 695026.
    Response: to apply the correction change, as our SP level is above the requirement, we have level-40.
    Unable to get further, any solution/suggestion.
    Bye for now.
    Regards,
    Shaibaz

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user ID's.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!
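
A pre-integration check for the steps in the reply above, as an added example that is not part of the original post: it previews which AD accounts an ipPhone-populated filter would select, compares them with the local CUCM user IDs, and confirms the sync account holds no group beyond the default. The filter string, the ID list and the `jsmith`-style names are constructed assumptions; `ciscoldap` and `DC=abc,DC=com` are the post's own example values.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Filter, user IDs and status labels are assumptions.
$SearchBase  = 'DC=abc,DC=com'
$SyncAccount = 'ciscoldap'
# Enabled person accounts that have ipPhone populated.
$Filter = '(&(objectCategory=person)(objectClass=user)(ipPhone=*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Constructed list; in practice take the user IDs from the BAT export.
$CucmIds = 'jsmith', 'MJones', 'frontdesk'

# Index in-scope AD users by sAMAccountName (hashtable keys are case-insensitive).
$inScope = @{}
Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase -Properties ipPhone |
    ForEach-Object { $inScope[$_.SamAccountName] = $_ }

$report = foreach ($id in $CucmIds) {
    $ad = $inScope[$id]
    $status = 'NoMatchInFilter'
    $phone  = $null
    if ($ad) {
        $phone  = $ad.ipPhone
        $status = 'MatchesAD'
        # The post asks for names that are exactly the same, so flag case drift.
        if ($ad.SamAccountName -cne $id) { $status = 'CaseDiffers' }
    }
    [pscustomobject]@{ CucmUserId = $id; IpPhone = $phone; Status = $status }
}
$report | Format-Table -AutoSize

# The sync account should be read-only: report any group beyond Domain Users.
$svc = Get-ADUser -Identity $SyncAccount -Properties PasswordNeverExpires
$extraGroups = Get-ADPrincipalGroupMembership -Identity $svc |
    Where-Object { $_.Name -ne 'Domain Users' } |
    Select-Object -ExpandProperty Name
[pscustomobject]@{
    Account              = $svc.SamAccountName
    PasswordNeverExpires = $svc.PasswordNeverExpires
    ExtraGroups          = $extraGroups -join ', '
}
```

Any row not marked `MatchesAD` is a local account to rename or populate in AD before the first full sync, and a non-empty `ExtraGroups` means the account has more than the read-only rights the post calls for.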
