Continuing delegated admin issues

Folks,
I have installed nda on our production machine. When I try to log in as ServiceAdmin (which is the mail admin in ldap) it says invalid credentials.
I have more problems with delegated admin -- I am starting to hate it....

The command line is your friend. Learn it, use it, love it. :-)
Seriously, for account creation/deletion, I've written scripts for doing that. Much easier than the GUI. Besides, the GUI doesn't delete PAB entries (last I checked). I also have a script for setting a user's password.
I do have one question: Why doesn't the iDA allow me to modify a user's mail filter? I can do other stuff, but not that.
Roger S.

Similar Messages

  • XI3.1 and delegated admin?

    Hi,
    We have two distinct projects. Each project must have a delegated admin (manage users and groups): each admin must see only its users and groups...
    We have applied this:
    1/ create specific admin groups
    2/ create specific access level (view object/general + add objects/content folder all rights/system user all rights/system usergroup)
    3/ on user and groups/manage top level security/all group:
    add the two admin groups and apply access level
    4/ on each group and subgroup remove access on the admin group that does not (because each admin group is in inherited right...)
    This works, but not at user level: the delegated admin can't create users, and if we apply the top level security access level, the admin group can see ALL users. That's not what we want...
    Do you have ideas?
    Thanks

    Hi Phil!
    I think it is designed as is - but did you try to use Windows AD Groups?
    You can enable specific Windows AD groups to BO. These will be created automatically the first time they log on, or you can trigger an AD refresh. So the users are created automatically.
    Your admins could then have the rights to see the users only and to see/edit their own set of Groups, where they can put these users. Also you can define which admin sees which objects (reports, universes, connections, ...)
    But: you will get an issue if you lose/change your AD connection to your server, then everything must be redone.
    ciao Hakan

  • Appserver dies (Delegated Admin)

    Hi,
    Running an instance of the Messaging Q12005. No additional patches installed after installation. The problem we are facing is that periodically (once or more a day) the Delegated Admin web access is not reachable. It seems that the App. Server process dies because when I try to stop the App server using asadmin , it replies that it is not running, so after restarting the App server and the Access Manager admin server also restarted, the Delegated Admin Web access works again.
    Any idea why this is happening?

    Alas, I don't know much about troubleshooting App Server. Last time I even looked at it, I vaguely remember that it should be restarting itself.
    I use the web server as a container for DA, and have no such issues.
    Does App Server dump core? Are you configured so it can? Have you opened a tech support case for this?

  • IPlanet Delegated Admin .... Comm Express

    Hi,
    I am trying to checkout the SJMS 2005Q1...
    The classical iMS 5.2 used to have web based Delegated Admin....
    This would let me keep a DA admin for each domain...and each domain would easily access the DA page from web.
    in SJMS ....i.e. Comm express DA....this is a GUI...
    how can I give access to the DA over internet??
    What are the improvements of this new DA vs the old.
    Cheers
    msg_admin

    > Hi,
    > I am trying to checkout the SJMS 2005Q1...
    > The classical iMS 5.2 used to have web based
    > Delegated Admin....
    We called it, iPlanet Delegated Admin
    > This would let me keep a DA admin for each
    > domain...and each domain would easily access the DA
    > page from web.
    > in SJMS ....i.e. Comm express DA....this is a GUI...
    > how can I give access to the DA over internet??
    Provide access to the DA port through your firewall.
    > What are the improvements of this new DA vs the old.
    It's a little more limited, actually....
    The real "improvement" is that it works with Schema 2. If you decide to run your new server under Schema 1 configuration, you can continue to use the old iDA.
    > Cheers
    > msg_admin

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Can't login to Delegated Admin after redeploy

    I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA. Now I cannot login to DA. It keeps telling me: "Invalid login ID or password, please try again". The ID and password are correct. No LDAP traffic is being generated during the attempted login. I turned on DA logging and this is what I get:
    Aug 23, 2008 4:43:39 PM com.sun.comm.da.security.DALoginManager login
    INFO: Login failed, login id [admin]
    com.sun.comm.jdapi.DAException: Moved Temporarily: Moved Temporarily
    at com.sun.comm.jdapi.DAConnection.liveAuth(DAConnection.java:88)
    at com.sun.comm.jdapi.DAConnection.authenticate(DAConnection.java:130)
    at com.sun.comm.da.security.DALoginManager.login(DALoginManager.java:209)
    at com.sun.comm.da.view.LoginViewBean.handleLoginButtonRequest(LoginViewBean.java:212)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:816)
    at com.sun.comm.da.DAServlet.service(DAServlet.java:152)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
    at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:133)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    Here is a sample of what I get when I run commadmin:
    ./commadmin -v search domain o=xyz.com
    [Debug]: DBG:Object = search ; task = domain
    [Debug]: default domain from Properties: xyz.com
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    Enter login ID: admin
    Enter login password:
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
    Moved Temporarily: Moved Temporarily
    Invalid value for Identity server host name: webmail.xyz.com
    Invalid value for Identity server port: 80
    Enter Identity server port[80]:
    Any ideas?

    sheger77 wrote:
    > I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA.
    As per the administration guide, Delegated Administrator server needs to be installed in the same web-container/instance as Access Manager.
    http://docs.sun.com/app/docs/doc/819-4438/acfck?a=view
    "The Delegated Administrator server uses the same Web container as Access Manager. The configuration program asks for Web container information after it asks for the Access Manager base directory."
    > [Debug]: IShost from Properties: webmail.xyz.com
    > [Debug]: ISPort from Properties: 80
    The commadmin client is trying to contact the DA server which is supposed to be installed in the same Web container as Access Manager
    (hence the use of IShost/ISPort):
    > [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    > [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    > [Debug]: Http Error recvd: Moved Temporarily
    Can't contact DA server so attempt fails.
    Regards,
    Shane.

  • From schema 1 to schema 2 migration delegated admin problem

    I want to migrate the messaging server 6.2 (jes 2005q1) from schema 1 to schema 2.
    I have installed access manager and delegated admin.
    With commdirmig I migrated the domain and schema, and the messaging works correctly.
    I have a problem with the delegated admin web interface.
    The delegated admin doesn't show my domain. If I add the sundelegatedorganization objectclass I can view my domain on delegated admin but I can view user and group.
    Any idea?
    TIA
    Bye Giovanni

    There are two very different products called "delegated admin". The old iPlanet Delegated Admin (iDA) only works with Schema 1. The current Delegated Admin, that comes with JES3 only works with Schema 2.
    If you're using the old iDA that worked with schema 1, it won't work with schema 2. You have to install the new DA for that.
    It doesn't work with groups/lists, only with users and domains.

  • While installing IMS on p4, the delegated admin, MTA and IWS6.0 could not be started

    I am installing IMS 5.1 NT version on a p4 machine and my MTA services are not starting, i searched for the IMTA.conf file but that was not found. Also the IWS 6.0 that was installed additionally for the upgraded JVM is not getting started , and the delegated admin through the browser could not be accessed

  • Delegated Admin reports strange number of users

    I recently noted that our Delegated Admin (Delegated Administrator 6.4-2.05, B2008-04-29) Organizations page
    (the one which lists the hosted domains and particularly their "Number of Users") lists this number plain wrong.
    For many organizations it is reported as 0 or 1, for one there's a blank line, and only one seemingly has 39 users.
    When I click on organizations however, I see their full lists of users (I believe, ones which have a non-empty mail
    attribute set in LDAP) and there are tens in most orgs and over a hundred accounts in the larger org.
    What is wrong? Does DA's Organization-List page use some other means of counting the users than the individual
    Organization's page?

    JimKlimov wrote:
    > In fact, while importing our old server, I did initialize most domains' users via
    > ldapclient queries as discussed on-list in mid-2008. Nobody said that there
    > are other static values outside of a user's account data :)
    The sunnumusers: attribute is commonly overlooked -- primarily because it is for admin-interface purposes only and doesn't impact on the operation of user accounts.
    > Is it possible to replace this value of sunnumusers by a dynamic search (or
    > counter), either in the GUI code or perhaps in the LDAP attribute?
    No. Any such dynamic search would have an adverse performance impact on the DA interface for large environments.
    > What is the logically correct value, the count of users with mail attribute set?
    If you want the sunnumusers: to match the number of users displayed when you click on the organisation in the "Organizations" tab then you would count the users which matched the following search for the domain:
    ""(&(uid=*)(&(objectClass=inetuser)(|(inetUserStatus=active)(inetUserStatus=inactive))))""
    Regards,
    Shane.
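
An added example, not part of the original thread or of Delegated Administrator itself: a Python audit that recounts each organization's users with the filter quoted in the reply above and compares the result with the stored sunnumusers value. The LDIF sample is constructed, and keeping sunnumusers on the organization entry is an assumption; the filter evaluator covers only the `&`, `|`, equality and presence forms that this filter uses.

```python
import re

# Filter quoted in the reply above (surrounding quote marks omitted).
DA_USER_FILTER = ("(&(uid=*)(&(objectClass=inetuser)"
                  "(|(inetUserStatus=active)(inetUserStatus=inactive))))")

# Constructed sample export: DNs, domains and counts are made up.
# Assumption: sunnumusers is stored on the organization entry.
SAMPLE_LDIF = """\
dn: o=example.com,dc=example,dc=com
sunnumusers: 1

dn: uid=alice,ou=People,o=example.com,dc=example,dc=com
objectClass: inetUser
uid: alice
inetUserStatus: active

dn: uid=bob,ou=People,o=example.com,dc=example,dc=com
objectClass: inetUser
uid: bob
inetUserStatus: inactive

dn: uid=carol,ou=People,o=example.com,dc=example,dc=com
objectClass: inetUser
uid: carol
inetUserStatus: deleted

dn: o=example.org,dc=example,dc=com
sunnumusers: 0
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; plain 'attr: value' lines only."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0].lower(), attrs))
    return entries

def parse_filter(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # composite: (&f1f2...) or (|f1f2...)
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)                 # simple item: attr=value
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    _, attr, value = node
    have = attrs.get(attr, [])
    if value == "*":                      # presence test, e.g. (uid=*)
        return bool(have)
    return any(v.lower() == value.lower() for v in have)

def audit_counts(ldif_text, filter_text=DA_USER_FILTER):
    """Return {org dn: (stored sunnumusers, recounted users)}."""
    tree, _ = parse_filter(filter_text)
    entries = parse_ldif(ldif_text)
    report = {}
    for org_dn, org in entries:
        if "sunnumusers" in org:
            counted = sum(dn.endswith("," + org_dn) and matches(tree, a)
                          for dn, a in entries)
            report[org_dn] = (int(org["sunnumusers"][0]), counted)
    return report

def mismatches(report):
    """Organizations whose stored count differs from the recount."""
    return {dn: pair for dn, pair in report.items() if pair[0] != pair[1]}
```

Calling `mismatches(audit_counts(SAMPLE_LDIF))` lists the organizations whose stored counter has drifted; a real export with folded or base64-encoded lines would need a full LDIF parser in place of `parse_ldif`.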

  • Delegated admin login problem

    I am running Iplanet messaging server 5.2 and am having problems logging into the delegated administrator. When I try to log in as ServiceAdmin I immediately get a screen telling me that the session has timed out and to re-authenticate.
    Any ideas what is wrong?

    Unknown. Not nearly enough data to guess.
    Please examine your LDAP access logs, and comment.
    You should be looking for BIND commands for "NDAdmin". This is the first step in logging into Delegated Admin. If this fails, no user will be able to use DA.
    Do you have password expiration set up in DS? did you remove this account? Change the pw?

  • How do I suit Delegated admin to my LDAP structure

    Hello All
    I've been working in a customer's Mail server (messaging 5.1, Directory 4.16) and I am having a problem with ida.
    All the users are on:
    ou=001,o=Student, o=People, o=acme.com,o=acme.com
    And, the user's mail is [email protected]
    Now, with Branch ou=998, o=Student, .....
    They want all the users to have an e-mail address of the form [email protected] (DONE) and they want to have an administrator to handle the users in this ou
    I tried to setup a mail domain with Delegated admin but, I see no way of mapping this new domain to this ou (ida expects things to be in the dc= subtree that doesn't even exist)
    Anyone has any ideas?
    Thanks
    //JaimeC

    The image which appears in the Store page is referenced in the 'itunes:image' tag. This tag is present in your feed but the URL is of your website. You need to create an image, which should be 1400 x 1400 and either JPG or PNG, and reference it in this tag. I don't know anything about 'Podcast Suite': probably it has somewhere to enter the image details.

  • Using Mail, Calendar and Delegated Admin

    I've installed mail, calendar and delegated admin for one of the domains I'm hosting.
    I can't figure out where I can adjust the settings for service packages ex earth. I'd like to have 60 mb mail box instead of 6. (Changing this on user level in LDAP is not an option.)
    Anyone who can give me some tips about where to change this?
    Tnx.
    Kristian

    Sounds like you need to change one of your Service Package templates. Alas, I've not had time to dive into that.
    There is a default config setting for quota, that's global. If you set that, and don't put anything into the user's individual ldap entries, then everybody gets that quota:
    store.defaultmailboxquota
    http://docs.sun.com/app/docs/doc/819-2651/6n4u5ce7i?a=view

  • Delegated Admin and User Management in WLP 9.2

    Hi,
    I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
    The error message that shows when creating new user is "The subject does not have access to the specified group".
    What should I do to make it work ?
    Regards,
    Tanja

    Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
    http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
    If you have a support contract, you might be able to contact BEA Support to see if a patch might be available.

  • Delegated Admin login fail

    I installed Solaris 9 05/9 and JES05Q4 in a Sun Fire V440 recently.
    I chose these components only:
    Directory server
    Administration server
    Web server
    Access manager
    Messaging server
    Delegated administrator
    Directory preparation tools
    I can use commadm to create users after installation and initial configuration, but I can't log in to the delegated admin with any account. http://server.mydomain.com/da/DA/Login
    After I check the DA log file, it shows:
    WARNING: User [admin] has no valid role assigned, aborting login
    What kind of role is required for da login?
    Thanks in advance for any help.
    dx

    I recommend that you post your question to the Messaging Server forum (also listed at the bottom of the Java ES forums page):
    http://swforum.sun.com/jive/forum.jspa?forumID=15
    You might also want to search that forum for similar problem reports.

  • Cpu high while installing delegated admin 2nd instance.

    Hi,
    I am using Sun JES 2005Q1 on Solaris9 sparc platform.
    AM, Delegated Admin & MEM are running on 1 host which is working perfectly.
    I have installed another instance of AM on another host which is also working perfect.
    Whenever I try to install 2nd instance of Delegated Admin, the cpu utilization of my ldap server goes very high (98%) and installation doesn't proceed.
    I have increased the nsslapd-allidthreshold value from 4000 to 15000.
    Also indexing of attributes are already done.
    But still no luck for me.
    I am getting error logs on ldap server "search is not indexed".
    Can anyone help me out ?
    Regards,
    Shujaat Nazir Khan
    Senior System Engineer
    Cyber Internet Services (Pvt.) Ltd.

    The access manager has the same "oversight" but it was easy enough to fix by adding WS_ADMINHOST=admin.dom.tld to the amsamplesilent, and sed -i 's/--host=$WS_HOST/--host=$WS_ADMINHOST/g' to amws70config and amconfigupdate, and things actually worked when I did this (with a little more hackery, like manually editing mime.types and server.policy). This DA configurator is less straight forward, and when I fixed up the files and reran the failed scripts, things didn't work.
    Does it make sense to run the administration server in its own zone/machine from an architectural standpoint? There has to be at least one admin server, so is the point AM/DA makes "it may as well be running on the node that _requires_ it to be running" versus "separate services into logical partitions?" It seems to me the first option is "good enough" while the second makes sense, but I'm looking for confirmation or further input.
