Converting CUCM user from local to LDAP synchronized

Hello.
I am trying to convert a few local users to users that have been synchronized with LDAP. When I am on the End user configuration page, I cannot seem to find anything that would relate to synchronizing with LDAP. Also, if I try to create them from scratch, it automatically creates them as local. Any thoughts?
Thanks.

Everything is definitely set up correctly. We were migrating from an older call manager to a new call manager, and were having some troubles with importing certain people, as the IP phone field was getting blasted away in AD. To the people that was happening to, our consultant converted them to local users. Is there any way to simply reverse this, or do I have to resync LDAP and see if it works?

Similar Messages

  • Error adding new users from local server

    Hello, BPC Gurus,
    We use BPC 7.0 MS SP4, MS SQL 2008 (Server name - BPCP01)
    In the Administration Console we're trying to add a user from the local server (the server with the SQL database), and a warning window appears with the message "The Server Is Not Operational [BPBCP01]"
    I checked Logging folder and found message:
    ==============[System Error Tracing]==============
    [System  Name] : OSoftAdminSecurity
    [Job Name]     : frmManageUser::GetAllObjectsFromDomainServer
    [DateTime]     : 2010-12-06 16:58:43
    [Exception]
        DetailMsg  : {System.Exception: The server is not operational [BPCP01]
       at Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack)
       at OSoft.Consumers.Admin.Security50.ManageDataSet.GetAllObjectsFromDomainServer(String pDomainName, String pLDAPFullPath, Int32 pDomainObjectType, String pObjectValue, String pDomainType)
       at OSoft.Consumers.Admin.Security50.frmManageUser.GetAllObjectsFromDomainServer(String pDomainName, FILTER_TYPE pOptionType, String pOptionValue, String pDomainType)}
    ===========[System Error Tracing  End ]===========
    Any ideas?

    Was the installation done with a local user or with a domain user?
    You know that the BPC server cannot at the same time also be a domain controller.
    Are you using Windows authentication or CMS authentication?
    If you are using CMS authentication then again you cannot add local users.
    If you are using Windows authentication then you have to go into Server Manager
    Options - Define System User Groups
    Domain Type - Local Windows
    System User Group Name - Local Users.
    If you are using Windows 2008, make sure you add the role for compatibility with IIS 6, because BPC uses this module to add new users.
    Regards
    Sorin Radulescu

  • I want to see list of Disabled user from AD and LDAP

    Hi
    I want to see the list of disabled users from AD and LDAP, shown on the next page in tabular format
    with all the AD details (attributes)

  • Best way to disable a user from authing against ldap?

    We have a need to be able to disable users in our LDAP server (Sun-ONE-Directory/5.2_Patch_2 B2004.107.0034).
    We are using msging and cal server together with Access manager and Comms express.
    Setting the inetUserStatus to inactive stops users logging into the comms express etc but we are now having a few remote services that are authenticating against ldap by binding as the user. This works regardless so disabled users can login to certain things.
    What's the recommended way of temporarily disabling an account? We can't just change the password as we would need to restore it when the account is re-enabled. Is there something easy to prevent the user binding? (something easy to undo again!).
    Cheers,
    Darren

    I found that if I use JNDI to set nsaccountlock to true, it does disable the user from authorizing. However, it also makes the Custom Editor unable to re-activate that user. You can press the "Activate" button, and it will tell you the user has been activated, but if you check the nsaccountlock, it will still be set to true. However, one can still use Generic Editor to delete the nsaccountlock to re-activate the user.
    In order for the Custom Editor to be able to reactivate the user, the user must be in the nsManagedDisabledRole. If you add the "cn=nsmanageddisabledrole,<larger context>" to the user's nsroledn attribute, then the ldap automatically sets the nsaccountlock value to true.
    And if you later delete the nsaccountlock value, the ldap will automatically remove the nsManagedDisabledRole from the user's nsRoleDn.
    Tricky stuff,
    Christa
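
Added example (not part of the original thread): an offline audit of an LDIF export that lists accounts marked inactive through inetUserStatus that carry no nsAccountLock, which is the gap described above for services that authenticate by binding as the user. The sample LDIF, its suffix and its users are constructed, and the export is assumed to have requested nsAccountLock and nsRoleDN explicitly.

```python
import base64

# Constructed sample export (not from the thread); suffix and users are placeholders.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
inetUserStatus: active

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
inetUserStatus: inactive

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
inetUserStatus: inactive
nsRoleDN: cn=nsManagedDisabledRole,dc=exam
 ple,dc=com
nsAccountLock: true

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
inetUserStatus:: aW5hY3RpdmU=
nsAccountLock: true
"""

ROLE_PREFIX = "cn=nsmanageddisabledrole,"


def parse_ldif(text):
    """Parse LDIF content records, handling folded lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()  # attribute names are case-insensitive
        if name == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def bind_state(entry):
    """Classify one entry by whether a bind as that user is expected to be blocked."""
    status = entry.get("inetuserstatus", ["active"])[0].lower()
    locked = any(v.lower() == "true" for v in entry.get("nsaccountlock", []))
    via_role = any(v.lower().replace(" ", "").startswith(ROLE_PREFIX)
                   for v in entry.get("nsroledn", []))
    if locked:
        # Locked through the managed role (what the Custom Editor expects)
        # or by writing nsAccountLock directly.
        return "locked_via_role" if via_role else "locked_directly"
    if status != "active":
        # Inactive for the application but no directory-level lock.
        return "still_binds"
    return "active"


def audit(ldif_text):
    """Return {state: [dn, ...]} for every entry in the export."""
    report = {}
    for entry in parse_ldif(ldif_text):
        report.setdefault(bind_state(entry), []).append(entry["dn"])
    return report


if __name__ == "__main__":
    for state, dns in sorted(audit(SAMPLE_LDIF).items()):
        print(state, dns)
```

Entries reported as still_binds are the ones to lock at the directory level; locked_directly entries match the case where the Custom Editor could not reactivate the user.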

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while retaining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops.) so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID:10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the user's home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. Use this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the user's credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.

  • How to remove an Inactive LDAP Synchronized User

    Hello.
    I searched the documentation and I have not found a way to remove users imported by LDAP that are no longer part of the database. The users are still in the list after some months as "Inactive LDAP Synchronized User" and the manual removal doesn't work.
    The error message of CM 10.5 is:
    "Error occurred. One or more record did not get deleted. TypeDbErrors.ENDUSER_MODIFICATION_FAILED_SYNC_ENABLED"
    Could someone help?

    Hello,
    Try to convert this user to local and delete.
    User information synchronized from the LDAP directory can be converted to local user information so that the user information then can be edited locally on Unified CM. 
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html
    Regards
    Leonardo Santana

  • Project Online - Can't Delete Resource and User from Delete Enterprise Objects

    I would like to link a resource account to a user account but I ran into an error: "The resource account
    is already in use.".  This is a known issue which I attempted to resolve by following the instructions in KB2881398.
    However when deleting the selected resource from Delete Enterprise Objects I get a message indicating success ("The
    selected Resources and Users have been deleted.") but the duplicate user is still in the listing in Delete Enterprise Objects and when attempting to link the remaining resource to a user logon account I still get the error
    "The resource account is already in use."
    Why is the user not deleted even though Delete Enterprise Objects reports success and how can I delete these duplicates to be able to successfully link the account?

    Hi,
    This might be due to your Exchange Sync issue, where your project workspace is unable to delete that user from local DB. Try following steps to diagnose the problem:
    1) Go to your Resource Pool, DELETE a resource.
    2) While resource is being Deleted, open another window 
    Server Settings -> Manage Queue Jobs
    3) Here you can view the progress of your current Resource Deletion update, check if all goes smooth and your Resource is deleted successfully by showing process completion 100% :
     ( to view any error look at the
    last column of table on Manage Queue Job page)
    4) Cross check your Resource by running Resource Availability Report.
    Basically this will give you a fair idea of your resource deletion problems and how system is responding to it.
    Regards

  • Can CWMS import Local CUCM users without LDAP

    Hello,
    CWMS documentation states that CWMS integrates with LDAP via CUCM LDAP integration. My question is if the CUCM is not AD integrated will the CWMS be able to import local CUCM directory users via AXL?
    Thanks
    Aamir

    Hello Aamir,
    the "Directory Integration" in CWMS is based on an integration with the CUCM user database.
    So you have to pull the data from the CUCM.
    Just go to:
    Users --> directory Integration
    Directory integration can be performed in four steps:
    Add CUCM server.
    Synchronize now and set up a synchronization schedule.
    Enable LDAP authentication.
    Notify your users.
    Hope that helps
    Best regards
    Ben

  • Converting imported CUCM users to LDAP synch

    We have an existing Unity 8.x implementation that was importing users from CUCM.  We want to enable LDAP authentication for those users.  Is it possible to "convert" a CUCM-imported user into an LDAP-synched user without dropping and recreating them?  I noticed that a BAT export shows the LdapCcmUserId and CorporatePhoneNumber field end up being populated for LDAP imported users.  I haven't tried running a BAT update against these fields to see if it'll push them over to LDAP synch vs. CUCM manual synch.
    Has anyone done a migration like this before?

    Most of my deployments have been LDAP-enabled so I've not tried this but here is the related documentation on how to deal with it:
    http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/user_mac/guide/8xcucmac105.pdf
    You have to use BAT...look for the following section:
    To change the LDAP integration status of Connection users who were created by importing from Cisco Unified Communications Manager, see the “Integrating Existing Connection User Accounts with LDAP User Accounts Using Bulk Administration Tool (Cisco Unity Connection 8.5 and Later Only)” section on page 12-6.
    Hailey
    Please rate helpful posts!

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user ID's.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straightforward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication so you only have one username and password to remember, all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!
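
Added example (not part of the original post, and not Cisco tooling): a pre-sync check that compares a BAT user export with an AD export to predict which local users will convert on the first full sync, which need a rename first because the user ID is not exactly the sAMAccountName, and which an "extension populated" filter would leave out. The CSV column name `USER ID`, the shape of the AD export and all sample rows are assumptions constructed for this example; the filter string is written for illustration.

```python
import csv
import io

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account
EXT_ATTRS = ("ipPhone", "telephoneNumber")  # the two choices named in the post

# Constructed sample of a BAT user export; the column names are assumptions.
BAT_EXPORT = """\
USER ID,LAST NAME,TELEPHONE NUMBER
jsmith,Smith,1001
MBrown,Brown,1002
tlee,Lee,1003
kpatel,Patel,1004
dwong,Wong,1005
"""

# Constructed sample of AD accounts found under the search base.
AD_USERS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 512,
     "ipPhone": "1001", "telephoneNumber": "5550101"},
    {"sAMAccountName": "mbrown", "userAccountControl": 512, "ipPhone": "1002"},
    {"sAMAccountName": "tlee", "userAccountControl": 512,
     "ipPhone": "", "telephoneNumber": "5550103"},
    {"sAMAccountName": "dwong", "userAccountControl": 514, "ipPhone": "1005"},
]


def sync_filter(ext_attr):
    """LDAP filter for enabled user objects whose extension attribute is set."""
    if ext_attr not in EXT_ATTRS:
        raise ValueError("unexpected extension attribute: %r" % ext_attr)
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            "(%s=*))" % ext_attr)


def would_sync(entry, ext_attr):
    """Apply the same conditions as sync_filter() to one exported AD entry."""
    disabled = int(entry.get("userAccountControl", 512)) & ACCOUNTDISABLE
    return (not disabled) and bool(entry.get(ext_attr, "").strip())


def plan_sync(bat_csv, ad_entries, ext_attr="ipPhone", id_column="USER ID"):
    """Sort local CUCM user IDs by what the first full sync is expected to do."""
    exact = {e["sAMAccountName"]: e for e in ad_entries}
    folded = {e["sAMAccountName"].lower(): e for e in ad_entries}
    plan = {"converts": [], "rename_first": [],
            "filtered_out": [], "stays_local": []}
    for row in csv.DictReader(io.StringIO(bat_csv)):
        uid = row[id_column].strip()
        entry = exact.get(uid)
        if entry is None:
            near = folded.get(uid.lower())
            if near is not None:
                # Same name apart from case: not "exactly the same" yet.
                plan["rename_first"].append((uid, near["sAMAccountName"]))
            else:
                # No AD account: remains a local user after integration.
                plan["stays_local"].append(uid)
        elif would_sync(entry, ext_attr):
            plan["converts"].append(uid)
        else:
            # AD account exists but is disabled or has no extension value.
            plan["filtered_out"].append(uid)
    return plan


if __name__ == "__main__":
    print(sync_filter("ipPhone"))
    for bucket, users in plan_sync(BAT_EXPORT, AD_USERS).items():
        print(bucket, users)
```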

  • Moving Mail Users from a Local Directory to Open Directory

    Hi,
    We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
    My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
    So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
    thanks,
    mike

    Tony,
    Let me check the migration manual, thank you!
    I really thought this was going to be easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
    I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
    You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
    Let me play around, you've been great considering my awful explanation of this different situation.
    thanks again,
    mike

  • HT4837 3rd Party LDAP users in local groups aren't recognized by wiki

    Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837) I have found that while individual users can be given permissions to access certain wikis, LDAP users placed into local groups cannot.  Is this a bug?
    To be more specific:
    - Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
    - Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
    - Local groups created in Server.app -- Accounts -> Groups
    - LDAP users placed into those local groups
    - Services like file sharing recognize proper permissions based on the groups the LDAP users are in
    - Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
    - Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login.  A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
    Any ideas before I submit this as a bug?

  • 3 million user on Local AD to be synchronized with Office 365 FID issue

    Hello everyone,
    I have a customer (University) who has an issue with DirSync. They have 3 million users on Local AD they want to synchronize with Office 365 to enable
    these users for Exchange online. 
    Now they have users "Students" enabled for Exchange online and management and staff are enabled on the On-premises Exchange servers. 
    Dirsync during the day synchronize 2 times fine without any error and again 2 times doesn't synchronize and gives error with no details. the error
    is "Stopped Extension-dll exception" 
    More errors shown as below 
    Directory Synchronization:
    An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. SetCredential() failed. Contact Technical
    Support.  (0x8009000B)
    I am attaching other errors as well
    at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
    at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.Initialize()
    at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.Import(Byte[] syncCookie, Boolean isFullImport)
    at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
    at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep)
    Forefront Identity Manager 4.1.3465.0"
    FIMSynchronizationService:
    The management agent "Windows Azure Active Directory Connector" failed on run profile "Delta Import Delta Sync" because the server encountered errors.
    FIMSynchronizationService:
    The management agent "Windows Azure Active Directory Connector" step execution completed on run profile "Delta Import Delta Sync" but the watermark was not saved.
    Additional Information
    Discovery Errors : "0"
    Synchronization Errors : "0"
    Metaverse Retry Errors : "0"
    Export Errors : "0"
    Warnings : "0"
    User Action
    View the management agent run history for details.
    Directory Synchronization:
    The Management Agent Windows Azure Active Directory Connector failed on execution. Error returned is 'stopped-extension-dll-exception'. If the problem persists, contact Technical Support.
    Customer have tried to involve Microsoft with them through a third party technical support company but Microsoft was not able to apply anything since they have tried to apply some scripts but those scripts would take
    3 days without finishing.
    The first time the Dirsync was applied it took 1 week without finishing until now they were not able to apply a full import and export sync.
    What have really got me interested is that Microsoft did not suggest to the customer to upgrade his FIM (ForeFront Identity Manager)'s old version
    to the latest one. 
    Customer is using Full SQL deployment on a dedicated server and DirSync (FID) on a separate server too. The deployed servers are virtual and have 32
    GB ram and 200 GB HDD size and 4 cores.
    I have recommended to this customer that we do not touch this current deployment since Microsoft themselves couldn't do anything in regard, but what
    we could do is take a virtual snapshot and then apply the upgrade and see if this resolves the issue or not?
    Note:
    Microsoft talked to them about a limited number of synchronized items to their Azure site per week! I am not sure about this but what the customer
    said is that they change approximately about 25,000 user object per day. 
    Could this issue happen because of this limit?
    Thanks

    Besides the large number of objects in the system, which I am not sure DirSync can handle, I suggest you separate the failing step from other steps in the RunProfile.
    So, if you have a step that does Delta Import and Delta Sync, separate it into 2 steps.
    Best,
    Nosh
    Nosh Mernacaj, Identity Management Specialist

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now, I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want to connect directly to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Query list of users from LDAP

    Hi Gurus,
    I am trying to programmatically query the list of users belonging to a particular user-group, from LDAP.
    LDAP is deployed on Weblogic as a 'provider'.
    I have the following details of the LDAP instance - host:port, security principal (CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com), LDAP password (credential), User Base DN.
    I tried the following using BPEL:
    <sequence name="main">
        <!-- Receive input from requestor. (Note: This maps to operation defined in BPELProcess1.wsdl) -->
        <receive name="receiveInput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="inputVariable" createInstance="yes"/>
        <!-- Generate reply to synchronous request -->
        <assign name="Assign1">
          <copy>
            <from>ora:getContentAsString(ldap:listUsers('people','ou=people'))</from>
            <to>$outputVariable.payload/client:result</to>
          </copy>
        </assign>
        <reply name="replyOutput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="outputVariable"/>
      </sequence>
    </process>
    and following is the content of the directories.xml that I have created:
    <?xml version="1.0" ?>
    <directories>
    <directory name='people'>
    <property name="java.naming.provider.url">ldap://<host>:<port></property>
    <property
    name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.security.principal">CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com</property>
    <property name="java.naming.security.authentication">simple</property>
    <property name="java.naming.security.credentials">password</property>
    <property name="entryDN">User Base DN</property>
    </directory>
    </directories>
    When I run this BPEL process, I get a blank value on my output variable -
    <outputVariable>
    <part  name="payload">
    <processResponse>
    <result><users xmlns="http://schemas.oracle.com/bpel/ldap"/></result>  
    </processResponse>
    </part>
    </outputVariable>
    Is there something I am missing here?
    Regards,
    Arindam

    Slight change in my approach here:
    I would like to use the Weblogic provider to connect to this LDAP
    so... instead of MyProgram --> LDAP, it should now be MyProgram --> Weblogic/SecurityRealms/myrealm/Providers/myAuthenticator --> LDAP
    In this guess, I won't be using LDAP connection details; instead the Weblogic host/port and Authenticator name should be sufficient
    How can I programmatically query the list of users using this approach?


    Hi, I am new with mac. I inserted a music CD into my CD drive hoping that a CD image would show on my desktop, but it didn't. I went into iTune and it too didn't show the CD or the music list. The only thing I could do is to start Parallel Desktop an