Conversion of LDAP entries

We are planning to use iMT to convert our application from
NetDynamics 5.0 to iPlanet server. I would like to know if there is
an easy way to convert LDAP entries in Production without changing
users' passwords.
Thanks
--das
763-593-7167

Hi Wilpred,
As you will have the userID attribute you can do a search on the entryDN attribute (SUN ONE DIRECTORY SERVER - which we have used).
This attribute is formed using the user Id and not the CN.
Once you get the entryDN value of the User entry then you can manipulate any of the values.
I am not quite sure about any such attribute existing in Active Directory, but you can find that out. For your convenience a sample user entry for entryDN is:
entrydn=uid=tstbkr01,ou=people,o=enterpriseis.co.uk
entrydn=cn=BrokerA,ou=groups,o=enterpriseis.co.uk
The first entry is for user entries and the second one is for group entries, i.e. tstbkr01 is a user and BrokerA is a group in our system.
Hope this will help you,
Regards,
pradipg

Similar Messages

  • LDAP integration - "LDAP Import adapter warning: No LDAP entry was defined"

    Hi,
    I am trying to integrate ETPM with LDAP (Microsoft AD). I have successfully connected Weblogic and can see the AD users there; I followed the instructions in the "Oracle Utilities Application Framework Administration User's Guide" on how to integrate with LDAP:
    1) I defined the JNDI server
    2) I created a mapping file as described
    3) registered the file within XAIParameterInfo.xml and MPLParamaterInfo
    When I try to import users via the LDAP Import menu the response is empty; in the logs I see the following message: "LDAP Import adapter warning: No LDAP entry was defined". Has anybody had similar issues and maybe a solution to this issue?
    My versions:
    Customer Release V4.1.0 000 000
    Oracle Enterprise Taxation Management V2.3.1.1.0 001 001
    Oracle Utilities Application Framework V4.1.0.1.0 001 000
    My assumption is there is something wrong with the config, as all other connection (including the one from Weblogic) are successful.
    I appreciate any feedback on this.
    Best regards,
    Sebastian

    Would have liked to post an update in my other post, but that one is locked. I found so many problems with the LDAP integration but eventually managed. If anyone runs into similar issues, here is what you need to check:
    1) AD admin user password - is limited to 8 characters (nowhere mentioned in the docs!!!)
    2) Be careful with case; do NOT rely on the documentation, it is wrong! Here is a sample ldapdef.xml (I highlighted the changes you need to make in comparison to the documentation):
    <LDAPEntries>
    <LDAPEntry name="User" baseDN="CN=Users,DC=yourdomain,DC=com" cdxEntity="User" searchFilter="(&amp;(objectClass=user)(name=%searchParm%))">
    <LDAPCDXAttrMappings>
    <LDAPCDXAttrMapping ldapAttr="name" cdxName="*user*" />
    <LDAPCDXAttrMapping cdxName="LanguageCode" default="ENG" />
    <LDAPCDXAttrMapping cdxName="FirstName" default="fn1" />
    <LDAPCDXAttrMapping cdxName="LastName" default="fn2" />
    <LDAPCDXAttrMapping cdxName="DisplayProfileCode" default="NORTHAM" />
    <LDAPCDXAttrMapping cdxName="ToDoEntries" default="1" />
    <LDAPCDXAttrMapping cdxName="TD_ENTRY_AGE_DAYS2" default="12" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
    <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="memberOf" />
    </LDAPEntryLinks>
    </LDAPEntry>
    <LDAPEntry name="Group" baseDN="OU=Groups,OU=yourgroup,DC=yourdomain,DC=com" cdxEntity="*Group*" searchFilter="(&amp;(objectClass=group)(name=%searchParm%))">
    <LDAPCDXAttrMappings>
    <LDAPCDXAttrMapping ldapAttr="name" cdxName="*group*" />
    <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown" />
    </LDAPCDXAttrMappings>
    <LDAPEntryLinks>
    <LDAPEntryLink linkedToLDAPEntity="User" linkingSearchFilter="(&amp;(objectClass=user)(memberOf=%distinguishedName%))" linkingSearchScope="onelevel" />
    </LDAPEntryLinks>
    </LDAPEntry>
    </LDAPEntries>
    Oracle OUAF, update your documentation, please.
    Regards,
    Seb

  • Mails shows picture of Addressbook entry but not for LDAP entries

    We have an LDAP server working nicely in the company; it's integrated into Addressbook and works well when composing new mail.
    But... for incoming mails, Mail.app does show the picture of the sender IF AND ONLY IF the server has an Addressbook entry. That's nice, but does not work for LDAP entries.
    I would really appreciate Mail supporting retrieving pictures from LDAP as well (e.g. querying it with the sender's email address). Does anybody know of a plugin for Mail.app supporting this, or will Apple support this one day?
    Cheers, Martin

    Does this thread help? http://discussions.apple.com/thread.jspa?threadID=1711038&tstart=15
    I have experienced this and it was because I removed the placeholder and just added the image on the entry page. I duplicate blog entries and delete content to add new stuff so don't have to reformat every time, if you do that don't remove the image just add on the top - it should replace the previous image. Hope this helps, it is frustrating at times but the more you learn the easier it becomes.

  • Access the operational attribute 'entryUUID' of an ldap entry

    How can I access the operational attribute 'entryUUID' of an ldap entry? Does someone have a sample code fragment?

    Attributes attribs = initLdapCtx.getAttributes(fullName, new String[]{"+"});
    This is for OpenLDAP only, because it's the only server I know which supports "+" meaning "all attributes".
    For other servers you might need to specify the entryUUID attribute explicitly in the String array. But be aware that this attribute might have different names on different servers.
    Cheers,
    Peter

  • How do I delete an LDAP entry and all of its child entries via PL/SQL

    I need to be able to delete (via PL/SQL) an entry and all of its child entries on my OID LDAP Server. None of the procedures in the provided DBMS_LDAP package seem to be able to do this. For example, the delete_s procedure can only delete entries that are leaf nodes (no children). This will not work for me.
    I realize that I can execute the bulk delete shell script to do this, but this is via the command line, not PL/SQL.
    While I think I could write some PL/SQL code to parse through each entry using the "search_s" procedure and delete them one by one using the "delete_s" procedure, this doesn't seem very efficient. It seems like this should be a fairly common request and Oracle should have already addressed it.

    Sorry, to be clear, it's form fields on a web page that bring up all previously entered information.... I want to delete some of these individually, but not all.

  • Browsing attributes of ldap entries never finds "cn"

    Hello,
    newbie here testing how JNDI interacts with a Novell NDS eDirectory LDAP server...
    I've created a few test users in the directory, all with "cn" attributes. However, when I run my JNDI test program, it always finds all the attributes except "cn". I was wondering if anyone ran into this problem before or if it may be some sort of ldap server misconfiguration.
    I've included the source code to show how it's working...
    ************ Start of Source code
    import java.util.Hashtable;
    import java.util.Enumeration;
    import javax.naming.*;
    import javax.naming.directory.*;

    public class GetAttributes {
        public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
        public static String MY_SERVICE = "ldap://192.168.0.208:389";
        public static String ENTRYDN = "cn=testcn,ou=TESTOU,o=TESTO";

        public static void main(String[] args) {
            try {
                Hashtable env = new Hashtable(5, 0.75f);
                env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
                /* Specify host and port to use for directory service */
                env.put(Context.PROVIDER_URL, MY_SERVICE);
                /* get a handle to an Initial DirContext */
                DirContext ctx = new InitialDirContext(env);
                /* null attribute list = ask for all user attributes of the entry */
                BasicAttributes basicAttributes = (BasicAttributes) ctx.getAttributes(ENTRYDN, null);
                System.out.println(basicAttributes.size());
                NamingEnumeration ne = basicAttributes.getAll();
                BasicAttribute basicAttribute = null;
                while (ne.hasMore()) {
                    basicAttribute = (BasicAttribute) ne.next();
                    System.out.println(basicAttribute.toString());
                }
                ctx.close();
            } catch (Exception e) {
                System.out.println(e.toString());
            }
        }
    }
    ************ End of Source code
    ************ Start of Results
    2
    objectClass: person, ndsLoginProperties, top
    sn: LastNameOfTest
    ************ End of Results
    Thanks.

    If you use SearchControls you can specify the attributes you get back. Maybe you should try explicitly returning the cn to see if the entries are being searched correctly.
    SearchControls ctls = new SearchControls();
    String[] attrs = { "cn" };
    ctls.setReturningAttributes(attrs);
    Then pass the controls when you search:
    results = context.search("", filter, ctls);
    // where filter is a string that has your search criteria
    --Nicole

  • Rename an LDAP entry and all child

    I have an entry in an LDAP tree with the dn
    dn=ou=Customer, c=country, o=Company
    This entry has some child entries. Now I want to rename
    this entry from ou=Customer to ou=Customer_1 and the children
    should move to the new ou.
    Does anyone know how I can do this with the LDAPv2 protocol?
    Java: 1.4.1_02
    LDAP: Sun Directory Server 5.x
    Thanks

    Hello Matt,
    I found an example to do this thing without the move command.
    It is a recursive function. The function does the following:
    - copy entry from old URL to new URL
    - search for subentries of the old URL and call this
    function with old and new URL of all subentries.
    - delete the old URL
    That's all.
    The move command is only implemented in some LDAP servers, so I can
    not use this.
    Regards,
    Volker
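Volker's copy, recurse, delete procedure, together with the bottom-up subtree delete that the DBMS_LDAP question above asks for, written out in JNDI as an added example (my code, not from either thread). The server URL, bind DN and password are placeholders; the subtree DN is the one from the question.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Subtree rename for servers without a subtree MODDN/move: copy each entry under the
// new parent, recurse into its children, then delete the old subtree bottom-up. Not
// atomic: verify the new subtree (in a change window) before the old one is deleted.
public class SubtreeRename {
    // Placeholders: point these at your own server and admin account.
    static final String URL = "ldap://ldap.example.invalid:389";
    static final String BIND_DN = "cn=Directory Manager";
    static final String BIND_PW = "CHANGE-ME";
    // Leftmost RDN, e.g. "ou=Customer" for "ou=Customer,c=country,o=Company".
    static Rdn leafRdn(String dn) throws NamingException {
        LdapName name = new LdapName(dn);
        return name.getRdn(name.size() - 1); // index 0 is the rightmost RDN
    }

    // ONELEVEL search for the DNs directly under 'dn'; no attributes are fetched.
    static NamingEnumeration<SearchResult> children(DirContext ctx, String dn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[0]);
        return ctx.search(dn, "(objectClass=*)", sc);
    }

    // Ensure the naming attribute value of the new DN is in the copied entry (some
    // servers reject the add otherwise) and drop the old value when only the RDN
    // value changed, as in ou=Customer -> ou=Customer_1.
    static void fixNamingAttribute(Attributes attrs, Rdn oldRdn, Rdn newRdn)
            throws NamingException {
        Attribute a = attrs.get(newRdn.getType());
        if (a == null) { attrs.put(newRdn.getType(), newRdn.getValue()); return; }
        if (oldRdn.getType().equalsIgnoreCase(newRdn.getType())) a.remove(oldRdn.getValue());
        if (!a.contains(newRdn.getValue())) a.add(newRdn.getValue());
    }

    // Copy 'oldDn' to 'newDn', then every child beneath it. getAttributes() returns
    // user attributes only, so operational attributes the server will not accept on
    // add (entryUUID, modifyTimestamp, ...) are not carried across.
    static void copySubtree(DirContext ctx, String oldDn, String newDn)
            throws NamingException {
        Attributes attrs = ctx.getAttributes(oldDn);
        fixNamingAttribute(attrs, leafRdn(oldDn), leafRdn(newDn));
        ctx.createSubcontext(newDn, attrs).close();
        NamingEnumeration<SearchResult> kids = children(ctx, oldDn);
        while (kids.hasMore()) {
            String childDn = kids.next().getNameInNamespace();
            copySubtree(ctx, childDn, leafRdn(childDn) + "," + newDn);
        }
    }

    // Post-order delete: children first, because delete rejects non-leaf entries.
    static void deleteSubtree(DirContext ctx, String dn) throws NamingException {
        NamingEnumeration<SearchResult> kids = children(ctx, dn);
        while (kids.hasMore()) deleteSubtree(ctx, kids.next().getNameInNamespace());
        ctx.destroySubcontext(dn);
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        try { // the rename asked about above: ou=Customer -> ou=Customer_1
            copySubtree(ctx, "ou=Customer,c=country,o=Company",
                             "ou=Customer_1,c=country,o=Company");
            deleteSubtree(ctx, "ou=Customer,c=country,o=Company");
        } finally {
            ctx.close();
        }
    }
}
```

The bind account needs add rights under the new parent and delete rights under the old one; a plain simple bind over ldap:// sends BIND_PW in clear, so use ldaps:// or StartTLS outside a lab.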

  • Ldap entries

    I am a bit confused about ldap.
    Is the schema the structure that I populate my data to?
    I also read that you can store information in three ways:
    1. Store the java objects themselves
    2. Store a reference to the object
    3. Store information as attributes
    I am just trying to load data to active directory or populate the directory with data. what is the best or simplest method to do this?

    I've been playing with the Oracle version OID, which may not be completely typical but, so far, the only objects in the system are stored as Contexts, including leaf elements like users, and the actual data (passwords, e-mail addresses etc.) is stored as attributes attached to the leaf Contexts.
    Group elements contain an attribute which has an entry for each user, consisting of their full path.
    I suppose if more specialised objects were used it wouldn't help with accessing the directory from outside of Java.
    Each node is named something like "cn=Joe Blogs" and the paths are presented in local-first order, separated by commas.

  • Converting a single entry within an array into 16 entries within a new array. Building an array without knowing the exact amount of array entries.

    I'm developing a VI that reads a text file and does a manipulation on the data it reads. The VI does the following: First, it reads all the ASCII characters from a text file, converts them to 8-bit words, until EOF occurs. Then I do some simple conversion to each byte. The result is that each bit entry of the byte now gives 2 3-bit entries, making a total of 16 3-bit values returned for each byte within the original array. For example, when I read element #0 of the byte array, I get the byte value of 1011000. My VI then converts this to 16 separate 3-bit values. I can do the conversion just fine. My problem is figuring out how to put these 16 elements into an array to be written out of my 6534 card. I know how to do the DIO write part, but the problem is how do I combine the 16 elements into an array for thousands of bytes read from the text file? Also, the size of the file that I read is unknown until it is read, so I may have to output many successive outputs as described above. The first element read would give 16 3-bit elements for the new array, the second byte read would give another 16 3-bit elements and so on up to N values in the original array. Any ideas?

    Place a for loop, wire N to the length of the string you read, pass the string inside and wire it to String Subset, with the length entry wired to 1 and the offset entry to the loop counter (i). Then you can play with every character inside the loop, and have an output array composed of the result of every character.
    Hope this helps

  • WGM creates ldap entries but dscl doesn't

    I can successfully create users and groups in Workgroup manager on my Xserve running 10.5.7 server when bound to my local LDAP directory (127.0.0.1) as the newly created diradmin user but when I try to do the same using dscl in a terminal as the same user I get an error as follows:
    /LDAPv3/127.0.0.1/Groups > create . test_group
    <main> attribute status: eDSPermissionError
    <dscl_cmd> DS Error: -14120 (eDSPermissionError)
    I don't wish to use sudo to create the entries as I intend creating users and groups from an external script - but since I can successfully create entries using the same user in WGM, how is it I can't using the same credentials in a terminal?
    Any thoughts greatly appreciated...
    (I also tried changing the password type of the diradmin from OD to crypt but it doesn't seem to have changed anything...)

    I'm experiencing the same issue; I can create/add users to groups in WGM but not on the command line. I get
    <main> attribute status: eDSPermissionError
    <dscl_cmd> DS Error: -14120 (eDSPermissionError)

  • How To Display User Photo (jpegphoto attribute) From OID LDAP Entry

    Hello everyone,
    I've spent a few days looking for a solution to this problem with no luck.
    I have a PLSQL database package that generates an organisation chart of users. It works fine but I am struggling to retrieve the users photo.
    I have tried linking to the jpg files in my /oiddas/ui/oracle/ldap/das/Images/users/ folder but these files do not always exist so this is unreliable. These files only appear to be created if a user has previously viewed their profile in Self Service Console. Even if the files exist they are often out of date and don't reflect the photo held in OID.
    I know the photo is stored in the jpegphoto attribute and I have been using DBMS_LDAP calls to retrieve other user details but I just can not find a definitive answer to how I send this image to the browser.
    If anyone has any ideas, sample code or web links it would be appreciated.
    Thanks,
    Matt

    The idea would be to get the attribute value from OID using DBMS_LDAP or Java (whatever is easier for you) and dump it in a file. Then generate the URL to the file.
    When you initiate the LDAP connection to get the picture, remember to specify jpegphoto as a binary attribute.
    Octavian

  • Where is this ldap entry stored?

    Directory Server: 5.2
    I am looking for the file where the cn=schema entry value is stored. I would like to change one of the attribute values. Console edit gives a protocol error.
    Help is appreciated,
    Thanks

    1. modifyTimeStamp is an operational attribute. Many operational attributes can only be changed by the server itself. I suspect modifyTimeStamp is one of them, and that's why you get protocol error.
    2. If in your cn=schema entry there are multiple values of modifyTimeStamp, then the entry must have been damaged as the attribute is defined as single-valued.
    3. Theoretically (I'm guessing here) the cn=schema entry should be in the database file: <slapd-instance>/db/NetscapeRoot/id2entry.db3. But I have no idea how you can fix it.

  • Need help masking or hiding sensitive data in LDAP entries.

    I am currently working on a schema for holding user account information
    in LDAP. We are storing user SSN information as part of the custom
    schema that we have created and need help hiding that data from people
    who may be browsing the directory, either using the console or other
    means. The end result we are trying to achieve is the same as the way
    that the userPassword attribute is stored in the directory. When viewed
    it appears as all asterisks but it can still be passed and read normally
    elsewhere. If anyone has any information on how to do this it would be
    greatly appreciated.
    Thanks
    Robert LaBarre
    [email protected]
    Dewpoint Inc.

    Read the section in the manual on access control. Personally, if you have an
    SQL database that contains information about individuals as well, you might
    want to consider putting the SSNs in there and not in the directory for
    security reasons. i.e. I just read a CERT advisory about buffer overflows in
    the Beta version of iPlanet 5.0 (supposed to be fixed in the release
    version) which basically means full system compromise. Personally, I would
    not recommend putting SSNs in the directory at all if the directory is
    accessible over the Internet. There's always security holes here and there
    and I doubt that you want to leak this kind of information onto the
    Internet.
    Jon

  • How do you convert a date entry to a numeric value?

    In Excel, I used to use the MAX() function on a range of dates to get the latest date from the range.  This does not work in Numbers.
    Here is the function I used in Excel:
    =IF(OR(TODAY()-MAX(J4:J56)>179,'Sheet 1 - Table 1'!I2-MAX(I4:I56)>4999),"NEED OIL CHANGE","")
    J4:J56 is a list of dates.

    Norman,
    Numbers has data types.  With regard to:
    TODAY()-MAX(J4:J56)>179
    TODAY() returns a date/time value
    MAX(J4:J56) also returns a date/time value
    TODAY()-MAX(J4:J56)  returns a duration
    179 is a number NOT a duration.  179 I think is supposed to be 179 days which you would enter as "179d".  a duration is expressed in weeks, days, hours, minutes, seconds, milliseconds.  So "179d" is short for "179d 0h 0m 0s 0ms"
    This may work better for you:
    =IF(OR(TODAY()−MAX(J4:J56)>"179d",F1−MAX(I4:I56)>4999),"NEED OIL CHANGE","")
    Note that I changed "'Sheet 1 - Table 1'!I2" to "F1" for my test as I do not have that table.  "'Sheet 1 - Table 1'!I2" looks like an Excel reference that will not work in Numbers.  You should replace this by removing it, then locating and selecting the correct cell in Numbers.
    Said another way... select that part of the formula, delete, then click the cell where that resides in a Numbers table

  • Why does the LDAP/AD RA convert adds to modifies. How do I prevent this!

    hellos.
    I have noticed that if I attempt to add an LDAP entry which has the same DN as an existing entry, then the default Provisioning workflow SILENTLY converts this add to a modify.
    template: cn=$fullname$,ou=people,dc=company1,dc=com
    so if 2 different persons with same first and lastnames are entered into IdM first one gets added Ok but then gets hijacked by the second 'addition'.
    ok. I understand that I have to cater for this eventuality, but isn't the whole point of using an intelligent system like IdM to trap these events automatically?
    I would rather see an error message like "error code 68: object already exists" on the screen after screen entry + save than end up with 2 different Idm entities pointing to the same LDAP entry!!
    Is it possible to set a switch (waveset property?) allowing/denying the convert add to modify when the target already exists?
    Must I have to either rewrite the provisioning workflow or plug in some fullname validation on the form?

    It does not matter what you intend to do or not: the identity template is there to tell IDM how the resource account should be identified. The software has no "knowledge" of your intentions. It uses the configuration you gave it to create the account you are requesting. If that should not happen in all cases then you will have to handle that.
    The fact that you provision to the resource also shows that you do not see the resource as the authoritative source of data.
    IDM does not assume or preempt that the account already exists on the resource. If it finds that the account already exists when it checks the resource it has to follow what you have configured it to do. In this case that is create the account you wanted it to create. To make sure that the account contains the information you want it to contain it will modify/add the values which are missing and or different.
    The fact that the resource account is already there is not an error situation and will never be one. It is considered as being a normal case with a normal solution: IDM takes hold of the account. If it would be an error case there would be no need for reconciliation or active sync. You can even go a step further and state that the account on LDAP should not have existed if you try to create the user this way, reconcile or active sync should take care of these kinds of accounts.
    For the sharing part: IDM understands that resources can contain shared accounts, it even has a state for them in the reconciliation. But when you create a user in IDM and assign resources, the accounts on the resources automatically belong to the user in IDM. This has to be enforced, otherwise there would never be a guarantee that a user who has a resource assigned also really has the account.
    If you want IDM to fail in situations like this then you have to code that yourself and customise the workflow or forms used for the provisioning process. By doing that you will create a huge amount of manual intervention to create the accounts in a later stage unless you can make the work flow smart enough to cycle through a number of possible resource account Id values if the account already exists on the resource.
    This will almost certainly also kill any possibilities to run a reconcile against that resource because you can not catch this in correlation rules or confirmation rules.
    Then a user form does not go out and see if the account already exists. The form provides logic and a display template for information. The provisioner and the userviewer will do all the processing.
    If you really want to leave the existing account alone then there are two options you can set as form properties, only one can be used at anytime:
    "NoLinking"
    "InteractiveLinking"
    like this:
    <Form .....>
    <Properties>
    <Property name='InteractiveLinking' value='true'/>
    </Properties>
    If you specify "NoLinking" the provisioning will go ahead and the user will get accounts on all resources where there were no conflicts, no interaction possible.
    If you specify "InteractiveLinking" your checkin of the userview will fail and you will be returned to the GUI. At that point you will have to fix the issues that were found before any provisioning will take place. This requires custom forms and all handling needs to be done by the user. Have a look for DiscoveredAccountFields in the libraries
    This was built into the product after a push from one customer and has never been documented outside of one release note. It will become part of the standard docs from version 7 onwards. However it is still considered a bad solution, but if you want it you can use it.
    WilfredS
