CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

BE6K ver 8.6.2
Client has a user who recently got married.  They changed her account information in Active Directory to reflect her new last name. At that point CUCM shows her as
Delete Pending
LDAP Sync Status Inactive
CUC shows
LDAP User has been deleted.
The user still exists in both CUC and CUCM and is actively taking and receiving calls.  User has VM access.
Short of deleting the user in AD and recreating her, is there a way to force this to re-sync?
Thanks
Matt

Then that's expected to happen, for all purposes to CUCM/CUC eyes, msmith no longer exists and will be deleted, and a new user mjones now will be imported.
Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user
You'll need to associate everything to the new user, and also add that new user into CUC.
Or switch back her userID to the old one, and just change the surname for directory purposes.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk
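
A simplified model of the sync behaviour described in the reply above, added here as an illustration (it is not Cisco code and not part of the thread). It assumes the sync matches entries on userID, reuses the reply's msmith/mjones names and 48-hour figure, and goes one step further by running the same rename with matching on a stable identifier; the `guid` field, the device name and all function names are constructed.

```python
"""Toy one-way directory sync: what a userID rename looks like to the consumer.

Constructed example. It models the behaviour described in the thread and is
not how any particular product is implemented.
"""
from dataclasses import dataclass, field
from typing import Optional

GC_AFTER_HOURS = 48  # assumption: the reply's "up to 48 hours maximum"


@dataclass
class LocalUser:
    user_id: str
    guid: str                      # hypothetical stable directory identifier
    surname: str
    status: str = "active"         # "active" or "delete pending"
    inactive_since: Optional[int] = None
    devices: list = field(default_factory=list)


def sync(local, directory, key, now):
    """Run one sync pass, matching directory entries to local users on `key`."""
    events, seen = [], set()
    for entry in directory:
        k = entry[key]
        seen.add(k)
        user = local.get(k)
        if user is None:
            # No local record with this key: treated as a brand-new user.
            local[k] = LocalUser(entry["user_id"], entry["guid"], entry["surname"])
            events.append(("imported", entry["user_id"]))
            continue
        if (user.user_id, user.surname) != (entry["user_id"], entry["surname"]):
            events.append(("updated", entry["user_id"]))
        user.user_id, user.surname = entry["user_id"], entry["surname"]
        user.status, user.inactive_since = "active", None
    for k, user in local.items():
        # Local record whose key vanished from the directory: not removed yet,
        # only flagged. Its devices and access stay in place until GC runs.
        if k not in seen and user.status == "active":
            user.status, user.inactive_since = "delete pending", now
            events.append(("delete pending", user.user_id))
    return events


def garbage_collect(local, now):
    """Remove users that have been delete pending for GC_AFTER_HOURS or more."""
    expired = [k for k, u in local.items()
               if u.status == "delete pending"
               and now - u.inactive_since >= GC_AFTER_HOURS]
    return [local.pop(k) for k in expired]


def run_scenario(key):
    """Import msmith, attach a device, rename to mjones, sync again, then GC."""
    before = [{"user_id": "msmith", "guid": "guid-0001", "surname": "Smith"}]
    after = [{"user_id": "mjones", "guid": "guid-0001", "surname": "Jones"}]
    local = {}
    sync(local, before, key, now=0)
    local[before[0][key]].devices.append("SEP-CONSTRUCTED-01")
    events = sync(local, after, key, now=24)
    removed = garbage_collect(local, now=24 + GC_AFTER_HOURS)
    return events, local, removed


if __name__ == "__main__":
    for key in ("user_id", "guid"):
        events, local, removed = run_scenario(key)
        print(f"match on {key}:")
        print("  sync events :", events)
        print("  removed     :", [(u.user_id, u.devices) for u in removed])
        print("  remaining   :", [(u.user_id, u.status, u.devices)
                                  for u in local.values()])
```

Matching on `user_id`, the rename yields an import of mjones with no devices plus a delete-pending msmith that keeps its device until garbage collection; matching on the stable identifier yields a single in-place update.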

Similar Messages

  • Users showing up in corporate directory that were deleted from LDAP/AD still

    Has anyone seen this before?
    CUCM 9.1.1a (9.1.1.20000) LDAP integrated with one directory.
    There are a few users not listed in the end user directory anymore in CUCM, but on the phone corp directory and in Jabber you see these users still. The directory URL is pointing to the CUCM server and we have tried both servers in the cluster.  They are not in the User Management -> End user list in CUCM at all any longer. 
    If we add a test user, they show up in the directory and when we delete the test user they go inactive and go away after 2-3 days when garbage collection job clears them out and the test user is no longer in the directory.
    The users are no longer in LDAP anymore either.  Is there a way to purge/refresh the CUCM directory?  Not finding much in bug search tool yet.
    If we remove the LDAP Directory and add it back think that may clear up something? 

    Same here...I found this solution for older version, but haven't had a chance to try it yet
    Problem
    A user is deleted from Active Directory but still appears in Cisco Unified Communications Manager as inactive and stays there in a delete pending state. This issue occurs in a Cisco Unified Communications Manager cluster synchronized with the Active Directory.
    Solution
    Complete these steps in order to resolve this issue.
    Choose Cisco Unified Serviceability> Tools> Control Centre - Feature Services
    Choose the IP Address of the publisher.
    Restart the Cisco DirSync service.
    If this procedure does not resolve the issue, complete these steps:
    Garbage Collection can cause this issue, so check the logs to determine if it is invoked.
    Make sure that the Dirsync service is active.
    Check the DirectoryPluginConfig table in the Cisco Unified Communications Manager database to see if there is an entry with pkid 54c43f99-a561-4f3a-868d-26a5547445d9.
    Note: The output of the run sql select * from DirectoryPluginConfig command confirms whether the Garbage Collector pkid is present in the DirectoryPluginConfig table when the DirSync service starts.
    If the pkid is not present, open a case with the TAC Service Request Tool (registered customers only) and provide a remote support account so that TAC can update the DirectoryPluginConfig table to fix the Garbage Collection row.
    Restart the DirSync service.

  • Question on LDAP integration & user deletion

    In the "Administration Console Help" Document it states:
    "You cannot invite user accounts that are mastered in an LDAP-based user directory; these accounts are created automatically when you synchronize the LDAP directory."
    Does this mean that after configuring a LDAP Realm, the users specified by the filter should be automatically pulled into OnTrack? I do not see ldap users when executing a blank search from the admin console. At this point, I also cannot log into OnTrack using a valid LDAP user. I was trying to see if OnTrack worked similar to UCM where the OnTrack user acct would be created once the user logs into the application.
    What I can do is go to "Create User" and enter the email address for a valid ldap user. then I see that user in the full search. that user can also log in successfully.
    I wanted to know what the expected behavior was: is there expected to be a required 'registry' of ldap users into ontrack before they can auth into the app? Is there some sync process that needs to be run to pull in the ldap users?
    Also, is there any current best practice of user deletion? I see in the admin console that there is a note that states: "Note: User deletion is not supported."
    As always, thanks for the info!
    Thanks,
    -ryan
    Ryan Sullivan | ECMconsultant
    http://www.ecmconsultant.net/

    Ryan,
    It sounds like you figured this out.
    There is NOT an explicit sync of users from LDAP into On Track. The On Track user object is created when the LDAP user first logs in (or when added to a Conversation by another user). After that point, the user will be visible in the admin console. (Note, however, that from the client, you can search for an LDAP user and add them to a Conversation's membership even if that user has not yet logged in to On Track. It does this by searching for the user in the LDAP directory, as well as in On Track's known users. This is a great way to "invite" other people in the organization to participate in On Track.)
    As for your other questions:
    - The recommended way to "delete" a user is to mark the user "Disabled" in On Track. This will prevent that user from logging in and from showing up as a valid user in the client.
    - Once a user "[email protected]" exists, it should not be possible to create another "[email protected]" user, even if the first one is disabled, and regardless of which realm those users are in.
    --Dan

  • How to force a new password in portal with LDAP user? external users

    With an external portal (used by agents that do not work for you or reside in your office), company policy is for password to be changed every qtr.
    If the users are created as LDAP users, how to force them to change their password when required?
    Is this a custom application that needs to be written so when they log into the portal if the qtr has expired the portal ask them to enter a new password that becomes valid for the next qtr.
    Versus internally deleting and emailing all the users a new password?

    Hi Glenn,
    We are getting one problem when we are creating user in LDAP and login with that user in  Portal that time we are getting Password change screen , but when we create a user in LDAP and change the password of that user in LDAP then when the user tries to  Login to portal that time we are not able to see the password change screen.
    But again if we change the password of that user through Portal we are able to see change password screen.
    can you help on this how we can force the user to change password when we are changing password in LDAP or in SAP System.
    Regards
    Trilochan

  • LDAP user no longer able to log in

    We have CQ 5.3 set up using LDAP authentication.  We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
    We've tried on multiple different instances of CQ and she gets the same message every time.  She is able to log into other applications that use LDAP for authentication just fine. We have tried resting CQ to see if that resolves the issue and it hasn't.  I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact?  This started happening a week ago.

    Hi Jennifer,
    Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
    Hope this helps.
    Ron

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, setup is in such a way that Administrators is a group created under following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
    The problem that I am having is when I modify the Admin role in which Administrators group should be added what exactly I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
    Regards,
    Neeraj Tati.

  • LDAP User sync problem

    Hi,
    I have configured LDAP on NetWeaver WebAs ABAP using LDAP transaction. It is working fine and I am able to sync users from Microsoft AD to SAP Database. But the problem is It is also synchronizing the terminated users from the company, which are not useful. We have 2 entries under base entry need to be synced excluding the terminated users. If I use base entry it taking all users instead I want to sync only users under those two DNs. Is there any way to do this?
    One more Question is I have synchronized all users later I have mapped some fields. For new users I am getting the mapped field updates but not for the already synced users when I run the sync report. Can I update already synced user fields also or do I need to delete all users and start re-sync again?
    Thanks,
    Ajay.

    Hi Ajay,
    Let me see if I understand you correctly:
    1. You're running an LDAPSYNC from AD to ABAP?
    The ldap connector works using the "subtree" method by default. It scans all OUs under the BaseDN you specified. If you wish to perform this scan only on two specific DNs,  ou=department1,ou=users,dc=ldap,dc=corp and ou=department2,ou=users,dc=ldap,dc=corp and not the whole ou=users,dc=ldap,dc=corp, then you need to create two entries in trans. LDAPMAP.
    If you copy your existing entry, it will copy the attribute mappings as well.
    This will require you to run the RSLDAPSYNC_USER report for each of the server settings.
    2. For a one time update, you can run the RSLDAPSYNC_USER report and choose "ignore timestamp" in the "objects that exist both in directory and database".
    This will update the user's info, provided you set the "import" flag for the attributes in the 'synchronization' section for the server (trans. LDAPMAP).
    Best regards,
    Eric

  • How do I delete "Pending Available Downloads" from my queue?

    How do I delete "Pending Available Downloads" from the list permanently?  I got a full season of a TV show, and all the HD versions won't go away!

    Hi. I googled How to Delete Pending Downloads in iTunes and I found this info on answers.com. It worked for me. I had 35 pending downloads and every time I tried to delete them, they reappear every time I open iTunes and automatically start downloading to my pc. So annoying! Good luck...
    On PC, go to /Users/yourUserName/Music/iTunes/iTunes Media/Downloads/ 
    Delete any folder for the download you want to remove
    Delete the file list.plist 
    When you next start iTunes or update apps the unwanted download will not start  
    If you interrupt a download in the future a new list.plist will be created containing the interrupted download and the original unwanted download
    http://wiki.answers.com/Q/How_do_you_remove_pending_downloads_from_iTunes

  • User disabled in LDAP triggers disable identity in IDM?

    IDM 7.0 on Sun JES Stack
    Authoritative Source is LDAP, Sun Directory Server 5.2
    This pertains to Termination e.g. Employee/Contractor gets terminated.
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
    I've been exploring the LDAP Activation Method/Parameter?
    com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
    But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

    Given the below scenarios:
    1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
    2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
    We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
    LDAP Activation Method: nsaccountlock
    LDAP Activation Parameter: accountLockAttr
    (where this is your IDM system attrib specified in resource schema)
    In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
    In MetaView > Identity Events, we set the Disable event,
    Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?

  • User status shows active in portal for inactive LDAP users

    Hi all,
    Users listed in the LDAP as deleted or inactive are still listed in EP
    User Management as valid active users.
    1) is there any process or OSS note which can help us to get users
    inactive in portal user management to the corresponding LDAP inactive
    users?
    2) is there any chance that any inactive or deleted entries in LDAP
    should not be searchable from User admin Portal search?
    Any solution for the above problem?
    Please reply.
    Regards,
    haroon

    Hello there,
    I have the same problem: We have several domains that sometimes contain users with the same user-id. This happens, if a user is "moved" from one domain to another: A new user with the same user-id is created in the new domain and the user-status of the user in the old domain is set to "inactive".
    But SAP NetWeaver Portal (7.0 EHP 1) ignores this user-status flag and thus login (with SPNego / Integrated Windows Authentication, which does not send the domain of an identified user to the portal) fails.
    Is there a possibility to get the portal to "ignore" LDAP users (meaning no longer list them in the UME) that have their user-status flag set to "inactive"?
    Thanks for a reply in advance!
    Regards,
    René

  • Automatically added User rights to LDAP imported Users

    Hi folks
    I'm working on a fresh install of CUCM 10.5.2 with local and LDAP End Users.
    Now I like to add at least End User Rights automatically to the newly imported LDAP Users.
    Even if I add an new local user, I like that they have "Standard CCM End User Rights" added per default, if it's possible.
    Every help is more than welcome. Thank you very much.
    Kind regards
    P.Blumenthal

    Navigate to System -> LDAP -> LDAP Directory and then select your LDAP synchronization agreement. A little more than halfway down the page there is a "Group Information" section where you can assign the "default rights" given to each LDAP user that gets imported.
    Thanks,
    rh

  • SMQ1 - Pending Requests - NOSEND Status - BW User Requests

    Dear Support,
    In our SAP ERP2005 system, under transaction code SMQ1, we are seeing 3 QRFC Outbound queues. In each of these queues, there are several hundreds of user requests. The line items were supposed to be processed around 2 to 3 months back. Unfortunately, we don't know why these requests were pending with the status NOSEND.
    Here my questions are:
    > Do we need to process these requests or delete these requests? If so, what might be the reason behind it...
    > How can we avoid these pending queues moving further?
    Thank you,
    Nikee

    Nikke,
    If it's your PRD system don't delete anything, it's a loss of data.
    If you find QRFC in nosend mode try to activate them again. You can also try tcode SMQR or SMQS for inbound, outbound queues.
    QRFC are configured with DIA work process, so it might possible all work process got occupied at that time.
    To find out cause check SM50,SM66 for status of Work Processes ,SM21,ST22, DB01,SM12,SM37 for any long running job.

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
    I follow the next steps:
    1-Create a new tenant
    2- Configure LDAP integration
    3-Create a inventory policy with authentication required
    4-Create a static group associated to the inventory policy
    5-Create a enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
    I have seen the log and seem the problem is that Afaria can't authenticate this user.
    I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
    The problem is authentication, because if I remove "authentication required" of the inventory policy, the device enrol correctly.
    Could you please help to solve this problem?
    Thanks in advance.  


  • LDAP Users & Home Directories

    Hello, any help would be much appreciated on this one!
    I have a Dual 2.3Ghz Xserve G5 running OSX Server 10.4.9 with a 700Gb Xserve RAID. All users home directories are stored on the RAID. I had 1361 users on the LDAP Open Directory system and all was running perfectly. I tried to add another 10 users, all added fine into Workgroup Manager, but I was then getting "User already Logged In" messages, when the users were not logged in. If I turn on "multiple logins" the user can login but the home directory is not created!! Is this a limitation of LDAP OD? A problem with the OS and the Finder not handling more than 1361 directories??? Any help would be excellent!!!!!!
    Dual 2.3Ghz G5 Xserve & Xserve RAID   Mac OS X (10.4.9)   Latest updates installed!

    Hi
    Wow! I wonder what the load on the CPU would be?
    I’ve read somewhere that OSX Server as an Open Directory Master can host up to 10,000 users and by implication – you would assume – the same amount of home folders.
    What you’ve got to ask yourself is whether the network can cope with that amount of users? If you have the budget you should really be looking to balance the load with more than one server, probably 3 at the least. One to run DNS and DHCP Services, another to run Open Directory and another to run simple file services such as AFP, Windows, Print etc. It would be a good idea in the environment you describe to think about a fallover (replica) server also.

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.
