Custom LDAP Integration

Similar Messages

• UCCX 7.0.1SR5 to 8.0 upgrade while also adding LDAP integration for CUCM - what happens to agents and Historical Reporting data?

  Current State:
  •    I have a customer running CUCM 6.1 and UCCX 7.01SR5.  Currently their CUCM is *NOT* LDAP integrated and using local accounts only.  UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
  •    The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
  Goal:
  •    Upgrade software versions and migrate to new hardware for UCCX
  •    LDAP integrate the CUCM users
  Desired Future State and Proposed Upgrade Method
  Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server. 
  Then during a weekend maintenance window……
  •    Upgrade the CUCM cluster from 6.1 to 8.0 in 2 step process
  •    Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
  •    Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
  •    Restore the data from the UCCX PUT tool
  •    Continue setup per documentation
  At this point does UCCX see these agents as the same as they were before?
  Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
  I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
  We can simplify this question along these lines
  Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01.  Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software. 
  If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens? 
  I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
  What would historical reporting show in this case?  A set of old agents and a set of new agents treated differently?
  Has anyone run into this before?
  Is my goal possible while keeping the agent configuration and HR data as it was before?

  I was doing some more research looking at the DB schema for UCCX 8.
  Looking at the Resource table in UCCX, it looks like there is primary key that represents each user.
  My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
  How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
  Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
  Database table name: Resource
  The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
  A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.

• CUBAC Enable external LDAP integration

  Hi,
  I've client where Attendant is seeing the User's Home Phone number. Customer's requirement is to show the Mobile and IP Phone extension.
  To me it seems they aren't synchronizing with CUCM but directly with Microsoft AD. Enable external LDAP integration is checked and greyed out.
  Is my doubt correct, the client is pulling the Phone information from AD directly?
  How can I uncheck the External LDAP Integration checkbox, do I need to rerun the setup or LDAPServer.exe to do it? Would there be any loss of configuration?
  If Customer wants to continue pulling the info from MS AD directly, can I add some kind of filters in CUBAC not to pick up Home phone field but Mobile Phone and IP Phone extension if those fields are populated?
  CUBAC version is 3.1.8
  Thanks,
  inner_silence

  Hi Madhav,
  See inline COMMENTS (below)
  Bala
  "madhav" <[email protected]> wrote:
  >
  Hi,
  Context:
  I'm using SunOne Directory server as the External LDAP server for my
  application.
  Q1 ) My understanding is that the default providers provided by Weblogic
  communicate
  ONLY with the embedded LDAP server. Is this understanding correct? That
  means
  if I'm integrating with the external LDAP server, I need to have custom
  implementation
  for ALL the providers ( i.e Authentication Provider, Authorization provider,
  IDentity
  Assertion Provider, RoleMapper , Credential Mapper etc). COMMENTS :
  Your understading is correct. (for Authentication, Autherization, RoleMapper,
  CredentialMapper). But you dont need to create custom implementation for all providers.
  You can plug and play OR stack providers in the default realm (myrealm). Or you
  can create your own realm and still can add the weblogic OOTB providers, wherever
  you dont want to implement custom providers. OOTB BEA provides an Authentication
  provider which can integrate with 3rd party Directory Servers (see http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
  for more info). But if you wish to perform other services like Authorization,
  CredentialMapping, RoleMapping with external LDAP providers, then YES you have
  to write custom providers.
  >
  Q2) Or is there a way I can configure the weblogic to communicate with
  an External
  LDAP server so that I can use the default providers i.e when I invoke
  request.isUserInRole(....),
  the look up should be on the external LDAP NOT the internal LDAP.COMMENTS :
  No the default providers are written to look up the Embeded LDAP. But writing
  a provider is well documented (see http://e-docs.bea.com/wls/docs81/dvspisec/index.html
  more info)
  >
  Regards,
  Madhav

• LDAP integration - "LDAP Import adapter warning: No LDAP entry was defined"

  Hi,
  I am trying to integrate ETPM with LDAP (Microsoft AD). I have successfully connected Weblogic and can see the AD users there; I followed the instructions in the "Oracle Utilities Application Framework Administartion User's Guide" on how to integrate with LDAP:
  1) I defined the JNDI server
  2) I created a mapping file as described
  3) registered the file within XAIParameterInfo.xml and MPLParamaterInfo
  WHen i try to import users via the LDAP Import menu the reponse is empty, in the logs I see the following message: "LDAP Import adapter warning: No LDAP entry was defined". Does anybody have had similar issues and maybe a solution to this issue?
  My versions:
  Customer Release V4.1.0 000 000
  Oracle Enterprise Taxation Management V2.3.1.1.0 001 001
  Oracle Utilities Application Framework V4.1.0.1.0 001 000
  My assumption is there is something wrong with the config, as all other connection (including the one from Weblogic) are successful.
  I appreciate any feedback on this.
  Best regards,
  Sebastian

  Would have liked to post an update in my other post, but that one is locked. I found so many problems with the LDAP integration but eventually managed. If anyone runs into similar issues, here is what you need to check:
  1) AD admin user password - is limited to 8 characters (nowhere mentioned in the docs!!!)
  2) Be careful using cases; do NOT rely on the documentation, it is wrong! here is a sample ldapdef.xml (I highlighted the changes you need to make in comparison to the documentation):
  <LDAPEntries>
  <LDAPEntry name="User" baseDN="CN=Users,DC=yourdomain,DC=com" cdxEntity="User" searchFilter="(&amp;(objectClass=user)(name=%searchParm%))">
  <LDAPCDXAttrMappings>
  <LDAPCDXAttrMapping ldapAttr="name" cdxName="*user*" />
  <LDAPCDXAttrMapping cdxName="LanguageCode" default="ENG" />
  <LDAPCDXAttrMapping cdxName="FirstName" default="fn1" />
  <LDAPCDXAttrMapping cdxName="LastName" default="fn2" />
  <LDAPCDXAttrMapping cdxName="DisplayProfileCode" default="NORTHAM" />
  <LDAPCDXAttrMapping cdxName="ToDoEntries" default="1" />
  <LDAPCDXAttrMapping cdxName="TD_ENTRY_AGE_DAYS2" default="12" />
  </LDAPCDXAttrMappings>
  <LDAPEntryLinks>
  <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="memberOf" />
  </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="OU=Groups,OU=yourgroup,DC=yourdomain,DC=com" cdxEntity="*Group*" searchFilter="(&amp;(objectClass=group)(name=%searchParm%))">
  <LDAPCDXAttrMappings>
  <LDAPCDXAttrMapping ldapAttr="name" cdxName="*group*" />
  <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown" />
  </LDAPCDXAttrMappings>
  <LDAPEntryLinks>
  <LDAPEntryLink linkedToLDAPEntity="User" linkingSearchFilter="(&amp;(objectClass=user)(memberOf=%distinguishedName%))" linkingSearchScope="onelevel" />
  </LDAPEntryLinks>
  </LDAPEntry>
  </LDAPEntries>
  Oracle OUAF, update your documentation, please.
  Regards,
  Seb

• How to allow user chaning his password in OBIEE 11g weblogic custom LDAP?

  Hi,
  How to allow user chaning his password in OBIEE 11g weblogic custom LDAP?
  I need to give user an option to do so, without the intervention of any Administrator. I also do not want to make user a Administrator else he will be able to login in weblogic and can do any damages unknowingly.....
  Regards,
  Rahul

  Hi,
  Replace the line in the instantconfig.xml
  <WebMessage name=”kmsgChangePasswordLink”><!–<HTML><sawm:messageRef name=”kmsgUIChangePassword”/></HTML>–></WebMessage>
  with
  <WebMessage name=”kmsgChangePasswordLink”><HTML><sawm:messageRef name=”kmsgUIChangePassword”/></HTML></WebMessage>

• Enterprise Portal - MDM - LDAP integration

  We are succesfully able to integrate Portal to MDM with a trusted connection and with portal users existing in LDAP and mdm users existing in MDM console.
  We also successfully integrated MDM with LDAP so that we dont have to store users in console, but manage them in LDAP. But once we did the LDAP integration, portal to MDM connection was lost saying mdm user details could not be retrieved.
  Has anybody faced this issue? what key steps to taken care during MDM-LDAP integration.

  Hi goerge,
  When ever we integrate MDM with LDAP, we need to make a setting in MDS.ini file.
  Please check the "User Identifier" setting in MDS.ini file.
  Typically this should be The name of the LDAP id field which will match the value the user provides as the Username at logon.
  Make the entry in MDS.ini like User Identifier = cn or SamAccountName.
  If that is done, please verify other parameters corresponding to LDAP in MDS.ini as per the table 91 in Page no 291 in MDM Console referece guide.
  Or refer to the SAP note 1635338 for reference which is pointing to same issue.
  This should solve your problem.
  Regards,
  Sravan

• LDAP Integration with CUCM 9.0

  We would like to use LDAP to sync all of our users from Active Directory.  All of our current CM Users are local, the problem is that they have the same user names as our Active Directory users.  From what I understand this is going to be a problem because:
  "If accounts from LDAP match an existing Unified CM account that is not marked as an LDAP synchronized account, then these accounts are ignored."
  Does that mean we will have to delete all our existing CM users in order to sync the LDAP users correctly?  Is there a best practice for this?  Once we syncronize the LDAP users how to I ensure that the user gets associated with the proper phone?  Or do I have to visit each user individually? 

  I just did a quick test for this, my lab CUCM 9 is already LDAP integrated, but I created a local user, then I created that same local user in my LDAP OU, and performed a full sync.
  The user is no longer showing as a local active user, but as an active LDAP synchronized user.
  Which was my thought, there's only one conversion, from LDAP to local.
  The behavior is just as with any previous release, local users who match an LDAP user after you enable it, are just updated, and kept with all their configurations.
  I checked the option to turn it back again into a local user, did a full sync, and it's again an active LDAP user.
  HTH
  java
  if this helps, please rate
  www.cisco.com/go/pdihelpdesk

• ISE and LDAP Integration

  Hello,
  I have a question about the LDAP integration with the ISE:
  Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
  What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
  Even I tried to change the base DN and the search DN but without luck.
  The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
  Is there any missing information/tips required in such integration?

  Hello,
  I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
  This section contains the following:
  •Directory  Service
  •Multiple  LDAP Instances
  •Failover
  •LDAP  Connection Management
  •User  Authentication
  •Authentication  Using LDAP
  •Binding  Errors
  •User  Lookup
  •MAC  Address Lookup
  •Group  Membership Information Retrieval
  •Attributes  Retrieval
  •Certificate  Retrieval
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

• SSO with Custom LDAP

  This is the landscape :-
  Web Application / Portal at Oracle Web Center Suite (WCS).
  SAP BO 4.0
  Authentication using Custom LDAP & SSO with Trusted Authentication.
  Used OpenLDAP for authentication via RadiantOne VDS as the proxy.
  Activities :
  Authenticate the BO users with OpenLDAP via RadiantOne.
  Synchronize the BO user group from OpenLDAP via RadiantOne.
  Used openDocument.jsp to open WEBI reports.
  Problems :
  We configure the LDAP as Custom. Attributes mapping as default.
  When BOE trying to connect the RadiantOne VDS & create user u201Cuser01u201D which already exists in the OpenLDAP server. It throws the exception :
  "An internal error has occurred in the secLdap plugin.u201D
  When trying to create user that does not exist in LDAP. It throws the exception :
  u201CThe secLdap plugin failed to get the dn for the user notuser.u201D
  Please advise us how to resolved this internal error if we want to SSO with custom LDAP !!
  Thanks & regards,
  Herries E

  Hi,
  Herrie, Roland is correct, OpenLDAP is not supported and you can run into problems if you want to escalate issues in the future. The customer must have that into account.
  However, LDAP is pretty standard and usually you just need to make sure that the attribute mappings is correct.
  Are users correctly created when you map an LDAP group?
  Are you able to manually authenticate using LDAP? You can use the CMC page and select authentication LDAP
  When you have confirmed that LDAP manual authentication is working, you can set up Trusted Authentication. Check first that the system is working just using QUERY_STRING:
  https://service.sap.com/sap/support/notes/1593628
  When trusted auth is confirmed to work, you can configure the parameters that Radiant users to pass the user: cookies, web session, etc.
  Regards,
  Julian

• Custom ldap authenticator to retrieve user bean ldap profile

  Hi,
  Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
  This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
  Any input on this ?
  Thank you

  Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

• Error in Custom Ldap Authentication

  Hi All,
  I was trying to use the custom LDAP authentication( [Earlier Post|http://forums.oracle.com/forums/thread.jspa?threadID=2251976&stqc=true] ) but was not successful in making it work with our AD LDAP server. Thats when I came across post [ http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185|http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185]
  I used the same function
  create or replace function authenticate_aduser(
  p_username in varchar2,
  p_password in varchar2)
  return boolean
  is
  l_user varchar2(256);
  l_ldap_server varchar2(256) := '<Hostname>';
  l_domain varchar2(256) := '<Domain Name>';
  l_ldap_port number := 389;
  l_retval pls_integer;
  l_session dbms_ldap.session;
  l_cnt number;
  begin
  l_user := p_username||'@'||l_domain;
  l_session := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
  l_retval := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
  l_retval := dbms_ldap.unbind_s( l_session ); -- unbind
  return true;
  exception when others then
  l_retval := dbms_ldap.unbind_s( l_session );
  return false;
  end;Test it by giving correct password
       SQL> declare
  begin
  if authenticate_aduser('<username>','<correct password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Successful
  PL/SQL procedure successfully completed.Tested it by giving wrong password
  SQL> declare
  begin
  if authenticate_aduser('<user name>','<wrong password>') then
  dbms_output.put_line('Test Successful');
  else
  dbms_output.put_line('Test Failed');
  end if;
  end; 2 3 4 5 6 7 8
  9 /
  Test Failed
  PL/SQL procedure successfully completed.So the fundtion is working perfectly with LDAP server.
  I am trying to create a custom authentication scheme with the above function.
  Shared Components -> Authentication Schemes -> create ->From Scratch ->
  In Autentication Function -> return authenticate_aduser(:P101_USERNAME,:P101_PASSWORD);
  In Logout URL -> wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&amp;p_next_flow_page_sess=4155:PUBLIC_PAGE
  Then after setting this as the current authentication scheme. Whenever I try to login with correct credentials it is giving me error
  Invalid Login Credentials
  Kindly let me know were I am going wrong here.
  Thanks & Regards,
  Vikas Krishna

  I was able to fix this.
  I used the same function authenticate_aduser
  and then followed blog http://www.talkapex.com/2009/03/custom-authentication-status.html to create a custom authentication. It worked finally.
  Thanks to Martin for his wonderful post.
  Thanks & Regards,
  Vikas Krishna

• MDM LDAP Integration

  Hi,
  We have integrated MDM with LDAP, by creating LDAP Roles & mapping them with MDM Roles. We are having log entries for Admin user for all repositories after every 10 milli-seconds. Any idea why these entries, how to stop this?
  2010-03-03T22:56:22.978,1096    ,23,"Log-on failure: LDAP Error, userName = Admin  User not found",MDSPublicServer@AuthorizeSessionForRepository,CatMgrDatabase.cpp,1866,,,1155,Admin,REPO 1<dbserver\DEV [SQL_Server]>,,,
  2010-03-03T22:56:22.994,1096    ,14,"GetUserInfo: Unspecified Exit Point",Horizontal@LDAP,<file not specified>,,GetUserInfo,,1155,Admin,REPO1 <dbserver\DEV [SQL_Server]>,End,,
  Thanks,
  Ketan

  Ketan,
  Please refer this document for MDM LDAP Integration Process Step by Step,
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true
  Also refer SAP Notes, Note 1279785 - LDAP users connect to MDM with Fallback setting
                                      Note 1096642 - Check-in/out does not work with LDAP user authentication
  Hope it helps...
  Thanks and Regards,
  Mandeep Saini

• CM 7.1 LDAP integration not updating

  I have an LDAP integration that worked at 1 time to import all the users but now when I make a change to a user in AD, it never gets to CM.  The sync process seems to just sit there and the only option is to "Cancel Sync".  I can update the LDAP fields without error so the user/pass and search space all appear t obe correct.  I have looked for issues online but cant find anything to matches this issue, they are usually a search base issue.

  I'm facing the same problem.
  I have set up a lab for  LDAP integration and after setting up for the first time worked but one  user that exists on CUCM and do not exists on AD was flaged as active i  decided to remake ldap settings after that nothing works anymore, it  sayd that users are active even if they do not exist on AD.
  If i add a new ldap directory does not sync and users are not added.
  Any idea?
  already restarted server...no joy

• Messages tr. BP customer / vendor integration

  Hi, we are implementing customer/vendor integration with business partner, but messages of the user-exit of vendor /customer(SAPMF02K, SAPMF02D), are not showing in tr. BP. Anybody knows if is possible to get this messages in transaction BP?
  Thanks in advance.

  Hi, we are implementing customer/vendor integration with business partner, but messages of the user-exit of vendor /customer(SAPMF02K, SAPMF02D), are not showing in tr. BP. Anybody knows if is possible to get this messages in transaction BP?
  Thanks in advance.

• COBRAS Import for Unity Connection 8.5 and Subscriber LDAP Integration Status

  Using COBRAS Import for Unity Connection 1.1 Build 212 with Unity 4.2 Voicemail Only and Connection 8.5(1)SU1 with LDAP Directory Integration
  When I run COBRAS the old alias matches the new alias and my desire is for subscribers being moved to be LDAP inegrated.  However after COBRAS runs, the radio box for LDAP Integration Status on the subscriber is set to Do Not Integrate with LDAP Directory. Is there a way for COBRAS to select Integrate with LDAP Directory when the alias matches on LDAP?

  Hi ben,
  If you are just importing from and not authenticating against LDAP, then the PIN comes
  from the Connection Template you used to build the users;
  Note that no passwords or PINs are copied from the LDAP directory to the Connection database. If
  you want Connection users to authenticate against the LDAP directory, see the “LDAP
  Authentication” section on page 9-7.
  http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/design/guide/8xcucdg040.html
  Cheers!
  Rob
  "Show a little faith, there's magic in the night" - Springsteen