CustomRealm without listing Group Members
Hi,
we are considering to implement a custom security realm. We have a fixed number
of groups to be used in ACLs. Users are stored in an LDAP server.
Group membership depends on some information on the individual user which needs
to be gathered from a separate backend system. Therefore, it is not feasible to
implement the getMembers() method on the Group class since that means iterating
over all "user records" in the backend system.
Here my question:
1. Is the getMembers() method needed for Authorization and/or Authentication or
can we simply make it return an empty list? (We do not mind if we do not see group
members in the administration console.)
2. Is it a good idea at all to have this kind of group definition?
3. What about the method "getUsers" for the ListableRealm? Is this one needed
for Authorization/Authentification. This method poses a similar problem.
Regards,
Andreas
1. Is the getMembers() method needed for Authorization and/orAuthentication or
can we simply make it return an empty list? (We do not mind if we do notsee group
members in the administration console.)I think this method is not needed at all for authentication and
authorization, it's only used to list the users in the WL admin page.
3. What about the method "getUsers" for the ListableRealm? Is this oneneeded
for Authorization/Authentification. This method poses a similar problem.Same answer.
Similar Messages
-
When I send a Group message from my address book, the entire group gets listed in the "To" line. How do I get each member to receive the message individually without listing all members? Its just messy is all. Any help is greatly appreciated.
Hey Grupo Castillo,
Thanks for the question. You can actually configure this behavior from Mail preferences:
1. Choose Preferences from the Mail menu.
2. Click Composing.
3. Deselect the checkbox for "When sending to a group, show all member addresses".
When you send an email to the group, only the groups name will be seen.
Mac OS X: Mail - How to Hide Address Book Group Member Names When Sending an Email
http://support.apple.com/kb/TA21082
Thanks,
Matt M. -
I need to query NDS via PHP to get the member list of a group. I would
like to do this via an anonymous bind, but can provide credentials if
necessary. Any help would be appreciated.
JM
jmoseby
jmoseby's Profile: http://forums.novell.com/member.php?userid=35190
View this thread: http://forums.novell.com/showthread.php?t=387219jmoseby;1861509 Wrote:
> Nevermind - figured it out:
>
> >
Code:
> > <?php
>
> function getMembers($group){
> $ldap_server='10.1.10.200';
> $ldap_user='admin';
> $ldap_pw='notreallytheadminpassword!';
>
> $ldap = ldap_connect($ldap_server);
> @ldap_start_tls($ldap);
> @ldap_bind($ldap,"cn=$ldap_user,o=GSO", "$ldap_pw");
> $results = ldap_search($ldap,"o=GSO", "cn=$group");
> $user_info = ldap_get_entries($ldap, $results);
>
> foreach($user_info[0][member] as $member){
> $member_exp=explode('=',$member);
> $member_exp=explode(',',$member_exp[1]);
> if($member_exp[0]!=''){$members[]=$member_exp[0];}
> }
> ldap_close($ldap);
> return $members;
> }
>
> $members=getMembers('BalanceOnOrder');
> echo '<pre>';print_r($members);
>
> ?>
> >
Corrected code: removed single quotes around $ldap_server variable in
ldap_connect() line.
jmoseby
jmoseby's Profile: http://forums.novell.com/member.php?userid=35190
View this thread: http://forums.novell.com/showthread.php?t=387219 -
Lsgrp - list all members of a group
lsgrp is a small and fast utility written in C that does just one thing: it lists the members of a group. It can be used in scripts that need to do something for each user in a group, such as setting up directories or generating per-user configuration files. There is a section on the project page explaining why a new utility was necessary.
I agree, addressing a new message to a group using Address through the Mail program seems to fill in just the first recipient's name.
A work around is to start your new message, click on Address and select the group you wish to send the message to. Take the extra step to highlight the first person in the group and then command-A to select all. When you then click on the To: button all of the recipient's will be in the address line of your mail message.
Alternately, start your new message and then type the name of the group in the To: line (don't use the Address button at all). You don't have to get all of the name typed in before the group name is identified. When the group name has been properly identified just hit the Return key and all of the group members will be filled in the To: line. This should do what you are hoping for.
Dale -
List Local Group members with PowerShell 5
This script:
$Server="."
$LocalGroup = "Administrators"
$Group= [ADSI]"WinNT://$Server/$LocalGroup,group"
$Members = @($Group.psbase.Invoke("Members"))
$Members | ForEach-Object {
$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
works fine in powershell 2 (windows 7), but fails on powershell 5
"Error while invoking GetType. Could not find member."
It returns only domain groups. No local groups or local users or domain users.
Is there a reason why? And can it be modified for powershell 5?
ThanksTry it like this:
$group=[ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$group.Members() |
ForEach-Object {
($_.GetType()).InvokeMember('Name', 'GetProperty', $null, $_, $null)
¯\_(ツ)_/¯ -
How to show logged-in Line Group Members in a Hunt Pilot (CUCM V7.1.3)
I have configured a Hunt Pilot with a Hunt List which points to a Line Group with some DNs as Line Group Members. Additionally i gave the affected Users the option to log-in or log-out from the Hunt Pilot by configuring the "Hunt Group Logout" Button in the corresponding Phone Button Template.
Is there a way to find out who is logged-in or logged-out from the Hunt Pilot?Hi Bill,
thanks for your very interesting hint .
I run the query you posted and actually got the following output. But the displayed linegroups are only a subset from my configured 79 linegroups . Is there a possibility to display all linegroups with all corresponding DNs and can i display this information for only one linegroup?
When i know the queery that satisfy my claims, i will write a small web application that uses the AXL-SOAP API.
Regards, Robert
admin:run sql select lg.name as LineGroup,n.dnorpattern,dhd.hlog from linegroup as lg inner join linegroupnumplanmap as lgmap on lgmap.fklinegroup=lg.pkid inner join numplan as n on lgmap.fknumplan = n.pkid inner join devicenumplanmap as dmap on dmap.fknumplan = n.pkid inner join device as d on dmap.fkdevice=d.pkid inner join devicehlogdynamic as dhd on dhd.fkdevice=d.pkid order by lg.name
linegroup dnorpattern hlog
============================== =============== ====
LG_A-Ulr4_Augsburg_9965077_235 \+498215075234 f
LG_A-Ulr4_Augsburg_9965077_235 \+498215075209 f
LG_A-Ulr4_Augsburg_9965077_235 \+498215075224 f
LG_A-Ulr4_Augsburg_9965077_235 \+498215075226 f
LG_A-Ulr4_Augsburg_9965077_235 \+498215075227 f
LG_A-Ulr4_Augsburg_9965079_300 \+498215075327 f
LG_A-Ulr4_Augsburg_9965079_300 \+498215075306 f
LG_AB-Fried17_9965006 \+496021391713 f
LG_AB-Fried17_9965006 \+496021391714 f
LG_AB-Fried17_9965006 \+496021391721 f
LG_AB-Fried17_9965006 \+496021391727 f
LG_AM-Mar9_9965004 \+499621474921 f
LG_BT-Sch9_9965010 \+4992189423 f
LG_DD-Fet29_9965014 \+493514459055 t
LG_HO-Bah1_9965020 \+4992818194122 f
LG_KE-Moz31_9965024 \+498315215110 f
LG_LA-Dre11_9965025 \+498714308419 f
LG_LA-Dre12_9965026 \+498719239113 f
LG_Mue-Sta41_9965029 \+498631386227 f
LG_N-KOEN11_9965034 \+4991124039112 f
LG_N-KOEN11_9965034 \+4991124039142 f
LG_N-KOEN11_9965034 \+4991124039110 f
LG_N-Ste6_9965057_400 \+499112428403 f
LG_N-Ste6_9965058_450 \+499112428455 f
LG_NES-Sie2_9965008 \+499771610413 f
LG_NES-Sie2_9965008 \+499771610421 f
LG_NM-Bah12_9965030 \+499181293312 f
LG_PA-Kle13_9965035 \+498519594109 f
LG_PA-Kle13_9965035 \+498519594113 f
LG_PAN-Drb12_9965036 \+498561961225 t
LG_PAN-Drb12_9965036 \+498561961224 f
LG_R-Her2_9965068_400 \+499413783414 f
LG_TS-Bah26_9965040 \+498619887312 f
LG_Voicemail 997005 t
LG_Voicemail 997006 t
LG_Voicemail 997007 t
LG_Voicemail 997008 t
LG_Voicemail 997009 t
LG_Voicemail 997010 t
LG_Voicemail 997011 t
LG_Voicemail 997012 t
LG_Voicemail 997013 t
LG_Voicemail 997014 t
LG_Voicemail 997015 t
LG_Voicemail 997016 t
LG_Voicemail 997017 t
LG_Voicemail 997018 t
LG_Voicemail 997019 t
LG_Voicemail 997020 t
LG_Voicemail 997021 t
LG_Voicemail 997022 t
LG_Voicemail 997023 t
LG_Voicemail 997024 t
LG_Voicemail 997025 t
LG_Voicemail 997026 t
LG_Voicemail 997027 t
LG_Voicemail 997028 t
LG_WEN-Buer16_9965041 \+499614820413 t
LG_WEN-Buer16_9965041 \+499614820415 f
LG_WM-Puet35_9965042 \+49881922927 f
admin: -
Task Assignment to Ggroup - Group Members Not Getting Email
I have a process with an approval activity with initial user selection set to a group rather than a specific user. I want all selected users to receive an email notification that a new task awaits them. When I assign to a specific user, the custom email template is sent to the user. When I assign to a group, the group members don't get the task assignment email.
How do I change that so that group members will receive email notification of task assignment?
Thanks in advance!
EricOne possible solution:
You can use our Group Lookup component to get a comma-separated list of the emails of the members of the group. Then, in the step before the User>assignTask step, send the group an email. The only problem is that you won't be able to embed a link directly to the task, because the task doesn't exist yet.
Doc: http://avoka.dnsalias.com/confluence/display/Public/Lookup+DSC
Download: http://www.avoka.com/avoka/escomponents.shtml
To work around this problem, you can use the technique outlined here:
http://blogs.avoka.com/2008/10/20/customize-user-task-escalation-after-assignment/
http://avoka.dnsalias.com/confluence/display/Public/Customize+User+Task+Escalation+After+A ssignment
If you need more assistance, contact info-at-avoka.com
Howard -
Missing group members in ADSI & LDAP
Hi there. I have an AD problem here (obviously :))
It started by wanting to list all members of a group (recursivly, but that does not matter for now, the problem occurs on a single group).
I tried this in Powershell, but our AD is still on 2003, so no AD web services, so no powershell.
In PHP & Java I got the same results: It only shows 3 members, where there should be 23.
In Active Directory Computers & Users, these 23 (including a group) are listed on the member tab.
In ADSI I see only the 3 entries mentioned above in the attribute "member", and the other users don't have the membersOf attribute backlink.
dsget group -members (-expand) works properly.
Where do Active Directory Computers & Users and dsget get their information regarding group members from, and how can I access that programmatically via LDAP access from php or Java?Sorry, forgot about the Domain Users or the Domain Admins group over the link/image upload issue.
No, it wasn't these groups.
But: you were on the right path. The term primary group is what I was missing.
The group is for one of our roadwarrior subsidiaries, and they are not Domain users as primary group, but the one shown here.
Do you happen to know which LDAP attributes represent the primary group association?
The primaryGroupID attriute store the RID of the group that is assigned as the primary group. This was to work around the limitation in Windows 2000 before LVR (Linked-Value Replication) so that more than 5000 users could be member of the same group. (It also
plays a role for POSIX - Services for Mac clients)
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
I create 5 Dynamic Group and 1 Universal Distribution Group. I add 5 Dynamic Group in 1 Universal Distribution Group. If i view members in every all correct, but if i run in powershell Get-DynamicDistributionGroup/Get-Recipient -recipientPreviewFilter
- i view all users in domain with mailbox. How fix this?Hi,
Do you mean that you can use EAC to view members in 5 dynamic distribution groups respectively and the preview shows correct users, but shows wrong when using EMS?
Please use the following command in EMS to preview the list of members of your dynamic distribution group:
To view Group1:
$Group1 = Get-DynamicDistributionGroup "Group1"
Get-Recipient -RecipientPreviewFilter $Group1.RecipientFilter
To view Group2:
$Group2 = Get-DynamicDistributionGroup "Group2"
Get-Recipient -RecipientPreviewFilter $Group2.RecipientFilter
Please check the results with the preview in EAC:
1. In the EAC, navigate to Recipients > Groups.
2. Select a dynamic distribution group.
3. In the details pane under Membership, the number of people who received the last message sent to the dynamic distribution group is displayed.
Regards,
Winnie Liang
TechNet Community Support -
Migrate network object group members; risk
We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in asdm. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the communities, Cisco's experience? Thanks for any feedback. jc
John,
if you feel that is risky, you can always go for plan B.
- you can take closure look at the object groups and decide new object naming convention policy.
- from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
- you can see same services used in couple of rules with different service groups.
- like object-group service WEB-PORTS tcp
port-object eq http
port-object eq https
object-group service APPLICATION-PORTS tcp
port-object eq http
port-object eq https
object-group service APPS-PORT tcp
port-object eq www
port-object eq https
- you can replace all these different object-group with one object group. like WEB-PORTS.
- same way you can do excercise for network group as well.
hope this helps.
JD... -
How to specify which group members have wiki write permissions
In the 10.5 Workgroup Manager, Basic tab, there are two drop down boxes after the checked boxes for enbabling wiki, blog, mailing lists, web calendar, et al -
Allow [group members only | some group members | authenticated users | anyone]
to write to these services.
If I select "some group members" how do I actually say which group members? I see nowhere that I can specify that.
Specifically this is in regards to the wiki.Unless I'm missing something, the directory.app only lets me do the same thing the Server Admin does, add people to a group and enable services to that group.
For example I have a group called Techs, they have a mailing list and wiki.
Some of the junior techs I only want to have read access, others write access.
I don't see how I can specify user1 has read only access but user2 and user3 have write access. -
This may be a problem of my not understanding how Groups work, but here's the question:
I just created a new buddy Group. I added members to it by dragging from my current Buddies list; some members were online, and some were offline (and viewable in the Offline group). The online buddies now show up in my new Group, but the offline members don't show up anywhere. I dragged them from "Offline" to "New Group" and the drag appeared successful (New Group was selected when I dragged into it), but those buddy names just disappeared altogether. Is there some way to retrieve them? Are offline group members supposed to show up in the Buddy List if you have "Show Offline Buddies" selected (which I do)?
Thanks for any help.Ok,
Yes Off-Line Buddies will appear in the group they are allocated to IF
1) the Show Off-line Buddies is Selected
2) the Show Off-line Buddies as Group is NOT selected.
I have only used Show Off-Line Buddies with the Groups they belong to.
It is such a long time ago (iChat 2) that I set groups that I have never considered adding a Group and moving people in the manner you describe.
As a first step I would trun Off groups and see if you have all your Buddies.
6:13 PM Friday; January 4, 2008 -
Route with weight group and without weight group
Hello All
I have created two same routes as per user requirement one with weight group and other is without weight group.once the delvery is created the route is picked up.But how do i know whether this route is with weight group or without weight group.
Could you please clarify so that i can proceed for testing.
Regards
T.SrikanthDear Srikanth,
Try this
Go to SE16 enter LIKP table then execute here you enter your delivery number then go to menu>Settings>Format list-->Clik on Choose fields here you deselect all the fields you select
VBELN - Delivery
GRULG - Weight group
PERFK - Route then execute now you can get the details about the delivery number , weight group and Route.
If system displays only Delivery and Route you can understand there is no involvement of weight group in the route determination.
If the system displays Delivery,weight group and route then you can understand that thre is weight group involvement in the route determination.
I hope this will help you,
Regards,
Murali.
Edited by: Murali Mohan.Tallapaneni on Nov 5, 2008 6:51 AM -
Can't remove static members using "Manage Group Members"
Using the OAM 10.1.4.2 Group Manager app, I can remove static members from a group by modifying the Member property, but I can't remove members using the "Manage Group Members" page.
When I search for members using that page, I get a list of the current members with an unselected checkbox for each. If I check the box next to a member and click Save, the member is not removed from the group. I turned on trace-level logging and saw that the correct user is being passed to the Identity server to be removed, but I haven't yet found anything to indicate why the removal doesn't work.
Has anyone else run into this issue?
Thanks,
MatthewHi Vinod,
I'm running on Window 2003 against a Microsoft ADAM directory. I turned on diagnostics and re-ran the test using both "Manage Group Members" and modifying the property directly-- from what I can tell, the ldap modify only happens when I modify the property.
(I had also noticed the problem with the instructions, but I eventually figured it out-- if I can get this working, I'll have to fix the verbiage before I deploy.)
Any ideas? What platform and directory are you using?
Thanks,
Matthew -
How to write a SQL Query without using group by clause
Hi,
Can anyone help me to find out if there is a approach to build a SQL Query without using group by clause.
Please site an example if is it so,
RegardsI hope this example could illuminate danepc on is problem.
CREATE or replace TYPE MY_ARRAY AS TABLE OF INTEGER
CREATE OR REPLACE FUNCTION GET_ARR return my_array
as
arr my_array;
begin
arr := my_array();
for i in 1..10 loop
arr.extend;
arr(i) := i mod 7;
end loop;
return arr;
end;
select column_value
from table(get_arr)
order by column_value;
select column_value,count(*) occurences
from table(get_arr)
group by column_value
order by column_value;And the output should be something like this:
SQL> CREATE or replace TYPE MY_ARRAY AS TABLE OF INTEGER
2 /
Tipo creato.
SQL>
SQL> CREATE OR REPLACE FUNCTION GET_ARR return my_array
2 as
3 arr my_array;
4 begin
5 arr := my_array();
6 for i in 1..10 loop
7 arr.extend;
8 arr(i) := i mod 7;
9 end loop;
10 return arr;
11 end;
12 /
Funzione creata.
SQL>
SQL>
SQL> select column_value
2 from table(get_arr)
3 order by column_value;
COLUMN_VALUE
0
1
1
2
2
3
3
4
5
6
Selezionate 10 righe.
SQL>
SQL> select column_value,count(*) occurences
2 from table(get_arr)
3 group by column_value
4 order by column_value;
COLUMN_VALUE OCCURENCES
0 1
1 2
2 2
3 2
4 1
5 1
6 1
Selezionate 7 righe.
SQL> Bye Alessandro
Maybe you are looking for
-
How do I configure dual monitors on JDS?
I just have installed Solaris 10u5 on a Dell E521 with an ATI Radeon X1300 Pro graphics card. This card has 2 connectors onto which I connect a FlexScan S1911 (DVI) and an Acer AL1916 (VGA). I now have 2 problems: 1. the resolution is beyond usage (i
-
When downloading iTunes 11.0.3 I get an error 'Error writing to file C:\Config.Msi\1c6fd5.rbf. Verify that you have access to this directory' what do I do? Appreciate any help thanks, Will
-
Soap Reciver Time out connection
hai, iam doing idoc to soap. iam send the data from sap side this data is going xi server but problem is reciver side is connection time out. iam check the monitoring in sxmb_moni the status is block flag status is successful going to xi server and x
-
Date format for import sub-folder destination
Greetings, I have been using a trial version of LR 4 and would like to know if LR can use the format of "MM-DD-YY" for the subfolder of the destination folder. My many years of files are organized by the "YYYY" top folder then "MM-YY" then by date of
-
Disk Size Increasing very Fast
I am facing very critical issue, disk size, where E2k13 is installed reducing its free space daily near 1 GB and on other hand database file is not taking too much size over the Disk. please suggest me some good option to sort it . BRAT