Delegated Admin and Class of Service

Hi
we have configured
Messaging Server
Calendar server
Instant Messaging Server
and Portal Server
We would like to use delegated admin for user provisioning.
We are able to modify default Class of Service templates to suit our needs for Messaging and Calendaring.
We would also like to provide Portal desktop and Instant messaging access thru' delegated admin.
Help us to configure these class of services either using directory console or any other method
Thanks
Saba

Similar Messages

  • Roles, Groups and Class of Service

    Hi,
    I am new to LDAP, have a good RDBMS background. I have read the Sun documentation to understand the concepts. Can someone recommend a good source that provides examples on how to set up Roles, Groups and Class of Services?
    Thanks,
    Bala.

    Directory Server documentation set contains the best examples to my knowledge.
    You may want to start with the Deployment Guide for introduction to the concepts and Administration Guide for setting them up and examples.
    Regards,
    Ludovic.

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if any were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration.
    //Jim Klimov

  • Error Starting Admin and Default Server Services.

    I just installed JRun on a Windows 2003 server and cannot connect to the Admin server. When I look in services.msc, I see that neither the Admin nor the default service is started. When I start them, I get an error and when I look at the system log, the following shows up.
    The Macromedia JRun Admin Server service terminated with service-specific error 2 (0x2).
    I am not familiar with JRun so any help would be appreciated.

    Hi Faisal -
    is your domain in development mode or production mode?
         - While configuring my domain, I had selected Prod Mode, but upon start up when I see in admin server console, it is starting in development mode already?
    Any idea how, why?
    If it's production mode you can switch to development mode, change all the credentials in the config.xml and configurations under sub folders to cleartext and start the server.
    - Let me still try these and get back to you.
    Thanks,
    SK

  • Delegated Admin and User Management in WLP 9.2

    Hi,
    I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
    The error message that shows when creating new user is "The subject does not have access to the specified group".
    What should I do to make it work ?
    Regards,
    Tanja

    Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
    http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
    If you have a support contract, you might be able to contact BEA Support to see if a patch might be available.

  • Delegated Admin and Number of Users

    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?
    -- Bob

    rkbunca wrote:
    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?

    The number of users displayed in the DA GUI is recorded in the "sunNumUsers" attribute associated with the domain e.g.
    dn: o=aus.sun.com,dc=aus,dc=sun,dc=com
    sunNumUsers: 11
    This is to avoid having to do an ldapsearch across the domain to get a count. You can manually update this attribute to get the number back-in-sync.
    The commadmin domain purge should have updated this value -- I couldn't find any pre-existing bugs to explain why it didn't happen in your case. I suggest you log a support case to get this looked into further.
    You may also want to check your directory audit logs to see if an attempt was made to update this attribute but failed for some reason.
    Regards,
    Shane.

  • How to log on to visual admin and create destination service

    Hi all,
    I see this statement everywhere while trying to configure adobe forms.
    *it was only the HTTP destination FPICF_DATA_<SID> that was not created in the Visual Admin under Cluster -> Services -> Destinations*
    I have 2 questions here:
    1. The program "FP_CHECK_DESTINATION_SERVICE" runs fine w/o the destination check box, and with the check box it gives the error "ADS: Request start time: Thu Nov 26 12:07:42 ........". So how to resolve this? I have checked the blogs before and I did everything so far and am stuck at the statement given above in bold.
    2. What is this destination fp_icf_data_sid........... where to look for it? I understand you need to log on to visual admin. But how? Is there an SAP transaction "AL11" or is it from the web URL? If it is the web URL ... "http://server_name:port/ ....." then I am lost after this, I don't see anything called cluster and services anywhere....
    And if I am looking for visual admin at wrong places please provide a step by step guide. I have seen steps to log on to visual admin on websites but I don't know what I am doing, that's not clear. If someone can help from here.
    Thanks,
    Anu.

    The Visual Administrator is a Java tool installed during the installation of a Java AS. It is a separate tool that can be copied and used remotely if desired. On a system running Java AS it can be found under /usr/sap/<SID>/JC00/j2ee/admin - just run 'go' under Linux/Unix or 'go.bat' under Windows. You must have Java installed on your remote system.
    Once you have logged into your Java AS system using the Visual Administrator you can then setup your "Destinations", located under Server -> Services.
    Check Note 944221 - Troubleshooting if problems occur in forms processing ...which will make clear the errors you are experiencing and help you solve them.
    Nelis

  • What function/purpose does the User to be Billed and Class of Service fields serve in the IDA?

     

    The user does not have to be the owner of the cwm2 objects to access them. Access to cwm2 objects is based on database security. Therefore, if the user is not the owner of the object (if user is the owner, they obviously have access to the object), then as long as the user has been granted access to the underlying physical object (i.e., the table the dimension or cube has been mapped to), the user will be able to access the object.

  • Policy map/ class map/ service policy for IOS xr

    Hi,
    I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
    I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
    The IOS XR version we are using is 4.3.4.
    I was hoping someone could help me out by giving me a configuration example I could follow.
    Thank you.

    for instance like this:
    policy-map police-in
     class class-default
      police rate 10 mbps <optionally set burst>
    policy-map shape-out-parent
     class class-default
      shape average 10 mbps <optional burst config>
      service-policy shape-out-child
    policy-map shape-out-child
     class class-default
      queue-limit 10 packets
    interface GigabitEthernet0/0/0/0
     service-policy input police-in
     service-policy output shape-out-parent
    also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article of "asr9000 quality of service architecture"
    xander

  • Using class of service to manage password policy

    We implemented password policy on our old DS across the board, which entailed finding all of the special administrative accounts used by software and setting an expiration date at the end of the epoch. I was wondering if a smarter way to do this is to create a class of service template for normal and special accounts and tie those into our user accounts. Has anyone done this?
    Thanks.

    Sun DS 5.2 supposedly has support for the latest LDAP password policy internet draft which allows you to explicitly setup password policy on a subtree or user basis. It uses roles and class of service under the covers. I would use that instead of rolling your own.

  • While installing IMS on p4, the delegated admin, MTA and IWS6.0 could not be started

    I am installing IMS 5.1 NT version on a p4 machine and my MTA services are not starting, i searched for the IMTA.conf file but that was not found. Also the IWS 6.0 that was installed additionally for the upgraded JVM is not getting started , and the delegated admin through the browser could not be accessed

  • Using Mail, Calendar and Delegated Admin

    I've installed mail, calendar and delegated admin for one of the domains I'm hosting.
    I can't figure out where I can adjust the settings for service packages ex earth. I'd like to have 60 mb mail box instead of 6. (Changing this on user level in LDAP is not an option.)
    Any one who can give me some tips about where to change this?
    Tnx.
    Kristian

    Sounds like you need to change one of your Service Package templates. Alas, I've not had time to dive into that.
    There is a default config setting for quota, that's global. If you set that, and don't put anything into the user's individual ldap entries, then everybody gets that quota:
    store.defaultmailboxquota
    http://docs.sun.com/app/docs/doc/819-2651/6n4u5ce7i?a=view

  • Jes3 and Delegated Admin

    I'm setting up a demo of JES3 Messaging for a customer with the Delegated Admin. It seems to work for I can create users with the correct attributes. These users can log into Messenger Express and can see their mail but cannot send outgoing mail. Also I can't pop from the command line for any of these users but sending mail to them from the command line does work. This seems to be a problem with MailAllowed Services, but it seems ok on a ldapsearch (see below).
    Synopsis of results:
    I can send mail to these users with a telnet to port 25. But MExpress cannot send mail from any of these users.
    Messaging Express smtp error:
    "Not authorized to sned messages"
    But MExpress gets incoming mail for these users.
    Messenger Express gets mail for the users but pop fails:
    Telnet <server> 110
    User testuser2
    pass password
    "-ERR [AUTH] Not authorized to login as specified user"
    ldapsearch output for testuser2
    uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
    psIncludeInGAB=true
    uid=testuser2
    iplanet-am-modifiable-by=cn=Organization Admin Role,o=myjazz.com,dc=myjazz,dc=com
    givenName=Test
    [email protected]
    mailUserStatus=active
    sn=User2
    cn=Test User2
    inetCOS=gold
    preferredLocale=en
    mailHost=bigun.myjazz.com
    objectClass=userpresenceprofile
    objectClass=top
    objectClass=iplanet-am-managed-person
    objectClass=iplanet-am-user-service
    objectClass=inetadmin
    objectClass=organizationalperson
    objectClass=person
    objectClass=inetuser
    objectClass=inetlocalmailrecipient
    objectClass=iplanetpreferences
    objectClass=ipuser
    objectClass=inetorgperson
    objectClass=inetsubscriber
    objectClass=inetmailuser
    inetUserStatus=Active
    userPassword={SSHA}I8oftLKYhg0DzYAzCh1UfzaluWNuKVNIjXO7RQ==
    mailDeliveryOption=mailbox
    preferredLanguage=en
    nswmExtendedUserPrefs=meDraftFolder=Drafts
    nswmExtendedUserPrefs=meSentFolder=Sent
    nswmExtendedUserPrefs=meTrashFolder=Trash
    nswmExtendedUserPrefs=meInitialized=true
    pabURI=ldap://bigun.myjazz.com:389/ou=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com,o=pab
    mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL
    mailMsgMaxBlocks=700
    mailMsgQuota=3000
    mailQuota=8000000

    I had the same problem. When I created a user account through the Delegated Admin interface the user could log into Communications Express, but was unable to send outgoing email. I then created another user account using the command below and this user is able to send email. I have not quite figured out the significant difference yet.
    ./commadmin user create -D admin -w <password> -X host.domain.com -n domain.com -d hosteddomain.com -l test5 -F Test5 -L User -W pass -S mail,cal -k legacy -E [email protected] -H host.domain.com
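
An added example, not part of either post and not Sun's code: it evaluates the `mailAllowedServiceAccess` value from the ldapsearch output above and shows that it grants only the TLS services plus http, which is consistent with the POP and send errors reported. The evaluation rules coded here (allow filters first, then deny filters, and no match means denied when only allow filters exist) are an assumption taken from the documented access-filter behaviour; the function names, the client address and the second sample entry are constructed, and client matching is reduced to `ALL` or a literal match.

```python
# Services that access filters can name (assumption: the usual Messaging Server set).
SERVICES = ("imap", "imaps", "pop", "pops", "smtp", "smtps", "http")

# Value copied from the testuser2 entry shown in the thread.
PAGE_VALUE = "+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL"


def parse_rules(value):
    """Split '+svc[,svc]:client[,client]$...' into (is_allow, services, clients)."""
    rules = []
    for raw in filter(None, (r.strip() for r in value.split("$"))):
        sign, body = raw[0], raw[1:]
        if sign not in "+-" or ":" not in body:
            raise ValueError(f"malformed rule: {raw!r}")
        services, clients = body.split(":", 1)
        rules.append((sign == "+",
                      {s.strip().lower() for s in services.split(",")},
                      {c.strip() for c in clients.split(",")}))
    return rules


def _matches(rule, service, client):
    _, services, clients = rule
    # Simplified client matching: the ALL wildcard or an exact host/address.
    return service in services and ("ALL" in clients or client in clients)


def is_allowed(value, service, client="192.0.2.10"):
    """Return True if `client` may use `service` under the given attribute value."""
    rules = parse_rules(value or "")
    if not rules:
        return True                      # no filters: every service is open
    allows = [r for r in rules if r[0]]
    denies = [r for r in rules if not r[0]]
    if any(_matches(r, service, client) for r in allows):
        return True                      # allow filters are checked first
    if any(_matches(r, service, client) for r in denies):
        return False
    # No match at all: denied only when allow filters exist without deny filters.
    return not (allows and not denies)


def denied_services(value, client="192.0.2.10"):
    return sorted(s for s in SERVICES if not is_allowed(value, s, client))


def audit_entries(entries, required):
    """Map uid -> required services the entry's filter would refuse."""
    report = {}
    for uid, value in entries.items():
        missing = sorted(s for s in required if not is_allowed(value, s))
        if missing:
            report[uid] = missing
    return report


# Constructed sample: testuser2 uses the page's value, legacyuser has no filter.
SAMPLE_ENTRIES = {"testuser2": PAGE_VALUE, "legacyuser": ""}

if __name__ == "__main__":
    print("denied for testuser2:", denied_services(PAGE_VALUE))
    print(audit_entries(SAMPLE_ENTRIES, {"pop", "smtp"}))
```

Running the audit over an export of a domain shows which accounts inherit a TLS-only filter from their service package, so the choice between enabling the secure ports for clients and relaxing the filter can be made per package rather than per user.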

  • OEM12c - Can you delete a service (db, schema) as a Cloud admin and not as the user that requested it?

    I configured the OEM 12c to provide DBaaS, and Schema as a Service in a test environment.
    I was able to configure all the necessary settings, created the pools, admin users and end users.
    I created database and schema requests that were created successfully.
    My question is, Can the Cloud admin user delete the service that any user requested Via OEM or always has to be done by the end user that created the service via the Self Service Portal?
    Thanks,
    Daniel

    Will,
    The answer varies from service to service. For example, you can make simple
    changes to the catalog schema by editing the wlcs-catalog.properties file.
    Please refer to the documentation for more details.
    Sincerely,
    Daniel Selman
    "Will Young" <[email protected]> wrote in message
    news:3c8e30fa$[email protected]..
    >
    Hello,
    I've been combing through the docs, but I can't really find a definitive answer
    for this. If I have an existing Order, Customer, Product catalog, etc. schema,
    can I integrate WL Portal 4.0 with it and not use the WLCS_* tables?
    As far as I can tell, I could re-write ALL the Pipeline Components that deal with
    data access. Is that the only way? Is that even advised?
    Thanks,
    Will Young

  • Shared Services Delegated Admin

    Hi,
    I am trying to create a delegated administrator role in Shared Services for HFM. I have created the delegated list in Shared Services and assigned a manager to the group. However when I log-in as that user I am only able to view the groups I have assigned to the delegated list, I am not able to provision users to those groups.
    Any ideas on what needs to be done so that group manager can provision users to the groups?

    You want to look at the Hyperion Security Administration Guide to understand Shared Service, Provisioning and External Authentication.
    http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
    Brian Chow
