Delegated admin login problem

I am running Iplanet messaging server 5.2 and am having problems logging into the delegated administrator. When I try to log in as ServiceAdmin I immediately get a screen telling me that the session has timed out and to re-authenticate.
Any ideas what is wrong?

Unknown. Not nearly enough data to guess.
Please examine your LDAP access logs, and comment.
You should be looking for BIND commands for "NDAdmin". This is the first step in logging into Delegated Admin. If this fails, no user will be able to use DA.
Do you have password expiration set up in DS? Did you remove this account? Change the pw?

Similar Messages

  • Delegated administrator - Organisation admin login problem

    We uninstalled delegated admin 6.0, and we installed 6.4. Now login to old organizations, created with the old DA (6.0), using the organization admin username and password fails, and login to new organizations created with the new DA (6.4), using the organization admin username and password succeeds. We think the problem is in ACIs. Does anyone have an idea?


  • Delegated Admin login fail

    I installed Solaris 9 05/9 and JES05Q4 in a Sun Fire V440 recently.
    I chose these components only:
    Directory server
    Administration server
    Web server
    Access manager
    Messaging server
    Delegated administrator
    Directory preparation tools
    I can use commadm to create users after installation and initial configuration, but I can't log in to the delegated admin with any account. http://server.mydomain.com/da/DA/Login
    After I check the DA log file, it shows:
    WARNING: User [admin] has no valid role assigned, aborting login
    What kind of role is required for DA login?
    Thanks in advance for any help.
    dx

    I recommend that you post your question to the Messaging Server forum (also listed at the bottom of the Java ES forums page):
    http://swforum.sun.com/jive/forum.jspa?forumID=15
    You might also want to search that forum for similar problem reports.

  • Delegated Admin Customization problem

    Delegated Administrator 7.0-0.00
    I'm trying to disable the ability to change the Mail & Message Quota when assigning an additional service package using Delegated Admin
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage11.MailQuotaValue=NONEDITABLE
    When I enable that, it won't let me past that screen; it keeps kicking me back.
    When I disable it, it lets me past the screen.
    This is all my customizations so you can duplicate it.
    OrganizationAdminRole.UserProperties.MailQuotaValue=NONEDITABLE
    OrganizationAdminRole.UserProperties.MailMsgQuotaValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage11.MailQuotaValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage11.MailMsgQuotaValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage12.CalendarHostValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage31.MailHostValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage31.MailQuotaValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage31.MailMsgQuotaValue=NONEDITABLE
    OrganizationAdminRole.tabs.orgproperties=INVISIBLE
    I've confirmed it on 2 servers.
    Bug? Or my config?

    Mark_Wal wrote:
    When I enable that, it won't let me past that screen; it keeps kicking me back.
    When I disable it, it lets me past the screen.
    This is all my customizations so you can duplicate it.
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage11.MailQuotaValue=NONEDITABLE
    OrganizationAdminRole.WizardWindow.Wizard.WizardPage11.MailMsgQuotaValue=NONEDITABLE
    I could reproduce the problem behaviour with just the above settings enabled.
    Bug? Or my config?
    I've logged a new bug:
    bug #6861629 - "DA7: Setting mail quota values as noneditable in assign service package causes mail step to loop"
    Please escalate via Sun Support for a fix.
    Regards,
    Shane.

  • Visual admin login problem

    Hi,
        My visual admin is not starting. Can you tell me what the problem is? It's showing the warning "cannot open connection on host and port"

    Hi Venkat,
    I guess these links can help you know more about visual administrator and will also help you solve your problem:
    /people/michal.krawczyk2/blog/2005/06/28/xipi-faq-frequently-asked-questions
    http://help.sap.com/saphelp_nw04/helpdata/en/39/83682615cd4f8197d0612529f2165f/frameset.htm
    Regards,
    Abhy

  • Delegated admin problems with 5.2

    I just installed iMS 5.2 and the delegated admin server. I'm using Direct LDAP; my LDAP server is on another machine. My problem is, I cannot log into the delegated admin at all, using any account.
    Tailing my LDAP error log showed no entries.
    This is the LDAP access log:
    [17/Feb/2006:09:24:00 -0500] conn=250 fd=60 slot=60 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:09:24:00 -0500] conn=250 op=0 BIND dn="uid=NDAUser, ou=config, o=ida" method=128 version=3
    [17/Feb/2006:09:24:00 -0500] conn=250 op=0 RESULT err=32 tag=97 nentries=0 etime=0
    [17/Feb/2006:09:24:00 -0500] conn=250 op=1 BIND dn="" method=128 version=3
    [17/Feb/2006:09:24:00 -0500] conn=250 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [17/Feb/2006:09:31:31 -0500] conn=251 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:09:31:31 -0500] conn=251 op=-1 fd=61 closed - B1
    [17/Feb/2006:09:41:31 -0500] conn=252 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:09:41:31 -0500] conn=252 op=-1 fd=61 closed - B1
    [17/Feb/2006:09:51:30 -0500] conn=253 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:09:51:30 -0500] conn=253 op=-1 fd=61 closed - B1
    [17/Feb/2006:10:01:30 -0500] conn=254 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:10:01:30 -0500] conn=254 op=-1 fd=61 closed - B1
    [17/Feb/2006:10:02:49 -0500] conn=255 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:10:02:49 -0500] conn=255 op=0 BIND dn="uid=NDAUser, ou=config, o=ida" method=128 version=3
    [17/Feb/2006:10:02:49 -0500] conn=255 op=0 RESULT err=32 tag=97 nentries=0 etime=0
    [17/Feb/2006:10:02:49 -0500] conn=255 op=1 BIND dn="" method=128 version=3
    [17/Feb/2006:10:02:49 -0500] conn=255 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [17/Feb/2006:10:11:31 -0500] conn=256 fd=62 slot=62 connection from 160.10.4.10 to 160.10.36.186
    [17/Feb/2006:10:11:31 -0500] conn=256 op=-1 fd=62 closed - B1
    Thanks in advance for any help anyone can give. I know I'll need to provide more detail, so if you need any info I'll be happy to divulge it; I just thought this would be an OK starter. I do need some help with this, I just want to get this working.
    Thanks in advance for any help.

    The old iPlanet Delegated Admin uses a special account itself, rather than the one you use to log in as.
    I see that login failing:
    [17/Feb/2006:10:02:49 -0500] conn=255 op=0 BIND dn="uid=NDAUser, ou=config, o=ida" method=128 version=3
    [17/Feb/2006:10:02:49 -0500] conn=255 op=0 RESULT err=32 tag=97 nentries=0 etime=0
    err=32 means, "no such object". This means that this user, NDAUser has been deleted, as have some of the entries above that.
    A failure to bind or locate an entry is not "an error" to Directory Server, it's a failed lookup or failure to bind. Nothing like this is going to be logged into the errors log.
    It's still clearly the problem....
    The password for NDAUser is in clear text in your iDA config file, "resource.properties". Likely, you could create the user and password, or you could reinstall Delegated Admin.
    If you haven't downloaded the later version, 1.2p2, I STRONGLY recommend that you uninstall the version that came with Messaging 5.2, and install the later one.
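
The access-log check described in the replies above (find the Delegated Admin service account's BIND and read its RESULT code), as an added example that is not part of the original thread: it pairs each BIND with its RESULT by conn/op, reports failed named binds, and flags connections where a failed bind is followed by a successful anonymous bind, as on conn=255. The conn=255 and conn=256 lines are copied from the post; the conn=300 and conn=301 lines, the function names and the short result-code table are constructed for illustration.

```python
import re
from dataclasses import dataclass

# conn=255/256 lines are copied from the post above; conn=300/301 are constructed.
SAMPLE_LOG = '''\
[17/Feb/2006:10:02:49 -0500] conn=255 fd=61 slot=61 connection from 160.10.4.10 to 160.10.36.186
[17/Feb/2006:10:02:49 -0500] conn=255 op=0 BIND dn="uid=NDAUser, ou=config, o=ida" method=128 version=3
[17/Feb/2006:10:02:49 -0500] conn=255 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[17/Feb/2006:10:02:49 -0500] conn=255 op=1 BIND dn="" method=128 version=3
[17/Feb/2006:10:02:49 -0500] conn=255 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Feb/2006:10:11:31 -0500] conn=256 fd=62 slot=62 connection from 160.10.4.10 to 160.10.36.186
[17/Feb/2006:10:11:31 -0500] conn=256 op=-1 fd=62 closed - B1
[17/Feb/2006:10:15:02 -0500] conn=300 fd=63 slot=63 connection from 192.0.2.10 to 192.0.2.20
[17/Feb/2006:10:15:02 -0500] conn=300 op=0 BIND dn="uid=admin,ou=people,o=example" method=128 version=3
[17/Feb/2006:10:15:02 -0500] conn=300 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[17/Feb/2006:10:16:40 -0500] conn=301 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[17/Feb/2006:10:16:40 -0500] conn=301 op=0 BIND dn="uid=svc,ou=config,o=example" method=128 version=3
[17/Feb/2006:10:16:40 -0500] conn=301 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc,ou=config,o=example"
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+)\s+(?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
CONNECT_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')

# Standard LDAP result codes (RFC 4511); only the ones relevant to bind triage.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


@dataclass
class Bind:
    ts: str
    conn: int
    op: int
    client: str
    dn: str      # empty string means an anonymous bind
    err: int


def parse_binds(text):
    """Pair every BIND line with the RESULT line that shares its conn/op."""
    clients, pending, binds = {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        c = CONNECT_RE.search(rest)
        if c:                      # remember which client opened this connection
            clients[conn] = c["src"]
            continue
        o = OP_RE.match(rest)
        if not o:
            continue
        key = (conn, int(o["op"]))
        b = BIND_RE.match(o["body"])
        if b:
            pending[key] = (m["ts"], b["dn"])
            continue
        r = RESULT_RE.match(o["body"])
        if r and key in pending:   # RESULT lines for non-BIND ops are ignored
            ts, dn = pending.pop(key)
            binds.append(Bind(ts, conn, key[1], clients.get(conn, "?"), dn, int(r["err"])))
    return binds


def failed_named_binds(binds):
    """Binds for a real DN that did not succeed (deleted account, bad password...)."""
    return [b for b in binds if b.dn and b.err != 0]


def anonymous_fallbacks(binds):
    """(conn, failed_dn) where a failed named bind was followed on the same
    connection by a successful anonymous bind."""
    last_failed, hits = {}, []
    for b in sorted(binds, key=lambda b: (b.conn, b.op)):
        if b.dn and b.err != 0:
            last_failed[b.conn] = b.dn
        elif not b.dn and b.err == 0 and b.conn in last_failed:
            hits.append((b.conn, last_failed.pop(b.conn)))
    return hits


def describe(b):
    name = RESULT_CODES.get(b.err, "other")
    return f'{b.ts} conn={b.conn} client={b.client} dn="{b.dn}" err={b.err} ({name})'


if __name__ == "__main__":
    parsed = parse_binds(SAMPLE_LOG)
    for b in failed_named_binds(parsed):
        print("FAILED BIND  ", describe(b))
    for conn, dn in anonymous_fallbacks(parsed):
        print(f'ANON FALLBACK conn={conn} after failed bind as "{dn}"')
```

A successful `dn=""` bind after the failure also shows that the directory accepts anonymous binds, which is worth reviewing separately from the missing service account.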

  • Delegated admin 6.3 Invalid login ID or password, please try again

    Dear Oracle,
    I am having a problem logging in to Delegated Admin. Previously the login was OK
    until recently; I am not sure what caused the login to fail.
    Please advise where I should start to t/s.
    Cheers
    Sam

    Dear Oracle,
    I found the DA failure might be related to Access Manager not functioning
    after restarting the web server for DA & amserver several times.
    The error log is shown below:
    20/Nov/2010:14:17:31      failure      Click to view more details for this
    message WebModule[amserver]StandardWrapper.Throwable
    java.lang.NullPointerException at
    com.sun.identity.authentication.UI.LoginLogoutMapping.initializeAuth(LoginLogoutMapping.java:89)
    at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:74)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1165)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:994)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4731)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:5123)
    at com.sun.webserver.connector.nsapi.WebModule.start(WebModule.java:182)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:924)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:520)
    at org.apache.catalina.startup.Embedded.start(Embedded.java:917) at
    com.sun.enterprise.web.PwcWebContainer.onStartup(PwcWebContainer.java:70)
    at com.sun.webserver.connector.nsapi.WebContainer.start(WebContainer.java:472)
    at com.sun.webserver.init.J2EERunner.confPostInit(J2EERunner.java:304)
    20/Nov/2010:14:17:31      failure      Click to view more details for this
    message WebModule[amserver]PWC1396: Servlet /amserver threw load()
    exception
    0/Nov/2010:14:11:03      failure      Click to view more details for this
    message for host 10.0.1.28 trying to GET /amserver/UI/Login,
    service-j2ee reports: WebModule[amserver][ERROR] Uncaught application
    exception
    java.util.MissingResourceException: Can't find resource for bundle
    java.util.PropertyResourceBundle, key at
    java.util.ResourceBundle.getObject(ResourceBundle.java:325) at
    java.util.ResourceBundle.getObject(ResourceBundle.java:322) at
    java.util.ResourceBundle.getString(ResourceBundle.java:285) at
    com.sun.identity.authentication.client.AuthClientUtils.getErrorVal(AuthClientUtils.java:1389)
    at com.sun.identity.authentication.client.AuthClientUtils.getErrorTemplate(AuthClientUtils.java:453)
    at com.sun.identity.authentication.UI.LoginViewBean.setErrorMessage(LoginViewBean.java:1650)
    at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:373)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:796) at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:917) at
    org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    20/Nov/2010:14:11:03      failure      Click to view more details for this
    messagefor host 10.0.1.28 trying to GET /amserver/UI/Login,
    service-j2ee reports: StandardWrapperValve[LoginServlet]: PWC1406:
    Servlet.service() for servlet LoginServlet threw exception
    Cheers
    Sam

  • Can't login to Delegated Admin after redeploy

    I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA. Now I cannot login to DA. It keeps telling me: "Invalid login ID or password, please try again". The ID and password are correct. No LDAP traffic is being generated during the attempted login. I turned on DA logging and this is what I get:
    Aug 23, 2008 4:43:39 PM com.sun.comm.da.security.DALoginManager login
    INFO: Login failed, login id [admin]
    com.sun.comm.jdapi.DAException: Moved Temporarily: Moved Temporarily
    at com.sun.comm.jdapi.DAConnection.liveAuth(DAConnection.java:88)
    at com.sun.comm.jdapi.DAConnection.authenticate(DAConnection.java:130)
    at com.sun.comm.da.security.DALoginManager.login(DALoginManager.java:209)
    at com.sun.comm.da.view.LoginViewBean.handleLoginButtonRequest(LoginViewBean.java:212)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:816)
    at com.sun.comm.da.DAServlet.service(DAServlet.java:152)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
    at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:133)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    Here is a sample of what I get when I run commadmin:
    ./commadmin -v search domain o=xyz.com
    [Debug]: DBG:Object = search ; task = domain
    [Debug]: default domain from Properties: xyz.com
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    Enter login ID: admin
    Enter login password:
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
    Moved Temporarily: Moved Temporarily
    Invalid value for Identity server host name: webmail.xyz.com
    Invalid value for Identity server port: 80
    Enter Identity server port[80]:
    Any ideas?

    sheger77 wrote:
    I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA.
    As per the administration guide, Delegated Administrator server needs to be installed in the same web-container/instance as Access Manager.
    http://docs.sun.com/app/docs/doc/819-4438/acfck?a=view
    "The Delegated Administrator server uses the same Web container as Access Manager. The configuration program asks for Web container information after it asks for the Access Manager base directory."
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    The commadmin client is trying to contact the DA server which is supposed to be installed in the same Web container as Access Manager
    (hence the use of IShost/ISPort):
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
    Can't contact DA server so attempt fails.
    Regards,
    Shane.

  • From schema 1 to schema 2 migration delegated admin problem

    I want to migrate the messaging server 6.2 (JES 2005Q1) from schema 1 to schema 2.
    I have installed Access Manager and Delegated Admin.
    With commdirmig I migrated the domain and schema, and messaging works correctly.
    I have a problem with the delegated admin web interface.
    The delegated admin doesn't view my domain. If I add the sundelegatedorganization objectclass I can view my domain on delegated admin but I can view user and group.
    Any Idea?
    TIA
    Bye Giovanni

    There are two very different products called "delegated admin". The old iPlanet Delegated Admin (iDA) only works with Schema 1. The current Delegated Admin, that comes with JES3 only works with Schema 2.
    If you're using the old iDA that worked with schema 1, it won't work with schema 2. You have to install the new DA for that.
    It doesn't work with groups/lists, only with users and domains.

  • Keychain "login" Problems   Can't remember my Keychain password.  Admin Password also does not help. Mac Mini(Late 2012) OS 10.10.2

    Series of Keychain "Login" Problems.
    Hardware: Mac Mini (Late 2012)  2.5 GHz Intel Core i5,  4GB 1600 MHz DDR3
    OS X : 10.10.2 upgraded yesterday
    Mail wants to use "login" keychain.   I enter Password but no success.
    CalendarAgent wants to use "login" keychain.   I enter Password but no success.
    Com.apple.internetaccounts.xpc wants to use "login" keychain. Password, not successful.
    At some point in past days I was offered to rename Keychain, so I did.
    In Keychain Access, I deleted "Login"    and selected Delete references.
    Just now I went into ~/Library/Keychains and found Login.Keychain and Login_renamed.Keychain.
    I have renamed Login.keychain -> Login-old.keychain.
    I renamed Login_renamed.keychain-> Login.Keychain.
    In Keychain Access, I added "Login" back.  This should be the renamed keychain.
    Original problems still persist.  No noticeable changes.
    Keychain wants to use the "Login" keychain.   Can't remember my password or it is incorrect.
    Help?
    TITLprods

    I turned off and turned on the computer.  When restarting it said that it could not use the Login and did I want to create a new or use an alternate?  I created new and for the moment things seem to be working under the command of the "New Login"
    That still doesn't really alleviate the problem of the old login.

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEqiuvalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Delegated Admin Woes

    We are running SunOne Messaging 5.2 Hotfix 1.21 with SunOne Directory 5.2 and are having trouble with the delegated admin console.
    In general (For 620 out of 621 domains) it is working fine and everything is OK.
    The domain that isn't working is one which has been migrated from our test server which was running Iplanet Messaging 5.2 (not sure which version of the directory). When you login to an account created through the DA you get a 'page not found' error. The address in the bar at the top also shows http://mailstore.domain.ac.uk for this domain whereas for the others it shows http://webmail.domain.ac.uk.
    If I create a user in the domain which doesn't work then it appears in the directory like follows:
    uid=testa, ou=people, o=subdomain.domain.ac.uk,o=base
    objectClass=top
    objectClass=person
    objectClass=organizationalPerson
    objectClass=inetOrgPerson
    objectClass=inetUser
    objectClass=ipUser
    objectClass=nsManagedPerson
    objectClass=userPresenceProfile
    objectClass=inetMailUser
    objectClass=inetLocalMailRecipient
    [email protected]
    mailUserStatus=active
    dataSource=NDA 4.5 Delegated Administrator
    mailHost=mailstore.domain.ac.uk
    givenName=test
    cn=test usera
    uid=testa
    nsdaCapability=mailListCreate
    sn=usera
    mailDeliveryOption=mailbox
    preferredLanguage=en
    inetUserStatus=active
    But if I create one for any other domain it appears like this:
    uid=testa, ou=people, o=subdomain2.domain.ac.uk,o=base
    pabURI=ldap://ds0.domain.ac.uk:389/ou=testa,ou=people,o=subdomain2.domain.ac.uk,o=base,o=pab
    nswmExtendedUserPrefs=meDraftFolder=Drafts
    nswmExtendedUserPrefs=meSentFolder=Sent
    nswmExtendedUserPrefs=meTrashFolder=Trash
    nswmExtendedUserPrefs=meInitialized=true
    preferredLanguage=en
    mailDeliveryOption=mailbox
    objectClass=top
    objectClass=person
    objectClass=organizationalPerson
    objectClass=inetOrgPerson
    objectClass=inetUser
    objectClass=ipUser
    objectClass=nsManagedPerson
    objectClass=userPresenceProfile
    objectClass=inetMailUser
    objectClass=inetLocalMailRecipient
    [email protected]
    mailUserStatus=active
    dataSource=NDA 4.5 Delegated Administrator
    mailHost=mailstore.domain.ac.uk
    givenName=test
    cn=test usera
    uid=testa
    nsdaCapability=mailListCreate
    sn=usera
    inetUserStatus=active
    There are a few differences.
    Which ones (if any) could be causing problems?
    How do I change the way that the DA creates the accounts to stop it happening?
    Any other ideas?
    Thanks in advance

    There is no way to "change the way Delegated Admin creates accounts".
    The trick is to figure out what's wrong with the domain as created already, and fix that.
    Suggest comparing your domain data with what's in the "provisioning guide":
    http://docs.sun.com/source/816-6018-10/domains.htm

  • Jes3 and Delegated Admin

    I'm setting up a demo of JES3 Messaging for a customer with the Delegated Admin. It seems to work, for I can create users with the correct attributes. These users can log into Messenger Express and can see their mail but cannot send outgoing mail. Also I can't pop from the command line for any of these users, but sending mail to them from the command line does work. This seems to be a problem with MailAllowed Services, but it seems OK on an ldapsearch (see below).
    Synopsis of results:
    I can send mail to these users with a telnet to port 25. But MExpress cannot send mail from any of these users.
    Messaging Express smtp error:
    "Not authorized to sned messages"
    But MExpress gets incoming mail for these users.
    Messenger Express gets mail for the users but pop fails:
    Telnet <server> 110
    User testuser2
    pass password
    "-ERR [AUTH] Not authorized to login as specified user"
    ldapsearch output for testuser2
    uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
    psIncludeInGAB=true
    uid=testuser2
    iplanet-am-modifiable-by=cn=Organization Admin Role,o=myjazz.com,dc=myjazz,dc=com
    givenName=Test
    [email protected]
    mailUserStatus=active
    sn=User2
    cn=Test User2
    inetCOS=gold
    preferredLocale=en
    mailHost=bigun.myjazz.com
    objectClass=userpresenceprofile
    objectClass=top
    objectClass=iplanet-am-managed-person
    objectClass=iplanet-am-user-service
    objectClass=inetadmin
    objectClass=organizationalperson
    objectClass=person
    objectClass=inetuser
    objectClass=inetlocalmailrecipient
    objectClass=iplanetpreferences
    objectClass=ipuser
    objectClass=inetorgperson
    objectClass=inetsubscriber
    objectClass=inetmailuser
    inetUserStatus=Active
    userPassword={SSHA}I8oftLKYhg0DzYAzCh1UfzaluWNuKVNIjXO7RQ==
    mailDeliveryOption=mailbox
    preferredLanguage=en
    nswmExtendedUserPrefs=meDraftFolder=Drafts
    nswmExtendedUserPrefs=meSentFolder=Sent
    nswmExtendedUserPrefs=meTrashFolder=Trash
    nswmExtendedUserPrefs=meInitialized=true
    pabURI=ldap://bigun.myjazz.com:389/ou=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com,o=pab
    mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL
    mailMsgMaxBlocks=700
    mailMsgQuota=3000
    mailQuota=8000000

    I had the same problem. When I created a user account through the Delegated Admin interface the user could log into Communications Express, but was unable to send outgoing email. I then created another user account using the command below and this user is able to send email. I have not quite figured out the significant difference yet.
    ./commadmin user create -D admin -w <password> -X host.domain.com -n domain.com -d hosteddomain.com -l test5 -F Test5 -L User -W pass -S mail,cal -k legacy -E [email protected] -H host.domain.com
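For readers comparing the two accounts in this thread, the following added example (not code from either poster or from the product) parses a `mailAllowedServiceAccess` value and reports which services it permits. The function names, the placeholder client address 192.0.2.10 and the evaluation rule (an allow match grants, a deny match refuses, and no match is refused only when the filter holds allow rules and no deny rules) are assumptions; only explicit service names and the client keyword `ALL` or an exact client string are handled.

```python
# Added example, not code from the thread; the evaluation rule is an assumption.
SERVICES = ("imap", "imaps", "pop", "pops", "smtp", "smtps", "http")

# Value copied from the testuser2 entry posted above.
POSTED_VALUE = "+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL"


def parse_rules(value):
    """Split 'rule$rule$...' into (is_allow, services, clients) tuples."""
    rules = []
    for raw in (part.strip() for part in value.split("$")):
        if not raw:
            continue  # tolerate an empty value or a trailing '$'
        if raw[0] not in "+-":
            raise ValueError(f"rule must start with + or -: {raw!r}")
        service_part, sep, client_part = raw[1:].partition(":")
        if not sep or not service_part or not client_part:
            raise ValueError(f"expected services:clients in {raw!r}")
        services = {s.strip().lower() for s in service_part.split(",")}
        clients = {c.strip() for c in client_part.split(",")}
        rules.append((raw[0] == "+", services, clients))
    return rules


def is_allowed(value, service, client="192.0.2.10"):
    """Assumed rule: allow match grants, deny match refuses, else default."""
    rules = parse_rules(value)
    if not rules:
        return True  # no filter present: nothing is restricted
    def hit(rule):
        _, services, clients = rule
        return service in services and ("ALL" in clients or client in clients)
    if any(r[0] and hit(r) for r in rules):
        return True
    if any(not r[0] and hit(r) for r in rules):
        return False
    # No match: refused only when every rule in the filter is an allow rule.
    return not all(r[0] for r in rules)


def report(value):
    """Map every known service name to the access decision."""
    return {svc: is_allowed(value, svc) for svc in SERVICES}


if __name__ == "__main__":
    for svc, ok in report(POSTED_VALUE).items():
        print(f"{svc:6} {'allowed' if ok else 'DENIED'}")
```

Under the assumed rule, the posted value permits `imaps`, `pops`, `smtps` and `http` but not plain `imap`, `pop` or `smtp`, which is worth checking against the port 110 login failure and the send error quoted in the post.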

  • Continuing delegated admin issues

    Folks,
    I have installed nda on our production machine. When I try to login as ServiceAdmin (which is the mail admin in ldap) it says invalid credentials.
    I have more problems with delegated admin -- I am starting to hate it....

    The command line is your friend. Learn it, use it, love it. :-)
    Seriously, for account creation/deletion, I've written scripts for doing that. Much easier than the GUI. Besides, the GUI doesn't delete PAB entries (last I checked). I also have a script for setting a user's password.
    I do have one question: Why doesn't the iDA allow me to modify a user's mail filter? I can do other stuff, but not that.
    Roger S.

  • Whenever I launch Firefox through non admin login, I get an alert message.

    Whenever I open Firefox through non admin login, I get the following alert message. "Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features."
    After this, Firefox opens but whenever I go to any web page having a secure connection like orkut, facebook etc. Firefox crashes. It works normally through admin login.
    == This happened ==
    Every time Firefox opened
    == I suppose this started when I updated it to latest version i.e. 3.6.8 ==
    == User Agent ==
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)

    Thank you for contacting Mozilla Firefox. Please join us on live chat so we can better assist you with your issue.
