Directory Association Questions

I'm planning on upgrading my GW2012 server to 2014 this coming weekend and am in the final stages of working in my testing environment. My upgrade is going successfully but I have a couple of behavioral questions in regards to the Directory Association step that I'm mildly concerned about.
In my first upgrade attempts I discovered that my LDAP User Synchronization job was not configured correctly so that I had the warning post-upgrade indicating that directory association was not successful. I resolved this issue and now when I test my upgrade I do not get this notice. At this point immediately post-upgrade, if I look at my Users list I see the correct icon indicating that the user is associated with a directory account, but I can also go to Directory Associations, perform a search against eDirectory and the search results tell me that none of my users are associated. Should I believe the post-installation user's list or should I run the Directory Association just to be safe?
That leads me to my second question, when I do run the Directory Association, each time I've run it I have the same 10 users experience an error, which when I click on the error's details I get a null javascript. At that point if I update the Association list it indicates that all of my users are now associated. Is this anything to worry about since it appears to associate accounts, or how would I find out what is causing my errors after closing the screen after the initial association? Thank you

After an update, the users are only partially associated. GW admin knows what directory the user is associated to; in an update, it's eDir. It also knows what the user's eDir DN is. However, to be fully associated for 2014, GW needs the LDAP GUID from the eDir object as well. This is accomplished by the first MTA directory sync. The MTA will find the eDir object via the DN, then grab the LDAP GUID and write it to the GW object.
So, for an update process, after the update, if you want to retain the user associations to eDir, it's a good idea to kick off a Sync process. You can do this by going to the directory object in GW admin console | System | LDAP Servers. Select the directory object that was created by the update, and there is a 'SYNC' button at the bottom. This fires off a msg to the MTA to perform a dir Sync outside of his normal Scheduled Events timeframe.
--Morris

Similar Messages

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a PowerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to login. The "other" icon would appear on the login window, but when I would log in with the correct username and password the login window would "shake its head" and wouldn't let me login.
    The biggest pain was that portable directories didn't sync correctly anymore, so I had to manually backup, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • Active Directory Connector Questions in 11.1.2.1

    Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
    I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
    Here are my questions if you would be so kind:
    1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
    2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
    3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
    Thanks in advance!

    1. Identity gets created in Oracle Identity Manager from an authoritative source. In case of target recon, it will just sync with the matched account in OIM.
    Please have a look at the link below, section 12.1.12:
    Managing Reconciliation - 11g Release 2 (11.1.2)
    2. You can very well prepopulate fields in the process definition; you can even automate the provisioning process using role-based provisioning.
    3. There should be some tasks available for each field. No need to run the recon task or modify the account in AD. It will be updated in AD using the tasks. Check the connector process definition.

  • How do I change the "Default Directory" associated with my subscription?

    I was recently added as an administrator for a client's Azure subscription.  This has caused his account AD to be the default directory I see when I log in.  So every time I log in I have to open the Subscriptions menu and change the FILTER BY DIRECTORY option.  How can I make my own directory the default directory when I log in?
    Note: there was an almost identical question back in Dec 2013 and the solution was to have the other user remove you as an administrator.  The marked answer suggested the questioner read some arcane description of Azure subscriptions and Active Directory.  I need to remain an admin for the other account and the referenced document had nothing useful to say about my problem.
    Anyway, thanks in advance for your help.

    Hi,
     Thank you for posting.
     I hope you find the following link helpful.
     http://itproguru.com/expert/2014/07/change-azure-subscriptionsgo-directly-to-a-specific-subscription-in-windows-azurestep-by-step/
    Regards,
    Nithin Rathnakar.

  • Active Directory Structure Questions

    I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
    My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own dc and that dc is listed as an organizational unit in our AD. I have never seen anything like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
    Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
    I was wondering what if any precedent would support this type of configuration? I am just asking.
    Thanks
    Richard Tamboli

    No Special hardware is required for Active Directory
    Active Directory is builtin feature for most of the Windows Servers such as Windows Server 2003, 2008,2008R2,2012.
    It is a feature and part of Windows Server.
    Hope this may answer your questions.
    http://en.wikipedia.org/wiki/Active_Directory

  • OracleInventory directory location question

    During installation of any Fusion Middleware component for a fresh install,
    the installer asks for home directory for oracleInventory
    and once entered the installation proceeds.
    Please confirm if following is true
    1. This oracleInventory directory is used to keep log of the installs
    However, after deinstall and re-installing, the installer does not ask for
    oracleInventory directory. It uses the one previously used.
    2. Question: How does or where does the installer record the home directory for
    oracleInventory
    3. Question: If one were to change this directory location for oracleInventory, for a fresh install,
    then how to guide the installer to ask for a new location for oracleInventory?
    4. Question: Is it ok to delete the oracleInventory directory after an install is completed?
    Or would it affect normal operation of the installed product?

    I suppose it’s done to your individual requirement. There’s no reason why you can’t. We keep them on a different disk, but because of our daily SOCS checks and GRID notification email, we know when it’s getting full/etc

  • The old 90 day association question

    This one just keeps on coming back.  I think it's because most people don't know or find out about it until it's too late.  There have been so many threads and questions from exasperated users that I really feel that it needs to be addressed.
    This is the issue as described by Apple "Once a device or computer is associated with your Apple ID, you cannot associate that device or computer with another Apple ID for 90 days."
    What this means is that if you download a purchase from iTunes using one Apple ID you can't download your old purchases from iTunes using your original Apple ID for 90 days.  So your old purchases are now inaccessible but you can make new purchases.  If you're not confused by now well read this thread from
    Lunky;
    Feb 6, 2013 12:34 PM
    I bought a new MacBook Pro.  Created separate user profiles for family members (total of four of us).  Each person has their own iTunes account.  I was able to download purchases for two of the iTunes accounts but when I tried to do the third it stated that I had to wait 90 days because there is already an Apple ID associated with the computer.  I thought the user profiles were separate...like having four computers in one?  So now I have to wait 90 days to download purchases for the third profile and then another 90 days for the fourth profile???  So the last profile has to wait 6 months before their purchases can be downloaded into their profile on this computer??  That's insane.  There has to be a way around this.
    My question is why 90 days?  Who came up with such a prohibitive time frame?  Surely 24 hrs would be bad enough or even 7 days.
    I purchased a second hand iPhone on eBay which was not returned to factory settings. I still have 45 days to wait before I can associate it with my iTunes account and in the mean time I still see all of the previous owner's music library on iCloud in Music.  If I wanted I could download her music onto the phone; surely this defeats the whole point.
    A girl in another forum gave her girlfriend a $25 iTunes gift card so they logged into her iTunes account to choose purchases and then found that her laptop was now associated with her friend's account for 90 days. 
    Why not just allow people to be associated with their accounts instead of machines.  If it's about protecting property rights there are enough third party apps out there to get around this annoying rule.  For the honest user it's just a huge inconvenience.

    Hi MorrisSoak,
    Did you authorize the Mac for each individual Apple ID? (just askin')
    Cheers,
    GB

  • Repairing directory associations for disassociated Library files.

    Here's one I haven't been able to find a solution to, and would appreciate some input.
    My iTunes library files are disassociated from my current iTunes directory.
    By example, my current directory for my iTunes library is:
    C:\Users\Public\Music\Itunes
    All new purchases are in this file, which is clean with no duplicates. However I note that the Library files:
    iTunes library.itl
    iTunes Music Library.xml
    Itunes Library Extras.itdb
    iTunes Library Genius.itdb
    are not updating.
    I have an old Itunes Library:
    C:/Robert/Music/Itunes
    which is a complete iTunes file I no longer reference, kind of a dated backup. However, I note that the library files noted above in this directory are up to date. So iTunes appears to be updating into this file instead of my new file.
    I am unsure if I want to try consolidate as I know there are duplicates and differently named artist folders in the old iTunes directory? Won't consolidation add them into my new preferred folder?
    My question. How do I get iTunes to routinely associate with and update the files in the preferred iTunes directory above?
    Thanks, BobMack

    If you would like to try pointing iTunes to another library, start iTunes while pressing the Shift key. You will then be asked to either create or choose a library. Click the "Choose library..." button then select the library (the itl file in the correct folder) you wish to use.
    The Advanced preference indicated above changes the folder to place your music files, it has nothing to do with the library files (itl, itb, xml, etc.).

  • Netbeans 4.1 project directory - noob question

    Hi all
    I have the following code to load a properties file to a webapplication, the file is located inside the default package, on the Source Packages item of an Web Application project in Netbeans 4.1.
    Properties env = new Properties();
    env.load(new FileInputStream("webapp.properties"));
    My question is how to refer the load method to get the file without indicating the full path.
    Sorry the bad english, thanks in advance....

    "Yes, but this way isn't working"
    Then the file is not in the "root" directory. I don't know how Netbeans organizes its files. Try placing it in the project root.

  • Active directory change question regarding affects on exchange 2013

    Good day,
      I have some universal security groups that are meant to be distribution groups in a 2008 R2 active directory forest.  These groups are being utilized by exchange 2013, I plan on turning these groups into global distribution groups in active directory (all changes will be made in active directory only, not in exchange).
      Question is; What will happen to the mail boxes using this group? Will it break the mailbox? How will users be affected?
     I plan on doing testing of my own but if someone else has already done this and has run into issues this will help me out greatly.

    Hi ,
    Mail enabled security groups can be used for two purposes.
    1. Used to distribute emails to its members.
    2. Unlike mail enabled Distribution groups, Mail enabled security groups will have a SID value, so it can be mapped on any resources (for e.g. a share folder) to give access permissions to its members.
    In your case, you would like to change the scopes for the mail enabled security groups. Before changing the group scopes just have a look at the following link which states clearly about the group scopes and their usage.
    http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
    Please feel free to reply to me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • Open Directory Configuration Question

    I've got a Mac-Mini based server running Mountain Lion (10.8.3) and Server.app (2.2.1).  The server was migrated from Lion some weeks ago, the Server works OK, but seeing odd CPU usage and fairly frequent non-specific error reports which suggests that there are still a few odd gremlins lurking around that I'm trying to track down.  So I'm trying to find things that appear odd.  I've found one such in the reported configuration for Open Directory.
    The server is configured to be an Open Directory master, and is the only Open Directory server we have.  The panel for Open Directory in Server.app lists the single entry as follows:
    * www.2gc.org (master)
    * 10.0.1.2, 10.211.55.2, 10.37.129.2
    The first IP address is the IP address of the server on our LAN.  I have no idea what the second and third IP addresses are - they do not appear to have anything to do with any network we have configured.  They are from the "private" address space - so I'm guessing they are non-functional since we don't have a network using either with these IP ranges within them - but they must have come from somewhere.
    It is also not clear where / how these entries are set within ML.
    It may be that this is all perfectly normal, or maybe symptomatic of something that can be cleaned up. 
    Would value any thoughts.
    Thanks in advance.

    Hi Simon
    Thanks for the thoughts.  There are no other servers on the network - this is an isolated computer parked on a fixed IP with no downstream LAN - the 10.0.1.2 address is the one assigned it by the router that connects it to the outside world - but no other devices are connected to the sub-net the machine sits on: all services are provided through the fixed IP to machines accessing it directly from internet via FQDN.
    All of which makes the presence of the other two IPs curious, and apparently unnecessary.
    Good housekeeping suggests they could be removed - but unclear how these entries are set.  But in the interim good to know that the presence of these IPs is probably harmless.

  • Open Directory authentication question

    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?

    mickey13 wrote:
    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?
    This should work the same way as normal.
    Define the user accounts in Open Directory as normal via Workgroup Manager
    On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
    On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
    Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
    Click on the 10.5 share point and save the user account.
    I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
    It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
    What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.

  • Open Directory Keychain Question

    I have set up open directory on my domain but I am having trouble with Keychain access over the network when users logging into network accounts. Whenever I log in using open directory, I can open all of my applications, however each time I log in to my user account all of my keychain passwords are reset. I can look into the user preferences file and see the keychain file, but for some reason whenever a user logs out the changes to it are lost.
    Is Keychain access supported when network mounting user folders? If so, what is the proper way to implement keychain access?

  • Directory structure question...

    I've been w/ three different companies doing Java development now, and each time I've come in once the project is already in progress and the directory structure is set up. What I see is a similarity:
    com.<company name>.<project>.<sub-units>
    examples:
    com.delta.kiosk.server
    com.delphi.shipping.gui
    Is this a common way of laying out directories and if so, what is the benefit (other than standardization)?

    I always figured that it was primarily a namespace issue.
    org.apache.ecs.Attributes
    org.xml.sax.Attributes
    are examples of class names that would have resulted in a collision without the prefixes. A full class name has the package name before it so
    String
    java.lang.String
    are the same thing, String is just shorthand for the latter. But if there are two of the same class then the prefix will help the compiler know where the class is supposed to come from. com.<company name>.<project>.<class> is a good way to ensure that you will not encounter a collision.

  • Home Directory Script Question

    I'm not sure if this is the right area but I figured people in the automator section would know the most about this... Anyways, I'm trying to write a script and I need to know how to make the file path go to the non-specific user's home directory.
    For example I'll use a package maker example:
    I don't want the install path to be /Users/Eric/Desktop
    I want it to be /Users/(Home directory|non-specific )/Desktop
    What could I replace my name (eric) with to make the path go to the user directory on any computer?

    I think it depends on the scripting environment.
    ~/ is a shortcut to the Home directory, but I don't know if it will work in all environments. As mentioned, the $HOME environment variable should work in most (all) shells.
    Applescript has 'path to desktop folder' which returns the full path to the folder.
