DIT Design -- Handling users in overlapping & changing groups/institutions

Hi Folks-
[My Apologies if there are duplicates, the forum doesn't show any sign of accepting this]
I've been working on a DIT Design to solve a set of business requirements which conflicts with most traditional approaches. I've got some (overly) complicated ideas, but I'm wondering if anyone has encountered a similar situation, and if so did you find a good solution.
Key Requirements:
(1) We have a collection of users from various institutions and groups within them.
(2) (THE MAIN WRINKLE) A certain amount of overlap and movement between institutions is expected (group overlap will be common). A user who is in overlapping institutions or moves between them MUST use a single, shared identity and SHOULD maintain a stable identity (i.e. no DN changes).
(3) Much of the user administration should be decentralized and done at the group level (within each specific institution). An administor of GroupA in Foo Institution should only be able to administer the users in GroupA at Foo, but must be able to control membership within GroupA. Special precautions are permitted to keep a Group-A/Foo administrator from hijacking an arbitrary user by adding the target user to Group-A/Foo.
(4) The number of institutions is expected to be start around 40-50, and could scale to the thousands. The number of people will probably be around 5-20 times the number of institutions. The design should accomodate that scale.
Additional Notes:
(A) I don't see any alternative to keeping any organizational information out of the users' DN's, essentially flattening the users out (I've currently got them all in one container).
(B) I can obviously setup a hierarchy of roles/groups in institutional containers to handle membership and group administrator lists. All Directory Server administration will be done by a small central team and everything can be in containers under a common root suffix.
(C) We currently have the necessary skillsets to develop scripts and programs as needed. But 2 different application families (incompatible foundations -- Java vs. Cobol+Perl) are already scheduled for deployment against this (hopefully more will follow). This means it's not very practical to use one "LDAP Superuser" id and rely on the application to enforce security policies. We really want to put as much of the security into the Directory as possible (calling for individual LDAP admins w/ the appropriate rights), but we can supplement it where we need to.
(D) It looks like I'll have to rely heavily on filters based on the values of particular attributes of each user (whether in ACI's, Filtered Roles, or the like). Unfortunately, I don't see many ways that I can actually build those filters to be dependent on attributes/values of different entries. But I'm still working on that.
(E) Because of the number of institutions (and probable continous growth), writing a master upper-level ACL which has each institution & group explicitly coded is probably unwise due to size and stability. If I have to I could have a helper program custom-code each user's ACL differently and change it as needed. But that doesn't seem like a good solution.
Right now the designs I'm tossing around are calling for combinations of (all/most of) Roles (Filtered & Nested), Groups, CoS Template & Password Policies (yeah, we need those too), Macro ACI's, and a small amount of helper scripts and programs. We're running 5.2 but can probably upgrade to 6.0 if I can cite a good enough reason.
My current design is pretty ugly and complicated but probably attainable. If people are interested enough I'll post a cleansed summary once it's working.
Has anyone tackled anything like this before, and does anyone see any cleaner approach I've missed?
Thanks,
-Scott-

Hi-
We're basically putting all the users in one big container making a flat space.
We then create lots of roles, each of which corresponds to a particular combination of institution, application, and access type/level (the user is implicit as it contains the nsRole). If a user has multiple types of access to an application for a given institution then they will be in multiple corresponding roles.
We have the roles grouped together in a subtree which is divided by institution (and could be further subdivided by application within each institution or placed in the reverse order). But because of the scoping restrictions on nsRole's only a nsNestedRoleDefinition can be placed at this location (using nsRoleScopeDN), the Managed and Filter "working roles" must be in a branch of the tree above all things which will be contained within them (we put it at the top of that naming suffix).
According to the docs, queries will ignore a ldapSubEntry (which all of the nsRoleDefinition's are) unless specifically requested, so the fact that there are hundreds or thousands of roles defined at the top shouldn't matter. However, all of the GUI's I've tried displayed all the roles.
Currently the application code parses the DN of the role names from the user's nsRole entry, NOT the nsRoleDN entry. There end up being a lot of intermediate roles which get ignored. It uses this to determine the access type(s) to be granted. This is really convenient since one query for the user gets everything. However it builds dependencies into the DN format which arguably probably shouldn't be depended on. I've considered defining custom schema attributes which would contain the application/institution/access tuples (which could also be helpful for building nsFilteredRoleDefinition's), but that represents another round of queries and more substantial code changes for the pilot application.
Once in place, the roles can easily be nested and combined in various ways (such as "roll-up" roles containing all users of an application). They can also be used for password policies, CoS templates, and building ACI's. The last should be very helpful in enabling decentralized administration, but that's going to be pretty dependent on your security policy.
An issue with decentralized administration and Managed Roles is that normally anyone who can modify a user's nsRoleDN attribute can place any role in there, which isn't desirable in this environment. I haven't moved forward with the ACI work yet, but it appears that the "targattrfilters" ACI keyword may allow this problem to be solved (possibly in conjunction with Macro ACI's). Using some custom attributes with filtered roles might make this easier.
So, we could have something like this very incomplete LDIF (not checked for errors), only the really important attributes are shown. Also similar entities with the same naming patterns have been omitted.
dn: cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
objectClass: nsNestedRoleDefinition
nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
nsRoleDN: cn=filtered-webmail-inst01-appusers,o=naming-suffix
nsRoleScopeDN: o=naming-suffix
dn: cn=managed-webmail-inst01-appusers,o=naming-suffix
objectClass: nsManagedRoleDefinition
dn: cn=filtered-webmail-inst01-appusers,o=naming-suffix
objectClass: nsFilteredRoleDefinition
nsRoleFilter: (customAppInstAccess=webmail:inst01:user)
dn: uid=jsmith,ou=users,o=naming-suffix
nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
nsRoleDN: cn=managed-webmail-inst01-appadmins,o=naming-suffix
dn: uid=jappleseed,ou=users,o=naming-suffix
nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
customAppInstAccess: blogger:inst03:user
customAppInstAccess: webmail:inst03:userSo jsmith's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
cn=appadmins,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
cn=managed-webmail-inst01-appusers,o=naming-suffix
cn=managed-webmail-inst01-appadmins,o=naming-suffixAnd jappleseed's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
cn=appusers,ou=blogger,ou=inst03,ou=institutions,o=naming-suffix
cn=appusers,ou=webmail,ou=inst03,ou=institutions,o=naming-suffix
cn=managed-webmail-inst01-appusers,o=naming-suffix
cn=filtered-blogger-inst03-appusers,o=naming-suffix
cn=filtered-webmail-inst03-appusers,o=naming-suffixIf that doesn't make sense, then you can email me details of what you're trying to do at <[email protected]>, but it may take some time before I can respond.
-Scott-

Similar Messages

Design question: Change Group membership for a AD resource via SelfService

Hi all,
based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
Or is there a way to allow end users to change their resource data directly under "My Resources" ?

there is no concept of requesting a modification of an already provisoned account. Like you said this can be achieved thru an attribute on the user's profile and on changing that attribute, downstream applications can be propagated the new value.
Typically if changes to an already proviisoned account needs to be done in oim and through oim, an oim admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. in case of ad groups, there will be a child process form that shows the groups that the user is a member of, you can insert(add) new groups or delete existing groups from there and save the form. In the proviisoning porcess of AD you will need to write a porcess task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed wehn the admin is modifying the user's AD process form/process child forms in oim.

Change group of user in solaris

i have a doubt as to how to change group of a user in solaris. I want to change the group of the user. Please, do the needful.
regards

For Oracle specific questions you can try Database forum, for OS specific ones I already addressed you Create user in solaris, and Sun has its own site as well (http://www.sun.com).

How does your company handle user pwd changes?

I would like to know how other companies handle user password changes with Sun One Portal Server 6.0. Do you have an option in the portal server window itself or do you direct users to a page on the directory server?

Just a little note
When you login into the portal server, you actually login to the Identity server (DSAME), and have a DSAME session, and when you logout from either amconsole or portal window you logout from the DSAME. The portal server uses Identity server for authentication purpose (if you see the login page you will notice the login action url is "/amserver/login" and the logout url is "/amserver/logout").
Sanjeev

Problem to assign a User to an AD group

Hi,
I have a problem assigning a user to an AD group on the "Edit User" (Attributes tab) page.
I can see my AD groups as "Available Groups" and I can "move" a group to "Selected Groups".
Nevertheless, after I click on "Save", I can see the changes for the user, but the assignment to the group is missing and the user therefore is not added to the group in the AD.
(One possible way to assign a user to an AD group is to edit the group manually on the Resources page.)
As you can see I am quite new on the IDM-topic and I really appreciate your help.
Thanks in advance!
Andreas

Hi,
thank you all for your replies and sorry that I did not answer. I was out of the office for some exams.
This is my gateway trace file:
07/24/2007 15.53.58.905000 [620] (../../../../src/wps/agent/logging/WSTrace.cpp,150): trace active, level: 3, file: c:\gatewaytrace.txt, maxSize: 10000 KB
07/24/2007 15.53.58.905000 [620] (../../../../src/wps/agent/logging/WSTrace.cpp,108): In WSTrace::init()
07/24/2007 15.53.58.905000 [620] (../../../../src/wps/agent/logging/WSTrace.cpp,109): Gateway version: 'Sun Java System Identity Manager 7.1'
07/24/2007 15.53.58.905000 [620] (../../../../src/wps/agent/logging/WSTrace.cpp,110): OS version: 'Windows Server 2003 Family Service Pack 2 (Build 3790)'
07/24/2007 15.53.58.921000 [888] (../../../../src/wps/agent/connect/ntsvc.cpp,95): Service::svc
07/24/2007 15.53.58.937000 [888] (../../../../src/wps/agent/connect/server.cpp,269): starting up server daemon PORT 9278
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 44 bytes
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 24, 40 wrapped up rawlength 40
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,474): MakeChallengeResponse(in,out):
(22,3E) (D0,70)
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,476): (23,56) (E2,E2)
07/24/2007 15.54.35.296000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 16 pad: 4
07/24/2007 15.54.35.312000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 36 bytes
07/24/2007 15.54.35.312000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 16, 32 wrapped up rawlength 32
07/24/2007 15.54.35.312000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.35.312000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.35.312000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,571): Session key :
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 11188 bytes
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 11164, 11184 wrapped up rawlength 11180
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,567): Enter: handleRequest
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,636): command='get info'
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,467): Enter: ProcessCommand
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,76): Enter: sendBuffer
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 378 pad: 2
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,105): Exit: sendBuffer
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,562): Exit: ProcessCommand
07/24/2007 15.54.35.374000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,699): Exit: handleRequest
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 11324 bytes
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 11300, 11320 wrapped up rawlength 11316
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,567): Enter: handleRequest
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,636): command='get'
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,467): Enter: ProcessCommand
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6434): Enter: getObject
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5137): Enter: openObject
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2527): Enter: getIdentity(obj,result)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2564): Enter: getIdentity
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2627): Exit: getIdentity
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2628): return value: 'LDAP://<GUID=0b1d8258b7b2b54cb3d378e866120a0b>'
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2551): Exit: getIdentity(obj,result)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5152): Enter: openObject - 1
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5162): Enter: openObject - 2
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4734): Enter: login(wstring**,EncyptedData**,wstring**,WavesetResult&)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4716): Enter: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4727): Login: 1
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4728): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4737): Login: 1
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4738): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5176): ADsGetObject for LDAP://<GUID=0b1d8258b7b2b54cb3d378e866120a0b>
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
07/24/2007 15.54.35.390000 [924] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5223): Bound with GID, rebinding with dn. ADsGetObject for CN=Alice Anderson,CN=Users,DC=SunIM,DC=test
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2564): Enter: getIdentity
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2627): Exit: getIdentity
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2628): return value: 'LDAP://CN=Alice Anderson,CN=Users,DC=SunIM,DC=test'
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5266): Exit: openObject - 2
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5155): Exit: openObject - 1
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5146): Exit: openObject
07/24/2007 15.54.35.983000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6503): Enter: buildObject
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'co': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'company': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'department': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'division': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'employeeID': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'facsimileTelephoneNumber': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'groupMembershipSAM': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'homePhone': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'l': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'manager': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'middleName': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'mobile': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'postalCode': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'st': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'streetAddress': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'telephoneNumber': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.015000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6957): Unable to get attribute 'title': GetEx(): 0X8000500D: E_ADS_PROPERTY_NOTFOUND,
07/24/2007 15.54.36.687000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,7108): Exit: buildObject
07/24/2007 15.54.36.702000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,76): Enter: sendBuffer
07/24/2007 15.54.36.702000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 10894 pad: 6
07/24/2007 15.54.36.812000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,105): Exit: sendBuffer
07/24/2007 15.54.36.812000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,6479): Exit: getObject
07/24/2007 15.54.36.812000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,562): Exit: ProcessCommand
07/24/2007 15.54.36.812000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,699): Exit: handleRequest
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 7964 bytes
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 7942, 7960 wrapped up rawlength 7958
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,567): Enter: handleRequest
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,636): command='list all'
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,467): Enter: ProcessCommand
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9788): Enter: directorySearch
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9848): Searching container: 'LDAP://cn=Users,dc=sunim,dc=test'
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5162): Enter: openObject - 2
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4734): Enter: login(wstring**,EncyptedData**,wstring**,WavesetResult&)
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4716): Enter: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4727): Login: 1
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4728): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4737): Login: 1
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4738): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5176): ADsGetObject for LDAP://cn=Users,dc=sunim,dc=test
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
07/24/2007 15.54.40.421000 [924] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
07/24/2007 15.54.40.437000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5266): Exit: openObject - 2
07/24/2007 15.54.40.437000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10243): Search query: '(&(objectClass=group))'
07/24/2007 15.54.40.437000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9922): Getting first row
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10021): Closing search handle
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10118): Exit: directorySearch
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,76): Enter: sendBuffer
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 1996 pad: 8
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,105): Exit: sendBuffer
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,562): Exit: ProcessCommand
07/24/2007 15.54.40.452000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,699): Exit: handleRequest
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 7964 bytes
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,264): ReceivePrivate: count: 7942, 7960 wrapped up rawlength 7958
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,273): Rightbefore decrypt:
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 0 pad: 4
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,567): Enter: handleRequest
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,636): command='list all'
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,467): Enter: ProcessCommand
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9788): Enter: directorySearch
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9848): Searching container: 'LDAP://cn=Users,dc=sunim,dc=test'
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5162): Enter: openObject - 2
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4734): Enter: login(wstring**,EncyptedData**,wstring**,WavesetResult&)
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4716): Enter: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4727): Login: 1
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4728): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4737): Login: 1
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4738): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5176): ADsGetObject for LDAP://cn=Users,dc=sunim,dc=test
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
07/24/2007 15.54.43.937000 [924] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
07/24/2007 15.54.43.952000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5266): Exit: openObject - 2
07/24/2007 15.54.43.952000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10243): Search query: '(&(objectClass=group))'
07/24/2007 15.54.43.952000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,9922): Getting first row
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10021): Closing search handle
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,10118): Exit: directorySearch
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,76): Enter: sendBuffer
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/connect/RASecureConnection.cpp,114): SendPrivate: count: 1996 pad: 8
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,105): Exit: sendBuffer
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,562): Exit: ProcessCommand
07/24/2007 15.54.43.968000 [924] (../../../../src/wps/agent/object/RequestHandler.cpp,699): Exit: handleRequest

Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
In the client console I can see this entry:
27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
On the server, in the php.log I can see the corresponding attempt to authenticate:
1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
I have tried to remove and re-enroll clients in Profile Manager but no joy there.
In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
Thanks in advance for any help or suggestions

I just wanted to update my post, as this issue for me is resolved.
I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
https://discussions.apple.com/message/25420919#25420919

Unable to change group text name or add person to some group texts in iOS 8

I really like the ability to change group text names as it helps me separate work group texts from personal especially when I have coworkers that have separate business phones. I'm unable to change the name of some group texts as the option is not there when I go into details. I'm also unable to add contact to the same group texts that I'm unable to change the name on. Is this a glitch or am I missing something?

Hi CaliWingsFan,
If you are having issues with renaming and adding users to group texts, you may want to try some things to troubleshoot.
First, quit all running applications and test again -
iOS: Force an app to close
Next, I would try restarting the iPhone -
Turn your iOS device off and on (restart) and reset
If the issue is still present, you may want to restore the iPhone as a new device -
iOS: How to back up your data and set up your device as a new device
Thanks for using Apple Support Communities.
Best,
Brett L

Adding and removing current user from one SharePoint group to another with event receiver

hi friends
i need to change current user from one SharePoint group to another with list item adding event receiver.
please help me

Hi Malli,
Greetings. Its nt possible
http://sharepoint.stackexchange.com/questions/42286/event-receivers-on-add-remove-users
Please remember to click 'Mark as Answer' on the answer if it helps you

How to add a user to an existing group????

Can't seem to find how to add a user to an existing group (staff). I am trying to share data (rw) between my admin account (root) and a development user. On any other UNIX system I would just add the user name in the /etc/group file & logout/login in. It don't work here!
Suggestions??
thanx
mt

OS X doesn't use /etc/groups. This file is present but does nothing AFAIK.
Leopard uses directory services to handle groups and users.
membership in groups with GID>500 can be handled from GUI in system preferences->accounts. other groups can be handled from terminal with dscl (directory services command line). do man dscl for details.
to add a user to a group you'd do
sudo dscl . append /groups/groupname GroupMembership username
However, there should be no need to do it with "staff". every user with an account on your computer is a member of staff by default.

Type the name and password of a user in the "(null)" group to allow this.

To connect to wifi while in the recovery partition, I'm asked to authenticate the wlan's certificate, and in order to do that I'm asked for "the name and password of a user in the "(null)" group" to make changes to the Certificate Trust Settings. Anyone know what or which user may this be?
I'm not able to pass from the initial apple screen when I boot, so I wanted to repair or reinstall Lion, but in order to do that I need to connet to the WLAN to download it.

Hi, I called Apple Support this day, and the answer is that enterprise WPA wireless is NOT supported by Lion Internet Recovery.
You can find the supported configurations and protocols on Apple site:
http://support.apple.com/kb/HT4718?viewlocale=en_US

Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

Good morning all,
I need some help achieving the following in our Exchange 2013 Environment. First off, we have Exchange 2013, but all our clients have Outlook 2010.
Here's what I would like to be able to do:
1) create/manage public calendars / rooms in exchange 2013
2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Any one got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
membership.
I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining. I just want it to show up.
Any help on this is greatly appreciated, thank you!

1) I recommend using Room Mailboxes for resource calendars because it just works better.
2) This is a standard feature of a Room Mailbox.
3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
I don't know any way to just make them "show up". You'll have to teach them. Well written instructions can work wonders.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Where does Designer stores user defined custom colors?

Hi,
Everytime I restart Designer, all my custom colors are reset to white. Which is pretty annoying. So I want to export them to a file at least.
I figured, that user defined custom colors in Windows are stored in the Registry in:
[HKEY_CURRENT_USER\Control Panel\Custom Colors]
or alternatively in:
[HKEY_USERS\.DEFAULT\Control Panel\Colors]
But apparently they are not. Changes made to the custom color palette in Designer are not stored in the registry. Those values still remain FFFFFF.
Does anyone know, where Designer stores user defined custom colors? Is there a 'secret' undocumented .ini-file I missed?
Regards,
Steve

Does anyone know where the information added by Java reside?Essentially, in the directory.
Is there any way to query this information using VC++ dll or some other way?Yes, there are operating system APIs for it. That's how Java does it.
Does anyone know which windows dll or classes are used by Java to add these custom attributes
I tried lot by digging into code by decompiling java NIO classes but could not get it.I would try looking up the Windows API myself.

How do you Change Group Sort Direction using Report Client

It looks like there should be a sort direction property on the ISCRGroupOptions object but there is none. So how do you set the sort direction of the group?

I tried that and it did not work. Here's the code to change the grouping, note I also change the associated sort object. I did notice that if you go into the crystal reports designer and bring up the Record Sort Export and select the group's corresponding sort that the Sort Direction radio buttons are disabled. The question is how to change the sort direction shown on the Change Group Options dialog?
        public bool GroupModify(short GroupIndex, string TableName, string ColumnName, SortDirection SortDirection)
            bool result = false;
            if ((_ReportClient != null) && (GroupIndex >= 0) && (GroupIndex < this.GroupCount()))
                CrystalDecisions.CrystalReports.Engine.Group docGroup = _ReportDocument.DataDefinition.Groups[GroupIndex];
                ISCRField field = _ReportClient.DataDefController.FindFieldByFormulaForm(docGroup.ConditionField.FormulaName);
                if (field != null)
                    Group group = _ReportClient.DataDefController.GroupController.FindGroup(field);
                    if (group != null)
                        Group newGroup = group.Clone();
                        newGroup.ConditionField = FieldGet(TableName, ColumnName);
                        if ((newGroup.ConditionField != null) && (_ReportClient.DataDefController.GroupController.CanGroupOn(newGroup.ConditionField)))
                            _ReportClient.DataDefController.GroupController.Modify(group, newGroup);
                            result = this.SortSet(TableName, ColumnName, SortDirection);
            return result;
        public bool SortSet(string TableName, string ColumnName, SortDirection SortDirection)
            bool successful = false;
            if (_ReportClient != null)
                ISCRField field = FieldGet(TableName, ColumnName);
                if (field != null)
                    ISCRSort sort = _ReportClient.DataDefController.SortController.FindSort(field);
                    if (sort != null)
                        _ReportClient.DataDefController.SortController.ModifySortDirection(sort, CRSortDirection(SortDirection));
            return successful;
        public int GroupCount()
            int count;
            if (_ReportClient != null)
                count = _ReportClient.DataDefController.DataDefinition.Groups.Count;
            else
                count = 0;
            return count;

Restricting end user to one specific group with anyconnect

Hello all
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specifc AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?

Alternatively, you can use Radius authorization to place user into a specific group-policy:
- Configure the Group-Policy attribute under Radius to be OU=
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_extserver.html#wp1605475
On the ASA, just configure 1 tunnel-group, and depending on the authentication, the user will be placed into the correct group-policy specified under the ACS server.

Forms 10g Design Rich User Interface

Dear All,
i would link to design rich user interface in forms 10g.
for example : the button shape is circle , not only
rectangle.
Is it possible to do that in forms 10g or import some java object from third party tools.
best regards
borisys

Borisys,
the concept of Pluggable Java Comnponents (PJC) allows you that. PJC only change the UI of a component without affecting its functionality.
The Forms demos that are available on otn.oracle.com/products/forms contain enhanced buttons in teh form of mouse over effects.
Frank

DIT Design -- Handling users in overlapping & changing groups/institutions

Similar Messages

Maybe you are looking for