Dynamic LDAP Groups with WLS5.1

Similar Messages

• Dynamic LDAP groups

  Hi All,
  Weblogic Server 5.1 doesn't support dynamic LDAP groups.
  Our experience shows that the same problem is present with WLCS 3.11
  Is the problem solved in WS 6 and WLCS 3.5?
  Kind Regards,
  Panu Harkonen

  Hello J.P.,
  Note that LDAP realm v2 which is the default realm in WLS 6.1 can only show
  group names in the WLS admin console, not the group members (LDAP realm v1,
  the same realm in previous versions of WLS servers does show group members
  in admin console).
  From my understanding of dynamic groups they are still conceptually similar
  to a regular group, albeit its members are stored differently. So with this
  understanding I don't see why WLS 6.1 LDAP realm wouldn't be able to use
  dyanmic groups. You can probably run a quick test yourself to see.
  Regards,
  BEA WebLogic Support
  "Jose Perez" <[email protected]> wrote in message
  news:3c838ce2$[email protected]..
  >
  Hi all,
  Does anyone know if weblogic 6.1 supports dynamic LDAP groups?
  Thacks in advance,
  J.P.

• Dynamic Approval Group with Voting Method  First Responder Wins

  Hi all,
  i create new Approver Group with type: Dynamic, and Voting Method: First Responder Wins. and i write the query to get user_id.
  The query return the correct users, but in the approval list in the wf, it requires approval from all users in my dynamic approver group !!
  i need only one first user to approve (First Responder Wins), then must go to next approver group.
  please help me to solve this problem
  thanks all ..
  hedaya

  With Dynamic approval First Responder wins does not work, We have to use Roles in HR Manager.
  Refer Configuring Parallel Approvers Notification (Doc ID 471125.1)

• Issues creating dynamic distribution group with PowerShell

  I am trying to create a DDG with the following filters: Mailbox Users, specific OU and not member of a certain group. This script works fine (minus the exclusion):
  New-DynamicDistributionGroup -Name "1Test1" -RecipientContainer "OU=ABC,DC=xyz,DC=com" -IncludedRecipients 'MailBoxUser'
  \When I change the script to exclude members of the group the DDG is blank:
  New-DynamicDistributionGroup -Name "1Test1" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (MemberOfGroup -ne "CN=1ExcludeDynamic,OU=ExchangeGroups,DC=xyz,DC=com") -and (RecipientContainer -eq "OU=ABC,DC=xyz,DC=com")}
  Any ideas will be appreciated.

  All right. That's a good thing. Now create another new DDL using the Powershell cmdlet and the values you got from the "RecipientFilter" and "RecipientContainer" properties. Then verify that you get the same results as you do when you ran this on the one
  you created with the GUI:
  Get-DynamicDistributionGroup
  'NewGroup' | fl Name,RecipientContainer,RecipientFilter,LdapRecipientFilter
  and
  $g=Get-DynamicDistributionGroup NewGroup
  (Get-Recipient
  -RecipientPreviewFilter $g.RecipientFilter
  -OrganizationalUnit $g.RecientContainer).count
  If you do, then run a Get-DynamicDistributionGroup GROUPNAME | Set-Dynamic -RecipientFilter
  {(RecipientType -eq 'UserMailbox') -and (MemberOfGroup -ne "CN=1ExcludeDynamic,OU=ExchangeGroups,DC=xyz,DC=com")}
  Then see if it works as expected. If it doesn't try this:
  Get-DynamicDistributionGroup GROUPNAME | Set-Dynamic -RecipientFilter {(RecipientType -eq 'UserMailbox') -and -not (MemberOfGroup -eq "CN=1ExcludeDynamic,OU=ExchangeGroups,DC=xyz,DC=com")}
  --- Rich Matheisen MCSE&I, Exchange MVP

• Creating Dynamic Radio Groups with HTMLDB_ITEM

  Hi,
  I'm using HTMLDB (1.5.1.00.12) and attempting to create a Dynamic Radiogroup using the HTMLDB_ITEM package in a PL/SQL region. (It's not known until runtime whether a radiogroup should appear on the page.) I normally call to HTMLDB_ITEM and htp.p the results to the screen.
  If I was creating this radiogroup using a normal Page Item: Active/Inactive. I usually define a list of values as: STATIC:Active;A,Inactive;I
  How can I do this with HTMLDB_ITEM package, and get both radiobuttons to appear on the same line next to each other? Unfortunately this function doesn't have a p_query I can pass values to. I'm sure I'm overlooking something obvious so I'm hoping some fresh perspective on this will help.
  Thanks in advance!

  Hi Patrick,
  Thank you for your reply I have done this as follows.
  function getTermdetailsQuerySuccsess(sender, args) {
    var listEnumerator = Termsitems.getEnumerator();
    // var datatable = document.getElementById("TermList");
    var i =0;
    while (listEnumerator.moveNext()) {
     i=i+1;
     var Question = listEnumerator.get_current().get_item('Title');
     var QuestionNumbers = listEnumerator.get_current().get_item('questionnumber');
     if (QuestionNumbers == 1) {
     $("#questiontable1 tbody").append("<tr>");
     $("#questiontable1 tbody").append("<td align='left'>"+ Question +" </td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='radio' name='question1Radio"+i+"' id='Question1Radio"+i+"'></td>");
     $("#questiontable1 tbody").append("<td align='Center'><input type='text' name='question1Text"+i+"' id='Question1Text"+i+"'></td>");
     $("#questiontable1 tbody").append("</tr>");
  d.n weerasinghe

• Select list populated with ldap group membership attributes

  Is it possible to query an LDAP group and retrieve all the members of the group?
  For example, if I have an LDAP group with members' login name, I want to retrieve all login names and populate a select list so the end-user can choose a login name from the group.
  Thanks, alan.

  The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select-list is the listitems values, all your listitem-entries have the same value. therefore, of you select any entry, the list will always go the the first entry again.
  Adjust your query.

• Mapping LDAP Groups to SAP Roles

  Hi there,
  i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
  My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
  In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
  In Web AS ABAP it seems impossible to assign roles to groups.
  <b>The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?</b>
  Or is there another way to administrate users in different systems?
  Thanks alot for your answers,
  stefan

  Hi
  in this case u have to use the concept of central user administration. use the following links
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
  hope this helps u to get fair bit of idea
  don,t forget to give points
  With regards
  subrato kundu

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Two groups with the same name in File and LDAP realms

  Hi,
  I configured WLS 6.0 SP1 to use an LDAP caching realm
  as default one. In the LDAP server (Netscape Directory)
  I have a group called Administrators. There is a group
  with the same name in WLS own File Realm. When I click
  on the Groups menu item in the administration console
  I only get the Administrators group from the File Realm
  listed. Is that expected? What will happen if I protect
  a resource ti the Administrators group? Which one will
  prevail - the one from the LDAP or the one from File
  Realm? Or maybe the two will be merged?
  Regards,
  Plamen Petrov
  AstraZeneca
  Sweden

  Hi
  First of all I want to know that where you created your class, In SE24 or in any programm.
  if in SE24, then go to se24 open that class go to methods tab and check if that method name accurs at two places, if not, then
  click on that method and check the code.
  or if in a program.
  then you must have defined like
  class <class name> definition.
  public section
  method <method name>
  endclass.
  class <class name> implementation.
  method <method name>
    code for that method.
  endclass.
  It might be possible you have set the implementation part twice for that particular method, So please check and delete one implementation for that method.
  Thanks
  Lalit Gupta

• Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

  Can an email address be a member of an LDAP group even if it isn't
  associated with an object in the Directory Server?
  <P>
  General members of a group are the members defined in the
  Directory Server. They are full-fledged members of the group who
  may have a set of permissions associated with their membership,
  a title, or other attributes. Mail-specific users are users who
  are not full-fledged members of the group, but who receive mail
  sent to the group. Mail-specific users need not be identified as
  a user in the Directory Server--an email address is sufficient.
  An example of this is a group of salespeople, all of whom are in
  the group "North American Sales Team." They have access to a
  sales-tracking database, on-line quota information, and
  competitive information. The mail-specific users of this group
  are the admins who support the members of the sales team, who need
  to get the mail that goes out to the group, but don't need access
  to the applications and information that the salespeople do.

  Hey EllyK,
  Welcome to the BlackBerry Support Community Forums.
  Thanks for the question.
  I would suggest performing this workaround and then try to login to BlackBerry Link:
  Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
  Connect the BlackBerry 10 smartphone to the computer. 
  Open BlackBerry Link
  Sign in using the BlackBerry ID. 
  Let me know if the issue still persists.
  Cheers.
  -ViciousFerret
  Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
  Be sure to click Like! for those who have helped you.
  Click  Accept as Solution for posts that have solved your issue(s)!

• Webcenter dicussion forum - Ldap Group Integration with JSSO

  Hi,
  We want to implement LDAP Group integration for the authorization purposes in
  webcenter Jive Disucussions deployed in our IAS 10.1.3.2 application server.
  Though jive provides support for the same, yet the JIve documentation says
  that we need to implement the JIve's LDAP User authentication steps in order
  to leverage LDAP Groups integration. In case of Webcenter if we use Java SSO
  for the authentication purpose, we need opt for the 'Default' in the Jive
  Admin's authentication page instead of LDAP settings. Opting for 'Default'
  scheme doesn't allow us to configure the LDAP group settings. We are not able
  find any documentation for LDAP Group Integration along with Java SSO. Could
  provide us the steps required for the same? Or has anyone tried the same?
  Thanks and Regards,
  ABhijit

  Hi Abhijit,
  You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
  - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
  - Jive documentation for implementing user authentication
  Navneet.

• Create SCOM Group with dynamic members about 10minutes !

  in our SCOM 2012 SP1 (CU3) environment with about 800 Windows Agents.
  OperationsDB on a Windows Cluster (2 physical server with 2 processors (six cores). Datawarehouse on separate cluster.
  When i create a group with dynamic members, it took about 10min. During this period all the consoles are busy and freezing. 
  Is that normal ?
  Regards
  Lehugo

  on the management server i got follow eventlog error durung this time: 
  OpsMgr Management Configuration Service failed to execute 'ConfigStoreStatsUpdate' engine work item due to the following exception
  Microsoft.EnterpriseManagement.ManagementConfiguration.DataAccessLayer.DataAccessException: Data access operation failed
     at Microsoft.EnterpriseManagement.ManagementConfiguration.DataAccessLayer.DataAccessOperation.ExecuteSynchronously(Int32 timeoutSeconds, WaitHandle stopWaitHandle)
     at Microsoft.EnterpriseManagement.ManagementConfiguration.SqlConfigurationStore.ConfigurationStore.ExecuteOperationSynchronously(IDataAccessConnectedOperation operation, String operationName)
     at Microsoft.EnterpriseManagement.ManagementConfiguration.SqlConfigurationStore.ConfigurationStore.WorkItemCompleted(IConfigServiceEngineWorkItemHandle workItemHandle, IConfigServiceEngineWorkItemResult workItemResult)
     at Microsoft.EnterpriseManagement.ManagementConfiguration.Interop.SharedWorkItem.ExecuteWorkItem()
     at Microsoft.EnterpriseManagement.ManagementConfiguration.Interop.ConfigServiceEngineWorkItem.Execute()
  System.Data.SqlClient.SqlException (0x80131904): Sql execution failed. Error 50000, Level 16, State 1, Procedure WorkItemMarkCompleted, Line 61, Message: Failed to report work item completion. Work item with id 1888748 is not assigned to service instance 'XXXXXX\Default'
     at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
     at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning()
     at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
     at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
     at System.Data.SqlClient.SqlCommand.CompleteAsyncExecuteReader()
     at System.Data.SqlClient.SqlCommand.EndExecuteNonQuery(IAsyncResult asyncResult)
     at Microsoft.EnterpriseManagement.ManagementConfiguration.DataAccessLayer.NonQuerySqlCommandOperation.SqlCommandCompleted(IAsyncResult asyncResult)

• Help with dynamic distribution group exclusion

  Hi all,
  Having a strange trouble with a dynamic distribution group filtering on the user being a member of a particular group
  Recipient Filter  is:
  ((((((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')))) -and (MemberOfGroup -ne 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local'))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')))
  If I make a preview of this distribution list I get expected result. Users included in ExcludeFromMoitorigList group don't appear. But they continue receive emails sent to dynamic distribution group.
  Any help is much appreciated

  I'm not sure what all of the settings you are adding are for, but operating under the assumption that they are necessary, try this:
  ((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
  If that doesn't work, try this:
  ((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
  FYI, the reason for those suggestions is because I got this working on Exchange 2013 running on Server 2012 Datacenter by taking the existing RecipientFilter and adding the -not MemberOfGroup section, but noticed that all of this was then duplicated:
  -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
  As such, I re-created it without that, and that's what I've done with your string.  I also changed the -ne to a -not(-eq) and in the second example, got rid of some extra parenthesis that I'm not sure you need.
  Also, note that in my working scenario, I used this command and put the filter I was setting where I have indicated <filter> (I left the double quotes in the command):
  Set-DynamicDistributionGroup -Identity <Group> -RecipientFilter "<filter>"

• Dynamic Distribution Groups not working with Office365 Mailboxes

  Ok so my problem is this. I am creating new dynamic distribution lists based on office location with the option to look at the notes section in AD and add an additional office if a user needs to be on both lists.
  We have recently started using Office365 for some users and they need to get the emails too.
  When I create the group initially using:
  New-DynamicDistributionGroup -Name "Location-London UK" -OrganizationalUnit "domain.net/Groups/Email Groups/Locations" -RecipientContainer "domain.net/Our Users" -RecipientFilter {(RecipientType -eq 'MailUser') -or (RecipientType
  -eq 'UserMailbox') -and (Office -eq 'London') -or (Notes -eq 'London')}
  It creates the group limiting to the Accounts with London as their office but it includes every Office365 mailbox we have also.
  There is a DDG in our EMC for an office in Hong Kong but I am not aware of who created it.
  Its filter says:
  ((((((RecipientType -eq 'MailUser') -or (RecipientType -eq 'UserMailbox'))) -and (Office -eq 'HongKong'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue
  -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')))
  This group includes only the users with Hong Kong as well as Office365 users with Hong Kong as their office location
  Ive tried to recreate this DG but cant as using Powershell still makes groups with the Office265 users in them.
  The only way ive successfully created a London DG is by using ADSIedit to copy the msExchQueryFilter from Hong Kong to London and change the Office Name to London
  Any help would be appreciated

  For your recipient filter, use the following:
  {((RecipientType -eq 'MailUser') -or (RecipientType -eq 'UserMailbox')) -and
  ((Office -eq 'London') -or (Notes -eq 'London'))}
  See if that works ... that's effectively how the Hong Kong one is built.  Make sure you get the extra parentheses (I bolded them), they should make the difference.

• VPN with RSA and LDAP Groups

  I'm tryin to rebuild our VPN environment with a pair of 5520. WE're going to use Anyconnect mobility exclusively with SSL. No IPSec and no SSL Webvpn.
  We have a large number of contractors using the VPN to access specific internal resources so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor so I want to assign the group policy through LDAP group memebership. However, primary authentication will be via RSA 2 factor.
  How do I get the ASA to check group membership and hense assign the right group when primary authentication is through RSA?
  Thanks for any help.

  yes you can do the Authentication to an RSA server and the Authorization to the LDAP server.
  Please configure LDAP as an authorization server.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
  Do let me know how it goes.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**