Get AD group membership doesn't work for global groups

I want to pull the group membership for OBIEE directly from AD.
This has been covered in many blogs and forums, no problem. I've found some user-created functions; basically all of them use DBMS_LDAP package methods, with one exception that additionally uses DBMS_LDAP_UTL.get_group_membership.
ALL THOSE functions work, BUT I've verified the results against the actual group membership from AD or the adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm).
The list returned by the Oracle packages doesn't match, or to be exact only partially matches, the factual AD list.
I've done some research and found there are three types used by AD for defining a group's scope: Domain Local, Global, or Universal (http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx).
Leaving the first one out of scope as we don't use it, I've verified and found that ALL the missing ones are defined as GLOBAL.
All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones.
Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility, and so AdFind can list both.
So why does Oracle limit the search to UNIVERSAL ones only?
Maybe it's a matter of initializing those DBMS_LDAP packages differently or passing slightly different parameters?
I've really tried a lot of this code in different combinations but no joy.
Has anyone got some ideas?
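The comparison described in the post can be made repeatable with a short script. This is an added example, not code from the original post or from Oracle: it diffs the list returned by the database-side function against an AD-side listing and decodes each missing group's `groupType` attribute into its scope. The sample records, the DNs and the "attr: value" export layout are constructed assumptions.

```python
import re

# Active Directory groupType bit flags (the attribute is a signed 32-bit integer).
SCOPE_FLAGS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

# Constructed sample of the AD-side listing: blank-line separated "attr: value" records.
AD_EXPORT = """\
dn: CN=BI-Admins,OU=Groups,DC=example,DC=com
groupType: -2147483640

dn: CN=BI-Authors,OU=Groups,DC=example,DC=com
groupType: -2147483646

dn: CN=BI-Consumers,OU=Groups,DC=example,DC=com
groupType: -2147483646

dn: CN=BI-News,OU=Groups,DC=example,DC=com
groupType: 8
"""

# Constructed sample of what the database-side function returned.
ORACLE_RESULT = [
    "cn=BI-Admins, ou=Groups, dc=example, dc=com",
    "CN=BI-News,OU=Groups,DC=example,DC=com",
]


def decode_group_type(value):
    """Return (scope, kind) for a groupType value as AD reports it."""
    bits = int(value) & 0xFFFFFFFF  # fold the signed value into 32 unsigned bits
    scopes = [name for flag, name in SCOPE_FLAGS.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not carry exactly one scope bit")
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return scopes[0], kind


def normalize_dn(dn):
    """DNs compare case-insensitively; also ignore spaces around the separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ad_groups(text):
    """Map normalized DN -> (original DN, groupType) for every complete record."""
    groups = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = val.strip()
        if "dn" in attrs and "grouptype" in attrs:
            groups[normalize_dn(attrs["dn"])] = (attrs["dn"], int(attrs["grouptype"]))
    return groups


def missing_by_scope(ad_groups, oracle_dns):
    """Group the DNs present in AD but absent from the Oracle result by scope."""
    seen = {normalize_dn(dn) for dn in oracle_dns}
    report = {}
    for key, (dn, group_type) in ad_groups.items():
        if key not in seen:
            scope, _kind = decode_group_type(group_type)
            report.setdefault(scope, []).append(dn)
    return {scope: sorted(dns) for scope, dns in report.items()}


if __name__ == "__main__":
    for scope, dns in missing_by_scope(parse_ad_groups(AD_EXPORT), ORACLE_RESULT).items():
        print(f"{scope}: {len(dns)} missing")
        for dn in dns:
            print("   ", dn)
```

A report that lists only one scope, as in the post, shows that the gap follows group scope and is not random.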

...I try to block the usage of the command prompt only on this server.
I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
Disabling the command prompt does NOT increase security
-- Bill Stewart [Bill_Stewart]

Similar Messages

  • Forgot my adminpassword, i have tried the reboot with initial disk doesn't work i can't downlad anything, I am able to log on but the name and password to get in my computer doesn't work for admin password. i am about to give up any suggestions?macbook10

    Forgot my admin password. I have tried the reboot with the initial disk; it didn't work. I am able to get into my computer with name and password, but this same name and password doesn't work as an administrator's password when I want to download or change things.
    Do you have any suggestions? I'm about to give up. I can't even access wireless, have to use a DSL.
    Pretty sad.

    ... this same name and password doesn't work as an administrator's password when I want to download or change things.
    It's probably that your Keychain password is not the same as your login password. If you configured your computer to log you in automatically, you may not have used your login password in so long you forgot it.
    There is no way to retrieve the "login" Keychain password, but you can reset the Keychain from the Preferences menu: select it in the Keychain Access menu and select "Reset My Default Keychain". This will create a new, empty Keychain but the old one will be saved should you ever remember its password.
    The result of this is that you will have to supply passwords for everything that requires it, since without your Keychain they will no longer automatically fill themselves. However, once you supply them and store them in your new Keychain, they will be remembered.

  • Where used list doesn't work for global data

    Hi,
    When I try to do a where-used list on a constant in an include, it doesn't give the results for classes.
    The class contains the include in a method that uses the constant, and the where-used list for that constant doesn't find the appearance of the constant in the class.
    I tried to look for an OSS note that solves the problem but I couldn't find any.

    I tried to update the navigation index but it still doesn't work. From my debugging I found out that it just doesn't look in classes, all classes. I mean even in the where-used itself there is not an option for used in classes. I checked it and it's a generic problem of the where-used list for global data.
    Edited by: Cohen Lior on Apr 14, 2010 6:52 PM

  • Oracle client 9i doesn't work for windows ordinary user

    Hello All,
    I've installed the Oracle 9i client on Windows XP. The client software works for a user belonging to the Windows administrators group. It doesn't work for ordinary users not belonging to the administrators group. In particular, when I run sqlplus from the command line I get the following error:
    Incorrect environment variable PLUS_DFLT
    Program execution error.
    I also need access to the Oracle ODBC driver.
    When I try to configure an ODBC source (created by a user with administrator privileges) as a common user I get the following errors:
    The setup routines for Oracle for Oracle in OraHome9i ODBC driver couldn't be loaded due to system error code 5
    Could not load the setup or translator library
    I'd very much appreciate any help.
    Regards Arkadiusz Masny

    It sounds like the users on the machine do not have access to the Oracle home directory. Check the permissions of the folder by right properties, select the user and check that they have read and then select advanced. Tick the "replace permission entries....." box and apply. This will re apply all user rights in all folders and subfolders. Try again.
    HTH Mark F

  • The wifi at my school isn't very good. And I can't send iMessages through it. It works for some apps like score center and my radar app, but doesn't work for other apps like clash of clans and iMessage. How can I get it to work on that  wifi network

    The wifi at my school isn't very good. And I can't send iMessages through it. It works for some apps like score center and my radar app, but doesn't work for other apps like clash of clans and iMessage. How can I get it to work on my school wifi. I have an iPhone 4S on AT&T and iOS 7.04

    In a roaming network, your "main" router is the device that would require port mapping/forwarding to be configured in order to access the IP camera from the Internet. This router is also the one that would be provide the private IP address for the camera which you will want to be a static one.
    So as you described your network, the IP cameras should be getting an IP address or you assigned it a static one and this is the address that you would enter in the Private IP address (or equivalent depending on the router used) field when setting up port mapping.
    If you are not able to access this camera from the local network, then this should be troubleshot first.

  • I've bought an app called WhatsApp but I was not told that app doesn't work for ipod. So I would like to know how to turn back and get my money back.

    I've bought an app called WhatsApp but I was not told that app doesn't work for ipod. So I would like to know how to turn back and get my money back.

    Did you fail to look at the requirements before purchasing?
    All sales are final.  You can try contacting itunes support and asking for an exception

  • HT201263 Unable to update, restore or recover. Slider doesn't slide and number pad doesn't work for passcode. What next? Worked last night . Battery charged. When I push Home button I get my background but can't slide slider. Device is recognized by iTune

    Unable to update, restore or recover. Slider doesn't slide and number pad doesn't work for passcode. What next? Worked last night. Battery charged. When I push Home button I get my background but can't slide slider. Device is recognized by iTunes. Help! Thank you.

    Besweet, I'm having the very same problem with 60GB colour which was bought new and worked for 6 months before suddenly just not being recognised by PC. I hadn't changed anything at all.
    I've followed all troubleshooting advice and reinstalled and updated iTunes and iPod updater software but all troubleshooting routes seem to hit the dead end of either the need to access the iPod via the PC (which isn't possible as it's not showing up at all) or the iPod in disc mode stuck at "ok to disconnect".
    It's still under 1yr warranty so will have to take to a dealer.
    I'm sorry that's not much help for you but at least you know it's not a unique problem.
    PC   Windows XP  

  • How do I uninstall Firefox 4 & get previous version back? The new upgrade has problems & doesn't work for me.

    How do I uninstall Firefox 4 and get the previous version back?
    The upgrade has many problems and doesn't work for me.

    new version is the worst Firefox ever, no lip.

  • HT4527 How on earth do you get Home Sharing to work properly?  We have tried multiple times and it simply doesn't work for us!

    How on earth do you get Home Sharing to work?  We have tried numerous times and it simply doesn't work for us!

    Turn it on.
    Honestly, if you want help it is generally a good idea to ask a specific question and give some details of what problem is occurring.
    If trying to move media, using home sharing is simply a bad idea.  Follow some of the other instructions in the article from which the question was posted to move media.

  • Lighting effects in Photoshop CC doesn't work for me ... just shows ALL black .. any advice to get it to do what it is supposed to?

    Lighting effects in Photoshop CC doesn't work for me ... just shows ALL black .. any advice to get it to do what it is supposed to?

    So, you're totally new to computers?
    Go to the Help menu in Photoshop and select the System Info menu item.  Copy all that information and paste all of it here MINUS your serial number.
    Yes, Photoshop can delegate a lot of the computing tasks to the GPU on your graphics card.  You may have to disable that feature in Photoshop Preferences > Performance.

  • Policies assigned to groups - membership changes not working

    I have a single ZESM IR8 server setup.
    All security throughout my environment, ZESM and otherwise, is based on group membership.
    If I change a user from one group to another group this change does not reflect in their policy assignment.
    Scenario: GroupA = standard user policy, GroupB = power user policy.
    UserA was first in Group A and therefore got the standard user policy.
    UserA now requires the power user policy.
    Remove UserA from GroupA and add UserA to GroupB (in iManager).
    UserA does NOT get the "power user" policy that is assigned to GroupB
    Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.

    What you observed is the expected behavior.
    ZESM doesn't update group membership in real time once a policy has been published. I've described this behavior in previous posts.
    What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
    Try Updating the published policy to see if that works. From the docs:
    Updating a Published Policy
    Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the administrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.
    >>>
    From: laurabuckley<[email protected]>
    To:novell.support.zenworks.endpoint-security-management
    Date: 12/15/2009 7:16 AM
    Subject: Policies assigned to groups - membership changes not working

  • Apache Sling JCR Resource Resolver doesn't work for the anchor tags which is been rendered through j

    Certainly I realized that Apache Sling JCR Resource Resolver doesn't work for anchor tags which are rendered through jQuery or JavaScript.
    e.g.
    In Felix Console , in Apache Sling JCR Resource Resolver configuration I have added following mapping.
    /content/myproject/-/
    So If any anchor tag is there like <a href="/content/myproject/en.html"> click me </a> then it will be mapped to "/en.html" automatically.
    But the problem is there in following scenario.
    I have an anchor tag as follows.
    <a href="#" id="test"> click here </a>
    And I am assigning the href to anchor through JQUERY.
    <script>
    $("#test").attr("href","/content/myproject/en.html");
    </script>
    Ideally this should have been mapped to "/en.html".
    But it is not mapping to "/en.html". It still shows "/content/myproject/en.html".
    How to resolve this.
    Thanks,
    Sai

    In a servlet you have access to the resourceResolver so if you know which attributes contain links then it's relatively easy to apply resourceResolver.map to those links.
    Your challenge is clearly how do you know which attributes are links and which aren't. It is the same challenge that makes parsing the response and rewriting it on the way out difficult - the JSON doesn't have any semantic meaning, so how do you identify which attributes require rewriting? There really is no good answer to that question in my experience - all the options have downsides.
    Create some convention - all attributes matching this pattern X get mapped before being converted to JSON (could be attributes whose name ends in link, or it could be a convention applied to the value of the attribute - if the attribute is a string that starts with /content, apply the resource resolver mapping). In this case you have to train your developers to follow this convention, which is the downside.
    Create some configurable list of attribute names that require mapping. This is brittle, requires training and is easy to break.
    Implement a client side version of the resource resolver mapping. It wouldn't be as foolproof as server side mapping (because that takes into account but you could make it work for simple logic like stripping off /content/site/en. If you are just trying to solve the simple version of this issue - stripping off the top of the repository path - this might be your best option.
    Not worry about it and set up Apache 301 redirects that catch any long URLs and redirect them to short URLs (so configure Apache to look for any URL matching /content/site/en and strip off /content/site/en and do a 301 redirect to the shortened URL). You end up with a lot of extra HTTP requests because of all the 301s but it would work (I wouldn't recommend this option - but it is possible).

  • CAS SSO not working for VPN Group

    Hello,
    I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
    Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Windows radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
    The only thing I got is this from the ASA:
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
    AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
    I am so close but can't call this done yet....

    Hey Faisel,
    Thanks for the question.
    This is the strange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server) would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
    So on the ASA I now get these:
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
    AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
    Where cas_accounting2 is the AAA server group for Group A
    On the ASA I can see that the FW sends a packet to the cas:
    "send pkt cas2-hvn-3515/1813"
    but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
    "rad_vrfy() : response message verified"
    What can I look for in the CAS logs to see where the problem is? I will try to set up a packet capture on the CAS and debug it too.

  • Get e-mail button doesn't work

    The only way I can get Thunderbird 24.5.0 to get these messages is to hit the drop down arrow and click on each of the two accounts separately. Even the get all new messages doesn't work. I've tried to delete the inbox & inbox.mfg (?) folders for each account and the local folder, resetting Thunderbird, tried to remove icons during customizing tool bar, then restoring defaults without any luck. I don't think something is set up correctly. What I am trying to get Thunderbird to do is to check both accounts with the get mail button and put all the messages in the same inbox. It worked that way on the version I had on XP and I have moved to Win 7 and can't figure this out. Any help would be greatly appreciated!

    ''check both accounts with the get mail button''
    Tools (Alt-T) - Account Settings - Server Settings - Advanced
    Check 'Include this server when getting new mail.'
    ''... put all the messages in the same inbox.''
    http://kb.mozillazine.org/Global_Inbox

  • The enclosure in RSS feed doesn't work for Itune

    I subscribed to my podcast RSS feed in iTunes, which was valid and had been tested successfully with other aggregators such as iPodder; however, it doesn't work for iTunes. When I hit the "get" button next to my podcast name, I always get a "!" sign in front of the name, and when I clicked it, I got the error message "There was a problem downloading 'XXXXX'. The network connection could not be made".
    I'm not sure if this problem resulted from the "rewrite" function I used on my podcasting server in order to track the downloading. Here is how it works: when an mp3 file is requested, my web server will redirect the request to another asp.net program to do something and then redirect to the real mp3 file for downloading. Can it be a problem in iTunes? But I can use this enclosure URL to download this mp3, and also iPodder works fine with this RSS feed.
    Any help will be appreciated.
    Leo
      Windows XP  

    Thanks for your reply.
    However, according to the iTunes specs, as follows:
    Tracking Usage
    Please note that iTunes does not provide usage statistics. Some podcasters have created mechanisms for tracking the number of times that each episode has been downloaded. iTunes does not provide support in how to track downloads, but the following notes may be helpful:
    * 302s will be followed to a depth of 5 redirects and will not update the feed URL in the directory.
    * The URL before the GET-style form values (before the first ?) must end in a media file extension (e.g. mp3). To work around this, the feed provider can alter their URL from this:
    http://www.podcaster.com/load.php?f=&Wipeout.php
    to this:
    http://www.podcaster.com/load.mp3?f=&Wipeout.mp3
    Notice how it says load.mp3 instead of load.php. It should be possible to accomplish this via various means, such as web server rewrites. iTunes looks at the extension of the path part of the url, i.e. the part before the "?".
    The http request redirection is allowed as long as the appropriate file extension such as ".mp3" is used.
    By the way, I tested it with "no redirection" version, which worked fine.
    Leo
