Getting manager hierarchy using LDAP

I have a set of Oracle email IDs. I would like to get their manager hierarchy as well as job title. Is this possible using LDAP? If so, can someone please explain with a code snippet?
Thanks.

Hi 711286,
I didn't know you could insert data such as the manager of a person when you create a person in LDAP? At least I don't recall that.
Anyhow you can access data in the LDAP using the DBMS_LDAP package in PL/SQL, so if the data is there you can reach it.
The DBMS_LDAP PL/SQL Package
Although I have to say I think this data should just be kept in your own database tables, not in the LDAP, otherwise who knows what else you're going to put in there.
Regards,
Joni
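
As an added example (not code from either poster), here is the lookup the question asks for: resolve each e-mail address to one entry, then follow the `manager` DN upward while collecting `title`. It is written in Python against a constructed in-memory directory so it runs offline; with DBMS_LDAP the `search` and `get_entry` helpers (hypothetical names) would be `DBMS_LDAP.search_s` calls. It assumes the directory populates the standard `mail`, `title` and `manager` attributes, and it escapes the address before placing it in the filter.

```python
import re

# Constructed sample data (DN -> attributes) standing in for a real directory.
# mail, title and manager are standard LDAP attribute types; whether your
# directory actually fills them in is an assumption to verify first.
SAMPLE_DIRECTORY = {
    "cn=Ann Lee,ou=people,dc=example,dc=com": {
        "mail": ["ann.lee@example.com"],
        "title": ["Software Engineer"],
        "manager": ["cn=Bob Roy,ou=people,dc=example,dc=com"],
    },
    "cn=Bob Roy,ou=people,dc=example,dc=com": {
        "mail": ["bob.roy@example.com"],
        "title": ["Engineering Manager"],
        "manager": ["cn=Cy Diaz,ou=people,dc=example,dc=com"],
    },
    "cn=Cy Diaz,ou=people,dc=example,dc=com": {
        "mail": ["cy.diaz@example.com"],
        "title": ["Vice President"],
        # Deliberate data error: the top of the tree points back down.
        "manager": ["cn=Bob Roy,ou=people,dc=example,dc=com"],
    },
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    """Turn \\XX hex escapes back into characters, as a server would."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, ldap_filter):
    """Hypothetical stand-in for an LDAP search: (attr=value) and (attr=*) only."""
    match = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", ldap_filter, re.S)
    if not match:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, raw = match.group(1).lower(), match.group(2)
    if re.search(r"[()]", raw):
        # Unescaped parentheses would change the filter's structure.
        raise ValueError("unescaped parenthesis in filter value")
    hits = []
    for dn, attrs in directory.items():
        values = attrs.get(attr, [])
        if raw == "*":                      # presence filter: any value matches
            if values:
                hits.append(dn)
        elif _unescape(raw).lower() in (v.lower() for v in values):
            hits.append(dn)
    return hits


def get_entry(directory, dn):
    """Base-scope read of one entry; DNs are compared case-insensitively here."""
    wanted = dn.strip().lower()
    for key, attrs in directory.items():
        if key.lower() == wanted:
            return key, attrs
    return None, None


def manager_chain(directory, mail, max_depth=25):
    """Return [(dn, title), ...] from the person up through each manager."""
    hits = search(directory, "(mail=%s)" % escape_filter_value(mail))
    if len(hits) != 1:
        return []                           # unknown or ambiguous address
    chain, seen, dn = [], set(), hits[0]
    while dn and len(chain) < max_depth:
        key, attrs = get_entry(directory, dn)
        if key is None or key.lower() in seen:
            break                           # dangling reference or a loop
        seen.add(key.lower())
        chain.append((key, (attrs.get("title") or [None])[0]))
        dn = (attrs.get("manager") or [None])[0]
    return chain


if __name__ == "__main__":
    for address in ["ann.lee@example.com", "*"]:
        print(address, "->", manager_chain(SAMPLE_DIRECTORY, address))
```

The `seen` set and `max_depth` matter in practice: `manager` values are free-form DNs maintained by people, so loops and dangling references do occur.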

Similar Messages

  • Getting group members using ldap query

    I need help writing an LDAP query for iPlanet to retrieve all the members of a group. I can do it on Active Directory using the following :
    (memberof=CN=SundanceGroup,CN=Users,DC=Test,DC=com)
    But I am not able to do it with iPlanet. Please let me know how to do it.
    Thanks,
    Binu

    "memberof" attribute is not supported by iPlanet. Try using the "uniquemember" attribute instead. Also the users in iPlanet are generally created under "ou=people" and not "cn=users". Try changing your filter as (uniquemember=CN=SundanceGroup,ou=people,DC=Test,DC=com).
    BTW
    does anyone know how to query different servers with a common filter to get the groups of a user?

  • Tables to get the hierarchy used for the global Variable

    Hello,
    we are using a characteristic Reporting Unit "ZCS_RDRUN" with a input ready variable "ZCS_RV_MM_REPUNITHIER_RDM".
    The reporting unit is a hierarchy characteristic and the variable is a hierarchical variable of type Hierarchy node variables fixed to a hierarchy we are using for this query. We have selected a hierarchy for the input ready variable, e.g. Total Group. My question would be: is it possible to read out the selected hierarchy of the input ready variable from a table? If YES, from which table? I know that we could read out all input ready variables but I don't know how to read out the hierarchy selected for the input ready variable of type "Hierarchy node variable".
    I would be very thankful for all your help
    Thanks and kind regards,
    Muri

    You can check the query run times and other details in the workload analysis (ST03) or using the table RSDDSTAT.
    In order to check the information using the above two methods, make sure the BI stats are maintained in your system.
    http://wiki.sdn.sap.com/wiki/display/MaxDB/WorkloadMonitor%28ST03orST03N%29

  • General Warning: could not get server configuration in ldap, using cached c

    Guys,
    desperately need some help here. I have an installation consisting of 4 mtas that speak to an ldap. I'm currently in the process of adding 2 more. I've added the fifth and there has been no problem whatsoever. I'm now trying to add the sixth. I install the software. There are no error messages as the software installs. It's able to see both the configuration and the user directories. Once this is finished I immediately go and run start-msg and for each component I get the message :
    "General Warning: could not get server configuration in ldap, using cached configuration information".
    I've tried pinging and tracerouting my ldap server with no problem, I can telnet/ssh to it. My server configuration is almost exactly the same as the fifth server. I make no other changes after the installation script finishes, yet it can't talk to the ldap.
    I'm running IMS5.2p1 on a Solaris 8 SPARC server.
    Thanks
    Ali

    That error message only comes up when the server can't get to the config ldap server on startup. There's no other time when you see this.
    There is either a mis-configuration of your server, or of your ldap, or you just can't get there from here.
    Why are you installing 5.2p1, now? 5.2p2 has been out for over a year. ..
    6.0 has been out for well over a year, and 6.2 has been out for many months, now. I hate to see you installing old software, when new is available.

  • Managing 100s UNIX servers through OIM using LDAP,

    Hi Experts,
    I have a requirement where 100s of UNIX servers need to be managed through OIM using LDAP.
    Please guide me on how to implement this through LDAP as the best solution.
    Thanks.

    Take a look at:
    http://www.oracle.com/technology/products/oid/oracleauthenticationservices.html
    Oracle Authentication Services for Operating Systems

  • Get UserInformation in windows using LDAP

    Hi all...
    In Windows OS the 'net send username message' command is used to send the message to the target username.
    How does it get the remote machine address from the username? Or I need the username from the remote machine address.
    I think net.exe uses LDAP for getting the username and remote machine information. I don't know exactly whether they are using LDAP or another technique. Finally, how do I get remote machine information (including the currently logged-in username) by giving the remote machine name as input?
    If anybody has an idea, please let me know...

    The Netxxx commands are the old LanMan/Win32 networking calls.
    IIRC, when a user logged on to a workstation, that most derided of protocols, NetBIOS, registered the username, machine name and possibly some other stuff with WINS. That enabled you to do something like Net Send Message and the message was actually delivered to the workstation at which the user had logged on.
    Those Win32 calls are based on DCE RPC and not on LDAP so unlikely that you can invoke them via JNDI.
    You may want to look at JCIFS, perhaps they support the equivalent of net send. I have no idea (nor interest) in what JCIFS can or cannot do.
    Good luck.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...

  • How can I get properties from my ldap server?

    urgent, I don't know
    how to use the getproperties to get the properties
    from ldap server, anyone help?

    Hi Kevin,
    You could write a portlet that uses the <um:getProfile> and
    <um:getProperty> tag (
    http://edocs.bea.com/wlp/docs40/p13ndev/jsptags.htm#1058056 )
    Or you can do an easier test that requires no coding: If you use the EBCC
    to create metadata about your ldap property set, then you can use the JSP
    portal admin tool to see your LDAP properties for a user. I think if you go
    through the UUP example on dev2dev.bea.com it has instructions for doing
    this with a UUP. Basically, create a property set (a.k.a. "user profile")
    named "ldap" in the EBCC and create properties that match the ones you want
    to retrieve ("telephoneNumber", etc...CASE SENSITIVE). Then access the JSP
    portal admin tool. If you are not using the LDAPRealm as your alternate
    security realm then create a user that you know exists in LDAP and then hit
    the link for the user and search the "ldap" property set and you will see
    their property values. If you are using the LDAPRealm for authentication,
    then this is not a ManageableRealm so you cannot create users (they are
    managed in your LDAP server). So, if you are using the LDAP realm, just
    create the "ldap" property set in the EBCC and go to the user mgmt tools in
    the JSP admin tools and you will see your user. Then search the "ldap"
    property set for your user and you will see the property values.
    Ture Hoefner
    BEA Systems, Inc.
    www.bea.com
    "Kevin" <[email protected]> wrote in message
    news:[email protected]...
    >
    Hello,
    We're trying to retrieve an arbitrary profile and its attributes from
    a Novell NDS ldap server. I've configured the ldapprofile.jar as
    described in the portal doc:
    http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824
    but the article doesn't go on to describe how to use the configuration
    to actually access the properties.
    I'm unsure as to how to use the com.bea.p13n.usermgmt.profile.ldap
    package to retrieve the information I need.
    Is there some step by step instructions to achieve this as well as
    some sample code to run in a jsp to test this functionality?
    Thanks for any help.
    Kevin
    Ture Hoefner <[email protected]> wrote:
    Hi Eric,
    The LdapPropertyManager handles that for you. All you have to do is
    deploy it. (I'm talking about Portal 4.0). See the docs at "Accessing
    Properties from an LDAP Server" (
    http://edocs.bea.com/wlp/docs40/p13ndev/users.htm#1131824 )
    You will need to deploy the LDAPPropertyManager EJB, located in
    ldapprofile.jar. It is shipped with the product in
    <wlportal4.0-install-dir>/lib/p13n/ejb/ldapprofile.jar.
    Eric Nie wrote:
    urgent, I don't know
    how to use the getproperties to get the properties
    from ldap server, anyone help?
    --
    Ture Hoefner
    BEA Systems, Inc.
    2590 Pearl St.
    Suite 110
    Boulder, CO 80302
    www.bea.com

  • Start-msg: could not get server configuration in ldap

    Hello,
    I am trying to get iPlanet Messaging Server 5.2 Patch 1 running, but when I run start-msg
    I get the following error message:
    General Warning: could not get server configuration in ldap, using cached configuration information
    Note: I created this system using a ufsdump and ufsrestore combination on the instance directory.
    Other file systems were not copied over.
    My guess is that something else may be missing?
    I ran ns-slapd first before starting the messaging server.
    Thanks in advance.
    Tim

    > Thanks for the response. I have some followup questions:
    >
    > > I have done this with Messaging Server. Several things to do:
    > > 1. Go into Console, and change it there. You need to change hostname and ip for admin server, Directory server, and messaging server.
    >
    > When I bring up the console, it asks for a user name and password. Well, the admin quit and left no documentation, so I don't have any idea on what to use. Any ideas?
    The default user's name is "admin". The password was assigned during installation. You can also use "cn=Directory Manager", but again, the password was assigned on install.
    >
    > > 2. Edit your mappings file, to reflect the new ip address.
    >
    > Where is this mappings file?
    <install directory>/msg-<name of your server>/imta/config
    >
    > > 3. Change the setting for "mailhost" for every user to reflect the new hostname. If you don't do this, nobody will get any mail.
    >
    > I interpret this to mean:
    > (1) use db2ldif and then use an editor to do a global search and replace on the mail hostname.
    yes
    >
    > > It may turn out to be easier to "migrate" your data, rather than "fix" by changing hostname/ip.
    > > to migrate:
    > > install new application on new box, with correct hostname/ip
    >
    > Unfortunately, I tried this and did not have much success. I gave up and went with ufsdump/ufsrestore.
    That's very much the hard way. . .
    >
    > > Use MoveUser to migrate users and mailboxes from old to new, or
    > > Use imsbackup/imsrestore to move the mailboxes.
    > > Export the data from ldap in ldif format, then use a text editor to change the mailhost value for all the users, and then import that new data to the new directory server
    >
    > I think I will have to do this anyways, right.
    > Assuming my new box is offline for a while and users are still using the old box.
    You can certainly use imsbackup/imsrestore to move all new mails. . .

  • Access Enforcer - Manager Approvers from LDAP

    Hello
    We have AE tied to LDAP, from which it gets user, requester and manager information.
    Today we use Customer Approver Determinator, to configure the approvers.
    We would like to enable 'manager approval' in AE.
    Does AE support 'Manager Approver' from LDAP?
    Thanks

    Thanks for your answer.
    Like I mentioned we have LDAP as the user data source.
    But in Custom Approver Determinator, there is no way to set up the LDAP manager as approver.
    Can you please shed more light on this?
    Thanks again.

  • Need to know about SSO using LDAP

    Hi Everyone,
    Thank you very much for helping me get through all the problems I faced in the past. I really appreciate the effort and valuable time you have given me, and I'm sure that you all will always help newbies and help seekers like me in the future too. Thanks for your kind efforts.
    I am very new to ADF security. I was thinking of building an Enterprise application with multiple small sub-applications using ADF in JDev. No big deal, but my problem is I want to use SSO for user authentication using LDAP. But I really have no idea where to start or how to start. Which software do I need to download?
    For all my past problems there was a sample example I found for help, and I learned a lot from it. I also tried a lot to find a small example for what I require here, but I failed to find any example of SSO using LDAP (like Oracle SSO).
    So I need your guidance to get to my solution, and I hope that as usual I'll get the right solution.
    Thanks
    Fizzz...

    Fizzz,
    Oracle SSO is part of Oracle Identity Management. You can find the download link here (http://www.oracle.com/technology/software/products/ias/htdocs/101310.html). It's "bigger than a breadbox," however - installing enough bits to get to Oracle SSO will ensue creating a new repository (aka database) together with a middle-tier app server instance for the SSO server. I'm not sure if there are any OBE's (Oracle by Example), but I do know there is an identity management forum.
    Best,
    John

  • How to Get Additional Info from LDAP

    I have an application that is using LDAP authentication. It's working great but I would like to know if it's possible to extract additional information about the user at the point of authentication. For example when the user logs in and is authenticated it would be nice to be able to get their email address, phone, etc. at that time. Is this possible with the existing authentication scheme? I didn't see anything mentioned in the Help text.
    Thanks.
    David

    Tom,
    Have a look at the code I posted in this thread -
    Re: help with htmldb_ldap.is_member function
    Whilst that thread is more related to using the is_member function, the code I posted shows how you can query the attributes for a particular DN in an LDAP server.
    So....I don't want to put the cart before the horse, but if it helps your case to make Apex (as it's known now rather than HTMLDB) "the winner", then I would stress that this feature is definitely achievable (but how difficult it is will depend on your exact requirements).
    In short....definitely do-able....

  • Any issues with using LDAP on LINUX for GRC 5.2 UME?

    Our company is converting our LDAP servers from AIX to LINUX.  The DNS name used in our UME connection should not change.  Are there any issues with using LDAP on LINUX?  We are currently on GRC 5.2 SP9 (in the middle of upgrading to SP12).
    Also, I have been trying to connect our test UME system to a test LDAP box that has already been converted to LINUX but keep getting a 'connection failed' error when I try to test it. 
    Do you have to reboot the server to test changing the LDAP connections?  I've been trying it by going into UME, pulling up the LDAP tab, hitting the Modify button, entering the new userid and password for test LDAP, and hitting the Test Connection button.  I've verified that this userid and password is correct for test LDAP.
    Is there a way to get more information about why the connection failed?
    Thanks.

    I've been told by our LDAP Support group that none of the other configuration settings should have to be changed.  I should only have to change the id and password to connect to a test version of LDAP instead of our regular connection to the production LDAP.
    Can you test a connection for a different userid/password without having to reboot/restart the server?  Do I need to change these two settings, save then, reboot/restart, and then do the Test Connection button?
    Thanks.

  • How to get Manager id automatically when Employee Id is given.

    How to get Manager id automatically when Employee Id is given.
    1) I created a simple BO with two elements namely
        1.Employee Id
        2.Manager id
    How to get employee's first name and last name?
    And how will I get the manager id automatically when I click employee id in the element field?
    Anbu.

    Have you tried to use "APPS.FND_CONCURRENT" API?
    http://etrm.oracle.com/pls/trm11510/etrm_pnav.show_object?c_name=FND_CONCURRENT&c_owner=APPS&c_type=PACKAGE
    http://etrm.oracle.com/pls/trm11510/etrm_pnav.show_object?c_name=FND_CONCURRENT&c_owner=APPS&c_type=PACKAGE%20BODY
    Thanks,
    Hussein

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
        -- allow only when the LDAP distinguishedName contains "OU=Users"
        if ( (type(aaa.ldap.distinguishedName) == "string") and
             (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
            return true
        end
        return false
    end)()
    From the debug dap you can see what Users relates to:
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
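
The expression in the reply above is a substring search over the whole DN. As an added illustration (Python, not the poster's code and not ASA DAP Lua; the sample DNs are constructed after the trace format shown and the helper names are hypothetical), the following compares that substring test with matching one exact OU component after parsing the DN:

```python
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split a DN string into [(attribute_type_lowercased, value), ...].

    Handles backslash escapes (\\, and \\2C style hex pairs). Multi-valued
    RDNs joined with '+' and the quoted-string form are not handled.
    """
    rdns, attr, value, in_value, i = [], [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                literal, i = chr(int(pair, 16)), i + 3
            else:
                literal, i = dn[i + 1], i + 2
            (value if in_value else attr).append(literal)
            continue
        if ch == ",":                       # unescaped comma ends this RDN
            rdns.append(("".join(attr).strip().lower(), "".join(value)))
            attr, value, in_value = [], [], False
        elif ch == "=" and not in_value:    # first '=' separates type from value
            in_value = True
        else:
            (value if in_value else attr).append(ch)
        i += 1
    if attr or value:
        rdns.append(("".join(attr).strip().lower(), "".join(value)))
    return rdns


def in_ou(dn, ou_name):
    """True only if one RDN is exactly OU=<ou_name>, compared case-insensitively."""
    return any(t == "ou" and v.lower() == ou_name.lower() for t, v in parse_dn(dn))


def substring_check(dn, needle="OU=Users"):
    """Same test as the string.find() expression quoted in the post."""
    return needle in dn


# Constructed sample DNs, not taken from any real directory.
SAMPLE_DNS = [
    "CN=Mr B,OU=Users,OU=Site A,DC=CH,DC=Mycompany,DC=com",
    "CN=Admin Mr B,OU=Admin Users,OU=Site A,DC=CH,DC=Mycompany,DC=com",
    "CN=Temp,OU=Users-External,OU=Site A,DC=CH,DC=Mycompany,DC=com",
    "CN=Mr C,ou=users,OU=Site A,DC=CH,DC=Mycompany,DC=com",
    "CN=Smith\\, OU=Users Liaison,OU=Admin Users,DC=CH,DC=Mycompany,DC=com",
]


def compare(dns=SAMPLE_DNS, ou_name="Users"):
    """Return [(dn, substring_result, exact_component_result), ...]."""
    return [(dn, substring_check(dn, "OU=" + ou_name), in_ou(dn, ou_name)) for dn in dns]


if __name__ == "__main__":
    for dn, by_substring, by_component in compare():
        print("%-5s %-5s %s" % (by_substring, by_component, dn))
```

The two tests agree on the first two DNs and disagree on the other three: an OU whose name merely starts with "Users", a lowercase `ou=users`, and a CN whose value contains the text.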
