Group membership problem
Hi,
How can I find out which group a user belongs to in the SunONE
LDAP server? Do I need to iterate through each group in the server?
Is there any memberOf attribute that is automatically set when we make
a user a member of a particular group? This happens automatically in MS
Active Directory 2003.
Thanks
Sachin
http://swforums.sun.com/jive/thread.jspa?threadID=20326&tstart=45
has a pointer to what worked for me..
PS
Similar Messages
-
User's Group Membership problem with enterprise domain
Hi
I have some problems synchronizing Active Directory in LiveCycle ES 8.0.1.
I'm able to import the users and groups from an Active Directory to an enterprise domain... but the user-to-group association is not kept.
Could the problem be that the DN of the users is different from the DN of the group?
the DN users is something like this:
OU=CED,OU=CDC Utent,DC=house,DC=lan
and the DN of the group:
DC=house,DC=lan
Thanks
Ok, I think that the DN value is not the problem... I tried with another Active Directory and the user-to-group association is kept! But why?
In the user details of the Active Directory that doesn't synchronize well I have 2 more attributes:
dSCorePropagationData
profilePath
But really I don't understand where the problem is. Maybe the version of Active Directory?
Does anybody else have this weird issue?
Thanks. -
Problem in AD Group membership Insert Error "Response: CURRENT_ATTRIBUTES"
Hi all,
I am using Oracle Identity and Access Management 11g (11.1.1.5.0) with Weblogic 10.3.5 and applied patch 11.1.1.5.4. I have installed the AD Connector (activedirectory-11.1.1.5.0) and reconciled Group, OU and Users as a target source successfully. When I tried to provision a user in AD, the user was provisioned successfully but I got the following error message in Group membership Insert.
Task Name - Group membership Insert
Resource Name: AD User
Description:
User: Test User 10 [?TESTUSER10?]
Status: Rejected
Response: CURRENT_ATTRIBUTES
Response Description: Unknown response received
Notes:
Assigned to User : System Administrator[?XELSYSADM?]
Error Details
Setting task status... "CURRENT_ATTRIBUTES" does not correspond to a known Response Code. Using "UNKNOWN".
Schedule Detail
Projected Start: November 7, 2012 6:14:47 PM Projected End: November 7, 2012 6:14:47 PM
Actual Start: November 7, 2012 6:14:47 PM Actual End: November 7, 2012 6:14:48 PM
Last Update: November 7, 2012 6:14:48 PM
OIM LOG
Running UPDATECHILDTABLEVALUES
Target Class = oracle.iam.connectors.icfcommon.prov.ICProvisioningManager
<ObjectClassInfos>
<ObjectClassInfo type='Group' container='false' embedded='false'>
</optionsByOperation>
</Schema>
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:111)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.implementation(adpADIDCUPDATECHILDTABLEVALUES.java:56)
at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2917)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:547)
at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy348.retryTasksx(Unknown Source)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at $Proxy172.retryTasksx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy347.retryTasksx(Unknown Source)
at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.getCurrentAttributes(ICProvisioningManager.java:408)
at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.updateChildTableValues(ICProvisioningManager.java:485)
... 104 more
com.thortech.xl.dataobj.util.tcAdapterTaskException: CURRENT_ATTRIBUTES
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:117)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Hello
1. Download the latest version of Connector Server.
2. Stop OIM
3. Take from Connector Server Distr:
connector-framework.jar
connector-framework-internal.jar
to
$XEL_HOME\apps\oim.ear\APP-INF\lib
$XEL_HOME\ext\internal
4. Delete temporary cached libs from:
$DOMAIN_HOME\servers\$WEBLOGIC_NAME\tmp\_WL_user\oim_11.1.2.0.0\*
5. Start OIM-server
Implementation field notes: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES -
Weblogic 10.3.0 - Security Violation when Group Membership Lookup enabled
Dear Admins,
We're running a Weblogic 10.3.0 cluster with our own software deployed.
We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
In the Managed server we see this error (with test user):
Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
method=create, methodInterface=Home, signature={}.
When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
Group Hierarchy Cache TTL: 3600
provider specific settings :
Group Membership Searching: unlimited
Max Group Membership Search Level: 0
Also in Myrealm -> Performance we have set :
Enable WebLogic Principal Validator Cache
Max WebLogic Principals In Cache: 5000
If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.
This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
I'm more than willing to provide more info or config files
Edited by: user5974192 on 21-nov-2012 5:17
This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container from kicking in.
Edited by: user572625 on Aug 25, 2011 11:54 PM -
ACS 3.3 Windows group mapping problem
Hi,
I'm running Cisco Secure ACS v.3.3 on a Win 2000 server (SP4). The ACS server is a member of AD domain X. Additionally there are two AD forests: domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from the Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In the ACS documentation I have found this information: "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
Thanks,
Peter
You need to set up proxy.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
There is a known bug, CSCsi04187
PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
Conditions:
The machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
Workaround:
If the supplicant has the option you can send the machine name in hos/ format.
Many supplicants do not have this option.
It is to be fixed for ACS 4.2 release.
Regards,
~JG -
Getting list of all users and their group memberships from Active Directory
Hi,
I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
==================
import javax.naming.*;
import java.util.Hashtable;
import javax.naming.directory.*;

public class GetUsersGroups {
    public static void main(String[] args) {
        String[] attributeNames = {"memberOf"};
        // create an initial directory context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "p8admin");
        try {
            // Create the initial directory context
            DirContext ctx = new InitialDirContext(env);
            // get all the users list and their group memberships
            NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
            while (contentsEnum.hasMore()) {
                NameClassPair ncp = contentsEnum.next();
                // the name is relative to the container that was listed
                String userName = ncp.getName();
                System.out.println("User: " + userName);
                try {
                    System.out.println("am here....1");
                    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                    System.out.println("am here....2");
                    Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                    if (groupsAttribute != null) {
                        System.out.println("-----" + groupsAttribute.size());
                        // memberOf is a multi valued attribute
                        for (int i = 0; i < groupsAttribute.size(); i++) {
                            // print out each group that user belongs to
                            System.out.println("MemberOf: " + groupsAttribute.get(i));
                        }
                    }
                } catch (NamingException ne) {
                    // ignore for now
                    System.err.println("Problem encountered....0000:" + ne);
                }
            }
            // get all the groups list
        } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
        }
    }
}
=================
The following exception gets thrown at every user entry:
User: CN=Administrator
am here....1
Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=Administrator'
I think it gets thrown at this line in the code:
Attributes attrs = ctx.getAttributes(userName, attributeNames);
Any idea how to overcome this and where am I wrong?
Thanks in advance,
Regards.
In this sentence:
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
userName + ",CN=Users,DC=filenetp8,DC=com"
But I still have some problem with it.
Hope it will be useful for you. -
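The fix described in the reply above, as an added example that is not code from either poster: names returned by `ctx.list()` are relative to the listed container and must be resolved against the base DN before `getAttributes()`. The example goes further than the thread by replacing the per-entry lookups with one paged search that returns `memberOf` for every user. The class name, the page size and the `LDAP_URL`, `LDAP_BIND_DN` and `LDAP_BIND_PW` environment variables (an `ldaps://` URL and a read-only bind account) are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class UserGroupReport {
    // Base DN taken from the post above; connection details come from the environment.
    static final String BASE_DN = "CN=Users,DC=filenetp8,DC=com";
    static final int PAGE_SIZE = 500; // assumed value, below AD's default 1000-entry page limit

    /** Resolves a name returned by list() (relative to baseDn) into a full DN. */
    static String absoluteDn(String relativeName, String baseDn) throws NamingException {
        LdapName full = new LdapName(baseDn);
        full.addAll(new LdapName(relativeName)); // appends the more specific RDNs
        return full.toString();
    }

    /** One paged search instead of list() plus one getAttributes() call per entry. */
    static Map<String, List<String>> groupsByUser(LdapContext ctx, String baseDn)
            throws NamingException, IOException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        Map<String, List<String>> result = new LinkedHashMap<>();
        byte[] cookie = null;
        do {
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL)});
            NamingEnumeration<SearchResult> page =
                ctx.search(baseDn, "(&(objectCategory=person)(objectClass=user))", sc);
            while (page.hasMore()) {
                SearchResult sr = page.next();
                List<String> groups = new ArrayList<>();
                Attribute memberOf = sr.getAttributes().get("memberOf");
                if (memberOf != null) { // absent when the user has no direct memberships
                    NamingEnumeration<?> values = memberOf.getAll();
                    while (values.hasMore()) {
                        groups.add(String.valueOf(values.next()));
                    }
                }
                // getNameInNamespace() is already the full DN, unlike getName()
                result.put(sr.getNameInNamespace(), groups);
            }
            // The server's cookie says whether another page is waiting.
            cookie = null;
            Control[] responses = ctx.getResponseControls();
            if (responses != null) {
                for (Control c : responses) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            }
        } while (cookie != null && cookie.length > 0);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Offline part: the relative name printed in the post, resolved against its base.
        System.out.println(absoluteDn("CN=Administrator", BASE_DN));

        String url = System.getenv("LDAP_URL");       // assumed variable names
        String bindDn = System.getenv("LDAP_BIND_DN");
        String bindPw = System.getenv("LDAP_BIND_PW");
        if (url == null || bindDn == null || bindPw == null) {
            return; // no directory configured: stop after the offline part
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            groupsByUser(ctx, BASE_DN)
                .forEach((dn, groups) -> System.out.println(dn + " -> " + groups));
        } finally {
            ctx.close();
        }
    }
}
```

`memberOf` holds only direct memberships and omits the user's primary group (usually Domain Users), so a complete access review has to resolve nested groups and the primary group separately.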
Good morning all,
I need some help achieving the following in our Exchange 2013 Environment. First off, we have Exchange 2013, but all our clients have Outlook 2010.
Here's what I would like to be able to do:
1) create/manage public calendars / rooms in exchange 2013
2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Any one got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
membership.
I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining. I just want it to show up.
Any help on this is greatly appreciated, thank you!
1) I recommend using Room Mailboxes for resource calendars because it just works better.
2) This is a standard feature of a Room Mailbox.
3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
I don't know any way to just make them "show up". You'll have to teach them. Well written instructions can work wonders.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Not inheriting group membership / users not showing in workgroup "Everyone"
Hi,
In the new OS X Lion Server Profile Manager, there is a default group called Everyone, that should contain all users.
However, it only shows the first user I created (UID 1025).
Users created after that are not automatically added to the group Everyone
I can assign these newer users to a Workgroup I created myself, but since they are absent in the Everyone group, I cannot assign devices to these users, and thus not properly manage these users and their devices.
Using Workgroup Manager to check on the membership of the users with UID>1025 I see that the inherited workgroup membership of Users (GID 403) is missing.
How can fix a problem with the inherited group membership of users?
Thanks in advance.
Patrick
did you configure the people picker
http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
No need to configure the People Picker in a full trust between domains of the same forest.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Get AD group membership doesn't work for global groups
I want to pull the group membership for OBIEE directly from AD.
This has been covered in many blogs and forums, no problem, I've found some user created functions - basically all of it uses
DBMS_LDAP package methods
with one exception that additionally to it also uses
DBMS_LDAP_UTL.get_group_membership
ALL THOSE functions work BUT I've verified it with the actual group membership from AD or adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
The list returned by Oracle packages doesn't match, or to be exact only partially matches the factual AD list.
I've done some research and found there are three types used for defining group's scope by AD:
Domain Local, Global, or Universal
(http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
leaving the first one out of the scope as we don't use it
- I've verified and found ALL missing ONES are defined as GLOBAL
All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of GLOBAL
Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
and so AdFind can list both..
so why Oracle limits the search to UNIVERSAL ones only?
Maybe it's a matter of initialize those DBMS_LDAP packages differently or passing slightly different parameters??
I've really tried a lot of this code in different combinations but no joy
Has anyone got some ideas?...
I try to block the usage of the command prompt only on this server.
I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
Disabling the command prompt does NOT increase security
-- Bill Stewart [Bill_Stewart] -
AD Group Membership revoked on adding new group through role and access policy
Hi all,
when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
The ootb AD task, remove user from group is triggered.
The problem is happening only in Testing environment.
In development environment it is working fine.
it is not removing the default group memberships.
any ideas? thoughts? which I need to check.
my oim server is 11.1.1.3.0, with weblogic setup.
Edited by: Venu on Dec 2, 2011 1:06 PM
Do one thing:
Take New User
Assign First BILLING
Assign Second Group
And then ASSIGN CONTRACT
Update the results.
It is happening in one env so you might have done some configuration or it could be env issue as well. -
Group Memberships not Flowing into Metaverse
Hello,
I'm trying to figure out why the group member attributes in the CS are not flowing into the MV. Here's what I have:
An HR system running on SQL Server
A staging database that extracts data from the HR system
The staging database has a table representing person objects
The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc.)
The staging database has a table representing group objects
The staging database has a table representing group memberships (multi-valued)
A SQLMA connected to the person and person multi tables
A SQLMA connected to the group and group membership tables
All group memberships are based on job codes and locations. There is no approval process in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table.
This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense. The flow from the database into the CS works well. No issues there.
But, a search of the metaverse for the group shows an empty member attribute. The sync process is not throwing any errors. At least they're not showing up in the sync service app or the event logs.
Where allowed, I'm using rules extensions for everything. I can't use a rules extension to set the member attribute because it's an rdn.
I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object. Then, I'll modify my existing MA to use that attribute instead of the member attribute.
I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV rdn).
Anyway, I'm looking for some real world insight on this. This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
Thanks,
Greg Wilkerson
Hey Cameron,
I have total control of all the DB tables FIM is accessing. I build them up as part of IDM process.
I've read this article, along with the many others that address the "manager" scenario. This really doesn't apply in this case as the user and group objects are loaded in separate MAs. Getting reference values to flow when both objects live in the same CS shouldn't be an issue.
I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc.) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
EmployeeGroups
GroupName varchar(50) not null,
EmployeeID nvarchar(50) not null,
ID int identity(1,1) not null -
ADMT 3.2 Intraforest Computer Migration Group Membership
Hello friends,
I'm performing an Intraforest migration. I'm in the testing phase with Computer Migrations. The fact is that the computers belong to Universal Groups in the source domain and also in the target domain. Some of the groups are used to apply GPOs. Problem: when I do the migration from the source domain to the target domain, ADMT does not include the migrated computer in the same groups it was in the source domain. ADMT is able to include the migrated computer in groups that are not used for GPOs. Does somebody know why this is happening? What can I do in order to maintain the group membership of my computer?
Thank you!
Hi,
Usually, it is recommended that we perform migration in the following steps:
Group migration
Users account migration
Services account migration
Security Translation
Computers account migration
To perform an intra-forest migration, the following article can be referred to as reference.
Checklist: Performing an Intra-forest Migration
http://technet.microsoft.com/en-us/library/cc974337(v=ws.10).aspx
Best regards,
Frank Shen -
How to create Nested Group membership in OAM?
Hello,
I am facing a problem now about creating nested group membership in OAM. Although all documents mention that nested group membership is available in OAM and the "uniquemember" attribute's target object class covers both "inetorgperson" and "groupofUniqueNames", I still cannot find the option in Selector to add "group" members.
Please kindly suggest.
Thank you.
Liu Peng
Liu,
You've been very helpful, so I thought that I'd try to "return the favor" :)...
If you want to change the background color of that bar that contains the "Users Groups" to something other than dark blue, you can do it by editing the following file (this path is on Windows):
C:\Program Files\NetPoint\identity\oblix\lang\shared\sltr_navbar.xsl
I changed the line:
<table width="100%" border="0" bgcolor="#006699" cellpadding="0" cellspacing="0">
TO:
<table width="100%" border="0" bgcolor="#CCCCCC" cellpadding="0" cellspacing="0">
which, on my system, changes the bar background color from dark blue to gray.
Obviously, you can change the color to whatever you feel is appropriate, but the gray background definitely makes the links more visible :)!!
Here's a website that'll let you experiment with the color codes:
http://colorcombos.com/combotester.html
or choose a color visually:
http://www.liu.edu/cwis/CWP/library/colors.htm
You'll need to restart the OAM servers after making the change for it to become effective.
Thanks for your help!
Jim -
Samba winbind and group membership.
I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
The users are working fine however their group membership is not.
Users that should be members of certain groups do not seem to be: in that if I run "groups" and check the group membership for myself I am missing entries for some groups, yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seeing my username entered.
winbind has the following parameters set
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
I am at a loss as to why it picks up some groups and not others.
Has anyone come across something similar or know how to solve this issue?
Regards,
James
Hi,
I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
Regards,
Oliver -
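The mismatch described in this thread (a user listed as a member by getent group, but the group absent from the user's resolved group set) can be enumerated mechanically. The following is an added example, not part of the original posts: the function name, the EXAMPLE domain and the sample data are constructed, and it assumes an `id` that supports the POSIX `-G` option. It compares numeric GIDs because winbind group names contain spaces and backslashes.

```shell
#!/bin/sh
# missing_memberships USER GID_LIST GETENT_DUMP   (hypothetical helper)
#   USER        account name as it appears in group member lists
#   GID_LIST    space-separated numeric GIDs, as printed by: id -G USER
#   GETENT_DUMP group(4)-format lines: name:passwd:gid:member,member,...
# Prints "gid<TAB>group name" for each group that lists USER as a member
# but whose GID is not in GID_LIST.
missing_memberships() {
    # Values go through the environment: awk -v would process the
    # backslash in DOMAIN\user as an escape sequence.
    printf '%s\n' "$3" | WB_USER="$1" WB_GIDS="$2" awk -F: '
        BEGIN {
            n = split(ENVIRON["WB_GIDS"], g, " ")
            for (i = 1; i <= n; i++) have[g[i]] = 1
            # Windows account names are case-insensitive.
            want = tolower(ENVIRON["WB_USER"])
        }
        NF >= 4 {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) {
                if (tolower(members[i]) == want && !($3 in have)) {
                    printf "%s\t%s\n", $3, $1
                    break
                }
            }
        }'
}

# Constructed sample input (not taken from the thread).
SAMPLE_GETENT='EXAMPLE\domain users:x:10000:EXAMPLE\jdoe,EXAMPLE\asmith
EXAMPLE\unix admins:x:10007:EXAMPLE\asmith,EXAMPLE\jdoe
EXAMPLE\printer ops:x:10012:EXAMPLE\asmith
staff:x:10:'
SAMPLE_GIDS='10000 10'

# Live use on a winbind host (group enumeration must be enabled):
#   missing_memberships "$u" "$(id -G "$u")" "$(getent group)"
missing_memberships 'EXAMPLE\jdoe' "$SAMPLE_GIDS" "$SAMPLE_GETENT"
```

Any line it prints is a membership that access checks on the host will not honour, which matters when those groups gate sudo rules or file permissions.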
Calculate Set membership based on Group Membership
I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!
I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot refer to Groups when using "Resource ID" - bummer!
I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and it goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?
Thanks
I've done this using a custom WF, but still curious to see if there is some other way around it.
For those interested, the custom workflow gets the member being added from the request, and adds it to the set - fairly simple really. I'm using the FIM PowerShell WF activity for this, in conjunction with the fantastic FIM PowerShell Module.