Group Provisioning in LDAP
Hi,
Can I provision a 'group' in LDAP through Sun IdM? If so, please let me know the steps to do that.
Thanks
Message was edited by:
Raja.Samy
Can you be a bit more specific when you say provision a group? Do you mean create a new group in LDAP, modify an existing group? Off the top of my head I believe you can use the create resource object from. On the Resources tab, under Resource Actions (I believe) there is a selection for create resource object. That might suit your needs.
Similar Messages
-
Hi Gurus,
We are trying to figure out if we can provision a NEW user ID into LDAP (AD) through CUP? Ideally we will have a Manager enter a request into CUP that includes a user's SAP access as well as AD and have CUP autoprovision this access.
In reading the guides it seems CUP can only write groups to existing AD users.
Does anyone have any thoughts or experiences?
Thanks,
Grace Rae
Grace,
CUP can provision existing LDAP groups to existing IDs, but as you said, cannot create new ones. The best method to incorporate this would be to connect CUP to an IDM system to provision the ID and access. If this is not acceptable, the other option is to create a custom connector that would communicate with a third party application (such as a macro/script) that would create the IDs through a separate process.
I know this isn't the news you want to hear, but I hope it helps!
Tyler
-
Creating OAAM users and groups in external LDAP i.e. OID
Hi Experts,
I am looking for the procedure to create OAAM users and groups in external LDAP i.e. OID.
I am using 11gR2.
Any pointers would be appreciated.
Regards,
Subin
Check this link http://docs.oracle.com/cd/E27559_01/dev.1112/e27206/lcm.htm#autoId3
-
Anyconnect tunnel-group and group-policy from LDAP
Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
It is my understanding that the authentication method is provided by the tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_AD
This all works, but for _one_ of the group policies I'd like to enable (external) two factor authentication. To enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose?
Fabian,
Your connection lands on a tunnel group and picks a group policy.
A typical way to overcome the problem you're indicating is by using group-url.
A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.
vide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
M.
-
Shared Services native group provision
Hi, can someone help me with this issue..
Shared Services.
Some Existing Native groups. Right click on group > Provision > gives error "This operation is not supported".
Have to deprovision to make this error go away. Right click properties OK, changes can be made, but cannot save, giving same error.
Help needed urgently..
Thanks..
OK, thanks a lot John.
one more question for you John.
We need to know who logs in?
When they logged in and how long?
Also can we log what they access ie: reports, planning, analysis
How can we review these logs.
I know we can see the user sessions in the view statistics page in Planning, but apart from that is there a way I can know what reports, applications etc. a user accesses? I need to keep track. Is there some log for this?
Thanks,
Ricky.
-
How to set up presentation service group based on groups defined in LDAP
Hello guys
we have successfully implemented LDAP authentication, and we imported 5 groups from LDAP to BI server. However, these 5 groups and their members are not displaying on presentation server under presentation catalog group, it still only has two groups "everyone" and "admin"..
To manually create these 5 groups and members will be too much work, so what can I do to get these 5 groups and members on presentation service with the proper data level security defined in admin tool?
Please advise
Thanks
Have you created an Init Block to populate the GROUP variable? See the following post:
http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
-
How to remove prefix from AD group names in ldap auth. provider?
Hi all,
I'm using weblogic 10.3.5 and LDAP authentication provider for accessing microsoft AD.
Group names in AD are created and look like this: PREFIX_basic_user, PREFIX_advanced_user...
but enterprise roles in ADF application are created like this: basic_user, advanced_user...
Is there a way to map AD groups to enterprise roles through LDAP Authentication provider without adding PREFIX_ on enterprise roles in ADF application?
Thanks in advance
Powershell (or vbscript if you want to be old school).
You can trigger a powershell script which will remove the offending user(s) easily enough without resorting to a TOLDAP pass. Nearly any script type thing would work but powershell is preferred. It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
Otherwise, TOLDAP is the way to write to AD...
Peter
-
Wishlist for groups administration in LDAP server console
I wonder why there is no basic support in administration of
groups in the Directory Server console. What I and others
are missing is:
- search for users in large static groups
- sort columns in group member display by clicking on column titles
- search and display of group memberships of a user entry
and - if I'm at it - display the DN of
a user entry if found through the register tab 'users and groups' search dialog of the first console window to see where the user is located in the directory tree.
Yes, we could buy another software to manage that, if we had the budget and write it by ourselves if we had the budget. But normally the console is sufficient and I want to
administrate everything in one place. Other tools may not understand Sun LDAP roles so I would have to use two or more tools.
Frerk Meyer
Sharmila,
Have you gone through http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html#wp1198953
Configure a new LDAP Auth Provider and use the appropriate values to your LDAP.
Then if you navigate to Global Roles -> Deployer within Admin Console, you can add the particular group to this role.
Thanks,
Paz
-
Retrieving user and group information from LDAP using j_security_check
Hi
I am using j_security_check to authenticate users against LDAP. I have made all necessary configuration for the server to perform LDAP group search as well as mentioned in the WAS documentation of LDAP settings. Now, how can I retrieve the user and the user group info after the j_security_check? Apart from the UserPrincipal object which I can get from the request which just has the user name, is there any other object which will give me the user and user group info by which I need to connect to LDAP using my java code to retrieve this information?
Regards
Deepak
Hmm, you don't need the user group info to connect to the LDAP server, right? You would need the user's Id (which you have) and password (which you don't). You could use the LDAP credentials and bind as that to look up the user info via the user id. Or if the server is set up to allow anonymous bind you could do it without credentials. But if all you want is group info then you should be able to call Security.getCurrentSubject().getPrincipals() to get the user principal as well as all groups (this is true in BEA WebLogic at least).
Good Luck
Lee
-
Getting group members using ldap query
I need help writing an LDAP query for iPlanet to retrieve all the members of a group. I can do it on Active Directory using the following :
(memberof=CN=SundanceGroup,CN=Users,DC=Test,DC=com)
But I am not able to do it with iPlanet. Please let me know how to do it.
Thanks,
Binu
"memberof" attribute is not supported by iPlanet. Try using "uniquemember" attribute instead. Also the users in iPlanet are generally created under "ou=people" and not "cn=users". Try changing your filter as (uniquemember=CN=SundanceGroup,ou=people,DC=Test,DC=com).
BTW
does anyone know how to query different servers with a common filter to get the groups of a user?
-
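An added example (not part of the original posts) for the "Getting group members using ldap query" thread above: Active Directory exposes membership as a `memberOf` back-link on user entries, while a static `groupOfUniqueNames` group stores member DNs in `uniqueMember` on the group entry, and any value placed in a filter should be escaped per RFC 4515. The helper names, the `ou=groups` location and the in-memory directory are assumptions constructed for the demonstration.

```python
# Added illustration; every DN and entry below is constructed sample data.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN or name cannot change the filter's structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def ad_members_filter(group_dn):
    # Active Directory: user entries carry a memberOf back-link to the group.
    return "(memberOf=%s)" % escape_filter_value(group_dn)

def static_groups_of_user_filter(user_dn):
    # Static group: membership is stored on the group entry as uniqueMember.
    return ("(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
            % escape_filter_value(user_dn))

def norm(dn):
    # Simplified DN comparison (case, spaces after commas); assumes no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed directory: one static group (assumed under ou=groups) and two users.
DIRECTORY = {
    "cn=SundanceGroup,ou=groups,dc=test,dc=com": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["uid=binu,ou=people,dc=test,dc=com",
                         "uid=lee,ou=People,dc=test,dc=com"],
    },
    "uid=binu,ou=people,dc=test,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=lee,ou=people,dc=test,dc=com": {"objectClass": ["inetOrgPerson"]},
}

def static_group_members(directory, group_dn):
    """Members of a static group: read uniqueMember from the group entry itself."""
    wanted = norm(group_dn)
    for dn, attrs in directory.items():
        if norm(dn) == wanted:
            return sorted(norm(m) for m in attrs.get("uniqueMember", []))
    return []

def groups_of_user(directory, user_dn):
    """What a search with static_groups_of_user_filter(user_dn) would match."""
    wanted = norm(user_dn)
    return sorted(dn for dn, attrs in directory.items()
                  if "groupOfUniqueNames" in attrs.get("objectClass", [])
                  and wanted in {norm(m) for m in attrs.get("uniqueMember", [])})

if __name__ == "__main__":
    print(static_groups_of_user_filter("uid=binu,ou=people,dc=test,dc=com"))
    print(static_group_members(DIRECTORY, "CN=SundanceGroup,ou=groups,DC=Test,DC=com"))
```

Against a live server the same two filters would be passed to the LDAP client's search call; the in-memory lookup only stands in for the server here.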
OIM - OID (11g) auto-provision thru ldap sync
Hi,
I have configured ldap sync. I have following questions
1. We have created custom attributes in OID and referred to custom object class. Now when I try to create user in OIM, user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in user object of OID, unless we refer manually the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
2. When user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM? Is it the expected behavior? But create, update, delete are happening as expected.
Please let me know if anyone knows the solution.
Hi,
Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users these attributes do not get updated on OID. Should I add these UDF in any objectclass which OIM understands? Please suggest.
Thanks in advance
-
Shared Services Group Provisioning
Hi,
I am using Hyperion Shared Services 9.3.1. I am running a script to provision users under one group.
I am running it through importexport utility.
I have tested the script with 2 users and it has provisioned those. That means the script is correct. My problem is this time I am running the script to provision 200+ users in one group.
Is there a way I can check through logs how much it has finished or how many users it has provisioned? I am going under that group in Shared Services; over there it's not showing those users.
Please help me.
Thanks in advance.
Pankaj Mehta.
Hi,
In the property file you can enable tracing by specifying a trace log file in the ExportImport properties file. Enable the following properties:
importexport.enable.console.traces=true (indicates whether trace information should be displayed in the console where the Import/Export utility is executed)
importexport.trace.events.file=<LogFileLocation> (trace log file)
importexport.errors.log.file=<LogFileLocation> (errors during the operation are logged to this file)
Hope this helps!
Nra
-
How to change the DN of a user when provisioning to LDAP (iPlanet User)
When I provision a new user to iPlanet User (LDAP) resource, it creates the account with DN = uid=<user login>,ou=people,dc=test,dc=com
How can I change it so that it will create the account with DN = cn=<Fullname>, ou=people,dc=test,dc=com ?
I don't see the DN field defined in the iPlanet User form.
Is this a live environment? I would suggest setting this from the start, and not trying to change later. Most likely it's using this prefix for both pre and post name so when you change it in the middle, one of them won't be found.
-Kevin
-
User and group handling in LDAP Realm
Hi,
I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
Any help much appreciated.
Dave
Hi Dave:
In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication logic and user management logic.
Fun
-
Bulk provisioning to LDAP using sun connector
Hi guys,
I am able to provision only a single OIM user at a time to the LDAP directory using the Sun connector.
Could anyone please suggest an approach for provisioning multiple users at a time?
divya
What Octavian has said is right: have 2 IT resources and then have an ItResourceLookup Field in your process form. You can either have it default to any one of the ItResource (OID server) or you can allow the admin to select this during direct provisioning. Depends on how you are doing provisioning i.e. direct or request based or policy based.