Group Provisioning in LDAP

Hi,
Can I provision a 'group' in LDAP through Sun Idm? If so, please let me know the steps to do that.
Thanks
Message was edited by:
Raja.Samy

Can you be a bit more specific when you say provision a group? Do you mean create a new group in LDAP, or modify an existing group? Off the top of my head I believe you can use the create resource object form. On the Resources tab, under Resource Actions (I believe) there is a selection for create resource object. That might suit your needs.

Similar Messages

  • CUP Provisioning into LDAP

    Hi Gurus,
    We are trying to figure out if we can provision a NEW user ID into LDAP (AD) through CUP? Ideally we will have a Manager enter a request into CUP that includes a user's SAP access as well as AD and have CUP autoprovision this access.
    In reading the guides it seems CUP can only write groups to existing AD users.
    Does anyone have any thoughts or experiences?
    Thanks,
    Grace Rae

    Grace,
    CUP can provision existing LDAP groups to existing IDs, but as you said, cannot create new ones.  The best method to incorporate this would be to connect CUP to an IDM system to provision the ID and access.  If this is not acceptable, the other option is to create a custom connector that would communicate with a third party application (such as a macro/script) that would create the IDs through a separate process.
    I know this isn't the news you want to hear, but I hope it helps!
    Tyler

  • Creating OAAM users and groups in external LDAP i.e. OID

    Hi Experts,
    I am looking for the procedure to create OAAM users and groups in external LDAP i.e. OID.
    I am using 11gR2.
    Any pointers would be appreciated.
    Regards,
    Subin

    Check this link http://docs.oracle.com/cd/E27559_01/dev.1112/e27206/lcm.htm#autoId3

  • Anyconnect tunnel-group and group-policy from LDAP

    Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
    To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
    It is my understanding that the authentication method is provided by the tunnel-group.
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LDAP_AD
    This all works, but for _one_ of the group policies I'd like to enable (external) two factor authentication. To enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
    Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
    When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
    To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose?

    Fabian, 
    Your connection lands on a tunnel group and picks a group policy. 
    A typical way to overcome the problem you're indicating is by using group-url. 
    A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
    vide:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    M.

  • Shared Services native group provision

    Hi, can someone help me with this issue?
    Shared Services.
    Some existing Native groups. Right click on group > Provision > gives error "This operation is not supported".
    Have to deprovision to make this error go away. Right click properties OK, changes can be made, but cannot save, giving same error.
    Help needed urgently.
    Thanks.

    OK, thanks a lot John.
    One more question for you, John.
    We need to know who logs in.
    When they logged in and how long?
    Also can we log what they access, i.e. reports, planning, analysis?
    How can we review these logs?
    I know we can see the user sessions in the view statistics page in Planning, but apart from that is there a way I can know what reports, applications etc. a user accesses? I need to keep track. Is there some log for this?
    Thanks,
    Ricky.

  • How to set up presentation service group based on groups defined in LDAP

    Hello guys
    We have successfully implemented LDAP authentication, and we imported 5 groups from LDAP to BI server. However, these 5 groups and their members are not displaying on presentation server under presentation catalog group; it still only has two groups, "everyone" and "admin".
    To manually create these 5 groups and members will be too much work, so what can I do to get these 5 groups and members on presentation service with the proper data level security defined in admin tool?
    Please advise
    Thanks

    Have you created an Init Block to populate the GROUP variable? See the following post:
    http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/

  • How to remove prefix from AD group names in ldap auth. provider?

    Hi all,
    I'm using weblogic 10.3.5 and LDAP authentication provider for accessing microsoft AD.
    Group names in AD are created and look like this: PREFIX_basic_user, PREFIX_advanced_user...
    but enterprise roles in ADF application are created like this: basic_user, advanced_user...
    Is there a way to map AD groups to enterprise roles through LDAP Authentication provider without adding PREFIX_ on enterprise roles in ADF application?
    Thanks in advance

    Powershell (or vbscript if you want to be old school).
    You can trigger a powershell script which will remove the offending user(s) easily enough without resorting to a TOLDAP pass. Nearly any script type thing would work but powershell is preferred. It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
    Otherwise, TOLDAP is the way to write to AD...
    Peter

  • Wishlist for groups administration in LDAP server console

    I wonder why there is no basic support in administration of
    groups in the Directory Server console. What I and others
    are missing is:
    - search for users in large static groups
    - sort columns in group member display by clicking on column titles
    - search and display of group memberships of a user entry
    and - if I'm at it - display the DN of a user entry if found through the register tab 'users and groups' search dialog of the first console window to see where the user is located in the directory tree.
    Yes, we could buy another software to manage that, if we had the budget and write it by ourselves if we had the budget. But normally the console is sufficient and I want to administrate everything in one place. Other tools may not understand Sun LDAP roles so I would have to use two or more tools.
    Frerk Meyer

    Sharmila,
    Have you gone through http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/atn.html#wp1198953
    Configure a new LDAP Auth Provider and use the appropriate values to your LDAP.
    Then if you navigate to Global Roles -> Deployer within Admin Console, you can add the particular group to this role.
    Thanks,
    Paz

  • Retrieving user and group information from LDAP using j_security_check

    Hi
    I am using j_security_check to authenticate users against LDAP. I have made all necessary configuration for the server to perform LDAP group search as well as mentioned in the WAS documentation of LDAP settings. Now, how can I retrieve the user and the user group info after the j_security_check? Apart from the UserPrincipal object which I can get from the request which just has the user name, is there any other object which will give me the user and user group info by which I need to connect to LDAP using my java code to retrieve this information?
    Regards
    Deepak

    > Hi
    > I am using j_security_check to authenticate users against LDAP. I have made all necessary configuration for the server to perform LDAP group search as well as mentioned in the WAS documentation of LDAP settings. Now, how can I retrieve the user and the user group info after the j_security_check? Apart from the UserPrincipal object which I can get from the request which just has the user name, is there any other object which will give me the user and user group info by which I need to connect to LDAP using my java code to retrieve this information?

    Hmm, you don't need the user group info to connect to the LDAP server, right? You would need the user's Id (which you have) and password (which you don't). You could use the LDAP credentials and bind as that to look up the user info via the user id. Or if the server is set up to allow anonymous bind you could do it without credentials. But if all you want is group info then you should be able to call Security.getCurrentSubject().getPrincipals() to get the user principal as well as all groups (this is true in BEA WebLogic at least).
    Good Luck
    Lee

  • Getting group members using ldap query

    I need help writing an LDAP query for iPlanet to retrieve all the members of a group. I can do it on Active Directory using the following:
    (memberof=CN=SundanceGroup,CN=Users,DC=Test,DC=com)
    But I am not able to do it with iPlanet. Please let me know how to do it.
    Thanks,
    Binu

    The "memberof" attribute is not supported by iPlanet. Try using the "uniquemember" attribute instead. Also the users in iPlanet are generally created under "ou=people" and not "cn=users". Try changing your filter as (uniquemember=CN=SundanceGroup,ou=people,DC=Test,DC=com).
    BTW, does anyone know how to query different servers with a common filter to get the groups of a user?

  • OIM - OID (11g) auto-provision thru ldap sync

    Hi,
    I have configured ldap sync. I have the following questions:
    1. We have created custom attributes in OID and referred to custom object class. Now when I try to create user in OIM, user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in user object of OID, unless we refer manually the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
    2. When user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM. Is it the expected behavior? But create, update, delete are happening as expected.
    Please let me know if anyone knows the solution.

    Hi,
    Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users these attributes do not get updated on OID. Should I add these UDF in any objectclass which OIM understands? Please suggest.
    Thanks in advance

  • Shared Services Group Provisioning

    Hi,
    I am using Hyperion Shared Services 9.3.1. I am running a script to provision users under one group.
    I am running it through importexport utility.
    I have tested the script with 2 users and it has provisioned those. That means the script is correct. My problem is this time, I am running the script to provision 200+ users in one group.
    Is there a way I can check through logs how much it's finished or how many users it has provisioned? I am going under that group in Shared Services; over there it's not showing those users.
    Please help me.
    Thanks in advance.
    Pankaj Mehta.

    Hi,
    In the property file you can enable tracing by specifying a trace log file in the ExportImport properties file. Enable the following properties:
    importexport.enable.console.traces=true (indicates whether trace information should be displayed in the console where the Import/Export utility is executed)
    importexport.trace.events.file=<LogFileLocation> (trace log file)
    importexport.errors.log.file=<LogFileLocation> (errors during the operation are logged to this file)
    Hope this helps!
    Nra

  • How to change the DN of a user when provisioning to LDAP (iPlanet User)

    When I provision a new user to iPlanet User (LDAP) resource, it creates the account with DN = uid=<user login>,ou=people,dc=test,dc=com
    How can I change it so that it will create the account with DN = cn=<Fullname>, ou=people,dc=test,dc=com ?
    I don't see the DN field defined in the iPlanet User form.

    Is this a live environment? I would suggest setting this from the start, and not trying to change later. Most likely it's using this prefix for both pre and post name so when you change it in the middle, one of them won't be found.
    -Kevin

  • User and group handling in LDAP Realm

    Hi,
    I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
    I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
    Any help much appreciated.
    Dave

    Hi Dave:
    In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication logic and user management logic.
    Fun
    Dave Horner wrote:
    Hi,
    I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
    I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
    Any help much appreciated.
    Dave

  • Bulk provisioning to LDAP using sun connector

    Hi guys,
    I am able to provision only a single OIM user at a time to LDAP directory using sun connector.
    Could anyone please suggest an approach for how to provision multiple users at a time?
    divya

    What Octavian has said is right: have 2 IT resources and then have an ItResourceLookup field in your process form. You can either have it default to any one of the ItResource (OID server) or you can allow the admin to select this during direct provisioning. Depends on how you are doing provisioning, i.e. direct or request based or policy based.
