How to verify user LDAP group membership

Hi,
We are attempting to determine if a user is a member of a specific LDAP group in our directory; if the user is a member it should return TRUE, else FALSE (this is done by defining the LDAP attribute 'CN' (property), which returns a result 'CN=<UserName>' or returns 'getting 0 entries'). The query we have is
(&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).
Any pointers on how to do this?
Thank you.

You could do a couple of things...
1) Install dsquery (add remote AD tools to your box) and run something like
dsquery group -u <user name>
Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.
2) Use powershell functions and powershell capability to check for group membership, something like this:
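function Get-GroupMembership($DN,$group){
    # Bind to the user object by its distinguished name
    $objEntry = [adsi]("LDAP://"+$DN)
    # Output the memberOf entries whose DN matches the group name
    $objEntry.memberOf | where { $_ -match $group}
}
# EXAMPLE CALL
Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"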
Then you can regex through the output for the "True" or "False" word and run with that.
Either should get you what you want.
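
The TRUE/FALSE check asked about in this thread, as an added example that is not code from either poster. It assumes Active Directory, uses sAMAccountName as the login name, and the function names Test-AdGroupMember and ConvertTo-LdapFilterValue are hypothetical; the DNs are placeholders.

```powershell
# Added example (hypothetical helper names); assumes Active Directory.

# Escape a value for use inside an LDAP filter (RFC 4515), so that a user or
# group name containing * ( ) \ or NUL cannot change the filter's structure.
function ConvertTo-LdapFilterValue([string]$Value) {
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Test-AdGroupMember {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # login name
        [Parameter(Mandatory)][string]$GroupDN,          # full DN of the group
        [string]$SearchRoot = 'LDAP://DC=domain,DC=com', # placeholder base from the question
        [switch]$Nested                                  # also follow nested groups
    )
    $user  = ConvertTo-LdapFilterValue $SamAccountName
    $group = ConvertTo-LdapFilterValue $GroupDN

    # 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    $attr = if ($Nested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    try {
        $searcher.SearchRoot = [adsi]$SearchRoot
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$user)($attr=$group))"
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        # FindOne() returns $null when no entry matches ("0 entries").
        return ($null -ne $searcher.FindOne())
    }
    finally {
        $searcher.Dispose()
    }
}

# Constructed sample values; replace with a real login name and group DN.
Test-AdGroupMember -SamAccountName 'kazun' -GroupDN 'CN=Backup Operators,CN=Builtin,DC=domain,DC=com' -Nested
```

The memberOf attribute does not list a user's primary group (typically Domain Users), so a check against that group returns False with either form of the filter.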

Similar Messages

  • Invoke an adapter on change of User's Group Membership details

    Hi
    I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
    Does anyone have any idea about this?
    -- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
    -Hardew

    Thanks for quick response.
    What you have mentioned is applicable for a specific value of a user’s OIM Profile field; that means it will be triggered only if a user has a specified value, i.e. "blah blah", for that field, i.e. fieldA.
    However my scenario is slightly different. Let me explain my scenario by example:-
    I have N numbers of OIM groups i.e. g1, g2, g3, g4……, gn and a user called myUser. This user is a member of two groups, g1 and g2; now if I make myUser a member of one more group, i.e. g3, or remove one, i.e. g1, then I want to perform a custom task using an adapter on this Group Membership change.
    Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
    _hardew

  • How to create users and groups using WLST Offline with Weblogic 8.1.4

    How to create users and groups using WLST Offline with Weblogic 8.1.4?
    Any ideas?

    Hi, this is how I created a user using WLST Offline:
    cd('/Security/' + domainName)
    # Delete the default user name weblogic
    # in case you want to remove the default user weblogic
    delete('weblogic','User')
    # Creating a new user defined
    create(userName, 'User')
    # Setting the password of the user you created.
    cd ('/Security/' + domainName + '/User/' + userName)
    cmo.setPassword(password)
    Regards
    Makenzo

  • How to import user and group at EPM11.1.2?

    I found a similar topic on this at User & Groups Issue
    But it sounds like there is a big change at EPM11.1.2; I didn't find the CSSImportExport utility at all.
    Could anyone tell me how to import users and groups from flat file at this version?
    Thanks
    Tony

    You can only use LCM from 11.1.2, it is not really that different format from the CSSImportExport utility.
    I find the best way is to set up a few users and provisioning and then use LCM to export, then you get a good feel to the format of the file.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • How to find users and group in sun box

    Please advise how to find users and group in Sun Solaris
    Thanks in advance

    We can get all the group details from /etc/group file .
    Similarly user details can be found in /etc/passwd .

  • How to prevent user or group to use 3-tier WebI and DeskI in XI 3.1

    How to prevent user or group to use 3-tier WebI and DeskI in XI 3.1
    This function is enabled in BOE 6.5 by using Supervisor.

    Hi,
    You can explicitly deny access to these applications from the CMC in BOE 3.1. Open the CMC, click on BusinessObjects Enterprise Application and then select the WebI.
    From the right hand side click on the 'Net Access' section for that group and disable the 'Log on to Web-Intelligence and view this object in CMC.'
    This will prevent the option of the WebI for that group.
    I hope this helps you.
    Regards,
    Prashant

  • OIM 10G OID user account / group membership reconciliation

    Hello
    I have an OID environment that is used for OAM access to applications within the environment. I need to be able to reconcile users from OID into OIM along with their group membership so that roles for users are maintained and updated. I have ORM integrated within the environment so entitlements would need to flow to orm to document that users are members of a role / OIM group. Not sure if this is possible through the trusted reconciliation or if there is a user / group target reconciliation that can be used for this. Any help you can give for this would be appreciated.
    Thanks

    When I use ADCS timestamp as 0 (to capture changes from the beginning and not necessarily after the group change event occurred on the AD side) and run AD user target recon this is getting updated. Is this correct, and if so how can I always default ADCS timestamp as 0 in the scheduled task, and are there any side effects for this sort of approach?
    Prasad.
    Edited by: Prasad on Nov 7, 2011 12:31 PM

  • Prepopulating users LDAP Group Information

    Hi
    When I provision a user using the Sun connector manually, I have an option to select from a lookup the group of which the user must be a member.
    How do I prepopulate this information based on the user's organization?
    sas

    refer to this link for the solution.
    Provisioning OIM Users to LDAP Groups
    Thank you
    sas

  • How to add users to group which is present in another AD domain?

    Hi,
    Using JNDI how to add user as a member of group which is present in another AD domain?
    For example: In AD forest test.com there are two domains, a.test.com and b.test.com. The group is present in a.test.com and I want to add a user present in b.test.com as a member of the group.
    Any pointer around this would be great help.

    See the below link to get an idea on group types.
    http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
    If the group is a universal group, you can just add members similar to local group even if user and group are in different domains. That is by setting the member attribute of the group.

  • How to reset users and groups in Server.app?

    Recently, after changing settings in the Server.app (like turning Open Directory off/on, deleting/adding certificates), I got a strange problem:
    In the users and groups list, it displays all local users and groups (they look like system users and groups, about 100 users and groups, but this is a new server)
    I tried resetting the Server.app by following
    howto reinstall/reinitialize os x server
    http://support.apple.com/kb/HT200271?viewlocale=en_US
    These users and groups still showing there.
    Have you seen this before and how can I completely reset the server.app to factory default so that I can start over the set up?

    In theory, that should restore the users.  You can do some surgery if you are really brave.  But the reinstall generally should be enough. 
    These accounts are in the DSLocal data store.  Basically, this is very similar to the any OS X machine.  Apple keeps a default copy of the Local Database here:
    /System/Library/DirectoryServices/DefaultLocalDB/Default
    Should you need to reset a machine to the default local database, you can remove the current database (/var/db/dslocal/nodes/Default) and then copy the default one to the same location.  I would not go this far unless the reinstall was unsuccessful. 
    To check, you can run this command:
    dscl . list /Users
    That will list all the Users in the local DB.   To get a count, pipe to wc
    dscl . list /Users | wc -l
    On a Server that I just jumped on, I see 79 users and 111 groups (dscl . list /Groups | wc -l). But this is a system with many SACL groups, so I likely have more than the default.
    Hope this continues to help. Probably more info than you want.
    Reid
    Apple Consultants Network
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • Select list populated with ldap group membership attributes

    Is it possible to query an LDAP group and retrieve all the members of the group?
    For example, if I have an LDAP group with members' login name, I want to retrieve all login names and populate a select list so the end-user can choose a login name from the group.
    Thanks, alan.

    The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select-list is the list item's value, all your list item entries have the same value. Therefore, if you select any entry, the list will always go to the first entry again.
    Adjust your query.

  • LDAP Group Membership

    I need help. I have a case where an LDAP group shows users as members but some of these users do not show the group in their "Member Of" listing when looking under the Home -> Users -> <userid> listing. What could be causing this? The LDAP group was recently added to the server. Thanks.

    Stephen,
    One returns an array (table) of groups and the other returns a ":" delimited string. Describing them from SQL Plus returns:
    FUNCTION MEMBER_OF RETURNS TABLE OF VARCHAR2(32767)
    Argument Name                  Type                    In/Out Default?
    P_USERNAME                     VARCHAR2                IN     DEFAULT
    P_PASS                         VARCHAR2                IN     DEFAULT
    P_AUTH_BASE                    VARCHAR2                IN
    P_HOST                         VARCHAR2                IN
    P_PORT                         VARCHAR2                IN     DEFAULT
    FUNCTION MEMBER_OF2 RETURNS VARCHAR2
    Argument Name                  Type                    In/Out Default?
    P_USERNAME                     VARCHAR2                IN     DEFAULT
    P_PASS                         VARCHAR2                IN     DEFAULT
    P_AUTH_BASE                    VARCHAR2                IN
    P_HOST                         VARCHAR2                IN
    P_PORT                         VARCHAR2                IN     DEFAULT
    Thanks,
    Tyler

  • User's Group Membership problem with enterprise domain

    Hi
    I have some problems synchronizing Active Directory in LiveCycle ES 8.0.1.
    I'm able to import the users and groups from an active directory to an enterprise domain... but the association of user to group is not kept.
    Could the problem be that the DN of the users is different from the DN of the group?
    the DN users is something like this:
    OU=CED,OU=CDC Utent,DC=house,DC=lan
    and the DN of the group:
    DC=house,DC=lan
    Thanks

    Ok, I think that the DN value is not the problem... I tried with another active directory and the association of user to group is kept! But why?
    In the user details of the active directory that doesn't synchronize well I have 2 more attributes:
    dSCorePropagationData
    profilePath
    But really I don't understand where is the problem. Maybe the version of Active Directory?
    Does anybody else have this weird issue?
    Thanks.

  • How to assign users to group during upload ?

    Hi all,
    we have to upload a lot of users into our EP6.
    according to the documentation it is possible to assign those users to roles during the upload, but we want to use Group-Assignments instead of directly assigning roles to users.
    Is there any possibility to assign groups instead of roles during a user-upload ?
    The doc shows in the "Standard-File-Format" the parameters <namespace>:<name>; may those be used for this purpose, and if yes, then how?
    Thanx for any hints...
    Stefan

    Hi,
    do you mean uploading role-group assignments or user-group assignments?
    User-group assignments can be uploaded using the following format (extract from UME documentation - section: Standard Format):
    [Group]
    gid=HappyBuyers
    gdesc=This is a group of all satisfied buyers
    user=MarcPeters;JackSmith;Alan_Fox
    Make sure that you upload the groups in a second step after you have already uploaded the users. The userIds you name in the property "user" must exist.
    For uploading role-group assignments I don't know a way but usually you do not have that many ...
    Best regards,
    Oliver

  • How to verify user data through an unhelpful DBA

    I'm a developer. My organization is large and has separation of duties... i.e. I'm not allowed to touch the production system. The DBA exhibits some sort of anti-social traits and is unhelpful to the point of being harmful. If we request him to run an sql statement and it fails, he offers no insights as to why. Instead, we are left to try and request query after query to try and resolve the issue--which can take days when he could speak up and resolve the issue in seconds.
    But my organization's DBA problem isn't yours... instead, here's my current dilemma.
    Our projects are supposed to get 3 generic accounts that we the developers then alter to suit the application. Those users are named:
    <projectname>USR
    <projectname>ADM
    <projectname>DBA
    (I'll use the project name "TEST" in this post)
    We requested the rows from DBA_SYS_PRIVS to see that these generic accounts existed and received the following:
    GRANTEE                        PRIVILEGE                                ADM
    TESTADM                        CREATE SESSION                           NO
    TESTDBA                        CREATE SESSION                           NO
    TESTUSR                        CREATE SESSION                           NO
    We requested an alter user on TESTDBA and it worked fine.
    We then requested an alter user on TESTUSR and it returned:
    ALTER USER "TESTUSR"
    ERROR at line 1:
    ORA-01918: user 'TESTUSR' does not exist
    The only explanation I can think of is that TESTUSR was mistakenly created as a role instead of a user. I'm planning on requesting the contents of the DBA_USERS table and the DBA_ROLES table and see where TESTUSR is located. But what I'm asking here in this forum is if there is a better set of sql statements I could request to be more definitive in researching what happened.
    Thanks in advance,
    Darren

    In the actual dump that you got from DBA_SYS_PRIVS, were the GRANTEE names all upper case? Or were some characters lower case as well?
    Oracle is normally case insensitive. But if you double-quote identifiers, those identifiers become case sensitive. The failing DDL
    ALTER USER "TESTUSR"
    is using double-quotes so TESTUSR would need to be a case-sensitive match to the user name. Is there any chance that is not the case in your environment?
    Barring that, getting a listing from DBA_USERS and DBA_ROLES is probably the way to go.
    Justin
