Identity Service LDAP with dynamic grouping

Hi all,
We are developing an enterprise application with oc4j and bpel.
First we managed to handle user management with XML based JAZN tool.
After that, we managed to connect the identity service to an iPlanet LDAP server and get users and roles (with static groups defined).
But our client wanted static and dynamic groups together in their LDAP server, because of the complexity of their current user base.
When we try this, we cannot get the roles that are assigned via dynamic groups, but we can get the roles that are statically defined.
We check the roles from the worklist application (integration/worklistapp... thing..) and we see the static groups but cannot see the dynamic ones.
There is a section in is_config.xml like:
<roleControls>
<property name="nameattribute" value="cn"/>
<property name="objectclass" value="groupOfUniqueNames"/>
<property name="membershipsearchscope" value="onelevel"/>
<property name="memberattribute" value="uniquemember"/>
<search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
</roleControls>
I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
Hope somebody has already done that..

I found a solution here:
http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
I am currently using weblogic's defaultAuthentication to test BPM 11g.
I do not know if this approach works in production environment.

Similar Messages

  • LDAP- large dynamic groups - performance

    A dynamic group is to a static group what a view is to a table
    A group is to its members what a table or view is to its records.
    When the membership of a dynamic group is very large, are there any performance problems, or is that eliminatable by some indexing means?

    Just an FYI ...
    I found out from iPlanet that this is a bug in SP3 and will be fixed in SP4.
    In the meantime, you can call tech support and get a patch.
    Matt
    "Matt Raible" <[email protected]> wrote in message news:9nldgs$[email protected]..
    I discovered today that the dynamic group does not seem to work for form-based authentication with iPlanet App Server. I have a group, Employees, in my LDAP server, and it has a dynamic group configured as ldap:///o=douglas.co.us??sub?dcRoles=ttEmployee, where each user has a custom attribute, dcRoles. I can test this dynamic group and expected users are found.
    However, I cannot authenticate with a user in this group when "Employees" is my configured role to authenticate with.
    If I open the group Employees in my LDAP Server, and under the Members, Static Group tab, I add a user, I can authenticate with them.
    I also tried adding "ttEmployee" as well as "Employee" to my deployment descriptors - but no luck. The method of adding a user (above) is the only way I found to work.
    Can someone shed some light on this?
    Thanks,
    Matt

  • Ask the Expert: BYOD with Identity Services Engine with Cisco Expert Bern

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various use scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.
    Bernardo Gaspar is a Customer Support Engineer at the Technical Assistance Center at Cisco Europe, specialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
    Remember to use the rating system to let Bernardo know if you have received an adequate response.
    Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
    This event lasts through Friday July 12, 2013. Visit the community often to view responses to your questions and those of other community members.
    Posted by WebUser Krishnakant Dixit from Cisco Support Community App

    Feedback will be highly appreciated
    Posted by WebUser Krishnakant Dixit from Cisco Support Community App

  • SUN One LDAP Retrieving Dynamic group

    Hi, I would like to know how can I retrieve the groups a user belongs to, if the groups are of dynamic type.
    can I use the attribute memberOf?
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // Connection settings (the URL is a placeholder for your directory server)
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
    // Create the initial directory context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Create the search controls
    SearchControls searchCtls = new SearchControls();
    // Specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Specify the LDAP search filter
    String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
    // Specify the base for the search
    String searchBase = "DC=antipodes,DC=com";
    // Specify the attributes to return
    String[] returnedAtts = {"memberOf"};
    searchCtls.setReturningAttributes(returnedAtts);
    // Search for objects using the filter
    NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
    // Print the memberOf values of each matching entry
    while (answer.hasMore()) {
        Attributes attrs = answer.next().getAttributes();
        System.out.println(attrs.get("memberOf"));
    }
    ctx.close();
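    Both the is_config.xml question at the top of the page and the memberOf question above run into the same gap: a static group is resolved by reading its uniquemember values, whereas a dynamic group carries a memberURL whose base, scope and filter have to be evaluated against the directory, so a lookup configured only for uniquemember (or a memberOf query, which only helps where the server itself maintains that attribute) returns the static groups alone. The following added Python example, which is not code from either thread, resolves effective membership across both group types against a constructed in-memory directory; the memberURL is the one quoted in the iPlanet thread above, every other DN and attribute value is made up for the example.

```python
from urllib.parse import unquote

# Constructed in-memory directory (not a real server); names are made up.
DIRECTORY = {
    "uid=alice,ou=People,o=douglas.co.us": {
        "objectClass": ["inetOrgPerson"], "dcRoles": ["ttEmployee"]},
    "uid=bob,ou=People,o=douglas.co.us": {
        "objectClass": ["inetOrgPerson"], "dcRoles": ["ttContractor"]},
    "cn=Admins,ou=Groups,o=douglas.co.us": {          # static group
        "objectClass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=bob,ou=People,o=douglas.co.us"]},
    "cn=Employees,ou=Groups,o=douglas.co.us": {       # dynamic group
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///o=douglas.co.us??sub?dcRoles=ttEmployee"]},
}

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// (same-server) URLs are supported")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # base ? attrs ? scope ? filter
    base, _attrs, scope, filt = (unquote(p) for p in parts[:4])
    return base, (scope or "base").lower(), filt or "(objectClass=*)"

def _split_subfilters(s):
    """'(a=1)(b=2)' -> ['(a=1)', '(b=2)'], tracking nesting depth."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    return out

def matches(entry, filt):
    """Evaluate an RFC 4515 subset (&, |, !, equality, presence) against an
    entry {attr: [values]}; names compare case-insensitively as in LDAP."""
    filt = filt.strip()
    if not filt.startswith("("):              # memberURL filters are often bare
        filt = "(" + filt + ")"
    body = filt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, f) for f in _split_subfilters(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def in_scope(dn, base, scope):
    """Is dn within base for scope 'base', 'one'/'onelevel' or 'sub'?"""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    rdns_below = dn[:-len(base) - 1] if dn.endswith("," + base) else None
    return rdns_below is not None and (scope == "sub" or "," not in rdns_below)

def members_of(group_dn, directory=DIRECTORY):
    """Static uniquemember values plus every entry selected by each memberURL."""
    group = directory[group_dn]
    members = set(group.get("uniquemember", []))
    for url in group.get("memberURL", []):
        base, scope, filt = parse_member_url(url)
        members.update(dn for dn, e in directory.items()
                       if in_scope(dn, base, scope) and matches(e, filt))
    return members

def groups_of(user_dn, directory=DIRECTORY):
    """Effective groups of a user across static and dynamic groups."""
    return sorted(g for g, e in directory.items()
                  if ("uniquemember" in e or "memberURL" in e)
                  and user_dn in members_of(g, directory))
```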

    Hello Vinay,
    When configuring multiple LDAP directories, there are a number of prerequisites that you need to consider.
    For example, one prerequisite for multiple domains is that logon IDs must be unique across multiple LDAP data sources. This will cause issues if duplicate IDs exist.
    Please see the following documentation and notes for more information on this.
    Examples of Data Source Configuration Files - Identity Management - SAP Library
    Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
    1618342 - Multiple LDAP Datasources - Active Directories where logon IDs are not unique
    762419 - Multi-Domain Logon Using Microsoft Active Directory
    Please have a look at the above notes, which document this and also tell you what to do in these situations.
    Regards,
    David

  • Help, error connection Cisco Identity Services Engine with AD.

    Dear all,
    I have Cisco Identity Services Engine, which is connected to Active Directory. When I run the detailed connection test,
    the result is an error, which says:
    Test Connection Results
    This dialog shows the detailed logs for the operation for: idsv0018.
    Status: FAILED: Global Catalog port status error.
    Can anyone help?
    I believe,  because this error, I can't search group of AD, at Cisco ISE.
    FYI: the connection from Cisco ISE to AD, joined with successful result.
    Thanks,
    Jerri

    Hello Jerri,
    Please follow these steps:
    1. Make sure that ISE can connect to the Global Catalog (by default it is the Domain Controller) on the following ports (see table below)
    2. Check Windows Event Viewer > System Events on your Domain Controller and locate any errors / warnings. Note down the Event ID
    3. If there are any errors, other client computers in your AD domain are likely to experience problems locating User groups, Printers etc.
    4. If the above steps are confirmed, then you need to fix .msdcs.ad-domain.xyz and the records on your primary DNS (Master Domain Controller by default)
    5. To fix those records, you may refer to the following link for more guidance on how to do it. Or your Windows AD Administrator should fix it
    How DNS Support for Active Directory Works
    http://technet.microsoft.com/en-us/library/cc759550
    Otherwise let me know about the detail on Event IDs you notice in your Windows Event Viewer
    Service Name    UDP    TCP
    LDAP                   3268 (global catalog)
    LDAP                   3269 (global catalog Secure Sockets Layer [SSL])
    LDAP            389    389
    LDAP                   636 (SSL)
    RPC/REPL               135 (endpoint mapper)
    Kerberos        88     88
    DNS             53     53
    SMB over IP     445    445

  • OAM11g R2 Internet Identity Services Integration with Facebook fails

    Hi,
    I have configured OAM11g R2 to use Facebook as an Internet Identity Provider by following the steps mentioned in the link : http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/oicconfiginetidentitysrvcs.htm#BEIDCHAJ
    Below are the quick steps I followed.
    Configuration :
    1. Created an App in FB to generate a Consumer Key and Consumer Secret @ https://developers.facebook.com/apps
    2. In Basic info of the App specified the "App Domains" as company.com
    3. In the App Set the "Website with Facebook Login" to http://OAM-HOST:ManagedServerPort
    4. Copied "App ID" and "App Secret"
    5. On OAM Side, Updated the Internet Identity Provider profile for FB by specifying "Consumer Key" and "Consumer Secret" with "App ID" and "App Secret" retrieved in #4
    6.a) Created an Application Profile with the same name as the registered 10g webgate partner.
    b) Used OAMServiceProviderInterface as "Service Provider Interface"
    c) Selected Facebook as "Application User Attribute Vs Internet Identity Provider User Attributes Mapping"
    d) In Application Profile Properties add property "colocated.oam" with value "true"
    7. Protected an app using webgate with OOTB OICScheme.
    8. Enable "Mobile and Social Service" from System Configuration -> Available Service
    9. Configure WebLogic Server for Facebook Identity Provider Compatibility
    a) Open the WebLogic Console: http://host:port/console
    b) Choose Domain > Environment > Servers > Managed Server.
    c) Click the SSL tab, then click Advanced.
    d) Click Lock and Edit configuration.
    e) Change the Host Name Verifier to None.
    f) Restart the Managed Server.
    Issue :
    1. Access the resource which is protected by OICScheme
    2. Click on Facebook
    3. Provide facebook creds
    An Error page is thrown on the browser with below exception on managed server
    <Sep 17, 2012 2:35:19 PM IST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Sep 17, 2012 2:35:19 PM IST> <Error> <Net> <BEA-000903> <Failed to communicate with proxy: proxy.proxy.com/80. Will try connection graph.facebook.com/443 now.
    java.net.UnknownHostException: proxy.proxy.com
    at java.net.InetAddress.getAllByName0(InetAddress.java:1157)
    at java.net.InetAddress.getAllByName(InetAddress.java:1083)
    at java.net.InetAddress.getAllByName(InetAddress.java:1019)
    at java.net.InetAddress.getByName(InetAddress.java:969)
    at weblogic.socket.ChannelSocketFactory.createSocket(ChannelSocketFactory.java:37)
    Truncated. see log file for complete stacktrace
    <Sep 17, 2012 2:35:19 PM IST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
    at java.net.Socket.connect(Socket.java:529)
    at weblogic.net.http.HttpsClient.openWrappedSSLSocket(HttpsClient.java:555)
    at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:286)
    at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:363)
    at weblogic.net.http.HttpsClient.New(HttpsClient.java:518)
    at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:239)
    at oracle.security.idaas.rp.http.HttpUtils.send(HttpUtils.java:144)
    <Sep 17, 2012 2:35:22 PM IST> <Error> <oracle.idaas.rp> <BEA-000000> <There is an error while getting access token for the user from the identity provider
    oracle.security.idaas.rp.RPException: Request failed:
    at oracle.security.idaas.rp.http.HttpUtils.send(HttpUtils.java:204)
    at oracle.security.idaas.rp.oauth.provider.FacebookImpl.execHttpRequest(FacebookImpl.java:384)
    at oracle.security.idaas.rp.oauth.provider.FacebookImpl.getAccessToken(FacebookImpl.java:227)
    at oracle.security.idaas.rp.IDPResponseHandler.getAccessToken(IDPResponseHandler.java:488)
    at oracle.security.idaas.rp.IDPResponseHandler.processIDPResponse(IDPResponseHandler.java:131)
    at oracle.security.idaas.rp.RPReturnServlet.processRequest(RPReturnServlet.java:97)
    at oracle.security.idaas.rp.RPReturnServlet.doGet(RPReturnServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    <Sep 17, 2012 2:35:22 PM IST> <Error> <oracle.idaas.rp> <BEA-000000> <Exception in processRequest method
    oracle.security.idaas.rp.RPException: oracle.security.idaas.rp.RPException: Request failed:
    at oracle.security.idaas.rp.oauth.provider.FacebookImpl.getAccessToken(FacebookImpl.java:247)
    at oracle.security.idaas.rp.IDPResponseHandler.getAccessToken(IDPResponseHandler.java:488)
    at oracle.security.idaas.rp.IDPResponseHandler.processIDPResponse(IDPResponseHandler.java:131)
    at oracle.security.idaas.rp.RPReturnServlet.processRequest(RPReturnServlet.java:97)
    at oracle.security.idaas.rp.RPReturnServlet.doGet(RPReturnServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    Any help/pointers to resolve these issues will be highly appreciated
    ~Sagar

    Hi Sagar,
    To resolve this issue, do the following:
    1. Click on System Configuration Tab at the top.
    2. Click Mobile & Social on the Left Hand Side.
    3. Click Mobile & Social Settings.
    4. On the right hand side, you will see proxy server settings. You can remove the www-proxy.us.oracle.com from the proxy hostname and 80 from the port field.
    Let me know if you still see issues.
    Regards
    Parag

  • Help, error connection Cisco Identity Services Engine with AD, global catalog port status error

    Dear all,
    I have Cisco Identity Services Engine, which is connected to Active Directory. When I run the detailed connection test,
    the result is an error, which says:
    Test Connection Results
    This dialog shows the detailed logs for the operation for: idsv0018.
    Status: FAILED: Global Catalog port status error.
    Can anyone help?
    I believe,  because this error, I can't search group of AD, at Cisco ISE.
    FYI: the connection from Cisco ISE to AD, joined with successful result.
    Thanks,
    Jerri

    It's clear that when ISE tries to find the GC using the _gc._tcp DNS query, it doesn't find that information on the Domain Controller. The GC information is missing on the DC.
    _gc._tcp.DnsForestName
    Allows a client to locate a Global Catalog (GC) server for this domain.
    Jatin Katyal
    - Do rate helpful posts -

  • Web Service Proxy with Dynamic IP and Port

    hi,
    I am currently looking at the Web Service Proxy generation in JDev 11g. I can generate proxies fine, but the proxies are generated with static host and port. I want to substitute the host and port during runtime if required, for instance read the values from a database. I need to do this to avoid compiling the application for every deployment we make dev, test and production. Is there an easy way to set the generated proxy host and port? Are there any examples?
    Thanks in advance!
    Stephen

    Hi,
    Maybe you should have a look at the XML Catalogs feature, but I am not sure if JDeveloper supports it and how.
    -LJ

  • Flex Advanced DataGrid with dynamic grouping

    Can we implement something similar to the below link, using Flex 3?
    http://demos.telerik.com/aspnet-ajax/grid/examples/groupby/grouploadmodeclient/defaultcs.aspx
    I am not sure if Flex 3 allows grouping of columns based on a drag-and-drop component. Plus, how to show the pictorial view of grouped columns, same as in the above example?
    Any help greatly appreciated.

    This blog post seems to answer your question:
    http://blog.flexgeek.in/2007/06/tips-tricks-adding-a-combobox-to-a-datagrid-header-as-headerrenderer/
    http://omalraj.com/2009/06/flex-datagrid-header-with-a-combobox-filter/
    http://franto.com/custom-header-in-datagrid-part-2/
    http://blogs.adobe.com/aharui/2007/03/thinking_about_item_renderers_1.html
    If this post answers your question or helps, please mark it as such. Thanks!
    http://www.stardustsystems.com
    Adobe Flex Development and Support Services

  • Problem with dynamic group

    I am running iPlanet process manager 6 SP3. There is an approval group imported from corporate LDAP in an Application, which is running in production mode.
    I have added a new member into this approval group in LDAP, but it appears that this change was not applied in the process? Does process manager perform a real time look up into the LDAP? If not, how long will it take to refresh the role/group infos? or Do I have to restart the app server to refresh the role/group infos?
    Thanks!

    How do I handle this?

  • Flex DataGrid with Dynamic Grouping

    Does anyone know of any examples of Flex datagrids that have grouping features comparable to the numerous grid components available in the ASP.NET world? I'm thinking of .NET component vendors such as Telerik, Infragistics, Component Art, DevExpress, etc.
    The way these .NET controls generally work is that you drag the header of a column to a bar above the grid, which causes the grid to redraw based on the new grouping you just specified.
    This is an example of a grid component that I am currently using:
    Telerik Grid
    Thank you,
    Mike Chabot

    The renderer's data property is the data for the entire row so you can get the column1 data and assign the combobox's dataprovider accordingly.
    Alex Harui
    Flex SDK Developer
    Adobe Systems Inc.
    Blog: http://blogs.adobe.com/aharui

  • Dynamic group membership Query based on alert description - IS package failed

    Hi there all good people,
    I've got the following case:
    I need to filter out some of the alerts raised by the IS package failed alert rule.
    All alerts raised need an override except two alerts with a specific description. Example:
    Alert description: Package "Full Back-Up" failed. should still raise an alert, and also the
    Alert description: Package "Full Db Back-Up" failed.
    I'm playing around with dynamic groups. Can somebody give me some pointers?
    Or do I need to create a new alert rule and override this one for all objects?
    I hope the question is clear, I'm not a native English speaker

    Hi,
    I would like to suggest you override this one for all objects and then create a new alert rule based on your requirement.
    Regards,
    Yan Li

  • Using dynamic groups for j2ee security

    Hi all,
    I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
    Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute)
    How do I configure my realm in my server.xml to get this working?

    Hi,
    I got an official answer from SUN.
    "Dynamic Groups" are not (longer) supported with SJS AS 7!
    It will probably be supported with SJS AS 8 SE.
    If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

  • Dynamic groups

    Folks,
    Dynamic groups do not work in my add event window in calendar. I can search and select the group but nothing is done. I have run a search with the search filter from the group and it works as expected.
    keith

    Hi Rob,
    I've been told by engineering that Dynamic Groups aren't supported by ZESM. A reference to this will be added into the known issues section.
    Sorry for the delay,
    Daniel
    >>>
    From: rbannerman<[email protected]>
    To:novell.support.zenworks.endpoint-security-management
    Date: 2/26/2010 5:46 PM
    Subject: Dynamic Groups
    Hi,
    I have set up a couple of dynamic groups as I wanted to set up security policy based on employee title. I assigned and published the policy but the published icon only appears next to the dynamic group. I did test and the policy is not applied to users.
    Does endpoint 4.1 work with dynamic groups and if so what do I need to do to make it work?
    Rob
    rbannerman

  • Dynamic Group Resolution Limit?

    We recently created a few dynamic groups to assign certain roles and access automatically. I have it set up to resolve these groups via a script that runs at the end of a maintenance job.
    The issue we encountered upon our initial load was that it would only add 1000 users at a time via the script. Is there a setting somewhere in the console that puts this limit in place?
    Alternatively, I tried to resolve the group from the group properties themselves. This also failed as it gave me a time out message; however it would not allow me to retry because a process to resolve the group was already running! Has anyone encountered this and found a way to terminate that process?
    I was just wondering if anyone else had encountered these issues and how they resolved them.
    Thanks,
    Jared

    Yes, on the initial load, they will only load 1000 at a time. We ran into this problem too (had one group of 12,000 people) but just ran it 13 times using Right Click -> Recalculate.
    When they crash or deadlock, they will claim to still be running for a long time. This is because of the way they do locking:
    1) When the recalculation starts, it checks the ModifyTime column on the attribute "MX_DG_AUTORESOLVE_INTERVAL" for that Dynamic Group. If it is in the past, it continues to step two, otherwise it aborts with the error saying it is already running.
    2) It sets the ModifyTime on that attribute to a future date (I forget how long exactly, but we're talking about DAYS in the future).
    3) It does the calculations.
    4) It sets the ModifyTime to the time it finished.
    So, you see the problem -- when it crashes, the time remains far in the future.
    You mentioned you run the update from a script, and that is what we do too. There is supposed to be a way to trigger the calculation based on an Attribute Change, but the feature does not work as documented in the manual. Frustrating...
    Anyway, this is how I get around the issue in our script:
    function recalcInternetGroups(Par){
         uSleep(10000); //Give any previous attempts at least 10 seconds to finish resolving
         importPackage(Packages.com.valero.idm);
         var sqlClass = new SQLServerConnection();
         var SQL = "Select MSKEY FROM dbo.MXIV_SENTRIES WHERE searchvalue LIKE 'INTERNET_LEVEL_%' AND attrname = 'MSKEYVALUE'";
         var groups = uSelect(SQL);
         var result = groups.split('!!');  //We have 9 INTERNET_LEVEL groups, refresh them all
         for (var i=0; i<result.length; i++) {
              var dynamic_group = result[i];
              // Manually set the date into the past (picked the date I wrote this script, as it doesn't matter how far in the past)
              var sql2 = "update MXI_VALUES set Modifytime = '2010-10-15 00:00:00.000' where MSKEY = " + dynamic_group + " and Attr_ID = 33";
              var resultUpdate = '' + sqlClass.uUpdate(sql2);
              var recalc = uIS_ResolveDynamicGroup(dynamic_group);
              if (recalc.indexOf("ERROR")>0) {
                   uError("Recalculating " + uIS_GetValue(dynamic_group, uGetIDStore(), "MSKEYVALUE"));
                   uError(recalc);
              } else {
                   uWarning("Recalculating " + uIS_GetValue(dynamic_group, uGetIDStore(), "MSKEYVALUE") + ' ' + recalc);
              }
         }
    }
    You'll note we have our own function to allow us to run database updates in Javascript, which is required for this to work, since uSelect() won't perform updates. Anyway, doing that solves the problem. I guess you could do the same thing if you just made a To Database pass that runs before this and does these changes.
    If you pick up any other tips or tricks on dealing with Dynamic Groups, let me know, as we use them fairly extensively and still find them somewhat frustrating at times.
