IDM: Implementing Password Synchronization only

Hello to everyone.
We are currently implementing IDM (7.2) by phases.
For the first phase, we are planning to cover “password synchronization” only. Therefore we are going to continue administrating user accounts in a decentralized way (Active Directory and CUA separately).
Also, this task must be self-service, meaning the users will change their own passwords by answering a few questions defined previously.
Is it possible to do so?...... how?.... what options do I have?
Any help would be much appreciated.
Thanks a lot in advance
Gabriela

Maria,
Please take a look at this document:
http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/502c39b9-02e8-2d10-18a7-d32fade7b18b
Matt

Similar Messages

  • Issue with GPO "WSE Group Policy Password Synchronization"

    When I started my migration of SBS2011 to 2012r2 with essentials service I noticed this GPO appear which I assume is for passwords to be synced to the cloud however when I implemented group policy from essentials the dashboard crashed and the typical
    GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didn't delete the GPO "WSE Group Policy Password Synchronization")
    I then re-launched the dashboard and ran through the process again, it worked what a treat! except the GPO for "WSE Group Policy Password Synchronization"
    appears to be blank, I remember it pointing to a ps file but I don't know what ps file and how to recreate it, along with to confirm what it does. Sadly I have no GPO backup to go back to.
    Any help on this would be much appreciated
    Cheers 

    Hi,
    → however when I implemented group policy from essentials the dashboard crashed
    Based on your description, I understand that the Dashboard crashed when you implemented group policies (some WSE Group Policy).
    → the typical GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didnt delete the GPO "WSE Group Policy Password Synchronization")
    Did you mean that you deleted the ‘WSE Group Policy Folder Redirection’? Would you please let me know whether you did any operation on the ‘WSE Group Policy Password Synchronization’? Meanwhile, please check whether other WSE Group Policies also show No Settings defined in the Settings tab (as your ‘WSE Group Policy Password Synchronization’ picture showed).
    → Sadly I have no GPO backup to go back to.
    Please start a BPA scan and check whether it finds a relevant issue. If there is no GPO backup, it seems that we will not be able to restore the group policy objects. By the way, did you have a full server backup?
    If I misunderstood anything or there is any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • SAP ECC 6.0 / Active Directory Password synchronization

    Hello,
    We have a need to synchronize our users Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0).  We do not use CUA and currently do not use a Portal and are not looking at doing SSO.  We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems.  So far, we have not found a way to do this.  SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things.  However, we did find a white paper that stated the following:
    ~snip
    The Management Agents delivered with MIIS generally support password management: they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function.
    ~snip
    Does anyone have any information on how we can achieve the password synchronization between Active Directory and Abap-based SAP Systems?
    I very much appreciate your time and help.
    Paul

    Paul,
    You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
    This is common, and easy to achieve. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on SAP partner website, under SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
    I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
    Regards,
    Tim

  • Password synchronization problem

    Hi All,
    We have configured password synchronization in our SUN IDM Environment. Now we are facing a problem with expired passwords.
    Password synchronization is not working with expired passwords. Normal users are able to change their password and the password change is reflected on all the configured resources.
    Please advise me on this.
    Thanks in Advance
    Madhu

    Hi Joshua,
    Does this mean that I need to install the core and sub component but no need to install the DS and AD connectors? No!!! Core must only be installed on one machine! Here is a short summary of the steps during an installation having sun ONE LDAPs in multi-master replication (taking ldap2 as the machine where core is installed):
    1. Install core on ldap2
    2. Start console and configure your directory sources. For the sun directory source enter ldap2 as the preferred and ldap1 as the secondary ldap. Configure the rest: attribute-mapping, modification flow, AD-source, SULs, etc. Save the configuration.
    3. On ldap2 run idsync prepds until you get the SUCCESS message in the following way (be sure to specify the secondary ldap with -j and -r options):
       idsync prepds -h <ldap2> -p <ldap2port> -j <ldap1> -r <ldap1port> -D "cn=directory manager" -w <passwort> -s <configuration_registry_suffix>
    4. Run the install binaries again on ldap2. Install DS Connector on ldap2, install DS-Subcomponent (preferred) on ldap2. Install AD-Connector.
    5. Copy over install binaries to ldap1. Run the install binaries on ldap1. Give ldap2 as configuration directory URL. When you are asked what components to install, select subcomponent. Select the suffix. When you are asked what type of ldap, select secondary.
    6. Copy over install binaries to any ldap slave in your replication topology and install the subcomponent there, choosing "other" as the ldap type.
    Good luck again...
    Jakob.

  • Password synchronization between OID and AD - 10.1.2

    Hi,
    I've some questions about the following issue:
    I've tried to set up the password synchronization between OID 10.1.2 and active directory, with the intent of exporting ldap users from OID to AD.
    Well, the bootstrap went fine, but when I tried to activate the export of password in the activexp.map configuration file,
    I've obtained this:
    *Writer Thread - 0 - [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003  (WILL_NOT_PERFORM), data 0*
    for each entry I tried to export...
    I've opened a SR on metalink and I've received the following answer:
    "As shown by the synchronization profile, currently you have a mapping for the password from OID to AD.
      userpassword: : :person:unicodepwd: :person:
    According to the documentation, password synchronization requires the directories to be configured for SSL mode:
      http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDEFIED
    18.3.2.8 Synchronizing Passwords
    You can synchronize Oracle Internet Directory passwords with Active Directory.
    You can also make passwords stored in Microsoft Active Directory available in Oracle Internet Directory.
    Password synchronization is possible only when the directories run in SSL mode 2, that is, server-only authentication."
    Is the SSL setup the only way to achieve this, or is there another alternative?
    Thanks

    Yes. It needs to be in SSL.
    http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDCJHHB
    Some excerpts:
    Active Directory Connector uses SSL to secure the synchronization process. Whether or not you synchronize in the SSL mode depends on your deployment requirements. For example, synchronizing public data does not require SSL, but synchronizing sensitive information such as passwords does. To synchronize password changes between Oracle Internet Directory and Microsoft Active Directory, you must use SSL mode with server-only authentication, that is, SSL Mode 2.
    -shetty2k
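
A pre-flight check for the requirement quoted in this thread, as an added example that is not part of the original posts or of Oracle's tooling: it scans map-file rules for password attributes and reports them when the profile is not in SSL mode 2. The field layout, the `#` comment convention, the function names, the `ssl_mode` parameter and every sample rule other than the `userpassword` one are assumptions.

```python
from dataclasses import dataclass

# Attribute names treated as credentials: the two in the rule quoted in the thread.
PASSWORD_ATTRS = {"userpassword", "unicodepwd"}
REQUIRED_SSL_MODE = 2  # "SSL mode 2, that is, server-only authentication"


@dataclass
class Rule:
    line_no: int
    src_attr: str
    dst_attr: str


def parse_rules(map_text):
    """Parse colon-separated attribute rules, skipping blanks and '#' comments.

    Assumed layout (read off the rule quoted in the thread): field 1 is the
    source attribute and field 5 is the destination attribute.
    """
    rules = []
    for line_no, raw in enumerate(map_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().lower() for f in line.split(":")]
        if len(fields) < 5 or not fields[0] or not fields[4]:
            continue  # not an attribute rule (section marker or malformed line)
        rules.append(Rule(line_no, fields[0], fields[4]))
    return rules


def check_password_sync(map_text, ssl_mode):
    """Return one finding per active password rule when ssl_mode is not 2."""
    if ssl_mode == REQUIRED_SSL_MODE:
        return []
    findings = []
    for rule in parse_rules(map_text):
        if rule.src_attr in PASSWORD_ATTRS or rule.dst_attr in PASSWORD_ATTRS:
            findings.append(
                f"line {rule.line_no}: {rule.src_attr} -> {rule.dst_attr} "
                f"needs SSL mode {REQUIRED_SSL_MODE}, profile has {ssl_mode}"
            )
    return findings


# Constructed sample map content; only the userpassword rule comes from the thread.
SAMPLE_MAP = """\
# constructed sample
cn: : :person:cn: :person:
mail: : :inetorgperson:mail: :user:
userpassword: : :person:unicodepwd: :person:
"""

if __name__ == "__main__":
    # ssl_mode=0 is a constructed value standing for "not SSL mode 2".
    for finding in check_password_sync(SAMPLE_MAP, ssl_mode=0):
        print(finding)
```

Running the check before enabling the password rule shows the misconfiguration up front, rather than as the per-entry `WILL_NOT_PERFORM` error quoted in the question.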

  • Password Synchronization from OIM to target systems

    Hi All,
    Is there any OOTB functionality in OIM9.1.0.1 for password synchronization?
    I have a user with multiple IT resources provisioned into his account. Now whenever user changes his password in OIM, I want that to be updated on particular target system which user selects. For ex. If a user has 5 IT resources configured and whenever he changes his password that has to be updated on only 3 IT resources and not all.
    As per my understanding each IT resource configured will have some process task for updating the password on target system(Password Update in case of iPlanet resource) which will be triggered if an entry for this is present in USR_TRIGGERS. If I use this kind of approach it will update on all IT resources.
    How can I make this dynamic so that the changes are done only to a list of specific IT resources selected by user.
    Thanks & Regards,
    Mahantesh

    There is no OOTB functionality for the end user to decide which resources get their password changed and when. The OOTB functionality lets you use the Lookup.USR_PROCESS_TRIGGER to define which USR table fields have triggers configured for modification. Then you can create the task associated with the field in any provisioning process definition to insert that task when the field changes.
    If you want the user to be able to pick and choose which fields get propagated to which targets, it becomes custom coding.
    Offhand, to be able to decide which passwords get propagated to which targets, I might suggest some way for the end user to set the targets beforehand because when a user changes their password, it's only the password that is being changed. You are going to need a field somewhere that says "yes this resource will propagate the password". You have 2 locations I can think of to do this, on the USR form as a UDF, or a field on the user's resource profile. Next you need a way to fill in these values. If it's on the USR form, you could put these on the user's self modification page to be able to check and uncheck these per resource. Or you can create a self requestable resource, or organization type requestable that has the list of targets, and the user can choose which ones they want to propagate the password to. You cannot have a dynamic list of targets though of the resource form. It has to be a set defined list. You could however create a child table with a list of all available objects and have them just add them in. Once the selection is done, you will either have these checked, or the provisioning side will update the values.
    Now, when the password is changed, and you have your "Change User Password" task running, your adapter will have an input that maps to the UDF field to check if it should pass the new password to the Password Field on the form to trigger the Password Updated task, or return the existing password.
    Or you create a custom page that lets you do whatever you want :)
    -Kevin

  • Password changes in AD - Password Synchronization Connector Issue

    Hey all,
    Newbie question/problem... I have the 9.1.1.0 version of the AD Password Synchronization Connector installed on all domain controllers in my AD. My OIM system is IDM 9.1.0.1 running with JBoss.
    When a password is changed on the target machine that OIM is connected to, the password synchronizes across to OIM fine.
    When I change a password on another DC, the password does not synchronize. I check the logs and instead get an error saying... User not found. This shows in the AD eventlog as well saying... user not found in AD, please verify the configuration parameters.
    The weird thing is... if I change my OIM host to point to the 2nd DC that threw that error and change the Password Synchronization Connector to point to itself as the host, the password change will now work and synchronize back to OIM. The password change on the original DC will now throw the same error, user not found.
    I am totally stumped on this one... any help would be greatly appreciated.
    Thanks in advance.
    -B

    Well finally figured it out... each password synchronization connector on each domain controller must:
    for the host entry: use the IP of the current Domain controller box you are installing on
    for the OIM host: enter the OIM server's hostname (not ip)
    Just wanted to share my pains and struggles so others wouldn't have to.

  • Password Synchronization Connector in HA

    Hello friends,
    As I can configure the Password Synchronization plug idm Oracle Identity Manager on Oracle WebLogic Server deployed in Cluster (2 nodes)
    Thanks.

    Yes, you can configure it for 2 nodes in clustered environment. Refer http://docs.oracle.com/cd/E11223_01/doc.904/e10450.pdf 2.3 4. You need to install connector on one node and configure it on both, if it is 11g.
    regards,
    GP

  • Password synchronization between two domains

    Hey everybody,
    We currently have a situation where we need password synchronization between Domain A and Domain B. Trust relationships are not possible because we need separated authentications between productive network and user tools.
    So we would sync from Domain A (Windows 2008 R2) --> Domain B (Windows 2008 R2)
    Domain B would also replicate per Okta to Office365 Cloud.
    Now my question: could anyone point me in the right direction as to what tools on the market are useful to accomplish this?
    Sorry for my limited English.
    Best and thanks

    You can try using FIM with PCNS to sync passwords from Domain A to Domain B: https://technet.microsoft.com/en-us/library/jj590203(v=ws.10).aspx
    As for Office 365, you can simply implement an ADFS platform and federate it so that your users will be using their AD passwords. It is also possible to sync passwords with DirSync.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • I dropped my iPhone 5s yesterday and then I picked it up but I couldn't unlock it. I have a password but only half of the screen is working I couldn't press anything on the right half. So I turned it off and on but it is still the same

    I dropped my iPhone 5s yesterday and then I picked it up but I couldn't unlock it. I have a password but only half of the screen is working I couldn't press anything on the right half. So I turned it off and on but it is still the same. The screen looks perfectly fine but I can press the numbers 3 6 9 or cancel

    Take it to your closest Apple store and have them look at it.

  • Synchronization only works with Administrator user

    I've been using Blackberry Desktop Software for about 18 months to synchronize organizer data held in Microsoft Outlook 2010, under Windows XP Professional SP3, via a USB connection.
    I recently upgraded the BB desktop to v7.1.0 B42. In order to get a functional installation, I needed to remove the previous version and all associated data, and reinstall from scratch. After this, synchronization only works when the Windows account has Administrator privileges. This is true for both USB and Bluetooth connection.
    Has anyone else had this problem?

    I believe I do have it setup for all users - the printer shows up in "print setup utility" for the other accounts. When I get home I'll go ahead and reinstall the Stylus C86 driver.
    Since I'm at work, I attempted to print to a network printer I also have installed - I get the same error when I print from the other admin account (not mine) or the managed user account.
    Here's another tidbit: From the other admin account I navigated to the CUPS interface (127.0.0.1:631) and was able to successfully print a test page from there.
    Could this be some kind of user permission issue?

  • I'm getting repeated prompts to enter my password, but only for calendars

    I'm getting repeated prompts to enter my password, but only for iCal. In iCal I see an alert, and when I bring it up I get this:
    My other iCloud functions seem to be working fine. I'm iMessaging, etc.

    I've seen a couple reports on here, and mine has been down for an hour or more. However, as usual there is no indication of issues on the iCloud status page.
    Edit
    https://www.apple.com/ca/support/systemstatus/

  • How to implement password policy for a software in oracle (sql) forms & reports 6i ?

    Hi all , I have to implement password policy for an already existing software which was created 2 to 3 years before.
    What exactly I want to do is I must alert the user every month to change his/her password. I have no idea about it.
    Can anyone help me how to start with it? Or can you provide me the links where I can learn & implement in the software?
    Oracle Forms & Reports Builder 6i.
    Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production.
    Thank You.

    You can try this:
    Establishing Security Policies
    Using database policy, you can force user to change password with Oracle forms 6i.
    Regards

  • I'm trying to type my password but only zero and nine work I tried restarting but it still won't work have any ideas please answer ASAP

    I'm trying to type my password but only zero and nine work I tried restarting but it still won't work have any ideas please answer ASAP

    Have you tried resetting your iPad?
    Reset: Press the Home and On/Off buttons at the same time and hold them until the Apple logo appears (about 10 seconds).
    No data will be lost.

  • Password can only be changed once

    Suddenly on our system users can only change their password once. That means:
    1) Administrator creates account in WGM with OpenDirectory-Password "xxx1".
    2) User can login with password "xxx1"
    3) User changes password to "xxx2".
    4) User can login with password "xxx2"
    5) Some time later user changes password again, this time to "xxx3".
    6) User cannot login with the new password "xxx3", but he can still login with the old password "xxx2"!!!
    7) Administrator changes password in WGM to "xxx3".
    8) User can still not login with password "xxx3", only the old password "xxx2" works!
    9) The only way to change the password at this time, is to delete the user in WGM and recreate it with the new password.
    We suspect that it has something to do with Kerberos. If the user tries after step 6) (from above) to get a Kerberos ticket using /System/Library/CoreServices/Kerberos.app, he can only get a ticket using the new password "xxx3"!
    So for us it looks like the OpenDirectory- and Kerberos-Passwords are somehow getting out of sync.
    Our configuration:
    Server: 10.4.7 (PPC)
    Clients: 10.4.7 and 10.4.9 (both PPC)
    Thanks for any help.
    Best regards from Switzerland
    David Scheiner

    Check your password policy in Server Admin > Open Directory.
