IdM SPE Ldap SSL operations hang

Hi all,
We're having a problem with IdM SPE hanging while doing LDAP operations over SSL. Has anyone encountered this before? We're under a tight deadline and any inputs/suggestions would automatically make the contributor my hero.
Description:
Our application is hanging when we try to use SPE's APIs to add some users to an LDAPS resource. We see these connections being logged in the LDAP logs, however binding never occurs. Instead these LDAP connections from SPE seem to sit until timeout.
Environment:
IdM 6.0 SPE SP1
AIX 5.2
J2RE 1.4.2 IBM AIX SP7
BEA WebLogic 8.1 SP5
SunOne Directory Server 5.2
Evaluation:
After a long period of time we see the following exception in our application logs:
javax.naming.CommunicationException: Request: 1 cancelled
        at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java(Inlined Compiled Code))
        at com.sun.jndi.ldap.Connection.readReply(Connection.java(Compiled Code))
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:357)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2657)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
What we noticed is that LDAP connections (no SSL) seem to be okay. We have verified that connections can be made from our app server box to our LDAP server on the SSL port. We've also created a simple Java servlet that makes LDAPS connections using JNDI and put this in the same container as IdM, and this seems to connect okay as well. This seems to indicate that the hanging is not an SSL issue but an SPE one.
We do notice from examining the LDAP logs that the same connections are being used over and over. This is expected connection pooling behavior, but could this be an issue if we switch our connection from LDAP to LDAPS? Does the pool not get purged when we switch on SSL?

Updated findings:
We were able to duplicate this in a Windows sandbox environment. Again it breaks when SPE tries to do an LDAPS operation. Here's what we have figured out so far.
a.) Definitely not a certificate issue
b.) Almost definitely not a JDK/JCE/JSSE issue
c.) Definitely not an LDAP issue
d.) Not an IdM 6.0 issue (can provision users from the IdM console)
e.) Not a connection pooling issue (turned off pooling and it still hung)
f.) Not a network issue.
It seems at this stage that the problem stems from SPE. Has anyone ever gotten SPE to work with LDAP over SSL? Any suggestions?

Similar Messages

  • Can IdM make LDAP modrdn operations? (No replies = No can do)

    Maybe I am flogging a dead horse, but I am trying to get IdM to manage an LDAP resource where the LDAP entries may move in the Directory Information Tree... the usual situation when a person moves department/location/job etc.
    I am prepared to believe it can, yet I am starting to despair of IdM.
    If anyone is prepared to answer "Yes", could they please take time to explain to an IdM novice just how I can influence the Update user workflow so that it is aware of any changes to attributes which affect the DN, i.e. we need to do a modRDN on the LDAP resource.

    You should look at Directory Junction - the premise is that the DIT and the structure in Identity Manager should mirror one another.
    Most IdM implementations have strict rules that follow moves, job transfers and such - so they are usually put through a custom workflow.
    In this case you would need to customize the Update workflow to handle the case when e.g. 'location' is changed. I've been doing this a while, and this is how I did it at a client.
    Let's say they go from ou=location33,ou=people,o=company.com to ou=location45,ou=people,o=company.com. What you need to do is put a transition (triggered by a change in the location) that goes to an update and rename activity.
    Checkout the user view:
    <Action id='1' name='Fetch userview' application='com.waveset.session.WorkflowServices' hidden='true'>
      <Argument name='op' value='getView'/>
      <Argument name='type' value='User'/>
      <Argument name='id' value='$(accountId)'/>
      <Argument name='TargetResources'>
        <list>
          <s>LDAP_Resource</s>
        </list>
      </Argument>
      <Argument name='subject' value='Configurator'/>
      <Return from='view' to='user'/>
    </Action>
    Update the 'Location' attribute:
    <set name='user.accounts[LDAP-Resource].location'>
      <ref>locationVariable</ref>
    </set>
    Build the new DN:
    <!-- the concatenated value is what the rename below assigns as new_identity;
         the suffix needs its leading comma or the two ou= RDNs run together -->
    <set name='new_identity'>
      <concat>
        <s>ou=</s>
        <ref>locationVariable</ref>
        <s>,ou=people,o=company.com</s>
      </concat>
    </set>
    Checkout a Rename view to change the DN.
    <Activity id='13' name='Update LDAP'>
      <Action id='0' name='Modify LDAP User' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='checkoutView'/>
        <Argument name='subject' value='Configurator'/>
        <Argument name='authorized' value='true'/>
        <Argument name='type' value='RenameUser'/>
        <Argument name='id' value='$(accountId)'/>
        <Argument name='toRename' value='[LDAP-Resource]'/>
        <Argument name='resourceAccounts.currentResourceAccounts[LDAP-Resource].selected' value='true'/>
        <Return from='view' to='newViews'/>
      </Action>
      <Action id='1'>
        <expression>
          <block>
            <!-- dump the view before and after the edits for tracing -->
            <invoke name='toXml'>
              <ref>newViews</ref>
            </invoke>
            <set name='newViews.accounts[LDAP-Resource].identity'>
              <ref>new_identity</ref>
            </set>
            <set name='newViews.resourceAccounts.currentResourceAccounts[LDAP-Resource].identity'>
              <ref>new_identity</ref>
            </set>
            <set name='newViews.resourceAccounts.currentResourceAccounts[LDAP-Resource].selected'>
              <s>true</s>
            </set>
            <invoke name='toXml'>
              <ref>newViews</ref>
            </invoke>
          </block>
        </expression>
      </Action>
      <Action id='2' name='Rename Checkin' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='checkinView'/>
        <Argument name='view' value='$(newViews)'/>
        <Argument name='subject' value='Configurator'/>
      </Action>
    </Activity>
    --------------
    Be careful, make sure you have the business requirements well defined; moves can be pretty serious operations to automate.
    You might think about changing the user's waveset.organization if the change in facility also affects their location in Identity Manager.
    Matt Walters
    CPSG
    [email protected]
    (972)824-9224

  • IBM Websphere to ActiveDirectory ( Win 2003 ) LDAP SSL.

    I am trying to connect to Win 2003 AD LDAP from WebSphere Application Server.
    I have installed the Win2k certificates into the local key store.
    I used ikeyman of WebSphere. The Win2k3 certificates were in .arm format (that's how the Win2k3 admin gave them to me). I successfully installed the certificates in the local keystore and pointed to the keystore when the LDAP connection is happening.
    I am getting a MalformedURLException: cannot parse url ldaps://xx.xx.x.x:636, Not an LDAP url.
    At the same time I also tried with the Sun JDK. It shows another error:
    default context init failed: java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
    Please help me. I want this program to run from the IBM WebSphere environment.
    Please find my code below.
    Thanks in advance.
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import java.io.*;

    public class Test {
        public static void main(String args[]) {
            //String userName = "CN=Renjith\\, Vasudevan";
            String userName = null;
            String test = ",OU=xx,OU=xx,DC=xx,DC=xxm";
            String newPassword = "xxx";
            String oldPassword = "xx";
            Hashtable env = new Hashtable();
            //Hard coded values - will be moved to properties file.
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //env.put(Context.PROVIDER_URL, "ldap://X.X.X.X:389");
            env.put(Context.PROVIDER_URL, "ldaps://X.X.X.X:636");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            //env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "xxxx");
            //env.put(Context.SECURITY_PROTOCOL,"ssl");
            String keystore = "C:\\j2sdk1.4.2_04\\jre\\lib\\security\\cacerts";
            System.setProperty("javax.net.ssl.trustStore", keystore);
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // The following code is only for getting the correct dn - the hardcoded dn had some tabbing/char problem.
                // Renjith - begin
                SearchControls constraints = new SearchControls();
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
                String[] strAttributes = { "sAMAccountName", "memberOf" };
                //String FILTER = "(&(objectClass=user))";
                String FILTER = "(&(objectClass=user)(sAMAccountName=prrev))";
                String searchBase = "OU=xx,OU=xx,DC=infores,DC=xx";
                constraints.setReturningAttributes(strAttributes);
                NamingEnumeration results = ctx.search(searchBase, FILTER, constraints);
                System.out.println("results : " + results);
                while (results != null && results.hasMore()) {
                    SearchResult sr = (SearchResult) results.next();
                    // getName() is relative to searchBase, hence the suffix appended below
                    String dn = sr.getName();
                    //String dn = ((Context)sr.getObject()).getNameInNamespace();
                    if (dn.indexOf("Renjith") != -1) {
                        System.out.println("Distinguished Name : " + dn);
                        //System.out.println("Charg"+dn.toCharArray());
                        userName = dn + test;
                        break;
                    }
                }
                // Renjith - end.
                // Setting the password is an LDAP modify operation: AD expects the
                // quoted password as UTF-16LE in unicodePwd, old value removed, new value added.
                ModificationItem[] mods = new ModificationItem[2];
                String oldQuotedPassword = "\"" + oldPassword + "\"";
                byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
                String newQuotedPassword = "\"" + newPassword + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", oldUnicodePassword));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", newUnicodePassword));
                System.out.println("Trying to reset Password for: " + userName);
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                System.out.println("Reset Password for: " + userName);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
                System.out.println("Problem resetting password: " + e);
            } catch (UnsupportedEncodingException e) {
                System.out.println("Problem encoding password: " + e);
            }
        }
    }

    The first error you described, "malformed URL", is possibly due to the fact that your JRE version 1.4 does not support the ldaps URL.
    If using 1.4 then you must use the following syntax:
    env.put(Context.PROVIDER_URL,"ldap://servername:636");
    If using 1.5, then it supports the syntax:
    env.put(Context.PROVIDER_URL,"ldaps://servername:636");
    I can't comment on the other error message you receive, however I am concerned at two things: one is that in your sample code you are using a "null" user name, and secondly, I have no idea what certificate you have installed. I do not recall seeing a Windows CA cert with the extension of .arm. Normally the Root CA exported trust cert has the extension of .cer.
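    Added example, not code from this thread: the JRE 1.4 form of an LDAPS context that the reply above describes (an ldap:// URL on port 636 plus Context.SECURITY_PROTOCOL set to ssl), combined with JNDI connect and read timeouts so that a bind which never gets a reply, like the hang in the top post, surfaces as an exception instead of holding the thread until the default timeout. Host, bind DN and password are placeholders, and the server's CA is assumed to be in the JRE trust store.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * LdapsProbe: opens a single LDAPS bind through JNDI with bounded timeouts.
 * Written in JRE 1.4 style (raw Hashtable, no "ldaps://" URL) so it also runs
 * on the older JREs where "ldaps://" is rejected as "Not an LDAP URL".
 */
public class LdapsProbe {

    // Placeholder connection details; replace with real values.
    static final String HOST = "ldap.example.com";
    static final int SSL_PORT = 636;
    static final String BIND_DN = "cn=Directory Manager";
    static final String BIND_PASSWORD = "change-me";

    /** Builds a JNDI environment for an SSL connection that cannot wait forever. */
    static Hashtable buildEnv(String host, int port, String bindDn, String bindPassword,
                              int connectTimeoutMs, int readTimeoutMs) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // JRE 1.4 cannot parse "ldaps://"; an "ldap://" URL on the SSL port with
        // SECURITY_PROTOCOL=ssl works there and on Java 5+ alike.
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // Bound the TCP connect (environment property available since JRE 1.4.1).
        env.put("com.sun.jndi.ldap.connect.timeout", String.valueOf(connectTimeoutMs));
        // Bound the wait for each LDAP reply, including the bind response (Java 6+;
        // ignored by older JREs, where a listener that accepts the TCP connection but
        // never answers the bind blocks the calling thread until the socket gives up).
        env.put("com.sun.jndi.ldap.read.timeout", String.valueOf(readTimeoutMs));
        return env;
    }

    /**
     * Connects, binds and reads the root DSE. Returns the elapsed milliseconds;
     * throws NamingException (a CommunicationException on connect or read timeout).
     */
    static long probeBind(Hashtable env) throws NamingException {
        long start = System.currentTimeMillis();
        DirContext ctx = new InitialDirContext(env);  // TCP connect, TLS handshake, bind
        try {
            // Reading the root DSE proves the session is usable, not merely connected.
            ctx.getAttributes("", new String[] { "namingContexts" });
        } finally {
            ctx.close();
        }
        return System.currentTimeMillis() - start;
    }

    public static void main(String[] args) {
        // JNDI pools connections per protocol and pools only "plain" ones by default,
        // so an application that relied on pooling over LDAP and then switches to SSL
        // opens a fresh, unpooled connection per context unless "ssl" is listed here.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");

        Hashtable env = buildEnv(HOST, SSL_PORT, BIND_DN, BIND_PASSWORD, 5000, 10000);
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        try {
            long ms = probeBind(env);
            System.out.println("LDAPS bind and root DSE read succeeded in " + ms + " ms");
        } catch (CommunicationException e) {
            // Transport-level failure or timeout: check the SSL listener and trust
            // store before suspecting the application code above it.
            System.out.println("LDAPS connect/bind timed out or failed: " + e);
        } catch (NamingException e) {
            System.out.println("LDAPS bind rejected by the directory: " + e);
        }
    }
}
```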

  • What is the use of jpegPhoto in idm spe (8.0)

    I have an IDM SPE 8.0. I am to load data into the LDAP. If a profile is created by IdM, it has a jpegPhoto attribute created on the profile. But it seems with or without the jpegPhoto attribute, IdM is able to maintain the profile. So what is the use of the jpegPhoto attribute?
    Thanks in advance for any help.

    This is how EM property in CSS, can be used:
    *" 1em is equal to the current font size. 2em means 2 times the size of the current font. E.g., if an element is displayed with a font of 12 pt, then '2em' is 24 pt. The 'em' is a very useful unit in CSS, since it can adapt automatically to the font that the reader uses".*
    Sample:
    To show a label with twice the size of the actual font-size:
    <af:form id="f1">
    <af:outputLabel value="outputLabel1" id="ol1"
    inlineStyle="background-color:red; font-size:2em;"/>
    </af:form>
    Thanks,
    Navaneeth

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application source, knowing what OS & hardware you're using etc. You might want to try running with different JVM versions to see if it's actually the VM that is the problem. If you have a support contract with BEA you could ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 (with JRockit as the JVM). This application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem seems to happen on loading the machine.. the performance progressively gets worse and after a couple of seconds, all the threads stop responding. I checked the heap, cpu and the idle threads in the execute queue and there is nothing there to trigger alarms... there are quite a few idle threads still and the heap and the cpu utilization seem OK. On doing a thread dump, I see that all the other threads seem to be in a state where they are waiting for data from LDAP and it is basically read-only data that they are waiting on.
    Does anyone know what is going on and help point me in the right direction?
    -Ayub

  • Convergence with LDAP SSL Failure

    Hello,
    I'm now having a problem securing connections between Convergence and my LDAP server.
    Once I set it in iwcadmin, ugldap.enablessl to true and change the port to 636, the following error occurs and convergence just couldn't authenticate.
    server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
    [#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
    [#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
    HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
    Does anyone have any ideas?
    Thanks so much in advance!
    Mathew


  • LDAP SSL requirement and setup

    Can someone point me the direction on setting up LDAP SSL in Apex 2.2?
    Is there any documentation available? Thank you.

    I have the same request. The only information I could find was here: LDAP Authentication Failed

  • Spreadsheet Operation Hangs and Cannot Be Terminated

    My issue is twofold:
    I am having Excel spreadsheet operations hang for several minutes, eventually users are terminating the operation themselves by closing Excel, however the request still lingers on the server. (Issue 1- why is this happening? this problem has affected various apps/dbs at various times of day, various users, i.e. no clear pattern. Sometimes we go for weeks and this doesn't happen. Instances are not associated with synchronization of security with Shared Services.)
    Secondly, whether I kill the request in EAS or in MaxL, the request shows as "terminating" in EAS indefinitely. The database in question can still be logged into, but the original hang/termination just causes any user who queries subsequent to hang too/again. When I try to forcibly log off a user with a "terminating" request, I get a failure message "timeout while waiting for requests to die". (Issue 2 - why won't these hung requests terminate with a kill command? Would they ever terminate? Is there some kind of config file setting I am missing that is causing/contributing to hung sessions?)
    Log files do not reveal any abnormalities upon user login, warnings or otherwise.
    Thanks for reading this.
    Version 9.3.1

    Stepanie:
    With the details you have given me, check:
    if the users are not running multiple instances of the Excel book - this might have worked in legacy versions but won't work in 9.
    Secondly, test the issue using Smart View; ideally you could advise the users to use Smart View and perform the operation and see if they still face the issue, to isolate it to an Essbase server-side or client-related issue.
    Check on the user's box if ARBORPATH and ESSLANG are defined correctly. ESSLANG of the server should match the client.
    Going by best practice and the Hyperion recommendation: "Use the same version of add-in as the version of server".
    Can you isolate this to one particular DB/application?
    Can we try to see if we remove the existing Excel add-in, then reboot the box to clear the registry entry and then install the latest 9.3.1.3 Excel add-in?
    TIP:
    If you have a CSI number that your company signed up for, then use METALINK3 and search for the latest version of the Excel add-in for your operating system platform and install it.
    Else use http://edelivery.oracle.com
    The latest one is 9.3.1.3 with Download Number V14763-01.
    I hope this helps
    - Sriram Kalyanaraman

  • Rodc ldap ssl

    I am putting an RODC on the DMZ in a separate forest from the internal network.
    On the DMZ, I have a read/write 2012 DC in 2008R2 mode. Then I added an RODC in the same DMZ forest.
    I want to open up 636 to the RODC from the public for LDAP SSL.
    Is this ok? How would I go about setting up LDAP SSL over the public internet? I guess I will need a public cert.

    Hello,
    maybe you can describe the reason which requires LDAP over SSL access?
    In the meanwhile see
    http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
    You can also work with self-signed certificates
    http://gregtechnobabble.blogspot.de/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html
    It depends on the service/application requirement.
    We use for example an external access to our network but work with self-signed certificates for password change if accounts are required to change the password.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Push User account from IDM to LDAP

    Hi,
    I need to push the new users created in IDM to LDAP. I created a rule library specifying the attributes that need to be pushed and am calling that library in the create user workflow.
    However, the new user and related attributes are not being pushed to LDAP. Can somebody point out the mistake in my code?
    Here is the Rule Library:
    <!-- library name matches the RULE-LIB-xxx prefix used by the workflow's rule call -->
    <Configuration name='RULE-LIB-xxx'>
      <Extension>
        <Library>
          <Comments>rule library that contains all rules</Comments>
          <Rule name='RULE_create_LDAP_Acct'>
            <!-- declare the arguments the rule references (the posted copy had one RuleArgument with an empty name) -->
            <RuleArgument name='firstname'/>
            <RuleArgument name='lastname'/>
            <RuleArgument name='accountId'/>
            <block trace='true'>
              <set name='user.accounts[LDAP1].firstname'>
                <ref>firstname</ref>
              </set>
              <set name='user.accounts[LDAP1].lastname'>
                <ref>lastname</ref>
              </set>
              <set name='user.accounts[LDAP1].accountId'>
                <ref>accountId</ref>
              </set>
              <set name='user.accounts[LDAP1].email'>
                <ref>user.waveset.email</ref>
              </set>
            </block>
          </Rule>
        </Library>
      </Extension>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </Configuration>
    Here is the change i made to provision activity in create user workflow:
    <Activity id='4' name='Provision'>
      <Comments>&#xA; Perform the standard Lighthouse provisioning process.&#xA; </Comments>
      <Action id='0' process='Data Transformation'>
        <Comments>Apply any defined data transformations</Comments>
        <Argument name='ruleName'>
          <ref>transforms.preProvisionRule</ref>
        </Argument>
        <Argument name='formName'>
          <ref>transforms.preProvisionForm</ref>
        </Argument>
      </Action>
      <Action id='1'>
        <expression>
          <cond>
            <eq>
              <ref>sunrise.createResourceAccounts</ref>
              <s>true</s>
            </eq>
            <block>
              <set name='options.targets'>
                <List>
                  <String>LDAP1</String>
                </List>
              </set>
              <set name='user.waveset.resources'>
                <filterdup>
                  <appendAll>
                    <ref>user.waveset.resources</ref>
                    <list>
                      <s>LDAP1</s>
                    </list>
                  </appendAll>
                </filterdup>
              </set>
            </block>
          </cond>
        </expression>
      </Action>
      <Action id='2' name='Create LDAP Account'>
        <rule name='RULE-LIB-xxx:RULE_create_LDAP_Acct'>
          <argument name='firstname' value='$(firstname)'/>
          <argument name='lastname' value='$(lastname)'/>
          <!-- the posted copy had value='(email)', which passes the literal string instead of the variable -->
          <argument name='email' value='$(email)'/>
        </rule>
      </Action>
    </Activity>
    Any help is appreciated.
    Thanks,

Ankush,
I am having this problem only when trying to assign LDAP to a user through the WF. No problems whatsoever when doing it manually.
I tried creating a container, users, under people and modified the identity template accordingly. But no luck, the same Error Code 32.
I have 3 required attributes in the mapping: cn, sn and uid. The object classes I have are top, person, organizationalPerson and inetOrgPerson.
The only modification I made to the create user WF is adding this action under provision:
<Action id='2' name='Create LDAP Account'>
<rule name='Create LDAP Account'>
<argument name='firstname' value='$(firstname)'/>
    <argument name='lastname' value='$(lastname)'/>
    <argument name='email' value='$(email)'/>
    </rule>
    </Action>
    The Rule is as follows:
    <block>
    <set name='user.waveset.accountId'>
    <ref>accountId</ref>
    </set>
    <set name='user.accounts[Lighthouse].accountId'>
    <ref>accountId</ref>
    </set>
    <set name='user.waveset.resources'>
    <filterdup>
    <appendAll>
    <ref>user.waveset.resources</ref>
    <s>LDAP1</s>
    </appendAll>
    </filterdup>
    </set>
    <set name='user.waveset.assignedLhPolicy'>
    <s>LighthouseAccountPolicy</s>
    </set>
    <set name='user.waveset.firstname'>
         <ref>firstname</ref>
    </set>
    <set name='user.waveset.lastname'>
         <ref>lastname</ref>
    </set>
    <!-- <set name='user.waveset.email'>
         <ref>email</ref>
    </set> -->
    <set name='user.waveset.organization'>
    <s>Top</s>
    </set>
    <set name='user.waveset.accounts[LDAP1].created'>
    <s>true</s>
    </set>
    </block>
    </Rule>
    Please let me know if something is wrong with this.
    Thanks,

  • How to configure LDAP SSL using auto login wallet?

    Hello,
    I need to enable authentication over LDAP SSL.
I've configured a wallet (auto login) containing the required certificates and set the WALLET_PATH and WALLET_PWD settings accordingly using the apex_instance_admin.set_parameter method.
With this, everything is working fine and LDAP over SSL is working well. It confirms that the wallet is properly configured, valid and usable.
So, the wallet was created with the auto login option and it seems to work well without specifying a password when calling utl_http.
Proof of a properly configured auto login wallet (without a password):
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
BEGIN show_html_from_url('https://www.verisign.com/'); END;
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1527
ORA-29261: bad argument
ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 1
TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
PL/SQL procedure successfully completed.
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
PL/SQL procedure successfully completed.
So, when I configure WALLET_PATH without WALLET_PWD, it does not seem to work as it should with my auto login wallet...
What am I missing? Is it APEX not handling auto login wallets correctly?
Apex Version: 4.2.0.00.27
OS: OEL 6.4
DB: 11.2.0.3 x64
Thanks
Bruno Lavoie

  • JAVA APIs for IDM SPE

Could anyone please tell me which APIs are used in Sun IDM SPE for different purposes?
Please send the link to all the APIs of Sun IDM SPE.
    Thanks in advance!

    Hi there,
Not sure if this is what you want, but if I understand your message right, the javadocs that explain the Sun IDM APIs are in REF/javadocs in the IDM software download.

  • Problem connecting LDAP SSL

    Hello:
I am trying to connect IDM 6.0 SP1 with Sun Directory Server 5 (LDAP) using the LDAP adapter. If I use the non-secure port (389) it is OK and the connection works fine.
But if I try to use the SSL port (636) I get an error.
Directory Server is configured to work with both ports (389 and 636); it has SSL enabled and has a certificate (self-signed). Another application (an LDAP browser) can connect to the SSL port without problem.
Is there something else to do on the machine running IDM (for example, install the LDAP certificate)? How do I do this?
Both machines are Solaris 10 x86 and they are in the same DNS domain.
Thanks

    To connect to an SSL resource, you must have a certificate trust chain defined in the Java Virtual Machine in which the IDM is running. Not knowing what web server you are running IDM on, I must be general in my reply. You need to include the following system property definition in the java parameters for your JVM:
    -Djavax.net.ssl.trustStore=<fully qualified path to a JKS keystore containing the trust chain for your self signed server cert>
    e.g.
    -Djavax.net.ssl.trustStore=/myapps/idm/truststore.jks
You can create the truststore using the keytool utility that comes with the Sun Java JDK (<JAVA_HOME>/bin/keytool). Hope this helps.
    FYI - your browser queries to LDAP work because you have the trust chain stored in your browser certificate cache.
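As an added illustration, not code from this thread or from Sun IDM: a small Java program that does what the reply above describes, but programmatically. It imports the directory server's self-signed certificate (assumed to have been exported to a PEM file, server.crt) into a JKS truststore, the same result as keytool -importcert; checks that the store really contains a trusted-certificate entry before the app server is started with it; then opens an LDAPS context through JNDI the way the adapter does, with explicit connect and read timeouts so a trust or handshake problem surfaces as an exception instead of the open-ended hang reported at the top of this thread. The host ldap.example.com, the bind DN, the passwords and the file names are placeholders, and the code assumes a JDK 7 or later (try-with-resources), not the 1.4 JRE mentioned earlier.

```java
// Added example, not from the thread or from Sun IDM. All hosts, DNs, passwords
// and file names below are placeholders.
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Hashtable;

public class LdapsTrustStoreCheck {

    /** Programmatic equivalent of:
     *  keytool -importcert -alias ldapserver -file server.crt -keystore truststore.jks */
    static void importServerCert(String pemFile, String storeFile, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, storePass);                      // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(pemFile)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity();                      // fail early on an expired/not-yet-valid cert
            ks.setCertificateEntry("ldapserver", cert);
        }
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ks.store(out, storePass);
        }
    }

    /** Pre-flight check before pointing the JVM at the store: an empty or wrong
     *  truststore is the usual cause of handshake failures on port 636. */
    static int countTrustedCerts(String storeFile, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storeFile)) {
            ks.load(in, storePass);
        }
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    /** Open an LDAPS context through JNDI, as the IDM LDAP adapter does, with
     *  connect and read timeouts so a bad handshake throws instead of hanging. */
    static DirContext connectLdaps(String host, int port, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "10000"); // milliseconds
        env.put("com.sun.jndi.ldap.read.timeout", "30000");    // milliseconds
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();        // placeholder store password
        importServerCert("server.crt", "truststore.jks", pass);
        System.out.println("trusted certificate entries: "
                + countTrustedCerts("truststore.jks", pass));
        // Same effect as -Djavax.net.ssl.trustStore=... on the JVM command line
        System.setProperty("javax.net.ssl.trustStore", "truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        DirContext ctx = connectLdaps("ldap.example.com", 636,
                "cn=Directory Manager", "password-placeholder");
        System.out.println("bound over LDAPS as "
                + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        ctx.close();
    }
}
```

Run it once on the app server host with the real host name and bind DN; if the bind succeeds here but still hangs inside IDM, the JVM that runs the app server is probably not the one carrying the -Djavax.net.ssl.trustStore setting, or the adapter's pooled connections were created before SSL was switched on.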

  • LDAP SSL and Secure

    I am unable to get SSL or Secure LDAP connection to work.
    These are my settings for Directory-service:
    name: TEST
    description: TEST
    login-prefix: TEST
    type: GenericLdap
    last-sync: (no value)
    last-sync-error: The server is not operational.
    users: (no value)
    groups: (no value)
    Connection settings
    host: ldap.xon-ionx.****.se
    port: 636
    top-directory: ou=USER_CONTAINER,o=ROOT
    binding-type: Secure
    synchronization-account: cn=ZAV_User,ou=external,o=ROOT
    password: ********
    Schema settings
    user-filter: (objectClass=inetOrgPerson)
    user-class: inetOrgPerson
    user-login-name: cn
    user-first-name:
    user-last-name:
    user-full-name: cn
    group-filter: (objectClass=groupOfNames)
    group-class: groupOfNames
    group-name: cn
    group-description: description
    group-members: member
    Message from server is not saying much: Not synchronized (error: The server is not operational.)
    Debug log output as follows:
    05-07-2013 08:47:09.9960 - Critical - 0x0C5C: Directory service TEST could not be completely synced. Connection settings: host ldap.xon-ionx.****.se, port 636, top ou=USER_CONTAINER,o=ROOT, user cn=ZAV_User,ou=external,o=ROOT, type Secure, ufilter (objectClass=inetOrgPerson), uclass inetOrgPerson, uuname cn, ufname , ulname , uflname cn, gfilter (objectClass=groupOfNames), gclass groupOfNames, gdescription description, gmembership member
    The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll()
at Spoon.Server.Common.Data.Library.DirectoryService._SyncNode(LibraryDataContext dc, DirectoryServiceNode dsn, Dictionary`2 dictUsers, Dictionary`2 dictGroups, Dictionary`2 dictUsersToInclude, Dictionary`2 dictGroupsToInclude, Int32& iUsersAdded, Int32& iGroupsAdded)
at Spoon.Server.Common.Data.Library.DirectoryService.Sync()
    /Mathias

    Do other binding options function as expected (Simple, Anonymous)? I'm also working on setting up a test environment to try and reproduce this. If I find something that can help, I'll update the thread.
    The support team could open a proper ticket with Spoon about this, but it requires that you open an SR first.

  • Idm with LDAP as repository

    Hi,
Does IdM support LDAP as a repository?
    Regards,
    madhusrinivas

That is logical as well: since IDM does so many read/write operations, if we start using LDAP for that it will be very slow, as write operations in any hierarchical database are slow.
