InetOrgPerson objectclass missing in OID
Hi all,
We have a serious issue in our production environment with respect to OID. We have added a custom attribute in OID using Directory Manager and attached the attribute to inetOrgPerson objectclass. We later realized that the attribute name was given wrong and deleted the attribute manually without removing reference in inetOrgPerson objectclass. After this, the inetOrgPerson objectclass is missing in OID schema due to which user creation in OIDDAS console is failing. This is highly critical for us to get fixed immediately.
Appreciate quick response.
Thanks for your help in advance.
Regards,
Mahendra.
The issue is resolved. Got the inetorgperson object details from another working instance, made minor changes like removing unnecessary attributes etc., and imported them to the damaged instance. Bounced the OID and OC4J processes and it started working fine.
-M
Similar Messages
-
CISCO-ENTITY-VENDORTYPE-OID-MIB missed OID
Hi,
We use CISCO-ENTITY-VENDORTYPE-OID-MIB in our HW Inventory application and I found that one OID is missing in this MIB.
It is "cevContainerC7200CCPA" "1.3.6.1.4.1.9.12.3.1.5.172". I can find it via the SNMP Object Navigator, but when I look at the MIB file, there are only the .171 and .173 OIDs and .172 is missing.
Do you have any idea whether it is a broken MIB file or my fault?
Thank you very much.
Pavel
Seems like there is an older version of the MIB posted. Thanks for pointing it out. I have alerted the downstream teams to poke at it. Thanks to Joe Clarke for chasing them down.
-
OID can not display some users - java.lang.ArrayIndexOutOfBoundsException:0
We have set up AD to OID synchronization for users and groups using the Import connector, and it worked fine. The users in OID can log into applications protected by OAM. But recently I found that some users that could be displayed in OID before can not be displayed now. If I click on the DN in Oracle Directory Manager, an error window pops up. It is a long error message, and the first few lines are as follows:
0
java.lang.ArrayIndexOutOfBoundsException:0
at oracle.ldap.admin.AttrOptions.<init>(entry.jave:3151)
at Oracle.ldap.admin.Entry.getProp(entry.java:457)
I don't see any error message in the integration profile or log files. I am testing things on an account that is having this trouble, and the strange thing is that it can not log into application protected by OAM any more, but it can log into OAM console.
We use OID 10.1.2.3 on Windows, and OAM 10.1.4.0.1.
I searched in Metalink but didn't find anything helpful. Any help is appreciated. Thanks for your time.
Hailie
Pramod,
Thank you for your reply. Please see below my answers to your questions:
-> Do you see any pattern in the users (DN) that are unable to be displayed/login?
Yes, I do see a pattern. There is one change in the problem user's DN: the "\" after the last name is gone.
Before: cn=smith\, john, cn=users,dc=abc,dc=com
Now: cn=smith, john, cn=users,dc=abc,dc=com
However, when I check in Active Directory, the "\" is present. In OID, if I right-click on cn=smith, john and try to delete it, I get an error message "LDAP: error code 34 - Error in DN Normalization". Is that caused by the missing "\"?
-> Does ldapsearch on these users (with all attributes) show something (special chars, etc)?
ldapsearch on cn=smith, john,cn=users,dc=abc,dc=com returns no objects:
$ldapsearch -L -D "cn=orcladmin" -w "*****" -h host -p 389 -b "cn=smith, john,cn=users,dc=abc,dc=com" -s sub "objectclass=*"
ldap_search: No such object
ldap_search: matched: cn=Users, dc=abc,dc=com
Ldap search on cn=smith\, john,cn=users,dc=abc,dc=com:
$ldapsearch -L -D "cn=orcladmin" -w "*****" -h host -p 389 -b "cn=smith\, john,cn=users,dc=abc,dc=com" -s sub "objectclass=*"
dn: cn="smith, john",cn=users,dc=abc,dc=com
uid: [email protected]
employeenumber: 916963
cn: smith, john
registeredaddress: 512
krbprincipalname: [email protected]
orclsamaccountname: ABC.COM$JSmith
sn: johnsmith
displayname: John
orclobjectguid: lJO0N+8H4UW/30yHukSfsw==
orclobjectsid: AQUAAAAAAAUVAAAAohxTYWIV3XFeP55cYjwAAA==
orcluserprincipalname: [email protected]
objectclass: oblixorgperson
objectclass: inetorgperson
objectclass: orcluserv2
objectclass: person
objectclass: orcladuser
objectclass: organizationalPerson
objectclass: top
obver: 10.1.4.0
-> Do you see the same behavior when you use any generic LDAP browser (Ex: Apache Directory Studio) instead of ODM?
I don't have Apache Directory Studio installed yet. I will try that later.
-> Does the changelog for the particular synch (for the affected users) show something?
Here is what I found in ActiveChgImp.aud
(weeks ago)
97426524 : Success : MODIFY : cn=smith\, john,cn=users,dc=abc,dc=com
(Recent change - the backslash after smith was gone, and "" showed up)
97469970 : Success : MODIFY : cn="smith, john",cn=users,dc=abc,dc=com
-> If login to OAM is possible, can the user modify his/her profile, and does it save the changes? If it does, can you try logging in to apps?
This user can log into the OAM identity system, but when I click on "My profile" under "User manager", I get an error message "You do not have sufficient access rights".
If I log into identity system as orcladmin, I was able to modify it and save the changes. But in OID the user is still not displayed. Same error message. When I tried to add it as administrator, I could search on it, add it, but when I press "done", it didn't show up on the admin list. The users that can be displayed in OID can be added to admin list without a problem.
Thanks,
Hailie -
DIP fails loading dynamic groups into OID
Hello,
we're trying to load groups from OeBS into OID and associate them via the dynamic groups feature with user records that were loaded earlier as follows:
personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
orcltimezone=Asia/Yekaterinburg
displayname=NOT ASCII
employeetype=NOT ASCII
givenname=NOT ASCII
postalcode=628484
orcldateofbirth=19610404000000
orclgender=F
departmentnumber=342
uid=18630
mail=HRNULL
cn=NOT ASCII
initials=NOT ASCII
street=NOT ASCII
employeenumber=4824
middlename=NOT ASCII
l=NOT ASCII
orclhiredate=20051107000000
sn=NOT ASCII
personid=18630
c=Russia
title=NOT ASCII
objectclass=inetorgperson
objectclass=person
objectclass=organizationalperson
objectclass=orcluserv2
objectclass=kapitalperson
objectclass=country
objectclass=residentialperson
objectclass=locality
objectclass=top
Among other attributes, each user entity has 'departmentNumber', which indicates the number of his/her department.
Now we are trying to load the list of departments as dynamic groups with the following config files:
*** DevHRAgentGroups.cfg ***
[SELECT]
SELECT psv.version_number
, pos.name hierarchyname
, hou.organization_id depno
, poe.organization_id_parent parent_id
, REPLACE(hou2.name, '"') parentname
, poe.organization_id_child child_id
, REPLACE(hou.name, '"') orgname
, 'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber='||hou.organization_id||')' ldapuri
, hrl.meaning org_type
FROM per_organization_structures pos
, per_org_structure_versions psv
, per_org_structure_elements poe
, hr_all_organization_units hou
, hr_all_organization_units hou2
, hr_lookups hrl
WHERE pos.business_group_id = psv.business_group_id
AND pos.organization_structure_id = psv.organization_structure_id
AND pos.primary_structure_flag = 'Y'
AND psv.date_to IS NULL
AND poe.org_structure_version_id = psv.org_structure_version_id
AND poe.business_group_id = hou.business_group_id
AND poe.organization_id_child = hou.organization_id
AND poe.business_group_id = hou2.business_group_id
AND poe.organization_id_parent = hou2.organization_id
AND hrl.lookup_code = hou.type
AND hrl.enabled_flag = 'Y'
AND hrl.lookup_type = 'ORG_TYPE'
AND hrl.lookup_code NOT IN (30,40)
AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
*** DevHRAgentGroups.map ***
DomainRules
NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
AttributeRules
orgname:1: : :cn: :groupOfUniqueNames
depno:1: : :departmentID: :kapitalDepartment
ldapuri: : : :labeledURI: :orclDynamicGroup
We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at the mapping phase:
Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
Changetype is 5
Processing modifyRadd Operation ..
Entry Not Found. Converting to an ADD op..
Processing Insert Operation ..
Performing createEntry..
Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan'
[LDAP: error code 1 - Dynamic group cache update failed.]
javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
DIP_LDAPWRITER_ERROR_CREATE
Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
DIP_LDAPWRITER_ERROR_CREATE
Please note: loading is successful if we comment out the mapping line for the labeledURI attribute (that is, loading static groups).
Loading is also successful when labeledURI is mapped to 'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objectclass=person)', but this is definitely not what we are going to get.
I have no idea what's wrong, for example, with the following generated 'labeledURI' attribute:
ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
Any help is appreciated
Thanks,
Edward
Hi Frank,
there is something wrong with the departmentnumber attribute of the user records. Searching users with ldapsearch using the "departmentnumber=*" filter fails with the following error:
ldap_search: DSA is unwilling to perform
ldap_search: additional info: Function Not Implemented
I think this is probably the cause of the failing creation of dynamic groups.
Searching on other user attributes (cn, uid, employeenumber) works fine.
I still don't understand what's wrong with this particular attribute. -
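The labeledURI values in the DIP dynamic-group thread above are RFC 4516 LDAP URLs (host, port, base DN, attributes, scope, filter separated by '?'). The following added example, not code from the thread, from Oracle DIP or from OID, parses such a URL into its parts, checks the filter is structurally sound, and builds one the other way round with the filter value escaped per RFC 4515, so a generated URI can be validated before it is written into an orclDynamicGroup entry. Host, base DN and filter values are the ones quoted in the thread; the `parse_ldap_url`, `build_dynamic_group_uri` and `escape_filter_value` names are this example's own.

```python
"""RFC 4516 LDAP URL handling for orclDynamicGroup labeledURI values.

Added example for the DIP dynamic-group thread; not code from that thread,
from Oracle DIP or from OID.  Host, base DN and filter values are the ones
quoted in the thread.
"""
from urllib.parse import quote, unquote

VALID_SCOPES = {"base", "one", "sub"}


def escape_filter_value(raw):
    """Escape an assertion value per RFC 4515 so it cannot change the filter
    structure.  The SQL in the thread concatenates hou.organization_id into the
    filter unescaped, which is safe only because that column is numeric."""
    out = []
    for ch in raw:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def filter_is_balanced(filt):
    """Cheap structural check: parentheses balanced and an outermost pair present."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filt.startswith("(") and filt.endswith(")")


def parse_ldap_url(url):
    """Split 'ldap[s]://host[:port]/dn[?attrs[?scope[?filter[?exts]]]]'.
    Returns a dict of the parts; raises ValueError on structural problems."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    port = 636 if scheme == "ldaps" else 389
    if hostport.startswith("["):                       # IPv6 literal
        host, _, p = hostport[1:].partition("]")
        p = p.lstrip(":")
    else:
        host, _, p = hostport.partition(":")
    if p:
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            raise ValueError("bad port %r" % p)
        port = int(p)
    fields = tail.split("?")
    if len(fields) > 5:
        raise ValueError("too many '?'-separated fields")
    fields += [""] * (5 - len(fields))
    scope = unquote(fields[2]).lower() or "base"        # RFC 4516 default scope
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope %r" % scope)
    filt = unquote(fields[3]) or "(objectClass=*)"      # RFC 4516 default filter
    if not filter_is_balanced(filt):
        raise ValueError("malformed filter %r" % filt)
    return {
        "scheme": scheme, "host": host, "port": port,
        "base": unquote(fields[0]),
        "attrs": [a for a in unquote(fields[1]).split(",") if a],
        "scope": scope, "filter": filt,
        "extensions": [e for e in fields[4].split(",") if e],
    }


def build_dynamic_group_uri(host, port, base, attr, value, scope="sub"):
    """Produce a labeledURI selecting entries under `base` whose `attr` equals
    `value`, with the value escaped for the filter and the URL percent-encoded."""
    filt = "(%s=%s)" % (attr, escape_filter_value(value))
    return "ldap://%s:%d/%s??%s?%s" % (host, port, quote(base, safe="=,"),
                                      scope, quote(filt, safe="()=*"))


if __name__ == "__main__":
    uri = build_dynamic_group_uri("idm01.ic.lan", 389,
                                  "cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan",
                                  "departmentnumber", "82")
    print(uri)
    print(parse_ldap_url(uri))
```

A URI that fails `parse_ldap_url` will never become a usable dynamic group, so running generated values through it before the mapping phase separates URL construction problems from server-side ones such as the "Dynamic group cache update failed" error in the trace; the `escape_filter_value` step matters as soon as the filter value comes from a free-text column such as an organization name rather than a numeric id.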
I am able to provision users from OIM to OID,
but reconciliation is not working.
The command prompt is not showing any error when the reconciliation tasks are running.
Following are the details:
OID Lookup Reconciliation Task
LookupCodeName Lookup.OID.Organization
ITResourceName OID IT Resource
SearchContext cn=Users,dc=ad,dc=infosys,dc=com
ObjectClass OrganizationalUnit
CodeKeyLTrimStr [NONE]
CodeKeyRTrimStr ,dc=ad,dc=infosys,dc=com
ReconMode UPDATE
AttrType ou
OID User Recon Task
IsNativeQuery no
ITResourceName OID IT Resource
ResourceObjectName OID User
XLDeleteUsersAllowed false
UserContainer cn=Users,dc=ad,dc=infosys,dc=com
Keystore [NONE]
Organization Xellerate Users
Xellerate Type End-User Administrator
Role Consultant
TrustedSource true
PageSize 100
command prompt shows : (both the above task are set to run at recurring intervals of 5 minutes)
15:14:08,027 INFO [OID] tcTskOIDUserReconciliation LDAP RECONCILIATION CLASS Instance Created
15:14:08,074 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: are sServerName = 10.76.118.72, sPortNo = 389, sPrincipalDN = cn=orcladmin,cn=Users,dc=ad,dc=infosys,dc=com, sProviderURL = ldap://10.76.118.72:389,
15:14:08,074 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s): are pContainerContext = ,
15:14:08,074 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s) provider URL before encoding: are sProviderURL = [ldap://10.76.118.72:389/],
15:14:08,074 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s) provider URL After encoding: are sProviderURL = [ldap://10.76.118.72:389],
15:14:08,090 INFO [OID] tcUtilLDAPOperationsParameter Variables passed are: pSearchBase = [cn=Users,dc=ad,dc=infosys,dc=com], pFilterExpression = [(&(&(&(&(&(&(objectclass=top)(objectclass=person))(objectclass=organizationalPerson))(objectclass=inetOrgPerson))(objectclass=orclUser))(objectclass=orclUserV2))(modifyTimestamp>=20100113094308Z))], pIsRelative = [true], pAttrNames = [[Ljava.lang.String;@fc0359]
15:14:08,105 INFO [OID] >>Next Page
Edited by: user12240044 on Jan 13, 2010 1:45 AM
You mean to say I need to run only the user recon task and not the lookup task in case I want to reconcile OID users to the Xellerate Users org in OIM?
I provided the details stated by you; refer below:
IsNativeQuery no
ITResourceName OID IT Resource
ResourceObjectName OID User
XLDeleteUsersAllowed false
UserContainer cn=Users,dc=ad,dc=infosys,dc=com
Keystore [NONE]
Organization Xellerate Users
Xellerate Type End-User Administrator
Role Consultant
TrustedSource true
PageSize 100
but still the users are not reconciled
the command prompt shows the following :
16:52:00,047 INFO [OID] tcTskOIDUserReconciliation LDAP RECONCILIATION CLASS Instance Created
16:52:00,109 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: are sServerName = 10.76.118.72, sPortNo = 389, sPrincipalDN = cn=orcladmin,cn=Users,dc=ad,dc=infosys,dc=com, sProviderURL = ldap://10.76.118.72:389,
16:52:00,109 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s): are pContainerContext = ,
16:52:00,109 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s) provider URL before encoding: are sProviderURL = [ldap://10.76.118.72:389/],
16:52:00,109 INFO [OID] Parameter Variables passed into tcUtilLDAPOperations:connectToLDAP(s) provider URL After encoding: are sProviderURL = [ldap://10.76.118.72:389],
16:52:00,140 INFO [OID] tcUtilLDAPOperationsParameter Variables passed are: pSearchBase = [cn=Users,dc=ad,dc=infosys,dc=com], pFilterExpression = [(&(&(&(&(&(&(objectclass=top)(objectclass=person))(objectclass=organizationalPerson))(objectclass=inetOrgPerson))(objectclass=orclUser))(objectclass=orclUserV2))(modifyTimestamp>=20100113111800Z))], pIsRelative = [true], pAttrNames = [[Ljava.lang.String;@9cba32]
16:52:00,140 INFO [OID] >>Next Page
What does pContainerContext imply? -
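The reconciliation log in the OIM thread above shows the search the user recon task actually runs: a six-deep nested AND of objectClass tests plus a modifyTimestamp lower bound that acts as the incremental watermark. The following added example, not code from OIM, from the OID connector or from the thread, parses RFC 4515 filters into a tree, flattens the nested ANDs into the single seven-term AND they mean, pulls out the objectClass set and the watermark, and evaluates the filter against a constructed entry so one can check why a given OID user would or would not be picked up. `OIM_RECON_FILTER` is the filter copied from the log; `SAMPLE_ENTRY` and the function names are this example's own, and value comparison is plain case-insensitive string comparison rather than full LDAP matching rules.

```python
"""RFC 4515 search-filter parser for reading reconciliation filters.

Added example for the OIM -> OID reconciliation thread; not code from OIM,
the OID connector or the thread.  OIM_RECON_FILTER is copied from the log in
the thread; SAMPLE_ENTRY is constructed.
"""
import re

# <attr><op><value>, op is one of >= <= ~= =  (attr may carry ;options)
_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$", re.S)
_KIND = {"&": "and", "|": "or"}

OIM_RECON_FILTER = ("(&(&(&(&(&(&(objectclass=top)(objectclass=person))"
                    "(objectclass=organizationalPerson))(objectclass=inetOrgPerson))"
                    "(objectclass=orclUser))(objectclass=orclUserV2))"
                    "(modifyTimestamp>=20100113094308Z))")


def parse_filter(text):
    """Parse into tuples: ('and'|'or', [kids]), ('not', kid) or
    ('item', attr_lowercased, op, value)."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter at offset %d" % end)
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses at offset %d" % i)
        if op == "!":
            if len(kids) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return ("not", kids[0]), i + 1
        return (_KIND[op], kids), i + 1
    j = s.find(")", i)        # a literal ')' inside a value must be escaped as \29
    if j < 0:
        raise ValueError("unterminated item at offset %d" % i)
    m = _ITEM.match(s[i:j])
    if not m:
        raise ValueError("bad filter item %r" % s[i:j])
    attr, op, value = m.groups()
    return ("item", attr.lower(), op, value), j + 1


def flatten(tree):
    """Merge nested ANDs into one AND and nested ORs into one OR."""
    kind = tree[0]
    if kind in ("and", "or"):
        merged = []
        for kid in (flatten(k) for k in tree[1]):
            merged.extend(kid[1] if kid[0] == kind else [kid])
        return (kind, merged)
    if kind == "not":
        return ("not", flatten(tree[1]))
    return tree


def to_string(tree):
    kind = tree[0]
    if kind == "item":
        return "(%s%s%s)" % tree[1:]
    if kind == "not":
        return "(!%s)" % to_string(tree[1])
    return "(%s%s)" % ("&" if kind == "and" else "|",
                       "".join(to_string(k) for k in tree[1]))


def recon_requirements(tree):
    """(required objectClass values, modifyTimestamp lower bound or None)
    read from the top-level AND: what an incremental run will pick up."""
    tree = flatten(tree)
    terms = tree[1] if tree[0] == "and" else [tree]
    classes, watermark = set(), None
    for t in terms:
        if t[0] == "item" and t[1] == "objectclass" and t[2] == "=":
            classes.add(t[3].lower())
        elif t[0] == "item" and t[1] == "modifytimestamp" and t[2] == ">=":
            watermark = t[3]
    return classes, watermark


def matches(tree, entry):
    """Evaluate a filter against {attr: [values]} using case-insensitive string
    comparison (fine for objectClass and generalizedTime; '~=' and substring
    matching are not implemented)."""
    entry = {k.lower(): [str(v) for v in vs] for k, vs in entry.items()}
    return _eval(tree, entry)


def _eval(tree, entry):
    kind = tree[0]
    if kind == "and":
        return all(_eval(k, entry) for k in tree[1])
    if kind == "or":
        return any(_eval(k, entry) for k in tree[1])
    if kind == "not":
        return not _eval(tree[1], entry)
    _, attr, op, value = tree
    vals = [v.lower() for v in entry.get(attr, [])]
    if op == "=" and value == "*":
        return bool(vals)                      # presence test
    value = value.lower()
    if op == "=":
        return value in vals
    if op == ">=":
        return any(v >= value for v in vals)
    if op == "<=":
        return any(v <= value for v in vals)
    return False


SAMPLE_ENTRY = {   # constructed, modelled on the user entries quoted in the threads
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "orclUser", "orclUserV2"],
    "modifyTimestamp": ["20100113120000Z"],
}

if __name__ == "__main__":
    tree = parse_filter(OIM_RECON_FILTER)
    print(to_string(flatten(tree)))
    print(recon_requirements(tree))
    print(matches(tree, SAMPLE_ENTRY))
```

Two things fall out of running it on the thread's filter: an entry is only reconciled if it carries all six object classes (an entry missing orclUser, for instance, is silently skipped), and only if its modifyTimestamp is at or after the watermark, so entries created before the first run and never touched since will not appear in a later incremental run.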
Permission issue with changelog in OID
Hello,
I configured LDAP sync and the OID account got created fine when the user is created in OIM (first user). Then, for the second user, it no longer works and the log file shows this error.
[2013-11-18T15:50:10.815-07:00] [oim_server1] [ERROR] [] [oracle.iam.platform.entitymgr.provider.ldap] [tid: OIMQuartzScheduler_Worker-8] [userId: oiminternal] [ecid: 0000K9hBgfhFW715zvT4iW1IYcfJ000002,1:23495] [APP: oim#11.1.2.0.0] An error occurred while getting the change log from LDAP - {0}[[
javax.naming.NoPermissionException: Error: INSUFFICIENT_ACCESS_RIGHTS
LDAP Error 50 : [LDAP: error code 50 - Insufficient Access Rights] [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 50 : [LDAP: error code 50 - Insufficient Access Rights]]
Although the log shows the user as oiminternal, I don't believe OID uses this user. But I think it uses orcladmin. How can I fix this problem?
Thanks
Khanh
No, I don't use OVD.
I added the oimAdminUser through the LDAP script below. However, when I ran ACI with the command:
$ORACLE_HOME/bin/ldapsearch -h pioneer -p 389 -D "cn=orcladmin" -w MYPASSWORD -b "dc=cde,dc=state,dc=co,dc=us" -s one "objectclass=*" orclaci
I don't see the permission for oimAdminUser (I searched for the string oim and the only one I found is oimReservce). What did I do wrong?
Thanks
dn: cn=oimAdminUser,cn=systemids,dc=cde,dc=state,dc=co,dc=us
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: G26tcha2
dn: cn=oimAdminGroup,cn=systemids,dc=cde,dc=state,dc=co,dc=us
changetype: add
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=cde,dc=state,dc=co,dc=us
dn: cn=oimAdminUser,cn=systemids,dc=cde,dc=state,dc=co,dc=us
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oimAdminGroup,cn=systemids,dc=cde,dc=state,dc=co,dc=us" (add,browse,delete) by * (none)
orclaci: access to attr=(*) by group="cn=oimAdminGroup,cn=systemids,dc=cde,dc=state,dc=co,dc=us" (read,search,write,compare) by * (none)
-
Accessing OID from an outlook client
Hi,
We are running AS 10.1.2.2.2 with OID used primarily for Single Sign On. Lately we have started pushing data from our personnel data into OID (via dbms_ldap). There is now some interest in exposing OID to our Outlook mail clients - just as a source of information to start with. We have no AD/Oracle integration at all and we use Exchange for mail. We were simply thinking (naively, I'm sure) that an Outlook client could just read OID as an external LDAP, adding it as a directory with proper credentials and search base (cn=Users etc.). In a "first try" we can indeed connect, but we are not "seeing" data - our users. Our OID users are the default ones that come out of the box, i.e.
objectclass top
objectclass person
objectclass inetOrgPerson
objectclass organizationalPerson
objectclass orclUser
objectclass orclUserV2
Does outlook know how to read these? Is it expecting to see a certain user class?
What is the best way to approach this subject? (It's OK to say RTFM, as long as you tell me which M.)
Thanks,
Steve
Well, it does appear that I can find OID data through the advanced find in Outlook. But the data can't be browsed. I fear most users would react like me and think the directory was empty or not connected.
Is there no better support for OID possible? Is no one using OID with outlook clients?
Thanks,
Steve -
Relationship between groups and their members in LDAP directory missing
I use SAP EP 6 SPS14 with one LDAP Server as data source using this flat LDAP structure:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example.com
dn: ou=user,dc=example,dc=com
objectClass: organizationalUnit
description: All Users
ou: user
dn: cn=Max Mustermann,ou=user,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Max Mustermann
givenName: Max
sn: Mustermann
uid: 0001
userPassword:: bWF4
dn: cn=Max Meier,ou=user,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Max Meier
givenName: Max
sn: Meier
uid: 0002
userPassword:: bWF4
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
description: All Groups
ou: groups
dn: cn=internal,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: internal
member: uid=0001,ou=user,dc=example,dc=com
dn: cn=external,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: external
member: cn=Max Meier,ou=user,dc=example,dc=com
The private section of the LDAP entry in the dataSourceConfiguration.xml looks like:
<privateSection>
<ume.ldap.access.server_type>openLDAP</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>inetOrgPerson</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>inetOrgPerson</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>groupofnames</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>uid</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>uid</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
</privateSection>
The pointers in the portal are:
User Path: ou=user,dc=example,dc=com
Group Path: ou=groups,dc=example,dc=com
If I log in as SuperUser, all users and all groups of the LDAP directory are there and I could log on as one of the LDAP provided users. But the relationship between the users and the groups, defined in the member of the objectClass groupOfNames, is missing.
What's wrong?
Message was edited by: Holger Wohlhüter
Meanwhile I changed the GroupOfNames to GroupOfUniqueNames in the LDAP structure and solved the problem. I had to add this line: <physicalAttribute name="null"/> in the User mappings.
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="*null*"></physicalAttribute>
</attribute>
</attributes>
</nameSpace>
Message was edited by: Holger Wohlhüter -
When I put in the objectclass Person, IDM was able to create a user in Novell. But if I put in either the organizationalPerson or the inetOrgPerson objectclass, then I get the error below
Error: NWDSAddObject: 0xFFFFFDA4 (-604): ERR_NO_SUCH_CLASS
This is what the objectclass field looks like on the Resource Parameters page.
top
person
organizationalPerson
inetOrgPerson
The login ID to Novell has all privileges (read/write/modify/delete). Do you have any ideas?
Thanks
Edited by: Andrew2008 on Aug 29, 2008 4:47 PM
I got it working. Just in case you want to know, the objectclass is called User. It's strange because I don't see this objectclass in the LDAP schema of Novell.
Thanks -
The Problem
Users are unable to change their password using System Preferences -> Users & Groups on a Mac that is connected to an LDAP server (specifically, OpenLDAP).
This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, not uid=bobsmith,ou=Users,dc=companyname,dc=com).
(A bug report for this issue has been filed with Apple and can be seen on OpenRadar at http://openradar.appspot.com/11768796)
Steps to Reproduce:
Try to change the password using the System Preferences -> Users & Groups prefpane on Lion. It fails with the following error message:
The password for the account “bobsmith” was not changed. Your system administrator may not allow you to change your password or there was some other problem with your password. Contact your system administrator for help.
Expected Results:
The password should be changed.
Actual Results:
The error appears, and on the LDAP server, an error like the following is logged:
Jun 28 08:42:21 ldap3 slapd[7810]: conn=10518785 op=2 RESULT oid= err=21 text=Invalid DN
This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, not uid=bobsmith,ou=Users,dc=companyname,dc=com).
Notes: This was encountered by someone else over at the AFP548.com forums, who ended up patching their LDAP server to resolve the issue. This shouldn't require patching LDAP to resolve, however. Lion needs to (at least have an option to) send the full DN of a user requesting to change their password, not the short username:
Text from above forum link (in case it is taken down):
So, I’ve got this OpenLDAP server with network home directories at home that all of my Mac machines authenticate to. Everybody can bounce around to whatever Mac is available. It works great.
Anyway, with Snow Leopard, I was able to change user passwords via System Preferences. However, that got broken when I upgraded to Lion (amongst other things). Both Snow Leopard and Lion send exop’s to the ldap server, but for whatever reason, the id is screwed up in Lion (or at least, it’s screwed up on the two machines at home I tested this with). Instead of sending the user’s DN, e.g. “uid=user,cn=users,ou=something,dc=somewhere,dc=com”, the ldap server is only sent the uid, e.g. “user”. The ldap server is expecting a DN here, so naturally, it fails with the error “Invalid DN”.
Bummer.
So, to work around that, I had to patch OpenLDAP (version 2.4.26 in this case). Now, when my server can’t resolve the id it’s given during a password change, it will look at the bind DN, and if the id string is contained within the bind DN string, it will just use the bind DN as the entry to change. I figured this would still allow me to manually specify password changes via an admin account while still giving users the ability to change their own passwords without having to point them at a webpage (lame).
I should point out that all my accounts have the uid as part of the DN… I guess if you were doing some kind of crazy SASL mappings, this might not work for you…
Anyway, here’s the patch in case anyone else is interested… If it works for you, great. If not, oh well.
-- passwd.c 2011-06-30 11:13:36.000000000 -0400 +++ passwd.lion_compatability.c 2012-02-13 22:48:54.213214617 -0500 @@ -18,4 +18,5 @@ #include +#include #include @@ -59,4 +60,5 @@ int freenewpw = 0; struct berval dn = BER_BVNULL, ndn = BER_BVNULL; + ber_int_t err; assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); @@ -102,11 +104,8 @@ if ( !BER_BVISEMPTY( &id ) ) { - rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); - id.bv_val[id.bv_len] = idNul; - if ( rs->sr_err != LDAP_SUCCESS ) { - rs->sr_text = "Invalid DN"; - rc = rs->sr_err; - goto error_return; - } + err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); + } + + if ( !BER_BVISEMPTY( &id ) && (err == LDAP_SUCCESS) ) { op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -116,4 +115,16 @@ ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx ); ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx ); + if ( !BER_BVISEMPTY( &id ) ) { + /* See if the id matches the bind dn */ + if ( strstr( dn.bv_val, id.bv_val ) == NULL ) + { + rs->sr_err = err; /* From dnPrettyNormal */ + rs->sr_text = "Invalid DN"; + rc = rs->sr_err; + goto error_return; + } + Statslog( LDAP_DEBUG_STATS, "%s Invalid id (%s) specified; using bind DN (%s)\n", + op->o_log_prefix, id.bv_val, dn.bv_val, 0, 0 ); + } op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -123,4 +134,8 @@ } + if ( !BER_BVISEMPTY( &id ) ) { + id.bv_val[id.bv_len] = idNul; + } + if( op->o_bd == NULL ) { if ( qpw->rs_old.bv_val != NULL ) { "
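Review bot: in the `@@ -116,4 +115,16 @@` hunk, `strstr( dn.bv_val, id.bv_val )` is a substring test, so any id that occurs anywhere in the bind DN string (`dc=com`, or `bob` for `uid=bobsmith`) passes, and because this branch is only reached when the id did not parse as a DN, the entry that gets modified is always the bind DN whatever the id said. That makes the strstr test a loose sanity check rather than a match against the requested identity; suggest comparing the id with the bind entry's naming value (the value of its `uid=` RDN) using an exact, length-checked comparison, and stating in a comment that a non-DN id can never select an entry other than the bound user, since that property is what keeps this change from turning into a way to change someone else's password.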
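Review bot: in the `@@ -123,4 +134,8 @@` hunk, the restore of the byte that was overwritten to NUL-terminate `id` (`id.bv_val[id.bv_len] = idNul;`) now runs only after the preceding hunk's new error branch, so on the `goto error_return` path taken when the id is not found in the bind DN the terminator is never put back; the original code restored it immediately after `dnPrettyNormal()` and before any goto. Suggest restoring it before that goto as well (or right after the `Statslog()` call, which is the last use that needs the NUL), so both paths leave the request buffer as they found it.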
UPDATE (still not working, though)
I tried to change my password with dscl too, like so:
$ dscl -u bobsmith -p /LDAPv3/ldap -passwd /Users/bobsmith
...and this generated the following after I input my current password and a new one:
Password:
New Password:
passwd: DS error: eNotYetImplemented
DS Error: -14988 (eNotYetImplemented)
On my OpenLDAP server, it generated:
Jul 3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 ACCEPT from IP=10.0.1.3:64485 (IP=0.0.0.0:636)
Jul 3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 closed (TLS negotiation failure)
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 ACCEPT from IP=10.0.1.3:64486 (IP=0.0.0.0:636)
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 TLS established tls_ssf=256 ssf=256
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH attr=supportedSASLMechanisms defaultNamingContext namingContexts schemaNamingContext
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul 3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 RESULT tag=97 err=0 text=
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH attr=objectClass apple-generateduid uid uidNumber userPassword cn
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 PASSMOD old
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 RESULT oid= err=53 text=old password value is empty
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 op=6 UNBIND
Jul 3 11:47:56 ldap slapd[7810]: conn=12282746 fd=1633 closed
If I run the same dscl command from a Snow Leopard machine, it works without an error:
$ dscl -u bobsmith -p /LDAPv3/myldapserver.com -passwd /Users/bobsmith
Password:
New Password:
It generates these logs on the server
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 ACCEPT from IP=10.0.1.2:51013 (IP=0.0.0.0:636)
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 TLS established tls_ssf=256 ssf=256
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 op=1 UNBIND
Jul 3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 closed
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 ACCEPT from IP=10.0.1.2:51014 (IP=0.0.0.0:636)
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 TLS established tls_ssf=256 ssf=256
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul 3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 RESULT tag=97 err=0 text=
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH attr=uid cn
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH attr=uid cn
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 PASSMOD id="uid=bobsmith,ou=Users,dc=mycompany,dc=com" new
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 RESULT oid= err=0 text=
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul 3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 12:03:32 ldap slapd[7810]: conn=12293659 op=7 UNBIND
Jul 3 12:03:32 ldap slapd[7810]: conn=12293659 fd=1283 closed
-
Hi Koen,
I tried to test this, but for me it's working, sorry(!). Here are the details of what I did in case that helps you diagnose....
# add the 2 test users
ldapadd -h $my_ldaphost -p $my_ldapport -D $my_adminuid -w $my_adminpwd <<EOF
dn: cn=TEST_A, cn=Users, dc=myco,dc=com
sn: TEST_A
mail: [email protected]
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserv2
objectclass: organizationalperson
objectclass: person
objectclass: top
uid: TEST_A
cn: TEST_A

dn: cn=TEST_B, cn=Users, dc=myco,dc=com
sn: TEST_B
mail: [email protected]
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserv2
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: TEST_B
uid: TEST_B
EOF
# reset the passwords
sqlplus /nolog <<EOF
conn orasso/${orclpasswordattribute}@${my_sid}
set serveroutput on
exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_A', p_subscriber_nickname => null, p_newpwd => 'password1');
exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_B', p_subscriber_nickname => null, p_newpwd => 'password1');
exit
EOF
[oracle@myhost bin]$ ldapbind -D cn=TEST_A,cn=Users,dc=myco,dc=com -w password1
bind successful
[oracle@myhost bin]$ ldapbind -D cn=TEST_B,cn=Users,dc=myco,dc=com -w password1
bind successful
-
How to restore a user's calendar agenda
How to restore a user's Calendar agenda
When you delete users from LDAP and then re-add them to a Calendar node, they will be assigned new nscalxitemid's. However, if you have not run any of the tools for removing these "orphan" entries, the old nscalxitemid's should still exist in the Calendar database.

To restore a user's agenda from the Calendar database, use the following steps:

1. Use ldapsearch to locate the user entries for the user who you are trying to restore.

Depending on what version of Directory Server you have, the ldapsearch command line utility will be in one of the following locations:

(Directory Server 3.x): ServerRoot/bin/slapd/server
(Directory Server 4.x): ServerRoot/shared/bin

To search for the user with the UserID "bbunny," the syntax for ldapsearch would be as follows (all on one line):

ldapsearch -D "cn=directory manager" -w <password> -b o=netscape.com uid=bbunny | more

It is also possible to dump the output of this command into a file, as in the following example (all on one line):

ldapsearch -D "cn=directory manager" -w <password> -b o=netscape.com uid=bbunny > bbunny.txt

The LDAP entry for a Calendar user would appear something as follows (Note: the Calendar attribute is nscalxitemid, and the ID number is the part after the colon):

dn: uid=bbunny,o=netscape.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: nsLicenseUser
objectclass: mailRecipient
objectclass: nsCalUser
givenname: Bugs
sn: Bunny
cn: Bugs Bunny
uid: bbunny
nslicensedfor: mail
nslicensedfor: calendar
mail: [email protected]
mailhost: st-thomas.netscape.com
multilinedescription: I'm da wabbit!
maildeliveryoption: mailbox
nscalxitemid: 10000:00257
nscalflags: 0
nscallanguageid: 0
nscalsysopcanwritepassword: 0
nscalpasswordrequired: 1
nscaldefaultnotereminder: 0:0
nscaldefaultreminder: 0:10
nscaldefaulttaskreminder: 0:0
nscaldisplayprefs: 4:480:1080:1:30:190:2
nscaloperatingprefs: 0:255:0:0:0:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440:0:0:1440:0:1440
nscalrefreshprefs: 1:60
nscalnotifmechanism: 1
nscaltimezone: 0

In the line nscalxitemid: 10000:00257, "10000" is the node number and "00257" is the calID number. The number you will need to change is the calID number, "00257".

2. From the /unison/bin directory for Calendar, run unidsdiff or ctxdirdiff (whichever is available) to find the Calendar agenda that is missing an LDAP entry.

The syntax for these utilities will be as follows:

unidsdiff -n 10000
or
ctxdirdiff -n 10000

These utilities should list any entries that don't have a matching directory entry, usually in the following format:

nscalxItemid="10000:00256" (S="Bunny",G="Bugs")

The ID number "00256" is the ID that you will use to replace the ID number in the LDAP entry.

3. Use one of the following two options to update the LDAP entry:

Option#1:

a) Edit the file from the ldapsearch output by changing the nscalxitemid in this file to the correct ID from the unidsdiff/ctxdirdiff output (from step 2 above).
b) Delete the user from LDAP.
c) Use ldapmodify to re-add the user from the file you edited. (ldapmodify is located in the same directory as ldapsearch.)

For example,

ldapmodify -D "cn=directory manager" -w <password> -a -f <filename>

Option#2:

a) Edit the file from the ldapsearch output using update statements that will update the LDAP entry without having to delete it.

For example, you can edit the output in step 1 above so that the file contains only the following lines with the correct nscalxitemid:

dn: uid=bbunny,o=netscape.com
changetype: modify
replace: nscalxitemid
nscalxitemid: 10000:00256

b) Use ldapmodify to update the entry in the file, as follows:

ldapmodify -D "cn=directory manager" -w <password> -f <filename>

After performing the above steps, you can use ldapsearch to locate the entry and verify that it was changed. The user should now be
able to log into the Calendar Client and see her previous agenda entries.
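The three steps above can be scripted. The following is an added example, not part of the article: it parses the ldapsearch output and the unidsdiff/ctxdirdiff listing, matches the orphan agenda on node number, surname and given name (so that a user is never attached to somebody else's agenda), and emits the Option#2 modify LDIF. Both sample outputs are constructed from the bbunny entry shown above.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed ldapsearch output, modelled on the bbunny entry in the article
LDAPSEARCH_OUTPUT = """\
dn: uid=bbunny,o=netscape.com
objectclass: top
objectclass: inetOrgPerson
objectclass: nsCalUser
givenname: Bugs
sn: Bunny
cn: Bugs Bunny
uid: bbunny
nscalxitemid: 10000:00257
nscalflags: 0
"""

# Constructed unidsdiff/ctxdirdiff output: agendas that have no directory entry
UNIDSDIFF_OUTPUT = """\
nscalxItemid="10000:00256" (S="Bunny",G="Bugs")
nscalxItemid="10000:00301" (S="Duck",G="Daffy")
"""

ORPHAN_RE = re.compile(r'nscalxItemid="(\d+):(\d+)"\s*\(S="([^"]*)",G="([^"]*)"\)')


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one ldapsearch entry into {lowercase attribute: [values]}.
    Handles the base64 form ('attr:: ...') that ldapsearch uses for binary values."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_orphans(text: str) -> List[Dict[str, str]]:
    """Parse the unidsdiff/ctxdirdiff lines into node, calID, surname and given name."""
    orphans = []
    for line in text.splitlines():
        m = ORPHAN_RE.search(line)
        if m:
            orphans.append({"node": m.group(1), "calid": m.group(2),
                            "sn": m.group(3), "givenname": m.group(4)})
    return orphans


def find_orphan_for(entry: Dict[str, List[str]],
                    orphans: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Pick the orphan agenda on the same node whose surname and given name match
    the entry; refuse when there is no match or more than one."""
    node, _, _ = entry["nscalxitemid"][0].partition(":")
    sn = entry.get("sn", [""])[0].lower()
    gn = entry.get("givenname", [""])[0].lower()
    matches = [o for o in orphans if o["node"] == node
               and o["sn"].lower() == sn and o["givenname"].lower() == gn]
    return matches[0] if len(matches) == 1 else None


def build_modify_ldif(entry: Dict[str, List[str]], orphan: Dict[str, str]) -> str:
    """Option#2 of the article: replace nscalxitemid in place, no delete and re-add."""
    return (f"dn: {entry['dn'][0]}\nchangetype: modify\nreplace: nscalxitemid\n"
            f"nscalxitemid: {orphan['node']}:{orphan['calid']}\n")


def restore_ldif(ldapsearch_text: str, unidsdiff_text: str) -> Optional[str]:
    """Return the ldapmodify input for the user, or None if no safe match exists."""
    entry = parse_ldif_entry(ldapsearch_text)
    orphan = find_orphan_for(entry, parse_orphans(unidsdiff_text))
    return build_modify_ldif(entry, orphan) if orphan else None


if __name__ == "__main__":
    print(restore_ldif(LDAPSEARCH_OUTPUT, UNIDSDIFF_OUTPUT), end="")
```

Feed the returned text to ldapmodify exactly as in step 3b; a None result means the listing had no unambiguous agenda for that user and the change should be made by hand.
-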
How to assign "Public Group" and "Privilege" to user create with ldapadd
Hello,
We create users with ldapadd and a ldif file.
The ldif file is like that :
dn: cn=user1,cn=users,dc=def,dc=eau,dc=cgeaux,dc=fr
sn: user1
cn: user1
userPassword: user1
mail: [email protected]
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: orcluser
objectClass: orcluserv2
It works, but "Public Group" and "Privilege" aren't assigned.
How can I assign these privileges without using the Portal admin interface?
Thanks.
Best Regards.
Luc Ponelle
Hi Luc..
we are now trying the same thing..
We managed to create one user...
but, when we check in the OID at http://ourserver:7777/oiddas
we cannot see the user?
Why?..
We are now trying to create users automatically by batch..
and did you find the solution to your problem yet?
Thanks.
-
I'm currently working on some code and I'm really in need of a naming service, preferably one with a service provider for JNDI. In essence what I'm looking for is a very basic name server, although knowing little about the subject at this point I'm thinking that LDAP, NIS are really not well suited to my needs as my key goal is mapping names to references (under dynamic contexts), which I've already half implemented. As things are getting more complex and what I've implemented is of rather poor design, I'm starting to feel like I'm going to have a rough month or two ahead of me!! I don't want to re-invent the wheel and I know in my heart someone has already coded the software I need!!! Unfortunately my search has been fruitless. I'd greatly appreciate it if someone can steer me in the right direction. In the meantime I think I'll be pulling my hair out trying to figure out how to code the software I need.... Sorry for not fully explaining what I'm after, if not enough info just let me know and I'll try to provide more detail.
Hi Prisco,
You can go very well for JNDI. And you can use Netscape or iPlanet Directory Server as the LDAP server.
Please download the Directory Server from this URL.
http://www.iplanet.com/downloads/download/2087.html
Also, herewith I am giving you a simple authentication program, which makes use of JNDI and Netscape Directory Server. If you follow these steps, you will get a good idea about JNDI.
DESCRIPTION:
I am trying to use LDAP to control access to an HTML page. I want an authentication
box to pop up, allowing the user to authenticate to the HTML page through an LDAP server.
If they successfully authenticate, I need to check their username against a list
of valid usernames that's stored in a database, then give access to the page
based on that list. How can I implement this solution?
SOLUTION:
The best way is to use a Basic Authentication solution with JNDI and an LDAP server,
Netscape Directory Server (for example), with a simple servlet program. The Java Naming
and Directory Interface (JNDI) API is standardized, and enables the use of different
directory services such as Netscape Directory Server. The LDAP server can be used
for storing some common data used in the sample solution.
It can be done through a servlet to check the user and its password which is
stored in the LDAP server.
In order to demonstrate a sample solution, I will use the Netscape Directory
Server 4.13 as the LDAP server, which is loaded with my own LDIF file with customized
attributes. The basic authentication algorithm will be used in this sample
solution.
The following steps are to implement this sample solution:
1. Creating our own LDAP data Interchange format (LDIF) file.
2. Loading(Import) the Ldif file in Netscape Directory Server.
3. Creation of user schema files for customized attributes.
4. Load the user schema files in the Netscape Directory Server.
5. Restart the Directory Server
6. A simple servlet program for basic authentication.
7. A sample HTML file is given last, used in servlet program.
Here is the detailed description of the above steps:
STEP 1: Creating our own LDAP Data Interchange Format (LDIF) file:
The LDIF (LDAP Data Interchange Format) file is a text-based format used to work
on LDAP data, with both our application and end users.
Through this LDIF file, I am having an attribute "customerid: timb" for which I will
be preparing the authentication, which will have its own password
"userpassword: bakrudeen", through which it can be maintained in a common place.
Here again in the same LDIF file, other information related to the "customerid: timb"
such as common name "cn: Tim Briggs", surname "sn: Briggs" etc. is maintained.
The data in LDAP is organized in a tree, called a Directory Information Tree (DIT).
Each leaf in the DIT is called an entry. The first entry in the DIT is called the root entry.
Here is a sample LDIF file which is used in our sample solution:
Here the DIT, the way data is organized in LDAP, is fairly simple. In this
sample we store all of our entries in a common root o=fedup.com, with the following branches:
Customers - customer entries with "customerid: timb", "userpassword: bakrudeen", and other
information related to this customer are kept in a common place.
dn: uid=timb,ou=Customers,o=fedup.com
changetype:add
objectclass: customer
objectclass: inetorgperson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Tim Briggs
uid: timb
givenname: Tim
customerid: timb
sn: Briggs
facsimiletelephonenumber: 4101
telephonenumber: 4145
creatorsname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
createtimestamp: 20000501084001Z
aci: (target="ldap:///uid=timb,ou=Customers,o=fedup.com")(targetattr="*")(version 3.0; acl "unknown"; allow (all)(userdn = "ldap:///anyone");)
ou: Customers
mail:
userpassword: bakrudeen
modifiersname: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifytimestamp: 20000605084001Z
STEP 2: Loading (Import) the LDIF file in Netscape Directory Server:
After creating the above sample LDIF file, it should be added in Netscape Directory Server.
It should be imported in order to add the necessary attributes in the Netscape Directory Server,
so that we can make use of the common data.
Steps for importing the LDIF file in the Directory Server:
1) Create an instance of the Directory Server.
2) Bind it to a different port with a different organizational unit
(here in this program, it is 1124).
3) Press Configuration in the menu.
4) Then select Import from the Console menu.
5) Choose the LDIF file you are going to import.
6) There you also have to provide a file for rejected entries, i.e. it will list all the entries
which were not added while loading.
STEP 3: Creation of our own USER SCHEMA files:
It is necessary for adding the attributes which are not defined in the
Netscape Directory Server. In the above, customerid, which is defined in the LDIF
file, does not exist in the directory server.
Here is the schema file for attributes (i.e. for defining, for example, customerid).
The name of the file is slapd.user_at.conf:
attribute customerid customerid-oid cis single
attribute packageid packageid-oid cis single
attribute receivedate receivedate-oid cis single
attribute shipdate shipdate-oid cis single
attribute shipperid shipperid-oid dn single
attribute receiveid receiveid-oid dn single
#Java Attributes
# Schema for storing java objects and java object references
attribute javaClassName 1.3.6.1.4.1.42.2.27.4.1.1 ces single
attribute javaCodebase 1.3.6.1.4.1.42.2.27.4.1.6 ces
attribute javaSerializedData 1.3.6.1.4.1.42.2.27.4.1.7 bin single
attribute javaRemoteLocation 1.3.6.1.4.1.42.2.27.4.1.8 ces single
attribute javaFactory 1.3.6.1.4.1.42.2.27.4.1.4 ces single
attribute javaReferenceAddress 1.3.6.1.4.1.42.2.27.4.1.3 ces
Here is the schema file for your own object classes:
The name of the file is slapd.user_oc.conf:
In the same way as above, there is no "customer" class in the object classes
defined in the LDAP server, so we will have to create our own "customer" object class.
It also extends inetOrgPerson to add some new attributes such as "customerid".
The object class of an entry specifies what attributes are required and what
attributes are allowed in a particular entry.
Also, for example, the "package" object class is created.
Here is the sample file for creating the above:
objectclass package
oid package-oid
superior top
requires
packageid,
receiveid,
shipdate,
shipperid
allows
description,
ou,
receivedate
objectclass customer
oid customer-oid
superior inetorgperson
requires
customerid
allows
c
#JAVA Schema
# Schema for storing java objects and java object references
objectclass javaContainer
oid 1.3.6.1.4.1.42.2.27.4.2.1
superior top
requires
cn
objectclass javaObject
oid 1.3.6.1.4.1.42.2.27.4.2.4
superior top
requires
javaClassName
allows
javaCodebase
objectclass javaSerializedObject
oid 1.3.6.1.4.1.42.2.27.4.2.5
superior javaObject
requires
javaSerializedData
objectclass javaRemoteObject
oid 1.3.6.1.4.1.42.2.27.4.2.6
superior javaObject
requires
javaRemoteLocation
objectclass javaNamingReference
oid 1.3.6.1.4.1.42.2.27.4.2.7
superior javaObject
requires
javaReferenceAddress,
javaFactory
STEP 4: Loading the USER SCHEMA files in the Directory Server:
All the attributes created above should be added to the corresponding directory server,
in order to make them common attributes.
Steps for adding the user schema files to the Directory Server:
1. Copy the above user schema files to the appropriate instance of Netscape Directory Server
created above, so that the existing LDIF file which is used in the Netscape Directory
Server is not appended to or overwritten.
2. For example, put them in "NetscapeServer/slapd-HostName/config" to replace the empty
files "slapd.user_at.conf" and "slapd.user_oc.conf" that are there by default.
3. Then restart the Directory Server.
STEP 5: Simple servlet program for BASIC AUTHENTICATION.
Here is the simple servlet program for Basic Authentication:
Here the way the LDAP authentication works is by attempting to bind to the server with a
DN and a password. No user in their right mind will remember their DN, so we use
some other attribute such as user-id. Then we search in the LDAP server to find
an entry that contains the attribute. Here we are maintaining SUBTREE_SCOPE using
JNDI, which starts its search from the base entry, and searches
everything below it including the base entry. Also I am maintaining global
variables for the LDAP settings.
// Importing the necessary packages
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AuthServ extends HttpServlet {
    // Here are our global variables of our LDAP settings.
    public static String MY_CUSTOMER_BASE = "ou=Customers,o=fedup.com";
    public static String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    public static int MY_PORT = 1124;
    public static String MY_HOST = "ldap://sundts1.india.sun.com:" + MY_PORT;
    public static String MY_MGR = "cn=Directory Manager";
    public static String MY_PWD = "password";
    public static String MY_SEARCHBASE = "o=fedup.com";

    // Using the GET method of the servlet
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        // Check whether there is any data in the "Authorization" HTTP header from the
        // browser. If not, the 401 below makes the browser prompt for username and password.
        String auth = req.getHeader("Authorization");
        // Do we allow the user?
        if (!allowedUser(auth)) {
            // Not allowed, so report unauthorized
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
        } else {
            // User is allowed in: include and display the content of a simple HTML page
            RequestDispatcher rd = getServletContext().getRequestDispatcher("/auth.html");
            rd.include(req, res);
        }
    }

    // This method checks whether the user exists in the LDAP database and whether
    // the supplied password binds successfully as that user.
    protected boolean allowedUser(String auth) throws IOException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        boolean status = false;
        // No Authorization header
        if (auth == null) return false;
        // Basic Authentication is handled; other possibilities are MD5 hash or SSL certificates.
        if (!auth.toUpperCase().startsWith("BASIC ")) {
            return false; // only do BASIC
        }
        // Get the encoded user and password, which come after "BASIC "
        String userpassEncoded = auth.substring(6).trim();
        // Decode with the standard Base64 decoder (instead of the internal sun.misc one)
        String userpassDecoded;
        try {
            userpassDecoded = new String(Base64.getDecoder().decode(userpassEncoded), "UTF-8");
        } catch (IllegalArgumentException e) {
            return false; // malformed header
        }
        // Split on the first ':' only, so a password containing ':' still works
        int sep = userpassDecoded.indexOf(':');
        if (sep <= 0 || sep == userpassDecoded.length() - 1) return false;
        String customerid = userpassDecoded.substring(0, sep);
        String pwd = userpassDecoded.substring(sep + 1);
        // LDAP authentication works by attempting to bind to the server with a DN and a
        // password. No user will remember their DN, so we use some other attribute, here
        // "customerid", and search the LDAP server for the entry that contains it. For a
        // secure system the attribute must be unique per entry, such as uid.
        try {
            // Prepare the context and get a reference to a directory context
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
            env.put(Context.PROVIDER_URL, MY_HOST);
            DirContext ctx = new InitialDirContext(env);
            // Specify the scope of the search
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Perform the actual search with a search base, a filter and the constraints.
            // The user-supplied value is passed as a filter argument so that JNDI escapes
            // it, rather than being concatenated into the filter string.
            NamingEnumeration<SearchResult> results = ctx.search(MY_CUSTOMER_BASE,
                    "(customerid={0})", new Object[] { customerid }, constraints);
            // Now step through the search results; if the bind does not throw an
            // exception, it is considered a successful authentication
            while (results != null && results.hasMore()) {
                SearchResult sr = results.next();
                String dn = sr.getName() + "," + MY_CUSTOMER_BASE;
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                env.put(Context.SECURITY_PRINCIPAL, dn);
                env.put(Context.SECURITY_CREDENTIALS, pwd);
                try {
                    DirContext ctx2 = new InitialDirContext(env);
                    ctx2.close();
                    status = true;
                } catch (AuthenticationException e) {
                    log(e.toString());
                }
            }
            ctx.close();
        } catch (NamingException x) {
            log(x.toString());
        }
        return status;
    }
}
STEP 6: Simple HTML file used in the servlet program:
Here is the simple HTML file we are including in the RequestDispatcher of the above program:
<html>
<head>
<title> Authorisation</title>
</head>
<body>
<h1> Your Authorisation is Successful </h1>
</body>
</html>
I hope this will help you.
Thanks
Bakrudeen
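The servlet in the answer above builds its search filter by string concatenation, "(customerid=" + customerid + ")", so filter metacharacters in the submitted user name change the query itself. The following is an added example, not from the answer: it shows the header parsing the servlet performs and the RFC 4515 escaping of the assertion value, in Python. Only the customerid attribute and the customer base DN come from the answer; everything else is constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

# Attribute and base DN from the answer above
CUSTOMER_ATTR = "customerid"
CUSTOMER_BASE = "ou=Customers,o=fedup.com"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it is matched literally.
    Without this, '*', '(', ')', '\\' and NUL inside the submitted user name
    change the structure of the filter instead of being compared as text."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def customer_filter(customerid: str) -> str:
    """Safe replacement for "(customerid=" + customerid + ")" in the servlet."""
    return f"({CUSTOMER_ATTR}={escape_filter_value(customerid)})"


def make_basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after the 401 challenge (used for testing)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (user, password).
    Returns None for a missing, non-Basic, undecodable or empty credential,
    which allowedUser() in the servlet should treat as 'not allowed'."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.upper() != "BASIC" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # Split on the first ':' only: the password itself may contain colons
    user, sep, password = decoded.partition(":")
    if not sep or not user or not password:
        return None
    return user, password


def lookup_filter_from_header(header: Optional[str]) -> Optional[str]:
    """The filter the servlet would run for this request, or None to reject early."""
    creds = parse_basic_auth(header)
    return customer_filter(creds[0]) if creds else None


if __name__ == "__main__":
    hdr = make_basic_header("timb", "bakrudeen")
    print(parse_basic_auth(hdr), lookup_filter_from_header(hdr))
    print(customer_filter("ti*b"))  # wildcard is neutralised: (customerid=ti\2ab)
```

In the Java servlet the same effect is obtained by passing the value as a filter argument, ctx.search(base, "(customerid={0})", new Object[]{customerid}, constraints), which JNDI escapes for you.
-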
LDAP user sync - CanonicalName is null
Hi!
I need to setup user sync from LDAP to LiveCycle. It seems to be very intuitive and easy, but ...
I can connect LDAP well, but no users are transferred. I found the LDAP query was OK and the LDAP response was OK. LiveCycle complains about:
This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: Adam Agama
The LDAP entry is:
dn: cn=Adam Agama, ou=Users, o=My org,c=CZ
o: My org
givenName: Adam
sn: Agama
ou: Users
mail: [email protected]
userCertificate;binary:: MIIIODCCB....
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: opencaEmailAddress
objectClass: pkiUser
uid: [email protected]
cn: Adam Agama
What does the LiveCycle mean by CanonicalName? I have not seen such an attribute anywhere.
Any help would be appreciated.
--- Jaroslav Pavlicek
I reply myself:
When configuring LDAP connection, there are predefined templates for various LDAP types: SunOne, ActiveDirectory, IBM Domino, ...
You probably must select one. If you don't, the "Unique identifier" field would not appear on the following page and you are not allowed to edit it. And also you would have no idea what the Unique identifier is expected to be :)
-
Dears,
is there a way or script that I can use so I can add a mailbox, calendar and assign a portal to users on OID? Why do I have to add a mailbox, calendar and assign a portal for every user created on OID alone? It takes time. Or is there a portal for administrators where he can log in and create the user on OID and a mailbox, calendar and assign a portal for him from one place only?
There are three main command line programs that you need to use
The first is LDAPADD and LDAPMODIFY; you can look these up to see how it's done, but below are a couple of examples
ldapadd -p 4032 -h www.mymachine.org -D "cn=orcladmin" -w <orcl password> -f newuser.ldif -x
The newuser.ldif file looks like
dn: cn=jinky.jenkins, cn=users, dc=mydomain, dc=org
userpassword: m0nday
mail: [email protected]
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: orcluser
objectclass: orcluserv2
orclactivestartdate: 20031020000000z
sn: jinky.jenkins
cn: jinky.jenkins
You also need to run ldapmodify using the same flags but with the following LDIF file
dn: cn=OCS_PORTAL_USERS, cn=Groups, dc=hubsdale, dc=org
changetype: modify
add: uniquemember
uniquemember: cn=jinky.jenkins, cn=users, dc=hubsdale, dc=org
To add a calendar user, simply run
unidssearch
this will output all of the OID users who are not calendar users
example
A DID=cn=jason.gardiner,cn=users,dc=hubsdale,dc=org
A DID=cn=julian.lintell-smith,cn=users,dc=hubsdale,dc=org
A DID=cn=robert.chubb,cn=users, dc=hubsdale,dc=org
A DID=cn=lecturer,cn=users, dc=hubsdale,dc=org
A DID=cn=student,cn=users, dc=hubsdale,dc=org
A DID=cn=PORTAL_ADMIN,cn=users,dc=hubsdale,dc=org
A DID=cn=PORTAL,cn=users,dc=hubsdale,dc=org
A DID=cn=PUBLIC,cn=users,dc=hubsdale,dc=org
Next, what you need to do is
uniuser -add "DID=cn=James Alexander, ou=Research, o=Acme, c=US" -n 134
Obviously, cut and paste the DID info for your user into the -add command
Notes can be found at the following URL
http://bigip-steltor.oracle.com/notes/corptime-server/5_4/admin/chapter6.htm#1019416
Finally you need to add the email user...
To do this you need to create a file of the following structure
[email protected]
orclmailquota=400000000
baseuserdn=cn=who.ever,cn=users,dc=mydomain,dc=org
I called the file email_user_details
Then you just
oesucr email_user_details
and that should do it
We (www.xicon.com) spent 3 days writing a Java utility that either adds one user or reads a file of usernames and passwords and then creates them all, so it might be an idea for you to do the same.
Cheers
Paul
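As an added example (not the xicon utility mentioned above, nor Oracle's tooling), here is a Python generator for the two LDIF files in this answer, for a whole batch of users: it applies the RFC 2849 rules (base64 encoding for values that start with a space, ':' or '<' or contain non-ASCII characters, and folding of long lines), separates entries with the blank line ldapadd requires, and gives each user a random initial password instead of a shared one. The base DN, group DN and mail domain are assumptions modelled on the answer's newuser.ldif.

```python
import base64
import secrets
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed DNs, modelled on the newuser.ldif in the answer above (adjust for your directory)
USERS_BASE = "cn=users,dc=mydomain,dc=org"
PORTAL_GROUP_DN = "cn=OCS_PORTAL_USERS,cn=Groups,dc=mydomain,dc=org"
MAIL_DOMAIN = "mydomain.org"
OBJECTCLASSES = ("top", "person", "inetorgperson", "organizationalperson",
                 "orcluser", "orcluserv2")


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line per RFC 2849. A value that starts with a space,
    ':' or '<', or that contains non-ASCII or control characters, must be written
    base64-encoded after a double colon ('attr:: ...')."""
    unsafe_first = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) < 32 or ord(c) > 126 for c in value)
    if unsafe_first or unsafe_char:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Fold a long line into LDIF continuation lines (each starts with one space)."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def new_initial_password() -> str:
    """Random initial password instead of a shared value like 'm0nday' in the answer."""
    return secrets.token_urlsafe(12)


def user_add_entry(username: str, password: str, active_start: Optional[str] = None) -> str:
    """LDIF for one OID user, with the same attributes as newuser.ldif above."""
    if active_start is None:
        active_start = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    lines = [ldif_line("dn", f"cn={username},{USERS_BASE}"),
             ldif_line("userpassword", password),
             ldif_line("mail", f"{username}@{MAIL_DOMAIN}")]
    lines += [ldif_line("objectclass", oc) for oc in OBJECTCLASSES]
    lines += [ldif_line("orclactivestartdate", active_start),
              ldif_line("sn", username),
              ldif_line("cn", username)]
    return "\n".join(fold(l) for l in lines) + "\n"


def group_modify_entry(usernames: Iterable[str]) -> str:
    """One ldapmodify change adding every new user to the portal users group."""
    lines = [ldif_line("dn", PORTAL_GROUP_DN), "changetype: modify", "add: uniquemember"]
    lines += [ldif_line("uniquemember", f"cn={u},{USERS_BASE}") for u in usernames]
    lines.append("-")
    return "\n".join(fold(l) for l in lines) + "\n"


def batch(usernames: List[str]) -> Tuple[str, str, Dict[str, str]]:
    """Return (ldapadd LDIF, ldapmodify LDIF, {username: initial password}).
    Entries in the add file are separated by a blank line as LDIF requires.
    The add file contains passwords: write it with restrictive permissions
    and remove it after the import."""
    passwords = {u: new_initial_password() for u in usernames}
    add_ldif = "\n".join(user_add_entry(u, passwords[u]) for u in usernames)
    return add_ldif, group_modify_entry(usernames), passwords


if __name__ == "__main__":
    add_ldif, mod_ldif, pw = batch(["jinky.jenkins", "jason.gardiner"])
    print(add_ldif)
    print(mod_ldif)
```

The two returned strings are the -f inputs for the ldapadd and ldapmodify commands shown above; the calendar (uniuser) and mail (oesucr) steps still follow per user.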