Initial Load of LDAP Groups

I am running an initial load from LDAP using the template job.
The users have been successfully loaded into the Id store table but the group read pass does not do anything.
What should the source and destination tabs look like for the Read groups pass?
Thanks
S.

Hi
In my case the InitialLoad-Jobs for ADS/LDAP had some information missing in the pass "ReadGroupOfUniqueNamesFromLdap".
In the Source-Tab the LDAP URL should look like this:
LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
For that you should create additional repository-constants "LDAP_FILTER_GROUPS" and "LDAP_STARTING_POINT_GROUPS" which look like this in my case:
LDAP_FILTER_GROUPS=(objectclass=group)
LDAP_STARTING_POINT_GROUPS=ou=groups,ou=idm,dc=example,dc=com
I didn't change anything at the Destination-tab.
Hope this helps...
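The URL layout from the reply above, as an added example that is not part of the original post or of SAP IdM: a small Python script that expands the %$rep.NAME% repository constants, parses the resulting LDAP URL (RFC 4516 layout, with that RFC's defaults for omitted parts) and runs it over a constructed in-memory directory, so you can see what a group-reading pass selects when the starting point, scope or filter is missing. The host name, directory entries and constant values are made up.

```python
"""Expand SAP IdM-style %$rep.NAME% constants into the group-pass LDAP URL,
parse it (ldap://host:port/baseDN?attrs?scope?filter) and evaluate it against
a small in-memory directory. Added example, not SAP IdM code: the entries and
constant values are constructed; only the URL layout comes from the thread."""
import re

# Constructed repository constants, in the shape the reply describes.
REP = {
    "LDAP_HOST": "ldap.example.com",
    "LDAP_PORT": "389",
    "LDAP_STARTING_POINT_GROUPS": "ou=groups,ou=idm,dc=example,dc=com",
    "LDAP_FILTER_GROUPS": "(objectclass=group)",
}
URL_TEMPLATE = ("LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/"
                "%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%")

# Constructed directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "ou=groups,ou=idm,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "cn=admins,ou=groups,ou=idm,dc=example,dc=com": {
        "objectclass": ["group"],
        "uniquemember": ["uid=alice,ou=users,dc=example,dc=com"]},
    "cn=auditors,ou=nested,ou=groups,ou=idm,dc=example,dc=com": {
        "objectclass": ["group"],
        "uniquemember": ["uid=bob,ou=users,dc=example,dc=com"]},
    "uid=alice,ou=users,dc=example,dc=com": {"objectclass": ["inetOrgPerson"]},
}

def expand(template, rep):
    """Replace every %$rep.NAME% with its constant; an undefined name raises
    instead of silently leaving the placeholder inside the URL."""
    def sub(m):
        if m.group(1) not in rep:
            raise KeyError(f"repository constant {m.group(1)} is not defined")
        return rep[m.group(1)]
    return re.sub(r"%\$rep\.([A-Za-z0-9_]+)%", sub, template)

def parse_ldap_url(url):
    """Return (host, port, base, attrs, scope, filter). Omitted pieces take the
    RFC 4516 defaults: all attributes, scope BASE and filter (objectClass=*)."""
    m = re.fullmatch(r"ldap://([^/:?]+)(?::(\d+))?(?:/([^?]*))?(?:\?(.*))?", url, re.I)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    host, port = m.group(1), int(m.group(2) or 389)
    base, rest = m.group(3) or "", m.group(4) or ""
    attrs, scope, filt = (rest.split("?", 2) + ["", ""])[:3]
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return host, port, base, attrs or "*", scope, filt or "(objectClass=*)"

def norm_dn(dn):
    # Case-fold and strip spaces around RDNs so DNs compare reliably (toy rule).
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)

def matches(entry, filt):
    """Evaluate one equality or presence filter such as (objectclass=group)
    or (objectClass=*); anything more complex is rejected, not guessed."""
    m = re.fullmatch(r"\(([\w;.-]+)=([^()]*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter {filt!r}")
    attr, value = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    return bool(values) if value == "*" else value.lower() in (v.lower() for v in values)

def read_groups(url, directory):
    """Return the DNs the URL selects, in directory order."""
    _, _, base, _, scope, filt = parse_ldap_url(url)
    return [dn for dn, entry in directory.items()
            if in_scope(dn, base, scope) and matches(entry, filt)]

if __name__ == "__main__":
    full = expand(URL_TEMPLATE, REP)
    print(full, "->", read_groups(full, DIRECTORY))
    # Scope and filter left out: the defaults (BASE, objectClass=*) return only
    # the starting point itself, so no group entry is read at all.
    bare = expand("LDAP://%$rep.LDAP_HOST%/%$rep.LDAP_STARTING_POINT_GROUPS%", REP)
    print(bare, "->", read_groups(bare, DIRECTORY))
```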

Similar Messages

  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
    But I'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (the user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB

  • Error in delta load of 'Customer Group' from R/3 to CRM

    Hi Experts,
    I added new 'Customer Groups' in R/3. But this is not being updated in CRM. Do I have to trigger initial load again through R3AS or should I create new Customer Groups in CRM?
    The BP delta load BDocs are stuck in SMW01 due to this change. Also, if I need to do the Initial load of Customer Group, which object do I need to do the load for? Is it dnl_cust_sales?
    Please help as it is a Production issue.
    -- Pat

    Hi Pat,
    Use object 'DNL_CUST_SALES' to download Customer Group from R/3 to CRM.
    Use R3AS4 transaction to execute the same.
    Best Regards,
    Pratik Patel

  • Initial Load - AS ABAP - getting only user with a group

    Hi,
    when i start initial load, i just get users with groups. Is that standard?
    Br,
    Philip

    First of all - you'll need to familiarize yourself with the database for effective learning and debugging. I'm talking about the MS-SQL or Oracle DB where you installed the IC schema. It often helps me to understand what's going on behind the scenes.
    Secondly - I read some of your posts - I would advise you to install the dispatcher and everything on the server where the DB is hosted - at least as long as you're in development. The MMC can still be on your local pc/laptop, although some things won't work well there (Import, Dispatcher-Status, ...). This'll ease things a lot I suppose.
    About the service-user... SAP delivers a role you can import into PFCG (SAP_BC_SEC_IDM_.SAP-File in misc-folder of installation media). This role should be sufficient for your communication user, is updated every now and then and contains only the necessary permissions. Maybe you'll have to extend it (Z_SAP_) in case you want to read special tables not supported by the SAP framework (e.g. license data).
    I can hardly believe that the current role assigned to your user only has permissions to users with groups != empty
    By now I have no clue why you only see users in IdM with groups assigned in SU01... look up the SQL-table I mentioned if there are more users.
    BR
    Michael

  • Golden Gate - Initial Load using parallel process group

    Dear all,
    I am new to GG and I was wondering if GG can support initial load with parallel process groups? I have manage to do an initial load using "Direct BULK Load" and "File to Replicat", but I have several big tables and replicat is not catching up. I am aware that GG is not ideal for making initial load, but it is complicated to explain why I am using it.
    Is it possible to use the @RANGE function while performing Initial Load regardless of which method is used (file to replicat, direct bulk, ...)?
    Thanks in advance

    You may use Data Pump for the initial load of large tables.

  • Error during LDAP reconciliation (initial load)

    Hi,
    We are using IDM 7.1. We are trying to do initial load of accounts to Identity Manager using reconciliation with LDAP (Sun Directory Server 5.2). Reconciliation is consistently failing with the following error:
    Error iterating accounts for resource CalNetDirectory:
    javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Sort Response Control]
    Any inputs would be highly appreciated.
    Thanks,
    kIDMan.

    Hello Rupam,
    Abort the load of that object in txn:R3AM1.
    Also, delete the queue entries like R3AI_<OBJECT_NAME> in txn:SMQ2.
    This would let you restart the load again.
    If again it goes to WAIT state, then it means that you do not have enough work processes to handle this load.
    It happens if several other loads are running. So you have to wait till the other loads get finished, or you need to increase the work processes, if your hardware supports it.
    Hope this helps!
    Best Regards,
    Shanthala Kudva.

  • Connection Refused Error while running AS ABAP Initial Load

    All,
    I've never connected SAP NW IdM to an actual SAP system before, and I feel like I'm missing some obvious step of configuration, but I can't figure out what.
    We are in the process of trying provision user accounts to our SAP ABAP systems. My first step was to try to read all of the existing accounts from the ABAP system:
    Our Basis team created me a Communication user with the proper authorizations (I ensured that the authorizations included in SAP_BC_SEC_IDM_COMMUNICATION)
    I created a repository using the SAP NetWeaver AS ABAP (Specific Application Server) Repository Template (No CUA, No SNC) using that user's credentials
    I then used the Job Wizard and used the job template AS ABAP - Initial Load, specifying my repository above.
    When I run the job I get the following:
    Initializing SAP connection with parameters:
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server failed Connect_PM MSHOST=<IPADDRESS>, R3NAME=<SID>, GROUP=PUBLIC LOCATION CPIC (TCP/IP) on local host ERROR partner not reached (host <IPADDRESS>, service sapms<SID>) TIME Wed Jun 01 13:54:36 201 RELEASE 640 COMPONENT NI (network interface) VERSION 37 RC -10 MODULE nixxi_r.cpp LINE 8840 DETAIL NiPConnect2 SYSTEM CALL SiPeekPendConn ERRNO 10061 ERRNO TEXT WSAECONNREFUSED: Connection refused COUNTER 1
    Error Init failed
    I'm running SAP NW IdM 7.1 SP5 on Windows Server 2003 with MSSQL 2005. The ABAP server is on a UNIX box with an Oracle 10.2 dB.
    Is there additional configuration that needs to take place on the ABAP side to accept the connection?
    I've tried to find documentation on this, but have been unsuccessful. If someone could point me to the correct documents, or at least point me in the right direction for troubleshooting, it would be greatly appreciated.

    Ankur,
    Looks like the endpoint URL of the webservice is not updated and still pointing to the localhost. Try changing it to http://<ip_address_of_your_server>:7101..... and see if it works fine then.
    -Arun

  • Initial Load of IS-U business partners to CRM - wrong business partner cat

    Hi Gurus,
    when downloading CUSTOMER_MAIN from R/3 to CRM
    Where is it determined that the business partner in CRM should be created in the business partner category 'Person'?
    We have the problem that all our business partners in CRM are now 'Organizations' (but were sold-to parties in R/3 with account group DEBI)
    PIDE setting is:
    R/3 account group DEBI  ---> classification 'B' ('Customer')
    In the customizing of the business partner roles for the role type CRM000 (and for all the others) Organization, Person and Group is all allowed by default.
    The download itself and the number ranges work fine.

    The reason for the problem is unknown, but a workaround is to first run the initial load of BUPA_MAIN instead of CUSTOMER_MAIN; then the right business partner category is taken by the system.

  • Initial load of mview on a prebuilt table

    We are using 9i Advanced Replication, materialized views. The situation is, we have a number of tables utilizing FAST or FORCE on PREBUILT TABLE. The master site database is already loaded and the mview logs have been created.
    The initial creation of these materialized views does not result in the population of the prebuilt tables as expected. Only an update of the master site table will trigger a replication.
    Is there a way to trigger a replication event that would provide the initial load on a prebuilt table?

    You will need to set your mv refresh to COMPLETE, refresh your group, then set them back to FAST.
    Depending on your data volumes, this might use a lot of rollback since the group is done in a single txn. Also make sure the refresh interval isn't so small that it tries another FULL refresh straight away - before you change them back to FAST.

  • Initial Load of customers stopped

    Hello,
    I started the download of customer_main in CRM 4.0 and as a sales group couldn't be found (which is also deleted in R3, but still to be found in customer masters; also R3 gives an error if you go into VD02 because of this) a BDoc was generated, which is quite ok.
    BUT - the problem is that the initial load was stopped completely.
    In Rel. 3.0 we got also BDoc for errors BUT the download always finished. So afterwards errors were cleaned up.
    Has somebody an idea whether this is normal behaviour in Rel. 4.0, or what I can maybe do so that the download runs further after the stop?
    I'd be happy if I'd get some hints.
    Kind regards
    Christina

    Hello,
    it's difficult to filter out customers as I don't know upfront which ones run into error, as I don't know which sales groups/offices have been deleted in R3 and are still existing in the customer master.
    We found note 823594 and it seems that with this the check of sales group+offices is simply ignored, which means the initial load will run through smoothly.
    The problem can be that you get no BDoc anymore if a sales group is missing and then the inconsistency of the systems increases.
    The error message was
    "CRM_BUPA_MAPPING_30110 - No CRM sales office can be determined fr R3 sales group THS".
    So the error shows what to do basically. But why the whole download is stopping is not clear.
    If somebody knows about this, please reply.
    Kind regards
    Christina

  • Initial load of inventory level from csv - double datarows in query

    Hello everybody,
    a query result shown in a web browser seems strange to me and I would be very glad, if anyone can give me some advice how to solve the problem. As I do not think that it is related to the query, I posted it into this forum.
    The query refers to an InfoCube for inventory management with a single non-cumulative key figure and two other cumulative key figures for increase and decrease of inventory. The time reference characteristic is 0CALDAY. The initial load has been processed reading from a flat file (CSV), the structure looks like this:
    Product group     XXX
    Day               20040101
    Quantity          1000
    Increase          0
    Decrease          0
    Unit               ST
    The initial load runs fine, the system fills all the record sets into the InfoCube. Unfortunately I do not know how to look at the records written into the cube, because only the cumulative key figures are shown in InfoCube-> Manage-> Contents.
    Well, when executing the query, a really simple one, the result is just strange, because somehow there are now two rows for each product group with different dates, one with the 1st of January, 2004 and the other for the 31st of December, 2003 containing both 1000 units. The sum is 2000.
    It became more confusing when I loaded the data for increase and decrease: now the quantities and sums are correct, but the date of the initial load is a few days later than before; the data table in the query does not contain the 1st of January.
    Does anybody know what I did wrong, or where there is information about how to perform an initial load of inventory from CSV in a better way?
    Kind regards
    Peter

    Peter,
    Inventory is not that straight forward to evaluate as it is non-cumulative. Basically it means that one KF is derived from one/two other KFs. You cannot see non-cumulative KFs in manage infocube.
    Have you uploaded opening balances separately? If so, your data for 31st of december is explained.
    In non-cumulative cubes, there need not be a posting for a particular day for a record to exist. For e.g. if you have stock as 10 units on 1st and then no posting for 2nd and 3rd and then increase 10 units on 4th, even for 2nd and 3rd, the non-cumulative KF will report as 10 units (stock on 1st rolled forward).
    There is a how to...inventory management document on service market place that explains this quite nicely.
    Cheers
    Aneesh

  • Handling password while initial load process

    Dear Experts,
    This is about password handling in IDM. While doing initial load, I do not want to bring passwords from my target systems (AD/SAP) into IDM.
    So which password(s) will the users use to log in to the target systems (AD/SAP) after the initial load? What can be achieved with the pass "update system privilege trigger attribute" which is available in the initial load job?
    Is it something like: IDM creates a default password on initial load which is sent back to the target systems (from which the initial load was done), which changes the password for the target systems to this new default password?
    Can we handle this default password being sent to the target systems with the help of this pass "update system privilege trigger attribute" in the initial load, so that this default password is not sent to the target systems?
    So if the default password is not sent back to the target systems after the initial load, then users will keep using their existing passwords for their login in the target systems. After that, if I need to assign the UMEJAVA-only privilege to the users, the password for the target systems will be changed, with the default password being sent by email to the users. Since the password on AD is now changed, how are the users going to log in to AD to check their emails for the new password?
    It seems I have written a BIG query here .... sorry for that. But please let me know if any thing above does not make any sense.
    Also please share your views/expertise/best practice on the same.
    Many thanks in advance!
    Naveen
    Version: IDM 7.2

    Hi Naveen,
    Firstly, to answer your query on what basis we decide the backend type for your UMEJAVA repository: it's the business. If you want users to authenticate against AD when they try to log in to the IDM UI, you have to configure the LDAP as backend and you have to choose the datasource as Microsoft ADS (Deep Hierarchy) + Database (UME database).
    If you want the Users to authenticate against UME database, by default ume points to UME database and you need to create the users in the UME database.
    So, if you have configured AS JAVA with ADS+Database, in IDM you have to select the repository as SAP netweaver as Java (ldap backend)
    In the repository constants, there is an attribute called BACKED_REPOSITORY which should be your AD repository name that is configured.
    If you have a look at the AS JAVA connectors in the provisioning framework, in the create user plugin, IDM first checks for the backend type. If it is an LDAP backend, it just sets the JAVA account attribute; if the backend type is DB, IDM will create the user in the UME database.
    Considering your system details, i would suggest you the below approach.
    1. Configure your UMEJAVA with Microsoft ADS (Deep Hierarchy) + Database (UME database). For more information on how to configure your UMEJAVA with LDAP backend refer to this link
    2. So, now the users who try to login to IDM UI or any app on AS Java, will be authenticated against your active directory.
    3. Perform the initial load from HR.
    4. Perform the initial load from AD.
    5. Perform the initial load from your AS UMEJAVA.
    6. Now, all the user information/role assignment information is loaded to IDM.
    7. Now lets discuss about password management. There are two things here
      a. Change password (by user) - User changes password in IDM --> password changes are provisioned to AD and user can log in with the new password.
      b. Password reset self service - User resets password in IDM --> password changes in AD (as UME is configured to use AD)
    Change password (by user)
    By default the users who are successfully authenticated when they try to login to IDM UI, will get access to self-services tab. To allow users to change the password on their own, you create the corresponding ordered tasks and maintain the access control tab for selfservice.
    So that when users wants to change their passwords, they can change on their own.
    How IDM will provision the new password to target system is something you have to configure the logic. For example, my sandbox looks like this.
    Password reset self-service.
    The user can reset their password on their own if they cannot remember their password. To implement this, look at this document. http://scn.sap.com/docs/DOC-17111
    Hope this helps. please let me know for any further queries.
    ~ Krishna.

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials" -
    That works fine, but I would not like all users in my OID LDAP directory to log into my application - which is why I have created a group in my OID directory for the users I want to include.
    Now at "Builder->Application...->Security->Authorization Schemes->"
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source (Identify Query or PL/SQL) is as follows and is set to "Once Per Session":
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB'.
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then use that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • Webcenter discussion forum - LDAP Group Integration issue

    Hi All,
    I am trying to implement LDAP Group integration in our jive forums 5.1.0 installed in an Oracle IAS 10.1.3.2 server.
    I have followed the steps mentioned in the LDAP documentation and setup the following system properties:
    ldap.groupNameField cn
    ldap.groupMemberField uniquemember
    ldap.groupDescriptionField description
    ldap.groupSearchFilter (cn={0})
    I just restarted the server after setting these up, but the forums instance is not coming up in the server. It throws the following error:
    08/01/21 14:52:33.550 jiveforums: http://CompressingFilter/1.4.4 CompressingFilter has initialized
    08/01/21 15:23:04.597 jiveforums: Servlet error
    java.io.IOException: An established connection was aborted by the software in your host machine
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
    at sun.nio.ch.IOUtil.write(IOUtil.java:75)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
    at java.nio.channels.Channels.write(Channels.java:60)
    at java.nio.channels.Channels.access$000(Channels.java:47)
    at java.nio.channels.Channels$1.write(Channels.java:134)
    at com.evermind.server.http.AJPOutputStream.endRequest(AJPOutputStream.java:117)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:309)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    08/01/21 15:25:59.956 jiveforums: Exception thrown during contextDestroyed
    java.lang.ExceptionInInitializerError
    at com.jivesoftware.forum.database.DbForumFactory.getAttachmentManager(DbForumFactory.java:798)
    at com.jivesoftware.forum.database.DbForumFactory.destroy(DbForumFactory.java:410)
    at com.jivesoftware.forum.database.DbForumFactory.shutdown(DbForumFactory.java:381)
    at com.jivesoftware.forum.util.ForumsLifeCycleListener.contextDestroyed(ForumsLifeCycleListener.java:88)
    at com.evermind.server.http.HttpApplication.destroyContextListeners(HttpApplication.java:5877)
    at com.evermind.server.http.HttpApplication.destroy(HttpApplication.java:5843)
    at com.evermind.server.http.HttpSite.destroy(HttpSite.java:877)
    at com.evermind.server.http.HttpServer.destroy(HttpServer.java:548)
    at com.evermind.server.ApplicationServer.destroy(ApplicationServer.java:2030)
    at com.evermind.server.ApplicationServerShutdownHandler.run(ApplicationServerShutdownHandler.java:93)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.IllegalStateException: Timer already cancelled.
    at java.util.Timer.sched(Timer.java:354)
    at java.util.Timer.scheduleAtFixedRate(Timer.java:296)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:218)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:202)
    at com.jivesoftware.forum.database.DbAttachmentManager.<init>(DbAttachmentManager.java:160)
    at com.jivesoftware.forum.database.DbAttachmentManager.<clinit>(DbAttachmentManager.java:48)
    Can anyone please throw some light on this?
    Thanks and regards,
    ABhijit

    Hi Guneet,
    We are using Jive 5.5.9 instead of 5.1.0 that comes with WebCenter.
    Also we are just trying to validate Jive's authorization scheme, so we didn't integrate the Java SSO part. The Jive forum is just a standalone OC4J instance in the IAS server and we are using the LDAP configuration in the User, Groups Authentication page instead of the default which is required for Java SSO.
    Thanks,
    ABhijit

  • Cannot import LDAP group through Import Wizard.

    Hello,
    We have an issue where we are unable to import an LDAP group if we use the cluster name while logging into the Import Wizard.
    We are able to import the LDAP users/groups if we use the primary CMS name while logging into the Import Wizard.
    Is this a known issue in XI R2 SP3 or are we missing something?
    Please help!!!
    Thanks...

    I'm really surprised the import wizard even works with a cluster name. Considering its design is to migrate from 1 CMS to another, it should require a CMS name and not a cluster name. I don't think using cluster names was ever part of its design. It's even more bizarre that a cluster name would conflict with LDAP. SP3 had several other LDAP bugs that are fixed in SP4, but other than that I'm not sure. What's the issue with using just 1 CMS name? This should be desirable so you can control which CMS gets the added load from the IW; otherwise it would just randomly select one.
    Regards,
    Tim