LDAP Attribute for POP3 access
Dear folks,
In SUN JES subscriber LDAP information, is there any LDAP attribute that indicates the subscriber has access to POP3?
If there is, what kind/type of value can it be?
Thanks,
T Dang
Hi,
For future reference, please always provide the version of messaging server you are using. (./imsimta version)
With regards to your question, POP access is provided unless it is denied (assuming that POP daemon is enabled). Is there a user who is being denied and you are trying to work out why?
The LDAP attribute which restricts access to POP/IMAP/HTTP access of the store is mailallowedserviceaccess
Regards,
Shane.
Similar Messages
-
LDAP attribute for user's last login time?
Hi all,
Is there an LDAP attribute that I could return (via an "ldapsearch" query) that would contain the user's last login time?
We have:
Directory Server Version: 5.2_Patch_2 ; Build number: 2004.107.0034
other...
Identity Server 2004Q2
sparc-sun-solaris2.9
Thanks in advance!
Hello,
If you need this info, you will have to create a password policy that logs the last logon time.
But be careful with this function, it can create a lot of CPU load.
<http://docs.sun.com/app/docs/doc/820-4809/fhkrj?l=en&n=1&a=view>
Regards
Eric. -
Help with ios LDAP setup for VPN access
I am trying to move Microsoft LDAP for my VPN setup to an ISR router with 15.1 code. It has support but very little documentation. Has anyone configured this before? I need some help or a basic config.
LDAP authentication started from 7.1, if I recall correctly, along with LDAP mapping, which helps you validate whether the user has the dial-in attribute on or off. I would say starting from 7.1 till the latest 8.X version.
Version 6.X does not have this feature. -
LDAP Attributes for Barracuda Web Filter
I have the following setting on my filter LDAP settings, but it will not bring the groups in correctly. Can anyone help me figure out what I am doing wrong or what I need to add to get the Barracuda Filter to work with LDAP.
-
Hi guys,
Currently we have an error for an LDAP attribute.
distinguishedName = (String) user.getTransientAttribute("ldap.distinguished_name");
user is of type IUser.
and it returns null
Where could I find the list of user attributes in LDAP? Currently we have LDAP 8.8.1.
Don,
you might want to have a look at an LDAP browser (e.g. http://www-unix.mcs.anl.gov/~gawor/ldap/ ), which helps a lot to find out how your LDAP server is structured and which attributes you can access.
1) Start the tool
2) click onto the "Quick Connect"
3) enter your LDAP server
4) press "Fetch DNs"
5) Uncheck "Anonymous bind"
6) Enter your user credentials
7) Browse your LDAP structure
It helped me a lot to get the correct settings for the DBMS_LDAP calls.
Patrick
My APEX Blog: http://www.inside-oracle-apex.com
The ApexLib Framework: http://apexlib.sourceforge.net
The APEX Builder Plugin: http://apexplugin.sourceforge.net/ -
Windows LDAP attributes match for the Synology LDAP client profile filter.
I have a Windows Server 2012 domain controller with LDAP enabled. I wish to enable the LDAP client on a Synology DiskStation to search for users and give them access to shared folders on the Synology. Hence, I have enabled the client, which shows as connected to the Windows LDAP service, but it is not populating any users.
Has anybody figured this out? It requires profile settings. I'm finding it difficult to identify the LDAP attributes that match the Synology profile filter attributes.
Refer to the following image.
Specify a Dynamic Access Profile with:
Criteria: User has ALL of the following AAA attribute values...
ldap.memberOf != GroupName
cisco.tunnelgroup = TunnelGroupName
Should work
/K -
LDAP vs local login for remote access
Hi Team,
I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and passwords or integration with Active Directory via LDAP. What are the pros and cons of these solutions?
I feel local logins are more secure comparatively because the user first logs in using a local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an administrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.
Hello Manoj,
IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
Local DB is used in case you need to manage a number of 15 users for instance, so in this case it is manageable, but when it comes to a higher number it is not an option.
Active Directory is a better solution since it is meant to handle hundreds of users and allows password-management for instance. Also you can have many ASA devices, performing DB bindings and queries to check the users' credentials to the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
AnyConnect Certificate Based Authentication.
Why to use AD:
Pros
Scalable.
Easy to manage.
Allows password-management.
Cons:
Expensive (not open AD solution).
HTH.
Please rate helpful posts. -
Access LDAP attribute from Webmail
Hi there,
We need to do some customizations on webmail.
One of the things we want to do is to be able to read and write an ldap attribute outside the multivalue attribute NSWMEXTENDEDUSERPREFS.
I've seen on "Webmail Express Customization Guide" that we can load on http startup other external attributes using a command like:
configutil -l -o service.http.extrauserldapattrs -v myattribute:w
on which the :w at the end means that webmail could have write access to the attribute. (Pag 71 of W.E.C. Guide)
I've done that, but the problem is that if I try to write a new value on the attribute, the value is created on the NSWMEXTENDEDUSERPREFS as myattribute=value
So .. It reads from one side but write to another! Any ideas how to write on the myattribute directly from webmail interface?!
Thanks,
Sergio Sousa
Hi,
have you already tried to read the attribute directly from the BOL in the implementation class of the view, without creating any new context node? Maybe this coding might help you:
DATA: lr_entity     TYPE REF TO cl_crm_bol_entity,
      lv_collection TYPE REF TO if_bol_bo_col,
      lv_cat        TYPE string.
" Current header entity from the view's context node
lr_entity ?= me->typed_context->BTAdminH->collection_wrapper->get_current( ).
TRY.
    " Follow the relation and read the attribute from the related entity
    lv_collection = lr_entity->get_related_entities( iv_relation_name = 'BTHeaderActivityExt' ).
    lr_entity ?= lv_collection->get_current( ).
    CALL METHOD lr_entity->if_bol_bo_property_access~get_property_as_string
      EXPORTING
        iv_attr_name = 'CATEGORY'
      RECEIVING
        rv_result    = lv_cat.
  CATCH cx_sy_ref_is_initial.
    " No current or related entity: lv_cat stays empty
ENDTRY.
Best regards,
Oliver -
We started getting this error when we installed Lync Server. I already verified that the "RTCHSUniversalServices" group has “Replicating Directory Changes" permission.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
Directory partition:
DC=<domain>,DC=com
Error value:
8453 Replication access was denied.
User Action
The client may not have access for this request. If the client requires it, they should be assigned the control access right "Replicating Directory Changes" on the directory partition in question.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Domain Controllers and Lync server are running on Windows 2008 SP2. Any other things that I could check?
A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
Directory partition:
DC=<domain>,DC=com
Error value:
8453 Replication access was denied.
User Action
The client may not have access for this request. If the client requires it, they should be assigned the control access right "Replicating Directory Changes" on the directory partition in question.
oas4ever -
Problem with LDAP authentication for users in a group
I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
 ldap-base-dn DC=COMPANY,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
 server-type microsoft
 ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 wins-server none
 dns-server value 10.10.100.102
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value net.COMPANY.com
 webvpn
  anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 address-pool COMPANY-SSL-VPN-POOL
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
 default-group-policy NOACCESS
 authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
 group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
 ikev1 pre-shared-key *****
I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
-
ISE 1.1.1. and additional LDAP attribute retrieval
Hello All,
I'm authenticating users against Active Directory and also want to check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
Can anyone help me with how this can be set on ISE?
Thanks!
Regards
Karel Navratil
Yes, that's what I've tried, as I wrote in my first post, but the ISE does not retrieve the attribute from LDAP.
Here are some screenshots:
authorization rule:
ldap attribute in external identity source:
and the logs:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11105 Request received from a device that is configured with KeyWrap in ISE.
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12209 Starting EAP chaining
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
22043 Current Identity Store does not support the authentication method; Skipping it
24210 Looking up User in Internal Users IDStore - test,host/test-pc
24216 The user is not found in the internal users identity store
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
11055 User name change detected for the session. Attributes for the session will be removed from the cache
15006 Matched Default Rule
15013 Selected Identity Store - Internal Endpoints
22043 Current Identity Store does not support the authentication method; Skipping it
24210 Looking up User in Internal Users IDStore - test,host/test-pc
24216 The user is not found in the internal users identity store
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12201 Approved EAP-FAST client Machine PAC request
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12855 PAC was not sent due to authorization failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11105 Request received from a device that is configured with KeyWrap in ISE.
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
So there is no information that ISE tries to retrieve anything from LDAP.
Regards
Karel -
Setting Application Context Attributes for Enterprise Users Based on Roles
Hello,
We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
-- For each record in my RoleSitePrivileges table, set
-- an attribute named 'SITE_PRIVILEGE_<SiteID>'.
-- If the current user has been assigned a role matching
-- the value in the 'RoleName' field, set the corresponding
-- attribute to 'Y'... otherwise, set it to 'N'.
FOR iPrivRec IN (SELECT RoleName, SiteID
                   FROM RoleSitePrivileges
                  ORDER BY SiteID)
LOOP
    SELECT COUNT(*)
      INTO roleExists
      FROM dba_role_privs
     WHERE granted_role = UPPER(iPrivRec.RoleName)
       AND grantee = USER;
    IF roleExists > 0 THEN
        DBMS_SESSION.set_context(
            namespace => 'my_ctx',
            attribute => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
            value     => 'Y');
    ELSE
        DBMS_SESSION.set_context(
            namespace => 'my_ctx',
            attribute => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
            value     => 'N');
    END IF;
END LOOP;
To finish things off, I created a security policy function for the table which returns the following:
RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                     FROM session_context
                    WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                      AND value = ''Y'')';
This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully log in to the database, and I can see the appropriate global role assignments when I query the session_roles view.
I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
Thank you! -
Address Book now showing all LDAP attributes
The Address Book does not provide access to all LDAP attributes. For example
homePhone
homePostalAddress
labeledURI
are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to Thunderbird, which allows the mapping of all the fields it knows about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the de facto standard, is rather due for redesign.
I am just wondering if anybody else is having this problem and if they found a solution?
the script did not work for me
python fixBirthdays
Traceback (most recent call last):
File "fixBirthdays", line 6, in <module>
import AddressBook
ImportError: No module named AddressBook
further, the one particular vcard that is misbehaving - I exported it, and opened it in Tedit.
this is what I see for the date field.
item1.X-ABDATE;type=pref:2003-06-17
year is not negative either.
I unchecked and checked birthday calendar in iCal. exited iCal after uncheck, relaunched iCal and checked that option.
no show of the birthdate.
stumped. -
Using Static Variable against Context Attribute for Holding IWDView
Dear Friends,
I have a method which is in another DC which has a parameter of the type IWDView. In my view, I will have an action which will call the method in another component by passing the value for the view parameter. Here, I can achieve this in 2 types. One is - I declare a static variable and assign the wdDoModifyView's view as parameter value and I can pass this variable as parameter whenever calling that method or the second way - create an attribute and assign the same wdDoModifyView's view parameter as its value. Whenever I call this method, I can pass this attribute as parameter. What is the difference between these two types of holding the value since I am storing the same value i.e., wdDoModifyView's view parameter. But when I trigger the action from different user sessions, the first type of code (using static variable) prints the same value in both the sessions for view.hashCode() and View.toString(), but the same is printing the different values when I pass the attribute which holds the view parameter.
Clarification on this is highly appreciated
The problem I face is when I use a static variable to get the view instance and export the data using the UI element's id, the data belonging to different user sessions is mixed up, whereas when I use a Context Attribute, the same problem doesn't arise. I want to know the reason why it is so. Is there any other place or way where I can get the current view instance of each session instead of wdDoModifyView?
Hi Sujai,
As you have specified the problem that we face when we use static attributes, when end users are using the application.
Static means I have n number of objects but the static variable value will remain the same everywhere.
When it is a context attribute, for every object, i.e. the nth object, you have an nth context attribute, I mean an nth copy of the context attribute.
So every user has a unique Iview parameter when context is used, and
when static is used, assume you have user A, his Iview is set initially, and you have another user B; when he is using it, since the variable is static, when you access this variable you will get the value of user A.
Regards
Govardan Raj -
Error while doing the Ldap sync for UDFs
Hi All,
I am doing LDAP sync for UDFs,
Created users in OID.
assigned to orclIDXPerson object, modified the ldapconfig.props and created the input file.
Now I am running the ldapsyncudf.sh and then I am getting the below error.
Exception in thread "main" java.lang.NullPointerException
at oracle.ods.virtualization.schema.AttributeTypeDefinition.getOID(AttributeTypeDefinition.java:117)
at oracle.ods.virtualization.jndi.OVDSchemaContext.convertAttrDefnToJNDIAttrs(OVDSchemaContext.java:655)
at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:137)
at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:109)
at oracle.iam.configservice.impl.LDAPUDFSyncImpl.isAttrExistsInLDAP(LDAPUDFSyncImpl.java:555)
at oracle.iam.configservice.impl.LDAPUDFSyncImpl.validateOVDSchema(LDAPUDFSyncImpl.java:519)
at oracle.iam.configservice.impl.LDAPUDFSyncImpl.addUDFwithLDAP(LDAPUDFSyncImpl.java:1082)
at oracle.iam.configservice.api.LDAPUDFSyncEJB.addUDFwithLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy631.addUDFwithLDAPx(Unknown Source)
Can anyone please unblock me?
Thanks,
Valli
Hi,
Please see if these help (for 11gR2):
Export the LDAPUser.xml file from MDS using weblogicExportMetadata.bat. This XML contains the attribute mapping between OIM and OID for LDAP synchronization.
Include the entry for the OIM attribute (if an entry does not exist for the attribute in the XML) under the entity-attributes node. For example, use the following XML snippet to add the entry for the ISD Code for Phone attribute:
<entity-attributes>
  <attribute name="ISD Code for Phone">
    <type>string</type>
    <required>false</required>
    <attribute-group>Extended</attribute-group>
    <searchable>true</searchable>
  </attribute>
</entity-attributes>
Include the entry for the OID attribute under the target-fields node. For example, use the following XML snippet to add the entry for CountryCode:
<target-fields>
  <field name="CountryCode">
    <type>String</type>
    <required>false</required>
  </field>
</target-fields>
Now map the OIM attribute to the OID attribute using the following XML snippet under the attribute-maps node:
<attribute-maps>
  <attribute-map>
    <entity-attribute>ISD Code for Phone</entity-attribute>
    <target-field>CountryCode</target-field>
  </attribute-map>
</attribute-maps>
Save the changes and import the file back into MDS using the WebLogic import utilities.