LDAP Attribute for POP3 access

Dear folks,
In SUN JES subscriber LDAP information, is there any LDAP subscriber LDAP attribute that indicates the subscriber having access to POP3?
If there is, what kind/type of value can it be?
Thanks,
T Dang

Hi,
For future reference, please always provide the version of messaging server you are using. (./imsimta version)
With regards to your question, POP access is provided unless it is denied (assuming that POP daemon is enabled). Is there a user who is being denied and you are trying to work out why?
The LDAP attribute which restricts access to POP/IMAP/HTTP access of the store is mailallowedserviceaccess
Regards,
Shane.

Similar Messages

  • LDAP attribute for user's last login time?

    Hi all,
    Is there an LDAP attribute that I could return (via an "ldapsearch" query) that would contain the user's last login time?
    We have:
    Directory Server Version: 5.2_Patch_2 ; Build number: 2004.107.0034
    other...
    Identity Server 2004Q2
    sparc-sun-solaris2.9
    Thanks in advance!

    Hello,
    If you need this info, you will have to create a password policy that logs the last logon time.
    But be careful with this function, it can create a lot of CPU load.
    <http://docs.sun.com/app/docs/doc/820-4809/fhkrj?l=en&n=1&a=view>
    Regards
    Eric.

  • Help with ios LDAP setup for VPN access

    I am trying to move Microsoft LDAP for my VPN setup to an ISR router with 15.1 code. It has support but very little documentation. Anyone configured this before? I need some help or a basic config.

    LDAP authentication started from 7.1 if I recall correctly, along with LDAP mapping, which helps you validate whether the user has the dial-in attribute on or off. I would say starting from 7.1 till the latest 8.X version.
    Version 6.X does not have this feature.

  • LDAP  Attributes for Barracuda Web Filter

    I have the following setting on my filter LDAP settings, but it will not bring the groups in correctly.  Can anyone help me figure out what I am doing wrong or what I need to add to get the Barracuda Filter to work with LDAP.


  • User attributes for LDAP

    Hi guys,
    Currently we have an error for an LDAP attribute.
    distinguishedName = (String) user.getTransientAttribute("ldap.distinguished_name");
    user is of type IUser,
    and it returns null.
    Where could I find the list of user attributes in LDAP? Currently we have LDAP 8.8.1.

    Don,
    you might want to have a look at an LDAP browser (e.g. http://www-unix.mcs.anl.gov/~gawor/ldap/ ), which helps a lot to find out what the structure of your LDAP server is and which attributes you can access.
    1) Start the tool
    2) click onto the "Quick Connect"
    3) enter your LDAP server
    4) press "Fetch DNs"
    5) Uncheck "Anonymous bind"
    6) Enter your user credentials
    7) Browse your LDAP structure
    It helped me a lot to get the correct settings for the DBMS_LDAP calls.
    Patrick
    My APEX Blog: http://www.inside-oracle-apex.com
    The ApexLib Framework: http://apexlib.sourceforge.net
    The APEX Builder Plugin: http://apexplugin.sourceforge.net/

  • Windows LDAP attributes match for the Synology LDAP client profile filter.

    I am having Windows server 2012 domain controller with LDAP enabled. I wish to enable LDAP client on Synology Diskstation to search for users and enable them access of shared folders of Synology. Hence, I have enabled the client which shows connected to the Windows LDAP service, but not populating any users.
    Anybody figured out this? It requires profile settings. I'm finding difficult to identify the LDAP attributes match for the Synology profile filter attributes.
    Refer following image.

    Specify a Dynamic Access Profile with:
    Criteria: User has ALL of the following AAA attribute values...
    ldap.memberOf != GroupName
    cisco.tunnelgroup = TunnelGroupName
    Should work
    /K

  • LDAP vs local login for remote access

    Hi Team,
    I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and passwords or integration with Active Directory via LDAP. What are the pros and cons of these solutions?
    I feel local logins are more secure comparatively because the user first logs in using a local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an administrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

    Hello Manoj,
    IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
    Local DB is used in case you need to manage a number of 15 users for instance, so in this case it is manageable, but when it comes to a higher number it is not an option.
    Active Directory is a better solution since it is meant to handle hundreds of users and allows password-management for instance. Also you can have many ASA devices, performing DB bindings and queries to check the users' credentials to the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
    If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
    AnyConnect Certificate Based Authentication.
    Why to use AD:
    Pros
    Scalable.
    Easy to manage.
    Allows password-management.
    Cons:
    Expensive (not open AD solution).
    HTH.
    Please rate helpful posts.

  • Access LDAP attribute from Webmail

    Hi there,
    We need to do some customizations on webmail.
    One of the things we want to do is to be able to read and write an ldap attribute outside the multivalue attribute NSWMEXTENDEDUSERPREFS.
    I've seen on "Webmail Express Customization Guide" that we can load on http startup other external attributes using a command like:
    configutil -l -o service.http.extrauserldapattrs -v myattribute:w
    on which the :w at the end means that webmail could have write access to the attribute. (Pag 71 of W.E.C. Guide)
    I've done that, but the problem is that if I try to write a new value on the attribute, the value is created on the NSWMEXTENDEDUSERPREFS as myattribute=value
    So .. It reads from one side but write to another! Any ideas how to write on the myattribute directly from webmail interface?!
    Thanks,
    Sergio Sousa

    Hi,
    have you already tried to read the attribute directly from the BOL in the implementation class of the view, without creating any new context node? Maybe this coding might help you:
    DATA: lr_entity        TYPE REF TO cl_crm_bol_entity.
    DATA: lv_collection TYPE REF TO if_bol_bo_col.
    DATA: lv_cat type string.
    lr_entity ?= me->typed_context->BTAdminH->collection_wrapper->get_current( ).
      TRY.
      lv_collection = lr_entity->get_related_entities( iv_relation_name = 'BTHeaderActivityExt' ).
       CATCH cx_sy_ref_is_initial.
    ENDTRY.
          lr_entity ?= lv_collection->get_current( ).
      CALL METHOD lr_entity->if_bol_bo_property_access~get_property_as_string
        EXPORTING
          iv_attr_name = 'CATEGORY'
        RECEIVING
          rv_result    = lv_cat.
    Best regards,
    Oliver

  • A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error

    We started getting this error when we installed Lync Server. I already verified that the "RTCHSUniversalServices" group has “Replicating Directory Changes" permission.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
    Directory partition:
    DC=<domain>,DC=com
    Error value:
    8453 Replication access was denied.
    User Action
    The client may not have access for this request. If the client requires it, they should be assigned the control access right "Replicating Directory Changes" on the directory partition in question.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Domain Controllers and Lync server are running on Windows 2008 SP2. Any other things that I could check?

  • Problem with LDAP authentication for users in a group

    I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
    I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
    I'd be grateful if anyone can point me in the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
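
A configuration check built on the finding reported in this thread, as an added example that is not part of the original posts: it flags group policies reachable through an `ldap attribute-map` that do not set `vpn-simultaneous-logins` themselves while a tunnel group's default policy sets it to 0. The function names and the trimmed sample configuration are constructed for illustration, the parser only understands the few commands shown in the thread, and the inheritance behaviour is taken from the poster's report rather than verified here.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted in the thread.
SAMPLE_CONFIG = """\
ldap attribute-map AuthUsers
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 dns-server value 10.10.100.102
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
"""

MAP_VALUE = re.compile(r'map-value\s+\S+\s+(?:"[^"]*"|\S+)\s+(\S+)$')
LOGINS = re.compile(r"vpn-simultaneous-logins\s+(\d+)$")
DEFAULT_POLICY = re.compile(r"default-group-policy\s+(\S+)$")


def parse_sections(config):
    """Group indented sub-commands under the top-level command above them."""
    sections = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.split(), []))
    return sections


def audit_mapped_policies(config):
    """Return (policy, issue) pairs for LDAP-mapped group policies."""
    mapped = set()   # group policies named as map-value targets
    logins = {}      # policy name -> explicit vpn-simultaneous-logins value
    defaults = {}    # tunnel group -> default-group-policy
    for words, body in parse_sections(config):
        if words[:2] == ["ldap", "attribute-map"]:
            pattern, store = MAP_VALUE, lambda m: mapped.add(m.group(1))
        elif words[0] == "group-policy" and words[-1] == "attributes":
            name = words[1]
            pattern, store = LOGINS, lambda m, n=name: logins.update({n: int(m.group(1))})
        elif words[0] == "tunnel-group" and words[-1] == "general-attributes":
            name = words[1]
            pattern, store = DEFAULT_POLICY, lambda m, n=name: defaults.update({n: m.group(1)})
        else:
            continue
        for sub in body:
            match = pattern.match(sub)
            if match:
                store(match)

    # Default policies that deny access by allowing zero simultaneous logins.
    deny_defaults = sorted({p for p in defaults.values() if logins.get(p) == 0})
    findings = []
    for policy in sorted(mapped):
        if logins.get(policy) == 0:
            findings.append((policy, "vpn-simultaneous-logins is 0"))
        elif policy not in logins and deny_defaults:
            findings.append((policy,
                             "no explicit vpn-simultaneous-logins; default policy "
                             + ", ".join(deny_defaults) + " sets 0"))
    return findings


if __name__ == "__main__":
    for policy, issue in audit_mapped_policies(SAMPLE_CONFIG):
        print(f"{policy}: {issue}")
```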

  • ISE 1.1.1. and additional LDAP attribute retrieval

    Hello All,
    I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
    When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
    Can anyone help me how this can be set on ISE?
    Thanks!
    Regards
    Karel Navratil

    Yes, that's what I've tried, as I wrote in my first post, but the ISE does not retrieve the attribute from LDAP.
    Here are some screenshots:
    authorization rule:
    ldap attribute in external identity source:
    and the logs:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12100  Prepared EAP-Request proposing EAP-FAST with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12810  Prepared TLS ServerDone message
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12812  Extracted TLS ClientKeyExchange message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12209  Starting EAP chaining
    12218  Selected identity type 'User'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24430  Authenticating user against Active Directory
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12200  Approved EAP-FAST client Tunnel PAC request
    12219  Selected identity type 'Machine'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    11055  User name change detected for the session. Attributes for the session will be removed from the cache
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24431  Authenticating machine against Active Directory
    24470  Machine authentication against Active Directory is successful
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12201  Approved EAP-FAST client Machine PAC request
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Rejected per authorization profile
    12855  PAC was not sent due to authorization failure
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11514  Unexpectedly received empty TLS message; treating as a rejection by the client
    12512  Treat the unexpected TLS acknowledge message as a rejection from the client
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    So there isn't any information that ISE tries to retrieve something from LDAP.
    Regards
    Karel

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;
    To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';
    This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!

  • Address Book now showing all LDAP attributes

    The Address Book does not provide access to all LDAP attributes. For example
    homePhone
    homePostalAddress
    labeledURI
    are some of the fields currently left out. It would be nice if it was possible to configure the schema mapping, similar to Thunderbird, which allows the mapping of all the fields it knows about to corresponding LDAP attributes. Also inetOrgPerson, even though it is the de facto standard, is rather due for redesign.
    I am just wondering if anybody else is having this problem and if they found a solution?

    the script did not work for me
    python fixBirthdays
    Traceback (most recent call last):
    File "fixBirthdays", line 6, in <module>
    import AddressBook
    ImportError: No module named AddressBook
    further, the particular one vcard that is misbehaving - I exported it, and opened it in Tedit.
    this is what I see for the date field.
    item1.X-ABDATE;type=pref:2003-06-17
    year is not negative either.
    I unchecked and checked birthday calendar in iCal. exited iCal after uncheck, relaunched iCal and checked that option.
    no show of the birthdate.
    stumped.

  • Using Static Variable against Context Attribute for Holding IWDView

    Dear Friends,
    I have a method which is in another DC which has a parameter of the type IWDView. In my view, I will have an action which will call the method in another component by passing the value for the view parameter. Here, I can achieve this in 2 types. One is - I declare a static variable and assign the wdDoModifyView's view as parameter value and I can pass this variable as parameter whenever calling that method or the second way - create an attribute and assign the same wdDoModifyView's view parameter as its value. Whenever I call this method, I can pass this attribute as parameter. What is the difference between these two types of holding the value since I am storing the same value i.e., wdDoModifyView's view parameter. But when I trigger the action from different user sessions, the first type of code (using static variable) prints the same value in both the sessions for view.hashCode() and View.toString(), but the same is printing the different values when I pass the attribute which holds the view parameter.
    Clarification on this is highly appreciated
    The problem I face is when I use a static variable to get the view instance and export the data using the UI element's id, the data belonging to different user sessions is mixed up, whereas when I use a Context Attribute, the same problem doesn't arise. I want to know the reason why it is so. Is there any other place or way where I can get the current view instance of each session instead of wdDoModifyView?

    Hi Sujai,
    As you have specified the problem that we face when we use static attributes, when end users are using the application.
    Static means I have n number of objects but the static variable value will remain the same everywhere.
    When it is a context attribute, for every object, i.e. the nth object, you have an nth context attribute, I mean an nth copy of the context attribute.
    So every user has a unique Iview parameter when context is used, and
    when static is used, assume you have userA, his Iview is set initially, and you have another userB; when he is using it, since the variable is static, when you access this variable you will get the value of userA.
    Regards
    Govardan Raj
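The behaviour discussed in this thread, as an added example that is not part of the original posts and does not use the Web Dynpro API: `View` is a hypothetical stand-in for `IWDView`, and `ViewController` stands for a controller of which one object exists per user session. The static field holds whichever view was assigned last, so an export that reads it can return another session's data, while the instance field stays private to its session.

```java
import java.util.List;

public class StaticVsPerSessionView {
    // Hypothetical stand-in for IWDView; the real Web Dynpro type is not used here.
    static final class View {
        final String sessionUser;
        final List<String> rows;
        View(String sessionUser, List<String> rows) {
            this.sessionUser = sessionUser;
            this.rows = rows;
        }
    }

    // Assumption: one controller object is created per user session.
    static final class ViewController {
        static View staticView;   // one slot per class: shared by all sessions in the JVM
        View contextView;         // one slot per object: private to this session

        // Plays the role of wdDoModifyView, which hands the controller its view.
        void modifyView(View view) {
            staticView = view;
            contextView = view;
        }

        List<String> exportViaStatic()  { return staticView.rows; }
        List<String> exportViaContext() { return contextView.rows; }
    }

    public static void main(String[] args) {
        ViewController sessionA = new ViewController();
        ViewController sessionB = new ViewController();
        // Constructed sample data for two concurrent sessions.
        sessionA.modifyView(new View("userA", List.of("A-invoice-1", "A-invoice-2")));
        sessionB.modifyView(new View("userB", List.of("B-invoice-9")));

        // User A now triggers the export action in their own session.
        System.out.println("static  -> " + sessionA.exportViaStatic());
        System.out.println("context -> " + sessionA.exportViaContext());
    }
}
```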

  • Error while doing the Ldap sync for UDFs

    Hi All,
    I am doing LDAP sync for UDFs,
    Created users in OID.
    Assigned to orclIDXPerson object, modified the ldapconfig.props and created the input file.
    Now I am running the ldapsyncudf.sh, then I am getting the below error.
    Exception in thread "main" java.lang.NullPointerException
    at oracle.ods.virtualization.schema.AttributeTypeDefinition.getOID(AttributeTypeDefinition.java:117)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.convertAttrDefnToJNDIAttrs(OVDSchemaContext.java:655)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:137)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:109)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.isAttrExistsInLDAP(LDAPUDFSyncImpl.java:555)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.validateOVDSchema(LDAPUDFSyncImpl.java:519)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.addUDFwithLDAP(LDAPUDFSyncImpl.java:1082)
    at oracle.iam.configservice.api.LDAPUDFSyncEJB.addUDFwithLDAPx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy631.addUDFwithLDAPx(Unknown Source)
    can anyone please unblock me.
    Thanks,
    Valli

    Hi,
    Please see if these help (for 11gR2)
    Export the LDAPUser.xml file from MDS using weblogicExportMetadata.bat. This xml contains the attributes mapping between OIM and OID for LDAP synchronization.
    Include the entry for OIM attribute (if entry does not exist for the attribute in the XML) under entity-attributes node. For e.g. use the following xml snippet to add the entry for ISD Code for Phone attribute
    <entity-attributes><attribute name="ISD Code for Phone"> <type>string</type> <required>false</required> <attribute-group>Extended </attribute-group> <searchable>true</searchable> </attribute> </entity-attributes>
    Include the entry for OID attribute under target-fields node. For e.g. use the following xml snippet to add the entry for CountryCode
    <target-fields><field name="CountryCode"><type>String</type> <required>false</required> </field> </target-fields>
    Now map the OIM attribute with the OID attribute using the following xml snippet under attribute-maps node
    <attribute-maps><attribute-map> <entity-attribute> ISD Code for Phone </entity-attribute> <target-field>CountryCode</target-field> </attribute-map></attribute-maps>
    Save the changes and import the file back into MDS using WebLogic import utilities.
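A pre-import check for the edit described in this reply, as an added example that is not Oracle's tooling or the poster's code: it parses the file (so curly quotes or an unclosed `field` element fail immediately) and reports any `attribute-map` that names an undeclared attribute or field. The class name, the sample document and its root element are constructed; it assumes `attribute` and `field` elements occur only under the `entity-attributes` and `target-fields` nodes and that surrounding whitespace in map entries is not significant.

```java
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class LdapUserMapCheck {
    // Constructed sample: the three nodes from the post under a made-up root element.
    static final String SAMPLE = "<sample-root>"
        + "<entity-attributes><attribute name=\"ISD Code for Phone\"/></entity-attributes>"
        + "<target-fields><field name=\"CountryCode\"/></target-fields>"
        + "<attribute-maps><attribute-map><entity-attribute> ISD Code for Phone </entity-attribute>"
        + "<target-field>CountryCode</target-field></attribute-map>"
        + "<attribute-map><entity-attribute>Fax</entity-attribute>"
        + "<target-field>CountryCod</target-field></attribute-map></attribute-maps></sample-root>";

    // Collects the name="..." values of every element with the given tag.
    static Set<String> names(Document doc, String tag) {
        Set<String> out = new HashSet<>();
        NodeList nodes = doc.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++)
            out.add(((Element) nodes.item(i)).getAttribute("name").trim());
        return out;
    }

    static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    // Throws a SAXParseException when the input is not well-formed XML.
    static List<String> check(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder()
                .parse(new org.xml.sax.InputSource(new java.io.StringReader(xml)));
        Set<String> attrs = names(doc, "attribute");
        Set<String> fields = names(doc, "field");
        List<String> problems = new ArrayList<>();
        NodeList maps = doc.getElementsByTagName("attribute-map");
        for (int i = 0; i < maps.getLength(); i++) {
            Element m = (Element) maps.item(i);
            String a = childText(m, "entity-attribute"), t = childText(m, "target-field");
            if (!attrs.contains(a)) problems.add("map " + i + ": undeclared entity attribute " + a);
            if (!fields.contains(t)) problems.add("map " + i + ": undeclared target field " + t);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        check(SAMPLE).forEach(System.out::println);
    }
}
```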
