LDAP changing, ACL maintaining

Similar Messages

• Error when changing ACL

  I have following problem:
  Non admin users in IFS can't change ACL of document (file) - using WebUI.
  When I choose ApplyACL command from drop down menu I get an error in HTML script. In line 69:
  <SCRIPT> alert("IFS-10406: Invalid AttributeValue conversion (DIRECTORYOBJECT to Java DirectoryObject)"); </SCRIPT>
  history.back();
  It seems that I have an general problem with this error. Similar error appears when I try to upload file with non admin user via Browse (see: http://technet.oracle.com:89/ubb/Forum36/HTML/000951.html)
  null

  For a user to modify an object's access control list, they must either be the owner of the document, an administrator, or have been granted the 'Grant' permission to the document. The 'Grant' permission allows users to grant and revoke access permissions for other users.
  First, ensure that the non-admin user has been given the Grant permission in the document's current ACL. Subsequently, the user should be able to apply a new ACL to the document.
  null

• Change LDAP, mantaining ACLs

  Hi All,
  we have SAP EP6 SP19. UME is against LDAP.
  For business reasons, we need to change the LDAP name, mantaining the same schema, with the same ou, users and groups.
  Is there a way to update unique ID in the UME, updating only LDAP name and without having impacts on KM ACL, roles assignements and PCD permissions?
  Thanks in advance
  Antonio

  hi,
  The reason for such occurrence was that, the UME (User Management Engine) assigns unique IDs to the LDAP users. By Default the unique ID contains the distinguished name of the user.
  If the user is moved to a different location in the LDAP Directory, its distinguished name changes.
  For example the unique ID of a user is
  USER.CORP_LDAP.cn=testuser, ou=people, o=mycompany
  If this user is changed to a different location for which ou=admins then the unique ID of the user is changed to
  USER.CORP_LDAP.cn=testuser, ou=admins, o=mycompany
  In this case the UME can no longer find any data associated with the user under the old unique ID and the data (role assignment or user mappings) stored in database for such users gets lost. So in this regard we have changed the configuration of the UME so that it no longer uses the distinguished name in the unique ID, instead we use a unique attribute that is never changed in the LDAP directory.
  please follow the SAP note: 777640
  This will resolve ur issue.
  Thanks and regards,
  Kris

• Why can't I change ACL permissions of a volume on mac os x 10.6

  Hello,
  I'm currently working with a Mac OS X 10.6.8 Server with 2x1TB drive installed in RAID configuration (/Volumes/LTRK) and 1x2TB installed as a regular volume (/Volumes/LTRK2/). For both volumes I could set all permissions perfectly, but recently, I cannot change the permissions on the 2TB volume. I have the following current permissions:
  ACL:
  Group of regular division members (read + all descendants)
  Group of ICT co-workers (read/write + all descendants)
  Administrators (read/write + all descendants)
  Everyone (read + all descendants)
  POSIX:
  The admin user account (read/write + this folder)
  The 'staff' group which is automatically there (read/write + this folder)
  Others (read + this folder)
  If I compare to the drive where I can change the permissions and where everything works correctly (the RAID config), the only difference is that the 'Everyone' group permissions are not set to be inherited for the working drive (so only on the volume level). I wanted to check whether this was the source of my problems and tried to change the permissions of the 'Everyone' group. However, as soon as I click Save in Server Admin, it automatically reverts to all descendants.
  The results of the failure to reset the permissions, leads to the fact that I don't have write access anymore with the admin user accound (I guess due to counteracting permissions). I also tried to delete all permissions from the volume with "chmod -R -N /Volumes/LTRK2" but this gives me a list of every file on that volume, with the error message: "chmod: Filed to clear ACL on file filename: Invalid argument"
  Does anyone have any suggestions on how to solve this issue?
  Kind regards

  Welcome to iMovie Discussions.
  See my 2nd reply to 'getzcreative', here.

• LDAP Change in Upgrade from CRS XI to CRS 2008

  We are in the process of upgrading from Crystal Reports Server XI R1 to Crystal Reports Server 2008 R1.  Both systems are up and operational on separate Windows virtual servers.  The old XI installation was using LDAP authentication from a SUN server.  The new 2008 installation is using LDAP authentication from an IBM Directory Server.
  The question that I have is related to using the Import Wizard.  Since we have different third party LDAP authentication vendors and both are operating correctly right now, can we export all of the users, groups, folders, objects, instances, etc from the XI box to the 2008 box?  I know we have to import everything together in order to preserve security, but will it work with different types of LDAP users?  The LDAP group is different and I wasn't sure if CRS 2008 would recognize the users from the other LDAP group.  I cannot find any documentation on changing LDAP server types for an import.

  Sorry for the confusion, I did not state that question very clearly.  That is exactly what I meant.  There is only one group for LDAP that we are not using for security.  We have Enterprise groups that we have created that we are using for the bulk of our security setup.  I'd like to import the Enterprise groups then assign the new users to imported Enterprise groups.
  Thanks so much for your response.  It was very helpful!

• LDAP changes effect the TLN of user

  hi,
  We have EP7.0 and we have users who use the Portal for there daily tasks.
  Every user has been provided some roles/worksets based on which the TLN looks fir that user.
  Now the problem is there had been some changes done at the LDAP level, so consequently the users are not able to see there assigned roles/worksets in the TLN.
  Can anyone help us as how to work on this.
  Thanks in advance.
  kris

  Hi Kris,
  I do not have documents on my setup but I will explain my setup of our Portal with LDAP.
  1) We have setup SSO between LDAP and Portal, and UME datasource comes from LDAP, thus all Security Groups and users from LDAP will also be available in Portal.
  2) In Portal, LDAP Security Groups are known as "Groups" in UM tab.
  3) We created Portal Roles (ESS, MSS etc) in CA and assign these Roles to the Groups (LDAP Security Groups) via UM
      Example: Portal Role (ESS) is assigned to Group (ESS). Naming convention is very important !!
  4) We assign users in LDAP to the Security Groups (all these are done in LDAP..not Portal). Thus this assignments will result automatically that the have the necessary Portal Roles (due to the relationship created between the Portal Role and the Security Group).
  Thus, all user assignments for Portal access are done via LDAP. In the Portal, you only management the relationship between Portal Roles to that of the Groups (LDAP Security Groups)...meaning minimun or no maintenance for users management in Portal.
  Hope that helps and I hope my remarks above and give you some idea for your situation. I also make sure that the LDAP do not change any activities that relates to Portal without Portal Admin approvals.
  I do welcome more points for helpful suggestions 
  Ray

• LDAP AND ACL

  Can we use the weblogic LDAP realm in any way to access the ACL which are stored in a netscape directory server.

  It's not clear to me. I'm not familiar with how Process Integrator uses the
  security in WLS since
  they have implemented their own security schemes.
  If Process Integrator just uses the LDAP realm provided in WebLogic Server
  without modifications,
  then your custom realm should be able to be used by Process Integrator. If
  it provides its own,
  then it is highly unlikely that it will work.
  Paul Patrick
  "Vibhu " <[email protected]> wrote in message
  news:3a4cbb55$[email protected]..
  >
  Will this custom realm be able to function with process integrator.
  "Paul Patrick" <[email protected]> wrote:
  The current LDAP realm implementation does not support the use retrieval
  of
  ACLs, in any form,
  from an LDAP directory server. You could develop your own LDAP-basedcustom
  realm to
  handle this.
  Paul Patrick
  "Vibhu S" <[email protected]> wrote in message
  news:3a4b980d$[email protected]..
  Can we use the weblogic LDAP realm in any way to access the ACL which
  are
  stored in a netscape directory server.

• How to change funcionality "Maintain Master Data" to RSA1 instead WebDympro (BW 7.4)

  Hello Gurus,
  Someone could help me?
  In SAP BW 7.4 (Support Package 7) the BW master data maintain function moved from SAP GUI into web dynpro screen.
  Can we use it (maintain master data) in SAP GUI RSA1 like SAP BW 7.3?
  Is it a configuration in SPRO?
  Thank you guys.
  PS: It is my first project with SAP BW 7.4

  Hi Gareth,
  I have made the code changes as suggested by you but there is some kind of inconsistency.
  After maintaining master data ,If I go back one step it works fine
  But if I type /nRSA1 or any other tcode on the same screen,it gives a dump.
  Below is the dump.
  Short Text
      The current application has triggered a termination with a short dump.
  What happened?
      The current application program has detected a situation that should
      not occur. A termination with short dump has therefore been triggered
      by the key word MESSAGE (type X).
  What can you do?
      Note down which actions and inputs caused the error.
      To process the problem further, contact you SAP system
      administrator.
      Using Transaction ST22 for ABAP Dump Analysis, you can look
      at and manage termination messages, and you can also
      keep them for a long time.
  Error analysis
      Short text of the error message:
      ControlFrameWork: Maximum number of sessions reached
      Long text of the error message:
      Technical information about the message:
      Message class....... CNDP
      Number.............. 011
      Variable 1..........
      Variable 2..........
      Variable 3..........
      Variable 4.......... " "
  How to correct the error
      Probably the only way to eliminate the error is to correct the program.
      If the error occurs in a non-modfied SAP program, you might be able to
      find a solution in the SAP Notes system. If you have access to the SAP
  Notes system, check there first using the following keywords:
  "MESSAGE_TYPE_X"
  "SAPLOLEA" bzw. LOLEAU02
  "AC_SYSTEM_FLUSH"
  If you cannot solve the problem yourself, please send the following
  information to SAP:
  1. This description of the problem (short dump)
  To do this, choose  System -> List -> Save -> Local File (unconverted)
  on the screen you are in now.
  2. A suitable system log
  To do this, call the system log in transaction SM21. Restrict the time
  interval to ten minutes before the short dump and five minutes after
  it. In the display, choose System -> List -> Save -> Local File
  (unconverted).
  3. If these are programs of your own, or modified SAP programs: Source
  code of these programs
  To do this, choose  More Utilities -> Upload/Download -> Download in
  the Editor.
  4. Details regarding the conditions under which the error occurred or
  which actions and input caused the error.
  System environment
  SAP Release..... 740
  SAP Basis level 0009
  Application server... saps009
  Network address...... 137.33.22.24
  Operating system... Windows NT
  Release.............. 6.0
  Hardware type....... 4x AMD64 Level
  Character length..... 16 Bits
  Pointer length........ 64 Bits
  Work process number... 11
  Shortdump setting. full
  Database server... SAPS009
  Database type..... MSSQL
  Database name..... BID
  Database user ID bid
      Terminal.......... GDNL2180
      Character set C
      SAP kernel....... 742
      Created on....... Jan 30 2015 22:06:39
      Created at....... NT 6.1 7601 x86 MS VC++ 16.00
      Database version SQL_Server_9.00
      Patch level....... 37
      Patch text.......
      Database............. MSSQL 9.00.2047 or higher
      SAP database version. 742
      Operating system... Windows NT 6.0, Windows NT 6.1, Windows NT 6.2, Windows NT
       6.3
      Memory consumption
      Roll.... 0
      EM...... 45930944
      Heap.... 0
      Page.... 40960
      MM used. 29493280
      MM free. 16431408
  User and Transaction
      Client................. 100
      User.................. GDNJAINI
      Language key.......... E
      Transaction......... RSA1
      Transaction ID...... EECAFAE4F51BF1F6B2DD005056950066
      EPP whole context ID...... 0050569500661EE4BED95AD6937632DD
      EPP connection ID........ DFCAFAE4BC6CF115B2DD005056950066
      EPP call counter......... 1
      Program.............. SAPLOLEA
      Screen.............. SAPLRSAWBN_MAIN                         1000
      Screen line.......... 0
      Active debugger..... "none"
  RFC Caller Information
  Information on caller of Remote Function Call (RFC):
  System.............. BID
  Installation number 0020244352
  Database Release..... 740
  Kernel Release...... 742
  Connection type..... 3  (2=R/2, 3=ABAP-System, E=External,
  R=Reg.External) call type....... synchronous and non-transactional (emode 0,
  imode 0)
  Inbound TID..........
  Inbound queue name...
  Outbound TID.........
  Outbound queue name..
  Client................. 100
  User.................. GDNJAINI
  Transaction......... RSA1
  Call program...........CL_RSDMD_RSAWBN_TOOL==========CP
  Function module..... RSNDI_MD_ATTR_TEXTS_MAINTAIN
  Call destination..... NONE
  Source server...... saps009_BID_00
  Source IP address.. 137.33.22.24
  Additional information on RFC logon:
  Trusted relationship..
  Logon return code.... 0
  Trusted return code.. 0
  Remarks:
  In Releases prior to 4.0, information about the RFC caller might be
  missing or incomplete.
  - The installation number is provided in caller Release 700 and higher.
  rmation on where terminated
  The termination occurred in ABAP program "SAPLOLEA", in "AC_SYSTEM_FLUSH". The
  main program
  was "RSAWBN_START".
  In the source code, the termination point is in line 38 of (Include)
  program "LOLEAU02".
  Line  SourceCde
      8 *"      CNTL_ERROR
      9 *"----------------------------------------------------------------------
     10   data: sysubrc like sy-subrc.
     11
     12   CALL FUNCTION 'AC_FLUSH_CALL'
     13        EXPORTING
     14             SYSTEM_FLUSH = 'X'
     15             CALLED_BY_SYSTEM = CALLED_BY_SYSTEM
     16        IMPORTING
     17             MESSAGE_NR   = sysubrc
     18             MESSAGE_TEXT = SY-MSGLI.
     19
     20   sy-subrc = sysubrc.
     21
     22   CASE SY-SUBRC.
     23     WHEN 0.
     24     WHEN 1.
     25 *     system_error
     26       MESSAGE ID 'CNDP' TYPE 'X' NUMBER 007 RAISING CNTL_SYSTEM_ERROR.
     27     WHEN 2.
     28 *     method_call_error
     29       MESSAGE ID 'CNDP' TYPE 'X' NUMBER 006 RAISING CNTL_ERROR.
     30     WHEN 3.
     31 *     property_set_error
     32       MESSAGE ID 'CNDP' TYPE 'X' NUMBER 006 RAISING CNTL_ERROR.
     33     WHEN 4.
     34 *     property_get_error
     35       MESSAGE ID 'CNDP' TYPE 'X' NUMBER 006 RAISING CNTL_ERROR.
     36     WHEN 8.
     37 *     maximal number of modi reached
  >>>>>       MESSAGE ID 'CNDP' TYPE 'X' NUMBER 011 RAISING CNTL_SYSTEM_ERROR.
     39     WHEN OTHERS.
     40       RAISE CNTL_ERROR.
     41   ENDCASE.
     42
     43 ENDFUNCTION.
  Thanks

• SAP security - changing check maintain setting for security objects

  I am trying to change the check maintain indicator for a couple of transactions
  to alow me to manage access based on security objects that are not currently defined as check maintain.  Specifically, I have updated the check indicator
  (using SU24) to check maintain for object c_stue_ber on transactions MD11 and MD12 (planned order create/change).  The transactions still do not check this object as expected.  Does anything else need to be done to enable checking an
  object that is not set up as check maintain originally?
  Any help is appreciated.
  Thanks,
  Doug Scott

  Hello Kerstin,
  I also wrote a message to SAP and got the following response.  Looks like there are no security checks for this object in these transactions.
  Regards,
  Doug
  Response from SAP
  03.04.2007 - 12:48:38 CET    SAP    Reply 
  Dear Doug,
  An authority check on C_STUE_BER is not possible for the transactions
  CO02, CO03, MD11, MD12, CO26, CO27, CO28, COOIS, COHV, CO05, CO05N,
  CO04N, COMAC or CO46.
  In CO01 we check if the user has the authority to resolve the BOM
  (C_STUE_BER). After resolving the BOM we don't check any longer with
  C_STUE_BER since we don't work with the BOM but with a component list
  in the order (which is actually a copy or the BOM).
  For this component list there is no authority check.
  The component list is visible in CO02, CO03, CO26, CO27, CO28, COOIS,
  COHV, CO05N, CO04N, COMAC, CO46.
  For production orders we use authority C_AFKO_AWA. With this
  authority you can limit the access to CO02, CO03 and the change of
  production orders by other transactions.
  But please note that there are still transactions
  that will display the orders and its components without authority
  checks. For example infosystem transactions (COOIS, COHV, CO26, CO27,
  ...) and other processing transactions (COGI, ...). For those
  transactions you would have to limit access.
  For the creation of planned orders MD11, the authority check C_STUE_BER
  is not used. Here you can use M_MTDI_ORG to check on a MRP controller.
  So you should enter the same MRP controller in the material master
  of the troublesome products and only this MRP controller will be able
  to create a planned order for this material.
  I am sorry not to be able to offer you any better solution for this
  problem.
  Kind Regards
  Eoin Donnelly
  SAP Support Consultant (SCM)
  SAP GSC Ireland

• LDAP Realm & ACLs

  i'm using WL510sp8 with a Netscape Dir Server...
  when i start weblogic with the LDAP Realm configured it takes forever (20+ minutes) to start up because weblogic goes to the realm and ldap to check other acls in weblogic.properties like "everyone" and "system"...
  how can i get around having these other acls checked in the ldap server??? subclass LDAPRealm and stop it manually? delegating realm with both ldap and wlproperties???
  thanks
  mal

  "Mike Westaway" <[email protected]> wrote in message
  news:[email protected]..
  >
  My weblogic web application is configured to authenticate against a groupin an ldap
  realm using basic authentication.
  This all works just fine.
  But now I want to query the LDAP server in the context of the current userto find
  out what directory entries I have read/write acecss to.
  I don't believe there is any method in the LDAP realm that would allow you
  to do your own
  queries against the LDAP server.

• Dynamically changing ACLs

  Hi!
  I've got a question concerning the IPS module.
  How is it possible for the IPS to dynamically change any of the existing ACLs on the firewall module in case of an attack e.g.?
  The reason i ask is, because there seems no possibilty for me to script any commands on a linux pc and then execute them remotely on the FWSM like i can do it on a Router via rsh.
  So if a user can't execute any command remotely on the FWSM, how can the IPS do it when it has to change an ACL on the FWSM?
  Thanks.

  An IPS sensor will log into a FWSM and put in and take down host blocks when it shuns a host. If you set the IPS to telnet for it's connection to the FWSM, you can capture the session (Ethereal has a wonderful "follow TCP session" for seeing this) and see the exact commands and logic employed. There is no reason you can not script a telnet or ssh session from your linux host to change host blocks. However, if you have more than one device doing this, you can get into some problems. The IPS sensor assumes it is the only blocking device and will clear all blocks that it didn't create.

• LDAP Change Monitoring Tools

  I'm trying to capture what all changes are happening to a SSO Config/Policy Data Store. The requirement is not only knowing the changes but would need to know what exact value changed.
  If any changes are made to LDAP Objects, I would like to know
  1) What LDAP Object changed
  2) What was the value prior to change
  3) What is the new value to the object
  Does any one know if I can achieve this with any 3rd party tool ? Any suggestions/recommendations will be appreciated.
  Thanks

  Hi,
  The only way that I can think about it is using the retro changelog plug-in. Many applications that need to know what changes are done in the directory use the changelog. Another alternative is some kind of script that will gather that information from the audit log. This log (if it's enable) track all changes done to the directory.
  In any case, the only part that I don't think you will be able to get with any of this method is what was the value prior the change.
  Last option could be to write your own plug-in, but that very complex and may not be easy, especially if you are trying to capture the value prior the change.
  Rgds,
  Federico

• Beat Mapping/Changing Tempo & Maintaining Automation Timing

  If you've ever changed the tempo in a song (beat mapping or other kind of re-clocking), you probably know that it's extremely important to SMPTE-lock your regions before attemping those operation (this way you can adjust the tempo/metronome to conform to real-time performaces not done to a click, etc. etc. etc. without affecting/changing the relative positions of regions/notes/events).
  The problem with these kinds of operations is that changing the tempo after automation has been written totally screws up the timing of the automation moves, because the spacing between individual automation events will move according to the changes you make to the tempo.
  So... the solution I've come up with is to not only lock regions prior to beat mapping/reclocking, but to also lock the automation data. This is accomplished in the automation arrange page (details below). Once you're done with your beat mapping/reclocking/tempo changing, re-open the automation arrange page and un-lock the automation regions.
  So far this seems to work like a charm. Here's how you do it:
  Assign a key command to open the automation event editor (on any track that contains automation). Hit CMD-1 to open the automation arrange window, CMD-A, and then SMPTE-lock. (having SMPTE-lock on a key command is very handy).
  To unlock the automation data, follow the same procedure, except this time CMD-A and un-SMPTE-lock the regions (also handy to have on a key command).

  Nice tip, Los Schwartzos!

• SG300, FW 1.2.7.76, "Entry already exists" when changing ACL's

  Hello,
  I am getting very frustrated trying to modify/create ACL's on my SG300-20 switch.
  I have the switch in L3 mode. I have created several VLAN's and ACL's for each VLAN controlling their access to each other. After the initial setup, I have started trying to create more VLAN ACL rules to allow more access between the VLAN's. The problem I keep running in to is that when I go to modify the ACE's in the ACL, I keep getting the error message "Entry already exists". For example, I go to modify the port ranges to tighten them up, and try to save the ACE after modifying it, and I get that error message.
  I have gotten frustrated and deleted ACE's, and then tried recreating them, and I get the same error message! I noticed that if I wait long enough (many minutes, hours?) I can go in and create the ACE again. The ACE definitely doesn't exist but the web interface won't let me create it. I've even tried using a completely different Priority value which isn't used in any of the ACL's, that didn't work either.
  Why is this happening? At this point I am finding it next to impossible to configure this thing. Frustrating...

  Here is a screenshot of one of my ACL's. This ACL is being applied to every port which is in the VLAN with the IP range 10.0.0.0/24
  http://imgur.com/C6iQk
  I just tried to add a new rule which failed with the same error:
  Priority 89
  Action: Permit
  Source IP Address: 10.0.0.21
  Source IP Mask: 0.0.0.0
  Destination IP Address: 10.1.0.0
  Destination IP Mask: 0.0.0.255
  Source Port Range: 8080
  Destination Port Range: 49152-65535
  So I am trying to allow anything from the 10.1.0.0/24 network to talk to port 8080 on 10.0.0.21. This failed with the "Entry already exists" error.

• Cisco Unity Connection ViewMail Password manual reset after LDAP change

  Unity Connection 8.5.1, Viewmail 8.5.4 and Exchange 2010 with 2008 AD
  We are migrating to Unity Connection from Unity 7.0.2 and have discovered that when we change our passwords in AD (scheduled every 40 days) this does not get synchronized with viewmail.  Users then receive an error indicating the user ID or password is incorrect and then call the helpdesk to find out where to change this setting.  Has anyone found a way around this.  It is becomking a huge issue with 1200+ employees. 
  Hopefully it is on a roadmap for cisco as well?
  Thanks
  Liz

  'its really a different user experience' you are telling me!!!
  I like the other features that 8.5 brings but the outlook viewmail single sign on design fault is a big mistake. It even effects cupc client as you have to  update the voicemail password in their...
  I did read all the documentation carefully, it doesnt mention that the passwords do no sync. From a end user point of view, this is a disator. 95% of our users manage the voicemail through outlook, if the password doesnt update in viewmail then they can not retrieve their voicemail.
  anyway, i ve spent alot of time and money building the new connection server, but i have no option but to stick to our unity 5 solution. Luckily i noticed this before i changed/migrated people groupwide.
  Thanks a million Cisco, I now have to explain this to our IT director....