LDAP - Filter on groups (iPlanet)

We connected Weblogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
Now we want to filter on the users being in one group (we are not interested in all users).
With an ActiveDirectory LDAP Provider you can set at the All Users filter & User From Name filter:
(&(sAMAccountName =*)(memberOf= CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
With this filter in place, only users that are members of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to log in.
Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
The structure of this system is:
GROUPS
  GRP OBIEE
    uniqueMember: MVL
    uniqueMember: DFG
USERS
  uniqueMember: MVL
The relation between users and groups is stored on group level.
Does anyone know if this is possible and what the structure of the filter is?
Thanks in advance.
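
The two layouts the question contrasts can be handled with the following added example (it is not code from the thread or from WebLogic; the DNs, the attribute names and the in-memory directory are constructed assumptions). It builds the AD-style filter, which tests memberOf on the user entry, and the iPlanet/Sun DS-style query, which asks the Groups subtree for groupOfUniqueNames entries whose uniqueMember names the user, and it escapes every externally supplied value per RFC 4515 before it is spliced into a filter. The small in-memory lookup emulates what the directory server does with the second filter, so the two-step login check can be exercised offline.

```python
# Added example: group-membership filters for AD (memberOf on the user) and for
# iPlanet/Sun DS (uniqueMember on the group), with RFC 4515 value escaping.
# All DNs and the SAMPLE_DIRECTORY below are constructed, not taken from a real server.
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    Only '*', '(', ')', '\\' and NUL need escaping; any other byte may be passed
    through (servers also accept over-escaped forms such as \\3d for '=')."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ad_group_login_filter(group_dn: str) -> str:
    """'All Users Filter' for an AD provider: persons whose memberOf lists group_dn."""
    return "(&(sAMAccountName=*)(memberOf=%s)(objectclass=person))" % escape_filter_value(group_dn)


def iplanet_groups_of_user_filter(user_dn: str) -> str:
    """iPlanet stores membership on the group entry, so search the Groups subtree for
    groupOfUniqueNames entries whose uniqueMember contains the user's DN."""
    return "(&(objectclass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(user_dn)


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparison (lower-case, no blanks around commas).
    Real servers apply DN matching rules; this is only enough for the example."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample directory mirroring the layout in the question.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=OBIEE,ou=Groups,dc=company,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["uid=MVL,ou=People,dc=company,dc=com",
                         "uid=DFG, ou=People, dc=company, dc=com"],  # spacing differs on purpose
    },
    "uid=MVL,ou=People,dc=company,dc=com": {"objectclass": ["person"], "uid": ["MVL"]},
    "uid=DFG,ou=People,dc=company,dc=com": {"objectclass": ["person"], "uid": ["DFG"]},
    "uid=XYZ,ou=People,dc=company,dc=com": {"objectclass": ["person"], "uid": ["XYZ"]},
}


def groups_of_user(directory: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[str]:
    """What the server returns for iplanet_groups_of_user_filter(): DNs of the
    groupOfUniqueNames entries whose uniqueMember contains user_dn."""
    wanted = normalize_dn(user_dn)
    hits = []
    for dn, attrs in directory.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        members = {normalize_dn(m) for m in attrs.get("uniqueMember", [])}
        if "groupofuniquenames" in classes and wanted in members:
            hits.append(dn)
    return hits


def may_login(directory: Dict[str, Dict[str, List[str]]], user_dn: str, required_group_dn: str) -> bool:
    """Two-step check for the iPlanet layout: the user entry must exist, and the
    required group must be among the groups that list the user."""
    if user_dn not in directory:
        return False
    found = {normalize_dn(g) for g in groups_of_user(directory, user_dn)}
    return normalize_dn(required_group_dn) in found


if __name__ == "__main__":
    print(ad_group_login_filter("CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com"))
    print(iplanet_groups_of_user_filter("uid=MVL,ou=People,dc=company,dc=com"))
    # A login name that tries to rewrite the filter is rendered harmless by escaping.
    print(iplanet_groups_of_user_filter("uid=*)(uid=*"))
    for uid in ("MVL", "DFG", "XYZ"):
        dn = "uid=%s,ou=People,dc=company,dc=com" % uid
        print(uid, may_login(SAMPLE_DIRECTORY, dn, "cn=OBIEE,ou=Groups,dc=company,dc=com"))
```

Escaping matters because the login name comes straight from the login form; a name such as `*)(uid=*` would otherwise change the meaning of the filter. Note also that a memberOf test of the AD kind does not see a user's primary group (the primaryGroupID behaviour the UCM thread further down refers to), so that group cannot be required this way.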

Have you already found a work around?
Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
(&(objectclass=customAccount)(!(objectclass=customSA*)))
Good luck!

Similar Messages

  • Q: UCM Ldap filter not finding groups

    Hi There,
    I am setting up UCM and am having problems with group(roles) being set by the ldap provider.
    The user authorizes, but the LDAP search returns no groups.
    LDAP mapping of roles gives the following error every time...
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loaded extended info for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loading Attributes for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 UseFullGroupName false
    userstorage 09.03 10:06:59.807 IdcServerThread-34 UseGroupFilter true
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups containing user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Using search filter (&(objectclass=group)(member=CN\3ducm_user\2cOU\3dcityr\2cOU\3dUsers-Active\2cDC\3dabc\2cDC\3dcom))
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups based at DN ou=Users-Active,dc=abc,dc=com
    userstorage 09.03 10:06:59.904 IdcServerThread-34 No groups found for user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Adding default network account '#none" to CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Attributes loaded
    userstorage 09.03 10:06:59.905 IdcServerThread-34 LdapProvider.checkCredentials() finished in 0.182 seconds.
    Using a freeware LDAP GUI (ldapadmin.exe), I can run the query just fine, and the groups are found.
    Has anyone seen this before?
    Thanks

    Please see the attached link under primaryGroupID, which states that the
    Domain Users group is not part of the memberOf attribute.
    http://msdn.microsoft.com/en-us/library/ms677943.aspx
    That explains why the mapping fails for any Domain Users as seen in the debugs

  • Filter based group - viewing contents

    Hi,
    I'm trying to figure out how to see if a filter defined group on a Sun One 5.2 Directory server is getting the objects required.
    The filter group was defined by someone else. I've got several LDAP search tools available to me, but can't get results that I expect.
    The group is defined as:
    objectClass: top
    objectClass: groupofuniquenames
    objectClass: groupofurls
    memberURL: ldap:///ou=People,dc=app,dc=sample,dc=com??sub?(&(objectclass=person)(uid=*)(ntuserdomaindi=*sample*))
    cn=Employees
    The group is defined in the tree as:
    cn=Employees,ou=Groups,dc=app,dc=sample,dc=com
    My expectation, using ldp, ldapsearch, or Softerra's LDAP Browser, is that when I attempt to open the tree looking at the 'Employees' group, I would see a list of the objects that the filter selected. I don't see anything.
    Am I looking at this in the WRONG way, or is my query not working?
    TIA, Scott

    That's correct, senderbase reputation filtering occurs very early on. At the IP/TCP level of a connection. To get more info on this, check out the user guide on HAT Overview.
    Since senderbase reputation filtering occurs early on, even before the mail-from/rcpt-to/subject information are obtained, it is too late to enforce LDAP settings.
    However, what you can do with ldap is verify if the sender or recipient are a member of a certain group and then disable anti-spam/anti-virus/content filtering from their email. You would use ldap-from-group in conjunction with incoming or outgoing mail policies.
    To make an email immune from senderbase reputation filtering, you would need to know the IP/hostname/partial hostname of where their message is coming from and add that info to the whitelist sendergroup in the HAT overview.
    Is it possible to completely disable the reputation filter based on whether the recipient is in a certain LDAP group?
    I'm currently thinking no as LDAP groups are assigned a message filter and by this point in the pipeline the reputation filter has already been applied.
    Perhaps someone more experienced can confirm/disprove this for me?

  • VSOM 7.0.1 LDAP Filter AD

    Hello!
    LDAP server settings are as follows: 
    Name: SFC.LOCAL
    Host Name: 192.168.104.252
    port: 389
    Member of: %USERID%@sfc.local
    Database search for users: OU=Accounts,DC=sfc,DC=local
    User ID attribute: sAMAccountName
    How do I create a filter selecting users from a specific location in the AD hierarchy?
    The users are at the path:
    OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local
    try like this: 
    search path: OU=Accounts,DC=sfc,DC=local
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Runtime Error: The user with the given name is not found in the LDAP filter by (&(sAMAccountName=drozdov.alexander)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Could the filter configuration be inaccurate?

    Hello Alex,
    Here is an example of an LDAP search filter configuration. Let me know if this helps.
    •General Settings
    Hostname: ds.cisco.com
    Port: 389
    Principal: %USERID%@cisco.com
    User Search Base: ou=Cisco Users,dc=cisco,dc=com
    Userid Attribute: sAMAccountName
    •LDAP Search Filter:
    Select a Cisco mailing list you are on from mailer.cisco.com, and substitute its name for <anyMailer> in the Filter below
    Search Path: ou=Cisco Users,dc=cisco,dc=com
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=<anyMailer>,OU=Mailer,OU=Cisco Groups,DC=cisco,DC=com))
    Br,
    Nadeem Ahmed

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open Identity server console and check the attribute's Display Name and type in Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • LDAP Users and Groups

    Hi,
    I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:
    com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.
    It seems that this needs to be set up. How do I do this?
    Some general notes on LDAP:
    I think that in a production environment it is of great value to manage users and groups in an LDAP directory. For instance we have a company directory which contains all users. It seems that users from LDAP cannot be added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
    As in previous WebLogic releases the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually managing LDAP users and groups in one place would be a tremendous improvement for us.
    Another thing on my wishlist is examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out of the box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.
    It would be interesting to read what Bea and other developers think about this.
    Kind regards,
    Kai

    Marcus,
    Yes, I am using 9.2 TP.
    We are already using LDAP for user management with 8.1.
    Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
    java.lang.NullPointerException
    at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
    at util.tree.TreeController.constructTree(TreeController.java:142)
    at util.tree.TreeController.buildTree(TreeController.java:422)
    at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
    at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
    at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
    at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
    at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
    at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
    at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
    at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
    at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
    at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
    at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

  • I set in preferences plug-ins. Show all filter gallery groups and names, but they are still light gray and not selectable

    I set in preferences plug-ins. Show all filter gallery groups and names, but they are still light gray and not selectable

    They are being shown. When Photoshop grays out items it means that in the document's current state that item is not supported. Get the document into a state in which the grayed-out filters can be used. Some filters may not support some modes like CMYK, 32-bit color, Lab etc. They seem to be listed but are not currently applicable. Note that when no document is open all are grayed out, while when a simple clipboard image is open all are available.

  • LDAP user and group configuration in ADF application

    Hi All,
    I have to use LDAP users and groups in my ADF application. I have configured LDAP on the WLS server successfully and can see all users/groups under the tab "Users and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of the groups. Created an Application role in jazn-data.xml and assigned it the Enterprise Role.
    However, I have not added any user in jazn-data.xml, which I guess is not required because they will be picked up from LDAP.
    Now how do I configure JDeveloper to use those users? What changes need to be made in jazn-data.xml? Or in jps-config.xml / web.xml / weblogic-application.xml?
    Am I missing any configuration step? I have referred to "ADF Security set up - step by step tutorial - quick question" but did not find it useful.
    I am using JDeveloper 11.1.1.5.
    Thanking you all in advance.
    Mukesh.

    I have below changes in files
    1] In jps-config.xml
    -- Added identity store and selected it from drop down in Security Context tab.
    2] In weblogic-application.xml
    In Security tab --> Role assignment mapped valid-users to principle name.
    <security>
    <realm-name>myrealm</realm-name>
    <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>DERDev</principal-name>
    </security-role-assignment>
    </security>
    3] Same thing done in weblogic.xml. I do not know the difference between the weblogic-application.xml and weblogic.xml configuration and which will work.
    4] Added security role "DERDev" along with the default/automatically added role "valid users"
    <security-role>
    <role-name>DERDev</role-name>
    </security-role>
    Still no luck... What am I missing again? I referred to many links but found not a single document mentioning all steps.
    Mukesh

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do smth else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First ... If your requirement is to give access to all the members of a particular group, then you don't require any LDAP filters.
    All you have to do is, in the authorization rule -> Allow access -> Select People (here you have to select a group, so click on the group tab; it's a little hard to see but it's there in light blue color on a dark blue tab) -> select the group you want to give access to.
    Second.. If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If the option is the second, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • SUN One LDAP Retrieving Dynamic group

    Hi, I would like to know how I can retrieve the groups a user belongs to, if the groups are of the dynamic type.
    Can I use the attribute memberOf?
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // JNDI environment: the JDK's LDAP provider and a placeholder server URL
    // (add SECURITY_PRINCIPAL/SECURITY_CREDENTIALS if an anonymous bind is not allowed)
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://LDAP_HOST:389");
    // Create the initial directory context
    LdapContext ctx = new InitialLdapContext(env, null);
    // Create the search controls
    SearchControls searchCtls = new SearchControls();
    // Specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Specify the LDAP search filter
    String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
    // Specify the base for the search
    String searchBase = "DC=antipodes,DC=com";
    // Initialize counter to total the group members
    int totalResults = 0;
    // Specify the attributes to return
    String returnedAtts[] = {"memberOf"};
    searchCtls.setReturningAttributes(returnedAtts);
    // Search for objects using the filter
    NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);

    Hello Vinay,
    When configuring multiple LDAP directories, there are a number of prerequisites that you need to consider.
    For example, one prerequisite for multiple domains is that logon IDs must be unique across multiple LDAP data sources. This will cause issues if duplicate IDs exist.
    Please see the following Documentation and notes for more information on this.
    Examples of Data Source Configuration Files - Identity Management - SAP Library
    Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
    1618342 - Multiple LDAP Datasources - Active Directories where logon IDs are not unique
    762419 - Multi-Domain Logon Using Microsoft Active Directory
    Please have a look at the above notes, which document this and also tell you what to do in these situations.
    Regards,
    David

  • LDAP Filter to exclude a sub OU?

    I have a need to exclude a sub OU from a search base.  CUCM is LDAP integrated to Active Directory.  The directory search base is basically OU=Users, DC=company,DC=local.  There are a couple of OUs located under the Users container (OU=service, OU=special).  A third party manages this company's AD and is not willing to make any changes to the structure.  Does anyone have a suggestion for a filter that will work to filter out the users in OU=special?  I have tried several things, but the ones I thought would work are:
    1. (&(objectClass=user)(!(OU=special)))  have tried this with the full search base as well
    2. (!(&(objectClass=user)(OU=special)))
    Any help would be appreciated.

    Hi gpword,
    I don't think you can exclude a sub OU, at least I could never get it working.
    A few options you can use.
    1. Add all the users in the "Special" OU to a group and then exclude that group - I use this option and it works
    (&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=cn=GrouptoExclude,ou=XXXX,ou=XXXXX,DC=domain,DC=local)))
    2. As above you could utilise the ipPhone field and only sync users who have this set or only sync users who are a member of a particular group below
    (&(ipPhone=*)(objectclass=user)(memberOf=cn=USERStoSYNC,ou=XXXX,ou=XXXX,DC=domain,DC=local)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    The above examples also exclude disabled accounts and computer objects and include only users with the ipPhone field set.
    Thanks,
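An added example, not code from this thread or from CUCM: an LDAP filter tests the attributes of each entry, and "OU=special" is a component of the DN rather than an attribute of the user entries below it, so (!(OU=special)) does not exclude anything. The exclusion has to come from something the entries carry (the memberOf approach in the reply above) or be applied by the client after the search. The Python below does the latter on constructed search results, including the disabled-account test that the 1.2.840.113556.1.4.803 bitwise rule performs server-side; every DN, attribute value and the SAMPLE_RESULTS list is made up for the example.

```python
# Constructed search results (dn, attributes) standing in for what a
# (&(objectclass=user)...) query against the AD search base would return.
SAMPLE_RESULTS = [
    ("CN=Alice,OU=Users,DC=company,DC=local",
     {"objectClass": ["user"], "userAccountControl": ["512"], "ipPhone": ["1001"]}),
    ("CN=Bob,OU=special,OU=Users,DC=company,DC=local",
     {"objectClass": ["user"], "userAccountControl": ["512"], "ipPhone": ["1002"]}),
    ("CN=Carol,OU=service,OU=Users,DC=company,DC=local",
     {"objectClass": ["user"], "userAccountControl": ["514"], "ipPhone": ["1003"]}),
    ("CN=Dave,OU=Users,DC=company,DC=local",
     {"objectClass": ["user"], "userAccountControl": ["512"]}),
    ("CN=Smith\\, John,OU=Users,DC=company,DC=local",
     {"objectClass": ["user"], "userAccountControl": ["512"], "ipPhone": ["1005"]}),
    ("CN=PC01,OU=Users,DC=company,DC=local",
     {"objectClass": ["user", "computer"], "userAccountControl": ["4096"], "ipPhone": ["0"]}),
]

ACCOUNTDISABLE = 0x2  # the bit that (UserAccountControl:1.2.840.113556.1.4.803:=2) tests


def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash-escaped commas inside a value."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both chars
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def dn_under(dn, container):
    """True if dn lies below container (RDNs compared case-insensitively)."""
    d = [r.lower() for r in split_dn(dn)]
    c = [r.lower() for r in split_dn(container)]
    return len(d) > len(c) and d[-len(c):] == c


def is_disabled(attrs):
    """Same test as the bitwise-AND matching rule in the filter, done client-side."""
    return int(attrs.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE != 0


def users_to_sync(results, excluded_ou):
    """Keep enabled, non-computer user entries that have an ipPhone value and do not
    sit under excluded_ou; the OU test is the part a server-side filter cannot express."""
    kept = []
    for dn, attrs in results:
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        if "computer" in classes or is_disabled(attrs) or not attrs.get("ipPhone"):
            continue
        if dn_under(dn, excluded_ou):
            continue
        kept.append(dn)
    return kept
```

Run against the sample, users_to_sync keeps Alice and "Smith, John" (the escaped comma in that RDN is why split_dn does not simply split on commas) and drops Bob (under OU=special), Carol (bit 2 set in userAccountControl), Dave (no ipPhone) and PC01 (computer object).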

  • Identity Service LDAP with dynamic grouping

    Hi all,
    We are developing an enterprise application with oc4j and bpel.
    First we managed to handle user management with XML based JAZN tool.
    After that, we managed to connect the identity service with the iPlanet LDAP server and get users and roles (with static groups defined).
    But our client wanted static and dynamic groups together in their LDAP server, because of the complexity of their current user base.
    When we try this, we cannot get the roles that are assigned with dynamic groups. But we can get the roles that are statically defined.
    We check the roles from the worklist application (integration/worklistapp... thing..) and we see the static groups but cannot see the dynamic ones.
    There is a section in is_config.xml like:
    <roleControls>
    <property name="nameattribute" value="cn"/>
    <property name="objectclass" value="groupOfUniqueNames"/>
    <property name="membershipsearchscope" value="onelevel"/>
    <property name="memberattribute" value="uniquemember"/>
    <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
    </roleControls>
    I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
    Hope somebody has already done that..

    I found a solution here:
    http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
    I am currently using weblogic's defaultAuthentication to test BPM 11g.
    I do not know if this approach works in production environment.

  • LDAP- large dynamic groups - performance

    A dynamic group is to a static group what a view is to a table.
    A group is to its members what a table or view is to its records.
    When a dynamic group has a very large number of members, are there any performance problems, or can they be eliminated by some indexing means?

    Just an FYI ...
    I found out from iPlanet that this is a bug in SP3 and will be fixed in SP4.
    In the meantime, you can call tech support and get a patch.
    Matt
    "Matt Raible" <[email protected]> wrote in message
    news:9nldgs$[email protected]..
    I discovered today that the dynamic group does not seem to work for form-based authentication with iPlanet App Server. I have a group, Employees, in my LDAP server, and it has a dynamic group configured as ldap:///o=douglas.co.us??sub?dcRoles=ttEmployee, where each user has a custom attribute, dcRoles. I can test this dynamic group and expected users are found.
    However, I cannot authenticate with a user in this group when "Employees" is my configured role to authenticate with.
    If I open the group Employees in my LDAP Server, and under the Members, Static Group tab - I add a user, I can authenticate with them.
    I also tried adding "ttEmployee" as well as "Employee" to my deployment descriptors - but no luck. The method of adding a user (above) is the only way I found to work.
    Can someone shed some light on this?
    Thanks,
    Matt

  • LDAP members of groups

    Hello. I am using iPlanet Directory Service. I have set up my LDAP schema like:
    dc = edu
    dc = test
    ou = state
    ou = city
    cn = university
    cn = students
    cn = volunteers
    The actual student names are defined at state level, so the dn for student1 would be:
    uid=student1,ou=state,dc=test,dc=edu
    I can get all the attributes for student1, but if I want to see what groups student1 is part of, what do I need to do? In the example above, student1 happens to be part of the subgroup student and the subgroup volunteer. This is what I have so far, and it never goes into the while loop.
    // Find the group entries that list student1 as a uniquemember. Note that
    // the search(String, Attributes) overload uses the default SearchControls,
    // i.e. ONELEVEL scope: it only looks directly below the given base, so
    // groups nested deeper need the filter/SearchControls form with SUBTREE_SCOPE.
    Attributes at = new BasicAttributes(true);
    at.put(new BasicAttribute("uniquemember",
    "uid=student1,ou=state,dc=test,dc=edu"));
    NamingEnumeration<SearchResult> ne = ctx.search("dc=test,dc=edu", at);
    while (ne.hasMore()) {
    SearchResult sr = ne.next();
    String groupName = sr.getName();
    System.out.println("GroupName: " + groupName);
    }

    Hi
    This is Eliyas here. Can you please help me out with the following, for SunOne Directory Server:
    1) To connect and authenticate with SunOne Directory Server using simple as realm, using JNDI
    2) After authentication, I would like to have the groups that the user is a member of (group membership)
    Any code snippet would be a great help to me.
    Thanks,
    Eliyas
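As an added example (not code from any of these posts, nor from the iPlanet/Sun or WebLogic products), here is the lookup the threads above keep asking for, modelled in Python against a small constructed in-memory directory: static groups that hold membership on the group entry in uniqueMember, as in the opening question and the "LDAP members of groups" post just above, and a dynamic group whose memberURL is a search URL of the same shape as the one in Matt's Employees group. The DIRECTORY dictionary, every DN and every attribute value are made up; the filter evaluator handles only the syntax that appears in these threads (equality, presence, '*' substrings and the &, | and ! operators). It also shows why a DN or any user-supplied value has to be RFC 4515-escaped before it is spliced into a filter string.

```python
import re

# Constructed sample directory (not a real deployment): dn -> attribute -> values.
DIRECTORY = {
    "uid=mvl,ou=users,dc=company,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["MVL"], "dcroles": ["ttEmployee"]},
    "uid=dfg,ou=users,dc=company,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["DFG"], "dcroles": ["ttEmployee"]},
    # static group: membership is stored on the group entry (iPlanet/Sun style)
    "cn=obiee,ou=groups,dc=company,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["OBIEE"],
        "uniquemember": ["uid=mvl,ou=users,dc=company,dc=com",
                         "uid=dfg,ou=users,dc=company,dc=com"]},
    # dynamic group: membership is a search URL evaluated when the group is read
    "cn=employees,ou=groups,dc=company,dc=com": {
        "objectclass": ["groupOfURLs"], "cn": ["Employees"],
        "memberurl": ["ldap:///ou=users,dc=company,dc=com??sub?dcRoles=ttEmployee"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; without it a
    user-supplied '*' or ')' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Recursive-descent parser for the filter subset used in these threads:
    (attr=value), (attr=*), '*' substrings, and the &, | and ! operators."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr.strip().lower(), value), end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result
    return node()

def _value_matches(pattern, value):
    """'*' is a wildcard; \\xx escapes become literal characters before matching."""
    if pattern == "*":
        return True
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(entry, tree):
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(entry, k) for k in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, pattern = tree
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]   # "one": direct children only

def search(base, scope, filter_text):
    tree = parse_filter(filter_text)
    return sorted(dn for dn, e in DIRECTORY.items() if in_scope(dn, base, scope) and matches(e, tree))

def parse_ldap_url(url):
    """Split 'ldap://host/base?attrs?scope?filter' (RFC 4516) into base, scope and
    filter; a filter written without parentheses, as in the memberURL above, is wrapped."""
    path = re.fullmatch(r"ldaps?://[^/]*/(.*)", url).group(1)
    base, _, rest = path.partition("?")
    _attrs, scope, flt = (rest.split("?") + ["", ""])[:3]
    flt = flt or "(objectClass=*)"
    return base, scope or "base", flt if flt.startswith("(") else "(%s)" % flt

def groups_of(user_dn):
    """Static membership: groups naming the DN in uniqueMember (the search the
    opening question needs). Dynamic membership: groups whose memberURL matches."""
    flt = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(user_dn)
    static = search("ou=groups,dc=company,dc=com", "sub", flt)
    dynamic = [dn for dn, e in DIRECTORY.items() for url in e.get("memberurl", [])
               if user_dn.lower() in search(*parse_ldap_url(url))]
    return static, sorted(dynamic)
```

groups_of for uid=mvl returns the OBIEE group through the uniqueMember search and the Employees group through its memberURL; a DN that appears in no group yields two empty lists. The escaping matters in the static search: spliced in raw, a value of "*" turns (uniqueMember=...) into a presence test that returns every static group, whereas the escaped form \2a is matched literally and returns nothing. A real directory resolves dynamic groups on the server, so a client would read the group's memberURL (or, on a server that offers it, a computed membership attribute) rather than re-evaluating the URL itself as this toy does.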

  • LDAP Data Set - Group Membership / Multivalued attributes

    Hello
    I am attempting to get a list of the groups of which a user is a member in LDAP.  I have created an LDAP datasource, and am attempting to create a new dataset.
    Details are as follows:
    Name: Roles
    Datasource: LDAP Server
    Searchbase:  ou=people,dc=example,dc=com
    Attributes:  cn, description, uid, mail, isMemberOf
    Filter: (objectclass=inetOrgPerson)
    When I look at the Data in Tree View for this, I do not get what I am expecting.  What I see is:
    DATA_DS
    -ROLES
    --Description:  Description goes here
    --CN: My Name
    --mail:  [email protected]
    --uid: [email protected]
    --isMemberOf: role1DNRole2DNRole3DNRole4DNRole5DN  (notice they are not splitting on space etc etc)
    --isMemberOf: role1DNRole2DNRole3DNRole4DNRole5DN  (notice they are not splitting on space etc etc)
    --isMemberOf: role1DNRole2DNRole3DNRole4DNRole5DN  (notice they are not splitting on space etc etc)
    --isMemberOf: role1DNRole2DNRole3DNRole4DNRole5DN  (notice they are not splitting on space etc etc)
    --isMemberOf: role1DNRole2DNRole3DNRole4DNRole5DN  (notice they are not splitting on space etc etc)
    If I have 5 roles, I see 5 isMemberOf attributes, but each value has all 5 memberships in it.
    Is there something special that I need to do with multi valued ldap attributes?
    Thank you.

    Chris,
    Brilliant! I had already enabled extended logging in OpenLDAP, but it didn't give me the answers I was looking for. I set up an OID instance (didn't want to get into packet sniffing when it's someone else's directory), captured the packets with ethereal, and there it was! I'm going to post more details about this (more on the process than the result), but here's my answer:
    Filter: (|(uniquemember=cn=user1,cn=users,dc=demo1,dc=com)(member=cn=user1,cn=users,dc=demo1,dc=com))
    There's more to the process, but that's the answer I needed.
    Thanks again for putting me back on track,
    Tyler
