LDAP for users / RPD for Groups. How?
I realize this has been asked before but I've not found a good explanation.
We've set up OBI to authenticate against our LDAP.
But I need to assign users to groups created in the repository.
Just adding groups in the rpd and importing ldap users and assigning them to groups does not work as their passwords are blank.
This is not surprising as the Developer's Guide on page 124 says:
"When a User exists in both the repository and in an external source (such as LDAP servers), the
local repository User definition takes precedence. This restriction allows the Oracle Business
Intelligence Server Administrator to override users that exist in an external security system."
So how to do this?
On the same page it says:
Groups are defined in the repository. However, if lists of users are stored on LDAP servers, the
group membership information must be obtained from a database table.
Problem is I just don't have enough experience yet to understand how to set that up. Anyone have a suggestion or can point to detailed info on the topic?
Thanks, E
Do as microsai says. In addition to the LDAP authentication you need to populate the GROUP variable (also shown in microsai's link). This is where the relationship between users and groups is loaded. This normally requires the USERS=>GROUPS relationship to be in an external table although there are other ways to do it from LDAP such as in [this example|http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/].
Similar Messages
-
Problem with LDAP authentication for users in a group
I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
ldap-base-dn DC=COMPANY,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
server-type microsoft
ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
wins-server none
dns-server value 10.10.100.102
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value net.COMPANY.com
webvpn
anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
address-pool COMPANY-SSL-VPN-POOL
authentication-server-group LDAP
authorization-server-group LDAP
authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
ikev1 pre-shared-key *****
I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
-
LDAP: apple-user-homeurl for 10.6.7
Hi all,
I have a problem with Portable Home Directories through LDAP and AFP. The file server is running 10.6.6, and I never experienced any issues until I upgraded my client to 10.6.7. Now the HomeSync fails to sync the data.
@ FileSyncAgent-verbose.log:
EXCEPTION: Permissions Error <-[SPeerFSPHD mountPeerVolume] (Peer-FS-PHD.m:157): "'((afpAccessDenied))' error -5000"
The problem seems to be that HomeSync tries to write to a directory, without having the correct permission. I traced the problem back to the "apple-user-homeurl" entry in LDAP. Changing it from
<home_dir><url>afp://fileserver/home</url><path></path></homedir>
to
<home_dir><url>afp://fileserver</url><path>home/</path></homedir>
solved the problem.
Can anyone confirm that one has to make this change for clients running 10.6.7? How could this affect clients running older versions, like 10.5? Will updating the server to 10.6.7 change anything? Is there any Apple resource documenting this change in 10.6.7?
Thanks in advance
In my case LDAP is running on a Linux Server, and the homes are AFP shares through a Mac OS 10.6.6 server. I simply edited the LDAP entry "apple-user-homeurl" for my user, as explained above.
In the meanwhile I tested to log on to 10.6.6 and 10.5.8 - and in both cases PHD were working with my changed LDAP account. But I haven't yet dared to update the server to 10.6.7.
Somehow 10.6.7 seems to read the path to the home directory in a different way... I would appreciate if anyone could confirm this, and maybe add more details.
-
How to force sql developer to prompt for user input for every execution ?
Hi Folks,
Environment: Oracle 11g (on Windows 7)
SQL Developer: *3.1.07*
I am executing a PL/SQL code off Sql Developer. The code uses substitution variables to prompt user for input. However,I am only prompted for the user input for the very first run of the code. For the subsequent executions, the code simply picks up the user input from the very first run. This behavior persists for all subsequent runs of the code.
I have executed the same piece of code from SQL*PLUS and the behavior seems normal (i.e. I am prompted for fresh input for every execution)
How can flush out the old user input so I can be prompted for new user input for every run of the code in sql developer?
Thanks in advance
rogers42
Hi Rogers42,
1/try
undefine
undefine fred
select '&&fred' from dual;
[run this multiple times]
[prompts here]
old:select '&&fred' from dual
new:select 'a' from dual
'A'
a
[prompts here]
old:select '&&fred' from dual
new:select 'b' from dual
'B'
b
2/try
exit (requires recent version of sql developer: tools->preferences->Database->worksheet->Re-initialize on script exit command)
select '&&fred' from dual;
exit
run this multiple times
[prompts here]
old:select '&&fred' from dual
new:select 'x' from dual
'X'
x
Commit
[prompts here]
old:select '&&fred' from dual
new:select 'y' from dual
'Y'
y
Commit
3/use &fred instead of &&fred
For background see
http://totierne.blogspot.co.uk/2010/04/substitution-and-bind-variables.html
-Turloch
SQLDeveloper team
-
Security Refresh for Users in the Group
Hi John,
I assigned a user with Analytic services admin privileges in the shared services. After the refresh security from shared services through EAS console, I clicked on security and clicked on users. I was able to see that user as an administrator (user type).
But when I assigned the same analytic services admin privileges at the group level, all the users in that group are not showing as administrators in the EAS console after security refresh (showing as user instead of administrator).
Can you explain why?
Thanks.
Hi,
If you look at the group in EAS then it should be displayed as administrator, then all the users assigned to that group will take on the administrator privileges.
It will not show each user as administrator, just as a user; that is the way it works.
Cheers
John
http://john-goodwin.blogspot.com/
-
Search help for user field for WBS element
Hi,
how can I add a search help to one of the user fields for WBS elements without modification? Is there an exit which I can use? I want to have a search help for field PRPS-USR02.
Thanks for your help.
Hi
Create an elementary search help using the Table USR01 or USR03
see the steps
1) Elementary search helps describe a search path. The elementary search help must define where the data of the hit list should be read from (selection method), how the exchange of values between the screen template and selection method is implemented (interface of the search help) and how the online input help should be defined (online behavior of the search help).
2) Collective search helps combine several elementary search helps. A collective search help thus can offer several alternative search paths.
3)An elementary search help defines the standard flow of an input help.
4) A collective search help combines several elementary search helps. The user can thus choose one of several alternative search paths with a collective search help.
5)A collective search help comprises several elementary search helps. It combines all the search paths that are meaningful for a field.
6)Both elementary search helps and other search helps can be included in a collective search help. If other collective search helps are contained in a collective search help, they are expanded to the level of the elementary search helps when the input help is called.
CREATION:
Go to SE11 Tcode
select search help
give the 'z' search help name and create
select the selection method ur table name eg : 'mara'
dialog module 'display value immediately'.
add the field whatever u want and lpos = 1 and spos = 1 and check import and export parameter.
where left position when displaying and spos = search position
and then save and activate ..
See the links:
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee38446011d189700000e8322d00/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee45446011d189700000e8322d00/content.htm
https://forums.sdn.sap.com/click.jspa?searchID=3173469&messageID=2176485
https://forums.sdn.sap.com/click.jspa?searchID=3173469&messageID=3601619
pls go through this for search help creation
http://help.sap.com/saphelp_nw2004s/helpdata/en/41/f6b237fec48c67e10000009b38f8cf/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee2b446011d189700000e8322d00/content.htm
Search Help Exits:
Re: dynamic values for search help
Re: Dynamic search help
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ee52446011d189700000e8322d00/content.htm
http://www.sapdevelopment.co.uk/dictionary/shelp/shelp_exit.htm
https://forums.sdn.sap.com/click.jspa?searchID=4390517&messageID=1712818
Regards
Anji
-
Function Module for user exits for variables used in BEx Queries.
Hi,
This is for BW Query customer exit variable (zvar2) for include ZXRSRU01 and exit :EXIT_SAPLRRS0_001.
Can anyone please suggest the function modules that can be used to do the following.
1)Read value of zvar1 from selection screen whatever
user enters at run time.
2)How to define the zvar2 in the include. zvar2 is the
variable created in BEx to be populated from this
customer exit.
3)How to use case statement where once the value for zvar1
is determined then,
Case zvar1.
when zvar1 = 0 , then zvar2 = 10
when zvar1 = 1 , then zvar2 = 20
3) Assign zvar2 value as computed in the case statement.
Can anyone please help with the code to achieve this.
Any information regarding function modules that can help write user exits for variable reading and input will be greatly helpful.
Thanks
Sarah.
Hi Sarah,
You don't need any FM for your issue.
Please try this sample code :
* Work areas: L_S_RANGE is the row appended to E_T_RANGE
DATA: L_S_RANGE  TYPE RSR_S_RANGESID,
      VAR_INPIUT LIKE RRRANGEEXIT.
CASE I_VNAM.
  WHEN 'ZVAR2'.
    CLEAR L_S_RANGE.
    IF I_STEP = 2. "Processed after variable input
* Read the value entered for ZVAR1
      LOOP AT I_T_VAR_RANGE INTO VAR_INPIUT
           WHERE VNAM = 'ZVAR1'.
* Fill ZVAR2 from the ZVAR1 value
        CASE VAR_INPIUT-LOW.
          WHEN 0.
            L_S_RANGE-LOW = 10.
          WHEN 1.
            L_S_RANGE-LOW = 20.
        ENDCASE.
        L_S_RANGE-SIGN = 'I'.
        L_S_RANGE-OPT = 'EQ'.
        APPEND L_S_RANGE TO E_T_RANGE.
        EXIT.
      ENDLOOP.
    ENDIF.
ENDCASE.
Hope this helps
Joe
-
Authorization for User Creation for Admin user
Dear All,
We have Cronacle 6.0.2.
We have a requirement wherein we want to create an admin user with all access to Redwood (in order to avoid using SYSJCS). We have created an admin role with which our criteria is almost met. After assigning this admin role to our newly created admin user, everything works except user & role authorization. I am not able to create, delete or alter any user or role with this user.
I have seen that we have the oracle system privileges related to user and role authorization (create user, alter role, etc), but when we are trying to assign the same to the admin user, it's not allowing us to do so. We have tried the assignment using sysjcs from both RWE and from the shell using the SYJCS, RSI users.
How can I achieve this? with which user?
Any pointers on this would be highly appreciated.
Thanks in advance for your help.
Warm Regards
Rajeet
Hi Rajeet,
This is because SYSJCS has the privileges to create users and roles in the database, but not the right to actually give out these privileges to other users.
For that, you need a user with the DBA role in the database, or with the "create user" and "create role" privileges "with admin option". A user with the admin option on a privilege can hand out this privilege to other users.
If you don't have any own users with these privileges yet, the SYSTEM user will work as well.
Regards,
Anton.
-
Journalctl works for user, not for root, or anyone in adm [WORKAROUND]
Here's a fun one...
If I'm not in adm and use my user account, journalctl works as expected... However if I use sudo, root, or if I'm in adm group I get this...
root@oa ~ > journalctl
Failed to get cutoff: Bad message
google comes up with diddly that's relevant, same here.
(WORKAROUND)
Also of note, (i've been busy at work, and now xfce doesn't wanna work so i'm doing this in twm) while "journalctl" doesnt work as root, "journalctl -q" does. So that's at least a workaround till that patch gets pushed through.
Last edited by HalJordan (2012-07-21 23:29:47)
Just for comparison, what you should get from calling journal as a user is:
journalctl
Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.
Maybe "man systemd-journald.service" can help you.
-
Security Right 'Resource' id for 'User Impersonation For Seller' right
Hi,
Can someone tell me what's the RESOURCE id for security right 'User Impersonation For Seller'?
I need this to populate the workbook. None of the standard roles have this in E-Sourcing 5.1, so the standard workbook doesn't contain this right.
Manually this right can be set in the security profile in drop down 'Users and security'.
Thanks & Regards,
Srivatsan
Hi
RESOURCE ID for security right "user impersonation" is usermgmt.impersonation
Regards
Mudit Saini
-
$LS_COLORS stopped working (for user, not for root)
Good day.
Some time ago, "ls" stopped paying attention to my color settings when coloring output for my user, while still working for root. For both root and my user, I set $LS_COLORS through ~/.bashrc as "eval $(dircolors -b)" but while this works fine for root, it at some point stopped working for my user, simply since the "eval" doesn't seem to work anymore. That is, what could be the reason for the below behavior?
(note: I also have colored ls output without $LS_COLORS; just not the colors that I want, and which root does have).
===
[rene@e600 ~]$ echo $LS_COLORS
[rene@e600 ~]$ dircolors -b
LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:';
export LS_COLORS
[rene@e600 ~]$ eval $(dircolors -b)
[rene@e600 ~]$ echo $LS_COLORS
[rene@e600 ~]$
===
bash is 4.2.045-5 (coreutils is 8.21-2)
Regards,
Rene
I happen to have the same problem as yours after logging in to Gnome but I didn't test for root.
I've followed what comment #40 says at https://bugs.launchpad.net/ubuntu/+sour … bug/549727 and the problem seems to be gone.
Try removing ~/.gconf/desktop/gnome/peripherals/touchpad ?
-
Need Help for User Exit for Pricing
Dear ABAPers
I created a user exit for pricing where I am comparing a condition type (manually entered(ZD01)) to another condition type(YD01). If the entered value is more than the other condition type than pricing should not be updated.
RATE = 0.
IF KOMP-ZZVBTYP = 'C'.
  IF KOMP-PRSFD = 'X' OR
     KOMP-PRSFD = 'A'.
    IF KOMV-KSCHL = 'ZD01'.
      LOOP AT XKOMV WHERE KSCHL EQ 'YD01'.
        KOMP-KZWI2 = ( XKOMV-KBETR / 10 ).
      ENDLOOP.
      RATE = KOMV-KBETR / 10.
      IF ( RATE <> 0 ) AND ( RATE < KOMP-KZWI2 ).
        MESSAGE W991. "Maximum Allowed Discount Has Exceeded !!!!
        CLEAR KOMV-KBETR.
        CLEAR KOMV-KWERT.
        MODIFY SCREEN.
      ENDIF.
    ENDIF.
  ENDIF.
ENDIF.
It is giving me the message but it is also updating the pricing. I want it not to be updated. So in place of modify screen I need to reset the pricing procedure.
I need a function module or an ABAP keyword which can reset the pricing procedure.
Thanks in Advance.
regards,
MAM
As far as I can understand, you are coding in user exits, so if you are giving that message 'Maximum Allowed Discount Has Exceeded !!!!' as type 'E', I think it will work. I think there is no way to stop the processing without type E.
regards
shiba dutta
-
OID: How to search for users in nested groups
Hi All,
I have three groups:
cn=ParentGroup
uniquemember: cn=ChildGroup1
uniquemember: cn=ChildGroup2
uniquemember: uid=user1
cn=ChildGroup1
uniquemember: uid=user2
cn=ChildGroup2
uniquemember: uid=user3
Now, as per my requirement, I have to do ldapsearch on ParentGroup and all the members(direct & indirect) i.e., user1, user2 and user2 however I am getting only user1.
My OID version is 11.1.1.6.0
Please help.
Regards,
Sunny
Hi Sunny,
A Shell script or a JAVA program can solve this problem.
Regards,
SOADreams
-
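For the OID nested-groups thread above: the traversal such a script has to perform, as an added example that is not code from the thread. It runs against a constructed in-memory directory instead of a live OID; the dc=example,dc=com suffix, the object classes and the extra loop and stale-member entries are assumptions made for the illustration.

```python
from collections import deque

GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}
BASE = "dc=example,dc=com"  # constructed suffix, not from the post


def normalize(dn):
    # Naive DN normalisation: fine for the sample, ignores escaped commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _group(*members):
    return {"objectclass": ["groupOfUniqueNames"], "uniquemember": list(members)}


def _user():
    return {"objectclass": ["inetOrgPerson"]}


# Constructed entries mirroring the question's three groups, plus a loop
# (ChildGroup2 -> ParentGroup) and a member DN that no longer exists.
DIRECTORY = {normalize(dn): entry for dn, entry in {
    f"cn=ParentGroup,cn=Groups,{BASE}": _group(
        f"cn=ChildGroup1,cn=Groups,{BASE}",
        f"cn=ChildGroup2,cn=Groups,{BASE}",
        f"uid=user1,cn=Users,{BASE}"),
    f"cn=ChildGroup1,cn=Groups,{BASE}": _group(f"uid=user2,cn=Users,{BASE}"),
    f"cn=ChildGroup2,cn=Groups,{BASE}": _group(
        f"uid=user3,cn=Users,{BASE}",
        f"uid=departed,cn=Users,{BASE}",
        f"cn=ParentGroup,cn=Groups,{BASE}"),
    f"uid=user1,cn=Users,{BASE}": _user(),
    f"uid=user2,cn=Users,{BASE}": _user(),
    f"uid=user3,cn=Users,{BASE}": _user(),
}.items()}


def is_group(entry):
    return any(oc.lower() in GROUP_CLASSES for oc in entry["objectclass"])


def expand_members(directory, group_dn):
    """Return ({user_dn: chain of groups granting membership}, dangling DNs)."""
    start = normalize(group_dn)
    if start not in directory:
        raise KeyError(f"no such group: {group_dn}")
    users, dangling = {}, []
    seen = {start}                      # groups already queued: breaks loops
    queue = deque([(start, [start])])
    while queue:
        dn, chain = queue.popleft()
        for member in directory[dn].get("uniquemember", []):
            m = normalize(member)
            target = directory.get(m)   # stands in for a base-scope lookup
            if target is None:
                dangling.append(m)      # stale reference: report, do not grant
            elif is_group(target):
                if m not in seen:
                    seen.add(m)
                    queue.append((m, chain + [m]))
            else:
                users.setdefault(m, chain)  # breadth-first: shortest chain wins
    return users, dangling


if __name__ == "__main__":
    found, stale = expand_members(DIRECTORY, f"cn=ParentGroup,cn=Groups,{BASE}")
    for user, chain in sorted(found.items()):
        print(user, "via", " -> ".join(chain))
    print("dangling:", stale)
```

The chain recorded for each user shows which nested group grants the membership, which is the detail an access review needs when a direct search on the parent group returns only user1.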
How to get users' login logout time for user IDs for a specific date?
Dear All,
There is a case I being requested to retrieve the Userid, User Name,
User Group, User Dept, Date, Login Time, Logout Time in a specific date, for example, 21.05.2009.
How should I retrieve the information? The user want to input specific date and user group then return the details that mentioned above.
I tried with SUIM->Users->By Logon Date and Password Change... but I can't specify the date that I want ...
I tried with SM19 (Security Audit Log), but unfortunately in my system this is not activated.
I've sought SAP's advice, and they say we need to ask an ABAPer to develop a report in order to get such details....
Do you guys have any other methods?
Do you guys know which tables will contain the details as mentioned above?
Best Regards,
Ken
Unfortunately without the audit log, you're going to have a hard time finding this information. As mentioned, ST03N will give you some information. If your systems daily workload aggregation goes back to the date you require then you'll be able to get a list of all users who logged on that day. ST03N doesn't keep time stamps just response times.
My only idea is VERY labor intensive. If your DB admin can retrieve a save of the database from that day then table USR02 will hold a little more information for you. It will contain last login times for that day. If your system backup policy happened to have saved the contents of folder "/usr/sap/<SID>/<instance>/data" then you potentially have access to all the data you require. The stat file will have recorded every transaction that took place during that day. If that file is restored you could use program RSSTAT20 to query against it.
Good luck and turn on the audit log as it makes your life much easier!
-
How to set NTFS and share permissions for Users share for home directories in Server 2012
I have a new Server 2012 server, and I want to set up a Users share, that will contain subfolders of each user's username and contain their home directory. But what do I set the share and NTFS permissions as on the root level, let's call the folder Users? Is the following older article the correct permissions I need?
https://support.microsoft.com/kb/274443
Hi RJO22,
You can choose to configure Folder Redirection. Folder Redirection enables you to redirect the location of specific folders within user profiles to a new location, such as a shared network location. Folder redirection is used in the process of administering user profiles and roaming user profiles. You can configure Folder Redirection using the Group Policy Management Console to redirect specific user profile folders, as well as edit Folder Redirection policy settings.
The related KB:
Folder Redirection Overview
http://technet.microsoft.com/en-us/library/cc732275.aspx
Specify the Location of Folders in a User Profile
http://technet.microsoft.com/en-us/library/cc771969.aspx
I’m glad to be of help to you!