LDAP group query failure during per-recipient scanning, poss

I am trying to figure out what this is referring to:
LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server
I can still send test messages from my e-mail.
Is it possible that a user is trying to send incorrectly... hmmm

If you create an LDAP debug log from within the GUI, this will give you a more in-depth look into the query that is being sent to your LDAP server and also, more importantly, any errors that are being returned.
Great log for troubleshooting any LDAP-related issues.

Similar Messages

  • Cisco WSA S170 AsyncOS 7.5.2 LDAP group query debug

    Dear support forum members,
    I have some problems with the Cisco WSA S170 (AsyncOS 7.5.2). It looks like a bug. I have two users in my Active Directory (AD); both of them are members of the InternetGrp6 AD group and both of them are in the same organizational unit in the AD tree, but the WSA could not identify that one of them is a member of InternetGrp6.
    I understand that the WSA does this with an LDAP query to the AD controller, but I could not find a way to debug the LDAP query. This would give me the ability to find out what happened during the user group LDAP query.
    Thanks in advance!
    Best regards,
    Alexander.
    P.S. Sorry for my English.

    Hi,
    First of all I would like to thank you for assistance!
    It is a pity, but I received "Unknown command: ldapsearch" in the SSH CLI session.
    AsyncOS 7.5.2 for Web build 304 installed.
    Best regards,
    Alexander.

  • LDAP Group Lookup Policy

    I would like to know if it is possible to set up an inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
    I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a Distribution group called Media_Access.
    Does this need to be a distribution group or a mail-enabled security group?
    We are using Active Directory.
    Thanks

    Though you could accomplish this with message filters, my vote would be for using ldap group query with the incoming mail policy. You can have the Media-policy that checks if the recipients are a member of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering by the way.
    Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
    Have you tried to create a policy allowing these file types and checking the recipients using LDAP group query?
    Then, insert a policy below this (the one mentioned above) not allowing these file types for non-group members.

  • Using LDAP with query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully - so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within an LDAP group.
    Is there a way to build a query for this case (datasource configuration file, etc...)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    thanks for your fast reply!
    The problem is that we have about 5.000 users in our LDAP system (Exchange); this includes several system users and also special users for e.g. domain administration, etc. Only about 2000 users are really respective portal users and only these users should have access to the portal generally. The intention is to filter the redundant users, so we won't have problems with SAP licenses for users who never should be able to use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch

  • Retrieve nested LDAP groups independent from the network env. (five different approaches)

    Hi all,
    I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
    * The script/program must run in different network environments (I can't be sure if there is a global catalog or AD DS or AD LDS, etc). I will write my own program.
    * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in the directory ACL's.
    * It would be nice to support other LDAP implementations than Active Directory using the same code, but that's not a hard requirement. I could use another approach to support a different LDAP.
    Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
    1) tokengroups attribute:
    - The attribute contains Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
    - Returns a list of SIDs which will have to be translated to group names
    - The tokenGroups attribute exists on both AD DS and AD LDS
    - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
    - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
    - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
    2) tokenGroupsGlobalAndUniversal
    - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
    - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
    - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not sure if this is correct, I think it doesn't contain local groups.
    - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
    3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
    - Use a recursive search query which returns all nested groups for user at once.
    - Returns all groups except for the primary group
    - It's a fast approach, see performance test from Richard Mueller:
    http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
    - It only works on Active Directory, not for other LDAP implementations
    4) Recursive retrieval of the memberOf attribute
    - Retrieves all groups except the primary group. (also local groups from other domains??)
    - works for all LDAP implementations
    - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
    5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
    - No heavy load to the LDAP
    - Needs space to store the user/group info locally (embedded Derby database perhaps)
    - Performs fast since the queries are executed locally
    - Works for all LDAP implementations
    My thoughts on these different approaches:
    * approach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
    * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
    * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
    * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
    * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, database id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive loops are done locally. It will work for all LDAP implementations.
    What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s), LDAP host/port and bind user to connect to LDAP).
    Thanks a lot!
    Paul

    I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
    But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific LDAP.

    Again - note that this question has nothing to do with LDAP or AD. It just asks what group has permissions on what resources.
    I really think you would do well to spend time understanding the NTFS and its security along with how we use security in Windows. By assuming this has something to do with AD you are making it a bigger issue than needed. AD is a repository for accounts and trusts and manages authentication and security group membership. All file security is managed by the OS that hosts the files and not by AD. Users are not normally granted access to resources through direct inclusion in the DACL but are given access through membership in one or more groups. Loading AD into a SQL database will not help you.
    ¯\_(ツ)_/¯
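The thread above weighs a single LDAP_MATCHING_RULE_IN_CHAIN query (approach 3) against walking memberOf data held locally (approaches 4 and 5). The following Python sketch is an added example, not code from any poster: it builds the in-chain filter with RFC 4515 escaping and resolves nested groups from a local memberOf map, terminating on circular nesting and optionally adding the primary group that the post notes is missing from memberOf. All DNs are constructed sample data, and the function names and the simplified DN comparison are assumptions.

```python
from collections import deque
from typing import Dict, List, Optional, Set

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, as named in the post

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(principal_dn: str) -> str:
    """Approach 3: one AD-only filter matching every group that contains
    principal_dn directly or through nesting."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(principal_dn))


def _norm(dn: str) -> str:
    # Assumption: trimming and lower-casing is enough to compare the sample DNs.
    # Real DN matching also has to deal with spacing and escaped characters.
    return dn.strip().lower()


def nested_groups(principal_dn: str,
                  member_of: Dict[str, List[str]],
                  primary_group: Optional[str] = None) -> Set[str]:
    """Approaches 4/5: breadth-first walk over memberOf edges held locally.

    member_of maps a DN (user or group) to the DNs in its memberOf attribute.
    primary_group is the already-resolved DN of the principal's primary group,
    which memberOf does not list. The seen set makes circular nesting terminate.
    """
    index = {_norm(dn): [_norm(g) for g in groups] for dn, groups in member_of.items()}
    start = _norm(principal_dn)
    queue = deque(index.get(start, []))
    if primary_group:
        queue.append(_norm(primary_group))
    seen: Set[str] = set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(index.get(group, []))
    seen.discard(start)  # a group caught in a nesting loop is not reported as its own parent
    return seen


def principals_in(group_dn: str, member_of: Dict[str, List[str]]) -> List[str]:
    """Every DN in the local map (users and nested groups) that is an
    effective member of group_dn."""
    target = _norm(group_dn)
    return sorted(_norm(dn) for dn in member_of if target in nested_groups(dn, member_of))


# Constructed sample data: Editors and Content are nested in each other (a loop).
ALICE = "CN=Alice,OU=Staff,DC=example,DC=test"
BOB = "CN=Bob (Ops),OU=Staff,DC=example,DC=test"
EDITORS = "CN=Editors,OU=Groups,DC=example,DC=test"
CONTENT = "CN=Content,OU=Groups,DC=example,DC=test"
SHARE = "CN=FileShare-RW,OU=Groups,DC=example,DC=test"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=test"

SAMPLE_MEMBER_OF = {
    ALICE: [EDITORS],
    EDITORS: [CONTENT],
    CONTENT: [EDITORS, SHARE],
    BOB: [SHARE],
}

if __name__ == "__main__":
    print(in_chain_filter(BOB))
    print(sorted(nested_groups(ALICE, SAMPLE_MEMBER_OF)))
    print(sorted(nested_groups(BOB, SAMPLE_MEMBER_OF, primary_group=DOMAIN_USERS)))
    print(principals_in(SHARE, SAMPLE_MEMBER_OF))
```

The local walk issues no directory queries once the memberOf map has been loaded, so it can back a nightly report; the in-chain filter returns the same group set from the directory itself but only on Active Directory.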

  • LDAP accept query (space within email) got pass

    Version: 5.1.2-005
    The LDAP accept query is very effective here and we have been using it since day 1.
    Recently, we discovered some backend MTA logs rejecting invalid addresses.
    We haven't changed IronPort or the backend LDAP software for a while, so it is not something that is due to a recent change.
    Here is a funny finding, note the space.
    > ldaptest
    Select which LDAP query to test:
    1. MXLDAP.accept
    2. MXLDAP.smtpauth
    3. VDELDAP.accept
    4. group
    [1]> 1
    Address to use in query:
    []> sys [email protected]
    LDAP query test results:
    Query: MXLDAP.accept
    Address: sys [email protected]
    Action: pass
    LDAP query test finished.
    I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys [email protected]' as a valid LDAP entry. So it seems it is not related to LDAP.
    This is our LDAP accept query:
    (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))
    Our LDAP backend is Openwave MX LDAP directory.
    We are considering upgrading to version 5.5, but not because of this problem; rather, we try to keep our version reasonably up-to-date.

    In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
    If it is set to "loose parsing", it accepts but actually delivers the message to .
    When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
    In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
    I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.
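The reply above describes a recipient check that validates one string (the address with spaces stripped) while delivery uses another (the address as received). The following Python sketch is an added example, not appliance code: it models that behaviour as the reply describes it, next to a check that rejects whitespace and queries exactly the string that will be delivered, plus an audit helper for recipient lists. The directory entries, addresses, the `D` status value and all function names are constructed assumptions; only the attribute names come from the accept query in the post.

```python
from typing import Dict, List

# Constructed directory entries using the attributes named in the accept query.
DIRECTORY = [
    {"mail": "sysadmin@example.test",
     "mailalternateaddress": ["root@example.test"],
     "mailboxstatus": "A"},
    {"mail": "former@example.test",
     "mailalternateaddress": [],
     "mailboxstatus": "D"},  # constructed value meaning "not active"
]


def directory_accepts(address: str) -> bool:
    """In-memory stand-in for
    (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))."""
    a = address.lower()
    for entry in DIRECTORY:
        if entry["mailboxstatus"] != "A":
            continue
        if entry["mail"].lower() == a:
            return True
        if a in (alt.lower() for alt in entry["mailalternateaddress"]):
            return True
    return False


def accept_as_described(rcpt: str) -> Dict[str, str]:
    """Behaviour described in the reply: spaces are stripped before the query,
    but with strict parsing the recipient itself is not altered."""
    queried = rcpt.replace(" ", "")
    action = "pass" if directory_accepts(queried) else "reject"
    return {"queried": queried, "delivered_to": rcpt, "action": action}


def accept_exact(rcpt: str) -> Dict[str, str]:
    """Check the same string that will be delivered; refuse whitespace and
    control characters instead of silently rewriting the address."""
    if any(ch.isspace() or ord(ch) < 32 or ord(ch) == 127 for ch in rcpt):
        return {"queried": "", "delivered_to": rcpt, "action": "reject",
                "reason": "whitespace or control character in recipient"}
    action = "pass" if directory_accepts(rcpt) else "reject"
    return {"queried": rcpt, "delivered_to": rcpt, "action": action}


def audit(recipients: List[str]) -> List[str]:
    """Recipients that pass only because the queried string differs from
    the delivered string."""
    return [r for r in recipients
            if accept_as_described(r)["action"] == "pass"
            and accept_exact(r)["action"] == "reject"]


if __name__ == "__main__":
    # Constructed envelope recipients, e.g. pulled from accepted-mail logs.
    sample = ["sysadmin@example.test", "sys admin@example.test",
              "ROOT@example.test", "former@example.test"]
    for rcpt in sample:
        print(repr(rcpt), accept_as_described(rcpt)["action"], accept_exact(rcpt)["action"])
    print("mismatches:", audit(sample))
```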

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
    That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group for the users I want to include in my OID directory.
    Now at "Builder->Application...->Security->Authorization Schemes",
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB' .
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • Glassfish LDAP group search results in Exception

    I'm trying to get my group search running but I keep getting the same exception
    java.lang.NullPointerException
         at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
         at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
         at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
         at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
         at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
    There's only one post on the web with the same problem and there it is not fixed.
    This is the domain.xml
    <auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://myldap:389"></property>
    <property name="base-dn" value="ou=Users,o=xxx"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
    <property name="search-bind-password" value="xxxxx"></property>
    <property name="search-filter" value="(&amp;(objectClass=user)(uid=%s))"></property>
    <property description="null" name="assign-groups" value="USER"></property>
    <property name="group-search-filter" value="(&amp;(objectClass=groupOfNames)(member=%d))"></property>
    <property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>
    </auth-realm>
    Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.
    The group I am trying to map is
    cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx
    And I do the following mapping in glassfish-web.xml
    <security-role-mapping>
              <role-name>ADMIN</role-name>
              <group-name>cug-EPSManager-Administrators</group-name>
         </security-role-mapping>
    I also have used
    -Djava.naming.referral=follow
    EDIT:
    I also get the following log message indicating that the search-bind-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.
    Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]
    When I look at the LDAPRealm source code I see it is failing on the following statement
    int sz = grpAttr.size();
    This looks to me like it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...
    /**
     * Search for group membership using the given connection.
     */
    private List groupSearch(DirContext ctx, String baseDN,
                             String filter, String target)
    {
        List groupList = new ArrayList();
        try {
            String[] targets = new String[1];
            targets[0] = target;
            SearchControls ctls = new SearchControls();
            ctls.setReturningAttributes(targets);
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration e = ctx.search(baseDN,
                    filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);
            while(e.hasMore()) {
                SearchResult res = (SearchResult)e.next();
                // Attributes.get() returns null when the entry has no attribute named 'target'
                Attribute grpAttr = res.getAttributes().get(target);
                int sz = grpAttr.size();  // the statement reported as failing above
                for (int i=0; i<sz; i++) {
                    String s = (String)grpAttr.get(i);
                    groupList.add(s);
                }
            }
        } catch (Exception e) {
            _logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
            _logger.log(Level.WARNING, "security.exception", e);
        }
        return groupList;
    }
    Hope anyone knows the solution.
    Coen

    Hi Jeong
    Can you explain exactly what you're trying to achieve?
    Howard
    http://www.avoka.com

  • 432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission

    I am having an issue where emails to specific users internal to internal are being successfully delivered, but [a duplicate is?] also getting stuck in the "SMTP Delivery to mailbox" queue, with the sender getting a "Delivery is delayed to
    these recipients or groups:" "Remote Server returned '400 4.4.7 Message delayed" This only happens with emails to specific people in the organization, they get the email immediately after being sent, and everyone else works fine. This issue
    started after we migrated the users' mailboxes from Exchange 2007 to Exchange 2013 CU5; we did not notice the issue until we finished moving all user mailboxes to 2013.
    Delivery Report of email to affected user:
    Delivered
    6/30/2014 11:20 AM mail.domain.com
    The message was successfully delivered.
    Pending
    6/30/2014 11:20 AM
    The message has been queued on server 'mail.domain.com' since 6/30/2014 11:20:15 AM (UTC-06:00) Central Time (US & Canada). The last attempt to send the message was at 6/30/2014 11:21:09 AM (UTC-06:00) Central Time (US & Canada) and generated the error
    '[{LRT=};{LED=432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission[Agent: Mailbox Rules Agent]};{FQDN=};{IP=}]'.
    -Strange time stamp 
    Original message headers:
    Received: from mail.domain.com (172.22.220.68) by
     mail.domain.com (172.22.220.68) with Microsoft SMTP Server (TLS)
     id 15.0.913.22; Sun, 29 Jun 2014 21:36:34 -0500
    Received: from mail.domain.com ([fe80::1554:6e6f:4ca5:85be]) by
     mail.domain.com ([fe80::1554:6e6f:4ca5:85be%12]) with mapi id
     15.00.0913.011; Sun, 29 Jun 2014 21:36:34 -0500
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    From: T S <[email protected]>
    To: M M <[email protected]>
    CC: D M <[email protected]>
    Subject: FW: Migration Complete
    Thread-Topic: Migration Complete
    Thread-Index: Ac+UAzn/W6u8OF7qRG2V93cDeqU24wACDqXL
    Date: Sun, 29 Jun 2014 21:36:33 -0500
    Message-ID: <[email protected]>
    References: <[email protected]>
    In-Reply-To: <[email protected]>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator: <[email protected]>
    MIME-Version: 1.0
    X-Originating-IP: [71.170.174.74]
    Return-Path: [email protected]
    Update 7/2/14:
    Checked event viewer, and found that event ID 1051, erroring multiple times per second with message:
    "Agent 'Mailbox Rules Agent' caused an unhandled exception 'StoreDriverAgentTransientException: Store Driver Agent was unable to send email.' while handling event 'OnDeliveredMessage'"
    Ran Test-MailFlow on my mailbox and the two known non-working mailboxes. For me it returned as successful, but showed as a Failure on the two other accounts.
    The test emails were actually delivered to the user mailboxes even though it shows as a Failure with the Test-MailFlow command:
    From Exchange Queue viewer you can see the test emails stuck in retry, with the following information:
    Identity: mail\3112\1395864371267
    Subject: Test-Mailflow 8f33ae76-fdd9-4528-8e73-5b9f2481a333 66c7004a-6860-44b2-983a-327aa3c9cfec
    Internet Message ID: <[email protected]>
    From Address: SystemMailbox{658b82cc-efc2-4407-8c92-8303213c63e2}@domain.com
    Status: Retry
    Size (KB): 8
    Message Source Name: SMTP:Default mail
    Source IP: 172.22.220.68
    SCL: 0
    Date Received: 7/1/2014 9:52:12 PM
    Expiration Time: 7/3/2014 9:52:12 PM
    Last Error: 432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission[Agent: Mailbox Rules Agent]
    Queue ID: mail\3112
    Recipients:  [email protected];3;3;[{LRT=};{LED=432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission[Agent: Mailbox Rules Agent]};{FQDN=};{IP=}];0;CN=Mailbox Database 2111459242,CN=Databases,CN=Exchange Administrative
    Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=LCS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com;0

    Hi S Calkin,
    According to the error messages, I find following information for your reference:
    1. About Event ID 1051
    This warning event indicates that the transport agent referenced in the event description has encountered an unhandled exception while handling the event.
    More details in the following article:
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=1051&EvtSrc=MSExchange+Extensibility
    2. About "432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission[Agent: Mailbox Rules Agent]"
    I suggest double-checking whether you have enough space. I find a similar case that was caused by low space, please see this:
    432 4.2.0 STOREDRV.Deliver; Agent transient failure during message resubmission[Agent: Mailbox Rules Agent]
    http://social.technet.microsoft.com/Forums/exchange/en-US/750d89fb-1832-4aaf-b095-c2b9defec977/432-420-storedrvdeliver-agent-transient-failure-during-message-resubmissionagent-mailbox-rules?forum=exchangesvrgeneral
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • System failure during locking GL account 5555 by 13113910 Message no. 8I076  and the time of saving out going excise invoice.

    Hi SAP Gurus,
    We are configuring the CIN Settings for our client and at the time of testing, while saving the Out going excise invoice the system is giving the error as “Balance in Transaction Error” and when pressed enter the system displays the error as “ system failure during locking GL account 5555 by 13113910.”
    We have configured Out going excise duty condition types  in the SD pricing procedure
    and
    also maintained the same condition types  as mentioned below  in the path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  /  INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / MAINTAIN EXCISE DEFAULTS
    under the headings
    AR BED Cond – JEXP
    AR Cess Cond – JECS
    ECS AR – JHEC
    And also maintained the settings in the Path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  / INDIA  / SPECIFY  EXCISE ACCOUNTS PER  EXCISE  TRANSACTION and also in SPECIFY G/L ACCOUNTS  PER EXCISE TRANSACTION .
    But still the above-mentioned error is coming.
    Note: the error is not coming when I am removing the JHEC condition type from the path IMG / LOGISTICS GENERAL  / TAX ON GOODS MOVEMENT  / INDIA / BASIC SETTINGS/ DETERMINATION OF EXCISE DUTY / under the heading ECR AR, but we need the JHEC (i.e. Higher education cess) also in the outgoing excise invoice.
    Please let me know what is the issue and how to resolve it.
    Thanks & Regards
    Shashi

    Dear We faced the same issue and  almost for 20 days to  get it resolved.
    For this kind of error firstly Check have you activated the Liable for AT1 indicator in(IMG>>Log.General>>Tax on goods Movement>>India>>Basic Settings>>Maintain Excise registrations)
    Also Have you assigned Proper GL account in (IMG>>Log.General>>Tax on Good Movement>>>India>>>Account Determination>>Account determination per Excise transaction type.
    Here pl check the relevant GL has been assigned for
    1.RG23A BED(for Both incoming and outgoing excise invoice  updations against your ETT)
    2 RG23C BED, (for Both incoming and outgoing excise invoice updations against your ETT)
    3 .OFF SET,(for Both incoming and outgoing excise invoice  updations against your ETT)
    4 MODVAT.CLEARING, (for Both incoming and outgoing excise invoice updations against your ETT)
    5 PLA BED& AED & SED,(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    6 PLA CESS(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    7 CENVAT ON HOLD(for Both incoming and outgoing excise invoice updations against your ETT at the time of utilizations)
    8.CENVAT SUSPENSE(for Both incoming and outgoing excise invoice updations against your ETT at the time of invoice posting)
    9.PLA ON HOLD((for Both incoming and outgoing excise invoice updations against your ETT at the time of TR6c)
    10. CENVAT REVERSAL(For cancellations vs ETT)
    11. RG23A ECS(for Both incoming and outgoing excise invoice  updations against your ETT)
    12. RG23C ECS(for Both incoming and outgoing excise invoice  updations against your ETT)
    13. PLA ECS(for Both incoming and outgoing excise invoice  updations against your ETT )
    14. RG23A AT1(check this more carefully)
    15. RG23C AT1(check this more carefully)
    16. PLA AT1(check this more carefully)
    Hope this helps you...
    Phanikumar

  • Mysql error java.sql.SQLException: Communication failure during handshake.

    Hi !!!
    I was working ok, with hibernate and mysql but yesterday I try to install the new mysql version (4.1.10) and receive the following error when I try to connect
    Initializing Hibernate
    INFO - Hibernate 2.1.6
    INFO - hibernate.properties not found
    INFO - using CGLIB reflection optimizer
    INFO - configuring from resource: /hibernate.cfg.xml
    INFO - Configuration resource: /hibernate.cfg.xml
    INFO - Mapping resource: com/tutorial/hibernate/core/News.hbm.xml
    INFO - Mapping class: com.tutorial.hibernate.core.News -> news
    INFO - Configured SessionFactory: null
    INFO - processing one-to-many association mappings
    INFO - processing one-to-one association property references
    INFO - processing foreign key constraints
    INFO - Using dialect: net.sf.hibernate.dialect.MySQLDialect
    INFO - Maximim outer join fetch depth: 2
    INFO - Use outer join fetching: true
    INFO - Using Hibernate built-in connection pool (not for production use!)
    INFO - Hibernate connection pool size: 20
    INFO - using driver: org.gjt.mm.mysql.Driver at URL: jdbc:mysql://localhost/unnobanews
    INFO - connection properties: {user=news, password=news}
    INFO - Transaction strategy: net.sf.hibernate.transaction.JDBCTransactionFactory
    INFO - No TransactionManagerLookup configured (in JTA environment, use of process level read-write cache is not recommended)
    WARN - Could not obtain connection metadata
    java.sql.SQLException: Communication failure during handshake. Is there a server running on localhost:3306?
    at org.gjt.mm.mysql.MysqlIO.init(Unknown Source)
    at org.gjt.mm.mysql.Connection.connectionInit(Unknown Source)
    at org.gjt.mm.mysql.jdbc2.Connection.connectionInit(Unknown Source)
    at org.gjt.mm.mysql.Driver.connect(Unknown Source)
    at java.sql.DriverManager.getConnection(DriverManager.java:512)
    at java.sql.DriverManager.getConnection(DriverManager.java:140)
    Somewhere I read that it was necessary to update the jdbc driver, so I updated it from version nro 2 to version nro 3.1.7 but still the error
    Phpmyadmin works ok and mysql control center can connect ok too.
    But when I try a telnet localhost:3306 I receive an error of connection failed
    Anyway the mysql status shows me correct information, that it is working ok!
    Any idea?
    Kind regards
    Naty

    Hibernate 2.1.6
    loaded properties from resource hibernate.properties: {hibernate.connection.username=root, hibernate.connection.password="", hibernate.cglib.use_reflection_optimizer=true, hibernate.connection.pool_size=10, hibernate.dialect=net.sf.hibernate.dialect.MySQLDialect, hibernate.connection.url=jdbc:mysql://manoj/manoj, hibernate.connection.driver_class=org.gjt.mm.mysql.Driver}
    using CGLIB reflection optimizer
    configuring from resource: /hibernate.cfg.xml
    Configuration resource: /hibernate.cfg.xml
    Mapping resource: com/mec/emp.hbm.xml
    Mapping class: com.mec.Employee -> emp
    Configured SessionFactory: null
    processing one-to-many association mappings
    processing one-to-one association property references
    processing foreign key constraints
    Using dialect: net.sf.hibernate.dialect.MySQLDialect
    Maximim outer join fetch depth: 2
    Use outer join fetching: true
    Using Hibernate built-in connection pool (not for production use!)
    Hibernate connection pool size: 10
    using driver: org.gjt.mm.mysql.Driver at URL: jdbc:mysql://manoj/manoj
    connection properties: {user=root, password=""}
    No TransactionManagerLookup configured (in JTA environment, use of process level read-write cache is not recommended)
    Could not obtain connection metadata
    java.sql.SQLException: Server configuration denies access to data source
         at org.gjt.mm.mysql.MysqlIO.init(MysqlIO.java:144)
         at org.gjt.mm.mysql.Connection.<init>(Connection.java:230)
         at org.gjt.mm.mysql.Driver.connect(Driver.java:126)
         at java.sql.DriverManager.getConnection(DriverManager.java:525)
         at java.sql.DriverManager.getConnection(DriverManager.java:140)
         at net.sf.hibernate.connection.DriverManagerConnectionProvider.getConnection(DriverManagerConnectionProvider.java:101)
         at net.sf.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:73)
         at net.sf.hibernate.cfg.Configuration.buildSettings(Configuration.java:1155)
         at net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:789)
         at com.mec.CreateSession.getCurrentSession(CreateSession.java:35)
         at com.mec.TestEmployee.createEmployee(TestEmployee.java:37)
         at com.mec.TestEmployee.main(TestEmployee.java:24)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.intellij.rt.execution.application.AppMain.main(AppMain.java:78)
    Use scrollable result sets: false
    Use JDBC3 getGeneratedKeys(): false
    Optimize cache for minimal puts: false
    Query language substitutions: {}
    cache provider: net.sf.hibernate.cache.EhCacheProvider
    instantiating and configuring caches
    building session factory
    Not binding factory to JNDI, no JNDI name configured
    SQL Error: 0, SQLState: 08001
    Server configuration denies access to data source
    Cannot open connection
    java.sql.SQLException: Server configuration denies access to data source
         at org.gjt.mm.mysql.MysqlIO.init(MysqlIO.java:144)
         at org.gjt.mm.mysql.Connection.<init>(Connection.java:230)
         at org.gjt.mm.mysql.Driver.connect(Driver.java:126)
         at java.sql.DriverManager.getConnection(DriverManager.java:525)
         at java.sql.DriverManager.getConnection(DriverManager.java:140)
         at net.sf.hibernate.connection.DriverManagerConnectionProvider.getConnection(DriverManagerConnectionProvider.java:101)
         at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:286)
         at net.sf.hibernate.impl.SessionImpl.connect(SessionImpl.java:3326)
         at net.sf.hibernate.impl.SessionImpl.connection(SessionImpl.java:3286)
         at net.sf.hibernate.transaction.JDBCTransaction.begin(JDBCTransaction.java:40)
         at net.sf.hibernate.transaction.JDBCTransactionFactory.beginTransaction(JDBCTransactionFactory.java:19)
         at net.sf.hibernate.impl.SessionImpl.beginTransaction(SessionImpl.java:2231)
         at com.mec.TestEmployee.createEmployee(TestEmployee.java:38)
         at com.mec.TestEmployee.main(TestEmployee.java:24)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.intellij.rt.execution.application.AppMain.main(AppMain.java:78)
    Process finished with exit code 0

  • Query is doing full table scan

    Hi All,
    The below query is doing full table scan. So many threads from application trigger this query and doing full table scan. Can you please tell me how to improve the performance of this query?
    Env is 11.2.0.3 RAC (4 node). Unique index on VZ_ID, LOGGED_IN. The table row count is 2,501,103.
    Query is :-
    select ccagentsta0_.LOGGED_IN as LOGGED1_404_, ccagentsta0_.VZ_ID as VZ2_404_, ccagentsta0_.ACTIVE as ACTIVE404_, ccagentsta0_.AGENT_STATE as AGENT4_404_,
    ccagentsta0_.APPLICATION_CODE as APPLICAT5_404_, ccagentsta0_.CREATED_ON as CREATED6_404_, ccagentsta0_.CURRENT_ORDER as CURRENT7_404_,
    ccagentsta0_.CURRENT_TASK as CURRENT8_404_, ccagentsta0_.HELM_ID as HELM9_404_, ccagentsta0_.LAST_UPDATED as LAST10_404_, ccagentsta0_.LOCATION as LOCATION404_,
    ccagentsta0_.LOGGED_OUT as LOGGED12_404_, ccagentsta0_.SUPERVISOR_VZID as SUPERVISOR13_404_, ccagentsta0_.VENDOR_NAME as VENDOR14_404_
    from AGENT_STATE ccagentsta0_ where ccagentsta0_.VZ_ID='v790531'  and ccagentsta0_.ACTIVE='Y';
    Table Scan                                                       AGENT_STATE                                                2.366666667
    Table Scan                                                       AGENT_STATE                                                0.3666666667
    Table Scan                                                       AGENT_STATE                                                1.633333333
    Table Scan                                                       AGENT_STATE                                                       0.75
    Table Scan                                                       AGENT_STATE                                                1.866666667
    Table Scan                                                       AGENT_STATE                                                2.533333333
    Table Scan                                                       AGENT_STATE                                                0.5333333333
    Table Scan                                                       AGENT_STATE                                                       1.95
    Table Scan                                                       AGENT_STATE                                                        0.8
    Table Scan                                                       AGENT_STATE                                                0.2833333333
    Table Scan                                                       AGENT_STATE                                                1.983333333
    Table Scan                                                       AGENT_STATE                                                        2.5
    Table Scan                                                       AGENT_STATE                                                1.866666667
    Table Scan                                                       AGENT_STATE                                                1.883333333
    Table Scan                                                       AGENT_STATE                                                        0.9
    Table Scan                                                       AGENT_STATE                                                2.366666667
    But the explain plan shows the query is taking the index
    Explain plan output:-
    PLAN_TABLE_OUTPUT
    Plan hash value: 1946142815
    | Id  | Operation                   | Name            | Rows  | Bytes | Cost (%CPU)| Time     |
    |   0 | SELECT STATEMENT            |                 |     1 |   106 |   244   (0)| 00:00:03 |
    |*  1 |  TABLE ACCESS BY INDEX ROWID| AGENT_STATE     |     1 |   106 |   244   (0)| 00:00:03 |
    |*  2 |   INDEX RANGE SCAN          | AGENT_STATE_IDX |   229 |       |     4   (0)| 00:00:01 |
    Predicate Information (identified by operation id):
       1 - filter("CCAGENTSTA0_"."ACTIVE"='Y')
       2 - access("CCAGENTSTA0_"."VZ_ID"='v790531')
    The values (VZ_ID) I have given are dummy values picked from the table. I don't get the actual values since the query is coming with bind variables. Please let me know your suggestion on this.
    Thanks,
    Mani

    Hi,
    But I am not getting what the issue is. It's a simple select query and an index is there on one of the leading columns (VZ_ID --- PK). Explain plan says it's using the index and it only selects a fraction of rows from the table. Then why is it doing FTS? For the optimizer, why is it like a query doing FTS?
    The rule-based optimizer would have picked the plan with the index. The cost-based optimizer, however, is picking the plan with the lowest cost. Apparently, the lowest cost plan is the one with the full table scan. And the optimizer isn't necessarily wrong about this.
    Reading data from a table via index probes is only efficient when selecting a relatively small percentage of rows. For larger percentages, a full table scan is generally better.
    Consider a simple example: a query that selects from a table with biographies for all people on the planet. Suppose you are interested in all people from a certain country.
    select * from all_people where country='Vatican'
    would return only 800 rows (as Vatican is an extremely small country with a population of just 800 people). For this case, obviously, using an index would be very efficient.
    Now if we run this query:
    select * from all_people where country = 'India',
    we'd be getting over a billion rows. For this case, a full table scan would be several thousand times faster.
    Now consider the third case:
    select * from all_people where country = :b1
    What plan should the optimizer choose? The value of the :b1 bind variable is generally not known during parse time; it will be passed by the user when the query is already parsed, during run-time.
    In this case, one of two scenarios takes place: either the optimizer relies on some built-in default selectivities (basically, it takes a wild guess), or the optimizer postpones taking the final decision until the first time the query is run, 'peeks' the value of the bind, and optimizes the query for this case.
    It means that if the first time the query is parsed, it was called with :b1 = 'India', a plan with a full table scan will be generated and cached for subsequent usage. And until the cursor is aged out of library cache or invalidated for some reason, this will be the plan for this query.
    If the first time it was called with :b1='Vatican', then an index-based plan will be picked.
    Either way, bind peeking only gives good results if the subsequent usage of the query is the same kind as the first usage. I.e. in the first case it will be efficient if the query would always be run for countries with big populations.
    And in the second case, if it's always run for countries with small populations.
    This mechanism is called 'bind peeking' and it's one of the most common causes of performance problems. In 11g, there are more sophisticated mechanisms, such as cardinality feedback, but they don't always work as expected.
    This mechanism is the most likely explanation for your issue. However, without proper diagnostic information we cannot be 100% sure.
    Best regards,
      Nikolay

  • How to verify user LDAP group membership

    Hi,
    we are attempting to determine if a user is a member of a specific LDAP group in our directory, and if the user is a member it should return TRUE, else FALSE (this is done by defining the LDAP attribute 'CN' (property) which returns a result 'CN=<UserName>' or returns 'getting 0 entries'). The query we have is
    (&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).
    Any pointers on how to do this ?
    Thank you.

    You could do a couple of things...
    1) Install dsquery (add remote AD tools to your box) and run something like
    dsquery group -u <user name>
    Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.
    2) Use powershell functions and powershell capability to check for group membership, something like this:
    function Get-GroupMembership($DN,$group){
        # Bind to the user object by its distinguished name and emit the memberOf values that match $group
        $objEntry = [adsi]("LDAP://"+$DN)
        $objEntry.memberOf | where { $_ -match $group}
    }
    # EXAMPLE CALL
    Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"
    Then you can regex through the output for the "True" or "False" word and run with that.
    Either should get you what you want.
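
Added example, not part of the posts above: a Python sketch that builds the question's filter `(&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com))` with the user name escaped per RFC 4515 and the group name escaped per RFC 4514 before it goes into the DN, so that a value containing `*`, `(`, `)` or `,` cannot change what the filter matches. The function names, the sample names and the `search` callable (any function that runs a filter and returns the matching entries) are assumptions; `nested=True` uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN to include nested group membership.

```python
"""Build the thread's membership filter with correct escaping (added example)."""

# Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that must be written as \XX inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as the value part of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(username, group_name, base_dn="DC=domain,DC=com", nested=False):
    """Return the filter from the question; base_dn is trusted configuration."""
    # Two layers: the group name is DN-escaped first, then the whole DN is
    # filter-escaped because it is used as an assertion value.
    group_dn = "CN=" + escape_rdn_value(group_name) + "," + base_dn
    attr = "memberOf:" + IN_CHAIN + ":" if nested else "memberOf"
    return "(&(cn=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))


def is_member(search, username, group_name, **kwargs):
    """True if the search returns the user entry, False on 0 entries.

    `search` is a hypothetical callable wrapping whatever LDAP client is in use.
    """
    return len(search(membership_filter(username, group_name, **kwargs))) > 0


if __name__ == "__main__":
    # Constructed sample values; the last user name is a bare filter wildcard.
    for user, group in [("jdoe", "Media_Access"), ("jdoe", "R&D, Lab"), ("*", "Ops (EU)")]:
        print(membership_filter(user, group))
```

Without the escaping, a user name of `*` would make the `cn` clause match every member of the group, and the check would return TRUE for a name that belongs to nobody.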

  • Webcenter discussion forum - Ldap Group Integration issue

    Hi All,
    I am trying to implement LDAP Group integration in our jive forums 5.1.0 installed in an Oracle IAS 10.1.3.2 server.
    I have followed the steps mentioned in the LDAP documentation and setup the following system properties:
    ldap.groupNameField cn
    ldap.groupMemberField uniquemember
    ldap.groupDescriptionField description
    ldap.groupSearchFilter (cn={0})
    I just restarted the server after setting up these , but the forums instance is not coming up in the server. Throwing the following error:
    08/01/21 14:52:33.550 jiveforums: http://CompressingFilter/1.4.4 CompressingFilter has initialized
    08/01/21 15:23:04.597 jiveforums: Servlet error
    java.io.IOException: An established connection was aborted by the software in your host machine
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
    at sun.nio.ch.IOUtil.write(IOUtil.java:75)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
    at java.nio.channels.Channels.write(Channels.java:60)
    at java.nio.channels.Channels.access$000(Channels.java:47)
    at java.nio.channels.Channels$1.write(Channels.java:134)
    at com.evermind.server.http.AJPOutputStream.endRequest(AJPOutputStream.java:117)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:309)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    08/01/21 15:25:59.956 jiveforums: Exception thrown during contextDestroyed
    java.lang.ExceptionInInitializerError
    at com.jivesoftware.forum.database.DbForumFactory.getAttachmentManager(DbForumFactory.java:798)
    at com.jivesoftware.forum.database.DbForumFactory.destroy(DbForumFactory.java:410)
    at com.jivesoftware.forum.database.DbForumFactory.shutdown(DbForumFactory.java:381)
    at com.jivesoftware.forum.util.ForumsLifeCycleListener.contextDestroyed(ForumsLifeCycleListener.java:88)
    at com.evermind.server.http.HttpApplication.destroyContextListeners(HttpApplication.java:5877)
    at com.evermind.server.http.HttpApplication.destroy(HttpApplication.java:5843)
    at com.evermind.server.http.HttpSite.destroy(HttpSite.java:877)
    at com.evermind.server.http.HttpServer.destroy(HttpServer.java:548)
    at com.evermind.server.ApplicationServer.destroy(ApplicationServer.java:2030)
    at com.evermind.server.ApplicationServerShutdownHandler.run(ApplicationServerShutdownHandler.java:93)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.IllegalStateException: Timer already cancelled.
    at java.util.Timer.sched(Timer.java:354)
    at java.util.Timer.scheduleAtFixedRate(Timer.java:296)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:218)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:202)
    at com.jivesoftware.forum.database.DbAttachmentManager.<init>(DbAttachmentManager.java:160)
    at com.jivesoftware.forum.database.DbAttachmentManager.<clinit>(DbAttachmentManager.java:48)
    Can anyone please throw a light?
    Thanks and regards,
    ABhijit

    Hi Guneet,
    We are using jive 5.5.9 instead of 5.1.0 that comes with webcenter.
    Also we are just trying to validate Jive's authorization scheme, so we didn't integrate the Java SSO part. The Jive forum is just a standalone OC4J instance in the IAS server and we are using the LDAP configuration in the User, Groups Authentication page instead of the default, which is required for Java SSO.
    Thanks,
    ABhijit

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
    to recognize groups. Here is my weblogic-ejb-jar.xml
    <security-role-assignment>
    <role-name>channel-role</role-name>
    <principal-name>system</principal-name>
    <principal-name>mygroup</principal-name>
    <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials from the client of a uniquemember, WLS generates a
    security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
    either.
    Any suggestions?
    Thanks
    -Surya

    Yes, It has impact. You create groups in the Repository & Answers and assign the object level permissions.
    You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
    For dashboard A - For group Executive - User X - You have given full access.
    Now you have changed the Group name to AD_Executive. When You Login variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names then get Groups from database using Init block after authorization.
