LDAP groups issue

Hi,
We are using a external LDAP provider to authenticate users and groups in weblogic(10.3.5). Recently we have created some groups in LDAP, but when we check in weblogic console the newly created groups are not updated.
Can somebody please point us a way to resolve this?

What is your group base dn?
Faisal
http://www.weblogic-wonders.com

Similar Messages

  • Webcenter dicussion forum - Ldap Group Integration issue

    Hi All,
    I am trying to implement LDAP Group integration in our jive forums 5.1.0 installed in an Oracle IAS 10.1.3.2 server.
    I have followed the steps mentioned in the LDAP documentation and setup the following system properties:
    ldap.groupNameField cn
    ldap.groupMemberField uniquemember
    ldap.groupDescriptionField description
    ldap.groupSearchFilter (cn={0})
    I just restarted the server after setting up these , but the forums instance is not coming up in the server. Throwing the following error:
    08/01/21 14:52:33.550 jiveforums: http://CompressingFilter/1.4.4 CompressingFilter has initialized
    08/01/21 15:23:04.597 jiveforums: Servlet error
    java.io.IOException: An established connection was aborted by the software in your host machine
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:33)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:104)
    at sun.nio.ch.IOUtil.write(IOUtil.java:75)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:302)
    at java.nio.channels.Channels.write(Channels.java:60)
    at java.nio.channels.Channels.access$000(Channels.java:47)
    at java.nio.channels.Channels$1.write(Channels.java:134)
    at com.evermind.server.http.AJPOutputStream.endRequest(AJPOutputStream.java:117)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:309)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
    08/01/21 15:25:59.956 jiveforums: Exception thrown during contextDestroyed
    java.lang.ExceptionInInitializerError
    at com.jivesoftware.forum.database.DbForumFactory.getAttachmentManager(DbForumFactory.java:798)
    at com.jivesoftware.forum.database.DbForumFactory.destroy(DbForumFactory.java:410)
    at com.jivesoftware.forum.database.DbForumFactory.shutdown(DbForumFactory.java:381)
    at com.jivesoftware.forum.util.ForumsLifeCycleListener.contextDestroyed(ForumsLifeCycleListener.java:88)
    at com.evermind.server.http.HttpApplication.destroyContextListeners(HttpApplication.java:5877)
    at com.evermind.server.http.HttpApplication.destroy(HttpApplication.java:5843)
    at com.evermind.server.http.HttpSite.destroy(HttpSite.java:877)
    at com.evermind.server.http.HttpServer.destroy(HttpServer.java:548)
    at com.evermind.server.ApplicationServer.destroy(ApplicationServer.java:2030)
    at com.evermind.server.ApplicationServerShutdownHandler.run(ApplicationServerShutdownHandler.java:93)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.IllegalStateException: Timer already cancelled.
    at java.util.Timer.sched(Timer.java:354)
    at java.util.Timer.scheduleAtFixedRate(Timer.java:296)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:218)
    at com.jivesoftware.util.TaskEngine.scheduleTask(TaskEngine.java:202)
    at com.jivesoftware.forum.database.DbAttachmentManager.<init>(DbAttachmentManager.java:160)
    at com.jivesoftware.forum.database.DbAttachmentManager.<clinit>(DbAttachmentManager.java:48)
    Can anyone please throw a light?
    Thanks and regards,
    ABhijit

    Hi Guneet,
    We are using jive 5.5.9 instead of 5.1.0 that comes with webcenter.
    Also we are just trying to validate the JIve's authorization scheme so didn't integrate the Java SSO part. Jive forum is just a standalone OC4J instance in the IAS server and we are using the LDAP configuration in the User,Groups Authentication page instead or default which is required for Java SSO.
    Thanks,
    ABhijit

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    <P>
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret
    Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
    Be sure to click Like! for those who have helped you.
    Click  Accept as Solution for posts that have solved your issue(s)!

  • Cannot Add user to CMC Group when they are a member of LDAP group

    On PreProduction Server CMC
    Softerra LDAP browser used to verify user is a member of LDAP group
    User does not show as a member of that group in the CMC
    Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
    On Production Server CMC
    For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
    Why doesn't the groups in CMC show what is actually showing in the LDAP browser?

    Hi,
    Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
    Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
    If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
    Regards,
    Julian

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP.  It is working fine but when I assigned roles to the LDAP group instead of UME group, they are not taking effect when I refresh the browser.  My service account that I set up in the keytab file is a read only account for the LDAP.  Is there some permission issue that I have to do to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is readonly.
    In this case, is not possible to modify data in LDAP.
    You must to connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Cannot import LDAP group through Import Wizard.

    Hello,
    We have a issue where we are unable to import Ldap group if we use cluster name while logging into Import Wizard.
    we are able to import the LDAP users/groups if we use the primary CMS name while logging into Import Wizard
    Is this a known issue in XI R2 SP 3 or are we missing out something?
    Please help!!!
    Thanks...

    I'm really surprised the import wizard even works with a clustername. Considering it's design is to migrate from 1 CMS to another it should require a CMS name and not a clustername. I don't think using clusternames was ever part of its design. It's even more bizarre that a clustername would conflict with LDAP. SP3 had several other LDAP bugs that are fixed in SP4 but other than that I'm not sure. What's the issue with using just 1 CMS name. This should be desirable so you can control which CMS gets the added load from the IW, otherwise it would just randomly select one.
    Regards,
    Tim

  • GetUserRoles() in SecurityContext returns LDAP group names

    Hi,
    getUserRoles() in SecurityContext returns LDAP group names along with the application role of the user. Is this expected? If not what could be the possible issue.
    I have OVDLDAP configured in the weblogic server.
    Thank you.

    Hi,
    yes, this is expected. OPSS APIs expose application roles and user roles. To distinguish between the two I recommend a naming convention like <name>app-role to identify application roles
    Frank

  • Retrieve nested LDAP groups independent from the network env. (five different approaches)

    Hi all,
    I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
    * The script/program must run in different network environments (I can't be sure if there is a global catelog or AD DS or AD LDS, etc). I will write my own program.
    * The membership info will be used in combination with directory ACL's and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in
    the directory ACL's.
    * It would be nice to support other LDAP implementations than Active Directory using the same code, but that not a hard requirement. I could use another approach to support a different LDAP.
    Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
    1) tokengroups attribute:
    - The attribute contains Univeral groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
    - Returns a list of SIDs which will have to be translated to group names
    - The tokenGroups attribute exists on both AD DS and AD LDS
    - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
    - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
    - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
    2) tokenGroupsGlobalAndUniversal
    - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
    - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
    - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not
    sure if this is correct, I think it doesn't contain local groups.
    - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
    3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
    - Use a recursive search query which returns all nested groups for user at once.
    - Returns all groups except for the primary group
    - It's a fast approach, see performance test from Richard Mueller:
    http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
    - It only works on Active Directory, not for other LDAP implementations
    4) Recursive retrieval of the memberOf attribute
    - Retrieves all groups except the primary group. (also local groups from other domains??)
    - works for all LDAP implementations
    - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
    5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
    - No heavy load to the LDAP
    - Needs space to store the user/group info locally (embedded Derby database perhaps)
    - Performs fast since the queries are executed locally
    - Works for all LDAP implementations
    My thoughts on these different approaches:
    * appreach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
    * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
    * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
    * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
    * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, databse id's and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive
    loops are done locally. It will work for all LDAP implementations.
    What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s),
    LDAP host/port and bind user to connect to LDAP).
    Thanks a lot!
    Paul

    I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about
    effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the
    nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
    But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific
    LDAP.
    Again - note that this question has nothing to do with LDAP or AD.  It just asks what group has permissions on what resources.
    I really think you would do well to spend time understanding the NTFS and its security along with how we sue security in Windows.  By assuming this has something to do with AD you are making it a bigger issue than needed.  AD is a repository for
    accounts and trusts and manages authentication and security group membership.  All file security is managed by the OS that hosts the files and not by AD.  Users are not normally granted access to resources through direct inclusion in the DACL but
    are given access through membership in one or more groups.  Loading AD into a SQLL database will not help you.
    ¯\_(ツ)_/¯

  • Renaming a managed LDAP group from a workflow

    Does anyone know how to rename an ldap group from within a custom workflow? The closest thing i've found is the resourceobjectrename.jsp that is called from the admin interface.
    Thanks,
    David

    Emir,
    Thanks for the response!   The version we are using is 2006.0.7.1.   The scenario I gave was only an example...   We are looking to address a dictionary permission issue due to regulatory issues.   We have fields in LDAP that contain the regulatory rules and have a need to permission dictionaries (read access) based on these rules.
    Just curious...how do you setup filters to ignore users?   Is this manually managed?  &

  • LDAP group query failure during per-recipient scanning, poss

    I am trying to figure out what this is referring to:
    LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server
    I can still send test messages from my e-mail.
    Is it possible tht a user is trying to send in corectly..hmmm

    If you create a LDAP debug log from within the GUI, this will give you a more in depth look into the query that is being sent to your LDAP server and also more important any errors that are being returned.
    Great log for troubleshooting any LDAP related issues.

  • Report with grouping issue

    I have a report which have year(2008), Category(0-1,2-3, ALL), product(0,1,2,3,4..), % sales. I group by all the category elements and called it as All, I am not getting the right percentage sales for the Category ALL other wise for 0-1,2-3 i am getting it right. Please advise where i am doing it wrong. please find the blog for a screen shot of my issue.
    http://ravibiblog.blogspot.com/2012/04/report-with-grouping-issue.html
    Thanks,
    RC

    Pl post details of OS, database and EBS versions. Pl see if these MOS Docs can help
    FARXPBSH Failing With "Program was terminated by signal 11" or "Program was terminated by signal 10"          (Doc ID 742729.1)
    Publishing RXAPPYAC: The FARXPBSH Ends With 'Signal 11' Error          (Doc ID 432797.1)
    RXi RX Reports Failing With Program Was Terminated By Signal 10 or 11 Errors After FA Rollup Patch 6          (Doc ID 737963.1)
    Program was Terminated by Signal 11 when Running Rxi Reports          (Doc ID 559425.1)
    HTH
    Srini

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group then its not added and I get below error message in the Logging directory  for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
    In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
    In Web AS ABAP it seems impossible to assign roles to groups.
    <b>The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?</b>
    Or is there another way to administrate users in different systems?
    Thanks alot for your answers,
    stefan

    Hi
    in this case u have to use the concept of central user administration. use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps u to get fair bit of idea
    don,t forget to give points
    With regards
    subrato kundu

  • Sorting /Grouping Issue: Single Artist Compilation Album Doesn't Group

    iTunes 8 Sorting / Grouping Issue
    EXAMPLE
    • Album: Essential Willie Nelson
    • There are 22 songs on this Disc
    • 19 of them are labelled "Willie Nelson" in the artist field
    • 3 of them are lebelled "Willie Nelson Feat. Waylon Jennings" in the artist field
    PROBLEM
    • Album will not stay grouped together when in the standard "Sort by Artist" in Grid View. A very legitimate expectation to be able to have Willie's name listed along with his pals in the artist field and have them grouped together in one album within Willie's albums section. 19 songs group within one album in the Willie Nelson section and the other 3 are placed separately either in the compilation section or as separate albums within the regular artists grid view.
    I've read most if not all postings that suggest solutions but no matter what... they don't work. The only way that I know to work is to strip out all other names and leave only "Willie Nelson" in the Artist field. All other sorting and grouping options don't work for this issue... I've tied every combination. My opinion is that this is just a limitation at this time and there is no solution until future updates. I don't want a cheezy work-around either, that's very "unApple like". I assume it to be fixed in future updates.
    Bueller... Bueller?
    Anyone?

    There's a few other "goodies" I have found also but haven't had time to check out.
    If you have songs not in iTunes that you want to add to iTunes in a different format than the song is in...
    (This is carried over from at least 7.4)
    Set the Importing prefs to what you want the new file to be.
    Hold the Option key and go to menu Advanced and select *Convert selection to* AAC (or whatever is in the Import prefs}.
    This will add it to iTunes in the new format.
    Previously, you had to Import the file, change the prefs, go to Advanced - *Convert selection to*, convert the file, then delete the original from iTunes.
    This is new...
    In iTunes 8, go to to File - > *Show duplicates*. (moved from View menu).
    Now hold Option and go to to File and it now displays *Show exact duplicates*.
    Don't know what it means by *exact duplicate* though.

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
    2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
    contractactors and employess. How do I map LDAP group contractors to weblogic security
    Role contractors? Similarly for employees ?
    2. I have not defined contarctors and employeees under People container in IPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
    under People ) OR I have to write my own custom code ?
    3. I am planning to use Roles insetad of groups to manage the logical grouping in
    iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
    parameters ?)
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the istructions that camewith
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

Maybe you are looking for