LDAP groups to pool assignation problem

Hi All,
I have created two pools "Vista" and "Ubuntu" with two LDAP groups associated ("Vista" and "Ubuntu"). I have a user "XX" who is in both LDAP groups (Vista and Ubuntu).
When I display information about user XX in the Web interface, I get the information that the user is in 2 pools. But when I try to connect, I don't get any chooser and a desktop is started (generally the last used).
Both pools contain enough free desktops (about 10).
I have tried to use the "vda" command to see the configuration from the command line. Unfortunately, I don't succeed. The command "vda user-search" gives me the answer "XX uid=XX,ou=People" and when I try to pass the command "vda user-show XX" I get the answer "user not found, try command vda user-search".
I use the VDI3 software with the latest patches.
Any help or idea would be greatly appreciated.
Thanks
rhino64

Hello,
you can look for more information about the failing commands in the cacao log file
/var/cacao/instances/default/logs/cacao.0
after increasing the log level as explained in:
http://wikis.sun.com/pages/viewpage.action?pageId=139002331

rhino64 wrote:
root@zzz:/ # vda user-show test1
User test1 not found. Use the user-search subcommand to search for existing
users or groups.
root@zzz:/ # vda user-show 10009
User 10009 not found. Use the user-search subcommand to search for existing
users or groups.

In the two commands above, you seem to be trying to use the userid of the user. VDI uses the list of attributes defined in the global setting ldap.userid.attributes to search for users from their userid. So what is the value of the ldap.userid.attributes setting?
# /opt/SUNWvda/sbin/vda settings-getprops -p ldap.userid.attributes
And then what is the value of the corresponding attribute for your user? You should use this value as the userid for your user.
It is up to you to decide which attribute of the directory is the userid of your user, and then edit ldap.userid.attributes accordingly.
See http://wikis.sun.com/display/VDI3/Customizing+the+LDAP+Filters+and+Attributes for more details.

root@zzz:/ # vda user-show 'cn=test1,ou=People'
User cn=test1,ou=People not found. Use the user-search subcommand to search for
existing users or groups.

This command would not work because, as listed in the user-search command, the dn for your user is not cn=test1...

root@zzz:/ # vda user-show 'uid=test1,ou=People'
User uid=test1,ou=People not found. Use the user-search subcommand to search for
existing users or groups.

This command should work fine and I can't really explain why it doesn't. The only difference I can see with the result of user-search is the capitalized 'People', so maybe try:
# vda user-show 'uid=test1,ou=people'
Katell
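The reply above describes two steps: the broker searches the attributes listed in ldap.userid.attributes for the userid, and user-show then resolves a DN. The example below models both against a constructed in-memory directory. It is added here as an illustration and is not Sun VDI's code; the entries, the attribute names uidNumber and cn, and the case-insensitive DN lookup are assumptions made for the example. The filter builder escapes the userid per RFC 4515, which matters whenever the id comes from user input.

```python
"""Resolve a user id to a directory entry the way the reply describes: search
the attributes listed in a userid-attributes setting (VDI's
ldap.userid.attributes on this page), then look the DN up case-insensitively.
Added example for this thread, not Sun VDI's code; the entries below are a
constructed in-memory sample, so nothing here contacts a real directory."""

from typing import Dict, List, Optional

# Constructed sample entries: DN -> attributes. Shaped like the user-search
# output quoted in the thread (uid=test1,ou=People).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=test1,ou=People": {"uid": ["test1"], "cn": ["Test One"], "uidNumber": ["10009"]},
    "uid=alice,ou=People": {"uid": ["alice"], "cn": ["Alice Example"], "uidNumber": ["10010"]},
    "cn=Vista,ou=Groups": {"cn": ["Vista"], "uniqueMember": ["uid=test1,ou=People"]},
}

# RFC 4515 escapes for assertion values. Without them a user-controlled id
# such as "*" or "x)(uid=admin" would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_userid_filter(userid: str, userid_attributes: List[str]) -> str:
    """The filter a broker would send to the directory: one equality clause per
    configured userid attribute, OR-ed together when there is more than one."""
    safe = escape_filter_value(userid)
    clauses = "".join(f"({attr}={safe})" for attr in userid_attributes)
    return clauses if len(userid_attributes) == 1 else f"(|{clauses})"


def find_user(userid: str, userid_attributes: List[str]) -> Optional[str]:
    """Evaluate that same equality test against the sample entries (value
    comparison is case-insensitive, as caseIgnoreMatch attributes are) and
    return the matching DN, or None when no configured attribute holds the id."""
    for dn, attrs in DIRECTORY.items():
        for attr in userid_attributes:
            if any(v.lower() == userid.lower() for v in attrs.get(attr, [])):
                return dn
    return None


def normalize_dn(dn: str) -> str:
    # Simplified DN key: case-insensitive, spaces around commas ignored. Assumes
    # no escaped commas in RDN values (true for the DNs in this thread).
    return ",".join(part.strip().lower() for part in dn.split(","))


def show_user(dn: str) -> Optional[Dict[str, List[str]]]:
    """The user-show step: look the DN up without caring about the case of
    'ou=People' versus 'ou=people'."""
    wanted = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == wanted:
            return attrs
    return None


if __name__ == "__main__":
    # With only "uid" configured, the numeric id 10009 is not found; adding
    # uidNumber to the list (the ldap.userid.attributes decision) makes it resolve.
    for attrs in (["uid"], ["uid", "uidNumber"]):
        print(attrs, build_userid_filter("10009", attrs), "->", find_user("10009", attrs))
    print(show_user("uid=test1,ou=people"))
```

The point of the two find_user calls is the one the reply makes: whether "10009" resolves depends entirely on which attributes the setting lists, not on the entry existing.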

Similar Messages

  • Assign role to LDAP group

    Hello,
    I've assigned a role to an LDAP group in the portal. But when accessing it displays: 'No portal roles are assigned for this user'.
    The user is included in the LDAP group but I don't know why it doesn't display anything.
    Please, do you know what it could be?
    Thanks in advance

    Hi Isabel,
    this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
    If this is working, then we probably have to increase the log levels and check from there.
    You could also try to remove the role from the group and reassign it again.
    If it's not working: remove it again and this time search for the role and assign the group to it.
    Please come back if it is not working. Then we will try to dig deeper.
    Regards,
    Holger.

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins") works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM, which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using the CLI ("scope security/ldap/ldap-group"), where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows it as if we had used "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor
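Both the question and the follow-up turn on how a DN with a space in a value is written and compared. The parser below follows RFC 4514: a space inside a value such as CN=UCS Admins is ordinary data, only a few characters need backslash escaping, and the older quoted form CN="UCS Admins" is a different syntax (RFC 2253) that a parser either accepts as delimiters or treats as literal quote characters. This is an added example for the thread, not Cisco UCS or Active Directory code, and it makes no claim about how UCSM stores the mapping; the accept_legacy_quotes switch and the whitespace-folding comparison are assumptions of the example.

```python
"""Parse and compare distinguished names per RFC 4514, where a space inside a
value (CN=UCS Admins) is an ordinary character and only a handful of
characters need backslash escaping. Added example for this thread; it is not
Cisco UCS or Active Directory code. The quoted form CN="UCS Admins" is the
older RFC 2253 syntax, accepted here only when explicitly enabled, to show
that it yields the same DN once the quotes are treated as delimiters."""

from typing import List, Optional, Tuple

HEX = "0123456789abcdefABCDEF"
# Characters that must be escaped inside an RDN value when serialising
# (RFC 4514 section 2.4), plus a leading '#' and leading or trailing spaces.
_SPECIAL = set('",+;<>\\')


def _join(buf: List[Tuple[str, bool]]) -> str:
    """Join (char, was_escaped) pairs, dropping only unescaped edge spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (" ", False):
        start += 1
    while end > start and buf[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in buf[start:end])


def parse_dn(dn: str, accept_legacy_quotes: bool = False) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs in the order written.
    Handles '\\x' escapes and '\\2C'-style hex pairs; multi-valued RDNs ('+')
    are out of scope for this example."""
    rdns: List[Tuple[str, str]] = []
    buf: List[Tuple[str, bool]] = []
    attr: Optional[str] = None
    in_quotes = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))  # single-byte hex escape
                i += 3
            else:
                buf.append((dn[i + 1], True))
                i += 2
            continue
        if ch == '"' and accept_legacy_quotes and attr is not None:
            in_quotes = not in_quotes  # legacy quoted value: quotes delimit, they are not data
        elif ch == "=" and attr is None:
            attr = _join(buf)
            buf = []
        elif ch == "," and not in_quotes:
            if attr is None:
                raise ValueError(f"RDN without '=' before position {i}")
            rdns.append((attr, _join(buf)))
            attr, buf = None, []
        else:
            buf.append((ch, in_quotes))  # inside quotes, spaces and commas are data
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    if attr is None:
        raise ValueError("DN ends with an incomplete RDN")
    rdns.append((attr, _join(buf)))
    return rdns


def escape_rdn_value(value: str) -> str:
    """Serialise a value the RFC 4514 way: an interior space needs nothing."""
    out = []
    for idx, ch in enumerate(value):
        leading = idx == 0 and ch in " #"
        trailing = idx == len(value) - 1 and ch == " "
        if ch in _SPECIAL or leading or trailing:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def to_string(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)


def dn_equal(a: str, b: str) -> bool:
    """Compare types and values case-insensitively with runs of whitespace
    folded (caseIgnoreMatch behaviour, which CN/OU/DC use). Both sides are
    parsed strictly, so a literal quote character is part of the value."""
    pa, pb = parse_dn(a), parse_dn(b)
    return len(pa) == len(pb) and all(
        ta.lower() == tb.lower() and " ".join(va.split()).lower() == " ".join(vb.split()).lower()
        for (ta, va), (tb, vb) in zip(pa, pb)
    )


if __name__ == "__main__":
    group = "CN=UCS Admins,OU=TEST,DC=TEST"
    print(parse_dn(group))
    print(parse_dn('CN="UCS Admins",OU=TEST,DC=TEST', accept_legacy_quotes=True))
    print(dn_equal('CN="UCS Admins",OU=TEST,DC=TEST', group))  # quotes taken literally: False
    print(to_string([("CN", "Smith, John"), ("OU", "Users")]))
```

The last print is the comparison worth checking on any product that maps groups by DN string: if the stored value keeps the quote characters, it will never equal the directory's own DN, whereas the unquoted form with the space is already the correct RFC 4514 spelling.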

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    I am trying to build up synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administer the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and achieve synchronized user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is: is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?
    Or is there another way to administer users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    In this case you have to use the concept of central user administration. Use the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    Hope this helps you to get a fair idea.
    Don't forget to give points.
    With regards
    subrato kundu

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs in our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it works fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • LDAP Groups Performance

    I am planning LDAP authentication for a portal and am looking at assigning LDAP groups to portal roles to ease user administration because there will be a significant number of users.
    I've done this before with smaller numbers of users, but have heard concerns that with a large number of user accounts, authentication would take too long and would pose a problem. I don't know for sure if this is true and will be trying to test this out.
    Would appreciate advice / experience / references if available.
    Regards,
    Tom

    Hi Thomas,
    I don't think this is a problem if directories are properly tuned.
    In fact we connect to an AD having 80k users and it works perfectly fine. But remember that your LDAP should be tuned properly and maybe you can have indexes too.
    Regards,
    Piyush
    PS: please mark useful answers.

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials".
    That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group for the users I want to include in my OID directory.
    Now at Builder->Application...->Security->Authorization Schemes
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source (Identify Query or PL/SQL) is as follows and is set to "Once Per Session":
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory 'wcd_HTMLDB' is the subgroup under the group "portal.040323.1220".
    I have included 3 users in the group 'wcd_HTMLDB'.
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then use that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • IMEI based IP Pool assignment GGSN

    Hi Expert,
    I have the following query: can we assign different IP addresses to the same APN request based on IMEI number? In other words:
    if a request for the “internet” APN comes from an iPhone handset/IMEI, I want to assign to it an IP address from the following pool of IP addresses: 10.10.0.0/16 subnet.
    If a request for the “internet” APN comes from a Blackberry handset/IMEI, I want to assign to it an IP address from the following pool of IP addresses: 10.70.0.0/16 subnet.
    Thank you
    Tribhuwan Singh Danu

    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnadd.html#wp999685
    http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1753749
    Using attribute 217 and Group mapping, pool names can be pushed from ACS.

  • Ldap groups

    Hi,
    I have 5 roles and each role selection should provision the user to a separate LDAP group + a default LDAP group.
    How can I achieve that...
    dn: cn=group1,ou=people,o=domain,o=com
    + dn: cn=mail,ou=people,o=domain,o=com
    Where cn=mail is common for every role selection. I have a variable temp which generates group values based on role selection and I am mapping it in the identity template. I think that will provision the user to one group. How can I provision the user to the default group?
    Any ideas?

    Hi,
    Here is one suggestion:
    Edit each role using the admin pages under the Roles tab; you will see
    a section called Assigned Resources, where you can set resource attribute values.
    Here you can override the ldapGroups attribute for your LDAP resource.
    ldapGroups is a List, so you want to add a specific cn=...
    string to the existing ldapGroups list. This seems to work well and no XML editing is required!
    The effect of this will be that different DNs will get added to the ldapGroups
    variable, depending on which role gets assigned to the user.
    Does that make sense? Hope this helps.
    As for the default DN (cn=mail...), you can either do it the same way (but call a rule rather than replicating the DN 5 times for each resource), or put that into the user form
    that gets invoked.
    I'm not sure if I explained this well enough; I hope this helps,
    John I

  • New user creation in AE- user group not getting assigned

    Hi All,
    Here is a typical case, wherein when we create a new user with AE for the production system, the user gets created and the roles are also assigned but the user group is not getting assigned. The user group is being fetched from a table from the backend and all that is working fine. In fact, in order to test the configurations we even created a new user in the production instance of AE giving the development system as the target system for user creation, and in this case the user was successfully created and the user group was also assigned. The problem arises only when the target system is the production system.
    Connectors are all working fine, but we are unable to think of a reason. Can somebody help us on this?

    Hi Vani,
    If you are provisioning the user group using user defaults, check that the production system is selected in the user defaults configured (Configuration -> User Defaults). You can define any user default system, but for the particular user defaults that are applicable, define all the systems in which you want user defaults to be provisioned.
    Kind Regards,
    Srinivasan

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP.  It is working fine but when I assigned roles to the LDAP group instead of UME group, they are not taking effect when I refresh the browser.  My service account that I set up in the keytab file is a read only account for the LDAP.  Is there some permission issue that I have to do to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is read-only.
    In this case, it is not possible to modify data in LDAP.
    You must connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example I want to allow an existing user;
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by LDAP Group;
    cn=AppGroup1,ou=Groups,o=mycompany
    this group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • Ldap group lookups very slow

    We are currently testing Solaris 11 on one of our servers. We are encountering the problem that ldap group lookups are very slow. This didn't occur under Solaris 10. The ldap information is held in Active Directory with all unix information held in a relatively small separate branch, except for passwd information, which is held in the main very large part of AD (using the same user object for unix as used for the equivalent Windows user but with the added unix posixAccount attributes). What appears to be happening is that the first search is very quick when it accesses posixGroup information from the unix branch but it then tries to perform a memberOf search which must be using the passwd search base which then searches the whole of the AD and it is this part which is extremely slow. Is there any way of disabling the memberOf search?
    The following snoop information is an example of the problem search:
    LDAP: Operation *[APPL 3: Search Request]
    LDAP: [Base Object]
    LDAP: ou=uol,dc=livad,dc=liv,dc=ac,dc=
    LDAP: uk
    LDAP: [Scope]
    LDAP: wholeSubtree
    LDAP: [DerefAliases]
    LDAP: derefAlways
    LDAP: [SizeLimit]
    LDAP: [TimeLimit]
    LDAP: [TypesOnly]
    LDAP: Extensible Match *[9]
    LDAP: MatchingRule [1]
    LDAP: 1.2.840.113556.1.4.1941
    LDAP: Type [2]
    LDAP: memberOf
    LDAP: MatchValue [3]
    LDAP: CN=eme,OU=Group,OU=Unix,OU=UOL
    LDAP: ,DC=livad,DC=liv,DC=ac,DC=uk
    LDAP: dnAttributes [4]
    LDAP: *[Sequence]
    LDAP: [OctetString]
    LDAP: sAMAccountName
    LDAP: [OctetString]
    LDAP: objectClass
    LDAP: Controls List *[0]
    LDAP: *[Control]
    LDAP: [LDAP OID]
    LDAP: 1.2.840.113556.1.4.473
    LDAP: [Criticality]
    LDAP: [Control value]
    LDAP: *[Control]
    LDAP: [LDAP OID]
    LDAP: 2.16.840.1.113730.3.4.9
    LDAP: [Criticality]
    LDAP: [Control value]
    This is our ldap_client_file
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_AUTH= simple
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    NS_LDAP_SEARCH_BASEDN= ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
    NS_LDAP_BIND_TIME= 5
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SERVERS= bhdc01.livad.liv.ac.uk
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
    NS_LDAP_SEARCH_TIME= 8
    NS_LDAP_CACHETTL= 0

    Are you testing on the same machine, or are you testing SQL*Plus on the database machine directly?
    Tony
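The post leaves the reader to check its own reading of the trace: that the memberOf search is issued from the passwd search base rather than the group base. The example below parses the ldap_client_file format quoted in the post (NS_LDAP_* keys, some repeated) and compares the base object from the snoop trace with the per-service search bases it configures. It is an added example for this thread, not Solaris, Oracle or Microsoft code; the configuration lines and trace values are copied from the post, the matching-rule OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, and nothing here connects to a directory.

```python
"""Parse the Solaris ldap_client_file format quoted above and compare the base
DN seen in the snoop trace with the per-service search bases the file
configures. Added example for this thread, not Solaris, Oracle or Microsoft
code; the configuration text and trace values are copied from the post, and
nothing here connects to a directory."""

from typing import Dict, List, Tuple

LDAP_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_AUTH= simple
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_SEARCH_BASEDN= ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,ou=unix,ou=uol,dc=livad,dc=liv,dc=ac,dc=uk?sub
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
"""

# Values from the snoop trace in the post (the base object and the match value
# were each wrapped across two trace lines; joined here).
TRACE_BASE = "ou=uol,dc=livad,dc=liv,dc=ac,dc=uk"
TRACE_RULE = "1.2.840.113556.1.4.1941"  # Active Directory's LDAP_MATCHING_RULE_IN_CHAIN
TRACE_VALUE = "CN=eme,OU=Group,OU=Unix,OU=UOL,DC=livad,DC=liv,DC=ac,DC=uk"


def parse_client_file(text: str) -> Dict[str, List[str]]:
    """Keys such as NS_LDAP_SERVICE_SEARCH_DESC repeat, so each key maps to a list."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # first '=' only: the values contain '='
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def service_search_descriptors(cfg: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """service -> (base DN, scope) from 'svc:base?scope' descriptors."""
    out: Dict[str, Tuple[str, str]] = {}
    for ssd in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        service, _, rest = ssd.partition(":")
        base, _, scope = rest.partition("?")
        out[service] = (base, scope or "sub")
    return out


def search_base_for(cfg: Dict[str, List[str]], service: str) -> Tuple[str, str]:
    """Effective base and scope: the service descriptor if present, else the global defaults."""
    ssd = service_search_descriptors(cfg)
    if service in ssd:
        return ssd[service]
    return (cfg["NS_LDAP_SEARCH_BASEDN"][0], cfg.get("NS_LDAP_SEARCH_SCOPE", ["sub"])[0])


def _norm(dn: str) -> str:
    # Case-insensitive DN key; assumes no escaped commas in these DNs.
    return ",".join(p.strip().lower() for p in dn.split(","))


def services_using_base(cfg: Dict[str, List[str]], base: str) -> List[str]:
    """Which configured services search from exactly this base."""
    return sorted(s for s, (b, _) in service_search_descriptors(cfg).items() if _norm(b) == _norm(base))


def is_ancestor(base: str, dn: str) -> bool:
    """True when a subtree search from `base` also covers `dn`."""
    return _norm(dn).endswith("," + _norm(base))


def render_extensible_match(attr: str, rule: str, value: str) -> str:
    """The filter text equivalent of the trace's 'Extensible Match' item."""
    return f"({attr}:{rule}:={value})"


if __name__ == "__main__":
    cfg = parse_client_file(LDAP_CLIENT_FILE)
    print("filter:", render_extensible_match("memberOf", TRACE_RULE, TRACE_VALUE))
    print("trace base matches service(s):", services_using_base(cfg, TRACE_BASE))
    group_base, _ = search_base_for(cfg, "group")
    print("trace base contains the group base:", is_ancestor(TRACE_BASE, group_base))
```

Run as written, services_using_base reports only passwd for the trace's base object, and is_ancestor shows that base sits above the group base, so a subtree search from it walks the large part of the tree the post describes.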

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but is unable to recognize groups. Here is my weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>channel-role</role-name>
    <principal-name>system</principal-name>
    <principal-name>mygroup</principal-name>
    <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes user system but not the group. The LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials from the client of a uniquemember, WLS generates a security exception. It won't recognise mygroup or cn=mygroup,ou=groups,o=mycompany either.
    Any suggestions?
    Thanks
    -Surya

    Yes, it has an impact. You create groups in the Repository & Answers and assign the object level permissions.
    You populate the Group variable during authentication via the LDAP server. Once you log in with name X you see the authorized groups in My Account.
    For dashboard A - for group Executive - user X - you have given full access.
    Now you have changed the group name to AD_Executive. When you log in, the variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names then get groups from the database using an init block after authorization.

  • Select list populated with ldap group membership attributes

    Is it possible to query an LDAP group and retrieve all the members of the group?
    For example, if I have an LDAP group with members' login name, I want to retrieve all login names and populate a select list so the end-user can choose a login name from the group.
    Thanks, alan.

    The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select list is the list item's value, all your list item entries have the same value. Therefore, if you select any entry, the list will always go to the first entry again.
    Adjust your query.
