LDAP Profile Source

Hi, I've got a problem with LDAP Profile Source.
In my LDAP I've got two OUs for my users. In the first OU "ou=People" I've got: uid, Name, Society and in the second OU "ou=Society": Address, Telephone, Fax.
I don't know how to get data from multi OU with LDAP Profile Object.

Along the lines of what Mark was saying - you must have a single auth source that is bringing in multiple OUs. The trick is that you can have multiple profile sources, simply set the query base in each to your specific OU with the specific property map for that OU. Set each profile source to profile sync the everyone group for your auth source. Each user in the entire auth source will be sync'd by each profile source, but the users will only match one of the two profile sources. This way they get properly sync'd and you get the correct vars.
The other thing you can do is simply set up a single profile source, put all the properties in the property map regardless of OU. Only the properties that values exist for will get imported to the users they exist for. If you want to limit the props however (i.e. they actually exist for both OUs but you only want the ones you specify to show up), then you need to take the 2 profile source route.
Hope this helps,
Akash

Similar Messages

  • LDAP Profile Source - "Remote Unique Name" oddity

    We have an Active Directory that I've set up to use as an Authentication Source, and it also retrieves a few properties from there - not a problem.
    We also have an LDAP directory which contains other attributes of users that I need to retrieve.
    I set everything up as I thought it should be, however it's querying the LDAP server with the wrong parameters!
    An example user I have is IUSER\803244205. ALUI is showing the Login Name as "IUSER\803244205", the Remote Unique Name as "137eb349-7579-4b15-9a68-b1bff296d933" and the Remote Authentication Name as "803244205@IUSER".
    When I look at the LDAP job, the error log is showing that it's trying to sync using the Remote Unique Name -
    Unable to attach to user 137eb349-7579-4b15-9a68-b1bff296d933, user not found
    My LDAP directory only holds (and is keyed on) the numeric portion of the login name (known as EIN to us) - 803244205. I have got this EIN as a property of the user (a separate Property that I have mapped to the User object), which is held as a separate attribute on the Active Directory.
    So how do I tell the sync job to use the EIN (which happens to be the "User Name Attribute" on the Authentication Source - samAccountName), rather than trying to use the "Remote Unique Name", which it appears to have generated for itself!
    Cheers

    Arrgh! Just found the option for myself, seconds after posting this! Cheers anyway.

  • Regd LDAP Profile Synch web service

    Hi,
    I am using the plumtree provided LDAP profile sync web service. I have a query regarding the re-sync operation.
    How is the re-sync operation implemented? Will the re-sync occur for all the users or will it query the LDAP change log and find out all the users that have changed since the last job run and then sync the profiles of only the changed users?
    I think this is the way it works, but pls confirm
    regards
    raghu

    On the LDAP Profile source you can configure a Signature Attribute. This attribute should be some sort of modify timestamp. When the job runs it will go through each user and check their current signature attribute vs. the one saved on the portal. If the value is the same, the rest of the profile attributes will not be retrieved and written to the Plumtree DB.

  • Property Mapping in remote Profile source vs. User Profile Mgr

    I am confused about Property to user info mapping. I have mapped the user properties that I need to the user info attributes in the user profile manager. However, if I go to set up the profile source, I am prompted to set up the mapping again. It does not recognize the mapping already done through the user profile manager. What am I missing or not doing correctly? Do I only need to set up the Profile source, not the user profile manager? I'd appreciate any insight into the differences between the two.
    Thanks.
    Vanita
    Staples

    On the Profile source, the property map you define here maps Plumtree properties to the attribute names on the remote system you are synching with. An example from the LDAP PWS: on the portal there is a property called "Email Address". LDAP does not have an attribute with the exact name "Email Address", instead this information is stored in an attribute called "mail". So on the Profile Source, you have to map "Email Address" to "mail".
    The map on the User Profile Manager allows you to map Plumtree properties to the name of the user info header you want sent to portlets. For most cases this is the same as the property name.

  • Jabber for Windows LDAP Profiles

    I have been unable to find a lot of information on LDAP profiles, but I came across a blog that said that LDAP profiles are only used for Android, iphone and ipad. It stated that the only way to control the search base on Jabber for Windows is by using the jabber-config.xml file. So far this appears to be true based on my limited testing.
    I have been able to integrate with OpenLDAP using the jabber-config.xml file to set the server and search base. The only problem I can see with this particular design is I would have to give all users the same LDAP profile and search settings. In our environment this will not satisfy our requirements.
    Does anyone know of a way where I can integrate with OpenLDAP, use the Jabber for Windows client and control the LDAP search settings on a per user basis?
    Thanks

    Yes but you won't like it.
    Group Configuration File Names
    You specify the name of the group configuration files in the Cisco Support Field on the CSF device configuration in Cisco Unified Communications Manager.
    If you remove the name of the group configuration file in the CSF device configuration on Cisco Unified Communications Manager, Cisco Jabber for Windows detects the change, prompts the users to sign out, and loads the global configuration file. You can remove the name of the group configuration file in the CSF device configuration by deleting the entire configurationFile=group_configuration_file_name.xml string or by deleting the group configuration filename from the string.
    If users have desk phone devices only, use the following command line argument to specify unique names configuration files for different groups:
        TFTP_FILE_NAME
    See the Install Cisco Jabber for Windows chapter for more information about the command line arguments.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • SOAP Error in Profile Source

    I've written a profile service to import employee information from our HR system to populate user profiles.
    When I run the Profile Source Job, I'm getting this error:
    4/14/04 13:16:48- The Profile Source encountered an error (0x80004005): CPTRAPProvider::Initialize, PWS SOAP call failed.
    4/14/04 13:16:48- *** Job Operation #1 failed: The Profile Source encountered an error (0x80004005): CPTRAPProvider::Initialize, PWS SOAP call failed. (0x4)
    4/14/04 13:16:48- Done with job operations.
    4/14/04 13:16:48- The Profile Source encountered an error (0x80004005): CPTRAPProvider::Initialize, PWS SOAP call failed.
    Does this look familiar to anyone?
    Thanks,
    Wes

    Joseph, Akash--Let me answer your questions:
    Coding is set to Doc Literal for .net
    Soap timeout is 30 seconds (this is an immediate error)
    I can access the web service from the automation server
    I'm using the Remote Server Basic Authentication
    Haven't gone the TCPTrace route yet.
    I run Spy from the portal server 98% of the time-- I often forget to run it on the remote servers. When I ran Spy from the Automation Server, it looks like there is SOAP exception being thrown by the remote Profile Web Service when the Initialize call is made:
    3342 04-15 10:37:16 Warn SOAP 6092 6084 Envelope.cpp(105) *** COM exception caught *** Error info: IDispatch error #19876 (0x80044fa4): [SOAP fault: faultcode='soap:Server' faultstring='System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.IO.FileNotFoundException: File or assembly name openfoundation, or one of its dependencies, was not found.
    File name: "openfoundation"
       at Plumtree.Remote.Profile.Soap.ProfileProviderSoapBinding.Initialize(PropertyListArray PropertyList, NamedValueHolder ProfileSourceInfo, NamedValueHolder AuthSourceInfo)
    === Pre-bind state information ===
    LOG: DisplayName = openfoundation, Version=2.0.9.8318, Culture=neutral, PublicKeyToken=d0e882dd51ca12c5
    (Fully-specified)
    LOG: Appbase = file:///C:/Inetpub/wwwroot/Abra
    LOG: Initial PrivatePath = bin
    Calling assembly : xpcommon, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null.
    ===
    LOG: Publisher policy file is not found.
    LOG: No redirect found in host configuration file (C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet.config).
    LOG: Using machine configuration file from C:\WINNT\Microsoft.NET\Framework\v1.1.4322\config\machine.config.
    LOG: Post-policy reference: openfoundation, Version=2.0.9.8318, Culture=neutral, PublicKeyToken=d0e882dd51ca12c5
    LOG: Attempting download of new URL file:///C:/WINNT/Microsoft.NET/Framework/v1.1.4322/TemporaryASP.NET Files/abra/16123dc4/9c23a487/openfoundation.DLL.
    LOG: Attempting download of new URL file:///C:/WINNT/Microsoft.NET/Framework/v1.1.4322/TemporaryASP.NET Files/abra/16123dc4/9c23a487/openfoundation/openfoundation.DLL.
    LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/Abra/bin/openfoundation.DLL.
    LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/Abra/bin/openfoundation/openfoundation.DLL.
    LOG: Attempting download of new URL file:///C:/WINNT/Microsoft.NET/Framework/v1.1.4322/TemporaryASP.NET Files/abra/16123dc4/9c23a487/openfoundation.EXE.
    LOG: Attempting download of new URL file:///C:/WINNT/Microsoft.NET/Framework/v1.1.4322/TemporaryASP.NET Files/abra/16123dc4/9c23a487/openfoundation/openfoundation.EXE.
    LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/Abra/bin/openfoundation.EXE.
    LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/Abra/bin/openfoundation/openfoundation.EXE.
     --- End of inner exception stack trace ---'] (105,Envelope.cpp)
    Since we've identified a SOAP exception, what do I need to do next?
    Thanks all--Wes

  • Multiple profile sources...ways to combine properties

    My situation:
    every user is in back end data source 1 (DS1)
    some users are in back end data source 2 (DS2)
    I can sync in properties from DS1, but it's probably out of date. If they are in DS2, then I can sync in this more up to date info. However, there is no way to say "if this property exists in DS2, use it, otherwise, use the property from DS1". Each profile source will overwrite the properties from the other profile source.
    I'd combine them into 1 profile source but DS1 is the active directory profile source so I don't want to have to edit it or create my own.
    Is there any way around this?

    Joel Collins wrote:
    I'd combine them into 1 profile source but DS1 is the active directory profile source so I don't want to have to edit it or create my own.
    While it might be the more complex option I think this is the best long term solution to data redundancy. At the very least reconcile the shared data fields and eliminate them from whichever source is less used.

  • Multiple LDAP data sources in EP7.0 SP14

    Hello,
    I am new to a site that uses portal and SSO between portal and AD LDAP. The portal version is EP7.0 SP14. The datasource is configured with 'datasourceConfiguration_ads_readonly_db_with_krb5.xml'. User path is OU=Users,OU=Finance,DC=io,DC=network and Group Path is  OU=Groups,OU=Finance,DC=io,DC=network. The flag to use the Unique ID is also set to 'samaccountname'. The problem is that we also have users in OU=Admins,OU=Finance,DC=io,DC=network and OU=Managers,OU=Finance,DC=io,DC=network in the same AD LDAP that are not visible to the portal but we would like them to be?
    It did appear to work if I changed the User Path to OU=Finance,DC=io,DC=network but I can not find any SAP document that supports doing this?
    I have seen the document 'Configure multiple LDAP data sources for the UME' with the following link https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e1959b90-0201-0010-849c-d2b1d574768b however this specifies EP6 so I'm not sure if it is still relevant?
    Also somebody did warn me with "If you change the xml file it will remove all current user mappings to the portal, all the groups mapped to roles will be lost and you will have to set them up again". Is this true?
    Am I supposed to be using the SPNego Wizard as described in SAP Note 994791?
    And possibly the following links for configuring and testing the SPNego...
    Configuring and troubleshooting SPNego -- Part 1
    Configuring and troubleshooting SPNego -- Part 2
    Any guidance towards the best approach to solve our problem would be greatly appreciated.
    Thanks,
    Dave

    Hi Dave,
    It did appear to work if I changed the User Path to OU=Finance,DC=io,DC=network but I can not find any SAP document that supports doing this?
    OK, I am not an LDAP expert, but if you just want to change your entry point in the structure, I do not see how this would be a problem. I do not know what kind of statement you would expect in the SAP documentation allowing this. Maybe this will answer your question: [Organization of Users and Groups in LDAP Directory|http://help.sap.com/saphelp_nw04s/helpdata/en/09/c5ee407552742ae10000000a155106/frameset.htm]
    I have seen the document 'Configure multiple LDAP data sources for the UME' with the following ... however this specifies EP6 so I'm not sure if it is still relevant?
    This function has not changed much since EP6, only the administration tools.
    Also somebody did warn me with "If you change the xml file it will remove all current user mappings to the portal, all the groups mapped to roles will be lost and you will have to set them up again". Is this true?
    It depends on how you change the XML file, but it does not sound like you need to do this, just the configuration of the connection to the LDAP, that is, higher in the structure.
    Am I supposed to be using the SPNego Wizard as described in SAP Note 994791?
    Only if you want to use SPNego for SSO.
    -Michael

  • CUPC not logging in after changing LDAP profile

    Hi,
    We are using Cisco Call Manager version 7.0.2.20000-5 and using Cisco Unified Presence Administration System version: 7.0.4.10000-18. We are changing our Active Directory structure; as a result we have created a new LDAP profile in Call Manager and Cisco Unified Presence Administration. The LDAP profile in Call Manager and Cisco Unified Presence Administration seems to have synced correctly. Once I move users from the default OU to the new OU in AD, CUPC clients are unable to log on. They keep getting failed user and login error. Is there something else that needs to be checked? Users are able to make and receive calls, browse the corporate directory and check voicemails. It's just the CUPC client that does not seem to work with this OU move. Is there a place I can check for errors on CUPC side?
    Thanks

    You may test the user logon with CCM User page.
    1) CUCM Admin > User Management > End User.  Make sure the user you wanted to test was in "CCM End Users" group.
    2) Open a separate web browser window (NOT a separate tab).  Go to http://ip-address-of-cucm/ccmuser
    3) Try to log on with the user's credential.
    If the logon was successful, you may continue the test on CUPS.  Otherwise, you'll have to troubleshoot CUCM first.
    4) Open a web browser.  Go to http://ip-address-of-cups/ccmuser
    5) Try to log on with the user's credential.
    Hope this helps!
    You may take a look at this blog for more troubleshooting tips http://htluo.blogspot.com

  • IDispatch error #19876 - LDAP Authentication Source - User Unique Name Attribute

    Hi,
    we have troubles with the User Unique Name Attribute:
    As 'cn' and 'dn' may change we want to use the EmployeeID ('workforceID') as unique identifier for our user synchronisation. This attribute exists and is also imported in the profile service. But when we add 'workforceID' to the 'User Unique Name Attribute' in the LDAP Settings of the Remote Authentication Source (LDAP AWS) the job fails and throws the error at the end of this message in the history log.
    When we remove 'workforceID' everything works fine. If we set the user unique name attribute to 'cn' or 'dn' everything works fine, too. If we enter not existing names the same error is thrown. It seems like 'workforceID' could not be read/found? What are we doing wrong? Thanks in advance.
    1/17/06 12:37:01- (34432) CPTSyncAgent::ProcessUsers: Call to retrieve the users on this auth source failed. Please check that the authentication source server is online.
    *** COM exception was: IDispatch error #19876 (0x80044fa4): [SOAP fault: faultcode='ns1:Server.userException' faultstring='java.rmi.RemoteException: Unknown error occured in internalGetUsers null
    com.plumtree.remote.ServiceException: Unknown error occured in internalGetUsers null
    at com.plumtree.ldap.aws.LDAPSyncProvider.internalGetUsers(LDAPSyncProvider.java:671)
    at com.plumtree.ldap.aws.LDAPSyncProvider.getUsers(LDAPSyncProvider.java:504)
    at com.plumtree.remote.auth.NativeSyncProvider.GetUsers(Unknown Source)
    at com.plumtree.remote.auth.xp.XPSyncProvider.GetUsers(Unknown Source)
    at com.plumtree.remote.auth.soap.SyncProviderSoapBindingImpl.GetUsers(Unknown Source)
    at com.plumtree.remote.auth.soap.SyncProviderSoapBindingSkeleton.GetUsers(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor1024.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:372)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:292)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:276)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:156)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:126)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:437)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:316)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:701)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:335)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:163)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:199)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:711)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:687)
    at java.lang.Thread.run(Thread.java:536)']
    1/17/06 12:37:01- (34432) *** Job Operation #1 failed: ProcessUsers failed (0x4)

    That's the correct place to look for the version.
    My guess at what is happening is that some of the users do not have the 'workforceID' attribute and that is causing the AWS to fail when it gets to them. Unfortunately there is not great error logging around this in the 2.0 version of the LDAP AWS. In order to find out if this is indeed the case, and to see what user does not have this attribute, do a trial run with workforceID as the User Login Attribute. This case is caught and reported better.
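
An added example, not part of the original thread and not Plumtree code: one way to test the reply's guess offline is to export the users under the auth source's query base to LDIF and audit the candidate unique-name attribute before pointing the sync job at it. It goes a step beyond the reply by also flagging multi-valued and shared values, which make an attribute equally unsuitable as a sync key; the sample directory, its DNs and the case-insensitive comparison are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample export (not data from the thread). Bernd has no
# workforceID, Clara's value is base64-encoded and collides with Anna's,
# and Dieter's DN is folded across two lines as LDIF permits.
SAMPLE_LDIF = """\
version: 1

# exported from ou=People
dn: cn=Anna Meyer,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Anna Meyer
workforceID: 10001

dn: cn=Bernd Schmidt,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bernd Schmidt

dn: cn=Clara Vogel,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Clara Vogel
WORKFORCEID:: MTAwMDE=

dn: cn=Dieter Kranz,ou=Contractors and External Staff,
 dc=example,dc=com
objectClass: inetOrgPerson
cn: Dieter Kranz
workforceID: 10004
"""


def parse_ldif(text):
    """Return [(dn, {lowercased attribute name: [values]})] from LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if "dn" in current:           # skips the "version: 1" record
                entries.append((current.pop("dn")[0], current))
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_unique_attribute(entries, attr):
    """Find entries unusable as sync keys: attribute missing, multi-valued or shared."""
    attr = attr.lower()
    missing, multi, owners = [], [], defaultdict(list)
    for dn, attrs in entries:
        values = [v for v in attrs.get(attr, []) if v]
        if not values:
            missing.append(dn)
        elif len(values) > 1:
            multi.append(dn)
        for v in values:
            owners[v.casefold()].append(dn)   # assumption: case-insensitive match
    duplicates = {v: dns for v, dns in owners.items() if len(dns) > 1}
    return {"missing": missing, "multi_valued": multi, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit_unique_attribute(parse_ldif(SAMPLE_LDIF), "workforceID")
    for kind, found in report.items():
        print(kind, found)
```
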

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
    This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • DIP Profile sources - please help.

    This is in regards to the structures / tables related to sources - maintained in table AD01SRCTAB. What is the function of the table/structure assigned to the source? How should they be used?
    For reference, sources are assigned to DIP profiles in transaction ODP1.

    BUMP!

  • LDAP profiles

    I need to allow a user to have permission to execute a certain script as if he were another user. Specifically, when user IAO executes "retrieve_sst_version.pl", the shell needs to allow iao to execute that script as sstadm (uid=2124). IAO will not be able to su into sstadm. I need the user to be sstadm because sstadm has privileges (such as passwordless ssh) that I do not want IAO to have.
    As IAO is an LDAP account, I have the following output from #profiles -l iao. sstadm is both local and LDAP, and in this case the script should choose the local sstadm.
    C_iao
           /scripts/retrieve_sst_version.pl uid=2124, gid=other
           #other exec privileges that are working correctly
    I'm executing a master.pl script, which kicks off the retrieve_sst_version script. My expectation is that when I execute master.pl as IAO, the script will execute retrieve_sst_version.pl as if it were sstadm. However, this does not work. retrieve_sst_version is ALWAYS executing as IAO and never as sstadm. The script is unable to kick off a password-less SSH command, and will always return "IAO" when I add a "whoami" debug line. I have also tried transforming the retrieve_sst_version.pl script into a ksh script....there was no change in behavior. Again, if I start off as sstadm everything works beautifully...but I really need IAO to read its profile and execute said script as sstadm.
    Any ideas for how I can get it to work?? Thanks in advance.

    Since Customer A and Customer B are connecting to two different tunnel-groups, you can define a compound condition for a new rule with the dictionary ‘RADIUS-Cisco VPN 3000/VPN/ASA/PIX 7.x’ and the attribute ‘CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name  146 ‘ that will come in the radius access-request with the tunnel-group name. With this attribute you can differentiate the 2 different requests. If request is coming for CORP-VPN-CUSTOMER-A look in CUSTOMER A DOMAIN and if it's coming for CORP-VPN-CUSTOMER-B look in CUSTOMER B profile.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Novell ldap api source code

    Where can I find the novell ldap api's source code?
    It contains com.novell.ldap package and some other ones.
    Thanks.

    Look around on your hard drive for src.jar or src.zip.
    Where it is varies depending on what version you have and how you installed it, but
    C:\JDK1.4.2_01\src.zip
    might help.
