LDAP profiles

I need to allow a user to have permission to execute a certain script as if he were another user. Specifically, when user IAO executes "retrieve_sst_version.pl", the shell needs to allow iao to execute that script as sstadm (uid=2124). IAO will not be able to su into sstadm. I need the user to be sstadm because sstadm has privileges (such as passwordless ssh) that I do not want IAO to have.
As IAO is an LDAP account, I have the following output from #profiles -l iao. sstadm is both local and LDAP, and in this case the script should choose the local sstadm.
C_iao
       /scripts/retrieve_sst_version.pl uid=2124, gid=other
       #other exec privileges that are working correctly
I'm executing a master.pl script, which kicks off the retrieve_sst_version script. My expectation is that when I execute master.pl as IAO, the script will execute retrieve_sst_version.pl as if it were sstadm. However, this does not work. retrieve_sst_version is ALWAYS executing as IAO and never as sstadm. The script is unable to kick off a password-less SSH command, and will always return "IAO" when I add a "whoami" debug line. I have also tried transforming the retrieve_sst_version.pl script into a ksh script... there was no change in behavior. Again, if I start off as sstadm everything works beautifully... but I really need IAO to read its profile and execute said script as sstadm.
Any ideas for how I can get it to work? Thanks in advance.
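Added example, not part of the original post: a small Python model of how a Solaris RBAC rights profile hands out a per-command uid. Two facts drive it. First, an exec_attr(4) entry is honoured only when the command is started through a profile shell (pfsh, pfksh, pfcsh) or pfexec; a plain shell or a Perl wrapper that exec()s the script applies no uid change. Second, the entry matches the exact command path listed, so a wrapper such as master.pl that is not itself in the profile runs as the caller, and anything it launches inherits the caller's uid. The user_attr and exec_attr lines below are constructed sample data in the real colon-separated formats, modelled on the poster's `profiles -l iao` output; the second user entry and the helper names are assumptions for illustration.

```python
"""Model of a Solaris RBAC rights profile: which uid/gid does a listed
command get when run through a profile shell or pfexec?

Constructed sample data (not copied from any real system).  Formats:
  user_attr(4): user:qualifier:res1:res2:attr
  exec_attr(4): name:policy:type:res1:res2:id:attr
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USER_ATTR = """\
iao::::type=normal;profiles=C_iao
sstadm::::type=normal;profiles=Basic Solaris User
"""

EXEC_ATTR = """\
# profile : policy : type : res1 : res2 : command path : attributes
C_iao:solaris:cmd:::/scripts/retrieve_sst_version.pl:uid=2124;gid=other
"""


def _parse_attrs(field: str) -> Dict[str, str]:
    """Parse the trailing 'key=value;key=value' attribute column."""
    out: Dict[str, str] = {}
    for kv in field.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            out[key.strip()] = value.strip()
    return out


@dataclass
class ExecEntry:
    profile: str
    command: str          # full pathname the profile shell compares against
    attrs: Dict[str, str]  # uid/gid/euid/egid and any other attributes


def parse_exec_attr(text: str) -> List[ExecEntry]:
    """Return the 'cmd' entries of an exec_attr file, ignoring comments
    and malformed lines (a wrong field count is treated as no grant)."""
    entries: List[ExecEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _policy, typ, _res1, _res2, cmd, attr = fields
        if typ == "cmd":
            entries.append(ExecEntry(name, cmd, _parse_attrs(attr)))
    return entries


def parse_user_attr(text: str) -> Dict[str, List[str]]:
    """Map each user to the list of profile names assigned in user_attr.
    Profile names may contain spaces, so only ',' separates them."""
    assigned: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue
        user, _qual, _res1, _res2, attr = fields
        names = _parse_attrs(attr).get("profiles", "")
        assigned[user] = [p for p in names.split(",") if p]
    return assigned


def effective_ids(user: str, command: str,
                  user_attr: str = USER_ATTR,
                  exec_attr: str = EXEC_ATTR) -> Optional[Tuple[str, str]]:
    """Return (uid, gid) that a profile shell or pfexec would apply when
    `user` runs exactly `command`, or None when no assigned profile lists
    that path, in which case the command simply runs as the caller."""
    profiles = parse_user_attr(user_attr).get(user, [])
    for entry in parse_exec_attr(exec_attr):   # first matching entry wins
        if entry.profile in profiles and entry.command == command:
            return (entry.attrs.get("uid", ""), entry.attrs.get("gid", ""))
    return None


if __name__ == "__main__":
    for cmd in ("/scripts/retrieve_sst_version.pl", "/scripts/master.pl"):
        grant = effective_ids("iao", cmd)
        print(cmd, "->", grant if grant else "no entry: runs as the caller")
```

Running it shows the listed script resolving to uid 2124 / gid other while master.pl gets no entry at all, which is the situation in the question: the uid switch is granted per command path, so it has to be requested for the script that actually needs it (by launching that script through pfexec or a profile shell), and it never propagates from an unlisted wrapper to its children. From a least-privilege view that is the desirable property, since it keeps the elevated identity scoped to the one script rather than to everything the wrapper runs.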

Since Customer A and Customer B are connecting to two different tunnel-groups, you can define a compound condition for a new rule with the dictionary 'RADIUS-Cisco VPN 3000/VPN/ASA/PIX 7.x' and the attribute 'CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name 146', which will come in the RADIUS access-request with the tunnel-group name. With this attribute you can differentiate the 2 different requests. If the request is coming for CORP-VPN-CUSTOMER-A, look in the CUSTOMER A domain, and if it's coming for CORP-VPN-CUSTOMER-B, look in the CUSTOMER B profile.
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

  • Jabber for Windows LDAP Profiles

    I have been unable to find a lot of information on LDAP profiles, but I came across a blog that said that LDAP profiles are only used for Android, iPhone and iPad. It stated that the only way to control the search base on Jabber for Windows is by using the jabber-config.xml file. So far this appears to be true based on my limited testing.
    I have been able to integrate with OpenLDAP using the jabber-config.xml file to set the server and search base. The only problem I can see with this particular design is I would have to give all users the same LDAP profile and search settings. In our environment this will not satisfy our requirements.
    Does anyone know of a way where I can integrate with OpenLDAP, use the Jabber for Windows client and control the LDAP search settings on a per-user basis?
    Thanks

    Yes, but you won't like it.
    Group Configuration File Names
    You specify the name of the group configuration files in the Cisco Support Field on the CSF device configuration in Cisco Unified Communications Manager.
    If you remove the name of the group configuration file in the CSF device configuration on Cisco Unified Communications Manager, Cisco Jabber for Windows detects the change, prompts the users to sign out, and loads the global configuration file. You can remove the name of the group configuration file in the CSF device configuration by deleting the entire configurationFile=group_configuration_file_name.xml string or by deleting the group configuration filename from the string.
    If users have desk phone devices only, use the following command line argument to specify unique names for configuration files for different groups:
    TFTP_FILE_NAME
    See the Install Cisco Jabber for Windows chapter for more information about the command line arguments.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • CUPC not logging in after changing LDAP profile

    Hi,
    We are using Cisco Call Manager version 7.0.2.20000-5 and Cisco Unified Presence Administration System version 7.0.4.10000-18. We are changing our Active Directory structure; as a result we have created a new LDAP profile in Call Manager and Cisco Unified Presence Administration. The LDAP profile in Call Manager and Cisco Unified Presence Administration seems to have synced correctly. Once I move users from the default OU to the new OU in AD, CUPC clients are unable to log on. They keep getting a failed user and login error. Is there something else that needs to be checked? Users are able to make and receive calls, browse the corporate directory and check voicemails. It's just the CUPC client that does not seem to work with this OU move. Is there a place I can check for errors on the CUPC side?
    Thanks

    You may test the user logon with the CCM User page.
    1) CUCM Admin > User Management > End User. Make sure the user you want to test is in the "CCM End Users" group.
    2) Open a separate web browser window (NOT a separate tab). Go to http://ip-address-of-cucm/ccmuser
    3) Try to log on with the user's credentials.
    If the logon is successful, you may continue the test on CUPS. Otherwise, you'll have to troubleshoot CUCM first.
    4) Open a web browser. Go to http://ip-address-of-cups/ccmuser
    5) Try to log on with the user's credentials.
    Hope this helps!
    You may take a look at this blog for more troubleshooting tips: http://htluo.blogspot.com

  • LDAP Profile Source

    Hi, I've got a problem with LDAP Profile Source.
    In my LDAP I've got two OUs for my users. In the first OU, "ou=People", I've got: uid, Name, Society; and in the second OU, "ou=Society": Address, Telephone, Fax.
    I don't know how to get data from multiple OUs with the LDAP Profile Object.

    Along the lines of what Mark was saying - you must have a single auth source that is bringing in multiple OUs. The trick is that you can have multiple profile sources; simply set the query base in each to your specific OU with the specific property map for that OU. Set each profile source to profile-sync the Everyone group for your auth source. Each user in the entire auth source will be sync'd by each profile source, but the users will only match one of the two profile sources. This way they get properly sync'd and you get the correct vars.
    The other thing you can do is simply set up a single profile source and put all the properties in the property map regardless of OU. Only the properties that values exist for will get imported to the users they exist for. If you want to limit the props, however (i.e. they actually exist for both OUs but you only want the ones you specify to show up), then you need to take the 2 profile source route.
    Hope this helps,
    Akash

  • Regd LDAP Profile Synch web service

    Hi,
    I am using the Plumtree-provided LDAP profile sync web service. I have a query regarding the re-sync operation.
    How is the re-sync operation implemented? Will the re-sync occur for all the users, or will it query the LDAP change log, find all the users that have changed since the last job run and then sync the profiles of only the changed users?
    I think this is the way it works, but please confirm.
    regards
    raghu

    On the LDAP Profile source you can configure a Signature Attribute. This attribute should be some sort of modify timestamp. When the job runs it will go through each user and check their current signature attribute vs. the one saved on the portal. If the value is the same, the rest of the profile attributes will not be retrieved and written to the Plumtree DB.

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom LDAP authenticator to get the user profile from LDAP and put the data bean into the session.
    This would allow us to use the same connection to LDAP and to benefit from the BEA security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • LDAP Profile Source - "Remote Unique Name" oddity

    We have an Active Directory that I've set up to use as an Authentication Source, and it also retrieves a few properties from there - not a problem.
    We also have an LDAP directory which contains other attributes of users that I need to retrieve.
    I set everything up as I thought it should be, however it's querying the LDAP server with the wrong parameters!
    An example user I have is IUSER\803244205. ALUI is showing the Login Name as "IUSER\803244205", the Remote Unique Name as "137eb349-7579-4b15-9a68-b1bff296d933" and the Remote Authentication Name as "803244205@IUSER".
    When I look at the LDAP job, the error log is showing that it's trying to sync using the Remote Unique Name -
    Unable to attach to user 137eb349-7579-4b15-9a68-b1bff296d933, user not found
    My LDAP directory only holds (and is keyed on) the numeric portion of the login name (known as EIN to us) - 803244205. I have got this EIN as a property of the user (a separate Property that I have mapped to the User object), which is held as a separate attribute on the Active Directory.
    So how do I tell the sync job to use the EIN (which happens to be the "User Name Attribute" on the Authentication Source - samAccountName), rather than trying to use the "Remote Unique Name", which it appears to have generated for itself!
    Cheers

    Arrgh! Just found the option for myself, seconds after posting this! Cheers anyway.

  • Integrate Profile WS with LDAP in PT5.0.1

    Hi,
    I have SSO-enabled PT-5.0.1 up and running with an AD authentication source. But the user profile information of the users is stored in a different system (LDAP).
    The task is to retrieve user profile information from the LDAP system and store it in the user profile of the users imported from the AD authentication source.
    Need a jumpstart here. Has anyone done this in the past?
    Thanks

    Hi Kuljit,
    The primary problem with this scenario is that you cannot tell the Native LDAP Profile Source what attribute you'd like to look up your AD users against. So unless you have the Object GUID (that AD AWS uses to uniquely identify each AD user) in your LDAP directory, you can't do this out of the box. However, there is a fairly straightforward solution; it will require you to write your own AD PWS:
    - Write an AD PWS that accepts a GUID as the unique identifier.
    - The PWS should look up the CN attribute given the GUID on the AD.
    - Use the LDAP PWS to talk to LDAP.
    - The AD PWS you write should make calls into the LDAP PWS using the CN as the unique identifier.
    - The AD PWS should proxy all calls made to it to the LDAP PWS, substituting the GUID with the CN looked up above.
    This amounts to something like this (from the SOAP call perspective):
    - Portal calls AttachToUser on your AD PWS using a GUID.
    - AD PWS asks the AD directory for the CN given that GUID; if the GUID doesn't exist on the AD, AttachToUser fails.
    - Given the CN, call AttachToUser against the LDAP PWS; if this fails, pass the failure back to the portal.
    - Return a success to the portal.
    For subsequent calls, you should have saved the current user GUID and CN on the session with the portal. You can now proxy all requests directly to the LDAP PWS and send responses back to the portal. Make sure you substitute the CN for the GUID on requests, and vice versa on responses.
    In future versions this may become simpler - but for now this is the best solution. Also, if you are wondering where to get the LDAP PWS, it is currently in beta - please e-mail me if you are interested in trying it out.
    Thanks
    Akash Jain

  • C100 LDAP accept to multiple AD domains?

    Hi All,
    Just been setting up our IronPort C100 and noticed that per listener you can only have one LDAP lookup host (or many in failover); however, what we require is the following:
    Inbound e-mail for [email protected]: the C100 looks up the AD (LDAP) of domainA.com for the user and accepts or denies. Now at the same time another inbound e-mail comes in, but for [email protected]; this needs to do the lookup against the domainB.com AD server, which is a completely different host to domainA.com (in fact a different network/customer).
    From what I can see at the moment I would need to set up a separate Listener for each domain with 2 IPs each, which would soon get very out of hand.
    Has anybody done this before or have any idea how this could be done?
    Just a side note: I set up an ADAM server and used the AD to ADAM synchronizer to get a copy of the domain into a partition in the ADAM server and then another domain into its own partition, but seeing as the C100 needs a base DN this makes this impossible, unless anybody again has some ideas about this...

    Torsten is correct; the feature that you need for supporting either different LDAP servers per domain or tiered LDAP lookups is due in the 5.5 release slated for Q3/2007, so this will be addressed.
    With regards to ADAM, I personally haven't done an installation with ADAM; however, I will state that it's not required to put a base DN into the LDAP profile. So you might want to consider removing the base DN from your ADAM profile and see if the query will work for you.
    Another good step might be to download the Softerra LDAP browser utility and take a look at the ADAM server to identify relevant pieces of LDAP information... assuming that it doesn't conform to AD's (|(mail={a})(proxyAddresses=smtp:{a})) query string.
    Sincerely,
    Jay Bivens
    IronPort Systems

  • External ldap mapping & portal 6.2

    Hello
    To my knowledge external LDAP mapping is not supported in Portal 6.0 and Portal 6.1. My question is: is it implemented in Portal 6.2? If not, is there any workaround that can solve this issue and be considered a professional solution?

    Yes, you can do authentication against your existing
    external LDAP and dynamically create user profiles
    in your local LDAP (which can be physically on a different box).
    The "professional name" for this configuration is:
    LDAP "profile server" with "external authentication" LDAP.
    Cheers,
    Alex :-)
    PS: After the "Sun Forum Accounts Update" I couldn't log in to this forum and at SUN
    no one cares - they just ignore my mails. "Thanks a lot" for supporting the free community!
    (Check my old profile at http://swforum.sun.com/jive/profile.jspa?userID=3455)
    OK. I now have a new account and I will try to help you out here...
    -------------------------------------------------------------------------

  • Log-Entry: 'Warning: LDAP: query accept could not be found'

    I found many entries like this in our log 'mail.current':
    Thu Mar 13 12:45:30 2008 Warning: LDAP: query accept could not be found
    We don't use LDAP (anymore). Where do I have to check if we have missed something that should be de-activated?
    In the GUI 'System Administration', 'LDAP' I have the following entry:
    Server Profile   Host Name            Port   Queries
    Profilename      1.2.3.4, 1.2.3.5     389    None configured
    How can we prevent these warning entries in the logfile?

    On the GUI interface, go to "Network > Listeners".
    Select the inbound listener. At the bottom, make sure the LDAP queries are all set to None. You may also want to delete your ldap profiles if you're not using them anymore. "System Administration > LDAP"
    If that doesn't address the warnings, contact Technical Support so they can further investigate it.

  • SGD-AD "LDAP error code 49"

    Dear all,
    I saw the following error in the server-login log file:
    2007/07/24 15:15:03.098 (pid 2698) server/login/moreinfo #1185261303098
    Loaded class com.sco.tta.server.login.LdapLoginAuthority: {
    LDAPRoot=.../_ldapmulti/forest/
    accountEnabledChecked=false
    anonLogin=false
    attemptPasswordChange=true
    generalLdapProfileName=.../_ens/o=Tarantella System Objects/cn=LDAP Profile
    mustChangePasswordResult[0]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 701
    mustChangePasswordResult[1]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 773
    mustChangePasswordResult[2]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 773
    mustChangePasswordResult[3]=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773
    name=com.sco.tta.server.login.LdapLoginAuthority
    propAccEnabled=scottaaccountenabled
    userMustChangePasswordResult=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 773
    userPasswordExpiredResult=LDAP: error code 49 - 80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 701
    version=4.31.905
    What should I do on my SGD server?
    What should I do on my AD server?
    What is the solution to resolve the error?
    Appreciate any help given.

    Hi,
    I am also getting the same error. Please let me explain what I have encountered.
    In the Active Directory (version 2003), the administrator has limited the user to log in to only his workstation. This has been set by putting his workstation host name or IP (which the user is allowed to access) into a "log on to" list (at the user level) in Active Directory. There is another option if the administrator allows the user to be able to log on to any workstation, that is by checking the "log on to all computers" check box at that particular user id.
    When my user has been set to "log on to all computers", I don't encounter the error message, i.e. error code 49, as mentioned in the subject of this topic. However, when a particular user has been limited to only access his own workstation, the error appears. However, if the Active Directory server host name or IP has been added into the "log on to" list, the authentication is successful.
    My application is actually running on an application server and the user is using Internet Explorer to log in to my application from his workstation. Also, the application server has been joined to the same domain as the Active Directory server. My question is, is it a must that the Active Directory server name be added to the "log on to" list of that particular user in order for it to be authenticated by Active Directory? Does anyone have any ideas why this is happening? I definitely don't want to add the AD server name into the list as this will give the user rights to log in to the AD server. Any advice would be of great help. Thanks a million in advance.

  • Configure 2 Ldap servers on C370

    hello everyone,
    We are considering configuring a dual bundle C370 to host a production and a simulation environment simultaneously.
    From the networking and mail flow policies side I think this is possible,
    but I am not sure about LDAP profiles.
    Is it possible to configure two LDAP servers and associate each one with the adequate domain?
    regards

    If they go in via the notification message they get in their email, they don't need authentication.
    But if they need to do more than release that specific message, they'll need auth.
    Go to Monitor > Quarantines.
    In the row for Spam Quarantine there's an "Edit" link on the far right; click that.
    There's a section called End-User Quarantine Access, where you can turn on how users get access to the Quarantine. Pick LDAP.
    You'll need to turn on and configure the Spam Quarantine End-User Authentication Query and the Spam Quarantine Alias Consolidation Query in your LDAP profiles under System Administration > LDAP.

  • Problems setting up ldap on solaris 10.

    When trying to set up LDAP on Solaris 10 I am asked for an LDAP profile and the address of the LDAP server. I know the address of the LDAP server, but what is the profile, and how do I set it up with Active Directory?

    Hi,
    The profile defines how the client will interact with the server. On a Solaris server, you set this file up with the /usr/lib/ldap/idsconfig command. On the client, you use ldapclient init -a profileName=xyz -a domainName=your.domain <server.ip.address.here:portno> (portno is not necessary if you are using port 389 on the server). I'm not sure how you duplicate the functionality of that file from a Windows server. Maybe if you look at the man page on idsconfig, it may help identify what needs to be done on the Windows server to create a profile the Solaris client can use. I went to MS TechNet and searched for "ldap server for solaris client" - a lot of hits. Hope this helps.
    John

  • Cisco Jabber windows call option and user addition issue

    Hi,
    After uploading the jabber-config.xml (EDI-BDI) on the CUCM, the call option for new user contacts started appearing, but the already existing contacts in the Jabber client still have no call option. Also, when we add new contacts to the Jabber client, they just disappear. Has anyone faced a similar issue before? Below are the details; attached are jabber-config.xml and an LDAP profile snap.
    We are using employeeNumber as attribute in LDAP configuration.
    CUCM - 8.5.1.15900-4
    UCCX - 8.6.3.10000-20
    Jabber for windows - 9.7.0 (Tried with earlier version of jabber as well)

    Hey
    Just right-click on the contacts which do not have the call option and select View Profile, then see if those contacts that are added are from Outlook or from AD. If it's AD then they will have a contact number and as such they will have the Call option enabled.
    If they are from Outlook then delete the users and re-add them, checking the View Profile option to verify they are being pulled from AD.
    Also, if I assumed the issue differently from what it is, please explain the whole scenario.
    Note: In the case of J4W it will not connect to the directory using the LDAP profile info; it automatically verifies and connects to the domain using your login creds.
