LDAP Schema from VDS

We are using SAP VDS 7.2 SP8. The out-of-the-box Identity Service is deployed on VDS to expose an LDAP interface. When we connect to the VDS LDAP interface using a standard LDAP client, we are not getting the schema information for the user attributes.
Is any separate configuration needed at VDS level to get the user schema information?
Any thoughts? Done heaps of googling, but nothing really comes up.
cheers,
Henrik

Hi Henrik,
I am experiencing the exact same issue. Under server properties it appears you can select a method to create the rootDSE; there are a few delivered options but none of them appear to work. I see entries in the operations log but nothing useful.
VDS does function for authentication and browse, but searching always fails.
The help doc seems to suggest you should write a custom method; it would be great to know if you have attempted this or have got any information from SAP that might suggest how to make the delivered classes work.
Thanks,
Pete.

Similar Messages

  • Configuring Multiple LDAP Datasources in VDS

    Hi,
    I'm trying to configure multiple LDAP datasources using VDS, one talking to AD and the other to Novell eDir. My LDAP connection strings work well, but when I start the service in VDS the service never starts up; all I see is "Exception null". It does not throw any exception, and at the same time it doesn't start up the service. I've tried configuring with a single datasource, which works fine. This fails when I combine those two datasources into one configuration. Has anyone configured multiple datasources within VDS? Not sure if you have encountered any problems.
    Thanks,
    Joe.P

    Are you just trying to bring in two LDAP data sources or do a join between them? 
    Actually both I believe are considered types of joins.
    You cannot just define two datasources and expect them to show up.

  • Ldap schema extension to control which users / group are imported

    Hello,
    I would like to have your opinion: would it be a good idea to implement LDAP schema extensions to control which users / groups are imported and controlled from LDAP in an LDAP-mastered installation?
    e.g. we could implement the following schema extension for users:
    attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1
        NAME ( 'BogusisBeehiveUser' )
        DESC ''
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )
    # BogusinetOrgPerson
    # The BogusinetOrgPerson is derived from inetOrgPerson
    objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
        NAME 'BogusinetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
        SUP inetOrgPerson
        STRUCTURAL
        MAY ( BogusisBeehiveUser ) )
    Then we could control the inclusion in Beehive by simply switching BogusisBeehiveUser on or off.

    sure; that's pretty much what is talked about in the Install Guide for LDAP Integration under the "inclusion and exclusion" section, about here:
    http://download.oracle.com/docs/cd/E14897_01/bh.100/e14830/ldap.htm#CHDEFFJF
    that doesn't go into the specifics of how you might want to design your objectClass schemas, though, as beehive is agnostic to that.
    If you don't want to provision all users that match a certain existing rule (like everyone under dn=foo, or everyone where userType=employee), then adding a new attribute and building the profile inclusion rule around it is a valid thing to do.
    richard
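As an added example (not Oracle Beehive or OpenLDAP code), the following Python parses the two definitions from the post above, the way a client would parse the attributeTypes and objectClasses values it reads from the subschema entry, and applies the inclusion rule as a fail-closed check. The enterprise arc 99999, the entry DNs and the parser itself are constructed for the example.

```python
import re

# Constructed copy of the posted schema; 99999 is a placeholder enterprise number.
SCHEMA_TEXT = """
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME ( 'BogusisBeehiveUser' )
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.1
    NAME 'BogusinetOrgPerson'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( BogusisBeehiveUser ) )
"""
BOOLEAN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.7"   # RFC 4517 Boolean: TRUE or FALSE only

def _definitions(text):
    """Yield (kind, body) per definition, matching parentheses by depth."""
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", text, re.I):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unterminated %s definition" % m.group(1))
        yield m.group(1).lower(), text[m.end():i - 1]

def _field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_schema(text):
    """Return (attribute types, object classes), each keyed by lower-cased NAME."""
    attrs, classes = {}, {}
    for kind, body in _definitions(text):
        names = re.findall(r"'([^']*)'", _field(body, r"\bNAME\s+(\([^)]*\)|'[^']*')") or "")
        spec = {"oid": body.split()[0], "names": names}
        if kind == "attributetype":
            spec["syntax"] = _field(body, r"\bSYNTAX\s+([\d.]+)")
            spec["single_value"] = bool(re.search(r"\bSINGLE-VALUE\b", body))
            target = attrs
        else:
            spec["sup"] = _field(body, r"\bSUP\s+(\S+)")
            may = _field(body, r"\bMAY\s+\(([^)]*)\)")
            spec["may"] = [a.strip() for a in may.split("$")] if may else []
            target = classes
        for name in names:
            target[name.lower()] = spec
    return attrs, classes

def include_in_beehive(entry, attrs, flag="BogusisBeehiveUser"):
    """Fail-closed inclusion rule: provision only when the flag is present exactly once
    with the Boolean value TRUE; absent, FALSE, multi-valued or malformed values exclude."""
    spec = attrs.get(flag.lower())
    if spec is None or spec["syntax"] != BOOLEAN_SYNTAX or not spec["single_value"]:
        raise ValueError(f"{flag} must be a single-valued Boolean attribute in the schema")
    values = [v for k, vs in entry.items() if k.lower() == flag.lower() for v in vs]
    return values == ["TRUE"]

def provisioned_dns(entries, attrs):
    """DNs of the (dn, attributes) pairs that the rule admits."""
    return [dn for dn, attributes in entries if include_in_beehive(attributes, attrs)]

# Constructed entries; 'true' is outside the Boolean syntax and so is not admitted.
ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", {"BogusisBeehiveUser": ["TRUE"]}),
    ("uid=bob,ou=people,dc=example,dc=com", {"BogusisBeehiveUser": ["FALSE"]}),
    ("uid=carol,ou=people,dc=example,dc=com", {}),
    ("uid=dave,ou=people,dc=example,dc=com", {"bogusisbeehiveuser": ["true"]}),
]
```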

  • Provisioning LDAP roles from SIM

    SIM Experts:
    I am trying to provision LDAP roles from SIM into our local IPlanet/Sun DS LDAP instance.
    When I created the resource in SIM, I noticed it didn't rope in the built-in roles from our LDAP instance, as it did LDAP groups.
    I tried to circumvent this by :
    1. Creating individual Role_<> attribute entries in the LDAP resource schema which in turn get mapped to 'nsRoleDN' from LDAP.
    2. Create 'Roles' in SIM mapped to the LDAP resource and set attribute values for the 'Role_<>' attributes (added earlier to the schema mapping) like -
    Role_auditor : cn=Auditor,dc=example,dc=com
    The hitch with this approach is that if I add multiple roles to the account (during creation), only the last role gets added; in other words, I see only one 'nsRoleDN' entry.
    I do not know if this is the right approach, but could someone suggest a better alternative, if there is one?
    Thanks in advance,
    apn.

    Answered here: http://forum.java.sun.com/thread.jspa?threadID=5247269&tstart=30
    ... although, as indicated getRoles should return a list of Role names as well... If you create a variable in the workflow and populate it with this call... it should be a List. [item1,item2,item3] may just be the trace representation of a list.

  • Extending the default schema from install to add few new atttributes

    We use Sun LDAP 5.2 with OAM 10.1.4.2. The LDAP schema that we currently use is from the install, which was extended from the default Sun LDAP schema by Oracle. I have been asked to extend this schema to provide more attributes like challenge question, challenge answer and role. I'm hesitant for a couple of reasons:
    1) I have a feeling that challenge question and challenge answer must be available already. If so, how do I use them?
    2) Is it a best practice to reuse some already present attributes, like say TELEX (I believe nobody uses telex any more), or to create new ones?
    3) My understanding of extending the schema involves creating new object classes (say a customInetOrgPerson class). If I were to implement this new requirement in the production environment, what happens to existing users that were created using the InetOrgPerson class since the date of installation?
    Many thanks in advance for guidance.
    Sri

    It is considered poor practice to use an attribute for a purpose other than that which is obvious by its name.
    Therefore, the best practice is to enrich your person objects with an AUX class or to build a new structural class to include the attributes required. AUX class is your most flexible option especially if your OAM is already installed against inetorgperson.
    I usually create a class like mycoChallengeResponseUser with mycoChallengePhrase and mycoChallengeResponse attributes where myco is some sensible prefix for the organization.
    Hope that helps.
    Mark

  • Web service URI from VDS for GRC 5.3- IDM 7.1 Integration

    Hi All
    For connecting IDM 7.1 from SAP BusinessObjects Access Control 5.3, when creating a connector we need to give the following details of SAP IDM:
    1) Web Service URI
    “Enter the URI address of the Web service in the IdM.”
    How can we get the Web service URI? How can we get these details from VDS? Can you give the details?
    In the link, it says to create an .ear file from VDS. Is there any documentation which talks about how to get this?
    Also it is written in the GRC config guide that
    “For the IdM system integration, obtain a copy of the SPML Schema file (an XML file). You must physically obtain a copy of the SPML Schema file from the IdM vendor.”
    How can we get this SPML Schema file from IDM 7.1?

    I think this is the URL for the documentation
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/106ecdec-ddfa-2a10-cf89-c2e75482d090&overridelayout=true

  • Changing LDAP System from AD to ADAM in CUCM 7.1.5

    Hello Guys,
    First time poster here, so be gentle...
    We have a query regarding LDAP Synchronisation in CUCM 7.1.5.
    A brief background :
    Our CUCM environment has expanded since we first put it in a couple of years ago. We originally had, and continue to have, a single LDAP System configured on CUCM for only one of our AD forests. 
    We have a multi-forest AD environment, with us rolling out more and more CUCM enabled sites from our differing AD forests.
    1 x CUCM 7.1.5 Pub (+ 2 x Subs)
    1 x Presence
    1 x MP
    1 x UCCX
    1 x Unity Connection
    3 x Unity
    We are building an AD LDS (ADAM) server to enable our multi-forest integration and LDAP synchronisation from CUCM. This is built based on this Cisco doco:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b2b103.shtml
    Our question :
    Changing the CUCM LDAP System (and thus also changing the LDAP Directory and Authentication)
    From : "Microsoft Active Directory"
    To : "Microsoft Active Directory Application Mode" (ADAM)
    AND : After running the first CUCM sync with the new ADAM server.
    What impact will this have on the existing user accounts in CUCM (in terms of their Associated Devices and their Permissions Groups and Roles)?
    Will they be overwritten and thus the above fields be blank? Leaving us having to manually add all that back in to our existing user base.
    Or, (which we feel is most likely), will there be duplicate accounts created in CUCM?
    The reason we feel there will be duplicates is due to the nature of multi-forest deployments and the issue of having the same usernames in two or more forests. All authentication requests must be performed using their User Principal Name (UPN), such as [email protected], rather than the standard way of just using your userid : jdoe
    Sorry for the long-winded query.
    Appreciate any thoughts/opinions on this.
    Cheers,
    Rick.

    Rick,
    I haven't done this myself, so keep that in mind. As you say, be gentle.
    Putting ADAM aside for the moment, in an LDAP sync configuration when you establish a sync agreement the CUCM does the following:
    1. All user objects in the CUCM db are marked inactive
    2. CUCM begins syncing with LDAP
    3. For each user object learned from LDAP: The LDAP attribute chosen to map to the user ID in CUCM is compared to existing CUCM user objects.
    - If a match is found, the account is activated
    - attributes for first name, last name, telephoneNumber, etc. are then overwritten with the LDAP values (based on attribute mappings)
    4. After the sync completes, any CUCM user object that did not have an LDAP object with the same user ID is still marked inactive. These objects will be purged during the next clean-up interval.
    To give an example, I had a project where the customer was doing an upgrade from 4.1 to 7.1(3). As part of the upgrade, user objects were moved over to CUCM 7.1(3). Then we enabled LDAP sync. User objects were not deleted, nor were there duplicates. Configurations such as device associations were unaffected. The only thing we needed to do was check the CUCM user DB against LDAP user objects (running scripts against both) to find any mismatches between sAMAccountName and the CUCM user ID.
    Assuming the sync process and behavior for activating/deactivating accounts is the same with an ADAM integration, then I wouldn't expect you to have an issue.
    HTH.
    Regards,
    Bill
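To see what Bill's four steps imply when the attribute mapped to the CUCM user ID changes from sAMAccountName to userPrincipalName (Rick's duplicate-account concern), here is an added Python model of that sync. It is not Cisco code; the user records, the two-forest AD LDS entries and the attribute map are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CucmUser:
    user_id: str
    first_name: str = ""
    last_name: str = ""
    telephone: str = ""
    devices: list = field(default_factory=list)   # not LDAP-mapped, so never overwritten
    active: bool = True

# Mapped attributes as in step 3 (CUCM field -> LDAP attribute); constructed mapping.
ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "telephone": "telephoneNumber"}

def ldap_sync(cucm_db, ldap_entries, user_id_attr):
    """One sync run over cucm_db (user_id -> CucmUser, mutated in place).
    user_id_attr is the LDAP attribute mapped to the CUCM user ID."""
    for user in cucm_db.values():                       # step 1: everyone inactive
        user.active = False
    report = {"created": [], "inactive": [], "collisions": []}
    seen = set()
    for entry in ldap_entries:                          # steps 2-3: learn and match
        uid = entry[user_id_attr]
        if uid in seen:                                 # two LDAP objects, one CUCM ID
            report["collisions"].append(uid)
        seen.add(uid)
        user = cucm_db.get(uid)
        if user is None:                                # no match: a brand-new account
            user = cucm_db[uid] = CucmUser(user_id=uid)
            report["created"].append(uid)
        user.active = True                              # match: reactivate ...
        for cucm_field, ldap_attr in ATTR_MAP.items():  # ... and overwrite mapped fields
            if ldap_attr in entry:
                setattr(user, cucm_field, entry[ldap_attr])
    report["inactive"] = [u for u, rec in cucm_db.items() if not rec.active]   # step 4
    return report

def cleanup(cucm_db):
    """Clean-up interval: purge users left inactive by the last sync."""
    purged = [u for u, rec in cucm_db.items() if not rec.active]
    for uid in purged:
        del cucm_db[uid]
    return purged

def seed_db():
    """Existing CUCM users, originally synced from one forest on sAMAccountName."""
    return {"jdoe": CucmUser("jdoe", "John", "Doe", "1001", devices=["SEP0001"])}

# Constructed AD LDS entries aggregating two forests that both contain a jdoe.
ADAM_ENTRIES = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@forest-a.example",
     "givenName": "John", "sn": "Doe", "telephoneNumber": "1001"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@forest-b.example",
     "givenName": "Jane", "sn": "Doe", "telephoneNumber": "2001"},
]

def compare_id_attributes():
    """Sync the same seed twice: keyed on userPrincipalName, then on sAMAccountName."""
    by_upn = seed_db()
    upn_report = ldap_sync(by_upn, ADAM_ENTRIES, "userPrincipalName")
    upn_report["purged"] = cleanup(by_upn)         # old jdoe and its devices are gone
    by_sam = seed_db()
    sam_report = ldap_sync(by_sam, ADAM_ENTRIES, "sAMAccountName")
    return {"upn": upn_report, "upn_db": by_upn, "sam": sam_report, "sam_db": by_sam}
```

Keyed on UPN the existing account is deactivated and purged (device associations lost, two new accounts created); keyed on sAMAccountName the devices survive but the two forests' jdoe records silently overwrite each other, which the collisions list surfaces.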

  • Exporting schema from 11.1.0.7 to 10.2.0.4

    I am working on Oracle Database version 11.1.0.7 on Solaris 10. I need to export a schema from this version and import it into version 10.2.0.4 on Windows 2003.
    So should I install the 10.2.0.4 client on Solaris and run exp to create a 10.2.0.4 dump file?
    Should I run any specific scripts before running 10.2.0.4 exp on the 11.1.0.7 database?
    In the case of Data Pump, will using the version parameter solve the issue, like
    expdp version=10.2.0.4
    Let me know if I'm wrong; any other suggestions are welcome.

    I think the exp option will take quite some time, as I don't have the 10g software installed on the machine and it is a 40G export, so over the network it is going to take a while.
    I think Data Pump version=10.2.0.4 is something to consider here?
    expdp system/..... schemas=hr directory=sample_dir dumpfile=hr.dmp logfile=hr.log version=10.2.0.4
    Is the previous command the correct way of doing it?
    Once done, while importing I think I don't need to do anything extra there:
    impdp system/.... directory=sample1_dir dumpfile=hr.dmp logfile=hr.log
    Also should I run any scripts before doing expdp at source or impdp at target?

  • Not able to access schema from a Web Server

    I am not successful in using a schema from a web server. I am using j2sdk1.4.2_06, and JDOM-b10. I have been successful in accessing schema using a file path, but not with a web address. The server is Windows Server 2003, I create a virtual directory using IIS under Inetpub.
    Let the URL be: http://server/research_schema/client.xsd
    This would be accessible only on the intranet.
    Here is some XML:
    <client xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="http://server/research_schema/client.xsd">
    <execute matlab="false" commit="false" return_server_msg="false">
    <t1>
    <load_batch_data>
    <username>test</username>
    <password>test</password>
    <database>db</database>
    <get_next_batch>true</get_next_batch>
    </load_batch_data>
    </t1>
    </execute>
    </client>
    Here is the code that sets the parser to be validating and sets the schema location; I am using JDOM:
    builder = new SAXBuilder("org.apache.xerces.parsers.SAXParser", true);
    builder.setFeature(
        "http://apache.org/xml/features/validation/schema",
        true);
    builder.setProperty(
        "http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation",
        "http://server/research_schema/client.xsd");
    doc = builder.build(source);
    The error I get is a JDOMException saying the client element is not found, but I know that the client element is there, after seeing the XML output to a file from the sender.
    I see many examples on the internet using a URL for the schema location, and it is usually the internet and not just the intranet. So it does work for someone.
    I'd appreciate any help.

    Steve, et. al.,
    My apologies for using this in lieu of email, but I have been searching and searching for the answer to your questions from last summer concerning the correct method for getting the local xsd file to be correctly accessed from the xml file when using JDOM to parse with validation.
    I did not see successful resolution of the thread from last summer, but this one seems closely related and suggests that you were either instructed to give up, or gave up on your own and went to the solution of placing the xsd file on a server.
    Maybe I've got my head screwed on wrong, but I, like you, would like to find a successful way to make xml processing work for a JWS-provisioned application the same as it would if I just sent the clients a big jar file and told them to unjar it to some convenient local directory. In that scenario xsi:noNamespaceSchemaLocation = "itsrighthere.xsd" works as expected.
    Can anyone tell us what the correct method of specification is in the JWS context?
    Thank you.

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double-clicking; Keychain Access should launch and ask if you want to install into login, System or System Roots.
    A dialog box will launch asking where to install the cert; since you're configuring a VPN, I would put the certificate in System.

  • How can i access all the objects of one schema from another schema

    Dear All,
    How can I access all the objects (tables, views, triggers, procedures, functions, packages etc.) of one schema and make modifications to them from another schema (without using the synonyms concept)?
    Thanks in advance,
    Mahi

    First of all, synonyms only help you easily reference the object. They don't have any implication for object privileges.
    As long as you have the proper privilege on the target object, you can access it with or without synonyms.
    Assuming you have the proper privileges on the objects, you can use the following command to assume the schema owner:
    ALTER SESSION SET CURRENT_SCHEMA = Schema_owner

  • How to restrict the user(Schema) from deleting the data from a table

    Hi All,
    I have a scenario here.
    I want to know how to restrict a user(Schema) from deleting the values from a table created in the same schema.
    Below is the example.
    I have created a table employee in abc schema which has two values.
    EMPLOYEE
    ABC
    XYZ
    In the above scenario the abc user can only fire a select query on the EMPLOYEE table.
    SELECT * FROM EMPLOYEE;
    He should not be able to use any other DML commands on that table.
    If he does, an "insufficient privileges" error should be thrown.
    Can anyone please help me out on this.

    Hi,
    kumar0828 wrote:
    Hi Frank,
    Thanks for the reply.
    Can you please elaborate on how to add policies for a table for just firing a select DML statement on table.
    See the SQL Packages and Types manual first. It has examples. You can also search the web for examples. This is sometimes called "Virtual Private Database" or VPD.
    If you have problems, post a specific question here. Include CREATE TABLE and INSERT statements to create a table as it exists before the policies go into effect, the PL/SQL code to create the policies, and additional DML statements that will be affected by the policies. Show what the table should contain after each of those DML statements.
    Always say which version of Oracle you're using. Confirm that you have Enterprise Edition.
    See the forum FAQ {message:id=9360002}
    The basic idea behind row-level security is that it generates a string that is automatically added to SELECT and/or DML statement WHERE clauses. For example, if user ABC is only allowed to query a table on Sunday, then you might write a function that returns the string
    USER  != 'ABC'
    OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
    So whenever any user says
    SELECT  *
    FROM    table_x
    ;
    what actually runs is:
    SELECT  *
    FROM    table_x
    WHERE   USER  != 'ABC'
    OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
    ;
    If you want to prevent any user from deleting rows, then the policy function can return just this string
    0 = 1
    Then, if someone says
    DELETE  employee
    ;
    what actually gets run is
    DELETE  employee
    WHERE   0 = 1
    ;
    No error will be raised, but no rows will be deleted.
    Once again, it would be simpler, more efficient, more robust and easier to maintain if you just created the table in a different schema, and did not give DELETE privileges.
    Edited by: Frank Kulash on Nov 2, 2012 10:26 AM
    I just saw the previous response, which makes some additional good points (e.g., a user can always TRUNCATE his own tables). Also, if user ABC applies a security policy to the table, then user ABC can also remove the policy, so if you really want to prevent user ABC from deleting rows, no matter how hard the user tries, then you need to create the policies in a different schema. If you're creating things in a different schema, then you might as well create the table in a different schema.
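The rewrite Frank describes, as an added Python model run against an in-memory SQLite table rather than Oracle: a policy list stands in for DBMS_RLS.ADD_POLICY, and the session user and day of week are passed as parameters instead of USER and SYSDATE being evaluated by the database. It is not Oracle code; the table, rows and policy functions are constructed from the post's own predicates.

```python
import re
import sqlite3

DAYS = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")   # index = weekday()
POLICIES = []   # (TABLE, {statement types}, predicate function); stand-in for DBMS_RLS

def add_policy(table, statement_types, policy_function):
    POLICIES.append((table.upper(), {s.upper() for s in statement_types}, policy_function))

def abc_sunday_only(user, weekday):
    """Predicate from the post; the session user and day become literals here."""
    return f"'{user}' != 'ABC' OR '{DAYS[weekday]}' = 'SUN'"

def no_rows(user, weekday):
    """Never-true predicate: the DELETE succeeds but touches nothing."""
    return "0 = 1"

def rewrite(sql, user, weekday):
    """Return the statement with every applicable policy predicate ANDed into WHERE.
    Only SELECT/DELETE ... FROM <table> are handled; 'user' is the session identity."""
    m = re.match(r"\s*(SELECT|DELETE)\b.*?\bFROM\s+(\w+)", sql, re.I | re.S)
    if not m:
        return sql
    stmt, table = m.group(1).upper(), m.group(2).upper()
    preds = [f"({fn(user, weekday)})" for t, kinds, fn in POLICIES if t == table and stmt in kinds]
    if not preds:
        return sql
    joined = " AND ".join(preds)
    body = sql.strip().rstrip(";")
    where = re.search(r"\bWHERE\b(.*)$", body, re.I | re.S)
    if where:   # the user's own predicate is parenthesised so an OR cannot escape the policy
        return body[:where.start()] + f"WHERE {joined} AND ({where.group(1).strip()})"
    return f"{body} WHERE {joined}"

def run(conn, sql, user, weekday):
    """Execute the rewritten statement; returns (rows, rowcount)."""
    cur = conn.execute(rewrite(sql, user, weekday))
    return cur.fetchall(), cur.rowcount

def demo():
    """EMPLOYEE with the two rows from the question, under a SELECT and a DELETE policy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?)", [("ABC",), ("XYZ",)])
    POLICIES.clear()
    add_policy("employee", ["SELECT"], abc_sunday_only)
    add_policy("employee", ["DELETE"], no_rows)
    results = {
        "abc_monday": run(conn, "SELECT * FROM employee;", "ABC", 0)[0],
        "abc_sunday": run(conn, "SELECT * FROM employee;", "ABC", 6)[0],
        "xyz_monday": run(conn, "SELECT * FROM employee WHERE name = 'XYZ'", "XYZ", 0)[0],
        "delete_rowcount": run(conn, "DELETE FROM employee;", "ABC", 0)[1],
    }
    results["rows_left"] = conn.execute("SELECT count(*) FROM employee").fetchone()[0]
    return results
```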

  • Dbms_sql  in a different schema from query table-error  ** ORA-00942

    Oracle Experts,
    I think I am having problems with using DBMS_SQL in which the function was created in one schema and the query table was created in a different schema.
    We have 2 schemas: S1, S2
    We have 2 tables:
    T1 in Schema S1
    T2 in Schema S2
    We have a function F1 created by DBA in schema S1 that uses the dbms_sql as:
    CREATE OR REPLACE FUNCTION S1.F1(v1 in VARCHAR2) return NUMBER IS
    cursor1 INTEGER;
    BEGIN
    cursor1 := dbms_sql.open_cursor;
    dbms_sql.parse(cursor1, v1, dbms_sql.NATIVE);
    dbms_sql.close_cursor(cursor1);
    return (0);
    EXCEPTION
    when others then
    dbms_sql.close_cursor(cursor1);
    return (1) ;
    END;
    I am using jdeveloper 11G. We have an Oracle DB 11g.
    We have a java program which uses jdbc to talk to our Oracle DB.
    Basically, in my java program, I call function F1 to check if the query is valid.
    If it is, it returns 0. Otherwise, returns 1:
    oracle.jdbc.OracleCallableStatement cstmt = (oracle.jdbc.OracleCallableStatement) connection.prepareCall ("begin ? := S1.F1 (?); end;");
    cstmt.registerOutParameter (1, java.sql.Types.INTEGER);
    cstmt.setString(2, "Select * from S2.T2");
    cstmt.execute ();
    Since the table that I run the query is T2, created in different schema than F1 was created in, I have the error:
    ** ORA-00942: table or view does not exist
    So my questions are these:
    - I am using Oracle DB 11g; if I run the query on a table that was created in a different schema from the one that the function (which uses dbms_sql) was created in, would I get the error ORA-00942?
    - If I run the query on table T1, in the same schema as the function F1, would I have the same problem? (The reason I ask is that I cannot create any table in schema S1 because the DBA has to do it; I am not a DBA.)
    - Is this not a problem, but a security feature because of SQL injection?
    - How to resolve this issue other than creating the table in the same schema as the function that utilizes DBMS_SQL?
    Regards,
    Binh

    Definer-rights (default) stored objects run under the owner's security domain and ignore role-based privileges. So regardless of what user you are logged in as, function S1.F1 always executes as user S1 and ignores user S1's roles. Therefore executing the statement within S1.F1:
    Select * from S2.T2
    requires user S1 to have SELECT privilege on S2.T2 granted to S1 directly, not via a role.
    SY.

  • Create a schema from web service in eclipse

    Hi all,
    I'm trying to export some data out of SF to a 3rd party via a web service. In the web UI I have the possibility (Attachment 1) to create a schema from a web service so my outgoing file matches the requirements. In Eclipse I cannot find that option and I'm encountering some errors (Attachment 2).
    Can anyone tell me if there is a possibility like the web UI in eclipse?
    Thanks in advance.

    Hi,
    You can create a portal service which can access KM to create a folder and then expose this portal service as Web Services.
    To know more:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/43/cb213e578c0262e10000000a11466f/frameset.htm
    https://www.sdn.sap.com/irj/sdn/thread?threadID=324931
    To know the api to create folder in your service method, check this:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/5d0ab890-0201-0010-849d-98d70bd1d5f0
    Some code:
    IResourceContext context = new ResourceContext(user);
    ICollection parent = (ICollection) ResourceFactory.getInstance()
        .getResource("/documents", context);
    IResource resource = parent.createResource("file", null, null);
    ICollection collection = parent.createCollection("folder", null);
    Greetings,
    Praveen Gudapati
    p.s. Points are always welcome for helpful answers

  • Can I recover one schema from Rman Backup

    hi experts,
    I have an RMAN backup of my database and the database is in archivelog mode.
    By mistake all data was deleted from one of the schemas. I don't want to change anything in other schemas.
    Can I recover my data ?
    O.S. = SunOS 5.10
    oracle = 10.2.0.3.0

    As far as I know RMAN doesn't really function at the schema level. It's only really concerned with blocks, datafiles, tablespaces and entire databases.
    You should be able to get the schema back by recovering the database to another server or filesystem, and then migrating the schema from the restored database to the current database using Data Pump.
