LDAP + User maintenance

Similar Messages

• Removing the responsbility of user maintenance from the DBA

  Suppose you were working with a customer whose DBAs refuse to be involved with user maintenance, i.e. creation and deletion of users, password maintenance, role and privilege assignment etc. What technology and/or approach would you recommend?
  Some random thoughts along this line:
  1. Ask the DBA to create one user with CREATE USER and ALTER USER privileges, and give that user access to SQL*Plus so that he can run the queries to create and maintain users himself. Obvious downside: Someone else has to know SQL, at least a few SQL statements, or have a custom user interface built for them that wraps the SQL statements. Is this really such a bad solution?
  2. LDAP or OID. I don't understand enough about either of these two technologies to truly be able to discuss the pros and cons. How exactly do they work in a Windows network envionment, perhaps one with or without Active Directory and/or Windows Groups? Can they really allow someone other than the DBA to create users, maintain passwords and maintain roles and privileges? If so, doesn't the person in charge of assigning roles and privileges to users have to have CREATE USER or ALTER USER privileges anyway? Really, why would this be such an improvement over solution #1?
  3. Any other approaches and/or experiences along this lines anyone wouldn't mind sharing?
  Appreciating any and all insights,
  DTXCF

  THanks sybrandb.
  On #2, suppose the application is set up in such a way that by default all of the security is handled in the database, i.e. when the application is installed and the scripts run to create the database it creates roles like these:
  cst_role_product_editor
  cst_role_product_admin
  cst_role_product_viewer
  cst_role_order_viewer
  cst_role_order_admin
  cst_role_order_editor
  cst_role_store_viewer
  cst_role_store_editor
  cst_role_store_admin
  in other words, for each object type in the database (stores, products, orders, coupons, catalogs etc.) all of these roles are created at the database level, and by default, each individual user has to be created using a CREATE USER command with the proper roles assigned.
  If I take an application like this to the client and they say they want to implement LDAP and/or OID, when the people who create these users outside the database as you mention,
  1) Does it create any additional actual Oracle users, and
  2) Can LDAP and OID handle actually assigning these users to specific Oracle roles?
  And one more question - can you explain what exactly is a proxy account to a rookie like me who thinks proxy sounds like the name of a night club you'd find in Las Vegas?
  Sorry to impose so much but I do appreciate the help.

• CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

  BE6K ver 8.6.2
  Client has a user who recently got married.  They changed her account information in Active Directtory to reflect her new last name. At that point CUCM shows her as
  Delete Pending
  LDAP Sync Status Inactive
  CUC shows
  LDAP User has been deleted.
  The user still exists in both CUC and CUCM and is actively takign and receiving calls.  User has VM access.
  Shorrt of deleting the user in AD and recreating her, is there a way to force this to re-sync?
  Thanks
  Matt

  Then that's expected to happen, for all purposes to CUCM/CUC eyes, msmith no longer exists and will be deleted, and a new user mjones now will be imported.
  Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user
  You'll need to associate everything to the new user, and also add that new user into CUC.
  Or switch back her userID to the old one, and just change the surname for directory purposes.
  HTH
  java
  if this helps, please rate
  www.cisco.com/go/pdihelpdesk

• Problem with Afaria and LDAP user authentication in Android device

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

• How to force a new password in portal with LDAP user? external users

  With an external portal (used by agents that do not work for you or reside in your office), company policy is for password to be changed every qtr.
  If the users are creating as LDAP users how to force them to change their password when required?
  Is this a custom application that needs to be written so when they log into the portal if the qtr has expired the portal ask them to enter a new password that becomes valid for the next qtr.
  Versus internally deleting and emailing all the users a new password?

  Hi Glenn,
  We are getting one problem when we are creating user in LDAP and login with that user in  Portal that time we are getting Password change screen , but when we create a user in LDAP and change the password of that user in LDAP then when the user tries to  Login to portal that time we are not able to see the password change screen.
  But again if we change the password of that user through Portal we are able to see change password screen.
  can you help on this how we can force the user to change password when we are changing password in LDAP or in SAP System.
  Regards
  Trilochan

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• LDAP user no longer able to log in

  We have CQ 5.3 set up using LDAP authentication.  We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
  We've tried on multiple different instances of CQ and she gets the same message every time.  She is able to log into other applicaitons that use LDAP for authentication just fine. We have tried resting CQ to see if that resolves the issue and it hasn't.  I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact?  This started happening a week ago.

  Hi Jennifer,
  Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
  Hope this helps.
  Ron

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• LDAP users Faicng Error While Accessing the ESS Iviews in Portal

  Hi,
  My Portal is SAP EP 7.0 SP20 And ECC 6.0 SP16.
  UME users able to access the ESS MSS Iviews.But only one LDAP User only access ESS/MSS Iviews Other getting the Below error.
  Critical Error
  A critical error has occured. Processing of the service had to be terminated. Unsaved data has been lost.     
  Please contact your system administrator     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE:
  com.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:101)
                  at com.sap.xss.ser.xssmenu.fc.ModelHandler.onInit(ModelHandler.java:205)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalModelHandler.onInit(InternalModelHandler.java:428)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.setPersonnelNumber(FcXssMenu.java:570)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.onInit(FcXssMenu.java:292)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenu.onInit(InternalFcXssMenu.java:455)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenuInterface.onInit(FcXssMenuInterface.java:165)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface.onInit(InternalFcXssMenuInterface.java:389)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface$External.onInit(InternalFcXssMenuInterface.java:546)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.navi.FcNavigation.onInit(FcNavigation.java:314)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigation.onInit(InternalFcNavigation.java:358)
                  at com.sap.pcuigp.xssutils.navi.FcNavigationInterface.onInit(FcNavigationInterface.java:145)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface.onInit(InternalFcNavigationInterface.java:142)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface$External.onInit(InternalFcNavigationInterface.java:278)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmap.onInit(VcRoadmap.java:188)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmap.onInit(InternalVcRoadmap.java:162)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmapInterface.onInit(VcRoadmapInterface.java:153)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface.onInit(InternalVcRoadmapInterface.java:144)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface$External.onInit(InternalVcRoadmapInterface.java:220)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:564)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
                  at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:761)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:696)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:869)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:229)
                  at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1344)
                  at com.sap.portal.pb.PageBuilder.createPage(PageBuilder.java:356)
                  at com.sap.portal.pb.PageBuilder.init(PageBuilder.java:549)
                  at com.sap.portal.pb.PageBuilder.wdDoInit(PageBuilder.java:193)
                  at com.sap.portal.pb.wdp.InternalPageBuilder.wdDoInit(InternalPageBuilder.java:150)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
                  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
                  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
                  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
                  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
                  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
                  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by: com.sap.aii.proxy.framework.core.BaseProxyException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.aii.proxy.framework.core.AbstractProxy.send$(AbstractProxy.java:150)
                  at com.sap.pcuigp.xssutils.xssmenu.model.MenuModel.hrxss_Ser_Getmenudata(MenuModel.java:171)
                  at com.sap.pcuigp.xssutils.xssmenu.model.Hrxss_Ser_Getmenudata_Input.doExecute(Hrxss_Ser_Getmenudata_Input.java:137)
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:92)
                  ... 76 more
  Thanks & Regrads,
  Subba Rao

  Hi,
  Now every user facing the same error while accessing ESS Iviews from Portal.
  in ST22 Dump is created.
  What happened?                                                                                |
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  come across a statement that unfortunately cannot be executed.
  The following syntax error occurred in program
  "CL_XSS_CAT_BUFFER=============CP " in include
  "CL_XSS_CAT_BUFFER=============CM00C " in
  line 50:
  ""L_CATSDB" and "L_CATSDBCOMM" are not mutually convertible. In Unicode"
  " programs, "L_CATSDB" must have the same structure layout as "L_CATSDB"
  "COMM", independent of the length of a Unicode character."
  The include has been created and last changed by:
  Created by: "SAP "
  Last changed by: "SAP "
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  |    come across a statement that unfortunately cannot be executed.
  What we need to resolve the above issue.
  Thanks & Regards,
  Subba Rao

• Creation of Public Sector Planning application fails for LDAP user

  The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
  It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
  Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
  Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
  Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
  ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
  Calculation Manager itself seems to be working fine.
  Any suggestions/thoughts anyone?
  Thanks,
  Andy

  Hi Vivek,
  The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
  I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
  When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
  This is the first time I am using a pre-packaged application like PSB, and have so far worked with only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and may be come to a cause/solution.
  Thanks,
  Andy

• Server App not seeing external LDAP users & groups

  I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
  When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
  I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
  Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
  This is all so much more opaque than our superbly reliable Snow Leopard servers!
  TIA

  Ok, and again:
  You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
  Connect the third party ldap to your server
  Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
  When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
  Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
  To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
  Feel lucky
  And there ist ist; now you are able to use The accounts taken from an external LDAP.

• Error while configuring external LDAP user store with weblogic

  Hi,
  I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
  To do this, I have configured authentication provider and provided all the required details to connect to ldap.
  For example:
  Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
  User DN: ou=People,dc=test,dc=com
  Group DN: ou=Groups,dc=test,dc=com
  This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
  In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
  password=xxxxxxx
  username=admin
  Now while starting the admin weblogic server, I am getting the below error:
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
  Regards,
  Neeraj Tati.

  Hi,
  Please refer the below content that I found for Oracle 11g in the docs.
  "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
  By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
  The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
  If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
  Now in my LDAP directory, setup is in such a way that Administrators is a group created under following heirarchy " cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
  The problem that I am having is when I modify the Admin role in which Administrators group should be added what exaclty I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
  When i give full DN, it takes every attribute as different, i mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
  Here not sure what to do.
  Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
  Regards,
  Neeraj Tati.

• LDAP user to application role mapping

  Hi All,
  OBIEE 11.1.1.5
  I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
  Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
  Or, In simple words,
  How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
  Anyone can help? All documents are not giving this simple picture to me.
  It was easy in 10g, In 11g is it rocket science so that my company can loose the hope to go ahead with 11g?

  Hi,
  1. Create block to initialize USER variable with user name from LDAP
  2. Create block to initialize GROUP variable with role name from external table
  3. In initializtion block for GROUP variable add precedence with User init block to make sure that USER variable have value
  4. If one user can have few roles you should check row-wise-initialization oprion
  Hope it's helpful

• LDAP user group

  I have configured the LDAP to connect to the AD. I can see the required Roles in the "Roles to Map" Tab on LDAP user Configuration.
  I am able to import the Users.
  I am able to see the groups in the SAP xMII Menu -> Portal Services -> Navigation tab and also in SAP xMII Menu -> Security Services -> System Security.
  But when i assign pages to the Roles and Login with the Users under the Role. The Navigation menu doesnt show the pages linked to the role. When i tried accessing the property using http://<server name>/Lighthammer/PropertyAccessServlet?Mode=List, It shows that the user doesnt belong to any roles(blank space in place of roles).
  However, when i try to check the same using LDAP queries (Select Roles for User & Select Role by Distinguished Name) it shows that the user belongs to the group to which i assigned the pages in the SAP xMII Menu -> Portal Services -> Navigation Menu.
  Does it have something to do with the Role mapping in the LDAP user configuration? I havent assigned any of the groups(including the one i want) to any of the default xMII roles.
  I also tried assigning all the roles to all the services in xMII. It still shows that the user doesnt belong to any group. Manually if i assign to any group through SAP xMII Menu ->Security manager ->Roles ->Admin, it works fine. But, as the imported groups are not listed in the security manager I cannot manually assign these users to the groups(also i cannot do this for all the users, even if it was possible)
  Any ideas?

  I tried assigning the user to the Everyone group and also checked the Logs. Below are the results:
  cmsseclogin.log
  2007-11-28 17:12:04,097 [login] IP 64.240.152.5 - Successful login for user a0000, service url http://phixmiiqas01.sbs.int/Lighthammer/
  2007-11-28 17:12:04,534 [login] IP 10.144.18.63 - Ticket has been validated for user a0000
  cmssecurity.log
  2007-11-28 17:12:04,472 [ServletExec: request: time=1196287924456, uri=/LHSecurity/validate] WARN   Validate - Proxy URL requested [http://phixmiiqas01.sbs.int], is not a authorized proxy
  no luck so far!!

• LDAP User Synchronization : Password

  Hi All,
  I have a question about LDAP User Synchronization to SU01 in ABAP. Does it create an initial password for the users being Synced? or It stores the LDAP Password in SU01 password field?
  I have doubt about the second, as LDAP will never return the password in plain text, and Password Hashing schemes can be different between LDAP and ABAP.
  If it doesn't store the password at all in SU01 for Synced users, then how does user login into SAP GUI?
  Please let me know.
  Thanks in Advance,
  Sanjeev

  Hi Tim,
  it's not possible to unhash cryptographic hash function. One of the main properties of each cryptographic hash function is preimage resistance which means that it's not feasible for a given hash h to find a message m that hash(m) = h. Even in case that it is possible to find this message you can't be sure that that was the original message because as we know a hash function maps message of arbitrary length to fixed size string. Obviously, there is more messages with variable length than messages with one fixed sized so there has to be at least one hash where there are two messages m1 and m2 and hash(m1) = hash(m2) (pigeon hole principle). So it could happen that user would choose password m1 but your unhasing algorithm would get m2. Obviously, it's highly improbable that second hash function hash m1 and m2 into same hash. Therefore such a solution will not be never available and the only solution is to get password in clear text and distribute it to each system in clear text form. As Julius mentioned this is supported but it has some disadvantages.
  Cheers