LDAP User Privileges

Similar Messages

• External LDAP user only has search priviledge in UCM

  After I have configed external LDAP successfully in weblogic console, I can see all user from external LDAP. And external LDAP user can login UCM successfully, but these users only has search priviledge. I want external LDAP user has Admin priviledge as weblogic(Default in embed LDAP). How to solve it. Any help will be appreciated greatly! Otherwise, I refer to Oracle's ducument,
  51.1.14 LDAP Users Not Receiving Some Administrator Privileges
  UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
  How to add external LDAP user to the group of Administrators.

  Hi ,
  You can use Credential Maps to be achieve the requirement:
  Steps for the same are :
  1. Login to UCM - Administration - Credential Maps .
  2. Create the map name and the following mapping :
  <ldap role> , admin
  3. Save the changes
  4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  add the following variable there :
  ProviderCredentialsMap=<map name created in step 2>
  5. Save the changes and restart ucm server .
  After that login with the user who has the ldap role that is mapped in stpe 2 , this user will have the ucm admin role .
  Hope this helps .
  Thanks
  Srinath

• Enabling Direct Database Request for LDAP User in RPD

  Hi All,
  Can anybody help me out how to set the Direct datasbase parameter in repository for the respective LDAP User.
  Actually I am implementing PROXY USer setup, in this process im encountering the below error
  Odbc driver returned an error (SQLExecDirectW).
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
  [nQSError: 13017] User or group has not been granted the Direct Database Access privilege to access the database 'So n So'. Please verify the User/Group Permissions in the Oracle BI Administration Tool. (HY000)
  http://1.bp.blogspot.com/-NqzXnCsUse0/UT5D2F6SksI/AAAAAAAAA1s/SpygihX4z5A/s1600/3.PNG
  If i create the user in the repository and for him if i set "direct database Request" to "Allow" then he is able to use the PROXY functionality , but in my case i am using LDAP there are no room for the USers.
  Any assistance , greatly appreciated.
  Thank you./
  Siva Budagam.

  Hi All,
  Can anybody help me out how to set the Direct datasbase parameter in repository for the respective LDAP User.
  Actually I am implementing PROXY USer setup, in this process im encountering the below error
  Odbc driver returned an error (SQLExecDirectW).
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
  [nQSError: 13017] User or group has not been granted the Direct Database Access privilege to access the database 'So n So'. Please verify the User/Group Permissions in the Oracle BI Administration Tool. (HY000)
  http://1.bp.blogspot.com/-NqzXnCsUse0/UT5D2F6SksI/AAAAAAAAA1s/SpygihX4z5A/s1600/3.PNG
  If i create the user in the repository and for him if i set "direct database Request" to "Allow" then he is able to use the PROXY functionality , but in my case i am using LDAP there are no room for the USers.
  Any assistance , greatly appreciated.
  Thank you./
  Siva Budagam.

• CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

  BE6K ver 8.6.2
  Client has a user who recently got married.  They changed her account information in Active Directtory to reflect her new last name. At that point CUCM shows her as
  Delete Pending
  LDAP Sync Status Inactive
  CUC shows
  LDAP User has been deleted.
  The user still exists in both CUC and CUCM and is actively takign and receiving calls.  User has VM access.
  Shorrt of deleting the user in AD and recreating her, is there a way to force this to re-sync?
  Thanks
  Matt

  Then that's expected to happen, for all purposes to CUCM/CUC eyes, msmith no longer exists and will be deleted, and a new user mjones now will be imported.
  Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user
  You'll need to associate everything to the new user, and also add that new user into CUC.
  Or switch back her userID to the old one, and just change the surname for directory purposes.
  HTH
  java
  if this helps, please rate
  www.cisco.com/go/pdihelpdesk

• Problem with Afaria and LDAP user authentication in Android device

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

  Hi all,
  I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
  I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
  I follow the next steps:
  1-Create a new tenant
  2- Configure LDAP integration
  3-Create a inventory policy with authentication required
  4-Create a static group associated to the inventory policy
  5-Create a enrolment policy associated to the static group.
  When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
  I have seen the log and seem the problem is that Afaria can't authenticate this user.
  I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
  The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
  Could you please help to solve this problem?
  Thanks in advance.  

• How to force a new password in portal with LDAP user? external users

  With an external portal (used by agents that do not work for you or reside in your office), company policy is for password to be changed every qtr.
  If the users are creating as LDAP users how to force them to change their password when required?
  Is this a custom application that needs to be written so when they log into the portal if the qtr has expired the portal ask them to enter a new password that becomes valid for the next qtr.
  Versus internally deleting and emailing all the users a new password?

  Hi Glenn,
  We are getting one problem when we are creating user in LDAP and login with that user in  Portal that time we are getting Password change screen , but when we create a user in LDAP and change the password of that user in LDAP then when the user tries to  Login to portal that time we are not able to see the password change screen.
  But again if we change the password of that user through Portal we are able to see change password screen.
  can you help on this how we can force the user to change password when we are changing password in LDAP or in SAP System.
  Regards
  Trilochan

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• LDAP user no longer able to log in

  We have CQ 5.3 set up using LDAP authentication.  We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
  We've tried on multiple different instances of CQ and she gets the same message every time.  She is able to log into other applicaitons that use LDAP for authentication just fine. We have tried resting CQ to see if that resolves the issue and it hasn't.  I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact?  This started happening a week ago.

  Hi Jennifer,
  Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
  Hope this helps.
  Ron

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• How to find out user privilege using JPDK

  Hi All,
  How can I find out what type of user-privilege that a user has inside the renderBody method of the subclass of the BaseManagedRenderer class? e.g: whether the user has the Administer privilege.
  I looked through the ProviderUser object which can be obtained from the pr.getUser() (PortletRenderRequest.getUser()) and it does not seem to provide the method to get the user's privilege.
  Any insight is greatly appreciated!
  Thanks,
  Vince

  Vince,
  How did you figure out calling the is_user_in_group or other
  similar function calls in the WWSEC_API?
  I tried making a regular SQL Statement by doing the following.
  CallableStatement callablestatement = conn.prepareCall
  ("begin ? := wwsec_api.is_user_in_group(?,?); end;");
  callablestatement.registerOutParameter(1, 12);
  callablestatement.setInt(2, 17);
  callablestatement.setInt(3, 0);
  callablestatement.execute();
  boolean s2 = callablestatement.getBoolean(1);
  callablestatement.close();
  but it fails with the following exception in the JSP...
  java.sql.SQLException: ORA-06550: line 1, column 13: PLS-00382:
  expression is of wrong type ORA-06550: line 1, column 7: PL/SQL:
  Statement ignored
  Can you shed some light on the problem?
  Thanks,
  Niket Parikh

• LDAP users Faicng Error While Accessing the ESS Iviews in Portal

  Hi,
  My Portal is SAP EP 7.0 SP20 And ECC 6.0 SP16.
  UME users able to access the ESS MSS Iviews.But only one LDAP User only access ESS/MSS Iviews Other getting the Below error.
  Critical Error
  A critical error has occured. Processing of the service had to be terminated. Unsaved data has been lost.     
  Please contact your system administrator     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE     
  Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE:
  com.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:101)
                  at com.sap.xss.ser.xssmenu.fc.ModelHandler.onInit(ModelHandler.java:205)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalModelHandler.onInit(InternalModelHandler.java:428)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.setPersonnelNumber(FcXssMenu.java:570)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenu.onInit(FcXssMenu.java:292)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenu.onInit(InternalFcXssMenu.java:455)
                  at com.sap.xss.ser.xssmenu.fc.FcXssMenuInterface.onInit(FcXssMenuInterface.java:165)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface.onInit(InternalFcXssMenuInterface.java:389)
                  at com.sap.xss.ser.xssmenu.fc.wdp.InternalFcXssMenuInterface$External.onInit(InternalFcXssMenuInterface.java:546)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.navi.FcNavigation.onInit(FcNavigation.java:314)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigation.onInit(InternalFcNavigation.java:358)
                  at com.sap.pcuigp.xssutils.navi.FcNavigationInterface.onInit(FcNavigationInterface.java:145)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface.onInit(InternalFcNavigationInterface.java:142)
                  at com.sap.pcuigp.xssutils.navi.wdp.InternalFcNavigationInterface$External.onInit(InternalFcNavigationInterface.java:278)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmap.onInit(VcRoadmap.java:188)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmap.onInit(InternalVcRoadmap.java:162)
                  at com.sap.pcuigp.xssutils.roadmap.VcRoadmapInterface.onInit(VcRoadmapInterface.java:153)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface.onInit(InternalVcRoadmapInterface.java:144)
                  at com.sap.pcuigp.xssutils.roadmap.wdp.InternalVcRoadmapInterface$External.onInit(InternalVcRoadmapInterface.java:220)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:564)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
                  at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
                  at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:761)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:696)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:869)
                  at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:229)
                  at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1344)
                  at com.sap.portal.pb.PageBuilder.createPage(PageBuilder.java:356)
                  at com.sap.portal.pb.PageBuilder.init(PageBuilder.java:549)
                  at com.sap.portal.pb.PageBuilder.wdDoInit(PageBuilder.java:193)
                  at com.sap.portal.pb.wdp.InternalPageBuilder.wdDoInit(InternalPageBuilder.java:150)
                  at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
                  at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
                  at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:782)
                  at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:302)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:741)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:694)
                  at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:253)
                  at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
                  at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
                  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
                  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
                  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
                  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
                  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
                  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
                  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
                  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by: com.sap.aii.proxy.framework.core.BaseProxyException: Syntax error in program CL_XSS_CAT_BUFFER=============CP        ., error key: RFC_ERROR_SYSTEM_FAILURE
                  at com.sap.aii.proxy.framework.core.AbstractProxy.send$(AbstractProxy.java:150)
                  at com.sap.pcuigp.xssutils.xssmenu.model.MenuModel.hrxss_Ser_Getmenudata(MenuModel.java:171)
                  at com.sap.pcuigp.xssutils.xssmenu.model.Hrxss_Ser_Getmenudata_Input.doExecute(Hrxss_Ser_Getmenudata_Input.java:137)
                  at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:92)
                  ... 76 more
  Thanks & Regrads,
  Subba Rao

  Hi,
  Now every user facing the same error while accessing ESS Iviews from Portal.
  in ST22 Dump is created.
  What happened?                                                                                |
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  come across a statement that unfortunately cannot be executed.
  The following syntax error occurred in program
  "CL_XSS_CAT_BUFFER=============CP " in include
  "CL_XSS_CAT_BUFFER=============CM00C " in
  line 50:
  ""L_CATSDB" and "L_CATSDBCOMM" are not mutually convertible. In Unicode"
  " programs, "L_CATSDB" must have the same structure layout as "L_CATSDB"
  "COMM", independent of the length of a Unicode character."
  The include has been created and last changed by:
  Created by: "SAP "
  Last changed by: "SAP "
  Error in the ABAP Application Program
  The current ABAP program "CL_XSS_CAT_TIME_SHEET=========CP" had to be
  terminated because it has
  |    come across a statement that unfortunately cannot be executed.
  What we need to resolve the above issue.
  Thanks & Regards,
  Subba Rao

• Creation of Public Sector Planning application fails for LDAP user

  The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
  It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
  Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
  Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
  Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
  ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
  Calculation Manager itself seems to be working fine.
  Any suggestions/thoughts anyone?
  Thanks,
  Andy

  Hi Vivek,
  The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
  I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
  When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
  This is the first time I am using a pre-packaged application like PSB, and have so far worked with only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and may be come to a cause/solution.
  Thanks,
  Andy

• Server App not seeing external LDAP users & groups

  I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
  When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
  I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
  Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that includes a mapping for GeneratedUID to one which does not for example.
  This is all so much more opaque than our superbly reliable Snow Leopard servers!
  TIA

  Ok, and again:
  You want to see Users and Groups , which are stored in an third Party directory service like OpenLDAP, in your Server.app? This is what you have to do:
  Connect the third party ldap to your server
  Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to Login with them
  When you see your LDAP-entry in the Directory Manager, change it from "From Server" to "RFC2307"
  Edit the entry, add the following mapping to it:GeneratedUUID maps to apple-generateduuid
  To your group and user entries in the external LDAP add the follwing attribute:apple-generateduuid gets the value taken from the output of "uuidgen"
  Feel lucky
  And there ist ist; now you are able to use The accounts taken from an external LDAP.

• Error while configuring external LDAP user store with weblogic

  Hi,
  I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
  To do this, I have configured authentication provider and provided all the required details to connect to ldap.
  For example:
  Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
  User DN: ou=People,dc=test,dc=com
  Group DN: ou=Groups,dc=test,dc=com
  This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
  In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
  password=xxxxxxx
  username=admin
  Now while starting the admin weblogic server, I am getting the below error:
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
  <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
  Can anyone please suggest how to resolve this problem? If, anyone can suggest the exact steps to configure external ldap store to manage admin console via ldap users.
  Regards,
  Neeraj Tati.

  Hi,
  Please refer the below content that I found for Oracle 11g in the docs.
  "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
  By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
  The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
  If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
  Now in my LDAP directory, setup is in such a way that Administrators is a group created under following heirarchy " cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added in this Administrators group.
  The problem that I am having is when I modify the Admin role in which Administrators group should be added what exaclty I should give in Admin role. Whether I should give only Administrators or full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
  When i give full DN, it takes every attribute as different, i mean cn=Administrators as different and ou=Groups as different and shows a message that cn=Administrators does not exist.
  Here not sure what to do.
  Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
  Regards,
  Neeraj Tati.

• OBIEE11g: Set user privileges to  Open RPD in Read Only mode.

  Hi All,
  Can some one help me , how to set user privileges to open RPD in read only mode.
  1) If a user ( xxxx) logs into the RPD then the rpd should open in Read Only Mode for xxxx user.
  2) If other user (YYYY) logs in online mode then it should open in online mode for other user (YYYY).
  How to set the security to achieve this.

  863866 wrote:
  Hi All,
  Can some one help me , how to set user privileges to open RPD in read only mode.
  1) If a user ( xxxx) logs into the RPD then the rpd should open in Read Only Mode for xxxx user.
  2) If other user (YYYY) logs in online mode then it should open in online mode for other user (YYYY).
  How to set the security to achieve this.Hi,
  I don't think it's possible, can go with metadata dictionary option which is also help to analysis RPD.
  refer section,
  http://docs.oracle.com/cd/E23943_01/bi.1111/e10540/utilitiesexprbldr.htm#BIEMG325
  Thanks
  Deva