LDAPAuthenticator Static Groups

Similar Messages

• Static Groups

  I have run into a big problem setting and searching dynamic groups and was told static groups are the most supported and most understood. I created a static group and added some members; now I am trying to search for members of this group and am facing difficulties. This is the code I am using and its on Windows 2003 Will appreciate your help as always.
  <cfldap action="QUERY"
  name="GetLDAP3"
  attributes="uid"
  start="ou=new group, ou=groups,dc=example,dc=com"
  Scope="subtree"
  filter="(|(&(objectclass=groupofuniquenames)(uniquemember=cn=New Group,uid=xxxx,ou=xxxx,dc=example,dc=com)(member=uid=xxxx)))"
  server="xxx.xxx.x.xxx"
  Port="1389"
  username="cn=ldapforwindows"
  password="sunforwindows">

  have you tried this ?
  ldapsearch -p 1389 -b dc=example,dc=com uid=xxx isMemberOf

• I can't find iplanet-am-static-group

  After intstallation JES, and during configuring now
  postinstallation, Access Manager step, i cant find the
  attribute iplanet-am-static-group.
  I enbaled successfully the plugin Referential integrity
  postoperation. But when adding the indexes.
  Anyone has a response for my problem.
  Thanks in advance.

  enlarge your DS admin window. Find out Additional Indexes:
  Scrolling down as attributes are alphabetic order. You will find iplanet-am-static-group is below iplanet-am-modifiable-by attribute. Jerry

• Using the iplanet-am-static-group-dn attribute

  Hi,
  I'm trying to construct a user query filter that would return me all the users in a particular static group, in order to integrate with some Synchronisation Services in Plumtree Portal.
  I'm thinking of using the iplanet-am-static-group-dn attribute to do so.
  However it seems that although I can see this attribute, there are restrictions using this for queries. I could only use this attribute to query when using the root account. When I tried the same query with my application account, it returned no results.
  I need advice on a few issues:
  1) Are there other better ways to query for the users in a static group? I'm not sure if the iplanet-am-static-group-dn attribute will remain stable in future releases.
  2) If there are no better ways to do this, can the right to query using this attribute be delegated? This is a system attribute, so I'm not sure if we can really open this out to be searchable by other users other than root?
  Appreciate any advice on this at all, as I'm running on a tight deadline for this solution.
  Thanks!

  The best way to query for members of a static group is to read the list of uniqueMembers in the group entry itself.
  The iplanet-am-static-group-dn attribute is an attribute whose usage is private to Identity Server, and is not guaranteed to be up to date, accurate, or maintained by any other tool that used the directory.

• Static group performance down considerably in 5.2?

  With the caveat that this system is supporting a set of applications that require static groups (and therefore preventing us from moving to a more scalable alternative), i've found that iPlanet 5.2 is much slower than 5.1 when it comes to handling static groups.
  Consider this simple case.
  1 - Create a sample tree with 500 inetOrgPerson entries and one groupOfUniquenNames entry.
  2 - Create an LDIF file that adds the users to the group in 500 separate operations (e.g. 500 individual changetype: modify stanzas).
  3 - Create an LDIF file that deletes the 500 users from the group in the same way (500 individual changetype: modify stanzas).
  In 5.1, this operation takes 20 seconds to add, 15 seconds to delete for a total of 35 seconds.
  In 5.2, this operation takes 31.2 seconds to add, 125.5(!!!) seconds to delete, for a total of 156.7 seconds.
  Any ideas? I've worked with Sun support a bit and have implemented the nsslapd-search-tune parameter, but that's about it so far.
  Help?

  Well first lets start with what exact version of 5.1
  and 5.2 you are comparing?DS 5.2 is 5.2 Patch 2 (DS 5.2_2)
  DS 5.1 is 5.1 Service Pack 2 (DS 5.1 SP2)
  Second do you have the referential integrity plugin
  enabled? If yes is it properly indexed on 5.2?Yes it is enabled. The current attributes it is monitoring are:
  - member
  - uniquemember
  - owner
  - nsroledn(note, this only shows up in the dse.ldif, not the gui)
  All attributes are indexed for equality
  What value for nsslapd-search-tune are you using and
  what was you case number?Current nsslapd-search-tune is set to 57. Case was 64814323
  Is 5.2x installed on exactly the same machine as 5.1?
  Using the same disk partitions?Yes and yes. Tests are being run one at a time. System is a 4CPU SunFire 480R with 8GB of memory.
  Upon further investigation, it appears that group modifications are where we have the biggest hit. In my test case, i build have an ldif file with 1,000 'add single user to a specific group' operations in it. I then have a file that deletes all of those users, one at a time, from the same group.
  I then time how long it takes for ldapmodify to execute these files against the respective versions of the directory server.
  In 5.1 it takes 43 seconds to add the users, in 5.2 it takes 97.
  In 5.1 it takes 33 seconds to delete the users, in 5.2 it takes 750!!!(12.5 mins)
  This is with the same content in the tree to start with (it isn't empty). We did run into an allids threshold issue before, it is now set to 8000, which gives us enough room to avoid hitting it for objectclass=groupOfUniqueNames.
  Thanks for any suggestions you may have.

• IGMP configuration (flooding, static group)

  Hello all,
  Looking to change my IGMP configuration as it is flooding numerous switches with unnecessary traffic and causing high CPU on switches that are connected to my 6500 cores.
  The requirement is that all servers need to send/receive broadcast traffic between each other with IP address of 22.22.22.22.  All servers are on the same VLAN with same L3 gateway which is configured on my 6500 core.  Below is current configuration of VLAN interface on 6500 core:
  interface Vlan1
  description VLAN 1 - Server VLAN
  ip address 10.10.0.1 255.255.0.0
  ip flow ingress
  ip igmp snooping querier
  The "ip igmp snooping querier" was added when the servers were physical and resided on separate 3750 switches that connected to the core.  May not have been ideal configuration, but it worked.
  We have now migrated the servers to virtual and I need to remove the flooding that is occurring to all access switches and causing the high IGMP CPU process to be pegged.  My thought is that I need to configure an IGMP Static Group.  Looking for suggestions on what to configure?  How to configure? Where to configure?  Probably simple, however, I don't have a test environment to play with.  I could configure different options to try, but that will disrupt the production servers which are 24x7. please refer to attached diagram.
  Thanks,
  Tim

  Rajesh
  Static RP can co-exist with dynamic RP mechanisms (ie: Auto-RP). Dynamically learned RP takes precedence over manually configured RPs. If a router receives Auto-RP information for a multicast group that has manually configured RP information, then the Auto-RP information will be used.
  http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ip-multicast/whitepaper_c11-508498.html
  Jon

• Dynamic Group pull from static group

  We've been restructuring our distribution groups to utilize dynamic groups for some areas.  We're finding this minimizes the amount of confusion and management we have to perform on the groups.
  What I'd like to know is if it is possible to create a dynamic group that pulls from a static group.  An example, we have a static group made up of all members of a specific group.  What I'd like to accomplish, is to create a dynamic group that
  would pull from members from this group based on their Job Title.  Example: Static Group members with Title Partner

  According to this document, MemberOf is a filterable property.  You're welcome to give it a try.
  https://technet.microsoft.com/en-us/library/bb738157(v=exchg.150).aspx
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• External emails in members of static group

  Hi,
  I have been using static groups as list of emails (like alias) but all emails members of this groups are internal emails all from my domain. Someone ask me to do a list or group of emails but email members are external (yahoo, hotmail etc). How could I do this?.

  Hi jay,
  Your assumptions are correct but,
  The command "commadmin group modify
  " reported OK when I tried to add an external member but did'nt add the member. So I just add the attribute
  mgrpRFC822MailMember: [email protected]
  with an ldif file and it works fine.

• Static Group headers while scrolling "Down"

    Finally got Row Header to stay present while "scrolling down". 
  Now I would like to have the 1st group row also remain present while scrolling down in the details.  Any
  options?

  Hi Marzipan24,
  Sorry for misunderstanding you question in my former reply.
  In a table, if we want to freeze column header, we should make the changes in the first Static row group in Row Groups pane with Advanced Mode. For more details, please see:
  In the Grouping pane, click the arrow that appears to the right of the Column Groups label, and click Advanced Mode to display all groups. You have done this according to the picture you posted.
  In the Row Groups sections, click the first Static group, and then in the Properties window, set the RepeatOnNewPage property to True.
  The following screenshot is for your reference：
  Besides, if we want to freeze column header in a matrix, we can enable “Repeat header columns on each page” and “Keep header visible while scrolling” options in Column Headers in Tablix Properties dialog box.
  If there are any other questions, please feel free to ask.
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support

• Adding dynamic table in static Group UI element

  Hi Experts,
  I have a Group UI element under Root Ui element. Now in wdDoinit i have crerated a dynamic table. Can some one suggest how can i add my table in that Group UI element?
  Regards
  Pranav

  Hi Pranav,
  you can only add dynamic elements in the wdDoModifyView method of your view.
  So you best store your table element in the view-context, then use the following in your doModify:
  // get the Table from context (may differ)
  IWDTable myTable = wdContext.currentContextElement().getMyTable();
  // get the group from view
  IWDGroup group = view.getElement("<MYGROUP_ID>");
  group.addChild(myTable);
  hope that helps.
  Jan

• Static Identity Group Assignment

                     Does anyone know a way to bring in an endpoint with the following attributes?
  Endpoint Policy Name       Static = True
  Static Group Assignment   Static = True
  The 1.2 manual says;
  If the file used for import contains endpoints that have their MAC addresses, and their assigned endpoint profiling policy is the static assignment, then they are not re-profiled during import. 
  To change a dynamic assignment of an endpoint identity group to static, check the Static Group Assignment check box. If the check box is not checked, then the endpoint identity group is dynamic as assigned by the profiler based on policy configuration.
  Statically Profiled Endpoints
  An endpoint can be profiled statically when you create an endpoint with its MAC address and associate a profile to it along with an endpoint identity group in Cisco ISE. Cisco ISE does not reassign the profiling policy and the identity group for statically assigned endpoints.
  A) Does anyone know a way to import from an LDAP database and maintain the Static Group Assignment = True.
  I successfully do an LDAP import of the MAC and Endpoint Group (which comes in as True) but the Static Group Assignment has the Endpoint Group Assignment correct but static is false unchecked.  I don't want these profiling any more.  These are thousands of endpoints and I do not see any way to do a bulk change.  I have tried exporting and re-importing but that doesn't really scale.
  B) Would creation of an endpoint group that is not part of the Profiled endpoint group change the behavior I see above when I do my LDAP import?
  If there were a way to do the bulk selection and change the static property or the Static Group Assignment that would be of huge benefits.  The changes apply to the fields selected within the endpoints while maintaining the MAC property of the endpoint.
  Thanks in advance for any suggestions.

  James,
  That is possible but do you have the dhcp probe enabled and have you thought about setting up an ip helper statement or assigning the ISE node as one of the dhcp servers on the WLC?
  There is a built in check such that if the dhcp class identifier contains MSFT will profile the endpoint as a windows workstation.
  However if this is not the case then you can create the following condition under the Policy Elements > Conditions > Profiling > New Profiler Condition, you will use the create (advanced...) then select NMAP > 135-tcp > then set the operator EQUAL to msrpc.
  Then go under the Microsoft-Workstation and select the option to create a matching identity group (its much easier rather than using the heirarchy option) and set the certainity factor 30. Then add this new condition and set the certainity to 30 also.
  Hope that helps,
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Concept of groups vs concept of roles

  Hi!
  I'm designing an LDAP structure mainly for authentication and authorization of users. I want to use the LDAP server for applications, intranet (different platforms like linux, NT, ...) and portals.
  I read the Admin guide about groups and roles and found, that there aren't that many reasons for using roles instead of groups. The only real difference is (as I understood) that when using roles, I don't have to search for the the groups a user is member of, because every user contains the nsrole attribute with all the roles he is member of.
  One big reason for not using roles is, that they are quite specific for iPlanet Directory Server. If one ever changes to another product (for example OpenLDAP) the roles concept may or may not be the same. When using groups I don't have that problem.
  (If my information about that is incorrect please conradict!)
  A mixture of groups and roles is a quite bad idea because if I put a group in a role, the "nsrole" attribute is added only to the group but not the the members of the group, so if I use roles, I should stick to them and should not use any groups.
  As I told at the beginning, I am planning an LDAP structure. I don't have any "real life LDAP-experience" so if your experience is different, please tell me.
  Thanks in advance for your opinion!
  Florian

  1. Why there could be a problem without scopes in
  groups. If I have two companies and each of them has
  a group "employees". Two companies would probably be
  separated in two different subtrees, so I just use a
  dynamic group, where I can specify a subtree where
  groupmembers can be located or I use static groups,
  where I define each entry.You see, you had to make a choice on which group type you could use - not because one was more convenient for defining members for the problem at hand, but because only one would work at all.
  One thing I did not mention about roles advantages: they all work the same way - if a new role type were invented, applications written to work with roles prior to the new role, would still work with that role type. Groups types are so different that forward compatibility is not possible - mostly because to even use groups, applications have to do all the work to do common things like, enumerate the group, enumerate the groups an entry belongs to, test for group membership etc.
  >
  2. The coding logic for group evaluation with dynamic
  and static groups and even mixtures of it is quite
  complicated, it is much easier to ask an entry for a
  roledn and thats it, but do most clients support
  roles? Probably not. But then roles have not been around as long. I don't have any hard data on how many apps use roles - you would be surprised how hard it is to get that data for a developer.
  As far as I know roles are not used in any
  other LDAP Server. Well, the Sun DS, and the Netscape DS (which admittedly were once the same thing) both support the same roles.
  So you can optimize an
  applications implementing a role based queries, but
  if you have a OpenLDAP environment you also need a
  possibility to use groups. Talk to the OpenLDAP people about that. I believe they (at one time at least) decided to support the Netscape slapi interface - roles have interface components in that api.
  I do understand what you are saying - there isn't an RFC, so other servers don't support roles. Well, I'm sorry, I never got around to it. To be perfectly frank, a lot of LDAP RFCs/Drafts merely describe some proprietary mechanism which other servers never adopt. Some even describe mechanisms that nobody has ever implemented.
  When it comes down to it, it is only you who can decide whether being able to move to OpenLDAP or some other server without any reimplimentation is an important consideration. Every server will have features not supported by others, and if your choice is to use only those that are commonly supported, then that is your choice.
  Roles will allow much less complex coding in order to use them and they are much faster than equivalent client side operations, but the price is non-comformance with other servers. But when that non-conformance simply boils down to entries which merely "describe" the groups without adding application level functionality - how much have you really lost? Well, until you need to change server vendor you have only gained, and then you'll need to put in the effort you saved ealier.
  On the other side, what
  application do support roles right now? (I really
  don't know)Apart from applications by vendors that also supply DS I don't know either - but support for features such as this need to come from customers of those products. It is surprisingly simple to add support for roles in a product (for most it will almost be free) - much simpler than for groups.

• How to define membership if attribute is not given in group?

  This is a newbie question.
  If we setup an OpenLDAP provider in our security realm, we successfully see the users (from the users tree ou=People,ou=webUsers,dc=meteoswiss,dc=ch) and the groups (from the groups tree ou=Applications,dc=meteoswiss,dc=ch; in our case different applications). However the users are unfortunately not associated to the group.
  In the LDAP directory, the groups do not have an attribute such as member which links the user to the group. Instead, each group (application) has a people tree with all users associated to the group (application). The dn for such a user is as follows:
  uid=user1,ou=People,ou=ApplicationX,ou=Applications,dc=meteoswiss,dc=ch
  This user entry has an owner attribute which links this user back to the entry in the user tree:
  owner=uid=user1,ou=People,ou=webUsers,dc=meteoswiss,dc=ch
  How do we have to configure wls:static-member-dn-attribute and wls: static-group-dns-from-member-dn-filter in config.xml so that user1 is connected to ApplicationX (e.g. user1 is in the group ApplicationX)?
  From our config.xml:
       <sec:authentication-provider xsi:type="wls:open-ldap-authenticatorType">
  <sec:name>OpenLDAP</sec:name>
  <sec:control-flag>OPTIONAL</sec:control-flag>
  <wls:host>ourHost</wls:host>
  <wls:user-name-attribute>uid</wls:user-name-attribute>
  <wls:principal>cn=blabla,dc=meteoswiss,dc=ch</wls:principal>
  <wls:user-base-dn>ou=People,ou=webUsers,dc=meteoswiss,dc=ch</wls:user-base-dn>
  <wls:credential-encrypted>REMOVED/wls:credential-encrypted>
  <wls:user-search-scope>onelevel</wls:user-search-scope>
  <wls:user-from-name-filter>(&(uid=%u)(objectClass=inetOrgPerson))</wls:user-from-name-filter>
  <wls:all-users-filter>(objectClass=inetOrgPerson)</wls:all-users-filter>
  <wls:group-base-dn>ou=Applications,dc=meteoswiss,dc=ch</wls:group-base-dn>
  <wls:group-search-scope>onelevel</wls:group-search-scope>
  <wls:group-from-name-filter>(&(cn=%g)(objectClass=tvdMeteoAppl))</wls:group-from-name-filter>
  <wls:all-groups-filter>(objectClass=tvdMeteoAppl)</wls:all-groups-filter>
  <wls:static-group-object-class>tvdMeteoAppl</wls:static-group-object-class>
  <wls:static-member-dn-attribute>owner</wls:static-member-dn-attribute>
  <wls:static-group-dns-from-member-dn-filter>(&(owner=%M)(objectClass=tvdMeteoApplUser))</wls:static-group-dns-from-member-dn-filter>
  <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal>
  </sec:authentication-provider>
  Thanks, Peter
  Edited by peter05 at 10/02/2007 8:18 AM
  Edited by peter05 at 10/02/2007 8:20 AM

  The answer to the question: "Can Weblogic assign a user to a group even if the group has NOT a MEMBER ATTRIBUTE but a SUBTREE (!= ATTRIBUTE) holding a USER entry attached to the GROUP entry (GROUP->PEOPLE->USER) which holds a reference to a separate USER tree" is unfortunatelly: "No"
  Thanks anyway.
  Peter

• Group RCDC Event Handler Bug?

  I have added a field in the Group RCDC in a Tab (grouping) called "Admin" and marked it as Required within the RCDC.
  Now, if I were to take an existing group that has a Member Selection of "Criteria-Based" and change it to "Manual" and click "OK" without populating the "required" field in the other tab, I would be re-directed to
  the field with the note "The required field cannot be empty" as expected. However, if I fill out the field and submit the request, I noticed it doesn't clear the underlying "Filter" attribute and the request fails with "Group validation
  failed: Static group cannot update membership filter".
  I believe this is related to the fact that the Group RCDC has a built-in event handler when the "Member Selection" changes. But doesn't modify the "Filter" attribute unless you go to the "Members" tab? Seems the even handler
  is ignored or overridden by the event handler that checks for Required fields to be populated?
  Anyone else run into this?

  I have added a field in the Group RCDC in a Tab (grouping) called "Admin" and marked it as Required within the RCDC.
  Now, if I were to take an existing group that has a Member Selection of "Criteria-Based" and change it to "Manual" and click "OK" without populating the "required" field in the other tab, I would be re-directed to
  the field with the note "The required field cannot be empty" as expected. However, if I fill out the field and submit the request, I noticed it doesn't clear the underlying "Filter" attribute and the request fails with "Group validation
  failed: Static group cannot update membership filter".
  I believe this is related to the fact that the Group RCDC has a built-in event handler when the "Member Selection" changes. But doesn't modify the "Filter" attribute unless you go to the "Members" tab? Seems the even handler
  is ignored or overridden by the event handler that checks for Required fields to be populated?
  Anyone else run into this?

• DIP fails loading dynamic groups into OID

  Hello,
  we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that was loaded earlier as follows:
  personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
  orcltimezone=Asia/Yekaterinburg
  displayname=NOT ASCII
  employeetype=NOT ASCII
  givenname=NOT ASCII
  postalcode=628484
  orcldateofbirth=19610404000000
  orclgender=F
  departmentnumber=342
  uid=18630
  mail=HRNULL
  cn=NOT ASCII
  initials=NOT ASCII
  street=NOT ASCII
  employeenumber=4824
  middlename=NOT ASCII
  l=NOT ASCII
  orclhiredate=20051107000000
  sn=NOT ASCII
  personid=18630
  c=Russia
  title=NOT ASCII
  objectclass=inetorgperson
  objectclass=person
  objectclass=organizationalperson
  objectclass=orcluserv2
  objectclass=kapitalperson
  objectclass=country
  objectclass=residentialperson
  objectclass=locality
  objectclass=top
  Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
  Now trying to load list of departments as dynamic groups with the following config
  files:
  *** DevHRAgentGroups.cfg ***
  [SELECT]
  SELECT psv.version_number
  , pos.name hierarchyname
  , hou.organization_id depno
  , poe.organization_id_parent parent_id
  , REPLACE(hou2.name, '"') parentname
  , poe.organization_id_child child_id
  , REPLACE(hou.name, '"') orgname
  , ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(depar
  tmentnumber='||hou.organization_id||')' ldapuri
  , hrl.meaning org_type
  FROM per_organization_structures pos
  , per_org_structure_versions psv
  , per_org_structure_elements poe
  , hr_all_organization_units hou
  , hr_all_organization_units hou2
  , hr_lookups hrl
  WHERE pos.business_group_id = psv.business_group_id
  AND pos.organization_structure_id = psv.organization_structure_id
  AND pos.primary_structure_flag = 'Y'
  AND psv.date_to IS NULL
  AND poe.org_structure_version_id = psv.org_structure_version_id
  AND poe.business_group_id = hou.business_group_id
  AND poe.organization_id_child = hou.organization_id
  AND poe.business_group_id = hou2.business_group_id
  AND poe.organization_id_parent = hou2.organization_id
  AND hrl.lookup_code = hou.type
  AND hrl.enabled_flag = 'Y'
  AND hrl.lookup_type = 'ORG_TYPE'
  AND hrl.lookup_code NOT IN (30,40)
  AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
  AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
  *** DevHRAgentGroups.map ***
  DomainRules
  NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
  AttributeRules
  orgname:1: : :cn: :groupOfUniqueNames
  depno:1: : :departmentID: :kapitalDepartment
  ldapuri: : : :labeledURI: :orclDynamicGroup
  We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
  Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
  Changetype is 5
  Processing modifyRadd Operation ..
  Entry Not Found. Converting to an ADD op..
  Processing Insert Operation ..
  Performing createEntry..
  Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=
  hrsyncgroups,cn=groups,dc=ic,dc=lan'
  [LDAP: error code 1 - Dynamic group cache update failed.]
  javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=i
  c,dc=lan'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
  DIP_LDAPWRITER_ERROR_CREATE
  Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  Please, note. Loading is successful if we commenting out mapping line for labeledURI attribute (that's loading static groups).
  Loading is also successful when labeledURI is mapped to
  'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objec
  tclass=person)' but this definetly is not what we are going to get.
  I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
  ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
  Any help is appreciated
  Thanks,
  Edward

  Hi Frank,
  there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  I think this is probably the cause of failing creation of dynamic groups.
  Searching on other user attributes (cn, uid, employyenumber) works fine.
  Still don't understand what's wrong with this particular attribute.