LDAPRealmV2 using group members as entries

Hi all,
we have configured our ldaprealm v2 (wls 6.1) to have group members as entries
below the group as opposed to the normal setup with group members as attributes
of one group. This has imposed some strange problems. We have several groups mapped
to one role in our webapps, but only members of some of the groups get access.
From the debug output of the realm I see that the groups working have a dn like:
groupName=GROUPA, ou=Groups, dc=common, dc=company,dc=com
and the ones that don't have a dn like:
groupName=GROUPB,ou=Groups,dc=common,dc=company,dc=com
that is, the only difference is the spaces. I don't see how this could make such
a difference. In the LDAP all the groups look exactly the same.
Does anyone have any experience with this, or has anyone seen similar problems?
Our ldap realm is configured like this:
server.host=someserver;
server.principal=cn=Manager,dc=company,dc=com;
user.filter=(&(uid=%u)(objectclass=person));
user.dn=ou=People, dc=common, dc=company, dc=com;
membership.scope=sub;
membership.scope.depth=1;
membership.filter=(&(member=%M)(objectclass=groupMember));
group.filter=(&(groupName=%g)(objectclass=Group));
group.dn=ou=Groups, dc=common, dc=company,dc=com

Check your attribute precedence in the metaverse for the group objects "member" attribute. Make sure your ADMA is set to the highest precedence. 
Also ensure that the attribute flow on your FIM MA is an export and not an import. 
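The symptom in the question (two groups that are identical in the directory, differing only in the whitespace after the commas in the DN the realm prints) is what you see when a realm or ACL compares DN strings byte-for-byte instead of as distinguished names. The following is an added example, not code from the original post or from WebLogic: it normalises DNs per RFC 4514 (split on unescaped commas, trim insignificant whitespace, lower-case attribute types) before comparing them. Folding the case of the values as well assumes the attributes use caseIgnoreMatch, which is the usual rule for DN components but is an assumption of this example; the sample DNs are constructed to match the shape of the ones in the post.

```python
"""
Added example, not code from the original post or from WebLogic: normalise
LDAP DNs before comparing them so that "ou=Groups, dc=common" and
"ou=Groups,dc=common" (which differ only in whitespace after the separators)
are treated as the same name, as RFC 4514 requires. An authorisation check
that compares the raw strings silently denies the members of one group and
admits the members of the other, which is the symptom described above.
"""


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on `sep` only where it is neither backslash-escaped nor inside
    double quotes (both forms are legal in RFC 4514 / RFC 2253 DN strings)."""
    parts: list[str] = []
    buf: list[str] = []
    escaped = quoted = False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _strip_value(value: str) -> str:
    """Trim insignificant whitespace around an attribute value, keeping a
    trailing space that is backslash-escaped (that one is significant)."""
    value = value.lstrip()
    while value.endswith(" "):
        before = value[:-1]
        trailing_backslashes = len(before) - len(before.rstrip("\\"))
        if trailing_backslashes % 2 == 1:
            break
        value = before
    return value


def _normalize_ava(ava: str, fold_values: bool) -> str:
    """Normalise one attributeType=value pair: trim both sides, lower-case the
    type, and (assumption: caseIgnoreMatch) optionally fold the value's case."""
    if "=" not in ava:
        raise ValueError(f"malformed AVA (no '='): {ava!r}")
    attr_type, value = ava.split("=", 1)
    attr_type = attr_type.strip().lower()
    value = _strip_value(value)
    if fold_values:
        value = value.lower()
    return f"{attr_type}={value}"


def normalize_dn(dn: str, fold_values: bool = True) -> str:
    """Return a canonical string form of `dn`. RDN order is significant and is
    kept; inside a multi-valued RDN (a+b) the AVAs are sorted so that
    'cn=x+sn=y' and 'sn=y+cn=x' agree."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = sorted(_normalize_ava(a, fold_values) for a in _split_unescaped(rdn, "+"))
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs by normalised form rather than byte-for-byte."""
    return normalize_dn(a) == normalize_dn(b)


# Constructed sample DNs, shaped like the two printed in the realm debug output above.
DN_WITH_SPACES = "groupName=GROUPA, ou=Groups, dc=common, dc=company,dc=com"
DN_NO_SPACES = "groupName=GROUPA,ou=Groups,dc=common,dc=company,dc=com"


def demo() -> dict[str, bool]:
    """The naive comparison fails where the normalised one succeeds."""
    return {
        "naive": DN_WITH_SPACES == DN_NO_SPACES,
        "normalized": dn_equal(DN_WITH_SPACES, DN_NO_SPACES),
    }


if __name__ == "__main__":
    print(demo())  # {'naive': False, 'normalized': True}
```

The check to run against a realm that behaves like this is simple: take the group DN exactly as the directory returns it and the DN the realm logs, and see whether they agree only after normalisation. If so, the fix on the directory side is to store group DNs in the same canonical form the realm expects; the durable fix is for the code doing the comparison to normalise both sides, as above.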

Similar Messages

  • Controlling which email address is used for group members?

    Howdy Folks,
    Is there a way to control which email address is used for contacts that you have put into a group in Address Book?
    For example, say John Smith is a member of an Address Book group I have created. John's Address Book entry contains two email addresses for him, one for work and one for home.
    When I send an email to the group I want to have it sent to John's work email address.
    I have experimented by editing the entry and making sure the desired address is the first one listed for the individual in question, but that doesn't do the trick.
    Thanks in advance for any tips!
    --gordon
    15" PowerBook   Mac OS X (10.4.6)  

    Launch Address Book, choose Help > Address Book Help and type "group addresses" in the search box. Read the article titled "Selecting which addresses to use for members of a group". Does that solve your problem?

  • Using ios 7.0.4 can a group email be sent either from icloud or iPhone by a means other than selecting the individual Contact, ie; can the group be selected and then an email composed that will send the message to all group members.

    Hi Richard, 
    Thanks for the reply - I think I've sorted it though and there isn't actually an issue.
    The whole group wasn't receiving the NDR, only the group manager, which I set up a few weeks prior. This is a new feature so it complies with certain RFCs; basically the group manager will receive the NDR to let them know there is a problem.
    Something to do with mass mailing and unsolicited mail.
    Ta
    Ian

  • Can't remove static members using "Manage Group Members"

    Using the OAM 10.1.4.2 Group Manager app, I can remove static members from a group by modifying the Member property, but I can't remove members using the "Manage Group Members" page.
    When I search for members using that page, I get a list of the current members with an unselected checkbox for each. If I check the box next to a member and click Save, the member is not removed from the group. I turned on trace-level logging and saw that the correct user is being passed to the Identity server to be removed, but I haven't yet found anything to indicate why the removal doesn't work.
    Has anyone else run into this issue?
    Thanks,
    Matthew

    Hi Vinod,
    I'm running on Windows 2003 against a Microsoft ADAM directory. I turned on diagnostics and re-ran the test using both "Manage Group Members" and modifying the property directly. From what I can tell, the ldap modify only happens when I modify the property.
    (I had also noticed the problem with the instructions, but I eventually figured it out-- if I can get this working, I'll have to fix the verbiage before I deploy.)
    Any ideas? What platform and directory are you using?
    Thanks,
    Matthew

  • Convergence group members for invitations

    Dear all,
    we use Convergence with the latest patch level. For invitations of groups and using check availability, the group members are not resolved and therefore the busy/free time of the group members is not displayed. Instead the group name is displayed, but the group itself has no calendar.
    Is there any possibility, maybe in the Convergence config of the LDAP group settings, that the individual calendars of the invited group members show up with free/busy time, so that in consequence the auto-select time will work too?
    The invitation of the group members itself works fine.
    Thanks for any help

    How are the group members defined in the LDAP entry for the group?
    With the assumption that you are using Calendar 7 with Convergence, the Calendar configuration considers the following attributes for members in an LDAP group:
    <tt>
    davcore.ldapattr.dngroupmember=uniquemember
    davcore.ldapattr.urlgroupmember=memberurl
    davcore.ldapattr.mailgroupmember=mgrprfc822mailmember
    </tt>
    Only <tt>uniqueMember</tt> is considered for ACL checking, along with invitation and free/busy scheduling.
    The <tt>mgrprfc822mailmember</tt> attribute is taken into account only when inviting the group.
    This is because, when doing the ACL check, we are relying on the LDAP Directory to provide us with the <tt>isMemberOf</tt> attribute directly on the logged in user LDAP entry (as opposed to looking at all the members of the group). The <tt>isMemberOf</tt> operational attribute is itself derived from the <tt>uniqueMember</tt> attribute only.
    Doing a group expansion for ACL purposes would be too expensive an operation.
    As a side note, we also check for dynamic group membership through the <tt>memberurl</tt> LDAP attribute of the group, both for scheduling and ACL purposes.
    Reference KM Doc:
    Calendar 7: Allowing Members Of A Migrated LDAP Group To Subscribe To Calendars (Doc ID 1483916.1)
    -Deb

  • Using Groups in SharePoint from Active Directory

    Hello,
    Is it possible to use groups in SharePoint from AD?
    I have several groups in AD that I would like to use in SP. Of course SP has its own set up groups in permission (Owner, Member and Visitor). I do not want to use these groups. What I would like to do is use groups that are in my AD and assign those the
    designer, contributor, read-only..etc permission.
    For example, SP people picker finds my AD group called "Finance_Project" and assign this group with permission rights as a contributor.
    Is this doable in SharePoint? I would think that since SharePoint can be authenticated with AD, you should be able to use your own AD groups.
    Any suggestions, articles and answers are greatly appreciated.
    artisticweb

    You can do this in SharePoint. Are you importing the AD groups via UPA?
    Creating a SharePoint group and adding an Active Directory group to its members: this allows anyone in the Active Directory group to participate in the SharePoint group.
    Mapping roles directly to Active Directory groups and not using SharePoint groups at all.
    Here are a couple of articles which explain your choices, one over the other:
    Assign permission levels in SharePoint 2013
    Using Active Directory Vs. SharePoint Groups
    http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • How to show logged-in Line Group Members in a Hunt Pilot (CUCM V7.1.3)

    I have configured a Hunt Pilot with a Hunt List which points to a Line Group with some DNs as Line Group Members. Additionally I gave the affected users the option to log in or log out from the Hunt Pilot by configuring the "Hunt Group Logout" button in the corresponding Phone Button Template.
    Is there a way to find out who is logged-in or logged-out from the Hunt Pilot?

    Hi Bill,
    thanks for your very interesting hint .
    I ran the query you posted and actually got the following output. But the displayed line groups are only a subset of my configured 79 line groups. Is there a possibility to display all line groups with all corresponding DNs, and can I display this information for only one line group?
    When I know the query that satisfies my needs, I will write a small web application that uses the AXL-SOAP API.
    Regards, Robert
    admin:run sql select lg.name as LineGroup,n.dnorpattern,dhd.hlog from linegroup as lg inner join linegroupnumplanmap as lgmap on lgmap.fklinegroup=lg.pkid inner join numplan as n on lgmap.fknumplan = n.pkid inner join devicenumplanmap as dmap on dmap.fknumplan = n.pkid inner join device as d on dmap.fkdevice=d.pkid inner join devicehlogdynamic as dhd on dhd.fkdevice=d.pkid order by lg.name
    linegroup                      dnorpattern     hlog
    ============================== =============== ====
    LG_A-Ulr4_Augsburg_9965077_235 \+498215075234  f
    LG_A-Ulr4_Augsburg_9965077_235 \+498215075209  f
    LG_A-Ulr4_Augsburg_9965077_235 \+498215075224  f
    LG_A-Ulr4_Augsburg_9965077_235 \+498215075226  f
    LG_A-Ulr4_Augsburg_9965077_235 \+498215075227  f
    LG_A-Ulr4_Augsburg_9965079_300 \+498215075327  f
    LG_A-Ulr4_Augsburg_9965079_300 \+498215075306  f
    LG_AB-Fried17_9965006          \+496021391713  f
    LG_AB-Fried17_9965006          \+496021391714  f
    LG_AB-Fried17_9965006          \+496021391721  f
    LG_AB-Fried17_9965006          \+496021391727  f
    LG_AM-Mar9_9965004             \+499621474921  f
    LG_BT-Sch9_9965010             \+4992189423    f
    LG_DD-Fet29_9965014            \+493514459055  t
    LG_HO-Bah1_9965020             \+4992818194122 f
    LG_KE-Moz31_9965024            \+498315215110  f
    LG_LA-Dre11_9965025            \+498714308419  f
    LG_LA-Dre12_9965026            \+498719239113  f
    LG_Mue-Sta41_9965029           \+498631386227  f
    LG_N-KOEN11_9965034            \+4991124039112 f
    LG_N-KOEN11_9965034            \+4991124039142 f
    LG_N-KOEN11_9965034            \+4991124039110 f
    LG_N-Ste6_9965057_400          \+499112428403  f
    LG_N-Ste6_9965058_450          \+499112428455  f
    LG_NES-Sie2_9965008            \+499771610413  f
    LG_NES-Sie2_9965008            \+499771610421  f
    LG_NM-Bah12_9965030            \+499181293312  f
    LG_PA-Kle13_9965035            \+498519594109  f
    LG_PA-Kle13_9965035            \+498519594113  f
    LG_PAN-Drb12_9965036           \+498561961225  t
    LG_PAN-Drb12_9965036           \+498561961224  f
    LG_R-Her2_9965068_400          \+499413783414  f
    LG_TS-Bah26_9965040            \+498619887312  f
    LG_Voicemail                   997005          t
    LG_Voicemail                   997006          t
    LG_Voicemail                   997007          t
    LG_Voicemail                   997008          t
    LG_Voicemail                   997009          t
    LG_Voicemail                   997010          t
    LG_Voicemail                   997011          t
    LG_Voicemail                   997012          t
    LG_Voicemail                   997013          t
    LG_Voicemail                   997014          t
    LG_Voicemail                   997015          t
    LG_Voicemail                   997016          t
    LG_Voicemail                   997017          t
    LG_Voicemail                   997018          t
    LG_Voicemail                   997019          t
    LG_Voicemail                   997020          t
    LG_Voicemail                   997021          t
    LG_Voicemail                   997022          t
    LG_Voicemail                   997023          t
    LG_Voicemail                   997024          t
    LG_Voicemail                   997025          t
    LG_Voicemail                   997026          t
    LG_Voicemail                   997027          t
    LG_Voicemail                   997028          t
    LG_WEN-Buer16_9965041          \+499614820413  t
    LG_WEN-Buer16_9965041          \+499614820415  f
    LG_WM-Puet35_9965042           \+49881922927   f
    admin:

  • How to bulk add group members in Open Directory

    So the workgroup manager interface is ghey. The + sign to add group members drag&drops users one at a time. I need to bulk add group members.
    I tried ldapadd to add all the users quickly and that doesn't seem to work. The ldap group record now has all the users populated, under the multivalued attribute memberUid), but workgroup manager doesn't see the bulk group members.
    Any idea how to do this?

    Use tcsh SHELL builtin command 'foreach' to accomplish this:
    $ tcsh
    $ which foreach
    foreach: shell built-in command.
    $ foreach user (`cat users.txt`)
    foreach? echo adding $user to group
    foreach? /usr/bin/dscl -u diradmin -P [passwd] /LDAPv3/127.0.0.1 append /Groups/yourgroup GroupMembership $user
    foreach? end

  • Task Assignment to Group - Group Members Not Getting Email

    I have a process with an approval activity with initial user selection set to a group rather than a specific user. I want all selected users to receive an email notification that a new task awaits them. When I assign to a specific user, the custom email template is sent to the user. When I assign to a group, the group members don't get the task assignment email.
    How do I change that so that group members will receive email notification of task assignment?
    Thanks in advance!
    Eric

    One possible solution:
    You can use our Group Lookup component to get a comma-separated list of the emails of the members of the group. Then, in the step before the User>assignTask step, send the group an email. The only problem is that you won't be able to embed a link directly to the task, because the task doesn't exist yet.
    Doc: http://avoka.dnsalias.com/confluence/display/Public/Lookup+DSC
    Download: http://www.avoka.com/avoka/escomponents.shtml
    To work around this problem, you can use the technique outlined here:
    http://blogs.avoka.com/2008/10/20/customize-user-task-escalation-after-assignment/
    http://avoka.dnsalias.com/confluence/display/Public/Customize+User+Task+Escalation+After+Assignment
    If you need more assistance, contact info-at-avoka.com
    Howard

  • Missing group members in ADSI & LDAP

    Hi there. I have an AD problem here (obviously :))
    It started by wanting to list all members of a group (recursively, but that does not matter for now; the problem occurs on a single group).
    I tried this in Powershell, but our AD is still on 2003, so no AD web services, so no powershell.
    In PHP & Java I got the same results: It only shows 3 members, where there should be 23.
    In Active Directory Computers & Users, these 23 (including a group) are listed on the member tab.
    In ADSI I see only the 3 entries mentioned above in the attribute "member", and the other users don't have the memberOf attribute backlink.
    dsget group -members (-expand) works properly.
    Where do Active Directory Computers & Users and dsget get their information regarding group members from, and how can I access that programmatically via LDAP access from php or Java?

    Sorry, forgot about the Domain Users or the Domain Admins group over the link/image upload issue.
    No, it wasn't these groups.
    But: you were on the right path. The term primary group is what I was missing.
    The group is for one of our roadwarrior subsidiaries, and they are not Domain users as primary group, but the one shown here.
    Do you happen to know which LDAP attributes represent the primary group association?
    The primaryGroupID attribute stores the RID of the group that is assigned as the primary group. This was to work around the limitation in Windows 2000 before LVR (Linked-Value Replication) so that more than 5000 users could be members of the same group. (It also
    plays a role for POSIX - Services for Mac clients)
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
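The practical consequence of the answer above is that any membership enumeration built on `member` or `memberOf` alone is incomplete: a user whose primaryGroupID points at the group is a member for every access decision, yet appears on neither attribute. The following is an added example, not code from the thread or from Microsoft. It decodes the binary objectSid that AD returns for a group, takes the RID from it, and builds a search filter that matches both kinds of member, escaping the group DN per RFC 4515 so a parenthesis or asterisk in the DN cannot alter the filter. The `nested` option uses the AD-specific LDAP_MATCHING_RULE_IN_CHAIN rule for transitive memberOf; that primaryGroupID is only honoured within the user's own domain, and the sample SID and DN, are assumptions of this example.

```python
"""
Added example, not code from the thread above: enumerate the members of an
AD group without missing users whose membership comes from primaryGroupID.
Those users are absent from the group's 'member' attribute and carry no
'memberOf' back-link for it (the symptom in the thread), so a search on
either attribute alone is incomplete. The group's RID is the last
sub-authority of its objectSid; AD returns objectSid as a binary blob,
which sid_to_string() decodes. The sample SID and DN are constructed.
"""
import struct


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (revision byte, sub-authority count byte, 48-bit
    big-endian authority, then 32-bit little-endian sub-authorities)."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subauths = struct.unpack_from(f"<{count}I", sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subauths)))


def rid_from_sid(sid: str) -> int:
    """The relative identifier is the final component of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter. Without it a
    DN containing '(' , ')' or '*' would change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_filter(group_dn: str, group_sid: str, nested: bool = False) -> str:
    """Filter matching every user the group contains by either mechanism.
    nested=True uses LDAP_MATCHING_RULE_IN_CHAIN (AD-specific, transitive
    memberOf). primaryGroupID is never transitive and only applies to users
    in the same domain as the group (assumption of this example), so it
    stays a plain equality match."""
    dn = escape_filter_value(group_dn)
    member_of = (f"(memberOf:1.2.840.113556.1.4.1941:={dn})" if nested
                 else f"(memberOf={dn})")
    rid = rid_from_sid(group_sid)
    return f"(&(objectClass=user)(|{member_of}(primaryGroupID={rid})))"


# Constructed sample: a domain SID S-1-5-21-1-2-3 with an arbitrary group RID 1105,
# laid out exactly as AD would return it in the objectSid attribute.
SAMPLE_GROUP_SID_BIN = (bytes([1, 5]) + (5).to_bytes(6, "big")
                        + struct.pack("<5I", 21, 1, 2, 3, 1105))
SAMPLE_GROUP_DN = "CN=Road Warriors (EMEA),OU=Groups,DC=example,DC=com"


def build_sample_filter(nested: bool = False) -> str:
    """The filter to run against the domain for the sample group."""
    return member_filter(SAMPLE_GROUP_DN, sid_to_string(SAMPLE_GROUP_SID_BIN), nested)


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_GROUP_SID_BIN))
    print(build_sample_filter())
```

Run the resulting filter with the domain root as the search base; the union of the two clauses is what `dsget group -members` and the ADUC member tab show, and is the set any access-review or "who can reach this resource" tooling should be using.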

  • CustomRealm without listing Group Members

    Hi,
    we are considering implementing a custom security realm. We have a fixed number
    of groups to be used in ACLs. Users are stored in an LDAP server.
    Group membership depends on some information on the individual user which needs
    to be gathered from a separate backend system. Therefore, it is not feasible to
    implement the getMembers() method on the Group class since that means iterating
    over all "user records" in the backend system.
    Here my question:
    1. Is the getMembers() method needed for Authorization and/or Authentication or
    can we simply make it return an empty list? (We do not mind if we do not see group
    members in the administration console.)
    2. Is it a good idea at all to have this kind of group definition?
    3. What about the method "getUsers" for the ListableRealm? Is this one needed
    for Authorization/Authentication? This method poses a similar problem.
    Regards,
    Andreas

    > 1. Is the getMembers() method needed for Authorization and/or Authentication or
    > can we simply make it return an empty list? (We do not mind if we do not see group
    > members in the administration console.)
    I think this method is not needed at all for authentication and
    authorization, it's only used to list the users in the WL admin page.
    > 3. What about the method "getUsers" for the ListableRealm? Is this one needed
    > for Authorization/Authentication? This method poses a similar problem.
    Same answer.

  • Copy global group members to local groups

    I have an AD environment with a lot of global groups, all named G-FG-groupname and I would like to move (or copy) the members of these groups to already existing domain local groups with a similar groupname but
    with another prefix which is L-RG-groupname.
    Example, in which Testn can be replaced by any name.
    Members of domain global group G-FG-Test1 have to be moved or copied to domain local group L-RG-Test1
    Members of domain global group G-FG-Test2 have to be moved or copied to domain local group L-RG-Test2
    Members of domain global group G-FG-Test3 have to be moved or copied to domain local group L-RG-Test3
    etc..
    Many thanks!

    Hi Hoffer,
    as Mike already said, use the SearchBase parameter. Here's an example of how it could look in the previous script:
    # Import Module
    Import-Module ActiveDirectory
    # Get old Groups
    $GroupsOld = Get-ADGroup -Filter { name -like "G-FG-*" } -Properties Members -SearchBase "OU=OU TestOU,DC=intra,DC=netzwerker,DC=de"
    # Then for each group do ...
    foreach ($GroupOld in $GroupsOld) {
        # Get the name of the new group ("G-FG-" is 5 characters)
        $NewName = "L-RG-" + $GroupOld.Name.SubString(5)
        # Add Group Members; stop here if the target group is missing, so the old
        # group is never emptied before its members have been copied
        Add-ADGroupMember -Identity $NewName -Members $GroupOld.Members -ErrorAction Stop
        # Remove Members from old group
        Remove-ADGroupMember -Identity $GroupOld -Members $GroupOld.Members -Confirm:$false
    }
    Basically, use the Distinguished Name of an Organizational Unit as the SearchBase parameter.
    If you want to know the Distinguished Name of a given OU, you can either use the AD Console, or use this command (change the name as necessary):
    Get-ADOrganizationalUnit -Filter { name -eq "OU TestOU" } | Select -ExpandProperty DistinguishedName
    Cheers,
    Fred
    There's no place like 127.0.0.1

  • RRM RF Group Leader not updating RF Group Members

    We cannot get RRM RF Group Leader to update the RF Group Members. On our group leader controller, it sees our other controllers in the RF group. We have APs assigned to all four of our controllers and the tx power and dynamic channel assignment do not work. When we put all of the APs onto the RF group leader controller, the tx power levels and dynamic channel assignment both work as they are supposed to. All of our settings on our controllers are exactly the same. I guess my question is, is there a set of specific settings that I need to apply before RRM starts to update from the RF group leader?

    We have all four of our controllers on the same RF Domain Name. We have verified the status of the Mobility Group using eping and mping. We split up our APs on two of our controllers that are in the same 6500 and it still would not update from the RRM Group Leader. We "tricked" the WLC into moving the group leader onto the other controller that was in the same 6500. The same thing happened, now the 2nd controller won't send updates to the original controller. We moved all the APs onto the group leader and everything worked fine.

  • Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

    Hi,
    First timer here so please bear with me!
    Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
    When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
    I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
    Am I missing something in the options for the GP preference to set this automatically?
    I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
    Any help would be greatly appreciated!
    Thanks a lot!
    David

    Shane,
    There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
    (All VPN connections are stored in the same .pbk file.)
    Here's the trick: Opening the .pbk file in notepad, I realized that this is actually an old-style ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connection names, like [My VPN],
    and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
    So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
    Create a new object with Action = Update, and File Path =
    C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
    (If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
    Section Name should be the display name of your VPN connection, without the brackets.
    Property Name = IpPrioritizeRemote
    Property Value = 1
    Peter, www.skov.com, Denmark
    Peter :-)
    This is great, but just one question. I also want to append a list of DNS suffixes in order (when viewing a VPN's properties, this is buried in
    "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know
    where these are stored?
    Cheers.
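Because rasphone.pbk is the plain ini file Peter describes (section = connection name, IpPrioritizeRemote = "Use default gateway on remote network"), it is also easy to audit: a connection whose flag is absent or not 1 is one that allows split tunnelling. The following is an added example, not code from the thread or from Microsoft. It parses a pbk file, lists the offending connections, and applies the same single-key change the GPP Ini File item makes. The sample file is constructed for this example and carries only the keys it needs; a real rasphone.pbk has many more, and the exact key set is not something the thread documents.

```python
"""
Added example, not code from the thread above: audit and fix the
ini-structured rasphone.pbk that Group Policy Preferences edits. Section
name = VPN connection name, property IpPrioritizeRemote = the "Use default
gateway on remote network" checkbox; a value other than 1 (or a missing
key) means split tunnelling is allowed for that connection. SAMPLE_PBK is
constructed and minimal; it is not a real rasphone.pbk.
"""


def parse_pbk(text: str) -> dict[str, dict[str, str]]:
    """Minimal ini reader. A later duplicate key overwrites an earlier one,
    which is also how a single GPP 'Update' item wins for the key it writes."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def split_tunnel_allowed(text: str) -> list[str]:
    """Connections whose IpPrioritizeRemote is missing or not 1."""
    return [name for name, props in parse_pbk(text).items()
            if props.get("IpPrioritizeRemote") != "1"]


def enforce_full_tunnel(text: str, connection: str) -> str:
    """Return the file with IpPrioritizeRemote=1 in `connection`'s section,
    touching nothing else. Raises KeyError if the section is absent, so a
    typo in the name does not silently create a new, unused section."""
    out: list[str] = []
    in_section = found_section = done = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not done:          # section ended without the key
                out.append("IpPrioritizeRemote=1")
                done = True
            in_section = stripped[1:-1] == connection
            found_section = found_section or in_section
        elif (in_section and not done
              and stripped.split("=", 1)[0].strip() == "IpPrioritizeRemote"):
            out.append("IpPrioritizeRemote=1")  # replace the existing value
            done = True
            continue
        out.append(line)
    if not found_section:
        raise KeyError(connection)
    if not done:                                 # target was the last section
        out.append("IpPrioritizeRemote=1")
    return "\n".join(out) + "\n"


# Constructed sample: one compliant connection, one with the flag cleared,
# one where the key was never written.
SAMPLE_PBK = """\
[Corp VPN]
Encoding=1
IpPrioritizeRemote=1
[Lab VPN]
Encoding=1
IpPrioritizeRemote=0
[Legacy VPN]
Encoding=1
"""

if __name__ == "__main__":
    print(split_tunnel_allowed(SAMPLE_PBK))  # ['Lab VPN', 'Legacy VPN']
```

Pointing `split_tunnel_allowed` at C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk (and at each user's copy under C:\Users\...\AppData) after the GPO has applied is a quick way to confirm the preference actually landed on every connection, rather than trusting the GPP result code.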

  • Migrate network object group members; risk

    We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do; I am not sure it really helps me clean old objects. It seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations, but if there are "gotchas" I don't want to put the company in that position. What has been the community's and Cisco's experience? Thanks for any feedback. jc

    John,
    if you feel that is risky, you can always go for plan B.
    - you can take a closer look at the object groups and decide on a new object naming convention policy.
    - from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
    - you can see the same services used in a couple of rules with different service groups, like:
        object-group service WEB-PORTS tcp
         port-object eq http
         port-object eq https
        object-group service APPLICATION-PORTS tcp
         port-object eq http
         port-object eq https
        object-group service APPS-PORT tcp
         port-object eq www
         port-object eq https
    - you can replace all these different object-groups with one object group, like WEB-PORTS.
    - the same way you can do the exercise for network groups as well.
    hope this helps.
    JD...
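Finding the duplicate service groups JD describes by eye does not scale on a config that has been through two major-version migrations, and the third group in his example (`eq www` versus `eq http`) shows why a plain text diff is not enough. The following is an added example, not code from the thread or from Cisco: it parses the `object-group service` blocks out of an ASA configuration, resolves port keywords to numbers before comparing, and reports groups whose membership is identical. The keyword-to-port table is an assumption of the example (www and http are both taken to mean TCP 80, which is how ASA treats them); unknown member lines such as `group-object` are kept verbatim so they still take part in the comparison rather than being dropped. The sample config is constructed from the groups in the reply plus two non-duplicates.

```python
"""
Added example, not from the original thread or from Cisco: find ASA service
object-groups whose members are the same set of ports so they can be
collapsed into one group. Port keywords are mapped to numbers before the
comparison (assumption: 'www' and 'http' are both TCP 80 on ASA). Only
'port-object eq <p>' and 'port-object range <a> <b>' are interpreted; any
other member line (group-object, service-object, ...) is kept verbatim so
it still influences the comparison instead of being silently ignored.
"""
from collections import defaultdict

# ASA keyword -> port number. Assumption: this subset covers the sample config.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25,
              "domain": 53, "ftp": 21, "telnet": 23, "ldap": 389, "ldaps": 636}


def _port(token: str) -> int:
    t = token.lower()
    if t in PORT_NAMES:
        return PORT_NAMES[t]
    if t.isdigit():
        return int(t)
    raise ValueError(f"unknown port keyword {token!r}; add it to PORT_NAMES")


def parse_service_groups(config: str) -> dict[str, frozenset]:
    """Map each service object-group name to a frozenset of its members,
    each member being (protocol, low_port, high_port) or ('raw', line)."""
    groups: dict[str, set] = {}
    name = proto = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():
            # top-level line: starts a new service group or ends the current one
            parts = line.split()
            if parts[:2] == ["object-group", "service"]:
                name = parts[2]
                proto = parts[3] if len(parts) > 3 else "any"
                groups[name] = set()
            else:
                name = proto = None
            continue
        if name is None:
            continue                       # indented line outside a service group
        parts = line.split()
        if parts[0] == "port-object" and parts[1] == "eq":
            p = _port(parts[2])
            groups[name].add((proto, p, p))
        elif parts[0] == "port-object" and parts[1] == "range":
            groups[name].add((proto, _port(parts[2]), _port(parts[3])))
        elif parts[0] == "description":
            continue                       # cosmetic, never affects matching
        else:
            groups[name].add(("raw", line))
    return {n: frozenset(m) for n, m in groups.items()}


def duplicate_groups(config: str) -> list[list[str]]:
    """Sets of group names that resolve to exactly the same members."""
    by_members: dict[frozenset, list[str]] = defaultdict(list)
    for group_name, members in parse_service_groups(config).items():
        by_members[members].append(group_name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


# Constructed sample: the three groups from the reply above plus two that
# must not be reported (different protocol, different ports).
SAMPLE_CONFIG = """\
object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPLICATION-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPS-PORT tcp
 port-object eq www
 port-object eq https
object-group service DNS-PORTS udp
 port-object eq domain
object-group service MGMT tcp
 description admin access
 port-object eq ssh
 port-object range 8443 8444
"""

if __name__ == "__main__":
    print(duplicate_groups(SAMPLE_CONFIG))  # [['APPLICATION-PORTS', 'APPS-PORT', 'WEB-PORTS']]
```

Feed it the output of `show running-config object-group service`; each reported set is a candidate for rewriting the referencing access-list entries to a single group and then deleting the rest, which is a change you can review line by line before applying, unlike the bulk ASDM migration.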
