Link existing resource to Active Directory

Similar Messages

• Joining 10.8.5 with existing account to Active Directory domain

  Hi-
  I have a MacBook Pro that I am using as a test computer to figure out how to introduce the growing population of Mac's into our Active Directory environment in our small company. This comptuer is running OSX 10.8.5
  There is a test account in AD that I will be using to connect to the windows domain. I am able to get the Laptop binded to AD, and have no problem authenticating, and seeing all the network resources required.
  Here is the part that has me stumped:
  Is there any way to take my existing "local" account that was configured when I began using my MBP without Active Directory and continue to use it, but logon to the laptop using my Active Directory account?
  Perhaps copy all the settings and preferences from the local account ontop of the AD account on the laptop?
  I have been using this laptop as my personal machine for many months and have quite a few customizations made to my deskop preferences, icon layouts, etc. This will be same case with all of the users that will soon be authenticating on the domain. We need this for centralized management of network shares, password policies, and number of other security features.
  There is some limited information on the web, but nothing that I have tried really works, here's some of what i found and the difficulty that resulted.
  http://community.spiceworks.com/how_to/show/37886-convert-mac-local-user-into-ac tive-directory-network-user
  - The script mentioned in step 3 was not able to copy local account to the destination folder.
  http://robotcloud.screenstepslive.com/s/2459/m/5322/l/112415-convert-local-accou nts-to-network-mobile-accounts
  - The sudo mv /Users/USERNAME /Users/DIRUSERNAME command was not able to make the "DIRUSERNAME" directory, and did not have any effect if this directory already existed due to a prior logon.
  I'm just looking for some help making it so that my users can retain their desktop layouts that they are used to, but logon to the domain using AD credentials.
  Seems simple, but is pretty difficult to get done.
  Thanks in advance for any help....
  -Aaron

  This might help:
  http://www.afp548.com/article.php?story=20060517222656622&query=radius

• How to migrate from existing Database Usermanagement to Active Directory?

  Hello experts,
  we are running a portal with more than 2000 users. So far our user management is done by the portal´s own identity management with the database as data source.
  However for many reasons instead of the database we would like to use an existing company´s Active Directory (=AD) as a data source for identity management. That means that we would like only to use the AD-users and AD-groups in the portal.
  All users who are in the portal´s database now you can find also in the existing company´s Active Directory. Luckily the users have the same ID both in the database and in the AD.
  We know that the migration form the database to AD is a big issue since many portal objects depend on the existing structures. However because the IDs of users are identical in both systems we hope to finde a way to "override" the existing usermanagement data with the AD data without loosing the existing settings (e.g. KM-Permissions, user profiles etc.).
  Generally I am asking you if you have had already experience with changing the user management´s datasource of an already "living" portal (several 1000 users) to Active Directory User Managent.
  What problems can occour?
  Which modifications need to be done?
  Which portal´s objects are affected by the migration?
  Is a migration possible at all?
  I will appreciate all suggestions, remarks, ideas.
  Thanks in advance.
  Thomas

  Hello experts,
  the current permissions in the KM-Objects are based on both groups and users from database.
  Because it is not possible to modify the Group´s Display Name in the portal´s database we would also like to use LDAP-Groups in the portal: All users and groups in the portal shall be managed by Active Directory in future.
  In the Active Directory it is possible to modify the Display Name of groups. This is a necessary feature because of reorganisations of departments in our company which occur from time to time.
  Creating new groups with the new department names is not an option because one has to assign all department members to the new group again. Otherwise one need to asign the new group to the ACLs of all KM objects in question. This is a too big deal.
  However, thank you for that hint Michael.
  Any other experiences?
  I will appreciate any ideas, foreseen problems.
  Thomas

• Updating custom boolean attribute in Active Directory via OIM

  The adapters delivered with the AD connector support updating standard attributes (string) and multi-value attributes, but I can't seem to figure out how to update a custom Boolean attribute in AD via OIM. The delivered Boolean fields all appear to have custom adapters (ie Account Locked, Password Never Expires, etc.)
  I've tried using the delievered adpADCSCHANGEATTRIBUTE adapter, but it fails (as expected) with:
  +com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : updateDetails : Attributes cannot update:[LDAP: error code 21 - 00000057: LdapErr: DSID-0C090B73, comment: Error in attribute conversion operation, data 0, v1772 ]+
  Suggestions?

  No I don't have custom boolean attributes in AD. But I added custom attributes of other types.
  When you say custom, do you mean it did not come with the out of the box AD connector, but exists in the Active Directory of your organization?
  There are a few attributes in AD which look like they are boolean when you see the AD console but are actually different. Look at the link for details.
  [http://support.microsoft.com/kb/305144]
  Look at this post for context.
  AD Provisioning - Password never expires & User must chg pwd at next logon
  Thanks,
  M

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• How to avoid duplicate DN exception when creating Active Directory Account

  I am using OIM 9.1.0.2 to provision Active Directory accounts.
  I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
  Here is an example.
  User 1 exists already and their DN: cn=john smith, cn=users, dc=company,dc=org
  New user joins the company and his name is also john smith and he has no middle name: so system attempts to create his account as cn=john smith, cn=users, dc=company,dc=org
  how can I accomplish this by making the account say cn=john smith_1, cn=users, dc=company,dc=org

  855640 wrote:
  I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
  There are two different questions:
  1. How to generate a sequence of candidates for the name attribute
  2. How to check if a record with the given name candidate already exists in the Active Directory, and hence try the next candidate from the sequence.
  The answer for the first part is usually defined by the policy existing in your organization, in the simplest case you can append sequential integer numbers to the end of the original name.
  The answer for the second question is not so simple if you use are provisioning with MSAD connector.
  There are two places you can put the check:
  -- in the pre-populate adapter for the UD_ADUSER_COMMONNAME field
  -- in the adpADCSCREATEUSER event handler, which is responsible for new AD user record creation.
  Both cases need some coding, since you have to obtain the AD connection and search AD for matching records.
  Pros & cons
  Placing check code in the pre-populate adapter:
  Pros:
  the result is visible in the form, administrator can change the pre-calculated value if he wishes
  Cons:
  you need to have all access to connection parameters, and establish one extra connection
  this is not the way OIM is supposed to work :-(
  Placing check code in the AD user creation task:
  Pros:
  you have all access to connection parameters, and open a connection here anyway
  Cons:
  the result is not present in the form, so no way for manual interaction by administrator here
  BTW: this problem is not only related to DN generation, some other AD attributes (e.g. sAMAccountName, mailNickName, userPrincipalName, mail) should be unique in the AD domain scope.
  Edited by: madhatter on Sep 7, 2012 12:02 AM

• Active Directory schema extensions

  Hi
  We are in a process of implementing SAP LDAP sync to manage users from MS Active Directory. SAP requires schema extension generated by RSLDAPSCHEMAEXT program to be applied to Active Directory so that report RSLDAPSYNC_USER can be identify SAP users in MS AD.
  The MS AD team says that any non miscrosoft schema extensions are not supported as OIDs of the schema might conflict with other applications / patches.
  Are the MS AD schema extensions generated by SAP program RSLDAPSCHEMAEXT supported / certified by Microsoft.
  Harsh

  Hi Harsh,
  I would like to point you also to SAP Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
  It especially states that:
  ..."The text document generated by RSLDAPSCHEMAEXT was supplied and validate as part of a certification process by the directory vendor."...
  that means in this case by Microsoft.
  If you decide not to use the schema extension that has been supplied by Microsoft you can use attributes that are already existing in your Active Directory as Juergen already pointed out.
  As an example Microsoft Exchange Server creates several additional attributes such as extensionattribute1, ... , extensionattribute15 as part of the installation process. These attributes might be an option for you if you do not want to use the schema extension suggested by RSLDAPSCHEMAEXT.
  Please have in mind that the filter attribute that you will use to determine the SAP username should be indexed since this will reduce the synchronization time.
  Best Regards,
  André

• Integrating Active Directory LDAP in OBIEE 11g

  Hi All,
  I Have Configured Active Directory LDAP in OBIEE.
  Steps i have Followed are,
  1) configured Active Directory in providers under Scurity Releam.
  2) Restarted BI Services to Load the Ldap Users.
  3) login to the EM under bifoundation domain selected securitues->security configuration provider.created user.login.attr and username.attr.
  4) under Credentials->oracle.bi.system map->system.user->deleted BISystemUser and Created key with the Existing name in Active Directory.
  5) assigned System user to BISystem role in em.
  6) in Console Roles and Polocies->Global Roles->Roles->Admin->view Role Condition (User = Active Directory User or Group=Administrators).
  7) Restarted BI Server and Presentation Services.
  Now I am Unable to Login to Presentation Services.
  Please Reply ASAP.
  Thanks and Regards
  Kiran Kumar

  Kiran, Is there a specific reason for using RPD for LDAP authentication? From 11g onwards, the best practice is to use Weblogic (or external Authentication providers). Is it correct to say that for "Authentication' without proper RPD LDAP config for "USER" variable, users cannot login via presentation layer?
  Cheers!
  BK

• Active Directory users unable to change passwords

  I have about 10 Macs running 10.4.11 that are bound to Active Directory (Windows 2000 Server).
  Users see the warning that their password is about to expire. However, for users who have a local account on the machine, when they attempt to change their password via System Prefs, only the local password is changed - the Active Directory password remains unchanged.
  For users who do not have a local account on the machine, this error occurs:
  "You cannot change your password to the password you entered. Your system administrator may not allow you to change your password or there was some other problem with your password."
  We have the following password requirements in place via Group Policy: complexity, length, min age (2 days), max age (90 days), history (last 4 remembered).
  Has anyone else encountered this?
  Thanks.

  Sign me up as well. I dont remember this being an issue before 10.5.5. I notice that it makes directory services crash and makes a crash report. I'll paste below.
  Note: the time appears to be synced properly with the domain controller-BUT i can an error in the console saying:
  com.apple.service_helper[6492]: launchctl: Error unloading: org.ntp.ntpd
  com.apple.launchd[1] (org.ntp.ntpd): Unknown key: SHAuthorizationRight
  I am able to communicate with time server via ntpq -inp
  Directory Service Crash Report:
  Process: DirectoryService [34]
  Path: /usr/sbin/DirectoryService
  Identifier: DirectoryService
  Version: ??? (???)
  Code Type: X86 (Native)
  Parent Process: launchd [1]
  Date/Time: 2008-12-05 16:38:09.091 -0800
  OS Version: Mac OS X 10.5.5 (9F33)
  Report Version: 6
  Exception Type: EXCBADACCESS (SIGSEGV)
  Exception Codes: KERNINVALIDADDRESS at 0x00000000c018096b
  Crashed Thread: 2
  Thread 0:
  0 libSystem.B.dylib 0x94a734a6 machmsgtrap + 10
  1 libSystem.B.dylib 0x94a7ac9c mach_msg + 72
  2 com.apple.CoreFoundation 0x948ef0ce CFRunLoopRunSpecific + 1790
  3 com.apple.CoreFoundation 0x948efd54 CFRunLoopRun + 84
  4 DirectoryService 0x000173ff main + 2767
  5 DirectoryService 0x00016912 start + 54
  Thread 1:
  0 libSystem.B.dylib 0x94a734a6 machmsgtrap + 10
  1 libSystem.B.dylib 0x94a7ac9c mach_msg + 72
  2 com.apple.CoreFoundation 0x948ef0ce CFRunLoopRunSpecific + 1790
  3 com.apple.CoreFoundation 0x948efd54 CFRunLoopRun + 84
  4 DirectoryService 0x000235bc CPluginRunLoopThread::ThreadMain() + 222
  5 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  6 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  7 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  8 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 2 Crashed:
  0 libobjc.A.dylib 0x94de1688 objc_msgSend + 24
  1 ...oryService.Active Directory 0x00305eaf -[ADSPluginNode changePassword:recordName:oldPassword:newPassword:] + 767
  2 ...oryService.Active Directory 0x003415ee BaseDirectoryPlugin::DoSimplePasswordChange(sBDPINodeContext*, __CFString const*, tDataBuffer*) + 682
  3 ...oryService.Active Directory 0x00340b76 BaseDirectoryPlugin::DoAuthentication(sDoDirNodeAuth*, char const*, CDSAuthParams&) + 718
  4 ...oryService.Active Directory 0x00346aca BaseDirectoryPlugin::ProcessRequest(void*) + 1376
  5 ...oryService.Active Directory 0x0030ebae ADSPlugin::ProcessRequest(void*) + 66
  6 ...oryService.Active Directory 0x0033fc5c _ProcessRequest(void*, void*) + 92
  7 DirectoryService 0x00002d8d CRequestHandler::HandlePluginCall(sComData**) + 775
  8 DirectoryService 0x00003b48 CRequestHandler::HandleRequest(sComData**) + 82
  9 DirectoryService 0x0002ec71 dsmigdo_apicall + 543
  10 DirectoryService 0x00060df4 Xapicall + 407
  11 DirectoryService 0x00060aa0 DirectoryServiceMIG_server + 109
  12 DirectoryService 0x00026d08 dsmigdemux_notify(mach_msg_headert*, machmsg_headert*) + 86
  13 libSystem.B.dylib 0x94ae8ed3 machmsgserver + 343
  14 DirectoryService 0x000237f5 CMigHandlerThread::ThreadMain() + 303
  15 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  16 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  17 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  18 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 3:
  0 libSystem.B.dylib 0x94a7a68e _semwaitsignal + 10
  1 libSystem.B.dylib 0x94acb8e0 pthreadcondtimedwait$UNIX2003 + 72
  2 ...ectoryServiceCore.Framework 0x00168409 DSEventSemaphore::WaitForEvent(long) + 191
  3 DirectoryService 0x00043200 CSearchPlugin::CheckNodes(tDirPatternMatch, int*, DSEventSemaphore*) + 1120
  4 DirectoryService 0x000432f9 CSearchPluginHandlerThread::ThreadMain() + 101
  5 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  6 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  7 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  8 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 4:
  0 libSystem.B.dylib 0x94a7a68e _semwaitsignal + 10
  1 libSystem.B.dylib 0x94acb8e0 pthreadcondtimedwait$UNIX2003 + 72
  2 ...ectoryServiceCore.Framework 0x00168409 DSEventSemaphore::WaitForEvent(long) + 191
  3 DirectoryService 0x00043200 CSearchPlugin::CheckNodes(tDirPatternMatch, int*, DSEventSemaphore*) + 1120
  4 DirectoryService 0x000432f9 CSearchPluginHandlerThread::ThreadMain() + 101
  5 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  6 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  7 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  8 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 5:
  0 libSystem.B.dylib 0x94aa3f66 kevent + 10
  1 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  2 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 6:
  0 libSystem.B.dylib 0x94ac35e2 select$DARWIN_EXTSN + 10
  1 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  2 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 7:
  0 libSystem.B.dylib 0x94ab61d5 syscall + 5
  1 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  2 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  3 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  4 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 8:
  0 libSystem.B.dylib 0x94a734a6 machmsgtrap + 10
  1 libSystem.B.dylib 0x94a7ac9c mach_msg + 72
  2 libSystem.B.dylib 0x94ad0dc1 machmsg_serveronce + 318
  3 DirectoryService 0x00023768 CMigHandlerThread::ThreadMain() + 162
  4 ...ectoryServiceCore.Framework 0x00167f83 DSCThread::Run() + 39
  5 ...ectoryServiceCore.Framework 0x0016818e DSLThread::_RunWrapper(void*) + 84
  6 libSystem.B.dylib 0x94aa46f5 pthreadstart + 321
  7 libSystem.B.dylib 0x94aa45b2 thread_start + 34
  Thread 2 crashed with X86 Thread State (32-bit):
  eax: 0x0028c030 ebx: 0x94fa606b ecx: 0x94e7d334 edx: 0xc018094b
  edi: 0x00000001 esi: 0x00600fe0 ebp: 0xb01027e8 esp: 0xb0102678
  ss: 0x0000001f efl: 0x00010206 eip: 0x94de1688 cs: 0x00000017
  ds: 0x0000001f es: 0x0000001f fs: 0x0000001f gs: 0x00000037
  cr2: 0xc018096b
  Binary Images:
  0x1000 - 0x10ffff +DirectoryService ??? (???) <4c56e8e1e57b70096f86b84a52d49c0a> /usr/sbin/DirectoryService
  0x160000 - 0x16eff3 com.apple.DirectoryServiceCore.Framework 3.5.5 (3.5.5) <29a684df6d0a0fafe87aeabaa5ca72c9> /System/Library/PrivateFrameworks/DirectoryServiceCore.framework/Versions/A/Dir ectoryServiceCore
  0x19b000 - 0x19dffc apop.so ??? (???) <af168e2e8b86c66628d8b1d44b646cb7> /usr/lib/sasl2/apop.so
  0x1a1000 - 0x1a9fff digestmd5WebDAV.so ??? (???) <192fc897aeea8b4c8fe66dcef8137a95> /usr/lib/sasl2/digestmd5WebDAV.so
  0x1ca000 - 0x1ccfff libanonymous.2.so ??? (???) <161902c9ed78dce78b61125c7c155f0f> /usr/lib/sasl2/libanonymous.2.so
  0x1e3000 - 0x1e5ffc libcrammd5.2.so ??? (???) <c917c89eefddcfcacf48c939c3af12aa> /usr/lib/sasl2/libcrammd5.2.so
  0x1e9000 - 0x1f2ffb libdigestmd5.2.so ??? (???) <c8595204acd0e7cb362b33d008693019> /usr/lib/sasl2/libdigestmd5.2.so
  0x1f6000 - 0x1fafff libgssapiv2.2.so ??? (???) <a47ee23249e7c36aee418a6e7fd3a502> /usr/lib/sasl2/libgssapiv2.2.so
  0x300000 - 0x358ffc com.apple.DirectoryService.Active Directory 1.6.3 (1.6.3) <aeaf0f5bed2b48a776a4567154f3fa66> /System/Library/Frameworks/DirectoryService.framework/Resources/Plugins/Active Directory.dsplug/Contents/MacOS/Active Directory
  0x377000 - 0x38ffe2 dhx.so ??? (???) <8144ab11b8201f120dc87f3ec57d0714> /usr/lib/sasl2/dhx.so
  0x39e000 - 0x3a0ffc login.so ??? (???) <03d28ec908a6ed9abee1b25fe87716ef> /usr/lib/sasl2/login.so
  0x3a4000 - 0x3abffc libotp.2.so ??? (???) <0b7c8cd165835331c586e49465ef1186> /usr/lib/sasl2/libotp.2.so
  0x3b5000 - 0x3b7ffc libplain.2.so ??? (???) <5992f1149ff6cc7fadafa2bfd4ecc00a> /usr/lib/sasl2/libplain.2.so
  0x3bb000 - 0x3c0ffc libpps.so ??? (???) <31fe03649320e2f8b5404b179684d23a> /usr/lib/sasl2/libpps.so
  0x3c6000 - 0x3c9fff mschapv2.so ??? (???) <5c0fc0400a600f7c2d29ecbf95bc6017> /usr/lib/sasl2/mschapv2.so
  0x3cd000 - 0x3cfffc shadow_auxprop.so ??? (???) <b90c297da0fdf1bf0252ea496fbe83f2> /usr/lib/sasl2/shadow_auxprop.so
  0x3d5000 - 0x3d7ffd smb_lm.so ??? (???) <b0e54904b8dcecaa7d98c39841d03528> /usr/lib/sasl2/smb_lm.so
  0x3db000 - 0x3ddffc smb_nt.so ??? (???) <f927d77c27a795c0e7bb8478a47b83ed> /usr/lib/sasl2/smb_nt.so
  0x3e1000 - 0x3e4ff0 smb_ntlmv2.so ??? (???) <a31a5d3a2184c97ecb945c6cbd308da9> /usr/lib/sasl2/smb_ntlmv2.so
  0x3f8000 - 0x3f9fff com.apple.odlocate 1.1 (1.1) <58ace87ddfcba42df58856cabf3b6633> /System/Library/KerberosPlugins/KerberosFrameworkPlugins/ODLocate.bundle/Conten ts/MacOS/ODLocate
  0x436000 - 0x437ffc com.apple.KerberosHelper.LKDCLocate 1.1 (1.0) <cec0029c7e0345fee6e22aac185376c7> /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Cont ents/MacOS/LKDCLocate
  0x8fe00000 - 0x8fe2da53 dyld 96.2 (???) <14ac3b684fa5a31932fa89c4bba7a29b> /usr/lib/dyld
  0x90315000 - 0x9039cff7 libsqlite3.0.dylib ??? (???) <6978bbcca4277d6ae9f042beff643f7d> /usr/lib/libsqlite3.0.dylib
  0x91d29000 - 0x91d54fe7 libauto.dylib ??? (???) <42d8422dc23a18071869fdf7b5d8fab5> /usr/lib/libauto.dylib
  0x91d55000 - 0x9202fff3 com.apple.CoreServices.CarbonCore 786.6 (786.6) <5682aae1e2cf5ae750d5a4dea98c084c> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonC ore.framework/Versions/A/CarbonCore
  0x922cf000 - 0x92313feb com.apple.DirectoryService.PasswordServerFramework 3.0.3 (3.0.3) <8135bb4f34a3bf02b8c2ca869fe33a42> /System/Library/PrivateFrameworks/PasswordServer.framework/Versions/A/PasswordS erver
  0x92793000 - 0x92812ff5 com.apple.SearchKit 1.2.1 (1.2.1) <3140a605db2abf56b237fa156a08b28b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchK it.framework/Versions/A/SearchKit
  0x92891000 - 0x928a7fff com.apple.DictionaryServices 1.0.0 (1.0.0) <ad0aa0252e3323d182e17f50defe56fc> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Diction aryServices.framework/Versions/A/DictionaryServices
  0x928a8000 - 0x928dffff com.apple.SystemConfiguration 1.9.2 (1.9.2) <8b26ebf26a009a098484f1ed01ec499c> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfi guration
  0x92964000 - 0x929adfef com.apple.Metadata 10.5.2 (398.22) <a6b676925dd832780daf991e79adfebd> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadat a.framework/Versions/A/Metadata
  0x929ae000 - 0x929bcffd libz.1.dylib ??? (???) <5ddd8539ae2ebfd8e7cc1c57525385c7> /usr/lib/libz.1.dylib
  0x92a17000 - 0x92aa3ff7 com.apple.LaunchServices 290 (290) <61af37aac50984d220dd176f777e3b72> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchS ervices.framework/Versions/A/LaunchServices
  0x92aa4000 - 0x92bdcff7 libicucore.A.dylib ??? (???) <3d8fdaf51c2664ab620f1688203caf26> /usr/lib/libicucore.A.dylib
  0x939bf000 - 0x939c3fff com.apple.OpenDirectory 10.5 (10.5) <e7e4507f5ecd8c8cdcdb2fc0675da0b4> /System/Library/PrivateFrameworks/OpenDirectory.framework/Versions/A/OpenDirect ory
  0x93ecd000 - 0x93ed1fff libmathCommon.A.dylib ??? (???) /usr/lib/system/libmathCommon.A.dylib
  0x93f4d000 - 0x93f4dffa com.apple.CoreServices 32 (32) <2fcc8f3bd5bbfc000b476cad8e6a3dd2> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
  0x94105000 - 0x94123fff libresolv.9.dylib ??? (???) <a8018c42930596593ddf27f7c20fe7af> /usr/lib/libresolv.9.dylib
  0x94124000 - 0x941a8fe3 com.apple.CFNetwork 339.5 (339.5) <c6565c13b0356e1d4bb99a68398d558b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwo rk.framework/Versions/A/CFNetwork
  0x94569000 - 0x94619fff edu.mit.Kerberos 6.0.12 (6.0.12) <da7253e3fb7e47e46cb46d47ed320ffc> /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos
  0x9485e000 - 0x9487cff3 com.apple.DirectoryService.Framework 3.5.5 (3.5.5) <4b81063df189bc462f012a169474fcbc> /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryServi ce
  0x9487d000 - 0x949affff com.apple.CoreFoundation 6.5.4 (476.15) <e2869ad6dc1dd289f21b305b0bea9158> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
  0x94a0c000 - 0x94a13fe9 libgcc_s.1.dylib ??? (???) <f53c808e87d1184c0f9df63aef53ce0b> /usr/lib/libgcc_s.1.dylib
  0x94a14000 - 0x94a71ffb libstdc++.6.dylib ??? (???) <04b812dcec670daa8b7d2852ab14be60> /usr/lib/libstdc++.6.dylib
  0x94a72000 - 0x94bd2ff3 libSystem.B.dylib ??? (???) <98fc91f31f185411ddc46d3225e9af55> /usr/lib/libSystem.B.dylib
  0x94dcc000 - 0x94eacfff libobjc.A.dylib ??? (???) <7b92613fdf804fd9a0a3733a0674c30b> /usr/lib/libobjc.A.dylib
  0x94ead000 - 0x94ebcfff libsasl2.2.dylib ??? (???) <b9e1ca0b6612e280b6cbea6df0eec5f6> /usr/lib/libsasl2.2.dylib
  0x94f87000 - 0x94f8effe libbsm.dylib ??? (???) <d25c63378a5029648ffd4b4669be31bf> /usr/lib/libbsm.dylib
  0x94fa0000 - 0x9521bfe7 com.apple.Foundation 6.5.6 (677.21) <5cfa0aa8b9b43193955d601ba6c2591a> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
  0x952ea000 - 0x9539cffb libcrypto.0.9.7.dylib ??? (???) <69bc2457aa23f12fa7d052601d48fa29> /usr/lib/libcrypto.0.9.7.dylib
  0x953fd000 - 0x95421feb libssl.0.9.7.dylib ??? (???) <c7359b7ab32b5f8574520746e10a41cc> /usr/lib/libssl.0.9.7.dylib
  0x95422000 - 0x954dcfe3 com.apple.CoreServices.OSServices 226.5 (226.5) <2a135d4fb16f4954290f7b72b4111aa3> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServi ces.framework/Versions/A/OSServices
  0x95ca1000 - 0x95e6ffff com.apple.security 5.0.4 (34102) <f01d6cbd6a0f24f6c13952ed448e77d6> /System/Library/Frameworks/Security.framework/Versions/A/Security
  0x966ac000 - 0x966bdffe com.apple.CFOpenDirectory 10.5 (10.5) <6a7f55108d77db7384d0e2219d07e9f8> /System/Library/PrivateFrameworks/OpenDirectory.framework/Versions/A/Frameworks /CFOpenDirectory.framework/Versions/A/CFOpenDirectory
  0x96d5e000 - 0x96e3fff7 libxml2.2.dylib ??? (???) <1baef3d4972ee789d8fa6c1fa44da45c> /usr/lib/libxml2.2.dylib
  0x96e40000 - 0x96e6ffe3 com.apple.AE 402.2 (402.2) <e01596187e91af5d48653920017b8c8e> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/AE.fram ework/Versions/A/AE
  0x96e70000 - 0x96e94fff libxslt.1.dylib ??? (???) <4933ddc7f6618743197aadc85b33b5ab> /usr/lib/libxslt.1.dylib
  0x96e95000 - 0x96e9dfff com.apple.DiskArbitration 2.2.1 (2.2.1) <75b0c8d8940a8a27816961dddcac8e0f> /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
  0x96f06000 - 0x96f91fff com.apple.framework.IOKit 1.5.1 (???) <324526f69e1443f2f9fb722cc88a23ec> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
  0x96f93000 - 0x96fc5fff com.apple.LDAPFramework 1.4.5 (110) <cc04500cf7b6edccc75bb3fe2973f72c> /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
  0xfffe8000 - 0xfffebfff libobjc.A.dylib ??? (???) /usr/lib/libobjc.A.dylib

• Pulling "cn=Users" account data from Active Directory issue

  I'm using the following general syntax:
  ldapsearch -h <active directory server> -p 389 -D "CN=Administrator,CN=Users,dc=ORACLE,dc=COM" -b "DC=ORACLE,DC=COM" -s base objectclass=*
  What I get is only "cn=System" output. Any ideas to get the "cn=Users" data?? I can authenticate users in other ways using the Oracle LDAP tools through the same "active directory server". So it's not a matter of it not existing in the Active Directory Server. Also, there is no password right now for the "Administrator" account; so it's not a matter of including/excluding the "-w" option.
  Any suggestions??
  Thanks.

  I recommend you to post this here:
  Forums Home » Oracle Technology Network (OTN) » Products » Application Server » Oracle Internet Directory
  Identity Manager
  Joel Pérez
  http://otn.oracle.com/experts

• Active Directory Volume Activation Services Forest Prep on 2003 Functional Level?

  Hello,
  Please can anyone tell me if I can perform the steps outlined below when I have a mix of 2003 R2 and 2008 R2 domain controllers currently running on 2003 Functional Level. 
  My aim is to get AD Volume Activation Services running without needing to install a 2012 R2 DC and upgrade all my 2003 R2 DCs (which I have no control of), though I accept the schema update is a requirement for the AD Volume Activation Services aspect, where
  as KMS will still work?
  (http://social.technet.microsoft.com/Forums/windowsserver/en-US/99e94b1c-fe8a-4224-954b-2126994c9d0f/how-do-i-activate-kms-on-2012-in-a-2008-r2-domain?forum=winserver8setup)
  Steps to make this work:
  Copy ALL files from <win2012 DVD>\support\adprep folder to a folder on server holding FSMO role for Forest/Domain
  Run "adprep.exe /forestPrep"
  Run "adprep.exe /domainPrep /forceReplicate"
  Join 2012 server that VAS will be installed on to domain
  Follow instructions, as needed, in VAS 2012 test lab guide here: http://technet.microsoft.com/en-us/library/hh831794.aspx
  Thanks,
  Peter

  Hi,
  As far as I know this role should be installed on Windows 2012, so without Windows 2012, we cannot do this.
  AD DS must be at the schema level of Windows Server 2012 or newer to store activation objects. Domain controllers running earlier versions of Windows Server can activate clients after their schemas have been updated using the Windows Server 2012 version
  of Adprep.exe.
  Please go through the below links for more details:
  Active Directory-Based Activation vs. Key Management Services
  https://blogs.technet.com/b/askpfeplat/archive/2013/02/04/active-directory-based-activation-vs-key-management-services.aspx
  Volume Activation Overview
  http://technet.microsoft.com/en-us/library/hh831612.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• 11gr2 Active Directory User Target Delete Recon Search Root

  Hi All,
  latest AD conector with the patch.
  Have a situation where I need to change the root or base search for the delete recon. by default it seams to want to search at the domain level but that won't work for us. Checked the doc and can't seem to find anyway to change this for the delete recon.
  Thanx in advance
  Fred

  Hi,
  The issue is still pending. I am specifying the following parameters for the scheduled job :
  Batch Size : 100
  Object Type : User
  Batch Start : 1
  Resource Object Name : AD User
  Filter : startsWith('samAccountName','c')
  Scheduled Task Name : Active Directory User Target Recon
  Incremental Recon Attribute : uSNChanged
  Search Base : <blank>
  IT Resource Name : Active Directory
  Search Scope : subtree
  Latest Token : <blank>
  Sort By : samAccountName
  Number of Batches : All
  Sort Direction : asc
  The job runs successfully but no records are reconciled into UD_ADUSER table and the job reports the following error in the logs :
  [2012-10-25T02:32:04.785-07:00] [oim_server1] [ERROR] [] [org.quartz.impl.jdbcjobstore.JobStoreCMT] [tid: QuartzScheduler_OIMQuartzScheduler-iamoimdev-v1.capgroup.com1351057898397_MisfireHandler] [userId: oiminternal] [ecid: 80eeb34d89d5ed80:-343bffe9:13a9150ba30:-8000-0000000000000005,1:24567] [APP: oim#11.1.2.0.0] MisfireHandler: Error handling misfires: Unexpected runtime exception: null[[
  org.quartz.JobPersistenceException: Unexpected runtime exception: null [See nested exception: java.lang.NullPointerException]
  at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3042)
  at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.manage(JobStoreSupport.java:3789)
  at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.run(JobStoreSupport.java:3809)
  Caused by: java.lang.NullPointerException
  at org.quartz.SimpleTrigger.computeNumTimesFiredBetween(SimpleTrigger.java:800)
  at org.quartz.SimpleTrigger.updateAfterMisfire(SimpleTrigger.java:514)
  at org.quartz.impl.jdbcjobstore.JobStoreSupport.doUpdateOfMisfiredTrigger(JobStoreSupport.java:944)
  at org.quartz.impl.jdbcjobstore.JobStoreSupport.recoverMisfiredJobs(JobStoreSupport.java:898)
  at org.quartz.impl.jdbcjobstore.JobStoreSupport.doRecoverMisfires(JobStoreSupport.java:3029)
  Edited by: IDM_newbie on Oct 25, 2012 2:38 AM

• Livecycle - Active Directory

  I need display a control depending of the user logged in the SO exists on a active directory specific group. Is it possible?
  The form is design in Adobe LiveCycle ES4,
  THANKS

  Hi Damion,
  As far as I understand, you are adding two Directory providers in a single LiveCycle domain. One of the directory provider (DC2 and which has a 15 minute delay) overrides the user/groups added by the other. Currently, there is no support in LiveCycle to add a failover domain controller. You can contact Adobe support and they help you file a feature request.
  Temporarily, you may delete DC2 directory provider from the domain to prevent this but that would not give you any failover advantage.
  Thanks,
  Neerav

• Retrieving Active Directory infomation from SQL Server

  Dear All
  We have a requirement to load active directory users and user groups into a SQL Server database. Looking at the information available it seems you need to create a Linked Server of type 'Active Directory Service Interfaces'. Creating a linked server will
  be a problem for out customers so I was wondering if there was another way of doing it. I will accept all ideas no matter how odd :D
  Thanks
  Peter

  Please refer the below link for incremental loading of data from AD:
  http://beyondrelational.com/modules/2/blogs/557/posts/15401/incremental-dl-porting-in-sql-server-querying-ldap-to-get-the-users-belongs-to-a-dl-group-in-sql-ser.aspx

• Active sync with Active Directory.  activeSync.password

  AD - OS - Win2k3
  IDM -6.0SP1
  I am using active sync with Active Directory.
  Form for Active Sync make with Wizard Active Sync.
  Make user in AD with correct password.Excecute StartActiveSync.
  User not make in Lighthouse.
  In log file appears the following:
  <WavesetResult>
  <ResultItem type='error' status='error'>
  <ResultError throwable='com.waveset.exception.PolicyViolation'>
  <Message id='PL_POLICY_VIOLATION_HEADER'>
  <String>password</String>
  <String>Lighthouse User</String>
  </Message>
  <Message id='PL_STRING_MIN_CHARACTERS'>
  <String>4</String>
  </Message>
  <StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
  Must contain at least 4 valid characters.
       at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
       at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
       at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
       at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
       at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
       at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
       at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
       at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
       at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
       at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
       at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
       at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
       at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
       at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
       at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
       at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
       at com.waveset.task.Executor.execute(Executor.java:159)
       at com.waveset.task.TaskThread.run(TaskThread.java:119)
  </StackTrace>
  </ResultError>
  </ResultItem>
  </WavesetResult>
  2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
  Policy Violation (password on Lighthouse User):
  Must contain at least 4 valid characters.
  But, when i use sample active sync form from ...sample/forms/ActiveDirectoryActiveSyncForm user make in Ligthhouse with password change12345.
  Logicaly, from this code:
  <Field name='waveset.password'>
  <Comments>
  Make up a password for accounts that are being
  created. This makes it a constant
  </Comments>
  <Disable>
            <neq>
            <ref>feedOp</ref>
                 <s>create</s>
            </neq>
       </Disable>
  <Expansion>
  <cond>
            <notnull>
                 <ref>activeSync.password</ref>
            </notnull>
  <ref>activeSync.password</ref>
  <s>change12345</s>
  </cond>
  </Expansion>
  </Field>
  I think password from AD not put in to activeSync.
  Why?
  With MBR
  Bogdanov Alexey.

  --I think password from AD not put in to activeSync.
  --Why?
  You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
  You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
  If you want to take the AD password and send it to IDM, you want to use Password Sync.
  Good luck