Locked LDAP user search

Hi,
I want a list of users (we are fetching from LDAP) that are locked (Account Locked) in portal.
I tried advanced search, but no elements were found there. But there are lots of users (account) locked.
Thanks,
Anumit

You can use the ICE utility for command line execution of LDAP scripts, exports, imports LDIF's etc. ICE is in the ConsoleOne folder on a server sys: volume.
I don't think you can export passwords though. If pwds come out they'll probably be hashed up in their MD5 hashes. I only ever did this once and that was between two NDS trees.
For password sync you'll need something else like Novell's Identity Manager or else don't sync but direct all auths into the LDAP repository.
N.

Similar Messages

  • ARQ:  Does LDAP User Search action require any special authorization for requester???

    Hi All,
    I was wondering if requester need to be given any special authorization to search users in LDAP?
    Because, I have noticed that a requester can not search users from LDAP. However, another user who is a super user in GRC system and has SAP_ALL profile assigned, can search users from LDAP easily!
    I have noticed only this change between these two users and not sure what authorizations should be granted to requester to search users from LDAP. I have tried to search relevant auth. object in his role "SAP_GRAC_ACCESS_REQUESTER" but could not find. I also check security guide for this but did not get any details.
    Can anyone advise?
    Regards,
    Faisal

    Alessandro,
    I switched on trace using ST01 for one of the requesters and viewed its details later. I found RC=4 or 12 for some of the auth. objects.
    For example:
    I opened one of the records and could see the above details. I am unable to interpret it further. Can you please assist with this?
    Regards,
    Faisal

  • LDAP User Search Base

    Need help configuring LDAP from Novell I can not find much reference to the command strings to use.
    I have 1000+ users in the Novell tree and would like to import them into the CCM database and be able to keep the passwords updated between the two.
    Thanks

    You can use the ICE utility for command line execution of LDAP scripts, exports, imports LDIF's etc. ICE is in the ConsoleOne folder on a server sys: volume.
    I don't think you can export passwords though. If pwds come out they'll probably be hashed up in their MD5 hashes. I only ever did this once and that was between two NDS trees.
    For password sync you'll need something else like Novell's Identity Manager or else don't sync but direct all auths into the LDAP repository.
    N.

  • GRC 10.0: Access Request Creation - LDAP user advanced search not working

    Dear Experts,
    We are implementing SAP GRC Access Control and we have an issue in Access Request Creation. If we put the user name in “User” field and press intro, the user details are updated, but if we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    Scenario 1: If we put the user name in “User” field and press intro, the user details are updated:
    Scenario 2: If we want to make an "Advanced search" the user is not found and the application gives us the following message: “No records found for the search criteria entered.”
    We are using the Active Directory as Data Source.
    Thanks and Regards.

    Hi Jose,
    Try maintaining the parameter 2050 as YES and check once.
    Kindly also refer to the below list of SAP notes:
    1757906 - GRC 10.0 - LDAP user search does not work in NWBC
    1745370 - LDAP search in GRC does not work anonymously
    1718242 - UAM: User search not working in Access Request.
    Regards,
    Neeraj Agarwal

  • Editing LDAP User attributes from UME interface

    Hi Gurus,
    We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
    I want to know
    1. How to enable the connection from UME to LDAP in read/write manner?
    2. What certificates need to be exchanged for write access? if any?
    3. What changes needs to be done in config file of UME?
    4. Which permissions should be granted for communication user to edit LDAP user attributes?
    Even after performing the change to read LDAP in read/write manner, will it be sure: If we lock user from UME, it will lock LDAP user? please comment.
    regards
    Kedar Kulkarni

    Hi,
    We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
    But when we deploy same application into client landscape, we receive error as below:
    No data source feels responsible for principal. Please check the data source configuration
    Now we are not sure why this error is getting displayed.
    In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
    Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
    Any code to access LDAP details will help us lot.
    regards
    Kedar Kulkarni

  • LDAP advanced search

    I am using IBM Tivoli; in my Java programming I need to get the members from several DNs per the login user. I had several trips to LDAP to make this happen, which is slow. Is it possible in LDAP to do one call to get everything back?
    Now my LDAP tree structure is like this:
    I have a list of groups; inside each group is a list of members. When a user logs in, I need to check if this user is related to any groups; that is my first LDAP call to get the group DNs, then I have another call to get all members per these list DNs.
    So, is it possible for one trip to do all of this?
    Thanks in advance!

  • External LDAP user only has search privilege in UCM

    After I configured external LDAP successfully in the WebLogic console, I can see all users from external LDAP. And external LDAP users can log in to UCM successfully, but these users only have search privilege. I want external LDAP users to have Admin privilege as weblogic (default in embedded LDAP). How to solve it? Any help will be appreciated greatly! Otherwise, I refer to Oracle's document,
    51.1.14 LDAP Users Not Receiving Some Administrator Privileges
    UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
    How to add external LDAP user to the group of Administrators.

    Hi ,
    You can use Credential Maps to achieve the requirement.
    Steps for the same are:
    1. Login to UCM - Administration - Credential Maps .
    2. Create the map name and the following mapping :
    <ldap role> , admin
    3. Save the changes
    4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
    add the following variable there :
    ProviderCredentialsMap=<map name created in step 2>
    5. Save the changes and restart ucm server .
    After that, log in with the user who has the LDAP role that is mapped in step 2; this user will have the UCM admin role.
    Hope this helps .
    Thanks
    Srinath

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • LDAP user no longer able to log in

    We have CQ 5.3 set up using LDAP authentication.  We have one user who has been using CQ with her AD Userid/password for over a year with no issues, but she came in one day and now it's saying her user id and password don't match.
    We've tried on multiple different instances of CQ and she gets the same message every time.  She is able to log into other applications that use LDAP for authentication just fine. We have tried resting CQ to see if that resolves the issue and it hasn't.  I originally thought it was some sort of issue with her LDAP account, but because she can log into other apps, I'm wondering if not? Or maybe there WAS an issue with her account, but it was resolved (she thought maybe her account was locked, so she ran an unlock procedure), but CQ just hasn't caught up to that fact?  This started happening a week ago.

    Hi Jennifer,
    Have you tried running a manual LDAP User sync for the single user (http://localhost:4502/crx/config/ldap.jsp)?  Since the user can login to other systems via LDAP, the problem is most likely with their account in CQ.  Maybe try deleting their account in CQ and re-creating/re-sync via LDAP User sync.
    Hope this helps.
    Ron

  • When will I use object locking by User ID report?

    Hello,
    I am using EP7 SP9.
    I would like to see all the locked users at the portal.
    The problem is that even that there are locked users (I can locate them individually using the UME), the object locking report doesn't show them when I search by User ID.
    I know I can search it at the UME advanced search, so what the object locking by User ID is used for?

    Hi,
    You can view all the locked objects in your portal under System Administration>>Monitoring. Under the Portal tree node, click on the Object Locking. You can enter the search criteria to UserId and perform the search operation.
    Regards,
    Sujana

  • OAM Identity Server user search is very slow after upgrading to 10.1.4.2

    We recently upgraded Identity-Server from 7.0.4 to 10.1.4.2 + BP10. The new webpass (version 10.1.4.2) is on iPlanet webserver, which does not have any bundled patch available. After this upgrade, we found the user search is very slow. It is taking double the time compared to version 7.0.4. The search performance for NetPoint admin users is fine.
    The new version is connecting to the same LDAP (Sun 5.2) as the old one. The 7.0.4 version was well tuned (like LDAP connections, caching, etc.) for performance. The migration is supposed to carry over those performance configurations to the new version. Is there any new parameter (related to performance) I should look for in version 10? Has anybody faced these issues after migration and found a fix for it?
    Thanks!
    Kabi

    More in this thread - Re: OAM- "You do not have sufficient access rights" message with Master Adm
    -Vinod

  • Logical Locking for User and Session ID possible?

    Hi colleagues!
    We are developing on NetWeaver CE 7.10 SP6
    Currently it is possible for a user to access the same business object (like a specific order number for example) in two separate browser tabs in parallel. This leads to many strange and unwanted side-effects.
    One option would be to use a non cumulative exclusive locking. However we would like to avoid that as we use the lock life time "user session". And in this case we would need to set the lock only at one place and could not assure the setting of the lock again at different places (lock() may only be called once in this case).
    It would be nice if the com.sap.engine.services.applocking.LogicalLocking class would support a session based exclusive locking where the same lock can be applied multiple times but only for the same session. But this does not seem to be possible.
    Does anybody know a nice solution for this issue? How to avoid that the same user opens the same business object in multiple sessions? Ideally this should be callable from a CAF application service.
    Thanks and kind regards,
    Gunnar
    Edited by: Gunnar Goerke on Jul 6, 2009 4:07 PM
    Edited by: Gunnar Goerke on Jul 6, 2009 4:09 PM

    For analysis, we have synchronized 15 LDAP users to Notes.
    FirstName, Lastname and login attributes are from 1 to 15 characters in length, as follows:
    givenname, lastname, UID
    1,1,1
    F2,L2,ID
    F33,L33,ID3
    F444,L444,ID44
    F5555,L5555,ID555
    F66666,L66666,ID6666
    F777777,L777777,ID77777
    F8888888,L8888888,ID888888
    F99999999,L99999999,ID9999999
    Faaaaaaaaa,Laaaaaaaaa,IDaaaaaaaa
    Fbbbbbbbbbb,Lbbbbbbbbbb,IDbbbbbbbbb
    Fccccccccccc,Lccccccccccc,IDcccccccccc
    Fdddddddddddd,Ldddddddddddd,IDddddddddddd
    Feeeeeeeeeeeee,Leeeeeeeeeeeee,IDeeeeeeeeeeee
    Fffffffffffffff,Lffffffffffffff,IDfffffffffffff
    Between 6 and 8 characters, the logical name of the user is correct.
    It is constructed as %fistname% %lastname%/DOMAIN
    With fewer than 6 or more than 8 characters, the logical name is not correct.
    We can show the partial path of the Lotus data directory.
    I can send a screenshot to an email address if you want.
    Why is this? It's not usable.
    PS: All certificates can be viewed without providing a password!
    Why is the LDAP password of the user's entry not used to open the ID?
    Thanks for your help.
    BRs
    Vincent

  • GRC AC User Search Data Source Configuration

    Hello all!
    I've configured BRM and ARM as recommended on SAP Access Control 10.0. A lot of things are working OK and some of them are not. At this moment I'm testing an Access Request to lock a user; the problem happens when I try to search for the user, I didn't receive any return. Please check the print screen:
    "Maintain Data Sources Configuration" is configured as in the print below, pointing to our ECC/HR system:
    Can someone help?
    Regards,
    SAP Legend

    Hi,
    Also maintain the detail data source and make sure you run the repository sync job.
    Also check if the user you are trying to lock is present in the table GRACUSER/GRACUSERCONN.
    Regards,
    Neeraj

  • User status shows active in portal for inactive LDAP users

    Hi all,
    Users listed in the LDAP as deleted or inactive are still listed in EP
    User Management as valid active users.
    1) is there any process or OSS note which can help us to get users
    inactive in portal user management to the corresponding LDAP inactive
    users?
    2) is there any chance that any inactive or deleted entries in LDAP
    should not be searchable from User admin Portal search?
    Any solution for the above problem?
    Please reply.
    Regards,
    haroon

    Hello there,
    I have the same problem: We have several domains that sometimes contain users with the same user-id. This happens if a user is "moved" from one domain to another: A new user with the same user-id is created in the new domain and the user-status of the user in the old domain is set to "inactive".
    But SAP NetWeaver Portal (7.0 EHP 1) ignores this user-status flag and thus login (with SPNego / Integrated Windows Authentication, which does not send the domain of an identified user to the portal) fails.
    Is there a possibility to get the portal to "ignore" LDAP users (meaning no longer list them in the UME) that have their user-status flag set to "inactive"?
    Thanks for a reply in advance!
    Regards,
    René

  • Lock a user account

    1. Can I use the WebLogic API in WebSphere?
    2. If not, how can I lock a user account after 3 unsuccessful login attempts?
    Thanks in advance

    Can you help me out in writing code for populating one combo box depending on the selection in another combo box, in Java or JavaScript, like country, state, city in an address? By selecting a particular country in the country combo box, the states belonging to that country should be populated in the state combo box.

    Go on... this way the next question would be about the neighbour's dog.
    Is it so difficult to post a new topic if your question/doubt is entirely different from what you set out asking initially?
    That way, it would be easier for others who come here seeking answers to quickly browse through the questions or do an effective search. It would also help those who wish to help you.
    Viki and AngryCat: You both are regular respected members of this forum. While this is a free and unmoderated forum, IMO, you people should really put your foot down and politely ask the OP to post another thread if he/she goes off on a tangent posting totally unrelated questions in a single thread. As I said, this is my humble opinion and feel free to do or state otherwise.
    cheers,
    ram.
