Mapping LDAP Groups to SAP Roles

Hi there,
I am trying to build up synchronous user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
My thought is to administer the users in the LDAP directory. The users will be assigned to groups.
In EP and Web AS Java it is no problem to assign these groups to roles and then just change the users in the LDAP group to achieve synchronous user management.
In Web AS ABAP it seems impossible to assign roles to groups.
The question is: is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?
Or is there another way to administer users in different systems?
Thanks a lot for your answers,
stefan

Hi
In this case you have to use the concept of central user administration. Use the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
Hope this helps you to get a fair bit of an idea.
Don't forget to give points.
With regards
subrato kundu

Similar Messages

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent:
    1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have 2 groups in iPlanet, Contractors and Employees, and I have 2 security roles in WebLogic, contractors and employees. How do I map LDAP group contractors to WebLogic security role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of WebLogic (the WebLogic Security Realm under People) OR do I have to write my own custom code?
    3. I am planning to use roles instead of groups to manage the logical grouping in iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration parameters)?
    This is very urgent... so if any of you can throw any hints that will be greatly appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. You don't have to download any additional driver. Use it as you normally would; the only thing to remember is that if you are trying to write standalone Java code then you have to have weblogic.jar in your classpath. For the rest of the info follow the WLS docs for 6.1.
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our WebLogic 6.1 sp1 server to a SQL Server 2000 db. We downloaded the JDriver from bea.com, but all the instructions that came with it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • LDAP Groups Performance

    I am planning LDAP authentication for a portal and am looking at assigning LDAP groups to portal roles to ease user administration, because there will be a significant number of users.
    I've done this before with smaller numbers of users, but have heard concerns that with a large number of user accounts authentication would take too long and would pose a problem. I don't know for sure if this is true and will be trying to test this out.
    Would appreciate advice / experience / references if available.
    Regards,
    Tom

    Hi Thomas,
    I don't think this is a problem if the directories are properly tuned.
    In fact we connect to an AD with 80k users and it works perfectly fine. But remember that your LDAP should be tuned properly, and maybe you can have indexes too.
    Regards,
    Piyush
    PS: please mark useful answers.

  • LDAP user to application role mapping

    Hi All,
    OBIEE 11.1.1.5
    I have a table with LDAP username and role. I have also configured an external LDAP server in the RPD. Users are able to log in to the portal.
    Can someone guide me how to make sure that when a user logs in to OBIEE, the role is automatically fetched from the table and mapped to the application role created?
    Or, in simple words,
    How can I assign an external LDAP user to be mapped to an application role? One by one?? Or via the table as mentioned above?
    Can anyone help? The documents are not giving this simple picture to me.
    It was easy in 10g. In 11g is it rocket science, so that my company can lose hope of going ahead with 11g?

    Hi,
    1. Create an init block to initialize the USER variable with the user name from LDAP
    2. Create an init block to initialize the GROUP variable with the role name from the external table
    3. In the initialization block for the GROUP variable, add precedence on the USER init block to make sure that the USER variable has a value
    4. If one user can have a few roles you should check the row-wise initialization option
    Hope it's helpful

  • How to Map ERP account group on SAP Cloud for customer

    I am puzzled that I do not find a way to configure ERP Account Groups in the SAP Cloud for Customer solution. Am I missing something, or is some workaround possible to have that available in an ERP <-> HCI <-> C4C scenario?
    Regards
    Apoorva

    Hello Apoorva
    This is the Business Partner Role Code - it maps to customizing in ERP for:
    Logistics - General -> Business Partner -> Customers -> Control -> Define Account Groups and Field Selection for Customers
    -ginger

  • How to access the mapping of Groups and Roles in the JAVA Application

    We have mapped the EJB roles with the groups through the Visual Administrator. We have developed the SSO. We have developed the application through which we are creating the user and role and mapping that role with the created user. The created role is saved in some LDAP directory. The second application is the one in which EJB methods are mapped with some security roles. The LDAP roles we are getting in NetWeaver as groups, and we can perform the mapping of the deployed EJB roles with the group. Now for the logged-in user we want to get the roles mapped with it, so that we can give/deny access to the methods from the EJB as per the role of that user. How will we get access to the mappings of the roles with the group in the application, if I know the LDAP roles mapped with the user (since these roles are accessible as groups in NetWeaver)?
    For example: from the application we created the user with the role "manager". This role is stored in the iPlanet directory.
    This directory is mapped in NetWeaver. The manager role is displayed as a group in NetWeaver.
    We created the EJB application with the method "displayTheAccountDetails()" with the role "ManagerRole".
    This role is mapped with the manager group. Now we have the details about the logged-in user and the LDAP roles mapped to it (manager role). How will I get access to the details of which EJB role is mapped to this group in the application? So depending on that I can allow/deny access to the "displayTheAccountDetails()" method for the logged-in user.

    Do you, guys, work together?
    See the last answer in this thread: How database works in UCM?

  • User does not appear in group created from SAP role

    Hello --
    I have a user that has logged into InfoView successfully with SAP authentication and is showing in the CMC under the "User List." When I view the list of users in the group that was created from the SAP role he was a part of, he is not there. When I go to the user account and view "Member of," the group IS shown in the list.
    Any idea? Any way I can "refresh" the group or anything like that?
    Thanks
    Casey

    Thanks for the replies.
    We are on XI 3.1 FP1.8 and we do have a CMS cluster. Server reboots this weekend seem to have resolved the problem. I am curious why this question was asked, though:
    "Did you reassign the user to another SAP role after the user has already logged at least once in the InfoView?"
    Is this something that could have caused the problem, or is it a possible workaround if we run into the issue again?
    Thanks again...
    Casey

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs in our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it works fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1. Ability to create/manage static LDAP groups.
    2. Ability to create/manage filtered LDAP groups.
    3. Ability to create/manage static LDAP roles.
    4. Ability to create/manage filtered LDAP roles.
    Can anyone give us any pointers as to how to accomplish this, or any ideas for the path to follow?
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP. It is working fine, but when I assign roles to the LDAP group instead of the UME group, they do not take effect when I refresh the browser. My service account that I set up in the keytab file is a read-only account for the LDAP. Is there some permission issue that I have to fix to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is read-only.
    In this case, it is not possible to modify data in LDAP.
    You must connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Using Dynamic Groups in Ldap for Accounts and Roles

    Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in LDAP (we are using OID, Oracle Internet Directory 10.1.2.0); ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation, so I'm asking myself if it is supported...

    Thanks Tim... will check, but Oracle are saying:
    Oracle Universal Content Management - Version: 7.5.1
    Information in this document applies to any platform.
    Product: Content Server
    Version: 6.0
    Goal
    Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
    Solution
    The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
    to which I have replied: you support 3rd party LDAPs, but not your own? Shurely shome mishtake... if ldapsearch works in a seamless way, surely the provider should too...
    Billy, you may well be right, just got a cashflow problem over here !

  • Assign role to LDAP group

    Hello,
    I've assigned a role to an LDAP group in the portal. But when accessing it displays: 'No portal roles are assigned for this user'.
    The user is included in the LDAP group, but I don't know why it doesn't display anything.
    Please, do you know what it could be?
    Thanks in advance

    Hi Isabel,
    this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
    If this is working, then we probably have to increase the log levels and check from there.
    You could also try to remove the role from the group and reassign it again.
    If it's not working: remove it again and this time search for the role and assign the group to it.
    Please come back if it is not working. Then we will try to dig deeper.
    Regards,
    Holger.

  • Novell LDAP Group - Role

    Hi,
    I have created a Novell LDAP Group. In my realm I now have two authentication providers: default and novell, both optional. If I authenticate my user which is stored in the Novell LDAP, the user is correctly authenticated (request.getRemoteUser() != null), although the log says user denied (no matter if the user is in the embedded LDAP or the Novell one, but maybe the other one always complains). (The Novell user gets rejected if the password is wrong.)
    For a Novell group I create a role with the condition: caller is a member of the group "novell group". This seems not to work. With request.isUserInRole("novell group") I get "false"!!
    Any ideas??
    regards
    tobias

    Found my mistake. I created a role in the WebLogic console which I also have defined in the web.xml. Then I also need to assign this role to the principal (my group) in the weblogic.xml.
    If I have a role not defined in the web.xml, request.isUserInRole(<RoleName>) works fine, but not in the above described case without the assignment in the weblogic.xml.
    "Tobias Voigt" <[email protected]> wrote:
    Actually groups are also configured correctly, as it seems to me. On the group page, the LDAP group is also listed (in the provider column it says NovellAuthenticator). Also if I look at the output of weblogic.security.Security.getCurrentSubject() the LDAP group is also listed as a Principal.
    weblogic.security.SubjectUtils.isUserInGroup(<Subject>,<LDAPGroup>) says true.
    but request.isUserInRole(<Role for Members in LDAPGroup>) says false.
    (Btw: WebLogic 8.1 sp1)
    "tm" <no-reply> wrote:
    Hi Tobias,
    It sounds like you can successfully use users in your Novell LDAP server but you cannot successfully use groups from the LDAP server (i.e. when you log in, it's finding the user, but it isn't finding the user's groups, thus the role isn't working).
    I'm assuming that you have configured a NovellAuthenticator. You must configure the NovellAuthenticator to tell it how groups are stored in your Novell LDAP server (i.e. tell it about the group schema). If this is not correctly configured, then groups won't work.
    See http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008 for more information on configuring group schemas for LDAP authentication providers.
    -tm
    "Tobias Voigt" <[email protected]> wrote in message
    news:[email protected]...
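    The fix Tobias describes, as an added illustration that is not from the original thread: a role declared in web.xml only works with an LDAP group if weblogic.xml also assigns that role to the group principal; the role name NovellRole, the group name "novell group" and the /admin/* URL pattern below are assumed.

    ```xml
    <!-- web.xml (added example, names assumed): declare the role and protect a resource with it -->
    <web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Admin pages</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <!-- only callers holding this role may reach /admin/*; isUserInRole("NovellRole") is checked against it -->
          <role-name>NovellRole</role-name>
        </auth-constraint>
      </security-constraint>
      <security-role>
        <role-name>NovellRole</role-name>
      </security-role>
    </web-app>

    <!-- weblogic.xml (added example): bind the declared role to the LDAP group principal -->
    <weblogic-web-app>
      <security-role-assignment>
        <role-name>NovellRole</role-name>
        <!-- principal-name must match the group name exactly as the NovellAuthenticator exposes it in the Subject -->
        <principal-name>novell group</principal-name>
      </security-role-assignment>
    </weblogic-web-app>
    ```

    Without the security-role-assignment, WebLogic's default mapping looks for a principal named like the role itself, so the group principal that SubjectUtils.isUserInGroup() sees never satisfies the isUserInRole() check.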

  • Linking Query group to an SAP role

    I am able to link the Query group to the role, but when we test, the user does not have access to it. I know this used to be a problem years ago that I thought was fixed. Any ideas on how to get this to work?

    Hi,
    Assign the required user groups to the user in SQ03. If the user is still getting the same error even after the assignments in SQ03, ask the user to change the query area as below and check.
    SQ01 --> Environment --> Query areas --> select "Standard area (client-specific)".
    Regards,
    Gowrinadh

  • Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

    The FIM team is pleased to announce the availability of some additional Connectors for FIM 2010 R2.
    General Availability of PowerShell Connector
    The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems, but also to pre-/post-process data and files before they are handed over to the FIM Synchronization Service. We believe the community will help by providing scripts for this Connector for various systems, and we will open a place where scripts can be published for reuse.
    TechNet docs:
    http://go.microsoft.com/fwlink/?LinkID=393057
    Download:
    http://go.microsoft.com/fwlink/?LinkID=393056
    Release Candidate of Generic SQL Connector
    The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA, such as support for stored procedures, running SQL scripts, built-in delta import support, importing multiple object types, connecting to multiple tables, and much more. This Connector is built on ECMA2.3, which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download and is required for the Connector to work.
    Download:
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652
    Release Candidate of SAP Users and Roles/Groups
    The updated SAP templates for Users and Roles/Groups allow you to manage Users, Roles, and Groups in SAP. This also includes password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these with BHOLD. This template will require the previously published WebService Connector:
    http://go.microsoft.com/fwlink/?LinkID=235883.
    Download:
    https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651
    If you have participated in any other Connector preview program you will have access to the Release Candidate downloads. If you have not participated before, then to get access to the preview programs on Connect either join the program "Identity and Access Management", "FIM Synchronization Service Connectors Pre-release" on
    http://connect.microsoft.com/directory or follow this link
    http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1
    We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see
    http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.
    On behalf of the FIM Sync team,
    /Andreas Kjellman

    On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:
    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on an IBM z/OS mainframe system. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the OpenLDAPXMA (64-bit) on FIM 2010 R2.
    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 system, as we support a multi-master password setup between the mainframe and Active Directory (one can change the password on the MF and/or on Windows), for example "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".
    Additionally, we cannot get the delta import to work with the CA-LDAP; there's no capability in it, and we tried to use the time attribute in the query for recent changes, but it does not work. (I think we need it in a large integer format or Unix time integer.)
    Would be great to have Microsoft's support in this :)
    In a case like this where your follow-up has nothing to do with the original post you should create a new thread.
    Having said that, neither of the MAs to which you refer are official Microsoft MAs and as such there is no support from Microsoft available.
    Also, keep in mind that the ECMA1/XMA extensibility framework has been deprecated and replaced by ECMA 2.0. You should plan on replacing existing ECMA1 management agents with ECMA 2.0 connectors.
    Paul Adare - FIM CM MVP
    "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
    a half a pack of cigarettes, it's dark, and we're wearing visors."
    "Hotsync." -- Paul Tomblin & Peter da Silva
