MaxL provisioning to native directory group intermittent

Similar Messages

• External directories users binding with native directory groups

  Hi All,
  I successfully migrated the shared services users from external directory(LDAP) and groups from native directory. i can able to see the groups and LDAP users..
  when i login ldap credentials that user are not able to the see the applications... please let me know how to bind the users particulars groups and how users see registered applications ?
  Appreciate your help
  thanks

  hallo experts please give me the solutions on this...
  i entered my account(ldap). in the workspace i can not see the any of the applications. even i given manually access to the applications also.
  its very critical for mine
  thanks

• Provision Unix accounts/roles/groups to Directory server using OIM

  Hi,
  I have a requirement to integrated large number of Unix servers with LDAP (OID or Sun Directory Server) for Centralized Authentication and Authorization and to provision Unix accounts/roles/groups to Directory server using OIM, I have following queries.
  1. If using PAM_LDAP then what are the schema changes required in ldap to support it ?
  2. Does OIM's out of box connector for OID or Sun Directory Server supports Unix accounts/roles/groups provisioning to Directory server ? If not, can it be extend ? or do I need to write a custom connector ?
  3. If I use Oracle Authentication Services for OS for centralized unix account management then OIM provisioning is same as #2 or different ?
  Thanks
  Nitin

  yes. iPlanet connector support for multivalued attribute. Go through the connector doc. It will let you know how to extend its functionality.
  --nayan                                                                                                                                                                                                                                                                                                               

• How to ensure the SSID matches in prod/dev when creating native users/group

  I am running into trouble when I migrate business rules projects-I lose any security assigned to native groups because the SSID in the open LDAP in DEV for that group is different from the SSID in PROD for that group. Is there any way to sync them up now?
  Also, for any new groups we create, how do I create them in both environments with the same SSID? I know I can create the group in PROD and use cssimportexport to create the group in DEV, but they end up with different SSIDs
  Thanks
  Jeff
  V 9.2.1 using Active Directory and Native Directory

  We are using 9.3.1 so I don't know if this switch is available.
  I export the prod ss security with the following switches which gets me all my native groups with sids, and the children of those groups.
  export.internal.identities=true
  export.provisioning.all=true
  export.delegated.lists=false
  export.user.filter=none@Native Directory
  I hack the file to remove anthing I don't want and then use the import utility to import it twice. First with a properties file that does a delete.
  import.operation=delete
  The first run fails right after it deletes the native groups I think because deleting the group deletes the children.
  The second properties file has this switch
  import.operation=create/update
  After this is complete you can have DBA do a schema export/import to the target environment. After bouncing planning in the target environment you go in and update the application settings to have the correct shared services server and re-register with shared services. A "Migrate Identities" ensures that you are in synch. The planning security should still be in place on all objects that had security.
  Keith

• SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

  Hi
  I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
  The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
  a few additional folk who I have made individual members. 
  My PROBLEM:
  I  have created a SharePoint 2013 Workflow using SPD 2013 associated with the  Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
  the form and go to different Stages depending on that status.
  The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
  with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
  Here's a print of the info from the Workflow Status page (I don't have access to server logs):
  RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
  RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
  The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
  instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
  Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
  user who started the workflow, unlike 2010 which used System Account).
  All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
  I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
  and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
  Does anyone have any ideas why this is happening and what I can try to fix it?
  Mark

  Hi Lars,
  I'm afraid not so far but we are trying a few things today so I will post back with results.
  First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
  versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
  This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
  "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
  the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
  intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
  You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
  I'll update when we try these ideas. If you have any luck please do the same.
  Mark
  (sorry about formatting - using my phone....)
  Mark

• Syncing Active Directory Groups for Unity Distribution Groups

  We have multiple remote stores with managers that move around quite a bit. This poses an administration nightmare when trying to keep voicemail distribution lists up to date. Is there a way to syncronize an active directory group to a Unity voicemail distribution group? Therefore when we move a manager around in ADS the user automatically moves in Unity.

  Unfortunately this feature has not been re-implemented in Unity Connection. This is one of the few things from Unity that I miss. I suggest voicing your desire for this as a feature enhancement with your Cisco AM.
  If you are doing that many changes you may want to consider going through the Cisco Unity Connection Provisioning Interface. At least you could script the changes there using code that checked AD group membership and replicated the changes into CUC.

• Urgent-Failed to Syn with Native Directory

  Helllo,
  I'm getting this error "Sync with user provisioning succedded with Errors. See Planning log for details" while I'm login to Planning Application. We are using Native Directory. Please help
  Rahul

  Hi,
  If it the application owner/creator was admin on the source environment and the same on the target environment then you shouldn't have to do anything extra if you migrated the repository correctly.
  If not then you will have to store the SID in the hsp_users table and update it once you have migrated.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Provisioning users to AD groups in OIM 11gR2

  I could use some advice on how to resolve this issue I am having.
  Using the Active Directory connector (11.1.1.5) in our OIM 11gR2 development environment I can successfully provision OIM users to our AD resource. I have successfully run the org and group lookup recons, and provisioned users do go into the correction ou in AD.
  However when I select which groups a user should be a member of in the ADUSERC child form (via the lookup), the user is not provisioned with the correct group membership in AD.
  A separate issue is how to map the objectClass in AD in the ProvAttrMap; could anyone point me in the direction of how to go about that?
  Thanks

  The ObjectClass should be configured in this lookup Lookup.Configuration.ActiveDirectory
  Check below
  http://docs.oracle.com/cd/E22999_01/doc.111/e20347/extnd_func.htm#sthref221
  4.6 Configuring the Connector for User-Defined Object Classes

• Hyperion User Directory and Native Directory

  Hi,
  I am new to Hyperion and had a query related to User directory and Shared Services Native Directory.
  Can a same native directory, for e.g., oracle database used by Shared services for provisioning be also used by Hyperion applications/products as user directory for user authentication?
  Thanks

  The term 'Hyperion User Directory' is not used in any standard documentation -- and here is where some folks would ask you is this an 'interview question'.
  Shared services has two components it uses to store information 1. A Relational repository 2. OpenLDAP. Your question seems to assume 1 and 2 are one in the same and they are not.
  The Relational Repository is used regardless of your use of Native Directory or an external directory provider such as LDAP or MS Active Directory.
  You can house the Shared Services Relational Repository along with other databases on a single database server.
  Please clarify what you are asking if John or my responses still have not answered your query.
  Regards,
  John A. Booth

• Difference between user directory and native directory in Shared Services

  Hi,
  Please any one can help me......
  I am new to Hyperion, what is difference between Hyperion Shared services Native directory and User/Active directory.
  thanks in advance..............

  Hi,
  Shared Services native directory, as the name suggests, is a user directory (i.e. ldap) that is native to Hyperion. It allows you to create users, groups and define access rights to Hyperion Products. User/Active directory is the directory where users in your company reside. Shared Services can connect to it and retrieve the list of users and groups. You can define the access rights for these users if you configure the system in a way that it works with Active Directory.
  You can use both combined also. Meaning, you can create user groups in native directory and assign native directory users into them and define access rights onto user groups and/or users.
  Cheers,
  Alp

• SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

  Hi
  We are running on SharePoint Server 2013.When we add AD groups as permissions, we see that the group name is being displayed properly in the permissions. Whereas when I click on the groupname I see the SID with the Sharepoint specific claims characters,
  instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of SID. Is this the right behaviour.
  When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
  Can someone please clarify?
  Thanks
  Naga

  Hi,
  Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
  c:0+.w|<SID>
  •"c" for a claim other than identity
  •"+" for a group SID
  •"." for a string
  •"w" for a Windows claim
  More information:
  http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
  Thanks,
  Dennis Guo
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Dennis Guo
  TechNet Community Support

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Cisco 1702i WAP: how to get an interface in a non-native bridge group/ VLAN to be recognized by the internal DHCP server

  Does anyone know how the internal DHCP server in these access points connects to virtual interfaces and bridges in the unit?
  Is there some sort of default connection that connects the DHCP server to the native bridge group or VLAN?
  In a test case, with an SSID in the native VLAN and bridge group, the 1702i serves an IP address to a wireless client no problem. But with a second SSID in a non native VLAN and bridge group, no IP gets served. My only guess is that since the bvi1 defaults to the native bridge group and VLAN, sub-interfaces also in this group are assumed to be in the same subnet as bvi1, or in this case:
  interface bvi1
    ip address 192.168.1.205 255.255.255.0
    no ip route-cache
    exit
  It would be the ..1. subnet.
  Since the dhcp pool is set as:
  ip dhcp pool GeneralWiFi
    network 192.168.1.0 255.255.255.0
    lease 1
    default-router 192.168.1.1
    dns-server 8.8.8.8
    exit
  There may be an assumption that anything bvi1 can talk to is in the ..1. subnet, so the above pool gets activated on a request coming through bvi1.
  Is the DHCP server just hanging out waiting for a request from an "area" that is assumed to be on the same subnet as the given pool?
  Do I need to somehow show the device what subnet the 2nd SSID/ subinterfaces are in so the internal DHCP server can decide it needs to go to work, or is there some sort of bridging between the DHCP server and the interfaces that needs to be done? I am trying to use the same DHCP pool for the second subnet at this point, since I assume I will need another router to service an additional subnet and DHCP pool.

  Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
  Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
  That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
  HTH,
  Steve

• How to do provisioning in Active Directory multiple lavel OU structure from FIM 2010 R2 with Country basis.

  Hi,
  I want to do provisioning in Active Directory multiple level Organization Unit(OU) from FIM 2010 R2  with country name basis.
  Suppose i have Asia,Europe,UK,USA region OU and they have another OU in Asia OU like India,china etc if country name is India then Users should be go in India OU and if  if country name is China then Users should be go
  in China OU.so please give me any idea on this this would be very helpful for me
  Regards
  Anil Kumar

   
  Do you have Region attribute in your user object? If yes, then you can do something like this
  "CN="+displayname+
  ",OU="+country+
  ",OU="+region+
  ",DC=mycompany,DC=local"
  If you don’t have region attribute, then you have to write own IIF statement for every county
  IIF(Eq(contry,"China",",OU=China,OU=Asia","")
  You can also parse your dn for synchronization rule in some other place (e.g. metaverse extension), but if you want to do it codeless, IIFs are the way to go.

• Lion Server not reading Active Directory Groups reliably

  I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
  The current Snow Leopard Server serving files from a XSan volume is running fine, though we find a very long Lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
  So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory Groups it would not import any of the users, so obvioulsly no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that the were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
  The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (we have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure)
  The new Server.app in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to setup a "Golden Triangle" but with Lion it is required. Perviously I could search for AD users or groups and drag them from the search window to the share to assign permission, now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the Server.app hangs for 5 minutes and shows 0 results?
  Has anyone found a way to make Lion Server work in an enterprise environment?

  Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the Server.app, when trying to create new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user record, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then?