MS Active Directory as LDAP Server - Email & Group variables do not pickup values
Hello Experts
We have OBIEE 10.1.3.4.2 using MS Active Directory as LDAP Server. Init Block "Authentication" (4 variables setup - USER, DISPLAYNAME, EMAIL and GROUP) seems to work fine, but when you do a "Test" and supply userid and password , only USER and DISPLAYNAME showup. Email and Group variables are blank.
Please help . Thanks lot in advance.
Regards.
Hello Srini
Just USER and DISPLAYNAME variables get populated and I think they are coming from MSAD. However, the Email and Group membership information from MSAD does not flow back to OBIEE Server.
Regards
Similar Messages
-
Creating users in Active Directory through LDAP connector
Hello,
If we need to create users in Active directory using LDAP connector, what are the options for the following:
1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
2) Can we add additional fields in LDAPMAP which are not standard e.g can we we write our own code to extract data from HR to map the value with an attritube within Active directory?
Regards,
AhmadHello!
I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
Here is the posting again - sanitized this time.
You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
You can also perform group membership assignment in LDAP from SAP if needed.
I have done this quite a few times at different companies that use SAP HCM.
A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
A job runs every 8 hours to perform delta updates in LDAP.
The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR. -
Configuring Microsoft ACtive Directory in WebLogic server 10.3.3
Hi,
I am working on configuring Microsoft ACtive Directory in WebLogic server 10.3.3. After configuration I couldn't see any AD users in myrealm-users.
If there is any document / step-by-step tutorial available please provide me.
Thanks
MCJust check the product documentation ;-) The Guide Securing WebLogic Server might be of interest for you.
Here is a link to start with: http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/atn.htm#SECMG175
--olaf -
Filtering Groups on Windows Active Directory using LDAP Authentication
Hi All,
I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
This module was developed and tested on weblogic 8.1[on windows]and works fine.
Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
Please note no exception is aslo thrown.
env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,authentication);
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL, domainController);
// Create the initial directory context
try {
dirCtx = new InitialDirContext(env);
// Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the attributes to return
String returnedAtts[]={"member"};
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
int totalResults = 0;
int iteration=0;
// Search for objects using the filter
NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
In the above code the method exits even before the try block[i could detect this using Sysout's]
Below is the property file from which the values are read.
admin=username
password=password
#AD search attributes
searchBase=DC=domainname,DC=domainname
searchFilter=(&(objectClass=group) (CN=value*))
#JNDI context attributes
ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
authentication=simple
domainController=ldap://address
groupPattern=pattern
Please Assit,
Thanks in Advance
Message was edited by:
radiant
Message was edited by:
radiantAssuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.
-
SAP R/3 Authentication with Active Directory on Win2k server.
Hello list ,
We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
1) SAP GUI .
2) SAP BW
3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
Wish to implement SSO for all our users.
Some research we have done suggests
1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
"All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
I have created an OSS ticket but we are still in a queue since 5 days already.
Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
Thanks in advance.
Harsh BusaTim,
you are perfectly right: that Vintela product is not certified (as SNC solution).
But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/352295">SAP note 352295</a>) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
I really do <u>not</u> want to promote <u>any</u> product - neither the one of Quest Software Inc., nor the one of <a href="http://www.cybersafe.ltd.uk/">CyberSafe Ltd</a>, nor <a href="http://www.entrust.com">Entrust Inc.</a>, nor <a href="http://www.secude.com/">SECUDE IT Security GmbH</a>, nor ...
I do not even want to disencourage anyone from implementing his own Kerberos-based solution (or any other solution which provides an GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities are belonging to that group ... - but it might not be appropriete to the vast majority of customers. -
Using Active Directory - either Secure or Distribution Groups
Reviewing the security documentation for UCM 10g R3, it appears that we should only map to Active Directory Secure Groups and not Distribution Groups, perhaps even if they are marked "secure"? Does anyone know if this is a technical limitation or a best practice? Our organization has processes in place to prevent ad-hoc updates to Distribution lists and I'd like to map UCM using this group type in AD because SQL statements can keep the membership list current in a Distribution Group.
dll is not a good candidate for the Agent, this has to be an application(exe), and the server onces it identifies the PCs should push this Agent to those PCs and the Application should have the logic to Phone home etc...
-
Solution: Active Directory over LDAP over SSL
Hey all
I have the solution and i will describe how i solved it.
- Install windows 2000 server
- install service pack 2
- install high encription pack from windows
http://www.microsoft.com/windows2000/downloads/recommended/encryption/
- install active directory
also install a dns server, if there isn't one.
- install a Certificate Authority
a stand alone, that requires Active Directory
- install JDK 1.4
- goto http://localhost/certsrv
choose: "Retrieve the CA certificate or certificate revocation list"
then choose: "Download CA certificate"
save this file to the hard disk
- use keytool to import this file in the cacerts file
keytool -import -alias foo -storetype jks -keystore cacerts -file yourca.cer
the cacerts file must be in C:\j2sdk1.4.0_01\jre\lib\security or something
- then run the followin code for a connection
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import java.io.*;
import java.net.*;
public class HBUserAdmin {
public HBUserAdmin() {}
private Hashtable env;
private void _initialize() {
env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://your.server.com:636");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=jellie,DC=com");
env.put(Context.SECURITY_CREDENTIALS, "youknowit");
env.put(Context.REFERRAL, "ignore");
env.put(Context.SECURITY_PROTOCOL, "ssl");
//THE LOCATION OF THE CACERTS MUST BE SPECIFIED
System.setProperty("javax.net.ssl.keyStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStoreType", "jks");
public void bindAs(String principal, String credentials, String baseDN) {
env.put(Context.PROVIDER_URL, baseDN);
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, credentials);
DirContext ctx = null;
try {
ctx = new InitialDirContext(env);
System.out.println("bind Successful...");
ctx.close();
} catch(AuthenticationException aex) {
System.out.println("Invalid userid or password... Please try again");
} catch (Exception ex) {
ex.printStackTrace();
public static void main(String[] args) {
System.out.println("Starting to execute");
HBUserAdmin testUser = new HBUserAdmin();
System.out.println("Binding...");
testUser.bindAs("CN=Administrator,CN=Users,DC=jellie,DC=com", "youknowit", "ldap://your.server.com:636");
I hope this will help all of you
questions?....mail
Jellie
[email protected]System.setProperty("javax.net.ssl.keyStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStore", "D:\\j2sdk1.4.0_01\\jre\\lib\\security\\cacerts");
Do not forget to alter these values.
IT MUST BE POINTING TO THE FILE YOU HAVE IMPORTED THE CERTIFICATE TO.
good luck -
DNS and Active Directory error 4000 server 2008
Hello all,
My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge
of my budget haven't given me the option to do so and it's the only back up we have.
Earlier in the week we had lots of problems. One of our nas boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of our Macs our marketing department uses suddenly locked up and wouldn't let them back
in (both were part of the Active Directory). A second nas box won't let certain people map to it and for awhile I had issues logging into Vader itself.
I believe all of these problems are connected to some issues on Vader and possibly in conduction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory.
This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded
the tombstone lifetime. Replication has been stopped with this source."
Followed by more text I can post if needed.
Under File Services error 1202 "The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the
next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
I'm not sure where to start or what to post that might help. Any and all help is appreciated.
Edit: Also I can only add dells3 as the DNS on Vader in the DNS Manager if I try to add Vader to itself I get an error.It's the other way around. Overall, I'm advising ripping the 2008 server out of AD and adding it back . Let's look at this as a series of steps:
1.) You do a force demote of the 2008 server because it's tombstoned. This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate. If it could replicate, we'd just do a graceful demotion
and be done with it.
2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD. From that server we run a metadata cleanup using the ntdsutil utility. We use that utility to clean out references to the 2008 server which is
no longer a DC.
3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory. Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
Hopefully that clarifies things. -
Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory
We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone
can recommend?Hi Ginandtonic,
To upgrade DC(Domain Controller) from windows server 2012 to windows server 2012 r2, please refer to these articles:
Upgrade from windows Server 2012 to 2012 R2
Upgrade Active Directory from 2012 to 2012 R2
I hope this helps.
Best Regards,
Anna -
How to create two domains name in one active directory domain service .server 2012 ??
Hi there
I want to try sharepoint foundation and office web apps server .
I installed server 2012 sharepoint found 2013 sql server 2012 and create a new forest on active directory domain sevice
now I want to install office web apps server 2013 but when I run the setup said me can't install office web apps server on the domain name that installed sharepoint .
how can I create second domain name on this active directory domain service to install office web apps server ?
help me please I'm new and just want to try sharepoint and office web apps server .
mostly I need to create MS access custom web app and I need the web place to run my access custom web app on this server and because I live in iran can't create and sign up for office 365 and sharepoint online so i'm forced to run them on my system .help
me to complete ths server ?
Greate Regards :
Raha
whit the best regard : RahaHi,
For how to Use Office Web Apps with SharePoint 2013, the below links should be what you want to refer to:
Configure Office Web Apps for SharePoint 2013
http://technet.microsoft.com/en-us/library/ff431687.aspx
Video: Configure Office Web Apps for SharePoint 2013
http://technet.microsoft.com/en-us/library/dn455088.aspx
How Office Web Apps work on-premises with SharePoint 2013
http://technet.microsoft.com/en-us/library/ff431685.aspx
In addition, for further assistance for Sharepoint, I suggest you post in the SharePoint forum.
Regards,
Yan Li
Regards, Yan Li -
SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server
All,
I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Micsoroft Active Directory 2003.
We are exploring the option of using full Active Directory schema expansion for the SAP sync. i.e. so we have all SAP related fields in AD.
According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
I have tried to download this from the SWDC with no luck.
So I guess my questions are:
1, Do I really need the 6.10 install cd (it seems it's only the ADSINIT.R3S file).
2, If I do, where can I get it from?, do I need to order it through our SAP contract manager?
In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree. Have I missed something?
Any help appreciated.
Thanks,
DarrylRainer,
Thanks for that.
I have been re-reading note 793191 and question 14 says exactly that.
I will checkout JXplorer.
I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
Thanks again.
ps. awarded points -
Forward all alerts related to Active Directory to a specific email
Hi All,
When monitoring with SCOM how to forward all Active Directory related alerts to the administrator who is responsible for AD.
I saw when right click on a specific alert a notification subscription can be created but this only for that specific alert. How to create an email subscription to all errors related AD management pack.
Thanks,
KanishkaHi
Create a new subscription, on the criteria page select "created by specific rules or Monitors". On the rule and Monitor search select the Management pack(s) you want and click search. Then mark all rules / Monitors and click add. Repeat this step for every
Management pack you want to receive alerts.
Cheers,
Stefan
Blog: http://blog.scomfaq.ch -
Adding printer in active directory- in windows server 2008 r2
Is that addition will enhance the printing and the scanning management capability ? how ? and to which extent ?
by example please !!
thank you in advanceWhen publishing a shared printer to active directory, the machine sharing the printer creates a PrintQueue AD container with information about the print share and the print driver capabilities. There is absolutely no information regarding
the scan capability of the device. AD printqueue objects are not printers, the objects contain the data needed to create a connection to the share.
Alan Morris Windows Printing Team -
WLS 5.1, Microsoft Active Directory w/ LDAP Realm redux
Greetings,
We are attempting to certify our app against MS ADS and are running into a few problems.
Let me state up front that we've recoded a wack of the WL classes to provide us with user -> group and group -> user lookups. This is part of our licensing model, so has to be done.
My main query is that I'm having a real problem distinguishing groups from users. If we get a group, we can enumerate through it to find users, no problem. If a group contains another group, things are less useful.
The main issue is that under ADS, the default users and groups are under /Users, so our group.dn and user.dn values are identical. Normally, I would use the DN to tell if I'm looking at a group or not, but in this case, we can't.
Our class chokes if any of the DNs are "", so just leaving it blank is no good for me.
Any comments, advice or ideas?
jdvgood morning:
this issue was solved by using a fully domain administrator account. the cisco acs server is registered immediately and i can save the query or changes to acs database.
regards! -
Active Directory RPC Ports - Server 2012 R2
Hi,
My networking team are looking to restrict the ports from clients to Domain Controllers.
They have opened the following ports:
TCP and UDP 389
TCP 636
TCP 3268
TCP 3269
TCP and UDP 88
TCP and UDP 53
TCP and UDP 445
UDP 123
TCP and UDP 464
UDP 138
TCP 9389
UDP 137
TCP 139
TCP/UDP 49152 - 65535
The question is do we need all of the TCP/UDP RPC Ports (49152 - 65535)? We are running Exchange and Lync. I have found articles (http://support.microsoft.com/kb/224196) which suggest I can use a static port but am concerned what impact this will have on
services.
Any help greatly appreciated.No you do not need all the high ports open and you can restrict them and be perfectly fine.
We restrict our high ports to a range of 50,000-51,000
This is the article we use below:
http://support.microsoft.com/kb/300083
Obviously you can't click on Start in 2012 so if you move the mouse to the lower right and then click search you can search and find Component Services. You can also find it in the Administrative Tools.
Hope this helps!
If it answered your question, remember to “Mark as Answer”.
If you found this post helpful, please “Vote as Helpful”.
Postings are provided “AS IS” with no warranties, and confers no rights.
Active Directory: Ultimate Reading Collection
Maybe you are looking for
-
How to print the Actual Check on 1st Page if line items are more for F110_p
Hi, How to print the Actual Check on 1st page if the line items are more in F110_PRENUM_CHCK script. The standard script is printing at the last page of line items. I tried using IF &PAGE& EQ '1 ' /E 545 --> text element ENDIF but it is of no use. Pl
-
CP 5 text to speech--purchased voices integrated directly?
Hi, I am hoping someone from Adobe will answer this question definitively for me (or someone who has figured this out and tested it). Let's say I have to add text-to-speech to a software demo and provide the demo in, say, five different languages. I
-
Drill/Down don't work and Characteristic is deleted after filter in BEx Ana
Hi All, please help me experts I have 2 issue: 1.- When I execute a Query in BEx Analyzer I got the first result, I can add other characteristics just to click on this.. or with context menu.. but later If I try to move de order of columns in the
-
How do I zoom in and out in Pages for the iPad?
I'm using Pages on my iPad (1), but don't seem to be able to zoom in. The "pinch open to zoom in" doesn't seem to work, it just springs back when I take my fingers off the screen. Am I missing something? I have no problem zooming in using pinch open
-
Spotlight Searches in Lion no longer have "title/content" option in Finder?
Hi: I upgraded to Lion and notice that when I use spotlight to search I no longer have the option on the top bar for choosing either "contents" or "title" in finder. The option for current directory or "this Mac" still is there, but not the other.