Multi-Domain LDAP UME configuration

Similar Messages

• Shared Services: Multi-domain MSAD based configuration issue

  Hello to All,
  Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D.
  My actual configuration is based on the domain X and provides some MSAD users groups in D user directory.
  But I need to provisionne another user that belong to another AD in a foreign domain Y.
  A trusted relationship (approbation relationship) have been created between the two domains X and Y.
  Is this kind of multi-domain configuration allowed in Shared Services?
  If yes, how can I configure this?
  OS: Solaris
  Hyperion Shared Services 9.3.1
  Thanks in advance for your help

  There are a couple of ways:
  1) Add a new provider in Shared Services
  2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
  Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
  Regards,
  John A. Booth
  http://www.metavero.com

• MS AD LDAP+UME configuration guide

  Hello
  I have to implement User Management in LDAP(Deep hierachy)+UME Database mode. I am looking for Step by Step guides for the same with the requisite tools to manage MS Active Directory as a LDAP data source.
  Thanks
  ASR

  Thanks for the reply.
  1 more question
  Which tool is used to administer LDAP users (e.g. Add a new LDAP user) from the Windows 2003 server.
  Thanks
  Ananda

• LDAP - UME Domain filter

  Hi,
  Thanks for helping!
  Does anyone know how to set up a negative user filter for users in a given domain? I am using novell as LDAP server.
  Ex. for a organization unit it is done like this:
  <ume.ldap.negative_user_filter>ou=[unit]</ume.ldap.negative_user_filter>
  What I would like to know is; what is the physical attribute name of Domain?
  I have been looking for this for hours now... Any help would be very nice!
  The best regards
  Kris

  I don't think the negative user filter can be used in my case. I am going to use multible LDAP domains in UME using the same LDAP server but with different user and group paths.
  This sould do the trick.
  Thanks for your help!
  Best regards
  Kris

• How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

  Good morning everybody,
  I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
  What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
  What I have successfully managed to get to work so far is this:
  1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
  show authentication sessions:
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
  What I want to get is an output like this:
  Interface  MAC Address     Method   Domain   Status         Session ID          
  Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
  Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
  Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
  I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
  The configuration of the interface connected to the Dumb switch is as follows.
  interface FastEthernet0/x                                                      
   description Connection to DUMBswitch                                            
   switchport mode access                                                         
   switchport voice vlan XXX                                                      
   switchport port-security maximum 10                                            
   switchport port-security                                                       
   switchport port-security violation protect                                     
   authentication host-mode multi-auth                                            
   authentication priority dot1x                                                  
   authentication port-control auto                                               
   authentication timer reauthenticate 4000                                       
   authentication violation replace                                               
   dot1x pae authenticator                                                        
   dot1x timeout tx-period 10                                                     
   spanning-tree portfast                                                         
  The way I see it is explained in the following steps:
  - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
  - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
  Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
  Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
  Thank you
  Stoimen Hristov

  Hi Stoimen,
  I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
  From what I can see, you have 2 options available to you:
  1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
  2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
  Hopefully someone else will chime in with another option.
  Xavier

• Problem OIM OID Ldap Sync Configuration in 11g.

  Hi Team,
  I am doing OIM and OID LDAP Sync configuration There It is failed in "Configuration Process" Step.
  and also in weblogic OIM Maganaged server in ADMIN mode not in running mode.
  please find the both logs.
  *********************************Weblogic Logs**********************************************
  Enter username to boot WebLogic server:weblogic
  Enter password to boot WebLogic server:
  <28-Sep-2012 14:07:44 o'clock BST> <Info> <Management> <BEA-141107> <Version: We
  bLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
  <28-Sep-2012 14:07:47 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Serve
  r state changed to STARTING>
  <28-Sep-2012 14:07:47 o'clock BST> <Info> <WorkManager> <BEA-002900> <Initializi
  ng self-tuning thread pool>
  <28-Sep-2012 14:07:48 o'clock BST> <Notice> <Log Management> <BEA-170019> <The s
  erver log file E:\Oracle\Middleware\user_projects\domains\IAM_domain\servers\oim
  server1\logs\oimserver1.log is opened. All server side log events will be writ
  ten to this file.>
  28-Sep-2012 14:07:56 oracle.security.am.common.nap.util.NAPLogger log
  SEVERE: Failed to communicate with any of configured Access Server, ensure that
  it is up and running.
  <28-Sep-2012 14:07:57 o'clock BST> <Notice> <Security> <BEA-090082> <Security in
  itializing using security realm myrealm.>
  <28-Sep-2012 14:08:04 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Serve
  r state changed to STANDBY>
  <28-Sep-2012 14:08:04 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Serve
  r state changed to STARTING>
  <28-Sep-2012 14:08:20 o'clock BST> <Warning> <oracle.jps.upgrade> <JPS-06003> <C
  annot migrate credential folder/key ADF/anonymous#oimBpelCredKey.Reason oracle.s
  ecurity.jps.service.credstore.CredentialAlreadyExistsException: JPS-01007: The c
  redential with map ADF and key anonymous#oimBpelCredKey already exists..>
  <28-Sep-2012 14:08:21 o'clock BST> <Warning> <oracle.adf.share.ADFContext> <BEA-
  000000> <Automatically initializing a DefaultContext for getCurrent.
  Caller should ensure that a DefaultContext is proper for this use.
  Memory leaks and/or unexpected behaviour may occur if the automatic initializati
  on is performed improperly.
  This message may be avoided by performing initADFContext before using getCurrent
  To see the stack trace for thread that is initializing this, set the logging lev
  el of oracle.adf.share.ADFContext to FINEST>
  <28-Sep-2012 14:08:24 o'clock BST> <Error> <Deployer> <BEA-149205> <Failed to in
  itialize the application 'oim [Version=11.1.1.3.0]' due to error oracle.iam.plat
  form.utils.OIMAppInitializationException:
  OIM application intialization failed because of the following reasons:
  oim-config.xml was not found in MDS Repository.
  Unable to find keystore ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/.
  Password for OIMSchemaPassword is not seeded in CSF.
  Password for xell is not seeded in CSF.
  Password for DataBaseKey is not seeded in CSF.
  Password for JMSKey is not seeded in CSF.
  Password for .xldatabasekey is not seeded in CSF.
  Password for default-keystore.jks is not seeded in CSF.
  Password for SOAAdminPassword is not seeded in CSF.
  oracle.iam.platform.utils.OIMAppInitializationException:
  OIM application intialization failed because of the following reasons:
  oim-config.xml was not found in MDS Repository.
  Unable to find keystore ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/.
  Password for OIMSchemaPassword is not seeded in CSF.
  Password for xell is not seeded in CSF.
  Password for DataBaseKey is not seeded in CSF.
  Password for JMSKey is not seeded in CSF.
  Password for .xldatabasekey is not seeded in CSF.
  Password for default-keystore.jks is not seeded in CSF.
  Password for SOAAdminPassword is not seeded in CSF.
  at oracle.iam.platform.utils.OIMAppInitializationListener.preStart(OIMAp
  pInitializationListener.java:145)
  at weblogic.application.internal.flow.BaseLifecycleFlow$PreStartAction.r
  un(BaseLifecycleFlow.java:282)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
  dSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
  120)
  at weblogic.application.internal.flow.BaseLifecycleFlow$LifecycleListene
  rAction.invoke(BaseLifecycleFlow.java:199)
  Truncated. see log file for complete stacktrace
  Caused By: oracle.iam.platform.utils.OIMAppInitializationException:
  OIM application intialization failed because of the following reasons:
  oim-config.xml was not found in MDS Repository.
  Unable to find keystore ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/.
  Password for OIMSchemaPassword is not seeded in CSF.
  Password for xell is not seeded in CSF.
  Password for DataBaseKey is not seeded in CSF.
  Password for JMSKey is not seeded in CSF.
  Password for .xldatabasekey is not seeded in CSF.
  Password for default-keystore.jks is not seeded in CSF.
  Password for SOAAdminPassword is not seeded in CSF.
  at oracle.iam.platform.utils.OIMAppInitializationListener.preStart(OIMAp
  pInitializationListener.java:145)
  at weblogic.application.internal.flow.BaseLifecycleFlow$PreStartAction.r
  un(BaseLifecycleFlow.java:282)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
  dSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
  120)
  at weblogic.application.internal.flow.BaseLifecycleFlow$LifecycleListene
  rAction.invoke(BaseLifecycleFlow.java:199)
  Truncated. see log file for complete stacktrace
  >
  <28-Sep-2012 14:08:24 o'clock BST> <Warning> <Munger> <BEA-2156203> <A version a
  ttribute was not found in element application in the deployment descriptor in E:
  \Oracle\Middleware\Oracle_IDM1\server\apps\spml-xsd.ear/META-INF/application.xml
  . A version attribute is required, but this version of the Weblogic Server will
  assume that the JEE5 is used. Future versions of the Weblogic Server will reject
  descriptors that do not specify the JEE version.>
  <28-Sep-2012 14:08:24 o'clock BST> <Warning> <Munger> <BEA-2156203> <A version a
  ttribute was not found in element application in the deployment descriptor in E:
  \Oracle\Middleware\user_projects\domains\IAM_domain\servers\oim_server1\tmp\_WL_
  user\spml-xsd\s8d2b9/META-INF/application.xml. A version attribute is required,
  but this version of the Weblogic Server will assume that the JEE5 is used. Futur
  e versions of the Weblogic Server will reject descriptors that do not specify th
  e JEE version.>
  <28-Sep-2012 14:08:24 o'clock BST> <Emergency> <Deployer> <BEA-149259> <Server '
  oim_server1' in cluster 'OIM_Cluster' is being brought up in administration stat
  e due to failed deployments.>
  Loading xalan.jar for XPathAPI.
  14:08:30 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] -
  ----------------- NEXAWEB SERVER LICENSE ------------------
  - Customer ID : 122
  - License type : Enterprise
  - Max unique IPs : unlimited
  - Max XUL sessions : unlimited
  - Max CPUs/server : unlimited
  - Clustering allowed : true
  - Expiration date : none
  Nexaweb Technologies Inc.(C)2000-2004. All Rights Reserved.
  Nexaweb Technologies Inc.
  10 Canal Park
  Cambridge, MA 02141
  Tel: 617.577.8100. Email: [email protected]
  14:08:31 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] - Clustering is OFF.
  14:08:31 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] - Servlet Engine: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PD
  T 2011 1398638 Oracle WebLogic Server Module Dependencies 10.3 Thu Mar 3 14:37:5
  2 PST 2011 Oracle WebLogic Server on JRockit Virtual Edition Module Dependencies
  10.3 Thu Feb 3 16:30:47 EST 2011
  14:08:31 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] - Servlet API Version: 2.5
  14:08:31 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] - Nexaweb Server Info = Nexaweb Server 3.3.1072
  14:08:31 INFO [[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default
  (self-tuning)'] - Nexaweb Server initialized successfully.
  <28-Sep-2012 14:08:34 o'clock BST> <Notice> <Log Management> <BEA-170027> <The S
  erver has established connection with the Domain level Diagnostic Service succes
  sfully.>
  <28-Sep-2012 14:08:34 o'clock BST> <Notice> <Cluster> <BEA-000197> <Listening fo
  r announcements from cluster using unicast cluster messaging>
  <28-Sep-2012 14:08:34 o'clock BST> <Notice> <Cluster> <BEA-000133> <Waiting to s
  ynchronize with other running members of OIM_Cluster.>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "Defa
  ult[2]" is now listening on 127.0.0.1:14000 for protocols iiop, t3, CLUSTER-BROA
  DCAST, ldap, snmp, http.>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "Defa
  ult[3]" is now listening on 0:0:0:0:0:0:0:1:14000 for protocols iiop, t3, CLUSTE
  R-BROADCAST, ldap, snmp, http.>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "Defa
  ult[1]" is now listening on fe80:0:0:0:0:5efe:a2f:f22a:14000 for protocols iiop,
  t3, CLUSTER-BROADCAST, ldap, snmp, http.>
  <28-Sep-2012 14:09:04 o'clock BST> <Warning> <Server> <BEA-002611> <Hostname "UK
  SHWTOAP03A.skandia.co.uk", maps to multiple IP addresses: 10.47.242.42, 0:0:0:0:
  0:0:0:1>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "Defa
  ult" is now listening on 10.47.242.42:14000 for protocols iiop, t3, CLUSTER-BROA
  DCAST, ldap, snmp, http.>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <WebLogicServer> <BEA-000330> <Start
  ed WebLogic Managed Server "oim_server1" for domain "IAM_domain" running in Prod
  uction Mode>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Serve
  r state changed to ADMIN>
  <28-Sep-2012 14:09:04 o'clock BST> <Notice> <WebLogicServer> <BEA-000360> <Serve
  r started in ADMIN mode>
  **********************************OIM OID Ldap Sync Configuration Logs****************************
  [2012-09-28T14:49:11.171+01:00] [as] [NOTIFICATION] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [[
  [OIM_CONFIG] Updating Ldap Sync Configuration
  [2012-09-28T14:49:11.171+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: configurationLdap] ENTRY
  [2012-09-28T14:49:11.171+01:00] [as] [TRACE] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: oracle.as.install.oim.config.util.LdapSync] [SRC_METHOD: configurationLdap] Create the Database connection
  [2012-09-28T14:49:11.171+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: createDBConnection] ENTRY
  [2012-09-28T14:49:11.296+01:00] [as] [TRACE] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: oracle.as.install.oim.config.util.LdapSync] [SRC_METHOD: configurationLdap] isLIBOVD:true
  [2012-09-28T14:49:11.312+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: closeDBConnection] ENTRY
  [2012-09-28T14:49:11.312+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: closeDBConnection] RETURN
  [2012-09-28T14:49:11.312+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: configurationLdap] RETURN
  [2012-09-28T14:49:11.312+01:00] [as] [NOTIFICATION] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [[
  Updated LDAP Server Details in mds schema
  [2012-09-28T14:49:11.312+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: LdapSync] [SRC_METHOD: configurationLdap] RETURN
  [2012-09-28T14:49:11.812+01:00] [as] [NOTIFICATION] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [OIM_CONFIG] Updated LDAPContainerRules.xml.
  [2012-09-28T14:49:11.812+01:00] [as] [TRACE:16] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [SRC_CLASS: mdsMetadata] [SRC_METHOD: loadEventhandler] RETURN
  [2012-09-28T14:49:14.687+01:00] [as] [NOTIFICATION] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [[
  [OIM_CONFIG] Created jobs using seedSchedulerData. Log location C:\Program Files\Oracle\Inventory\logs
  [2012-09-28T14:49:14.687+01:00] [as] [ERROR] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] File not found[[
  java.io.FileNotFoundException: File not found
       at java.util.zip.ZipFile.open(Native Method)
       at java.util.zip.ZipFile.<init>(ZipFile.java:117)
       at java.util.jar.JarFile.<init>(JarFile.java:135)
       at java.util.jar.JarFile.<init>(JarFile.java:72)
       at oracle.as.install.oim.config.util.RoleSODJarUtil.updateFile(RoleSODJarUtil.java:32)
       at oracle.as.install.oim.config.OIMConfigManager.configureOIM(OIMConfigManager.java:783)
       at oracle.as.install.oim.config.OIMConfigManager.doExecute(OIMConfigManager.java:538)
       at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:335)
       at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:87)
       at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:104)
       at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
       at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:63)
       at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:158)
       at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
       at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:83)
       at java.lang.Thread.run(Thread.java:662)
  [2012-09-28T14:49:14.687+01:00] [as] [NOTIFICATION] [] [oracle.as.provisioning] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] [[
  [OIM_CONFIG] Failed configuration step Configure OIM Server
  [2012-09-28T14:49:14.702+01:00] [as] [ERROR] [] [oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] One or More configurations failed. Exiting
  [2012-09-28T14:49:14.702+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.statistics] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Install Adapter: Mark End for:CONFIG
  [2012-09-28T14:49:14.702+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.statistics] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Install Adapter: Mark End for:INTERVIEW
  [2012-09-28T14:49:14.702+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.statistics] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Install Adapter: Mark End for:INSTALL
  [2012-09-28T14:49:14.702+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.statistics] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Install Adapter: Mark End for:COPY
  [2012-09-28T14:49:14.702+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.statistics] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Install Adapter: Mark End for:LINK
  [2012-09-28T14:49:14.765+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine] [tid: 12] [ecid: 0000JcD8obD9pYjpp0_AiY1GPQHh000003,0] Setting valueOf(IS CONFIGURATION SUCCESSFUL) to:false. Value obtained from:USER
  [2012-09-28T15:11:21.461+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine] [tid: 11] [ecid: 0000JcD2jfD9pYjpp0_AiY1GPQHh000002,0] Setting valueOf(IS CONFIGURATION SUCCESSFUL) to:false. Value obtained from:USER
  [2012-09-28T15:11:27.914+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine] [tid: 11] [ecid: 0000JcD2jfD9pYjpp0_AiY1GPQHh000002,0] Setting valueOf(IS CONFIGURATION SUCCESSFUL) to:false. Value obtained from:USER
  Regards,
  Ravi.

  Your log files too give some hint... Please verify whether following files like .xldatabasekey are present in your environment:-
  OIM application intialization failed because of the following reasons:
  oim-config.xml was not found in MDS Repository.
  Unable to find keystore ".xldatabasekey" in <DOMAIN_HOME>/config/fmwconfig/.
  Password for OIMSchemaPassword is not seeded in CSF.
  Password for xell is not seeded in CSF.
  Password for DataBaseKey is not seeded in CSF.
  Password for JMSKey is not seeded in CSF.
  Password for .xldatabasekey is not seeded in CSF.
  Password for default-keystore.jks is not seeded in CSF.
  Password for SOAAdminPassword is not seeded in CSF.
  I doubt whether OIM is properly installed in your environment otherwise .xldatabasekey would have been present in <DOMAIN_HOME>/config/fmwconfig..
  Also, as far as Weblogic starting in ADMIN mode is concerned, you may try to do the following...
  ps -eaf| grep AdminServer
  Kill the process
  Then remove the lok file. i.e. Lock files...
  rm -rf /home/oracle/Oracle/Middleware/user_projects/domains/oimdomain/servers/oim_server1/tmp/*oim_server1.lok*
  rm -rf /home/oracle/Oracle/Middleware/user_projects/domains/oimdomain/servers/soa_server1/tmp/*soa_server1.lok*
  rm -rf /home/oracle/Oracle/Middleware/user_projects/domains/oimdomain/servers/AdminServer/tmp/*AdminServer.lok*
  After that
  Take the backup of /home/oracle/Oracle/Middleware/user_projects/domains/<DOMAIN_HOME>/servers/AdminServer/data/ldap/ldapfiles (I mean CUT this folder and save it in Backup folder..
  Share the result with us....

• Open LDAP Authenticator Configuration on WLSSP5

  I have problems in the open LDAP authenticator configuration on Weblogic Server with Service Pack 5. I have users on OpenLDAP Server that do not belong to any group. My LDIF file contents are as given below.
  dn: dc=my-domain,dc=com
  dc: my-domain
  objectClass: dcObject
  objectClass: organization
  o: MYABC, Inc
  dn: cn=Manager, dc=my-domain,dc=com
  userPassword:: c2VjcmV0
  objectClass: person
  sn: Manager
  cn: Manager
  dn: cn=myabcsystem, dc=my-domain,dc=com
  userPassword:: dmVuZGF2b3N5c3RlbQ==
  objectClass: person
  sn: myabcsystem
  cn: myabcsystem
  dn: cn=Philippe, dc=my-domain,dc=com
  userPassword:: UGhpbGlwcGU=
  objectClass: person
  sn: Philippe
  cn: Philippe
  dn: cn=mlrick, dc=my-domain,dc=com
  userPassword:: bWxyaWNr
  objectClass: person
  sn: mlrick
  cn: mlrick
  All these users appear in the Users tab after configuration on the console only if LDAP Server is up. While I select group tab, I get errors indicating BAD SEARCH Filter.
  Inspite of me not having any groups in the ldap as indicated in ldif contents.
  While I try to login t the application with this LDAP configuration, I do not get any errors. LDAP authentication is not happening with just the LDAP authenticator in place. Even if I stop the LDAP server, I do nto get any exceptions while trying ot login. The config params for the Open LADP are as given below
  <weblogic.security.providers.authentication.OpenLDAPAuthenticator
  AllGroupsFilter="objectclass=*"
  Credential="{3DES}rGCpYmhaIorI99BjZ2u6Fg=="
  GroupBaseDN="dc=my-domain,dc=com"
  GroupFromNameFilter="(cn=%u)"
  Name="Security:Name=MYABCAuthenticationOpenLDAPAuthenticator"
  Principal="cn=myabcsystem,dc=my-domain,dc=com"
  Realm="Security:Name=MYABCAuthentication"
  StaticGroupDNsfromMemberDNFilter=""
  StaticGroupNameAttribute="" StaticGroupObjectClass=""
  StaticMemberDNAttribute="" UserBaseDN="dc=my-domain, dc=com"/>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP ATN LoginModule initialized>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <LDAP Atn Login username: bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <authenticate user:bob>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <getDNForUser search("ou=people,ou=MYABCAuthentication,dc=myabc", "(&(uid=bob)(objectclass=person))", base DN & below)>
  ####<Mar 3, 2006 4:21:34 PM IST> <Debug> <SecurityDebug> <hemalatha> <myserver> <ExecuteThread: '49' for queue: 'default'> <<WLS Kernel>> <> <000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  CAN ANYONE HELP ME IDENTIFY WHAT IS THE ISSUE. Why is the authentication not happening?

  Hi Amol,
  I've seen this happen at least two times in 11.1.1.1 installs. You can safely restart and then add the service back again. Suggest you reboot after you re-add the service back or cycle all the Hyperion services.
  I was not aware you could install the service with that command.
  I used the below command instead:
  sc create OpenLDAP-slapd start= auto binPath= "D:\Hyperion\...\slapd.exe service" DisplayName= "Hyperion Shared Services OpenLAP"
  Regards,
  -John

• UME Configuration change for  j_user attribute

  Hi All,
  We have a requirement in portal like users login into the portal with the windows ID(Which is loginuid in the LDAP)(loginuid is synchronized with windows ID) and the further authorizations should happen with the field called uid.
  We made change in the UME datasourse xml file as below.
  In the attribute mapping ,
  <attribute name="j_user"><physicalAttribute name="loginuid"/>
  and
  <attribute name="uniquename"><physicalAttribute name="uid"/>
  After making this changes user couldnt login with the loginuid..
  We are getting the following error in the trace file:
  ===========================================
  []#2#ume.configuration.active#true#
  #1.5#000C299E546D002A0000000100000464000423C9E09FC94C#1165249872673#com.sap.security.core.server.jaas#sap.com/irj#com.sap.security.core.server.jaas#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###got []: []#2#ume.configuration.active#true#
  #1.5#000C299E546D002A0000000200000464000423C9E09FCB79#1165249872673#com.sap.security.core.server.jaas#sap.com/irj#com.sap.security.core.server.jaas#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###Received no SAPLogonTicket. Authentication stack: [].#1#ticket#
  #1.5#000C299E546D002A0000000300000464000423C9E09FCCB0#1165249872673#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.DataBasePersistence][md=doSearch][cl=19919]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###Perform query: SELECT DISTINCT PID FROM UME_STRINGS WHERE ((PID LIKE ? ESCAPE '\#') AND (((NAMESP=?) AND (NAMESPH=?) AND (ATTR=?) AND (ATTRH=?) AND (UPPERVAL =  ?) AND (UPPERVALH = ?))))#
  #1.5#000C299E546D002A0000000400000464000423C9E09FE037#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###entry for search with searchfilter (&(objectclass=inetorgperson)(loginuid=user1)) searched in cache#
  #1.5#000C299E546D002A0000000500000464000423C9E09FE07B#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###search result found in cache#
  #1.5#000C299E546D002A0000000600000464000423C9E09FE07E#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###found principals: no results found#
  #1.5#000C299E546D002A0000000700000464000423C9E09FE3FD#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.DataBasePersistence][md=doSearch][cl=19919]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###Perform query: SELECT DISTINCT PID FROM UME_STRINGS WHERE ((PID LIKE ? ESCAPE '\#') AND (((NAMESP=?) AND (NAMESPH=?) AND (ATTR=?) AND (ATTRH=?) AND (UPPERVAL =  ?) AND (UPPERVALH = ?))))#
  #1.5#000C299E546D002A0000000800000464000423C9E09FF19E#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###entry for search with searchfilter (&(objectclass=inetorgperson)(loginuid=user1)) searched in cache#
  #1.5#000C299E546D002A0000000900000464000423C9E09FF1DE#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###search result found in cache#
  #1.5#000C299E546D002A0000000A00000464000423C9E09FF217#1165249872688#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=searchPrincipalDatabag][cl=20149]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###found principals: no results found#
  #1.5#000C299E546D002A0000000B00000464000423C9E0A03B38#1165249872704#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=initBeans][cl=20245]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###LanguagesBean created#
  #1.5#000C299E546D002A0000000C00000464000423C9E0A03CE4#1165249872704#com.sap.security.core.util#sap.com/irj#com.sap.security.core.util.[cf=com.sap.security.core.util.ErrorBean][md=ErrorBean(Message)][cl=15715]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Java###message USER_AUTH_FAILED#1#message USER_AUTH_FAILED#
  #1.5#000C299E546D002A0000000D00000464000423C9E0A03DB3#1165249872704#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=executeRequest][cl=20245]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_35##0#0#Info##Plain###No command found, forwarding to umLogonPage#
  #1.5#000C299E546D00270000001100000464000423C9E0B8A4B3#1165249874314#com.sap.security.core.server.jaas#sap.com/irj#com.sap.security.core.server.jaas#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_4##0#0#Info##Java###got []: []#2#ume.configuration.active#true#
  #1.5#000C299E546D00270000001200000464000423C9E0B8A7ED#1165249874314#com.sap.security.core.server.jaas#sap.com/irj#com.sap.security.core.server.jaas#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_4##0#0#Info##Java###got []: []#2#ume.configuration.active#true#
  #1.5#000C299E546D00270000001300000464000423C9E0B8A89E#1165249874314#com.sap.security.core.server.jaas#sap.com/irj#com.sap.security.core.server.jaas#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_4##0#0#Info##Java###Received no SAPLogonTicket. Authentication stack: [].#1#ticket#
  #1.5#000C299E546D00270000001400000464000423C9E0B8B6D3#1165249874314#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.logon.imp.SAPJ2EEAuthenticator][md=getLoggedInUser][cl=20245]#j2ee_guest#192#####SAPEngine_Application_Thread[impl:3]_4##0#0#Warning##Java###null
  [EXCEPTION]
  #1#com.sap.engine.services.security.exceptions.BaseLoginException: Authentication did not succeed.
  Regards,
  Birla.

  Hi ,
  you need to change uniqename too.
  <attribute name="uniquename">
                                               <physicalAttribute name="loginuid"/>
  change it and test on configutool  before activate & restart .
  Thanks
  Tag

• 802.1x Multi-Domain

  I've got a unique setup I'm trying to get set up with regards to 802.1x and have ran into some issues.  I've got Avaya phones that I need to authenticate onto the voice vlan that they are getting via LLDP.  But I'm only using 802.1x to keep things off the voice VLAN which is in a VRF.  The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x as these PCs are not owned by the department.
  My idea was to run multi-domain as seems to be the suggestion for phone deployments and then put anything that fails authentication into the Data VLAN (30) using guest-vlan as well as authorizing them to Vlan 30 when authentication fails.  It seems like authentication fail Vlan and guest Vlan cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly.  Here is my current config that is not working as it's not putting the PC into Vlan 30 when authentication fails.  Vlan 40 is the voice Vlan. Vlan 30 is the data Vlan.
  interface GigabitEthernet1/0/1
  description Test 802.1x port
  switchport mode access
  switchport voice vlan 40
  authentication event fail action authorize vlan 30
  authentication event server dead action authorize vlan 30
  authentication event no-response action authorize vlan 30
  authentication host-mode multi-domain
  authentication port-control auto
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout server-timeout 15
  dot1x timeout supp-timeout 2
  spanning-tree portfast
  Any ideas on how I can go about acheiving this?
  Thanks,
  Brian

  Well, you can use multiple-authentication mode.
  Multiple-authentication (multiauth) mode allows  one client on the voice VLAN and multiple authenticated clients on the  data VLAN. When a hub or access point is connected to an 802.1x-enabled  port, multiple-authentication mode provides enhanced security over  multiple-hosts mode by requiring authentication of each connected  client. For non-802.1x devices, you can use MAC authentication bypass or  web authentication as the fallback method for individual host  authentications to authenticate different hosts through by different  methods on a single port.
  Multiple-authentication mode is limited to eight authentications (hosts) per port.
  Multiple-authentication mode also supports MDA functionality on the  voice VLAN by assigning authenticated devices to either a data or voice  VLAN, depending on the VSAs received from the authentication server.
  VERY IMPORTANT: When  a port is in multiple-authentication mode, all the VLAN assignment  features, including the RADIUS server supplied VLAN assignment, the  Guest VLAN, the Inaccessible Authentication Bypass, and the  Authentication Failed VLAN do not activate.
  This is the configuration commands:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• WAS & LDAP ume

  Hi,
  Is there a possibility to enable UME on Java WAS to use database & LDAP directory even if the WAS is Developer Workplace or Java Sneak Preview ?
  When I try to change UME configuration in UME configtool and save change, error ocurs. When I do that on regular Java Central instance installation, everything goes ok.
  Can anyone answer my question ?
  Thanks,
  Best regards
  Miroslav Koskar

  Hi Miroslav ,
  i didn'get u properly.
  Config tool is for Offline Administration of SAP WAS.
  just follow these links for UME LDAP Configuration.
  http://help.sap.com/saphelp_nw04/helpdata/en/eb/00954081efb90ee10000000a155106/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/6f/258b2ef17d45a4afa45a00309a6a33/content.htm
                             Regards
                             Kishor Gopinathan

• Multi-Forest LDAP Authentication

  Hi Guys
  We are trying to implement authentication and import across multiple domains
  We originally tried to build our own custom code but this has failed due to some unforseen errors.
  I have revert back to the inbuilt ciac option for import person and EUA
  The import for one domain is working however, i wish use multiple forests and to add a unique identifier to the login name to avoid login name clashes
  for example
  ASE\#sAMAccountName#
  or
  #userPrincipalName#
  When i try to add this i receive the error that no person fround in the result of the LDAP getperson search
  I have tried the format for EUA as
  uid=#LoginId#,dc=ase,dc=internal
  DomainName\#LoginId#
  #LoginId#
  Any help will be greatly apreciated
  Regards,
  Matt

  If you are logging into java (i.e. tomcat55) and have set up a krb5.ini. All users that are not in the default domain need to logon with username @FQDN.COM where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
  Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini and I have a more in depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
  To verify AD connectivity is ok use a client tool like deski/designer/business views. Since there tools don't use java you can logon with domain\user (no case sensitivity).
  Also to note urgently issues should open cases with support the forums are not the place and it is against the rules of engagement (also in the sticky post )
  Regards,
  Tim

• UME Configuration for 2 groups

  Hi All,
  We have configured our UME with one LDAP source having group path as 'ou=groups,ou=SAP ePortal,ou=Applications,ou=Intranet,dc=<companyname>,dc=com'.
  But if we create a new group, can we configure the XML such that it will have both the groups. Existing one should be as it is and the new one should also be added.
  Regards,
  Gurmat

  Hi
  How to configure multiple LDAP datasources?
  ans:
  a) Note 736471 - UME Configuration of multiple LDAP data sources
  b)https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e1959b90-0201-0010-849c-d2b1d574768b
  Example: Configuration of Multiple LDAP Data Sources
  http://help.sap.com/saphelp_nw70/helpdata/EN/4e/4d0d40c04af72ee10000000a1550b0/content.htm
  Regards
  Shridhar Gowda

• UME Configuration Negative Filter failing

  I'm currently having a problem putting a negative filter in my UME configuration.  Can anyone see what is missing or order that this should be place in the configuration.
       <privateSection>
            <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
       <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
            <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
            <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
            <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>               <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
       <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                 <ume.ldap.negative_user_filter>objectclass=COMPUTER;cn=[test1];</ume.ldap.negative_user_filter>
                 <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
                 <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
                 <ume.ldap.access.objectclass.grup>Group</ume.ldap.access.objectclass.grup>
                 <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                 <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
            <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                 <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
                 <ume.ldap.access.naming_attribute.grup>cn</ume.ldap.access.naming_attribute.grup>
                 <ume.ldap.access.server_name>server1.com</ume.ldap.access.server_name>
                 <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
                 <ume.ldap.access.default_switch>20</ume.ldap.access.default_switch>
                 <ume.ldap.access.user>*********</ume.ldap.access.user>
                 <ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap.access.password>
                 <ume.ldap.access.base_path.user>DC=com</ume.ldap.access.base_path.user>
                 <ume.ldap.access.base_path.grup>DC=com</ume.ldap.access.base_path.grup>
            </privateSection>
  Thanks

  I resolved this issue by looking again at the SAP delivered documentation.

• LDAP UME for ABAP + JAVA SYSTEM

  Hi,
  I am using NW 7  SP 15 with both ABAP + JAVA stack. The UME is set to ABAP by default during installation.
  Can we change that to LDAP datasource?
  Under System Configuration -> UME Configuration -> Data Sources (TAB) -> in Data Source dropdown box -> there is only ONE option available "ABAP SYSTEM" and no other option is present.
  Any suggestion?
  Regards
  Deb

  Ups! Obviously a later change from ABAP to some other UME indeed is not supported by SAP. But this means not, that you cannot use LDAP or JAVA from the very beginning.
  Did you not have the option to choose another UME data source for the Java Add-In during the installation process? (this may make sense, because the installation sequence for double stacks is always 1. ABAP stack 2. Java stack).
  If not, then indeed LDAP as the primary UME data source is not supported for double stack installations.
  If yes, you only have the chance to re-install your system.
  In every case you can install 2 separate instances and connect them later. 1 ABAP instance with UME of course ABAP and 1 Java instance with UME LDAP or Java DB.
  But before doing that and if I were you I would open a CSN at SMP and ask the software vendor ...
  Regards,
  Volker

• 2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers?

  I've just successfully implemented Multisite server 2012 R2 DirectAccess in a child domain of a global company with numerous sub domains.  I'd like to limit the scope of the auto discovery of management servers in 2012 R2 DA is anyone aware of
  any way of doing this?
  During the default initial configuration of DirectAccess Auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
  In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.
  This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical" leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there
  are major problems with the service.
  The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.
  I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
  Also the child domain DCs don't actually appear in the management servers list.

  Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization tat have a multi-domain forest. He had no choice to open network flow to have at least one domain controller per domain in the forest.  
  BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx