Multidomain LDAP as Writable
Hi all,
I have configured Portal to use Multidomain LDAP servers. I have set up my LDAPS to connect with UME using SSL.
Now I would like to configure LDAPs in such a way that the users can change their password as well as through code the user creation can be done.
Can anyone share the sample datasource configuration file for this? And let me know if there are any other configurations that I need to carry out.
I had a look at the following SAP Notes and SAP Help.
Note 868194 - Change password for LDAP users is not working
Note 673824 - LDAP Issues for UME
Note 865399 - Change password on LDAP Server
http://help.sap.com/saphelp_nw04s/helpdata/en/af/0cfc3f09c2c442e10000000a1550b0/frameset.htm
Regards,
Karthick
Hi Manish,
For Dual stack its NOT possible to change UME datasource from ABAP.
Regards
Deb
Similar Messages
-
Hi
I am having a strange issue in SAP Forums Application.
my Netweaver 7.31 Portal is configured for Multidomain LDAP.
there are two domain.
domain_1 and domain_2.
while users from domain_1 can access the contents of Forums, Users of Domain_2 are not able to access the Forums and are being termed as Guests.
Another thing which i observed is:
if i add permission to users from domain_1 in Forum Admin, the users show in the permissions grid.
whereas if i add permission to users from domain_2 in Forum Admin, the users does not show in the permissions grid and automatically the permissions for registered users are enabled.
How to solve this?
Any one faced such issue?
Regards
Rajendra
Solved.
Note 1965740 -
LDAP access info in datasource xml file for multidomain Test Connect fails.
Hello SDN
I've gone through the video that explains how to setup the multidomain conf.
I have my service users but when it comes to enter the ldap access user I'm not sure what info to enter.
My ldap user is created at the company.com level not at the domain1.company.com level as is indicated in the video.
I entered the following values
ume.ldap.access.server_name> server1
ume.ldap.access.user> [email protected]
ume.ldap.access.base_path.user> CN=USERS,DC=COMPANY,DC=COM
ume.ldap.access.base_path.grup> CN=USERS,DC=COMPANY,DC=COM
And when I try to test connection I'm getting an error. So I have two questions:
Should the ldap account be created at the domain1.company.com level?
And how do I get the correct info to populate the base_path fields? Not sure where to get it, I just followed video.
Thanks for any help.
MR
Couple of things:
1. What LDAP you are using
2. What kind of hierarchy (flat or deep)
The hierarchy will decide the user path and the group path.
Given you have all the right values, then you populate the values for the following:
- Server Name or IP
- Server port number
- LDAP user name by (used for connectivity and access which should have enough rights)
- Password for the LDAP user
- User path
- Group path
With all the above given right the test connection should succeed.
Optionally SSL can be enabled for LDAP connectivity and can specify unique attribute for UME unique ID (this field will be uid for SUN LDAP and samaccountname for MS AD)
Regards,
Muthu Kumaran KG -
Ise Authentication to two different forests second using External Radius, Not LDAP
Hi Guys,
I am hoping someone can help me. We currently have two AD forests one for staff and one for students. These forests do not have a two way trust between them nor do we want to. We currently have Ise 1.2 integration with our Student forest using AD working just fine. The ipads and other devices are playing nicely and cooperating well. We want to get our staff to be able to use ISE as well. Currently there is no way to use two AD forests so I was directed to use LDAP instead for the second domain. Unfortunately after playing around with it LDAP doesn't support mschapv2 which our mobile devices like ipads do play nicely with. This causes an issue only because we would have to utilize certificates to get everything to work correctly. This is not the route we want to go. So i was speaking to Tac and they recommended using an External Radius server. Then modify my auth profiles to look for the domain name in the authentication string. If it starts for example student\ then i can have ise forward the auth request to the AD integrated PSNs for auth. If the auth string starts with staff\ for example i should be able to forward this request to my external radius server.
This sounds all good in theory but i have not found any documentation to support this to help me configure it. Has anyone tried this approach? Or have any leads on where i can find some good documentation as to what radius servers are supported. I am hoping Windows server 2008 R2 with a radius role installed, but i am just not sure.
If anyone can help i would greatly appreciate it.
Thank you
Joey
That is correct! Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.
However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP being a database is that it doesn't support PEAP MSCHAPv2 (native Microsoft supplicant). However it does support EAP-TLS.
For more information you may go through the below listed link
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf -
Multi-Domain LDAP UME configuration
Hello
We have EP 7.0 installed and want to connect the UME to our Corporate
LDAP (MSADS) as data source.
Our ADS is as follows:
domain.pt – This is our top level domain. Here we have our main users.
Gs.domain.pt – This is a child domain of ren.pt. Here are some special
users that cannot be moved to domain.pt level (because of this we have to
use multi-domain configuration)
According to some documents Step 2 of Note 762419 - Multi-Domain Logon
Using Microsoft Active Directory, this configuration has to be done
according to a Multiple-Domain UME LDAP Configuration.
Following is my configuration of LDAP access:
I have set the "UME LDAP Data" in Config Tool to point to
the "dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml" configuration file that has been previously changed by me following previous documents. The xml is at the end of the message.
Also in the "UME LDAP Data" (Directory Server) I have defined the following settings:
Server Name: dc01.domain.pt (This is the DC of domain.pt)
Server port: 389
User: j2ee-pp3 @domain.pt
Pass: ******* (ok on all configuration tests and authentication)
SSL: NO.
User Path: DC=domain,DC=pt
Group Path: DC=domain,DC=pt
Checked the "Flat User Group Hierarchy".
Checked the "Use UME Unique id with unique LDAP Attribute".
At "Additional LDAP Properties" I have set the properties of
ume.ldap.unique_user_attribute(global) and
ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
done according to the Multi-Domain configuration.
Also ume.ldap.access.multidomain.enabled=true was set in the property
sheet of the UME service. After this all checks are ok including in
User Administration in Portal.
Conclusion: We have no problem with SSO and search capabilities
at "domain.pt" level. All users of this domain are able to access the
portal with SSO.
Nevertheless no user from "gs.domain.pt" is able to logon. Additionally,
using User Administration in Portal with option "All Data Sources"
returns no results when searching for users from this child domain. It
seems the configuration file does not recognize gs.domain.pt.
Is it possible that our xml file is incorrectly adapted? Is there any
missing or wrong configuration for multi-domain LDAP access? Please
advise.
Thanks in advance
dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="j_user"/>
<attribute name="j_password"/>
<attribute name="userid"/>
<attribute name="logonalias"/>
</attributes>
</nameSpace>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email" populateInitially="true"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="krb5principalname"/>
<attribute name="kpnprefix"/>
<attribute name="dn"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</responsibleFor>
<attributeMapping>
<principals>
<principal type="account">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="domain_j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_user">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="null"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="krb5principalname">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
<physicalAttribute name="distinguishedname"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="ou"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</principals>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
<ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
<ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
<ume.ldap.access.domain_mapping>
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
</ume.ldap.access.domain_mapping>
</privateSection>
</dataSource>
</dataSources>
Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM
Hi Gaetano
I tried to set back the "uniqueid" in the XML to samaccountname.
Also, i changed the spnego to go only to domain.pt (gs.domain.pt is a child domain).
In the first tests this worked perfectly, but we still have to do some testing with this config.
When I get confirmation, I'll reply here.
Thank you.
PS: we thought of defining the ABAP user for each user, but there are a lot of users...
We'll try this config, and if it doesn't work, probably that's what we'll do.
Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
Everything seems to be working now. Setting back the uniqueid to samaccountname and configuring SPNEGO to go to only 1 domain solved the issue.
I just need to test which change did the trick.
Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM -
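The following is an added example, not code from the thread or from SAP: a small Python lint for the dataSourceConfiguration XML posted above. It parses the bracketed ume.ldap.access.domain_mapping list, syntax-checks each base DN, and flags the transport and write-access settings that matter for the password-change scenario asked about in the opening post (simple bind without SSL, set_pwd on a read-only MSADS datasource). The embedded XML is a constructed excerpt shaped like the posted file, including a "DC=DC=" mapping line like the one above, and it assumes ume.ldap.access.ssl is present in the privateSection (the thread sets SSL in the Config Tool instead).

```python
"""Lint a SAP UME dataSourceConfiguration XML for the multidomain LDAP
settings discussed in the thread. Added example, not SAP code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the posted CORP_LDAP section; it is not the
# file from the thread. One domain_mapping line is deliberately malformed.
SAMPLE_XML = """<dataSources>
  <dataSource id="CORP_LDAP"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
      isReadonly="true" isPrimary="true">
    <privateSection>
      <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
      <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
      <ume.ldap.access.ssl>false</ume.ldap.access.ssl>
      <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
      <ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
      <ume.ldap.access.domain_mapping>
        [DOMAIN_PT;DC=domain,DC=pt]
        [GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
        [gs;DC=DC=gs,DC=domain,DC=pt]
        [domain;DC=pt]
      </ume.ldap.access.domain_mapping>
    </privateSection>
  </dataSource>
</dataSources>
"""

# One mapping entry per bracket pair: [DOMAIN_NAME;BASE_DN]
MAPPING_RE = re.compile(r"\[([^;\]]+);([^\]]+)\]")
# A single RDN: attribute type, '=', then a value with no further '=' or ','
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")


def parse_domain_mapping(text):
    """Return [(domain_name, base_dn), ...] from the bracketed list format."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in MAPPING_RE.finditer(text)]


def dn_problems(dn):
    """Syntax-check each RDN of a DN; return a list of problem strings."""
    return [f"malformed RDN {rdn.strip()!r} in {dn!r}"
            for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]


def _private(ds, key, default=""):
    """Read one <privateSection> property's text, or the given default."""
    section = ds.find("privateSection")
    for child in (section if section is not None else []):
        if child.tag == key:
            return (child.text or "").strip()
    return default


def lint_datasource(xml_text):
    """Return a list of findings for every LDAPPersistence dataSource.

    ET.fromstring raises ParseError on an unbalanced tag, which is the
    first thing to rule out when a hand-edited datasource file misbehaves.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for ds in root.findall("dataSource"):
        if not ds.get("className", "").endswith("LDAPPersistence"):
            continue
        name = ds.get("id")
        ssl = _private(ds, "ume.ldap.access.ssl", "false").lower() == "true"
        auth = _private(ds, "ume.ldap.access.authentication", "simple").lower()
        set_pwd = _private(ds, "ume.ldap.access.set_pwd").lower() == "true"
        msads = _private(ds, "ume.ldap.access.server_type").upper() == "MSADS"
        if auth == "simple" and not ssl:
            findings.append(f"{name}: simple bind without SSL sends the "
                            "service user's password in clear text")
        if set_pwd and ds.get("isReadonly", "false").lower() == "true":
            findings.append(f"{name}: set_pwd=true but isReadonly=\"true\"; "
                            "password changes need a writable datasource")
        if set_pwd and msads and not ssl:
            findings.append(f"{name}: Active Directory rejects unicodePwd "
                            "changes over an unencrypted connection")
        if _private(ds, "ume.ldap.access.multidomain.enabled").lower() == "true":
            mapping = parse_domain_mapping(
                _private(ds, "ume.ldap.access.domain_mapping"))
            if not mapping:
                findings.append(f"{name}: multidomain enabled, no domain_mapping")
            seen = set()
            for _domain, dn in mapping:
                findings.extend(f"{name}: {p}" for p in dn_problems(dn))
                if dn in seen:
                    findings.append(f"{name}: base DN {dn!r} mapped twice")
                seen.add(dn)
    return findings


if __name__ == "__main__":
    for finding in lint_datasource(SAMPLE_XML):
        print(finding)
```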
Parent / Child Groups in Portal with LDAP
Heya,
we are using EP 7 on SP 10 (NW 7), for User Authentication we use the UME with a configured (writable) LDAP
Server as backend with a flat hierarchy. We have a Federated Portal Landscape with
3 Portals connected to one "main" portal and using Remote Role Assignment on the main portal for
our rights management.
Remote Roles which are added to Groups are working fine, but as soon as we try to use
the parent/child group functionality we are facing the problem that the user who logs on
has no access to anything in this group.
According to http://help.sap.com/saphelp_nw04s/helpdata/en/af/0cfc3f09c2c442e10000000a1550b0/frameset.htm
the only restriction for the use of child / parent groups is that:
"If user management is set up with write access to an LDAP directory, the following restriction applies:
When assigning members to a group that is stored in the LDAP directory, you can only assign users or
groups that are also stored in the LDAP directory. You cannot assign users or groups from the database
to groups from the LDAP directory. "
We fulfil the above condition (everything is LDAP based) - sooo: Any Hints for me / Someone facing
the same problem.
Thanks,
Marco
Hi Murali,
User Configuration
A particular company has the following setup:
● Two roles: External and Internal
● The role Internal contains users who also belong to two user groups: N.America and Asia
● User A belongs to both the role Internal and the user group N.America
● User B belongs to both the role Internal and the user group Asia
● User C belongs to the role External
Conditions Defined in Portal Display Rules
1. If Group = N.America
Then Portal Desktop = Orange Flavor
2. If Role = Internal
Then Portal Desktop = Green Flavor
3. If Group = Asia
Then Portal Desktop = Blue Flavor
4. If Role = External
Then Portal Desktop = Red Flavor
Note that user A matches conditions 1 and 2; (ii) user B matches conditions 2 and 3; and (iii) user C matches condition 4.
Results
According to the list of priorities, these are the results:
● User A receives portal desktop "Orange Flavor" (according to condition 1 which has priority over rule 2)
● User B receives portal desktop "Green Flavor" (according to condition 2 which has priority over rule 3)
● User C receives portal desktop "Red Flavor" (according to condition 4)
For any further help on portal desktop rules you can see this link http://help.sap.com/saphelp_nw70/helpdata/EN/4b/29cf122f414721964269e1b675d62c/frameset.htm
if helpful, don't forget to give points
thanks
best regards
ep -
External LDAP and attributes aliases mapping ?
I have mapped iwtUserInfoProvider-lastName = sn.
And when i after that access the Portal Server and try to update for example my "IMAP user name" in the User Info channel the Portal Server tries to update my "External LDAP Server". This update is unsuccessful and i get an "error storing user profile".
Why is the Portal Server trying to update my external LDAP server??
I only want it to fill in some info for me......
By configuring External LDAP we map certain LDAP-parameters to portal-parameters. Thus while updating the User Info channel we get "error storing user profile". Edit the /etc/opt/SUNWips/desktop/default/iwtUserInfoProvider/edit.template file to not include the non-writable fields in the form, then the user info provider will not try to write those fields. This should help.
Thanks,
Raj_indts
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support -
LDAP Groups not displaying correctly in EP User Administration
I am having difficulty configuring EP to pull my Active Directory groups correctly. Currently, it is pulling a list of objects that have an objectClass of 'organizationalUnit', instead of 'group' which is how it is set up in Active Directory. I have tried setting the objectClass = group in the direct editing of the UM Configuration, but that does not seem to matter. Each time I change the configuration, I am re-starting the J2EE engine.
Any suggestions would be greatly appreciated
ume.acl.validate_cached_acls=FALSE
ume.admin.account_privacy=FALSE
ume.admin.addattrs=
ume.admin.allow_selfmanagement=TRUE
ume.admin.auto_password=TRUE
ume.admin.create.redirect=
ume.admin.debug_internal=FALSE
ume.admin.display.redirect=
ume.admin.modify.redirect=
ume.admin.nocache=FALSE
ume.admin.password.migration=false
ume.admin.phone_check=TRUE
ume.admin.search_maxhits=1000
ume.admin.search_maxhits_warninglevel=200
ume.admin.self.addattrs=
ume.admin.selfreg_company=FALSE
ume.admin.selfreg_guest=TRUE
ume.admin.selfreg_sus=FALSE
ume.admin.selfreg_sus.adapterid=SUS
ume.admin.selfreg_sus.adminrole=
ume.admin.selfreg_sus.deletecall=TRUE
ume.allow_nested_groups=TRUE
ume.allow_nested_roles=FALSE
ume.authenticationFactory=com.sap.security.core.logon.imp.SAPJ2EEAuthenticator
ume.cache.acl.default_caching_time=1800
ume.cache.acl.initial_cache_size=10000
ume.cache.acl.permissions.default_caching_time=3600
ume.cache.acl.permissions.initial_cache_size=100
ume.cache.default_cache=distributableCache
ume.cache.group.default_caching_time=3600
ume.cache.group.initial_cache_size=500
ume.cache.notification_time=0
ume.cache.principal.default_caching_time=3600
ume.cache.principal.initial_cache_size=500
ume.cache.role.default_caching_time=3600
ume.cache.role.initial_cache_size=500
ume.cache.user.default_caching_time=3600
ume.cache.user.initial_cache_size=500
ume.cache.user_account.default_caching_time=3600
ume.cache.user_account.initial_cache_size=500
ume.company_groups.description_template=Company
ume.company_groups.displayname_template= ()
ume.company_groups.enabled=FALSE
ume.company_groups.guestusercompany_enabled=TRUE
ume.company_groups.guestusercompany_name=Guest Users
ume.db.connection_pool.j2ee.is_unicode=FALSE
ume.db.connection_pool.j2ee.jta_transaction_support_enabled=FALSE
ume.db.connection_pool.j2ee.xatransactions_used=FALSE
ume.db.connection_pool_type=SAP/BC_UME
ume.db.or_search.max_arguments=50
ume.db.parent_search.max_arguments=300
ume.db.use_default_transaction_isolation=FALSE
ume.ldap.access.action_retrial=2
ume.ldap.access.auxiliary_naming_attribute.grup=
ume.ldap.access.auxiliary_naming_attribute.uacc=
ume.ldap.access.auxiliary_naming_attribute.user=
ume.ldap.access.auxiliary_objectclass.grup=
ume.ldap.access.auxiliary_objectclass.uacc=
ume.ldap.access.auxiliary_objectclass.user=
ume.ldap.access.base_path.grup=DC\=left,DC\=sand
ume.ldap.access.base_path.uacc=
ume.ldap.access.base_path.user=DC\=sand
ume.ldap.access.context_factory=com.sun.jndi.ldap.LdapCtxFactory
ume.ldap.access.creation_path.grup=
ume.ldap.access.creation_path.uacc=
ume.ldap.access.creation_path.user=
ume.ldap.access.dynamic_group_attribute=
ume.ldap.access.dynamic_groups=FALSE
ume.ldap.access.flat_group_hierachy=MIXED
ume.ldap.access.msads.control_attribute=userAccountControl
ume.ldap.access.msads.control_value=512
ume.ldap.access.msads.grouptype.attribute=grouptype
ume.ldap.access.msads.grouptype.value=4
ume.ldap.access.multidomain.enabled=FALSE
ume.ldap.access.naming_attribute.grup=ou
ume.ldap.access.naming_attribute.uacc=
ume.ldap.access.naming_attribute.user=
ume.ldap.access.objectclass.grup=group
ume.ldap.access.objectclass.uacc=
ume.ldap.access.objectclass.user=
ume.ldap.access.server_name=myserver
ume.ldap.access.server_port=3232
ume.ldap.access.server_type=
ume.ldap.access.size_limit=0
ume.ldap.access.ssl=FALSE
ume.ldap.access.ssl_socket_factory=com.sap.security.core.server.https.SecureConnectionFactory
ume.ldap.access.time_limit=0
ume.ldap.access.user=domain
svc_user
ume.ldap.access.user_as_account=TRUE
ume.ldap.blocked_accounts=Administrator,Guest
ume.ldap.blocked_groups=Administrators,Guests
ume.ldap.blocked_users=Administrator,Guest
ume.ldap.cache_lifetime=300
ume.ldap.cache_size=100
ume.ldap.connection_pool.connect_timeout=0
ume.ldap.connection_pool.max_connection_usage_time_check_interval=120000
ume.ldap.connection_pool.max_idle_connections=5
ume.ldap.connection_pool.max_idle_time=300000
ume.ldap.connection_pool.max_size=10
ume.ldap.connection_pool.max_wait_time=60000
ume.ldap.connection_pool.min_size=1
ume.ldap.connection_pool.monitor_level=0
ume.ldap.connection_pool.retrial=5
ume.ldap.connection_pool.retrial_interval=10000
ume.ldap.default_group_member=cn\=DUMMY_MEMBER_FOR_UME
ume.ldap.default_group_member.enabled=FALSE
ume.ldap.record_access=FALSE
ume.ldap.unique_grup_attribute=
ume.ldap.unique_uacc_attribute=samaccountname
ume.ldap.unique_user_attribute=samaccountname
ume.persistence.batch.page_size=25
ume.persistence.data_source_configuration=dataSourceConfiguration_ads_deep_readonly_db.xml
ume.persistence.pcd_roles_data_source_configuration=dataSourceConfiguration_PCDRoles.xml
ume.persistence.ume_roles_data_source_configuration=dataSourceConfiguration_UMERoles.xml
ume.principal.cache_group_hierarchy=TRUE
ume.principal.cache_indirect_parents=TRUE
ume.principal.cache_role_hierarchy=TRUE
Hi Doug,
I request your help on this. I am faced with a similar issue.
In my WinAD system, one user can be stored in multiple groups. However, the tree-structure is also present in my Windows AD hierarchy. Hence I am either using a Flat hierarchy or a Mixed hierarchy.
Changing the Datasource Configuration file to a Flat Readonly didn't solve the issue. The AD group path mentioned is correct and hence the group is visible in EP. However, I am not sure what should the UserPath be (As for now, I have kept it the same as the Group path).
Request you to please let me know what should the userpath be.
Rgds,
Sree -
Error -14002 -- connecting to external LDAP server -- HELP!
Hi all,
I did a clean install over an existing 10.4 Server that was connected via LDAP to our eDirectory. I exported and imported our custom mappings into /System/Library/DirectoryServices/Templates/LDAPv3 . (Which we can do on any of our 10.4 servers and its fine).
However it appears that the 10.5 server can't properly see the eDirectory server. We've tried all combinations of SSL on/off, port 636 or 389, using authentication or not. Whatever we do, Workgroup manager gives the following when trying to browse and will lock up if run from a client system. WGM will not lock up on the server but will still give the attached error.
"Error of type eDSOpenNodeFailed (-14002) on line 3873 of /SourceCache/WorkgroupManager/WorkgroupManager-319/PMMUGMainView.mm"
Interestingly, using an LDAP-browsing application like LDapper from the server is completely successful in browsing eDirectory.
Any takers??
Assuming you meant /etc/openldap/ldap.conf I changed mine, which now reads
something similar to the following (there doesn't seem to be any way to
get the forum to not apply some sort of wiki-style markup)
arbela:~ nw$ cat /etc/openldap/ldap.conf
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never
arbela:~ nw$
But I still get the same error. -
Slapd Exited with Exit code: 1 main: TLS init def ctx failed: -1 Open LDAP
After enabling the SSL in the Server Admin panel under Open Directory / LDAP My openLDAP will not start. Any help you could give me would be greatly appreciated!
Every 10 seconds the log file updates with:
Jan 31 21:48:26: --- last message repeated 4 times ---
Jan 31 21:48:26 home slapd[1338]: main: TLS init def ctx failed: -1
Jan 31 21:48:26 home slapd[1338]: slapd stopped.
Jan 31 21:48:26 home slapd[1338]: connections_destroy: nothing to destroy.
Jan 31 21:48:36 home slapd[1343]: @(#) $OpenLDAP: slapd 2.3.27 (Oct 4 2007 23:24:38) $
Jan 31 21:48:36 home slapd[1343]: overlay_config(): warning, overlay "dynid" already in list
and in the console log:
1/31/08 9:48:46 PM com.apple.launchd[1] (org.openldap.slapd[1356]) Exited with exit code: 1
I've tried to disable SSL to see if that helps, but, it seems as though even if I uncheck the use SSL box the slapd still will not start. I have also tried editing the ldap.conf and commenting out the
#TLS_REQCERT demand
My ldap.conf file is as per:
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT demand
and my slapd_macosxserver.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# This file is maintained by Server Admin.
allow update_anon
# config database definitions
database config
rootpw {SMD5}rddHtHIDi0mRFAo01222TvztzY0=
access to *
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by * read
# bdb database definitions
database bdb
suffix "dc=home,dc=ryanwilson,dc=com"
rootdn "uid=root,cn=users,dc=home,dc=ryanwilson,dc=com"
rootpw {SMD5}rddHtHIDi0mRFAo01222TvztzY0=
access to dn.onelevel="cn=users,dc=home,dc=ryanwilson,dc=com" attrs=@apple-user-info
by self write
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by * read
access to dn.base="cn=resources,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by dynacl/idattr/OP:DELETE.exact=OWNER write
by * read
access to dn.onelevel="cn=resources,dc=home,dc=ryanwilson,dc=com" attrs=entry
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=resources,dc=home,dc=ryanwilson,dc=com" attrs=@apple-resource
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.base="cn=places,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by dynacl/idattr/OP:DELETE.exact=OWNER write
by * read
access to dn.onelevel="cn=places,dc=home,dc=ryanwilson,dc=com" attrs=entry
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=places,dc=home,dc=ryanwilson,dc=com" attrs=@apple-resource
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.base="cn=maps,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by dynacl/idattr/OP:DELETE.exact=OWNER write
by * read
access to dn.onelevel="cn=maps,dc=home,dc=ryanwilson,dc=com" attrs=entry
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=maps,dc=home,dc=ryanwilson,dc=com" attrs=@apple-resource
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.base="cn=people,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by dynacl/idattr/OP:DELETE.exact=OWNER write
by * read
access to dn.onelevel="cn=people,dc=home,dc=ryanwilson,dc=com" attrs=entry
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=people,dc=home,dc=ryanwilson,dc=com" attrs=@extensibleObject
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=computers,dc=home,dc=ryanwilson,dc=com" attrs=apple-serviceinfo,apple-serviceslocator,apple-keyword
by self write
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by * read
access to dn.onelevel="cn=computers,dc=home,dc=ryanwilson,dc=com" attrs=entry,apple-realname,description,macAddress,authAuthority,userPassword
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by * read
access to dn.base="cn=computers,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by * read
access to dn.base="cn=groups,dc=home,dc=ryanwilson,dc=com" attrs=children
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr/OP:ADD.exact=USERS write
by dynacl/idattr/OP:DELETE.exact=OWNER write
by * read
access to dn.onelevel="cn=groups,dc=home,dc=ryanwilson,dc=com" attrs=entry
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dnattr=creatorsName write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=groups,dc=home,dc=ryanwilson,dc=com" attrs=apple-group-nestedgroup,apple-group-realname,description,apple-serviceslocator,apple-user-picture,apple-group-services,apple-contactguid,apple-ownerguid,jpegPhoto,labeledURI,apple-selfwrite
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by * read
access to dn.onelevel="cn=groups,dc=home,dc=ryanwilson,dc=com" attrs=apple-group-memberguid
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by dynacl/idattr/BOOLATTR:apple-selfwrite;SELFATTR:apple-generateduid.exact=SELFWRITE write
by * read
access to dn.onelevel="cn=groups,dc=home,dc=ryanwilson,dc=com" attrs=memberUid
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dynacl/idattr.exact=OWNER write
by dynacl/idattr/BOOLATTR:apple-selfwrite;SELFATTR:uid.exact=SELFWRITE write
by * read
access to *
by set="user/uid & [cn=admin,cn=groups,dc=home,dc=ryanwilson,dc=com]/memberUid" write
by dn.exact="cn=home.ryanwilson.com$,cn=computers,dc=home,dc=ryanwilson,dc=com" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by * read
sasl-regexp
uid=host/(.*),cn=.*,cn=gssapi,cn=auth
"uid=$1,cn=computers,dc=home,dc=ryanwilson,dc=com"
sasl-regexp
uid=(.*[$]),cn=.*,cn=auth
"cn=$1,cn=computers,dc=home,dc=ryanwilson,dc=com"
sasl-regexp
uid=(.*),cn=.*,cn=.*,cn=auth
"uid=$1,cn=users,dc=home,dc=ryanwilson,dc=com"
sasl-regexp
uid=(.*),cn=.*,cn=auth
"uid=$1,cn=users,dc=home,dc=ryanwilson,dc=com"
# use crypt passwords to support older clients
password-hash {CRYPT}
password-crypt-salt-format "%.2s"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/db/openldap/openldap-data
# checkpoint the database every 10MB of logging and every 1 hour
checkpoint 10240 60
# Indices to maintain
index cn,sn,uid,apple-serviceslocator pres,eq,approx,sub
index uidNumber,gidNumber eq
index memberUid eq
index sambaSID,rid eq
index sambaPrimaryGroupSID eq
index apple-generateduid eq
index ou eq
index apple-group-realname eq
index macAddress eq
index apple-category eq
index apple-computers eq
index apple-networkview eq
index apple-group-memberguid eq
index apple-group-nestedgroup eq
index objectClass eq
timelimit 60
idletimeout 300
cachesize 20000
idlcachesize 10000
So I did a bit more work on this and came up with the following to disable SSL and get slapd running again:
1) sudo emacs /etc/openldap/slapd_macosxserver.conf; comment out the following lines for the following parameters: TLSCertificateFile, TLSCertificateKeyFile, and TLSCertificatePassphraseTool
2) sudo emacs '/etc/openldap/slapd.d/cn=config.ldif'; comment out the lines for the following attributes: olcTLSCertificateFile, olcTLSCertificateKeyFile, olcTLSCertificatePassphraseTool
slapd started up just fine for me after this. This looks a lot like a bug. I'm not sure what the story is on the underlying issue, so I've filed a bug on ADC. I'll let you know what I hear. -
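An added check, not from the original post and not Apple's or OpenLDAP's code: a small Python audit of the two settings this thread touches, the TLS directives the workaround comments out and the {CRYPT} password-hash in the posted slapd.conf. The sample configuration strings and the /path/to/... locations are constructed placeholders.

```python
# Directives the workaround above comments out; without them slapd cannot
# offer StartTLS or ldaps://, so simple binds over the network carry
# passwords in the clear.
TLS_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile",
                  "TLSCertificatePassphraseTool")

# Legacy schemes.  {CRYPT} with a two-character salt ("%.2s") is traditional
# DES crypt(3), which truncates passwords to eight characters.
WEAK_HASHES = {"{CLEARTEXT}", "{CRYPT}", "{MD5}", "{SMD5}", "{SHA}"}


def audit_slapd_conf(text):
    """Return a list of findings for a slapd.conf-style configuration string."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        body = line.lstrip("# ") if is_comment else line
        parts = body.split(None, 1)
        if not parts:
            continue
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if is_comment:
            commented.add(key)
        else:
            active.setdefault(key, value)

    findings = []
    for directive in TLS_DIRECTIVES:
        if directive in active:
            continue
        if directive in commented:
            findings.append(f"{directive} is commented out: TLS disabled, "
                            "network simple binds will be cleartext")
        else:
            findings.append(f"{directive} missing: server cannot offer TLS")
    scheme = active.get("password-hash", "").split()
    if scheme and scheme[0].upper() in WEAK_HASHES:
        findings.append(f"password-hash {scheme[0]} is a legacy scheme; use "
                        "{SSHA} at minimum, or {ARGON2} where the server supports it")
    return findings


# Constructed samples (placeholder paths): the workaround's state, then a fixed one.
SAMPLE_WEAK = """\
#TLSCertificateFile /path/to/server.crt
#TLSCertificateKeyFile /path/to/server.key
#TLSCertificatePassphraseTool /path/to/passphrase-tool
password-hash {CRYPT}
password-crypt-salt-format "%.2s"
"""
SAMPLE_OK = """\
TLSCertificateFile /path/to/server.crt
TLSCertificateKeyFile /path/to/server.key
TLSCertificatePassphraseTool /path/to/passphrase-tool
password-hash {SSHA}
"""

if __name__ == "__main__":
    for finding in audit_slapd_conf(SAMPLE_WEAK):
        print("-", finding)
```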
LDAP and Solaris Authorization.
Hi,
Need some help. Can we do authorization of users with LDAP using PAM on Solaris. I am aware that we can use netgroups with LDAP for restricting access but is there any generic facility that can be used directly with PAM itself to restrict the users?
All ideas are appreciated.
Regards,
Abrar
I wonder if anyone has successfully compiled pam_listfile.so (part of LinuxPAM) on Solaris 8/9 and used it successfully in /etc/pam.conf as a means of Authorization Control?
===
# cat /usr/share/doc/pam-0.77/txts/README.pam_listfile
SUMMARY:
pam_listfile:
Checks a specified item against a list in a file.
Options:
* item=tty
* sense=allow (action to take if found in file,
if the item is NOT found in the file, then
the opposite action is requested)
* file=/the/file/to/get/the/list/from
* onerr=succeed (if something weird happens
such as unable to open the file, what to do?)
* apply=user
restrict the user class for which the restriction
apply. Note that with item=user this
does not make sense, but for item=tty
it have a meaning. (Cristian Gafton)
Also checks to make sure that the list file is a plain
file and not world writable.
- Elliot Lee <[email protected]>, Red Hat Software.
v0.9 August 16, 1996.
===
Gary -
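An added model, not part of the thread and not Linux-PAM's code: the README's option semantics (item, sense, onerr, and the plain-file, not-world-writable check on the list) written out as a Python function over a constructed allow-list, so the effect of each option can be tried without building the module on Solaris. The user names and list contents are made up.

```python
import os
import stat
import tempfile

# Constructed allow-list (hypothetical login names), as for item=user.
SAMPLE_LIST = "alice\nbob\n"


def _list_is_safe(path):
    """pam_listfile rejects a list that is not a plain file or is world-writable."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & stat.S_IWOTH)


def listfile_check(value, path, sense="allow", onerr="fail"):
    """Return True when the module would let the request succeed.

    value : the item under test (login name for item=user, tty for item=tty)
    sense : "allow" succeeds on a match and fails on a miss; "deny" is the reverse
    onerr : answer when the list is missing or unsafe: "succeed" or "fail"
    """
    try:
        if not _list_is_safe(path):
            raise OSError(f"{path} is not a plain, non-world-writable file")
        with open(path) as fh:
            entries = {line.strip() for line in fh if line.strip()}
    except OSError:
        return onerr == "succeed"
    found = value in entries
    return found if sense == "allow" else not found


def build_sample_dir():
    """Write constructed list files into a temp dir and return their paths."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "login.allow")
    with open(safe, "w") as fh:
        fh.write(SAMPLE_LIST)
    os.chmod(safe, 0o644)
    loose = os.path.join(d, "login.allow.loose")
    with open(loose, "w") as fh:
        fh.write(SAMPLE_LIST)
    os.chmod(loose, 0o666)  # world-writable: the module must treat it as an error
    return {"safe": safe, "loose": loose, "missing": os.path.join(d, "absent")}


if __name__ == "__main__":
    paths = build_sample_dir()
    for user in ("alice", "mallory"):
        print(user, "allowed" if listfile_check(user, paths["safe"]) else "denied")
    print("world-writable list, onerr=fail:", listfile_check("alice", paths["loose"]))
```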
LDAP lookup NOT Integration?
Hi,
A problematic AD integration has been rolled back to the local DC Directory.
However, is it possible to simply have an AD lookup for the IP phones rather than the full AD integration?
Not sure why everyone keeps going on and on and on about ccm 5.0... but it's not out yet. If you have a copy or are using it, you are fairly brave or are in beta. For all other CCM 4.x... I would recommend bypassing the local cisco ldap and the AD integration, unless you are using the AD integration for Extension Mobility..... even then it's a pain.
We have been using the Citrix Application Gateway at my current client and it's really nice. It's basically an LDAP bridge between your AD, LDAP, META, multidomains to callmanager. Couple configs on CallManager and you have a completely integrated Corporate Directory pulling from your AD or even a txt file. The Citrix box basically caches everything locally and serves it to CCM via XML. It's very fast, very flexible in the fields you can populate and the spelling is amazing. For instance, Cisco's LDAP makes you press the "7" key 4 times to get the letter "S".... with the Citrix box, just keep spelling the name on the keypad and it narrows down to either the name or a list of names to select from. We have 2000 names in our directory and I can look up a name in about 6 seconds and then dial it.
Anyways... I'm not a sales person, but this has helped me on this rollout 3 fold. -
Jabber Windows - no phone control with LDAP Custom filter
I am unable to control the desktop phone from the Jabber 9.1 Windows client when the CallManager LDAP Directory uses a Custom Filter.
Has anyone else experienced this?
If I set the LDAP Custom Filter to <none> and save, then Desktop Phone control works great.
If I set it to use my custom filter, then trying to enable Desktop control just gives me the spinning circle, then times out to the Red X symbol.
I do not need to resync the LDAP Directory to get the error, just enable/disable the custom filter and save.
In both cases calling from the Computer works great.
This is an On-Prem deployment with full MS-AD LDAP integration.
Versions are:
Jabber - 9.1.0 build 12296
CUPC - 8.6.4.11900-1
CUCM - 8.6.2.22900-9
I upgraded to CUCM 8.6.2 SU2 last night hoping that would fix the problem, but no luck.
The LDAP filter is one I have used in numerous other clusters with no CTI issues.
It allows me to sync to the root directory, but only import active user accounts with an entry in the ipPhone AD attribute:
(&((objectclass=user)(ipPhone=*))(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Thanks, Randy
Hi Randy,
Have you specified this base filter in the jabber-config.xml file? As per the Admin Guide:
"In some cases, base filters do not return query results if you specify a closing bracket in your Cisco Jabber for Windows configuration file. For example, this issue might occur if you specify the following base filter: (&(memberOf=CN=UCFilterGroup,OU=DN))
To resolve this issue, remove the closing bracket; for example, (&(memberOf=CN=UCFilterGroup,OU=DN)"
Thanks,
Maqsood -
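An added check, not part of the thread and not Cisco's code: a strict RFC 4515 filter parser in Python. It rejects the doubled parentheses around (objectclass=user)(ipPhone=*) in the custom filter above, which have no &, | or ! in front of them, and it also rejects the bracket-less form the Admin Guide quote prescribes for jabber-config.xml, since on its own that is not a complete filter; whether CUCM tolerates the doubled parentheses is not something this thread establishes.

```python
import re

# One RFC 4515 item: an attribute (optionally with an extensible-match rule,
# e.g. UserAccountControl:1.2.840.113556.1.4.803:) then =, ~=, >= or <= and a
# value containing no unescaped parentheses.
_ITEM = re.compile(r"^[\w.;:-]+(?:[~<>]?=)[^()]*$")

# The custom filter quoted in the question, verbatim.
FILTER_FROM_THREAD = ("(&((objectclass=user)(ipPhone=*))(!(objectclass=Computer))"
                      "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")


class FilterError(ValueError):
    """Raised with the offset at which the filter stops being well-formed."""


def parse_filter(text):
    """Parse a search filter into a nested tree; raise FilterError if malformed."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError(f"trailing data at offset {end}: {text[end:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' with no operands at offset {i}")
        node = (op, children)
    elif op == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    elif op == "(":
        # Doubled parentheses: a group with no &, | or ! in front of it.
        raise FilterError(f"'(' without &, | or ! at offset {i}")
    else:
        end = s.find(")", i)
        if end == -1:
            raise FilterError(f"unterminated item at offset {i}")
        item = s[i:end]
        if not _ITEM.match(item):
            raise FilterError(f"malformed item {item!r} at offset {i}")
        node, i = ("item", item), end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def is_valid(text):
    """True when the whole string is one well-formed RFC 4515 filter."""
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False
```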
How get all sAMAccountName from LDAP?
Good day ... i'm find this ...
declare
-- Adjust as necessary.
l_ldap_host VARCHAR2(256) := &&;
l_ldap_port VARCHAR2(256) := &&;
l_ldap_user VARCHAR2(256) := &&;
l_ldap_passwd VARCHAR2(256) := &&;
l_ldap_base VARCHAR2(256) := 'dc=&&,dc=&&,dc=&&';
l_filter varchar2(100) := '(&(sAMAccountName=*))';
l_retval pls_integer;
l_session dbms_ldap.session;
l_attrs dbms_ldap.string_collection;
l_message dbms_ldap.message;
l_entry dbms_ldap.message;
l_attr_name varchar2(256);
l_ber_element dbms_ldap.ber_element;
l_vals dbms_ldap.string_collection;
l_raw dbms_ldap.binval_collection;
l_result varchar2(100);
begin
-- Choose to raise exceptions.
dbms_ldap.use_exception := true;
dbms_ldap.utf8_conversion := false;
-- Connect to the LDAP server.
l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
l_retval := dbms_ldap.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);
-- Request only the sAMAccountName attribute for each entry
l_attrs(1) := 'sAMAccountName';
l_retval := dbms_ldap.search_s(ld => l_session
,base => l_ldap_base
,scope => dbms_ldap.scope_subtree
,filter => l_filter
,attrs => l_attrs
,attronly => 0
,res => l_message);
if dbms_ldap.count_entries(ld => l_session, msg => l_message) > 0
then
-- Get all the entries returned by our search.
l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
<<entry_loop>>
while l_entry is not null
loop
-- Get all the attributes for this entry.
dbms_output.put_line('---------------------------------------');
l_attr_name := dbms_ldap.first_attribute(ld => l_session
,ldapentry => l_entry
,ber_elem => l_ber_element);
<<attributes_loop>>
while l_attr_name is not null
loop
-- Get all the values for this attribute.
l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
<<values_loop>>
for i in l_vals.first .. l_vals.last
loop
dbms_output.put_line('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || substr(l_vals(i), 1, 200));
end loop values_loop;
l_attr_name := dbms_ldap.next_attribute(ld => l_session
,ldapentry => l_entry
,ber_elem => l_ber_element);
end loop attributes_loop; -- label must match <<attributes_loop>> or PL/SQL rejects the block
l_entry := dbms_ldap.next_entry(ld => l_session, msg => l_entry);
end loop entry_loop;
end if;
-- Disconnect from the LDAP server.
l_retval := dbms_ldap.unbind_s(ld => l_session);
dbms_output.put_line('L_RETVAL: ' || l_retval);
end;
If I use the filter '(&(sAMAccountName=*))' (I need to get all 'sAMAccountName' values), I get:
ERROR at line 1:
ORA-31202: DBMS_LDAP: LDAP client/server error: Sizelimit exceeded
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1457
ORA-06512: at "SYS.DBMS_LDAP", line 234
ORA-06512: at line 28
How do I fix it?
Thanks all.
P.S. I'm a beginner Oracle 10g developer.
Probably some workaround is needed. Hopefully this one works: http://www.freelists.org/archives/oracle-l/04-2006/msg01100.html
-
Questions on LDAP w.r.t XML Publisher 5.6.2
Hi all,
I have 2 questions on LDAP integration w.r.t XML P 5.6.2
1) Is OID the only supported LDAP repository? I tried to set up a Iplanet directory server against XMLP, but could not. Did I miss something, or it is not supported?
Other than OID, any other LDAP supported?
2) Suppose, my use-case is: I want to show some values from the database, and also in the same report, print out the user attributes from the LDAP (like email id of the user, for example) who fired the report, then is this possible?
Thanks,
Ambarish
Ok. Question 1 - I have answered it myself. I could not set up SunONE Directory server against XMLP :-(
But I could set up against openldap. :-)
I plan to contribute to the blog in 2/3 days time on how this can be done.
But I still need some help on question 2. How can I create a report which has all the data from both the backend database as well as from the LDAP repository? For example, a report like:
Report Fired By:
EMAIL id:
Mobile:
(data1, data2...)
where data1, data2 comes from the database, and email id, mobile from the LDAP.