Q: UCM Ldap filter not finding groups

Hi There,
I am setting up UCM and am having problems with groups (roles) being set by the LDAP provider.
The user authorizes, but the LDAP search returns no groups.
LDAP mapping of roles gives the following error every time...
userstorage 09.03 10:06:59.806 IdcServerThread-34 Loaded extended info for user ucm_user
userstorage 09.03 10:06:59.806 IdcServerThread-34 Loading Attributes for user ucm_user
userstorage 09.03 10:06:59.806 IdcServerThread-34 UseFullGroupName false
userstorage 09.03 10:06:59.807 IdcServerThread-34 UseGroupFilter true
userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups containing user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
userstorage 09.03 10:06:59.807 IdcServerThread-34 Using search filter (&(objectclass=group)(member=CN\3ducm_user\2cOU\3dcityr\2cOU\3dUsers-Active\2cDC\3dabc\2cDC\3dcom))
userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups based at DN ou=Users-Active,dc=abc,dc=com
userstorage 09.03 10:06:59.904 IdcServerThread-34 No groups found for user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
userstorage 09.03 10:06:59.905 IdcServerThread-34 Adding default network account '#none" to CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
userstorage 09.03 10:06:59.905 IdcServerThread-34 Attributes loaded
userstorage 09.03 10:06:59.905 IdcServerThread-34 LdapProvider.checkCredentials() finished in 0.182 seconds.
Using a freeware ldap gui (ldapadmin.exe), I can run the query just fine, the groups are found.
Has anyone seen this before?
Thanks

Please see the attached link under primaryGroupID, which states that the
Domain Users group is not part of the memberOf attribute.
http://msdn.microsoft.com/en-us/library/ms677943.aspx
That explains why the mapping fails for any Domain Users as seen in the debugs
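The lookup the log shows, and the primaryGroupID gap the reply points to, as an added example (not UCM's or Oracle's code; the directory entries are constructed): it builds the escaped member filter, runs it over an in-memory directory, and then resolves the primary group from primaryGroupID so that Domain Users is not lost.

```python
"""UCM-style group lookup by 'member' filter, plus the primaryGroupID gap.

Added example, not UCM or Oracle code; the directory entries are constructed.
Escaping follows RFC 4515; UCM also escapes '=' and ',', which is why the
logged filter shows \\3d and \\2c inside the member value.
"""
from typing import Optional

# Characters RFC 4515 requires to be hex-escaped in an assertion value.
_MANDATORY = {"\\", "*", "(", ")", "\x00"}

def escape_filter_value(value: str, extra: str = "=,") -> str:
    """Hex-escape a filter value; 'extra' reproduces UCM's choice of '=' and ','."""
    return "".join("\\%02x" % ord(c) if c in _MANDATORY or c in extra else c
                   for c in value)

def build_member_filter(user_dn: str) -> str:
    """The filter UCM logs: groups whose member attribute holds the user's DN."""
    return "(&(objectclass=group)(member=%s))" % escape_filter_value(user_dn)

def _norm(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, whitespace after commas ignored.
    return ",".join(p.strip() for p in dn.lower().split(","))

def under_base(dn: str, base_dn: str) -> bool:
    d, b = _norm(dn), _norm(base_dn)
    return d == b or d.endswith("," + b)

def member_groups(directory: list, user_dn: str, base_dn: str) -> list:
    """What the logged search returns: groups with an explicit member reference."""
    wanted = _norm(user_dn)
    return [e["dn"] for e in directory
            if "group" in e["objectClass"] and under_base(e["dn"], base_dn)
            and any(_norm(m) == wanted for m in e.get("member", []))]

def primary_group(directory: list, user_dn: str) -> Optional[str]:
    """Resolve primaryGroupID: the user's domain SID + '-' + the RID names the group."""
    user = next(e for e in directory if _norm(e["dn"]) == _norm(user_dn))
    target = "%s-%d" % (user["objectSid"].rsplit("-", 1)[0], user["primaryGroupID"])
    for e in directory:
        if "group" in e["objectClass"] and e.get("objectSid") == target:
            return e["dn"]
    return None

def effective_groups(directory: list, user_dn: str, base_dn: str) -> list:
    """Explicit memberships plus the primary group the member search never sees."""
    groups = member_groups(directory, user_dn, base_dn)
    pg = primary_group(directory, user_dn)
    if pg and pg not in groups:
        groups.append(pg)
    return groups

USER_DN = "CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com"
BASE_DN = "ou=Users-Active,dc=abc,dc=com"
# Constructed directory: ucm_user's only group is its primary group (RID 513).
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["user"],
     "objectSid": "S-1-5-21-1111-2222-3333-1201", "primaryGroupID": 513},
    {"dn": "CN=Domain Users,CN=Users,DC=abc,DC=com", "objectClass": ["group"],
     "objectSid": "S-1-5-21-1111-2222-3333-513", "member": []},
    {"dn": "CN=UCM Editors,OU=Groups,OU=Users-Active,DC=abc,DC=com",
     "objectClass": ["group"], "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "member": ["CN=other_user,OU=city,OU=Users-Active,DC=abc,DC=com"]},
]
```

A provider that only issues the member search will report "No groups found" for any account whose sole group is its primary group, exactly as the log above shows.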

Similar Messages

  • LC Rights Management End User can not find groups or users during policy creation process

    hello,
    I'm using LC8.0.1 turnkey install on win2003 box.
    Problem is LC Rights Management End User cannot find groups or users (search result is empty) during the policy creation process, thus cannot apply specific restrictions to certain groups or users.
    I have created a user in the DefaultDom and assigned the following roles:
    Live Cycle Rights Management Invite User
    Live Cycle Rights Management End User
    How can I allow the above created user to search for groups and user during policy creation? Thanks.

    Good catch Phuc. Make sure you do this for each Policy Set as well as My Policies.
    Here's an overview of Policy Sets:
    http://blogs.adobe.com/security/2008/04/delegating_control_over_policy.html
    Cut and paste the URL.

  • Dseditgroup not finding group to add to local domain.

    For years now I have had trouble getting the Allow Administration by field to work properly in OS X. It wasn't a problem before, I just ignored it, but I can't any longer.
    It doesn't work through the GUI, and when I try via command line
    sudo dseditgroup -o edit -a "DOMAIN\domain admins" -t group admin
    where DOMAIN is the name of my domain (in all caps) the response back is "Group not found"
    Any ideas? The computer is bound to the domain, and authenticates just fine for AD accounts. Just can't seem to give local admin rights to the right people (well, anyone with an AD account)

    Hello jrv,
    Here's what I was trying to do. The two domains I'm working with have a trust between them.
    1. Create a user in External.Domain.Com
    2. Add the user in External.Domain.Com to GroupOne in ExternalDomain2.Domain.com
    3. The only knowledge that ExternalDomain2.Domain.Com would have about the account in External.Domain.Com is whatever is in the Global Catalog. Here is what I'm trying, but it isn't working.
    #Connecting to domain PSDrive
    #(the -Root value was lost in the post; "" is the AD provider's usual root)
    New-PSDrive -Name ExternalDomain -PSProvider ActiveDirectory -Root "" -Server DC01.Domain.com
    cd ExternalDomain:
    #Create user
    #Add to ExternalDomain Groups
    $UserDN = Get-ADUser -LDAPFilter "(sAMAccountName=$UserID)"
    #Connecting to domain2 PSDrive
    cd AD:
    $GroupDN = "CN=Wireless Device Users,OU=Wireless,OU=Systems and Technology,DC=External,DC=Domain2,DC=Com"
    Add-ADGroupMember -Identity $GroupDN -Members (Get-ADObject -Identity $UserDN.DistinguishedName -Server "DC01.Domain.com:3268")
    Connecting via port 3268 allows me to talk to the global catalog instead of LDAP.
    I receive the following message: A Referral was returned from the server
    I know that if I connect using [ADSI] I am able to specify that the connection follows referrals; the AD cmdlets seem to not have that function. The Quest AD cmdlets do... I just don't want to have to use third party cmdlets to do what the AD cmdlets should be able to do in the first place.
    Thanks,
    LittleTech

  • List server not finding group recipients (Server 4.0.3)

    We cannot send emails to group members:
    Group members themselves can receive email OK individually from the internet thank goodness. But ...in OS X Server
    The Groups' "Mailing Lists" boxes are now empty. Even "Workgroup" lists all the users but no "Mailing List" now.
    Newly re-adding a mailing list name to an existing (listless) Group does not get email to the Group's members, though. The List Server log says "no recipients for <mail list name>" when it receives a group email, even though it's received for the newly added mailing list name. And next:... list_server_agent[6025] <Error>: no recipients for message-id=1420584145.....
    Creating a new group fills the "Mailing Lists" box with an assortment of crazy mailing list names ...
    This is probably going to be yet another crazy error in the way that the List Server uses LDAP / OD I expect ... or LDAP getting corrupted, possibly after upgrading to Server 4.0.3, when we first noticed this. Oh dear ... this is all we need right now ... just as we were beginning to restore our faith in the gradually improving OS X Server.
    We don't have a very recent OD Archive (wouldn't be too much trouble to update from it, though) and if I had any faith that restoring from it would solve the problem I would do so. 
    Any advice gratefully considered!

    It's just seemingly broken.
    (pardon the double-post)
    I have a fresh install of OS X Server 4.1 with the former directory users imported. Facing the same issue as everyone else.
    I noticed in /Library/Server/Mail/Config/MailServicesOther.plist, you can enable debug logging for the list server:
    <key>list_server</key>
    <dict>
        <key>dest_domain</key>
        <string>example.com</string>
        <key>list_server_log_level</key>
        <string>debug</string>
    </dict>
    Bizarrely, when I now send a message, the list server even lists the members, and then says no members found:
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: initalized recipient cache: marketing
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: expanding group: marketing
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: fetching nested groups within: marketing
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: carlee is member of mail SACL
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: sophie is member of mail SACL
    May  3 13:01:06 server.example.com list_server_agent[12758] <Debug>: jaimee is member of mail SACL
    May  3 13:01:06 server.example.com list_server_agent[12758] <Error>: no recipients for: marketing
    This makes no sense at all. I have no SACLs set for Mail, or any other service, in case anyone's curious.

  • UCM Migration: can not find the source collection in target content

    Hi,
    I'm trying to migrate our content to new instance.
    I have configured the outgoing provider in both servers (source and target), and tested that they are OK.
    But I can't get past step 4:
    Set up an automated pull transfer from the Contribution server to the HR Portal
    server:
    1. On the Contribution content server, create an outgoing provider to the HR portal
    content server.
    2. Open Archiver on the HR portal content server.
    3. Open the target collection and make the target archive “targetable.”
    *4. Open the source collection and select the source archive.*
    5. On the Transfer To tab, select the target archive as the target destination.
    6. Run a manual transfer.
    7. Set the transfer to be automated.
    Any suggestion is appreciated!
    Thanks,
    Y.H.
    Edited by: Yonghui.Feng on 2010-1-28 7:34 PM

    Hi Srinath,
    Thanks for your quick response on this!
    Actually, I have tried both the admin applet and the $UCM_HOME/bin/Archiver. I can't find the remote collections.
    Indeed, there is "browse proxied..." and "browse local". When I click "browse proxied", I can find the remote collection, but when I try to open it there is always an error:
    'Unable to retrieve list of proxied servers. A collection with this name already exists in the system'
    I'm not sure if it is caused by the same instance name for both source server and target server?
    Thanks,
    Y.H.

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do smth else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access
    Second.. If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If the option is the second, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • Can static/dynamic LDAP (not posix) groups be nested?

    Does anyone here know whether the LDAP static or dynamic groups (i.e. not simple POSIX groups) can be nested inside of one another? Basically I just want to add groups to groups, but I'm not able to find out if this works (thus far it's not working for me).
    Patrick

    Groups can be nested. Use the attribute uniquemember in the objectclass groupofuniquenames. uniquemember's value is then the dn of another Group.
    Regards,
    Ingo

  • How can I filter to find photos NOT pinned to a map? I have 28,000 photos with many mapped and many not. The Search function does not include GPS data. I haven't found a way to search metadata inside or out of Elements.

    How can I filter to find photos NOT pinned to a map? I have 28,000 photos with many mapped and many not. The Search function does not include GPS data. I haven't found a way to search metadata inside or out of Elements.

  • Could not find the group name.

    HI,
    I executed the below VBS file on a Windows 7 Enterprise Edition workstation and received "Could not find the group name. Code: 800708ac"
    GetObject("WinNT://" + WScript.CreateObject("WScript.Network").ComputerName + "/Administrators").Add "WinNT://MYDOMAIN/TEST-TESTWorkstationAdmins"
    I am able to add the "TEST-TESTWorkstationAdmins" in Administrator group manually but not able to add using the script.
    "TEST-TESTWorkstationAdmins" is Global Security Group. Please help me to fix the problem. 
    Regards,
    Boopathi S

    The code in VBScript would look like this:
    Dim AdminGroup
    Set AdminGroup = GetObject("WinNT://" & CreateObject("WScript.Network").ComputerName & "/Administrators,Group")
    AdminGroup.Add "WinNT://MYDOMAIN/TEST-TESTWorkstationAdmins"
    But I would recommend using Group Policy to update local Administrators group membership rather than using a script.
    -- Bill Stewart [Bill_Stewart]

  • LDAP- When importing a Group it goes into Security Users and not Groups.

    Hello,
    I created a new LDAP Server
    cn=GroupBI,OU=Groups,OU=Systems,OU=Milan,OU=Italy,OU=Countries,DC=u,DC=a,DC=g
    Connection Test was ok.
    The problem is on importing members of my group, on Security Import window instead of having the group drop-down list populated I have the user drop-down list populated with "GroupBI".
    If I import this group (considered as a user by BI) it goes into Security > Users and not Security > Groups.
    This does not make sense.
    I'm sure this "GroupBI" is a group and not a user, and the attribute type used is sAMAccountName
    Any help?
    Cheers

    Let me tell how we did Authentication using LDAP
    I haven't imported any groups or users. Once the LDAP was set up and the connection was successful, I simply created the session variables USER, DISPLAYNAME and EMAIL and mapped them to the LDAP variables uid, displayname and mail.
    Authentication is done in this way by mapping the OBIEE variables to LDAP variables instead of importing the groups.
    Now for Authorization I created the groups populated using some db tables and captured the group name and loglevel and applied filters on the group in the rpd for data level and permissions on the group in webcat for object level.
    So just for Authentication purposes I think we can authenticate without really importing groups, as long as you map OB variables to LDAP.
    hope it helps
    Prash

  • Essbase 11.1.2.1 Users not inheriting filter access from group

    Hello all! We installed Essbase 11.1.2.1 in a distributed environment integrated with Shared Services and ran into an issue when provisioning users via groups. Using Shared Services we created a Native Directory Group and User. We provisioned the group with the Server Access Role and Filter Application role, then assigned the filter to the group using 'assign access control' on the application in Shared Services. For some reason using the Essbase add-in we are unable to retrieve data from the database. We receive an error stating the user id does not have read access to the db. If we carry out the same provisioning steps above on the user directly, we are able to retrieve data from the database. Any ideas on what might be causing this?

    In V11.1.2.2 ESSBASE is managed by OPMN. OPMN needs to be started before starting ESSBASE. You need to use "start.sh". Please do the following
    1) Run "stop.sh" that is in the starter scripts folder - This will stop all Oracle EPM components that are installed on the box
    2) Run "start.sh" - this will start OPMN, ESSBASE and all other installed components
    The "startEssbase.sh" and "stopEssbase.sh" can be used to start or stop ESSBASE only when OPMN is already running.

  • Find / -group network -- no permission / directory not found

    Hi,
    Sorry, I unfortunately started the thread in German. Now the English version.
    I'd like to find all files assigned to a group, e.g. network.
    I used this command with the following errors.
    # find / -group network
    find: "/home/clementis/.gvfs": no permission
    find: "/proc/1581/task/1581/fd/5": file or directory not found
    find: "/proc/1581/task/1581/fdinfo/5": file or directory not found
    find: "/proc/1581/fd/5": file or directory not found
    find: "/proc/1581/fdinfo/5": file or directory not found
    Does this output simply mean that there are no files with the group "network" or is it an access problem or something else?
    Could please help or give me a hint?
    Thx!
    Clementis
    Last edited by clementis (2012-04-16 19:56:27)

    Such errors are normal with most searches. Normally it is safe to send stderr to /dev/null.
    $ find / -group network 2>/dev/null
    (Translated with Google Translate)

  • GP Preference Items Throwing "Could not find a part of the path" Error in GP Management Console

    Hello, 
    For background, I recovered two Server 2008 R2 Domain Controllers in the same domain from a JRNL_WRAP_ERROR using the BurFlags registry key as outlined in KB290762. The non-authoritative restore seemed to resolve NtFrs/replication challenges, as now the FRS and System logs are free from any major errors and "repadmin /showreps" output looks clean.
    As part of the cleanup process I am going through and checking all the policy objects. Policy objects that leverage group policy preferences are throwing an error when the settings are viewed in the management console:
    The following errors were encountered:
    An unknown error occurred while data was gathered for this extension. Details: Could not find a part of the path 'C:\Users\administrator.YOURDOMAIN\AppData\Local\Temp\2\ny0ho1ht.tmp'.
    This occurs for existing Group Policy Preference objects and those that are newly created. It is important to note that if I go to edit the policy in question the preference settings are available; it is viewing them in the management console that seems to be the issue. What concerns me here is that the file it is looking for is stored in the local temp directory and not the SYSVOL directory. With replication issues behind me I am not sure how to address this last piece of the puzzle.
    Any assistance in getting this squared away would be appreciated.
    Thanks!
    Jordan

    DCDIAG /C outputs the following error in relation to the VerifyEnterpriseReferences test:
    Starting test: VerifyEnterpriseReferences
       The following problems were found while verifying various important DN
       references.  Note, that  these problems can be reported because of
       latency in replication.  So follow up to resolve the following
       problems, only if the same problem is reported on all DCs for a given
       domain or if  the problem persists after replication has had
       reasonable time to replicate changes.
          [1] Problem: Missing Expected Value
           Base Object:
          CN=DC04,OU=Domain Controllers,DC=YOURDOMAIN,DC=local
           Base Object Description: "DC Account Object"
           Value Object Attribute Name: msDFSR-ComputerReferenceBL
           Value Object Description: "SYSVOL FRS Member Object"
           Recommended Action: See Knowledge Base Article: Q312862
          [2] Problem: Missing Expected Value
           Base Object:
          CN=DC03,OU=Domain Controllers,DC=YOURDOMAIN,DC=local
           Base Object Description: "DC Account Object"
           Value Object Attribute Name: msDFSR-ComputerReferenceBL
           Value Object Description: "SYSVOL FRS Member Object"
           Recommended Action: See Knowledge Base Article: Q312862
          LDAP Error 0x20 (32) - No Such Object.
    I am evaluating the suggested KB now but am not sure it is related to the issue at hand but posted it for completeness. 
    All other tests pass. 

  • VSOM 7.0.1 LDAP Filter AD

    Hello!
    LDAP server settings are as follows: 
    Name: SFC.LOCAL
    Host Name: 192.168.104.252
    port: 389
    Member of: %USERID%@sfc.local
    Database search for users: OU=Accounts,DC=sfc,DC=local
    User ID attribute: sAMAccountName
    How do I create a filter selecting users from a specific location in the AD hierarchy?
    The users are located at:
    OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local
    try like this: 
    search path: OU=Accounts,DC=sfc,DC=local
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Runtime Error: The user with the given name is not found in the LDAP filter by (&(sAMAccountName=drozdov.alexander)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Could this be an inaccurate filter configuration?

    Hello Alex,
    Here is an example LDAP search filter configuration. Let me know if this helps.
    •General Settings
    Hostname: ds.cisco.com
    Port: 389
    Principal: %USERID%@cisco.com
    User Search Base: ou=Cisco Users,dc=cisco,dc=com
    Userid Attribute: sAMAccountName
    •LDAP Search Filter:
    Select a Cisco mailing list you are on from mailer.cisco.com, and substitute its name for <anyMailer> in the Filter below
    Search Path: ou=Cisco Users,dc=cisco,dc=com
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=<anyMailer>,OU=Mailer,OU=Cisco Groups,DC=cisco,DC=com))
    Br,
    Nadeem Ahmed
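The answer's search-base and memberOf settings worked through as an added example (not Cisco VSOM's code; the entries, group and account names below are constructed): the search base is what confines a user lookup to an OU, while a memberOf clause only matches the DN of a group.

```python
"""Location versus group membership in an AD user-lookup filter.

Added example, not Cisco VSOM or Cisco code; the directory entries, group and
account names are constructed. memberOf carries the DNs of groups, never of
OUs, so restricting users to an OU is done with the search base and scope; a
memberOf clause only ever expresses group membership.
"""
import re

def _norm(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, whitespace after commas ignored.
    return ",".join(p.strip() for p in dn.lower().split(","))

def in_scope(entry_dn: str, base_dn: str, scope: str = "sub") -> bool:
    """RFC 4511 search scope: base = the base entry only, one = its direct
    children, sub = the base and everything below it."""
    e, b = _norm(entry_dn), _norm(base_dn)
    if e == b:
        return scope != "one"
    if not e.endswith("," + b):
        return False
    if scope == "one":
        # Naive depth check; commas inside attribute values are not handled.
        return "," not in e[: -len(b) - 1]
    return scope == "sub"

def parse_and_filter(filt: str) -> list:
    """Parse the '(&(a=v)(b=v))' shape used in the thread into (attr, value)."""
    return re.findall(r"\(([^=()]+)=([^()]*)\)", filt)

DN_VALUED = {"memberof", "distinguishedname", "manager"}

def matches(entry: dict, filt: str, userid: str) -> bool:
    """Evaluate each equality clause against one entry (AD compares case-insensitively)."""
    attrs = {k.lower(): v for k, v in entry.items()}
    for attr, value in parse_and_filter(filt):
        value = value.replace("%USERID%", userid)
        stored = attrs.get(attr.lower(), [])
        stored = stored if isinstance(stored, list) else [stored]
        if attr.lower() in DN_VALUED:
            ok = any(_norm(s) == _norm(value) for s in stored)
        else:
            ok = any(s.lower() == value.lower() for s in stored)
        if not ok:
            return False
    return True

def find_users(directory: list, base_dn: str, filt: str, userid: str,
               scope: str = "sub") -> list:
    """Emulate the user search: scope check first, then the filter."""
    return [e["dn"] for e in directory
            if in_scope(e["dn"], base_dn, scope) and matches(e, filt, userid)]

SPK_OU = "OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local"
ACCOUNTS = "OU=Accounts,DC=sfc,DC=local"
USER_DN = "CN=drozdov.alexander," + SPK_OU
OPERATORS = "CN=VSOM Operators,OU=Groups,DC=sfc,DC=local"  # constructed group
DIRECTORY = [
    {"dn": USER_DN, "sAMAccountName": "drozdov.alexander", "memberOf": [OPERATORS]},
    {"dn": "CN=other.user,OU=HQ,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local",
     "sAMAccountName": "other.user", "memberOf": []},
]
# The thread's filter names an OU path where a group DN is expected: no match.
THREAD_FILTER = ("(&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,"
                 "OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))")
# Location comes from the search base; membership from a real group DN.
BY_LOCATION = "(sAMAccountName=%USERID%)"
BY_GROUP = "(&(sAMAccountName=%USERID%)(memberOf=" + OPERATORS + "))"
```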

  • How do you filter content by groups?

    I used to spend a great deal of time on Apple Discussions, but having been away for a couple of years I see there have been major changes. As a result, I'm finding it hard to manage tasks that used to be easy, & I would appreciate some help with these questions so that I can go back to helping others…
    1) How do you filter "Content" by groups? I used to be able to select the group I was particularly interested in (usually Logic Pro). I see that if a recent question has been asked in a group, I can click on the name of that group — but if no questions have been asked in the last few hours, this would mean page after page of scrolling…
    2) Someone answered another question I asked yesterday. I wanted to thank them & to mark the question as answered. But all I could see was the "Helpful" link (which unfortunately I clicked on before I realised it wasn't the same as the old "Answered" link). I can't see how to mark the reply as THE ANSWER, I can't see how to mark the question as answered, & I can't see any way of replying to the answer. The only text field available is to reply to myself, which seems daft — & yes, I AM logged in.
    (I can't quite believe how hard it is to find out this stuff. I recall a certain meeting where the object of the exercise was to make the interface more accessible, not more opaque…)

    A lot of the collective consciousness:
    How to improve your experience with Apple Support Communities ( ASC )
    Easiest way to see all User Tips on using ASC may be to add "/content" to the URL, then click the User Tips Category tab
    *some User Tips have some of the same stuff but also some unique content
    SITEMAP | Apple Support Communities has some gems as well
