Reconciliation - Windows Active Directory - Bypass/Filter certain accounts

Hello experts,
Accounts in our Active Directory have an attribute employeeType. We want to load employeeType values of "E" and "G" into our IDM repository. There are other employeeType values which we do not want to load. For example, we are not interested in AD accounts with an employeeType of "R", so we prefer not to load them into IDM.
One solution is to load the employeeType values we want into an organization and all other employeeType values into a different organization, then delete the accounts from the different organization when recon is finished. Not really efficient, but it would work.
Are there other ideas we are overlooking?

We decided not to filter Active Directory accounts. Instead, accounts we are not interested in are assigned to an organization we call Non User Accounts. We might delete those accounts from that organization after the recon runs, but have not decided at this time.
If you want to filter Active Directory accounts you'll need to modify ADSIResourceAdapter. The method that needs to be modified is: "public AccountIterator getAccountIterator()". The code bolded below is where you will need to add your LDAP filter parameters.
Here is the method from the ADSIResourceAdapter:
    public AccountIterator getAccountIterator()
        throws WavesetException
    {
        String method = "getAccountIterator";
        HashMap params = new HashMap();
        // An explicit "Object Category" resource attribute takes precedence
        // and becomes the whole search filter.
        String objectCategory = getOptionalStringResAttrVal("Object Category");
        if (objectCategory != null) {
            params.put("Search Filter String", "(objectCategory=" + objectCategory + ")");
        } else {
            // Otherwise fall back to the "Object Class" attribute; a missing
            // value or "user" selects the default user search filter.
            String objectClass = getOptionalStringResAttrVal("Object Class");
            if (objectClass == null || "user".equalsIgnoreCase(objectClass.trim())) {
                params.put("Search Filter String", "(search filter here)");   // <-- add your LDAP filter parameters here
            }
        }
        AccountIterator result = null;
        try {
            result = getBlockAccountIterator(params);
        } catch (WavesetException e) {
            if (_util != null) {
                _util.logString(1, e.getMessage());
            }
            TRACE.info1("getAccountIterator", e.getMessage());
            throw e;
        }
        return result;
    }
If we were to change this method, the 'search filter here' would be changed to (|(employeeType=E)(employeeType=G)).
Another fix might be to use the LDAPResourceAdapter. We did not explore that option in great depth. However it appears it would work once configured correctly.
Hope this helps someone.
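The following is an added example, not code from the original post or from the Sun IDM ADSIResourceAdapter. It builds the employeeType filter mentioned above from a list of allowed codes, escapes the values per RFC 4515 so a code read from configuration cannot alter the filter's structure, and ANDs the result onto the adapter's existing object restriction instead of replacing the whole "Search Filter String" (the base filter `(objectClass=user)` is an assumption; the real default is not shown on the page). It then evaluates the same rule against constructed account entries to show which ones the reconciliation would load.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: builds and explains the employeeType reconciliation filter.
public class EmployeeTypeFilter {

    // RFC 4515 escaping: a value such as "E)(cn=*" must not be able to
    // change the meaning of the filter it is embedded in.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // (|(employeeType=E)(employeeType=G)) for the allowed codes;
    // a single code needs no OR wrapper.
    static String employeeTypeFilter(List<String> allowedTypes) {
        if (allowedTypes.isEmpty()) {
            throw new IllegalArgumentException("at least one employeeType is required");
        }
        StringBuilder sb = new StringBuilder();
        for (String t : allowedTypes) {
            sb.append("(employeeType=").append(escapeFilterValue(t)).append(')');
        }
        return allowedTypes.size() == 1 ? sb.toString() : "(|" + sb + ")";
    }

    // Keep the adapter's object restriction and AND the type filter onto it.
    // Replacing the whole filter would also return contacts, computers and
    // other non-user objects that happen to carry an employeeType.
    static String searchFilter(String objectFilter, List<String> allowedTypes) {
        return "(&" + objectFilter + employeeTypeFilter(allowedTypes) + ")";
    }

    // Simplified in-memory evaluation of the same rule (single-valued
    // objectClass), used only to show which constructed accounts would load.
    static boolean wouldLoad(Map<String, String> entry, List<String> allowedTypes) {
        String type = entry.get("employeeType");
        return "user".equals(entry.get("objectClass")) && type != null && allowedTypes.contains(type);
    }

    private static Map<String, String> entry(String objectClass, String employeeType) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("objectClass", objectClass);
        if (employeeType != null) {
            m.put("employeeType", employeeType);
        }
        return m;
    }

    public static void main(String[] args) {
        List<String> wanted = Arrays.asList("E", "G");
        System.out.println(searchFilter("(objectClass=user)", wanted));
        // prints (&(objectClass=user)(|(employeeType=E)(employeeType=G)))

        // Constructed sample entries, not real directory data.
        Map<String, Map<String, String>> accounts = new LinkedHashMap<>();
        accounts.put("alice", entry("user", "E"));          // load
        accounts.put("bob", entry("user", "G"));            // load
        accounts.put("carol", entry("user", "R"));          // type R: skip
        accounts.put("svc-backup", entry("user", null));    // no employeeType: skip
        accounts.put("printer-01", entry("computer", "E")); // not a user object: skip

        for (Map.Entry<String, Map<String, String>> e : accounts.entrySet()) {
            System.out.printf("%-12s %s%n", e.getKey(), wouldLoad(e.getValue(), wanted) ? "load" : "skip");
        }
    }
}
```

Whether the filter is applied in the adapter or through the separate organization approach described above, the effect on the reconciliation result is the same; the difference is that a filtered search never pulls the unwanted accounts over the wire or into the IDM repository in the first place.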

Similar Messages

  • SAP User Authentication via Windows Active Directory

    The non-profit company I work for as an SAP Security Admin has been using SAP since 1999.  We are currently running ECC 6.0, BI 7.0, and CRM 7.0.  With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently. 
    The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & catagorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication.  Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password.  If you can log onto your PC, you can log into the time-keeping software. 
    That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future.  I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory).  My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually related to single sign-on, LDAP, etc.  The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer.  It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple.   Can anyone lead me to a more straightforward solution?  If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping software?

    >
    Gagan Deep Kaushal wrote:
    > Hi Tim,
    >
    > It's nice to see the video.
    >
    > Does that mean that using different usernames at the OS and SAP level we can still achieve SSO?
    >
    > Correct me if I am wrong.
    > The only thing we need to maintain is the SNC name.
    Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and MS AD domain, but this cannot sync the password, so using SNC authentication instead of using SAP passwords is ideal.
    >
    > So for user test1 i can manage name as p:test2.....  ??
    Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in AD domain might have long account name, e.g. "firstname.verylonglastname" which is too big for use as a SAP username so you can map this long AD account name onto a SAP user called FIRSTLAST in one or more SAP clients.
    >
    > I think that is what Ronald is also looking for; the user name need not be the same.
    >
    > Regards,
    > Gagan Deep Kaushal

  • How to create mailboxes under mac os x 10.6.4 either using ldapv3 or windows active directory?

    Hi,
    I'm working on the mail server of our company. The plan is to implement the built-in mail server feature of Mac mini OS X 10.6.4 using either LDAPv3 or, preferably, our existing Windows Active Directory users.
    I was able to set up Open Directory and can view the user accounts from AD. My problem is I do not have any clear documentation or manual on how to create mailboxes using either AD accounts or Mac LDAPv3. I already checked the manual of Mac OS X mail service administration and have found none pertaining to this case.
    I would really appreciate it if someone can give me a reference on how to do this. As of now I'm quite desperate because I have a deadline for this project.
    Thank you in advance for your help.

    You said, "A 2014 iMac can't run either Snow Leopard or Lion." I know that. What I want to know is how I can install Lion or Snow Leopard on a peripheral hard drive, NOT on my iMac.
    – Larry

  • Impact on roaming profile accounts if we Change User logon Name to Employee Number format in Active Directory for all User accounts

    I want to understand, if we change User logon Name to Employee Number format in Active Directory for all User accounts, what the impact on existing profiles would be. Whether we need to change it manually or it will connect to the same profiles in a terminal session.
    As I observed, it creates a new profile after the logon name is changed to the employee number, where the existing user's profile settings fail to load and prompt for new settings (such as Outlook reconfiguration, share drive mapping, etc.).
    Kindly let me know the proper process to overcome this: how to connect the same existing roaming profile after the employee number format change.

    Hi,
    What if we change the user name of user account, will it have impact on roaming profiles.
    Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
    Here is a related article for you:
    How to Rename a Windows 7 User Account and Related Profile Folder
    http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
    Best Regards,
    Amy

  • Oracle database and Windows Active directory authentication

    Hello,
    Our developers have created a couple of web apps which look at our oracle database. Presently they use the APPS user and the user/password is hard coded into the config files.
    Is it possible to authenticate these using Windows Active Directory instead? Is it possible to use AD authentication for all developer access to the database?
    I'm trying to research this on the web but getting very confused. Would a lot of work be involved to get this up and running?
    Is anyone able to offer any advice?
    Thank you very much
    Sarah

  • Oracle Linux and Windows Active Directory

    I am looking for a good article on joining an Oracle Linux server to a Windows Active directory domain.
    We are primarily a Windows shop but need to bring up a couple of Oracle Linux servers (VM Server and VM Manager). I would like to use the existing Windows domain controller for user authentication.

    I don't have experience in joining a Linux system with Windows AD, and it generally does not sound like the best idea to me, but since Oracle Enterprise Linux is a clone of Red Hat Enterprise Linux, the solution you are looking for could be called Winbind.
    Perhaps the following links are useful:
    http://spiralbound.net/blog/2007/04/11/rhel-winbind-authentication-against-active-directory
    http://www.linuxmail.info/active-directory-integration-samba-centos-5/
    http://magazine.redhat.com/2007/11/12/tips-and-tricks-how-can-i-configure-winbind-to-synchronize-user-and-group-ids-across-multiple-red-hat-enterprise-linux-hosts-on-active-directory-accounts/

  • JNDI Realm for ADS (Windows Active Directory)

    Hi,
    Does anybody know how to connect to the Windows Active Directory? I have to prove
    that Java can do this and I don't know how. Please help, otherwise we will start
    using .NET!!!!!
    Sincerely,
    Gabriel

    "gabriel" <[email protected]> wrote in message
    news:[email protected]..
    > Hi,
    > Does anybody know how to connect to the windows active directory? I have to proof,
    > that java can do this and I don't know how. Please help, otherwise we will start
    > using .NET!!!!!
    We certainly don't want that.
    With WLS 6.x, you can use the ldap realm v2 to access active directory.
    With WLS 7.x and 8.x, you can use the External LDAP Authentication provider to access active directory.
    If you have to use JNDI to access Active Directory, then you can write your own authentication security provider and hook it up with WLS.

  • OIA Windows Active Directory

    Hello everyone,
    I'm learning OIA and trying to create a namespace for Windows Active Directory.
    Created the namespace using administration-->Configuration-->resource types--> Windows Active Directory,
    then created an Attribute category. Now I want to create attributes, but I don't know the attribute names for the same.
    Can anyone help me on this?
    Thanks in advance
    Regards,
    Krish.

    Hi Krish,
    The attribute values are all the entitlements you are intending to populate into OIA.
    Note: endpoint, domain, name and statuskey don't need to be registered as attributes within the attribute page.
    Read from the 'Understanding the Schema File for Accounts' section down:
    http://docs.oracle.com/cd/E24179_01/doc.1111/e23369/oiaimporting.htm
    Regards,
    Daniel

  • Windows active directory logs

    Hi,
    We are using Windows active directory to manage our users. Another company has configured the same for us.
    Currently we don't have permissions to create a new user. They have given us one account and by using that account, we are able to create new groups in AD, add users to the groups, etc. We would like to get the logs for each user removal or addition to the AD groups. How do we enable the same? We would like to know who and when each user is getting added to the AD groups. Please help us in this.

    Hi Kewpin,
    To enable the complete details on user account changes including group membership, you need to enable the following audit settings:
    1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
    2. Right click the Default Domain Controllers Policy, and then click Edit.
    3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
    4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
    5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
    For Windows Server 2008 R2 and later versions, additional configuration is required in  “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
    For additional auditing configuration of,
    1. AD Changes
        Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.)
        Enable Success auditing for the following settings:
        - Audit Directory Service Changes
    2. Account Management
        Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.)
        Enable Success auditing for the following settings:
        - Audit User Account Management
        - Audit Security Group Management
        - Audit Distribution Group Management
    Once you have enabled the above audit settings, you can set an auditing SACL for the AD object.
    Check out the below screenshot for setting the auditing SACL.
    Check out the below link for the Security Event ID list for auditing AD changes:
    http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html
    Regards,
    Gopi
    JiJi Technologies
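The following is an added example and is not part of the answer above. Once the Account Management audit settings are in place, each membership change of a security-enabled group is written to the domain controller's Security log as one of the event IDs listed in the code (4728/4729 global, 4732/4733 local, 4756/4757 universal). The program reads a constructed, simplified one-line-per-event export (not the real Windows XML layout; field names `Subject`, `Member` and `Group` and the sample values are assumptions) and produces the "who added whom, to which group, when" report the question asks for.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example: turns group-membership audit events into a change report.
public class GroupMembershipAudit {

    // Windows Security event IDs for membership changes of security-enabled groups.
    static final Map<Integer, String> ACTIONS = new HashMap<>();
    static {
        ACTIONS.put(4728, "added to global group");
        ACTIONS.put(4729, "removed from global group");
        ACTIONS.put(4732, "added to local group");
        ACTIONS.put(4733, "removed from local group");
        ACTIONS.put(4756, "added to universal group");
        ACTIONS.put(4757, "removed from universal group");
    }

    static final class Change {
        final String time, actor, member, group, action;
        Change(String time, String actor, String member, String group, String action) {
            this.time = time; this.actor = actor; this.member = member;
            this.group = group; this.action = action;
        }
        @Override public String toString() {
            return String.format("%s  %s %s %s by %s", time, member, action, group, actor);
        }
    }

    // Constructed record layout: "<time> <eventId> Subject=<who> Member=<whom> Group=<group>".
    // Values contain no spaces in this simplified format. Returns null for
    // malformed lines and for events that are not membership changes.
    static Change parse(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length < 5) return null;
        int eventId;
        try {
            eventId = Integer.parseInt(f[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        String action = ACTIONS.get(eventId);
        if (action == null) return null;   // e.g. 4624 logon: not a membership change
        Map<String, String> kv = new HashMap<>();
        for (int i = 2; i < f.length; i++) {
            int eq = f[i].indexOf('=');
            if (eq > 0) kv.put(f[i].substring(0, eq), f[i].substring(eq + 1));
        }
        if (!kv.containsKey("Subject") || !kv.containsKey("Member") || !kv.containsKey("Group")) return null;
        return new Change(f[0], kv.get("Subject"), kv.get("Member"), kv.get("Group"), action);
    }

    static List<Change> report(List<String> lines) {
        List<Change> changes = new ArrayList<>();
        for (String line : lines) {
            Change c = parse(line);
            if (c != null) changes.add(c);
        }
        return changes;
    }

    public static void main(String[] args) {
        // Constructed sample export, not real log data.
        List<String> sample = Arrays.asList(
            "2014-03-03T09:15:02Z 4624 Subject=CORP\\helpdesk1",
            "2014-03-03T09:16:40Z 4728 Subject=CORP\\helpdesk1 Member=CORP\\jdoe Group=CORP\\Finance-Users",
            "2014-03-03T09:17:05Z 4732 Subject=CORP\\helpdesk1 Member=CORP\\jdoe Group=BUILTIN\\Administrators",
            "2014-03-04T17:58:11Z 4729 Subject=CORP\\svc-idm Member=CORP\\rsmith Group=CORP\\Finance-Users",
            "not an event record"
        );
        for (Change c : report(sample)) {
            System.out.println(c);
        }
    }
}
```

The Subject fields answer the "who" part of the question: with the shared account the poster describes, every change will carry the same Subject, so the audit trail only identifies a person if each administrator uses an individual account.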

  • Crystal Reports and Windows Active Directory

    Hi,
    I am trying to authenticate using the Windows Active Directory. I have created a test group in the Active directory and added myself as a member to that group. On the Crystal reports server side, I have enabled the Windows Active Directory. I can see the group that I created on the Active Directory. But I do not see any users. I have a Java infoview and I changed the web.xml file. I changed the authentication parameter to secWinAD. But does anyone know how to restart the web application server? I restarted the service Intelligent Agent. But when I login using my user id and password it still gives me the same error:
    Account Information Not Recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
    Any help will be appreciated.
    Thanks.

    Infoview doesn't even need to be restarted.
    You said "I have a Java infoview and I changed the web.xml file" in your original post
    If you have .net IIS then it would be a web.config file that needs to be changed. IIS will pick up the changes as soon as you save the file and open an infoview logon page. you may also opt to set authentication.visible to true so users will have the ability to select AD when logging in.
    Regards,
    Tim

  • How can I authenticate a User In Windows Active Directory?

    I need to authenticate a user in Windows Active Directory, but I found that the code below returns true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which does not exist in Active Directory with a blank password, it also returns true. What shall I do? Must every user be required to enter a non-blank password?
    Please give me some help to solve this problem. Thanks a lot.
    Code:
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.InitialDirContext;

    private Context ctx = null;

    public boolean authenticate(String name, String password) throws NamingException {
        Hashtable env = new Hashtable();
        boolean isValid = false;
        try {
            this.setEnvironmentProperties();
            String domainName = AuthenticateResources.getString("mydomain.com");
            // set the name of the domain with the user name
            String fullName = name + "@" + domainName;
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://mydomain:389");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            // set user related information
            env.put(Context.SECURITY_PRINCIPAL, fullName);
            // set user password (a blank password is passed straight through here)
            env.put(Context.SECURITY_CREDENTIALS, password);
            // validate user: the bind happens when the context is created
            ctx = new InitialDirContext(env);
            isValid = true;
        } catch (AuthenticationException ex) {
            isValid = false;
        } catch (NamingException ex) {
            throw ex;
        } finally {
            this.freeContext();
        }
        return isValid;
    }

    This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
    I think by default Active Directory disables Anonymous Binding, but you may want to check.
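The following is an added example, not the original poster's code or the reply's. It shows why the blank-password case succeeds and how to close it on the client side regardless of the server's anonymous-bind setting: LDAP defines a simple bind with a name and an empty password as an "unauthenticated" bind (RFC 4513, section 5.1.2), which a server may accept without checking anything. The fix is to refuse to bind at all unless a real password is present. The domain name, the `ldaps://` URL and the sample user names are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example: JNDI bind against AD that cannot degrade into an
// unauthenticated bind.
public class AdAuthenticator {

    private final String domainName;   // e.g. "example.test" (placeholder)
    private final String providerUrl;  // e.g. "ldaps://dc.example.test:636" (placeholder)

    public AdAuthenticator(String domainName, String providerUrl) {
        this.domainName = domainName;
        this.providerUrl = providerUrl;
    }

    // Input validation that runs before any network call. Returns null when
    // the credentials are acceptable, otherwise a reason that is safe to log.
    static String rejectReason(String name, String password) {
        if (name == null || name.trim().isEmpty()) {
            return "empty user name";
        }
        if (password == null || password.isEmpty()) {
            return "empty password (would become an unauthenticated bind)";
        }
        // An '@' or control character in the user name would let the caller
        // change the realm part of the UPN or corrupt the bind name.
        for (char c : name.toCharArray()) {
            if (c == '@' || c < 0x20) {
                return "user name contains an invalid character";
            }
        }
        return null;
    }

    public boolean authenticate(String name, String password) throws NamingException {
        if (rejectReason(name, password) != null) {
            return false;  // never attempt the bind
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Simple bind sends the password in clear text, so use LDAPS (or
        // StartTLS) rather than plain ldap://host:389.
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, name.trim() + "@" + domainName);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);  // the bind happens here
            return true;
        } catch (AuthenticationException ex) {
            return false;                       // wrong user or wrong password
        } finally {
            if (ctx != null) {
                ctx.close();                    // release the connection in every case
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        AdAuthenticator auth = new AdAuthenticator("example.test", "ldaps://dc.example.test:636");
        // The cases from the question, evaluated without contacting a server:
        System.out.println(rejectReason("nosuchuser", ""));        // empty password (...)
        System.out.println(rejectReason("alice", "s3cret"));       // null: would proceed to bind
        System.out.println(rejectReason("alice@other.test", "x")); // invalid character
        System.out.println(auth.authenticate("nosuchuser", ""));   // false, no bind attempted
    }
}
```

Rejecting the empty password before the bind is the important part; whether or not the directory permits anonymous or unauthenticated binds, this client never reports a blank password as a successful login.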

  • ISE 1.0.4 & Windows Active Directory

    We are planning to add a NAC solution in our network and we are a little confused with ISE. Can ISE support single sign-on with Windows Active Directory in this version 1.0.4? If yes, how can we do it?
    Thank you

    Thanks for prompt answer,
    Something more, i can't find in the following page which is the correct licence in order to install a DEMO ISE in my network. https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
    Can you help me?

  • Windows active directory

    Hi, I want to write a Windows application in LV which can have a single sign-on concept. I want the users to be able to log into the application (exe located on the desktop) without any log-in prompts.
    However, if the user wants to switch his/her role in between, the application must go to the login screen and prompt for a user name and password. This username and password must be in sync with the "windows active directory". can anyone help?
    Regards

    I'm confused! You want a user to login into your application without login prompt or you want him to be able to startup the application without login? The first seems highly contradictory to me.
    The requirements about using the login credentials of a Windows domain setup are most easily met by using .Net functionality. I have used in the past Windows API functionality for this which has some extra features that seem not available in .Net at all, but that is a very complicated and cumbersome interface that I can't recommend to anyone.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions

  • Windows Active Directory only ABAP?

    Hi experts,
    I configured a JAVA system with SSO by Kerberos and Active Directory...
    Now, I want to configure an ABAP-only system (on Windows) with Windows Active Directory. Is it possible? Is there any manual or blog?
    Thanks in advance,
    Regards,

    Victor,
    Yes, this is possible and very common.
    It is implemented using an interface known as SNC (Secure Network Communications) that is available in SAP ABAP and SAP GUI. You need an SNC library that supports Kerberos, and if you are running SAP ABAP on UNIX you need to get this SNC library from a SAP partner, so there will be additional cost considerations. If your SAP ABAP system is on Windows, then you have the option to use an SNC library from SAP which has basic SSO functionality. Some of the SAP partners provide more than SSO. I work for one of the SAP partners which I am describing.
    Also, if you search in this forum for SNC Kerberos keywords you will find many references to this subject.
    Thanks,
    Tim

  • Windows active directory integration with sap user management

    Hi All
    I have installed SAP as a local installation. Now my client wants to integrate SAP user management with Windows Active Directory. We have ECC, BI, PI, SCM and EP systems in our landscape. Kindly suggest how to do that and what will be the best strategy to do that in a simple scenario.
    Regards
    Pranav

    pranav kumar wrote:
    Hi Kenneth
    >
    > I just want to integrate SAP with Windows Active Directory.
    >
    >
    > Regards
    > Pranav
    Hi Pranav,
    Check the article, http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c00464ce-c974-2e10-f5be-f8f4c6dce31c
    Then, take a look at SSO solutions at http://ecohub.sap.com/
    You can find many solutions there.
    Best regards,
    Orkun Gedik
