Removing LDAP group

Similar Messages

• How to delete / remove a group in AD using LDAP?

  Can anyone please point me in the right direction to code the ability to delete or remove a group from AD using LDAP? Is this even possible? I'm surprised I cannot find anything related to this action.

  How would you delete any other object using LDAP ?
  Why do you think deleting a group is any different ?
  String groupName = "CN=Idiots,OU=Developers,DC=Antipodes,DC=Com";
  // Create the initial directory context
  LdapContext ctx = new InitialLdapContext(env,null);
  // Delete the group, and wishfully all the idiots that ask stupid questions
  ctx.destroySubcontext(groupName);

• Glassfish LDAP group search results in Exception

  I'm trying to get my group search running but I keep getting the same exception
  java.lang.NullPointerException
       at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
       at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
       at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
       at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
       at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
  There's only on post on the web with the same problem and there is is not fixed.
  This is the domain.xml
  <auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://myldap:389"></property>
  <property name="base-dn" value="ou=Users,o=xxx"></property>
  <property name="jaas-context" value="ldapRealm"></property>
  <property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
  <property name="search-bind-password" value="xxxxx"></property>
  <property name="search-filter" value="(&amp;(objectClass=user)(uid=%s))"></property>
  <property description="null" name="assign-groups" value="USER"></property>
  <property name="group-search-filter" value="(&amp;(objectClass=groupOfNames)(member=%d))"></property>
  <property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>
  </auth-realm>
  Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.
  The group I am trying to map is
  cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx
  And I do the following mapping in glassfish-web.xml
  <security-role-mapping>
            <role-name>ADMIN</role-name>
            <group-name>cug-EPSManager-Administrators</group-name>
       </security-role-mapping>
  I also have used
  -Djava.naming.referral=follow
  EDIT:
  I also get the following log message indicating that the search-bin-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.
  Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]
  When I look at the look at the LDAPRealm source code I see it is failing on the following statement
  int sz = grpAttr.size();
  This looks like to me that it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...
  * Search for group membership using the given connection.
  private List groupSearch(DirContext ctx, String baseDN,
  String filter, String target)
  List groupList = new ArrayList();
  try {
  String[] targets = new String[1];
  targets[0] = target;
  SearchControls ctls = new SearchControls();
  ctls.setReturningAttributes(targets);
  ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
  NamingEnumeration e = ctx.search(baseDN,
  filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);
  while(e.hasMore()) {
  SearchResult res = (SearchResult)e.next();
  Attribute grpAttr = res.getAttributes().get(target);
  int sz = grpAttr.size();
  for (int i=0; i<sz; i++) {
  String s = (String)grpAttr.get(i);
  groupList.add(s);
  } catch (Exception e) {
  _logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
  _logger.log(Level.WARNING, "security.exception", e);
  return groupList;
  Hope anyone knows the solution.
  Coen

  Hi Jeong
  Can you explain exactly what you're tyring to achieve.
  Howard
  http://www.avoka.com

• Assign role to LDAP group

  Hello,
  I've assigned a role to a LDAP group in portal. But when accesing it displays: 'No portal roles are assigned for this user'.
  The user is included in the LDAP group but I dont't know why it doesn't display nothing.
  Please, do you know what could it be?
  Thanks in advance

  Hi Isabel,
  this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
  If this is working, then we probably have to increase the log levels and check from there.
  You could also try to remove the role from the group and reassign it again.
  If it's not working: remove it again and this time search for the role and assign the group to it.
  Please come back if it is not working. Then we will try to dig deeper.
  Regards,
  Holger.

• LDAP Resource Adapter - Delete "uniqueMember"s from LDAP Groups

  We are trying to add/delete users (dn) to LDAP groups. Built in a workflow that uses the "updateResoruceObject" service to update any LDAP Group. The 'add' operation works fine as anticipated, but the 'delete' does not. Our guess is that the LDAPResourceAdapter only supports the ldapadd and not delete. We want to find out if customizing the LDAPResourceAdapter is the only workaround.
  Thanks in advance.
  Message was edited by:
  indie

  Hey, I am challenged now by not being able to remove users from ldapGroups. I found after adding ldapGroups to LDAP schema mapping, I can only keep adding users to the new groups, accounts[LDAP].ldapGroups is never able to return any value, namely is always null, so I also keep getting errors for user updating because the form keeps adding the same groups based on my custom formula.
  Overall, would you mind explain a little bit in detail how you ldapGroups field works for you on updating user groups?

• How can I remove 300 groups from my iCloud Contacts?

  My OS X Address Book started out with about 10 groups, but now iCloud.com has about 300 groups.
  The replication arose because of a bug in how iCloud handles a mixture of Address Book Cards with both OS X and Windows line terminated Notes (LF vs. CRLF - it helps if you once used a typewriter).
  I figured out how to convert Address Book to all LF terminated line feeds and I was able to get iCloud.com working on a different account, but my core account is stuck with 300 groups (some replicated 50 times).
  I know how to delete all Cards/Contacts in iCloud.com Contacts, but, unfortunately that doesn't remove Groups. (Groups have an interesting behavior in iCloud, almost as though Apple has a special plan for them.)
  I can delete Groups one at a time on iCloud.com, but that's tedious. Unfortunately deleting them on Address Book, and trusting in sync to clear up iCloud.com, is equally tedious.
  Has anyone heard of a way to delete all Groups on iCloud or Address Book 6? Perhaps an AppleScript?
  Has anyone heard of Apple resetting a corrupt iCloud account to clear out bad data? (I have a clean version of Address Book I can use to restart -- that, by the way, is harder than you'd think. Again because Groups are special).
  Advice appreciated. If I get some free time I might take may laptop by the Genius bar and see what they say...

  I figured this out. In this case I didn't care about my Contacts, I had them elsewhere. My problem was my iCloud acount was "poisoned" with massive replication of 'Groups'. Even after I deleted all the Contacts I still had hundreds of Groups to get rid of. Manual deletion was too tedious.
  The answer was a simple AppleScript (I'm on ML on the machine i ran this on, so it's "contacts" rather than Address Book:
  tell application "Contacts"
            repeat 50 times
                      set theGroup to group "MyGroupName"
    delete theGroup
            end repeat
  save
  end tell
  Since I had the same Group Names replicated about 100 times each, I only had to run this about 10 times to clear them all out. When I got to smaller numbers I had to drop the repeat count. I changed the Group name as I went.
  Took me about five minutes.
  I'm sure an AppleScripter could turn this into a general script for removing all groups all at once. Or could get very clever, and only remove groups that had no contacts (so one could salvage the group/contact relationships).
  I didn't need that. My problem has been fixed.
  I think sync works a LOT better in ML than Lion btw. iCloud updated very quickly.

• Error while adding LDAP group

  Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
  To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
  LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
  LDAP Server Type: Novell eDirectory
  Base LDAP Distinguished Name: ou=XXXXX,dc=YY
  LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
  LDAP Referral Distinguished Name: ""
  Maximum Referral Hops: 0
  SSL Type: Server Authentication
  Server Side SSL Strength: Always accept server certificate
  Single Sign On Type: None
  When I add any new group then its not added and I get below error message in the Logging directory  for WCA.
  Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
  Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
     at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
  Can anyone help to find if LDAP is configured correctly before adding group?
  Thanks,

  Resolved. It was due to wrong LDAP group given to me.
  Thanks,

• Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

  Can an email address be a member of an LDAP group even if it isn't
  associated with an object in the Directory Server?
  <P>
  General members of a group are the members defined in the
  Directory Server. They are full-fledged members of the group who
  may have a set of permissions associated with their membership,
  a title, or other attributes. Mail-specific users are users who
  are not full-fledged members of the group, but who receive mail
  sent to the group. Mail-specific users need not be identified as
  a user in the Directory Server--an email address is sufficient.
  An example of this is a group of salespeople, all of whom are in
  the group "North American Sales Team." They have access to a
  sales-tracking database, on-line quota information, and
  competitive information. The mail-specific users of this group
  are the admins who support the members of the sales team, who need
  to get the mail that goes out to the group, but don't need access
  to the applications and information that the salespeople do.

  Hey EllyK,
  Welcome to the BlackBerry Support Community Forums.
  Thanks for the question.
  I would suggest performing this workaround and then try to login to BlackBerry Link:
  Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
  Connect the BlackBerry 10 smartphone to the computer. 
  Open BlackBerry Link
  Sign in using the BlackBerry ID. 
  Let me know if the issue still persists.
  Cheers.
  -ViciousFerret
  Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
  Be sure to click Like! for those who have helped you.
  Click  Accept as Solution for posts that have solved your issue(s)!

• Mapping LDAP Groups to SAP Roles

  Hi there,
  i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
  My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
  In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
  In Web AS ABAP it seems impossible to assign roles to groups.
  <b>The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?</b>
  Or is there another way to administrate users in different systems?
  Thanks alot for your answers,
  stefan

  Hi
  in this case u have to use the concept of central user administration. use the following links
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
  hope this helps u to get fair bit of idea
  don,t forget to give points
  With regards
  subrato kundu

• How can I easily remove a group of photos from my iPad

  how can I easily remove a group of photos from my iPad?

  Iif the photos were synced to the iPad they can only be removed by connecting to iTunes on your computer, unselecting the photos folder that you synced to the iPad and then follow that with a sync.
  IF the photos are in the camera roll, open the camera roll album, tap the as select button in the upper right corner, tap on each photo that you want to delete in order to select them and then tap the trash can icon.

• LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

  I have 2 questions and these are very urgent :-
  1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
  2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
  contractactors and employess. How do I map LDAP group contractors to weblogic security
  Role contractors? Similarly for employees ?
  2. I have not defined contarctors and employeees under People container in IPlanet.
  e.g. The RDN for contractor is
  uid=1234,ou=dir,dc=orams,dc=com
  Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
  under People ) OR I have to write my own custom code ?
  3. I am planning to use Roles insetad of groups to manage the logical grouping in
  iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
  parameters ?)
  This is very urgent ....so if any of you can throw any hints that will be greatly
  appreciated.
  --Sunita

  Hi Ariel,
  The driver is bundled with the product in WLS 6.1sp1. you don't have to
  download any additional driver. Use it as you normally would only thing to
  remember is if you are trying to write standalone java code then you have to
  have weblogic.jar in your classpath. For the rest of the info follow the wls
  docs for 6.1
  HTH
  sree
  "Ariel" <[email protected]> wrote in message
  news:3bb4a643$[email protected]..
  We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
  downloaded the JDriver from bea.com, but all the istructions that camewith
  it are for WLserver 5.1.
  What has to be done to do this with 6.1 sp1?
  Thanks,
  Ariel

• Portal Error (A critical error...) after removing "Administrators" group

  Hello experts,
  I'm very new on the Portal topic and faced with an error on our portal environment (SAP ECC 6.0 and SAP Netweaver 7.01)
  I've created a custom role with some worksets, folders and SAP standard delivered iView inside.
  My portal dummy user is owner of this role. Furthermore he's assigned to the groups: "Everyone", "Administrators" and "Authenticated Users". The corresponding user in R/3 backend has SAP_ALL.
  When I log-on to portal it's working fine, iViews, etc. are properly loaded. But thanks to the "Administrators" group, the user can access the tabs "Content Administration", "System Administration" and "User Administration" which should be obviously not the case. When I remove the group "Administrators" from the portal user, the 3 tabs are not displayed anymore. Therefore the iView from my custom role are not loaded any more. I get an error message in main screen saying "Critical Error. A critical error has occured. Processing of the service was terminated. Unsaved data has been lost. Contact your system administrator".
  A colleague told me that it might be an issue on portal permission. I went via tab "System Administation" > "Permission" into the PCD and gave to my roles, folders and an example iView the following permissions:
  - Name: Everyone; Administrator: Full Control; End User: checked
  - Name: Authenticated Users; Administrator: Full Control; End User: checked
  As I've used Delta Links I gave these permission to the SAP delivered iViews, too. Unfortunately the error stays the same.
  Please advice what's missing.
  Thank you so much, Jessica

  Hi,
  Thanks for your reply.
  I started the NWA and went to Analysis > Debug > Logs and Traces.
  There is a fatal error stated but the explanation is not very detailed:
  Severity: fatal; Message: n/a; Category: /Applications/Xss; Location: com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent; Application: sap.com/tcwddispwda; Host: pesap57; Node: Server 0 26_91224
  The message is displayed twice (again: Severity: fatal; Message: n/a; Category: /Applications/Xss; Location: com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent; Application: sap.com/tcwddispwda; Host: pesap57; Node: Server 0 26_91224)
  These errors are not in the log when I add the Administrators Group.
  Thanks for your advice, Jessica

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• LDAP Groups Authorization

  Hi,
  I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
  I was successfull in setting my Authentication to "Based on authentication scheme from gallery:Existing Login Page: Use LDAP Directory Credentials" -
  That works fine, But I would not like all users in my OID LDAP directory to log into my application- Which is why I have created a group for the user I want to include in my OID directory.
  Now at the " Builder->Application...->Security->Authorization Schemes->
  I have created an Authorization Scheme as "PL/SQL Function returing a booloean" .
  My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
  return wwv_flow_ldap.is_member
  (:APP_USER,
  null,
  'cn=users,dc=wellesley,dc=edu',
  'jadeland.wellesley.edu',
  '389',
  'wcd_HTMLDB',
  'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
  where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
  I have included 3 users in the group 'wcd_HTMLDB' .
  Still the login page allows all LDAP user ( and not just the 3 from the 'wcd_HTMLDB' group.
  Where did I go wrong -?
  What 's the proper way to authorise only LDAP users in a group ?
  Any help would be really appreciated.
  Thanks .

  Indira,
  The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
  When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
  When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather that once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then using that item as an 'already passed' flag for subsequent invocations.
  Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
  Scott

• Cannot Add user to CMC Group when they are a member of LDAP group

  On PreProduction Server CMC
  Softerra LDAP browser used to verify user is a member of LDAP group
  User does not show as a member of that group in the CMC
  Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
  On Production Server CMC
  For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
  Why doesn't the groups in CMC show what is actually showing in the LDAP browser?

  Hi,
  Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
  Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
  If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
  Regards,
  Julian