Rule to apply ldap group filter to allow access in OAM Policy Manager

This may be pretty basic, but I'm trying to implement a rule in Policy Manager to allow access to a resource based on LDAP group membership. I can't figure out how to construct the ldap query. I'm using OID as the directory server.
Does anybody know how to create an ldap query that will apply a group filter to authenticated?
The format would be something like
ldap:///dc=oracle,dc=com??sub?(......)
Thanks for any help!

Mark,
Do you by any chance know what we can include in our DBMS_LDAP statement, when creating a new user in OID, to populate obpasswordcreationdate as part of the user creation?
Here is what we are running, but since we moved to OBLIX we don't know how to populate a new user.
Here is part of our code using MOD_ADD.
emp_vals(7) := null;
DBMS_LDAP.populate_mod_array(emp_array,DBMS_LDAP.MOD_ADD,'obpasswordcreationdate',emp_vals);
emp_vals(1) := 'top';
emp_vals(2) := 'person';
emp_vals(3) := 'organizationalPerson';
emp_vals(4) := 'inetOrgPerson';
emp_vals(5) := 'orcluser';
emp_vals(6) := 'orcluserv2';
emp_vals(7) := 'oblixPersonPwdPolicy';
After it runs, it sends me an error: no data found.
Thanks so much in advance. Not getting any answers.
KA

Similar Messages

  • Intermediary DMZ domain - Will this allow access whilst maintaining separation?

    Hi 
    We have a client who has a requirement to link the domain of an acquired company whilst maintaining separation from the legacy environment. We have access to the legacy resources using legacy resource domain credentials but the customer wants to connect to these resources using the user domain credentials.
    The company has a large forest with several child domains, the users and workstations are hosted in one of these child domains.
    The legacy/resource domain runs many services print/application/file from both the forest root and several of their child domains.
    There is to be a DMZ between both domains and there are DNS/routing/firewall constraints which prevent a direct trust between the two at the moment.
    The user domain is only permitted to have an external one-way (incoming trust) from one of the child domains.
    With these constraints in mind would the introduction of an intermediary domain in the DMZ allow users in the user domain access to the resource domain as described below?
    Groups are created in the DMZ domain which contain the user accounts from the users domain using the one-way trust
    These groups in the DMZ domain are then added, where required, to the acl's of the resources in the resource domain.
    Would the above allow a user in the user domain access to the legacy resources using the user credentials?
    Any suggestions comments will be greatly appreciated, hopefully I have qualified the requirements and the constraints please ask if I have missed out some detail you need to clarify the scope of what I am trying to achieve.
    Thanks, Garry

    Thanks Gleb
    Your answer does support what I thought may be the case as the external trust is non-transitive, wasn't sure if the 2 way forest trust between the resource domain and DMZ domain using group membership would allow access without authentication.
    We have looked into creating a direct trust with a DC in the DMZ of the resource domain and due to a split DNS, address NATing, lack of reverse routing (all configured for other reasons and not something that can easily be undone) and reliance on root DFS of the resource domain we experienced issues when trying to establish a trust in this fashion - hence the attempt to further separate the user and resource domains.
    Also a forest trust is not permissible from the user domain due to company policies. The firewall rules are the least of our issues as this is well documented and has been configured before in the environment just highlighting another layer of complexity.
    The users can currently access resources in the legacy domain however they need to authenticate with legacy credentials. The primary goal we are trying to achieve is provide a solution to allow access to these resources with the user domain credentials.
    Any further suggestions would be welcome.
    Garry.

  • Vibe ldap group exclusion filter?

    This is the default Group Sync filter which brings all the eDirectory groups into Vibe.
    (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))
    Can someone help me with an example of what the ldap group sync filter in Vibe would look like if I wanted to exclude eDirectory groups such as www and novlxtier from the sync?
    Thanks, Dave.

    On 07/08/2014 17:56, dkerbaugh wrote:
    > This is the default Group Sync filter which brings all the eDirectory
    > groups into Vibe.
    >
    > (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))
    >
    > Can someone help me with an example of what the ldap group sync filter
    > in Vibe would look like if I wanted to exclude eDirectory groups such as
    > www and novlxtier from the sync?
    I use something like the following with Filr to achieve what you're asking:
    (&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(!(|(cn=www)(cn=novlxtier))))
    HTH.
    Simon
    Novell Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below. Thanks.

  • Application adding '\' to the group filter

    Hi,
    We have two groups created in Oracle Internet Directory server. Here are the details:
    cn=user_group_1,cn=organisation,cn=groups,dc=oracle,dc=com
    cn=user_group_2,cn=organisation,cn=groups,dc=oracle,dc=com
    We are using the below configuration from our portal to pull the users from the above two groups, but we couldn't do that.
    Group Path = cn=organisation,cn=groups,dc=oracle,dc=com
    Group scope = SUB_TREE
    Group Filter = (cn=user_*)
    I am getting an error with the above configuration; the error message says "Please make sure Group path is correct". But the Group path is correct. Our LDAP admin said that my portal itself is adding '\' to the group filter.
    Below is the request that comes to the LDAP server.
    ldapsearch -h ldap_server_name -p 636 -U 1 -b "cn=organisation,cn=groups,dc=oracle,dc=com" "(&(objectclass=groupofuniquenames)(cn=user\_*))"
    Please let us know how I can remove this '\' at the portal level, or how I can handle it at the LDAP server level.
    Thanks in Advance.
    Regards,
    Laxman

    It seems that it is not allowing _.
    Whenever a special character comes, it adds \ in front of it.
    It happens in OIM but that is Java, so we can handle it.
    Escape character before dot in dn entry after OID provisioning
    I don't know how requests are coming to the portal. You can see the link below. It may help you.
    http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Finding_Directory_Entries-Using_ldapsearch.html
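The '\_' in the logged request is the whole problem: RFC 4515 allows a backslash in an assertion value only as '\' followed by two hex digits, so '\_' is not an escape OID can accept, and '_' never needs escaping in the first place (only '*', '(', ')', '\' and NUL do). The code below is an added example of my own, not the portal's code and not anything OID ships: it escapes a caller-supplied prefix correctly, flags the bad escape, builds the (&(objectclass=...)(cn=user_*)) filter from this thread, and also writes the ldap:///base??scope?filter URL form (RFC 4516) asked about at the top of this page. Function names and sample values are my own choices.

```python
"""RFC 4515 filter-value escaping and RFC 4516 URL building (added example)."""
import re
from urllib.parse import quote

# The five characters RFC 4515 section 3 requires to be escaped inside a value.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape one assertion value for embedding in a search filter.

    '_' and other ordinary characters pass through unchanged. Non-ASCII and
    control characters are written as \\hh of their UTF-8 bytes so the filter
    stays plain ASCII; this is what an injected "*)(objectclass=*" turns into."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")

def find_invalid_escapes(filter_text):
    """Offsets of every backslash not followed by two hex digits, e.g. the \\_ above."""
    return [m.start() for m in _BAD_ESCAPE.finditer(filter_text)]

def group_filter(prefix, object_class="groupOfUniqueNames"):
    """(&(objectclass=<class>)(cn=<prefix>*)): the prefix is escaped, and the
    trailing '*' is a deliberate wildcard appended after escaping so it survives."""
    return "(&(objectclass=%s)(cn=%s*))" % (escape_filter_value(object_class),
                                           escape_filter_value(prefix))

def ldap_url(base_dn, scope, filter_text, host=""):
    """ldap://host/dn?attrs?scope?filter per RFC 4516, attribute list left empty.
    Each component is percent-encoded on its own so a '?' can never split one."""
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    return "ldap://%s/%s??%s?%s" % (host, quote(base_dn, safe="=,"),
                                   scope, quote(filter_text, safe="()=*&|!:,"))
```

group_filter("user_") gives (&(objectclass=groupOfUniqueNames)(cn=user_*)), which is what the portal should have sent; find_invalid_escapes on the logged filter points at the one backslash, and a caller-controlled value such as "*)(objectclass=*" comes out as \2a\29\28objectclass=\2a instead of widening the search. The URL builder reproduces the RFC 4516 example exactly, so you can check it against the RFC text.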

  • LDAP Group Lookup Policy

    I would like to know if it is possible to set up an Inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
    I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a Distribution group called Media_Access.
    Does this need to be a distribution group or a mail-enabled security group?
    We are using Active Directory.
    Thanks

    Though you could accomplish this with message filters, my vote would be for using ldap group query with the incoming mail policy. You can have the Media-policy that checks if the recipients are a member of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering by the way.
    Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
    Have you tried to create a policy allowing these file types and checking the recipients using LDAP group query?
    Then, insert a policy below this (the mentioned above) not allowing these file type for non-group members.

  • Jabber Windows - no phone control with LDAP Custom filter

    I am unable to control the desktop phone from the Jabber 9.1 Windows client when the CallManager LDAP Directory uses a Custom Filter.
    Has anyone else experienced this?
    If I set the LDAP Custom Filter to <none> and save, then Desktop Phone control works great.
    If I set it to use my custom filter, then trying to enable Desktop control just gives me the spinning circle, then times out to the Red X symbol.
    I do not need to resync the LDAP Directory to get the error, just enable/disable the custom filter and save.
    In both cases calling from the Computer works great.
    This is an On-Prem deployment with full MS-AD LDAP integration.
    Versions are:
    Jabber - 9.1.0 build 12296
    CUPC - 8.6.4.11900-1
    CUCM - 8.6.2.22900-9
    I upgraded to CUCM 8.6.2 SU2 last night hoping that would fix the problem, but no luck.
    The LDAP filter is one I have used in numerous other clusters with no CTI issues.
    It allows me to sync to the root directory, but only import active user accounts with an entry in the ipPhone AD attribute:
    (&((objectclass=user)(ipPhone=*))(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    Thanks, Randy

    Hi Randy,
    Have you specified this base filter in jabber-config.xml file? As per Admin Guide:
    "In some cases, base filters do not return query results if you specify a closing bracket in your Cisco Jabber for Windows  configuration file. For example, this issue might occur if you specify  the following base filter: (&(memberOf=CN=UCFilterGroup,OU=DN))
    To resolve this issue, remove the closing bracket; for example, (&(memberOf=CN=UCFilterGroup,OU=DN)"
    Thanks,
    Maqsood
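Before handing a filter like Simon's exclusion filter above or Randy's custom filter to a product, it is worth running it against known entries to see exactly what it selects. The evaluator below is an added example written for this page, not code from Vibe, Filr, Jabber or CUCM, and the entries are made up. It covers and/or/not, equality, presence, substrings and \hh escapes (so it rejects the '\_' from the OID thread earlier on this page), plus the Active Directory extensible rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) that Randy's ':=2' test uses for the ACCOUNTDISABLE bit. One caveat a reader should know: Randy's filter as posted wraps its first two items in an extra pair of parentheses, which RFC 4515 does not allow and this parser rejects; the example uses the well-formed form with the same meaning.

```python
"""RFC 4515 filter evaluator, added as an example (not Vibe, Filr, Jabber or CUCM code).
Assumes caseIgnoreMatch for attribute names and values (true for cn and objectClass)."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND (Active Directory)
_ATTR = r"[A-Za-z][\w.;-]*"

def _unescape(raw):
    # \hh is the only escape RFC 4515 allows; the \_ seen in the OID thread is rejected here
    if re.search(r"\\(?![0-9A-Fa-f]{2})", raw):
        raise ValueError("invalid escape in %r: RFC 4515 requires \\hh" % raw)
    return re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw.encode("utf-8")).decode("utf-8")

class Filter:
    def __init__(self, text):
        self.text, self.pos = text, 0
        self.tree = self._parse()
        if self.pos != len(text):
            raise ValueError("trailing text at offset %d" % self.pos)

    def _expect(self, ch):
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.pos))
        self.pos += 1

    def _parse(self):
        self._expect("(")
        c = self.text[self.pos:self.pos + 1]
        if c in ("&", "|"):                  # n-ary and / or; an empty list is legal (RFC 4526)
            self.pos += 1
            kids = []
            while self.text[self.pos:self.pos + 1] == "(":
                kids.append(self._parse())
            node = (c, kids)
        elif c == "!":
            self.pos += 1
            node = ("!", [self._parse()])
        else:                                # simple item: a raw ')' can only close it
            end = self.text.find(")", self.pos)
            if end < 0:
                raise ValueError("unterminated item at offset %d" % self.pos)
            node = self._item(self.text[self.pos:end])
            self.pos = end
        self._expect(")")
        return node

    def _item(self, body):
        m = re.fullmatch(r"(%s)(?::dn)?(?::([\w.]+))?:=(.*)" % _ATTR, body, re.S)
        if m:                                # extensible match, bitwise AND only
            if m.group(2) != BIT_AND:
                raise ValueError("unsupported matching rule %r" % m.group(2))
            return ("bitand", m.group(1), int(_unescape(m.group(3))))
        m = re.fullmatch(r"(%s)=(.*)" % _ATTR, body, re.S)
        if not m:
            raise ValueError("bad filter item %r" % body)
        attr, val = m.group(1), m.group(2)
        if val == "*":
            return ("present", attr)
        # split on the wildcard before unescaping so an escaped \2a stays a literal '*'
        parts = [re.escape(_unescape(p).lower()) for p in val.split("*")]
        return ("match", attr, re.compile(".*".join(parts), re.S))

    def matches(self, entry):
        return self._eval(self.tree, {k.lower(): v for k, v in entry.items()})

    def _eval(self, node, entry):
        kind = node[0]
        if kind == "&":
            return all(self._eval(k, entry) for k in node[1])
        if kind == "|":
            return any(self._eval(k, entry) for k in node[1])
        if kind == "!":
            return not self._eval(node[1][0], entry)
        values = entry.get(node[1].lower(), [])   # entry: attribute name -> list of strings
        if kind == "present":
            return bool(values)
        if kind == "bitand":                 # true when every bit of n is set in the value
            return any(int(v) & node[2] == node[2] for v in values)
        return any(node[2].fullmatch(v.lower()) for v in values)

EDIR_GROUPS = [   # constructed sample entries, not real directory data
    {"cn": ["www"], "objectClass": ["groupOfNames"]},
    {"cn": ["novlxtier"], "objectClass": ["groupOfNames"]},
    {"cn": ["Vibe Users"], "objectClass": ["groupOfNames"]},
]
AD_USERS = [
    {"cn": ["rsmith"], "objectClass": ["user"], "ipPhone": ["2001"], "userAccountControl": ["512"]},
    {"cn": ["olduser"], "objectClass": ["user"], "ipPhone": ["2002"], "userAccountControl": ["514"]},
    {"cn": ["svc-nophone"], "objectClass": ["user"], "userAccountControl": ["512"]},
    {"cn": ["PC01"], "objectClass": ["user", "computer"], "ipPhone": ["2003"], "userAccountControl": ["4096"]},
]
VIBE_FILTER = "(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(!(|(cn=www)(cn=novlxtier))))"
JABBER_FILTER = "(&(objectclass=user)(ipPhone=*)(!(objectclass=Computer))(!(UserAccountControl:%s:=2)))" % BIT_AND

def select(filter_text, entries):
    f = Filter(filter_text)
    return [e["cn"][0] for e in entries if f.matches(e)]
```

select(VIBE_FILTER, EDIR_GROUPS) returns ['Vibe Users'], and select(JABBER_FILTER, AD_USERS) returns ['rsmith']: the disabled account (userAccountControl 514 has bit 2 set), the entry with no ipPhone and the computer object all drop out. Case-insensitive comparison is an assumption of this example; check the matching rules of the attributes in your own schema before relying on it.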

  • FICA: clearing rules to applying payments against unpaid security deposits regardless of due date

    Hi Folks,
    We have a requirement in FICA clearing rules to apply the payment against unpaid security deposit irrespective of the due date. I have the below rule configured as the first step in my clearing variant.
    Grouping String: 019 (statistical indicator); Grp Rule: 3; Char Value: H (security deposits); AIRI: 4;  Group: 019
    Sort characteristic: 010 (Due date); Rank: 3; Char value: H; Rank: 1
    I have maintained the corresponding clearing variant in all the clearing types (account maintenance, automatic clearing, and incoming payments); However, I still see that the items are cleared only based on due date;
    Am I missing something here? Please share your suggestions.
    Thanks,
    Santosh
    Moderator update - question solved with FICA: Clearing rules for account maintenance & auto clearing to apply credits against unpaid security deposits regardless of due date
    Message was edited by: William Eastman

    Santosh:
    This rule will not work in account maintenance.  You would need to include the data about the credits into your grouping criteria in order for that to work.  Most clearing rules do not work for account maintenance as they do for payments.  You probably need to have a separate variant with a rule not based on statistical indicator, but rather based on transaction value or maybe create your own custom grouping via TFK116.
    regards,
    bill.

  • Sharepoint 2010 Document Library Group Filter

    I am having difficulty grouping my documents without folder by grouping by. I would like to use the expand or collapse feature. I have several documents that need to be grouped together and have a separate sub group of folders that will not allow me to have to type each content in the sub groups.

    Hi,
    Per my knowledge, when we apply the group by feature in the view, the documents would group by the column which you had chosen as below.
    When we upload a file to the library, the file would auto group by in the library.
    Could you explain more details about your issue? It will be better if you can give us a print screen.
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Timeout querying LDAP groups from BPM Workspace Administration page

    I already configured my server to use Active Directory instead of the WebLogic embedded LDAP for user authentication in the BPM Workspace.
    When I go to [Weblogic Console / Security Realms / myrealm / Users and Groups / Groups] the console correctly shows all the AD groups after approx. 20 secs, but when I try to assign some group to a role using the BPM Workspace Administration menu, the app only shows users in the search pop-up; if I search using the "All" or "Groups" filter I always get this error:
    ORABPEL-10592
    Identity Service soap error.
    BPMIdentityService encountered soap error in method invoke for with fault "javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: miserver.com:389 [Root exception is java.net.ConnectException: Connection timed out]]".
    Ensure that the soap message is properly formed and has all necessary attributes and elements. Contact oracle support if error is not fixable.
            at oracle.bpel.services.identity.client.IdentityServiceSOAPClient.invoke(IdentityServiceSOAPClient.java:265)
            at oracle.bpel.services.identity.client.IdentityServiceSOAPClient.searchGroups(IdentityServiceSOAPClient.java:391)
            at oracle.bpel.services.identity.client.AbstractIdentityServiceClient.searchGroups(AbstractIdentityServiceClient.java:514)
            at oracle.bpel.worklistapp.dc.idbrowser.beans.model.identity.UnrestrictedIDSearcher.searchGroups(UnrestrictedIDSearcher.java:65)
            at oracle.bpel.worklistapp.dc.idbrowser.beans.model.IdentityBrowserModel.executeSearch(IdentityBrowserModel.java:265)
            at oracle.bpel.worklistapp.dc.idbrowser.beans.view.IdentityBrowserView.executeSearch(IdentityBrowserView.java:308)
            at oracle.bpel.worklistapp.dc.idbrowser.beans.controller.IdentityBrowserController.executeSearch(IdentityBrowserController.java:84)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at com.sun.el.parser.AstValue.invoke(AstValue.java:157)
            at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283)
            at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
            at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1259)
            at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:90)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:309)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:94)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:91)
            at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:90)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:309)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:94)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:90)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:309)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:94)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:91)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:90)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:309)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:94)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:90)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:309)
            at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:94)
            at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:91)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:812)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:292)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:177)
            at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
            at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
            at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
            at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
            at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:191)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:97)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420)
            at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:247)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:157)
            at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:94)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:414)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:138)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:159)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:94)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:414)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:138)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    It seems like the long response time from AD is closing the connection, but I can't find where to configure the timeout for the workspace app. In my provider-specific settings for the AD provider I checked "Keep Alive Enabled" but it doesn't work.
    Any ideas about this? I'm using Oracle SOA Suite 11gR3.

    Hello Martin,
    Did you check it on apex.oracle.com because I just did and didn’t encounter the same problem.
    Regards,
    Arie.
    ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
    ♦ Author of Oracle Application Express 3.2 – The Essentials and More

  • LDAP Groups Authorization

    Hi,
    I have read some of the forum threads about LDAP Group Authorization - I remain confused. Here's the problem I am trying to solve.
    I was successful in setting my Authentication to "Based on authentication scheme from gallery: Existing Login Page: Use LDAP Directory Credentials".
    That works fine, but I would not like all users in my OID LDAP directory to log into my application, which is why I have created a group in my OID directory for the users I want to include.
    Now at the " Builder->Application...->Security->Authorization Schemes->
    I have created an Authorization Scheme as "PL/SQL Function returning a boolean".
    My Scheme Source(Identify Query or PL/SQL) is as follows and is set to "once Per session"
    return wwv_flow_ldap.is_member
    (:APP_USER,
    null,
    'cn=users,dc=wellesley,dc=edu',
    'jadeland.wellesley.edu',
    '389',
    'wcd_HTMLDB',
    'cn=portal.040323.1220,cn=Groups, dc=wellesley,dc=edu');
    where in my LDAP directory, 'wcd_HTMLDB' is the subgroup under group "portal.040323.1220" -
    I have included 3 users in the group 'wcd_HTMLDB' .
    Still the login page allows all LDAP users (and not just the 3 from the 'wcd_HTMLDB' group).
    Where did I go wrong -?
    What's the proper way to authorise only LDAP users in a group?
    Any help would be really appreciated.
    Thanks .

    Indira,
    The public synonym (and grant execute) must be created after that package is compiled which can happen after catldap is run in your database. This is only a problem if catldap has not been run before HTML DB is installed. That's described in the flows/doc/ldap.html file in the distribution directory (not very prominently, we know).
    When you initially attached the authorization scheme to your login page and it wouldn't let you in, the reason is that it was using the value of APP_USER to drive your lookup function. But when the login page is rendered, APP_USER is null because you haven't logged in yet. So a user-based authorization scheme on a login page can never work.
    When you changed the ldap username edit function the way you did, you achieved the goal of preventing an unauthorized user from using the login page to authenticate. Looks like the way it's set up is to give unauthorized users an authentication error, which is a little misleading (saying their credentials are invalid when in fact they are valid but they aren't authorized to use your application), but if it suits your purpose, great. You should consider that if you change the authentication method to, say, Single Sign-On, you'll then want to use authorization schemes to keep unauthorized users out. So the authorization scheme that you first set about using would be fine in that case, so long as you adjust the code to allow for visits to public pages prior to authentication (v('APP_USER') = 'HTMLDB_PUBLIC_USER'). However, you'd want to attach that scheme to the application itself (Edit Application Attributes->Authorization) so it fires on every page. Evaluating a scheme like that on every page view rather than once per session probably works best, even better if you cache the result of the evaluation yourself for performance reasons, e.g., set an application item to some value the first time the authenticated user passes the ldap membership test, then use that item as an 'already passed' flag for subsequent invocations.
    Finally, I assume you are using the built-in ldap_dnprep function because you need to replace '.' with '_' in the username value entered by the user. If that is not your requirement, let's talk.
    Scott

  • Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings

    I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.
    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1085
    Version 0
    Level 3
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2014-10-20T20:09:03.706992400Z
    EventRecordID 130087
    - Correlation
    [ ActivityID] {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}
    - Execution
    [ ProcessID] 1000
    [ ThreadID] 3280
    Channel System
    Computer SERVER.DOMAIN.NAME
    - Security
    [ UserID] S-1-5-18
    - EventData
    SupportInfo1 1
    SupportInfo2 4404
    ProcessingMode 0
    ProcessingTimeInMilliseconds 10343
    ErrorCode 183
    ErrorDescription Cannot create a file when that file already exists.
    DCName \\SERVER.DOMAIN.name
    ExtensionName Group Policy Local Users and Groups
    ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}
    Everything I look up for Event ID 1085 seems to be about a different cause.
    Any ideas?

    I enabled tracing on a domain GPO and I still get the error when running gpupdate /force.
    I'm also still getting Event 1085.  Here's the trace file.  I've anonymized the site/domain and the GUIDs.
    2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID-1}
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] BackgroundPriorityLevel ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] DisableRSoP ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] LogLevel ( 2 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Background priority set to 0 (Idle).
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ----- Parameters
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] CSE GUID : {GUID-1}
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff)
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy.
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Token (computer or user SID): S-1-5-18
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Abort Flag : Yes (0x313be090)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] HKey Root : Yes (0x80000002)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Deleted GPO List : No
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Changed GPO List : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Asynchronous Processing : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Status Callback : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] WMI namespace : Yes (0x32273740)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] RSoP Status : Yes (0x320cc7f4)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Planning Mode Site : (none)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Computer Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] User Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Calculated list relevance. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Version : 19267878 (0x01260126)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-2},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-2}\Machine
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Prev GPO : No
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Next GPO : Yes
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-4}{GUID-5}{GUID-6}{GUID-7}{GUID-8}][{GUID-9}{GUID-10}][{GUID-11}{GUID-5}{GUID-6}]
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam2 : 0x3146f978
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-2}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Version : 1245203 (0x00130013)
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-12},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-12}\Machine
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Prev GPO : Yes
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Next GPO : No
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-9}{GUID-10}]
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam2 : 0x324e8198
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-12}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Completed get next GPO. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] WQL : SELECT * FROM RSOP_PolmkrSetting WHERE polmkrBaseCseGuid = "{GUID-1}"
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Purged 2 old RSoP entries.
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Logging 2 new RSoP entries.
    2014-10-21 11:16:54.159 [pid=0x3e8,tid=0xcd0] RSoP Entry 0
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] RSoP Entry 1
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] Completed get GPO list. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7

  • Webcenter discussion forum - Ldap Group Integration with JSSO

    Hi,
    We want to implement LDAP Group integration for authorization purposes in
    Webcenter Jive Discussions deployed in our IAS 10.1.3.2 application server.
    Though Jive provides support for the same, the Jive documentation says
    that we need to implement Jive's LDAP User authentication steps in order
    to leverage LDAP Groups integration. In the case of Webcenter, if we use Java SSO
    for the authentication purpose, we need to opt for the 'Default' in the Jive
    Admin's authentication page instead of LDAP settings. Opting for the 'Default'
    scheme doesn't allow us to configure the LDAP group settings. We are not able to
    find any documentation for LDAP Group Integration along with Java SSO. Could you
    provide us the steps required for the same? Or has anyone tried the same?
    Thanks and Regards,
    Abhijit

    Hi Abhijit,
    You can ignore 'Default', and implement your own user authentication mechanism, which can include LDAP group settings. You will have to follow:
    - OC4J security documentation for using Java SSO in your own implementation (I think this is the right link - confirm the version numbers - http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABEJFDI)
    - Jive documentation for implementing user authentication
    Navneet.

  • Ldap groups

    Hi,
    I have 5 roles and each role selection should provision the user to a separate ldap group + a default ldap group.
    How can I achieve that...
    dn: cn=group1,ou=people,o=domain,o=com
    + dn: cn=mail,ou=people,o=domain,o=com
    Where cn=mail is common for every role selection. I have a variable temp which generates group values based on role selection and I am mapping it in the identity template. I think that will provision the user to one group. How can I provision the user to the default group?
    Any ideas?

    Hi,
    Here is one suggestion:
    Edit each role using the admin pages under the Roles Tab; you will see
    a section called Assigned Resources, where you can set resource attribute values.
    Here you can override the ldapGroups attribute for your ldap resource.
    ldapGroups is a List, so you want to add a specific cn=...
    string to the existing ldapGroups list. This seems to work well and no xml editing is required!
    The effect of this will be that different dns will get added to the ldapGroups
    variable, depending on which role gets assigned to the user.
    Does that make sense? Hope this helps.
    As for the default dn (cn=mail...), you can either do it the same way (but call a rule rather than replicating the dn 5 times for each resource), or put that into the userform
    that gets invoked.
    I'm not sure if I explained this well enough, I hope this helps,
    John I

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example, I want to allow an existing user:
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by the LDAP group:
    cn=AppGroup1,ou=Groups,o=mycompany
    This group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • How to Dynamically set Group Filter via parameter

    To display top X records per group in a report, we can set the group's filter type = First and Number of Records = X. What if X is variable and is passed as a parameter?

    To dynamically set a group filter use a bind parameter, e.g. :MAX_Records. A second (dummy) bind parameter which has to be reset at a level above this group, e.g. :INC_CNTR, has to be defined. Then edit the filter function for the group your filter should apply to:
        BEGIN
          -- count this record within the current group
          :inc_cntr := :inc_cntr + 1;
          -- keep the record only while the group's counter is within the limit
          if :inc_cntr <= :max_records then
            return (TRUE);
          else
            return (FALSE);
          end if;
        END;
    :MAX_Records can then be set at runtime through the parameter form.
    Hope this is what you were looking for.
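    To see why the answer insists that the dummy counter be reset at the level above the filtered group, here is a stand-alone simulation of that filter scheme (added example in Python, not Oracle Reports code; the sample rows, the department grouping and the reset_per_group switch are constructed for illustration):

```python
"""Simulation of a 'first N records per group' filter driven by two
bind-style parameters: max_records (:MAX_Records) and a running counter
(:INC_CNTR) that must be reset whenever the parent group changes."""
from itertools import groupby

# Constructed sample: (department, employee, salary), already ordered the
# way the report query would order them (by department, then salary desc).
SAMPLE_ROWS = [
    ("SALES", "alice", 900),
    ("SALES", "bob", 800),
    ("SALES", "carol", 700),
    ("IT", "dave", 950),
    ("IT", "erin", 600),
]


def top_n_per_group(rows, max_records, reset_per_group=True):
    """Return the rows that pass the group filter.

    max_records mirrors :MAX_Records; inc_cntr mirrors :INC_CNTR.
    With reset_per_group=True the counter is zeroed when a new parent
    group (the department) starts, which is what the answer requires.
    With reset_per_group=False the counter keeps running across groups,
    so only the first max_records rows of the whole report survive.
    """
    if max_records < 0:
        raise ValueError("max_records must be >= 0")
    kept = []
    inc_cntr = 0
    for _dept, members in groupby(rows, key=lambda r: r[0]):
        if reset_per_group:
            inc_cntr = 0  # reset at the level above the filtered group
        for row in members:
            inc_cntr += 1  # the filter function increments first ...
            if inc_cntr <= max_records:  # ... then compares with the limit
                kept.append(row)
    return kept


if __name__ == "__main__":
    for row in top_n_per_group(SAMPLE_ROWS, 2):
        print(row)
```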
