SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server

All,
I'm having a nightmare with this and I'm hoping someone can either confirm my problem or solve it for me.
We are running R/3 Enterprise 4.7 (Web AS 6.20) and would like to sync the users with Micsoroft Active Directory 2003.
We are exploring the option of using full Active Directory schema expansion for the SAP sync. i.e. so we have all SAP related fields in AD.
According to the SAP notes, I need the WEB AS 6.10 installation CD so that I can run R3SETUP to perform the Active Directory schema modifications.
I have tried to download this from the SWDC with no luck.
So I guess my questions are:
1, Do I really need the 6.10 install cd (it seems it's only the ADSINIT.R3S file).
2, If I do, where can I get it from?, do I need to order it through our SAP contract manager?
In the meantime, I have tried performing the manual schema extension using the RSLDAPSCHEMAEXT report, uploading this to the AD server and running "ldifde" command.
This has extended the schema (or so it says), but I can't see any SAP icon in the AD tree. Have I missed something?
Any help appreciated.
Thanks,
Darryl

Rainer,
Thanks for that.
I have been re-reading note 793191 and question 14 says exactly that.
I will checkout JXplorer.
I have found a couple of MS technet articles on how to add your own context menus to the snap-in but it seems like a lot of effort for no real gain.
Thanks again.
ps. awarded points

Similar Messages

Issue in ldap-sync with active directory - OIM11gR2

Hi Expert,
I have enabled the ldap-sync with Active Directory in OIM11gR2. I followed the below document to enable the ldap-sync.
Enabling LDAP Synchronization in Oracle Identity Manager - 11g Release 2 (11.1.2)
For testing if ldap sync is working on not . I run the LDAPSync Post Enable Provision Users to LDAP schedule job. While running the job i encounter below exception in log. Please provide me some pointer to solve my issue. How we can sure ldap sync is configure properly? Please provide me some steps to test it out?
<Jul 31, 2013 9:51:25 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Jul 31, 2013 9:51:25 AM PDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <BEA-000000> <An error occurred while searching the entity in LDAP, and the corresponding error is - {0}
javax.naming.NameNotFoundException: Error: NO_SUCH_OBJECT
LDAP Error 32 : No Such Object [Root exception is oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object]
at oracle.ods.virtualization.jndi.OVDUtil.mapErrorCode(OVDUtil.java:151)
at oracle.ods.virtualization.jndi.OVDContext.search(OVDContext.java:439)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.search(LDAPUtil.java:1073)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.search(LDAPDataProvider.java:1218)
at oracle.iam.ldapsync.impl.util.CommonNamePolicyUtil.isUserExists(CommonNamePolicyUtil.java:84)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.isCommonNameExistingOrReserved(CommonNameGenerationUtil.java:192)
at oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy.getCommonNameFromPolicy(FirstNameLastNamePolicy.java:157)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:116)
at oracle.iam.ldapsync.impl.util.CommonNameGenerationUtil.generateCommonName(CommonNameGenerationUtil.java:82)
at oracle.iam.oimtoldap.impl.SeedOIMDataInLDAPImpl.createUserInLDAP(SeedOIMDataInLDAPImpl.java:182)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy710.createUserInLDAP(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPEJB.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy709.createUserInLDAPx(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAP_8d8qil_SeedOIMDataInLDAPRemoteImpl.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
at $Proxy163.createUserInLDAPx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy707.createUserInLDAPx(Unknown Source)
at oracle.iam.oimtoldap.api.SeedOIMDataInLDAPDelegate.createUserInLDAP(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy708.createUserInLDAP(Unknown Source)
at oracle.iam.oimtoldap.scheduletasks.user.SeedOIMUsersInLDAP.execute(SeedOIMUsersInLDAP.java:59)
at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused By: oracle.ods.virtualization.service.VirtualizationException: oracle.ods.virtualization.engine.util.DirectoryException: LDAP Error 32 : No Such Object
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:209)
at oracle.ods.virtualization.operation.SearchOperation.process(SearchOperation.java:47)

I have checked the OIM vs AD attribute mapping. now I am getting below error. I have also attached the LDAPUsers.xml file . I don't know what went wrong .. How to test ldap-sync is configure properly? I created the user in OIM but in AD user is not getting created. I am not able to see any thing log file liek (dignostic and nohup log) .. Any idea where I can see the log to identify the issue??
g 1, 2013 8:15:15 AM PDT> <Warning> <JMS> <BEA-040442> <While attempting to bind JNDI name jms/b2b/B2BEventQueue for destination SOAJMSModule!dist_B2BEventQueue_auto_1_auto in module null a JNDI name conflict was found. This destination has not been bound into JNDI.>
<Aug 1, 2013 8:15:15 AM PDT> <Warning> <oracle.ods.virtualization.engine.backend.jndi.LDAP1.ConnectionHandle> <OVD-40082> <Could not modify entry.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
<?xml version='1.0' encoding='UTF-8'?>
<tns:entity-definition xmlns:tns="http://www.oracle.com/schema/oim/entity" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/entity ../entity.xsd ">
<entity-type child-entity="false">LDAPUser</entity-type>
<provider-instance>
<repository-instance>Directory Server</repository-instance>
<provider-type>LDAPDataProvider</provider-type>
<parameters>
<parameter name="base">
<value>dc=cgtest,dc=adtest,dc=com</value>
</parameter>
<parameter name="rdnattribute">
<value>cn</value>
</parameter>
<parameter name="objectclass">
<value>orclIDXPerson</value>
</parameter>
<parameter name="idattribute">
<value>objectGUID</value>
</parameter>
<parameter name="entityIdentifierObjectclass">
<value>inetorgperson</value>
</parameter>
<parameter name="excludeObjectclass">
<value>orclappiduser</value>
</parameter>
</parameters>
</provider-instance>
<container-capability>
<enabled>false</enabled>
</container-capability>
<entity-attributes>
<attribute name="User Login">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="First Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Last Name">
<type>string</type>
<required>true</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Middle Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Display Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
<multi-represented>true</multi-represented>
</attribute>
<attribute name="usr_password">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>false</searchable>
</attribute>
<attribute name="LDAP GUID">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP DN">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Role">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Email">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Start Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="End Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_timezone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_manager_key">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Country">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Department Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Description">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Common Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Employee Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Fax">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Generation Qualifier">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Hire Date">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Phone">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Home Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Locality Name">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Mobile">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Pager">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Postal Address">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Postal Code">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="PO Box">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_locale">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="State">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Street">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Telephone Number">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Title">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="Initials">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="LDAP Organization">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="LDAP Organization Unit">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
<MLS>false</MLS>
</attribute>
<attribute name="User Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Lock Status">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Accessibility Mode">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Color Contrast">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Font Size">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Number Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Currency">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Date Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Time Format">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="Embedded Help">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="FA Territory">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="User Name Preferred Language">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
</entity-attributes>
<target-fields>
<field name="uid">
<type>string</type>
<required>true</required>
</field>
<field name="givenname">
<type>string</type>
<required>false</required>
</field>
<field name="sn">
<type>string</type>
<required>true</required>
</field>
<field name="middleName">
<type>string</type>
<required>false</required>
</field>
<field name="cn">
<type>string</type>
<required>true</required>
</field>
<field name="userPassword">
<type>string</type>
<required>false</required>
</field>
<field name="objectGUID">
<type>string</type>
<required>false</required>
</field>
<field name="dn">
<type>string</type>
<required>false</required>
</field>
<field name="employeeType">
<type>string</type>
<required>false</required>
</field>
<field name="mail">
<type>string</type>
<required>false</required>
</field>
<field name="orclActiveStartDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclActiveEndDate">
<type>date</type>
<required>false</required>
</field>
<field name="orclTimeZone">
<type>string</type>
<required>false</required>
</field>
<field name="manager">
<type>string</type>
<required>false</required>
</field>
<field name="c">
<type>string</type>
<required>false</required>
</field>
<field name="departmentNumber">
<type>string</type>
<required>false</required>
</field>
<field name="description">
<type>string</type>
<required>false</required>
</field>
<field name="employeeNumber">
<type>string</type>
<required>false</required>
</field>
<field name="facsimileTelephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="orclGenerationQualifier">
<type>string</type>
<required>false</required>
</field>
<field name="orclHireDate">
<type>date</type>
<required>false</required>
</field>
<field name="homePhone">
<type>string</type>
<required>false</required>
</field>
<field name="homePostalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="l">
<type>string</type>
<required>false</required>
</field>
<field name="mobile">
<type>string</type>
<required>false</required>
</field>
<field name="pager">
<type>string</type>
<required>false</required>
</field>
<field name="postalAddress">
<type>string</type>
<required>false</required>
</field>
<field name="postalCode">
<type>string</type>
<required>false</required>
</field>
<field name="postOfficeBox">
<type>string</type>
<required>false</required>
</field>
<field name="preferredLanguage">
<type>string</type>
<required>false</required>
</field>
<field name="st">
<type>string</type>
<required>false</required>
</field>
<field name="street">
<type>string</type>
<required>false</required>
</field>
<field name="telephoneNumber">
<type>string</type>
<required>false</required>
</field>
<field name="title">
<type>string</type>
<required>false</required>
</field>
<field name="initials">
<type>string</type>
<required>false</required>
</field>
<field name="o">
<type>string</type>
<required>false</required>
</field>
<field name="ou">
<type>string</type>
<required>false</required>
</field>
<field name="displayName">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountEnabled">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccountLocked">
<type>string</type>
<required>false</required>
</field>
<field name="orclAccessibilityMode">
<type>string</type>
<required>false</required>
</field>
<field name="orclColorContrast">
<type>string</type>
<required>false</required>
</field>
<field name="orclFontSize">
<type>string</type>
<required>false</required>
</field>
<field name="orclNumberFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclCurrency">
<type>string</type>
<required>false</required>
</field>
<field name="orclDateFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclTimeFormat">
<type>string</type>
<required>false</required>
</field>
<field name="orclEmbeddedHelp">
<type>string</type>
<required>false</required>
</field>
<field name="orclFALanguage">
<type>string</type>
<required>false</required>
</field>
<field name="orclFATerritory">
<type>string</type>
<required>false</required>
</field>
<field name="orclDisplayNameLanguagePreference">
<type>string</type>
<required>false</required>
</field>
</target-fields>
<attribute-maps>
<attribute-map>
<entity-attribute>User Login</entity-attribute>
<target-field>uid</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>First Name</entity-attribute>
<target-field>givenname</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Last Name</entity-attribute>
<target-field>sn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Middle Name</entity-attribute>
<target-field>middleName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Common Name</entity-attribute>
<target-field>cn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_password</entity-attribute>
<target-field>userPassword</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP GUID</entity-attribute>
<target-field>objectGUID</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP DN</entity-attribute>
<target-field>dn</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>employeeType</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Email</entity-attribute>
<target-field>mail</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Start Date</entity-attribute>
<target-field>orclActiveStartDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>End Date</entity-attribute>
<target-field>orclActiveEndDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_timezone</entity-attribute>
<target-field>orclTimeZone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_manager_key</entity-attribute>
<target-field>manager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Country</entity-attribute>
<target-field>c</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Department Number</entity-attribute>
<target-field>departmentNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Description</entity-attribute>
<target-field>description</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Employee Number</entity-attribute>
<target-field>employeeNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Fax</entity-attribute>
<target-field>facsimileTelephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Generation Qualifier</entity-attribute>
<target-field>orclGenerationQualifier</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Hire Date</entity-attribute>
<target-field>orclHireDate</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Phone</entity-attribute>
<target-field>homePhone</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Home Postal Address</entity-attribute>
<target-field>homePostalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Locality Name</entity-attribute>
<target-field>l</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Mobile</entity-attribute>
<target-field>mobile</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Pager</entity-attribute>
<target-field>pager</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Address</entity-attribute>
<target-field>postalAddress</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Postal Code</entity-attribute>
<target-field>postalCode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>PO Box</entity-attribute>
<target-field>postOfficeBox</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>State</entity-attribute>
<target-field>st</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Street</entity-attribute>
<target-field>street</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Telephone Number</entity-attribute>
<target-field>telephoneNumber</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Title</entity-attribute>
<target-field>title</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Initials</entity-attribute>
<target-field>initials</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization</entity-attribute>
<target-field>o</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>LDAP Organization Unit</entity-attribute>
<target-field>ou</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Display Name</entity-attribute>
<target-field>displayName</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Status</entity-attribute>
<target-field>orclAccountEnabled</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Lock Status</entity-attribute>
<target-field>orclAccountLocked</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Accessibility Mode</entity-attribute>
<target-field>orclAccessibilityMode</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Color Contrast</entity-attribute>
<target-field>orclColorContrast</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Font Size</entity-attribute>
<target-field>orclFontSize</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Number Format</entity-attribute>
<target-field>orclNumberFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Currency</entity-attribute>
<target-field>orclCurrency</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Date Format</entity-attribute>
<target-field>orclDateFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Time Format</entity-attribute>
<target-field>orclTimeFormat</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>Embedded Help</entity-attribute>
<target-field>orclEmbeddedHelp</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Language</entity-attribute>
<target-field>orclFALanguage</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>FA Territory</entity-attribute>
<target-field>orclFATerritory</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>User Name Preferred Language</entity-attribute>
<target-field>orclDisplayNameLanguagePreference</target-field>
</attribute-map>
</attribute-maps>
<control-attributes>
<attribute name="container">
<type>LDAPContainer</type>
<required>false</required>
</attribute>
</control-attributes>
</tns:entity-definition>

Active sync with Active Directory. activeSync.password

AD - OS - Win2k3
IDM -6.0SP1
I am using active sync with Active Directory.
Form for Active Sync make with Wizard Active Sync.
Make user in AD with correct password.Excecute StartActiveSync.
User not make in Lighthouse.
In log file appears the following:
<WavesetResult>
<ResultItem type='error' status='error'>
<ResultError throwable='com.waveset.exception.PolicyViolation'>
<Message id='PL_POLICY_VIOLATION_HEADER'>
<String>password</String>
<String>Lighthouse User</String>
</Message>
<Message id='PL_STRING_MIN_CHARACTERS'>
<String>4</String>
</Message>
<StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
Must contain at least 4 valid characters.
     at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
     at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
     at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
     at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
     at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
     at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
     at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
     at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
     at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
     at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
     at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
     at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
     at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
     at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
     at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
     at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
     at com.waveset.task.Executor.execute(Executor.java:159)
     at com.waveset.task.TaskThread.run(TaskThread.java:119)
</StackTrace>
</ResultError>
</ResultItem>
</WavesetResult>
2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
Policy Violation (password on Lighthouse User):
Must contain at least 4 valid characters.
But, when i use sample active sync form from ...sample/forms/ActiveDirectoryActiveSyncForm user make in Ligthhouse with password change12345.
Logicaly, from this code:
<Field name='waveset.password'>
<Comments>
Make up a password for accounts that are being
created. This makes it a constant
</Comments>
<Disable>
          <neq>
          <ref>feedOp</ref>
               <s>create</s>
          </neq>
     </Disable>
<Expansion>
<cond>
          <notnull>
               <ref>activeSync.password</ref>
          </notnull>
<ref>activeSync.password</ref>
<s>change12345</s>
</cond>
</Expansion>
</Field>
I think password from AD not put in to activeSync.
Why?
With MBR
Bogdanov Alexey.

--I think password from AD not put in to activeSync.
--Why?
You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
If you want to take the AD password and send it to IDM, you want to use Password Sync.
Good luck

Active Sync with Active Directory

I am using active sync with Active Directory, but When I excecute the synchronization, it does not work, in log file appears the following:
00.037-0500: Polling
2006-11-01T18:35:00.053-0500: Looking for updates with filter: (objectCategory=person)(uSNChanged>=62506)
2006-11-01T18:35:00.506-0500: Missing uSNChanged for user user1. Skipping
2006-11-01T18:35:00.506-0500: Missing uSNChanged for user mike2. Skipping
2006-11-01T18:35:00.506-0500: Missing uSNChanged for user little5. Skipping
2006-11-01T18:35:00.506-0500: Missing uSNChanged for user george. Skipping
2006-11-01T18:35:00.724-0500: Looking for deletes with filter: (uSNChanged>=62506)
2006-11-01T18:35:00.740-0500: Missing uSNChanged for user CN=maria \0ADEL:7924c26d-9f1f-40a8-af4d-120e191aa84e,CN=Deleted Objects,DC=xxx,DC=com. Skipping
2006-11-01T18:35:00.740-0500: Poll complete.
I am using IDM 6.0 sp1

Did you add the uSNChanged attribute to your schema mapping (name it "uSNChanged" on both the IDM and resource side of the mapping)?
- Robin

SAP R/3 4.6 C Integration with Active Directory

Dear Friends,
We have a requirement to Integrate Active Directory User Authentication to SAP User authentication. Currently we are using following systems in our organization:
SAP R/3 4.6 C Kernel 46D
SAP ECC 6.0 with EHP4
Currently users are logging into Individual SAP systems with ther own User ID and passwords and they need to remember all the system passwords.
We are not looking for EP for SIngle Sign on.
Do we have any option to Integrate Active Directory User authentication with these 2 SAP systems using SSO method ?
Regards
Graham

Hi Graham,
Depending on the server OS (Linux, Solaris, Windows, etc) and client (web browser, SAP GUI, etc), you can accomplish this several different ways ranging from using features provided by SAP directly ([SAP GUI and Windows to Windows|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm] for example) or by [several third party vendors|http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=%22active+directory%22].
Please let us know what OS and clients are you working with and I'm sure we can point you in the right direction.
Thanks!
Kyle

SAP R/3 Authentication with Active Directory on Win2k server.

Hello list ,
We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
1) SAP GUI .
2) SAP BW
3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
Wish to implement SSO for all our users.
Some research we have done suggests
1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
"All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
I have created an OSS ticket but we are still in a queue since 5 days already.
Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
Thanks in advance.
Harsh Busa

Tim,
you are perfectly right: that Vintela product is not certified (as SNC solution).
But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/352295">SAP note 352295</a>) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
I really do <u>not</u> want to promote <u>any</u> product - neither the one of Quest Software Inc., nor the one of <a href="http://www.cybersafe.ltd.uk/">CyberSafe Ltd</a>, nor <a href="http://www.entrust.com">Entrust Inc.</a>, nor <a href="http://www.secude.com/">SECUDE IT Security GmbH</a>, nor ...
I do not even want to disencourage anyone from implementing his own Kerberos-based solution (or any other solution which provides an GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities are belonging to that group ... - but it might not be appropriete to the vast majority of customers.

Error while password sync with Active directory.

Hi all.
Am doing active directory password sync with oim 11g but this gives an error
Debug [07/31/12 11:52:14] CONFIG VALUE LENGTH
Debug [07/31/12 11:52:14] 254
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] Before adding configsync attributes
Debug [07/31/12 11:52:14]
sgslrgac instance
Debug [07/31/12 11:52:14] User Name --->
Debug [07/31/12 11:52:14] TEST.TEST10
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] RelativeId:
Debug [07/31/12 11:52:14] 1122
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14]
sgsladac Instance
Debug [07/31/12 11:52:14]
LDAP Connected
Debug [07/31/12 11:52:14] search string :
Debug [07/31/12 11:52:14] (&(objectCategory=person)(objectClass=user)(sAMAccountName=TEST.TEST10))
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] Connected to ADSI
Debug [07/31/12 11:52:14] After Search
Debug [07/31/12 11:52:14] SID::
Debug [07/31/12 11:52:14] S-1-5-21-449192332-2375483478-3823051035-1122
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] DN::
Debug [07/31/12 11:52:14] CN=test test10,CN=Users,DC=thakralone,DC=com
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] GUID:::
Debug [07/31/12 11:52:14] QHetRJE7hEKkG8PeqYRKlQ==
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14] after ladp search
Debug [07/31/12 11:52:14] Success sgsldpap
Debug [07/31/12 11:52:14]
Passlen populated :
Debug [07/31/12 11:52:14] 190
Debug [07/31/12 11:52:14]
Debug [07/31/12 11:52:14]
Moving sgsloidi from asynchSystem
Debug [07/31/12 11:52:14] Store Object populated
Debug [07/31/12 11:52:14] [getObjectGuid=QHetRJE7hEKkG8PeqYRKlQ==
getPasswordLen=190
getUserDn=CN=test test10,CN=Users,DC=thakralone,DC=com
getUserId=TEST.TEST10
Debug [07/31/12 11:52:14]
***end of status
Debug [07/31/12 11:52:14]
Out of sgsloidi from asynchSystem
Debug [07/31/12 11:52:14]
Before Free
Debug [07/31/12 11:52:14]
After Free
i have tried to reconfig and reinstall the connector but still the same issue.

Don't think so.
Reconcile will just find accounts that are out of sync (that is, that exist on one system but not the other). It doesn't update account attributes.
ActiveSync can identify and process changed records, but the password itself is hashed, so unless you can use the hashed password directly (and IDM can't) then you just would get "garbage" data via the sync.
I think you do need to use one of the PasswordSync tools for this, because they intercept the password change process before the password is hashed, allowing you to apply the changes in multiple locations.

OIM 11g Sync with Active Directory

Hi, I need to configure OIM 11g 11.1.1.3 Sync with a AD (Windows server 2003), I believe this is not possible (in this release), but, I am trying to configure through OVD but the queries of creation Containers throw errors.
Can be configured through OVD ??
Sync with AD will be supported in future Releases?
Thanks!!

From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory
Refer http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG

Single Signon and Integration with Active Directory

Hi,
We have a requirement to integrate Active Directory with SAP and implement Single Signon solution. Our Active Directory is running on Windows 2003 and we are having systems 4.7 , ECC6.0 which run on Linux OS in our landscape.
Can anyone of you help me by answering following questions
1. Is there any need of any third party solution(tool) to integrate Active Directory and SAP and activate single signon?
2.Is there any difference in integration from SAP 4.7 and ECC6.0 of SAP on Linux OS with Active Directory ?
3. If possible please share any documents or links on above issue.
Suitable answers will be rewarded with points. Thanks in advance for your help
Regards
Murali

> Thank you very much for providing me the link. But the document on link seem to be in German. Can you please let me know how to get English version of this document.
I'm sorry, you'd have to ask Realtech for that document in English.
Basically you can follow
http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
Markus

Error running Organization Lookup Recon in OIM 11g R2 with Active Directory

Hi all,
I have an implementation of OIM 11g R2, with an Active Directory 11.1.1.5.0 connecting to an instance of Active Directory on Windows Server 2008. I am trying to run the "Active Directory Organization Lookup Reconciliation" scheduled task, but the job fails with this error:
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
This is the full stack trace from the oim_domain.log file:
oracle.iam.connectors.icfcommon.exceptions.IntegrationException: Connector ConnectorKey( bundleName=ActiveDirectory.Connector bundleVersion=1.1.0.6380 connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) not found
at oracle.iam.connectors.icfcommon.ConnectorFactory.createConnectorFacade(ConnectorFactory.java:176)
at oracle.iam.connectors.icfcommon.recon.AbstractReconTask.init(AbstractReconTask.java:115)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:382)
at oracle.iam.scheduler.vo.TaskSupport$1.processWithoutResult(TaskSupport.java:135)
at oracle.iam.platform.tx.OIMTransactionCallbackWithoutResult.process(OIMTransactionCallbackWithoutResult.java:9)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:13)
at oracle.iam.platform.tx.OIMTransactionCallback.doInTransaction(OIMTransactionCallback.java:6)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at oracle.iam.platform.tx.OIMTransactionManager.execute(OIMTransactionManager.java:22)
at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:116)
at sun.reflect.GeneratedMethodAccessor739.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.iam.scheduler.impl.quartz.QuartzJob$TaskExecutionAction.run(QuartzJob.java:266)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.security.Security.runAs(Security.java:41)
at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:75)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
The Connector Server is installed on the AD instance, and the key has been set, and used appropriately in the Active Directory Connector Server IT Resource in OIM.
Any advice on how to resolve this error or on any possible causes would be much appreciated, thank you.

From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory
Refer http://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploy.htm#CHDDJGIG

Problems with Active Directory and Windows 2003

Hello,
I'm using Mac OS X Server 10.4.9 with Active Directory bound to a Windows 2003 Active Directory Domain. I can bind successfully to the domain using the graphical interface. Then in Samba I can access shared directories using Windows users. However, after some time somehow there are problems and Windows users aren't authenticated anymore on the Mac. I've looked at the firewall and there are no denied packets from the Mac. There are two servers in the domain, all clocks are synchronized and domain information is up to date. When I unbind the Mac, I can see the machine account being deleted on both domain servers and created too on both machines when I bind to the domain.
Problems occur when I try login in using ssh or samba do I think this is a problem with the AD module.
I turned on debugging messages on DirectoryServices:
sudo killall -USR1 DirectoryService
When in Windows, using the Administrator user I try:
net use \\10.0.0.1 /user:domain\Administrator
Where 10.0.0.1 is the Mac.
In the Mac I get from
tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log |grep ADPlug
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=domain\\administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Searching domain domain.com.mx for User ADMINISTRATOR
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\ADMINISTRATOR)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:37 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:37 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:37 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:37 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:37 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:37 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:37 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:37 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:37 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\administrator
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User administrator
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing domain\administrator
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=domain\\administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Searching domain domain.com.mx for User ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing DOMAIN\ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=DOMAIN\\ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=administrator)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=ADMINISTRATOR)(sAMAccountName=ADMINISTRATOR)(dis playName=ADMINISTRATOR)(mail=ADMINISTRATOR)(userPrincipalName=ADMINISTRATOR)(use rPrincipalName=ADMINISTRATOR@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RealName
2007-06-27 10:48:38 CDT - ADPlugin: Adding Search for Attribute displayName containing ADMINISTRATOR
2007-06-27 10:48:38 CDT - ADPlugin: Did DC search with queryFilter = (&(objectCategory=cn=person,cn=schema,cn=configuration,dc=domain,dc=com,dc=mx)( displayName=ADMINISTRATOR)), limit 1
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: 16784372 - Put 0 records in Buffer for AttributeValueSearch
2007-06-27 10:48:38 CDT - ADPlugin: Calling OpenDirNode
2007-06-27 10:48:38 CDT - ADPlugin: Opening Specific Node domain.com.mx
2007-06-27 10:48:38 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:38 CDT - ADPlugin: 16833877 - Calling GetRecordList Routine
2007-06-27 10:48:38 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:38 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:38 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:38 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:38 CDT - ADPlugin: 16833877 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:38 CDT - ADPlugin: Calling CloseDirNode
2007-06-27 10:48:42 CDT - ADPlugin: Calling OpenDirNode
2007-06-27 10:48:43 CDT - ADPlugin: Opening Specific Node domain.com.mx
2007-06-27 10:48:43 CDT - ADPlugin: Calling GetRecordList
2007-06-27 10:48:43 CDT - ADPlugin: 16833881 - Calling GetRecordList Routine
2007-06-27 10:48:43 CDT - ADPlugin: Search Records called in ADSWrapper
2007-06-27 10:48:43 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-06-27 10:48:43 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=administrator)(sAMAccountName=administrator)(dis playName=administrator)(mail=administrator)(userPrincipalName=administrator)(use rPrincipalName=administrator@*)))
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-06-27 10:48:43 CDT - ADPlugin: Returning 0 Results
2007-06-27 10:48:43 CDT - ADPlugin: 16833881 - Put 0 records in Buffer for RecordList
2007-06-27 10:48:43 CDT - ADPlugin: Calling CloseDirNode
I really don't know what to do. The Windows Event log shows no messages. The link used to work and there have been no changes in the domain servers.
The key line seems to be:
2007-06-27 10:48:43 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
But I don't know what that ADSEngine.mm is.
XServe G5 Mac OS X (10.4.9)

Hello.
Thanks for your reply.
I tried the net use with a drive letter with and without the /user switch. When I use a domain user domain\user1 I can't connect. When I use a user local to the XServe it works.
When I use
net use x: \\10.0.0.1\share /user:domain\user1
I get prompted for a password, but it doesn't work.
I checked the firewall and all packets to or from the mac are accepted, no denied or dropped packages.
I already went through the MS document on fw ports. Before I opened to Kerberos ports the binding failed. No the binding work OK.
Some users who were authenticated yesterday still can access files using the Windows domain accounts. It's new users trying to connect those who have problems.
This is what the Samba log.smbd log shows:
[2007/07/04 14:58:45, 2] /SourceCache/samba/samba-100.7/samba/source/smbd/sesssetup.c:setupnew_vcsession(662)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/07/04 14:58:45, 2] /SourceCache/samba/samba-100.7/samba/source/smbd/sesssetup.c:setupnew_vcsession(662)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/07/04 14:58:46, 0] /SourceCache/samba/samba-100.7/samba/source/auth/authutil.c:make_server_infoinfo3(1138)
makeserver_infoinfo3: pdbinitsam failed!
[2007/07/04 14:58:46, 0] pdbods.c:odssamgetsampwnam(2329)
odssam_getsampwnam: [0]getsam_recordattributes dsRecTypeStandard:Users no account for 'user1'!
[2007/07/04 14:58:46, 2] /SourceCache/samba/samba-100.7/samba/source/auth/auth.c:checkntlmpassword(367)
checkntlmpassword: Authentication for user [user1] -> [user1] FAILED with error NTSTATUS_NO_SUCHUSER
This is what the DS log shows:
2007-07-04 14:58:46 CDT - ADPlugin: 16892201 - Calling GetRecordList Routine
2007-07-04 14:58:46 CDT - ADPlugin: Search Records called in ADSWrapper
2007-07-04 14:58:46 CDT - ADPlugin: Searching attribute: dsAttrTypeStandard:RecordName
2007-07-04 14:58:46 CDT - ADPlugin: Locating User with Query (&(objectCategory=person)(|(cn=user1)(sAMAccountName=user1)(displayName=user1)( mail=user1)(userPrincipalName=user1)(userPrincipalName=user1@*)))
2007-07-04 14:58:46 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-07-04 14:58:46 CDT - ADPlugin: Failed getting credentials at line 2687 in ADSEngine.mm
2007-07-04 14:58:46 CDT - ADPlugin: Returning 0 Results
2007-07-04 14:58:46 CDT - ADPlugin: 16892201 - Put 0 records in Buffer for RecordList
XServe G5 Mac OS X (10.4.9)

Issue with Active Directory User Target Recon

Hi ,
I am facing an issue with Active Directory User Target Recon
My environment is OIM 11g R2 with BP03 patch applied
AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
In my Target there are around 28000 users out of which 14000 have AD account (includes Provisioned,Revoked,Disabled accounts)
When i am running Active Directory User Target Recon i am not putting any filter cleared the batch start and batch size parameters and ran the recon job .Job ran successfully but it stopped after processing around 3000 users only.
Retried the job two three times but every time it is stopping after processing some users but not processing all the users.
Checked the log file oimdiagnostic logs and Connector server logs cannot see any errors in it.
Checked the user profile of users processed can see AD account provisioned for users
My query is why this job is not processing allthe users.Please point if i am missing some thing .
thanks in advance

Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
-Bikash

Tighter Integration with Active Directory User Groups

I just wrapped up a Jabber deployment with IM&P 9.1(1) and J4W clients 9.1(3).
The customer asked me if it is on Cisco's roadmap to allow groups in Active Directory to be pulled into the Jabber client. The primary business case is to allow those in IT to send out IM blasts to the corporation or certain departments.
Obviously, this would require a significant amount of development and a much tighter integration with Active Directory, but I need to ask anyway.
Has something like this been identified and placed on any roadmap?
Thanks,
Matthew Berry

Unfortunately this kind of questions cannot be addressed here, roadmap questions need to go thru official channels for an answer.
You need to reach your SE/AM for this question.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk

OIM Integration with Active Directory Federation Services (ADFS)

Hello friends
I have a question about the integration of Oracle Identity Manager with Active Directory which is federated with another external directory for ADFS. My question is:
What considerations should be to contemplate if I have an active directory federated environment when carrying out the integration with Identity Manager?
I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7
Thanks for the support.

First consideration is that the OIM's target ADFS - in the federated scenario, will that participate as a Service provider or identity provider. I would think identity provider.
Next consideration: What all attributes are required to be played in the SAML assertion to the other end-point? All these attributes must be present and should be provisioned to the AD in this case.
So, OIM should be set up (UDF etc) to provision all those attributes needed in the SAML.
Next consideration: What all scenario to support? IdP initiated or SP initiated? If SP initiated, then process will hv to be defined if a user id does not exist in the AD of the OIM target. Will the request be failed or a in-time provisioning should happen.
Hope this helps.

Beginners guide to integration with Active Directory?

Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
2) Get an Xserve for IT.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
4) Push out the system builds to the Macs on the network
5) Connect the Macs using Open Directory...
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?

pisto_grih wrote:
Hi (complete beginner to this, but a quick learner)
I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
And that is about as far as the Apple plugin will take you. In order to do more you need to either extend schema (very scary), look at third party products like Centrify (very expensive), or look at getting an OS X Server and implementing the "magic triangle" in which OS X attributes are managed in OD while users, groups, and password are managed by AD.
I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
If you go the route of OS X Server and MCX settings, make life easy on yourself and build one common build. Then limit app access based on your groups. That way you can simplify the number of images you maintain down to one (provided you have appropriate licensing).
So far, this is how I think the process goes:
1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
See above. But if you need to, look at InstaDMG
2) Get an Xserve for IT.
Yep. But if you are only doing MCX you might want to look for a cheeper alternative. The Xserve can offer some nice additions, including software update server and Netinstall server among others.
3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
Yep. You are on the money.
4) Push out the system builds to the Macs on the network
Push huh. Look at Radmind. Then take a summer off to learn it. Then become god.
5) Connect the Macs using Open Directory...
Actually, connect the macs to both AD and OD. This will allow authentication and instantiating through AD and management through OD. Works very well.
6) ...
As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?
It is learnable especially with the summer and available hardware. However, supporting the consulting industry is always nice http://consultants.apple.com
Hope this helps

SAP R/3 Enterprise 4.7 Sync with Active Directory on Win2k3 server

Similar Messages

Maybe you are looking for