Shared Services and LDAP
This is a complete newbie question so pardon me if I sound ignorant: my understanding is that you provision users in Planning (11.1.13 or Fusion) through Shared Services. So if you're installing and configuring planning from scratch, you have to get users into Shared Services. However, these is also a concept called native directory or OpenLDAP which is involved somewhere. How do I push users into sharedservices/planning application and where does OpenLDAP come into this? thanks.
You provision the users in shared services, there is also an Openldap database which stores user information in its database, so when you can create and provision a user some of the information is stored in Shared Services and some in Openldap (Openldap has finally been removed in 11.1.2 which is a positive move in my opinion)
Once you have provisioned a user for planning and then either refesh planning, run one of the utilities or run a refresh the user information is passed into the planning tables. Also when a user logs into planning it queries shared services to see if they exist and their password is correct.
Cheers
John
http://john-goodwin.blogspot.com/
Similar Messages
-
Shared Services and Planning Synchronization
Ok, this is probably useful for a lot of people, but can anyone articulately explain the relationship between MSAD (or whatever the source security system is), Shared Services, and Planning? There are like 5 utiities and or Web Client buttons that claim to sync different parts to each other.
MSAD is the source system. It is "plugged into" Shared Services. (Are these always in sync, is there some utility to run to sync them?)
Then there is this Shared Services "Native Directory" what is this? There is a "Sync Native Directory" button in Shared Services, what does this sync?
Assuming that SS is synced with MSAD, we then turn to Planning. In Planning, there are "Migrate Identities" and "Remove Non-Provisioned Users/Groups" buttons. What do these buttons sync, and is Migrate Identities the same as the ProvisionUsers.cmd utility?
I want to know the best way to keep all this in sync, MSAD to SS and SS to Planning. Is any of this automatic, and if I need to run manual utilities, which ones do I need to run and which "buttons" do I need to push.
thanks
-PatrickHi,
Ok here goes, I am not really sure which version you are on because there was a bit of a change between 9.2 and 9.3 with regards to MSAD (uses the ObjectGUID instead of SamAccountName)
Sync Native Directory - Shared Services contains all the product registration details, OpenLdap (Native Directory) stores all the provisioning, sometimes it is possible they could go out of sync which is pretty rare, so the sync native directory makes sure Shared Services and Open Ldap are in sync.
Migrate Identities - I think this is more of the line of the updateusers.cmd utility where if a user has changed in the directory (this was more of an issue when SamAccountName was used as users group change OUs in the Active Directory) it will update the planning table with the new details.
Remove-Non Provisioned Users/Groups - I am sure this doesn't actually work and has been removed in later versions, it is meant to clear up users/groups in the planning tables where there don't exist in Shared Services anymore.
It depends what you mean by is MSAD always in sync with Shared Services, if you are using 9.3 and configured to use the ObjectGUID then it is pretty much in sync as the id is not likely to change, if you are using SamAccountName and a user moves place in the organisational structure then it can go out of sync. There is another ultilty for that :) (update native directory utility)
If you run the provision users utility after you have provisioned a user in shared services it will add the user to the planning tables and also push the user to essbase.
All depends what you are finding is it a problem to what utility to you want to use.
Cheers
John
http://john-goodwin.blogspot.com/ -
Issue bringing up Shared Services and Planning
Hi guys,
We have added 3 new MSAD to our Shared Services for user authentication, previously we already had 2 setup and working fine.
Now that we added the 3 new ones, we restarted Planning and Shared services and now it doesn't come back up.
We see the following error message on the logs:
2009-11-27 17:05:09,702 [Thread-23] WARN com.hyperion.css.spi.impl.msad.MSADCacheUpdater.updateUserCache(Unknown Source) - Ignoring User. Error getting User for User Cache:[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=IL,DC=x,DC=Corp'
2009-11-27 17:05:09,811 [Thread-23] WARN com.hyperion.css.spi.impl.msad.MSADCacheUpdater.updateUserCache(Unknown Source) - Ignoring User. Error getting User for User Cache:[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=IL,DC=xx,DC=Corp'
2009-11-27 17:05:09,936 [Thread-23] WARN com.hyperion.css.spi.impl.msad.MSADCacheUpdater.updateUserCache(Unknown Source) - Ignoring User. Error getting User for User Cache:[LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=IL,DC=xx,DC=Corp'
These "xx" we are just using because of the company name but it has the right name
That's the security log for Shared Services.
Do you have an idea of what I can do either to bring it up with the new MSAD or delete the newly created and bring it back up?
Thanks in advanceUsually your MSAD admins will have a master domain setup that has access to all geographic specific domains. You would have a user setup in this higher level domain
Let's say you have the following setup:
na.ad.co.com
sa.ad.co.com
eme.ad.co.com
jp.ad.co.com
cn.ad.co.com
You would just need one domain setup at ad.co.com with a user who has read access to that directory. The way Shared Services security is setup you may need to re-provision some users with that new global provider and I highly recommend using a group filter -- your group filter can be in any of the domains just all users would need to be added to it in that domain.
Regards,
John A. Booth
http://www.metavero.com -
Shared services and workspace login error in epm 11.1.2.3
Hello,
When click on the url of shared services and workspace for epm 11.1.2.3
showing the below error as soon.
"Internet explorer can not display the webpage error"
Tried with all supported browsers
Please suggest all possibles solutions..
ThanksHave you check the logs to make sure all the web apps are up and running and no errors are being generated.
Cheers
John
http://john-goodwin.blogspot.com/ -
Hi Guru's
how can i assign a filter to a group in shared services. I have created one group in shared services and filter in EAS.Do i have to click on export to shared services ? where in shared services will i see my filter to make it effective on the group
thank youHi,
Refer to this thread. The same was discussed there...
Re: Granting filters without writing maxl -
Hyperion EPM: Will Oracle Express suffice for Shared Services and Registry?
Hi.
I'm trying to install Hyperion EPM on Linux to make use of the Hyperion Interactive Reporting server components to allow report scheduling, web delivery of reports, etc. My data sources will all be MySQL. I'm at the point where I'm attempting to use the EPM Configurator for setting up Shared Services and Registry Database Connection. It seems my options for choosing a database on which to allow Shared Services and Registry data to reside are limited to 3: Oracle, SQL Server or DB2 (noticeably absent is MySQL)
So, it looks like I'm going to have to install an Oracle DB instance at the very least.
My question is this:
Can I get away with just installing Oracle Express for the Shared Services and Registry or will I have to install a full blown Oracle DB instance?
Thanks
-- TomHi, I confirm that you can use Oracle Express for Shared services and registry. We have installed the complete EPM platform on a single virtual machine using Oracle Express. It’s interesting to use it because Oracle Express use less resource. We can run this virtual machine on a computer that only have 4GB of RAM and get good performance (for a single user).
I recommend using it for proof-of-concept and Bootcamps. -
Shared services and workspace architecture(How we can find out req &respon)
Good morning Hyperion folks,
Does any body have any document or PDF about workspace and shared service architecture...How these both components are communicate each other..any idea or any document..while communicating of these if anything goes wrong,,where we need to check, what is exactly the problem (any suggestible logs)...
Company are doing big mistake by using this hyperion tool ..These guys are not supporting and even they don't know much about the tool apart Product dev team..and that too they are not disclosure any documents related product...
**Does anybody found any kind performance tunning guide or lab guide about workspace and shared service HFM,Planning...** I have never seen component wise documents and tunning guide and recommendations.
I am strong opnion about hyperion is,we would not get any support from oracle and documents so He can migrate Cognos TM1 and Finance management etc........
Edited by: 888154 on 29/09/2011 02:55Thanks john For ur reply ..i have seen these documents long ago ..i am asking about Shared services and workspace architecture and how these are functioning and where we can find out communication error and slow login issue with workspce and shared services.. How authentication is log on ..is there any machanisam they are using for authencation ...We are using OpenLadp ...
Ex :1.Per suppose log on to workspace that request goes to shared services directory and it will check whether that user is exists or not on Shared services tables ...here what kind of alogirtham using to aunthenticate user...How we can diagonse this process taking to much time,,,is there any specific logs related this (If logs are exsits how we can find out)...
2.Once authencation done successfully and responce send to workspace and populate workspace home page...then i click on application button (FM application) and it's taki ng to much time to load HFM page.To this where we need to look whta excatly problem? what are logs file helpful to us to diagonse.. -
Shared services and Essbase Sync issue
Hi,
Today morning all of sudden lot of users raised an issue that they can't see few applications while connecting through Smart view. I have checked Shared services and the groups are already provisoned. Finally I ran alter system resync sss and after the syncing its fine.
Any reasons why this morning Syncing was not there.
Thanks..Its fascinating, if the users are provisioned too they can see other applications in smart view and that's what I heard but never checked on it, Is there any possible filters where they cant see it ?
If so please let me know. -
Installation of Essbase, Shared services and Planning
Hi,
I am using Essbase (64 Bit), Shared server and Planning +mandatory component of hyperion:
Can i install 32 bit applications Planning, Shared services, Analytic Provider on 64 bit OS (windows 2003 EE)
Regards
KumarCross post :- Installation of Essbase, Shared services and Planning
Cheers
John
http://john-goodwin.blogspot.com/ -
How to enable Kerberos - Shared Services and Workspace
Hi All
I'm trying to enable Kerberos SPNEGO with WebSphere 6.1.0.31. I've protected the urls.....and i can see the handshake happening in the trace logs.....
Shared Services SSO is working fine if i use the option of Get Remote user info from http header.....
But workspace doesn't seem to accept any of the options given $REMOTE_USER$, $HTTP_USER$.
Can some please let me know how to do this....? Or is there a way to change the header information?Thanks john For ur reply ..i have seen these documents long ago ..i am asking about Shared services and workspace architecture and how these are functioning and where we can find out communication error and slow login issue with workspce and shared services.. How authentication is log on ..is there any machanisam they are using for authencation ...We are using OpenLadp ...
Ex :1.Per suppose log on to workspace that request goes to shared services directory and it will check whether that user is exists or not on Shared services tables ...here what kind of alogirtham using to aunthenticate user...How we can diagonse this process taking to much time,,,is there any specific logs related this (If logs are exsits how we can find out)...
2.Once authencation done successfully and responce send to workspace and populate workspace home page...then i click on application button (FM application) and it's taki ng to much time to load HFM page.To this where we need to look whta excatly problem? what are logs file helpful to us to diagonse.. -
SSL Enabling Shared Services and Active Directory
The SSL config guidfe suggests that a valid certificate (CA) must be issue for User directories (MSAD/LDAP), Web and application servers. Is it essential to obtain a CA for for MSAD as well? Can we do without MSAD cert? We have the certs for our Web and App layers ready. We are not sure if the IT department has SSL configured MSAD. If MSAD/LDAP is not SSL configured - can we still go about SSL-Enabling Hyperion? Thanks.
-- SriniIf your MSAD is set for SSL, you can import their certificates through your Java Application Server. Since you are unsure, I would set up MSAD and if you are able to browse for users on the AD domain in Shared Services, you are good to go.
I must say that SSL is a big pain from my point of view. Unless you are required to encrypt because of the data you have stored, I would pass it up. The certificates often expire on a yearly basis and there are many different certificates to keep track of. Multiply that by Development, Prod, BCP or Recovery server, and you're looking at lots of maintenance.
The big pain comes when the signer certificate for your server expires because after the next reboot or restart of your JVMs, Shared Services starts up but none of the other applications can talk to it which means your whole application is down until you get that certificate fixed. My organization is fairly strict on their controls, so that means that I either make a federal case out of my system being down or I get to wait three days for a change request. Big pain in the rear. -
EPM 11.1.1.3 Shared Services and Registration
Hi all,
I installed EPM 11.1.1..3 on a windows 2003 server
Install is ok. I then used config tool to configure repositories (Oracle 10g) , deploy ( Websphere 6.1) and register with shared services :
Here is my issue : I can log to shared services but I cannot create any application group : log says I try to add a duplicate name ( tried several times with different names , still same error ) , I cannot provision anything for user admin ( shared services console says no application is available or insufficient rights)
During configuration for eas, planning... , database connections where ok, deployment ok but they all failed the registration with shared services. Log says there is an oracle error 1722 , invalid number !!
When externalizing users in Essbase , it fails saying "UnableToGetNodeRevisionDescriptor"
Checked database settings ( UTF8) looks fine. I tried to deploy shared services with tomcat same problem...
If you have any ideas or hints , I would appreciate
ThanksHi Christophe
Try to reinstall shared services then run configuration only for shared services commons setting and database. after that configure "server deployement. then stop shared services web application and open LDAP server. start it again. check that shared services works perfectly by launching the web app.
After that configure the other products one by one.
regards
Laurent BRECHON-CORNERY
EPM System Engeenier
*Partake Consulting France*
partake.com -
Integrating Hyperion Shared services with LDAP
Hi All,
I have a quick question regarding managing LDAP users using Shared services. I was able to create connection with LDAP using "anonymous bind" but now when I try to see the LDAP users in Shared services , it says no records. How can I see the records ?
Please help.Suggest you talk to your IT people who setup that specific id. Tell them you need the Distinguished Name (DN) of that user -- usually they will have the user placed in a set of containers which may be several levels deep depending on how they organize the directory.
If you were using Active Directory rather than LDAP you could use AD Explorer to locate the user and you can find the DN yourself. AD Explorer is available at: http://technet.microsoft.com/en-us/sysinternals/bb963907
Regards,
John A. Booth
http://www.metavero.com -
Regarding Shared Services and Essbase Access
Hello,
I am curious on few things regarding how Essbase and Shared services are interlinked.
Basically we have created Essbase Filters to limit the User access to specific entities , my concern is if a User is trying to Run a report or retrieve through Smart View and if they don't have access to any one of the list of Filter definitions say if there are X , Y ,Z entities in the Spread sheet for Smart View retrieval or in a report and the user does not have privilege for Z do they still get terminated from the entire Essbase Applications. I encountered similar type of problem with one of the users today.
Any comments.
Thanks !Thanks for the reply Glenn , yes it should not get disconnected or have any connection issue. But below is what the error we get when using Essbase security filter.
**** Cannot Open Member Selection. Essbase Error(1001064):You do not have sufficient access to perform read on this database **** -
HFM shared services and workspace configuration
Hello,
I am new to Hyperion environment and learning the products. Downloaded the products for 11.11.3, installed and configured them, but having problems.
1. Shared services is up and able tol log in, but not verified anything else there
2. Not able to bring up the workspace , used the url http://<servername>:19000/workspace. After entering the user id and password.. got the following error...
"Could not find a Hyperion Reporting and analysis server running on local host at port 6800..." , not able to see any download with "Reporting and Analysis server", but downloaded and installed V17378-01 & V17380-01.
In the diagnostic report seeing the following error... "Availability of web application context http://localhost:10080/eas
Error: Bad response code: 404
Recommended Action: Check application is started "
Please advice.
Regards
GV.
Edited by: user7236320 on Oct 19, 2009 7:13 AMHi,
I think you need to download all the following components for installing Hyperion. In this release Workspace is bundled under foundation and not as part of Reporting.
Oracle Hyperion Enterprise Performance Management System Installer, Fusion Edition Release 11.1.1.3.0 V17382-01 381M
Download Hyperion Enterprise Performance Management System Foundation Services Release 11.1.1.3.0 Part 1 of 4 V17397-01 2.0G
Download Hyperion Enterprise Performance Management System Foundation Services Release 11.1.1.3.0 Part 2 of 4 V17369-01 1.2G
Download Hyperion Enterprise Performance Management System Foundation Services Release 11.1.1.3.0 Part 3 of 4 V17370-01 1.2G
Download Hyperion Enterprise Performance Management System Foundation Services Release 11.1.1.3.0 Part 4 of 4 for Microsoft Windows (32-bit) V17371-01 224M
Maybe you are looking for
-
R3trans not exporting all tables
Hi I am creating a control file to export SXNODES table export file = '/tmp/SXNODES_dmp' delete * from 'SXNODES' select * from 'SXNODES' When I export, using R3trans, I get 0 entries exported. I used to be able to export this table until we upgraded
-
Recently few companies went live for my client in asset accounting module for local curreny INR. New company currency = INR Global currency = USD. Using AS91 we loaded legacy assets and found that asset bought is 2013 was showing some differnet USD
-
How can I add some help text to a plain text field?
I would like to put the basics in the plain text (formatted text) field and then some details and clarifications in the help text area. Seems like this would be easy and useful.
-
I am running Photoshop CC 2014 on iMac OS X and have recently had to reinstall the OS following upgrade to an SSD. I cannot update Photoshop as it says it is unable to extract the downloaded files (U44M1/2010). Should I reinstall Photoshop and Brid
-
TS1389 I did everything that apple suggest and it's still doesn't work. What should I do ?
I just bought the album Dark Eyes by Half Moon Run and I can't listen to half the songs because itunes is telling me that my computer is not authorized to play those songs. When I enter my account name and password it tells me that my computer is alr