Sync User Locks from LDAP(Microsoft AD) to Portal UME
Hi All,
Currently we have our Portal UME connected to LDAP (Microsoft AD) as our data source. I can bring up all Active Directory users in Portal, however the users that are locked and disabled in Active directory are still active in portal. To be more clear the expiration date of a userid in AD does not sync with Portal UME account expiration date. Is there a way to bring in the expiration value in to portal?
Regards,
Junaid
Config tool may not have expiry date as mapping in Additional LDAP prop tab, you may need to look for configuration file where you can map the logical attribute to the LDAP.
Licensing impact depends on your contract with SAP.
However you can check portal users with USMM at the end of URL.
E.g.
remove 'irj/portal' from your initial portal link and add 'usmm'
Similar Messages
-
How i get user info from ldap using java after authenticating user with SSO
Hi
I have one jsp/bean application as a partner application with SSO.
It works fine.
Now i need to get other attributes of user from LDAP who has logged into the application through SSO.
using SSO java APIs i only get username, userDN, subscriber info.
To get user's other attribute i have to user LDAP APIs for that i have to create on Directory Context, for the same i need userpassword.
so here i my question, how do i get user password after he has logged in thro SSO.
regards..
and thanking u in advance
samirValentina,
there's no way to get the password value from the directory (it's one way). Of course you can get the hashed (MD4,MD5,SHA-1) base64 encoded value (i.e. the value you see in OiD) but not the 'password'.
--Olaf -
How to get user information from ldap - bpm11g
hi all,
i need know how to do get information from ldap, but using adf bean for show user data in adf form.
anyone knows about this ?
tks.Neal wrote:
>
Hi,
I am using WLS default authentication to protect my JSP pages. Can someone tell
me if it is possible to add more fields to the default login box (in addition
to login and password boxes, I want to ask user the department name). In additional,
can WLS propogate this information (department name) along with other security
credentails to other J2EE components such as EJBs? In my EJBs I want to be able
to get the department name that user provided during login and then use that for
conditional business logic.
Any insights on this subject will be greatly appreciated.
TIA,
-NealYou can't do this with the default simple authentication. That can only handle a
username / password combination.
You should be able to do this with JAAS. You could write a LoginModule that
populates the department as a Principal or public Credential on the Subject in
addition to the normal authentication. You would have to do a callback handler
that passed through the department info to it.
This link has more on WLS's stab at JAAS:
http://e-docs.bea.com/wls/docs61/security/prog.html#1039659
Once you have associated the Subject with the access control context by invoking
a doAs() you should be able to get it back at any point with
Subject.getSubject(AccessController.getContext()) to get access to the
department info.
It will all be a bit of a chore, mind. -
Retriving user list from ldap (username - first and last, dn, cn)
Hi,
I tried connecting LDAP server and succesfully connected and now i need to get userlist from LDAP can anyone give me a sample code to get userlist from LDAP.
public static boolean testLDAP() {
InitialDirContext ctx = null;
try {
Hashtable htbl = new Hashtable();
htbl.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
htbl.put(Context.PROVIDER_URL, "ldap://padl:389");
htbl.put(Context.URL_PKG_PREFIXES, "com.sun.jndi.url");
htbl.put(Context.REFERRAL, "ignore");
htbl.put(Context.SECURITY_AUTHENTICATION, "simple");
htbl.put(Context.SECURITY_PRINCIPAL, "cn=administrator");
htbl.put(Context.SECURITY_CREDENTIALS, "password");
ctx = new InitialDirContext(htbl);
if (ctx != null) {
ctx.close();
return true;
catch (NamingException e) {
System.out.println("Error Connecting to LDAP Server.");
System.out.println(e.toString());
ctx=null;
return false;
return false;
}Thank You.Ok here is the code to fetch userlist(First Name, Last Name, cn, dn, mail) from LDAP.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class UserListFromLDAP
public static void main(String args[])
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,"ldap://host:389");
DirContext ctx;
try {
ctx = new InitialDirContext(env);
} catch (NamingException e) {
throw new RuntimeException(e);
NamingEnumeration results = null;
try {
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
results = ctx.search("", "(objectclass=person)", controls);
while (results.hasMore()) {
SearchResult searchResult = (SearchResult) results.next();
Attributes attributes = searchResult.getAttributes();
System.out.println("dn----------> "+searchResult.getName());
System.out.println("cn----------> "+attributes.get("cn").get());
if (attributes.get("givenName")!=null)
System.out.println("First Name--> "+attributes.get("givenName").get());
System.out.println("Last Name---> "+attributes.get("sn").get());
System.out.println("Mail--------> "+attributes.get("mail").get()+"\n\n");
} catch (NameNotFoundException e) {
System.out.println("Error : "+e);
} catch (NamingException e) {
throw new RuntimeException(e);
} finally {
if (results != null) {
try {
results.close();
} catch (Exception e) {
System.out.println("Error : "+e);
if (ctx != null) {
try {
ctx.close();
} catch (Exception e) {
System.out.println("Error : "+e);
}Here is the code to search user from LDAP based on cn and sn
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class LDAPUserSearch
public static void main(String args[])
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,"ldap://host:10389");
DirContext ctx;
try {
ctx = new InitialDirContext(env);
} catch (NamingException e) {
throw new RuntimeException(e);
NamingEnumeration results = null;
// give either cn or sn to check
String cn = "Common Name";
String sn = "lastName";
try {
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
if(!cn.equalsIgnoreCase("") && !sn.equalsIgnoreCase("")){
System.out.println("Please test with either cn or sn");
else if(cn!=null && !cn.equalsIgnoreCase("")){
System.out.println("Result based on cn:");
results = ctx.search("", "(cn="+cn+")", controls);
else if(sn!=null && !sn.equalsIgnoreCase("")){
System.out.println("Result based on sn:");
results = ctx.search("", "(sn="+sn+")", controls);
else{
System.out.println("No results found");
while (results.hasMore()) {
SearchResult searchResult = (SearchResult) results.next();
Attributes attributes = searchResult.getAttributes();
System.out.println("Full Name:--------> "+attributes.get("cn").get());
if(attributes.get("givenName")!=null)
System.out.println("First Name:-------> "+attributes.get("givenName").get());
System.out.println("Last Name:--------> "+attributes.get("sn").get());
System.out.println("Mail:-------------> "+attributes.get("mail").get());
} catch (NullPointerException e) {
// Leave this...
catch (NameNotFoundException e) {
System.out.println("Error : "+e);
} catch (NamingException e) {
throw new RuntimeException(e);
} finally {
if (results != null) {
try {
results.close();
} catch (Exception e) {
System.out.println("Error : "+e);
if (ctx != null) {
try {
ctx.close();
} catch (Exception e) {
System.out.println("Error : "+e);
public static void common() {
} -
Can I retreive user parameter from SolMan to use in Portal?
Hi gurus!
Is there a way to use paramters from Solution Manager (SolMan) in portal? To explain further here is our scenario: we are going to use the portal as an interface for Retail Store in R3. We use SolMan as authentication database for the portal instead of the portals internal one and that works nicely. Further more we have an Application Integrator iview that shows/connect to an external index engine. As of now we logon with ONE user in each store and this Id, which actually is the store number, is sent as an parameter through the URL AppInt iview to the index engine. It's in the form of <LogonUserID> or <User.UserID>, either works fine.
Now for the problem: we have faced the need to use a separate logon Id for every computer instead of one for each store. This means we no longer can't send the parameter LogonUserId since this no longer is the store number. But we connect the parameter Werks (technical name WRK) to the users in SolMan, the question now is if it's possible to reach this parameter from SolMan "through" User or in another way, if it's possible whatsoever... Does anyone have any suggestions? It will be immencely appriciated.
Best regards
Benny LangeFor my SSM this code works,
public java.lang.String getPortalContactState( )
String portalState = "";
String epUserName = "";
try {
IWDClientUser wdClientUser = WDClientUser.forceLoggedInClientUser();
com.sap.security.api.IUser sapUser = wdClientUser.getSAPUser();
if (sapUser.getName() != null) {
epUserName = sapUser.getName();
if (sapUser.getState() != null) {
portalState = sapUser.getState();
} else {
wdComponentAPI.getMessageManager().reportException(
"State hasn't set for "
+ epUserName
+ " Please Contact Your System Administrator ",
true);
} catch (Exception ex) {
wdComponentAPI.getMessageManager().reportSuccess(
"Exception=" + ex.getMessage());
return portalState;
Regards,
Nitin -
User locked while Ldap password sync.
I'm testing Ldap Password Synchronization in IDM70.
It works pretty fine, but sometimes I find in the ActiveSync log the following error:
"Cannot access user <accountId> at this time, please try again later.".
In this case ActiveSync fails updating the User's password, but what is bad is that it will never try it again: the changelog update is considered done, no later try.
IDM and Ldap passwords are out-of-sync.
Is there a way to overcome this limit?I usually see that message occur when an account is opened for edit and didn't press the cancel button. A common practice, but remember that there is a lock on that account you are performing an edit on, and cancel will unlock it. If you just close out instead of cancel, the record can't be accessed.
let me know if that solves it -
How to get user attributes from LDAP authenticator
I am using an LDAP authenticator and identity asserter to get user / group information.
I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
Any help would be appreciatedHi Julián,
in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
Beginner
Medium
Advanced
Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
Hope it helps
Detlev -
How to delete the user permanently from LDAP. I want to delete the user's mail and calendar services also.
Hi,
It is generally not a best practice to touch your directory server directly. If you're just playing around for learning purposes its ok. Otherwise, from an implementation perspective, do not try accessing DS directly.
I will try giving u a solution if u use legacy mode of AM. I'm still learning about realm mode, but i guess such scenarios are mostly common between the two.
You can use the amadmin command found in /opt/SUNWam/bin or in windows c:\program files\sun\javaes5\identity\bin. You have sample XML file pcDeleteRequests. You could use this to delete just one or few users.
The sample is
<Requests>
<PeopleContainerRequests DN="ou=People1,dc=example,dc=com">
<DeleteUsers>
<DN>uid=dpUser,ou=People1,dc=example,dc=com</DN>
</DeleteUsers>
</PeopleContainerRequests>
</Requests>
Make an XML, run this command : amadmin -u "uid=amadmin,ou=people,dc=example,dc=com" -w <password> -t <your_file> -
Hi Gurus,
I am trying to programatically query the list of users belonging to a particular user-group, from LDAP.
LDAP is deployed on Weblogic as a 'provider'.
I have the following details of the LDAP instance - host:port, security principal (CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com), LDAP password (credential), User Base DN.
I tried the following using BPEL:
<sequence name="main">
<!-- Receive input from requestor. (Note: This maps to operation defined in BPELProcess1.wsdl) -->
<receive name="receiveInput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="inputVariable" createInstance="yes"/>
<!-- Generate reply to synchronous request -->
<assign name="Assign1">
<copy>
<from>ora:getContentAsString(ldap:listUsers('people','ou=people'))</from>
<to>$outputVariable.payload/client:result</to>
</copy>
</assign>
<reply name="replyOutput" partnerLink="bpelprocess1_client" portType="client:BPELProcess1" operation="process" variable="outputVariable"/>
</sequence>
</process>
and following is the content of the directories.xml that I have created:
<?xml version="1.0" ?>
<directories>
<directory name='people'>
<property name="java.naming.provider.url">ldap://<host>:<port></property>
<property
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
<property name="java.naming.security.principal">CN=aaa,OU=bbb,OU=ccc,DC=ddd,DC=com</property>
<property name="java.naming.security.authentication">simple</property>
<property name="java.naming.security.credentials">password</property>
<property name="entryDN">User Base DN</property>
</directory>
</directories>
When I run this BPEL process, I get a blank value on my output variable -
<outputVariable>
<part name="payload">
<processResponse>
<result><users xmlns="http://schemas.oracle.com/bpel/ldap"/></result>
</processResponse>
</part>
</outputVariable>
Is there something I am missing here?
Regards,
Arindamslight change in my approach here:
I would like to use welogic provider to connect to this LDAP
so... instead of MyProgram --> LDAP, it should now be MyProgram --> Weblogic/SecurityRealms/myrealm/Providers/myAuthenticator --> LDAP
in this guess, i wont be using LDAP connection details, instead the weblogic host/port and Authenticator name should be sufficient
How can I programatically query the list of users using this approach? -
Rename users display name from LDAP
my OBIEE 10.1.3.4 does user authentication from LDAP on our domain Active Directory..
a users display name was mis-spelled in Active Directory.. I corrected the mis-spelling.. but BI still shows it wrong..
when the user is created is the display name then stored in an ATR file or somewhere in the catalog..
were do I go to change it.. or how do I get it to update from Active Directory again..If the display name is really bothering the user, then you can do a work around like letting users to set their own display name by enabling the enable any user to set the value of the variable option for the DISPLAYNAME variable in the LDAP init block and calling it in the front end using NQSSetSessionValue().
Hope this helps.
Regards,
-Amith. -
Exporting the user IDs from R/3 to a flat file
I need to generate a flat file with all the user IDs from an ABAP system. How can I do that? is there something available out-of-the-box or I need to develop something?
Also, is there a quick way to bering all the user IDs from R/3 into the Portal?Hi,
Goto SE16 - click on the Table contents button in the screen and execute the table.it will list out the user details - > Edit > Download-> Spreadsheet ->give the name and location for the file.
REward with points if it is useful
Regards,
Sangeetha.A -
Problem with activesync provisioning user from ldap to red hat
hello,
i am using activesync to provision the user from ldap to red hat linux . i am getting the following error message
An error occurred adding user '#########' to resource 'Red Hat Linux'.
Script failed waiting for " PASSWORD:" in response "passwd: Only one user name may be specified.
_,)#+(:"
Script processor timed out with nothing to read and the following unprocessed text: "passwd: Only one user name may be specified.
_,)#+(:".
when to try to assign redhat resource to a user from the idm the user is getting provisioned to redhat successfully .active sync form is working for all the other resource except the redhat.
can anyone give me solution for the above problem
thanks in advance.Have you set the xhost as ROOT (xhost +hostname), and then as the ORACLE user type "export DISPLAY:0.0" (without the quotes of course) ? This needs to be done prior to running the installer. Try this site for further information - http://www.puschitz.com/OracleOnLinux.shtml
-
Editing LDAP User attributes from UME interface
Hi Gurus,
We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
I want to know
1. How to enable the connection from UME to LDAP in read/write manner?
2. What certificates need to be exchanged for write access? if any?
3. What changes needs to be done in config file of UME?
4. Which permissions should be granted for communication user to edit LDAP user attributes?
Even after performing the change to read LDAP in read/write manner, will it be sure: If we lock user from UME, it will lock LDAP user? please comment.
regards
Kedar KulkarniHi,
We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
But when we deploy same application into client landscape, we receive error as below:
No data source feels responsible for principal. Please check the data source configuration
Now we are not sure why this error is getting displayed.
In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
Any code to access LDAP details will help us lot.
regards
Kedar Kulkarni -
I guess it's common problem in LDAP. If the user locks out after 3 failed failed logins, The admin needs to be entered in NDS conslole and he need to be unlock after he gets a request from that user. But I couldn't find the property for single User. whatever you specify the parameter in User Lockout tab, it's valid for all the user.
i.e. if you uncheck the checkbox User lockout check box it's valid for all the users. How to unlock the particular user in NDS???
any help in this regard is really appreciable.
regards,
chandraWhat version of WLS are you using? In the 6.0 beta, user lockout was one of
the new security features
added. This way, WLS could detect the failure and allow administrators to
detect password guessing
attempts.
If this is a previous release of WLS, you will need to check the NDS
documentation for how to unlock
a given user.
Paul Patrick
"chandra" <[email protected]> wrote in message
news:3a1e3d7d$[email protected]..
>
I guess it's common problem in LDAP. If the user locks out after 3 failedfailed logins, The admin needs to be entered in NDS conslole and he need to
be unlock after he gets a request from that user. But I couldn't find the
property for single User. whatever you specify the parameter in User Lockout
tab, it's valid for all the user.
>
i.e. if you uncheck the checkbox User lockout check box it's valid for allthe users. How to unlock the particular user in NDS???
>
any help in this regard is really appreciable.
regards,
chandra -
How to sync user for planning from Shared Services
Hi ..
Can anybody please let me know how to sync users for planning from shared services.
Thank you.You need to expand on your question.
But the basic concept is you create or connect (for LDAP) users in Shared Services. You also create groups as required for these users. Then in shared services you provision those user to Planning applications (directly or indirectly through groups)
Then in Planning you will see users or groups. And in planning you connect them to either members in dimensions or to objects like Forms, Task lists, Business Rules.
There is therefore no such thing as synching Shared Services with Planning.
Note: the 2 steps mentioned above can be done in batch through load utilities.
Please expand you question if necessary
Maybe you are looking for
-
Applying rules manually doesn't work for multiple messages
I've been using Mail for some time now and love rules. Love 'em. A few months ago I started having touble and have not been able to figure it out. The rules get applied to new incoming messages properly, as they should. However, I used to be able to
-
Sub-folders of images under a master folder have disappeared
The folders are under a master folder, and another sub-folder (at the same level) has remained. I have already processed the files and exported JPGs, which also used to be there but now are not. I have not moved anything or had a crash. I am on a Win
-
Dear all, Would you tell me how to check out whether a database instance is a shared or a dedicated server? Thanks
-
I need selution for this massage
hi apple my problem if i go to update my app i see this massage (There was an error in the App Store. Please try again later. (13) ) pleas send to me the selution for this and thanks Mthaqafy
-
Hell all, Does anyone know how to determine the amount of LDOMS one can create on a T5220 with 1 Quad core running Sybase 12.5. I understand there are many factors in the type of database but in general are there best practices or guidelines to follo