Synchronization of OID and Novell Edirectory

I set up OID to synchronize with Novell eDirectory using dipassistant, bootstrapped it and ran ODISRV with the correct configuration number. Novell eDirectory is leading; admin is done in eDirectory only. Authentication is done through external authentication at the eDirectory. Works too.
Adding users, groups and users to groups works fine. Even removing users from groups works OK. The only thing that does not work is deleting users or groups. They still exist in OID after removing them from eDirectory.
I tried setting the 'check all entries' configuration parameter to true: no results.
Set the debug level to 511: I get debug info, but deletions are not detected at all.
Any ideas, anyone?
Robbert van der Hoorn
OSA it Automation

Part of the problem solved. This is a weird situation: although creating new entries is done every 60 seconds, reconciliation is done once a day (24 hours, i.e. 86400 seconds).
This explains (half) the sudden error message I get: after failing to delete one of the groups, reconcile stops. This group failed to delete for some reason, maybe because it came from a different bootstrapped profile, and domain mapping rules failed on this group. After manually deleting some problematic groups, reconcile works.
The weird thing however is this: the reconciliation period parameter IS NOT SHOWN in Oracle Directory Manager 10.1.4!!! (Tried 2 installations, on Windows Server 2003!) Using OID Manager 10.1.2 (same platform) however showed me this parameter, and after setting it to 60 seconds, reconcile does show up and log in the .aud files every minute (which one may not want to run every minute in production situations, of course). I know (now) this interval can be set using dipassistant.
Once reconcile is running, I get a new error in my trace file:
Unable to delete the entry :cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl as the binddn doesnot have permission to delete it javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'
[LDAP: error code 50 - Insufficient Access Rights]
Exception in reconcile()null
[LDAP: error code 50 - Insufficient Access Rights]
testImport : Error in executing reconciler: null
javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'
Update: problem occurs with groups only. Users can be reconciled perfectly.
The bind DN in this case is orcladmin... ideas?
Thanks,
Robbert
(Problem not completely solved after all)
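The trace above is the kind of thing to grep rather than read. An added example (mine, not from the thread and not Oracle's code) of a small triage script: it pulls the LDAP result code and the affected DN out of JNDI-style exception lines and counts failures per parent container, which is how the "groups only" observation becomes visible from the trace itself. The sample trace is constructed from the lines quoted above plus one invented second group entry.

```python
"""
Triage helper for an Oracle DIP (odisrv) trace: pulls the LDAP result code and
the affected DN out of JNDI-style exception lines and counts failures per
parent container, so a "groups fail, users succeed" pattern shows up directly.
Added example, not Oracle's code; the sample trace is constructed after the
lines quoted in the thread (the agroup2 line is invented to show grouping).
"""
import re
from collections import Counter

# Subset of RFC 4511 result codes that typically appear in sync traces.
LDAP_RESULT_CODES = {
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

# JNDI renders an LDAP failure as "[LDAP: error code N - text]" and, when the
# operation named an entry, appends "; remaining name '<dn>'".
_LINE_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<text>[^\]]*)\]"
    r"(?:; remaining name '(?P<dn>[^']*)')?"
)

SAMPLE_TRACE = [
    "Unable to delete the entry :cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl "
    "as the binddn doesnot have permission to delete it "
    "javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; "
    "remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'",
    "[LDAP: error code 50 - Insufficient Access Rights]",
    "Exception in reconcile()null",
    "[LDAP: error code 50 - Insufficient Access Rights]",
    "testImport : Error in executing reconciler: null",
    "javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; "
    "remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'",
    # Constructed second group so the per-container count covers more than one entry.
    "javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; "
    "remaining name 'cn=agroup2,cn=roc,cn=groups,dc=rocvantwente,dc=nl'",
]


def parse_failures(trace_lines):
    """Return (code, symbolic name, dn-or-None) for each line carrying a result code."""
    found = []
    for line in trace_lines:
        m = _LINE_RE.search(line)
        if m:
            code = int(m.group("code"))
            found.append((code, LDAP_RESULT_CODES.get(code, "unknown"), m.group("dn")))
    return found


def parent_dn(dn):
    """Drop the leading RDN: 'cn=a,cn=groups,dc=x' -> 'cn=groups,dc=x'.
    A plain split is enough for DNs without escaped commas."""
    head, sep, rest = dn.partition(",")
    return rest if sep else ""


def summarize(trace_lines):
    """Failures per (result code, parent container). Lines that carry a code but
    no DN are counted under the empty container so they are not lost."""
    counts = Counter()
    for code, _, dn in parse_failures(trace_lines):
        counts[(code, parent_dn(dn) if dn else "")] += 1
    return counts


if __name__ == "__main__":
    for (code, container), n in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"code {code} ({LDAP_RESULT_CODES.get(code, 'unknown')}) "
              f"x{n} under '{container or '<no DN in line>'}'")
```

Run against a real .trc file, feed `open(path)` to `summarize()` instead of `SAMPLE_TRACE`; a count that sits entirely under `cn=groups` while `cn=users` is absent is the ACL question to take to the directory, not a reconciler bug.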

Similar Messages

  • Password synchronization between OID and AD - 10.1.2

    Hi,
    I've some questions about the following issue:
    I've tried to set up the password synchronization between OID 10.1.2 and Active Directory, with the intent of exporting LDAP users from OID to AD.
    Well, the bootstrap went fine, but when I tried to activate the export of passwords in the activexp.map configuration file,
    I've obtained this:
    *Writer Thread - 0 - [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003  (WILL_NOT_PERFORM), data 0*
    for each entry I tried to export...
    I've opened an SR on Metalink and I've received the following answer:
    "As shown by the synchronization profile, currently you have a mapping for the password from OID to AD.
      userpassword: : :person:unicodepwd: :person:
      According to the documentation, password synchronization requires the directories to be configured for SSL mode:
        http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDEFIED
    18.3.2.8 Synchronizing Passwords
      You can synchronize Oracle Internet Directory passwords with Active Directory.
      You can also make passwords stored in Microsoft Active Directory available in Oracle Internet Directory.
      Password synchronization is possible only when the directories run in SSL mode 2, that is, server-only authentication."
    Is the SSL setup the only way to achieve this, or is there another alternative?
    Thanks

    Yes. It needs to be in SSL.
    http://download-uk.oracle.com/docs/cd/B14099_12/idmanage.1012/b14085/odip_actdir003.htm#CHDCJHHB
    Some excerpts:
    Active Directory Connector uses SSL to secure the synchronization process. Whether or not you synchronize in the SSL mode depends on your deployment requirements. For example, synchronizing public data does not require SSL, but synchronizing sensitive information such as passwords does. To synchronize password changes between Oracle Internet Directory and Microsoft Active Directory, you must use SSL mode with server-only authentication, that is, SSL Mode 2.
    -shetty2k
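Background to the SSL requirement, as an added example that is not part of the original thread and not Oracle's DIP code: Active Directory only accepts a write to unicodePwd over an encrypted connection, and expects the value as the password wrapped in double quotes and encoded UTF-16LE. Over cleartext LDAP the modify is refused with result 53, the WILL_NOT_PERFORM quoted above. The script encodes the value, produces the LDIF that ldapmodify would send over ldaps://, and refuses to build it for a cleartext ldap:// target. The DN, host and password in it are constructed.

```python
"""
Why the OID-to-AD password rule needs SSL: Active Directory only accepts a
write to unicodePwd over an encrypted connection and expects the value as the
password wrapped in double quotes and encoded UTF-16LE. Over cleartext LDAP the
write is refused with result 53 (unwillingToPerform), which is the
WILL_NOT_PERFORM in the thread. Added example, not Oracle DIP code; the DN,
host and password below are constructed.
"""
import base64


def encode_unicode_pwd(password):
    """AD's unicodePwd wire format: the literal password in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value):
    """Inverse of encode_unicode_pwd; used here only to verify the round trip."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def require_encrypted(url, starttls=False):
    """Refuse to prepare a password write for a cleartext ldap:// target.
    ldaps:// or an explicit StartTLS upgrade is required (assumption: the
    caller really performs the StartTLS it claims)."""
    if url.lower().startswith("ldaps://") or starttls:
        return url
    raise ValueError(
        f"refusing to send unicodePwd over cleartext {url}: "
        "AD answers 53 WILL_NOT_PERFORM"
    )


def unicode_pwd_ldif(url, dn, password, starttls=False):
    """LDIF change record that replaces unicodePwd, suitable for
    `ldapmodify -H <url> -f <file>`. The value is binary, so LDIF needs the
    base64 form (double colon)."""
    require_encrypted(url, starttls)
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(unicode_pwd_ldif("ldaps://dc1.example.test:636",
                           "CN=jdoe,CN=Users,DC=example,DC=test", "Ex@mple-Passw0rd"))
```

The encoding is the same one DIP has to produce for the `userpassword -> unicodepwd` rule; the guard is the part the map file cannot express, which is why the profile itself has to be switched to SSL mode 2 rather than the rule merely uncommented.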

  • How to synchronize between OID and the Custom Database  Tables ?

    Hi All,
    Our ADF application is using Oracle Single Sign-On (OAS 10.1.4). Meanwhile we also maintain
    user logins in a database table to store application menu accessibility data.
    i.e.:
    First the user logs in using Oracle SSO; after login, the application queries the above-mentioned
    database tables to determine which menus he/she has access to.
    We have developed a security module to enter user logins into the database, so I need to synchronize
    the data into OID, so that that particular user can use Oracle SSO.
    What is the mechanism to do that?
    Thank you very much,
    xtanto

    Hi,
    OID provides a Java and a PL/SQL API. I agree with Chris that from what you describe, the PL/SQL API seems to be the best approach to take as it allows you to use database triggers for the synchronization.
    Frank

  • OSX 10.6.2 and Novell Netware eDirectory 8.8 SP5

    Ok, forgive the long winded post - but I thought some background would be in order. Briefly, the problem we have is:
    We create a new user in eDirectory, extended them with apple-user,
    add apple-user-homeDirectory of:
    /Network/Servers/<ip of server>/SERVER.VOLUME/HomeDirectory
    and an apple-user-homeurl of:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory
    AFP works fine, I can manually mount this volume with login / password in OSX with Command-K
    LDAP authentication works great.
    After login, no home directory is mounted or exists, so we get an error (login still occurs).
    Now, if I change the apple-user-homeurl to:
    <home_dir><url>afp://<ip of server>/SERVER.VOL</url><path>HomeDirectory</path></home_dir> (this is how an X Serve stores this value in Open Directory) and attempt to login, login fails "because an 'error' occurred"
    If I check the console / system logs on the OSX client, I see:
    authorizationhost[455]: afp home directory mount failed in theEnumerator->Count in AFP_OpenSession: status = Unknown error: -5023
    Now, for the weird part, if I change apple-user-homeurl on the user back to:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory - login then works fine and their home directory is created and they are able to use the Mac normally.
    Any ideas? I will post this to Apple forums as well. If I get any answers I will cross-post them.
    Thanks,
    Joe Jenkins
    ps: Novell, please please please, we really need a working OSX client for Netware / OES!!!
    Background:
    New Netware 6.5SP8 server / eDirectory 8.8 SP5 / latest NMAS
    Latest Novell AFP FTF patch from mid Sept 2009
    Edirectory schema extended and LDAP mappings made with documentation I pieced together on the web. If I browse via ldap, I am seeing proper returns for all the objects I need to login.
    Mount object created in Edirectory for the AFP mount corresponding to users home directories.
    OSX test client is Snow Leopard 10.6.2 (patched this morning, clean install)
    Authentication works fine, client works fine once I do the switcheroo with the apple-user-homeurl as indicated above, AFP mounts work fine in OSX, no weird errors in NMAS/LDAP dstrace, AFPTCP.log etc
    By the way, if anyone else is trying to figure this out, my LDIF and my LDAP template may be of use:
    http://www.nerdnet.com/edirldifandplist.zip
    The LDIF is the Apple schema you apply to your eDirectory to support OS X computers. The template is used by the Directory Utility on OSX for mapping eDirectory values to their OSX values. It's taken me about two weeks of work off and on to get a working set of these, hope they save someone else some time!
    Thanks to whoever wrote the "Integrating Mac OS X and Novell eDirectory" document - it was a great help, as is Randy Saek's posts here and his written document "Mac OS X and Novell eDirectory integration" - with these documents and numerous posts on Novell's forums, I've almost got this working well (these documents are available all over the web, but if you can't find them, let me know and I'll put them on my webserver)
    Cheers,
    Joe Jenkins

    A long winded post deserves a long winded reply! Are you serving the home directories from Novell's AFP file server? If not -- if you're serving them from a Mac server -- then nevermind all this.
    If so, you may need to create a generic mount object in your eDirectory tree (not an AppleShare object -- I've never been able to get that working)
    Get Properties of the mount object and, under the "Other" tab (I'm assuming you're using ConsoleOne) add the following attribute: value pairs (or whatever variations of them are appropriate for you)
    apple-mountDirectory: /Network/Servers
    apple-mountOption: net
    apple-mountOption: url==afp://;AUTH=NO%20USER%[email protected]/staff-network-drive
    (yes, apple-mountOption gets two values! i just wrote the attribute twice for clarity)
    apple-mountType: url
    Once I had this in place I still had to do some fiddling with how to specify the home directory for each user. I settled on
    OSX Home: /Network/Servers/10.9.7.11/student-network-drive/Users/stevejobs
    (you would put this in apple-user-homeDirectory, not OSX Home. We just mapped things a little differently.)
    apple-user-homeurl: <homedir><url>afp://10.9.7.11/student-network-drive</url><path>Users/stevejobs</path> </homedir>
    Note how we have Users/stevejobs in the path section. This is different than how Workgroup Manager will save it, even though it will appear to be the same path if you look at it in WGM (thanks, apple.) Unfortunately the way WGM saves it doesn't work (at least, I couldn't get it to) so you can't use WGM to assign this attribute. I ended up writing a shell script to do it.
    Hope that helps. If you want the shell script, I can probably dig it up but make sure you know what you're doing with it. It is tailored to our system and I didn't bother writing any exception handling, so it could very well nuke your system, call you names and eat your dog.

  • SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

    One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
    Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
    I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
    In the Membership provider name text box I entered "LdapMember"
    In the Role provider name  text box I entered "LdapRole"
    In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    I modified the SecurityTokenServiceApplication web.config with these details
    <system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true">
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    </system.web>
    I modified the web.config of the test application I created with these details
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="cn"
    dnAttribute="dn"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    <membership defaultProvider="i">
    <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    useDNAttribute="true"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    With all of this configured, I can go to the new test site, and I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully log in with Windows authentication, but forms authentication gives me an error.
    The server could not sign you in. Make sure your user name and password are correct, and then try again.
    I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
    8306 - SharePoint Foundation - The security token username and password could not be validated.
    in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
    then this:
    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
    The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
    The LDAP server tells the SharePoint server it is ready to communicate
    the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
    The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
    The LDAP server sends notification that it is done and is closing the connection that was bound to the ldapserviceid+password
    The SharePoint server acknowledges the connection is closing
    ... and then nothing happens, except the error on SharePoint
    What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
    specified in the web.config). That part does not seem to be happening.
    I am at a standstill on this and any help would be greatly appreciated.

    OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
    is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
    for enabling Forms Based Authentication:
    "ASP.NET Membership provider name"
    "ASP.NET Role manager name"
    We entered a name for Membership provider, and left Role manager blank.
    In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword="validpassword"
    useDNAttribute="false"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager>
    <providers>
    </providers>
    </roleManager>
    useDNAttribute="false" turned out to be important as well.
    So, for us to get LDAP authentication working between SharePoint 2010 and Novell eDirectory, we had to:
    leave anything related to the role provider blank
    configure the web.config in three different applications, with the proper connection information to reach our Novell eDir
    Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
    Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
    a non-existent role manager.
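As an added example (not from the post and not part of SharePoint), a small linter for the provider elements above. It flags two things a reviewer would raise against that configuration: useSSL="false" on port 389, which sends the service account's bind and every user's form password to the directory in cleartext, and role provider filters of the form ((ObjectClass=group), which are not well-formed LDAP filters because their parentheses do not balance. The fragment embedded in the script is constructed from the posted configuration with its placeholder values; treating a missing useSSL attribute as false is my assumption.

```python
"""
Config linter for the SharePoint LdapMembershipProvider / LdapRoleProvider
elements posted in the thread. Findings: a cleartext bind (useSSL="false" on
port 389 sends the service account and every user's form password unencrypted),
a cleartext connectionPassword in the file, and LDAP filters whose parentheses
do not balance, which the directory rejects as malformed.
Added example, not part of the original post or of SharePoint; the fragment is
constructed from the posted configuration with its placeholder values.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<system.web>
  <membership>
    <providers>
      <add name="LdapMember"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.server.address" port="389" useSSL="false"
           connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
           connectionPassword="validpassword"
           userDNAttribute="dn" userNameAttribute="cn"
           userContainer="OU=people,O=validobject" userObjectClass="person"
           userFilter="(ObjectClass=person)" scope="Subtree" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add name="LdapRole"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.server.address" port="389" useSSL="false"
           connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
           connectionPassword="validpassword"
           groupContainer="OU=people,O=validobject" groupNameAttribute="cn"
           groupMemberAttribute="member" userNameAttribute="cn" dnAttribute="dn"
           groupFilter="((ObjectClass=group)" userFilter="((ObjectClass=person)"
           scope="Subtree" />
    </providers>
  </roleManager>
</system.web>"""


def filter_is_balanced(flt):
    """True if flt is one parenthesised RFC 4515 expression: parentheses balance,
    depth never goes negative and only returns to zero on the final character."""
    if not flt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False  # a second top-level expression follows
    return depth == 0


def lint_providers(xml_text):
    """Return a list of findings (strings) for every provider under membership and roleManager."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in ("membership", "roleManager"):
        node = root.find(section)
        if node is None:
            continue
        for p in node.findall("providers/add"):
            where = f"{section}/{p.get('name')}"
            target = f"{p.get('server')}:{p.get('port')}"
            # Assumption: an absent useSSL attribute behaves like "false".
            if p.get("useSSL", "false").lower() != "true":
                findings.append(
                    f"{where}: useSSL=false; bind credentials for {p.get('connectionUsername')} "
                    f"and every form login go to {target} in cleartext"
                )
            if p.get("connectionPassword"):
                findings.append(
                    f"{where}: connectionPassword is stored in cleartext; "
                    "encrypt the section (aspnet_regiis -pe) and use a least-privileged bind account"
                )
            for attr in ("userFilter", "groupFilter"):
                flt = p.get(attr)
                if flt is not None and not filter_is_balanced(flt):
                    findings.append(f"{where}: {attr} {flt!r} is not a well-formed LDAP filter")
    return findings


if __name__ == "__main__":
    for finding in lint_providers(SAMPLE_WEB_CONFIG):
        print(finding)
```

To run it over a real web.config, pass the `<system.web>` element's text (or the whole file, with `root.find` adjusted to the path `system.web/membership`) instead of the embedded sample.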

  • OID and MS Active Directory  LDAP information Synchronization

    Do you know how to do the integration between OID and MS Active Directory? How to synchronize the LDAP information between the two?

    Hi, I have the same question.
    Thanks,
    Malin

  • Snow Leopard and Novell Netware Edirectory Howto

    Hello all,
    I've spent the last few weeks piecing together an OS X / Edirectory setup from several documents I've found online and lots of help from users on this and the Netware forums.
    From this I've put together a preliminary HOWTO document that I hope will be useful to others fighting this battle. I've also included my complete Apple schema LDIF and my Edirectory LDAP mappings plist file for use as an OS X Directory Utility template.
    I hope these things help guide others through the headaches and hopefully it helps make more sense out of the process. Thanks to those of you who have helped me figure out the problems along the way.
    If you have any suggestions for this document or the attached files, please let me know. I hope to update it more as I add more Macs to our Novell network and learn more. Enjoy!
    http://www.nerdnet.com/?q=node/88
    Cheers,
    Joe Jenkins
    Davis Tool Inc


  • Issue during integrating OIM 9.1 with novell edirectory 8.8

    Hi,
    We are trying to integrate OIM 9.1 with Novell eDirectory 8.8 using the Novell eDirectory 9.0.4.2 connector.
    While provisioning I am facing the following issue:
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    The user is getting created in OID but not provisioned to eDirectory.
    Thanks in Advance
    Manju

    Hi,
    Thanks for responding.
    I am trying to provision users to Novell eDirectory.
    I create a user in Oracle Identity Manager 9.1, then select the Resource Profile and provision a new resource (to eDirectory 8.8).
    During the last step of provisioning, when I click the Continue button, Oracle Identity Manager throws the error below on the next screen with the message "Provisioning is been initiated". But the user is not created in eDirectory.
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    In the open tasks, a System Validation task is created with the status Pending.
    Please help me to rectify this issue.
    Also let me know whether anyone has tried to integrate Oracle Identity Manager 9.1 with eDirectory 8.8 using the Novell eDirectory 9.0.4.2 connector.
    Thanks

  • Synchronization from OID to AD failed by using ActiveExport profile

    Hi All
    Synchronization from OID to AD fails using the ActiveExport profile,
    and I use a copy of activeexp.map.master that contains:
    DomainRules
    cn=Users,dc=software,dc=raya,dc=corp:CN=Users,DC=twa,DC=com:
    AttributeRules
    # Organizational Unit Mapping
    ou: : :organizationalunit:ou: : organizationalunit
    # Container mapping
    cn: : :orclcontainer: cn: :Container
    #Domain cannot be exported
    #name: : :domain: dc: :domain
    cn:1: :inetorgperson:cn: :User
    cn:1: :inetorgperson:SAMAccountName: :User
    # attribute rule for mapping Active Directory LOGIN id
    #mail: : :person:sn: :User:
    mail: : :person:UserPrincipalName: :User:
    # attribute rule for mapping entry and to create orclUserV2
    # There should be a mapping rule with orcluserv2 objectclass
    # without which the PORTAL may not function properly
    cn: : :inetorgperson:givenname: :person
    givenName: : :person:displayName: :person
    # mail needs to be assigned valid value for default settings in DAS
    mail: : :inetorgperson:mail: :person
    # The next mapping rule is for synchronizing password from OID to AD.
    # Additional configuration is required. Please refer to DIP documentation
    # for details.
    # NOTE - To synchronize password from OID to AD, uncomment the next rule.
    # userpassword: : :person:unicodepwd: :person:
    # Setting useraccountcontrol to "544" (0x220) means
    # 1) regular account 2) password not required 3) user account is enabled
    cn: : :person:useraccountcontrol: :person:"544"
    mobile: : :inetorgperson:mobile: :organizationalperson:
    # GROUP ENTRY MAPPING RULES
    cn: : :orclgroup:cn: :group:
    # This will work successfully only when cn doesn't have any
    # special characters associated with it.
    cn: : :orclgroup:SAMAccountName: :group:
    uniquemember: : :groupofuniquenames:member: :group:
    When I check the log file I find:
    Trace Log Started at Mon Jul 24 07:54:58 EEST 2006
    tampro.Twa.com:389
    rdn value is missing in change record when performing insert operation. Please ensure that required mapping rule is specified in the profile.
    java.lang.NullPointerException
    at oracle.ldap.odip.gsi.ActiveWriter.insert(ActiveWriter.java:286)
    at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:272)
    at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:581)
    at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
    at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:200)
    null
    ActiveExport:Error in Mapping Enginejava.lang.NullPointerException
    java.lang.NullPointerException
    at java.io.Writer.write(Writer.java:126)
    at java.io.PrintStream.write(PrintStream.java:303)
    at java.io.PrintStream.print(PrintStream.java:462)
    at java.io.PrintStream.println(PrintStream.java:599)
    at java.lang.Throwable.printStackTrace(Throwable.java:461)
    at oracle.ldap.odip.engine.ODIException.printStackTrace(ODIException.java:296)
    at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:740)
    at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
    at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:200)
    Updated Attributes
    orclodipLastExecutionTime: 20060724075501
    orclLastAppliedChangeNumber: 3833
    orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
    orclOdipSynchronizationErrors: Unknown Error Encountered
    Sleeping for 1 secs
    Can anyone tell me what I can do?

    If it's a very rare failure, then, as you mentioned, you can skip it.

  • OID and Server 2008 R2 AD

    Hi,
    We have recently decided to upgrade our Active Directory Domain to Server 2008 R2. We use Oracle OID 10g but are experiencing problems pointing OID at a 2008 R2 domain controller because only 250 results are returned. Below is a message we have received from Oracle support blaming Microsoft AD for the problem but we think there may be something else going on.
    Can anyone help us out please?
    Many thanks,
    Tim
    Hello.
    Please have a look at Note 944298.1
    Although DIP synchronization of OID 10g with MS Windows 2008 / AD 2008 may work, it is not officially compatible / certified due to known issues.
    You can try to fix the synchronization but it's possible that may not work, or other components may not work (for example WNA).
    Current error at bootstrap is
    [LDAP: error code 12 - 00002040: SvcErr: DSID-031401E0, problem 5010 (UNAVAIL_EXTENSION)
    This error is thrown by Microsoft AD when searching for more than 250 entries.
    This is an AD issue, and if you would like to fix the uncertified setup, you will need to first raise a case with Microsoft Support for this error.
    For opening a case, more details would need to be provided to Microsoft.
    I have seen the exact same error recently with AD2008 and I know that the problem is with Microsoft's pagination control "1.2.840.113556.1.4.319 (pagedResultsControl)" when reading the second page.
    In order to confirm this before opening a case with Microsoft, please use the following note to capture a network trace during bootstrap and check the controlType of the frame which returns UNAVAIL_EXTENSION.

    Thought I'd follow up with you guys. Been working with Ritesh Mishra at Microsoft. He had us install the patch referenced in KB977180 on our 2008 R2 domain controller followed by a reboot, which did not work by itself. But after adding the following registry key to the 2008 R2 domain controller followed by another reboot, everything started working.
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters
    Add String value “DSA Heuristics”
    Set the value to 000000000001
    I hope this helps.
    Edited by: user13336785 on Aug 4, 2010 12:38 PM

  • Evaluating Xserve to replace Novell eDirectory / Groupwise

    Hello all,
    I just wanted to get a feel for the capabilities of OS X Server. I've recently installed a new Xserve and have it providing DNS / DHCP / NAT / Print / Open Directory and Windows services. Today, I was able to get a Windows machine to authenticate to this machine and set up a roaming profile / home directory (after much research!) We also use Linux clients, and will probably start adding OS X clients to the network as well.
    I am looking to replace our current Novell eDirectory file / print services with OS X Server, and coming from that, I was wondering a couple of things.
    First off, can OS X Server provide automatic drive mapping / mounts to Windows / Linux clients? Currently, when a user logs into our Novell server, they get all their drives mapped automatically as part of a login script. These drives are just shares on the Novell fileserver. I would like to replicate this action for our users with OS X Server. Is this possible?
    Secondly, users logging into Novell get all their printers set up when they connect to the server. They don't have to add them, they just show up. Is there a way to make OS X Server provide the same service to Windows clients?
    Finally, can you set up Open Directory users to only have access to certain printers / drives etc? I know you can set up shares and access lists and all this, but I want to be able to define that by group or by user. For example, I want user X who is a developer to get access only to developer shares and developer printers, so I would think I could set up a group with those privileges and just assign that user to the "group" and they automatically get it. Can this be done in OS X?
    Most of our users are on Windows, and basically I'd love to be able to get away from Novell (particularly license costs) and move to OS X Server, without having to teach 200 users how to add drive mapping and printers and such. I don't want to have to visit 200 workstations either, so I am hoping I can define all this on the server and make it happen per client as they log in. Apple touts OS X Server as a good replacement for Active Directory / Novell eDirectory services so I'm hoping that it lives up to my expectations.
    Anyone care to chime in? Thanks, I look forwarding to making this work!
    Joe Jenkins
    Network Engineer
    Davis Tool Inc
    Xserve   Mac OS X (10.4.10)  

    Hi
    First off, can OS X Server provide automatic drive mapping / mounts to Windows / Linux clients? Currently, when a user logs into our Novell server, they get all their drives mapped automatically as part of a login script. These drives are just shares on the Novell fileserver. I would like to replicate this action for our users with OS X Server. Is this possible?
    If you launch WorkGroup Manager and click on the Windows tab there are settings there that should help you achieve what you want in some way.
    Secondly, users logging into Novell get all their printers set up when they connect to the server. They don't have to add them, they just show up. Is there a way to make OS X Server provide the same service to Windows clients?
    You can apply managed preferences to users defined in the Open Directory node to control what they can access in terms of printers and quotas etc. There are some good 3rd-party add-ons that can augment what is available also.
    Finally, can you set up Open Directory users to only have access to certain printers / drives etc? I know you can set up shares and access lists and all this, but I want to be able to define that by group or by user. For example, I want user X who is a developer to get access only to developer shares and developer printers, so I would think I could set up a group with those privileges and just assign that user to the "group" and they automatically get it. Can this be done in OS X?
    See the previous answer.
    Bear in mind that if these are networked printers on the same IP address range and subnet as the clients then anyone who knows how to add a network printer using Printer Setup Utility and/or has access to the local client admin account could bypass this easily. You could really lock things down by either physically connecting the printers to the server using its second NIC or, if they are USB printers, using a USB hub.
    If they are all the same printer type you could have a Pool of printers.
    For example two to three Epson R800 Printers could be the Epson Pool. Users would access these printers as if they were just one printer. When a client sends a print job the server will spool it to the first printer. If the first printer runs out of paper or ink it will spool to the second printer and so on. The same thing would apply if more than one user decides to print at the same time. First person to the queue would get the first printer and so on. You could have a series of Printer Pools defined for a particular group that only users from that group can use.
    Hope this helps – Tony

  • Siebel SSO Integration with Novell eDirectory

    I am wondering if anyone on this forum has worked with integrating a SSO solution using Novell eDirectory and Siebel. I have personally worked on SSO integrations with Siebel using Cleartrust and Siteminder and they are all basically the same concept however, I am facing issues trying to get the Novell SSO solution to work with Siebel.
    I am using the standard LDAP Security adapter and I can make a basic connection into Siebel using LDAP. When implementing SSO I am using a "header" value and a custom userspec name that is different than the "Remote_Use" name mentioned in the Siebel SSO documentation. With SSO turned on I am successfully able to authenticate and almost get all the way into the home page of Siebel before the IE browser crashes. The SWSE log files, interestingly enough, show that my userspecsource is equal to header and that my userspec is correct and then I see the SISNAPI connection occurring between the Siebel Web Server and the Siebel AOM, but then after the IE browser crashes I see the SWSE log which then tries to pick up Siebel's default userspec "Remote_User" value which is not configured or turned on anywhere from within the application. I was just wondering if anyone else had faced similar issues when integrating Siebel into Novell eDirectory for SSO. I have also reviewed the configuration on Novell's side and they are protecting the correct object manager and are also using the same exact userspec name as what we have defined within the eapps.cfg of Siebel. We are using Siebel 8.1.1. Any ideas or help would be greatly appreciated as I have not gotten much support from my open SR on this issue.

  • Novell eDirectory Target Recon: Unable to search LDAP LDAP: error code 53

    Hi All,
    I am getting following error while running the Novell eDirectory Target Reconciliation in batch mode:
    ERROR,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],Paged Search failed.javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform]; remaining name 'ou=centrica,ou=Regular,o=Infosys'
    DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> ~~~~~~~~~~Entering disconnectFromLDAP()~~~~~~~~~~
    DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> Closing initial directory context
    DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> ~~~~~~~~~~Leaving disconnectFromLDAP()~~~~~~~~~~
    ERROR,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcTskLDAPUserReconciliation] --> execute(): failed. Exception in execute() method.
    javax.naming.NamingException: tcUtilLDAPOperations  -> : NamingException : Unable to search LDAP [[LDAP: error code 53 - Unwilling To Perform]]
         at com.thortech.xl.integration.ldap.util.tcUtilLDAPOperations.search(Unknown Source)
         at com.thortech.xl.util.schedule.tasks.tcTskLDAPUserReconciliation.processChange(tcTskLDAPUserReconciliation.java:2752)
         at com.thortech.xl.util.schedule.tasks.tcTskLDAPUserReconciliation.execute(tcTskLDAPUserReconciliation.java:344)
         at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
         at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
         at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:178)
         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)
    DEBUG,27 Oct 2009 22:59:54,264,[XL_INTG.EDIRECTORY],tcTskLDAPUserReconciliation] --> execute(): exit
    This error is coming only for OUs which have more than 200 entries in them. The
    If anyone has any clue on this problem, then kindly help.
    Cheers,
    Sunny

    See if your e-directory supports paged searches.
    If not then you have to configure your e-directory to support paged searches. I think the connector by default only uses paged searches.
    You need to look for OID 1.2.840.113556.1.4.319 (page control) in supported control list of the rootDSE.
    Hope this helps,
    Sagar
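    The two checks that the Oracle support note above (paged-results control 1.2.840.113556.1.4.319 failing on the second page) and Sagar's reply (look for that OID in the rootDSE's supportedControl) both describe, as an added, stdlib-only example that is not code from either thread: it parses a rootDSE dump for the control OID, and BER-encodes/decodes the RFC 2696 control value (SEQUENCE { size INTEGER, cookie OCTET STRING }) so the controlType and cookie seen in a captured frame can be checked. The two rootDSE texts are constructed samples, not output of a real server.

```python
# Added example: rootDSE capability check and RFC 2696 paged-results control
# value codec, using only the Python standard library. Helper names are mine,
# not part of DIP or the OIM eDirectory connector.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed rootDSE dumps (LDIF-style "attr: value" lines), one advertising
# the paged-results control and one that does not.
AD_ROOTDSE = """
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.2
"""
EDIR_ROOTDSE = """
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
"""

def parse_rootdse(ldif_text):
    """Parse 'attr: value' lines into {attr_lowercase: [values]}."""
    attrs = {}
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def supports_paged_results(ldif_text):
    """True if the rootDSE lists the paged-results control OID."""
    return PAGED_RESULTS_OID in parse_rootdse(ldif_text).get("supportedcontrol", [])

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(value):
    """BER INTEGER: minimal two's-complement, leading 0x00 if the high bit is set."""
    nbytes = max(1, (value.bit_length() + 8) // 8)
    return b"\x02" + _ber_len(nbytes) + value.to_bytes(nbytes, "big", signed=True)

def encode_paged_control(size, cookie=b""):
    """Control value sent with a search: SEQUENCE { size, cookie }."""
    body = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body

def _read_tlv(buf, pos):
    """Read one tag/length/value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_paged_control(value):
    """Return (size, cookie) from a control value taken out of a captured frame."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("paged-results control value must be a SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element must be an INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("second element must be an OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie

def is_last_page(response_value):
    """A server response with an empty cookie means no further pages."""
    return decode_paged_control(response_value)[1] == b""
```

    An empty cookie in the first response followed by an UNAVAIL_EXTENSION on the next request is the pattern the support note says to look for in the trace.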

  • Migration from sun one to novell edirectory

    Hello folks,
    Please share info if anybody has any ideas on how to migrate data from Sun ONE to Novell eDirectory. Help will be appreciated. Thanks

    Does the documentation provide an upgrade path?
    Do you have existing data you need to preserve? If not you should be able to uninstall the old version and install the new one. You should be able to use pkgrm to remove the old one IF it was a package based install.
    The changes you want to do (changing the directory tree and adding a UID) should not require an upgrade.
    It sounds like you need to read the Sun/Oracle provided documentation.
    If you are new to LDAP you should probably look for a general purpose book about LDAP. The Sun/Oracle LDAP server is pretty complicated. You probably want to understand LDAP in general before tackling Oracle's product.

  • OID and Active Directory

    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    2 Marshall data from Active Directory on demand (live link)?
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?

    This is what I have to share with you. For further details refer to the link http://otn.oracle.com/products/oid/index.html and the Oracle Internet Directory Administrator's Guide.
    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
    2 Marshall data from Active Directory on demand (live link)?
    Yes, it's possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in, and use the Directory Integration and Provisioning Assistant.
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    Yes, it's possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On server accordingly.
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?
    Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using the user's Kerberos credentials.
