UC - LDAP integration to Novell eDirectory

Hi,
It looks like UC version 8 does not support Novell eDirectory. Any road map?
Thanks in advance,

I had a similar potential requirement a few months ago and my Cisco SE was able to dig out details of a customer that was using Novell eDirectory. There is an appnote published at the link below:
http://www.novell.com/communities/node/3028/integrating-cisco-unified-call-manager-versions-5-and-6-edirectory
Usual caveats - not supported by TAC etc.
Please rate if helpful.

Similar Messages

  • Siebel SSO Integration with Novell eDirectory

    I am wondering if anyone on this forum has worked with integrating a SSO solution using Novell eDirectory and Siebel. I have personally worked on SSO integrations with Siebel using Cleartrust and Siteminder and they are all basically the same concept however, I am facing issues trying to get the Novell SSO solution to work with Siebel.
    I am using the standard LDAP Security adapter and I can make a basic connection into Siebel using LDAP. When implementing SSO I am using a "header" value and a custom userspec name that is different than the "Remote_Use" name mentioned in the Siebel SSO documentation. With SSO turned on I am successfully able to authenticate and almost get all the way into the home page of Siebel before the IE browser crashes. The SWSE log files, interestingly enough, show that my userspecsource is equal to header and that my userspec is correct, and then I see the SISNAPI connection occurring between the Siebel Web Server and the Siebel AOM, but then after the IE browser crashes I see the SWSE log which then tries to pick up Siebel's default userspec "Remote_User" value, which is not configured or turned on anywhere from within the application. I was just wondering if anyone else had faced similar issues when integrating Siebel into Novell eDirectory for SSO. I have also reviewed the configuration on Novell's side and they are protecting the correct object manager and are also using the same exact userspec name as what we have defined within the eapps.cfg of Siebel. We are using Siebel 8.1.1. Any ideas or help would be greatly appreciated as I have not gotten much support from my open SR on this issue.


  • SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

    One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
    Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
    I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
    In the Membership provider name text box I entered "LdapMember"
    In the Role provider name  text box I entered "LdapRole"
    In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    I modified the SecurityTokenServiceApplication web.config with these details
    <system.web>
    <membership>
    <providers>
    <add name="LdapMemebr"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager enabled="true">
    <providers>
    <add name="LdapRole"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    </system.web>
    I modified the web.config of the test application I created with these details
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    groupContainer="OU=people,O=validobject"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="cn"
    dnAttribute="dn"
    groupFilter="(&amp;(ObjectClass=group))"
    userFilter="(&amp;(ObjectClass=person))"
    scope="Subtree" />
    </providers>
    </roleManager>
    <membership defaultProvider="i">
    <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword= "validpassword"
    useDNAttribute="true"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    With all of this configured, I can go to the new test site, and I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully log in with Windows authentication, but forms authentication gives me an error.
    The server could not sign you in. Make sure your user name and password are correct, and then try again.
    I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
    8306 - SharePoint Foundation - The security token username and password could not be validated.
    in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
    then this:
    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
    The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
    The LDAP server tells the SharePoint server it is ready to communicate
    the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
    The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
    The LDAP server sends notification that it is done and is closing the connection that was bound to the ldapserviceid+password
    The SharePoint server acknowledges the connection is closing
    ... and then nothing happens, except the error on SharePoint
    What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account specified in the web.config). That part does not seem to be happening.
    I am at a standstill on this and any help would be greatly appreciated.

    OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item for enabling Forms Based Authentication:
    "ASP.NET Membership provider name"
    "ASP.NET Role manager name"
    We entered a name for Membership provider, and left Role manager blank.
    In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
    <membership>
    <providers>
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="ldap.server.address"
    port="389"
    useSSL="false"
    connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
    connectionPassword="validpassword"
    useDNAttribute="false"
    userDNAttribute="dn"
    userNameAttribute="cn"
    userContainer="OU=people,O=validobject"
    userObjectClass="person"
    userFilter="(ObjectClass=person)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
    </membership>
    <roleManager>
    <providers>
    </providers>
    </roleManager>
    useDNAttribute="false" turned out to be important as well.
    So, for us to get LDAP authentication working between SharePoint 2010 and Novell eDirectory, we had to:
    leave anything related to the role provider blank
    configure the web.config in three different applications, with the proper connection information to reach our Novell eDir
    ensure that useDNAttribute="false" was used in all three of the modified web.config files.
    Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from a non-existent role manager.
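
An added example, not part of the original posts and not Microsoft's tooling: a small Python check over LDAP provider entries like those quoted above. It flags LDAP without SSL, a service-account password stored in the file, unbalanced LDAP filters, and provider names that differ from the names entered in Central Administration. The sample XML is constructed from the quoted configuration; the function names and finding labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the provider entries quoted in the thread
# (same attribute names; placeholder host, DN and password).
STS_WEB_CONFIG = """
<system.web>
  <membership>
    <providers>
      <add name="LdapMemebr" server="ldap.server.address" port="389" useSSL="false"
           connectionUsername="cn=ldapserviceid,o=validobject"
           connectionPassword="validpassword"
           userFilter="(ObjectClass=person)" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add name="LdapRole" server="ldap.server.address" port="389" useSSL="false"
           connectionUsername="cn=ldapserviceid,o=validobject"
           connectionPassword="validpassword"
           groupFilter="((ObjectClass=group)"
           userFilter="(&amp;(ObjectClass=person))" />
    </providers>
  </roleManager>
</system.web>
"""


def filter_is_balanced(ldap_filter):
    """True when the filter is wrapped in parentheses and every '(' is closed.

    Literal parentheses inside values are escaped as \\28 and \\29 in LDAP
    filters, so every '(' or ')' character seen here is structural.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")


def audit_providers(config_xml, expected_names):
    """Return (provider name, finding) pairs for each LDAP provider entry."""
    findings = []
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if "server" not in add.attrib:
            continue  # not an LDAP provider (e.g. the SPClaimsAuth* entries)
        name = add.get("name", "")
        # Assumption of this example: a missing useSSL is treated as disabled.
        if add.get("useSSL", "false").lower() != "true":
            findings.append((name, "ldap-without-ssl"))
        if add.get("connectionPassword"):
            findings.append((name, "password-in-config"))
        for attr in ("userFilter", "groupFilter"):
            value = add.get(attr)
            if value is not None and not filter_is_balanced(value):
                findings.append((name, "malformed-" + attr))
        if name not in expected_names:
            findings.append((name, "unexpected-provider-name"))
    return findings


if __name__ == "__main__":
    # Names typed into the Central Administration text boxes in the post.
    for provider, finding in audit_providers(STS_WEB_CONFIG, {"LdapMember", "LdapRole"}):
        print(provider, finding)
```

Running the same check over all three web.config files makes a name or filter that differs between them visible before the first login test.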

  • Novell eDirectory Target Recon: Unable to search LDAP LDAP: error code 53

    Hi All,
    I am getting following error while running the Novell eDirectory Target Reconciliation in batch mode:
    *ERROR,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],Paged Search failed.javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform]; remaining name 'ou=centrica,ou=Regular,o=Infosys'*
    *DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> ~~~~~~~~~~Entering disconnectFromLDAP()~~~~~~~~~~*
    *DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> Closing initial directory context*
    *DEBUG,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcUtilLDAPOperations -> ~~~~~~~~~~Leaving disconnectFromLDAP()~~~~~~~~~~*
    *ERROR,27 Oct 2009 22:59:54,263,[XL_INTG.EDIRECTORY],tcTskLDAPUserReconciliation] --> execute(): failed. Exception in execute() method.*
    *javax.naming.NamingException: tcUtilLDAPOperations  -> : NamingException : Unable to search LDAP [[LDAP: error code 53 - Unwilling To Perform]]*
    *     at com.thortech.xl.integration.ldap.util.tcUtilLDAPOperations.search(Unknown Source)*
    *     at com.thortech.xl.util.schedule.tasks.tcTskLDAPUserReconciliation.processChange(tcTskLDAPUserReconciliation.java:2752)*
    *     at com.thortech.xl.util.schedule.tasks.tcTskLDAPUserReconciliation.execute(tcTskLDAPUserReconciliation.java:344)*
    *     at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)*
    *     at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)*
    *     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)*
    *     at weblogic.security.service.SecurityManager.runAs(Unknown Source)*
    *     at weblogic.security.Security.runAs(Security.java:41)*
    *     at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)*
    *     at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)*
    *     at org.quartz.core.JobRunShell.run(JobRunShell.java:178)*
    *     at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:477)*
    *DEBUG,27 Oct 2009 22:59:54,264,[XL_INTG.EDIRECTORY],tcTskLDAPUserReconciliation] --> execute(): exit*
    This error is coming only for OU's which have more than 200 entries in them. The
    if anyone has any clue on this problem, then kindly help.
    Cheers,
    Sunny

    See if your e-directory supports paged searches.
    If not then you have to configure your e-directory to support paged searches. I think the connector by default only uses paged searches.
    You need to look for OID 1.2.840.113556.1.4.319 (page control) in supported control list of the rootDSE.
    Hope this helps,
    Sagar
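
An added example, not part of the original thread or of the connector: a Python reader for rootDSE output in LDIF form that reports whether the paged-results control OID named in the reply is listed under supportedControl. The LDIF samples are constructed, the function names are this example's own, and the `ldapsearch` command in the comment is one common way to obtain such output.

```python
import base64

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # OID named in the reply above

# Constructed rootDSE samples in LDIF form, shaped like the output of e.g.
#   ldapsearch -x -H ldap://HOST -s base -b "" supportedControl
# One value is folded across two lines and one is base64-encoded so that
# both LDIF encodings are exercised.
WITH_PAGING = (
    "dn:\n"
    "supportedControl: 2.16.840.1.113730.3.4.2\n"
    "supportedControl: 1.2.840.113556.1.4.\n"
    " 319\n"
    "supportedControl: 1.2.840.113556.1.4.473\n"
)
WITHOUT_PAGING = (
    "dn:\n"
    "supportedControl: 2.16.840.1.113730.3.4.2\n"
    "supportedControl:: "
    + base64.b64encode(b"1.2.840.113556.1.4.473").decode("ascii")
    + "\n"
)


def ldif_values(ldif_text, attribute):
    """Return all values of one attribute from a single LDIF entry."""
    # Unfold first: a line that starts with one space continues the
    # previous line, with that leading space removed.
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw:
            logical.append(raw)

    values = []
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attribute.lower():
            continue  # other attributes, "dn:", and "#" comments
        if rest.startswith(":"):
            # "attr:: <base64>" form
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def supports_paged_results(rootdse_ldif):
    """True when the server advertises the paged-results control."""
    return PAGED_RESULTS_OID in ldif_values(rootdse_ldif, "supportedControl")


if __name__ == "__main__":
    print("sample with paging:", supports_paged_results(WITH_PAGING))
    print("sample without paging:", supports_paged_results(WITHOUT_PAGING))
```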

  • Issue during integrating OIM 9.1 with novell edirectory 8.8

    Hi,
    We are trying to integrate OIM 9.1 with Novell edirectory 8.8 using novell edirectory 9.0.4.2 connector.
    While provisioning I am facing the following issue:
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    User is getting created OID but not provisioned to edirectory.
    Thanks in Advance
    Manju

    Hi,
    Thanks for responding.
    I am trying to provision users to novell edirectory.
    I create a user in Oracle Identity Manager 9.1, then select the Resource profile and provision a new resource (to edirectory 8.8).
    During the last step of provisioning, when I click the continue button, Oracle Identity Manager throws the below error in the next screen with the message "Provisioning is been initiated". But the user is not created in the edirectory.
    DOBJ.THROWABLE_IN_SAVE Unhandled throwable java.lang.NoClassDefFoundError in com.thortech.xl.dataobj.tcScheduleItem's save.
    In the open tasks, System Validation task is created with the status Pending.
    Please help me to rectify this issue.
    Also let me know whether anyone has tried to integrate Oracle Identity Manager 9.1 with edirectory 8.8 using the Novell edirectory 9.0.4.2 connector.
    Thanks

  • LDAP Integration

    Background:
    The most recent Novell eDirectory has something called LUM (Linux User Management) that automatically manages UNIX attributes for login. With some simple attribute mappings we have authentication working. All in all, configuring our first workstation took 10 minutes with no schema extensions or anything. Obviously we are missing workgroup manager... so not finished yet
    We have a login script that creates a profile and assigns permissions. In the GUI everything appears to be correct with the correct User and Group ownerships. However in the console File System rights show the numeric GID and not the alphanumeric translation from LDAP. The translation works for user in both GUI and console. Anyone any idea what we missed?
    Thanks for your help
    Chris

    Hi Adam,
    We ran in to the same scenario, and had to get a custom SSO event delivered by nS professional services.  It's a bit of a pain, as samAccountName can be duplicated across different domains.
    We set our BindDN in our LDAP configuration to be the parent domain; and our SSO event does the rest.  Buzz me if you'd like to discuss any further!
    Cheers,
    Ant

  • Migration from sun one to novell edirectory

    hello folks,
    Please share info if anybody has any ideas on how to migrate data from sun one to novell edirectory. Help will be appreciated. Thanks

    Does the documentation provide an upgrade path?
    Do you have existing data you need to preserve? If not you should be able to uninstall the old version and install the new one. You should be able to use pkgrm to remove the old one IF it was a package based install.
    The changes you want to do (changing the directory tree and adding a UID) should not require an upgrade.
    It sounds like you need to read the Sun/Oracle provided documentation.
    If you are new to LDAP you should probably look for a general purpose book about LDAP. The Sun/Oracle LDAP server is pretty complicated. You probably want to understand LDAP in general before tackling an Oracle product.

  • Synchronization of OID and Novell Edirectory

    I did set up OID to synchronize with Novell edirectory using dipassistant, bootstrapped it and ran ODISRV with the correct configuration number. Novell edirectory is leading, admin is done in edirectory only. Authentication is done through external authentication at the edirectory. Works too.
    Adding users, groups and users to groups works fine. Even removing users from groups works ok. The only thing that does not work is deleting users or groups. They still exist in OID after removing them from edirectory.
    I tried setting the 'check all entries' configuration parameter to true: no results.
    Set the debug level to 511: I get debug info, but deletions are not detected at all.
    Any ideas, anyone?
    Robbert van der Hoorn
    OSA it Automation

    Part of the problem solved. This is a weird situation: although creating new entries is done every 60 seconds, reconciliation is done once a day (24 hrs, i.e. 86400 seconds..).
    This explains (half) the sudden error message I get: after failing deleting one of the groups, reconcile stops. This group failed to delete for some reason, maybe because it came from a different bootstrapped profile, and domain mapping rules failed on this group. After deleting manually some problematic groups, reconcile works.
    The weird thing however is this: the reconciliation period parameter IS NOT SHOWN in Oracle Directory Manager 10.1.4!!! (Tried 2 installations on Windows Server 2003!) Using OID Manager 10.1.2 (same platform) however showed me this parameter, and after setting it to 60 seconds, reconcile does show up and log in the .aud files every minute (which may not be desired to run every minute in prod. situations of course). I know (now) this interval can be set using dipassistant.
    Once reconcile is running, I get a new error in my trace file:
    Unable to delete the entry :cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl as the binddn doesnot have permission to delete it javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'
    [LDAP: error code 50 - Insufficient Access Rights]
    Exception in reconcile()null
    [LDAP: error code 50 - Insufficient Access Rights]
    testImport : Error in executing reconciler: null
    javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=agroup1,cn=roc,cn=groups,dc=rocvantwente,dc=nl'
    Update: problem occurs with groups only. Users can be reconciled perfectly.
    The bind dn in this case is orcladmin.... ideas?
    Thanks,
    Robbert
    Message was edited by:
    Robbert van der Hoorn
    (Problem not completely solved after all)

  • Novell eDirectory load balancing

    Dear community,
    we use Novell eDirectory (LDAP)  to verify our users in the portal.
    We are Running SSL over port 636.
    The new situation is that the LDAP colleagues implemented load balancing.
    The problem now is that the certificate from the machine responsible for the load balancing does not contain any servername in the CN, compared to the (OLD) direct access to LDAP where the certificate contained a name CN=severname.domain.
    The new certificate only contains an O=name and OU=Organizational CA.
    For the definitions in the UME a servername is needed in the certificate .  Otherwise the connection check returns an error.

    Answer to my question: http://ieoc.com/forums/p/26385/218976.aspx#218976

  • UCCX 7.0.1SR5 to 8.0 upgrade while also adding LDAP integration for CUCM - what happens to agents and Historical Reporting data?

    Current State:
    •    I have a customer running CUCM 6.1 and UCCX 7.01SR5.  Currently their CUCM is *NOT* LDAP integrated and using local accounts only.  UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
    •    The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
    Goal:
    •    Upgrade software versions and migrate to new hardware for UCCX
    •    LDAP integrate the CUCM users
    Desired Future State and Proposed Upgrade Method
    Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server. 
    Then during a weekend maintenance window……
    •    Upgrade the CUCM cluster from 6.1 to 8.0 in 2 step process
    •    Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
    •    Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
    •    Restore the data from the UCCX PUT tool
    •    Continue setup per documentation
    At this point does UCCX see these agents as the same as they were before?
    Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
    I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
    We can simplify this question along these lines
    Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01.  Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software. 
    If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens? 
    I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
    What would historical reporting show in this case?  A set of old agents and a set of new agents treated differently?
    Has anyone run into this before?
    Is my goal possible while keeping the agent configuration and HR data as it was before?

    I was doing some more research looking at the DB schema for UCCX 8.
    Looking at the Resource table in UCCX, it looks like there is primary key that represents each user.
    My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
    How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
    Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
    Database table name: Resource
    The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
    A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.

  • Enterprise Portal - MDM - LDAP integration

    We are successfully able to integrate Portal to MDM with a trusted connection and with portal users existing in LDAP and mdm users existing in MDM console.
    We also successfully integrated MDM with LDAP so that we don't have to store users in console, but manage them in LDAP. But once we did the LDAP integration, the portal to MDM connection was lost, saying mdm user details could not be retrieved.
    Has anybody faced this issue? What key steps need to be taken care of during MDM-LDAP integration?

    Hi goerge,
    Whenever we integrate MDM with LDAP, we need to make a setting in the MDS.ini file.
    Please check the "User Identifier" setting in MDS.ini file.
    Typically this should be The name of the LDAP id field which will match the value the user provides as the Username at logon.
    Make the entry in MDS.ini like User Identifier = cn or SamAccountName.
    If that is done, please verify other parameters corresponding to LDAP in MDS.ini as per the table 91 in Page no 291 in MDM Console reference guide.
    Or refer to the SAP note 1635338 for reference which is pointing to same issue.
    This should solve your problem.
    Regards,
    Sravan

  • NDS error: duplicate value (-614) on Generic LDAP Export to NetIQ eDirectory

    Dear community,
    using the Generic LDAP Agent, the latest eDirectory (8.8.SP8 (20806.01) and FIM Version (4.1.3627.0)) I encounter the following problem in very special situations (namely when the value in eDirectory only differs from the FIM value by different upper/lower case letters):
    NDS error: duplicate value (-614)
    DirectoryOperationException: (0) 0 Server Message: The attribute exists or the value has been assigned.

    I don't see that as a problem, when it is in fact doing string comparison.  You may need to write an advanced flow rule to simply say something like this
    CSHARP Snippet.  (if not equal, case does not matter)
    // Only flow the value when it differs by more than letter case.
    if (!csentry["co"].Value.ToUpper().Equals(mventry["co"].Value.ToUpper()))
        csentry["co"].Value = mventry["co"].Value;
    Nosh Mernacaj, Identity Management Specialist

  • LDAP Integration with CUCM 9.0

    We would like to use LDAP to sync all of our users from Active Directory.  All of our current CM Users are local, the problem is that they have the same user names as our Active Directory users.  From what I understand this is going to be a problem because:
    "If accounts from LDAP match an existing Unified CM account that is not marked as an LDAP synchronized account, then these accounts are ignored."
    Does that mean we will have to delete all our existing CM users in order to sync the LDAP users correctly?  Is there a best practice for this?  Once we synchronize the LDAP users, how do I ensure that the user gets associated with the proper phone?  Or do I have to visit each user individually?

    I just did a quick test for this, my lab CUCM 9 is already LDAP integrated, but I created a local user, then I created that same local user in my LDAP OU, and performed a full sync.
    The user is no longer showing as a local active user, but as an active LDAP synchronized user.
    Which was my thought, there's only one conversion, from LDAP to local.
    The behavior is just as with any previous release, local users who match an LDAP user after you enable it, are just updated, and kept with all their configurations.
    I checked the option to turn it back again into a local user, did a full sync, and it's again an active LDAP user.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use in the authorization, and the ISE also cannot find a group if I search for it directly.
    What I mean here is that I can fetch the first 100 groups from the top of the directory, but when I search, for example, for any group (whether it appears on the list or not), the ISE does not find it.
    I even tried to change the base DN and the search DN, but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • Evaluating Xserve to replace Novell eDirectory / Groupwise

    Hello all,
    I just wanted to get a feel for the capabilities of OS X Server. I've recently installed a new Xserve and have it providing DNS / DHCP / NAT / Print / Open Directory and Windows services. Today, I was able to get a Windows machine to authenticate to this machine and set up a roaming profile / home directory (after much research!) We also use Linux clients, and will probably start adding OS X clients to the network as well.
    I am looking to replace our current Novell eDirectory file / print services with OS X Server, and coming from that, I was wondering a couple of things.
    First off, can OS X Server provide automatic drive mapping / mounts to Windows / Linux clients? Currently, when a user logs into our Novell server, they get all their drives mapped automatically as part of a login script. These drives are just shares on the Novell fileserver. I would like to replicate this action for our users with OS X Server. Is this possible?
    Secondly, users logging into Novell get all their printers set up when they connect to the server. They don't have to add them, they just show up. Is there a way to make OS X Server provide the same service to Windows clients?
    Finally, can you set up Open Directory users to only have access to certain printers / drives etc? I know you can set up shares and access lists and all this, but I want to be able to define that by group or by user. For example, I want user X who is a developer to get access only to developer shares and developer printers, so I would think I could set up a group with those privileges and just assign that user to the "group" and they automatically get it. Can this be done in OS X?
    Most of our users are on Windows, and basically I'd love to be able to get away from Novell (particularly license costs) and move to OS X Server, without having to teach 200 users how to add drive mapping and printers and such. I don't want to have to visit 200 workstations either, so I am hoping I can define all this on the server and make it happen per client as they log in. Apple touts OS X Server as a good replacement for Active Directory / Novell eDirectory services so I'm hoping that it lives up to my expectations.
    Anyone care to chime in? Thanks, I look forward to making this work!
    Joe Jenkins
    Network Engineer
    Davis Tool Inc
    Xserve   Mac OS X (10.4.10)  

    Hi
    > First off, can OS X Server provide automatic drive mapping / mounts to Windows / Linux clients? Currently, when a user logs into our Novell server, they get all their drives mapped automatically as part of a login script. These drives are just shares on the Novell fileserver. I would like to replicate this action for our users with OS X Server. Is this possible?
    If you launch WorkGroup Manager and click on the Windows tab there are settings there that should help you achieve what you want in some way.
    > Secondly, users logging into Novell get all their printers set up when they connect to the server. They don't have to add them, they just show up. Is there a way to make OS X Server provide the same service to Windows clients?
    You can apply managed preferences for what users defined in the Open Directory node can access in terms of printers, quotas, etc. There are some good 3rd-party add-ons that can augment what is available also.
    > Finally, can you set up Open Directory users to only have access to certain printers / drives etc? I know you can set up shares and access lists and all this, but I want to be able to define that by group or by user. For example, I want user X who is a developer to get access only to developer shares and developer printers, so I would think I could set up a group with those privileges and just assign that user to the "group" and they automatically get it. Can this be done in OS X?
    See the previous answer.
    Bear in mind that if these are networked printers on the same IP address range and subnet as the clients, then anyone who knows how to add a network printer using Printer Setup Utility and/or has access to the local client admin account could bypass this easily. You could really lock things down by either physically connecting the printers to the server using its second NIC or, if they are USB printers, using a USB hub.
    If they are all the same printer type you could have a Pool of printers.
    For example two to three Epson R800 Printers could be the Epson Pool. Users would access these printers as if they were just one printer. When a client sends a print job the server will spool it to the first printer. If the first printer runs out of paper or ink it will spool to the second printer and so on. The same thing would apply if more than one user decides to print at the same time. First person to the queue would get the first printer and so on. You could have a series of Printer Pools defined for a particular group that only users from that group can use.
    Hope this helps – Tony
