UCM 6.1 LDAP Directory Integration

What happens if I enable, and then disable, the LDAP Directory Integration?
Do I lose all the users?
I ask because I will see how many users may be inactive.

The new directory sync takes a copy of the directory into the server, so all the users will still be in the directory.
You can find more here:
LDAP Directory Integration
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/6x/directry.html
HTH
javalenc
if this helps, please rate

Similar Messages

  • Integrating Flat File data to LDAP Directory using sunopsis driver

    Hello
    I need to import data from a csv file into an LDAP Directory.
    In order to achieve this, I used the Demo physical and logical File data server (called FILE_GENERIC) and set up a new LDAP data server using the tutorial "Oracle Data Integrator Driver for LDAP - User's Manual".
    I can manually see and update data on both file and LDAP datastores.
    The fact is that I cannot manage to import/update data from the file to the LDAP directory through a dedicated interface.
    The issue does, I think, come from the PK/FK used by the sunopsis relational model to represent the directory.
    The LDAP DN is represented by a set of two tables representing, in my example, the organizational units on the one hand and the persons on the other hand, linking them through an FK in persons to the auto-generated PK in organization units. My person table also has an auto-generated PK. All the directory datastore tables have been reversed through ODI.
    In my interface, I always use my cn as the update key.
    I first tried not to map the person PK in the interface, letting the driver generate it for me (or mapping a null PK). I then caught in operator a message like: " null : java.sql.SQLException: Try to insert null into a non-nullable column".
    Anyway, the first row is created in the directory and a new PK is given in the ODI datastore. Curiously, this is not, as I would presume, the last PK value + 1.
    There are some kinds of gaps in the ID sequences.
    I even tried checking the "tolerated error" in the IKM step called "Insert new row". I'm using the IKM shipped with ODI: "IKM SQL Incremental Update". The sequence is finished in operator but due, I guess, to the caught error, the other rows are not processed. (Anyway, I shouldn't have to tolerate errors.)
    I tried after that to put unused custom PK values into my file, then map the PK column to the LDAP datastore PK column, without much success: only one row is processed. Furthermore, the id of the PK in the datastore is different from the one I put in the file.
    I finally tried to generate PK values through SQL instructions by creating new steps in the IKM module, but that did not work much.
    I really do not see any other ideas to either have the driver construct a new PK at insert/update or to make it ignore the null PK problem and process all the rows.
    If anyone does have an idea about it, please share...
    Greetings,
    Adrien

    Hi,
    I am facing an issue which is probably the same.
    Using ODI 10.1.3.5, I can't insert new rows into my openLDAP.
    One of the points I see is that the execution takes the LDAP server as the staging area and wants to create the I$ table in it, so the data are already imported into the LDAP server.
    Thanks for any help.

  • Integrating standalone OC with existing 3rd party LDAP directory question

    Hello everyone,
    We have a standalone version 9 Oracle Calendar server with an internal directory. We also have an existing enterprise-wide LDAP directory. We would like to integrate them together, with as few changes to our existing LDAP schema as possible. Has anyone dealt with this issue before? Are there any documents out there describing how to deal with such a situation? What if we upgrade to OC version 10 first?
    Thanks

    Migration might be tricky -
    We've been running Calendar since the Netscape era with external LDAP. Basically user's preferences are stored in LDAP, though these can be 'regenerated' on the fly by the client using defaults.
    You will need to modify the schema, but it's as simple as loading the supplied schema file.
    Data itself is still maintained in the internal DB. The link between the DB and LDAP is done via the calendar ID number which gets stored in the user's entry in LDAP.
    I don't think it would matter on upgrading OC to 10 or not, since the upgrade would not modify anything on the LDAP side (schema has not changed).
    You should set up a test environment and test it out...

  • Workflow reviewers in an ldap directory

    Hi,
    I have integrated an LDAP directory with UCM as the user/group store.
    I need to create a criteria workflow where the initial reviewer(s) are actually users in the LDAP directory. After the initial review, it would be escalated to another higher level group of users, also in the LDAP directory.
    i) In this case, how would I be able to have UCM search the LDAP store as reviewers? I don't recall idoc script being able to do this.
    ii) What would be the best practice to accomplish this?
    Thanks.

    Blake,
    If I am using a web application model, I would use the following to allow
    "everyone" in my LDAP server to get into certain areas of web applications:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>GeneralEmployee</web-resource-name>
        <description>Employee Resource</description>
        <url-pattern>/process/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>Employees only</description>
        <role-name>everyone</role-name>
      </auth-constraint>
    </security-constraint>
    If you are allowing access to this servlet, I would try:
    weblogic.allow.execute.weblogic.servlet.servlets/iclientservlet=bseely,everyone
    Ken
    "Blake Seely" <[email protected]> wrote in message
    news:3b4c9003$[email protected]..
    >
    <sigh>it's already been a long day: my number is 877-870-4718
    Thanks again,
    Blake
    "Blake Seely" <[email protected]> wrote:
    I have a servlet set up on a WebLogic 5.1 SP 8 server running on NT 4. I want that servlet protected so that only company employees defined in our Netscape LDAP directory can log in.
    If I just want a single user to access, then my access controls for the servlet are:
    weblogic.httpd.register.servlets/iclientservlet=iclientservlet
    weblogic.allow.execute.weblogic.servlet.servlets/iclientservlet=bseely
    I have set up the LDAP Realm (ldaprealm.properties is attached) and this works fine for one user. (All lookups, access, etc. are anonymous on this directory, so I didn't specify any principals or passwords.)
    But now I need to specify that any user who is in the directory can access the servlet - how do I do that? What do I list in the weblogic.allow.execute... line? How do I need to change my ldaprealm.properties?
    Thanks - any help appreciated. If anyone has time to give me a call, I would appreciate that, too.

  • Connecting MDM to a LDAP directory (IDM)

    Hi experts,
    Has anybody already connected MDM to an LDAP directory? I have a requirement to integrate MDM with IDM (Novell). The IDM should maintain users and groups of MDM.
    Also, is there any way to connect UME on the MDM user and groups database? This solution is also valid once the IDM is already integrated with EP.
    Thanks in advance,
    Armando Martines Neto

    Hi Armando,
    MDM integration with LDAP is supported in MDM 7.1; you can configure and use LDAP as a datasource for users and roles. You can create a custom attribute in LDAP to identify the MDM Roles. Refer to the MDM Console Reference Guide for the procedure.
    Regarding your second question, if you have configured the same LDAP ds in portal also, then you can use Trusted Connections to enable SSO between portal and MDM.
    Hope this helps!!
    Cheers,
    Arafat

  • Directory Integration Platform Configuration Assistant hanging

    Hi,
    Installing 10gAS (10.1.2.0.2) infrastructure on Linux ES4 (64-bit) - High Availability cluster, node 1.
    The Directory Integration Platform CA is hanging when I retry it, it having previously failed probably due to a Load Balancer config error on my part (I had a timeout set too low (30s) and got "Broken Pipe" error message).
    Having fixed this LB config, hit retry on the CA (still in the OUI) but it is just hanging.
    Tried deleting the /tmp/EM_CONFIG_INSTALL.lk file, as per the install doc, and retrying but no success.
    I am on retry attempt no. 7 and previous attempt (I think attempt no. 4) reported the following in dipca.log:
    oracle.ldap.oidinstall.backend.OIDCAException: Invalid Credentials
    at oracle.ldap.oidinstall.backend.OIDConfiguration.sslbind(OIDConfiguration.java:814)
    at oracle.ldap.oidinstall.backend.OIDConfiguration.<init>(OIDConfiguration.java:144)
    at oracle.ldap.oidinstall.backend.OIDConfigWrapper.configDIP(OIDConfigWrapper.java:463)
    This log has not been written to since this attempt.
    Any ideas?
    Thanks,
    Gavin

    Hi,
    If the SSOCA fails, you may notice a Java Stack Trace. Can you please post the Java Stack Trace too? It might give a clue about the problem.
    Regards,
    Sandeep

  • Directory Integration Platform Configuration Assistant - Invalid Credential

    O/S: SuSE Enterprise 9
    Situation: During the installer for Oracle Application Server 10g Basic Installation/Portal, I see the following error:
    "Directory Integration Platform Configuration failed. Please see lofile file: /home/oracle/product/10.1.2/OracleAS/infra/ldap/log/dipca.log"
    A review of dipca.log shows the following:
    "oracle.ldap.oidinstall.backend.OIDCAException: Invalid Credentials at oracle.ldap.oidinstall.backend.OIDConfiguration.sslbind(OIDConfiguration.java:787"
    The user authentication method set up on the server was local (/etc/passwd). Could this be my issue? If so, how do I correct it? Any thoughts as to what the issue is?

    You can have the BI, J2EE and webcache in a single midtier. That should not be an issue.
    The password for b2b stored in OID may be out of sync with the password you have set. Please find out what is the password in OID and then reset your b2b schema password with the password stored in OID. The way to locate the b2b password in OID is as follows:
    Login to OID and traverse through the following nodes:
    Entry Management | cn=OracleContext | Products | IAS | IAS Infrastructure Database | orclReferenceName | orclResourceName=B2B
    Hope this will resolve your problem,
    Eng

  • Insufficient access rights registering Oracle Directory Integration Server

    Hi all!
    These are the steps I've done to use the Oracle Directory Integration Server. (I've installed Oracle 10g infrastructure - OID is running - I'm also able to apply successfully with ODM and the orcladmin account.)
    - oidctl connect=mydb1 server=odisrv instance=1 stop
    - odisrvreg -h localhost -p 389 -D cn=orcladmin,cn=Users,dc=localhost;dc=com -w ,pass
    where pass is the password of orcladmin.
    -> now I get the following error:
    registering..
    Error javax.naming.NoPermissionException [LDAP:error code 50: Insufficient Access Rights]; remaining name 'cn=odisrv+orclhostname=maschine,cn=odi,cn=oracle internet directory' !
    Any idea ??
    Thanks for all help & comments.

    I have gone through the documentation for creating the script. But there is one thing which I am not able to understand i.e. Subscription Parameters.
    Can anyone tell me the use of subscription parameters? What is the role of subscription parameters in Oracle Lite and External Authentication.
    Regards
    Kapil

  • What is Portal Ldap Directory

    Hi Experts,
    In the documentation of User Management, I saw: 'in addition to corporate LDAP directory server (which portal uses as user data repository) Portal User Management Component uses a dedicated portal LDAP directory to store additional data for the portal.'
    So here my doubt is: what is the portal LDAP directory? Does it come with the portal installation or do we need this server separately? If we need to install it separately, which directory server do we need to install, and for what additional information do we need to install this server?
    Please, could anyone clarify my doubt? Points will be rewarded.
    Regards
    Seshu

    Hi,
    Yes, you need to have a separate server, i.e. an LDAP server. It is not shipped with the portal installation. Usually every organisation has LDAP servers as its data sources, where every user in the organisation is stored, so portal provides ways to integrate this server so that we need not create users again in portal. Once integrated, all the users in LDAP will be accessed using portal and every user will have his/her own id created in portal through this data source.
    For some more information, refer these links.
    http://help.sap.com/saphelp_nw70/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/63/14f5b51a6eff429f2d8b2063400e82/frameset.htm
    Regards,
    Ameya
    Message was edited by:
            Ameya Pimpalgaonkar

  • Webservices authentication against local vs. directory integration

    On version CPSC 10.0 (at least), it appears that if you have Directory Integration enabled, the behavior for authentication for web services is as follows:
    -- If calling any Requisition Service web services (that route to Request Center), web service authentication is performed against directory integration, so you are required to use a directory integrated login, and provide the login's LDAP password.
    -- If calling any Task Service web services (that route to Service Link), web service authentication is performed against local person record password, so you are required to provide the login's local person record password.
    Is there a way to use 'other' type of login/password for either web services? i.e. is there a way for me to use locally defined login to call Requisition Service web services, when Directory Integration is enabled, and vice versa for Task Service web services?
    Thank you.

    I don't think having SSH keys has any effect at all over AFP authentication. Two separate authentication mechanisms at work here.
    For SSH keys to work, each user ID on our local machines would need a matching network user defined on the server, and the authorized keys stored in that user's ~/.ssh folder on the server.
    Once you get SSH working, you can use scp and rsync to move files around.

  • MP 8 Directory Integrated

    I have recently installed MP 8 and used the Directory Integration feature in order to sync user accounts with UCM. I can access all administrative functionality with the default admin user, but when I attempt to make one of the imported UCM users a System Administrator they get an error "User is not local" when they attempt to log in. It doesn't really make sense that only local users can be admin. Is that true?

    Ben is correct.
    To be a system administrator, it requires a local MP account only like the admin account.  You will not be able to use any CUCM/AD user account since this is a remote user to MP.  On top of this, the WebEx admin account has to have a different e-mail address specified than is in use for any other user account.  This is by design and you would have to create a local user on the MP side in order to facilitate the system administrator role for MP administration or have them use the built in admin account.
    Gerry

  • Jabber for Windows - wildcard search against LDAP directory

    Hi all,
    I have set up an on-premise environment with CUCM, CUPS and a 3rd party LDAP Directory. For CUPC everything is working fine. For Jabber for Windows it took me some time to find the correct jabber-config.xml settings to make it work.
    At the moment I am able to search the LDAP Directory, but I have to write the complete name, i.e. "Miller, John", in the search field. If I try it with "Miller" only, I get no results for my search.
    I played around with the <UseWildcards>0</UseWildcards> tag without any changes in the behaviour.
    Is there anybody who can help?
    Best regards
    Manfred

    Hi Manfred,
    Jabber for Windows has been tested with the following directory services:
    Supported Directories
    Microsoft Active Directory  2003
    Microsoft Active Directory  2008
    Cisco Unified Communications Manager User Data Service UDS  is supported on Cisco Unified Communications Manager version 8.6.2 or later.
    OpenLDAP
    The behavior you are seeing could be related to interop issues. I suggest opening a TAC case for further assistance.
    Thanks,
    Maqsood

  • Jabber Directory Integration in hybrid mode

    We are running Jabber in cloud/hybrid mode.  Meaning we use WebEx connect cloud for IM/Presence but use our on premise CUCM for voice services.  This works great for the most part.
    We recently had Cisco enable "Directory Integration" for our ORG domain. This allows us to export our users from AD, create a CSV file and then upload this CSV file to Cisco's SFTP server to be imported into Jabber. Everything is scheduled and requires no user intervention to add/deactivate users. We have the import working and are able to get accounts created. The problem is that enabling Directory Integration has disabled our ability to manually update user profiles and our users' ability to upload their contact photo from the Jabber client.
    From the docs it looks like we can specify a webserver that hosts our contact photos.  But this webserver would need to be wide open, no security so that Jabber can access the photos directly.  Seems like there has to be a better solution.  
    Anyone else running a hybrid deployment and tackled the contact photos dilemma?

    Hi Venkat,
    Yes, we installed a Windows 2008 with AD-LDS. Configured CUCM to sync to this AD-LDS and then configured Jabber to use UDS (CUCM 8.6(2) feature). This way Jabber has (indirect) access to the multi-forest AD data.
    Used this document to configure the AD-LDS (https://supportforums.cisco.com/docs/DOC-16356)
    Regards,
    Erik
    PS. One thing we learned in this is that you've got to be careful when selecting the "user-id" field. We initially used "mail" as the user id to make sure all accounts are unique but found out that when using Extension Mobility the user-id input on the phone doesn't accept very long usernames (which you might encounter when integrating based on the mail attribute).

  • Can't Authenticate in LDAP directory after upgrade from 10.4.11 to 10.5.1

    Hi, all
    Yesterday I tried to upgrade my Xserve Intel from 10.4.11 Tiger to 10.5.1 Leopard Server.
    On my server there are these services:
    - AFP
    - DNS
    - SMB
    - Open Directory Master
    - XSAN Primary MDC
    All works fine, but when I try to access the LDAP directory with Workgroup Manager I can't authenticate with "diradmin". This happens on the local machine and with a remote Workgroup Manager connected to the server.
    I have tried with the "root" user and I have been able to authenticate for some time (5-15 min.); after that it's impossible to access with any user.
    The clients still authenticate with user and password on all computers with 10.5.1 and 10.4.11 workstations, but now I want to add some new users and I can't do that!
    So for now I have restored my old 10.4.11 Server Tiger, but I wish to know if someone has tried the new 10.5.2 server upgrade and whether there is some kind of fix for this problem.
    Thanks in advance

    After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I've finally figured out the cause of this issue or at least part of the cause.
    Within 'Server Admin', select "Open Directory",
    under: Settings > Policy > Binding
    there are six check boxes under "Security"... for testing kerberos, I have been checking the first four boxes, which are:
    1. disable clear text passwords
    2. digitally sign all packets (requires Kerberos)
    3. encrypt all packets (requires ssl or kerberos)
    4. block man-in-the-middle attacks (requires kerberos)
    Through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination, of these Security settings triggers Workgroup Manager to not accept the diradmin password.
    Referring to the numbers above (1 through 4)...
    2 or 4 by themselves fail
    1 and 3 together fail
    I haven't gone beyond that for testing and don't know what other combinations work or fail.
    I don't know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.
    I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, seems that this is a WGM bug to me, right?
    If you are having this problem, uncheck all of these boxes and then reboot before trying to authenticate.

  • Help with Active Directory Integration and kerberos

    Hello,
    I’m encountering a bug preventing me from using Active Directory integration with kerberos:
    Our domain name is CORP.DOMAIN.COM.
    When we request the GC in this domain :
    bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
    Server: 1.2.1.6
    Address: 1.2.1.6#53
    ** server can't find gc.tcp.corp.domain.com: NXDOMAIN
    there is no answer.
    But when we request without corp, we find the servers :
    bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
    gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
    gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
    bash-3.00#
    Is it possible to add the possibility to enter the domain name where the gc.tcp resides?
    Thank you.

    Hello
    The domain.com domain exists, but it's not our domain.
    So, when I put domain.com, it searches with no result (nothing happens).
    our kdc.conf :
    [kdcdefaults]
        kdc_ports = 88,750
    [realms]
        CORP.DOMAIN.COM = {
            profile = /etc/krb5/krb5.conf
            database_name = /var/krb5/principal
            admin_keytab = /etc/krb5/kadm5.keytab
            acl_file = /etc/krb5/kadm5.acl
            kadmind_port = 749
            max_life = 8h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
        }
    krb.conf
    [libdefaults]
        default_realm = CORP.DOMAIN.COM
        default_checksum = rsa-md5
    [realms]
        CORP.DOMAIN.COM = {
            kdc = dc01.corp.domain.com
            kdc = dc02.corp.domain.com
        }
    [domain_realm]
        .corp.domain.com = CORP.DOMAIN.COM
        corp.domain.com = CORP.DOMAIN.COM
    In every domain, I think the GC are in corp.domain.com, but in my company, it's in domain.com...
    Thank you,
