UME - Creating users in LDAP via Anonymous account
I want to create users in LDAP via UME security APIs. I am using
IUserManagementEngine umService = (IUserManagementEngine) PortalRuntime.getRuntimeResources().getService( IUserManagementEngine.KEY );
and saving/committing values etc. using IUserFactory and IUserAccountFactory. It throws an exception
LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
Inference - User doesn't have permission to create users in LDAP.
I am in an anonymous portal and I am writing a custom application to create users in LDAP, so there is no logged in user to which extra rights can be added to.
So to which user should I assign the extra rights to write to LDAP? How can I achieve this?
Thanks for hints, Dhanz
Hi,
LDAP users are coming from external directory.
Portal UME is different from LDAP. UME users and LDAP users are different.
You can create users in UME as long as you have user administration rights.
But LDAP needs special permissions as the external user directory is integrated in portal.
So you should have full or write permission to that external directory through LDAP.
Raghu
Similar Messages
-
Error while create user in LDAP - LDAP: error code 1
Hi guys, I am getting the below error while creating a user in LDAP MS AD.
cn=3001,ou=sAP_IDM,dc=springswf,dc=comcn<mx:TEXT>putNextEntry failed storingOU=SAP_IDM,DC=springswf,DC=com</mx:TEXT>
<mx:LTEXT>Exception from Add operation:javaxnaming.NamingException: {LDAP: error code 1 = 00000000: LdapErr: DSID-OC090AE2, coment: In order to perform this operation a successful bind must be completed on the connection.,data0,vece
Steps I am following:
1. create a job through wizard and pick from (IC->jobs->Active Directory->Create Active Directory User)
2. Destination tab values that I am passing:
dn: cn=Dummyuser,ou=SAP_IDM,dc=<main domain>,dc=com
objectClass: top|person|organizationalPerson|user
sn: Surname
givenName: GivenName
displayName: Dummy user displayname
Under <main domain> an OU has been created called SAP_IDM for testing user creation from IDM.
Admin user account created called <XYZ> and has full control over SAP_IDM OU.
I am passing <XYZ> credentials into my job for user creation.
Thanks for your help!
Farhan,
Based on the error message presented,
In order to perform this operation a successful bind must be completed on the connection
Make sure that you're using the correct information to do the AD Bind. User name should be something like cn=administrator,cn=users,dc=xxx,dc=xxx and the proper password.
Matt -
How to create user credit control via customization
Hi !
I have to create user credit control via Transaction :
SPRO.
path:
Sales and Distribution->Basic Functions->Credit Management/Risk Management->Credit Management->Define Automatic Credit Control.
I want to check the user checkbox, and create my logic
of credit control.
In the help of the credit control screen, it says that I have
to use user exits LVKMPTZZ and LVKMPFZ1.
However, when I looked for those user exits in SMOD,
those user exits don't exist!!!
How do I use those user exits? Why can't I find those user exits?
Can you give me please a code example of how to use
the user checkbox to change the logic of credit control ? or any material about the issue.
thanks
moshe
Hi,
You don't find the programs LVKMPTZZ and LVKMPFZ1 in the SMOD transaction; check in SE38 by typing the program names. There you have the provision to write your custom code.
As user exits are specific to the business, it would be difficult to send sample code to cater to the functionality expected by your business.
Hope this helps,
Rgds, -
Creating User Defined Fields via DI API
Hello,
Has anyone tried creating User Defined Fields via DI without direct database intervention? My add-on relies on some UDFs that have to be created on install.
Thank you
I regularly use the UI API to do this. You can find several discussions on this forum. I have not put this in my installation program, but I use UserFieldsMD in the DI API and a CSV file from Excel to store the information about the fields.
-
Creating user in LDAP using Oracle Identity Store API
We are trying to create users in LDAP (open LDAP) using Oracle's Fusion Middleware's Oracle Identity Service API. Here is my code snippet to create user,
final IdentityStoreService identityStoreService = jpsContextFactory
.getContext().getServiceInstance(IdentityStoreService.class);
IdentityStore idmStore = identityStoreService.getIdmStore();
final Property statusProperty = new Property("status", Arrays.asList("active"));
final PropertySet propertySet = new PropertySet();
propertySet.put(statusProperty);
idmStore.getUserManager().createUser("userid", new char[0], propertySet);
but I am getting this error
Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
even though I am clearly adding the attribute as mentioned above, am I missing any thing?
Thanks for your help :)
Full stack trace:
oracle.security.idm.OperationFailureException: oracle.security.idm.IMException: Mandatory attribute missing : status
at oracle.security.idm.providers.stdldap.util.LDAPRealm.throwException(LDAPRealm.java:785)
at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:153)
at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:170)
at oracle.security.idm.providers.stdldap.LDUserManager.createUser(LDUserManager.java:121)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:173)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:89)
at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:61)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:118)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:208)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:205)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:113)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:184)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:163)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
Caused by: oracle.security.idm.IMException: Mandatory attribute missing :status
at oracle.security.idm.providers.stdldap.util.LDAPRealm.createUser(LDAPRealm.java:139)
... 52 more
Edited by: 940837 on Jun 14, 2012 5:00 PM
URGENT** How to change OIM user password from outside OIM
-
Create user in LDAP subtrees via UME
Hi all,
We have different user types (public, employee, ...) in our LDAP server. Each user type has its own subtree under the ou=User node which is configured in UME. Is it possible to create users via UME which are placed under the according subtree?
Best Regards,
Daniel
Hi Stuart,
we had exactly the same problem.
Defining the additional attributes in the sapum.properties only makes them "visible" in the User Admin iViews.
We also had to define the attributes in our DataSource Configuration File in the section for the corresponding Datasource with:
<attribute name="uniquename" populateInitially="true"/> (SAP Standard Attribute)
e.g.
<attribute name="FavouriteAnimal" populateInitially="true"/>
Furthermore you should create a mapping to an LDAP Attribute. E.G. the Exchange Extension for MSADS offers 9 extensionattributes for free use.
this is made in the section
<attributemapping>
<attribute name="displayname"> (-> Portal Attribute)
<physicalAttribute name="displayname"/> (-> LDAP)
</attribute>
(SAP Standard)
so for your own attribute you can use e.g.
<attribute name="FavouriteAnimal">
<physicalAttribute name="extensionattribute1"/>
</attribute>
Regards,
Jochen
Message was edited by: Jochen Spieth -
Error while creating user in LDAP (MS ADS) from SAP Portal 7.0
Hi,
Is it obligatory to use an SSL connection to create a new user in LDAP (MS ADS) from SAP Portal 7.0?
I've configured the UME with the LDAP server address and port 389, and use the configuration file "dataSourceConfiguration_ads_writeable_db.xml".
I succeed in viewing users existing in LDAP, but when I try to create a new user I get the following error message:
LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0)
Thanks and regards
check this link
http://help.sap.com/saphelp_nw70/helpdata/EN/37/cfd93f130f9115e10000000a155106/frameset.htm
and at the end of the page there is a quote "We strongly recommend that you configure SSL between the UME and the LDAP directory. Some LDAP directories, such as Microsoft Active Directory Server, require an SSL connection if you want to create users on the LDAP directory"
hence follow this link to configure SSL
http://help.sap.com/saphelp_nw70/helpdata/EN/7d/77fa735e5f47a2a50b5336fd1b5a61/frameset.htm
hope this helps..
[Rahul|http://rahulursportal.blogspot.com/] -
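The Active Directory error strings quoted in the threads above share one layout: the LDAP result code, an 8-digit hex Win32 code, an error class and a DSID. As an added example (not code from any poster or from SAP), this Python sketch splits them apart for triage; the function name, the hint texts and the small lookup tables are assumptions of the example and cover only the codes that appear on this page.

```python
import re

# LDAP result codes (RFC 4511) that appear in the threads on this page.
LDAP_RESULT = {1: "operationsError", 53: "unwillingToPerform"}

# Win32 codes AD places in the 8-hex-digit prefix of its diagnostic message,
# paired with the first thing to check (hint wording is this example's own).
WIN32_HINT = {
    0x0000: ("ERROR_SUCCESS",
             "no Win32 detail; the comment text carries the reason"),
    0x001F: ("ERROR_GEN_FAILURE",
             "generic refusal; the SAP help text quoted on this page says AD "
             "can require SSL to create users"),
    0x052D: ("ERROR_PASSWORD_RESTRICTION",
             "password rejected by domain length/complexity/history policy"),
}

# Tolerates "-" or "=" after the result code, as both occur in the posts.
AD_DIAG = re.compile(
    r"error code (?P<ldap>\d+)\s*[-=]\s*"
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*"
    r"(?P<kind>[A-Za-z]+Err):\s*"
    r"(?P<dsid>DSID-[0-9A-Za-z]+)"
    r"(?:,\s*problem\s+(?P<problem>\d+)\s+\((?P<pname>[A-Z_]+)\))?"
)


def parse_ad_diag(message):
    """Return the decoded fields of an AD LDAP error string, or None."""
    m = AD_DIAG.search(message)
    if m is None:
        return None
    ldap = int(m["ldap"])
    win32 = int(m["win32"], 16)
    name, hint = WIN32_HINT.get(win32, ("unknown", "look up the Win32 code"))
    return {
        "ldap_code": ldap,
        "ldap_name": LDAP_RESULT.get(ldap, "unknown"),
        "win32_code": win32,
        "win32_name": name,
        "hint": hint,
        "kind": m["kind"],
        "dsid": m["dsid"],
        "problem": m["pname"],  # None when the string has no "problem" part
    }


# Error strings copied from the posts on this page (not constructed).
SAMPLES = [
    "LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FC0, "
    "problem 5003 (WILL_NOT_PERFORM), data 0",
    "LDAP: error code 1 = 00000000: LdapErr: DSID-OC090AE2, coment: In order "
    "to perform this operation a successful bind must be completed on the "
    "connection.,data0,vece",
    "LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, "
    "problem 5003 (WILL_NOT_PERFORM), data 0)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_ad_diag(s)
        print(f'{r["ldap_code"]} {r["ldap_name"]} / 0x{r["win32_code"]:X} '
              f'{r["win32_name"]}: {r["hint"]}')
```

Two posts report the same LDAP code 53 and the same DSID, so the Win32 prefix is the only field that separates them.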
Creating user with LDAP Intergrated
Hi Guys,
I just synced LDAP with SAP (ABAP) and it came out nicely. But there are still some questions about how to use this (FYI, the LDAP Server is the leading system):
- How to create a new user from SAP, is it SU01 or from LDAP tcode?
- As for mapping, do I need to run RSLDAPSCHEMAEXT in SE38 if the LDAP Server is the leading system? Our LDAP server is running on Tivoli
- If I have to create a user from tcode LDAP, do I need to put this syntax: dn=,cn=,sn=...etc?
Thank You in return
Hi,
You can use SU01, or you can create the user in LDAP, not using the LDAP tcode. You can create the user in the LDAP directory and then sync the users by running the report.
Regards,
Vamshi. -
Portal 7.0 sp10 2004s
ECC 6.0 sp 10 ERP 2005
Portal is connected to ABAP backend for user authenticity,
Data source configuration file is dataSourceConfiguration_abap.xml which should allow users created in the portal to be in the UME database only.
Problem, When creating users on the Portal they are automatically being created with a datasource of ABAP and are created in the ECC abap backend.
I have tried creating the users using the Visual Admin tool and it also created the users in the ECC abap backend
I have in the past been able to create users in the UME only; in fact I could not create backend ABAP users from the Portal
Any help would be appreciated.
Thanks
sarah
Haydn
Thanks for your suggestion, I am still having problems
I changed the SAPJSF user that communicates from the portal to the abap backend to read only. I got an error, it is still trying to create an ABAP backend user
An error occurred in the persistence. The original message (possibly not translated) was: "BAPI_USER_CREATE1@RS2CLNT100: ID=01, NUMBER=491, MESSAGE=You are not authorized to create users in group". Contact your system administrator
From the SAP Note 718383 it states the following:
Supported changes to the data source configuration
The allowed change options depend on the currently active data source configuration. You can determine the current data source configuration with the J2EE ConfigTool.
In "cluster-data -> Global server configuration -> services -> com.sap.security.core.ume.service" check the property "ume.persistence.data_source_configuration".
Depending on the data source configuration file you use, the following changes are possible:
dataSourceConfiguration_abap.xml
No change is possible.
This configuration supports all usages (especially SAP Exchange Infrastructure and SAP Enterprise Portal) by making ABAP users and ABAP roles available as users and groups in the UME, and supports the creation of new groups in the UME (which are then stored in the local database) as well.
Any other suggestions would be appreciated,
Thanks
Sarah -
Creating users in Active Directory through LDAP connector
Hello,
If we need to create users in Active directory using LDAP connector, what are the options for the following:
1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
2) Can we add additional fields in LDAPMAP which are not standard, e.g. can we write our own code to extract data from HR to map the value with an attribute within Active Directory?
Regards,
Ahmad
Hello!
I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
Here is the posting again - sanitized this time.
You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
You can also perform group membership assignment in LDAP from SAP if needed.
I have done this quite a few times at different companies that use SAP HCM.
A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
A job runs every 8 hours to perform delta updates in LDAP.
The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR. -
How to create user in local datasource when UME is already switched to LDAP
HI,
Info: I have a portal (NW 700); recently I switched the datasource of the portal to LDAP from the local datasource.
Issue: if I create a user in the portal it gets created in LDAP; I want to create a few users in the local datasource.
How to create a user in the local datasource when UME is already switched to LDAP?
One solution is to change the UME back to the local datasource > create user > then switch back to LDAP.
Do you know any other solution?
Regards
Shridhar Gowda
Please let me know the Datasource file name .. i.e. the .xml filename.
try to analyze this name and see whether you get a solution or post it here.
Reward points if helpful - -
Creating User account via SQL query
Hi,
Is it possible to create a user account programmatically?
thanks,
Dekel
In SQL, use the CREATE USER statement. In PL/SQL, see Re: Creating user in PL/sql procdure.
-
Trouble Creating Users Via Web Form
I'm having trouble creating a user in a 9i database via a web front end.
I use the following SQL to create the user
strSQL="CREATE USER """+strUser+""" PROFILE ""DEFAULT"" IDENTIFIED BY ""HELLO"" DEFAULT TABLESPACE ""DATA"" TEMPORARY TABLESPACE ""TEMP"" ACCOUNT UNLOCK"
I then execute another two SQL statements to grant "connect" thus
strSQL="GRANT ""CONNECT"" TO """+strUser+""""
strSQL="ALTER USER """+strUser+""" DEFAULT ROLE ALL"
Whenever I try connecting using the new user's details, I get an error message that the server had problems accessing the LDAP directory service (ORA-28030).
I'm happy that the SQL is correct as I created the account that I wanted using Enterprise Console and copied the SQL it produced. I'm assuming that there's something in the background that is not being triggered when creating the user via the web front end.
Can anyone tell me where I'm going wrong?
Thanks
Jason
My apologies, I didn't realise HTML DB was a product. I thought it was a forum for questions regarding HTML and databases.
Doh!!!
Jason -
How Do I Create User Account with "limited admin rights"?
Hello;
I would like to give a handful of users the ability to login to the DCC and enable them to add/delete/modify users and or hosts only, I.e. People and/or hosts.
Is there anyway to:
1. Make a user with this admin capability?
2. Segregate the containers they are able to modify?
Thanks to all in advance.
BobM53, that would be needed regardless of what front end my users log in with; in my case I was looking for them to access the DIT via the DSCC/DCC, which is not possible. Regardless, thank you for your reply, it is reassuring to know I am headed in the right direction.
I am now looking towards installing something else like Apache Directory Studio, or some other GUI for users to manage the directory.
I will most likely create one or more ACIs to build groups, adding members to those groups as needed; each group being allowed to perform functions such as create users, lockout users, add/modify hosts, etc.
I will most likely follow the steps outlined in:
Directory Server Groups, Roles, and CoS - 11g Release 1 (11.1.1.7.0)
Slightly OT, does anyone have a suitable and similar proven method to "lockdown" root accounts, and who has root access?
Thank you -
Create users via the CLI interface on a SX20
Hi
Are there some who know how to create users via the CLI interface on a SX20. You can do this via the web interface but I have many video installations where I need to create a user account. Therefore, it would be easiest if I can make it through the CLI interface.
Best regards
Jesper
Unless there's a very well hidden command somewhere, then no. As far as I know, this can only be done for the remote supportuser account;
xcommand UserManagement ?
xCommand UserManagement RemoteSupportUser Create
ExpiryDays: <1..31>
xCommand UserManagement RemoteSupportUser Delete
xCommand UserManagement RemoteSupportUser DisablePermanently
Confirm(r): <Yes>
xCommand UserManagement RemoteSupportUser GetState
/jens
Please rate replies and mark question(s) as "answered" if applicable.