Ume + LDAP ADS lock users

I'm working with EP6 SP12 with UME connected to an LDAP Microsoft ADS in read-write mode.
I have set the attribute "ume.logon.security_policy.lock_after_invalid_attempts=5" and when a user fails to login with wrong password 5 times it's locked.
The issue is that a user is locked both in UME and in LDAP. Is it right? If yes how can I unlock a user in UME and in LDAP too. When I unlock user from UME it works fine from UME side but it remains locked in LDAP. As result this user it's not able to login in portal.
Thanks a lot in advance.
Tiziano

I came across the same issue with my setup.
I authenticate off of database + MS ADS read only. If a user locks them self out, we have to unlock in portal and ADS.
There is the option in the UME for read-write to ADS for users to be able to change passwords in the portal and have it replicate out to ADS. If you went that way I would do SSL for LDAP and opening port 626 on your firewall as well.
We do not have employees using our portal as their only means of getting to the network so, I do not allow them to change passwords via portal. I am sure that it would be safe but, the though of opening up something else on the firewall scares me.

Similar Messages

UME LDAP configuration XML file

Dear Experts-
I am configuring multiple LDAP as ume for EP 7.0 EHP2 . I am following the the document below.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8036faa9-3d95-2c10-e596-c7c97082f07e?QuickLink=index&overridelayout=true
It mentions xml file to be dowloaded is dataSourceConfiguration_multiLDAP_db.xml file but ther eis no such file. Can you please let me know where I can find this.
The only ones I see are.
Microsoft ADS readonly , deep and flat
Microsoft ADS Deep & flat
Novell LDAP Read only flat and deep
Novell LDAP flat & deep
DatasourceConfiguration_simens_deep_readonly_db
Siemes LDAP servers Read flat & deep
Just to let you know we are using MS ADS flat. Please let me which which file I can choose to put the second LDAP data source.
Thanks,
John

John,
There is no such file (dataSourceConfiguration_multiLDAP_db.xml) delivered for configuring multiple LDAP data sources.
You will need to download dataSourceConfiguration_ads_readonly_db.xml and modify as per your needs and upload it with your own custom name.
1. Open the dataSourceConfiguration_ads_readonly_db.xml file using a text
editor (other than Notepad) and locate the <dataSource.../> section for the u201CCORP_LDAPu201D.
2. For each additional LDAP server, paste the copy into the document after the original
</dataSourceu2026> ending tag for the CORP_LDAP source. Change the name of the data source for
pasted copy to u201CCORP_LDAP_Xu201D or some other value. This value becomes a data source identifier
for UME and prefixes the principal Ids.
For each LDAP data source, locate the <privateSectionu2026> within the <dataSourceu2026> tag and
enter the following lines if they are not present:
<ume.ldap.access.server_name>SERVER_HOSTNAME</ume.ldap.access.server_name>
<ume.ldap.access.server_port>SERVER_PORT</ume.ldap.access.server_port>
<ume.ldap.access.user>DS_USER_NAME</ume.ldap.access.user>
<ume.ldap.access.password>DS_PASSWORD</ume.ldap.access.password>
<ume.ldap.access.base_path.user>USER_ROOT_IN_DS</ume.ldap.access.base_path.user>
<ume.ldap.access.base_path.grup>GROUP_ROOT_IN_DS</ume.ldap.access.base_path.grup
>
Save this file with your custom name and upload it.
Thanks,
Shanti

MS Active Directory LDAP Authentication/Locking Issue.

Dear All,
We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
We have used following things with LDAP feature.
1. User Authentication.
2. Locking account after exceed the maximum attempts that has configured in window server.
Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
Can any body know what are the possibilities for identifying and resolving this issue?
Please help us if anybody has any experienced about it.
Please do the needful.
Thanks,
Mehul.

Hi,
Thanks for your reply.
We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
Following code for checking whether ADS User is valid or not.
* Function checks whether ADSUser is valid user or not
* @returns int value indicating result.
public int isValidADSUser() {
Hashtable env = new Hashtable(5);
Vector adsInfoVec = getADSInfo();
env.put("java.naming.referral", "ignore");
// env.put("java.naming.security.authentication", "simple");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
String provider = "com.sun.jndi.ldap.LdapCtxFactory";
env.put("java.naming.factory.initial", provider);
//For handling Uncontinued reference found message of partial result exception
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.derefAliases", "always");
env.put("java.naming.ldap.deleteRDN", "false");
env.put("java.naming.ldap.attributes.binary", "");
env.put(Context.PROVIDER_URL,
"ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
(String) adsInfoVec.elementAt(1));
// env.put("java.naming.security.principal",
// userNameStr + "@" + (String) adsInfoVec.elementAt(0));
env.put(Context.SECURITY_PRINCIPAL,
userNameStr + "@" + (String) adsInfoVec.elementAt(0));
if (userPassStr == null) {
userPassStr = "";
// env.put("java.naming.security.credentials", userPassStr);
env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
try {
DirContext ctx = new InitialDirContext(env);
ctx.lookup("");
//System.out.println(ctx.lookup(""));
ctx.close();
catch (javax.naming.AuthenticationException ex) {
//System.out.println();
ex.printStackTrace();
return AUTHENTICATION_ERROR;
catch (javax.naming.PartialResultException pex) {
pex.printStackTrace();
return COMMUNICATION_ERROR;
catch (javax.naming.CommunicationException pex) {
pex.printStackTrace();
return COMMUNICATION_ERROR;
catch (NamingException e) {
System.out.println("Failed to connect to ");
e.printStackTrace();
return COMMUNICATION_ERROR;
return SUCCESS;
Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
Your optimistic reply is much appreciated.
Thanks,
Mehul Garnara.
Edited by: [email protected] on Mar 6, 2008 10:24 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM

UME+LDAP issue

Hi SDN Guru's,
Here is my problem. I have set up UME to use ADS as backend. Now i have enabled SSL on ADS and i am able to write data into ADS, like creating users, groups etc. on 636 port. I have 2 problems now
1)The connection to the LDAP times-out..I am able to view the contents for sometime but if i don't work(idle state) for a few minutes. Then the connection to LDAP gets reset and i am not able to neither view data nor write dta. But i am able to write and view data from the UME database. I feel this is something to do with the session time-out between the UME and the ADS. Please let me know what needs to be done. I have already increaed the session-time in configtool for LDAP and alos in the visualadmin but effort has gone in vain .
2)I am not able to login with the users created in LDAP into the UME. But i am able to login with the UME users.
My config details:
LDAP:ADS
datasourceconfig file: dataSourceConfiguration_write.xml
Port:636 (SSL enabled, verified wth the ldp tool)
Please help me to solve these 2 issues

Hi--
Also, this problem does not persist with non-SSL port. I saw teh server log and found this
#1.5 #0013724C15D600770000001F000012CC00044A925CC04A08#1207892388617#/System/Server/WebRequests#sap.com/tcwddispwda#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##n/a##b3024f90078911dd859c0013724c15d6#SAPEngine_Application_Thread[impl:3]_33##0#0#Error#1#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Plain###application [webdynpro/dispatcher] Processing HTTP request to servlet [dispatcher] finished with error.
The error is: java.lang.NullPointerException: null
Exception id: [0013724C15D600770000001E000012CC00044A925CC04705]#
#1.5 #0013724C15D6007700000022000012CC00044A925CC0A8CB#1207892388632#/System/Server/WebRequests#sap.com/tcwddispwda#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##n/a##b3024f90078911dd859c0013724c15d6#SAPEngine_Application_Thread[impl:3]_33##0#0#Error#1#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Plain###application [webdynpro/dispatcher] Cannot send an HTTP error response [500 Application error occurred during request processing. (details: java.lang.NullPointerException: null)].
The error is: com.sap.engine.services.servlets_jsp.server.exceptions.WebIOException: An attempt to write after the stream had been closed.
Exception id: [0013724C15D6007700000021000012CC00044A925CC0A70B]#

UME LDAP Data - XML file not appearing

Hi,
I have configured the readonly ADS with DB for the user authentication. Now I want to restore back to the default datasource configuration (dataSourceConfiguration_database_only.xml). But in the dropdown box in the Configtool >> UME LDAP data under the "Directory Security" tab, I am not able see the config XML file for the DB only. I tried uploading the file, but its saying file already exists. After this I tried deleting the fils from the cluster_data\server\persistent\com.sap.security.core.ume.service and then uplaoded the XML file. Still this is not appearing in the List of Datasources available.
Can you please let me know how shall I revert the Datasouce to DB only?
Regards,
Debasis

Hi,
Go to ConfigTool -> Global Server Configuration -> Services -> com.sap.security.core.ume.service.
You can change the value of ume.persistence.data_source_configuration to dataSourceConfiguration_database_only.xml.
Regards,
Siva
P.S: Award points if you find this useful.

No Access Error with Locked User iView

Hi
We are running EP6SP2 Patch 35
Im trying to give access to the Locked User iView to a group of users (I dont want them to have full User Management functionality)
Ive created a role and added Locked User iView to it. The role has the same property values as the standard User Admin role (eg UME Action ID: UME.Manage_All = Yes), but when I try to access the Locked User iView I get:
No Access
You have no permission to perform this action.
Can anybody advise what else I need to do to get this to work?
Thanks.

Hi Mike,
just to make sure: did you restart the server after assigning the UME Action to the role???
Unfortunately, this has to be done in order for your changes to take effect.
Best regards,
Robert

Help me: I have locked user cn=orcladmin in oid

Hello.
Pleas help me, I have locked user cn=orcladmin in oid production environment
I have tried to unlock with this procedure, but It doesn´t work:
[oracle@appamucm01pro admin]$ /opt/oracle/mw/mw_idm/Oracle_IDM/ldap/bin/oidpasswd connect=OIDDB unlock_su_acct=true
OID DB user password:
ERROR * gsldpuUnlockSuAccount * ORA-28000:ORA-28000: the account is locked
encountered
Error in unlocking OID super user account.
[oracle@appamucm01pro admin]$
This is my oid version:
[oracle@appamucm01pro admin]$ $ORACLE_HOME/bin/oidldapd -version
oidldapd: Release 11.1.1.5.0 - Production on fri mar 1 14:38:56 2013
Copyright (c) 1982, 2011 Oracle. All rights reserved.
[oracle@appamucm01pro admin]$
[oracle@appamucm01pro admin]$

Hi ,
First get your OID schema name for example suppose it's ODS the follow the following steps
1- sqlplus / as sysdba
2- alter user ODS account unlock;
it should unlock you OID user .
thanks
Amar

Guide me how to automate UME LDAP Configuration

Hello colleagues,
I am not sure if this is the right place for putting my question.
We wanted to automate 'UME LDAP Configuration with Microsoft AD', because we have nearly 25 portals and has to be refreshed for every 3 months from different systems. Instead of configuring UME every time, we wanted to automate it such that
it can be done by one click for each portal.
I am not aware, if it can be done through Webdynpro or Java API.
Please let me know in which way we can achieve this functionality. If it is in Java then please let me know how to access UME APIs. Moreover Configtool will not save its data at O.S level, it stores in DB.
Please guide me on achieving this.
Regards,
kasi

Hi Nivas,
thank you very much for your answer.
Could you please let me know any APIs to use these functions
I googled and found APIs for User management ( creating,deleting ,etc..) only.
I could not find any APIs for LDAP settings in Configtool.
I wanted to set these values ( which are specified in above link ) from out side.
Regards,
venkat
Edited by: Venkata Kasi G on Mar 2, 2012 2:41 PM

Value to be populated in oblastloginattemptdate while locking user account?

Hi,
I am writing a custom JAVA module for forgot password where in i am locking user account if the user fails to answer correctly to his challenegd questions.
I am populating oblogintrycount and oblockouttime.
Can anyone tell me what value should be populated to oblastloginattemptdate?
The LDAP shows the value something as "2009-03-16T09:52:57-05:00".
Please let me know if anyone has any information on the same.
Regards,
Anubha

Hope I have got your question correct.
I beleive, you need to update the lastloginattemptdate with the time when user tried to login whether successful or unsuccessful.
Just update it with the time you are locking out the user. Date format is like "YYYY-MM-DDThh:mi:ss[+/-]hh:mi"
[+/-]hh:mi is the time relative to GMT.

Locked user tab on portal

Hi All,
Iam gettin the following error when iam clicking the 'locked user' tab on the portal .
User Management Exception
An exception occurred. Inform your system administrator.
Suggested Options
Look at the log file for the cause of the error
can anybody help me its very urgent.........
Thanks in advance..........

Hi,
You either have DB inconsistencies, or you are on SP14.
There was a problem with SP14 for the empty lock reason with locked user accounts. If on SP 14, it is best to upgrade. You can also run the UME consistency check tool in order to remove any inconsistencies which might cause this problem.
Regards,
Iliyan

Locking user account

Hi,
I have to questions:
1. Is there anyway to lock user account in OBIEE 11g?
2. Can i disable "Create New>" menu in analytics?

We ran into that ourselves, courtesy of our <SARCASM>friends</SARCASM> Sarbanes and Oxley. Based on our research and statements from Sun engineers, the only ways to do it in Solaris 9 are:
* Write a PAM module to do it
* Log all failed attempts to a file and have a process scan it for successive login failures
* Go to something like Directory Server (LDAP) which has account lockouts built into it
We decided to go with the last option - and yours truly was responsible for doing everything. Two months of hell, but it's done and much easier to manage than files or NIS.

"Calculated UME LDAP id is null" error received during runtime.

Hello All,
I am new to this community and this is my first post.
Therefore please pardon me for providing inadequate explanation/resources while mentioning my problem.
I am trying to build a SOAP webservice in SAP NetWeaver Developer Studio 7.3. This webservice will be used for integration between SAP user management (AS Java) with Dell's Quest Identity Management (Q1IM).
The webservice will be used for
Fetching
-> All UME Users
-> All UME Groups
-> All UME Roles
Add/Delete
-> User to/from Group
-> User to/from Role
Change
-> User Account Details
The current scenario is the webservice built in Java is ready and all the functional components are working fine during runtime except for one and that is when I try to retrieve all the UME Users.
Below mentioned piece of code is for getAllUser function
    public SAPUser[] getAllUsers() throws UMException {
    IUserFactory userFactory = UMFactory.getUserFactory();
    IUserSearchFilter searchFilter = userFactory.getUserSearchFilter();
    searchFilter.setDisplayName("*", ISearchAttribute.LIKE_OPERATOR, false);
    ISearchResult searchResult = userFactory.searchUsers(searchFilter);
    ArrayList<SAPUser> ar = new ArrayList<SAPUser>();
    while (searchResult.hasNext())
    String uniqueid = searchResult.next().toString();
    if (uniqueid.startsWith("USER.PRIVATE_DATASOURCE.un"))
        IUser user = userFactory.getUser(uniqueid);
        IUserAccount[] userAcc = user.getUserAccounts();
        for (int i = 0; i<userAcc.length;i++)
        ar.add(new SAPUser(userAcc[i]));
    SAPUser[] users = new SAPUser[ar.size()];
return ar.toArray(users);
Similar logic have been used for Groups and Roles and they are working fine.
During runtime it gives following error
Web service returned error. Fault Code: "(http://schemas.xmlsoap.org/soap/envelope/)Server" Fault String: "Calculated UME LDAP id is null"
(Screenshot has also been attached)
I tried searching for a solution on internet and specially on SAP SCN but couldn't come across any suitable option.
Thereby my request to member-experts of this forum to please look into my matter mentioned above and provide some appropriate solution for it.
Thanks in advance.
Regards,
Tanuj Jaitly

Hi Soumya,
Thanks for the valuable suggestion.
Now I have another situation and this I would like to share with you and other experts in this forum.
Apart from above scenario I was trying to fetch all the LDAP users as well, but due to large number of employees in my organization I received Connection Time Out. We thus changed our requirement.
We now want to display those LDAP users which have UME roles and groups associated with their accounts. In other words LDAP users who can login to SAP Java portal to access their roles and groups.
From UME API as getLastSuccessfulLogonDate() and getPreviousSuccessfulLogonDate() are already deprecated I am unable to find any concrete solution.
Request to please help. Thanks in advance.
Tanuj Jaitly

Lock User when enter password in wrong 3 times

Hi,
I user oracle E-Business Suite 11i .
I want to Lock User(Disable Account) when enter password in wrong 3 times.
Thanx
Rafeek
Edited by: reemax on Apr 20, 2010 4:19 AM

Hi,
you can set the profile value FAILED_LOGIN_ATTEMPETS to 3 to restrict that wrong password entry as folows
sql>ALTER PROFILE default LIMIT failed_login_attempts 3;
--Rathina

Background job for auto lock user

Dear Friends,
Which background job i have to be schedule for auto locking user after every 30 days if then are not logged for last 30 days.
Thanks,
Regards,
Sachin

Hi, Sachin.
Please check this thread.
Locking users if they did not login for 15 days
Best Regards.
Sejoon

How to find list of locked users & unlock them?

Hello,
Is there any method in portal to find the list of locked users? and unlock them.
we can unlock single user at a time.
but if we want to unlock a group of users (for Ex:- 20 locked users), how can we unlock al the 20 locked users?
Thanks in advance,
Vila.

Hi Vila,
Go to user administration -> Identity management
Click on advanced search. Go to account information tab. Check the use account locked field and then click on search. This will give you a list of all the users whose accounts are locked.
Select all the users whose accounts you want to unlock, and then click unlock.
Regards,
Ankit

Ume + LDAP ADS lock users

Similar Messages

Maybe you are looking for