User disabled in LDAP triggers disable identity in IDM?

IDM 7.0 on Sun JES Stack
Authoritative Source is LDAP, Sun Directory Server 5.2
This pertains to Termination e.g. Employee/Contractor gets terminated.
1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
Based on the above two criteria, how do I trigger the Disable User workflow in IDM so that the user's IDM Identity gets disabled?
I've been exploring the LDAP Activation Method/Parameter?
com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable
But am unsure on how to approach this. Has anyone successfully implemented this? Documentation is pretty unclear. Thanks in advance.

Given the below scenarios:
1) When an employee is terminated, her user LDAP record is deleted from LDAP (authoritative source)
2) When a contractor is terminated, her user obuseraccountcontrol = DISABLED in LDAP (authoritative source)
We've resolved #2 using MetaView and Rule. On the LDAP resource adapter itself, we used:
LDAP Activation Method: nsaccountlock
LDAP Activation Parameter: accountLockAttr
(where this is your IDM system attrib specified in resource schema)
In MetaView, for attrib "accountLockAttr", Source: Rule: Is obuseraccountcontrol disabled, Target: IDM, All Resources
In MetaView > Identity Events, we set the Disable event,
Based on that, we believe we can resolve #1 to trigger the Disable User Workflow. The problem is, how do you Re-Enable a user if the user's LDAP record is deleted from the authoritative source (LDAP)?
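The two rules above, and the re-enable problem raised at the end, as an added example that is not part of the original thread and is not Sun IDM code. It is a plain reconciliation pass over a constructed LDAP snapshot and a constructed list of IDM identities: a missing entry or `obuseraccountcontrol=DISABLED` produces a disable action, an entry that is present and active re-enables a disabled identity, and an identity that is already disabled with no LDAP entry left is reported as orphaned, because nothing in the authoritative source can ever flip it back. The `accountLockAttr` value mirrors the nsaccountlock activation method used in the post; the identity layout, the sample names and the `ACTIVATED` value are assumptions.

```python
"""Added example, not code from the original thread or from Sun IDM.

Applies the two termination rules from the post to a snapshot of the
authoritative LDAP and the IDM identities:

  rule 1: entry deleted from LDAP            -> disable the identity
  rule 2: obuseraccountcontrol == DISABLED   -> disable the identity

Identities that are already disabled and have no LDAP entry are reported
as 'orphaned': they cannot be re-enabled from the source.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Identity:
    uid: str
    status: str  # "enabled" or "disabled" (IDM identity state)


def is_disabled_in_ldap(entry: Dict[str, str]) -> bool:
    """Equivalent of the MetaView rule 'Is obuseraccountcontrol disabled'."""
    value = entry.get("obuseraccountcontrol", "")
    return str(value).strip().upper() == "DISABLED"


def account_lock_value(entry: Optional[Dict[str, str]]) -> str:
    """Value to push into the IDM 'accountLockAttr' attribute that feeds the
    nsaccountlock activation method: 'true' locks the account.
    A missing entry is treated as locked, which is rule 1."""
    if entry is None or is_disabled_in_ldap(entry):
        return "true"
    return "false"


def reconcile(identities: List[Identity], ldap: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Compare IDM identities with the LDAP snapshot and return the actions
    a disable/enable workflow would have to take, keyed by action name."""
    actions = {"disable": [], "enable": [], "orphaned": [], "unchanged": []}
    for ident in identities:
        entry = ldap.get(ident.uid)
        if entry is None:
            # Rule 1: deleted from the authoritative source.
            if ident.status == "enabled":
                actions["disable"].append((ident.uid, "deleted from LDAP"))
            else:
                # Already disabled and no entry left: the source can never
                # re-enable it, so flag it for manual handling.
                actions["orphaned"].append(ident.uid)
        elif is_disabled_in_ldap(entry):
            # Rule 2: contractor flagged DISABLED.
            if ident.status == "enabled":
                actions["disable"].append((ident.uid, "obuseraccountcontrol=DISABLED"))
            else:
                actions["unchanged"].append(ident.uid)
        else:
            # Entry present and active: re-enable if IDM still has it disabled.
            if ident.status == "disabled":
                actions["enable"].append(ident.uid)
            else:
                actions["unchanged"].append(ident.uid)
    return actions


# Constructed sample data; 'ACTIVATED' is an assumed non-DISABLED value.
SAMPLE_IDENTITIES = [
    Identity("alice", "enabled"),   # employee, still in LDAP
    Identity("bob", "enabled"),     # contractor, flagged DISABLED in LDAP
    Identity("carol", "disabled"),  # terminated employee, entry already deleted
    Identity("dave", "disabled"),   # contractor re-activated in LDAP
    Identity("eve", "enabled"),     # employee whose entry was just deleted
]
SAMPLE_LDAP = {
    "alice": {"obuseraccountcontrol": "ACTIVATED"},
    "bob": {"obuseraccountcontrol": "DISABLED"},
    "dave": {"obuseraccountcontrol": "ACTIVATED"},
}

if __name__ == "__main__":
    for action, items in reconcile(SAMPLE_IDENTITIES, SAMPLE_LDAP).items():
        print(f"{action:9s} {items}")
```

The orphaned bucket is the practical answer to the re-enable question: once the entry is gone, a re-hire has to come back as a new LDAP entry (and therefore a fresh create in IDM) or be re-enabled by hand, so the pass reports those identities rather than pretending the source can decide for them.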

Similar Messages

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC that faced an unexpected behavior on User disabling.
    Some users were associated to groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups and also the resource and permission associated thru access policy applied to those groups.
    I saw that there was a bug reported to that issue. So I performed the action plan and set up the XL.EvaluateMembershipForInactiveUser System Property as TRUE. Now after disabling the users are properly removed from groups.
    Customer problem: For those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies schedule task work for that scenario? Should the resource after running that task be revoked?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but no effect is observed. I have to change the task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size= 500 and Number of Threads=20.
    But I have noticed this task in another environment (w/ BP 18 applied), it has 3 attributes: Batch Size= 500 ; Number of Threads=20 and Time Limit in mins=1.
    Is there any enhancement for this task in order to improve its performance, or something like that?
    What else can I check?
    Thanks in advance.

  • [OIM 9.1.0.2] Access Policy being evaluated to an OIM user disabled.

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser System Property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remains in the group. I have restarted OIM.
    Do I need to activate the Evaluate User Policies schedule task for this configuration to be effective? Or should I do something more?
    Thanks a lot.

  • Getting users disabled/deleted with disabled resources in OIM

    Hi,
    Consider following use case related to OIM:
    To get the Users deleted or disabled on a particular date with their 'AD User' resources which are in disabled state.
    By means of built-in reports I can get the users disabled or deleted for a particular date. How do I get the disabled AD User resource for each user?
    I can go for a scheduler task, but how do I proceed on that?

    The exact requirement here is to get the users disabled/deleted a day before along with their 'AD User' resources which are disabled.
    getObjectsByTypeStatus(long plUserKey, java.lang.String psObjectType, java.lang.String psStatus)
    Gets a list of all the objects of the specified type that have been provisioned for a user and are in the specified status.
    What I can make out here is that:
    I need to write some logic that would give users disabled/deleted, say, yesterday. After this I would loop these user keys into getObjectsByTypeStatus, which would give the disabled resources for each user.
    Am I correct?
    Now how do i get the users disabled/deleted yesterday. This is realised by default Users Disabled/Users deleted report.
    But how do i use it in my scheduler
    Edited by: Chhavi Saluja on Jun 30, 2010 1:20 AM

  • CISCO ISE ISSUE 24206 User disabled

    Hi there,
        We have here an issue with Cisco ISE. When I create a guest account with the sponsor portal we can't access the WLAN. On the Cisco ISE Operations \ Authentications page it returns the error message Event "Authentication", Failure Reason "24206 User Disabled", Auth Method "PAP_ASCII", Authentication Protocol "PAP_ASCII".
      In order to fix this issue, what can I do? I don't understand why, because I can create the user without an error message.
      At the sponsor portal the user that I have created doesn't show in the list...
      Any help??
     Regards
     Adriano

    Select the affected account and click Reinstate.
    It is possible, that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:
    - Go to Administration > Guest Management > Sponsor Groups.
    - Click the Sponsor Group your sponsor account is a member of to edit.
    - Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.
    ref: https://supportforums.cisco.com/discussion/11431386/ise-guest-user-problem

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi ,  I have an ACS and Open-LDAP server running on my company network.
    Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
    first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
    Then, I'm moving on to an external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received:
    the following error 22056 Subject not found in the applicable identity store (s)
    Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
    so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?  
    any suggestion ?
    thanks

      This is the log when using windows 7 as authentication client (Failed) :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
    12300  Prepared EAP-Request proposing PEAP with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12302  Extracted EAP-Response containing PEAP  challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version  0
    12800  Extracted first TLS record; TLS handshake  started.
    12805  Extracted TLS ClientHello  message.
    12806  Prepared TLS ServerHello  message.
    12807  Prepared TLS Certificate  message.
    12810  Prepared TLS ServerDone  message.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12318  Successfully negotiated PEAP version  0
    12812  Extracted TLS ClientKeyExchange  message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS ChangeCipherSpec  message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished  successfully
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP  method
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11522  Extracted EAP-Response/Identity for inner  EAP method
    11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the  authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore -  xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    22056  Subject not found in the applicable identity  store(s).
    22058  The advanced option that is configured for  an unknown user is used.
    22061  The 'Reject' advanced option is configured  in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication  failed
    11520  Prepared EAP-Failure for inner EAP  method
    22028  Authentication failed and the advanced  options are ignored.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using 1841 router as authentication client (succeded)  :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be  used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -  LDAPyyyy
    24031  Sending request to primary LDAP  server
    24015  Authenticating user against LDAP  Server
    24022  User authentication  succeeded
    22037  Authentication Passed
    22023  Proceed to attribute  retrieval
    22038  Skipping the next IDStore for attribute  retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore -   xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
    so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
    is there anything I can do to make it work ?
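A parser for the two ACS step logs quoted above, added here as an example that is not part of the original thread and is not Cisco code. It reads the abridged logs (reproduced from the post), pulls out the inner method, the selected identity store, the 22043 skip and the final RADIUS result, and turns them into a one-line reading. The reading it gives for the failing log is the one the log itself supports: ACS selected an identity store, skipped it with 22043 because that store does not support the negotiated inner method, fell through to the internal users store, and did not find the user there (22056). The `explain` wording and the assumption that a log without inner-EAP steps is plain PAP (as the post states for the router) are mine.

```python
"""Added example, not part of the original thread and not Cisco code.

Parses the ACS 5.1 step logs from the post (abridged) and extracts the facts
that explain why the PEAP client was rejected and the PAP client accepted.
"""
import re
from typing import Dict, List, Tuple

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

# Abridged from the failing Windows 7 / PEAP log in the post.
FAILED_LOG = """
11001  Received RADIUS  Access-Request
12300  Prepared EAP-Request proposing PEAP with  challenge
12310  PEAP full handshake finished  successfully
11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
15013  Selected Identity Store -
22043  Current Identity Store does not support the  authentication method; Skipping it.
24210  Looking up User in Internal Users IDStore -  xxxxx
24216  The user is not found in the internal users  identity store.
22056  Subject not found in the applicable identity  store(s).
11815  Inner EAP-MSCHAP authentication  failed
11003  Returned RADIUS Access-Reject
"""

# Abridged from the succeeding Cisco 1841 / PAP log in the post.
OK_LOG = """
11001  Received RADIUS  Access-Request
15013  Selected Identity Store -  LDAPyyyy
24031  Sending request to primary LDAP  server
24015  Authenticating user against LDAP  Server
24022  User authentication  succeeded
22037  Authentication Passed
11002  Returned RADIUS Access-Accept
"""


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs; lines without a 5-digit step code
    (the 'Evaluating ... Policy' headings) are ignored and doubled spaces
    inside messages are collapsed."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), re.sub(r"\s+", " ", m.group(2))))
    return steps


def diagnose(text: str) -> Dict[str, object]:
    """Summarise one authentication attempt from its step log."""
    s = {
        "outcome": None,
        # Assumption: no inner-EAP steps means plain PAP, as the post says
        # for the router.
        "inner_method": "PAP/ASCII",
        "selected_store": None,
        "store_skipped": False,
        "subject_not_found": False,
    }
    for code, msg in parse_steps(text):
        if code in ("11806", "11808"):          # EAP-MSCHAP proposed/accepted
            s["inner_method"] = "PEAP/EAP-MSCHAPv2"
        elif code == "15013":                   # "Selected Identity Store - X"
            s["selected_store"] = msg.split("-", 1)[1].strip()
        elif code == "22043":                   # store skipped for this method
            s["store_skipped"] = True
        elif code == "22056":                   # subject not found anywhere
            s["subject_not_found"] = True
        elif code == "11003":
            s["outcome"] = "Access-Reject"
        elif code == "11002":
            s["outcome"] = "Access-Accept"
    return s


def explain(s: Dict[str, object]) -> str:
    """One-line reading of a diagnose() summary."""
    if s["outcome"] == "Access-Accept":
        return f"accepted via {s['inner_method']} against store '{s['selected_store']}'"
    if s["store_skipped"] and s["inner_method"] == "PEAP/EAP-MSCHAPv2":
        return ("rejected: the selected store was skipped (22043) because it does "
                "not support EAP-MSCHAPv2, leaving only the internal users store, "
                "where the subject was not found (22056)")
    return f"rejected ({s['inner_method']})"


if __name__ == "__main__":
    for name, log in (("windows7", FAILED_LOG), ("router", OK_LOG)):
        print(name, "->", explain(diagnose(log)))
```

The practical caveat behind step 22043: an LDAP identity store can only verify a password it is handed in the clear (PAP, or EAP-GTC inside PEAP), because all ACS can do with it is attempt a bind. MSCHAPv2 is a challenge/response that needs the NT hash or cleartext password on the server side, which a bind cannot provide, so ACS skips the LDAP store for that method. Fixing the reject therefore means changing the supplicant's inner method, not the identity sequence.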

  • Problem with users disabling ARD client service

    I've got a problem and i'm not quite sure of the work around. I'm a PC guy by nature and can't quite figure this out.
    I'm having a problem with users disabling the ARD service from the sharing menu. Unfortunately users need to have admin privileges to do their work so I can't simply give them a standard account.
    I've hidden the ARD user account i created from the login window through Netinfo, but I need to find a way to stop users from shutting the ard service down.
    They don't seem to understand that the company requires that it be on the computer. Now, I'm the one who is set as the admin for ARD in the building; however, we really just use it to roll out drivers, install packages, and it's a lifesaver for remotely fixing problems with programs. The company didn't really buy it to spy on the employees.
    Is there any way to hide the service from an admin level account? Or keep them from shutting it down?
    BTW, this would have to be done on multiple machines running both panther and tiger.
    Any help would be appreciated as I'm not quite sure where to start.

    First, as a matter of policy, let them know this service is active, and needs to remain active. If they disobey this instruction and turn it off, you have a human resources issue, not a technical issue.
    Second, there are very few enterprise users that need admin access to their machines. Oh, they ALL think they do, and there will be howling when non-admin status is first imposed, but we have 350 users in a publishing environment with fewer than 20 set up as admins. Those users are almost all superusers who assist others in a technical role.
    We have far fewer software problems like this and with ARD, IT can install/ authorize installation of software remotely should a user need that. It simply does not dramatically impact our users to have non-admin access. On the other hand, we recognize that a FEW users will need more access, and grant that on a case-by-case basis.

  • If user disables cookies, how to set and use session with URL Rewriting

    If the user disables cookies, how do I set and use the session with URL Rewriting by appending the session ID to the URL?

    If cookies are disabled, then the app server will automatically try to use URL rewriting for session control. The programmer's responsibility is to encode any links or redirects using
    response.encodeURL("/yourPage.jsp")
    and
    response.encodeRedirectURL("/yourPage.jsp")
    See API for details
    http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletResponse.html#encodeURL(java.lang.String))

  • User Disable

    Hello All,
    I am using OIM 10g.
    If a user is disabled in OIM, then how do we know the timestamp of the user disable?
    Thanks.

    Check CREATE_DATE field from UPA_FIELDS Table for that disabled user

  • How to get user attributes from LDAP authenticator

    I am using an LDAP authenticator and identity asserter to get user / group information.
    I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
    Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
    Any help would be appreciated

    Hi Julián,
    in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
    A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
    Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
    Hope it helps
    Detlev

  • LDAP against BEA identity

    This may sound...odd...but I swear there's a legit business reason. :)
    Situation:
    ==========
    * I have ~5 auth sources
    - BEA DB ("native" users)
    - ~4 separate LDAP sources
    * Read: no central user store
    - auth sources are confusing to users
    - very difficult to resolve integration with external services as portal is never truly able to integrate with 3rd party apps that assume we use a central AD/LDAP user store
    * I want to provide a way to solve the second bit of that problem, but ... realistically... I won't be able to fix it the right way by getting a central store set up.
    - central store not possible given our IT and business constraints
    - setting up my own store creates other issues
    My dumb idea
    ===============
    I'm wondering. Has anyone ever considered authing against the portal natively over LDAP? Process might work like...
    1) Portal replicates users from multiple sources, etc. (it knows where to phone home for synch/auth per user)
    2) Configure a web service that mimics LDAP interfaces such that systems can synch and auth against the portal
    - does a search against user name (in theory, finds user - realize you could get duplicate matches)
    - knows the "true" auth source for that user (database, ldap, ad, whatever)
    - passes on provided credentials to "true" auth source
    This may sound stupid, but my thought is that if the portal can become the central point of aggregation for apps, profile data, etc. and is being pushed as a nice bridge between all these places, why not set it up to also be the bridge for the "federated" identity management problems that prohibit us from integrating 3rd party apps that rely on a central LDAP/AD store shared by those apps and the portal. Basically, the portal becomes the user store "glue."
    Yeah - it would be slow. Not as worried about that atm :)
    Just kinda seeing if I'm the only one facing this problem and if there are other options

    Hi Eric,
    I understand where you're coming from. You don't necessarily control the "guts" of the authentication and authorization code for the third-party application and it is expecting a single central user repository like LDAP or AD. You want Plumtree to be that repository (which would allow you to use any number of LDAPs or ADs AND native Plumtree DB users as well) by sync'ing with all the user repositories and then "brokering" authentication to the correct repository based on which repository was used to sync the given user.
    Here's a 10,000-foot view of how I would build this.
    You'll need the following ingredients:
    1) One or more LDAP and/or AD auth sources
    2) A custom SSO or Login solution
    3) A portlet "container" that gets credentials, calls the authenticator web service, and then redirects to the portlet application
    4) An authenticator web service running on a machine that has access to the server APIs (plumtreeserver.dll)
    First, bring all your users and groups in using the LDAP and AD auth sources. Create the necessary Plumtree DB users as well.
    Next, build a custom SSO or customized Login solution that will (ideally, log the user in automatically) capture their username, password and auth source id and send these values to portlets. That's accomplished very easily in custom SSO by putting the headers or cookies into an array, which instructs the portal to forward them to the portlets. However, if you customize login, you can set these settings as personal settings in Login or in one of the Login PEIs and then configure them to be sent to the portlets as User Settings. If you don't know how to do this, let me know and I'll walk you through it.
    Next, configure a portlet "container" of sorts. This "container" will call the EDK to get the username, password and auth source, call the authenticator web service* to re-authenticate the user, and then redirect the request to eRoom (or whatever application you're trying to integrate).
    *The authenticator web service will be the hardest piece of this puzzle to write. You'll need to use the auth source id sent down by the container to figure out which auth source to use, then crack open the auth source to get the settings out of the property bag, and then manually authenticate the user and return success or failure to the caller.
    Theoretically, all this sounds great -- albeit a little complicated. If any of it doesn't make sense, let me know. I'm always up for a challenge, so if you want me to help you write some or all of this stuff, I'm game. (Read: will work for food and/or alcohol. :-)
    Regards,
    Chris Bucchere | bdg | [email protected] | www.bdg-online.com

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example I want to allow an existing user;
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by LDAP Group;
    cn=AppGroup1,ou=Groups,o=mycompany
    this group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • Disable activities in IDM

    Hello,
    I must disable activities in IDM. Does anyone know how to do this?
    thanks

    You can generally select what a user can and can't do by selecting and de-selecting what Capabilities they have - either directly or through an administrator role. Is that what you're trying to do? If that doesn't get you what you want, let us know, as there are some other things to do to provide customized permissions.

  • R/3 users Authentication to LDAP?

    Hello,
    I have configured the LDAP Connector using Tx LDAP from R/3 4.7 running on an AIX Server to an MS-ADS LDAP Server.
    After making all the settings I have run the report RSLDAPSYNC_USER for synchronizing the users between R/3 and LDAP.
    Then the users available in LDAP are getting updated and created in R/3, but the users in R/3 are not getting created. It's giving "LDAP_CREATE failed, restriction violated". For this I have posted in the previous thread.
    I want to know some of my assumptions are correct / wrong.
    1. If we do all these settings, when the User try to login he will be authenticated to LDAP?
    2. In MS-ADS the password length is more than 8 char we can have, but in SAP its 8 char, do we need to increase this field length.
    3. Or if the user changes the password in MS-ADS, do we need to run the synchronization again.
    4. We are assuming that if the LDAP configuration is finished then the users are not required to maintain or change their passwords in R/3 instead they can use the MS-ADS password and changes also in MS-ADS. Is this assumption right?
    Please suggest.
    I am still investigating the sync from R/3 to LDAP.
    The user available in LDAP is created in R/3 but there is no password allocated for him. Do I need to mention the password attribute also in the mapping? If so, can anyone please let me know the attribute and corresponding field of R/3.
    Thanks & Regards
    Sumanth
    [email protected]

    Hi Prakas,
    I Logged the OSS Message for Checking the Issues of Authentication to LDAP from SAP R/3.
    Please find the Below Clarifications and SAP Replies along with the SAP Notes.
    Questions Posted in OSS Message:
    We need to get confirmation that, is this LDAP is for Authenticating like EP or only for Having the Sync Data between both systems?
    Secondly, when the Users are getting created in Active Directory, they are in Deactivated mode. To make them automatically active do we need to set any settings in R/3 or the Directory? For this we searched the Notes and Documentation, but could not succeed.
    Please Suggest. Our main concern is can we achieve the Authentication From LDAP as like in EP -> LDAP in this R/3 or not? The Users are expecting to do authentication, instead to maintain the passwords at different
    places.
    Replies from SAP
    - login in this manner is not possible, see note 603208
    - syncing the password is also not possible.
    - in general, please read note 448360 about features provided in the LDAP area.
    0000448360  Requests in the LDAP environment (directory integration) 
    0000603208  Passwords during the LDAP user master synchronization 
    But, I think we can achieve Authentication in Another Way, NTLM Authentication, For this You Need to Do SAP GUI Client Maintenance Also.
    I am collecting more details in this area. Once I get all the info and procedure I will update you.
    Regards
    Sumanth

  • User Exit not getting triggered

    Dear all,
    We are creating a workflow for PR Release which needed release strategy customization, so we are trying to set the release strategy by changing the communication structure CEBAN-USRC1 field.
    for this, i had done the following things:
    1. SMOD->M06B0005->components->EXIT_SAPLEBND_004->INCLUDE ZXM06U31 (double clicked) wrote few lines of code.
    2. CMOD-> created a proj ZMM_PREL->assigned Enhancement M06B0005 under enhancements tab-> EXIT_SAPLEBND_004-> activated all
    (User exit, project, everything).
    Now my problem is when I create a PR, this user exit does not get triggered at all. I am working on ECC 6.0; the same code which I did in ECC 5.0 for my previous client is still working fine.
    Can anyone please guide me where i might have gone wrong?
    Thank you,
    Regards,
    Lakshmi

    Hi,
    Have you verified that the user exit you are using is triggered whenever you create your PR?
    First of all you have to put breakpoints at each and every user exit provided for that transaction, then check which user exit is getting triggered when you create your PR, and thereafter write your code in that user exit only.
    Reward if useful.
    Regards,
    Harsha
