User hierarchy in LDAP

Hi
In the application we are developing, we need the reporting structure as represented by an org chart. For any given user I should be able to find the users reporting to that user.
How should I go about doing this so that I have an API to call from the application? Is there any such inherent support or will I have to build it?
I know I can set up the tree in LDAP or just add a custom attribute that reflects the "report-to" for each user, but I'm not sure how to retrieve this info.

Hello,
LDAP, as far as I know, is correctly configured. I'm able to assign human tasks properly to LDAP users, and send them email notifications (obtaining the email address automatically via LDAP).
The LDAP user I am using is in a user hierarchy, and has one user above him, but the getManager function (yes, I am using the ids:getManager function) doesn't recognize that hierarchy.
I have also tried with the identity lookup dialog. I find the user, select it, and click the reportees button, but it returns: ' No reportees for userName '
Thanks.
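
An added illustration, not part of either post above and not code from any product named on this page: one way to retrieve reportees when each user entry carries a manager-style attribute, as the first post proposes. The `manager` attribute name, the example.com DNs and the in-memory `memory_search` stand-in are assumptions; the DN is escaped per RFC 4515 before it goes into the filter, so a value supplied by the application cannot change the shape of the query.

```python
import re

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN is a literal assertion value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def reports_filter(manager_dn, attr='manager'):
    """Equality filter matching person entries whose `attr` is manager_dn."""
    return '(&(objectClass=person)(%s=%s))' % (attr, escape_filter_value(manager_dn))

def all_reports(search, manager_dn, attr='manager'):
    """Map each direct or indirect report's DN to its depth below manager_dn.

    `search(filter_string)` must return the DNs of the matching entries; with a
    real directory it would wrap the client library's subtree search call.
    """
    depth = {}
    seen = {manager_dn.lower()}      # guards against manager loops in the data
    frontier, level = [manager_dn], 0
    while frontier:
        level += 1
        next_frontier = []
        for dn in frontier:
            for report in search(reports_filter(dn, attr)):
                if report.lower() not in seen:
                    seen.add(report.lower())
                    depth[report] = level
                    next_frontier.append(report)
        frontier = next_frontier
    return depth

def memory_search(entries, attr='manager'):
    """Offline stand-in for a directory: understands only reports_filter() output."""
    pattern = re.compile(
        r'^\(&\(objectClass=person\)\(%s=(.*)\)\)$' % re.escape(attr), re.S)
    def search(filter_string):
        m = pattern.match(filter_string)
        if m is None:
            raise ValueError('unsupported filter: %r' % filter_string)
        # Undo the \xx escapes to recover the asserted DN.
        value = re.sub(r'\\([0-9a-fA-F]{2})',
                       lambda h: chr(int(h.group(1), 16)), m.group(1))
        # Simplification: DNs are compared case-insensitively as plain strings.
        return [dn for dn, mgr in entries.items()
                if mgr and mgr.lower() == value.lower()]
    return search

# Constructed sample directory: DN -> manager DN (None for the top of the chart).
DIRECTORY = {
    'cn=Ann,ou=People,dc=example,dc=com': None,
    'cn=Bob,ou=People,dc=example,dc=com': 'cn=Ann,ou=People,dc=example,dc=com',
    'cn=Cy (contractor),ou=People,dc=example,dc=com':
        'cn=Bob,ou=People,dc=example,dc=com',
    'cn=Dee,ou=People,dc=example,dc=com':
        'cn=Cy (contractor),ou=People,dc=example,dc=com',
}

if __name__ == '__main__':
    top = 'cn=Ann,ou=People,dc=example,dc=com'
    for dn, level in all_reports(memory_search(DIRECTORY), top).items():
        print(level, dn)
```

Level 1 of the result is the list of direct reportees; deeper levels cost one search per manager, so a large org chart is better served by caching or by a server-side feature where the directory offers one.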

Similar Messages

  • R/3 users Authntication to LDAP?

    Hello,
    I have configured the LDAP Connector using Tx LDAP from R/3 4.7 running on AIX Server to MS-ADS LDAP Server.
    After making all the settings I have run the report RSLDAPSYNC_USER for synchronizing the users between R/3 and LDAP.
    Then the Users available in LDAP are getting Updated and Created in R/3, but the users in R/3 are not getting created. It's giving the LDAP_CREATE Failed, Restriction Violated. For this I have posted in the previous thread.
    I want to know some of my assumptions are correct / wrong.
    1. If we do all these settings, when the User try to login he will be authenticated to LDAP?
    2. In MS-ADS the password length is more than 8 char we can have, but in SAP its 8 char, do we need to increase this field length.
    3. Or if the user changes the password in MS-ADS, do we need to run the synchronization again.
    4. We are assuming that if the LDAP configuration is finished then the users are not required to maintain or change their passwords in R/3 instead they can use the MS-ADS password and changes also in MS-ADS. Is this assumption right?
    Please Suggest me.
    I am still investigating for the sync from R/3 to LDAP.
    The User available in LDAP is created in R/3 but there is no password allocated for him. Do I need to mention the password attribute also in the mapping? If so, can anyone please let me know the attribute and corresponding field of R/3.
    Thanks & Regards
    Sumanth

    Hi Prakas,
    I Logged the OSS Message for Checking the Issues of Authentication to LDAP from SAP R/3.
    Please find the Below Clarifications and SAP Replies along with the SAP Notes.
    Questions Posted in OSS Message:
    We need to get confirmation that, is this LDAP is for Authenticating like EP or only for Having the Sync Data between both systems?
    Secondly, when the Users are getting created in Active Directory, they are in Deactivate Mode. To make it automatically active do we need to set any settings in R/3 or Directory? For this we searched the Notes and Documentation, but could not succeed.
    Please Suggest. Our main concern is can we achieve the Authentication From LDAP as like in EP -> LDAP in this R/3 or not? The Users are expecting to do authentication, instead to maintain the passwords at different places.
    Replies from SAP
    - login in this manner is not possible, see note 603208
    - syncing the password is also not possible.
    - in general, please read note 448360 about features provided in the LDAP area.
    0000448360  Requests in the LDAP environment (directory integration) 
    0000603208  Passwords during the LDAP user master synchronization 
    But, I think we can achieve Authentication in Another Way, NTLM Authentication. For this You Need to Do SAP GUI Client Maintenance Also.
    I am in Collection of More Details in this Area. Once I get all info and procedure I will update you.
    Regards
    Sumanth

  • Urgent : How to create Manager and Reportee of a User in Embedded LDAP in W

    Hi All,
    I have created user in Weblogic Server Embedded LDAP (Console-->SecurityRealm)
    however how can I assign another user as Manager of this user and some other user as reportee of this user.
    Basically how to create Manager and Reportee of a User in Embedded LDAP in Weblogic 10.3.5
    ie I have a user A and user B created in Security Realm.
    Now I want user A to be as Manager of User B so that when I use getManager() function in Human Task,I get A as Manager of B.
    Thanks
    Edited by: Vivek on 28 Sep, 2011 3:54 AM

    To get an idea check these links.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/aaa1a890-0201-0010-eb93-ae3d2bb74a78
    BSP/HowTo - Customizing the design of System Logon page in NetWeaver '04
    -Aman

  • How to create Users/Roles for ldap in weblogic without using admin console

    Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
    or is there any ant script for creating USers/Roles?
    Regards,
    Raghu.
    Edited by: user9942600 on Jul 2, 2009 1:00 AM
    Edited by: user9942600 on Jul 2, 2009 1:58 AM

    Hi..
    You can use wlst or jmx to perform all security config etc.. same as if it were performed from the admin console..
    e.g. wlst create user
    ..after connecting to admin server
    serverConfig()
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
    cmo.createUser("userName","Password","UserDesc")
    ..for adding/configuring a role
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
    cmo.createRole('','roleName', 'userName')
    ...see the mbean docs for all the different attributes, operations etc..
    ..Mark.

  • Provision a user into an LDAP Group/Organisation

    Is it possible to provision a user into a Role that is mapped to an LDAP Group/Organisation through Identity Manager? I've seen that you can add users directly into LDAP groups, but we would like to add users into groups where they already have an account in the Resource/Directory.
    For example I want to allow an existing user;
    uid=User1,ou=Users,o=mycompany
    to access a resource protected by LDAP Group;
    cn=AppGroup1,ou=Groups,o=mycompany
    this group would be mapped to an Application or Business Role within Identity Manager.
    Is this possible?

    If I understand your problem correctly then there is no need for customizing the resource adapter java source code at all. You can "calculate" in which OU or O a user is created by customizing the resource's identity template. Just add a variable to the identity template DN and "calculate" that variable in either your form or map it to IGNORE_ATTR on the resource and then you could even set that value in a role.
    Same for adding a user into a directory group. Map the respective groups attribute and create a role for that resource, then configure the role to set the group attribute or merge the values - as simple as that. Or did I misunderstand what you are trying to do?

  • How to add user to external LDAP programmatically?

    Hello.
    I have portal application in JDeveloper. Here is code that adds user to WLS embedded LDAP:
    JpsContextFactory jps = JpsContextFactory.getContextFactory();
    JpsContext jpsContext = jps.getContext();
    IdentityStoreService storeService = jpsContext.getServiceInstance(IdentityStoreService.class);
    IdentityStore is = storeService.getIdmStore();
    UserManager mn = is.getUserManager();
    RoleManager rm = is.getRoleManager();
    Principal p = mn.createUser(username,password.toCharArray()).getPrincipal();
    Role r = is.searchRole(is.SEARCH_BY_NAME, "Administrators");
    rm.grantRole(r, p);
    But I also have external LDAP on my WLS. How can I add users to external LDAP programmatically?

    System Preferences > Users & Groups > Unlock the lock on the bottom left > click the plus sign on the bottom left

  • User attributes for LDAP

    Hi guys,
    Currently we have an error for an LDAP attribute.
    distinguishedName = (String) user.getTransientAttribute("ldap.distinguished_name");
    user is of type IUser,
    and it returns null.
    Where could I find the list of user attributes in LDAP? Currently we have LDAP 8.8.1.

    Don,
    you might have a look at an LDAP Browser (e.g. http://www-unix.mcs.anl.gov/~gawor/ldap/ ), which helps a lot to find out what the structure of your LDAP server is and which attributes you can access.
    1) Start the tool
    2) click onto the "Quick Connect"
    3) enter your LDAP server
    4) press "Fetch DNs"
    5) Uncheck "Anonymous bind"
    6) Enter your user credentials
    7) Browse your LDAP structure
    It helped me a lot to get the correct settings for the DBMS_LDAP calls.
    Patrick
    My APEX Blog: http://www.inside-oracle-apex.com
    The ApexLib Framework: http://apexlib.sourceforge.net
    The APEX Builder Plugin: http://apexplugin.sourceforge.net/ New!

  • FAQ: BC-LDAP-USR (Directory Interface for User Management via LDAP )

    Version: 20060317
    Q: Where can I find more information on the BC-LDAP-USR interface?
    A: Have a look on our ICC webpage in the SDN:
    SAP NetWeaver AS - Directory Interface for User Management via LDAP (BC-LDAP-USR)[1] [original link is broken]
    Q: What costs are arising when we want our product to be certified?
    A: See also our SDN page under the headline "Price List".
    Q: Is there a link/page for the already certified products for this interface ?
    A: Sure, have a look on our ICC page under the headline "Certified Solutions"
    Q: Who can we ask in case of general question ?
    A: Have a look at our general ICC forum:
    SAP Integration and Certification Center (SAP ICC)
    Of course, if you have urgent requests you can send them also directly to our local ICC's:
    ICC Walldorf in Germany: [email protected]
    ICC Palo Alto in USA: [email protected]
    ICC Bangalore in India: [email protected]
    Q: Who can we ask in case of technical questions ?
    A: This depends on the state of your certification project.
    1.) If the certification contracts have been signed then you can ask in this forum and if this does not solve your question go back to your assigned integration consultant.
    2.) When the certification contracts have not been signed then you can ask questions in this forum.

    I distinguish it using the passwordExpirationTime (or something like that, I don't have code here with me).
    This is possible if after the password is expired the user has at least one more access. It is a user policy that can be set in the LDAP server.
    If it is possible, the user can still log in and perform operations. You can search the passwordExpirationTime attribute and determine if the password is expired, and then send a message to the user, telling him to change it. (If only one access is allowed and you change the password with the same application or service then do not close the context, else you should not be able to connect again.) Instead, if you use an external script, then the last access should not give you problems.
    Hope I made myself clear.

  • Trying to setup im to store user props in ldap

    I am running the im/sbin/configure script. I'm trying to setup im to store user props in ldap. Can someone tell me what bind dn, I need to specify. It will be whatever the default is. I'm not sure how to find this.

    The default bind dn is normally "cn=Directory Manager".

  • Push user accounts to LDAP

    Hello Experts,
    We have setup E-Sourcing 5.1 connected to a MS AD server as LDAP. This LDAP was created exclusively for E-Sourcing application.
    We want to try a scenario where the user administration is handled only by E-Sourcing system, and credentials and passwords are stored in the LDAP. Note that this means that there won't be any user Administration in LDAP, it would be done through e-Sourcing. Is this possible?
    We tried creating "New Accounts" in the LDAP by creating a new user in E-Sourcing, but so far it's been unsuccessful. We get a "driver error" in the ESO UI. It seems the system requires the account to be previously created in LDAP so it can be created in E-Sourcing.
    Has anybody tried doing this?
    Your help is appreciated.
    Regards,
    Gilberto Gallardo

    Hi Gilberto,
    If I understand correctly, when you create a new user account in Sourcing, you want Sourcing to create that account in LDAP as well. This should be possible. I would check if the right Driver is selected in the Directory Configuration. Also, make sure the LDAP related fields on the Directory Configuration such as Host, Port, Directory User Name, Password, BASE DN, etc. has the right values.
    Also, can you provide more details on the error message? I would check the Sourcing logs, it should contain more information on the error.
    Once the account is successfully created in LDAP, the attributes on the directory configuration can be set to push or pull depending on what is desired.
    Regards,
    Vikram

  • JAZN user entries in LDAP

    Can JAZN-LDAP deal with user entries in LDAP that are not all under a single context? For example, suppose I have LDAP entries like
    cn=foo,cn=Users,o=abc.com
    cn=bar,cn=Users,o=abc.com
    cn=baz,ou=unit,cn=Users,o=abc.com
    and, for dn: cn=myrealm, cn=Realms, cn=JAZNContext, cn=Products, cn=OracleContext, the attribute
    orcljaznsubscriberdn: cn=Users,o=abc.com
    Will JAZN-LDAP be able to find the user "baz" as easily as it can find "foo" and "bar"?

    According to Oracle's documentation we can have only one realm specified for an application; surprisingly the JAZN manager will only look for the DNs of "Users" and "Roles" to formulate a Realm. The out of the box JAZN doesn't have the capability to search for Users in more than one subtree. Any suggestions from Oracle on improving the JAZN to make it look for all the user objects starting from a top level tree? Just have one more question, can we specify roles for all users in one DN?
    Thank you
    H.M.Mallik

  • Authenticate Users Using an LDAP Server

    Hi,
    I did implement 'Authenticate Users Using an LDAP Server' according to the link below.
    [http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html]
    It works OK to specific DN String, example 'cn=%LDAP_USER%,OU=Menahel,OU=Cmp,DC=ho,DC=discount'.
    We have a lot of domain rules, meaning the users are not located at the same DN.
    Is it possible to use a general DN string (base root) like 'cn=%LDAP_USER%,*,*,DC=ho,DC=discount'?
    Thanks in advance,
    Shay

    Augusto, one thing to check (since it caught me out) is that your LDAP entries conform to the right format, namely
    "cn=Bob" etc
    When I was integrating HTMLDB LDAP against a Sun One Directory Server, it had me scratching my head for ages, until I realised that the LDAP entries had been created in the format of -
    "uid=bob" rather than "cn=bob"
    This might not be your problem, but it's worth checking anyway ;)

  • Alternative User Fork of Wiki Pages (User Hierarchy Wiki?)

    I am planning to create my own version of the Installation Wiki page.  The current one is good, but I prefer a version that adds a few of the steps right in there and gives a few warnings.  I can understand why the current maintainers like it the way it is.
    Should I just grab the current wiki html source and post a revised version on my own web server (for others), too?
    Or, would the arch wiki prefer to have (a few other users') alternative versions of the (Installation) page in some other obscure location on the arch wiki site, presumably under a user hierarchy, itself?  in this case, I can presumably register a user account on the arch wiki and copy the existing wiki (though the wiki cannot fork pages, I believe).  I was looking on the ArchWiki:Contributing page about whether arch endorses user hierarchies.  (I don't want to contaminate the main wiki-address space.)
    obviously, I am fine with whatever the preference is.
    /iaw
    Last edited by iaw4 (2015-03-18 23:34:26)

    If I may inject some comments as a moderator.  I agree with runical; the issue is purely that one of the Arch forum moderators' main charters is to ensure that technical advice on the forums is applicable to Arch users.  We don't want the confusion that ensues if something is only true if you are running "Manjaro Arch" or "ArchBang" or "Evo/lution" or whatever.  Those distributions have, for various valid reasons, chosen to be different from Arch.  It is they who are the experts in the difference, not us; that is why we ask people to take their questions to the forums of their respective distributions.
    There is no animosity. There is no competition.  It is about choice; we don't care what people choose or why they choose it.  Proprietary, Free, Mostly Free, Friendly warm communities, rolling release, long term stability, easy to set up, infinitely customizable, whatever.   Yes, we have better relationships with some of the distributions, and there are strained relationships with others.  iaw4, I am sorry you felt "admonished".  I really wish Jeff and everyone else over at Evo/lution the very best, it is just that it is a different distribution and they are the authority on their distribution, not us.

  • User Hierarchy Without Attr. Relationship

    All,
    I have created an attribute relationship without exactly having attribute relationships in the order the hierarchy is created.
    However, I do see some performance improvement when this hierarchy is used, compared to before when individual attributes were used in the same order. I just wanted to understand what goes on behind the scenes when I am creating a User Hierarchy, and that too with no attribute relationship (in that order).
    Also, I don't see any size increase of the cube. Need to understand if this is actually helping, or just a coincidence?
    Thanks
    Ayush

    Hi Ayush,
    According to your description, you created an attribute relationship without exactly having attribute relationships in the order the hierarchy is created. The strange thing is that there are some performance improvement when this hierarchy is used, right?
    Generally, hierarchies in themselves don't help much in performance until we have the Attribute relationships set between them. So in your scenario, the Attribute relationships can be set automatically when creating hierarchy. Please ensure that in the Attribute Relationships tab in Dimension design page.
    Attribute relationships improve the performance of Analysis Services when aggregating data. When an attribute relationship is defined between levels of a hierarchy, the engine can use the aggregations of one level to calculate the aggregations of another level, which is why you always receive a message that warns you to create those relationships.
    https://www.simple-talk.com/sql/reporting-services/implementing-user-defined-hierarchies-in-sql-server-analysis-services/
    Regards,
    Charlie Liao
    TechNet Community Support

  • CUCM 8.6.2 LDAP User Delete Pending LDAP Sync Status Inactive

    BE6K ver 8.6.2
    Client has a user who recently got married.  They changed her account information in Active Directory to reflect her new last name. At that point CUCM shows her as
    Delete Pending
    LDAP Sync Status Inactive
    CUC shows
    LDAP User has been deleted.
    The user still exists in both CUC and CUCM and is actively taking and receiving calls.  User has VM access.
    Short of deleting the user in AD and recreating her, is there a way to force this to re-sync?
    Thanks
    Matt

    Then that's expected to happen, for all purposes to CUCM/CUC eyes, msmith no longer exists and will be deleted, and a new user mjones now will be imported.
    Depending on when the change was done and when CUCM detected this, it might take up to 48 hours maximum to delete the user
    You'll need to associate everything to the new user, and also add that new user into CUC.
    Or switch back her userID to the old one, and just change the surname for directory purposes.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk
