Users in new OU in Active Directory have to enter credentials when accessing SharePoint Foundation 2013
Hi,
We have a SharePoint farm consisting of one web front end server and one database server, running SharePoint Foundation 2013. This farm has been up and running for over a year and uses AD for authentication, and SharePoint groups for authorization.
The problem we are seeing is when we create a new Organizational Unit in AD, and add users under this new OU they are prompted for their credentials when trying to access SharePoint. We've done the below tests to narrow the issue down:
1) New user (xxx) in new OU (111) logs into Windows PC and tries to access SharePoint via IE 10 -- they are prompted for their credentials. They are required to enter their username as 'domain\username' to be able to log in successfully to SharePoint.
2) Existing user (yyy), in existing OU (222) logs into same Windows PC and tries to access SharePoint via IE 10 -- they are NOT prompted for their credentials and get into SharePoint successfully.
3) Existing user (yyy) is moved into new OU (111), logs into same Windows PC and tries to access SharePoint via IE 10 -- they are prompted for credentials and need to use 'domain\username' to log in to SharePoint
4) Existing user (yyy) is moved out of new OU (111) and back into their old OU (222), logs into same Windows PC and tries to access SharePoint via IE 10 -- they are prompted for credentials and need to use 'domain\username' to log in to SharePoint
Note: both the new OU (111) and old OU (222) are within the same parent OU.
1 & 2 combined tell me that it's not a PC or IE issue. We've also tried 1 & 2 on multiple PCs so that would eliminate a profile issue as well.
To me it seems that SharePoint doesn't know that the new OU is in our domain, so it doesn't think the users within the new OU are in our domain, which is why they have to supply the domain with their username when logging in... but I'm not exactly an expert when it comes to AD so this is just a guess on my part.
As a long shot, what I thought may fix it would be by syncing AD with SharePoint by using User Profile Synchronization, but it's not offered as part of SharePoint Foundation, so I used this nice solution at CodePlex (https://foundationsync.codeplex.com/), but that did not fix it.
Does anyone have any ideas on how to fix this? Or what the issue may be?
Thanks,
Shaun
Hi Christopher,
Thanks for the reply.
I feel very stupid right now -- I did look at this before posting this question to the forum, but it seems I didn't look far enough.
We have a GPO that enters our domain into the 'Local intranet' of IE. Our SharePoint site's URL is "http://sharepoint.ourdomain.com" and we've got "*.ourdomain.com" under Local intranet sites. But, I also found the FQDN "sharepoint.ourdomain.com" under 'Trusted sites' and that seems to confuse SharePoint because once I moved the FQDN to Local intranet, and removed it from Trusted Sites, the user is now not prompted for their credentials when going into SharePoint.
Thanks for your reply in making me take a second look.
EDIT: We've just removed the FQDN from Local intranet, so all we have is "*.ourdomain.com" under Local intranet and it works as well.
Regards,
Shaun
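The conflict found above, a host listed under Trusted sites while a wildcard for its domain sits in Local intranet, can be checked for mechanically. This is an added example, not code from the thread; the function name and the sample site list are constructed, and the registry path in the comment is where the "Site to Zone Assignment List" policy stores its entries.

```powershell
# Added example: flag hosts whose explicit zone entry differs from the zone of
# a wildcard entry that also covers them (the situation described in the thread).

# IE security zone numbers.
$ZoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

function Find-ZoneConflict {
    param([Parameter(Mandatory)][hashtable]$SiteToZone)

    # Normalise each entry: drop any scheme so "http://host" and "host" compare equal.
    $entries = foreach ($site in $SiteToZone.Keys) {
        [pscustomobject]@{
            Pattern = ($site -replace '^[^:/]+://', '').ToLower()
            Zone    = [int]$SiteToZone[$site]
        }
    }
    $wildcards = @($entries | Where-Object { $_.Pattern.Contains('*') })
    $explicit  = @($entries | Where-Object { -not $_.Pattern.Contains('*') })

    foreach ($e in $explicit) {
        foreach ($w in $wildcards) {
            # Report only when the specific entry and the covering wildcard disagree.
            if ($e.Pattern -like $w.Pattern -and $e.Zone -ne $w.Zone) {
                [pscustomobject]@{
                    Site           = $e.Pattern
                    SiteZone       = $ZoneNames[$e.Zone]
                    Wildcard       = $w.Pattern
                    WildcardZone   = $ZoneNames[$w.Zone]
                    # With default zone settings only Local intranet gets automatic logon.
                    LosesAutoLogon = ($w.Zone -eq 1 -and $e.Zone -ne 1)
                }
            }
        }
    }
}

# Constructed list mirroring the thread (1 = Local intranet, 2 = Trusted sites).
# Entries pushed by the "Site to Zone Assignment List" policy can be read with:
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$siteToZone = @{
    '*.ourdomain.com'               = '1'
    'sharepoint.ourdomain.com'      = '2'
    'http://intranet.ourdomain.com' = '1'
}

Find-ZoneConflict -SiteToZone $siteToZone | Format-List
```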
Similar Messages
-
Can you authenticate user/password from SAP to Active Directory
I don't want to implement SSO for ABAP because my company doesn't have the license for "SAP NW Single Sign-On"; but we would like to authenticate our users and their passwords to active directory. Our goal is to make sure the user/password in SAP is the same as their Active Directory user/password. Is this possible?
Thanks!
This has been discussed many times, for example see SSO with LAN UserID/Password. The short answer is no, you can't synchronize passwords. You can however achieve the requirement assuming you are using Identity Management to provision users and passwords to all systems (AD, SAP, etc). In that case you will have to deal with users changing their password. Recommendation is to enable SSO. If you don't want to get licenses for NWSSO, try to look at other options (X.509 certificates, SPNEGO in AS JAVA and then issue a Logon Ticket, 3rd party solution, etc).
-
Create a new group in Active Directory ?
Hello,
I'd like to create a new group in Active Directory. Can somebody show me a sample code please ?
Thanks.
Someone should show you how to perform a search. There's a sample in this forum.
http://forums.sun.com/thread.jspa?threadID=623860 -
Hi,
I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
When I run Farm configuration wizard to provision search service application, I get an error:
ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
The log file logged the details of this error as:
ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated."
After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
I got some pointer from the below thread
https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
However, the above thread doesn't state that the solution worked.
I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizard is run it creates a new Analytics_<Guid> folder.
Since I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
Thanks in advance.
Himanshu
Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
What could be the problem, considering the items below :
- inheritance is not broken to the level of the distribution group object
- the account used to run the cmdlet is a member of the Organization Management group
- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties) shows no differences.
- adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
- there is no Deny permission on the group's ACL
- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues
Anyone ever come up with a solution to this? I get something similar when Activesync tries to create objects on user containers.
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
I got to this point by following a Migrate to Exch2010 paper by MS. I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched. The Exch server is also a DC. I installed a new 2012r2 server and then patched it. Installed Exch2010SP3Ru8 and all seems well.
The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server Manager on the new 2010 Exch Server. I send it a bunch of emails, connect to it with an outlook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with outlook, send receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
Went so far as to Promo the new 2012 server to a DC. seems to be fine. Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues.... -
Event properties – Event 91, Level Error, Event ID 91, Date and time 5/10/2012 11:29:48AM, Service CertificationAuthority
General:
Could not connect to the Active Directory.
Active Directory Certificate Services will retry when processing requires Active Directory access.
We have a Windows 2008 Server Enterprise with AD . I would like to enable the service "Certificate Services" that allow me to enable radius to authenticate users wireless with the active directory.
Hi,
Can you please check this forum or someone from Microsoft, as we have post here dating back from October that are not being answered.
Everything for us is exactly the same as szucsati and Racom
NMNM,
Please give us an answer on this as the link provided is absolutely useless.
Thank you. -
Since moving to Maverick and the new updated of Keynote, I have a constant problem when typing in a text box, the program crashes. Is there a bug fix for this. Drives me nuts. Like many who can type quite quickly but at secretarial level, the text box freezes, nothing works and you know what's coming...crash!
This is most annoying. Is there bug fixes for this. Apparently I have the current updates and this problem still exists. Is it a Maverick bug or Keynote.
Barry
How did you install Mavericks, as an update ontop of the previous OS or did you wipe the drive and install clean?
-
Sharepoint Foundation 2013 User field issue
Guys, I have an issue with Sharepoint Foundation 2013 site that we have created some custom workflows for. We have a couple required fields that we type in a users name and it automatically pulls up a user based on Active directory. Once we choose that name and then save the form, the field immediately becomes blank when I open the workflow item back up. I'm kind of at a loss. I've already totally hosed the server once and was forced to restore. This seems to have started when we installed share point server patch KB2881077 but I cannot uninstall or roll back the patch as there is no option to.
Thoughts?
If you're using SharePoint 2013 April 2013 CU or higher, this is a known issue where the People data is missing in Edit view. There is a separate issue that is resolved in the September 2014 CU:
http://support.microsoft.com/kb/2995905
Consider the following scenario:
You create a SharePoint 2013 list that contains a Person or Group (people picker) column.
You create or edit an item, and then you select a person whose name contains a comma in the Person or Group field.
In this scenario, the value of the Person or Group field is lost when you save the item.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?
What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
We already send automated email notifications to users reminding them to change their soon-to-expire passwords. However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on it.
When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired. So, they end up confused and call the help desk to get their password reset.
Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or password is "incorrect?"
It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132 -
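A minimal version of the log-checking tool suggested above, as an added example that is not from the thread: it classifies event 4625 records by the NTSTATUS value in their Status and SubStatus fields, which is where an expired password is recorded differently from a wrong one. The function name and the sample events are constructed.

```powershell
# Added example: classify Security event 4625 (failed logon) by its NTSTATUS
# codes so expired passwords can be told apart from wrong passwords.

$FailureReasons = @{
    '0xc0000064' = 'UnknownUser'          # STATUS_NO_SUCH_USER
    '0xc000006a' = 'WrongPassword'        # STATUS_WRONG_PASSWORD
    '0xc0000071' = 'PasswordExpired'      # STATUS_PASSWORD_EXPIRED
    '0xc0000224' = 'PasswordMustChange'   # STATUS_PASSWORD_MUST_CHANGE
    '0xc0000072' = 'AccountDisabled'      # STATUS_ACCOUNT_DISABLED
    '0xc0000193' = 'AccountExpired'       # STATUS_ACCOUNT_EXPIRED
    '0xc0000234' = 'AccountLockedOut'     # STATUS_ACCOUNT_LOCKED_OUT
}

function Get-FailedLogonReason {
    param([Parameter(Mandatory)][xml]$EventXml)

    $system = $EventXml.Event.System
    if ($system['EventID'].InnerText -ne '4625') { return }

    # Flatten <Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # SubStatus carries the specific cause; Status is often a generic failure code.
    $reason = 'Other'
    foreach ($code in @($data['SubStatus'], $data['Status'])) {
        if ($code -and $FailureReasons.ContainsKey($code.ToLower())) {
            $reason = $FailureReasons[$code.ToLower()]
            break
        }
    }

    [pscustomobject]@{
        Time       = $system['TimeCreated'].GetAttribute('SystemTime')
        Account    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp   = $data['IpAddress']
        Reason     = $reason
        # These two codes mean the password needs changing, not that it was mistyped.
        NeedsReset = $reason -in 'PasswordExpired', 'PasswordMustChange'
    }
}

# Constructed sample events, trimmed to the fields used; all values are made up.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2015-01-12T08:14:03Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xC000006E</Data>
    <Data Name="SubStatus">0xC0000071</Data>
    <Data Name="IpAddress">203.0.113.10</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2015-01-12T08:15:41Z"/></System>
  <EventData>
    <Data Name="TargetUserName">asmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">0xC000006A</Data>
    <Data Name="IpAddress">203.0.113.25</Data>
  </EventData>
</Event>
'@
)

$results = $sampleEvents | ForEach-Object { Get-FailedLogonReason -EventXml $_ }
$results | Format-Table -AutoSize

# Accounts the help desk (or the user) should be told about.
$results | Where-Object NeedsReset |
    ForEach-Object { "Notify $($_.Account): password expired or must be changed" }

# On the server, feed it real events instead of the samples:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#       ForEach-Object { Get-FailedLogonReason -EventXml $_.ToXml() }
```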
When trying to create a new server farm in the sharepoint foundation 2013 we get a following error :
The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.
PS C:\Users\Administrator> New-SPConfigurationDatabase
cmdlet New-SPConfigurationDatabase at command pipeline position 1
Supply values for the following parameters:
DatabaseName: SharePoint_Config
DatabaseServer: PC78\SQLEXPRESS,25111
FarmCredentials
Passphrase: *********
New-SPConfigurationDatabase : One or more types failed to load. Please refer
to the upgrade log for more details.
At line:1 char:1
+ New-SPConfigurationDatabase
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Share...urationDatabase:
SPCmdletNewSPConfigurationDatabase) [New-SPConfigurationDatabase], SPUpgra
deException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPCon
figurationDatabase
And the error log is shown below :
Microsoft.SharePoint.Upgrade.SPUpgradeException: One or more types failed to load.
Please refer to the upgrade log for more details.
at Microsoft.SharePoint.Upgrade.SPActionSequence.LoadUpgradeActions()
at Microsoft.SharePoint.Upgrade.SPActionSequence.get_ActionsInternal()
at Microsoft.SharePoint.Upgrade.SPUtility.GetLatestTargetSchemaVersionByMajorVersion(Type typeActionSequence, Int32 majorVer)
at Microsoft.SharePoint.Upgrade.SPUtility.get_CurrentSPSiteWssTargetSchemaVersion()
at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, Int32 compatibilityLevel, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, Strin... b712a522-fa85-49eb-b59c-dedf55295504
...g secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName, Boolean overrideCompatibilityRestriction)
at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, Int32 compatibilityLevel, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
at Microsoft.SharePoint.Administration.SPAdministrationWebApplication.CreateDefaultInstance(SqlConnectionStringBuilder administrationContentDatabase, SPWebService adminService, IdentityType identityType, ... b712a522-fa85-49eb-b59c-dedf55295504
...String farmUser, SecureString farmPassword)
at Microsoft.SharePoint.Administration.SPFarm.CreateAdministrationWebService(SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword)
at Microsoft.SharePoint.Administration.SPFarm.CreateBasicServices(SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword)
at Microsoft.SharePoint.Administration.SPFarm.Create(SqlConnectionStringBuilder configurationDatabase, SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword, SecureString masterPassphrase)
at Microsoft.SharePoint.Administration.SPFarm.Create(SqlConnectionStringBuil... b712a522-fa85-49eb-b59c-dedf55295504
...der configurationDatabase, SqlConnectionStringBuilder administrationContentDatabase, String farmUser, SecureString farmPassword, SecureString masterPassphrase)
at Microsoft.SharePoint.PowerShell.SPCmdletNewSPConfigurationDatabase.InternalProcessRecord()
at Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord() b712a522-fa85-49eb-b59c-dedf55295504
Error Category: InvalidData Target Object Microsoft.SharePoint.PowerShell.SPCmdletNewSPConfigurationDatabase Details NULL RecommendedAction NULL b712a522-fa85-49eb-b59c-dedf55295504
Leaving ProcessRecord Method of New-SPConfigurationDatabase. e9ae5ba6-c499-0000-d35c-aee999c4cf01
we are using server 2012 R2 and we don't have office 2010 installed
Yes, SQL server is on the same server as SharePoint
SQL has both the permissions Securityadmin and DBcreator roles on SQL Server.
When we run those sharepoint management shell commands the database will be created with the error msg (shown in attachment) -
Restrict Which Users Can Enter Data In List Form in SharePoint Foundation 2013
Is there a way to restrict which users can enter data in particular fields in a list item entry form?
We are using a SharePoint Foundation 2013 list and calendar to manage vacation time. We need to restrict non-supervisor users from entering a value in a certain field in the vacation request form.
Here is how the system works now:
1. Employees complete the vacation request form (which creates a list item)
2. An email is sent to their supervisor to either approve or decline the request
3. Approved requests are automatically entered onto the vacation calendar
We have restricted the list so that only supervisors can edit items (the pending vacation requests). The problem is that all users can mark their own requests as approved when they fill out the request form in the first place. Is there a way to restrict which users can enter data in particular fields on a list item entry form?
Thanks for the suggestion. We ended up 1) hiding the approval column and 2) creating a second list, workflow, etc. The user no longer sees the approval column when filling out the form. Requests are now submitted to list A. Workflow #1 copies the request to List B, then deletes the item from List A. Once the request is added to List B, Workflow #2 emails the user that the request has been received and emails the supervisor that a request needs to be approved. Only supervisors have editing permissions on List B. Approved requests are automatically added to the vacation calendar (the calendar view of List B).
We found the following site to be helpful in learning how to hide the list column:
http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2013/06/03/how-to-hide-a-sharepoint-list-column-from-a-list-form.aspx -
Hi,
I want to install SharePoint Foundation 2013 on a standalone server with SQL Express but I want to be able to name the content databases without their GUID references. Will I have to use an install script (AutoSPInstaller perhaps?) to achieve this?
Thanks.
You can't do a standalone install if you want the alias (also if you plan to move the databases in the future)
You'll need to create the alias before you create the farm with the Configuration wizard or PowerShell so you can specify the alias. Whether you create the alias before or after installing SQL Express doesn't matter as long as it points to the instance.
Jason Warren
@jaspnwarren
jasonwarren.ca
habaneroconsulting.com/Insights -
How to add a new schema in active directory by jndi?
I can add new objectclass schema and new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I search all topic in this forums and seems like there is no such answer. So for active directory, the only way to add new schema is by using MS MMC + AD schema snap-in?
You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
I strongly recommend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
Also, if you are extending the schema, DO NOT use other organization's schema OID's. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3 ! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
The following snippet illustrates how to extend the schema using JNDI.....
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
// env holds the JNDI connection settings (provider URL, bind credentials), set up elsewhere
String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
LdapContext ctx = new InitialLdapContext(env,null);
// true = attribute IDs are treated case-insensitively
Attributes attr = new BasicAttributes(true);
attr.put("cn","ms-ShoeSize");
attr.put("objectClass","attributeSchema");
attr.put("ldapDisplayName","msShoeSize");
attr.put("isSingleValued","TRUE");
attr.put("attributeID","1.2.840.113556.1.4.7000.141");
attr.put("attributeSyntax","2.5.5.9");
// Creating the subcontext adds the new attributeSchema object to the schema container
Context newattr = ctx.createSubcontext(attrName,attr);
Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the new abstract class as an auxiliary class to an existing structural class. For example create a new auxiliary class called "clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxiliary class to inetOrgPerson.
Note that you need to wait for the schema cache to refresh, before adding attribute or class definitions to one another, and before instantiating new objects with the new classes & attribute definitions. You can either wait for the schema cache to refresh itself, or you can force a refresh by writing the value of 1, to the attribute "schemaUpdateNow" on the RootDSE.
As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:
dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: add
objectClass: attributeSchema
cn: ms-ShoeSize
ldapDisplayName: msShoeSize
attributeID: 1.2.840.113556.1.4.7000.141
attributeSyntax: 2.5.5.9
isSingleValued: TRUE

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
-

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
changetype: modify
add: mayContain
mayContain: mSShoeSize
-

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1
-

-
Need to automatically add newly created user account in an existing active directory group.
Hi All ,
In my environment we are having Windows Server 2012 active directory environment. We need to have the newly created active directory user account to get added automatically to the existing active directory group after that new user account creation.
Please tell us the possible ways to achieve this scenario.
Regards
S.Nithyanandham
Thanks S.Nithyanandham
Hi,
Can you please confirm your requirement,
When you create a new user account in AD, based on the user's property like Department, Job or Location, the user need to be added to your specific AD groups?
Regards,
Gopi
JiJi
Technologies -
DBMS_LDAP adding user to security group on Active Directory
Hi forum members,
I am accessing and manipulating Active Directory using the DBMS_LDAP package and its API's.
My initial code is to add a new entry in our MUsers group. After establishing the session and binding it, I supply the required credentials and the user, ex: 366944, is created successfully in the MUsers group which is a global users group.
My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
When I do a search on the "Researcher" group this is the result : (I have deleted a few irrelevant entries)
ATTIBUTE_NAME: objectClass = top
ATTIBUTE_NAME: objectClass = group
ATTIBUTE_NAME: cn = Researcher
ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: distinguishedName =
CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
ATTIBUTE_NAME: instanceType = 4
ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
ATTIBUTE_NAME: uSNCreated = 97190
ATTIBUTE_NAME: uSNChanged = 102960
ATTIBUTE_NAME: name = Researcher
ATTIBUTE_NAME: objectGUID = ?P??|F?
?Q?'
ATTIBUTE_NAME: objectSid =
ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
ATTIBUTE_NAME: sAMAccountType = 268435456
ATTIBUTE_NAME: groupType = -2147483646
ATTIBUTE_NAME: objectCategory =
CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
My add_in_group function is : (I am hardcoding certain values for simplicity)
FUNCTION add_in_group
  (ldap_session dbms_ldap.SESSION)
RETURN PLS_INTEGER
IS
  lv_vals   dbms_ldap.string_collection;
  lv_array  dbms_ldap.mod_array;
  ln_retval PLS_INTEGER;
  l_group   VARCHAR2(256);
BEGIN
  -- Initialize the varray for the modify command
  lv_array := dbms_ldap.create_mod_array(10);
  -- NULL must be tested with IS NULL; "= NULL" never evaluates to TRUE
  IF lv_array IS NULL THEN
    dbms_output.put_line('Error add_in_group: lv_array not initialized.');
    NULL;
  END IF;
  dbms_output.put_line ('lv_array successfully initialized');
  -- Populate the varray
  lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
  dbms_ldap.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'member',lv_vals);
  --Populate the object class variables
  lv_vals(1) := 'group';
  BEGIN
    DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
  END;
  --BEGIN
  -- Group Modification
  l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
  BEGIN
    ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
  --EXCEPTION
  --WHEN OTHERS THEN
  --dbms_output.put_line ('Error in modify_s ');
  END;
  -- Free the varray
  dbms_ldap.free_mod_array(lv_array);
  RETURN ln_retval;
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line('add_in_group : '|| SQLCODE||' '||SQLERRM);
    RETURN -1 ;
END add_in_group;
My error is :
ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
The error descriptions reads like this :
Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
In this case, I am using the modify_s operation. I am supplying the credentials of the researcher group and trying to set the 'member' attribute as the user already existing in a diff group (MUsers).
The researcher group already has 3 users, namely 1, 2 and 3, as members. These users are also part of MUsers group.
Hence I am not trying to rename any entry to the name of an entry that already exists.
Any help on this would be appreciated.
Hi,
I tried the same code that you have mentioned and did some changes as follows and now able to add members to a group.
remove the section that contains the following commands, then it will work
lv_vals(1) := 'group';
DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
Thanks & Best Regards,
Indika