VDI 3 + Active Directory Child Domain Setup Question
Hi Everyone,
Quick question. Will this config work because I'm having some issues.
Domain A
Child Domains A.A, B.A, C.A, etc..
Kerbros is setup and pointing at domain A with admin account access.
VDI3 can see all the domains when I pull down the domain selector... however!... I can only log into the parent domain A. Attempts to log into child domains A.A, B.A, etc give me an 'Unknown user/password error'.
Will this config work? All child domains are part of the same forest which I thought was supported.
Many thanks in advanced for any replies.
Dono
Hello,
yes, forests with multiple child domains are supported and your configuration should be working.
In order to troubleshoot the problem, please follow the instructions at:
http://wikis.sun.com/display/VDI3/End-users+cannot+access+their+virtual+machines.
The cacao logs should contain more details about the error.
Thanks,
Katell
Similar Messages
-
Active Directory Cached Domain Login question
Hi all,
I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
Production Forest #1 - Contoso
Test Lab Forest #2 - Contoso
Assuming both AD forests domain controllers are issued with Domain Controller Certs (to support smartcard login) from the same CA, and there exists a AD user acct - Mark in Production Forest #1 and this user is currently using a issued smartcard to perform
AD login on desktop client #1
Would it be possible to create a AD user acct - Mark in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2 which is joined to Test Lab Forest #2? If not technically possible, why??? :(
I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is not all the laptop clients site have access to the production domain controllers hence am thinking of building the
Test Lab Forest #2 on another "server" laptop which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
Hi,
I am trying to install certificate services on a windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of nCipher SW is = 11.30. It is a RootCA, and I am trying to use a key that is already stored in the HSM (I
have done this before with a PCI HSM (older HW version)). I select “Use existing private key” and “Select an existing private key on this computer” on the wizard, then i change the CSP to nCipher and click on "search" the key I am looking for
appears and I select that one. I repeat, I have done this before and it works with a PCI HSM module.
The installation is finished before being prompted to insert the operator cards, and it ends with two errors:
<Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
And:
<Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation.
0x8007139f (WIN32: 5023)
The servermanager.log says:
1856: 2014-07-23 18:27:48.195 [CAManager] Sync: Validity period units: Years
1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:48.928 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress.
0x800703e5 (WIN32: 997)'
1856: 2014-07-23 18:27:48.928 [Provider] Adding error message.
1856: 2014-07-23 18:27:48.928 [Provider] [STAT] For 'Certification Authority':
And:
1856: 2014-07-23 18:27:49.053 [CAWebProxyManager] Sync: Initializing defaults
1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:49.162 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct
state to perform the requested operation. 0x8007139f (WIN32: 5023)'
1856: 2014-07-23 18:27:49.162 [Provider] Adding error message.
Has anyone experienced this before? Am I missing something here?
Any help will be very appreciated
Thanks in advance
Best regards
Alejandro Lozano VillanuevaHi, thanks for your support.
I have been playing around a bit with some ncipher commands and found this:
C:\Program Files (x86)\nCipher\nfast\bin>cspcheck.exe
cspcheck: fatal error: File key_mscapi_container-1c44b9424a23f6cddc91e8a065241a0
9aa719e4f (key #1): 0 modules contain the counter (NVRAM file ID 021c44b9424a23f
6cddc91)
cspcheck: information: 2 containers and 2 keys found.
cspcheck: fatal error occurred.
If I perform the same command on the original server (the server with the original kmdata folder and with the running RootCA services):
E:\nfast\bin>cspcheck.exe
cspcheck: information: 2 containers and 2 keys found.
cspcheck: everything seems to be in order.
Strange?
Moreover, when I do a csptest.exe command (also on both servers, i find this)
On the new server:
C:\Program Files (x86)\nCipher\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.48
User key containers:
Container 'csptest.exe' has no stored keys.
Container 'Administrator' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has no stored keys.
Container 'csptest.exe' has no stored keys.
While in the old server:
E:\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.40
User key containers:
Container 'csptest.exe' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has a 2048-bit signature key.
Container 'csptest.exe' has no stored keys.
As you can see, the container called ROOTCA, which is the one that I use during the installation, says it has no stored keys. While on the old server, it says it contains a key. Why is this happening? I dont know, I am copying the complete
key management folder from one server to another and initialize the security world with that folder as I always do, and i dont have any errors during this procedure.
Do you know what could be the cause of this? or how can I fix this? Thanks a lot, best regards.
Alejandro Lozano Villanueva -
Prevent Active Directory Parent Domain Admins from accessing Child Domain
We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
Thanks in advance for input and advice!
Best regards.Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
parent.parentdomain.com
child1.parentdomain.com
child2.parentdomain.com
child3.parentdomain.com
We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
2.) Promote a Child.parentdomain.com user to Enterprise Admin?
Thanks sorry for the confusion.
Ah ok.
Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the
enterprise admins group. that way they are still only admins in the parent domain.
It is really only depending on group members ship and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
based on the group membership you can also deny them the ability to log on.
the only thing you cannot prevent is the forest administrator account from doing something.
One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in. -
Problem authenticating user in Active Directory cross domain
Hi,
We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
'm trying to connect to London AD using the "users credentials" and retrieve the groups they are assigned to.
I can connect to the London AD using any of the London user and I could retrieve the groups. But when I use a Tokyo user credentials to connect using the London AD server 'm getting Security exception with a code indicating "User Not Found".
The code I use which is very basic is given below . The code below run as such gives me the following error,
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "london ldap server url");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.REFERRAL, "follow");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
ctx = new InitialLdapContext(env, null);
I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
Please bear with me if my query is a naive one and point me in the right direction.
Thanks
JothiHi Praveen,
to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
For this, you have to change the following UME properties:
For user objects: ume.ldap.unique_user_attribute=<attributename>
For account objects: ume.ldap.unique_uacc_attribute=<attributename>
For group objects: ume.ldap.unique_grup_attribute=<attributename>
Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
Please read SAPNote 777640 for more information regarding this problem and the way to change the UME properties.
Best regards,
Robert -
Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)
hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONEHi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If -
Lync 2013 & Active Directory Intra Domain Migrations
Hi all,
Hopefully this is the correction forum to ask. Suppose the following scenario
Parent Domain containing Lync 2013 Servers
Child domains consisting of user accounts
It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain.
A few questions
Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
Thanks,Within a single forest it quite possible to have Lync installed in one domain and User a part of another domain
All we have to do during the Lync server install process run the domain prepaerationn wizard for all the domain weher we shall either have Lync user object or Lync server object
Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
I believe As long as the user SIP URI Doesn't change you can export the user data information and after the migration if you can import in user information
Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered" -
Active Directory Groups - Domain Users Group
Using the AD resource adpater, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking AD the user does belong, but in IDM it does not list this group membership. Is this normal ?
Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS, that has been FTP enabled. The problem I'm seeing now is that the watch will only work, if the watch is at the root level. If I add a file path, its accepted as valid when I save the directory watch, but looking at the fa.log its appending the last directory on twice.
So if my watch is looking at FTP Directory Path of: lifelink
The fa.log shows: .../lifelink/lifelink/
the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
thanks,
Dave -
How to script out to connect to Active Directory specific domain controller server?
How to script out a script that enable us to connect to the specific domain controller server, it is because I have 2 different servers version and both of them have been communicate with powershell, thus, I wanted to powershell to communicate with one
server version. How to script this out?Please see the Posting Guidlines:
http://social.technet.microsoft.com/Forums/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG
and this article on how to ask questions in a technical forum:
http://sincealtair.blogspot.com/2010/04/how-to-ask-questions-in-technical-forum.html
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " " -
BOXI r2 - SSO in Active Directory multi domain
Hi all,
I have a customer with XI r2 on windows and infoview deployed on Tomcat. Security is (OK until yesterday) sedWinAD with SSO via Vintela. Yesterday they have add a new domain in krbc5.ini and new domain's users cannot login. Tomcat trace reports the following:
INFO: Server startup in 8516 ms
24625 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSManager - No Subject found on the current thread
24641 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS: Acceptor supports: KRB5
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Using keytab entry for: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting ticket .. **
with key
Principal: HTTP/svrcrmboprod.STI.STG***STI.STG
Type: 1
TimeStamp: Thu Jan 01 01:00:00 CET 1970
KVNO: 6
Key: [3, a8 7f 51 1a f1 40 e3 19 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted ticket:
Ticket:
encryption type: 3 (DECRYPTED OK)
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
TransitedEncoding:
client: Quattri***BFP.STG
session key: [3, 9e 46 40 31 df a8 68 1 ]
ticket flags: forwardable renewable ok-as-delegate preauthent
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
valid for:
all addresses
auth data:
[1, 30 82 3 62 30 82 3 5e a0 4 2 2 0 80 a1 82 3 54 4 82 3 50 4 0 0 0 0 0 0 0 1 0 0 0 c0 2 0 0 48 0 0 0 0 0 0 0 a 0 0 0 18 0 0 0 8 3 0 0 0 0 0 0 6 0 0 0 14 0 0 0 20 3 0 0 0 0 0 0 7 0 0 0 14 0 0 0 38 3 0 0 0 0 0 0 1 10 8 0 cc cc cc cc b0 2 0 0 0 0 0 0 0 0 2 0 15 d6 9d 6f 2a 3d ca 1 ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f c2 f0 21 d3 2f 2d ca 1 c2 70 86 cb c2 44 ca 1 c2 70 4f bc e8 73 ca 1 e 0 e 0 4 0 2 0 20 0 20 0 8 0 2 0 0 0 0 0 c 0 2 0 0 0 0 0 10 0 2 0 44 0 44 0 14 0 2 0 4 0 4 0 18 0 2 0 45 6 0 0 de 4 0 0 1 2 0 0 3 0 0 0 1c 0 2 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 16 0 20 0 2 0 6 0 8 0 24 0 2 0 28 0 2 0 0 0 0 0 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 2c 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 7 0 0 0 0 0 0 0 7 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 0 0 10 0 0 0 0 0 0 0 10 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 20 0 4c 0 6f 0 72 0 65 0 64 0 61 0 6e 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22 0 0 0 0 0 0 0 22 0 0 0 5c 0 5c 0 73 0 76 0 72 0 62 0 66 0 70 0 66 0 73 0 68 0 66 0 2e 0 62 0 66 0 70 0 2e 0 73 0 74 0 67 0 5c 0 48 0 4f 0 4d 0 45 0 24 0 5c 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 2 0 0 0 0 0 0 0 2 0 0 0 4d 0 3a 0 3 0 0 0 1 2 0 0 7 0 0 0 9a 4 0 0 7 0 0 0 48 e 0 0 7 0 0 0 b 0 0 0 0 0 0 0 a 0 0 0 53 0 56 0 52 0 42 0 46 0 50 0 44 0 43 0 30 0 32 0 4 0 0 0 0 0 0 0 3 0 0 0 42 0 46 0 50 0 0 0 4 0 0 0 1 4 0 0 0 0 0 5 15 0 0 0 3b c2 da 85 8 fa d1 16 fe 9b 47 2f 4 0 0 0 30 0 2 0 7 0 0 0 34 0 2 0 7 0 0 0 38 0 2 0 7 0 0 0 3c 0 2 0 7 0 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 36 40 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 99 33 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b d0 12 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 9b 11 b 6a 91 78 ec 27 6b 53 ee 1b 7a c 0 0 0 0 0 0 0 8e 60 6f 2a 3d ca 1 e 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 76 ff ff ff 16 15 71 e5 8 76 59 2a 0 de 13 b9 f8 a3 c4 94 0 0 0 0 76 ff ff ff a6 9f 99 90 c7 63 41 c6 4a b4 f 8d c2 70 44 9f 0 0 0 0 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Setting context expiry to [1253841580000]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Current wall time is [1253805580586]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting application request .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted application request:
++++ KRB-AP-REQ Message ++++
encryption type: 3 (DECRYPTED OK)
ap options: mutual-required
Ticket:
encryption type: 3
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
client: Quattri***BFP.STG
subkey: [3, da 34 d3 4 8f f2 e9 b9 ]
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
sequence number: 1846075710
++++++++++++++++++++++++++++
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Got delegated credential
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Delegated credential:
++++ KRB-CRED Message ++++
encryption type: 0 (DECRYPTED OK)
sender address: null
receiver address: null
nonce: -1
timestamp: null
credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** creating application response .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - created application response:
++++ KRB-AP-REP Message ++++
encryption type: 3
sequence number: 162921799
sub session key: null
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
++++++++++++++++++++++++++++
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator supports: KRB5
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator TGS key type:
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - 3
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
Found acceptor realm: null
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - GSS: Initiator getting service ticket for: BO_Admin
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** requesting service ticket .. **
with credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
for service principal: BO_Admin
at realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Resolving KDC for realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver -
UDP attempt #0 to DNS server svrstidc01.sti.stg/172.20.1.103
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data sent:
0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data received:
0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
00 01 00 01 00 00 00 00 00 04 ac 15 01 66
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - params: 1000000110000000
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - Query sent:
Qname: _kerberos._udp.BFP.STG
Qtype: 33
Qclass: 1
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: _kerberos._udp.BFP.STG
Class: 1
TTL: 454
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: svrbfpdc02.bfp.stg
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
Do yuo have any tips?
Thanks in advance
FabrizioSorry,
I noticed that the trace is too long, so I put the most important
Thanks
F.
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include -
CMC Authentication Active Directory Synchronization Updates Drops Users
We are using SAP Business Objects on a Windows Server 2008 box and have configured single sign-on using Active Directory. We schedule the Active Directory in the Authentication tab to synchronize every day. Yesterday not all of the users updated and actually were dropped from the CMC. We think it was because one of the domain controllers went down for a group of users during the last CMC Active Directory Update. My question is, are there any log files we can look at for the active directory synch to see if there were any errors detected during the synchronization. It would be nice too, to be able to see a list of what actually happened during the Active directory synch like what groups, users and user group associations where added and deleted.
The result was when the users were dropped we lost any manual security setups and the user lost their favorites and preferences settings because they were dropped. Is there anyway we can insulate our Acitve Directory updates from accidentally dropping users when something goes wrong with the Active Directory Synch Update?
Any best practices would be greatly appreciated.
Thanks,
BillHi Bill,
Usually, if a group has been deleted or renamed in the AD controller, the group is deleted from the CMC. If a DC is not available, the group shouldn't have been deleted.
As far as I know, there are no options for debugging the action of the schedule. If you suspect that this can happen again, you can enable/disable traces on your CMS programming the creation/copy of CMS_trace.ini when the AD graph/alias schedule is going to happen.
There is an Idea that you can vote to avoid users being deleted when the group is accidentally deleted from the CMC:
https://cw.sdn.sap.com/cw/ideas/2645
In the meantime, you can also create Enterprise alias for your AD users, so even if the problem appears again, the security, inboxes and favourites will still be there.
1401058 - How to create Enterprise aliases for LDAP or AD accounts
[https://service.sap.com/sap/support/notes/1401058]
Regards,
Julian -
Unable to save Unified Messaging PIN: Access to Active Directory Failed
I'm trying to enable all of our users for Unified Messaging and I've created a powershell script for each of users I want to enable but I am getting an error message everytime I try and run it.
Unable to save Unified Messaging PIN for mailbox 'smtp address': Access to Active Directory Failed
Our setup is forest root domain and 2 child domains. Most of the users are in the child domains and the Exchange server is in the forest root domain.
I'm using -domaincontroller but this doesn't make a difference. Here is the script I am using:
Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy "DefaultUM Default Policy" -Extensions 303 -PIN 1234 -SIPResourceIdentifier "[email protected]" -PINExpired $false -domaincontroller "rc-curdc-01.curriculum.riddlesdown.local"
Can someone point out why this isn't working?I had the same experience as Gueetar. Couldn't enable a UM mailbox, or change the PIN. Got a generic "Access to Active Directory Failed" message instead of anything useful. Even went so far as enabled a ton of diagnostic logging, which didn't report anything
useful.
Of course, all the accounts I was enabling had the HiddenFromAddressListsEnabled property set to $true (these were old deactivated accounts I was using to test with). I found that setting it back to $false corrected the issue.
Of course I didn't know it was that exact problem at the time. I only found a difference after disabling/re-connecting mailboxes (and of course newly created mailboxes exhibited no issues). Assuming this was going to be the case for all mailboxes this would
be fine for testing and proof of concept, bad for production/implementation. Instead I ran a bunch of scenarios over two days, culminating in a crap load of LDIFDEs and DSACL dumps to enumerate the object properties and compare the values that were different.
This property (HideFromALEnabled) and a few others stood out. Luckily it wasn't ACL-related - that would've been a complete head wreck!
Dear Microsoft: More descriptive errors next time, please :) -
Error while creating a user in Active Directory.
Hi Guys,
I am creating a custom connector for AD and Exchnage , I am able to create user in AD using my Java Code... but i am also getting below error, I want to finish the operation smoothly.... Please find below error logs.
13:51:15,635 ERROR [STDERR] Data AccessException:
13:51:15,636 ERROR [STDERR] com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_AD_CHILD_GRP_NAME from UD_AD_CHILD where UD_AD_CHILD_KEY = Description: ORA-00936: missing expression
SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.getChildTableFieldValue(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.insertResponseMilestones(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.update(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.updateSchItem(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeProcessAdapter(Unknown Source)
at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeAdapter(Unknown Source)
at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpCREATEADUSER.implementation(adpCREATEADUSER.java:85)
at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(Unknown Source)
at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(Unknown Source)
at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.setProcessFormData(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
at org.jboss.ejb.Container.invoke(Container.java:960)
at sun.reflect.GeneratedMethodAccessor135.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:112)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
at $Proxy758.setProcessFormData(Unknown Source)
at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy803.setProcessFormData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.handleVerifyProcessData(Unknown Source)
at com.thortech.xl.webclient.actions.DirectProvisionUserAction.goNext(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:619)
Thanks,
Hemantat com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
This is definitely a Custom Adapter because OOTB Adapter name is adpADCSADDUSERTOGROUP and NOT adpADDUSERTOADGROUP
So, it is your custom code and in the code you are passing incorrect value of the Active Directory Child process form...
The correct name is UD_ADUSRC and the Group Name column name is UD_ADUSRC_GROUPNAME.
While you are passing UD_AD_CHILD as the child process form and UD_AD_CHILD_GRP_NAME as Group Name column name..
Use OOTB Adapter... Correct these discrepancies... Your addition of group will work
And since you are creating custom adapter, you need to be more careful and remain consistent throughout..
Then if you want to use UD_AD_CHILD_GRP_NAME, use it everywhere consistently... Pass only this value in the adapter...
And even in lookups, if any... Search everywhere... Keep things consistent... They will work... Because good news is that you are able to create user in AD via Java Code...
And if any post is even slightly helpful, it is a good habit to mark it with helpful or correct ... And also mark the entire question as answered so that other people also are benefited. -
Exchange 2013 fails Active Directory Prep
This is a new, new, installation of Windows Server 2012 R2 Essentials followed by Exchange 2013, all on a single server that is also the DC, in a lab environment. This is to replace an existing SBS2000 installation in a small business.
Server 2012 setup without any significant issues. The first pass at Exchange 2013 resulted in "access denied" when attempting to access the Exchange Management PS and login credentials failure for Exchange EAC (ECP). After manually
adding the installation Administrator to a number of the Exchange security groups, I was able to access Exchange Manager. I checked that there was a mailbox associated with the Installation Admin ID, attempted to reset passwords and a number of other
things to no avail. I uninstalled Exchange (what a pain).
I reinstalled Exchange. As with the first time, no prerequisite errors and no installation failure alerts. Again, I could not access Exchange Manager (access denied) or the EAC (login credentials failure). This time, I was not
able change the security group permissions to gain access to Exchange Manager. Again, checked about everything there was to check on the web and found a reference to Exchange possibly not installing correctly due to lingering entries from the first install.
As I could not access Exchange Manager to perform the uninstall prerequisites, I attempted to manually delete it (nothing to loose at this point), but made the anticipated mess.
Wiped the RAID and started over with a clean sheet install of Server 2012 Essentials-OK. Progressed in the Exchange install prep to "Prepare Active Directory and Domains" (http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx)
and stopped when I could not detect the confirming ADSI entries of AD prep set forth at the close of the TechNet document.
I methodically stepped through the install procedure and again received no prerequisite failures or installation failure alerts. I examined the install logs and found no errors, either.
Any words of wisdom?Hi,
From your description, Windows Server 2012 R2 Essentials and Exchange 2013 are installed on a single server that is also the DC.
Microsoft does not support installing Exchange Server on a server that is running Windows Server Essentials. You need to install Exchange Server on a second server and then join the second server to the Windows Server Essentials domain.
And it is not recommended to install Exchange server on DC.
Here is a related article for your reference.
Integrate an On-Premises Exchange Server with Windows Server Essentials
http://technet.microsoft.com/en-us/library/jj200172.aspx
Best regards,
Belinda Ma
TechNet Community Support -
I would like for the users middle initial or middle name to show in outlook 2010. I
can set it in the header meaning I see the middle initial when the email comes in but its not in the signature. I read a post about the middle name attribute has to be set in a/d? if that is the case please provide some feed back on how to accomplish that?
server 2008, a/d 2008In AD, the attribute name is "middleName". You can populate it in bulk using Powershell with
Set-ADUser cmdlet.
For Exchange questions, I would recommend asking them here: http://social.technet.microsoft.com/Forums/exchange/en-us/home?category=exchangeserver
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password
Maybe you are looking for
-
How can I hide early morning hours in iCal?
how can I hide early morning hours in ical??? i'm sleeping at those hours and i really don't need to see them. it would give me a lot more space to see what really matters if i could define myself what hours i would like ical to show. i saw an old po
-
We are trying to use jCOM to connect to our WL-App. (We had been using JIntegra before) I made a simple JCom-Helper identical to the one, delivered in the earlybound-sample. Trying to create an object in VB couses the server to say: <03.05.2002 15:11
-
Select/configure relevant hostname in cluster environment
The actual situation of my problem is more complex, but I will try to reduce it to the relevant part: I have a web service and a servlet running within a TomCat4 instance, which is controlled by HPServiceGuard. This means: the JVM of TomCat runs with
-
i want to install OS X 10.5 on my new MacBook Pro instead of 10.7 because of few applications, i want to ask is it possible and it wont create a problem?
-
hey guys recently downloaded this package http://aur.archlinux.org/packages.php?ID=22813 and installed the theme. i would like to edit the theme so that i get less of the horrid white buttons and then submit the fix to author here is the screenshot s