VSOM 7.0.1 LDAP Filter AD

Hello!
LDAP server settings are as follows: 
Name: SFC.LOCAL
Host Name: 192.168.104.252
port: 389
Member of: %USERID%@sfc.local
Database search for users: OU=Accounts,DC=sfc,DC=local
User ID attribute: sAMAccountName
How do I create a filter that selects users from a specific location in the AD hierarchy?
The users are located at:
OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local
I tried it like this:
search path: OU=Accounts,DC=sfc,DC=local
Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
Runtime Error: The user with the given name is not found in the LDAP filter by (&(sAMAccountName=drozdov.alexander)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
Could there be an error in the filter configuration?

Hello Alex,
Here is an example of the LDAP search filter configuration. Let me know if this helps.
• General Settings
Hostname: ds.cisco.com
Port: 389
Principal: %USERID%@cisco.com
User Search Base: ou=Cisco Users,dc=cisco,dc=com
Userid Attribute: sAMAccountName
• LDAP Search Filter:
Select a Cisco mailing list you are on from mailer.cisco.com, and substitute its name for <anyMailer> in the Filter below
Search Path: ou=Cisco Users,dc=cisco,dc=com
Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=<anyMailer>,OU=Mailer,OU=Cisco Groups,DC=cisco,DC=com))
Br,
Nadeem Ahmed

Similar Messages

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorizations always follow authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open Identity server console and check the attribute's Display Name and type in Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (in a slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the LDAP query
    2. Create a new Authz scheme with uniqueMember as userParameter; create a new Authz rule based on the new authz scheme; create a new Allow Access filter rule with the LDAP query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First... If your requirement is to give access to all the members of a particular group, then you don't require any LDAP filters.
    All you have to do is: in the authorization rule -> Allow Access -> Select People (here you have to select the group, so click on the group tab; it's a little hard to see but it's there in light blue on the dark blue tab) -> select the group you want to give access to.
    Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If it is the second option, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • LDAP Filter to exclude a sub OU?

    I have a need to exclude a sub OU from a search base. CUCM is LDAP integrated to Active Directory. The directory search base is basically OU=Users,DC=company,DC=local. There are a couple of OUs located under the Users container (OU=service, OU=special). A third party manages this company's AD and is not willing to make any changes to the structure. Does anyone have a suggestion for a filter that will work to filter out the users in OU=special? I have tried several things, but the ones I thought would work are:
    1. (&(objectClass=user)(!(OU=special))) - I have tried this with the full search base as well
    2. (!(&(objectClass=user)(OU=special)))
    Any help would be appreciated.

    Hi gpword,
    I don't think you can exclude a sub OU; at least I could never get it working.
    A few options you can use.
    1. Add all the users in the "Special" OU to a group and then exclude that group - I use this option and it works
    (&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=cn=GrouptoExclude,ou=XXXX,ou=XXXXX,DC=domain,DC=local)))
    2. As above you could utilise the ipPhone field and only sync users who have this set or only sync users who are a member of a particular group below
    (&(ipPhone=*)(objectclass=user)(memberOf=cn=USERStoSYNC,ou=XXXX,ou=XXXX,DC=domain,DC=local)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    The above examples also exclude disabled accounts and computer objects and include only users with the ipPhone field set.
    Thanks,

  • How to setup an LDAP filter in OpenDirectory

    Hello,
    I hope I am posting to the right forum.
    I have an existing central directory managed by LDAP.
    The users can authenticate against my LDAP server.
    In the LDAP directory, the users have a special attribute, making a list of machines and services they can or cannot access.
    How do I configure OpenDirectory to apply a filter to the LDAP records, so that only users with a given value (let's say "macosx") in a given attribute can authenticate?
    For example, on another machine (FreeBSD) I have the following in the pam_ldap configuration:
    nssbasepasswd ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=sambalogin
    where csimAccountPermission=sambalogin is the filter and only users with that key will be able to use samba service.
    TIA,
    Olivier

    Please try this forum; it's for OS X Server.
    http://discussions.apple.com/category.jspa?categoryID=96

  • Q: UCM Ldap filter not finding groups

    Hi There,
    I am setting up UCM and am having problems with group(roles) being set by the ldap provider.
    The user authorizes, but the LDAP search returns no groups.
    LDAP mapping of roles gives the following error every time...
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loaded extended info for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loading Attributes for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 UseFullGroupName false
    userstorage 09.03 10:06:59.807 IdcServerThread-34 UseGroupFilter true
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups containing user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Using search filter (&(objectclass=group)(member=CN\3ducm_user\2cOU\3dcityr\2cOU\3dUsers-Active\2cDC\3dabc\2cDC\3dcom))
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups based at DN ou=Users-Active,dc=abc,dc=com
    userstorage 09.03 10:06:59.904 IdcServerThread-34 No groups found for user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Adding default network account '#none" to CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Attributes loaded
    userstorage 09.03 10:06:59.905 IdcServerThread-34 LdapProvider.checkCredentials() finished in 0.182 seconds.
    Using a freeware ldap gui (ldapadmin.exe), I can run the query just fine, the groups are found.
    Has anyone seen this before?
    Thanks

    Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute.
    http://msdn.microsoft.com/en-us/library/ms677943.aspx
    That explains why the mapping fails for any Domain Users, as seen in the debugs.

  • LDAP - Filter on groups (iPlanet)

    We connected Weblogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
    Now we want to filter on the users being in one group (we are not interested in all users).
    With an ActiveDirectory LDAP Provider you can set at the All Users filter & User From Name filter:
    (&(sAMAccountName =*)(memberOf= CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
    With this filter in place, only users that are members of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to log in.
    Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
    The structure of this system is:
    GROUPS
    GRP OBIEE
    uniqueMember:MVL
    uniqueMember:DFG
    USERS
    uniqueMember: MVL
    The relation between users and groups is stored on group level.
    Does anyone know if this is possible and what the structure of the filter is?
    Thanks in advance.

    Have you already found a work around?
    Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
    Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
    (&(objectclass=customAccount)(!(objectclass=customSA*)))
    Good luck!

  • Jabber Windows - no phone control with LDAP Custom filter

    I am unable to control the desktop phone from the Jabber 9.1 Windows client when the CallManager LDAP Directory uses a Custom Filter.
    Has anyone else experienced this?
    If I set the LDAP Custom Filter to <none> and save, then Desktop Phone control works great.
    If I set it to use my custom filter, then trying to enable Desktop control just gives me the spinning circle, then times out to the Red X symbol.
    I do not need to resync the LDAP Directory to get the error, just enable/disable the custom filter and save.
    In both cases calling from the Computer works great.
    This is an On-Prem deployment with full MS-AD LDAP integration.
    Versions are:
    Jabber - 9.1.0 build 12296
    CUPC - 8.6.4.11900-1
    CUCM - 8.6.2.22900-9
    I upgraded to CUCM 8.6.2 SU2 last night hoping that would fix the problem, but no luck.
    The LDAP filter is one I have used in numerous other clusters with no CTI issues.
    It allows me to sync to the root directory, but only import active user accounts with an entry in the ipPhone AD attribute:
    (&((objectclass=user)(ipPhone=*))(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    Thanks, Randy

    Hi Randy,
    Have you specified this base filter in jabber-config.xml file? As per Admin Guide:
    "In some cases, base filters do not return query results if you specify a closing bracket in your Cisco Jabber for Windows configuration file. For example, this issue might occur if you specify the following base filter: (&(memberOf=CN=UCFilterGroup,OU=DN))
    To resolve this issue, remove the closing bracket; for example, (&(memberOf=CN=UCFilterGroup,OU=DN)"
    Thanks,
    Maqsood

  • LDAP Search filter Jabber for Android

    Hi,
    I have this LDAP Filter which only shows me active users:
    <BaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BaseFilter>
    I have the same line for Jabber for Android, but it doesn't work.
    <BDIBaseFilter>(&amp;(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    I get 0 results for any search on Jabber for Android. When I delete the "BDI" line for the filter altogether, then I get correct results - with photos and everything.
    I also tried a simple filter e.g:
    <BDIBaseFilter>(!UserAccountControl:1.2.840.113556.1.4.803:=2))</BDIBaseFilter>
    No search results either.
    Any ideas how to get Filter for Android working?
    Versions:
    Jabber for Android: 10.6
    CUCM: 9.1.2

    I think I found the corresponding messages in the log:
    csf.person.ldap: [LdapSearchQueryHandler.cpp(51)] [start] - reqId = 2
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1482)] [sendSearchQuery] -
    02-26 09:18:59.851 15477 15477 I csf.person.xmpp: [XMPPPersonRecordSource.cpp(268)] [fetchContacts] - Entering.
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1sath))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(147)] [pumpNext] -  pumpNext.executed (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15477 D services-dispatcher: [ServicesDispatcher.cpp(145)] [pumpNext] -  pumpNext.executing (ContactsAdapter::LoadContactsFromSource)
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 1, errcode = 9
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1531)] [sendSearchQuery] -  filter  = (&(objectclass=user)(objectcategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=at1hafr))), baseDN=OU=Organization,DC=at,DC=customer,DC=net
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1576)] [sendSearchQuery] - ldap search error. rc= -7 ,msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1675)] [notifyListenersSearchRequestCompleted] - errorCode=-7
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapDirectoryImpl.cpp(1258)] [mapErrorNo] - Code = -7, Msg=Bad search filter
    02-26 09:18:59.851 15477 15645 D csf.person.ldap: [LdapSearchQueryHandler.cpp(84)] [onSearchRequestCompleted] - reqId = 2, errcode = 9
    The next question is now: Why is it a bad search filter? And what is the correct one? The same filter works on jabber for windows...
    BR, Dave
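Two of the threads above turn on the same two properties of AD filters: the first poster's `memberOf=CN=SPK,...` names an OU as though it were a group (memberOf only ever holds group DNs, so the fix is to point the search path at the OU), and the Jabber for Android filter `(!UserAccountControl:...:=2)` omits the parentheses RFC 4515 requires around the operand of `!`, which a strict parser reports as a bad search filter. The Python below is an added example, not code from any post or from Cisco: a small RFC 4515 parser and evaluator run over a constructed two-user directory (the `CN=Staff` group, `other.user` and `OU=HQ` are made up) that reproduces the "user not found" result and the syntax rejection, and also decodes the `\3d`/`\2c` escapes seen in the UCM log.

```python
"""Minimal RFC 4515 LDAP filter parser and evaluator (added example, not from any post)."""
import re

AD_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as used in the filters above

class BadFilter(ValueError):
    """Raised for syntax a strict client rejects (cf. the Android 'Bad search filter' log)."""

def _unescape(value: str) -> str:
    # RFC 4515 \XX hex escapes, e.g. the \3d ('=') and \2c (',') seen in the UCM log above
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s: str):
    """Parse a whole filter string into a tuple tree; raise BadFilter on malformed input."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise BadFilter(f"trailing data at offset {pos}")
    return node

def _parse(s: str, i: int):
    if s[i:i + 1] != "(":
        raise BadFilter(f"expected '(' at offset {i}")
    i += 1
    c = s[i:i + 1]  # '' at end of input
    if c in ("&", "|"):
        kids, i = [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")":
            raise BadFilter(f"expected ')' at offset {i}")
        return (c, kids), i + 1
    if c == "!":
        # The operand of NOT must itself be parenthesised: (!(a=v)) is valid, (!a=v) is not.
        kid, i = _parse(s, i + 1)
        if s[i:i + 1] != ")":
            raise BadFilter(f"expected ')' at offset {i}")
        return ("!", [kid]), i + 1
    end = s.find(")", i)
    if c in ("(", "") or end < 0 or "=" not in s[i:end]:
        raise BadFilter(f"malformed item at offset {i}")
    attr, value = s[i:end].split("=", 1)  # split on the FIRST '=' so DN values stay intact
    value = _unescape(value)
    if attr.endswith(":"):  # extensible match: attr:ruleOID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr.lower(), rule, value), end + 1
    return ("eq", attr.lower(), value), end + 1

def matches(node, entry: dict) -> bool:
    """entry maps lowercase attribute names to lists of string values (plus 'dn')."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "eq":
        if node[2] == "*":  # presence filter, e.g. (ipPhone=*); substrings are not modelled
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)  # AD matches case-insensitively
    if kind == "ext" and node[2] == AD_BIT_AND:  # bitwise AND, e.g. disabled accounts (...:=2)
        return any(int(v) & int(node[3]) == int(node[3]) for v in values)
    raise BadFilter(f"unsupported matching rule {node[2]}")

def search(directory: list, base: str, filt: str) -> list:
    """Subtree search: DNs at or under `base` whose entry satisfies `filt`."""
    node, base = parse(filt), base.lower()
    return [e["dn"] for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base)) and matches(node, e)]

# Constructed sample directory laid out like the first thread's forest.
SPK_OU = "OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local"
ACCOUNTS = "OU=Accounts,DC=sfc,DC=local"
DIRECTORY = [
    {"dn": f"CN=drozdov.alexander,{SPK_OU}", "objectclass": ["top", "person", "user"],
     "samaccountname": ["drozdov.alexander"], "useraccountcontrol": ["512"],
     "memberof": ["CN=Staff,OU=Groups,DC=sfc,DC=local"]},  # group DN is constructed
    {"dn": f"CN=other.user,OU=HQ,OU=Offices,OU=Delegate,OU=Common,{ACCOUNTS}",
     "objectclass": ["top", "person", "user"], "samaccountname": ["other.user"],
     "useraccountcontrol": ["514"], "memberof": []},  # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
]

def posted_filter(userid: str) -> str:
    """The thread's filter: memberOf holds group DNs, and OU=SPK is a container, not a group."""
    return f"(&(sAMAccountName={userid})(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,{ACCOUNTS}))"

def scoped_lookup(userid: str) -> list:
    """Fix: point the search path at the OU itself and drop the memberOf clause."""
    return search(DIRECTORY, SPK_OU, f"(&(objectClass=user)(sAMAccountName={userid}))")

def is_valid(filt: str) -> bool:
    try:
        return parse(filt) is not None
    except BadFilter:
        return False
```

Against this directory `search(DIRECTORY, ACCOUNTS, posted_filter("drozdov.alexander"))` returns an empty list, which is the "user not found" result from the first thread, while `scoped_lookup("drozdov.alexander")` returns the user's DN.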

  • How to only synchronize one specific LDAP user group with SAP?

    Hi,
    Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configuring it in SAP using transactions SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, or role in SAP), or should this be done on the LDAP server side (or is it at all possible)?
    Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
    Thanks, Oscar

    We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
    E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
    Then we also have a constant for the LDAP_STARTING_POINT
    For our AD Group Initial Load we filter according to these settings:
    LDAP_FILTER_GROUPS = (objectclass=group)
    LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
    The above example only reads AD groups starting at the specified OU.
    Then in a Job From LDAP Pass the LDAP URL looks like this:
    LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
    I hope this helps
    Paul

  • Show Stopper today with eDirectory (LDAP)

    We are currently setting up Sun IDM 5.5 and are trying to do
    reconciliation with an eDirectory 8.6.2 (10350.29) but are experiencing
    severe performance issues. The directory contains groups with a large
    membership base, some groups having 25.000+ members.
    The same scenario occurs with Sun IDM 5.0 SP5.
    When isolating to a single OU as baseDN with 10 accounts, a full clean
    reconciliation takes 6-10 minutes. The network has been thoroughly
    debugged, and no errors or issues have been found. Manual browsing in the
    eDirectory with various LDAP tools works without any issues. The total case
    involves a total of 30.000+ accounts.
    A test with identical user data in a Sun Directory Server 5.2 takes approx. 2-3 seconds for the reconciliation.
    The eDirectory LDAP RA adapter can be viewed below. Any insight, or similar experiences are of great value and importance! Anything that can help me get this on track...
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Resource PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <!--  MemberObjectGroups="#ID#Top" hostname="130.243.85.109" id="#ID#F77594225BD088E0:775121:1065E88DBC9:-7FE5" name="NDS" startupType="Disabled" supportedObjectTypes="Group|Domain|Organization|Organizational Unit" supportsContainerObjectTypes="true" supportsScanning="false" syncEnabled="false" syncSource="true" type="LDAP"-->
    <Resource id='#ID#F77594225BD088E0:775121:1065E88DBC9:-7FE5' name='NDS' creator='Configurator' createDate='1126879507899' lastModifier='Configurator' lastModDate='1126886340268' lastMod='19' class='com.waveset.adapter.LDAPResourceAdapter' typeString='LDAP' typeDisplayString='com.waveset.adapter.RAMessages:RESTYPE_LDAP' hasId='true' facets='provision' timeLastExamined='0' reconcileTime='0' syncSource='true' startupType='Disabled'>
      <ResourceAttributes>
        <ResourceAttribute name='host' displayName='com.waveset.adapter.RAMessages:RESATTR_HOST' description='RESATTR_HELP_240' value='130.243.85.109'>
        </ResourceAttribute>
        <ResourceAttribute name='port' displayName='com.waveset.adapter.RAMessages:RESATTR_PORT' description='RESATTR_HELP_264' value='389'>
        </ResourceAttribute>
        <ResourceAttribute name='ssl' displayName='com.waveset.adapter.RAMessages:RESATTR_SSL' description='RESATTR_HELP_281' value='0'>
        </ResourceAttribute>
        <ResourceAttribute name='principal' displayName='com.waveset.adapter.RAMessages:RESATTR_USERDN' description='RESATTR_HELP_271' value='cn=admin,ou=nds,ou=res,o=mdh'>
        </ResourceAttribute>
        <ResourceAttribute name='credentials' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD' type='encrypted' description='RESATTR_HELP_219' value='izkkkM1YJto='>
        </ResourceAttribute>
        <ResourceAttribute name='baseContext' displayName='com.waveset.adapter.RAMessages:RESATTR_BASE_CTXS' description='com.waveset.adapter.RAMessages:RESATTR_BASE_CTX_DESC' multi='true' value='ou=06,ou=STUDENT,ou=ANV,o=mdh'>
        </ResourceAttribute>
        <ResourceAttribute name='Object Class' displayName='com.waveset.adapter.RAMessages:RESATTR_OBJECT_CLASS' description='RESATTR_HELP_253' multi='true'>
          <value>top</value>
          <value>person</value>
          <value>organizationalPerson</value>
          <value>inetorgperson</value>
          <value>ndsLoginProperties</value>
        </ResourceAttribute>
        <ResourceAttribute name='ldapSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_LDAP_SEARCH_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAP_SEARCH_FILTER'>
        </ResourceAttribute>
        <ResourceAttribute name='includeObjClassesInSearchFilter' displayName='com.waveset.adapter.RAMessages:RESATTR_INCL_OBJCLASSES_IN_SEARCH_FILTER' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_HELP_INCL_OBJCLASSES_IN_SEARCH_FILTER' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='wsname' displayName='com.waveset.adapter.RAMessages:RESATTR_WSNAME' description='RESATTR_HELP_292' value='cn'>
        </ResourceAttribute>
        <ResourceAttribute name='Display Name Attribute' displayName='com.waveset.adapter.RAMessages:RESATTR_DISPLAY_NAME_ATTR' description='RESATTR_HELP_41'>
        </ResourceAttribute>
        <ResourceAttribute name='Use blocks' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_BLOCKS' description='RESATTR_HELP_192' value='1'>
        </ResourceAttribute>
        <ResourceAttribute name='blockCount' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKCOUNT' description='RESATTR_HELP_34' value='100'>
        </ResourceAttribute>
        <ResourceAttribute name='groupMemberAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_GRP_MBR_ATTR' description='RESATTR_HELP_233' value='groupMembership'>
        </ResourceAttribute>
        <ResourceAttribute name='Password Hash Algorithm' displayName='com.waveset.adapter.RAMessages:RESATTR_PASSWORD_HASH_ALG' description='RESATTR_HELP_49'>
        </ResourceAttribute>
        <ResourceAttribute name='changeNamingAttr' displayName='com.waveset.adapter.RAMessages:RESATTR_MOD_NAMING_ATTR' description='RESATTR_HELP_47' value='0'>
        </ResourceAttribute>
        <ResourceAttribute name='Object Classes to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_OBJECT_CLASSES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_OBJECT_CLASSES' multi='true' facets='activesync'>
          <value>person</value>
          <value>organizationalPerson</value>
          <value>inetorgperson</value>
        </ResourceAttribute>
        <ResourceAttribute name='LDAP Filter for Accounts to Synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ACTIVE_SYNC_LDAP_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ACTIVE_SYNC_LDAP_FILTER' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='Attributes to synchronize' displayName='com.waveset.adapter.RAMessages:RESATTR_ATTRIBUTE_FILTER' description='com.waveset.adapter.RAMessages:RESATTR_HELP_ATTRIBUTE_FILTER' multi='true' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='When reset, ignore past changes' displayName='com.waveset.adapter.RAMessages:RESATTR_RESET_TO_TODAY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_LDAPAS_RESET_TO_TODAY' facets='activesync' value='1'>
        </ResourceAttribute>
        <ResourceAttribute name='Change Log Blocksize' displayName='com.waveset.adapter.RAMessages:RESATTR_BLOCKSIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_36' facets='activesync' value='100'>
        </ResourceAttribute>
        <ResourceAttribute name='Change Number Attribute Name' displayName='com.waveset.adapter.RAMessages:RESATTR_CHANGE_NUMBER_ATTRIBUTE_NAME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_37' facets='activesync' value='changenumber'>
        </ResourceAttribute>
        <ResourceAttribute name='Filter Changes Made By' displayName='com.waveset.adapter.RAMessages:RESATTR_FILTER_CHANGES_BY' description='com.waveset.adapter.RAMessages:RESATTR_HELP_FILTER_CHANGES_BY' multi='true' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='Proxy Administrator' displayName='com.waveset.adapter.RAMessages:RESATTR_PROXY_ADMINISTRATOR' description='com.waveset.adapter.RAMessages:RESATTR_HELP_30' value='Configurator'>
        </ResourceAttribute>
        <ResourceAttribute name='Input Form' displayName='com.waveset.adapter.RAMessages:RESATTR_FORM' description='com.waveset.adapter.RAMessages:RESATTR_HELP_26'>
        </ResourceAttribute>
        <ResourceAttribute name='Pre-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_PREPOLL_WORKFLOW_HELP'>
        </ResourceAttribute>
        <ResourceAttribute name='Post-Poll Workflow' displayName='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW' description='com.waveset.adapter.RAMessages:RESATTR_POSTPOLL_WORKFLOW_HELP'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Archives' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_ARCHIVES' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_ARCHIVES' value='3'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Age Length' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Age Unit' displayName='com.waveset.adapter.RAMessages:RESATTR_MAX_LOG_AGE_UNIT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_MAX_LOG_AGE_UNIT'>
        </ResourceAttribute>
        <ResourceAttribute name='Log Level' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_LEVEL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_27' value='2'>
        </ResourceAttribute>
        <ResourceAttribute name='Log File Path' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_PATH' description='com.waveset.adapter.RAMessages:RESATTR_HELP_28'>
        </ResourceAttribute>
        <ResourceAttribute name='Maximum Log File Size' displayName='com.waveset.adapter.RAMessages:RESATTR_LOG_SIZE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_29'>
        </ResourceAttribute>
        <ResourceAttribute name='Scheduling Interval' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL' description='com.waveset.adapter.RAMessages:RESATTR_HELP_51'>
        </ResourceAttribute>
        <ResourceAttribute name='Poll Every' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_INTERVAL_COUNT' description='com.waveset.adapter.RAMessages:RESATTR_HELP_52'>
        </ResourceAttribute>
        <ResourceAttribute name='Polling Start Time' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_TIME' description='com.waveset.adapter.RAMessages:RESATTR_HELP_56'>
        </ResourceAttribute>
        <ResourceAttribute name='Polling Start Date' displayName='com.waveset.adapter.RAMessages:RESATTR_SCHEDULE_START_DATE' description='com.waveset.adapter.RAMessages:RESATTR_HELP_54'>
        </ResourceAttribute>
        <ResourceAttribute name='useInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM' type='boolean' description='com.waveset.adapter.RAMessages:RESATTR_USE_INPUT_FORM_HELP' facets='activesync' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='parameterizedInputForm' displayName='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM' description='com.waveset.adapter.RAMessages:RESATTR_PARAMETERIZED_INPUT_FORM_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='activeSyncPostProcessForm' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_POST_PROCESS_FORM_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='activeSyncConfigMode' displayName='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE' description='com.waveset.adapter.RAMessages:RESATTR_SYNC_CONFIG_MODE_HELP' facets='activesync' value='basic'>
        </ResourceAttribute>
        <ResourceAttribute name='processRule' displayName='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_PROCESS_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='correlationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CORRELATION_RULE_HELP' facets='activesync' value='CORRELATION_RULE_NONE'>
        </ResourceAttribute>
        <ResourceAttribute name='confirmationRule' displayName='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE' description='com.waveset.adapter.RAMessages:RESATTR_CONFIRMATION_RULE_HELP' facets='activesync' value='CONFIRMATION_RULE_NONE'>
        </ResourceAttribute>
        <ResourceAttribute name='deleteRule' displayName='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE' description='com.waveset.adapter.RAMessages:RESATTR_DELETE_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='createUnmatched' displayName='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED' description='com.waveset.adapter.RAMessages:RESATTR_CREATE_UNMATCHED_HELP' facets='activesync' value='true'>
        </ResourceAttribute>
        <ResourceAttribute name='resolveProcessRule' displayName='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE' description='com.waveset.adapter.RAMessages:RESATTR_RESOLVE_PROCESS_RULE_HELP' facets='activesync'>
        </ResourceAttribute>
        <ResourceAttribute name='populateGlobal' displayName='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL' description='com.waveset.adapter.RAMessages:RESATTR_POPULATE_GLOBAL_HELP' facets='activesync' value='false'>
        </ResourceAttribute>
      </ResourceAttributes>
      <AccountAttributeTypes nextId='15'>
        <AccountAttributeType id='2' name='accountId' syntax='string' mapName='cn' mapType='string' required='true'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='3' name='password' syntax='encrypted' mapName='userPassword' mapType='string'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:password' name='password'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='4' name='firstname' syntax='string' mapName='givenname' mapType='string'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:firstname' name='firstname'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='5' name='lastname' syntax='string' mapName='sn' mapType='string' required='true'>
          <AttributeDefinitionRef>
            <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:lastname' name='lastname'/>
          </AttributeDefinitionRef>
        </AccountAttributeType>
        <AccountAttributeType id='8' name='loginDisabled' syntax='string' mapName='loginDisabled' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='9' name='fullname' syntax='string' mapName='fullname' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='10' name='email' syntax='string' mapName='mail' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='11' name='ssn' syntax='string' mapName='workforceId' mapType='string'>
        </AccountAttributeType>
        <AccountAttributeType id='12' name='description' syntax='string' mapName='description' mapType='string'>
        </AccountAttributeType>
      </AccountAttributeTypes>
      <Template>
        <text>cn=</text>
        <ObjectRef type='AttributeDefinition' id='#ID#AttributeDefinition:accountId' name='accountId'/>
        <text>,ou=06,ou=STUDENT,ou=ANV,o=mdh</text>
      </Template>
      <Retries max='0' delay='10' emailThreshold='5'/>
      <ObjectTypes>
        <ObjectType name='Group' nameKey='UI_RESOURCE_OBJECT_TYPE_GROUP' icon='group'>
          <ObjectClasses primary='groupOfUniqueNames' operator='OR'>
            <ObjectClass name='groupOfNames'/>
            <ObjectClass name='groupOfUniqueNames'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='update'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description' objectClassAttr='objectclass'>
            <ObjectAttribute name='cn' type='string'/>
            <ObjectAttribute name='description' type='string'/>
            <ObjectAttribute name='owner' type='distinguishedname' namingAttr='cn'/>
            <ObjectAttribute name='uniqueMember' type='distinguishedname' namingAttr='cn'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Domain' nameKey='UI_RESOURCE_OBJECT_TYPE_DOMAIN' icon='folder' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='domain'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='distinguishedName' displayNameAttr='dc' objectClassAttr='objectclass'>
            <ObjectAttribute name='dc' type='string'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Organization' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATION' icon='folder_with_org' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='organization'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='o' objectClassAttr='objectclass'>
            <ObjectAttribute name='o' type='string'/>
          </ObjectAttributes>
        </ObjectType>
        <ObjectType name='Organizational Unit' nameKey='UI_RESOURCE_OBJECT_TYPE_ORGANIZATIONALUNIT' icon='folder_with_orgunit' container='true'>
          <ObjectClasses operator='AND'>
            <ObjectClass name='organizationalUnit'/>
          </ObjectClasses>
          <ObjectFeatures>
            <ObjectFeature name='create'/>
            <ObjectFeature name='delete'/>
            <ObjectFeature name='rename'/>
            <ObjectFeature name='saveas'/>
            <ObjectFeature name='find'/>
          </ObjectFeatures>
          <ObjectAttributes idAttr='dn' displayNameAttr='ou' objectClassAttr='objectclass'>
            <ObjectAttribute name='ou' type='string'/>
          </ObjectAttributes>
        </ObjectType>
      </ObjectTypes>
        <LoginConfigEntry name='com.waveset.security.authn.WSResourceLoginModule' type='LDAP' displayName='com.waveset.adapter.RAMessages:RES_LOGIN_MOD_LDAP'>
          <AuthnProperties>
            <AuthnProperty name='ldap_uid' displayName='com.waveset.adapter.RAMessages:UI_USERID_LABEL' isId='true' formFieldType='text' dataSource='user'/>
            <AuthnProperty name='ldap_password' displayName='com.waveset.adapter.RAMessages:UI_PWD_LABEL' formFieldType='password' dataSource='user'/>
          </AuthnProperties>
          <SupportedApplications>
            <SupportedApplication name='Administrator Interface'/>
            <SupportedApplication name='User Interface'/>
          </SupportedApplications>
        </LoginConfigEntry>
        <ResourceUserForm>
          <ObjectRef type='UserForm' id='#ID#LDAP User Form'/>
        </ResourceUserForm>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </resource>

    few questions....are you getting any errors on the ldap side? object class errors perhaps?
    what app server are you using and what version of java?
    --Dana Reed

  • How to filter disabled accounts out of Dynamic Distribution Groups/Lists?

    As far as I understand it, OPATH does not support bitwise and/or flags, so excluding disabled accounts from dynamic distribution lists is impossible, unless I am missing something super simple.
    Many have found what they believe to be a valid solution by using -not(UserAccountControl -eq 'AccountDisabled, NormalAccount') in their filter, but this only equates to "anything NOT with a UserAccountControl value of 514 (integer)".  Simply adding "password does not expire" option on the account breaks that filter even if the account is disabled.
    Further, it appears anytime you create an OPATH filter, Exchange does create an LDAP equivalent filter that can be read, however it seems you cannot directly edit the LDAPRecipientFilter.  If I could, I could put in the necessary bitwise operation needed for this, e.g.  (!UserAccountControl:1.2.840.113556.1.4.803:=2), but it doesn't seem possible.
    Unfortunately I cannot rely on the ExchangeUserAccountControl flag as that relates to just hiding from Address Lists, and I have disabled accounts that need to be in the GAL.  Further I have active mailboxes for disabled AD accounts so I cannot use IsMailboxDisabled.
    Is this by design?  If so I don't understand why.  Are there any options (even with Exchange 2013)?

    Hi Simon.  Thanks for your response.
    I'm not sure what additional information I can provide that I have not already regarding my suggestion/requirement, short of re-stating my original query.
    With Exchange 2003, we could simply exclude disabled accounts from dynamic distribution lists via the use of an LDAP filter that used bitwise logic against the UserAccountControl attribute, e.g.
    (!UserAccountControl:1.2.840.113556.1.4.803:=2)
    With Exchange 2007, direct LDAP queries were deprecated in favor of OPATH.  Unfortunately as a result, we can no longer filter out disabled accounts because OPATH does not support bitwise logic -xor -xand, etc.  Because of this we can no longer effectively use the UserAccountControl flags to exclude disabled accounts.  We can use this attribute by specifying explicit combinations of flags, e.g.
    UserAccountControl -ne 'AccountDisabled, NormalAccount'
    But because this attribute is a culmination of bits representing many different account options, there are a large number of combinations of values that could include Disabled Accounts whereby a filter such as above would NOT work.  E.g. simply adding an option to not expire the password on the account renders the filter above invalid.
    Currently our only option is to use workarounds which are not very effective (e.g. using a different attribute to store information about disabled accounts and filter on that instead).  As accounts can be disabled simply with a right-click in ADUC, enforcing the use of an additional attribute is not effective.
    I would like to understand why OPATH excludes this functionality, e.g. is it a design decision?  Or is it simply an oversight?  Further I'd like to see this functionality added.
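As an added illustration of the point this thread makes (example code, not from the posts, from Exchange or from Microsoft): the OPATH comparison `UserAccountControl -ne 'AccountDisabled, NormalAccount'` compares the whole integer 514, whereas the LDAP matching rule `1.2.840.113556.1.4.803` tests individual bits. The bit values are the standard userAccountControl flag bits; the two flag names are the ones the thread uses, `DontExpirePassword` is this example's own label for the 0x10000 ("password never expires") bit, and the sample accounts are constructed.

```python
"""userAccountControl: integer equality vs. the LDAP bitwise-AND matching rule.

Added example, not Exchange or thread code. Shows why an OPATH '-ne 514'
filter lets disabled accounts through as soon as any other bit is set, while
the LDAP extensible match on bit 0x2 does not.
"""

# Standard userAccountControl bits. The first two names are the ones used in
# the thread; DontExpirePassword is an assumed label for the 0x10000 bit.
UAC_FLAGS = {
    "AccountDisabled": 0x0002,
    "NormalAccount": 0x0200,
    "DontExpirePassword": 0x10000,
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def flags_to_int(flag_list):
    """'AccountDisabled, NormalAccount' -> 514: the single integer that an
    OPATH equality/inequality against that flag string really compares."""
    return sum(UAC_FLAGS[name.strip()] for name in flag_list.split(","))


def opath_not_equal(uac, excluded_value):
    """OPATH 'UserAccountControl -ne <value>': plain integer comparison."""
    return uac != excluded_value


def bit_and_match(uac, mask):
    """LDAP 'userAccountControl:1.2.840.113556.1.4.803:=mask' is true when
    every bit of mask is set in the attribute value."""
    return (uac & mask) == mask


def is_disabled(uac):
    return bit_and_match(uac, UAC_FLAGS["AccountDisabled"])


def bitwise_filter_string(mask):
    """RFC 4515 form of the exclusion filter (the thread writes it without
    the inner parentheses; servers expect '(!(...))')."""
    return f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))"


# Constructed sample accounts: name -> userAccountControl value.
ACCOUNTS = {
    "enabled": UAC_FLAGS["NormalAccount"],
    "disabled": UAC_FLAGS["NormalAccount"] | UAC_FLAGS["AccountDisabled"],
    "enabled_pwd_never_exp": UAC_FLAGS["NormalAccount"] | UAC_FLAGS["DontExpirePassword"],
    "disabled_pwd_never_exp": (UAC_FLAGS["NormalAccount"] | UAC_FLAGS["AccountDisabled"]
                               | UAC_FLAGS["DontExpirePassword"]),
}


def members_by_equality(accounts, excluded_flags="AccountDisabled, NormalAccount"):
    """Names an OPATH '-ne <flags>' filter would keep in the list."""
    excluded = flags_to_int(excluded_flags)
    return sorted(n for n, uac in accounts.items() if opath_not_equal(uac, excluded))


def members_by_bitwise(accounts):
    """Names the LDAP '(!(userAccountControl:...:=2))' filter would keep."""
    return sorted(n for n, uac in accounts.items() if not is_disabled(uac))


def leaked_disabled(accounts):
    """Disabled accounts that the equality filter fails to exclude."""
    return sorted(n for n in members_by_equality(accounts) if is_disabled(accounts[n]))


if __name__ == "__main__":
    print("equality keeps:", members_by_equality(ACCOUNTS))
    print("bitwise keeps: ", members_by_bitwise(ACCOUNTS))
    print("leaked:        ", leaked_disabled(ACCOUNTS))
    print(bitwise_filter_string(UAC_FLAGS["AccountDisabled"]))
```

Running it shows the case the thread describes: the account with both AccountDisabled and the never-expires bit has value 66050, so `-ne 514` keeps it, while the bit test on 0x2 excludes it regardless of which other bits are set.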

  • Sun LDAP to IDM synchronization issue

    Hello friends, I am trying to synchronize all the new accounts created in sun LDAP to IDM. It runs every 10 minutes as configured but does not pick the new user from LDAP. Here is the brief configuration detail.
    (1) I have switched on the "Retro Plugin" for LDAP and found the changes are getting logged. The sample entry of the change log looks like :-
    dn: changenumber=665,cn=changelog
    objectClass: top
    objectClass: changelogentry
    changeNumber: 665
    targetDn: uid=zorouser7,ou=people,ou=appuser,dc=educ,dc=mde
    changeTime: 20090518211551Z
    changeType: modify
    changes:: cmVwbGFjZTogb2JwYXNzd29yZGNoYW5nZWZsYWcKb2JwYXNzd29yZGNoYW5nZWZsYWc6IGZhbHNlCi0KcmVwbGFjZTogb2JwYXNzd29yZGNyZWF0aW9uZGF0ZQpvYnBhc3N3b3JkY3JlYXRpb25kYXRlOiAyMDA5LTA1LTE4VDIxOjE1OjUwWgotCnJlcGxhY2U6IG1vZGlmaWVyc05hbWUKbW9kaWZpZXJzTmFtZTogY249b2JsaXgKLQpyZXBsYWNlOiBtb2RpZnlUaW1lc3RhbXAKbW9kaW
    Z5VGltZXN0YW1wOiAyMDA5MDUxODIxMTU1MFoKLQoA
    creatorsname: cn=Retro Changelog Plugin,cn=plugins,cn=config
    modifiersname: cn=Retro Changelog Plugin,cn=plugins,cn=config
    createtimestamp: 20090518211551Z
    modifytimestamp: 20090518211551Z
    nsuniqueid: 081d2284-1dd211b2-80b380e1-7558dd15
    parentid: 1
    entryid: 666
    entrydn: changenumber=665,cn=changelog
    numsubordinates: 0
    subschemasubentry: cn=schema
    hassubordinates: FALSE
    (2) Here is my synchronization policy for LDAP resource :-
    o Object class to synchronize : inetorgperson mdeUser mdeAuthZ OblixPersonPwdPolicy OblixOrgPerson (the last four are custom object classes)
    o Ldap Filter for account synchronize : objectClass=inetOrgPerson
    o Attributes to synchronize : uid userPassword givenName sn cn mail telephoneNumber objectClass mdeApplicationId mdeRoleId
    o change log block size : 100
    o Change Number Attribute Name : 665
    o Proxy Administrator : Configurator
    o Input form : Tabbed : User Form
    o Create Unmatched Accounts : yes
    o Assign source resource on create events : yes
    (3) The IDM log for synchronization shows the following detail for each polling :-
    2009-05-18T17:20:00.069-0500: Pause completed
    2009-05-18T17:20:00.131-0500: Polling
    2009-05-18T17:20:00.209-0500: Start of poll - lastUpdated = {changenumber=266}
    2009-05-18T17:20:00.209-0500: buildSearchParams:BEGIN
    2009-05-18T17:20:00.209-0500: Block Size: 100
    2009-05-18T17:20:00.209-0500: Change Number Attribute Name: 665
    2009-05-18T17:20:00.209-0500: Searching for: (&(665>=267)(665<=366))
    2009-05-18T17:20:00.209-0500: Search attributes: [targetdn, changetype, changes, changetime, changenumber, newrdn, deleteoldrdn, newsuperior]
    2009-05-18T17:20:00.225-0500: buildSearchParams:END
    2009-05-18T17:20:00.240-0500: End of poll - lastUpdated = {changenumber=266}
    2009-05-18T17:20:00.240-0500: Poll complete.
    2009-05-18T17:20:00.240-0500: SARunner: loop 1
    2009-05-18T17:20:00.272-0500: Started, paused until Mon May 18 17:30:00 CDT 2009
    Please help .....
    - Kabi
    Edited by: kpp on May 18, 2009 5:21 PM
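An added example (not Sun IDM or Sun DS code) that parses the changelog entry quoted in the post above and builds the range filter the Active Sync poller issues. The entry text, the block size 100 and the lastUpdated value 266 are taken from the post; the LDIF parser, the filter builder and the function names are this example's own. Note that the log line `Searching for: (&(665>=267)(665<=366))` substitutes the configured "Change Number Attribute Name" literally into the filter, while the entry carries its sequence number in the attribute `changeNumber`; the example builds both filters so the difference is visible.

```python
"""Parse a Sun DS retro-changelog entry and build the Active Sync poll filter.

Added example, not Sun IDM code. The entry below is the one quoted in the
thread; its 'changes::' value is base64 and wraps onto an LDIF continuation
line (leading space).
"""
import base64
from collections import defaultdict

CHANGELOG_ENTRY = """\
dn: changenumber=665,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 665
targetDn: uid=zorouser7,ou=people,ou=appuser,dc=educ,dc=mde
changeTime: 20090518211551Z
changeType: modify
changes:: cmVwbGFjZTogb2JwYXNzd29yZGNoYW5nZWZsYWcKb2JwYXNzd29yZGNoYW5nZWZsYWc6IGZhbHNlCi0KcmVwbGFjZTogb2JwYXNzd29yZGNyZWF0aW9uZGF0ZQpvYnBhc3N3b3JkY3JlYXRpb25kYXRlOiAyMDA5LTA1LTE4VDIxOjE1OjUwWgotCnJlcGxhY2U6IG1vZGlmaWVyc05hbWUKbW9kaWZpZXJzTmFtZTogY249b2JsaXgKLQpyZXBsYWNlOiBtb2RpZnlUaW1lc3RhbXAKbW9kaW
 Z5VGltZXN0YW1wOiAyMDA5MDUxODIxMTU1MFoKLQoA
"""

MOD_OPS = ("add", "delete", "replace")


def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF entry: unfolds continuation
    lines and decodes 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>'
            b64 = value[1:].strip()
            b64 += "=" * (-len(b64) % 4)       # tolerate stripped padding
            value = base64.b64decode(b64).decode("utf-8", "replace").rstrip("\0")
        else:
            value = value.strip()
        entry[attr.strip()].append(value)
    return dict(entry)


def modify_ops(changes):
    """(op, attribute) pairs from an LDIF modify body such as the decoded
    'changes' value; value lines and '-' separators are skipped."""
    ops = []
    for line in changes.splitlines():
        op, sep, attr = line.partition(":")
        if sep and op in MOD_OPS:
            ops.append((op, attr.strip()))
    return ops


def build_poll_filter(change_number_attr, last_change, block_size):
    """Range filter for the next block of change numbers after last_change."""
    return (f"(&({change_number_attr}>={last_change + 1})"
            f"({change_number_attr}<={last_change + block_size}))")


def entry_matches_window(entry, change_number_attr, last_change, block_size):
    """Would this entry be returned by the search build_poll_filter describes?
    False when the entry has no attribute of that name at all."""
    values = entry.get(change_number_attr)
    if not values:
        return False
    n = int(values[0])
    return last_change < n <= last_change + block_size


if __name__ == "__main__":
    e = parse_ldif_entry(CHANGELOG_ENTRY)
    print(e["changeType"], e["changeNumber"], modify_ops(e["changes"][0]))
    print(build_poll_filter("changeNumber", 266, 100))
    print(build_poll_filter("665", 266, 100))   # the filter seen in the IDM log
```

Decoding the `changes` value also shows what change 665 actually is: four `replace` operations on password-policy and timestamp attributes made by cn=oblix, not an `add` of a new inetOrgPerson entry.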

    Maybe something like this. Keep in mind, your LDAP may have specific rules for what really constitutes a Create, Update, or Delete.
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Configuration name='LDAP Active Sync Form' wstype='UserForm'>
         <Extension>
               <Form name='LDAP Active Sync Form' objectLocationID='objectType=UserForm&amp;objectName=LDAP+Active+Sync+Form&amp;objectPath=0&amp;isBegin=true'>
                   <Field name='IAPI.cancel'>
                        <Expansion>
                             <s>true</s>
                        </Expansion>
                        <Disable>
                             <isnull>
                                  <select>
                                       <ref>activeSync.changedAttributes.accountType</ref>
                                       <ref>activeSync.accountType</ref>
                                  </select>
                             </isnull>
                        </Disable>
                   </Field>
                   <Field name='password.password'>
                        <Expansion>
                              <s>TestPassword1</s>
                        </Expansion>
                   </Field>
                   <Field name='waveset.accountId'>
                        <Expansion>
                             <ref>activeSync.accountId</ref>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <upcase>
                                       <s>create</s>
                                  </upcase>
                             </neq>
                        </Disable>
                   </Field>
                   <Field name='waveset.resources'>
                        <Expansion>
                             <list>
                                  <s>LDAP_RESOURCE_NAME</s>
                             </list>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <upcase>
                                       <s>create</s>
                                  </upcase>
                             </neq>
                        </Disable>
                   </Field>
                   <Field name='waveset.organization'>
                        <Expansion>
                             <s>Top:Something</s>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <upcase>
                                       <s>create</s>
                                  </upcase>
                             </neq>
                        </Disable>
                   </Field>
                   <Field name='accounts[Lighthouse].email'>
                        <Expansion>
                             <ref>activeSync.mail</ref>
                        </Expansion>
                   </Field>
                   <Field name='global.idmManager'>
                        <Expansion>
                             <ref>activeSync.supervisor</ref>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <upcase>
                                       <s>create</s>
                                  </upcase>
                             </neq>
                        </Disable>
                   </Field>
                   <Field name='waveset.idmManager'>
                        <Expansion>
                             <ref>global.idmManager</ref>
                        </Expansion>
                        <Disable>
                             <neq>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <upcase>
                                       <s>create</s>
                                  </upcase>
                             </neq>
                        </Disable>
                   </Field>
                   <Field name='viewOptions.Process'>
                        <Expansion>
                             <switch>
                                  <upcase>
                                       <ref>feedOp</ref>
                                  </upcase>
                                  <case>
                                       <s>CREATE</s>
                                       <s>Active Sync Create User Workflow</s>
                                  </case>
                                  <case>
                                       <s>UPDATE</s>
                                       <s>Active Sync Update User Workflow</s>
                                  </case>
                                  <case>
                                       <s>DELETE</s>
                                       <s>Active Sync Disable User Workflow</s>
                                  </case>
                                  <case default='true'>
                                       <null/>
                                  </case>
                             </switch>
                        </Expansion>
                   </Field>
              </Form>
         </Extension>
         <MemberObjectGroups>
              <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
         </MemberObjectGroups>
    </Configuration>

  • Partial Reconciliation - Problem with Search Filter

    Hi All,
    I'm trying to do a partial reconciliation and am getting this error:
    INFO [ACTIVEDIRECTORY] ActiveDirectoryRecon/performReconciliation
    INFO [ACTIVEDIRECTORY] Search Filter (&(&(objectclass=user)(whenChanged>=20100312190553.0Z))(((&((objectclass=user)())(sn=Test)))))
    ERROR [ACTIVEDIRECTORY] Error during search : javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'dc=dinghy,dc=hal,dc=test'
    INFO [STDOUT] javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'dc=dinghy,dc=hal,dc=test'
    INFO [STDOUT] at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:305)
    Missing equals??? This is what I entered as the query filter:
    (&(objectclass=user)(sn=Test))
    I just want to do it on a user whose last name is Test. I took the query straight out of the documentation.
    I'm using an older adapter, 9.0.4, so they had me add this in the CustomizedReconQuery property of ITResource. The documentation also states:
    The CustomizedReconQuery attribute is used in conjunction with the
    isNativeQuery attribute. You use the isNativeQuery attribute to specify whether
    or not the query condition is in the native format.
    But I don't see a isNativeQuery property in either the ITResource or the Scheduled Task. I'm guessing that's not the issue anyway.
    Anyone see any obvious issue I'm missing?
    Thank you so much
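An added example (not OIM or connector code) of checking a search filter's syntax before it is sent, using the two filters quoted in the post above: the one entered in CustomizedReconQuery and the composed one from the log. The small RFC 4515 parser and its error messages are this example's own; it reports the first problem with its offset instead of the directory's generic "Missing 'equals'".

```python
"""Syntax check for LDAP search filters (RFC 4515) before sending them.

Added example, not OIM code. parse() turns a filter into a small tree or
raises FilterSyntaxError with the offset of the first problem; check() wraps
it for use from configuration validation code.
"""
import re

# Filters quoted in the thread: what was entered, and what the connector sent.
INTENDED_FILTER = "(&(objectclass=user)(sn=Test))"
COMPOSED_FILTER = ("(&(&(objectclass=user)(whenChanged>=20100312190553.0Z))"
                   "(((&((objectclass=user)())(sn=Test)))))")


class FilterSyntaxError(ValueError):
    """First syntax problem found, with its character offset."""


# attr [':dn'] [':' matchingRule] ':'  op  value     (op is one of = ~= >= <=)
_ITEM = re.compile(
    r"^([A-Za-z][A-Za-z0-9;.\-]*|[0-9]+(?:\.[0-9]+)+)"   # attribute or numeric OID
    r"((?::dn)?(?::[A-Za-z0-9.\-]+)?:)?"                # optional extensible-match part
    r"(=|~=|>=|<=)(.*)$"
)


def parse(text):
    """Return ('&'|'|'|'!', [children]) or ('item', attr, rule, op, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"offset {pos}: unexpected trailing text {text[pos:]!r}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"offset {pos}: expected '('")
    pos += 1
    if pos >= len(text):
        raise FilterSyntaxError(f"offset {pos}: unterminated filter")
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"offset {pos}: '{op}' has no operands")
        if op == "!" and len(children) != 1:
            raise FilterSyntaxError(f"offset {pos}: '!' takes exactly one operand")
        node = (op, children)
    elif op == "(":
        raise FilterSyntaxError(f"offset {pos}: nested filter without a leading &, | or !")
    elif op == ")":
        raise FilterSyntaxError(f"offset {pos}: empty filter '()'")
    else:
        # A simple item: values may not contain an unescaped ')' (RFC 4515).
        end = text.find(")", pos)
        if end == -1:
            raise FilterSyntaxError(f"offset {pos}: missing ')'")
        item = text[pos:end]
        m = _ITEM.match(item)
        if not m:
            raise FilterSyntaxError(f"offset {pos}: item {item!r} is not attr<op>value")
        attr, ext, cmp_op, value = m.groups()
        node = ("item", attr, (ext or "").strip(":"), cmp_op, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"offset {pos}: expected ')'")
    return node, pos + 1


def check(text):
    """(True, 'ok') when the filter parses, else (False, reason)."""
    try:
        parse(text)
        return True, "ok"
    except FilterSyntaxError as e:
        return False, str(e)


if __name__ == "__main__":
    print("entered :", check(INTENDED_FILTER))
    print("composed:", check(COMPOSED_FILTER))
```

On the composed filter the checker stops at the first of the three bare `(` that open a group without an operator, and it flags the empty `()` separately, which is what makes the wrapped filter unparseable even though the entered `(&(objectclass=user)(sn=Test))` is valid on its own.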

    I have a flat file recon process that I believe is my trusted source and this Updates or Creates OIM users. I just want only certain users to update to AD.. only ones where OIM.EmployeeID = AD.EmployeeID.
    I got all the pieces together, except that all my OIM users have no EmployeeID, so I want to do a one time reconciliation from AD to get the AD.EmployeeID property into OIM.
    Since my ProcessForm's Employee ID field is being populated correctly from Reconciliation, I thought I could take that value and put it in the User form with a "Employee ID Updated" task, but that, for some reason, doesn't trigger as an update from Reconciliation, works when I click Save tho. I guess it's not meant to work that way.
    I've never heard of Entity Adapters, but I'll look into it now.
    Thanks much
    Alex
    EDIT - OK, so I see Entity is a type of Adapter.... how do I call this adapter? Do I make a process task that calls it? Do I do it as above and name it "MYFILED Updated", or do something else?
    Edited by: alecks29 on Mar 17, 2010 3:04 PM
