X.509 PKI LDAP Schema for OID

Hi,
My question is about the availability of an X.509 PKI LDAP schema for OID. Does anyone know if it is possible to import an already predefined schema into OID?
Is it necessary to follow RFC2587 and define the schema by hand?
Any response and advice appreciated.
Petr
P.S.
I am quite new to the area of OID, so some of my questions may seem incomprehensible.

Hello Petr:
You most certainly can load your own custom schema items into OID. A few things to keep in mind when you do this:
Make sure you load the attributes first.
Then your objectclasses.
Then your catalog/indexes, if you have any.
Then load your directory entries.
And last, load any ACIs you may have.
If you give me a few of your schema definitions I would be happy to give you an example of how to do this.
There are many PKI vendors out there and not all of them store certificates the same way. Some use standard schema attributes and others add their own custom attributes.
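The load order from the reply above (attributes before object classes), applied to the schema part of a load. This is an added example, not code from the thread or from Oracle. The `example*` names, the OIDs under the documentation arc 1.3.6.1.4.1.32473 and the default `cn=subschemasubentry` DN are assumptions; read the real DN from the `subschemaSubentry` attribute of your server's root DSE.

```python
import re

# Constructed sample input, deliberately listed in the wrong order. OIDs use the
# documentation enterprise number 32473 (RFC 5612); every "example*" name is
# hypothetical. userCertificate is the standard X.509 certificate attribute.
SAMPLE_DEFS = [
    "objectClasses: ( 1.3.6.1.4.1.32473.1.2.2 NAME 'exampleCaOperator' "
    "SUP examplePkiUser AUXILIARY MAY exampleCertProfile )",
    "objectClasses: ( 1.3.6.1.4.1.32473.1.2.1 NAME 'examplePkiUser' "
    "DESC 'holders MAY rotate keys' SUP top AUXILIARY "
    "MUST exampleCertSerial MAY ( userCertificate $ exampleCertProfile ) )",
    "attributeTypes: ( 1.3.6.1.4.1.32473.1.1.1 NAME 'exampleCertSerial' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "attributeTypes: ( 1.3.6.1.4.1.32473.1.1.2 NAME 'exampleCertProfile' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]
# Assumed to be defined on the target server already (names lower-cased).
SERVER_ATTRS = {"cn", "usercertificate"}
SERVER_CLASSES = {"top"}


def _names(body, keyword):
    """Names following KEYWORD: either one name or a '( a $ b )' list."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.strip("'()").lower() for n in re.split(r"[$\s]+", raw) if n.strip("'()")]


def parse_definition(line):
    """Extract kind, names, SUP and MUST/MAY references from one definition."""
    kind, _, body = line.partition(":")
    kind = kind.strip().lower()
    if kind not in ("attributetypes", "objectclasses"):
        raise ValueError("not a schema definition: %r" % line)
    # DESC text is free-form and may contain the words MUST/MAY/SUP: drop it first.
    body = re.sub(r"\bDESC\s+'[^']*'", "", body)
    names = _names(body, "NAME")
    if not names:
        raise ValueError("definition has no NAME: %r" % line)
    return {"kind": kind, "line": line.strip(), "names": names,
            "sup": _names(body, "SUP"),
            "needs": _names(body, "MUST") + _names(body, "MAY")}


def _order(defs, known):
    """Order definitions so that every SUP is defined before it is used."""
    known, ordered, pending = set(known), [], list(defs)
    while pending:
        ready = [d for d in pending if all(s in known for s in d["sup"])]
        if not ready:
            break  # whatever is left has an unresolved SUP
        for d in ready:
            known.update(d["names"])
        ordered += ready
        pending = [d for d in pending if d not in ready]
    return ordered, pending


def plan_load(lines, server_attrs, server_classes):
    """Return (definitions in safe load order, list of problems found)."""
    defs = [parse_definition(l) for l in lines]
    attrs, a_stuck = _order([d for d in defs if d["kind"] == "attributetypes"], server_attrs)
    classes, c_stuck = _order([d for d in defs if d["kind"] == "objectclasses"], server_classes)
    errors = ["%s: SUP %s is not defined" % (d["names"][0], ", ".join(d["sup"]))
              for d in a_stuck + c_stuck]
    known_attrs = set(server_attrs)
    for d in attrs:
        known_attrs.update(d["names"])
    for d in classes + c_stuck:
        for a in d["needs"]:
            if a not in known_attrs:
                errors.append("%s: attribute %s is not defined" % (d["names"][0], a))
    return attrs + classes, errors


def to_ldif(ordered, schema_dn="cn=subschemasubentry"):
    """One modify record per definition, so a rejected item is easy to locate."""
    records = []
    for d in ordered:
        attr = "attributeTypes" if d["kind"] == "attributetypes" else "objectClasses"
        value = d["line"].partition(":")[2].strip()
        records.append("dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n"
                       % (schema_dn, attr, attr, value))
    return "\n".join(records)


if __name__ == "__main__":
    plan, problems = plan_load(SAMPLE_DEFS, SERVER_ATTRS, SERVER_CLASSES)
    print("\n".join(problems) if problems else to_ldif(plan))
```

Catalog/index definitions, directory entries and ACIs still follow in the order the reply gives; the script only covers the schema step.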

Similar Messages

  • LDAP schema for addressbook in Lion

    I am starting to set up an OpenLDAP server for the place where I work. So far everything has been good, but I need to add a couple more fields (attributes) than the ones provided by the schema inetOrgPerson.
    I can add attributes to my accounts in LDAP all I want, but they do not show up in the addressbooks.
    Is there a schema that I could use to add something like the note field and have that show up in addressbooks connected to my LDAP server? Or even better, is it possible to add a "note" attribute and have that show up in the note field of addressbook?
    If such schema exist, please let me know where can I get it.
    If I am in the wrong forum to ask this question, please let me know where to post this.


  • LDAP Schema for AD  ( ADAM )

    Hi everyone.
    I've been reading the official documentation and searching the Web for some info on using an AD (at this time it is an ADAM but later on will be AD) user repository with AM 7.
    There is a reference in one of the manuals that says that there is a schema that needs to be added to the default schema of the AD. For the SunDS there is an LDIF file that can be used, but for AD there is none, and the syntax from DS to AD changes a bit.
    Is there anyone here who can clarify this for me? It sounds logical to me that these new attributes and object classes must be added to the AD schema, but is it so? And if so, does anyone have an LDIF that I can use to update the AD schema, which actually works?
    Thanks so much for all your help
    Rp

    Anyways, I've created an LDIF for Active Directory with these attributes and class objects.
    Don't really know if this is needed inside AD or not.
    If anyone wants these LDIFs for some reason, drop me a line. Keep in mind that they are a work in progress, so, if you find anything you don't like and would like to change it, please do let me know so I can update my versions as well.
    If anyone has any idea regarding the last questions I posted, please do let me know as well.
    Rp

  • LDAP Configuration for ECC 6.0 ( ABAP Stack only)

    Hi,
    Can anyone guide me through the steps for the LDAP configuration for ECC 6.0 (ABAP stack only)?
    Some of my observations are:
    I can see the LDAP Support in the Installation master at the following path.
    1. Additional Software Life cycle Tasks --> Application Server --> LDAP Support.
    But the prerequisite for this task is given as "You must have extended the LDAP schema for the sap data types before.".
    When I was going through the Service Marketplace I came across the following note.
    Note 888848 - Notes on schema enhancement with RSLDAPSCHEMAEXT.
    Thanks,
    Tanuj

    Dear All,
    We are trying to configure LDAP with Active Directory. In the step "Synchronization of SAP User Administration with LDAP Directory", when executing the report "RSLDAPSYNC_USER", we are facing an error.
    Please find the trace file and error screenshot in the attachment. Please help us on priority.
    Please find the trace log below:
    RFC destination : LDAP_LDAPSE-01
    Tracelevel      :      8,704
    F5: Shutdown F6: Clear list F7: Dump status F8: Refresh list
    [Wed Jun 26 11:15:38 2013]
    Slot 0 (WIPROTECH): >>> ldap_initU(host="abg-mumabc-dc1.abgplanet.abg.com", port=389)
    [Wed Jun 26 11:15:39 2013]
    Slot 0 (WIPROTECH): <<< ldap_initU() == <NOT NULL> := connected
    Slot 0 (WIPROTECH): >>> ldap_set_option(version=3)
    Slot 0 (WIPROTECH): <<< ldap_set_option() == 0
    Slot 0 (WIPROTECH): >>> ldap_simple_bind_sU(dn="poornataad", password: not initial)
    [Wed Jun 26 11:15:40 2013]
    Slot 0 (WIPROTECH): <<< ldap_simple_bind_sU() == 0 := success
    [Wed Jun 26 11:15:43 2013]
    >>>>Required attributes table
    Line    0: "CREATETIMESTAMP" (length 15)
    Line    1: "MODIFYTIMESTAMP" (length 15)
    Line    2: "SAPUSERNAME" (length 11)
    <<<<Required attributes table
    Slot 0 (WIPROTECH): >>> ldap_search_sU(base="CN=poornataad,CN=Users,DN=abgplanet,DC=abg,DC=com", filter="(&(OBJECTCLASS=user)(SAPUSERNAME=*))", scope=2)
    Slot 0 (WIPROTECH): <<< ldap_search_sU() == 91
    >>> ldap_msgfree()
    <<< ldap_msgfree()
    Slot 0 (WIPROTECH): >>> ldap_unbind_s()
    Slot 0 (WIPROTECH): <<< ldap_unbind_s() == 0
    Please find the error screenshot below.
    Regards,
    Dilip Sampath.CH
    +91-9619735957.

  • Help with extending schema for redhat ldap sudo integration.

    Hi all,
    I've done LDAP administration for a few years, but I'm new to Directory server and I'm a bit stuck. I want to apply a custom schema and allow sudoers in our CentOS (Red Hat) Linux servers. They're authenticating correctly, but I can't get sudoers to work. I've followed this documentation to update my schema.
    http://kbase.redhat.com/faq/docs/DOC-2057
    I'm having issues with the step that creates the SUDOers group as the following.
    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    I want to make administration easy via the Workgroup manager so I don't have to manually add users to this group via ldif files. When I create a sudoers group via the workgroup manager, I get this dn
    cn=sudoers,cn=groups,dc=spidertracks,dc=local
    As you can see, it's a cn, not an ou. Furthermore, how do I get the defaults in the sudoer's group so that redhat recognizes the setup, but users can be assigned via the workgroup manager?
    Thanks,
    Todd


  • Error while doing the Ldap sync for UDFs

    Hi All,
    I am doing LDAP sync for UDFs.
    I created users in OID,
    assigned them to the orclIDXPerson object, modified ldapconfig.props and created the input file.
    Now when I run ldapsyncudf.sh I get the error below.
    Exception in thread "main" java.lang.NullPointerException
    at oracle.ods.virtualization.schema.AttributeTypeDefinition.getOID(AttributeTypeDefinition.java:117)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.convertAttrDefnToJNDIAttrs(OVDSchemaContext.java:655)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:137)
    at oracle.ods.virtualization.jndi.OVDSchemaContext.getAttributes(OVDSchemaContext.java:109)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.isAttrExistsInLDAP(LDAPUDFSyncImpl.java:555)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.validateOVDSchema(LDAPUDFSyncImpl.java:519)
    at oracle.iam.configservice.impl.LDAPUDFSyncImpl.addUDFwithLDAP(LDAPUDFSyncImpl.java:1082)
    at oracle.iam.configservice.api.LDAPUDFSyncEJB.addUDFwithLDAPx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
    at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
    at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy631.addUDFwithLDAPx(Unknown Source)
    Can anyone please unblock me?
    Thanks,
    Valli

    Hi,
    Please see if these help (for 11gR2)
    Export the LDAPUser.xml file from MDS using weblogicExportMetadata.bat. This XML contains the attribute mapping between OIM and OID for LDAP synchronization.
    Include the entry for the OIM attribute (if an entry does not exist for the attribute in the XML) under the entity-attributes node. E.g. use the following XML snippet to add the entry for the ISD Code for Phone attribute:
    <entity-attributes><attribute name="ISD Code for Phone"> <type>string</type> <required>false</required> <attribute-group>Extended </attribute-group> <searchable>true</searchable> </attribute> </entity-attributes>
    Include the entry for the OID attribute under the target-fields node. E.g. use the following XML snippet to add the entry for CountryCode:
    <target-fields><field name="CountryCode"><type>String</type> <required>false</required> </field> </target-fields>
    Now map the OIM attribute to the OID attribute using the following XML snippet under the attribute-maps node:
    <attribute-maps><attribute-map> <entity-attribute> ISD Code for Phone </entity-attribute> <target-field>CountryCode</target-field> </attribute-map></attribute-maps>
    Save the changes and import the file back into MDS using WebLogic import utilities.

  • Error Extending eDirectory Schema for Radius in iManager

    I am working on integrating eDirectory with FreeRADIUS on our OES 11 SP2 servers. I have been following all the steps in the "Integrating Novell eDirectory with FreeRADIUS" guide located here: https://www.netiq.com/documentation/edir_radius/. I did not have any problems installing FreeRADIUS or modifying its config files for LDAP authentication.
    I am now stuck trying to extend the eDirectory schema for radius. In iManager, I go to Roles and Tasks --> radius --> Extend Schema, and I keep getting the following error: "RADIUS plugin encountered an error. Click the Details button for more information." When I click "details" it shows the following:
    java.lang.NullPointerException
        at java.util.StringTokenizer.<init>(StringTokenizer.java:88)
        at java.util.StringTokenizer.<init>(StringTokenizer.java:66)
        at com.novell.ldap.LDAPConnection.connect(Unknown Source)
        at com.novell.nps.radius.NovellLDAPAuthenticator.login(NovellLDAPAuthenticator.java:155)
        at com.novell.nps.radius.ExtendRadiusSchema.showInitialForm(ExtendRadiusSchema.java:178)
        at com.novell.nps.radius.ExtendRadiusSchema.execute(ExtendRadiusSchema.java:96)
        at com.novell.emframe.dev.Task.execute(Task.java:505)
        at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
        at com.novell.nps.gadgetManager.GadgetManager.delegateToGadget(GadgetManager.java:4256)
        at com.novell.nps.gadgetManager.LaunchService.onDelegateAction(LaunchService.java:86)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2371)
        at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1609)
        at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
        at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:509)
        at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
        at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
        at com.novell.nps.PortalServlet.doGet(PortalServlet.java:262)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:332)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:25)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.emframe.fw.filter.AntiCsrfServletFilter.doFilter(AntiCsrfServletFilter.java:275)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:761)
    Can anyone give me an idea of what is going on here? Everything I've been able to dig up so far has dealt with schema conflict errors and ssl/tls connection issues. I don't think that is what's going on here. I am getting the same error on multiple servers with eDirectory and iManager installed. Any help is appreciated. Thank you.
    Scot

    Originally Posted by bjunker
    I am working on integrating eDirectory with FreeRADIUS on our OES 11 SP2 servers. I have been following all the steps in the "Integrating Novell eDirectory with FreeRADIUS" guide located here: https://www.netiq.com/documentation/edir_radius/. I did not have any problems installing FreeRADIUS or modifying its config files for LDAP authentication.
    I am now stuck trying to extend the eDirectory schema for radius. In iManager, I go to Roles and Tasks --> radius --> Extend Schema, and I keep getting the following error: "RADIUS plugin encountered an error. Click the Details button for more information." When I click "details" it shows the following:
    Can anyone give me an idea of what is going on here? Everything I've been able to dig up so far has dealt with schema conflict errors and ssl/tls connection issues. I don't think that is what's going on here. I am getting the same error on multiple servers with eDirectory and iManager installed. Any help is appreciated. Thank you.
    Scot
    Seems like there is a known bug for this issue. I suggest you open an SR if you can.
    Thomas

  • Ask help for OID on Linux

    I installed OID, which comes with the download version of Oracle 8i 8.1.7, on Red Hat Linux 6.2. I used the Universal Installer to install the software and ran the postcfg script in $ORACLE_HOME/ldap/postcfg to generate the database and LDAP schema. After manually correcting some bugs in postcfg (it is better to add one line of oidmon -start) and bugs in oidadmin (the script in $ORACLE_HOME/bin: one is that it points to the wrong place for the JRE, the other is that it uses a switch that only works on SPARC), I finally started oidadmin.
    BUT, I still cannot log in to OID from oidadmin. Can anyone kindly give me some info on what the initial password for oidadmin of OID is? I have tried all the combos listed in the online help, like cn=orcladmin, oracladmin, etc. It doesn't work. I also used sqlplus as system to search for it in the tables of the OID database, but found nothing.
    Thanks for any info or hint!

    Hello:
    Sorry it took so long to respond to your question. I was exhibiting OID at AppsWorld in Paris and New Orleans for the past 2 weeks.
    Assuming you have followed the installation procedures from the "OID Installation Guide" there is one small bug patch that needs to be applied to the Linux versions. You can obtain a copy of this patch from the Oracle Metalinks web site:
    http://www.oracle.com/support/metalink/index.html
    Assuming that OID is up and running, you should be able to start a GUI Java tool from the command line prompt by typing in "oidadmin" or from your Linux window console. The super user account name is "orcladmin" and the default password is "welcome". The default port number is 389. Also make sure you put in the host name of your machine.
    Let me know if any of this helps. If not, I'll try to help you reinstall OID to make sure it is installed properly. I am unable to fully understand where you are stuck from your description of the problem.
    thanks,
    Jay

  • Radius or LDAP (not Oracle LDAP) authentication for GridControl

    I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
    I see that if I create a new GC user via enterprise manager, a new database account is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
    However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
    Questions for all:
    Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
    I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot purchase OID for this purpose.
    Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
    I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

    <QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
    Amen.
    Right now, I've got an SR open on the radius authentication issue in GC. It took me two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
    I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
    At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
    Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
    The other option, which I haven't yet given up on, would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controlled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
    In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
    I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
    Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
    In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
    I'll keep the thread updated if I see results from our SR.

  • UCCX 7.0.1SR5 to 8.0 upgrade while also adding LDAP integration for CUCM - what happens to agents and Historical Reporting data?

    Current State:
    •    I have a customer running CUCM 6.1 and UCCX 7.01SR5.  Currently their CUCM is *NOT* LDAP integrated and using local accounts only.  UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
    •    The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
    Goal:
    •    Upgrade software versions and migrate to new hardware for UCCX
    •    LDAP integrate the CUCM users
    Desired Future State and Proposed Upgrade Method
    Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server. 
    Then during a weekend maintenance window……
    •    Upgrade the CUCM cluster from 6.1 to 8.0 in 2 step process
    •    Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
    •    Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
    •    Restore the data from the UCCX PUT tool
    •    Continue setup per documentation
    At this point does UCCX see these agents as the same as they were before?
    Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
    I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
    We can simplify this question along these lines
    Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01.  Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software. 
    If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens? 
    I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
    What would historical reporting show in this case?  A set of old agents and a set of new agents treated differently?
    Has anyone run into this before?
    Is my goal possible while keeping the agent configuration and HR data as it was before?

    I was doing some more research looking at the DB schema for UCCX 8.
    Looking at the Resource table in UCCX, it looks like there is primary key that represents each user.
    My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
    How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
    Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
    Database table name: Resource
    The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
    A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.

  • Configuring the authentication scheme for a web application

    Hi all,
    We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
    Since the deployment descriptor (web.xml) allows only one directive for auth-method in login-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
    Please let us know if there is any other approach to achieve this.
    I will be thankful if anybody shares any specific solution to this issue.

    This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
    Kaj

  • Best Approach to create LDAP structure in OID

    We are currently in the process of creating the LDAP schema and structure in OID 11g. This schema and structure in OID will then be used by Oracle products such as OIM, OES, OAM and others to perform user authentication, coarse-grained authorization, fine-grained authorization, attribute mappings, etc.
    I wanted to know if there is any Best Practices approach/guidelines we can use to define this schema and structure now so we don't encounter any obstacles and limitations while using OIM, OAM and OES.
    Will appreciate quick response.
    Thanks!

    I understand that the LDAP structure design depends on the business goals and requirements, and we are definitely building the schema along those lines. But the thing we want to make sure of is how flexible products like OIM, OAM and OES are in providing user authentication (if the user is deep down in the tree), authorization (if the user needs to be authorized to services having attributes deep down in the tree), and mapping complex relationships and permissions in conjunction with OID.
    I think the other way of asking this question would be: what should we take into consideration while designing the LDAP structure in OID as the backend LDAP store, and what should we leave out of the LDAP structure in OID that could be considered while designing the authentication and authorization process in OIM, OAM and OES?
    Our goal is to keep the LDAP structure simple and flexible but at the same time use OAM, OES and OIM at their best capabilities to serve our purpose without a lot of customizations required.
    Thanks!

  • I need to extend the schema for iPlanet Dir. 5.0 and add custom objectclasses and attributes. I do this by adding entries in the 99user.ldif file. It's not working. Any ideas?

    Hi
    I need to extend the schema for iPlanet Dir. 5.0 and I do not want to do so from the console. As per the documentation, I need to either add entries in the 99user.ldif file or define my own custom [00-99]myname.ldif file. I tried this but it's not working.
    I have made the assumption that there is no explicit import step for the 'user defined' schema files (as it is for user data ldif files). I assume that on start (or on opening the console), I'd be able to see the new schema after the server has read the schema file.
    I have verified that entering new objectclasses and attributes from the console adds entries into the 99user.ldif file. So why is the reverse process not working. Can anybody throw some light on this? Also in case my assumptions are faulty, please let me know.
    I did not change the aci entries in the existing ldif file. Is any modification needed there? I was logged in as the Directory Manager during this testing process.
    regards
    Sikka

    Hi Sikka,
    The server reads its schema configuration on startup. If you manually modify the schema files while the server is running, it will not have any effect. You have to restart the server.
    The console adds the new schema elements over LDAP (you could do that as well, you only have to modify the cn=schema entry), so the server is aware of the changes immediately and thus restarting is not needed.
    I hope this helps.
    Bertold

  • Ldap schema extension to control which users / group are imported

    Hello,
    would like to have your opinion:
    would it be a good idea to implement ldap schema extensions to control
    which users / group are imported and controlled from ldap in a ldap
    mastered installation?
    e.g. we could implement the following schema extension for users:
    attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME ( 'BogusisBeehiveUser' )
        DESC ''
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )
    # BogusinetOrgPerson
    # The BogusinetOrgPerson is derived from inetOrgPerson
    objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
        NAME 'BogusinetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
        SUP inetOrgPerson
        STRUCTURAL
        MAY ( BogusisBeehiveUser ) )
    Then we could control the inclusion in beehive by simply switching
    BogusisBeehiveUser on or off.

    sure; that's pretty much what is talked about in the Install Guide for LDAP Integration under the "inclusion and exclusion" section, about here:
    http://download.oracle.com/docs/cd/E14897_01/bh.100/e14830/ldap.htm#CHDEFFJF
    that doesn't go into the specifics of how you might want to design your objectClass schemas, though, as beehive is agnostic to that.
    If you don't want to provision all users that match a certain existing rule (like everyone under dn=foo, or everyone where userType=employee), then adding a new attribute and building the profile inclusion rule around it is a valid thing to do.
    richard

  • LDAP Schema Designer

    I am looking for a kind of LDAP Schema Designer, a utility that can check the consistency of my schema, detect redundancies ...
    Any suggestions?
    Thanks

    I don't know of any tool like that. The problem is actually not quite that simple, since LDAP does not implement a relational database per se, or have concepts about 1st, 2nd, 3rd, etc normal forms.
    If you want me to review and refine your schema for you, then you can hire me as a consultant. I have extensive experience in designing schema and modeling directory objects and DIT.
    Click my handle for my email address if interested.
    podzap
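
A minimal consistency check of the kind asked about in this thread, as an added example that is not part of any post above: it parses OpenLDAP-style `attributetype`/`objectclass` definitions and reports duplicate OIDs, attributes referenced before they are defined, and attributes no object class uses. The sample input is constructed from the Bogus schema quoted earlier on this page plus two deliberate mistakes; `BogusCostCentre`, `BogusBadge` and the function names are hypothetical.

```python
import re

SAMPLE = """# Constructed input: the Bogus schema from this page plus two deliberate mistakes.
attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME ( 'BogusisBeehiveUser' )
    EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME 'BogusCostCentre'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.<iana-org-id>.1 NAME 'BogusinetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
    SUP inetOrgPerson STRUCTURAL MAY ( BogusisBeehiveUser $ BogusBadge ) )
"""

def definitions(text):
    """Yield (kind, body) per definition, matching nested parens outside quotes."""
    for m in re.finditer(r"(?im)^\s*(attributetype|objectclass)\s*\(", text):
        depth, i, quoted = 1, m.end(), False
        while i < len(text) and depth:
            c = text[i]
            quoted ^= c == "'"          # parentheses inside '...' do not count
            if not quoted:
                depth += (c == "(") - (c == ")")
            i += 1
        if depth:
            raise ValueError(f"unbalanced parentheses in {m.group(1)} definition")
        yield m.group(1).lower(), text[m.end():i - 1]

def names(body, keyword):
    """Identifiers after NAME/MUST/MAY: one word or a ( $-separated list )."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|'?([\w;-]+)'?)", body)
    words = re.split(r"[\s$]+", (m.group(1) or m.group(2) or "") if m else "")
    return [w.strip("'") for w in words if w.strip("'")]

def lint(text, known_attrs=()):
    """Findings for one schema file; known_attrs lists attributes defined elsewhere."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)             # drop comment lines
    findings, oids, local, used = [], {}, {}, set()
    known = {a.lower() for a in known_attrs}
    for kind, body in definitions(text):
        body = re.sub(r"DESC\s+'[^']*'", "", body)       # free text must not match keywords
        oid, name = body.split()[0], (names(body, "NAME") or ["?"])[0]
        if oid in oids:
            findings.append(f"duplicate OID {oid}: {oids[oid]} and {name}")
        oids.setdefault(oid, name)
        if kind == "attributetype":
            local[name.lower()] = name
        for ref in names(body, "MUST") + names(body, "MAY"):   # empty for attribute types
            used.add(ref.lower())
            if ref.lower() not in known and ref.lower() not in local:
                findings.append(f"{name}: attribute {ref} not defined before use")
    return findings + [f"{n}: defined but never used" for k, n in local.items() if k not in used]
```

Attributes inherited from standard schema files (for example those of `inetOrgPerson`) should be passed in `known_attrs`, since the check only sees the file it is given.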
