XI3.1 and delegated admin?

Hi,
We have two distinct projects. Each project must have a delegated admin (manage users and groups): each admin must see only its users and groups...
We have applied this:
1/ create specific admin groups
2/ create a specific access level (view object/general + add objects/content folder all rights/system user all rights/system usergroup)
3/ on user and groups/manage top level security/all group:
add the two admin groups and apply the access level
4/ on each group and subgroup remove access on the admin group that does not (because each admin group is in inherited right...)
This works, but not at the user level: the delegated admin can't create users, and if we apply the top level security access level, the admin group can see ALL users. That's not what we want...
Do you have ideas?
Thanks

Hi Phil!
I think it is designed as is - but did you try to use Windows AD Groups?
You can enable specific Windows AD groups to BO. These will be created automatically the first time they log on, or you can trigger an AD refresh. So the users are created automatically.
Your admins could then have the rights to see the users only and to see/edit their own set of Groups, where they can put these users. Also you can define which admin sees which objects (reports, universes, connections, ...)
But: you will get an issue if you lose/change your AD connection to your server, then everything must be redone.
ciao Hakan

Similar Messages

  • Using Mail, Calendar and Delegated Admin

    I've installed mail, calendar and delegated admin for one of the domains I'm hosting.
    I can't figure out where I can adjust the settings for service packages, e.g. earth. I'd like to have a 60 MB mailbox instead of 6. (Changing this on user level in LDAP is not an option.)
    Anyone who can give me some tips about where to change this?
    Tnx.
    Kristian

    Sounds like you need to change one of your Service Package templates. Alas, I've not had time to dive into that.
    There is a default config setting for quota, that's global. If you set that, and don't put anything into the user's individual ldap entries, then everybody gets that quota:
    store.defaultmailboxquota
    http://docs.sun.com/app/docs/doc/819-2651/6n4u5ce7i?a=view

  • Jes3 and Delegated Admin

    I'm setting up a demo of JES3 Messaging for a customer with the Delegated Admin. It seems to work, for I can create users with the correct attributes. These users can log into Messenger Express and can see their mail but cannot send outgoing mail. Also I can't pop from the command line for any of these users, but sending mail to them from the command line does work. This seems to be a problem with MailAllowed Services, but it seems ok on an ldapsearch (see below).
    Synopsis of results:
    I can send mail to these users with a telnet to port 25. But MExpress cannot send mail from any of these users.
    Messaging Express smtp error:
    "Not authorized to sned messages"
    But MExpress gets incoming mail for these users.
    Messenger Express gets mail for the users but pop fails:
    Telnet <server> 110
    User testuser2
    pass password
    "-ERR [AUTH] Not authorized to login as specified user"
    ldapsearch output for testuser2
    uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
    psIncludeInGAB=true
    uid=testuser2
    iplanet-am-modifiable-by=cn=Organization Admin Role,o=myjazz.com,dc=myjazz,dc=com
    givenName=Test
    [email protected]
    mailUserStatus=active
    sn=User2
    cn=Test User2
    inetCOS=gold
    preferredLocale=en
    mailHost=bigun.myjazz.com
    objectClass=userpresenceprofile
    objectClass=top
    objectClass=iplanet-am-managed-person
    objectClass=iplanet-am-user-service
    objectClass=inetadmin
    objectClass=organizationalperson
    objectClass=person
    objectClass=inetuser
    objectClass=inetlocalmailrecipient
    objectClass=iplanetpreferences
    objectClass=ipuser
    objectClass=inetorgperson
    objectClass=inetsubscriber
    objectClass=inetmailuser
    inetUserStatus=Active
    userPassword={SSHA}I8oftLKYhg0DzYAzCh1UfzaluWNuKVNIjXO7RQ==
    mailDeliveryOption=mailbox
    preferredLanguage=en
    nswmExtendedUserPrefs=meDraftFolder=Drafts
    nswmExtendedUserPrefs=meSentFolder=Sent
    nswmExtendedUserPrefs=meTrashFolder=Trash
    nswmExtendedUserPrefs=meInitialized=true
    pabURI=ldap://bigun.myjazz.com:389/ou=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com,o=pab
    mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL
    mailMsgMaxBlocks=700
    mailMsgQuota=3000
    mailQuota=8000000

    I had the same problem. When I created a user account through the Delegated Admin interface the user could log into Communications Express, but was unable to send outgoing email. I then created another user account using the command below and this user is able to send email. I have not quite figured out the significant difference yet.
    ./commadmin user create -D admin -w <password> -X host.domain.com -n domain.com -d hosteddomain.com -l test5 -F Test5 -L User -W pass -S mail,cal -k legacy -E [email protected] -H host.domain.com
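
The `mailAllowedServiceAccess` value in the ldapsearch output above lists only `imaps`, `pops`, `smtps` and `http`, which fits the reported symptoms (webmail works, plain POP on port 110 and sending are refused). The following is an added example, not code from the posters or from Sun: a small Python audit that parses entries in that `attribute=value` form and reports which services each user's filter denies. The evaluation rules (an allow match grants, a deny match refuses, no match is refused only when the value holds allow rules and no deny rules), the service keyword list, the client address and the second and third sample entries are assumptions or constructed for illustration.

```python
"""Audit mailAllowedServiceAccess filters found in ldapsearch-style output."""
import re

# Assumed service keywords; the SSL variants are distinct names from the plain ones.
SERVICES = ("imap", "imaps", "pop", "pops", "smtp", "smtps", "http")

# First entry uses the filter value quoted in the post; the other two entries
# are constructed for this example.
SAMPLE = """\
uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
uid=testuser2
mailUserStatus=active
mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL

uid=testuser9,ou=People,o=myjazz.com,dc=myjazz,dc=com
uid=testuser9
mailUserStatus=active

uid=testuser10,ou=People,o=myjazz.com,dc=myjazz,dc=com
uid=testuser10
mailAllowedServiceAccess=-pop:ALL$-imap:ALL
"""


def parse_entries(text):
    """Split blank-line separated entries; the first line of each is the DN."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        attrs = {}
        for ln in lines[1:]:
            name, _, value = ln.partition("=")
            attrs.setdefault(name.lower(), []).append(value)
        entries.append({"dn": lines[0], "attrs": attrs})
    return entries


def parse_filter(value):
    """Turn '+svc,svc:client,client$-svc:client' into (allow, services, clients)."""
    rules = []
    for raw in value.split("$"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing '$'
        if raw[0] not in "+-" or ":" not in raw:
            raise ValueError(f"malformed rule: {raw!r}")
        services, _, clients = raw[1:].partition(":")
        rules.append((
            raw[0] == "+",
            {s.strip().lower() for s in services.split(",")},
            {c.strip() for c in clients.split(",")},
        ))
    return rules


def is_allowed(rules, service, client):
    """Apply the assumed evaluation order to one service/client pair."""
    if not rules:
        return True  # no filter at all: every service is open
    hits = [allow for allow, svcs, clients in rules
            if ("all" in svcs or service in svcs)
            and ("ALL" in clients or client in clients)]
    if True in hits:
        return True
    if False in hits:
        return False
    # No rule matched: refused only when the value has allow rules and no deny
    # rules (counted across the whole attribute value, an assumption).
    has_allow = any(allow for allow, _, _ in rules)
    has_deny = any(not allow for allow, _, _ in rules)
    return not (has_allow and not has_deny)


def denied_services(text, client):
    """Map each uid to the services its filter refuses for the given client."""
    report = {}
    for entry in parse_entries(text):
        attrs = entry["attrs"]
        uid = attrs.get("uid", [entry["dn"]])[0]
        rules = []
        for value in attrs.get("mailallowedserviceaccess", []):
            rules.extend(parse_filter(value))
        report[uid] = [s for s in SERVICES if not is_allowed(rules, s, client)]
    return report


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the test client.
    for uid, denied in denied_services(SAMPLE, "192.0.2.10").items():
        print(f"{uid}: denied = {', '.join(denied) or 'none'}")
```

Run against an export of a whole domain, the report makes it easy to spot accounts whose provisioning path left them with a different service filter than the rest.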

  • OUs and Delegated Admin

    Folks,
    How can I manage Organizational Units and Groups with the Delegated Administrator? I've created some OUs and Groups with Directory Server Console and after that I cannot see them thru the Delegated Administrator.
    Any suggestion?
    Thanks in advance.

    Adding groups from the directory console is not supported. You need to provision all users and groups through the iDA. You will be able to send mail to the groups you created through the console, but you won't be able to see them in the iDA. Here is a link to the provisioning guide: http://docs.sun.com/source/816-6018-10/index.html
    I guess to answer your question, you can't see the groups in the iDA because they are missing the proper object classes and attributes which they are given when created through the iDA.

  • Organizational Units and Delegated Admin (again)

    Hi,
    In fact I've read that Domain Organizations can only be created thru LDAP, but I'm a newbie in all this stuff. The paper says that I must create some LDIF records to create a Domain Organization. My question is: where should these files (LDIFs) be placed?
    Rgds.

    Hi
    Once you have created the ldif file with information about the Organizational Unit , you then import that ldif file into directory server (ldap).
    You can import through directory console or through command line ldif2db.
    Regards

  • From schema 1 to schema 2 migration delegated admin problem

    I want to migrate from schema 1 to schema 2 on Messaging Server 6.2 (JES 2005Q1).
    I have installed Access Manager and Delegated Admin.
    With commdirmig I migrated the domain and schema, and messaging works correctly.
    I have a problem with the delegated admin web interface.
    The delegated admin doesn't show my domain. If I add the sundelegatedorganization objectclass I can view my domain on delegated admin but I can view user and group.
    Any Idea?
    TIA
    Bye Giovanni

    There are two very different products called "delegated admin". The old iPlanet Delegated Admin (iDA) only works with Schema 1. The current Delegated Admin, that comes with JES3, only works with Schema 2.
    If you're using the old iDA that worked with schema 1, it won't work with schema 2. You have to install the new DA for that.
    It doesn't work with groups/lists, only with users and domains.

  • Delegated Admin for Messaging does not run properly

    Hi, my environment is:
    iDS5.1, iMS5.2, iCS5.1 and Delegated Admin for Messaging 1.2.
    I have installed all the components and it seems to run fine, but when I log on to the Delegated Admin I can't see the frame in the middle of the browser window. An error appears that "The page cannot be displayed".
    I had a look in the error log of the WebServer to see what might happen and I saw the following error message:
    Internal error: servlet service function had thrown ServletException (uri=/servlet/getPage): javax.servlet.ServletException: java.lang.Exception: ../templates/isp/SearchSelected.html:45 -> Template contains directive that first requires LdapEntry to be initiallized by program., stack: javax.servlet.ServletException: java.lang.Exception: ../templates/isp/SearchSelected.html:45 -> Template contains directive that first requires LdapEntry to be initiallized by program. at java.lang.Throwable.fillInStackTrace(Native Method) at java.lang.Throwable.fillInStackTrace(Compiled Code) at java.lang.Throwable.<init>(Compiled Code) at java.lang.Exception.<init>(Compiled Code) at javax.servlet.ServletException.<init>(ServletException.java:107) at netscape.nda.servlet.NDAIMSGetPage.execute(Compiled Code) at netscape.nda.servlet.NDAServlet.doPost(NDAServlet.java:117) at netscape.nda.servlet.NDAServlet.doGet(NDAServlet.java:138) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.java:897) at com.iplanet.server.http.servlet.NSServletRunner.Service(NSServletRunner.java:464) , root cause:
    I had no errors during the installation and the access to the LDAP server seems to be o.k. because it is possible to log on to the Del. Admin.
    Can anyone give me a hint what this might be?
    Any help would be very much appreciated.
    THX
    Marcel

    iDS5.1, iMS5.2, iCS5.1 and Delegated Admin for Messaging 1.2.
    Why is anybody installing 3-year old software today?
    The error message implies that not all installation steps were done correctly. The most common problem is that when ims_dssetup.pl is run, the entries there are not correct for what you intend to put in during Messaging install...

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • While installing IMS on p4, the delegated admin, MTA and IWS6.0 could not be started

    I am installing IMS 5.1 NT version on a P4 machine and my MTA services are not starting. I searched for the IMTA.conf file but it was not found. Also the IWS 6.0 that was installed additionally for the upgraded JVM is not starting, and the delegated admin could not be accessed through the browser.

  • Delegated Admin and User Management in WLP 9.2

    Hi,
    I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
    The error message that shows when creating new user is "The subject does not have access to the specified group".
    What should I do to make it work ?
    Regards,
    Tanja

    Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
    http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
    If you have a support contract, you might be able to contact BEA Support to see if a patch might be available.

  • Delegated Admin and Class of Service

    Hi
    we have configured
    Messaging Server
    Calendar server
    Instant Messaging Server
    and Portal Server
    We would like use delegated admin for user provisioning.
    We are able to modify default Class of Service templates to suit our needs for Messaging and Calendaring.
    We would also like to provide Portal desktop and Instant messaging access thru' delegated admin.
    Help us to configure these class of services either using directory console or any other method
    Thanks
    Saba

  • Delegated Admin and Number of Users

    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?
    -- Bob

    rkbunca wrote:
    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?

    The number of users displayed in the DA GUI is recorded in the "sunNumUsers" attribute associated with the domain e.g.
    dn: o=aus.sun.com,dc=aus,dc=sun,dc=com
    sunNumUsers: 11
    This is to avoid having to do an ldapsearch across the domain to get a count. You can manually update this attribute to get the number back-in-sync.
    The commadmin domain purge should have updated this value -- I couldn't find any pre-existing bugs to explain why it didn't happen in your case. I suggest you log a support case to get this looked into further.
    You may also want to check your directory audit logs to see if an attempt was made to update this attribute but failed for some reason.
    Regards,
    Shane.

  • Delegated Admin Deleted org and attribute violation

    I'm using Sun Messaging Server 6 and Delegated Administrator 6.3-0.09. I've created an organization, and got everything to work just fine. Then I deleted it with the GUI and then used commadmin to delete and purge it, but now when I try to make one of the same name and domain it says "Attribute uniqueness violated." I've checked the LDAP DB directory and it's not there.
    Also I did the same with some other domains (creating and deleting) with commadmin and it says "Conflicts with deleted Organization". Those domains are still in the LDAP DB and I googled around and I set the mailDomainStatus from "active" to "removed" with ldapmodify. But commadmin domain purge still doesn't get rid of it. I'm running out of ideas. Anybody have any ideas?
    Thanks

    Hi Jay,
    Yes you're probably right about it being a different issue.
    1) Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
    libimta.so 6.2-7.05 (built 12:18:44, Sep 5 2006)
    SunOS msg01 5.10 Generic_118833-24 sun4v sparc SUNW,Sun-Fire-T200
    Delegated Administrator 6.3-2.02 (built Mar 7, 2006)
    Sun Java System Access Manager 7 2005Q4
    Solaris is patched with the latest and greatest. I had the same issue before patching Messaging Server and DA.
    2) I've created a number of organizations and users using DA, that worked fine, Communications Express and calendar also both appear to work just fine.
    I can remove users just fine, before commadmin domain purge, I run msuserpurge and csclean.
    Now, when I want to delete the actual organization they obviously get marked as "deleted" and I have to use -g 0 when I do commadmin domain purge, but it doesn't work. commadmin domain purge appears to work, I get no errors, even in verbose mode it looks fine, except everything says the same in LDAP.
    I've replaced the actual domain with acme.com :)
    # ./commadmin domain purge -v -D admin -w password -n acme.com -d "*" -g 0 -X accm01.acme.com -p 80
    [Debug]: DBG:Object = domain ; task = purge
    [Debug]: default domain from Properties: acme.com
    [Debug]: IShost from Properties: accm01.acme.com
    [Debug]: ISPort from Properties: 80
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/auth
    [Debug]: To servlet: domain=acme.com&username=admin&password=password&charsetenc=UTF-8
    [Debug]: cookie => JSESSIONID=C60C53354E7A3CC9DFE8BA50BE3041B3;Path=/commcli
    [Debug]: RECV: OK
    [Debug]: RECV: OK
    [Debug]: RECV: dn: uid=admin, ou=People, o=acme.com,dc=acme,dc=com
    [Debug]: RECV: datasource: Sun ONE Messaging Server Installer
    [Debug]: RECV: objectclass: ipUser
    [Debug]: RECV: objectclass: top
    [Debug]: RECV: objectclass: iplanet-am-managed-person
    [Debug]: RECV: objectclass: iplanet-am-user-service
    [Debug]: RECV: objectclass: icsCalendarUser
    [Debug]: RECV: objectclass: iPlanetPreferences
    [Debug]: RECV: objectclass: person
    [Debug]: RECV: objectclass: inetAdmin
    [Debug]: RECV: objectclass: inetMailUser
    [Debug]: RECV: objectclass: userPresenceProfile
    [Debug]: RECV: objectclass: inetorgperson
    [Debug]: RECV: objectclass: inetLocalMailRecipient
    [Debug]: RECV: objectclass: organizationalPerson
    [Debug]: RECV: objectclass: inetUser
    [Debug]: RECV: nsroledn: cn=Top-level Admin Role,dc=acme,dc=com
    [Debug]: RECV: mailquota: -1
    [Debug]: RECV: loginid: admin
    [Debug]: RECV: uid: admin
    [Debug]: RECV: userpassword: {SSHA}RDI/jttF2mJBn/guc4zi74WupckeR+B+zjCPZA==
    [Debug]: RECV: mail: [email protected]
    [Debug]: RECV: givenname: Store
    [Debug]: RECV: mailuserstatus: active
    [Debug]: RECV: icssubscribed: [email protected]:[email protected]:anonymous
    [Debug]: RECV: sn: Top Level Admin
    [Debug]: RECV: surname: Top Level Admin
    [Debug]: RECV: cn: Top Level Admin
    [Debug]: RECV: maildeliveryoption: mailbox
    [Debug]: RECV: icscalendarowned: [email protected]:anonymous$
    [Debug]: RECV: memberof: cn=Service Administrators,ou=Groups,dc=acme,dc=com
    [Debug]: RECV: initials: TLA
    [Debug]: RECV: mailhost: comx01.acme.com
    [Debug]: RECV: mailmsgquota: -1
    [Debug]: RECV: iplanet-am-user-login-status: Active
    [Debug]: RECV: inetuserstatus: active
    [Debug]: RECV:
    [Debug]: DBG: before getobjtaskargs
    [Debug]: In getObjTaskArgs for: domain; purge
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/climap
    [Debug]: Sending to servlet: task=purge&object=domain
    [Debug]: getObjTaskArgs Status: 0
    [Debug]: Number of servlets: 1
    [Debug]: Servlet Name: TaskManager
    [Debug]: Servlet args: task=PurgeDomain
    [Debug]: Servlet args: objecttype=Domain
    [Debug]: Valid Options Array: 4
    d, true, *, true, true, [search_op]domain pattern, search_op=~=, =,!=,>=, or <=, domain, ,
    S, true, , false, true, service(s) to be purged, services, ,
    g, true, 10, false, true, grace period (days), purgegrace, ,
    r, false, , false, true, recursively delete subentries, recursive=yes, ,
    [Debug]: DBG: getObjTaskArgs done
    [Debug]: servInfo len = 1
    [Debug]: argVal =*
    [Debug]: servCommand =task=PurgeDomain&objecttype=Domain&domain=*
    [Debug]: argVal =0
    [Debug]: servCommand =task=PurgeDomain&objecttype=Domain&domain=*&purgegrace=0
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/TaskManager
    [Debug]: To servlet: task=PurgeDomain&objecttype=Domain&domain=*&purgegrace=0
    [Debug]: RECV: OK
    [Debug]: RECV:
    [Debug]: CLITask: status returned =OK
    OK
    [Debug]: DBG: doOne returned code=0
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/logout
    [Debug]: Logout ...
    [Debug]: RECV: SSOToken id AQIC5wM2LY4SfczYpHHUrvgaZnCL10QKi1CbUcI+yMCK72s=@AAJTSQACMDE=#
    [Debug]: RECV: destroyed
    If I then do an LDAP search, I still see the domains there, even though I've set mailDomainStatus: removed (as suggested in other threads)
    dn: o=test3.dk,dc=acme,dc=com
    o: test3.dk
    sunNameSpaceUniqueAttrs: uid
    sunMaxUsers: -1
    sunOrgType: full
    sunPreferredDomain: test3.dk
    sunEnableGAB: false
    preferredMailHost: msg01.acme.com
    mailClientAttachmentQuota: -1
    mailDomainDiskQuota: -1
    objectClass: inetdomainauthinfo
    objectClass: sunismanagedorganization
    objectClass: top
    objectClass: sunnamespace
    objectClass: sundelegatedorganization
    objectClass: sunmanagedorganization
    objectClass: maildomain
    objectClass: icscalendardomain
    objectClass: organization
    icsDWPBackEndHosts: cal01.acme.com
    icsStatus: Active
    preferredLanguage: en
    sunRegisteredServiceName: DomainMailService
    sunRegisteredServiceName: GroupMailService
    sunRegisteredServiceName: iPlanetAMAuthMembershipService
    sunRegisteredServiceName: UserMailService
    sunRegisteredServiceName: iPlanetAMAuthService
    sunRegisteredServiceName: iPlanetAMAuthConfiguration
    sunRegisteredServiceName: UserCalendarService
    sunRegisteredServiceName: iPlanetAMPolicyConfigService
    sunRegisteredServiceName: iPlanetAMAuthLDAPService
    sunRegisteredServiceName: DomainCalendarService
    sunNumUsers: 0
    sunAvailableServices: earth:10:0
    inetDomainStatus: removed
    mailDomainStatus: removed
    3) Not a lot.
    4) Organizations removed from LDAP, as it is now they are blocking should I want to re-add them, and of course filling up LDAP :-/

  • Portal and Delegated Administrator for Messaging

    Hi,
    I was wondering if anyone has managed to get the iPlanet Messaging server Delegated Admin working properly with the portal gateway.
    In particular - was anyone able to adjust the gateway rewrite rules to prevent the gateway only from appending to the URLs in the left control frame? We have tried various rewriting combinations but none have worked so far. A rewrite of the hRefStr variable comes close but does not work, as it does not handle the escape character "\" properly and appends extra info as well. The URLs turn out like the following example:
    https://gateway.com/http://portal.com/servlet/"/servlet/getPage?op=createMLM&mode=edit"
    If anyone has suggestions on how to overcome this it would be greatly appreciated.

    Can you tell the version of Portal Server that you use? There are some known issues with SP2, and it is rectified in SP3. Or else this should be an issue with iPlanet Delegated Admin.
    Thanks,
    Raj_indts
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support

  • Can't login to Delegated Admin after redeploy

    I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA. Now I cannot login to DA. It keeps telling me: "Invalid login ID or password, please try again". The ID and password are correct. No LDAP traffic is being generated during the attempted login. I turned on DA logging and this is what I get:
    Aug 23, 2008 4:43:39 PM com.sun.comm.da.security.DALoginManager login
    INFO: Login failed, login id [admin]
    com.sun.comm.jdapi.DAException: Moved Temporarily: Moved Temporarily
    at com.sun.comm.jdapi.DAConnection.liveAuth(DAConnection.java:88)
    at com.sun.comm.jdapi.DAConnection.authenticate(DAConnection.java:130)
    at com.sun.comm.da.security.DALoginManager.login(DALoginManager.java:209)
    at com.sun.comm.da.view.LoginViewBean.handleLoginButtonRequest(LoginViewBean.java:212)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:816)
    at com.sun.comm.da.DAServlet.service(DAServlet.java:152)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
    at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:133)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
    at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    Here is a sample of what I get when I run commadmin:
    ./commadmin -v search domain o=xyz.com
    [Debug]: DBG:Object = search ; task = domain
    [Debug]: default domain from Properties: xyz.com
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    Enter login ID: admin
    Enter login password:
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
    Moved Temporarily: Moved Temporarily
    Invalid value for Identity server host name: webmail.xyz.com
    Invalid value for Identity server port: 80
    Enter Identity server port[80]:
    Any ideas?

    sheger77 wrote:
    I originally had Delegated Admin 6.4 running on port 80 in Webserver 7u3 along with AM, and UWC. I needed to move DA off of port 80 so I created another Webserver instance on port 81 and then uninstalled and reinstalled Delegated Admin against the new instance. In the configurator I specified port 80 where it asked about Access Manager and port 81 where it asked to deploy DA.
    As per the administration guide, Delegated Administrator server needs to be installed in the same web-container/instance as Access Manager.
    http://docs.sun.com/app/docs/doc/819-4438/acfck?a=view
    "The Delegated Administrator server uses the same Web container as Access Manager. The configuration program asks for Web container information after it asks for the Access Manager base directory."
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    The commadmin client is trying to contact the DA server which is supposed to be installed in the same Web container as Access Manager (hence the use of IShost/ISPort):
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
    Can't contact DA server so attempt fails.
    Regards,
    Shane.
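A triage of the `commadmin -v` output discussed in this thread, as an added example (not from the original posts and not Sun's tooling): it parses the debug lines, reports the endpoint the client contacted, and flags the redirect, a mismatch with the port DA was deployed on, and the password parameter going to an `http://` URL. The function name `triage`, the `da_port` parameter and the finding labels are assumptions; the sample lines are constructed from the output quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the commadmin -v debug lines quoted in the thread.
SAMPLE = """\
    [Debug]: IShost from Properties: webmail.xyz.com
    [Debug]: ISPort from Properties: 80
    [Debug]: Contacting : http://webmail.xyz.com:80/commcli/auth
    [Debug]: To servlet: domain=xyz.com&username=admin&password=xxxxxxxx&charsetenc=UTF-8
    [Debug]: Http Error recvd: Moved Temporarily
"""

# "[Debug]: <key>: <value>", where the key ends at the first colon.
DEBUG_LINE = re.compile(r"^\s*\[Debug\]:\s*([^:]+?)\s*:\s*(.*)$")


def triage(text, da_port=None):
    """Summarise commadmin -v output.

    da_port (hypothetical parameter) is the port of the web container
    instance that Delegated Administrator was actually deployed to.
    """
    facts = {}
    for line in text.splitlines():
        m = DEBUG_LINE.match(line)
        if m:
            facts[m.group(1)] = m.group(2).strip()

    url = urlsplit(facts.get("Contacting", ""))
    is_port = int(facts.get("ISPort from Properties", 0)) or None
    # Keep parameter names only, so the report never repeats a credential.
    params = [name for name, _ in parse_qsl(facts.get("To servlet", ""))]

    findings = {}
    if facts.get("Http Error recvd") == "Moved Temporarily":
        findings["redirect"] = (
            f"{url.path} on port {url.port} answered with a redirect, "
            "so no DA servlet handled the login there")
    if da_port is not None and is_port is not None and da_port != is_port:
        findings["port-mismatch"] = (
            f"client uses ISPort {is_port}, DA is deployed on {da_port}")
    if url.scheme == "http" and "password" in params:
        findings["cleartext-password"] = "password parameter sent to an http:// URL"
    return {"host": url.hostname, "port": url.port, "path": url.path,
            "findings": findings}


if __name__ == "__main__":
    for code, msg in triage(SAMPLE, da_port=81)["findings"].items():
        print(f"{code}: {msg}")
```
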
