DA and non-flat user/group structures

Hello, I am trying to build a directory structure with several containers under an organization to hold different portions of user and group data (i.e. not only ou=People and ou=Groups, but also a few more OUs like them). Server software is the OUCS 7u2 release. Users in the 'other' containers are populated in LDAP (ODSEE 11) by replication, with the same attributes as a freshly DA-created account has.

The delegated administration interface and other parts of the software accept this and work well with this configuration: the user information display, logins and so forth, with the exception of attempts to change user accounts in the spare containers in the DA (add/remove application services, change quotas, etc.). First of all, I checked that it is not an LDAP problem: I used both the ldapmodify command line and a GUI LDAP browser to edit the entries with no hiccups.

I traced it so far: when you try to save account information for accounts in non-standard containers, DA always tries to use a hardcoded path (i.e. uid=username,ou=People,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displays it as) uid=username,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.

Eventually, this "hard code" follows the DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties, which lists parts of the LDAP structure:

#############################################################################
#
# Ldap configuration.
# List of ldap hosts. Form is <ldaphost>:<PortNumber>. (Default port = 389)
# Add additional hosts with ldaphost-<number>
# Schema type is '1' or '2'.
# Reconnect interval is in seconds
# Group and people container is the dn relative to the Organization dn (for example ou=People)
#
#############################################################################
ldaphost-1=oucsldap01:389
ldaphost-2=oucsldap02:389
ldaphost-suffix=dc=DOMAIN,dc=NAME
ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
ldaphost-maxcount=50
ldaphost-schematype=2
ldaphost-reconnectinterval=60
ldaphost-peoplecontainer=ou=People
ldaphost-groupcontainer=ou=Groups
ldaphost-orgadminrole=cn=Organization Admin Role
#####

While the organization root dn is not explicit here (and shouldn't be), the default people container is... I could guess a logical programming error like this: indeed, the 'ou=People' container should be used by default when you create a user through the DA; by mistake it could also be used when editing existing users, instead of their full DN / existing parent DN.

Questions related to this:

(1) Does anyone have a working configuration with several user/group containers in an organization like this? Would you care to share details and workarounds, if any were needed?

(2) I think that the 'domain/organization shared hosting' mode might help here: at least it is intended to have several LDAP trees with their DAs sharing a single e-mail domain. Before I go and reconfigure everything, I'd like to hear if there are success stories with this route. Is it a good solution (or workaround) for this config?

Thank you
Jim Klimov

I wanted to follow up: I reconfigured the directory structure according to domain hosting, with branches for SIE-synchronized accounts as one of the organizations sharing the secondary domain, and manually created OUCS-only accounts in another subsidiary organization. This method works for the messaging components and the DA, as user IDs are in ou=People of their own organization. A little unfortunately, the SIE config seems to allow only a single target branch in the Directory and sets up groups (CN) there as well. Well, for our needs (changing user attributes and application services via DA) that's enough. Sometimes there are misfires (cannot save changes), but they are intermittent and harder to trace and debug; usually they disappear with a restart of the DA web container. The Directory LDAP instances are configured with plugins to enforce uniqueness of uid across the entire organization and uniqueness of the mail address attribute values (mail, mailAlternateAddress, mailEquivalentAddress) in order to avoid clashes between user accounts in different branches.

Also, we had a problem with the calendar server after migrating LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocating entries (as we did) generated new values for the new entries and users got new, empty calendar databases. It wasn't a major problem on this POC, and the latest OUCS releases with a davUniqueID attribute should be specifically immune to this problem. However, for others treading this way I can suggest that they export the LDAP database to LDIF including the unique identifiers, re-create the suffixes if necessary (the SIE target organization in the Directory should be a separate LDAP database suffix), edit the entry paths in the LDIF and import the LDIF anew. This would erase the old LDAP data and should keep the old nsUniqueIDs on the moved entries, unlike re-creation via ldapadd or relocation via ldapmodrdn.

We also hit a problem with DA refusing to return the list of accounts (it returned 0 or 25 empty entries in a table). LDAP logs showed that on the LDAP protocol side everything was ok and the expected number of responses was returned. Since searches often produced good results with a subset of users on the DA end, we linked the problem to the binary base64-encoded EIS attributes (dspswuserlink et al.; some of these values garbled the output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA admin user to read, search or compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, applying this ACI not to an explicitly named admin user but to all users with DA administrator privileges (by group or role? what would cover them all in advance)? Or perhaps no one except the EIS user account should see these SIE attributes?

Hope this report helps others who are experimenting at the forefront of this messaging integration road.

Jim Klimov
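The open question at the end of the previous post (restricting read, search and compare on the base64-encoded EIS attributes for every DA administrator rather than for one named admin) maps directly onto the Directory Server ACI bind rules: `userdn` names one account, `groupdn` covers the members of a group, and `roledn` covers every holder of a role. The LDIF below is an added example, not from the original post or the product documentation. The organization suffix, the `uid=da-admin` account, the `cn=DA Admins` group and the role DN are assumptions modelled on the serverconfig.properties fragment above; `dspswuserlink` is the one attribute the post names (further attributes would be appended inside `targetattr` with `||`).

```ldif
# Added example (not from the original post). Suffix, account, group and role DNs are assumptions.
# The ACIs are placed on the organization entry so they cover every container beneath it,
# including the non-default ones (ou=morePeople and the like).
dn: o=DOMAINNAME,dc=DOMAIN,dc=NAME
changetype: modify
# Variant 1: what the post describes, a deny for one explicitly named DA admin account.
add: aci
aci: (targetattr = "dspswuserlink")
  (version 3.0; acl "Hide EIS link attrs from one DA admin";
  deny (read, search, compare)
  userdn = "ldap:///uid=da-admin,ou=People,o=DOMAINNAME,dc=DOMAIN,dc=NAME";)
-
# Variant 2: the generic form by group; every member of the assumed DA admins group is covered.
add: aci
aci: (targetattr = "dspswuserlink")
  (version 3.0; acl "Hide EIS link attrs from DA admin group";
  deny (read, search, compare)
  groupdn = "ldap:///cn=DA Admins,ou=Groups,o=DOMAINNAME,dc=DOMAIN,dc=NAME";)
-
# Variant 3: the generic form by role, using the organization admin role that
# serverconfig.properties points DA at (role DN reconstructed from that fragment).
add: aci
aci: (targetattr = "dspswuserlink")
  (version 3.0; acl "Hide EIS link attrs from org admin role";
  deny (read, search, compare)
  roledn = "ldap:///cn=Organization Admin Role,o=DOMAINNAME,dc=DOMAIN,dc=NAME";)
```

Only one of the three `add: aci` blocks is needed; they are shown side by side to contrast the single-account form with the group and role forms. In Directory Server a `deny` takes precedence over any `allow` on the same attribute, so the DA admins keep whatever rights they already have on the rest of the entry. To check the effect, bind as a member of the group (or a holder of the role) and run an ldapsearch for a synchronized user requesting `dspswuserlink`: the entry should come back with that attribute absent, while the same search bound as the EIS account still returns it.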

Tags: Fusion Middleware

Similar Questions

  • The remote procedure call failed and did not execute + user problem?

    Good, so I have a Sony VAIO with Windows 7 Home Premium 64-bit, 4 GB RAM and a 640 GB hard drive. During its first installation, the VAIO asks you to name your computer, so I called it "CARINA" and everything worked perfectly.

    However, we wanted to change the main username to 'OSCAR', so I went to Control Panel > Users and changed it. I thought everything was great, because when I open the Start Menu, at the top right it says "OSCAR". After searching more in the search area, two things appeared under the name 'CARINA': a 'user profile', I think, which had a small sky-blueish coloured square, and a folder with a lock on it. I tried clicking on the 'CARINA' user profile first, and it just opened what, in my view, is a Properties window for 'CARINA'.

    But when I clicked on the "CARINA" folder with the lock, it opened my libraries. But get this: at the top, it said not "CARINA" but "OSCAR". I thought it was odd that it did that, so I told the computer to delete the folder with the lock named 'CARINA'. As soon as I realized it was a huge folder and a gazillion files were in there (my real libraries), I cancelled it and went immediately to restore it from the Recycle Bin. But nothing appears in the Recycle Bin, or rather I can't enter it either because of an error saying "the remote procedure call failed and did not execute".

    But the mistake has been made and now it does not work. The Start Menu appears, but I can't click on anything or use the search box. When I click on my Documents library, the same message appears ("the remote procedure call failed and did not execute"), or when I enter 'Open Action Center', it says: "{266EE0668-A00A-44D7-9371-BEB064C98683}\5\::{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB...» The remote procedure call failed and did not execute." Programs on my toolbar work, such as Chrome or Windows Media, and I can change the volume with the icon in the lower right, but I cannot enter 'Computer', my libraries, or anything else. When I open the Task Manager, under Processes, they are all under the name CARINA. If I go to the "explorer.exe" process, and right-click on top of CARINA > Properties > Security, there are 4 listed users:

    • SYSTEM
    • Administrators (CARINA-VAIO\Administrators)
    • Users (CARINA-VAIO\Users)
    • TrustedInstaller

    The computer has a backup (I also have a backup of another VAIO Windows 7 Home Premium 64-bit if necessary) and I'm afraid to shut it down in case it does not start again. :(

    Any help? What can I do?

    Hello

    Method 1:

    Follow the steps mentioned below.

    (a) type services in the start menu search box.

    (b) in Services, scroll down to "Remote Procedure Call", and make sure the status is 'Started' and the startup type is set to Automatic.

    (c) the second one, "RPC Locator", must be set to "Manual".

    Method 2:

    I suggest you run an SFC scan. The SFC scan will scan all protected system files and replace incorrect versions with the appropriate Microsoft versions.

    How to use the System File Checker tool to fix the system files missing or corrupted on Windows Vista or Windows 7
    http://support.Microsoft.com/kb/929833

    Note:
    I suggest you check manage user accounts to check how many user accounts are present.

    a. Click Start.
    b. go to the control panel.
    c. click user accounts and family safety, and click on user accounts.

    Check how many accounts user is present.

    Method 3:
    I suggest you create a new user account and check if the problem persists.

    Create a user account
    http://Windows.Microsoft.com/en-in/Windows7/create-a-user-account

    If everything works well in the new user account, then I suggest you transfer data and settings to fix the corrupted profile.

    Fix a corrupted user profile
    http://Windows.Microsoft.com/en-in/Windows7/fix-a-corrupted-user-profile

  • BlackBerry Desktop Manager stops and does not sync the smartphone

    Hello, I just got my new BlackBerry Storm and I installed the software on my laptop running Vista Home.  The software loaded properly, the icon is on the desktop, but when I use the USB cable and open the Desktop Manager, then I click on synchronize and I get an error.  There is no error number, it just says: unknown error reported

    How can I get my mobile calendar and Notes to synchronize with my Blackberry Storm?

    Thank you

    Bill

    Well, I broke down and called Bell Mobility.  They had me up and running in a few minutes.  I guess I would have called them first, but given my history with Bell Mobility Technical Support... well, I only use them as a last resort.

    In any case, the fix for this problem is to go into Control Panel / User Accounts / Turn User Account Control on or off / and then make sure that the box is NOT checked where it says "Use User Account Control (UAC) to help protect your computer".

    My box had a check mark, so when I removed it and then returned to BBDM I was able to synchronize my data between the Storm and my laptop.

    Thanks to those who helped, now we know what to do if someone else comes in the Forum with the same problem.

  • Adobe Application Manager hangs and does not load

    I am a subscriber of creative cloud

    I have manually uninstalled Acrobat XI - I know, bad idea, I would not have done, but now it is what it is...

    So now I can't run Adobe Application Manager without it hanging.

    I downloaded and installed the AAM patch from here: http://www.Adobe.com/support/downloads/detail.jsp?ftpID=4774

    That did not solve the problem.

    I used the uninstall programs to remove all my Creative Cloud apps as suggested here: http://helpx.Adobe.com/Creative-Suite/KB/troubleshoot-creative-cloud-installation-download .html #download_freeze

    That did not solve the problem.

    I'm stuck.  Now I have no Creative Cloud applications and I can't get AAM running so that I can get the apps installed.

    Remove opm.db. It should be in Library: Application Support: Adobe

    Mylenium

  • R510 'foreign configuration(s) found on adapter': does not accept C or F and cannot proceed

    Hi all

    I have a misbehaving R510 that complains of 'foreign configuration(s) found on adapter'.  Normally I can clear/import it with F or go into the config with C.  However, this machine does not accept F or C (despite offering them) and I can't get out early with any BIOS or Ctrl-R options.  Any advice on how to escape from it?  The keyboard works (I can get into the NIC stuff with Ctrl-S), but otherwise it's stuck.

    Thank you

    Jack

    Try disconnecting the drives and see if it moves beyond this error; one of the disks may be hanging the controller. If it moves past it, then it is probably not a controller problem and you can try re-inserting the drives.

  • Are the TsInternetUser group, Upload Manager, and the NNTP service no longer present in Windows Server 2008? If yes, please give me a reference link

    I need a link that confirms that Upload Manager, the TsInternetUser group and the NNTP service are no longer included in Windows Server 2008

    Hi HP_990,

    I would suggest to repost your question in our forums Windows Server TechNet here:

    http://social.technet.Microsoft.com/forums/en/category/WindowsServer

    Thank you!

  • User belongs to a domain and does not belong to the local Administrators or Power Users groups, or any custom group, and is not part of the Domain Admins group, but the user shows as admin

    WinXP
    The user belongs to a domain and does not belong to the local Administrators or Power Users groups, or any custom group, and the user is not part of the Domain Admins group, but the user shows that it is admin.

    I did a gpupdate /force and restarted the PC twice.
    Yet the user still shows as admin when we right-click on the Start menu and see the option to open All Users.

    Hi elena_ad,

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the public on the TechNet site. Please post your question in the below link:

    http://social.technet.Microsoft.com/forums/en/winserverManagement/threads

  • My computer is connected to the Windows 2008 R2 server and some of the users on this computer receive their network drive mapped on group policy and some do not.

    My computer is connected to the Windows 2008 R2 server and some of the users on this computer receive their network drive mapped by group policy and some do not.  I find nothing in Event Viewer that shows that there is a problem.  Please let me know what to do to get the drives to appear.

    Original title: Network Networking file sharing file sharing file sharing file sharing discovery sharing Fileshare share shared

    Hi,

    The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the TechNet Forums.

    TechNet Forum

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

     

    Hope this information helps.

  • Difference between the built-in Admin user and users assigned to the Administrators group.

    I'm trying to use a printer with an OPOS driver on Remote Desktop Services.  My computer is Windows 7 and the server is 2008 R2 64-bit.

    If I remote in as the built-in Admin, the driver utility works correctly.  If I log in as a user assigned to the Admin group I get an OPOS claim error.

    I tried copying the user information in case the user data had been corrupted.

    Can you please explain, shed some light on how and why Admin user rights do not work with the OPOS utility.

    The hidden administrator account does not have the UAC filtered token like other admin accounts. "A programmer is just a tool which converts caffeine into code" Deputy CLIP - http://www.winvistaside.de/

  • ASA LDAP does not find memberOf for the Active Directory Domain Users group

    It seems that any group I add an account to is picked up by the ldap memberOf, except for the Domain Users group. Is there a specific exclusion of this group somewhere? It does not seem to be a problem with the space in the name, because if I test it with other default groups like Domain Admins, it works. I get the same result from the ldap attribute map whenever I try to use the Domain Users group in a DAP policy. Debug ldap 255 returns every other group membership for an account with the exception of Domain Users.

    When I run the command "sh filter LDAP ad 'Domain' group", the Domain Users group is in the list of results, so it is able to see it and it exists.

    Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute. http://msdn.microsoft.com/en-us/library/ms677943.aspx That explains why the mapping fails for Domain Users as seen in the debugs.

  • AnyConnect tunnel-group automatic assignment without selecting any group-alias (tunnel-group-list) and user group-policy.

    The objective is that the AnyConnect user should not have to select a group-alias, so that when a user enters his username and password he goes to his specific group-policy and tunnel-group. So I removed this command in webvpn ('no tunnel-group-list enable'). With this I cannot connect (the user does not authenticate).

    1 - my question is why does this not work?

    Solution:

    If I keep only a single default tunnel-group and make several group-policies and assign each user his specific group-policy, it works. In the user attributes, if I have only the following commands it works, but if I put "group-lock value test-tunnel" then it does not authenticate.

    Please explain why.

    webvpn
     enable outside
     cache-fs limit 50
     svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
     svc enable
    group-policy test-gp internal
    group-policy test-gp attributes
     vpn-tunnel-protocol svc webvpn
     address-pools value test-pool
    username test password test
    username test attributes
     vpn-tunnel-protocol svc
     group-lock value test-tunnel
     vpn-group-policy test-gp
    tunnel-group test-tunnel type remote-access
    tunnel-group test-tunnel general-attributes
     default-group-policy test-gp
    tunnel-group test-tunnel webvpn-attributes
     group-url https://192.168.168.2/test enable

    Yes, you have the right solution. You only need to create 1 tunnel-group and multiple group-policies. Under the user attributes, you then set the vpn-group-policy that you want the user assigned to.

    You can also authenticate users against AD and configure ldap attribute map to map the user to a specific group policy automatically.

    Here is an example of configuration if you happen to have the AD and will authenticate against AD:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

    Hope that helps.

  • How to set up users, groups and security roles in WebCenter Enterprise Capture 11.1.1.8.0

    Hello

    I need to set up user group and role security for E-Capture but there is no doc for it; I configured 5 users in the WebLogic console with the administrator group, but faced the problem mentioned below.

    Problem:

    (1) E-Capture shows only the weblogic user and I'm not able to search for any other user.

    (2) Still not able to connect to the E-Capture console and client using any user other than weblogic.

    Please guide me on how to set security for the E-Capture console and E-Capture client.

    Thanks in advance

    Sanjeev

    Hello

    Connect to Enterprise Manager -> right click on the domain -> Security -> Roles and Policies

    Then select Capture and navigate to the Capture roles; add LDAP users and groups to the roles according to your Capture requirements. If faced with any LDAP related issues, create a user with the admin role and try to add it first by assigning both roles there. Hoping that this will certainly help.

  • WC Portal - need information about migration or DB tables for roles and users/groups.

    Hello

    We are upgrading the WebCenter Portal for a client from 11.1.1.3.0 to 11.1.1.8.0.

    Can anyone let me know the migration procedure or the DB tables involved that store the roles and the "user & groups" under security administration.

    Recreating all roles, users and groups one by one manually is my last option.

    Thank you

    Jean Claude

    Hello.

    Do not recreate it manually.

    The documentation must have a guide for the PS2 - PS7 migration explaining step by step what to do regarding security / policies.

    Read it slowly and carefully.

    Use the WLST scripts to backup/export/import your policy store / credentials.

    Following links can help you understand the WLST Scripts for the migration of security:

    http://docs.Oracle.com/CD/E29542_01/core.1111/e10043/addlsecfea.htm#JISEC3639

    Infrastructure Security Custom WLST Commands - 11g Release 1 (10.3.6)

    We have migrated many times from 11.1.1.4/5 to 11.1.1.8. Always from the PS3 (11.1.1.4) version.

    11.1.1.3 to 11.1.1.4 was the biggest change from my point of view. I never had the opportunity to go from PS2 to PSx.

    For migration tasks, my recommendation is to ask Oracle Support about doubts or things not clearly explained in the documentation.

    Kind regards.

  • Cannot delete a group in Catalog Manager

    We have a user who cannot log in to the dashboards. It seems that the error is because his user name matches a group or a user with the same name. I say 'user or group' because the object's icon is different from what I normally see with catalog groups. However, the object is only visible when choosing 'Show users and groups'.

    As an administrator, I try to delete this user/group but it never deletes and there is no error message. How can I force delete this?

    Go to Administration -> Manage Presentation Catalog Groups and Users
    You can go to find or use "View users and groups" and then perform a search.

    To remove a user, you can go to the offline Catalog Manager and delete it.

    If it helps, please mark it.

  • Users not provisioned to OID groups from OIM

    I created an access policy such that when I create a user with the 'advise' role, he is automatically provisioned to the OID resource and the OID group (cn=group1,cn=groups,dc=ad,dc=company,dc=com).
    The user is provisioned to the OID users (cn=users) but not to cn=group1,cn=groups...
    What could be wrong?

    I ran the freshly added OID lookup tasks to generate the Group lookup. These lookups complete as a process when I create an access policy.
    For example, the generated lookup is cn=group1,cn=groups,dc=ad,dc=company,dc=com, and the decode value is Group1.

    The process form and the user profile are not related. This means that changes in the process form are not reflected in the user profile. This may be a possible reason for the hassle described above.

    Please help me solve this problem.

    Edited by: Nelly Saluja on February 15, 2010 01:30

    Are you sure that the user must be entered under cn=groups.... which appears as the CN for the group? I have never really seen OID, but check by viewing the properties of that user and look for a tab like groups or memberOf etc. Maybe that's how the group is associated with the user. Just to confirm.

    Or rather, create a user manually in OIM under this group and see if the user is visible under cn=groups... as you expect.

    Thank you

    Sunny
