on 09-02-2008 1:01 PM
Hi,
I'm trying to assign a User to an ADS group using the script "sap_getGroupDN".
Unfortunately the mskey given to that method is the mskey from the user and not from the group.
Any suggestions or ideas?
How did you manage that case?
Kind regards,
Achim Heinekamp
CONET Solutions GmbH
Hello,
Instead of using a script you can use a ToLDAP Pass with the following config:
dn %GROUPDN%
. Objectclass group
changetype modify
+ member %USER_DN%
You can link the task to the workflow. I presume you know the GROUPDN value which comes from the Idstore; if not, you can create it by adding a script in front of dn.
The thing is the group should exist before you add a user as a member. You can run the task for different group names.
Hope this helps while you fix your script.
Regards,
Dev
Hi Achim,
the script sap_getGroupDN works fine for us. You give the MSKEY of the user and get back the DN of the assigned or unassigned group. Be careful - you have to assign the AD groups as MX_PRIVILEGE instead of MX_GROUP! MX_GROUP is used e.g. to assign SAP NW Portal privileges to AD Groups.
In the SAP Provisioning Framework the script is called in the pass of the Job AssignUserToADSGroup:
dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$
changetype modify
+ member %DN%$rep.$NAME%%
This job is called within the whole task structure, when you set the MX_(DE)PROVISIONTASK and MX_MODIFYTASK of your repository correctly and assign groups to users or the other way round. It also works for more than one assigned group, because this pass is called several times for each (un)assignment.
If you still get errors, check your initial load jobs and if you have set DISTINGUISHEDNAME and MX_REPOSITORYNAME in your groups (in reality MX_PRIVILEGE).
Best regards,
Nils Sibold
Hi Nils,
Thank you for your reply. (You earned six points for that!)
My problem is the string, expected by the script.
The script is expecting a string like "#0815:Insert:4711;0
But I have no idea at which point the string is created and written to the table. I assume I made a mistake during the definition of the ToPass.
br,
Achim Heinekamp
Hi folks,
it seems I'm having a very similar problem to Achim, although the symptom is a little different. When I run the task to assign a role (1 AS ABAP, 1 AS Java and 1 AD OU) on the task AssignUserToADSGroup I get an error message that reads:
PrivDN: !ERROR:No such attribute
I've assigned the privilege to the role, and it seems to recognize that and create the user, however...the groups don't get assigned.
The full output is below:
<?xml version="1.0" encoding="UTF-8"?>
<mx:EMSLOG xmlns:mx="http://www.maxware.com/EMS">
<mx:GENERAL>
<mx:DATE>21.07.2009 20:57:41</mx:DATE>
<mx:VERSION>DSE.JAR version: 7.10.02.0 Built: 01.07.2009 15:49:23 (c) Copyright 2008 SAP AG. All rights reserved.</mx:VERSION>
<mx:MACHINE>clklabvm3-disp01</mx:MACHINE>
<mx:JOBID>045EB0C2-E35B-4AD7-8D0A-84B51594EAAF</mx:JOBID>
<mx:WORKAREA>C:/Program Files (x86)/SAP/IdM/Identity Center/Jobs/045EB0C2-E35B-4AD7-8D0A-84B51594EAAF</mx:WORKAREA>
<mx:JOB>jdbc:sqlserver://clklabvm3\idm:1988;responseBuffering=full;encrypt=false;databaseName=mxmc_db;selectMethod=direct;trustServerCertificate=false;lastUpdateCount=true; - MACHINE:clklabvm3-disp01</mx:JOB>
<mx:PRODUCT>Provisioning</mx:PRODUCT>
<mx:CUSTOMER>SAP customer : f9c1c5cd66189d133765ac44ea6c127a</mx:CUSTOMER>
<mx:TIMEUSED>5</mx:TIMEUSED>
<mx:NERRORS>0</mx:NERRORS>
<mx:NWARNINGS>3</mx:NWARNINGS>
<mx:NENTRIES adds="3" mods="0" dels="0" noops="0" markdels="0">3</mx:NENTRIES>
</mx:GENERAL>
<mx:PASSES>
<mx:PASS name="Job Initialization" title="Messages that occurred before the job was loaded" type="init" seq="0">
<mx:MESSAGES>
<WARNING seq="1">
<mx:TEXT>Failed loading JDBC Driver class com.microsoft.jdbc.sqlserver.SQLServerDriver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: com.microsoft.jdbc.sqlserver.SQLServerDriver</mx:TEXT>
</WARNING>
<WARNING seq="2">
<mx:TEXT>Failed loading JDBC Driver class com.sap.dbtech.jdbc.DriverSapDB</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: com.sap.dbtech.jdbc.DriverSapDB</mx:TEXT>
</WARNING>
<WARNING seq="3">
<mx:TEXT>Failed loading JDBC Driver class org.gjt.mm.mysql.Driver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: org.gjt.mm.mysql.Driver</mx:TEXT>
</WARNING>
<WARNING seq="4">
<mx:TEXT>Failed loading JDBC Driver class oracle.jdbc.driver.OracleDriver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: oracle.jdbc.driver.OracleDriver</mx:TEXT>
</WARNING>
<WARNING seq="5">
<mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jdbc.app.DB2Driver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jdbc.app.DB2Driver</mx:TEXT>
</WARNING>
<WARNING seq="6">
<mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jcc.DB2Driver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jcc.DB2Driver</mx:TEXT>
</WARNING>
<WARNING seq="7">
<mx:TEXT>Failed loading JDBC Driver class COM.ibm.db2.jdbc.net.DB2Driver</mx:TEXT>
<mx:TEXT>java.lang.ClassNotFoundException: COM.ibm.db2.jdbc.net.DB2Driver</mx:TEXT>
</WARNING>
</mx:MESSAGES>
</mx:PASS>
<mx:PASS name="6D5485D1-2CF6-4E5B-9972-7141CB9051EA" title="AssignUserToADSGroup" type="ToLDIF" seq="1">
<mx:MESSAGES>
<mx:WARNING seq="1">
<mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
<mx:ENTRY/>
</mx:WARNING>
<mx:WARNING seq="2">
<mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
<mx:ENTRY/>
</mx:WARNING>
<mx:WARNING seq="3">
<mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT>
<mx:ENTRY/>
</mx:WARNING>
</mx:MESSAGES>
<mx:DELTA>0</mx:DELTA>
<mx:TIMEUSED>2</mx:TIMEUSED>
<mx:NENTRIES adds="3" mods="0" dels="0" noops="0" markdels="0">3</mx:NENTRIES>
<mx:NERRORS>0</mx:NERRORS>
<mx:NWARNINGS>3</mx:NWARNINGS>
</mx:PASS>
</mx:PASSES>
</mx:EMSLOG>
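A check for the log above, as an added example that is not part of the original post: the job reports NERRORS 0 while every group assignment in the AssignUserToADSGroup pass failed with an "!ERROR" warning, so a monitor that reads only the error counter would miss it. The sample log is constructed by trimming the log above; the function and variable names are assumptions.

```python
import xml.etree.ElementTree as ET

Q = "{http://www.maxware.com/EMS}"  # namespace declared by the log on this page

# Constructed sample: the posted log trimmed to the elements this check reads.
SAMPLE_LOG = """<mx:EMSLOG xmlns:mx="http://www.maxware.com/EMS">
<mx:GENERAL><mx:NERRORS>0</mx:NERRORS><mx:NWARNINGS>3</mx:NWARNINGS></mx:GENERAL>
<mx:PASSES>
<mx:PASS name="Job Initialization" title="Messages that occurred before the job was loaded" type="init" seq="0">
<mx:MESSAGES>
<WARNING seq="3">
<mx:TEXT>Failed loading JDBC Driver class org.gjt.mm.mysql.Driver</mx:TEXT>
</WARNING>
</mx:MESSAGES>
</mx:PASS>
<mx:PASS name="6D5485D1-2CF6-4E5B-9972-7141CB9051EA" title="AssignUserToADSGroup" type="ToLDIF" seq="1">
<mx:MESSAGES>
<mx:WARNING seq="1"><mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT><mx:ENTRY/></mx:WARNING>
<mx:WARNING seq="2"><mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT><mx:ENTRY/></mx:WARNING>
<mx:WARNING seq="3"><mx:TEXT>PrivDN: !ERROR:No such attribute</mx:TEXT><mx:ENTRY/></mx:WARNING>
</mx:MESSAGES>
<mx:NERRORS>0</mx:NERRORS>
<mx:NWARNINGS>3</mx:NWARNINGS>
</mx:PASS>
</mx:PASSES>
</mx:EMSLOG>"""


def triage(log_xml):
    """Return the job-level error counter and every message that contains
    '!ERROR' inside a pass whose own NERRORS counter is 0."""
    root = ET.fromstring(log_xml)
    job_errors = int(root.findtext(f"{Q}GENERAL/{Q}NERRORS", default="0"))
    hidden = []
    for p in root.iter(f"{Q}PASS"):
        # The init pass in the posted log has no counter; treat that as 0.
        pass_errors = int(p.findtext(f"{Q}NERRORS", default="0"))
        if pass_errors != 0:
            continue  # already visible through the counter
        for msg in p.iter(f"{Q}TEXT"):
            text = (msg.text or "").strip()
            if "!ERROR" in text:
                hidden.append((p.get("title"), text))
    return {"job_errors": job_errors, "hidden": hidden}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("NERRORS reported by job:", result["job_errors"])
    for title, text in result["hidden"]:
        print(f"uncounted failure in pass {title!r}: {text}")
```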
Achim,
So you're saying that the script is returning the MSKEY of the user and not the group?
Try working in the function: uIS_sGetValue to get the MSKEY of the proper group and then you can write it in using uIS_sSetValue