Active Directory connection and replication configuration

General

Click here for general information about user replication.

Active Directory

The Active Directory is divided into three parts: schema, configuration and domain.

The first two parts of the Active Directory are replicated between all domain controllers in the forest, while the domain-specific information is basically only available within the respective domain, i.e. on their respective domain controllers. Therefore, there is an additional so-called global catalog in each domain. It represents all information of its own domain and additionally contains important sub-information of the other domain from the overall structure and therefore enables cross-domain search operations, for example.

The records in the database are defined in Active Directory as objects and their properties as attributes. The attributes are defined depending on their type. Objects are uniquely identified by their name.

Objects can be divided into two main categories:

The potentially up to many millions of objects are stored in containers (organizational units), also called OUs (Organizational Unit). Some containers are predefined, any further organizational units can be created with subunits (suborganizational units). As an object-based system, Active Directory supports passing on object container properties to child objects that can also be containers themselves. This allows Active Directory to build networks logically and hierarchically.

An Active Directory contains various objects. In addition to the user, there are permission objects such as user groups and roles, as well as organizations, organizational units, general containers and distribution groups (mail system). In addition, an Active Directory from different systems is not necessarily identical. Each system comes with its own characteristics.

Intrexx offers various replication profiles that are adapted to the different Active Directory systems. These must be selected accordingly when configuring a replication job.

Profile name Description
Active Directory Large Groups.xml Profile for Active Directories with groups containing more than 1000 members. This profile takes more time to replicate and should be used only if the group membership exceeds the said value.
Active Directory NTLM compatible.xml This Active Directory profile is used when NTLMv1 login and domain names are desired in Intrexx, e.g. for the integrated authentication via Tomcat.
Active Directory Standard Active Directory replication profile
Attribute Based Role Sample.xml Example profile: In this profile, users are placed in the default user container (placing="fixed") and assigned to a role based on one of their attributes (here: roleattr).
Dynamic OU Path Sample.xml Example profile: Users are assigned to a container here that is read from one of their attributes (here: ou). The attribute value is expected as a path with backslash separators (2nd parameter of $path)
Dynamic OU Sample.xml Example profile: Similar to the Dynamic OU Path Sample profile except that only the last part of the path is evaluated to determine the container.
eDirectory.xml Novell eDirectory
OpenLDAP - POSIX.xml OpenLDAP
Sun ONE.xml SUN One

The following tables represent the most common attributes, i.e. only a part of the actual scope. In particular, the attributes are extended by other applications (e.g. Microsoft Exchange) but optional attributes can also be configured individually.

Table of Active Directory fields of the group object

Class Field name Description
General distinguishedName Distinguished name
General cn Common name
General objectClass Object class (USER)
General uSNCreated Original USN
General uSNChanged Current USN
General whenCreated Created on
General whenChanged Changed on
General objectGUID Object GUID
user Given name First name
user sn Last name
user name Display name
user samAccountName Login name NT
user userPrincipalName Login name
user description Description
user title Title
user initials Initials
user employeeID Employee number/ID
user physicalDeliveryOfficeName Office name
user company Company
user department Department
user streetAddress Street
user postalCode Postal/Zip code
user postOfficeBox PO box
user l City
user st State/province
user co Country (name)
user countryCode Country code (ISO-3166)
user c Country code (ISO-3166)
user wwwHomePage Website
user url Other websites
user mail Business email
user telephoneNumber Phone
user otherTelephone Other telephone numbers
user mobile Mobile
user otherMobile Other cellphone numbers
user facsimileTelephoneNumber Facsimile
user otherFacsimileTelephoneNumber Other fax numbers
user ipPhone IP telephone
user otherIpPhone Other IP telephone numbers
user pager Pager
user otherPager Other pagers
user homePhone Private phone
user otherHomePhone Other private home numbers Phone no.
user msExchHideFromAddressLists Do not show in Exchange address lists True = hide null/empty = show
user thumbnailPhoto Photo (max. 100kB)
user accountExpires Account lifetime Value 0 = Unlimited. Date value is calculated as 100ns interval since 01/01/1601 (UTC).
user passwordlastset Last password change as long value (100ns interval since 01.01.1601 UTC
user userAccountControl Account options
user info Comments on user
user homeDirectory Base directory
user lastLogonTimestamp Last time of login
user primaryGroupID Primary group assignment
user Nsaccountlock
user uid Login name (RFC 1274)

Table of Active Directory fields of the group object

Class Field name Description
General distinguishedName Distinguished name
General cn Common name
General objectClass Object class (GROUP)
General uSNCreated Original USN
General uSNChanged Current USN
General whenCreated Created on
General whenChanged Changed on
General objectGUID Object GUID
group sAMAccountName Group name (NT)
group description Description
group groupType Group area/type
group info Commen
group mail Email
group memberOf Member of
group managedBy Managed by
group primaryGroupToken Primary group assignment

Table of Active Directory fields of the organization object

Class Field name Description
General distinguishedName Distinguished name
General cn Common name
General objectClass Object class
General uSNCreated Original USN
General uSNChanged Current USN
General whenCreated Created on
General whenChanged Changed on
General objectGUID Object GUID
organizationalUnit name Variable
organizationalUnit Description Description
organizationalUnit gPLink

Intrexx User Manager

The Users module includes several database tables and a view to manage the components.

Database table Function
DSOBJECT Object management of all objects of the user management
DSORGANIZATION Organization attributes
DSORGUNIT Organizational unit attributes
DSCONTAINER Container attributes
DSDISTLIST Distribution list attributes
DSGROUP User group attributes
DSUSER User attributes
DSROLE Role assignment table
DSSET User group assignment table
DSCLASS Object classes and associated data groups
DSCLASSTITLE Multilingual object class titles
DSATTRIBUTE Management of all user management attributes and their properties
DSATTRIBUTETITLE Multilingual attribute titles
VBLUSER View from DSUSER and DSOBJECT referring to the users

Field user attributes (DSUSER)

Variable Data Field Description Type Size
- LID User ID Integer
- STRGUID User GUID String 255
LOGIN STRLOGIN Login name String 64
LOGINLWR STRLOGINLWR Login name (short description) String 64
DOMAIN STRDOMAIN Domain String 48
DOMAINLWR STRDOMAINLWR Domain (short description) String 48
TIMEZONE STRTIMEZONE Time zone String 32
FIRSTNAME STRFIRSTNAME First name String 64
LASTNAME STRLASTNAME Last name String 64
MIDDLENAME STRMIDDLENAME Middle name String 64
FULLNAME STRFULLNAME Full name String 172
TITLE STRTITLE Title String 64
GENDER LGENDER Gender Integer
STREET STRSTREET Street String 96
POSTALCODE STRPOSTALCODE Postal/Zip code String 10
POBOX STRPOBOX PO box String 10
CITY STRCITY City String 96
STATE STRSTATE State/province String 32
COUNTRY STRCOUNTRY Country String 32
MAILBIZ STRMAILBIZ Business email String 192
PHONEBIZ STRPHONEBIZ Phone String 40
PHONEMOBILEBIZ PHONEMOBILEBIZ Business cellphone number String 40
PHONEFAX STRPHONEFAX Facsimile String 40
PHONEPAGER STRPHONEPAGER Pager String 40
MAILHOME STRMAILHOME Private email String 192
PHONEHOME STRPHONEHOME Private phone String 40
PHONEMOBILEHOME STRPHONEMOBILEHOME Private cellphone number String 40
BIRTH DTBIRTH Date of birth DateTime
ENTER DTENTER Date of entry DateTime
LOGINATTEMPTS LLOGINATTEMPTS Login attempts(V7) Integer
PWDCHANGED DTPWDCHANGED Date password was changed (V7) DateTime
DEFAULTLANGUAGE STRDEFAULTLANG Default language String 2
MUSTCHANGEPASS BMUSTCHANGEPASS User must change password at next login (V7) Boolean
MUSTNOTCHANGEPASS BMUSTNOTCHANGEPASS User cannot change password (V7) Boolean
PWDEXPIRES BPWDEXPIRES Password expires (V7) Boolean
DEFAULTLOCALE STRDEFAULTLOCALE Default locale (V7) String 50
TIMEZONE STRTIMEZONE Time zone String 32

Organizational attribute fields (DSORGANIZATION)

Variable Data Field Description Data type Size
ID LID Organization ID Integer
STREET STRSTREET Street String 96
POSTALCODE STRPOSTALCODE Postal/Zip code String 10
POBOX STRPOBOX PO box String 10
CITY STRCITY City String 96
STATE STRSTATE Province/State/Canton String 32
COUNTRY STRCOUNTRY Country String 32

Organizational unit fields (DSORGUNIT)

Variable Data Field Description Data type Size
ID LID Organizational unit ID Integer
STREET STRSTREET Street String 96
POSTALCODE STRPOSTALCODE Postal/Zip code String 10
POBOX STRPOBOX PO box String 10
CITY STRCITY City String 96
STATE STRSTATE Province/State/Canton String 32
COUNTRY STRCOUNTRY Country String 32

Object table fields (DSOBJECT)

Variable Data Field Description Data type Size
ID LID Object ID Integer
CONTAINERID LCONTAINERID Integer
NAME STRNAME Object name String 128
CLASSID LCLASSID

Object class ID:

2 = User

3 = Container

5 = Role

6 = User group

7 = Distribution list

8 = Organizational unit

9 = Organization

Integer
GUID STRGUID Internal object GUID String 40
PRIORITY LPRIORITY

Priority (0 ... 100):

100 = maximum

0 = minimum

Integer
DELETABLE BDELETABLE Object is deletable Boolean
DELETED BDELETED Object deleted Boolean
DISABLED BDISABLED Object deactivated Boolean
INTERNALUSN LINTERNALUSN Integer
RPLGUID STRREPLGUID Replication job GUID String 40
DN STRDN Distinguished name String 512
DESCRIPTION STRDESCRIPTION Object description String 512
EXTERNALGUID STREXTERNALGUID External object GUID (Active Directory) String 40
EXTPRIMGRPTKN
EXTPRIMGRPID LEXTPRIMGRPID External primary group assignment (primaryGroupID) Integer

The Intrexx replication profile

LDAP replication profiles in the installation directory cfg/ldapconfig serve to define the replication between LDAP sources and the Intrexx organizational structure.

The replication profiles are XML files that contain a mapping definition for each object type to be transferred. Each object type recorded in the Intrexx organization schema can be replicated. Every attribute is writable.

The <ldap> element (document root node)

Global settings can be made in this element. It is the root element for the XML document.

<ldap  enablePaging="true">
        …
</ldap>

 

Parameters As of version Description
enablePaging 5.2 This parameter can be used to enable page-by-page querying of LDAP directories. Some directory servers limit the number of entries per result page, e.g. Active Directory to 1000 hits. If you enable this option, the directory server will be instructed to deliver the other pages on demand, not just the first one.
pageSize 7 The pageSize attribute of the ldap element can be used to set the page size for replication.
pageSize 5.2 The system property de.uplanet.lucy.server.usermanager.replication.ldap.pagesize can be used to specify the page size. The default value is 500.

Not all directory servers support page-by-page queries. Setting these options in this case will result in an error.

The <item> element

The <item> element is used to define the mapping between Intrexx object types and LDAP query results. It may include a number of other definition:

<item class="<Zielklasse>" query="<LDAP-Query>" placing="<Platzierungsmodus>" [dnfilter="<Filter-Regexp>"]> <attribute source="<Quellattribut>"/>
  ...
  <attribute destination="<Zielattribut>" source="<Quellausdruck>"/>
  ...
  <call class="<Werkzeugklasse>" method="<Methode>" [execafterwrite="true|false"]> <parameter type="<Builtin-Parameter>"/>
    ...
    <parameter type="<Java-Klasse>" value="<Wert>"/>
    ...
  </call>
  ...
</item>
Parameters Description
Target class Class name in the Intrexx schema, e.g. USER for user.
LDAP query LDAP query that is used to query the objects in the external directory. Please refer to http://tools.ietf.org/html/rfc2254 for the definition.
Placement mode

Intrexx provides the following here:

 

parent:

Intrexx attempts to determine the correct location in the Intrexx organizational structure based on the placement in the source directory.

 

fixed:

Intrexx uses a standard container (e.g. users) as the target container. To be used when you want to replicate only the user objects without the organizational structure.

 

fixed by domain:

Intrexx uses a subcontainer of the standard container that corresponds to the domain name of the object. For this to work, the domain attribute of the target object must be filled correctly.

 

dynamic <source expression>:

Intrexx determines the corresponding target container from the directory data based on the source expression. The definition of the source expressions can be found in the <attribute> element section.

dnfilter

dnfilter="<Filter-Regexp>"

The dnfilter attribute is optional. A regexp pattern can be specified here to filter the objects to be replicated by DN (Distinguished Names), e.g. dnfilter=".*ou=Intrexx User.*"

The <attribute> element

This element exists in two forms: with a target specification, it serves to assign source expressions to Intrexx target fields; without a target specification, it is an instruction to the replication module to also query the specified source attribute, since it will be needed at a later time. If a source attribute is not specified in either variant, it will not be read.

Target attribute:

Attribute of the Intrexx target class

Source attribute:

Attribute of the LDAP object class

Source expression:

<source expression> = [<source attribute>|<function call>]

The expression consists of either an attribute or a function call.

Function call:

<function call>=$functionname([<source expression>[,...]])

A function can have 0-n parameters, which in turn are source expressions. The documentation of the available built-in functions can be found here.

The <call> element

Not every task can be performed via a simple assignment via attribute element. For this reason, there is the option of integrating specialized code by defining calls to Java classes. To parameterize the call, the <call> element can contain 0-n <parameter> elements.

Tool class:

Name of the Java class that contains the static method to be called.

Methods:

Method to be called

execafterwrite attribute:

Defines whether the method takes place immediately or only after the Intrexx object has been written.

The <parameter> element

The parameter element always has a type attribute. This contains either the name of a built-in parameter, which is automatically filled correctly, or the name of a known Java class whose content is defined via the value attribute. At the moment, java.lang.String and the numeric classes built into the JRE are supported here.

Built-in parameters:

Parameters Description
$destinationitem Contains the target object (IDs* object) for the element
$dircontext Contains the LDAP directory context
$domain Contains the already created domain name for the target object (only available if execafterwrite=true and it is a user object)
$inserted Contains a flag that specifies whether the target object was new or updated (only available if execafterwrite=true)
$itemconnector Contains the reference to the instance of the internal class that performs the attribute mapping.
$jdbcconnection Contains the JDBC system database connection from Intrexx
$login Contains the already created login name for the target object (only available if execafterwrite=true and if it is a user object)
$replicationconfig Contains the replication configuration object
$searchresult Contains the current record in the LDAP search result
$sourceconfig Contains a source definition object
$usn Contains the unique number of the current replication run
$dbmanager Type-dependent DbManager object for editing the Intrexx organization schema

Built-in functions (from Intrexx 5.2 onwards)

The following functions are available at various points:

Function Intrexx Description
$add 5.2 $add(val0, val1) Add two values together
$ansiTime 7.0 $ansiTime(value) Converts a long value (100ns interval since 01/01/1601 UTC) as used in the passwordlastset field.
$bitand 5.2 $bitand(value, bitmask) Compound value with bitmask
$call 6.0 $call(class, method [, param type, param value [...]] Calling an individual method
$case 5.2 $case(value, checkval0, result0[,checkval1, result1...][elseresult]) Case construct
$concat 7.0 OU7 $concat(<string-expression1>, <string-expression2>) Merges two strings together
$datetime 6.0 $datetime(format [, [locale,] timezone], value) Create a timestamp from a string, e.g.: <attribute destination="myDateField" source="$datetime(&quot;dd.MM.yyyy&quot;, &quot;Europe/Berlin&quot;, whenChanged)"/>
$format 5.2 $format(formatstring, value...) Format a value. The JAVA notation applies to the formatstring.
$generalizedTime 7.0 $generalizedTime(value) Generate a timestamp from a string in generalized time format (YYYYMMDDHHmmSS.fffZ).
$last 5.2 $last(array) Extracts last element from an array $last(value, number) Extracts the last n characters from a string
$length 5.2 $length(value) Returns the length of a string
$lower 5.2 $lower(value) Converts a string to lowercase letters
$null 5.2 $null() Null value
$print 6.0 $print(value-array, separator) Write an array of values into a single field, separator is <separator>.
$replace 7.0 OU7 $replace(<string-expression>, <string to replace>, <string replacement>) Replaces all occurrences of a substring (string to replace) in a string (string expression ) with another string (string-replacement).
$split 5.2 $split(value, delimiter) Splits a string into single strings.
$substring 5.2 $substring(string, beginindex [,endindex]) Extract a part from a string
$trim 7.0 OU7 $trim(<string expression>)
$upper 5.2 $upper(value) Converts a string to uppercase letters

LDAP queries

The definition of LDAP requests is covered in RFC 4515.

RFC 4515

Lightweight Directory Access Protocol (LDAP):

String Representation of Search Filters

http://www.ietf.org/rfc/rfc4517.txt

Syntax and operators

LDAP queries consist of one or more criteria that are linked together using AND or OR operators. The operators are noted at the beginning followed by the search criteria. The search criteria are listed in round brackets, which are again enclosed in round brackets.

AND link:

(& ( S1 ) ( S2 ) … ( Sn ) )

OR link:

(| ( S1 ) ( S2 ) … ( S3 ))

Interleaved links:

Each AND/OR operation can be defined as a single criterion again:

(|(& ( S1 ) ( S2 ))(& ( S3 ) ( S4 ))) corresponds to: (S1 AND S2) OR (S3 AND S4)

Negation:

The negation / reversal of a query is implemented with an exclamation mark:

(! ( S1 ))

Comparison:

The negation / reversal of a query is implemented with an exclamation mark:

Same (givenName=Max)
Greater than comparison (passwordlastset >= 130575614253222449)
Less than comparison (passwordlastset <= 130575614253222449)
Approximate comparison (givenName~=Meier)
Defined (givenName=Max)
Wildcards (givenName=Max*) (givenName=*meier*)

Only accounts with login names starting with 8 or 9 (e.g. if the login name is a personnel number and only certain number ranges are to be replicated):

(|(sAMAccountName=8*)( sAMAccountName=9*)

Tips and Tricks

Domains with many objects (> 5,000)

The number of objects per replication or query in Active Directory is limited for security reasons (Windows Server 2008 R2 = Max. 5,000). This limit can be removed by administrators in the Active Directory by configuring the dSHeuristic attribute accordingly. However, this customization is done at your own risk and Microsoft also excludes any liability for this customization.

From Intrexx 6.0 onwards, the ability to process data from the Active Directory block by block has been implemented. The parameter enablePaging is already set to true in the profiles. In this process, 1,000 elements are read per block.

<ldap xmlns=http://schemas.unitedplanet.de/intrexx/server/ldap/replication/enablePaging="true">

Truncate field contents from Active Directory

The Intrexx user data has field length limitations, which under certain circumstances leads to so-called truncation errors during replications because fields in the Active Directory are partially misused and field contents are transmitted that are longer than usual. To counteract this situation, the field lengths in Intrexx can be extended via the Schema Manager, or the contents of the AD fields can be truncated during processing. To be on the safe side, you should provide such delimiters for string fields - even after adjusting the length.

<attribute destination="FIRSTNAME" source="$case(givenName, $null, $null, $format(&quot;%1.64s&quot;,givenName))"/>

In the example, the first name is limited to 64 characters. The corresponding length value must be entered for the position highlighted in blue. With $format, the field content is truncated, and with $case, it is ensured that zero is written into the Intrexx field if the value is missing.

Replication of the superior

The supervisor replication is already predefined in the Active Directory profile templates but commented out by default. If the supervisor is stored under Manager, the section can be activated in the replication profile. The function determines the user in Intrexx based on the assignment in the Active Directory and assigns it.

<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignBoss" execafterwrite="true">  
  <parameter type="$dbmanager"/>
  <parameter type="$destinationitem"/>
  <parameter type="$itemconnector"/>
  <parameter type="$searchresult"/>
  <parameter type="$jdbcconnection"/>
  <parameter type="$usn"/>
  <parameter type="java.lang.String" value="manager"/>
</call>

Replication of user photos

Since Windows 2000, there are attributes for the management of user photos in the Active Directory. However, the photo information can only be used and displayed from the Active Directory as of Outlook/Exchange 2010. The size per photo is limited to 100kB but if there are many employees in a company, the volume to be replicated can become correspondingly high. Microsoft recommends that thumbnail photos have 96 x 96 pixels with a maximum size of 10KB. The photos must also be updated in the Active Directory - i.e. this work must be handled by the administrators. In addition, a procedure must still be in place to document consent from the respective employee to use the photo.

<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignImage" execafterwrite="true">
  <parameter type="$dbmanager"/>
  <parameter type="$destinationitem"/>
  <parameter type="$itemconnector"/>
  <parameter type="$searchresult"/>
  <parameter type="$jdbcconnection"/>
  <parameter type="$inserted"/>
  <parameter type="java.lang.String" value="thumbnailPhoto"/>
</call>

Photo files in the Active Directory can be imported using http://www.exclaimer.de/outlook-photos/.

Class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools

Here is an overview of the methods of the class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools:

assignMembers

public void assignMembers​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException

With this method, members specified in an LDAP attribute of a group object are assigned to the corresponding Intrexx group. The member attribute must contain the group members in an array of distinguished names.

Parameters:

p_item Intrexx group object
p_connector Item connector
p_sr Search result of the LDAP group object
p_conn Database connection
p_iInternalUsn Current internal USN
p_strMemberAttr Member attribute of the LDAP group
p_log Job log, if available

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignMembersByLoginName

public void assignMembersByLoginName​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDomainQuery, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException

With this method, members specified in an LDAP attribute of a group object are assigned to the corresponding Intrexx group. The member attribute must contain the group members in an array with login names.

Parameters:

p_item Intrexx group object
p_connector Item connector
p_sr Search result of the LDAP group object
p_conn Database connection
p_iInternalUsn Current internal USN
p_strMemberAttr Member attribute of the LDAP group
p_log Job log reference
p_strDomainQuery User domain query

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignDomain

public void assignDomain​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Assigns a domain specified by the content of an LDAP attribute to an Intrexx object.

Parameters:

p_item Intrexx item
p_connector Intrexx item connector
p_sr LDAP search result
p_conn Database connection
p_strDomainQuery LDAP domain query
p_strDomainAttribute LDAP domain attribute

Throws:

NamingException - when an exception occurs

assignCredentialsWithDomainQuery

public void assignCredentialsWithDomainQuery​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strLoginAttribute, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Assigns credentials to an Intrexx object and the domain via domain attribute and query.

Parameters:

p_item Intrexx item
p_connector Intrexx item connector
p_sr LDAP search result
p_strDomainQuery LDAP domain query
p_strDomainAttribute LDAP domain attribute
p_strDomainAttribute LDAP login attribute

Throws:

NamingException - when an exception occurs

getDomain

public void getDomain​(LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Throws:

NamingException

assignNameFromLogin

public void assignNameFromLogin​(IDsObjectRecord p_record)

Assigns an Intrexx login name as the object name.

Parameters:

p_record Intrexx user object record

assignPathRoleFromOUAttribute

public void assignPathRoleFromOUAttribute​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strTopOUAttribute) throws Exception

Assigns an object to a group, role or set to be imported with an OUAttribute of the object.

Parameters:

p_item Intrexx item
p_connector Intrexx item connector
p_sr Search result
p_conn Database connection
p_iInternalUsn Internal USN
p_strTopOUAttribute OU attribute

Throws:

Exception - when an exception occurs

makeRelative

public String makeRelative​(String p_strBaseDn, String p_strDn) throws InvalidNameException

Throws:

InvalidNameException

findUser

public int findUser​(JdbcConnection p_conn, LDAPItemConnector p_itemConnector, String p_strMember, String p_strLogin, String p_strDomain) throws Exception

Parameters:

p_conn Database connection
p_itemConnector Intrexx item connector
p_strMember Member attribute name
p_strLogin Login name
p_strDomain Domain name

Returns:

User ID

Throws:

Exception - when an exception occurs

assignBoss

public void assignBoss​(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strBossAttr) throws SQLException, NamingException

Assigns the supervisor to an object.

Parameters:

p_dbMan Database manager
p_item Item
p_connector Item connector
p_sr Search result
p_conn JDBC connection
p_iInternalUsn Internal USN
p_strBossAttr Boss attribute name

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

normalizeName

public static String normalizeName​(String p_strName) throws InvalidNameException

Throws:

InvalidNameException

dnForQuery

public static String dnForQuery​(String p_strDN) throws InvalidNameException

Throws:

InvalidNameException

assignImage

public void assignImage​(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, boolean p_bInsert, String p_strImageAttribute) throws Exception

Assigns a user photo.

Parameters:

p_dbMan Database manager
p_item Intrexx item
p_connector Intrexx item connector
p_sr LDAP search result
p_conn Database connection
p_bInsert true for insert, false for update
p_strImageAttribute LDAP image attribute name

Throws:

Exception - when an exception occurs

assignAsMember

public void assignAsMember​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberOfAttr) throws SQLException, NamingException

Assigns a user to a group set, identified by a user attribute.

Parameters:

p_item User item
p_connector LDAP item connector
p_sr LDAP search result
p_conn System database connection
p_iInternalUsn Internal replication USN
p_strMemberOfAttr "Member of" attribute

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignDefaultSet

public void assignDefaultSet​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDefaultSetGuid) throws SQLException

Assigns a user to a default set.

Parameters:

p_item User item
p_connector LDAP item connector
p_sr LDAP search result
p_conn System database connection
p_iInternalUsn Internal replication USN
p_strDefaultSetGuid Default set GUID

Throws:

SQLException - when an exception occurs

assignToSet

public void assignToSet​(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strSetGUID) throws SQLException

Assigns a user to a set, identified by the given name.

Parameters:

p_item User item
p_connector LDAP item connector
p_sr LDAP search result
p_conn System database connection
p_iInternalUsn Internal replication USN
p_strSetGUID Set GUID

Throws:

SQLException - when an exception occurs

getContainers

public Map<String,​IValueHolder<?>> getContainers()

getRoles

public Map<String,​IValueHolder<?>> getRoles()

Prevent deactivation of accounts from the domain

When replicating users, their activation state is transferred to the account options. This means, in the same way as whether the account is activated or deactivated in the domain, the user will also be activated or deactivated in Intrexx. The state of the option is determined with the method $bitand and assigned to the Intrexx attribute "DISABLED".

<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>

If you would like to independently determine which account should be active after replication in Intrexx, the statement in the replication profile must be commented out or removed.

Replicate date fields

There are two dates in an Active Directory that are stored in the format yyyy-MM-ddTHH:mm:ss.000: the date for the creation (whenCreated) and the date of the last change (whenChanged) of the account. Further date information, such as the date of birth or entry date, is not provided and must be defined additionally. To transfer such date information into Intrexx, the following construct can be applied in the replication profile. As an example, it fills the date of birth in Intrexx with a date value from the Active Directory. BIRTHDAY stands for the attribute name from the Active Directory.

<attribute destination="BIRTH" source="$case(BIRTHDAY, $null, $null, $datetime(&quot;dd.MM.yyyy&quot;, &quot;Europe/Berlin&quot;, $case(BIRTHDAY, $null, &quot;01.01.1900&quot;, BIRTHDAY)))"/>

Fix domain when replicating

In larger corporate structures with continuous acquisitions or mergers, there are also extensions and restructurings in the Active Directory. It is not uncommon for these to happen during ongoing operations or for the new domain to be integrated and then gradually converted. Often, this reconstruction follows the organizational reconstruction. This has its pitfalls because actually a domain should be consolidated before it is included. The following example was the solution in a replication scenario where two user objects from two different domain replications contained the same domain in the user attribute "Domain". During replication, the user name is now used and the domain information is fixed per replication (domain) and not read from the AD field.

<!-- Replikation des Users mit fest vorgegebener Domäne -->
        <attribute destination="LOGIN" source="sAMAccountName"/>
        <attribute destination="LOGINLWR" source="$lower(sAMAccountName)"/>
        <attribute destination="DOMAIN" source="&quot;meinedomain.de&quot;"/>
        <attribute destination="DOMAINLWR" source="&quot;meinedomain.de&quot;"/>

Write fixed value to a field

To generally write a fixed value into a field during replication - independent of an LDAP field - the string must be enclosed with " in the source attribute.

<attribute destination="TYPE" source="&quot;Text&quot;"/>

Evaluate UserAccountControl

The Active Directory attribute UserAccountControl contains various settings that in most cases are only relevant for control in the domain. Intrexx already uses the option "User account deactivated" from this by default. If some of the options are to be replicated due to workflow controls or for information purposes, corresponding "Boolean" attributes must be created beforehand in the Intrexx Users module (User attribute).

Label Hex
The logon script was executed 0x00000001
User account deactivated 0x00000002
Home directory required 0x00000008
No password required 0x00000020
Password never expires 0x00010000
User must authenticate with smartcard 0x00040000
Computer account that is a member of this domain 0x00001000
Computer account for a system backup domain controller that is a member of this domain 0x00002000

The hex value must be specified as the second parameter in the $bitand function. The first parameter is always the attribute from the Active Directory (userAccountControl):

<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>
  <-- Beispiel zum Abruf von "Kein Passwort erforderlich"
  <attribute destination="NOPWREQ" source="$bitand(userAccountControl,20)"/>

Report replication error

A corresponding email address must be entered in the execution options in each LDAP job in order to detect, analyze and correct error-related interruptions at an early stage. Select the "Error" setting in "From status".

Replicate multiple domains into one portal

If multiple domains are synchronized into a portal, a job should be designated that is configured as the initial replication that is executed automatically. The replication jobs for the remaining domains are executed sequentially starting from this first job by defining a chain of subsequent jobs. This prevents overlapping of the individual replication jobs, which could cause performance problems or locking situations on the database.

The subsequent jobs can be configured in the corresponding replication job in the task scheduler. When you edit the schedule, a group can be defined for each job and the LDAP job can be added. Attention: There may be only one LDAP job per group. All entries of a group are executed in parallel!

If one of the replications in the chain causes an error, all subsequent replications are not executed. To prevent this, the setting "Start subsequent processes even in case of error" can be activated.

Any errors that occur should be reported by email and then corrected promptly so that even failed replications are completed again when they are executed again.

Replication without an organizational structure

Replication in Intrexx creates an image of the Active Directory.

However, replication only works 1:1 if the "Import organizational structure" setting is set for the import job. Users are assigned to their respective organizational unit (parent) during import. If the organizational units were not imported before, they cannot be assigned. Therefore, users are not imported. Only users and user groups that are not assigned to an organizational unit in the Active Directory are imported.

Importing all users without the organizational structure works only by adjusting the profile. The adjustment should be made only on the copy of an existing profile.

Replace the word parent with fixed by domain in each of the following two places:

<item class="USER" query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)))" placing="parent">
<item class="GROUP" query="(&amp;(objectClass=Group)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">

With this adjustment, the users and user groups are imported even without the organizational units and included in the default container for new users defined in the Users module via the main menu "Users / Configuration".

Replication of users of a user group

If you want to restrict the replication of users to a user group, you need to adjust the profile for replication.

Here you can add the condition "memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=en))" to the user query e.g. for the group Support.

<main use-usns="false" path-separator-char=","escape-char="\" 
user-query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)
(memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=de))"
group-query="(objectClass=Group)"
unit-query="(objectClass=organizationalUnit)"
domain-query="(objectClass=domain)" />

If all inherited permissions (i.e. all objects that are members of the specified group) are also to be taken into account during replication, a special filter can be added to the query statement when querying a Windows domain from Windows Server 2003 SP2:

<main use-usns="false" path-separator-char="," escape-char="\"
user-query="(&amp;(objectClass=User)(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SUPPORTER,OU=Team-Gruppen,DC=meinedomain,DC=org)(!(cn=*$)))"
group-query="(&amp;(objectClass=Group)"
unit-query="(objectClass=organizationalUnit)"
domain-query="(objectClass=domain)" />

If the replication of user groups should also be restricted, the condition (name=SUPPORTER) can be added to the group query.

<main use-usns="false" path-separator-char="," escape-char="\"
user-query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)))"
group-query="(&amp;(objectClass=Group)(name=SUPPORTER))"
unit-query="(objectClass=organizationalUnit)"
domain-query="(objectClass=domain)" />

You can find more information about special LDAP filters here:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Replication without user groups and distribution lists

If the user groups or distribution lists from the Active Directory cannot be used meaningfully in Intrexx, it is also possible to import only the users and the organizational structure. The user groups can also be defined in Intrexx and the users assigned from the Active Directory. However, the maintenance of the assignment must always take place in Intrexx and this is a corresponding administrative effort. In an existing replication profile, the two responsible blocks can be commented out as follows:

<!—Deactivate group replication
 <item class="GROUP"
 …
 </item>
 -->
 <!—Deactivate group replication
 <item class="DISTLIST"
 …
 </item>
 -->

Actions after a replication

It may well be useful to perform subsequent maintenance on the replicated users after replication. An important action after replication is to perform indexing for the search engine.

That means, as a subsequent job after user replication, the application indexing "User/User search" should be executed so that both new users and changed users can be found via the search.

Another downstream action is the analysis of certain data in the user and the definition of additional data or assignments dependent on it. An example is the creation of an additional attribute "sort name" for users. This should contain the name in the form "Last name, First name" to use it in drop-down lists, for example. A process executed after replication can use Groovy to combine the first and last name appropriately and write back to the additional attribute in the user.

In a second example, an attribute is replicated from the Active Directory that contains an organizational characteristic such as the cost center or an organizational abbreviation. Based on this characteristic, the user is now to be assigned to a specific permissions object (group, role) or organizational object (organizational unit). In this way, administration can be partially automated if the AD structure does not provide usable structures and permissions objects for the portal.

Use a timer event source with a connection to the user data group to define a post-replication process. It is imperative that the event source is deactivated, as this is not to be executed periodically but via the follow-on event chain of the replication job. This is possible via the main menu "Edit/Disable Element" if the timer is marked on the workspace. Then save the process.

A Groovy action is executed via the event handler associated with the timer, which can be used to handle the respective user object.

def l_intUserId = g_record["E3911A1A0198AFAD87AE026B161B7F7F202D557A"].value
/* datafield (PK) (S) Benutzer ID <integer> */
def l_strFirstname = g_record["71F6E73DF87EF94D5B2CB5F6946C7CC4093D876C"].value /* datafield Vorname <string> */
def l_strLastname = g_record["22BF94B5B5D9794429B741D8FD42128CC5E93A62"].value /* datafield Nachname <string> */
// Sortiername erzeugen
def l_strSortname = l_strLastname + ", " + l_strFirstname
//Aktualisieren des Benutzerdatensatzes
g_dbQuery.executeUpdate(conn, "UPDATE DSUSER SET STR_SORTNAME = ? WHERE LID = ?") {
	setString(1, l_strSortname)
	setInt(8, l_intUserId)
	}		
}

If Intrexx Share is installed in the portal, a profile update can also be executed after the replication to take into account name changes, for example. To do this, you must first check whether a profile exists for the current user.

With the following Groovy script, the GUID of the user can be used to check whether a profile record exists in Intrexx Share. If this is the case, the output "profile_exist" is triggered, which subsequently executes a data group action to update the corresponding fields in the profile.

def conn = g_dbConnections.systemConnection
	def l_strUserGuid = g_record["ACF15A10BE183A1EFBC7EF8C462069428F1E4663"].value
	/* datafield Guid <string> */
	if(l_strUserGuid != null)
	{
		def l_intShareProfile = g_dbQuery.executeAndGetScalarIntValue(conn, "SELECT COUNT(*) FROM DATAGROUP('198F73334DF58D0996897A5D7EF8DB12E6727E8D') WHERE STRID = ? AND B_DELETED = ?", 0)
		{
			setString(1, l_strUserGuid)
			setBoolean(2, false)
		}
		if(l_intShareProfile > 0)
		{
			return profile_exist
		}
}

Limited replication of groups

To replicate only certain groups that follow a certain naming convention, the query for the group objects (also for any other object type) can be customized. In the example, all groups starting with "IX_" in the name are replicated.

If the groups in turn contain memberships in other groups or permissions objects that are relevant for the assignment of users, it must be carefully checked whether loopholes open up when the objects are replicated in a limited manner.

<item class="GROUP" query="(&amp;(objectClass=Group)(cn=IX_*)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">

You can find more info about LDAP filters here: http://www.selfadsi.de/ldap-filter.htm

Frequent error messages

Unprocessed continuation reference(s)

Since the LDAP import interface of Intrexx is also compatible with OpenLDAP, a function is called that is not correctly implemented with Microsoft Active Directory. The LDAP referrals are not implemented by Microsoft in a standard-compliant way. Therefore, this warning message occurs when importing from Microsoft Active Directory. The message is in many cases inconsequential and does not cause an error during import. In rare cases, however, it may be an indication of a break. In any case, you should check the replication result (compare the number of objects in the AD against the number of replicated objects).

WARN 2008-06-19 11:29:44,110 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=unitedplanet,DC=de'

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=unitedplanet,DC=de'

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2784)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)

at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)

at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)

at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)

WARN 2008-06-19 11:29:45,637 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]

Data truncation

This is not an error on the part of Intrexx. User import does not work because there are entries in Active Directory that are too long in one or more records. The maximum field length of the corresponding target data field in the Intrexx Users module is too small or the Active Directory entry is too long.

Possible solutions to prevent an error and termination of replication can be found in the section "Truncate field contents from Active Directory".

Import job finished with errors:

de.uplanet.jdbc.StandardDbException: Error: 0, SQLState: 22001: Data truncation

at de.uplanet.jdbc.sqlserver.SQLServerDescriptor.convertException(Unknown Source)

at de.uplanet.jdbc.JdbcPreparedStatement.executeUpdate(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager._doUpdateInsert(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.insert(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)

03.12.2008 15:17:54: *** ERROR OCCURED, JOB STOPPED ***

Class DISTLIST is not castable to the class GROUP

This error occurs when the class of an object in Active Directory is changed. When an object is created, its function is defined by the class (user group or a distribution list).

The conversion of an object such as a distribution list group into a user group or vice versa has effects on Intrexx and the objects replicated there. In the Active Directory, the objects are distinguished by a flag whereas in Intrexx, each object type is managed in its own data group. A conversion results in a replication error:

Error when processing search result:

mail=adresse@domain.de

objectGUID;binary=[B@64250a59

name=Objektbezeichnung

memberOf=CN=Benutzer,OU=Empfänger,DC=row,DC=domain,DC=de

primaryGroupToken=5338

de.uplanet.lucy.usermanager.DsRuntimeException: The dest ds class DISTLIST is not castable to the class GROUP

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.selectFullRecord(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.selectFullRecord(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)

at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)

at org.quartz.core.JobRunShell.run(JobRunShell.java:213)

at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

As of Intrexx version 7, the original object should be deleted in Intrexx and recreated in the corresponding data group when such a change is made. If the object was used in a distribution list or in permissions, it is no longer effective because it no longer exists. The correct procedure would be to create a new object and assign the users instead of changing the type of an object. Administrators save time by this procedure because the assigned objects in the new object do not have to be done again but the resulting problems should be known.

Connection timed out: connect

This error occurs when the specified domain controller is unreachable. This may be caused by lack of access permissions to the server or blocked ports. If the error occurs while a replication job is running and has already been successfully set up, the cause may be a server failure or a changed IP address or access permissions. It is important, especially in large organizations with multiple independently maintained domains, that changes are coordinated to avoid such problems.

20.07.2014 22:17:36: *** User Replication Job 912496D87C849A5D109ED500F0D696A01B60D680 STARTED ***

Configuration:06C3620E8A4A3AB57992EF33A0263409CE7727C9 / DOMAIN

javax.naming.CommunicationException: 192.168.10.100:389 [Root exception is java.net.ConnectException: Connection timed out: connect]

at com.sun.jndi.ldap.Connection.<init>(Connection.java:209)

at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)

at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)

at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)

at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

at javax.naming.InitialContext.init(InitialContext.java:223)

at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)

at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)

at org.quartz.core.JobRunShell.run(JobRunShell.java:213)

at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

Caused by: java.net.ConnectException: Connection timed out: connect

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)

at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)

at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)

at java.net.Socket.connect(Socket.java:529)

at java.net.Socket.connect(Socket.java:478)

at java.net.Socket.<init>(Socket.java:375)

at java.net.Socket.<init>(Socket.java:189)

at com.sun.jndi.ldap.Connection.createSocket(Connection.java:351)

at com.sun.jndi.ldap.Connection.<init>(Connection.java:186)

... 18 more

20.07.2014 22:17:57: *** ERROR OCCURRED, JOB STOPPED ***

Tools

The search dialog of the Jxplorer is useful for testing a query.

Tool Websites

Apache Directory Studio: http://directory.apache.org/studio/

LDAP Adnub: http://www.ldapadmin.org/