Tuesday, September 13, 2011

Ant build script to automate OIM build

<?xml version="1.0" encoding="UTF-8"?>
<project basedir="." name="Builder" default="BuildAll">
 <property name="debug" value="on"/>
 <property name="project.home" value=".."/>
 <property name="src.dir" value="${project.home}/source"/>
 <property name="WebApp.src.dir" value="${project.home}/xlWebApp"/>
 <property name="test.src.dir" value="${project.home}/testsource"/>
 <property name="XellerateFull.src.dir" value="${project.home}/XellerateFull"/>
 <property name="lib.dir" value="${project.home}/lib"/>
 <property name="build.dir" value="${project.home}/build"/>
 <property name="javadocs.dir" value="${build.dir}/javadocs"/>
 <property name="build.classes.dir" value="${build.dir}/classes"/>
 <property name="build.classes.dir.com" value="${build.dir}/classes/com"/>
 <property name="build.deploy.dir" value="${build.dir}/deploy"/>
 <property name="build.deploy.JavaTasks.dir" value="${build.deploy.dir}/JavaTasks"/>
 <property name="build.deploy.ScheduleTask.dir" value="${build.deploy.dir}/ScheduleTask"/>
 <property name="build.deploy.ThirdParty.dir" value="${build.deploy.dir}/ThirdParty"/>
 <property name="build.deploy.EventHandler.dir" value="${build.deploy.dir}/EventHandlers"/>
 <path id="project.class.path">
  <fileset dir="${lib.dir}">
       <include name="**/*.jar"/>
  </fileset>
 </path>
 <target description="Clean All" name="Clean">
  <delete dir="${build.classes.dir.com}" />
  <delete dir="${build.deploy.dir}"/>
  <delete dir="${javadocs.dir}"/>
 </target>

 <target description="Build Java Documentation." name="javadoc">
  <delete dir="${javadocs.dir}"/>
  <mkdir dir="${javadocs.dir}"/>
  <javadoc use="true" doctitle=" Documentation" windowtitle=" JavaDoc" private="true" sourcepath="${src.dir}" packagenames="com.*" destdir="${javadocs.dir}">
   <classpath refid="project.class.path"/>
  </javadoc>
 </target>
 <target name="Initialize" description="Initialize Build Directories" >
  <tstamp/>
  <mkdir dir="${build.deploy.dir}"/>
  <mkdir dir="${build.deploy.JavaTasks.dir}"/>
  <mkdir dir="${build.deploy.ScheduleTask.dir}"/>
  <mkdir dir="${build.deploy.ThirdParty.dir}"/>
  <mkdir dir="${build.deploy.EventHandler.dir}"/>
 </target>

 <target description="ScheduledTask" name="ScheduledTask" depends="Initialize">
  <javac debug="${debug}" deprecation="false" destdir="${build.classes.dir}" srcdir="${src.dir}">
   <classpath refid="project.class.path"/>
   <include name="**/com/xxx/scheduledtasks/**/*.java"/>
  </javac>
  <jar basedir="${build.classes.dir}" jarfile="${build.deploy.ScheduleTask.dir}/ScheduledTasks.jar" >
   <include name="**/com/xxx/scheduledtasks/**/*.class"/>
  </jar> 
 </target>

 <target description="JavaTasks" name="JavaTasks" depends="Initialize">
  <javac debug="${debug}" deprecation="false" destdir="${build.classes.dir}" srcdir="${src.dir}">
   <classpath refid="project.class.path"/>
   <include name="**/com/xxx/javatasks/**/*.java"/>
  </javac>
  <jar basedir="${build.classes.dir}" jarfile="${build.deploy.JavaTasks.dir}/JavaTasks.jar" >
   <include name="**/com/xxx/javatasks/**/*.class"/>
  </jar> 
 </target>

 <target description="EventHandlers" name="EventHandlers" depends="Initialize">
  <javac debug="${debug}" deprecation="false" destdir="${build.classes.dir}" srcdir="${src.dir}">
   <classpath refid="project.class.path"/>
   <include name="**/com/xxx/eventhandlers/**/*.java"/>
  </javac>
  <jar basedir="${build.classes.dir}" jarfile="${build.deploy.EventHandler.dir}/EventHandlers.jar" >
   <include name="**/com/xxx/eventhandlers/**/*.class"/>
  </jar> 
 </target>
 <target description="ThirdParty" name="ThirdParty" depends="Initialize">
  <javac debug="${debug}" deprecation="false" destdir="${build.classes.dir}" srcdir="${src.dir}">
   <classpath refid="project.class.path"/>
   <include name="**/com/xxx/utils/**/*.java"/>
  </javac>
  <jar basedir="${build.classes.dir}" jarfile="${build.deploy.ThirdParty.dir}/Util.jar" >
   <include name="**/com/xxx/utils/**/*.class"/>
  </jar> 
 </target>
 <target description="BuildAll" name="BuildAll" depends="Clean, Initialize, ScheduledTask, JavaTasks, EventHandlers, ThirdParty">
 </target>
</project>

Friday, September 2, 2011

Modifying the maxpagesize in active directory

By default, windows returns only a maximum of 1000 objects in response to a single LDAP query. This can be a limitation when you have more than 1000 objects in your Active Directory and you are running some kind of script that does a bulk import of objects (user accounts and/or computers) from Active Directory.

Some applications like Adobe Connect also require such bulk imports. If you find that the number of user accounts imported from Active Directory is exactly 1000 when you are sure there are more, its time to take a look at this.

The 1000-object limit is governed by the MaxPageSize LDAP administration limit, which is defined using NTDSUTIL. To increase the value:

1.Open Command Prompt on a domain controller, logged in as domain administrator.
2.Type NTDSUTIL and press ENTER.
3.In the ntdsutil: prompt, type ldap policies
4.In the ldap policy: prompt, type connections
5.In the server connections: prompt, type connect to server <FQDN of domain controller>
6.Once you are connected, type q to come back to the ldap policy: prompt.
7.If you type show values, you can see the current value for the administration limits, including the MaxPageSize limit.
8.To change the value to allow up to 30,000 objects to be returned in a single LDAP query, type set MaxPageSize to 30000
9.You can view your changes by typing Show Changes. Note that the new values appear in brackets, because you have not yet commited your changes.
10.To commit changes type commit changes

Ntdsutil Usage

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Ntdsutil.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use Ntdsutil.exe, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

LDAP Error Codes

Error CodeErrorDescription
0

LDAP_SUCCESSIndicates the requested client operation completed successfully.
1LDAP_OPERATIONS_ERRORIndicates an internal error. The server is unable to respond with a more specific error and is also unable to properly respond to a request. It does not indicate that the client has sent an erroneous message. In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors.
2LDAP_PROTOCOL_ERROR

Indicates that the server has received an invalid or malformed request from the client.
3LDAP_TIMELIMIT_EXCEEDEDIndicates that the operation's time limit specified by either the client or the server has been exceeded. On search operations, incomplete results are returned.
4LDAP_SIZELIMIT_EXCEEDEDIndicates that in a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned.

5LDAP_COMPARE_FALSEDoes not indicate an error condition. Indicates that the results of a compare operation are false.
6LDAP_COMPARE_TRUEDoes not indicate an error condition. Indicates that the results of a compare operation are true.
7LDAP_AUTH_METHOD_NOT_SUPPORTEDIndicates that during a bind operation the client requested an authentication method not supported by the LDAP server.
8LDAP_STRONG_AUTH_REQUIREDIndicates one of the following: In bind requests, the LDAP server accepts only strong authentication.
In a client request, the client requested an operation such as delete that requires strong authentication. In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised.


9
Reserved.
10LDAP_REFERRALDoes not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
11LDAP_ADMINLIMIT_EXCEEDEDIndicates that an LDAP server limit set by an administrative authority has been exceeded.
12LDAP_UNAVAILABLE_CRITICAL_EXTENSIONIndicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
13

LDAP_CONFIDENTIALITY_REQUIREDIndicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality.
14LDAP_SASL_BIND_IN_PROGRESSDoes not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process.
15

Not used.
16LDAP_NO_SUCH_ATTRIBUTEIndicates that the attribute specified in the modify or compare operation does not exist in the entry.
17LDAP_UNDEFINED_TYPEIndicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema.

18LDAP_INAPPROPRIATE_MATCHINGIndicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
19LDAP_CONSTRAINT_VIOLATIONIndicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
20LDAP_TYPE_OR_VALUE_EXISTSIndicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
21LDAP_INVALID_SYNTAXIndicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
22-31
Not used.
32LDAP_NO_SUCH_OBJECTIndicates the target object cannot be found. This code is not returned on following operations: Search operations that find the search base but cannot find any entries that match the search filter. Bind operations.
33

LDAP_ALIAS_PROBLEMIndicates that an error occurred when an alias was dereferenced.
34LDAP_INVALID_DN_SYNTAXIndicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.)
35LDAP_IS_LEAF

Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.)
36LDAP_ALIAS_DEREF_PROBLEMIndicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
37-47
Not used.

48LDAP_INAPPROPRIATE_AUTHIndicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error: The client returns simple credentials when strong credentials are required...OR...The client returns a DN and a password for a simple bind when the entry does not have a password defined.
49LDAP_INVALID_CREDENTIALSIndicates that during a bind operation one of the following occurred: The client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. This is equivalent to AD error code 52e.
49ERROR_TOO_MANY_CONTEXT_IDSCorresponds to data code 568. Indicates that during a log-on attempt, the user's security context accumulated too many security IDs. This is an issue with the specific LDAP user object/account which should be investigated by the LDAP administrator.
50LDAP_INSUFFICIENT_ACCESSIndicates that the caller does not have sufficient rights to perform the requested operation.
51LDAP_BUSYIndicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then.
52LDAP_UNAVAILABLEIndicates that the LDAP server cannot process the client's bind request, usually because it is shutting down.
52e

AD_INVALID CREDENTIALSIndicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid.This is the AD equivalent of LDAP error code 49.
53LDAP_UNWILLING_TO_PERFORMIndicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons: The add entry request violates the server's structure rules...OR...The modify attribute request specifies attributes that users cannot modify...OR...Password restrictions prevent the action...OR...Connection restrictions prevent the action.
54LDAP_LOOP_DETECTIndicates that the client discovered an alias or referral loop, and is thus unable to complete this request.
55-63
Not used.
64

LDAP_NAMING_VIOLATIONIndicates that the add or modify DN operation violates the schema's structure rules. For example,
The request places the entry subordinate to an alias. The request places the entry subordinate to a container that is forbidden by the containment rules. The RDN for the entry uses a forbidden attribute type.
65LDAP_OBJECT_CLASS_VIOLATIONIndicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error:
The add or modify operation tries to add an entry without a value for a required attribute. The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain. The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required.
66LDAP_NOT_ALLOWED_ON_NONLEAFIndicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error:
The client requests a delete operation on a parent entry. The client request a modify DN operation on a parent entry.
67LDAP_NOT_ALLOWED_ON_RDNIndicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.

68LDAP_ALREADY_EXISTSIndicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
69LDAP_NO_OBJECT_CLASS_MODSIndicates that the modify operation attempted to modify the structure rules of an object class.
70LDAP_RESULTS_TOO_LARGEReserved for CLDAP.
71LDAP_AFFECTS_MULTIPLE_DSASIndicates that the modify DN operation moves the entry from one LDAP server to another and requires more than one LDAP server.
72-79
Not used.
80LDAP_OTHERIndicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.
525

USER NOT FOUNDIndicates an Active Directory (AD) AcceptSecurityContext data error that is returned when the username is invalid.
530NOT_PERMITTED_TO_LOGON_AT_THIS_TIMEIndicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on at this time. Returns only when presented with a valid username and valid password credential.

531RESTRICTED_TO_SPECIFIC_MACHINESIndicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.
532PASSWORD_EXPIRED

Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The specified account password has expired. Returns only when presented with valid username and password credential.
533ACCOUNT_DISABLEDIndicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The account is currently disabled. Returns only when presented with valid username and password credential.
701ACCOUNT_EXPIREDIndicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The user's account has expired. Returns only when presented with valid username and password credential.
773USER MUST RESET PASSWORDIndicates an Active Directory (AD) AcceptSecurityContext data error. The user's password must be changed before logging on the first time. Returns only when presented with valid user-name and password credential.