Active Directory connection and replication configuration

General

Click here for general information about user replication.

Active Directory

Active Directory is divided into three parts: Schema, Configuration and Domain.

A schema is a template for all Active Directory entries. It defines object types, their classes and attributes as well as their attribute syntax. By defining new types, it is possible to influence which object types are available in Active Directory. The underlying template for this is the schema that defines the objects and their attributes.
The configuration represents the structure of the Active Directory forest and its trees.
Finally, the domain contains all the information that describes itself and the objects created in it.

The first two parts of the Active Directory are replicated between all domain controllers in the forest, while the domain-specific information is basically only available within the respective domain, i.e. on their respective domain controllers. Therefore, there is an additional so-called global catalog in each domain. It represents all information of its own domain and additionally contains important sub-information of the other domain from the overall structure and therefore enables cross-domain search operations, for example.

The records in the database are defined in Active Directory as objects and their properties as attributes. The attributes are defined depending on their type. Objects are uniquely identified by their name.

Objects can be divided into two main categories:

Accounts, such as user, group, and computer accounts
Resources, such as file and printer shares

The potentially up to many millions of objects are stored in containers (organizational units), also called OUs (Organizational Unit). Some containers are predefined, any further organizational units can be created with subunits (suborganizational units). As an object-based system, Active Directory supports passing on object container properties to child objects that can also be containers themselves. This allows Active Directory to build networks logically and hierarchically.

An Active Directory contains various objects. In addition to the user, there are permission objects such as user groups and roles, as well as organizations, organizational units, general containers and distribution groups (mail system). In addition, an Active Directory from different systems is not necessarily identical. Each system comes with its own characteristics.

Intrexx offers various replication profiles that are adapted to the different Active Directory systems. These must be selected accordingly when configuring a replication job.

Profile name	Description
Active Directory Large Groups.xml	Profile for Active Directories with groups containing more than 1000 members. This profile takes more time to replicate and should be used only if the group membership exceeds the said value.
Active Directory NTLM compatible.xml	This Active Directory profile is used when NTLMv1 login and domain names are desired in Intrexx, e.g. for the integrated authentication via Tomcat.
Active Directory	Standard Active Directory replication profile
Attribute Based Role Sample.xml	Example profile: In this profile, users are placed in the default user container (placing="fixed") and assigned to a role based on one of their attributes (here: roleattr).
Dynamic OU Path Sample.xml	Example profile: Here users are assigned to a container which is read from one of their attributes (here: ou). The attribute value is expected as a path with backslash separators (2nd parameter of $path)
Dynamic OU Sample.xml	Example profile: Similar to Profile Dynamic OU Path Sample, except that only the last part of the path is evaluated to determine the container.
eDirectory.xml	Novell eDirectory
OpenLDAP - POSIX.xml	OpenLDAP
Sun ONE.xml	SUN One

The following tables represent the most common attributes, i.e. only a part of the actual scope. In particular, the attributes are extended by other applications (e.g. Microsoft Exchange) but optional attributes can also be configured individually.

Table of Active Directory fields of the group object

Class	Field name	Description
General	distinguishedName	Distinguished name
General	cn	Common name
General	objectClass	Object class (USER)
General	uSNCreated	Original USN
General	uSNChanged	Current USN
General	whenCreated	Created on
General	whenChanged	Changed on
General	objectGUID	Object GUID
user	Given name	First name
user	sn	Last name
user	name	Display name
user	samAccountName	Login name NT
user	userPrincipalName	Login name
user	description	Description
user	title	Title
user	initials	Initials
user	employeeID	Employee number/ID
user	physicalDeliveryOfficeName	Office name
user	company	Company
user	department	Department
user	streetAddress	Street
user	postalCode	Postal/Zip code
user	postOfficeBox	PO box
user	l	City
user	st	State/province
user	co	Country (name)
user	countryCode	Country code (ISO-3166)
user	c	Country code (ISO-3166)
user	wwwHomePage	Website
user	url	Other websites
user	mail	Business email
user	telephoneNumber	Phone
user	otherTelephone	Other telephone numbers
user	mobile	Mobile
user	otherMobile	Other cellphone numbers
user	facsimileTelephoneNumber	Facsimile
user	otherFacsimileTelephoneNumber	Other fax numbers
user	ipPhone	IP telephone
user	otherIpPhone	Other IP telephone numbers
user	pager	Pager
user	otherPager	Other pagers
user	homePhone	Private phone
user	otherHomePhone	Other private home numbers Phone no.
user	msExchHideFromAddressLists	Do not show in Exchange address lists True = hide null/empty = show
user	thumbnailPhoto	Photo (max. 100kB)
user	accountExpires	Account lifetime Value 0 = Unlimited. Date value is calculated as 100ns interval since 01/01/1601 (UTC).
user	passwordlastset	Last password change as long value (100ns interval since 01.01.1601 UTC
user	userAccountControl Account options
user	info	Comments on user
user	homeDirectory	Base directory
user	lastLoginTimestamp	Last time of login
user	primaryGroupID	Primary group assignment
user	Nsaccountlock
user	uid	Login name (RFC 1274)

Table of Active Directory fields of the group object

Class	Field name	Description
General	distinguishedName	Distinguished name
General	cn	Common name
General	objectClass	Object class (GROUP)
General	uSNCreated	Original USN
General	uSNChanged	Current USN
General	whenCreated	Created on
General	whenChanged	Changed on
General	objectGUID	Object GUID
group	sAMAccountName	Group name (NT)
group	description	Description
group	groupType	Group area/type
group	info	Comment
group	mail	Email
group	memberOf	Member of
group	managedBy	Managed by
group	primaryGroupToken	Primary group assignment

Table of Active Directory fields of the organization object

Class	Field name	Description
General	distinguishedName	Distinguished name
General	cn	Common name
General	objectClass	Object class
General	uSNCreated	Original USN
General	uSNChanged	Current USN
General	whenCreated	Created on
General	whenChanged	Changed on
General	objectGUID	Object GUID
organizationalUnit	name	Name
organizationalUnit	Description	Description
organizationalUnit	gPLink

Intrexx User Manager

The "User" module consists of several database tables and a view to manage the components.

Database table	Function
DSOBJECT	Object management of all objects of the user management
DSORGANIZATION	Organization attributes
DSORGUNIT	Organizational unit attributes
DSCONTAINER	Container attributes
DSDISTLIST	Distribution list attributes
DSGROUP	User group attributes
DSUSER	User attributes
DSROLE	Role assignment table
DSSET	User group assignment table
DSCLASS	Object classes and associated data groups
DSCLASSTITLE	Multilingual object class titles
DSATTRIBUTE	Management of all user management attributes and their properties
DSATTRIBUTETITLE	Multilingual attribute titles
VBLUSER	View from DSUSER and DSOBJECT referring to the users

Field user attributes (DSUSER)

Name	Data Field	Description	Type	Size
-	LID	User ID	Integer
-	STRGUID	User GUID	String	255
LOGIN	STRLOGIN	Login name	String	64
LOGINLWR	STRLOGINLWR	Login name (short description)	String	64
DOMAIN	STRDOMAIN	Domain	String	48
DOMAINLWR	STRDOMAINLWR	Domain (short description)	String	48
TIMEZONE	STRTIMEZONE	Time zone	String	32
FIRSTNAME	STRFIRSTNAME	First name	String	64
LASTNAME	STRLASTNAME	Last name	String	64
MIDDLENAME	STRMIDDLENAME	2. First name	String	64
FULLNAME	STRFULLNAME	Full name	String	172
TITLE	STRTITLE	Title	String	64
GENDER	LGENDER	Gender	Integer
STREET	STRSTREET	Street	String	96
POSTALCODE	STRPOSTALCODE	Postal/Zip code	String	10
POBOX	STRPOBOX	PO box	String	10
CITY	STRCITY	City	String	96
STATE	STRSTATE	State/province	String	32
COUNTRY	STRCOUNTRY	Country	String	32
MAILBIZ	STRMAILBIZ	Business email	String	192
PHONEBIZ	STRPHONEBIZ	Phone	String	40
PHONEMOBILEBIZ	PHONEMOBILEBIZ	Business cellphone number	String	40
PHONEFAX	STRPHONEFAX	Facsimile	String	40
PHONEPAGER	STRPHONEPAGER	Pager	String	40
MAILHOME	STRMAILHOME	Private email	String	192
PHONEHOME	STRPHONEHOME	Private phone	String	40
PHONEMOBILEHOME	STRPHONEMOBILEHOME	Private cellphone number	String	40
BIRTH	DTBIRTH	Date of birth	DateTime
ENTER	DTENTER	Date of entry	DateTime
LOGINATTEMPTS	LLOGINATTEMPTS	Login attempts(V7)	Integer
PWDCHANGED	DTPWDCHANGED	Date password was changed (V7)	DateTime
DEFAULTLANGUAGE	STRDEFAULTLANG	Default language	String	2
MUSTCHANGEPASS	BMUSTCHANGEPASS	User must change password at next login (V7)	Boolean
MUSTNOTCHANGEPASS	BMUSTNOTCHANGEPASS	User cannot change password (V7)	Boolean
PWDEXPIRES	BPWDEXPIRES	Password expires (V7)	Boolean
DEFAULTLOCALE	STRDEFAULTLOCALE	Default locale (V7)	String	50
TIMEZONE	STRTIMEZONE	Time zone	String	32

Organizational attribute fields (DSORGANIZATION)

Name	Data Field	Description	Data type	Size
ID	LID	Organization ID	Integer
STREET	STRSTREET	Street	String	96
POSTALCODE	STRPOSTALCODE	Postal/Zip code	String	10
POBOX	STRPOBOX	PO box	String	10
CITY	STRCITY	City	String	96
STATE	STRSTATE	Province/State/Canton	String	32
COUNTRY	STRCOUNTRY	Country	String	32

Organizational unit fields (DSORGUNIT)

Name	Data Field	Description	Data type	Size
ID	LID	Organizational unit ID	Integer
STREET	STRSTREET	Street	String	96
POSTALCODE	STRPOSTALCODE	Postal/Zip code	String	10
POBOX	STRPOBOX	PO box	String	10
CITY	STRCITY	City	String	96
STATE	STRSTATE	Province/State/Canton	String	32
COUNTRY	STRCOUNTRY	Country	String	32

Object table fields (DSOBJECT)

Name	Data Field	Description	Data type	Size
ID	LID	Object ID	Integer
CONTAINERID	LCONTAINERID		Integer
NAME	STRNAME	Object name	String	128
CLASSID	LCLASSID	Object class ID: 2 = User 3 = Container 5 = Role 6 = User group 7 = Distribution list 8 = Organizational unit 9 = Organization	Integer
GUID	STRGUID	Internal object GUID	String	40
PRIORITY	LPRIORITY	Priority (0 ... 100): 100 = maximum 0 = minimum	Integer
DELETABLE	BDELETABLE	Object is deletable	Boolean
DELETED	BDELETED	Object deleted	Boolean
DISABLED	BDISABLED	Object deactivated	Boolean
INTERNALUSN	LINTERNALUSN		Integer
RPLGUID	STRREPLGUID	Replication job GUID	String	40
DN	STRDN	Distinguished name	String	512
DESCRIPTION	STRDESCRIPTION	Object description	String	512
EXTERNALGUID	STREXTERNALGUID	External object GUID (Active Directory)	String	40
EXTPRIMGRPTKN
EXTPRIMGRPID	LEXTPRIMGRPID	External primary group assignment (primaryGroupID)	Integer

The Intrexx replication profile

LDAP replication profiles in the installation directory cfg/ldapconfig serve to define the replication between LDAP sources and the Intrexx organizational structure.

The replication profiles are XML files that contain a mapping definition for each object type to be transferred. Each object type recorded in the Intrexx organization schema can be replicated. Every attribute is writable.

The <ldap> element (document root node)

Global settings can be made in this element. It is the root element for the XML document.

<ldap xmlns="https://schemas.unitedplanet.de/intrexx/server/ldap/replication/" enablePaging="true">
        …
</ldap>

Parameters	As of version	Description
enablePaging	5.2	This parameter can be used to enable page-by-page querying of LDAP directories. Some directory servers limit the number of entries per result page, e.g. Active Directory to 1000 hits. If you enable this option, the directory server will be instructed to deliver the other pages on demand, not just the first one.
pageSize	7	The pageSize attribute of the ldap element can be used to set the page size for replication.
pageSize	5.2	The system property de.uplanet.lucy.server.usermanager.replication.ldap.pagesize can be used to specify the page size. The default value is 500.

Not all directory servers support page-by-page queries. Setting these options in this case will result in an error.

The <item> element

The <item> element is used to define the mapping between Intrexx object types and LDAP query results. It may include a number of other definition:

<item class="<Target class>" query="<LDAP-Query>" placing="<Placement mode>" [dnfilter="<Filter-Regexp>"]> <attribute source="<Source attribute>"/>
  ...
  <attribute destination="<Target attribute>" source="<Source expression>"/>
  ...
  <call class="<Tool class>" method="<Methode>" [execafterwrite="true|false"]> <parameter type="<Builtin-Parameter>"/>
    ...
    <parameter type="<Java class>" value="<Value>"/>
    ...
  </call>
  ...
</item>

Parameters	Description
Target class	Class name in the Intrexx schema, e.g. USER for user.
LDAP query	LDAP query that is used to query the objects in the external directory. Please refer to https://tools.ietf.org/html/rfc2254 for the definition.
Placement mode	Intrexx provides the following here: parent: Intrexx attempts to determine the correct location in the Intrexx organizational structure based on the placement in the source directory. fixed: Intrexx uses a standard container (e.g. users) as the target container. To be used when you want to replicate only the user objects without the organizational structure. fixed by domain: Intrexx uses a subcontainer of the standard container that corresponds to the domain name of the object. For this to work, the domain attribute of the target object must be filled correctly. dynamic <source expression>: Intrexx determines the corresponding target container from the directory data based on the source expression. The definition of the source expressions can be found in the <attribute> element section.
dnfilter	dnfilter="<Filter-Regexp>" The dnfilter attribute is optional. A regexp pattern can be specified here to filter the objects to be replicated by DN (Distinguished Names), e.g. dnfilter=".ou=Intrexx User."

The <attribute> element

This element exists in two forms: with a target specification, it serves to assign source expressions to Intrexx target fields; without a target specification, it is an instruction to the replication module to also query the specified source attribute, since it will be needed at a later time. If a source attribute is not specified in either variant, it will not be read.

Target attribute:

Attribute of the Intrexx target class

Source attribute:

Attribute of the LDAP object class

Source expression:

<source expression> = [<source attribute>|<function call>]

The expression consists of either an attribute or a function call.

Function call:

<function call>=$functionname([<source expression>[,...]])

A function can have 0-n parameters, which in turn are source expressions. The documentation of the available built-in functions can be found here.

The <call> element

Not every task can be performed via a simple assignment via attribute element. For this reason, there is the option of integrating specialized code by defining calls to Java classes. To parameterize the call, the <call> element can contain 0-n <parameter> elements.

Tool class:

Name of the Java class that contains the static method to be called.

Methods:

Method to be called

execafterwrite attribute:

Defines whether the method takes place immediately or only after the Intrexx object has been written.

The <parameter> element

The parameter element always has a type attribute. This contains either the name of a built-in parameter, which is automatically filled correctly, or the name of a known Java class whose content is defined via the value attribute. At the moment, java.lang.String and the numeric classes built into the JRE are supported here.

Built-in parameters:

Parameters	Description
$destinationitem	Contains the target object (IDs* object) for the element
$dircontext	Contains the LDAP directory context
$domain	Contains the already created domain name for the target object (only available if execafterwrite=true and it is a user object)
$inserted	Contains a flag that specifies whether the target object was new or updated (only available if execafterwrite=true)
$itemconnector	Contains the reference to the instance of the internal class that performs the attribute mapping.
$jdbcconnection	Contains the JDBC system database connection from Intrexx
$login	Contains the already created login name for the target object (only available if execafterwrite=true and if it is a user object)
$replicationconfig	Contains the replication configuration object
$searchresult	Contains the current record in the LDAP search result
$sourceconfig	Contains a source definition object
$usn	Contains the unique number of the current replication run
$dbmanager	Type-dependent DbManager object for editing the Intrexx organization schema

Built-in functions (from Intrexx 5.2 onwards)

The following functions are available at various points:

Function	Intrexx version	Description
$add	5.2	$add(val0, val1) Add two values together
$ansiTime	7.0	$ansiTime(value) Converts a long value (100ns interval since 01/01/1601 UTC) as used in the passwordlastset field.
$bitand	5.2	$bitand(value, bitmask) Compound value with bitmask
$call	6.0	$call(class, method [, param type, param value [...]] Calling an individual method
$case	5.2	$case(value, checkval0, result0[,checkval1, result1...][elseresult]) Case construct
$concat	7.0 OU7	$concat(<string-expression1>, <string-expression2>) Merges two strings together
$datetime	6.0	$datetime(format [, [locale,] timezone], value) Create a timestamp from a string, e.g.: <attribute destination="myDateField" source="$datetime("dd.MM.yyyy", "Europe/Berlin", whenChanged)"/>
$format	5.2	$format(formatstring, value...) Formating a value. The JAVA notation applies to the formatstring.
$generalizedTime	7.0	$generalizedTime(value) Generate a timestamp from a string in generalized time format (YYYYMMDDHHmmSS.fffZ).
$last	5.2	$last(array) Extracts last element from an array $last(value, number) Extracts the last n characters from a string
$length	5.2	$length(value) Returns the length of a string
$lower	5.2	$lower(value) Converts a string to lowercase letters
$null	5.2	$null() Null value
$print	6.0	$print(value-array, separator) Write an array of values into a single field, separator is <separator>.
$replace	7.0 OU7	$replace(<string-expression>, <string to replace>, <string replacement>) Replaces all occurrences of a substring (string to replace) in a string (string expression ) with another string (string-replacement).
$split	5.2	$split(value, delimiter) Splits a string into single strings.
$substring	5.2	$substring(string, beginindex [,endindex]) Extract a part from a string
$trim	7.0 OU7	$trim(<string expression>)
$upper	5.2	$upper(value) Converts a string to uppercase letters

LDAP queries

The definition of LDAP requests is covered in RFC 4515.

RFC 4515

Lightweight Directory Access Protocol (LDAP):

String Representation of Search Filters

https://www.ietf.org/rfc/rfc4517.txt

Syntax and operators

LDAP queries consist of one or more criteria that are linked together using AND or OR operators. The operators are noted at the beginning followed by the search criteria. The search criteria are listed in round brackets, which are again enclosed in round brackets.

AND link:

(& ( S1 ) ( S2 ) … ( Sn ) )

OR link:

(| ( S1 ) ( S2 ) … ( S3 ))

Interleaved links:

Each AND/OR operation can be defined as a single criterion again:

(|(& ( S1 ) ( S2 ))(& ( S3 ) ( S4 ))) corresponds to: (S1 AND S2) OR (S3 AND S4)

Negation:

The negation / reversal of a query is implemented with an exclamation mark:

(! ( S1 ))

Comparison:

A query is compared using an equal sign:

Same	(givenName=Max)
Greater than comparison	(passwordlastset >= 130575614253222449)
Less than comparison	(passwordlastset <= 130575614253222449)
Approximate comparison	(givenName~=Meier)
Defined	(givenName=Max)
Wildcards	(givenName=Max) (givenName=meier*)

Only accounts with login names starting with 8 or 9 (e.g. if the login name is a personnel number and only certain number ranges are to be replicated):

(|(sAMAccountName=8*)( sAMAccountName=9*)

Tips and Tricks

Domains with many objects (> 5,000)

The number of objects per replication or query in Active Directory is limited for security reasons (Windows Server 2008 R2 = Max. 5,000). This limit can be removed by administrators in the Active Directory by configuring the dSHeuristic attribute accordingly. However, this customization is done at your own risk and Microsoft also excludes any liability for this customization.

From Intrexx 6.0 onwards, the ability to process data from the Active Directory block by block has been implemented. The parameter enablePaging is already set to true in the profiles. In this process, 1,000 elements are read per block.

<ldap xmlns=https://schemas.unitedplanet.de/intrexx/server/ldap/replication/enablePaging="true">

Truncate field contents from Active Directory

The Intrexx user data has field length limitations, which under certain circumstances leads to so-called truncation errors during replications because fields in the Active Directory are partially misused and field contents are transmitted that are longer than usual. To counteract this situation, the field lengths in Intrexx can be extended via the Schema Manager, or the contents of the AD fields can be truncated during processing. To be on the safe side, you should provide such delimiters for string fields - even after adjusting the length.

<attribute destination="FIRSTNAME" source="$case(givenName, $null, $null, $format(&quot;%1.64s&quot;,givenName))"/>

In the example, the first name is limited to 64 characters. The corresponding length value must be entered for the position highlighted in blue. With $format, the field content is truncated, and with $case, it is ensured that zero is written into the Intrexx field if the value is missing.

Replication of the superior

The supervisor replication is already predefined in the Active Directory profile templates but commented out by default. If the supervisor is stored under Manager, the section can be activated in the replication profile. The function determines the user in Intrexx based on the assignment in the Active Directory and assigns it.

<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignBoss" execafterwrite="true">  
  <parameter type="$dbmanager"/>
  <parameter type="$destinationitem"/>
  <parameter type="$itemconnector"/>
  <parameter type="$searchresult"/>
  <parameter type="$jdbcconnection"/>
  <parameter type="$usn"/>
  <parameter type="java.lang.String" value="manager"/>
</call>

Replication of user photos

Since Windows 2000, there are attributes for the management of user photos in the Active Directory. However, the photo information can only be used and displayed from the Active Directory as of Outlook/Exchange 2010. The size per photo is limited to 100kB but if there are many employees in a company, the volume to be replicated can become correspondingly high. Microsoft recommends that thumbnail photos have 96 x 96 pixels with a maximum size of 10KB. The photos must also be updated in the Active Directory - i.e. this work must be handled by the administrators. In addition, a procedure must still be in place to document consent from the respective employee to use the photo.

<call class="de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools" method="assignImage" execafterwrite="true">
  <parameter type="$dbmanager"/>
  <parameter type="$destinationitem"/>
  <parameter type="$itemconnector"/>
  <parameter type="$searchresult"/>
  <parameter type="$jdbcconnection"/>
  <parameter type="$inserted"/>
  <parameter type="java.lang.String" value="thumbnailPhoto"/>
</call>

Class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools

Here is an overview of the methods of the class de.uplanet.lucy.server.usermanager.replication.ldap.LDAPImportTools:

assignMembers

public void assignMembers(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException

With this method, members specified in an LDAP attribute of a group object are assigned to the corresponding Intrexx group. The member attribute must contain the group members in an array of distinguished names.

Parameters:

p_item	Intrexx group object
p_connector	Item connector
p_sr	Search result of the LDAP group object
p_conn	Database connection
p_iInternalUsn	Current internal USN
p_strMemberAttr	Member attribute of the LDAP group
p_log	Job log, if available

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignMembersByLoginName

public void assignMembersByLoginName(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDomainQuery, String p_strMemberAttr, JobLog p_log) throws SQLException, NamingException

Parameters:

p_item	Intrexx group object
p_connector	Item connector
p_sr	Search result of the LDAP group object
p_conn	Database connection
p_iInternalUsn	Current internal USN
p_strMemberAttr	Member attribute of the LDAP group
p_log	Job log reference
p_strDomainQuery	User domain query

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignDomain

public void assignDomain(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Assigns a domain specified by the content of an LDAP attribute to an Intrexx object.

Parameters:

p_item	Intrexx item
p_connector	Intrexx item connector
p_sr	LDAP search result
p_conn	Database connection
p_strDomainQuery	LDAP domain query
p_strDomainAttribute	LDAP domain attribute

Throws:

NamingException - when an exception occurs

assignCredentialsWithDomainQuery

public void assignCredentialsWithDomainQuery(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, String p_strLoginAttribute, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Assigns credentials to an Intrexx object and the domain via domain attribute and query.

Parameters:

p_item	Intrexx item
p_connector	Intrexx item connector
p_sr	LDAP search result
p_strDomainQuery	LDAP domain query
p_strDomainAttribute	LDAP domain attribute
p_strDomainAttribute	LDAP login attribute

Throws:

NamingException - when an exception occurs

getDomain

public void getDomain(LDAPItemConnector p_connector, SearchResult p_sr, String p_strDomainAttribute, String p_strDomainQuery) throws NamingException

Throws:

NamingException

assignNameFromLogin

public void assignNameFromLogin(IDsObjectRecord p_record)

Assigns an Intrexx login name as the object name.

Parameters:

p_record

Intrexx user object record

assignPathRoleFromOUAttribute

public void assignPathRoleFromOUAttribute(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strTopOUAttribute) throws Exception

Assigns an object to a group, role or set to be imported with an OUAttribute of the object.

Parameters:

p_item	Intrexx item
p_connector	Intrexx item connector
p_sr	Search result
p_conn	Database connection
p_iInternalUsn	Internal USN
p_strTopOUAttribute	OU attribute

Throws:

Exception - when an exception occurs

makeRelative

public String makeRelative(String p_strBaseDn, String p_strDn) throws InvalidNameException

Throws:

InvalidNameException

findUser

public int findUser(JdbcConnection p_conn, LDAPItemConnector p_itemConnector, String p_strMember, String p_strLogin, String p_strDomain) throws Exception

Parameters:

p_conn	Database connection
p_itemConnector	Intrexx item connector
p_strMember	Member attribute name
p_strLogin	Login name
p_strDomain	Domain name

Returns:

User ID

Throws:

Exception - when an exception occurs

assignBoss

public void assignBoss(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strBossAttr) throws SQLException, NamingException

Assigns the supervisor to an object.

Parameters:

p_dbMan	Database manager
p_item	Item
p_connector	Item connector
p_sr	Search result
p_conn	JDBC connection
p_iInternalUsn	Internal USN
p_strBossAttr	Boss attribute name

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

normalizeName

public static String normalizeName(String p_strName) throws InvalidNameException

Throws:

InvalidNameException

dnForQuery

public static String dnForQuery(String p_strDN) throws InvalidNameException

Throws:

InvalidNameException

assignImage

public void assignImage(IDsDbManager<IDsObjectRecord> p_dbMan, IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, boolean p_bInsert, String p_strImageAttribute) throws Exception

Assigns a user photo.

Parameters:

p_dbMan	Database manager
p_item	Intrexx item
p_connector	Intrexx item connector
p_sr	LDAP search result
p_conn	Database connection
p_bInsert	true for insert, false for update
p_strImageAttribute	LDAP image attribute name

Throws:

Exception - when an exception occurs

assignAsMember

public void assignAsMember(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strMemberOfAttr) throws SQLException, NamingException

Assigns a user to a group set, identified by a user attribute.

Parameters:

p_item	User item
p_connector	LDAP item connector
p_sr	LDAP search result
p_conn	System database connection
p_iInternalUsn	Internal replication USN
p_strMemberOfAttr	"Member of" attribute

Throws:

SQLException - when an exception occurs

NamingException - when an exception occurs

assignDefaultSet

public void assignDefaultSet(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strDefaultSetGuid) throws SQLException

Assigns a user to a default set.

Parameters:

p_item	User item
p_connector	LDAP item connector
p_sr	LDAP search result
p_conn	System database connection
p_iInternalUsn	Internal replication USN
p_strDefaultSetGuid	Default set GUID

Throws:

SQLException - when an exception occurs

assignToSet

public void assignToSet(IDsObjectRecord p_item, LDAPItemConnector p_connector, SearchResult p_sr, JdbcConnection p_conn, int p_iInternalUsn, String p_strSetGUID) throws SQLException

Assigns a user to a set, identified by the given name.

Parameters:

p_item	User item
p_connector	LDAP item connector
p_sr	LDAP search result
p_conn	System database connection
p_iInternalUsn	Internal replication USN
p_strSetGUID	Set GUID

Throws:

SQLException - when an exception occurs

getContainers

public Map<String,IValueHolder<?>> getContainers()

getRoles

public Map<String,IValueHolder<?>> getRoles()

Prevent deactivation of accounts from the domain

When replicating users, their activation state is transferred to the account options. This means, in the same way as whether the account is activated or deactivated in the domain, the user will also be activated or deactivated in Intrexx. The state of the option is determined with the method $bitand and assigned to the Intrexx attribute "DISABLED".

<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>

If you would like to independently determine which account should be active after replication in Intrexx, the statement in the replication profile must be commented out or removed.

Replicate date fields

There are two dates in an Active Directory that are stored in the format yyyy-MM-ddTHH:mm:ss.000: the date for the creation (whenCreated) and the date of the last change (whenChanged) of the account. Further date information, such as the date of birth or entry date, is not provided and must be defined additionally. To transfer such date information into Intrexx, the following construct can be applied in the replication profile. As an example, it fills the date of birth in Intrexx with a date value from the Active Directory. BIRTHDAY stands for the attribute name from the Active Directory.

<attribute destination="BIRTH" source="$case(BIRTHDAY, $null, $null, $datetime(&quot;dd.MM.yyyy&quot;, &quot;Europe/Berlin&quot;, $case(BIRTHDAY, $null, &quot;01.01.1900&quot;, BIRTHDAY)))"/>

Fix domain when replicating

In larger corporate structures with continuous acquisitions or mergers, there are also extensions and restructurings in the Active Directory. It is not uncommon for these to happen during ongoing operations or for the new domain to be integrated and then gradually converted. Often, this reconstruction follows the organizational reconstruction. This has its pitfalls because actually a domain should be consolidated before it is included. The following example was the solution in a replication scenario where two user objects from two different domain replications contained the same domain in the user attribute "Domain". During replication, the user name is now used and the domain information is fixed per replication (domain) and not read from the AD field.

<!-- Replication of the user with a fixed domain -->
        <attribute destination="LOGIN" source="sAMAccountName"/>
        <attribute destination="LOGINLWR" source="$lower(sAMAccountName)"/>
        <attribute destination="DOMAIN" source="&quot;meinedomain.de&quot;"/>
        <attribute destination="DOMAINLWR" source="&quot;meinedomain.de&quot;"/>

Write fixed value to a field

To generally write a fixed value into a field during replication - independent of an LDAP field - the string must be enclosed with " in the source attribute.

<attribute destination="TYPE" source="&quot;Text&quot;"/>

Evaluate UserAccountControl

The Active Directory attribute UserAccountControl contains various settings that in most cases are only relevant for control in the domain. Intrexx already uses the option "User account deactivated" from this by default. If some of the options are to be replicated due to workflow controls or for information purposes, corresponding "Boolean" attributes must be created beforehand in the Intrexx Users module (User attribute).

Label	Hex
The login script was executed	0x00000001
User account deactivated	0x00000002
Home directory required	0x00000008
No password required	0x00000020
Password never expires	0x00010000
User must authenticate with smartcard	0x00040000
Computer account that is a member of this domain	0x00001000
Computer account for a system backup domain controller that is a member of this domain	0x00002000

The hex value must be specified as the second parameter in the $bitand function. The first parameter is always the attribute from the Active Directory (userAccountControl):

<attribute destination="DISABLED" source="$bitand(userAccountControl,2)"/>
  <-- Example for retrieving "No password required"
  <attribute destination="NOPWREQ" source="$bitand(userAccountControl,20)"/>

Report replication error

A corresponding email address must be entered in the execution options in each LDAP job in order to detect, analyze and correct error-related interruptions at an early stage. Select the "Error" setting in "From status".

Replicate multiple domains into one portal

If multiple domains are synchronized into a portal, a job should be designated that is configured as the initial replication that is executed automatically. The replication jobs for the remaining domains are executed sequentially starting from this first job by defining a chain of subsequent jobs. This prevents overlapping of the individual replication jobs, which could cause performance problems or locking situations on the database.

The subsequent jobs can be configured in the corresponding replication job in the task scheduler. When you edit the schedule, a group can be defined for each job and the LDAP job can be added. Attention: There may be only one LDAP job per group. All entries of a group are executed in parallel!

If one of the replications in the chain causes an error, all subsequent replications are not executed. To prevent this, the setting "Start subsequent processes even in case of error" can be activated.

Any errors that occur should be reported by email and then corrected promptly so that even failed replications are completed again when they are executed again.

Replication without an organizational structure

Replication in Intrexx creates an image of the Active Directory.

However, replication only works 1:1 if the "Import organizational structure" setting is set for the import job. Users are assigned to their respective organizational unit (parent) during import. If the organizational units were not imported before, they cannot be assigned. Therefore, users are not imported. Only users and user groups that are not assigned to an organizational unit in the Active Directory are imported.

Importing all users without the organizational structure works only by adjusting the profile. The adjustment should be made only on the copy of an existing profile.

Replace the word parent with fixed by domain in each of the following two places:

<item class="USER" query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)))" placing="parent">
<item class="GROUP" query="(&amp;(objectClass=Group)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">

After this change has been made, users and user groups are also imported without organizational units and included in the default container for new users, which is defined in the "Users" module via the "Users / Configuration" main menu.

Replication of users of a user group

If you want to restrict the replication of users to a user group, you need to adjust the profile for replication.

Here you can add the condition "memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=en))" to the user query, e.g. for the group "Support".

<main use-usns="false" path-separator-char=","escape-char="\" user-query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)(memberOf=CN=Support,OU=Support,DC=unitedplanet,DC=de))" group-query="(objectClass=Group)" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />

If all inherited permissions (i.e. all objects that are members of the specified group) are also to be taken into account during replication, a special filter can be added to the query statement when querying a Windows domain from Windows Server 2003 SP2:

<main use-usns="false" path-separator-char="," escape-char="\" user-query="(&amp;(objectClass=User)(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SUPPORTER,OU=Team-Gruppen,DC=meinedomain,DC=org)(!(cn=*$)))" group-query="(&amp;(objectClass=Group)" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />

If the replication of user groups should also be restricted, the condition (name=SUPPORTER) can be added to the group query.

<main use-usns="false" path-separator-char="," escape-char="\" user-query="(&amp;(objectClass=User)(objectCategory=Person)(!(cn=*$)))" group-query="(&amp;(objectClass=Group)(name=SUPPORTER))" unit-query="(objectClass=organizationalUnit)" domain-query="(objectClass=domain)" />

You can find more information about special LDAP filters here:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Replication without user groups and distribution lists

If the user groups or distribution lists from the Active Directory cannot be used meaningfully in Intrexx, it is also possible to import only the users and the organizational structure. The user groups can also be defined in Intrexx and the users assigned from the Active Directory. However, the maintenance of the assignment must always take place in Intrexx and this is a corresponding administrative effort. In an existing replication profile, the two responsible blocks can be commented out as follows:

<!—Deactivate group replication
 <item class="GROUP"
 …
 </item>
 -->
 <!—Deactivate group replication
 <item class="DISTLIST"
 …
 </item>
 -->

Actions after a replication

It may well be useful to perform subsequent maintenance on the replicated users after replication. An important action after replication is to perform indexing for the search engine.

That means, as a subsequent job after user replication, the application indexing "User/User search" should be executed so that both new users and changed users can be found via the search.

Another downstream action is the analysis of certain data in the user and the definition of additional data or assignments dependent on it. An example is the creation of an additional attribute "sort name" for users. This should contain the name in the form "Last name, First name" to use it in drop-down lists, for example. A process executed after replication can use Groovy to combine the first and last name appropriately and write back to the additional attribute in the user.

In a second example, an attribute is replicated from the Active Directory that contains an organizational characteristic such as the cost center or an organizational abbreviation. Based on this characteristic, the user is now to be assigned to a specific permissions object (group, role) or organizational object (organizational unit). In this way, administration can be partially automated if the AD structure does not provide usable structures and permissions objects for the portal.

Use a timer event source with a connection to the user data group to define a post-replication process. It is imperative that the event source is deactivated, as this is not to be executed periodically but via the follow-on event chain of the replication job. This is possible via the main menu "Edit/Disable Element" if the timer is marked on the workspace. Then save the process.

A Groovy action is executed via the event handler associated with the timer, which can be used to handle the respective user object.

def l_intUserId = g_record["E3911A1A0198AFAD87AE026B161B7F7F202D557A"].value
/* datafield (PK) (S) User ID <integer> */
def l_strFirstname = g_record["71F6E73DF87EF94D5B2CB5F6946C7CC4093D876C"].value /* datafield Firstname <string> */
def l_strLastname = g_record["22BF94B5B5D9794429B741D8FD42128CC5E93A62"].value /* datafield Lastname <string> */
// Create sortname
def l_strSortname = l_strLastname + ", " + l_strFirstname
//Update of user record
g_dbQuery.executeUpdate(conn, "UPDATE DSUSER SET STR_SORTNAME = ? WHERE LID = ?") {
	setString(1, l_strSortname)
	setInt(8, l_intUserId)
	}		
}

If Intrexx Share is installed in the portal, a profile update can also be executed after the replication to take into account name changes, for example. To do this, you must first check whether a profile exists for the current user.

With the following Groovy script, the GUID of the user can be used to check whether a profile record exists in Intrexx Share. If this is the case, the output "profile_exist" is triggered, which subsequently executes a data group action to update the corresponding fields in the profile.

def conn = g_dbConnections.systemConnection
	def l_strUserGuid = g_record["ACF15A10BE183A1EFBC7EF8C462069428F1E4663"].value
	/* datafield Guid <string> */
	if(l_strUserGuid != null)
	{
		def l_intShareProfile = g_dbQuery.executeAndGetScalarIntValue(conn, "SELECT COUNT(*) FROM DATAGROUP('198F73334DF58D0996897A5D7EF8DB12E6727E8D') WHERE STRID = ? AND B_DELETED = ?", 0)
		{
			setString(1, l_strUserGuid)
			setBoolean(2, false)
		}
		if(l_intShareProfile > 0)
		{
			return profile_exist
		}
}

Limited replication of groups

To replicate only certain groups that follow a certain naming convention, the query for the group objects (also for any other object type) can be customized. In the example, all groups starting with "IX_" in the name are replicated.

If the groups in turn contain memberships in other groups or permissions objects that are relevant for the assignment of users, it must be carefully checked whether loopholes open up when the objects are replicated in a limited manner.

<item class="GROUP" query="(&amp;(objectClass=Group)(cn=IX_*)(groupType:1.2.840.113556.1.4.803:=2147483648))" placing="parent">

Frequent error messages

Unprocessed continuation reference(s)

Since the LDAP import interface of Intrexx is also compatible with OpenLDAP, a function is called that is not correctly implemented with Microsoft Active Directory. The LDAP referrals are not implemented by Microsoft in a standard-compliant way. Therefore, this warning message occurs when importing from Microsoft Active Directory. The message is in many cases inconsequential and does not cause an error during import. In rare cases, however, it may be an indication of a break. In any case, you should check the replication result (compare the number of objects in the AD against the number of replicated objects).

WARN 2008-06-19 11:29:44,110 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ‘DC=unitedplanet,DC=de'

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2784)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)

at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)

at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)

at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)

WARN 2008-06-19 11:29:45,637 - de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator[UserReplicationWorker]

Data truncation

This is not an error on the part of Intrexx. User import does not work because there are entries in Active Directory that are too long in one or more records. The maximum field length of the corresponding target data field in the Intrexx Users module is too small or the Active Directory entry is too long.

Possible solutions to prevent an error and termination of replication can be found in the section "Truncate field contents from Active Directory".

Import job finished with errors:

de.uplanet.jdbc.StandardDbException: Error: 0, SQLState: 22001: Data truncation

at de.uplanet.jdbc.sqlserver.SQLServerDescriptor.convertException(Unknown Source)

at de.uplanet.jdbc.JdbcPreparedStatement.executeUpdate(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager._doUpdateInsert(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.insert(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJobController$1.run(Unknown Source)

03.12.2008 15:17:54: *** ERROR OCCURED, JOB STOPPED ***

Class DISTLIST is not castable to the class GROUP

This error occurs when the class of an object in Active Directory is changed. When an object is created, its function is defined by the class (user group or a distribution list).

The conversion of an object such as a distribution list group into a user group or vice versa has effects on Intrexx and the objects replicated there. In the Active Directory, the objects are distinguished by a flag whereas in Intrexx, each object type is managed in its own data group. A conversion results in a replication error:

Error when processing search result:

mail=adresse@domain.de

objectGUID;binary=[B@64250a59

name=Objektbezeichnung

memberOf=CN=Benutzer,OU=Empfänger,DC=row,DC=domain,DC=de

primaryGroupToken=5338

de.uplanet.lucy.usermanager.DsRuntimeException: The dest ds class DISTLIST is not castable to the class GROUP

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.select(Unknown Source)

at de.uplanet.lucy.server.usermanager.ds.managerimpl.DsDbManager.selectFullRecord(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.b(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)

at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)

at org.quartz.core.JobRunShell.run(JobRunShell.java:213)

at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

Connection timed out: connect

This error occurs when the specified domain controller is unreachable. This may be caused by lack of access permissions to the server or blocked ports. If the error occurs while a replication job is running and has already been successfully set up, the cause may be a server failure or a changed IP address or access permissions. It is important, especially in large organizations with multiple independently maintained domains, that changes are coordinated to avoid such problems.

20.07.2014 22:17:36: *** User Replication Job 912496D87C849A5D109ED500F0D696A01B60D680 STARTED ***

Configuration:06C3620E8A4A3AB57992EF33A0263409CE7727C9 / DOMAIN

javax.naming.CommunicationException: 192.168.10.100:389 [Root exception is java.net.ConnectException: Connection timed out: connect]

at com.sun.jndi.ldap.Connection.<init>(Connection.java:209)

at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)

at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)

at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)

at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

at javax.naming.InitialContext.init(InitialContext.java:223)

at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.a(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.ldap.LDAPReplicator.replicateIncremental(Unknown Source)

at de.uplanet.lucy.server.usermanager.replication.UserReplicationJob.doWork(Unknown Source)

at de.uplanet.lucy.server.scheduler.AbstractJob.execute(Unknown Source)

at org.quartz.core.JobRunShell.run(JobRunShell.java:213)

at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

Caused by: java.net.ConnectException: Connection timed out: connect

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)

at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)

at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)

at java.net.Socket.connect(Socket.java:529)

at java.net.Socket.connect(Socket.java:478)

at java.net.Socket.<init>(Socket.java:375)

at java.net.Socket.<init>(Socket.java:189)

at com.sun.jndi.ldap.Connection.createSocket(Connection.java:351)

at com.sun.jndi.ldap.Connection.<init>(Connection.java:186)

... 18 more

20.07.2014 22:17:57: *** ERROR OCCURRED, JOB STOPPED ***

Tools

The search dialog of the Jxplorer is useful for testing a query.

Websites tool

Apache Directory Studio: https://directory.apache.org/studio/

LDAP Adnub: http://www.ldapadmin.org/