Novell LDAP to Active Directory Migration

[bfmooz]

I'm really hoping that someone has done this migration before and encountered the same problem...we're running out of ideas.

So we are in the middle of a migration from Novell eDirectory to Active Directory.  I am handling the Cognos side of the migration.  Prior to beginning this process, all users and security groups were recreated in Active Directory.  The users were reassigned to the new AD groups as they were in Novell.  Here is what I've done in Cognos:

- Created a new resource/namespace in Cognos Configuration and assigned the new values for Active Directory per IBM's instructions...test OK
- In Cognos Administration, I've remapped the new Active Directory groups to the Cognos security groups
- In Cognos Connection, I've remapped package and report access to the new groups
- Removed the old LDAP groups, removed the LDAP source from Cognos Configuration, removed the old LDAP as an authentication source in Cognos Administration

After all of this was done, my users still cannot access reports or packages.  For my query users, they can see the packages in Cognos Connection, but cannot select them as usable packages when launching Query Studios.  For consumers, they can navigate to the packages and within the folders, but when they click on the report to run, they receive an error message that they do not have access to the package.  I've validated every step from Public Folders down to the individual reports that the security is correct and that there are no overrides that could be creating a problem.  Interestingly enough, only my administrators, who have access to every Cognos group, can run these reports.

I've validated that these users have exactly the same access settings that they had in the previous LDAP environment.  Any suggestions on what may be causing this problem?

I should note that we have a production environment (8.2) and a QA environment (8.4) that both react the same way.

[bfmooz]

Just a new followup on this one...in digging through the audit tables, I noticed that an error was being logged for this when a user failed to access the report.  Here is the error:

RSV-SRV-0066 A soap fault has been returned. QE-DEF-0313 An error occurred while calling the content store for the model: '/content/package[@name='Job Cost Reporting']/model[@name='model']' information.
CCL-RCI-0005 Content Manager is looking for a trusted request.
The error messages from WASP engine:
CM-REQ-4011 You do not have permission to access the object "/Public Folders/Job Cost Reporting/model".


I assume the model being referred to here is the underlying model.xml file for the package.  I've checked this file to insure that there are no references internally to the old LDAP source.  Does anyone know where permissions to this physical file in Cognos are actually viewed?  I've used CMTools.exe and see the file there and it shows the actual permissions such as execute, traverse, etc.  but doesn't show the group permissions.

[SomeClown]

have you tried republishing a package after the change?

[bfmooz]

Yes.  I believe I've found the solution to the problem.

After publishing the package, I clicked on properties and permissions and made sure the new active directory groups were assigned.  This only seems to set the permissions on the "folder" container for the package.  There is another permissions set that needs to be changed.  If you select "More..." next to the package, there is an option to "Modify the configuration of the package".  There is another permissions tab here that was still set to the old LDAP groups.  I'm guessing this is the object level security settings for the package.  Once I changed these as well, everything worked fine.

[pratyush]

I'm really hoping that someone has done this migration before and encountered the same problem...we're running out of ideas.

So we are in the middle of a migration from Novell eDirectory to Active Directory.  I am handling the Cognos side of the migration.  Prior to beginning this process, all users and security groups were recreated in Active Directory.  The users were reassigned to the new AD groups as they were in Novell.  Here is what I've done in Cognos:

- Created a new resource/namespace in Cognos Configuration and assigned the new values for Active Directory per IBM's instructions...test OK
- In Cognos Administration, I've remapped the new Active Directory groups to the Cognos security groups
- In Cognos Connection, I've remapped package and report access to the new groups
- Removed the old LDAP groups, removed the LDAP source from Cognos Configuration, removed the old LDAP as an authentication source in Cognos Administration

After all of this was done, my users still cannot access reports or packages.  For my query users, they can see the packages in Cognos Connection, but cannot select them as usable packages when launching Query Studios.  For consumers, they can navigate to the packages and within the folders, but when they click on the report to run, they receive an error message that they do not have access to the package.  I've validated every step from Public Folders down to the individual reports that the security is correct and that there are no overrides that could be creating a problem.  Interestingly enough, only my administrators, who have access to every Cognos group, can run these reports.

I've validated that these users have exactly the same access settings that they had in the previous LDAP environment.  Any suggestions on what may be causing this problem?

I should note that we have a production environment (8.2) and a QA environment (8.4) that both react the same way.

Hi

Have you implemented the LDAP authentication at the Cognos Connection again ?? If yes then have you published all the packages on the Cognos Connection by using the LDAP authentication i.e the authors have being also being authenticated by the LDAP ?

Check out these ... it should work ........ !

Cheers ....