Managing AD Group Placement

over 14 years ago

Problem

A Forum reader recently asked:

"I am working on an eDir to AD driver. I would like to get users automatically placed in a group in AD, based on what is in their description attribute. The groups are created in AD, and I do not want Group Sync to create or manage the same group in eDirectory. I simply want my AD driver to read the description attribute and put a user in a group based on that entry. Is this possible without Group Sync? If so, what would the policy syntax be?"

And here's the response from Father Ramon ...

Solution

Using RBE is one option that you could use without changing the policies at all, as long as you enable the group entitlement when you import the driver configuration.

If you're not using RBE, then something like this in the subscriber command transformation should work:

<policy xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor">
  <rule>
    <description>Add New User to Groups based on Description</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <token-op-attr name="Description"/>
        </arg-node-set>
        <arg-actions>
          <do-for-each>
            <arg-node-set>
              <token-xpath expression="$current-node[. = 'Description for Group1']"/>
            </arg-node-set>
            <arg-actions>
              <do-add-dest-attr-value class-name="Group" name="Member">
                <arg-dn>
                  <token-text>cn=group1,ou=people,o=novell</token-text>
                </arg-dn>
                <arg-value type="string">
                  <token-dest-dn/>
                </arg-value>
              </do-add-dest-attr-value>
            </arg-actions>
          </do-for-each>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
  <rule>
    <description>Update Group Membership when Description changes</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation mode="case" op="equal">modify</if-operation>
        <if-op-attr name="Description" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="userdn" scope="policy">
        <arg-string>
          <token-xpath expression='query:readObject($destQueryProcessor, association, "", "User", "")/@src-dn'/>
        </arg-string>
      </do-set-local-variable>
      <do-for-each>
        <arg-node-set>
          <token-removed-attr name="Description"/>
        </arg-node-set>
        <arg-actions>
          <do-for-each>
            <arg-node-set>
              <token-xpath expression="$current-node[. = 'Description for Group1']"/>
            </arg-node-set>
            <arg-actions>
              <do-remove-dest-attr-value class-name="Group" name="Member">
                <arg-dn>
                  <token-text>cn=group1,ou=people,o=novell</token-text>
                </arg-dn>
                <arg-value type="string">
                  <token-local-variable name="userdn"/>
                </arg-value>
              </do-remove-dest-attr-value>
            </arg-actions>
          </do-for-each>
        </arg-actions>
      </do-for-each>
      <do-for-each>
        <arg-node-set>
          <token-op-attr name="Description"/>
        </arg-node-set>
        <arg-actions>
          <do-for-each>
            <arg-node-set>
              <token-xpath expression="$current-node[. = 'Description for Group1']"/>
            </arg-node-set>
            <arg-actions>
              <do-add-dest-attr-value class-name="Group" name="Member">
                <arg-dn>
                  <token-text>cn=group1,ou=people,o=novell</token-text>
                </arg-dn>
                <arg-value type="string">
                  <token-local-variable name="userdn"/>
                </arg-value>
              </do-add-dest-attr-value>
            </arg-actions>
          </do-for-each>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>


You'll need to duplicate each of the innermost for-each loops for each description you want to map to a group.

You will also need Description in the Subscriber filter as either notify or sync (depending on whether you are also synchronizing it). To update Users that already exist on both sides, you will need to set the merge-authority for Description to eDir and perform a migrate or resync on the Users.
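The two rules above do the same thing in two situations: on an add, each Description value that exactly matches a known string produces a Member add on the corresponding group; on a modify, removed values produce Member removes and added values produce Member adds, with the removes processed first. The following is an added model of that logic in Python, written for this page and not part of the driver or of Father Ramon's policy. The second mapping entry, the user DN, and the "apply to a membership table" step are constructed for illustration; the real policy reads the user's DN from the destination via the association query, which the model takes as a parameter.

```python
"""Model of the Description-to-group placement logic in the policy above.

Added example for this page, not driver code. It shows why the policy loops
over removed values before op-attr values, and that Description values that
match no mapping are simply ignored (exact match, like the XPath predicate).
"""
from dataclasses import dataclass

# Constructed mapping of exact Description value -> AD group DN.
# The first entry is the one used in the policy; the second is assumed.
DESCRIPTION_TO_GROUP = {
    "Description for Group1": "cn=group1,ou=people,o=novell",
    "Description for Group2": "cn=group2,ou=people,o=novell",
}


@dataclass(frozen=True)
class MemberOp:
    """One do-add-dest-attr-value / do-remove-dest-attr-value on Member."""
    op: str          # "add" or "remove"
    group_dn: str    # the <arg-dn> of the Group object
    member_dn: str   # the <arg-value>, i.e. the user's destination DN


def groups_for(values):
    """Exact-match lookup of Description values; unmapped values are skipped.

    Returns group DNs in first-seen order without duplicates, so two values
    mapping to the same group yield a single operation.
    """
    groups = []
    for value in values:
        group = DESCRIPTION_TO_GROUP.get(value)
        if group is not None and group not in groups:
            groups.append(group)
    return groups


def on_add(user_dn, description_values):
    """Rule 1: a new User is added to every group its Description maps to."""
    return [MemberOp("add", g, user_dn) for g in groups_for(description_values)]


def on_modify(user_dn, removed_values, added_values):
    """Rule 2: removed Description values -> Member removes, then added values -> Member adds.

    `user_dn` stands in for the `userdn` variable the policy fills from
    query:readObject on the association, since the modify event itself has no
    destination DN on it.
    """
    ops = [MemberOp("remove", g, user_dn) for g in groups_for(removed_values)]
    ops += [MemberOp("add", g, user_dn) for g in groups_for(added_values)]
    return ops


def apply_ops(memberships, ops):
    """Apply operations in order to a {group_dn: set(member_dn)} table (constructed stand-in for AD)."""
    result = {g: set(members) for g, members in memberships.items()}
    for op in ops:
        members = result.setdefault(op.group_dn, set())
        if op.op == "add":
            members.add(op.member_dn)
        else:
            members.discard(op.member_dn)
    return result


if __name__ == "__main__":
    user = "cn=jdoe,ou=users,dc=example,dc=com"  # constructed destination DN
    state = apply_ops({}, on_add(user, ["Description for Group1"]))
    print("after add:   ", state)
    state = apply_ops(state, on_modify(user, ["Description for Group1"], ["Description for Group2"]))
    print("after modify:", state)
```

Because the policy runs the removed-value loop before the op-attr loop, a modify that replaces a value with the same value removes and then re-adds the membership, so the user stays in the group; reversing the two loops would drop the membership on such a no-op change.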

Labels:

How To-Best Practice