AD query


A customer has an AD driver without groups synchronization. And I want
to recover all the groups that the user has in the AD, I think the best
way is with an XPATH query, but I have never used it before, so I'm quite
lost.

I have tried with
<token-xpath expression="query:readObject($srcQueryProcessor, association, @src-dn, @class-name, 'memberOf')"/>
But this only returns the groups that the user has in eDirectory


--
kiekurt
------------------------------------------------------------------------
kiekurt's Profile: https://forums.netiq.com/member.php?userid=1394
View this thread: https://forums.netiq.com/showthread.php?t=53429

  • On 5/5/2015 7:24 AM, kiekurt wrote:
    >
    > A customer has an AD driver without groups synchronization. And I want
    > to recover all the groups that the user has in the AD, I think the best
    > way is with an XPATH query, but I have never used it before, so I'm quite
    > lost.
    >
    > I have tried with
    > <token-xpath expression="query:readObject($srcQueryProcessor, association, @src-dn, @class-name, 'memberOf')"/>
    > But this only returns the groups that the user has in eDirectory


    This is why there are tokens like Destination Attribute (or the Query
    token).

    No need to do it all in the old way.

    However, you have a different problem. The Member attribute on Groups,
    and memberOf (which is not a real attribute in AD, and I think depends
    on the AD version if you will get it back) attribute are type="dn" which
    has some implications.

    When the query comes back, in the ITP it will look good, but when the
    association processor handles it, if the member (or group) named as the
    DN is not available in the IDV you will get a message "Unable to
    synchronize reference to <insert DN here>".

    This means your query will likely look good going out, start coming back
    ok, and then seem empty when it gets back to your policy.

    What is typically done is to detect a special query case in the OTP, tag
    on an Op Property, then in the ITP, if the <instance> event has the
    specific op-property then reformat op attr the attribute, and simply use
    the variable current-value in the token. (What that does is reformat
    the type="dn" to type="string") and now it will be a string and come
    back. (The DCS driver does this, and if you look in a modern driver, you
    will see two policies in Schema map, one before, one after that changes
    the DN types to strings).
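
The two rules Geoff describes, written out as an added DirXML-Script example (not code from the thread or from any shipping driver): an OTP rule that tags the outbound memberOf query with an operation property, and an ITP rule that converts the returned values from type="dn" to type="string" before the association processor sees them. The property name memberOf-query is an assumption, as is that the property is carried through to the returned <instance>.

```xml
<!-- Output Transformation Policy: tag the query that asks for memberOf -->
<policy>
  <rule>
    <description>Tag memberOf query with an op property (assumed name: memberOf-query)</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">query</if-operation>
        <!-- only queries that request the memberOf attribute -->
        <if-xpath op="true">read-attr[@attr-name='memberOf']</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-set-op-property name="memberOf-query">
        <arg-string>
          <token-text>true</token-text>
        </arg-string>
      </do-set-op-property>
    </actions>
  </rule>
</policy>

<!-- Input Transformation Policy: rewrite DN-typed values as plain strings -->
<policy>
  <rule>
    <description>Reformat memberOf from type="dn" to type="string" on tagged instances</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">instance</if-operation>
        <!-- fire only for responses to the query tagged in the OTP -->
        <if-op-property name="memberOf-query" op="equal">true</if-op-property>
      </and>
    </conditions>
    <actions>
      <!-- current-value holds each original value; emitting it as type="string"
           keeps the DN text but stops the association processor from trying
           to resolve it against the IDV -->
      <do-reformat-op-attr name="memberOf">
        <arg-value type="string">
          <token-local-variable name="current-value"/>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
</policy>
```

The values that reach the policy are then raw AD DN strings, so anything downstream that compares them against IDV objects has to do its own lookup.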





  • Hi,

    in addition to what geoff already pointed out:

    reading the memberOf Attribute will work (at least with functional level > 2008),
    however, you can't write to that attribute.

    memberOf is not a real attribute instead it is a backlink constructed
    from the member attribute of the group.
    If you want to set group memberships you have to add the user to the
    group and not the group to the user.

    Regards


    --
    fwitt
    ------------------------------------------------------------------------
    fwitt's Profile: https://forums.netiq.com/member.php?userid=8759
    View this thread: https://forums.netiq.com/showthread.php?t=53429

  • On 5/5/2015 10:04 AM, fwitt wrote:
    >
    > Hi,
    >
    > in addition to what geoff already pointed out:
    >
    > reading the memberOf Attribute will work (at least with functional level > 2008),
    > however, you can't write to that attribute.

    > memberOf is not a real attribute instead it is a backlink constructed
    > from the member attribute of the group.
    > If you want to set group memberships you have to add the user to the
    > group and not the group to the user.


    Agreed. The initial question was about reading memberOf, with those
    caveats. What you can do is query for Groups, whose member=DN of user
    in AD to get that list as well. (Which is what AD is doing, a dynamic
    query, when you look at it).