Fan-out Census population limitation/question


Hello all,

I was looking for a way to populate the Census of the Fan-Out driver in
a more 'scoped' way.

Current setup :
Windows Coredriver build 3.6.1.22 140414

Toplevel I have an ou=Data, with beneath that an ou=Users and an
ou=Groups (nothing fancy)
Group naming is based on a prefix so that a driver ( in my case 3
different prefixes: 'ads' , 'lin' and 'sql') can be scoped on the
prefix.
Currently the Search-object is defined as searching from ou=Data, so all
underlying groups are now present in the census ( still as
designed/should be)
But as assumed I also get the unwanted groups in the census, and they are
accordingly synched to the linux client machine ... it's kinda
'polluting' my /etc/group


Is there a way to 'scope' the Census searchobject so that it would only
pick up the groups starting with the 'lin' prefix?

I have already tried to make a dynamic group that has a searchfilter
(

  • Another idea I pass onto a lot of users that want to achieve more
    complex fan-out implementations that are simply difficult to do without
    the use of policy, is to create a fan-out loopback driver that bridges
    the gap between your real container and your "fanout" container. In the
    loopback, you can put all your logic for "staging", including
    transformation of data, scoping, etc., and let the fan-out driver just
    key off of this new container. There's duplication involved, but it
    gives you much more flexibility and a way to leverage the power of IDM
    policy.

    abergvall;251936 Wrote:
    > Hello,
    >
    > I would probably put the census searchobject to only look for the users,
    > and then create a search group for each of the groups you want to send
    > out to the linux boxes. Make sure those are not included in the census
    > itself (selectable on the search object) and also put "expand users" on
    > the group searchobject. Then you will get all users to the census the
    > groups you have selected. On the linux boxes you will get the users that
    > are covered by a group the group with members.
    > Then you select to what platformsets to attach the searchobjects to ->
    > you can have different userbase on different platformsets.
    >
    > Selecting only some groups by some search thingy will not work.
    >
    > I might have completely misunderstood your question though :)
    >
    > br
    > /Anders



    --
    jgrieshop
    ------------------------------------------------------------------------
    jgrieshop's Profile: https://forums.netiq.com/member.php?userid=483
    View this thread: https://forums.netiq.com/showthread.php?t=52386


  • Thanks for the suggestions

    I will test out the one made by abergvall,

    The other suggestion made by jgrieshop is also a solution, however in my
    case the duplication is considered 'unwanted', so I'll keep it in my
    mind and only go down that road if there is no other way.



    In some more digging in the (eDirectory) searchobject itself I found an
    unvalued attribute 'ASAM-SearchObjectFilter', which (looking at its
    name) might be what I'm after.
    The difficulty in this is that I cannot find any information other than
    the OID of the attribute, so no clue what to value it with, and how it
    would interact with the searchobject itself.

    Under the assumption of it applying an LDAP filter to the search I have
    been trying out some options, then tracing the LDAP queries made to
    eDir, but I can't see any differences (or errors).

    The only difference I have noticed is that the iManager page for the
    searchobject, when clicking through on the one which has a valued
    ASAM-SearchObjectFilter, isn't showing its content when trying to view
    it.

    Any ideas about the attribute and its possible
    value(s)/format/interaction with the searchobject ?

    - Michael


    --
    Shadowm
    ------------------------------------------------------------------------
    Shadowm's Profile: https://forums.netiq.com/member.php?userid=6005
    View this thread: https://forums.netiq.com/showthread.php?t=52386


  • abergvall;251936 Wrote:
    > Hello,
    >
    > I would probably put the census searchobject to only look for the users,
    > and then create a search group for each of the groups you want to send
    > out to the linux boxes. Make sure those are not included in the census
    > itself (selectable on the search object) and also put "expand users" on
    > the group searchobject. Then you will get all users to the census the
    > groups you have selected. On the linux boxes you will get the users that
    > are covered by a group the group with members.
    > Then you select to what platformsets to attach the searchobjects to ->
    > you can have different userbase on different platformsets.
    >
    > Selecting only some groups by some search thingy will not work.
    >
    > I might have completely misunderstood your question though :)
    >
    > br
    > /Anders


    Having taken your suggested method to the test I switched it around the
    other way: I put the wanted groups in the searchobject (and census),
    and created a searchobject for the users at the base of the
    ou=Users,ou=Data,o=<org> (not in Census). This got my census filled
    with the correct data, and on the serviced platform the correct groups
    are then available by default (to hook rights on the platform to them).
    The members are created/synched when they get added to the groups
    specified in the Census/searchobject.

    Many thanks on thinking along with me here, it led me to a solution that
    will do just fine.

    The only (very minor) downside of course is that when an additional group is
    created it will have to be manually created as a searchobject/added to
    the Census.

    - Michael


    --
    Shadowm
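
A check for the Linux side of the scoping discussed in this thread, as an added example that is not part of any post: it lists entries in a group(5)-format file whose names start with a prefix meant for another driver. The prefixes `ads` and `sql` come from the thread; the function name `leaked_groups` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report groups that reached a Linux
# platform although their name prefix belongs to a different driver.

# leaked_groups FILE [PREFIX...]
# Prints "name:gid:member-count" for every group in FILE (group(5) format)
# whose name starts with one of the unwanted prefixes.
# Default prefixes are 'ads' and 'sql', the non-Linux prefixes named in the thread.
leaked_groups() {
    file=$1; shift
    [ $# -gt 0 ] || set -- ads sql
    prefixes=$*
    awk -F: -v prefixes="$prefixes" '
        BEGIN { n = split(prefixes, p, " ") }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            for (i = 1; i <= n; i++) {
                if (index($1, p[i]) == 1) {   # name begins with the prefix
                    m = split($4, members, ",")   # 0 when the member list is empty
                    printf "%s:%s:%d\n", $1, $3, m
                    break
                }
            }
        }
    ' "$file"
}

# Constructed sample standing in for /etc/group on the serviced platform.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:
wheel:x:10:alice
linadmins:x:5001:alice,bob
adsfinance:x:5002:carol
sqlreaders:x:5003:
EOF

# Expect only the 'ads' and 'sql' groups to be reported as leaked.
leaked_groups "$sample"
rm -f "$sample"
```

Run it against the real file with `leaked_groups /etc/group`; an empty result means no group with an `ads` or `sql` prefix was synchronized to that platform.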