Related Tips & Info

Active directory nested groups with NetIQ Access Manager

csr
0 Likes

Download AD Nested Groups user store plugin



Introduction



Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic.
Nesting options depend on whether the domain functionality of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.
By default, when you nest a group within another group, user rights are inherited. For example, if you make Group_1 a member of Group_2, users in Group_1 have the same permissions as the users in Group_2.



Setup Information




  1. Download plugin from this solution

  • Extract the zip file and copy the “com” folder to the Identity Server:

  • Copy it to the <NIDP>/WEB-INF/classes directory


    Linux: 
    /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes
    Windows Server 2008: 
    \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes



  • To associate an LDAP Server plug-in with the Custom1, Custom2, or Custom3 directory type, modify the web.xml file on the Identity Server:

    4.1 In a text editor, open the web.xml file.

    Linux: 
    /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml
    Windows Server 2008: 
    \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\web.xml



    4.2 Add an entry for the ladpStorePlugins context parameter. Your entry should look similar to the following to associate the com.netiq.custom.LDAPStorePluginActiveDirExt with the Custom1 directory type.

    <context-param>
    <param-name>ldapStorePlugins</param-name>
    	<param-value>custom1:com.netiq.custom.LDAPStorePluginActiveDirExt</param-value>
    </context-param>




  • Restart IDP

    Linux: 
    Enter one of the following commands:
    /etc/init.d/novell-idp restart
    rcnovell-idp restart
    Windows: 
    Enter the following commands:
    net stop Tomcat7
    net start Tomcat7



  • Repeat above steps on each Identity Server in the cluster.


  • In the Administration Console, configure the Identity Server to use the new directory type for a user store.


    7.1 Click Access Manager > Identity Servers > Edit > Local.

    7.2 Either select the name of a user store or click New.

    7.3 For the Directory type, select the custom string you have configured above that is custom1


  • Complete one of the following:

    8.1 For a new user store, configure the other required values, then click Finish.

    8.2 For a modified user store, modify the other options to fit the new directory type, then click OK.


  • Update the Identity Server.


  • (Optional) To verify that the new directory type is functioning correctly, log in to the user portal by using the credentials of a user in the user store.


  • Refer to nested groups in policy creation or role creation. This is regular steps to be followed as per documentation how to created role or policy.

Reference:

http://www.novell.com/documentation/developer/nacm31/nacm_enu/data/bfg3gnn.html

Labels:

How To-Best Practice
Comment List
  • in reply to sma2006
    In fact there is no problem with the new NAM portal (/nidp), but with the Kerberos authentication that no longer works after changing AD user store configuration to "custom1".

    Any idea ?

    Thanks
  • Hello,

    I tried it with NetIQ NAM 4.2.1 and it almost work :

    Actually, the Role that filter on Nested Group membership in AD works, but changing the ADIR directory type to Custom1 breaks the NAM Portal (new feature in NAM 4.2)

    The NAM portal authentication works, but the Appmark are not showed.

    Do you have any idea of the problem ?

    thanks

    Sylvain
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.