Cadet 1st Class

Active Directory (AD) Synchronization with HPE CM 9.1

In the near future we're going to be testing this function. I just want to know if anyone has experience using this function. If so, are there any gotchas, lessons learned, or documentation outside of what's contained in the help file?

Thanks!

P.S. I'll share what we find through our testing.

 

Micro Focus Expert

I have seen it running in a small test environment, seemed to work well. Wasn't up to the normal volume of a production site though. 

Be interested in hearing your experiences.

**Any opinions expressed in this forum are my own personal opinion and should not be interpreted as an official statement on behalf of Micro Focus**

Ensign

Do you have any screen shots of your User and Group mappings?  I've been trying to import old config files from the 7.2 days (before it was taken away in 8.3), but getting error messages about "Invalid Pointer (#80004003)".  

After doing some research on the error, it says it's most likely a SQL error. We're using the same SQL dataset, but the schema has, of course, been upgraded. Kind of given up and accepted that I'm going to have to re-write all the sync scripts, but the old fields aren't "lining up" with the new fields. I'm either getting a completely blank user imported, or my groups are coming in as Inquiry users. My searches seem to be working (a search on a group that has 9 users in it runs and says there are 9).

Any screen shots of what should be in each of the fields would be great, so I can plug in my OUs and DNs. (nothing found on Google)

Thanks.

Captain

Have you had any luck this time with AD Synchronization? I tried different options as per the help on Group and user mapping and nothing seems to be happening. Any tips or findings based on your setup that you can share will be helpful.

Captain

I am able to map the rule and OU fetch the users as part of this synchronization. But I am not getting the "Accept logins for this user using credentials" checkbox enabled when I tried to sync for "creating the location" as part of the sync. I tried different rules and mappings with LDAP and it is not working. Can you please share your screenshot of the user mapping? Any info you can share will be helpful. Thanks.

Vice Admiral

We set ours up blank so that it applies to every Sync when it is Enabled.

Capture2.PNG

Brian

Captain

Hi Brian,

Thanks, I tried this option as well. But when I run it, I am not getting the checkbox enabled and the Domain name displayed here. Are you saying you are getting this option enabled and the domain name binding when you run with the same settings? If yes, we may need other mapping in order for it to work. Please check and share.

DS behaviour Share.JPG

Micro Focus Expert

Hi. @kuth. Please find attached a working configuration used by a colleague.

You can import and compare the setting to yours. I hope it helps.  

 

Shiela

*** Any posts I make on this forum are my own personal opinion and should not be interpreted as an official statement on behalf of Micro Focus ***

Captain

Thanks Shiela. I took a backup of mine, imported your file [changed the LDAP and OU name to match mine] and ran it; still the same behaviour. But it is fine for me as this checkbox is not enabled as part of the Sync. We will enable it manually once the user completes the online training & test about TRIM.

What I found is:

Once I have enabled “Accept Logins for this user credentials”, a TRIM license is consumed. [For example: remaining licenses 777]

If I keep the network name alone and untick “Accept Logins for this user credentials”, then no license is consumed. [For example: remaining licenses 778]

So for me, this Activate or Deactivate [Accept Logins for this user credentials] is the key for licensing. Can someone please confirm?

Based on the sample file, I am not sure how Deactivate location is working. Have you or your colleague tried it, and is it working?

As per the Help:

Synchronised Content Manager Locations are deactivated if any of the following conditions hold true:

1. The LDAP entry the location is synchronised from is no longer present.

2. For Active Directory-based directories: the LDAP entry is marked as disabled or expired in Active Directory.

When deactivating a Content Manager location, the "Enable Network Login" property is set to False, and the Active To date is set to the current date.

Captain

Can any Micro Focus experts confirm the licensing part? Appreciate it.

Activate or Deactivate [Accept Logins for this user credentials] is the key for licensing. Can someone please confirm?

Micro Focus Expert

Yes, when “Accept Logins for this user credentials ...” is enabled, it will count towards the number of seats or license count.

The configuration supplied is a working one. If the AD object is disabled or expired, the “Accept Logins for this user credentials ...” checkbox will be unticked after a synch.

 

Shiela

*** Any posts I make on this forum are my own personal opinion and should not be interpreted as an official statement on behalf of Micro Focus ***

Captain

Thanks Shiela for the confirmation. Noted. Strange though, for me Accept Logins is never checked for new locations and never unticked [disabled] for the expired AD accounts. Not sure what else is missing.

Do you know any way we can check for accounts that are disabled in AD and exist in TRIM?

I am trying a query that combines TSLocation, TSLOCLOGIN, TSLOCUSAGE and TSLOCPERSO with a case statement like the one below. But it is not accurate; is some other flag / check required? Any input..

CASE
    WHEN LC.lcDirSyncDN IS NULL THEN 'AD Account Does not exists'
    ELSE 'AD Account Active'
END AS 'AD Active or Deactive'
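
An added example, not part of the thread and not Content Manager code: the check asked about in the last post can be done outside the database by comparing an export of Content Manager locations with an export of AD entries and applying the two deactivation conditions quoted from the Help. The record fields `name`, `sync_dn` and `accept_logins` are assumed export columns, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit: account is disabled
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (the accountExpires encoding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def ad_state(entry, now):
    """Classify one AD entry against the Help's deactivation conditions."""
    if entry is None:
        return "missing"                   # condition 1: LDAP entry no longer present
    if int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE:
        return "disabled"                  # condition 2: marked as disabled
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and expires <= to_filetime(now):
        return "expired"                   # condition 2: marked as expired
    return "active"

def stale_logins(locations, ad_by_dn, now):
    """Locations still accepting logins although their AD entry is gone, disabled or expired."""
    findings = []
    for loc in locations:
        if not loc["accept_logins"] or not loc["sync_dn"]:
            continue                       # already deactivated, or not a synchronised location
        state = ad_state(ad_by_dn.get(loc["sync_dn"].lower()), now)
        if state != "active":
            findings.append((loc["name"], state))
    return findings

# Constructed sample data (not from the thread); AD entries are keyed by lower-cased DN.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
BASE = "ou=staff,dc=example,dc=com"
AD = {
    f"cn=alice,{BASE}": {"userAccountControl": "512", "accountExpires": "0"},
    f"cn=bob,{BASE}": {"userAccountControl": "514", "accountExpires": "9223372036854775807"},
    f"cn=carol,{BASE}": {"userAccountControl": "512", "accountExpires":
                         str(to_filetime(datetime(2023, 12, 31, tzinfo=timezone.utc)))},
}
LOCATIONS = [
    {"name": "Alice", "sync_dn": f"CN=Alice,{BASE}", "accept_logins": True},
    {"name": "Bob", "sync_dn": f"CN=Bob,{BASE}", "accept_logins": True},
    {"name": "Carol", "sync_dn": f"CN=Carol,{BASE}", "accept_logins": True},
    {"name": "Dave", "sync_dn": f"CN=Dave,{BASE}", "accept_logins": True},
    {"name": "Erin", "sync_dn": f"CN=Erin,{BASE}", "accept_logins": False},
    {"name": "Records Room", "sync_dn": None, "accept_logins": True},
]
print(stale_logins(LOCATIONS, AD, NOW))
```

Each finding is a location that still holds a login, and per the thread a license seat, after its directory account stopped being valid.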
