
AD Group Membership


Hi

This is supposed to be an easy thing which I'm struggling with, however
it's been keeping me busy the whole day.

I would like to add users to default groups within Active Directory, i.e.
a user has DEPT1 as a value in the Department attribute in eDir; based
on this I would like to add him to the ALL-DEPT1 group in AD
(cn=all-dept1,ou=business groups,dc=domain,dc=com).

For some reason this is just not working.

Could somebody please point me in the right direction.


--
Hendrik

Re: AD Group Membership


Just to add some more info

Synchronisation comes from eDir ----> Vault ----> AD.

We are not synchronising Groups from eDir to Vault nor from AD to
Vault, hence all Group Memberships need to be done when users are
created in the vault.


--
Hendrik

Re: AD Group Membership

On 12/6/2012 10:44 AM, Hendrik wrote:
>
> Just to add some more info
>
> Synchronisation comes from eDir ----> Vault ----> AD.
>
> We are not synchronising Groups from eDir to Vault nor from AD to
> Vault, hence all Group Memberships need to be done when users are
> created in the vault.


There is a thread this past week just on this topic. Topic was about
group syncing. Alex nicely explained how to do what you need. Go look
for it.



Re: AD Group Membership

On 06.12.2012 17:12, Geoffrey Carman wrote:
> On 12/6/2012 10:44 AM, Hendrik wrote:
>>
>> Just to add some more info
>>
>> Synchronisation comes from eDir ----> Vault ----> AD.
>>
>> We are not synchronising Groups from eDir to Vault nor from AD to
>> Vault, hence all Group Memberships need to be done when users are
>> created in the vault.
>
> There is a thread this past week just on this topic. Topic was about
> group syncing. Alex nicely explained how to do what you need. Go look
> for it.


To be honest, depending on how many departments/groups you are talking
about, the way I explained this in that previous thread isn't always ideal.

It works fine and is easy to understand, but can be fiddly to get right
and to maintain if, for example, groups are renamed or moved in AD.

If there aren't too many groups/departments, then I'd use the built-in
logic for group membership via the group entitlement in recent versions
of the AD driver preconfig / packages. That way you don't really need
any special logic in your AD driver.

How you implement the logic as to when to grant/revoke the entitlements
is up to you.

The simplest way is to implement this via Role-Based Entitlements
Service (the most old-fashioned approach), but this has known
scalability issues.

