dssuski

AD computer object to eDir user object

Anyone know if this is possible? I've added Computer to the AD
publisher filter and mapped that to the User on the eDirectory side.
But I keep getting this error:

event discarded because class is not in publisher filter

Not even sure if I can have 2 mappings to a User class in eDir.

Thanks,
Denis
6 Replies
Anonymous_User

Re: AD computer object to eDir user object

On Thu, 06 Mar 2014 21:55:54 +0000, Denis Suski wrote:

> Anyone know if this is possible?


It might be possible, but to what end?


> I've added Computer to the AD
> publisher filter and mapped that to the User on the eDirectory side. But
> I keep getting this error:
>
> event discarded because class is not in publisher filter
>
> Not even sure if I can have 2 mappings to a User class in eDir.


You can't in the schema map.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
Anonymous_User

Re: AD computer object to eDir user object

Denis Suski wrote:

> Anyone know if this is possible? I've added Computer to the AD publisher filter and mapped that to the User on the eDirectory side. But I keep getting this error:


Agree with David; this is an odd requirement and you might want to re-think your goals. Maybe we can suggest a better approach if we know what you are after.

> event discarded because class is not in publisher filter
>
> Not even sure if I can have 2 mappings to a User class in eDir.


I don't think it's impossible, but there are some limitations.

If I recall correctly, you need to do it in a similar fashion to the example below.

https://www.netiq.com/documentation/idm402/policy/data/policytypes.html#b7ghv5w

One confusing part here is that when using a custom (DirXML Script) schema mapping policy, it is ignored during the init-params phase of driver startup.
This can be used to your advantage (I think).

So:

1. Add a Computer class to the driver filter, set publisher sync.
2. Add a regular schema mapping that converts this to the class name in AD - I guess that is just the lowercase version "computer".
3. In the custom (DirXML Script) schema mapping:

    rule
      if-class = computer
      if-xml-attr fromNDS = false
      set class = User

Test and see how it goes. I do recall that the merge processor creates issues here.
It detects the object class of the object in the IDV and reverts to using the attributes specified for that object class in the driver filter to perform the merge.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
dssuski
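The three steps above, written out as the DirXML Script rule for the custom schema mapping policy. This is an added example, not code from the post or from the NetIQ documentation; the element names follow the DirXML Script policy vocabulary, and the use of the from-nds XML attribute to detect publisher-channel direction follows the post's sketch and is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Custom (DirXML Script) schema mapping policy, added example.
     Assumes the regular schema mapping already maps the eDirectory
     class "Computer" to the AD class "computer" (step 2 above), so
     this rule only has to rewrite publisher-side events to "User". -->
<policy>
  <rule>
    <description>Map AD computer events to eDirectory User on the publisher channel</description>
    <conditions>
      <and>
        <!-- step 1/2: the event arrives with the AD class name "computer" -->
        <if-class-name mode="nocase" op="equal">computer</if-class-name>
        <!-- assumption: publisher events carry from-nds="false";
             subscriber events (from-nds="true") are left untouched so
             eDirectory Computer objects still map to AD computers -->
        <if-xml-attr name="from-nds" op="equal">false</if-xml-attr>
      </and>
    </conditions>
    <actions>
      <!-- step 3: rewrite the operation's class-name to the eDirectory class -->
      <do-set-op-class-name>
        <arg-string>
          <token-text xml:space="preserve">User</token-text>
        </arg-string>
      </do-set-op-class-name>
    </actions>
  </rule>
</policy>
```

As the post warns, the merge processor reads the filter for the object's class in the IDV, so an event rewritten this way can still be merged using the User class's filter attributes rather than the Computer class's.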

Re: AD computer object to eDir user object

On 3/6/2014 4:55 PM, Denis Suski wrote:
> Anyone know if this is possible? I've added Computer to the AD
> publisher filter and mapped that to the User on the eDirectory side. But
> I keep getting this error:
>
> event discarded because class is not in publisher filter
>
> Not even sure if I can have 2 mappings to a User class in eDir.
>
> Thanks,
> Denis

Thanks for the responses. The reason I'm looking is because we have a
requirement to create roaming profiles (on NSS volumes with a CIFS
share). These work fine, except for the redirected folders part: the
Windows machine tries to create these instead of the user's account
doing it. I can see a "user" in the CIFS log called, for example,
JDOEMACHINE$, so I figure if I can get the machine, when it is created in AD,
to come across to eDir as a user called the same thing, I can log in.
Apparently, AD auto-changes the passwords on the machine, which I'd need
to pass also. I'll give your suggestions a shot.

Thanks again,
Denis
Anonymous_User

Re: AD computer object to eDir user object


Sorry, I don't follow you.
You need to explain that a little better.

Anyway, whatever you need, I would advise you to set up a secondary
driver if you do need to map the computer to user.
Do you intend the computer account to create new user accounts that have
relations only with the computer object in AD? This is most likely
easiest with a new driver.
Or do you want the computer object to update a few attributes on an
existing user account? This is also most likely easiest with a new
driver, even more so since you already have an association with another
object.

You do write about the password changing in AD; not sure how the pwd
filter works, if it catches all passwords or only passwords from users.

You can test Alex's suggestion in the matching rule as well. The merge
processor and associations do mess things up quite a lot when trying to
match two classes into one, if you try to update the same object from two
objects.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=50198

Anonymous_User

Re: AD computer object to eDir user object

joakim ganse wrote:

> Anyway, whatever you need, I would advise you to set up a secondary
> driver if you do need to map the computer to user.
> Do you intend the computer account to create new user accounts that have
> relations only with the computer object in AD? This is most likely
> easiest with a new driver.


The big issue with using a separate driver is that it seems he wants passwords captured as well.

> Or do you want the computer object to update a few attributes on an
> existing user account? This is also most likely easiest with a new
> driver, even more so since you already have an association with another
> object.


Agreed.

> You do write about the password changing in AD; not sure how the pwd
> filter works, if it catches all passwords or only passwords from users.


I do know that the underlying API PasswordChangeNotify - which is called when a password is successfully changed - does notify on computer account password changes.
I've never tested it with the NetIQ password sync filter, though. I don't see why it wouldn't work.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
dssuski

Re: AD computer object to eDir user object

On 3/7/2014 6:10 AM, Alex McHugh wrote:
> joakim ganse wrote:
>
>> Anyway, whatever you need, I would advise you to set up a secondary
>> driver if you do need to map the computer to user.
>> Do you intend the computer account to create new user accounts that have
>> relations only with the computer object in AD? This is most likely
>> easiest with a new driver.

>
> The big issue with using a separate driver is that it seems he wants passwords captured as well.
>
>> Or do you want the computer object to update a few attributes on an
>> existing user account? This is also most likely easiest with a new
>> driver, even more so since you already have an association with another
>> object.

>
> Agreed.
>
>> You do write about the password changing in AD; not sure how the pwd
>> filter works, if it catches all passwords or only passwords from users.

>
> I do know that the underlying API PasswordChangeNotify - which is called when a password is successfully changed - does notify on computer account password changes.
> I've never tested it with the NetIQ password sync filter, though. I don't see why it wouldn't work.
>

Thanks for the assistance on this... ends up things just aren't going to
work out this way. During the implementation, some other admins were
creating users in eDir and the driver was creating computers in AD, so
the reverse of what I was looking for was happening. Either way, after
exhaustive testing, we just could not get folder redirection and roaming
profile permissions to function properly on NSS. So, in summary, it looks
like the driver was going to work after some tinkering, but in the end
NSS would have been the hangup. Thanks again.