
AD query


A customer has an AD driver without group synchronization, and I want
to recover all the groups that the user has in AD. I think the best
way is with an XPATH query, but I have never used it before, so I'm quite
lost.

I have tried with
<token-xpath
expression="query:readObject($srcQueryProcessor, association, @src-dn,
@class-name, 'memberOf')"/>
But this only returns the groups that the user has in eDirectory.


--
kiekurt
------------------------------------------------------------------------
kiekurt's Profile: https://forums.netiq.com/member.php?userid=1394
View this thread: https://forums.netiq.com/showthread.php?t=53429


Re: AD query

On 5/5/2015 7:24 AM, kiekurt wrote:
>
> A customer has an AD driver without group synchronization, and I want
> to recover all the groups that the user has in AD. I think the best
> way is with an XPATH query, but I have never used it before, so I'm quite
> lost.
>
> I have tried with
> <token-xpath
> expression="query:readObject($srcQueryProcessor, association, @src-dn,
> @class-name, 'memberOf')"/>
> But this only returns the groups that the user has in eDirectory.


This is why there are tokens like Destination Attribute (or the Query
token).

No need to do it all in the old way.

However, you have a different problem. The Member attribute on Groups,
and the memberOf attribute (which is not a real attribute in AD, and I
think whether you get it back depends on the AD version), are type="dn",
which has some implications.

When the query comes back, in the ITP it will look good, but when the
association processor handles it, if the member (or group) named by the
DN is not available in the IDV you will get a message "Unable to
synchronize reference to <insert DN here>".

This means your query will likely look good going out, start coming back
ok, and then seem empty when it gets back to your policy.

What is typically done is to detect a special query case in the OTP, tag
on an Op Property, then in the ITP, if the <instance> event has the
specific op-property, reformat op attr the attribute, and simply use
the variable current-value in the token. (What that does is reformat
the type="dn" to type="string", and now it will be a string and come
back.) The DCS driver does this, and if you look in a modern driver, you
will see two policies in the Schema map, one before and one after, that
change the DN types to strings.





Re: AD query


Hi,

in addition to what Geoff already pointed out:

reading the memberOf attribute will work (at least with functional level
> 2008); however, you can't write to that attribute.

memberOf is not a real attribute; instead it is a backlink constructed
from the member attribute of the group.
If you want to set group memberships you have to add the user to the
group, not the group to the user.

Regards


--
fwitt
------------------------------------------------------------------------
fwitt's Profile: https://forums.netiq.com/member.php?userid=8759
View this thread: https://forums.netiq.com/showthread.php?t=53429


Re: AD query

On 5/5/2015 10:04 AM, fwitt wrote:
>
> Hi,
>
> in addition to what Geoff already pointed out:
>
> reading the memberOf attribute will work (at least with functional level
> > 2008); however, you can't write to that attribute.
>
> memberOf is not a real attribute; instead it is a backlink constructed
> from the member attribute of the group.
> If you want to set group memberships you have to add the user to the
> group, not the group to the user.


Agreed. The initial question was about reading memberOf, with those
caveats. What you can also do is query for Groups whose member=DN of the
user in AD to get that list as well. (Which is what AD is doing, a
dynamic query, when you look at it.)
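The two points made in the replies above, memberOf being a read-only backlink derived from each group's member attribute, and the same list being obtainable by querying for groups whose member attribute contains the user's DN, can be shown with a small in-memory model. This is an added illustration, not code from the thread, the AD driver or NetIQ; the group DNs, user DNs and the `GROUPS` table are constructed sample data. The filter builder escapes the DN per RFC 4515 so that a DN containing parentheses, asterisks or backslashes cannot change the meaning of the search filter sent to AD.

```python
"""Toy model of AD group membership (added illustration, not driver code)."""

# Constructed sample data: three AD groups and their member attribute values.
GROUPS = {
    "CN=Sales,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=example,DC=com",
        "CN=Bob,OU=Users,DC=example,DC=com",
    ],
    "CN=VPN Users,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=example,DC=com",
    ],
    "CN=Admins,OU=Groups,DC=example,DC=com": [
        "CN=Carol,OU=Users,DC=example,DC=com",
    ],
}


def member_of(user_dn, groups=GROUPS):
    """Derive memberOf the way AD does: a backlink computed by walking every
    group's member attribute. DNs compare case-insensitively in AD."""
    wanted = user_dn.lower()
    return sorted(group_dn for group_dn, members in groups.items()
                  if any(m.lower() == wanted for m in members))


def set_member_of(user_dn, group_dn):
    """Writing memberOf is refused: it is computed, not stored on the user."""
    raise PermissionError(
        "memberOf is a computed backlink; add the user to the group's "
        "member attribute instead")


def add_to_group(group_dn, user_dn, groups):
    """The supported way to change membership: modify the group's member
    attribute. memberOf on the user then changes as a side effect."""
    members = groups.setdefault(group_dn, [])
    if user_dn.lower() not in (m.lower() for m in members):
        members.append(user_dn)
    return member_of(user_dn, groups)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def groups_by_member_filter(user_dn):
    """Equivalent of reading memberOf: an LDAP filter for every group whose
    member attribute holds this user's DN (what AD evaluates dynamically)."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


if __name__ == "__main__":
    alice = "CN=Alice,OU=Users,DC=example,DC=com"
    print(member_of(alice))
    print(groups_by_member_filter("CN=O'Brien (Ext),OU=Users,DC=example,DC=com"))
```

`member_of` stands in for reading the memberOf attribute, `groups_by_member_filter` for the "query for Groups whose member=DN of user" approach; both give the same answer because the first is derived from the second. `add_to_group` is the only write path, matching the rule that the user is added to the group and not the group to the user.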

