
Fan-out Census population limitation/question


Hello all,

I was looking for a way to populate the Census of the Fan-Out driver in
a more 'scoped' way.

Current setup:
Windows Coredriver build 3.6.1.22 140414

At the top level I have an ou=Data, with beneath that an ou=Users and an
ou=Groups (nothing fancy).
Group naming is based on a prefix so that a driver (in my case 3
different prefixes: 'ads', 'lin' and 'sql') can be scoped on the
prefix.
Currently the Search-object is defined as searching from ou=Data, so all
underlying groups are now present in the census (still as
designed/should be).
But as assumed I also get the unwanted groups in the census, and they are
accordingly synched to the linux client machine ... it's kinda
'polluting' my /etc/group


Is there a way to 'scope' the Census searchobject so that it would only
pick up the groups starting with the 'lin' prefix?

I have already tried to make a dynamic group that has a searchfilter
(&(cn=lin-*)(objectClass=groupOfNames)), which reflects the correct set
of groups, but if I give that as DN for the Searchobject it won't pick up
the groups.
Is this a limitation of the Core Service, or am I approaching this in a
wrong way?

- if it were a limitation I'd love to see an enhancement to the core
services to also be able to make use of dynamic groups (and its
members), so that my census doesn't get that 'messy' with groups I don't
need.


- Michael


--
Shadowm
------------------------------------------------------------------------
Shadowm's Profile: https://forums.netiq.com/member.php?userid=6005
View this thread: https://forums.netiq.com/showthread.php?t=52386


Re: Fan-out Census population limitation/question



Hello,

I would probably put the census searchobject to only look for the users,
and then create a search group for each of the groups you want to send
out to the linux boxes. Make sure those are not included in the census
itself (selectable on the search object) and also put "expand users" on
the group searchobject. Then you will get all users to the census + the
groups you have selected. On the linux boxes you will get the users that
are covered by a group + the group with members.
Then you select to what platformsets to attach the searchobjects to ->
you can have different userbase on different platformsets.

Selecting only some groups by some search thingy will not work.

I might have completely misunderstood your question though 🙂

br
/Anders


--
abergvall
------------------------------------------------------------------------
abergvall's Profile: https://forums.netiq.com/member.php?userid=278
View this thread: https://forums.netiq.com/showthread.php?t=52386


Re: Fan-out Census population limitation/question


Another idea I pass onto a lot of users that want to achieve more
complex fan-out implementations that are simply difficult to do without
the use of policy, is to create a fan-out loopback driver that bridges
the gap between your real container and your "fanout" container. In the
loopback, you can put all your logic for "staging", including
transformation of data, scoping, etc., and let the fan-out driver just
key off of this new container. There's duplication involved, but it
gives you much more flexibility and a way to leverage the power of IDM
policy.


--
jgrieshop
------------------------------------------------------------------------
jgrieshop's Profile: https://forums.netiq.com/member.php?userid=483
View this thread: https://forums.netiq.com/showthread.php?t=52386


Re: Fan-out Census population limitation/question


Thanks for the suggestions

I will test out the one made by abergvall,

The other suggestion made by jgrieshop is also a solution, however in my
case the duplication is considered 'unwanted', so I'll keep it in my
mind and only go down that road if there's no other way.



In some more digging in the (eDirectory) searchobject itself I found an
unvalued attribute 'ASAM-SearchObjectFilter', which (looking at its
name) might be what I'm after.
The difficulty in this is that I cannot find any information other than
the OID of the attribute, so no clue what to value it with, and how it
would interact with the searchobject itself.

Under the assumption of it applying an LDAP filter to the search I have
been trying out some options, then tracing the LDAP queries made to
eDir, but I can't see any differences (or errors).

The only difference I have noticed is that the iManager page for the
searchobject, when clicking through on the one which has a valued
ASAM-SearchObjectFilter, isn't showing its content when trying to view
it.

Any ideas about the attribute and its possible
value(s)/format/interaction with the searchobject?

- Michael


--
Shadowm
------------------------------------------------------------------------
Shadowm's Profile: https://forums.netiq.com/member.php?userid=6005
View this thread: https://forums.netiq.com/showthread.php?t=52386


Re: Fan-out Census population limitation/question


abergvall;251936 Wrote:
> Hello,
>
> I would probably put the census searchobject to only look for the users,
> and then create a search group for each of the groups you want to send
> out to the linux boxes. Make sure those are not included in the census
> itself (selectable on the search object) and also put "expand users" on
> the group searchobject. Then you will get all users to the census + the
> groups you have selected. On the linux boxes you will get the users that
> are covered by a group + the group with members.
> Then you select to what platformsets to attach the searchobjects to ->
> you can have different userbase on different platformsets.
>
> Selecting only some groups by some search thingy will not work.
>
> I might have completely misunderstood your question though 🙂
>
> br
> /Anders


Having put your suggested method to the test, I switched it around the
other way: I put the wanted groups in the searchobject (and census),
and created a searchobject for the users at the base of
ou=Users,ou=Data,o=<org> (not in Census). This got my census filled
with the correct data, and on the serviced platform the correct groups
are then available by default (to hook rights on the platform to them).
The members are created/synched when they get added to the groups
specified in the Census/searchobject.

Many thanks for thinking along with me here, it led me to a solution that
will do just fine.

The only (very minor) downside of course is that when an additional group is
created it will have to be manually created as a searchobject/added to
the Census.

- Michael


--
Shadowm
------------------------------------------------------------------------
Shadowm's Profile: https://forums.netiq.com/member.php?userid=6005
View this thread: https://forums.netiq.com/showthread.php?t=52386
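
Added example, not part of the original thread and not NetIQ code: a check to run on the Linux platform after changing the census scope, confirming that only 'lin' groups reached the group file. It assumes the 'ads' and 'sql' prefixes are followed by a hyphen like the `cn=lin-*` filter above; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a group(5)-format file for directory groups that belong to another
# driver's prefix scope. Prefix spelling with "-" is an assumption taken
# from the cn=lin-* filter in the thread.
WANTED_PREFIX="lin-"
FOREIGN_PREFIXES="ads- sql-"

# Constructed sample in /etc/group format (names and GIDs are made up).
sample_group_file() {
    cat <<'EOF'
root:x:0:
lin-admins:x:5001:alice,bob
ads-helpdesk:x:5002:carol
sql-dba:x:5003:
lin-web:x:5004:dave
adsl:x:5005:erin
EOF
}

# out_of_scope_groups FILE   ("-" reads stdin, default /etc/group)
# Prints "name:gid:member_count" for each group carrying a foreign prefix.
out_of_scope_groups() {
    awk -F: -v foreign="$FOREIGN_PREFIXES" '
        BEGIN { n = split(foreign, pfx, " ") }
        /^#/ || NF < 3 { next }              # skip comments and short lines
        {
            for (i = 1; i <= n; i++) {
                if (index($1, pfx[i]) == 1) { # prefix match at position 1 only
                    members = ($4 == "") ? 0 : split($4, m, ",")
                    printf "%s:%s:%d\n", $1, $3, members
                    break
                }
            }
        }' "${1:-/etc/group}"
}

# in_scope_groups FILE: names of groups carrying the wanted prefix.
in_scope_groups() {
    awk -F: -v want="$WANTED_PREFIX" 'index($1, want) == 1 { print $1 }' \
        "${1:-/etc/group}"
}

# Demo on the constructed sample; on a real host call the functions
# without an argument to read /etc/group.
sample_group_file | out_of_scope_groups -
```

An empty result from `out_of_scope_groups` means the census scoping worked; the `adsl` entry in the sample shows why the match includes the hyphen, so a local group that merely begins with the same letters is not flagged.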
