deltasigma

Re: Adding user in vault only if member of a specific AD Group


Hi,

I have done more tests and put the GroupMemberShip in the filter, and
when the connector grabs the info from the AD I saw the group information
coming back from the AD:



<attr attr-name="mDBUseDefaults">
  <value naming="true" type="state">false</value>
</attr>
<attr attr-name="mail">
  <value naming="true" type="string">Thierry.Si@lab.ca</value>
</attr>
<attr attr-name="memberOf">
  <value association-ref="a9dfdc393cb955498899ca941b290c03" naming="true" type="dn">CN=G-UL-IDM,OU=Lab,DC=local</value>
  <value association-ref="1e1b8e9d106cd7488e090082973c7d62" naming="true" type="dn">CN=G-UF-LOAN,OU=Lab,DC=local</value>
  <value association-ref="920ec608888efb408e40615eb1e07db1" naming="true" type="dn">CN=G-US-IT,OU=Lab,DC=local</value>
</attr>
<attr attr-name="msExchALObjectVersion">
  <value naming="true" type="int">55</value>
</attr>
<attr attr-name="msExchHomeServerName">
  <value naming="true" type="string">/o=fun/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=QESFSMM235</value>
</attr>

Since my user is not yet associated, how can I build a policy in the
Event Publisher to "catch" that information?

My goal is:
if the AD user is member of CN=G-UL-IDM,OU=Lab,DC=local in AD
then continue the process, then associate and sync attributes.
else VETO

Could you provide me an example of code? I tried many ways but didn't get
any result.
That will really help me.

Jean-Guy


--
deltasigma
------------------------------------------------------------------------
deltasigma's Profile: http://forums.novell.com/member.php?userid=24994
View this thread: http://forums.novell.com/showthread.php?t=447533


Re: Adding user in vault only if member of a specific AD Group

On Mon, 07 Nov 2011 15:36:02 +0000, deltasigma wrote:

> I have done more tests and put the GroupMemberShip in the filter, and when
> the connector grabs the info from the AD I saw the group information
> coming back from the AD


Can we see the trace of the whole event? It would make it easier to
figure out where this document fragment fits in to the event, and how to
use it.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.


Re: Adding user in vault only if member of a specific AD Group

On 07.11.2011 16:36, deltasigma wrote:
>
> Hi,
>
> I have done more tests and put the GroupMemberShip in the filter, and
> when the connector grabs the info from the AD I saw the group information
> coming back from the AD:
>
> <attr attr-name="mDBUseDefaults">
>   <value naming="true" type="state">false</value>
> </attr>
> <attr attr-name="mail">
>   <value naming="true" type="string">Thierry.Si@lab.ca</value>
> </attr>
> <attr attr-name="memberOf">
>   <value association-ref="a9dfdc393cb955498899ca941b290c03" naming="true" type="dn">CN=G-UL-IDM,OU=Lab,DC=local</value>
>   <value association-ref="1e1b8e9d106cd7488e090082973c7d62" naming="true" type="dn">CN=G-UF-LOAN,OU=Lab,DC=local</value>
>   <value association-ref="920ec608888efb408e40615eb1e07db1" naming="true" type="dn">CN=G-US-IT,OU=Lab,DC=local</value>
> </attr>
> <attr attr-name="msExchALObjectVersion">
>   <value naming="true" type="int">55</value>
> </attr>
> <attr attr-name="msExchHomeServerName">
>   <value naming="true" type="string">/o=fun/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=QESFSMM235</value>
> </attr>
>
> Since my user is not yet associated, how can I build a policy in the
> Event Publisher to "catch" that information?
>
> My goal is:
> if the AD user is member of CN=G-UL-IDM,OU=Lab,DC=local in AD
> then continue the process, then associate and sync attributes.
> else VETO
>
> Could you provide me an example of code? I tried many ways but didn't get
> any result.
> That will really help me.


Try this -

<rule>
  <description>limited password publish</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">user</if-class-name>
      <if-operation mode="case" op="equal">modify-password</if-operation>
      <if-src-attr mode="nocase" name="memberOf" op="not-equal">CN=G-UL-IDM,OU=Lab,DC=local</if-src-attr>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

This rule is designed to be in your input transform (otherwise the
Pre-filter Association Processor and Post-filter Association Processor
may get in the way).

I'd also guess that this kind of operation is most efficient when placed
in the input transform.

If you want to have it in your publisher event transform, then you may
also need to use the reformat memberOf rule I posted before in your
event transform.
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: Adding user in vault only if member of a specific AD Group

On 07.11.2011 18:00, Alex McHugh wrote:
> On 07.11.2011 16:36, deltasigma wrote:
>> Since my user is not yet associated, how can I build a policy in the
>> Event Publisher to "catch" that information?
>>
>> My goal is:
>> if the AD user is member of CN=G-UL-IDM,OU=Lab,DC=local in AD
>> then continue the process, then associate and sync attributes.
>> else VETO
>>
>> Could you provide me an example of code? I tried many ways but didn't get
>> any result.
>> That will really help me.
>
> Try this -

I second David's comment that you need to publish more of a trace so we
can better help you. The last trace fragment you posted was an instance
document (the result of a query).

The prior rule I provided was likely not what you wanted (I thought you
wanted to block password publish for all users bar those who had a
specific group membership). It's hard to work out exactly what you want
as you aren't really providing the full picture.

Re-reading what you have written so far, is this what you want (to be
added to a publisher event transform policy set)?

<rule>
  <description>limit publish by group membership</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">user</if-class-name>
      <if-operation mode="regex" op="equal">add|modify</if-operation>
      <!-- Read the user's groups back from the source (AD) and veto unless the
           required group is among them; op="not-true" gives the "else VETO"
           behaviour asked for above. -->
      <if-xpath op="not-true">query:readObject($srcQueryProcessor,'',@src-dn,'','Group Membership')//attr[@attr-name="Group Membership"]/value/text()='CN=G-UL-IDM,OU=Lab,DC=local'</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

You will probably have case-related issues with this rule (XPath is
case-sensitive). See how it goes. ECMAScript can help if you need to
uppercase or lowercase before comparing (look at the AJC ECMAScript
library that is included with IDM 3.6 and higher).
Alex McHugh - Knowledge Partner - Stavanger, Norway
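The case-insensitive comparison Alex points at, as an added example that is not code from anyone in this thread: the same membership decision the if-xpath rule makes, written in ECMAScript over an instance document shaped like the fragment deltasigma posted. The sample document, its src-dn and the regex-based extraction are assumptions of this example, not part of the driver or the thread.

```javascript
// Added example, not code from the thread: the membership decision the
// if-xpath rule makes, done in ECMAScript so the DN compare is case-insensitive.
const REQUIRED_GROUP = 'CN=G-UL-IDM,OU=Lab,DC=local';

// Normalise a DN for comparison. RFC 4514 treats attribute types and the
// values of CN/OU/DC as case-insensitive, and whitespace around the RDN
// separators as insignificant; the raw XPath string compare honours neither.
function normalizeDn(dn) {
  return dn.split(',').map(rdn => rdn.trim()).join(',').toLowerCase();
}

// Pull every <value> of one <attr> out of an instance document. A regex is
// enough for the flat shape of the fragment posted above (an assumption of
// this example; a real policy would use the driver's XPath instead).
function attrValues(instanceXml, attrName) {
  const attr = new RegExp(`<attr attr-name="${attrName}">([\\s\\S]*?)</attr>`)
    .exec(instanceXml);
  if (!attr) return [];
  const values = [];
  const valueRe = /<value[^>]*>([\s\S]*?)<\/value>/g;
  let m;
  while ((m = valueRe.exec(attr[1])) !== null) values.push(m[1].trim());
  return values;
}

// Publisher decision: let the event through only when the user carries the
// required group; anything else (other groups, no memberOf at all) is vetoed.
function decide(instanceXml, attrName = 'memberOf', group = REQUIRED_GROUP) {
  const want = normalizeDn(group);
  const isMember = attrValues(instanceXml, attrName)
    .some(dn => normalizeDn(dn) === want);
  return isMember ? 'allow' : 'veto';
}

// Constructed sample: the memberOf values from the thread, with the required
// group deliberately written in a different case and spacing.
const SAMPLE_INSTANCE = `
<instance class-name="User" src-dn="CN=Thierry Si,OU=Lab,DC=local">
  <attr attr-name="memberOf">
    <value naming="true"
      type="dn">cn=g-ul-idm, ou=lab, dc=local</value>
    <value naming="true" type="dn">CN=G-UF-LOAN,OU=Lab,DC=local</value>
    <value naming="true" type="dn">CN=G-US-IT,OU=Lab,DC=local</value>
  </attr>
</instance>`;

console.log(decide(SAMPLE_INSTANCE)); // allow
```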