YardenBH

Subscriber channel of AD driver does not support object GUID

Hi all,

We had an issue with strange AD Subscriber channel behavior regarding group membership management. I hope someone around here could advise.
Component versions:
eDirectory 9.04
IDM Engine 4.6.2
AD Driver 4.0.3.0

Our client environment includes a single IDM engine connected to four ADs in a single forest (all domains are trusted), where we manage user and group objects. Since one eDirectory user can be associated with one or more AD users (one in each domain), we use four AD drivers instead of the multi-domain AD driver.

We have several cases where users in domain A (or B, ...) need to be assigned to or removed from a group in domain C. We had to intervene and set the member values for users not associated with the driver in order to avoid a schema mapping issue.
At first we tried to use the users' association values along with the 'association-ref' XML attribute, staying close to the AD driver's normal practice. However, this approach only worked for users associated with the driver. The shim simply ignores any LDAP operations involving the object GUID for users from another domain. While working on this task, we noticed that the events coming up the Publisher channel include 'association-ref' attributes for all users (from all domains), the same values that were discarded by the Subscriber channel.
We eventually ended up using the users' full AD DN values for the member setting, a working approach yet somewhat more clumsy than using the associations.
Has anyone else had this issue? Or faced a case where the group and its member were not in the same domain?
Thanks.
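For readers unfamiliar with the two forms the post compares, here is a constructed pair of XDS Subscriber-channel modify events. This is an added illustration, not XML from the original post or from the AD driver documentation; the tree name, DNs, event ids and the hex association values are placeholders, and the attribute and class names are shown as they stand before schema mapping.

```xml
<!-- Constructed example (not from the original post): a group in domain C
     receives a member that is managed by the driver for domain A.
     All GUIDs, DNs and event ids below are placeholders. -->
<nds dtdversion="4.0">
  <input>
    <!-- Form 1: the DN value carries an association-ref holding the
         objectGUID association the user has with the domain-A driver.
         For a user associated with this driver the shim resolves the ref;
         for a user from another domain the post reports that the shim
         ignores the operation, so the membership change is lost. -->
    <modify class-name="Group" event-id="constructed-1"
            src-dn="\TREE\data\groups\project-x">
      <association>d1b8e2c0e8f64a8ba3f0c1a2b3c4d5e6</association>
      <modify-attr attr-name="Member">
        <add-value>
          <value type="dn"
                 association-ref="5f0e2a8c1b9d4e7f8a6b5c4d3e2f1a00">\TREE\data\users\jdoe</value>
        </add-value>
      </modify-attr>
    </modify>

    <!-- Form 2: the workaround the post settled on. The member value is the
         user's full AD distinguished name in its home domain and carries no
         association-ref, so the shim takes the DN literally. -->
    <modify class-name="Group" event-id="constructed-2"
            src-dn="\TREE\data\groups\project-x">
      <association>d1b8e2c0e8f64a8ba3f0c1a2b3c4d5e6</association>
      <modify-attr attr-name="Member">
        <add-value>
          <value type="dn">CN=jdoe,OU=Users,DC=domain-a,DC=example,DC=com</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
```

The practical consequence of form 2 is that the policy setting the value must already know the member's AD DN in the other domain (for example from an attribute synchronized by that domain's driver), and that a rename or move of the user in domain A will not be followed automatically the way an association-based reference would be.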

Re: Subscriber channel of AD driver does not support object GUID

YardenBH <YardenBH@no-mx.forums.microfocus.com> wrote:
>
> We eventually ended up using the users' full AD DN values for the member
> setting, a working approach yet somewhat more clumsy than using the
> associations.
> Has anyone else had this issue? Or faced a case where the group and its
> member were not in the same domain?

Yes. The objectGUID/assoc-ref doesn’t seem to work across domains in the
per AD domain driver implementation.

Recall that the shim in each case would need to know where to find the
forest DC and ask it to resolve the guid to a DN across all child domains.
That functionality can’t be configured in the driver params and doesn’t
seem to be performed otherwise by the shim.
Alex McHugh - Knowledge Partner - Stavanger, Norway
sdhaval1

Re: Subscriber channel of AD driver does not support object GUID

You may want to look at Multidomain AD Driver which was built with such inter-domain use cases in mind.
https://www.netiq.com/documentation/identity-manager-47-drivers/multidomain_ad/data/boxjgaz.html