YardenBH

Absent Member.
2018-05-02 08:23
Subscriber channel of AD driver not support object GUID
Hi all,
We had an issue with strange AD Sub channel behavior regarding group membership management. I hope someone around here could advise.
Components' versions:
eDirectory 9.04
IDM Engine 4.6.2
AD Driver 4.0.3.0
Our client environment includes a single IDM engine connected to four ADs in a single forest (all domains are trusted), where we manage user and group objects. Since one eDirectory user can be associated with one or more AD users (one in each domain), we use four AD drivers instead of the multi-domain AD driver.
We have several cases where users in domain A (or B, ...) need to be assigned to or removed from a group in domain C. We had to interfere and set the member values for users not associated with the driver in order to escape a schema mapping issue.
At first we tried to use the users' association values along with the 'association-ref' XML attribute, staying close to the AD driver's normal practice. However, this approach only worked for users associated with the driver. The shim simply ignores any LDAP operations involving the object GUID for users from another domain. While working on this task, we noticed that the events coming up the publisher channel include 'association-ref' attributes for all users (from all domains), the same values that were deserted by the Subscriber channel.
We eventually ended up using the users' full AD DN values for the member setting, a working approach yet somewhat clumsier than using the associations.
Has anyone else had this issue? Or faced a case where the group and its member were not in the same domain?
Thanks.
2 Replies


Knowledge Partner
2018-05-02 09:32
YardenBH <YardenBH@no-mx.forums.microfocus.com> wrote:
> We eventually ended up using the users' full AD DN values for the member setting, a working approach yet somewhat clumsier than using the associations.
> Has anyone else had this issue? Or faced a case where the group and its member were not in the same domain?

Yes. The objectGUID/assoc-ref doesn’t seem to work across domains in the per AD domain driver implementation.

Recall that the shim in each case would need to know where to find the forest DC and ask it to resolve the GUID to a DN across all child domains. That functionality can’t be configured in the driver params and doesn’t seem to be performed otherwise by the shim.
Alex McHugh - Knowledge Partner - Stavanger, Norway
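The lookup Alex describes (ask a forest DC to turn an objectGUID into a DN across all child domains) is the Global Catalog search the per-domain shim does not perform. The following is an added example, not code from the thread or from the NetIQ driver, showing how such a resolver would be built outside the driver: it converts a GUID to the byte order AD stores in objectGUID, escapes it into an RFC 4515 filter, and searches the forest through the GC port. The LDAP search is injected as a callable so the logic runs offline against a constructed sample forest; `make_gc_search` is an assumed adapter on top of the ldap3 library, and the treatment of a bare 32-hex-character string as the stored byte order is an assumption about how an association value is rendered.

```python
"""Added example: resolve an AD objectGUID to a DN forest-wide via the Global Catalog.
Not code from the forum thread or the NetIQ AD driver; assumptions are marked."""
import uuid
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: the Global Catalog of a forest DC answers on the standard GC port.
GC_PORT = 3268

# search(base_dn, ldap_filter, attributes) -> [(dn, {attr: [values]}), ...]
SearchFn = Callable[[str, str, List[str]], List[Tuple[str, Dict[str, List[str]]]]]


def guid_to_objectguid_bytes(guid_text: str) -> bytes:
    """Return the 16 bytes AD stores in objectGUID for a textual GUID.

    AD stores the first three UUID fields little-endian, which is exactly
    uuid.UUID.bytes_le. Assumption: a bare 32-hex-character string (the shape
    of an association value) is already in the stored byte order.
    """
    cleaned = guid_text.strip().strip("{}")
    if "-" not in cleaned and len(cleaned) == 32:
        return bytes.fromhex(cleaned)
    return uuid.UUID(cleaned).bytes_le


def objectguid_filter(objectguid: bytes) -> str:
    """Build an RFC 4515 equality filter; every binary byte is escaped as \\XX."""
    if len(objectguid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in objectguid) + ")"


def resolve_guid_to_dn(guid_text: str, search: SearchFn, forest_base_dn: str = "") -> Optional[str]:
    """Resolve a GUID to its DN anywhere in the forest.

    An empty base DN against the GC port covers every child domain. Returns
    None when no object has that GUID; more than one hit is an error because
    objectGUID is unique across the forest.
    """
    ldap_filter = objectguid_filter(guid_to_objectguid_bytes(guid_text))
    entries = search(forest_base_dn, ldap_filter, ["distinguishedName"])
    if not entries:
        return None
    if len(entries) > 1:
        raise LookupError(f"objectGUID is unique per forest, but got {len(entries)} hits")
    return entries[0][0]


def make_gc_search(host: str, user: str, password: str) -> SearchFn:
    """Assumed adapter over the ldap3 library for a live forest DC (not used offline)."""
    from ldap3 import Connection, Server  # ldap3 is assumed to be installed

    conn = Connection(Server(host, port=GC_PORT), user=user, password=password, auto_bind=True)

    def search(base: str, ldap_filter: str, attrs: List[str]):
        conn.search(base, ldap_filter, attributes=attrs)
        return [(e.entry_dn, {}) for e in conn.entries]

    return search


# Constructed sample forest (two child domains) standing in for the Global Catalog.
SAMPLE_FOREST = {
    "01234567-89ab-cdef-0123-456789abcdef": "CN=Alice,OU=Users,DC=a,DC=example,DC=com",
    "fedcba98-7654-3210-fedc-ba9876543210": "CN=Bob,OU=Users,DC=c,DC=example,DC=com",
}


def fake_gc_search(base: str, ldap_filter: str, attrs: List[str]):
    """Offline stand-in for the GC: matches the filter against SAMPLE_FOREST."""
    hits = []
    for guid, dn in SAMPLE_FOREST.items():
        if objectguid_filter(uuid.UUID(guid).bytes_le) == ldap_filter:
            hits.append((dn, {"distinguishedName": [dn]}))
    return hits


if __name__ == "__main__":
    # A user in domain A resolved for a group in domain C, without a per-domain shim.
    print(resolve_guid_to_dn("01234567-89ab-cdef-0123-456789abcdef", fake_gc_search))
    print(resolve_guid_to_dn("00000000-0000-0000-0000-000000000000", fake_gc_search))
```

The resulting DN is exactly the value the original poster ended up writing into the member attribute by hand; a resolver like this is what would let the GUID-based approach work across domains.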
sdhaval1

Absent Member.
2018-05-08 11:31
You may want to look at the Multidomain AD Driver, which was built with such inter-domain use cases in mind.
https://www.netiq.com/documentation/identity-manager-47-drivers/multidomain_ad/data/boxjgaz.html