rhaeber Absent Member.
Absent Member.
687 views

missing [pseudo].groupMember

Hello,

in LDAP driver I need to retrieve all nested sub groups of a certain group.
To deal partwise with calculated values for nested groups I can use "[pseudo].Member" and "[pseudo].Group Membership" special attribute names.
But unfortunately there is no "[pseudo].groupMember". Does anyone know why not and how could I solve the problem in an other way?

Thanks,
Robert
Labels (1)
0 Likes
4 Replies
Knowledge Partner
Knowledge Partner

Re: missing [pseudo].groupMember

rhaeber wrote:

> Does anyone know why not

I would guess, they just implemented what was required back then.
pseudo.groupMember probabaly was not...

> and how could I solve the problem in an other way?


You can read groupMember for each group and recursively resolve the full list
of nested groups. while-do, for-each a few nodeset variabels should be enough
to get it done all in DirXMLScript.

Or you can read all nested groupMembers via LDAP, if your nested groups are
configured accordingly, i.e. nestedConfig=0 (hint: you can temporarily change
nestedConfig to match your needs...)



--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
rhaeber Absent Member.
Absent Member.

Re: missing [pseudo].groupMember

lhaeger;2480904 wrote:

I would guess, they just implemented what was required back then.
pseudo.groupMember probabaly was not...

What a pity.

I will try the suggested ways.
Thank you!

Greets - Robert
0 Likes
Knowledge Partner
Knowledge Partner

Re: missing [pseudo].groupMember

rhaeber wrote:

> What a pity.
>
> I will try the suggested ways.


Oh, btw. there is a way to make a driver always read the calculated
members/memberships through an ECV (this was default behavior until IDM 3.6.1,
which then changed and introduced this ECV to enable backwards compatibility
where required), see
https://www.netiq.com/documentation/identity-manager-47/policy_understanding/dat
a/policynestedgroups.html This might also affect groupMember (though it's not
explicitly mentioned) and solve your issue.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
rhaeber Absent Member.
Absent Member.

Re: missing [pseudo].groupMember

lhaeger;2481196 wrote:

Oh, btw. there is a way to make a driver always read the calculated
members/memberships through an ECV (this was default behavior until IDM 3.6.1,
which then changed and introduced this ECV to enable backwards compatibility
where required)


Yes, I know the ECV, but I have to deal with the challenge that I need access to the direct members, group members and group memberships as well as the calculated values.
Since the nesting depth is not limited and I have no idea how to implement real recursion with DirXMLScript I have now implemented an ECMAScript ldapSearch (the one from and use it to query the calculated groupMembers.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.