
OML 9.10 AdminUI with LDAP (AD) integration. Problem with users in different containers

Hi there,

I recently ran into a few problems with LDAP integration with Admin UI for my OML installation.

Here's what my environment looks like:

1. Active Directory - I have access to a working service account which is entitled to LDAP search/browse.
    - IMPORTANT - users are scrambled across the whole AD tree
2. OML (9.10.240) is installed on RHEL 6.4

I've integrated Admin UI with AD using the SEARCH option, specifying everything in ../adminUI/conf/ldap.properties (and also auth.xml and auth.properties):

LDAP://ldapaddress:389/dc=some,dc=local,dc=domain

search base: CN=Users.

Needless to say, I can log in using an account located in CN=Users,DC=some,DC=local,DC=domain, so all configuration is correct.

I'd also like to enable login for users located under: OU=MF,OU=USERS,DC=some,DC=local,DC=domain


How can I do that? Do I use the search-by-groups option?

Any help is really appreciated 🙂

Regards,

Blichew

Re: OML 9.10 AdminUI with LDAP (AD) integration. Problem with users in different containers

Hi Blichew,

According to RFC 4511, which defines the LDAP protocol, the scope of the search request could be one of the following:

baseObject: The scope is constrained to the entry named by baseObject.

singleLevel: The scope is constrained to the immediate subordinates of the entry named by baseObject.

wholeSubtree: The scope is constrained to the entry named by baseObject and to all its subordinates.


What you want could be easily achieved with a "wholeSubtree" search from the top of the LDAP tree, but as far as I understand the AdminUI is currently limited to "singleLevel" searches. The following "Enhancement Request" has been submitted to ask for this functionality:

 

http://support.openview.hp.com/selfsolve/document/LID/QCCR1A124069


I don't think there is currently a solution for you other than placing all the AdminUI users under the same OU in the LDAP tree or using the full-fledged MIDAS product, which does support subtree searches.

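To make the scope difference concrete, here is an added example (not code from the original thread or from the AdminUI product) that applies the three RFC 4511 scopes to a small constructed set of AD user DNs; it shows why a singleLevel search based at CN=Users never sees entries under OU=MF,OU=USERS, and that a wholeSubtree search from the domain root finds all of them. The DN parser, the user DNs and the search bases are all assumptions constructed for the example.

```python
"""Apply RFC 4511 search scopes (baseObject, singleLevel, wholeSubtree) to DNs."""


def dn_components(dn: str) -> list[str]:
    """Split a DN into normalized RDN strings, leftmost (most specific) first.

    Minimal parser: it only understands backslash-escaped commas, which is
    enough for typical AD user and container DNs. Case is folded because
    AD matches DNs case-insensitively.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escaped char with its backslash
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip().lower())
    return parts


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Return True if entry_dn would be returned by a search at base_dn with scope."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    # The entry must lie at or below the base: its DN must end with the base's RDNs.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child, ...
    if scope == "baseObject":
        return depth == 0
    if scope == "singleLevel":
        return depth == 1
    if scope == "wholeSubtree":
        return True
    raise ValueError(f"unknown scope: {scope}")


def find_users(user_dns: list[str], base_dn: str, scope: str) -> list[str]:
    """Simulate the server-side scope check for a directory of user DNs."""
    return [dn for dn in user_dns if in_scope(dn, base_dn, scope)]


# Constructed sample directory mirroring the layout described in the question.
USERS = [
    "CN=blichew,CN=Users,DC=some,DC=local,DC=domain",
    "CN=alice,OU=MF,OU=USERS,DC=some,DC=local,DC=domain",
    "CN=bob,OU=Contractors,OU=MF,OU=USERS,DC=some,DC=local,DC=domain",
]
```

Widening the base to the domain root with wholeSubtree also widens which accounts can authenticate, so in a real deployment it belongs together with an LDAP filter or group check that restricts logins to intended users.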
Re: OML 9.10 AdminUI with LDAP (AD) integration. Problem with users in different containers

Hello Blichew,

Since you mentioned that in your AD setup users are scrambled across the whole AD, I think the key here is that your search base starts from CN=Users, and thus it won't search for users that are not under the search base you have set up.

I hope this helps.

Best regards.

HP Support