
Discrepancies between user and group membership


Hello,

Today I faced a strange issue:

"User A" is a member of "group A", but when I look at who is a member of "group A", I do not find "User A" in the group's membership list.

See the example from iManager: on the left, the user's group membership; on the right, the group's members.

ricard1_1-1591177352398.png

Can anyone explain why?

Thanks in advance

Ricard Malvesi


Accepted Solutions

Knowledge Partner

Group membership is actually represented by 4 attributes: 2 on the user, 2 on the group.

For fun, do Security Equals (user pointing at group) and Equivalent To Me (group pointing at user) match as well? (These are the other two, in addition to Member/Group Membership.)

How does this happen? Someone manually, via LDAP or another API, adds a user to a group by setting only one of the 4 (or some subset of the 4) attributes. It happens. It often happens when AD admins are involved, since they are used to just one attribute on the group. (memberOf on the user in AD is a dynamic filter, looked up every time you look at it, not an actual static value.)

Here is a better question for you: how widespread is this issue?

Good news! Alekz, who posts here, wrote a kick-tushy tool called Console2. It is sort of meant for IDM people, but it does directory stuff very cleverly as well.

http://sneakycat.biz

He has a function in there that checks reciprocal attribute mappings. So a group has a pair of reciprocal attributes, as discussed above. You can use an LDAP filter for only certain objects, a base container to start from, etc. But it finds all the mismatches. And there is a tickbox to generate an LDIF to fix them! Which you can edit and fix one, all, or just the ones you want.

Woo hoo! You could do this on your own, loading it all into a DB or somesuch, or Excel, but this tool just finds them all and offers to fix them.

So this will find them all and help you fix them all. Go get the tool, it really is great. It also does unique value finding: do I have two users with the same uniqueID? That would be bad.

Multiple value finder: do I have users with two values for Surname? (Legal in eDir; other systems do not like it.) Easy peasy.


2 Replies

Knowledge Partner

There's a four-way relationship for user/group stuff, needed for referential integrity, i.e.

on the user object, both "groupMembership" and "securityEquals" have to point to the FDN of the group object. On the group object, "member" and "equivalentToMe" have to point to the FDN of the user. Now, depending on how (with which tools) and when (15 years back there was a bug in ConsoleOne regarding this) the membership was established, one or more of these 4 parts might be missing. Removing/re-adding the relation with e.g. a current iManager build should clean things up.

If you like it: like it.
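The four-way relation described in the accepted answer and in the reply above, together with the "find the mismatches, generate an LDIF to fix them" workflow the accepted answer attributes to Console2, as an added Python example: this is not Console2 and not code from either poster. It reads an LDIF export (the shape an `ldapsearch -LLL` of the container produces when you request the four attributes) instead of talking to the directory, so it runs offline; the sample export, the o=acme tree and the user and group names are constructed for the example. It also runs the accepted answer's "for fun" check, reporting memberships whose security-equivalence half is absent.

```python
"""Check eDirectory's four reciprocal user/group attributes and emit LDIF for the gaps."""
from collections import defaultdict

# Constructed sample export (shape of `ldapsearch -LLL` output), not real directory data:
# userA's group side lacks 'member'; userC's user side lacks 'groupMembership'; userB is intact.
SAMPLE_LDIF = """\
dn: cn=userA,ou=users,o=acme
groupMembership: cn=groupA,ou=groups,o=acme
securityEquals: cn=groupA,ou=groups,o=acme

dn: cn=userB,ou=users,o=acme
groupMembership: cn=groupA,ou=groups,o=acme
securityEquals: cn=groupA,ou=groups,o=acme

dn: cn=userC,ou=users,o=acme
objectClass: inetOrgPerson

dn: cn=groupA,ou=groups,o=acme
member: cn=userB,ou=users,o=acme
member: cn=userC,ou=users,o=acme
equivalentToMe: cn=userA,ou=users,o=acme
equivalentToMe: cn=userB,ou=users,o=acme
"""

# The two reciprocal pairs, (attribute on the user, attribute on the group), in canonical spelling.
PAIRS = (("groupMembership", "member"), ("securityEquals", "equivalentToMe"))
DN_ATTRS = {a.lower(): a for pair in PAIRS for a in pair}

def norm_dn(dn):
    """eDirectory matches DNs case-insensitively; also drop spaces after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal reader ('attr: value' lines, blank line ends an entry; no base64 or folded
    lines, which these attributes do not need). Returns {dn: {attr: set(values)}}."""
    entries, dn, attrs = {}, None, None
    for line in text.splitlines() + [""]:
        if not line.strip():                       # end of entry
            if dn is not None:
                entries[dn] = attrs
            dn = None
            continue
        attr, _, value = (s.strip() for s in line.partition(":"))
        if attr.lower() == "dn":
            dn, attrs = norm_dn(value), defaultdict(set)
        elif dn is not None:
            attr = DN_ATTRS.get(attr.lower(), attr)
            attrs[attr].add(norm_dn(value) if attr in DN_ATTRS.values() else value)
    return entries

def find_mismatches(entries):
    """Return (missing, dangling): missing = {(dn, attr, value)} the reciprocal rule requires
    but the export lacks; dangling = references to DNs absent from the export (deleted, or
    simply outside the search base: check before treating them as garbage)."""
    missing, dangling = set(), set()
    for user_attr, group_attr in PAIRS:
        for dn, attrs in entries.items():
            for group_dn in attrs.get(user_attr, ()):            # user -> group direction
                if group_dn not in entries:
                    dangling.add((dn, user_attr, group_dn))
                elif dn not in entries[group_dn].get(group_attr, ()):
                    missing.add((group_dn, group_attr, dn))
            for user_dn in attrs.get(group_attr, ()):            # group -> user direction
                if user_dn not in entries:
                    dangling.add((dn, group_attr, user_dn))
                elif dn not in entries[user_dn].get(user_attr, ()):
                    missing.add((user_dn, user_attr, dn))
    return missing, dangling

def membership_without_equivalence(entries):
    """The 'for fun' check: membership values with no matching security-equivalence value on
    the same object. Adding these is a policy call, so they are reported, not put in the LDIF."""
    out = set()
    for dn, attrs in entries.items():
        for g in attrs.get("groupMembership", set()) - attrs.get("securityEquals", set()):
            out.add((dn, "securityEquals", g))
        for u in attrs.get("member", set()) - attrs.get("equivalentToMe", set()):
            out.add((dn, "equivalentToMe", u))
    return out

def fix_ldif(missing):
    """One 'changetype: modify' record per object, one 'add:' block per attribute; review it
    (and delete records you do not want) before handing it to ldapmodify."""
    by_dn = defaultdict(lambda: defaultdict(set))
    for dn, attr, value in missing:
        by_dn[dn][attr].add(value)
    records = []
    for dn in sorted(by_dn):
        lines = [f"dn: {dn}", "changetype: modify"]
        for attr in sorted(by_dn[dn]):
            lines += [f"add: {attr}"] + [f"{attr}: {v}" for v in sorted(by_dn[dn][attr])] + ["-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    missing, dangling = find_mismatches(entries)
    print("missing:", sorted(missing), "\ndangling:", sorted(dangling))
    print("membership without equivalence:", sorted(membership_without_equivalence(entries)))
    print(fix_ldif(missing))
```

On the sample this reports two missing halves (groupA lacks `member` for userA, userC lacks `groupMembership` for groupA) and produces the LDIF that adds exactly those two values; it also flags userC as a member without a matching `equivalentToMe`. The fixer only ever adds values, never deletes, because a reference whose target is outside the export may be perfectly valid; DNs are emitted lowercased, which eDirectory's case-insensitive DN matching accepts.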