Automic Workload Automation


LDAP Sync - Multiple AE Domains for single client

  • 1.  LDAP Sync - Multiple AE Domains for single client

    Posted 01-30-2018 10:56 AM
    I've got LDAP Sync functioning properly in my v11.2 system and have multiple group mappings that are all working successfully. 

    Does anyone know if/how you can assign different AE domains/depts to the same users? 

    For instance, if I want a single user to have Read/Execute access normally but be able to log in with the same ID but different AE domain/dept to do any modifications.

    Example:
    User: TEST  DEPT: RE
    User: TEST  DEPT: EDIT



    <Configuration>
        <Schema baseDN="OU=AUTOMIC,OU=Users and Groups,DC=mycompany,DC=com"
                userDN=""
                groupDN=""
                updateDn="true"/>

        <AE userDomain="RE"
            autoDeactivateUsers="True"/>

        <GroupMappings>
            <map ae="READ_EXECUTE" ldap="AUTOMIC_READ_EXECUTE" />
        </GroupMappings>
    </Configuration>


    Thanks for any and all help! 


  • 2.  LDAP Sync - Multiple AE Domains for single client

    Posted 02-06-2018 05:05 AM
    Hi Jim_Griffith_8234 ,

    A user should belong to one department / domain at a time.
    What you can do, however, is create a TEST/RE user, and another TEST/EDIT user.

    Hope this helps.

    Best regards,
    Antoine


  • 3.  LDAP Sync - Multiple AE Domains for single client
    Best Answer

    Posted 02-13-2018 11:22 AM
    Thanks Antoine. However, that scenario doesn't allow for a single user to be able to have different accounts in Automic with different levels of access and still use their AD credentials, unless they have a normal user and elevated user in AD. A user that just monitors processes 90% of the time doesn't need modify access 100% of the time, or even admin-type access if they have tasks that require that level.

    I was able to find a way to do this by creating multiple LDAPSync.xml files. Each LDAPSync xml file would reference a different directory for client xml files. Then I call each specific LDAPSync xml file from the command line. The user would need to be a member of multiple AD groups. In my example, the user is a member of the automic_read_only and the automic_write_access groups in AD. 



    Example: 

    LDAPSync_<client>_<access>.xml 

    LDAPSync_1_RO.xml 

    <Clients path="1_RO" default="defaults.xml"/> 

    Client_1.xml inside of the 1_RO folder. 

    <AE userDomain="RO"
        autoDeactivateUsers="true"
    />

    <GroupMappings>
        <map ae="Read_Only" ldap="automic_read_only" />
    </GroupMappings>

    java -jar ldap-sync-1.0.7.jar -config LDAPSync_1_RO.xml -cl "1" 

    This creates users as <user>/RO with the READ_ONLY user group. 


    LDAPSync_1_write.xml 

    <Clients path="1_WRITE" default="defaults.xml"/> 

    Client_1.xml inside of the 1_WRITE folder. 

    <AE userDomain="WRITE"
        autoDeactivateUsers="true"
    />

    <GroupMappings>
        <map ae="WRITE_ACCESS" ldap="automic_write_access" />
    </GroupMappings>

    java -jar ldap-sync-1.0.7.jar -config LDAPSync_1_WRITE.xml -cl "1" 

    This creates users as <user>/WRITE with the WRITE_ACCESS user group.


    This way the user would login as <user>/RO for 90% of their job and if they need to make a change, they open a new instance of the user interface and login with <user>/WRITE. 

    The other thing to note is that each AE Domain (Dept) will need a UC_LDAP_<DEPT> vara in Client 0 with LDAP connection information.
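The split-config approach above only delivers least privilege if the read-only domain's Client XML never gains a privileged group mapping and no two LDAPSync directories declare the same userDomain. The following script is an added example, not code from the thread or from Automic, that parses the per-directory Client XML files and reports such drift before the sync jobs run. The directory names, the set of AE groups treated as privileged, and the third "bad" config are all constructed for illustration; it assumes AE group names compare case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed sample Client_1.xml contents, keyed by the LDAPSync client directory.
# The first two follow the shape posted in the thread; the third is a deliberately
# mis-edited read-only config used to show what the check flags.
CLIENT_CONFIGS = {
    "1_RO/Client_1.xml": """<Configuration>
  <AE userDomain="RO" autoDeactivateUsers="true"/>
  <GroupMappings>
    <map ae="Read_Only" ldap="automic_read_only"/>
  </GroupMappings>
</Configuration>""",
    "1_WRITE/Client_1.xml": """<Configuration>
  <AE userDomain="WRITE" autoDeactivateUsers="true"/>
  <GroupMappings>
    <map ae="WRITE_ACCESS" ldap="automic_write_access"/>
  </GroupMappings>
</Configuration>""",
    "1_RO_bad/Client_1.xml": """<Configuration>
  <AE userDomain="RO" autoDeactivateUsers="true"/>
  <GroupMappings>
    <map ae="Read_Only" ldap="automic_read_only"/>
    <map ae="write_access" ldap="automic_write_access"/>
  </GroupMappings>
</Configuration>""",
}

# Hypothetical list of AE user groups that must never be mapped into a read-only domain.
PRIVILEGED_AE_GROUPS = {"WRITE_ACCESS", "UC_ADMIN"}

# Hypothetical list of domains that are meant to be monitoring-only.
READ_ONLY_DOMAINS = {"RO"}


def parse_client_config(xml_text):
    """Return (userDomain, {ae_group: ldap_group}) from one Client XML document."""
    root = ET.fromstring(xml_text)
    ae = root.find("AE")
    domain = ae.get("userDomain") if ae is not None else None
    mappings = {m.get("ae"): m.get("ldap") for m in root.iter("map")}
    return domain, mappings


def find_violations(configs, privileged=PRIVILEGED_AE_GROUPS, read_only=READ_ONLY_DOMAINS):
    """Check every config for privilege drift; returns a list of (path, reason) tuples."""
    privileged_upper = {g.upper() for g in privileged}
    seen_domains = {}
    violations = []
    for path, text in configs.items():
        domain, mappings = parse_client_config(text)
        if domain is None:
            violations.append((path, "missing <AE userDomain>"))
            continue
        # Two sync runs writing the same <user>/<DOMAIN> would silently overwrite each other.
        if domain in seen_domains:
            violations.append((path, f"domain {domain} already declared in {seen_domains[domain]}"))
        else:
            seen_domains[domain] = path
        # A read-only domain must not carry any privileged AE group mapping.
        if domain in read_only:
            for ae_group, ldap_group in mappings.items():
                if ae_group.upper() in privileged_upper:
                    violations.append(
                        (path, f"privileged group {ae_group} (LDAP {ldap_group}) mapped into read-only domain {domain}")
                    )
    return violations


if __name__ == "__main__":
    for path, reason in find_violations(CLIENT_CONFIGS):
        print(f"{path}: {reason}")
```

Run it against the real Client XML files (read each file into the dictionary instead of the constructed strings) as a pre-step before the `java -jar ldap-sync ... -config ...` invocations; a non-empty result means the low-privilege login is no longer low-privilege.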