Hi Bruno,
Usually, users and groups are located in different branches in the LDAP, and they are related through membership attributes. I mean, the group branch does not contain users.
Example:
- Users under ou=People,dc=field,dc=mydomain,dc=com
- Groups under ou=Groups,dc=field,dc=mydomain,dc=com
Is this your case?
You have to configure LDAP integration with a baseDN that reduces the scope of the search; it can be the branch where the users are located (ou=People,dc=field,dc=mydomain,dc=com) or the suffix (dc=mydomain,dc=com). Remember to check Search subdirectories if this is the case.
Later, ensure you are using the right attribute in the user entry to search the user by. Examples are uid={0} or sAMAccountName={0}, where {0} is the username you introduce for authentication.
Regards
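The search behaviour described in the reply above, as an added example that is not part of the original thread and is not Spectrum or OneClick code: a constructed in-memory directory shows why a search whose base is a group's DN finds no user entry, why a suffix base needs subtree scope, and why the username substituted for {0} should be escaped before it goes into the filter. The group name spectrum-users, the sample entries and all function names are assumptions made for illustration.

```python
import re

# Constructed sample directory (DN -> attributes), laid out like the thread's example.
PEOPLE = "ou=People,dc=field,dc=mydomain,dc=com"
GROUP = "cn=spectrum-users,ou=Groups,dc=field,dc=mydomain,dc=com"  # hypothetical group
DIRECTORY = {
    "uid=bruno," + PEOPLE: {"uid": "bruno", "memberOf": [GROUP]},
    "uid=guest," + PEOPLE: {"uid": "guest", "memberOf": []},
    GROUP: {"cn": "spectrum-users", "member": ["uid=bruno," + PEOPLE]},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the username stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, username):
    """Substitute {0} in a template such as 'uid={0}' with the escaped username."""
    return template.replace("{0}", escape_filter_value(username))

def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def search(base_dn, flt, subtree=True):
    """Match one 'attr=value' filter at or below base_dn; an unescaped * is a wildcard."""
    attr, _, pattern = flt.partition("=")
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    base, hits = base_dn.lower(), []
    for dn, attrs in DIRECTORY.items():
        low = dn.lower()
        if subtree:
            in_scope = low == base or low.endswith("," + base)
        else:  # one level only: direct children of the base
            in_scope = low.split(",", 1)[1] == base
        value = attrs.get(attr)
        if in_scope and isinstance(value, str) and re.fullmatch(regex, value, re.I):
            hits.append(dn)
    return hits

def find_authorized_user(base_dn, template, username, group_dn, subtree=True):
    """Return the user's DN only if exactly one entry matches and it is in group_dn."""
    hits = search(base_dn, build_filter(template, username), subtree)
    if len(hits) != 1:
        return None
    member_of = [g.lower() for g in DIRECTORY[hits[0]].get("memberOf", [])]
    return hits[0] if group_dn.lower() in member_of else None
```
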
Original Message:
Sent: 03-09-2021 08:04 AM
From: Bruno Reis
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hello,
Yes, it does make sense and I have been doing that with no success. I always receive the error saying the user does not exist or the password is wrong (when I test a user).
Maybe I am seeing this in the wrong way, checking the group object for the Users belonging to it, and the only option is to update to 10.4.2 and configure it to check the user membership of each group they belong to.
Thanks.
Original Message:
Sent: 03-09-2021 06:40 AM
From: Jose Vicente Espinosa
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hi Bruno,
I think you have only to reconfigure the connection details in OneClick.
If your LDAP structure (baseDN) has changed, just update it.
The user authentication process will search for the user in the directory based on the configured criteria: User by search or User by pattern.
User by search is less impacted by LDAP structure changes because it searches from the baseDN.
Make sense?
Regards
Original Message:
Sent: 03-09-2021 06:30 AM
From: Bruno Reis
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hello Jose,
"The only difference is that 10.4.2 included the ability to auto-provision users in Spectrum based on their group membership."
OK, I see. It's not what I am looking for.
I have OneClick pointing to AD, to a specific directory in which there are all the users that can access Spectrum (and I have them configured in Spectrum) and they can access; now, I have to change it to point to another directory, but it only has one Security Group (group_object) inside it. That group has the same members as in the previous directory.
My question is, how do I configure OneClick to use that Group (group_object) and allow the "contained" Users to access Spectrum?
(When I say "contained" users, I mean the users inside that group)
Thanks for the help, much appreciated.
Original Message:
Sent: 03-09-2021 05:24 AM
From: Jose Vicente Espinosa
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hi Bruno,
LDAP authentication should work as well in 10.4.0. The only difference is that 10.4.2 included the ability to auto-provision users in Spectrum based on their group membership. In 10.4.0, you must guarantee the user already exists in Spectrum with the same name as it appears in LDAP.
Regards
Original Message:
Sent: 03-09-2021 04:54 AM
From: Bruno Reis
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hello Jose,
Thanks for the reply.
"do you refer to this feature?
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/release-information/features-and-enhancements.html#concept.dita_74630ff8e83cd59592f994d76127c7a97e847997_LDAPUserGroupAuthentication"
Yes, it's something like that, I need to point OneClick to the LDAP/AD, to the group containing the users that can access Spectrum.
"It was introduced in 10.4.2."
So this means it's not possible with the version I have (10.4.0) and the only solution is to upgrade to at least 10.4.2?
"When you search your user in the LDAP using ldapsearch, does it return the memberOf attributes?"
Yes, when I query the AD for listing the users, I can see the memberOf attribute, and when I query the group I can see the users in it.
Thanks for the help.
Original Message:
Sent: 03-09-2021 04:24 AM
From: Jose Vicente Espinosa
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hi Bruno,
do you refer to this feature?
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/release-information/features-and-enhancements.html#concept.dita_74630ff8e83cd59592f994d76127c7a97e847997_LDAPUserGroupAuthentication
It was introduced in 10.4.2.
When you search your user in the LDAP using ldapsearch, does it return the memberOf attributes?
Regards
Original Message:
Sent: 03-09-2021 04:08 AM
From: Bruno Reis
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hello Magen,
Thanks for the tip. I have seen that link before, but like you said it's for 10.4.3 and for now we are not going to do upgrades (I do not know when it will be done), I am stuck with 10.4.0 for the moment. Is there any way to make it work with groups in this version?
Thanks
Original Message:
Sent: 03-09-2021 03:18 AM
From: Magen Kamil
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hi, first of all, from my experience the LDAP integration didn't work so well for us in this version...
We upgraded to 10.4.3 and it works perfectly + you can configure LDAP groups.
See this documentation:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/administrating/oneclick-administration/oneclick-administration-pages.html#concept.dita_99bd4cd8af497f4501d74d0457df4a5fc66ed4b4_LDAPUserGroupAuthentication
Original Message:
Sent: 03-08-2021 11:13 AM
From: Bruno Reis
Subject: Spectrum 10.4.0 - LDAP/AD Groups Membership
Hello all,
I am trying to find some information on how to configure LDAP authentication on Spectrum (version 10.4.0) for LDAP/AD Groups Membership (group object containing users) authentication.
I can configure it to search inside an OU (containing a list of users in the directory), validate and authenticate the users, but when I try to configure it to check a Group, it gives me the error of "User unkown or wrong password" and I know for sure that the user belongs to that Group and the path is correct (I tested using ldapsearch and got the users).
Does this version, 10.4.0, support LDAP/AD Group Membership?
If it does, where can I find the documentation for it (I can't find it in its manual)?
If not, is there a workaround?
Thanks,
Bruno