Hi Carsten,
LDAPSync allows you to synchronize one or more AD groups with OneAutomation groups either by adding or deleting them.
The configuration of the tool is based on a hierarchy of XML files which allows you to define different mappings according to the OA clients.
It is even possible to synchronize several ADs with the same OneAutomation system.
All that remains is to plan the execution of LDAPSync, for example, every 5 minutes through OA.
This limits the administration of OneAutomation to the creation of user groups.
The tool will take care of creating or deleting users in OA according to the AD groups they belong to.
Note: LDAPSync does not work with client 0000. In addition, LDAPSync uses client 0000 to create users before moving them to their destination client. If the AD user already exists in client 0000, the tool will report an error.
Regards,
------------------------------
Solution Architect Automation
Broadcom
------------------------------
Original Message:
Sent: 04-09-2020 07:24 AM
From: Carsten Schmitz
Subject: AD Integration - need answers on some basics
Hi.
I have read the documentation for 11.2 and the overhauled one for 12.3, and I have just written a lengthy email to Automic documentation writers outlining the issues I have with the latter still.
But that doesn't really help me, at least not now. As usual, it helps Broadcom :)
I still have very basic questions that maybe someone here can answer:
- Specifically with 12.x, what can LDAP integration actually do for me? Do I still need to create a user object for every AE user? Or can AE actually authenticate against, say, an AD controller based on AD groups without creating AE users?
- And if so, how does it actually work, does AE pass the hash of a password I type to the AD controller and the AD controller then says "valid or not"?
The reason I ask this is that the documentation has this odd hint that AD passwords only work if they don't contain any characters disallowed by the AE database schema. This worries me. Why would that be? AE doesn't get to store my AD plain text password, right? With live AD integration, it shouldn't store anything about my passwords, not even hashes, but certainly not passwords!?
- Beyond the documentation being very confusing to me, 12.3 seems to describe an additional tool, but without saying why: LDAPSync.jar. Do I need it? In plain terms, what does it do for me?
In the spirit of Reddit, feel free to answer these questions like I'm five.
Thanks!
------------------------------
These contain very good advice on asking questions and describing supposed bugs (no, you do not need to go to StackExchange for Automic questions, but yes, the parts on asking detailed, useful questions ARE usually relevant):
http://www.catb.org/~esr/faqs/smart-questions.html
https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
------------------------------