DX Infrastructure Management


Hub - Ldap security setup 

Mar 08, 2017 04:13 AM

When using the standard hub configuration LDAP/AD GUI settings, in a lot of cases we get a popup indicating that there are too many entries in the "Group Container" filter when pressing the Test button.

Later, during the UIM LDAP sync process, this can cause an error, with the result that no Active Directory users can log in anymore.

 

But there are some not very well documented parameters, especially filter_group, where you can add further LDAP filter terms to limit the search within the Active Directory hierarchy.

Example that you can use in hub.cfg (note that there must be no whitespace between the components of the filter):

filter_group = (&(objectCategory=group)(cn=NIM_*))

 

The attached Word document describes a way to test, via ldp.exe, and find the most appropriate parameters for defining the LDAP/Active Directory security interface.

 

Note: comments are very welcome so that we can update this document.

Attachment: UIM Ldap setup_v1.2.docx (docx, 415 KB, 1 version), uploaded May 29, 2019


Comments

May 04, 2017 12:13 PM

Hi Chris,

 

Think about adding proper tags to the article (otherwise it will be hard to find the article with the search tool or on Google).

 

Best Regards,

Thomas

Mar 08, 2017 04:56 AM

Awesome document Luc, many thanks for documenting this.

This is my current customer's LDAP filtering, to show what we had to do to make it work. Fortunately the customer's AD SME was very quick to set this up.

<Active Directory>
   tag = ad
   filter_group = (cn=uim-*)
   filter_user = (&(objectClass=person)(xlnxemploystatus=active*)(|(userPrincipalName=$loginname)(sAMAccountName=$loginname)))
   exclude_regexp = /(@)|(\\)|(^(C|c)(N|n)=)/
   ldap_dn_regexp = /^(C|c)(N|n)=/
   attr_grp_name = name
   attr_grp_member_name = member
   attr_usr_firstname = givenName
   attr_usr_lastname = sn
   attr_usr_mail = mail
   attr_usr_cellphone = mobile
   attr_usr_phone = telephoneNumber
   attr_usr_www = wWWHomePage
   attr_usr_office = physicalDeliveryOfficeName
   attr_usr_company = company
   attr_usr_title = title
   attr_usr_department = department
   attr_usr_description = description
   attr_usr_name = displayName
   attr_usr_id = userPrincipalName
   attr_usr_member_of = memberOf
   attr_usr_restrict_view = restrictViewToUserAssets
   format = $username@$domain
   lookup = no
   paging = yes
   member_lookup_reverse = yes
</Active Directory>
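To see what a filter_group or filter_user expression actually pulls in before committing it to hub.cfg (the "too many entries" popup from the original post, and the $loginname substitution in the filter_user above), here is an added Python example; it is not code from the post, the attached document or the UIM hub. It implements a small evaluator for the LDAP filter forms used on this page (&, |, !, equality, presence and substring) and runs them over a constructed sample directory. The sample entries, the MAX_GROUP_ENTRIES threshold and the RFC 4515 escaping applied to the substituted $loginname are assumptions: the page does not state what limit the GUI applies, nor whether the hub escapes the login name itself.

```python
"""Dry-run hub.cfg LDAP filters against a constructed sample (added example, not UIM hub code)."""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Pred = Callable[[Entry], bool]

def _person(cn: str, sam: str, upn: str = "", status: str = "") -> Entry:
    e: Entry = {"objectCategory": ["person"], "objectClass": ["person", "user"], "cn": [cn], "sAMAccountName": [sam]}
    e.update({k: [v] for k, v in (("userPrincipalName", upn), ("xlnxemploystatus", status)) if v})
    return e

# Constructed sample entries (assumption): four groups plus three users, one with a cn starting NIM_.
SAMPLE_DIRECTORY: List[Entry] = [
    *[{"objectCategory": ["group"], "objectClass": ["group"], "cn": [cn]}
      for cn in ("NIM_Admins", "NIM_Operators", "Domain Users", "uim-readonly")],
    _person("NIM_ServiceAccount", "nim_svc"),
    _person("alice", "alice", "alice@example.com", "active"),
    _person("bob", "bob", "bob@example.com", "terminated"),
]
# filter_user from the comment above, with the hub's $loginname placeholder left in place.
FILTER_USER = ("(&(objectClass=person)(xlnxemploystatus=active*)"
               "(|(userPrincipalName=$loginname)(sAMAccountName=$loginname)))")
MAX_GROUP_ENTRIES = 3  # assumed demo threshold; the GUI's real limit is not stated on the page

def escape_value(value: str) -> str:
    """RFC 4515 escaping so a login name such as '*' or 'x)(cn=*' stays a literal (assumed, see lead-in)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _match_value(pattern: str, value: str) -> bool:
    # Equality or '*'-substring match on unescaped parts; AD string matching is case-insensitive.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p).lower()
             for p in pattern.split("*")]
    v = value.lower()
    if len(parts) == 1:
        return parts[0] == v
    if not v.startswith(parts[0]) or not v.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        i = v.find(mid, pos)
        if i < 0:
            return False
        pos = i + len(mid)
    return pos <= len(v) - len(parts[-1])

def _item(attr: str, pattern: str) -> Pred:
    name = attr.lower()
    def pred(e: Entry) -> bool:
        vals = next((v for k, v in e.items() if k.lower() == name), [])
        return bool(vals) if pattern == "*" else any(_match_value(pattern, v) for v in vals)
    return pred

def _parse(s: str, pos: int) -> Tuple[Pred, int]:
    # Recursive-descent parse of one parenthesised filter starting at s[pos].
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos] if pos < len(s) else ""
    if op in ("&", "|", "!"):
        subs, pos = [], pos + 1
        while pos < len(s) and s[pos] == "(":
            sub, pos = _parse(s, pos)
            subs.append(sub)
        # Anything but ')' here, e.g. a space between components, is a syntax error.
        if pos >= len(s) or s[pos] != ")" or not subs or (op == "!" and len(subs) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {pos}")
        combine = {"&": lambda e: all(f(e) for f in subs), "|": lambda e: any(f(e) for f in subs),
                   "!": lambda e: not subs[0](e)}
        return combine[op], pos + 1
    end = s.find(")", pos)
    attr, eq, pattern = s[pos:end].partition("=") if end >= 0 else ("", "", "")
    if not attr or not eq or not pattern:
        raise ValueError(f"malformed simple filter at offset {pos}")
    return _item(attr, pattern), end + 1

def compile_filter(text: str) -> Pred:
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter: {text[end:]!r}")
    return pred

def is_valid_filter(text: str) -> bool:
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False

def evaluate(filter_text: str, entries: List[Entry] = SAMPLE_DIRECTORY, escape: bool = True, **variables: str) -> List[str]:
    """Substitute hub-style $variables, compile, and return the cn of every matching entry."""
    for name, val in variables.items():
        filter_text = filter_text.replace("$" + name, escape_value(val) if escape else val)
    pred = compile_filter(filter_text)
    return [e["cn"][0] for e in entries if pred(e)]

def check_group_filter(filter_text: str, limit: int = MAX_GROUP_ENTRIES) -> Tuple[bool, List[str]]:
    # False when the filter pulls in more entries than the limit (the GUI's "too many entries" case).
    matches = evaluate(filter_text)
    return len(matches) <= limit, matches

if __name__ == "__main__":
    print(check_group_filter("(objectCategory=group)"), check_group_filter("(&(objectCategory=group)(cn=NIM_*))"))
```

Running it shows (objectCategory=group) exceeding the assumed limit while (&(objectCategory=group)(cn=NIM_*)) returns only the two NIM_ groups, and that (cn=NIM_*) on its own also matches a user object whose cn happens to start with NIM_, which is why the objectCategory term belongs in the filter. The parser rejects the space-separated form of the filter, as a strict RFC 4515 parser would, so calling is_valid_filter on a candidate before pasting it into hub.cfg catches that class of typo; evaluate with escape=False shows what a login name of "x)(cn=*" does to filter_user when the substitution is not escaped. This is a syntax and logic check only: confirm the real result set with ldp.exe or a query against the domain, as the attached document describes, before switching the sync over.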
