This document was generated from CDN thread

Created by: ROD TAGUCHI on 02-11-2012 01:10:05 PM
Is there a way to set up an LDAP sync agreement that is not tied to an OU, but to a group membership (in Active Directory) search filter? I'd like to retain the current OU structure, which includes users, service accounts and external contractors, but only sync users that belong to an Active Directory group.

Thanks
Rod

Subject: Re: New Message from ROD TAGUCHI in WebEx Social Developer - Technical ques
Replied by: Mohsin Ali on 02-11-2012 01:16:44 PM
Hi Rod,

You can use the LDAP search filter below to achieve the desired result.

(memberOf=CN=webexsocialusers,ou=security groups,dc=corporate,dc=test,dc=org)

In the above example, the AD group name is webexsocialusers, the OU is "security groups" and the domain is corporate.test.org.


Hth,

Mo


Subject: RE: LDAP sync with group filter?
Replied by: ROD TAGUCHI on 02-11-2012 05:06:44 PM
Thanks Mo,

I tried that and am getting these errors in the appserver log with Directory Services on DEBUG.  I am running 3.0 SR3.

Nov  2 21:45:00 web01.psesouth.com quad[]: DEBUG  - [DSLDAPSyncImpl(5)] - [] - []: Base=memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com
Nov  2 21:45:00 web01.psesouth.com quad[]: DEBUG  - [DSLDAPSyncImpl(5)] - [] - []: Filter=(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Nov  2 21:45:00 web01.psesouth.com quad[]: ERROR  - [DSLDAPSyncImpl(5)] - [] - []: Caught NamingException
Nov  2 21:45:00 web01.psesouth.com quad[]: ERROR  - [DSLDAPSyncImpl(5)] - [] - []: javax.naming.InvalidNameException: memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of kiss 012#011'memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com'#012#000]; remaining name 'memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com'#012MESSAGE memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of kiss 012#011'memberOf=CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com'#012#000]#012com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)#012com.sun.jndi.ldap.LdapCtx.process...
Nov  2 21:45:00 web01.psesouth.com quad[]: ERROR  - [DSLDAPSyncImpl(5)] - [] - []: com.cisco.ccm.dir.dirsync.common.DSException#012MESSAGE null#012com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPMutualFunc.LDAPFullSync(DSLDAPMutualFunc.java:527)#012com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:343)#012

Subject: RE: LDAP sync with group filter?
Replied by: John Kazmerzak on 02-11-2012 05:28:09 PM
You should try using the ldapsearch tool from the command line to help debug this. Start simple, make sure you have enough access to retrieve the desired information, and work your way up to more complexity. The error you are getting seems to indicate your DN is invalid; perhaps there is a hidden or invalid character.
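The DEBUG lines above show where the attempt went wrong: the Base field holds "memberOf=CN=QuadUsers,..." while the Filter field still holds the product's default filter. A search base must be a DN, so AD answers with error 34 (BAD_NAME); the memberOf clause belongs inside the filter, next to the objectClass and userAccountControl tests. The following is an added example, not code from the thread or from WebEx Social: it reproduces that default filter with a memberOf clause appended, then evaluates the same conditions in Python over constructed AD-style entries so the effect of the base DN, the disabled-account bit and direct versus nested group membership can be checked offline. All DNs, OU names, account names and attribute values are constructed; the nested-membership variant uses the AD matching rule 1.2.840.113556.1.4.1941, which the thread does not mention.

```python
"""Offline model of an AD LDAP sync scope: a base DN plus a search filter.

Added example (not code from the thread or from WebEx Social). The filter
string mirrors the one printed in the DEBUG log with a memberOf clause added;
the entries, groups and DNs below are constructed.
"""
from typing import Dict, Iterable, List, Set

# (userAccountControl:1.2.840.113556.1.4.803:=2) is a bitwise-AND match
# (LDAP_MATCHING_RULE_BIT_AND) against the ACCOUNTDISABLE bit.
ACCOUNTDISABLE = 0x2
# AD matching rule that follows group nesting (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN = "1.2.840.113556.1.4.1941"

BASE_DN = "OU=PSELAB,DC=psesouth,DC=com"
GROUP_DN = "CN=QuadUsers,OU=PSELAB,DC=psesouth,DC=com"
NESTED_GROUP_DN = "CN=Staff,OU=PSELAB,DC=psesouth,DC=com"

# Constructed group objects: the groups each group is itself a member of.
GROUPS: Dict[str, List[str]] = {
    GROUP_DN: [],
    NESTED_GROUP_DN: [GROUP_DN],  # Staff is nested inside QuadUsers
}


def entry(cn: str, container: str, uac: int, member_of: List[str],
          classes=("top", "person", "organizationalPerson", "user")) -> Dict[str, object]:
    """Build a constructed AD-style entry (only the attributes the filter needs)."""
    return {"dn": f"CN={cn},{container}", "objectClass": list(classes),
            "userAccountControl": uac, "memberOf": list(member_of)}


ENTRIES: List[Dict[str, object]] = [
    # Enabled user, direct member: the only entry a plain memberOf sync picks up.
    entry("alice", f"OU=Users,{BASE_DN}", 512, [GROUP_DN]),
    # Enabled user inside the OU tree but not in the group: excluded by memberOf.
    entry("bob", f"OU=Contractors,{BASE_DN}", 512, []),
    # Disabled service account (512 | ACCOUNTDISABLE): excluded by the 803 bit test.
    entry("svc-backup", f"OU=Service Accounts,{BASE_DN}", 514, [GROUP_DN]),
    # Computer object; AD computers are also objectClass=user, hence the explicit exclusion.
    entry("WEB01", f"OU=Servers,{BASE_DN}", 4096, [GROUP_DN],
          classes=("top", "person", "organizationalPerson", "user", "computer")),
    # Member only through the nested Staff group: a plain memberOf clause misses it.
    entry("carol", f"OU=Users,{BASE_DN}", 512, [NESTED_GROUP_DN]),
    # Direct member but outside the base DN: never searched at all.
    entry("dave", "OU=OTHERLAB,DC=psesouth,DC=com", 512, [GROUP_DN]),
]


def sync_filter(group_dn: str, nested: bool = False) -> str:
    """Filter string for the Filter field. The base DN goes in the Base field;
    a filter placed there is what produced error 34 (BAD_NAME) in the log."""
    member_clause = (f"(memberOf:{IN_CHAIN}:={group_dn})" if nested
                     else f"(memberOf={group_dn})")
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" + member_clause + ")")


def _same_dn(a: str, b: str) -> bool:
    return a.lower() == b.lower()  # simplification of real DN matching rules


def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is the base or lies anywhere beneath it (subtree scope)."""
    return _same_dn(dn, base_dn) or dn.lower().endswith("," + base_dn.lower())


def transitive_groups(direct: Iterable[str]) -> Set[str]:
    """Expand memberOf through GROUPS, as the IN_CHAIN rule does on the server."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(GROUPS.get(g, []))
    return seen


def matches(e: Dict[str, object], group_dn: str, nested: bool = False) -> bool:
    """Evaluate the conditions of sync_filter() against one entry."""
    classes = {str(c).lower() for c in e["objectClass"]}
    if "user" not in classes or "computer" in classes:
        return False
    if int(e["userAccountControl"]) & ACCOUNTDISABLE:
        return False
    groups = transitive_groups(e["memberOf"]) if nested else set(e["memberOf"])
    return any(_same_dn(g, group_dn) for g in groups)


def select_sync_users(entries, base_dn: str, group_dn: str, nested: bool = False) -> List[str]:
    """DNs the sync would import: under the base AND matching the filter."""
    return [str(e["dn"]) for e in entries
            if in_subtree(str(e["dn"]), base_dn) and matches(e, group_dn, nested)]


if __name__ == "__main__":
    print("Filter :", sync_filter(GROUP_DN))
    for dn in select_sync_users(ENTRIES, BASE_DN, GROUP_DN):
        print("direct :", dn)
    for dn in select_sync_users(ENTRIES, BASE_DN, GROUP_DN, nested=True):
        print("nested :", dn)
```

Two points the model makes visible: memberOf is an exact DN match on direct membership only, so users who reach the group through a nested group are not synced unless the IN_CHAIN form is used (which is noticeably more expensive for the domain controller); and the base DN limits the search before the filter is ever applied, so a group member outside the configured base is never imported. The case-insensitive string comparison stands in for proper DN matching and is only adequate for constructed data like this.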

Subject: RE: LDAP sync with group filter?
Replied by: ROD TAGUCHI on 07-12-2012 01:41:16 PM
Do you have an example of how to configure this? I see that the Cloud Connector LDAP sync tool for WxS in the cloud does allow you to filter the users that are to be synced to the WxS directory. The cloud tool also allows the sync to remove accounts in WxS as well as add them via sync. Is that functionality available for on-premises installs?

Thanks
Rod

Subject: RE: LDAP sync with group filter?
Replied by: Daniele Salladini on 05-03-2013 08:12:45 AM
Hi Rod, yes, you can use a group to filter authentication. I use it, and in my opinion it is the best way to manage user access easily.

The Auth Search Filter syntax must be in this form:

(&(sAMAccountName=@screen_name@)(memberOf=CN=quad,OU=GROUPS,OU=CORPORATE,DC=corp,DC=dom))

The group created is "quad", and the match is done by combining the "sAMAccountName=@screen_name@" filter (mandatory!) with the "memberOf=CN=quad,OU=GROUPS,OU=CORPORATE,DC=corp,DC=dom" filter.

The import search filter can be

(objectClass=person)

Daniele
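The auth filter above substitutes the login name into the @screen_name@ placeholder. The thread does not say what WebEx Social itself does with that value, but anyone composing such a filter by string substitution has to apply RFC 4515 escaping to it, otherwise a crafted login name can add assertions to the filter; the same escaping applies to a group DN pasted into a memberOf clause when the group's RDN contains characters that are special inside a filter. The following is an added example, not code from the thread or from WebEx Social; the template turns the group DN into a second placeholder so both cases can be shown, and the screen names and group DNs are constructed.

```python
"""RFC 4515 escaping for values substituted into an LDAP search filter.

Added example (not code from the thread or from WebEx Social). The template
mirrors the auth filter quoted in the thread, with the group DN made a second
placeholder. Screen names and group DNs below are constructed.
"""

AUTH_FILTER_TEMPLATE = "(&(sAMAccountName=@screen_name@)(memberOf=@group_dn@))"

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash and two hex digits. Other UTF-8 text may stay as is.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_auth_filter(screen_name: str, group_dn: str, escape: bool = True) -> str:
    """Fill the template. escape=False shows the naive substitution that can be
    abused; escape=True is the form to use."""
    if escape:
        screen_name = escape_filter_value(screen_name)
        group_dn = escape_filter_value(group_dn)
    return (AUTH_FILTER_TEMPLATE
            .replace("@screen_name@", screen_name)
            .replace("@group_dn@", group_dn))


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter: every '(' that does not open
    an &, | or ! component. A correctly rendered AUTH_FILTER_TEMPLATE has exactly
    two; an unescaped injected value adds more. Escaped \\28 is not a '('."""
    return sum(
        1
        for i, ch in enumerate(ldap_filter)
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!"
    )


GROUP_DN = "CN=quad,OU=GROUPS,OU=CORPORATE,DC=corp,DC=dom"

# Constructed login value crafted to neutralise the account-name match.
INJECTED_NAME = "*)(objectClass=*"

# Constructed group DN: the RDN contains parentheses and a comma escaped per
# RFC 4514 as '\,'. Inside a filter the parentheses become \28 \29 and the
# DN's own backslash must be escaped again as \5c.
AWKWARD_GROUP_DN = "CN=Quad (EMEA)\\, Sales,OU=GROUPS,DC=corp,DC=dom"


if __name__ == "__main__":
    for name in ("rtaguchi", INJECTED_NAME):
        naive = render_auth_filter(name, GROUP_DN, escape=False)
        safe = render_auth_filter(name, GROUP_DN)
        print(f"unescaped ({assertion_count(naive)} assertions): {naive}")
        print(f"escaped   ({assertion_count(safe)} assertions): {safe}")
    print("group DN in filter:", escape_filter_value(AWKWARD_GROUP_DN))
```

With the injected name left unescaped the rendered filter is still syntactically valid and still requires group membership, but the sAMAccountName assertion has become a wildcard, so the filter no longer pins the search to the account that is logging in. Whether the product escapes @screen_name@ before substitution is not stated in the thread, so that is worth verifying in a test environment rather than assuming.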
 

Subject: RE: LDAP sync with group filter?
Replied by: ROD TAGUCHI on 06-03-2013 03:14:06 PM
I am doing the group filter with authentication with great results. I'd like to be able to use a group filter ALSO for the LDAP sync agreement, so that users that exist in AD but are not members of the group are not even synced to the Social directory. I can currently use the OU filter and disabled/enabled user status to filter the users synced via the sync agreement. Group membership is preferred.

Any help with that would be greatly appreciated.

Thanks /Rod
