03-13-2012 05:34 AM - edited 03-10-2019 06:54 PM
Hi,
I have several different groups on the ACS (example: finance, sales, marketing). How do I map this to AD? (For example, if I have to put a person under the sales group, then I want to go to AD and add him as a member of sales, and this should dynamically map and reflect on ACS.)
Thanks
03-13-2012 08:06 AM
Anyone? Can I get the ACS to dynamically map by the group on AD?
03-13-2012 08:38 AM
Yes. You can tell ACS to query AD via LDAP.
What version of ACS are you using?
03-13-2012 09:37 AM
4.1 ACS
Sent from my Windows Phone
03-13-2012 12:54 PM
We're using 4.2, so it's probably very similar.
Log into your ACS, click the External User Databases button.
Click the External User Database Configuration link.
Click Windows Database.
Click Configure.
Pretty straightforward from there, but I think we had to do something on the AD server too.
Here's a link to the Cisco page that will guide you.
Ven
03-14-2012 03:40 AM
Thanks for this. I have already done this bit. What I want to do is, if I add a member to the sales group on AD, then I want ACS to create a profile dynamically and map it to the sales group on the ACS server. I know you will need to go into group mapping and select the domain and map it, but I can't remember exactly.
Sent from my Windows Phone
03-15-2012 06:12 AM
Any thoughts on this?
03-19-2012 02:53 PM
Hi,
ACS cannot create the dynamic group automatically.
You will need to go to External User Database > Database Group Mapping > Windows Database > select the domain and map the AD group to ACS.
03-20-2012 04:53 AM
Thanks for this. I meant a dynamic entry on ACS. For example, if I have a user Bill and assign him to the sales group in AD, will ACS automatically create an entry on ACS with the name Bill mapped to the sales team (considering I have done what you have told me to)?
Thanks
Sent from my Windows Phone
03-20-2012 05:55 AM
Yes, your understanding is correct. If the AD group is already mapped with ACS, then as soon as the authentication is done for the user, the dynamic entry will be created automatically.
In order to verify whether the user has been created or not, you can do as follows:
User Setup > List all users, or you can click on the alphabet > you will be able to see that account.
Let me know if you have any further questions.
03-20-2012 07:44 AM
Thanks for this. I have already mapped the user to the group and linked ACS and AD, but the dynamic entry is not created. However, on the ACS I can see there are 3 different domains: /local, /xyz (domain name), and /default. The /local has all users mapped to the default group on ACS. The /xyz is in the correct order, the way I wanted to map. I presume it's not working as ACS goes in order. It first looks at /local and then goes to /xyz. Is this correct? So if I delete the /local, it should work?
But I just want to confirm one thing: I don't have to create an entry for the users manually if it goes well, do I?
Thanks
Sent from my Windows Phone
03-20-2012 08:13 AM
Yup, it should work. We should be concerned about the AD domain, so if the /local is deleted, it shouldn't make any difference.
If the group mapping is done, then you don't have to create a separate entry for the user.
Note: The entry will only be created if the authentication is successful.
03-20-2012 09:46 AM
Thanks, will give this a shot and update you.
Sent from my Windows Phone
09-12-2013 10:23 AM
I would suggest you watch the video below, and I also request that you upgrade your version.