search cancel

LDAP Nested Group Authentication

book

Article ID: 189276

calendar_today

Updated On:

Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Please let us know if DX NetOps supports LDAP nested authentication.
 
For example, we have two groups. Group A and Group B. We are testing membership against Group A. Group B is a member of Group A. Can members of Group B have access to DX NetOps?
 
We are finding they cannot.

Resolution

NetOps Portal LDAP does not care about the hierarchy of groups.

LdapGroups processing does:

1) read the memberOf attribute on the user record provided by LDAP.
2) cycle the entries in LdapGroups XML, and if the entry matches an entry in memberOf, we use that userClone.
3) we don't know anything about the hierarchy of groups in SSO.
4) if you want sub-groups to be included to use the same userClone, you need to add entries to LdapGroups for each subgroup also.  For example:

<LDAPGroups>
<Group searchTag="memberOf" searchString="CN=usr_grp,OU=MyLDAP,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/>
<Group searchTag="memberOf" searchString="CN=pwr_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="power"/>
<Group searchTag="memberOf" searchString="CN=adm_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/>
</LDAPGroups>
Powered by Wolken Software