
LDAP Nested Group Authentication


Article ID: 189276




CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps


Please let us know if DX NetOps supports LDAP nested authentication.
For example, we have two groups, Group A and Group B. We are testing membership against Group A. Group B is a member of Group A. Can members of Group B have access to DX NetOps?
We are finding they cannot.


NetOps Portal LDAP authentication does not take the hierarchy of groups into account.

LdapGroups processing works as follows:

1) It reads the memberOf attribute on the user record provided by LDAP.
2) It cycles through the entries in the LdapGroups XML, and if an entry matches an entry in memberOf, that entry's userClone is used.
3) It knows nothing about the hierarchy of groups in SSO.
4) If you want sub-groups to use the same userClone, you need to add an entry to LdapGroups for each subgroup as well. For example:

<Group searchTag="memberOf" searchString="CN=usr_grp,OU=MyLDAP,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="user"/>
<Group searchTag="memberOf" searchString="CN=pwr_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="power"/>
<Group searchTag="memberOf" searchString="CN=adm_grp,OU=MyLDAPGroups,OU=Accounts,DC=madeUp,DC=com" user="{sAMAccountName}" passwd="" userClone="admin"/>
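
Added example (not code from the product or from this article): a Python model of the flat memberOf match in steps 1-2 and of the step 4 fix, which generates one explicit Group entry per subgroup. The LdapGroups wrapper element, the Group A/Group B DNs, the nesting map, case-insensitive DN comparison and first-match ordering are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

GROUP_A = "CN=GroupA,OU=Accounts,DC=madeUp,DC=com"  # constructed DNs
GROUP_B = "CN=GroupB,OU=Accounts,DC=madeUp,DC=com"

# Constructed config: only Group A is mapped. <LdapGroups> wrapper is assumed.
LDAP_GROUPS_XML = f"""<LdapGroups>
  <Group searchTag="memberOf" searchString="{GROUP_A}"
         user="{{sAMAccountName}}" passwd="" userClone="user"/>
</LdapGroups>"""

NESTED = {GROUP_A: [GROUP_B]}  # constructed directory data: B is a member of A


def resolve_user_clone(root, member_of):
    """Steps 1-2: flat match of Group entries against the user's memberOf values."""
    held = {dn.casefold() for dn in member_of}  # assumption: case-insensitive match
    for group in root.iter("Group"):  # assumption: first match in file order wins
        if group.get("searchString", "").casefold() in held:
            return group.get("userClone")
    return None  # nothing matched, so no userClone is assigned


def add_subgroup_entries(root, nested):
    """Step 4: add one explicit Group entry per subgroup, at every nesting depth."""
    present = {g.get("searchString", "").casefold() for g in root.iter("Group")}
    queue, added = list(root.iter("Group")), []
    while queue:
        parent = queue.pop(0)
        for child_dn in nested.get(parent.get("searchString"), []):
            if child_dn.casefold() in present:  # already mapped, or circular nesting
                continue
            present.add(child_dn.casefold())
            # Copy the parent's attributes so the subgroup gets the same userClone.
            attrs = dict(parent.attrib, searchString=child_dn)
            queue.append(ET.SubElement(root, "Group", attrs))
            added.append(child_dn)
    return added


def demo():
    root = ET.fromstring(LDAP_GROUPS_XML)
    member_of = [GROUP_B]  # the user is a direct member of Group B only
    before = resolve_user_clone(root, member_of)
    added = add_subgroup_entries(root, NESTED)
    return before, added, resolve_user_clone(root, member_of)


if __name__ == "__main__":
    print(demo())
```

Each generated entry gives the parent's userClone to every direct member of that subgroup, so review the list of added DNs before copying entries into the real LdapGroups configuration, particularly for power and admin mappings.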