How to add Active Directory groups (AD groups) via PxPolicy Deep Dive

Article ID: 189955

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

After configuring a PxPolicy to assign Active Directory groups (AD groups), the "Assign Active Directory Group" event fails or does not work correctly.

Errors similar to the following may appear:

LDAP: error code 70 - Unable to set Group Membership Attribute: memberOf Reason: Group-Membership modification error

Failed to execute AddToRelationshipEvent. ERROR MESSAGE: JIAMOperationException:javax.naming.NamingException: [LDAP: error code 80 - :ETA_E_0008

Environment

Release : 14.X
Component : CA Identity Suite (Virtual Appliance)
Component : CA Identity Manager (Standalone Appliance)

Cause

Incorrect configuration of the PxPolicy Action Rule.

Resolution

Following the documentation can be tricky because some important information is not currently included. The most common PxPolicy problem is the declaration of the group itself: in most cases the DN value is configured incorrectly.

Documentation Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-microsoft-exchange-and-microsoft-lync/active-directory-time-bound-membership.html

Use the following steps to build the DN value correctly.

Connect to the IM Provisioning Server with an LDAP browser (Jxplorer).
Copy the DN value of your AD group.
Example: eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

The next step is to convert this DN value into a value accepted by Identity Manager. A few changes are needed.

1) Remove the leading 'eT' and the trailing 'Name' from each attribute name.
Example: eTADSOrgUnitName=Organization becomes ADSOrgUnit=Organization

2) Modify the trailing part of the DN so it matches the expected configuration: ADSDirectory is renamed to EndPoint, and dc=im,dc=eta becomes Domain=im,Server=Server.
Example: eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
Becomes: ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server

Example of completed DN Conversion:
{"memberOf" : "ADSGroup=MyTestGroup,ADSOrgUnit=Organization3,ADSOrgUnit=Organization2,ADSOrgUnit=Organization1,ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server"}
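The conversion rules above, applied by a small script so the resulting DN can be checked before it is pasted into the PxPolicy action rule. This is an added example, not code from the article or from the product; it assumes that Domain takes the value of the first dc component and that Server=Server is a fixed literal, as the article's single example shows.

```python
import json
import re

# Constructed sample input: the provisioning-server DN quoted in the article.
SAMPLE_DN = (
    "eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,"
    "eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,"
    "eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,"
    "eTNamespaceName=ActiveDirectory,dc=im,dc=eta"
)

# Attributes whose rename is not the plain "strip eT / strip Name" rule.
SPECIAL_ATTRS = {"eTADSDirectoryName": "EndPoint"}


def split_rdns(dn):
    """Split a DN on unescaped commas into (attribute, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip(), value))
    return pairs


def convert_dn(provisioning_dn):
    """Convert an eTA provisioning DN into the PxPolicy memberOf form."""
    out, dc_values = [], []
    for attr, value in split_rdns(provisioning_dn):
        if attr.lower() == "dc":
            dc_values.append(value)          # handled as a unit below
        elif attr in SPECIAL_ATTRS:
            out.append("%s=%s" % (SPECIAL_ATTRS[attr], value))
        elif attr.startswith("eT") and attr.endswith("Name"):
            out.append("%s=%s" % (attr[2:-4], value))  # eTADSOrgUnitName -> ADSOrgUnit
        else:
            raise ValueError("unexpected attribute: %r" % attr)
    if not dc_values:
        raise ValueError("DN has no dc components")
    # Assumption: Domain takes the first dc value; Server=Server is a literal.
    out.append("Domain=%s" % dc_values[0])
    out.append("Server=Server")
    return ",".join(out)


def member_of_action(provisioning_dn):
    """Build the JSON action value the article shows for the rule."""
    return json.dumps({"memberOf": convert_dn(provisioning_dn)})
```

Running member_of_action(SAMPLE_DN) yields the completed DN conversion shown above; a malformed RDN or a DN without dc components raises ValueError instead of producing a value that the event would later reject.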

See Action Item Example Below: