Use SpanVA to Sync the users of a specific Active Directory Group


Article ID: 268954


Products

CASB Gateway, CASB Gateway Advanced, CASB Advanced Threat Protection, CASB Security Premium, CASB Security Standard

Issue/Introduction

The use case is for SpanVA to sync only the users who are members of a specific Active Directory group (or groups), along with those AD groups themselves.

Environment

Gatelet with Active Directory Sync enabled via SpanVA.

Resolution

Modify the search strings of the SpanVA profile so that they match only the required groups and users.


0- LDAP search syntax refresher:

An LDAP OR condition is written with a pipe: for example, Condition1 OR Condition2 is written (|(Condition1)(Condition2))

An LDAP AND condition is written with an ampersand: for example, Condition1 AND Condition2 is written (&(Condition1)(Condition2))


1- Base DN:

Choose the base DN closest to the required AD groups, so the search covers as little of the directory as possible.


2- AD Group(s)

LDAP Group Search string:

(&(objectCategory=group)(objectClass=group)(|(cn=GROUP01)(cn=GROUP02)))

which logically means (or can be read as):

[ (The objectCategory equals 'group') AND (The objectClass equals 'group') AND ( (group name is GROUP01) OR (group name is GROUP02) ) ]


3- Users of the AD Group(s)

LDAP Users Search String:

(&(objectCategory=person)(objectClass=user)(|(memberOf=CN=GROUP01,CN=Users,DC=Example,DC=com)(memberOf=CN=GROUP02,CN=Users,DC=Example,DC=com)))

which can be read as:

[ (The objectCategory equals 'person') AND (The objectClass equals 'user') AND ( (the user is a member of GROUP01) OR (the user is a member of GROUP02) ) ]


Note: The above condition only returns users who are directly assigned to the group. If the group contains nested groups, the members of those nested groups will not be included. To include them, use a recursive (transitive) search. This is not part of the LDAP standard, but some directories support it, including Microsoft Active Directory through the matching-rule-in-chain OID 1.2.840.113556.1.4.1941 (please verify with your AD Admin team). If it is supported, the recursive search format would be something like:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP01,CN=Users,DC=Example,DC=com))
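The following is an added example, not code from the article or from the SpanVA product: a small evaluator for the LDAP filter subset used in steps 0 to 3 and in the note above, run against a constructed directory (the entries, group names and computer account are invented) so that the effect of each search string, the base DN, and the difference between direct and chained membership can be checked offline before the strings are pasted into a SpanVA profile. Only `&`, `|`, `attr=value` and the AD matching-rule-in-chain OID are implemented.

```python
"""Added example (not part of the SpanVA article): evaluate the article's LDAP
filters against a constructed directory. Only '&', '|', 'attr=value' and the AD
matching-rule-in-chain OID are supported; all entries below are invented."""

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN (transitive)
USERS = "CN=Users,DC=Example,DC=com"


def group(cn, member_of=()):
    return {"objectCategory": ["group"], "objectClass": ["top", "group"],
            "cn": [cn], "memberOf": list(member_of)}


def person(cn, member_of=()):
    return {"objectCategory": ["person"], "cn": [cn], "memberOf": list(member_of),
            "objectClass": ["top", "person", "organizationalPerson", "user"]}


# Constructed directory (DN -> attributes). objectCategory is kept in the short
# form that AD accepts in filters. PRINTSRV is a computer account: it carries
# objectClass=user but objectCategory=computer, which is why the article's user
# filter pairs objectClass=user with objectCategory=person.
DIRECTORY = {
    f"CN=GROUP01,{USERS}": group("GROUP01"),
    f"CN=GROUP02,{USERS}": group("GROUP02"),
    f"CN=OTHER,{USERS}": group("OTHER"),
    f"CN=NESTED,{USERS}": group("NESTED", [f"CN=GROUP01,{USERS}"]),  # nested in GROUP01
    f"CN=alice,{USERS}": person("alice", [f"CN=GROUP01,{USERS}"]),
    f"CN=bob,{USERS}": person("bob", [f"CN=GROUP02,{USERS}"]),
    f"CN=carol,{USERS}": person("carol", [f"CN=NESTED,{USERS}"]),  # member only via nesting
    f"CN=dave,{USERS}": person("dave", [f"CN=OTHER,{USERS}"]),
    "CN=PRINTSRV,CN=Computers,DC=Example,DC=com": {
        "objectCategory": ["computer"], "cn": ["PRINTSRV"],
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "memberOf": [f"CN=GROUP01,{USERS}"]},
}


def parse_filter(text):
    """Parse an RFC 4515-style filter into a tree; raise ValueError if malformed."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text after filter at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unclosed '({op}' at offset {i}")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError(f"malformed simple filter at offset {i}")
    attr, value = s[i:j].split("=", 1)  # the first '=' separates attr from value
    rule = None
    if attr.endswith(":"):  # extensible match: attr:rule:=value
        attr, rule = attr[:-1].split(":", 1)
    return ("=", attr, rule, value), j + 1


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _transitive(entry, attr, directory):
    """Follow attr (e.g. memberOf) through the referenced entries, as the chain rule does."""
    seen, queue = set(), [v.lower() for v in _values(entry, attr)]
    while queue:
        dn = queue.pop()
        if dn not in seen:
            seen.add(dn)
            for key, target in directory.items():
                if key.lower() == dn:
                    queue.extend(v.lower() for v in _values(target, attr))
    return seen


def matches(node, entry, directory):
    if node[0] == "&":
        return all(matches(k, entry, directory) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry, directory) for k in node[1])
    _, attr, rule, value = node
    if rule == IN_CHAIN:
        return value.lower() in _transitive(entry, attr, directory)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return value.lower() in (v.lower() for v in _values(entry, attr))


def search(filter_text, base_dn="DC=Example,DC=com", directory=DIRECTORY):
    """Return the CNs of entries under base_dn that satisfy the filter."""
    tree = parse_filter(filter_text)
    hits = (e["cn"][0] for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(tree, e, directory))
    return sorted(hits, key=str.lower)


GROUP_FILTER = "(&(objectCategory=group)(objectClass=group)(|(cn=GROUP01)(cn=GROUP02)))"
USER_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               f"(|(memberOf=CN=GROUP01,{USERS})(memberOf=CN=GROUP02,{USERS})))")
CHAIN_FILTER = f"(&(objectClass=user)(memberOf:{IN_CHAIN}:=CN=GROUP01,{USERS}))"
NARROW_CHAIN_FILTER = f"(&(objectCategory=person){CHAIN_FILTER[2:]}"

if __name__ == "__main__":
    print("groups       :", search(GROUP_FILTER))          # GROUP01, GROUP02
    print("direct users :", search(USER_FILTER))           # alice, bob (carol is missed)
    print("chained      :", search(CHAIN_FILTER))          # alice, carol, PRINTSRV
    print("chained+cat  :", search(NARROW_CHAIN_FILTER))   # alice, carol
    print("chained, base:", search(CHAIN_FILTER, base_dn=USERS))  # alice, carol
```

Running it shows the behaviours the article describes: the direct `memberOf` filter returns alice and bob but not carol, who is only a member through the nested group; the chained filter picks carol up. It also shows two things worth checking in a real profile: the article's chained filter omits `(objectCategory=person)`, so a computer account that is a group member (PRINTSRV here) comes back as a "user", and a tighter base DN (step 1) limits the result just as well as a tighter filter.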