Variance in User attributes from EEM when switching from ldap port 389 to 3268 for Active Directory
search cancel

Variance in User attributes from EEM when switching from ldap port 389 to 3268 for Active Directory

book

Article ID: 49320

calendar_today

Updated On:

Products

CA Directory CA IT Asset Manager CA Software Asset Manager (CA SAM) ASSET PORTFOLIO MGMT- SERVER CA Service Management - Service Desk Manager CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent CA Process Automation Base

Issue/Introduction

Customers working with EEM and connecting to an external ldap such as Active Directory may see a difference in user attributes available when switching from the normal ldap port 389 to the Global Catalog port 3268. In fact some user attributes are not being listed at the GC port level at all. Below are the steps to resolve this problem.

Environment

Release:
Component: ETEIAM

Resolution

Pre-requisites:

  • You will need access to the Global Catalog Domain Controller as this problem is coming from the ldap source.
  • You will need Administrative access to make changes to group memberships if necessary.
  • You will need access to the EEM webUI and EiamAdmin level privileges.

Symptoms:

  • The screenshot below is showing details for a user in Active Directory via the Manage Identities window in EEM when connected to the local DC port 389:

  • Notice that the attributes Address, Postal Code, Country, and Department are visible. Here is the same user when connecting to the same Domain Controller via port 3268:



  • Notice above now when connecting to this port, the fields Department, Address, Postal Code, and Country are no longer visible attributes.
  • This is due to the fact that these attributes are considered a set of partially visible attributes that are not indexed nor replicated to the Global Catalog. This would make creating Dynamic Group Policies in EEM impossible if searches are based on these partially visible attributes.
  • listed. Then save the mapping with a new name.
  • Connect to the domain controller as a user that is a member of the Schema Admins group in Active Directory. This is crucial.
  • Open Microsoft Management Console as administrator from the Run command in the start menu: mmc /a
  • Select Add/Remove Snap in from the File menu.
  • Locate and add Active Directory Schema

  • Click OK. Expand the Snap in for the Domain controller and click on Attributes in the tree view.
  • Locate the Attributes you wish to use in the list. Below is the Street Address example. Double-Click on this attribute and select "Index this attribute" and "Replicate this attribute to the Global Catalog".

  • Note: If you receive an access permission error, check to make sure you are a member of the Schema Admins group, you have run the Console as administrator, and if necessary log off/on to the DC again. If necessary, disable UAC on the system for the time being.
  • Note: If there is an attribute you have listed as indexed and available, and it is still not being shown in EEM, then check to see that the out of the box AD mapping lists this attribute for user filters. If not, you will need to make a new mapping and designate this attribute in addition to the ones that are listed. Then save the mapping with a new name.

 

Powered by Wolken Software