
Adding User to Active Directory Groups Based on Privileges

Former Member
0 Kudos

Hello All,

I am using Netweaver IDM 7.2 and attempting to provision user accounts and group membership to Active Directory. I am using the SAP Provisioning Framework task 'ProvisionADSUser'. Underneath this is the 'ProvisionADSUserToSystem' task, which ultimately runs the CreateADSUser pass. I have the top-level task linked as a provisioning task to a privilege I have created in the SAP_Master identity store. The privilege is called 'PRIV:GROUP:AD_Repository:Group_Name '.

When I assign the privilege to a user in the UI, an AD account is provisioned and everything works as expected. The problem is, I also want the user added to the group in AD that corresponds to the privilege. Judging from everything I've read, the proper way to do this is to add the 'ProvisionADSGroupAssignment' task underneath the 'ProvisionADSUser' task. I have done this. When I then assign a privilege to the user in the UI, the pass 'AssignUserToADSGroup' ultimately runs, but the user is not added to the group. This is the error I get in the job log:

15.12.2011 11:20:46 :I:Pending Object MSKEY: not-existing-mskey

15.12.2011 11:20:46 :I:PrivilegeMSKEY : !ERROR:No such attribute

15.12.2011 11:20:46 :I:GroupDN:!ERROR:Entry does not exist

15.12.2011 11:20:46 :I:Account attribute value: cn=NEIL.FERGUSO,dc=kiewittest,dc=com

15.12.2011 11:20:46 :E:Failed storing !ERROR:Entry does not exist

15.12.2011 11:20:46 :E:Exception from Mod operation:ToDSADirect.modEntry !ERROR:Entry does not exist failed with NamingException. (LDAP error: The distinguished name has an invalid syntax)

Explanation: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:

'!ERROR:Entry does not exist'

]

Remaining name: !ERROR:Entry does not exist

Resolved name:

javax.naming.InvalidNameException: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:

'!ERROR:Entry does not exist'

]; remaining name '!ERROR:Entry does not exist'

If my setup is correct, I believe the problem is that the user's MSKEYVALUE is what is being given to the 'ProvisionADSGroupAssignment' task. It appears the script that ultimately runs is looking for the MSKEY of the privilege. So my questions are:

1. Is my task hierarchy set up correctly?

2. If so or if not, how do I get the ADS group task to add the user to an AD group based on the privilege that was just assigned?

I have searched the forum and found this thread: It appears very similar to my problem, but not the same. The scripts that he references are not available in my global scripts. I'm assuming that's because he was using a version of IDM older than 7.2.

Thanks in advance for any help you can provide in helping me solve this problem. I'm going on my 2nd full day of banging my head against the wall with this one.

Accepted Solutions (0)

Answers (5)


Former Member
0 Kudos

I thought I would update this question, just in case someone else is experiencing similar issues. The fix turned out to be that we needed to execute a function to store the MSKEY for the privilege in a context variable. We then later run another function to get the mskey from the context variable and use that to add the user to the group.

Walking through all the steps in this tutorial will give you a good idea what needs to be done:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f09552b2-f514-2e10-bb83-ee81cbbbb...

Former Member
0 Kudos

I thought I had this figured out, but I don't. This was only working if I hard-coded the mskey for the privilege into the pass.

The way I currently have things set up is there is a repository constant MX_PROVISIONTASK that is set to my CreateADSUser task. Whenever I assign a privilege to a user, the MX_PROVISIONTASK kicks off as expected and the user is provisioned in AD. Now my question is how do I add that user to the AD group that corresponds to the privilege? From where should I call the AssignUserToADSGroup task so that the mskey of the privilege is sent rather than the mskey of the user? Every way I've tried to do it so far sends the MSKEY of the user to the AssignUserToADSGroup task and the task fails (that is, unless I hard-code the mskey of the privilege into the script or pass).

Can someone please point me to some documentation that shows the proper/recommended way to set up AD User/Group Provisioning? I'm finding bits and pieces of information all over and trying to piece things together.

Former Member
0 Kudos

The problem was with how I had the tasks set up. I had an ordered task group that first created the AD user and then added the user to the group. This task was set as an Assignment Add Task on the specific privilege. This didn't work since it was trying to pass the user account mskey to the assign user membership task. I found that I could provision my AD user accounts a different way and then set the add task to only perform the assign user membership task. After I did this everything works as expected.

Thanks for the help.

Former Member
0 Kudos

Thank you very much for the reply. I agree that the problem is the wrong value is being passed. My question is, how do I configure this to send the privilege to the AssignUserToADSGroup pass?

Below is what is in the destination tab of assignUserToADSGroup pass:

dn $FUNCTION.sap_core_getGroupACCOUNTFromPrivilege(%MSKEY%)$$

changetype modify

member $FUNCTION.sap_core_checkAccountAttributeValueExists(%ACCOUNT%$rep.$NAME%%)$$

I know I could hardcode the value of my privilege in the first line rather than using %MSKEY%. But this would mean I would have to create a separate task for every single privilege that we have. That doesn't seem like it would be the best way. I want to make it work such that I only have a single ProvisionADSGroupAssignment that is linked as a provisioning task to all of the privileges. Then whenever a user is assigned that privilege it kicks off the task to add the user to the corresponding AD group. I will admit that I'm fairly new to IDM. This is just what I am envisioning after the class I've taken and all the research I've done. If there is a better way to provision users/privileges/groups I would love to hear it.

Thanks again for your time.

former_member2987
Active Contributor
0 Kudos

Courtney,

Looking at your log snippet, it seems you're passing the wrong value. It's reporting that you're trying to pass a user when a group name is expected (they are members of different object classes, which leads to the LDAP 34 since the memberof attribute is not part of the user objectclass).

Make sure you're passing the group name like so <PRIV:GROUP:AD_Repository:Group_Name> in the 'ProvisionADSGroupAssignment' task. By encasing the name in <> IDM will look up the MSKEY for you based on that MSKEYVALUE.

You'll need to make sure that you're reconciling the names of the groups into privileges first as well.

This should help get you started!

Keep us posted

Matt
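The failing pass in the thread substituted the literal string '!ERROR:Entry does not exist' into the dn line, and the directory rejected it with LDAP error 34 (invalid DN syntax). The example below is added here and is not code from the thread or from SAP IDM: it shows, in plain JavaScript, the pre-flight check a group-assignment step should perform before issuing the modify, and the privilege-name convention Matt describes (PRIV:GROUP:<repository>:<group>) used to look up the group DN. The lookup table, group DN and account DN are constructed sample values; a real pass would obtain the group DN from the privilege's MSKEY in the identity store.

```javascript
"use strict";

// Constructed stand-in for the identity-store lookup of privilege -> AD group DN.
const PRIVILEGE_TO_GROUP = {
  "PRIV:GROUP:AD_Repository:Group_Name": "cn=Group_Name,ou=groups,dc=example,dc=com",
};

// Split a DN into its RDN strings, honouring backslash escapes so that an
// escaped comma inside a value ("cn=Doe\, John") does not split the RDN.
function splitDn(dn) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) { cur += ch + dn[i + 1]; i++; continue; }
    if (ch === ",") { parts.push(cur); cur = ""; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Attribute types are descriptors (cn, ou, dc) or numeric OIDs.
const ATTR_TYPE = /^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$/;

// Fail closed: an unresolved IDM function result ("!ERROR:...") or any RDN
// without a well-formed "type=value" means the DN must never reach the directory.
function validateDn(dn) {
  if (typeof dn !== "string" || dn.trim() === "") return { ok: false, reason: "empty DN" };
  if (dn.indexOf("!ERROR:") !== -1) return { ok: false, reason: "unresolved function result: " + dn };
  const rdns = splitDn(dn);
  for (const rdn of rdns) {
    const eq = rdn.indexOf("=");
    if (eq <= 0) return { ok: false, reason: "RDN without attribute type: " + rdn };
    const type = rdn.slice(0, eq).trim();
    const value = rdn.slice(eq + 1).trim();
    if (!ATTR_TYPE.test(type)) return { ok: false, reason: "bad attribute type: " + type };
    if (value === "") return { ok: false, reason: "empty value in RDN: " + rdn };
  }
  return { ok: true, rdns: rdns.map((r) => r.trim()) };
}

// Privilege naming convention from the thread: PRIV:GROUP:<repository>:<group>.
// A trailing space (as in the question's privilege name) is tolerated.
function parsePrivilegeName(name) {
  const m = /^PRIV:GROUP:([^:]+):(.+)$/.exec(String(name).trim());
  if (!m) return null;
  return { repository: m[1], group: m[2].trim() };
}

// Build the LDIF change for adding the account to the privilege's group, or
// explain why it must not be sent. The target of the modify is the group
// entry; the account DN is only ever a value of the group's member attribute.
function buildGroupAssignment(privilegeName, accountDn, lookup) {
  const priv = parsePrivilegeName(privilegeName);
  if (!priv) return { ok: false, reason: "not a PRIV:GROUP privilege: " + privilegeName };
  const groupDn = lookup[String(privilegeName).trim()];
  if (groupDn === undefined) return { ok: false, reason: "no group DN mapped for " + privilegeName };
  const g = validateDn(groupDn);
  if (!g.ok) return { ok: false, reason: "group DN: " + g.reason };
  const a = validateDn(accountDn);
  if (!a.ok) return { ok: false, reason: "member DN: " + a.reason };
  const ldif = [
    "dn: " + groupDn,
    "changetype: modify",
    "add: member",
    "member: " + accountDn,
    "-",
  ].join("\n");
  return { ok: true, repository: priv.repository, group: priv.group, ldif: ldif };
}

// Demo: the constructed account DN is a sample value, not one from the thread.
const demo = buildGroupAssignment(
  "PRIV:GROUP:AD_Repository:Group_Name ",
  "cn=jdoe,ou=users,dc=example,dc=com",
  PRIVILEGE_TO_GROUP
);
console.log(demo.ok ? demo.ldif : "rejected: " + demo.reason);
```

Running the check against the thread's own failure mode (a lookup that yields '!ERROR:Entry does not exist' as the group DN) returns a rejection naming the unresolved function result, instead of letting the directory report a bare BAD_NAME; that message is what you want in the job log, because it points at the wrong MSKEY being handed to the pass rather than at LDAP syntax.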