
Linking users from an AD to groups in another one

clotilde_martinez
Participant

Hi,

I am using IDM 7.2 SP9 and we are trying to connect it to an Active Directory.

The problem is the following:

- I have an AD "CORP" containing all users; their DN is something like DC=CORP,DC=COM,CN=PERSONAL,CN=CEF6756 (I only need to manage one branch of users)

- I have a new AD "CLIENT", where the users will be migrated in a few months and where for now IDM will be managing groups; their DN is something like OU=CLIENT,DC=XX,DC=LOCAL

- Those two ADs are linked through a "trusted relationship" with Kerberos

- Both ADs are in the same domain

- The technical user has read-only rights on "CORP" and RW rights on groups in "CLIENT"

- I don't have any "ROOT" address that could be used to address both systems

I first tried to connect IDM to the AD in the standard way, with a repository connected to "CLIENT". I do an addmember on a group, filling in the user DN, but I get an error saying that it cannot find the user.

I tried the other way, connecting the AD "CORP" to IDM; it didn't work either.

I then tried to configure the VDS to have a "fake" root that could be used to address both systems, but I still get the same error.

Has someone already done this configuration, and did you manage to do it using the standard frameworks, or did you have to develop something else?

Thanks a lot and best regards,

Clotilde

Accepted Solutions (1)

clotilde_martinez
Participant

Hi Matt and Jay,

@Jay: I tried without any scripts, just "hardcoding" the path, and it didn't work. I tried changing only the description of the group, so I know IDM finds it.

@Matt: I do have a multi-search operation defined; how should I use it?

Another useful piece of information: I learnt that some other people had the same trouble with another IAM product; here is what they explained to me:

"The Active Directory uses a pseudo-object as a stub for references to security objects in other domains.

These security object stubs are stored in a specific container within AD called ForeignSecurityPrincipals.
It is this stub object which is used to link in and out of groups. The link to the original security object is stored by means of the Security Identifier (SID) value of that object. The SID value is a combined value which contains a type identifier, a domain identifier and a unique identifier within that domain.

By using this SID as the identifier of an account, it is possible to add accounts to/remove accounts from AD groups in a uniform manner, independent of the account that is being modified (normal account or ForeignSecurityPrincipal). This is achieved by adding/removing a "member" value "<SID=[[SID-VALUE]]>" to/from the group. In case the ForeignSecurityPrincipal stub object for the account in the trusted domain doesn't exist yet, AD will create this stub object, regardless of the account used by ITIM having only read rights."

Do you know whether the standard IDM connector is able to handle users using this SID and not the complete DN? Have you ever heard about the ForeignSecurityPrincipals container?

Thanks

Clotilde

clotilde_martinez
Participant

Hi again,

So, we found out how to link a user to a group using the SID; the syntax to use in a toLDAP pass is + member <SID=xxxx>

Now we have found another problem:

We need the SID, which is a binary attribute in the Active Directory, and it seems that the fromLDAP pass doesn't manage to read it correctly, as what I find in my temporary table for the attribute objectSID is "|".

I tried all the available attribute types, and in the Destination tab, Source column, I also tried adding ;binary after my attribute name, with no success.

Do you know whether it is possible to retrieve a binary attribute in a fromLDAP pass, or do I necessarily have to go another way (PowerShell, for instance)? And if it is possible, do you have the correct syntax?

Thanks a lot,

Clotilde

UPDATE: to retrieve a binary attribute, prefix it with "!" in the Source column.

Message was edited by: Clotilde Martinez

Answers (2)

former_member2987
Active Contributor

Clotilde,

You might want to try a multi-search join in VDS to have the two AD containers joined together so that they look like one source.

Matt

jaisuryan
Active Contributor

Hi Clotilde,

I would check a few things in this scenario:

1. The user you are trying to assign access to has the ACCOUNTCLIENT attribute set to his/her DN.

2. In the "AssignUserToADSGroup" job, check that the Destination tab has the attribute 'dn' with the value '$FUNCTION.sap_core_getGroupACCOUNTFromPrivilege(%MSKEY%)$$'

3. And 'member' with the value '$FUNCTION.sap_core_checkAccountAttributeValueExists(%ACCOUNT%$rep.$NAME%%)$$'

Kind regards,

Jaisuryan