GRC 10.1 - Active Directory Groups Provisioning Issue

0 Kudos

Hi experts!

I'm working in GRC 10.1 AC SP07, and I'm trying to configure provisioning for AD groups. I have created a group in BRM, and I'm able to make the request; however, when this request is approved, provisioning fails.

In SLG1 I get the following message, and the audit log for the request says: "Auto provisoning failed; Applied Escape route"

MSADCLNT000 is the LDAP connector and "APP_NEX_Operacion" is the AD group.

Any idea what the problem could be?

I think the problem could be USER PATH and GROUP PATH; I don't know exactly how to configure this point because users belong to a certain OU in AD, and groups belong to another OU.

Note I'm using the LDAP connector as a Data Source until now, and it works fine.

Thanks a lot!

Emiliano

Accepted Solutions (0)

Answers (2)

former_member682099
Discoverer
0 Kudos

LDAP group provisioning is configured in SPRO "Assign Group Parameter Mapping" under "Maintain mapping for Actions and Connector groups". There, map the 'GROUPMEMBER' AC field to the 'uniquemember' parameter value; that will solve the problem.

0 Kudos

Hello,

No solution to that problem? I have the same issue.

My search path is: "CN=XXXX-ALL-SysGroup,OU=ouDistribution,OU=ouGroups,DC=XXXXt,DC=XXXX"

Thanks if someone can help,

Pierre

0 Kudos

Hi Pierre!

In my case, I have two OUs, one for AD Groups and another for Users; you can map these under SPRO >> Governance, Risk and Compliance >> Access Control >> Maintain Connector Setting; there you select your LDAP Connector and then "Assign attributes to the connector". The attribute names are "GROUP PATH" and "USER PATH".

I hope this helps you.

Regards

Emiliano

former_member193066
Active Contributor
0 Kudos

Hello,

Please make sure that in your LDAP attribute mapping you map all the required objectClasses that exist in the target LDAP server to the group parameter User:OC. This is a sample LDAP group parameter mapping for action type 4:

User:OC top

User:OC person

User:OC user

User:OC organizationalPerson

User:OC inetOrgPerson


Also, the default password for the LDAP user is hardcoded to Password1!, but in case the customer wants to change it, please add an attribute Password and provide a value that matches the password policy of your LDAP server.

Ex. in group field mapping:

PASSWORD Password123!


Ex. of group field mappings:

PASSWORD Password1!

USERID CN

FIRSTNAME SN

LASTNAME givenName

EMAIL mail

COMPANY COMPANY


Please make sure you map CN to the userID field, as that is used to construct the DN for the provisioned user.


Regards,

Prasant
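
The replies above name the pieces involved in group provisioning: USER PATH and GROUP PATH pointing at separate OUs, CN used to construct the user's DN, and a member attribute on the group entry. The following is an added example, not SAP's or any poster's code, that composes both DNs with RFC 4514 escaping and produces the LDIF change to compare against what the directory expects. It assumes DNs of the form CN=<value>,<path>; the OU/DC values and the user name are constructed, and only the group name and 'uniquemember' come from the thread.

```python
import base64

# RFC 4514 section 2.4: characters that must be backslash-escaped in an RDN value.
SPECIAL = set('",+;<>\\')

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (e.g. a CN) for safe use inside a DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_dn(cn: str, path: str) -> str:
    """Return CN=<escaped cn>,<path>; path plays the role of USER PATH / GROUP PATH."""
    path = path.strip().strip(",")
    if "=" not in path:
        raise ValueError(f"path is not a DN suffix: {path!r}")
    return f"CN={escape_rdn_value(cn)},{path}"

def ldif_line(attr: str, value: str) -> str:
    """Plain 'attr: value' for a printable-ASCII DN, base64 'attr:: ...' otherwise."""
    if value.isascii() and value.isprintable():
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def membership_ldif(user_cn, user_path, group_cn, group_path, member_attr):
    """LDIF modify record that adds the user's DN to the group entry."""
    return "\n".join([
        ldif_line("dn", build_dn(group_cn, group_path)),
        "changetype: modify",
        f"add: {member_attr}",
        ldif_line(member_attr, build_dn(user_cn, user_path)),
        "-",
    ]) + "\n"

if __name__ == "__main__":
    # Constructed sample values; only the group name and 'uniquemember' come from the thread.
    print(membership_ldif("Doe, Jane", "OU=Users,DC=example,DC=com",
                          "APP_NEX_Operacion", "OU=Groups,DC=example,DC=com",
                          "uniquemember"))
```

A user path that points at the group OU, or a CN containing an unescaped comma, shows up here as a DN that does not match any entry in the directory.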