3 Replies Latest reply on Mar 31, 2014 7:52 AM by CRB

    Importing users using nested groups

    blwallace Apprentice

I am new to Service Desk.  We are setting up our lab and I'm having a problem with importing analysts.  Our Active Directory implementation uses nested groups to identify users.  We have defined user roles in our AD (user roles are groups).  A user can be a member of only one role.  Multiple users can share the same role.  User roles are then members of an application role (application roles are groups).  An application role may be email, or file services, etc.  An application role may contain multiple user roles.  No user is directly a member of an application role - only a user role can be a member of an application role.


I'm trying to create a connector, either Active Directory or LDAP, that will pull in analysts using this type of nested grouping.  However, I'm not understanding the best way to import users which are members of a nested group hierarchy.  Hopefully someone can point the way.


      My current effort is using an AD connector as outlined here http://community.landesk.com/support/docs/DOC-4369


      My current analyst is:

      cn=bart,ou=users,ou=groups,ou=lab,dc=company,dc=us


      My user role (group) is:

      cn=uit_administrator,ou=Information_Technology,ou=UserRoles,ou=groups,ou=lab,dc=company,dc=us


      My user role is a member of application role (group):

      cn=app_hd_analyst,ou=ApplicationRoles,ou=groups,ou=lab,dc=company,dc=us


      I've set my AD connector type, hdAnalyst, with a custom LDAP filter of:

      (memberof=cn=app_hd_analyst,ou=ApplicationRoles,ou=groups,ou=lab,dc=msrslab,dc=us)

      When I run a query to test, I get nothing in return. 


      I reconfigure my hdAnalyst connector with this LDAP filter:

      (memberof=cn=uit_administrator,ou=Information_Technology,ou=UserRoles,ou=groups,ou=lab,dc=msrslab,dc=us)

When I run a query to test, I get a current list of members of this group.


      I run an ldapsearch command from my Linux workstation to test my filter:

      ldapsearch -x -h 192.168.x.x -p 389 -D "msrslab\ldapsu" -W -b "ou=lab,dc=company,dc=us" -s sub "(cn=app_hd_analyst)"

      and this search returns current group members of which my uit_administrator role is listed.


      Running a similar ldapsearch command from my Linux workstation to test membership of uit_administrator:

      ldapsearch -x -h 192.168.x.x -p 389 -D "msrslab\ldapsu" -W -b "ou=lab,dc=company,dc=us" -s sub "(cn=uit_administrator)" member

      and this search returns current members of my uit_administrator group, which are user objects, namely my list of analysts.


Notice my LDAP filter of my connector hdAnalyst uses "memberOf" and not "member".  There doesn't appear to be a "member" attribute available within the AD connector.  Notice also that LDAP does have "member" available.  So it looks like LDAP may be a better connector to use.


I set out to make an LDAP connector type, but am getting stuck on the filter syntax.  Even though my LDAP connector tests successfully, I'm getting "Unable to read the tree structure using the current login details" when I try and browse the directory.  I don't know why.  Even if I get my LDAP connector syntax to work, I still don't know how I'm going to get nested groups to work.


I know this is long-winded, but I wanted to give as much info as I have.  Hopefully someone can tell me how to use nested groups to import my analysts (my main users are also held within nested groups) into Service Desk.


      Thanks,


      Bart
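As an added example (not part of the original post and not Service Desk connector code), the following Python resolves transitive membership of the app_hd_analyst group offline from a constructed snapshot of each group's "member" attribute, using the DNs from the post; the uit_operator role, the user lisa and the deliberate group cycle are constructed assumptions. On a real Active Directory server the same transitive answer can be requested in one query with the LDAP_MATCHING_RULE_IN_CHAIN extended match, `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, which is what an import connector would normally use instead of walking the tree client-side.

```python
# Added example: client-side expansion of nested AD group membership.
# A connector that only sees direct "member"/"memberOf" links must walk the
# chain itself; this shows the walk, with a cycle guard because AD permits
# groups that (indirectly) contain themselves.
from typing import Dict, List, Set

BASE = "ou=groups,ou=lab,dc=company,dc=us"
APP_ROLE = f"cn=app_hd_analyst,ou=ApplicationRoles,{BASE}"
USER_ROLE = f"cn=uit_administrator,ou=Information_Technology,ou=UserRoles,{BASE}"
USER_ROLE2 = f"cn=uit_operator,ou=Information_Technology,ou=UserRoles,{BASE}"  # constructed
BART = "cn=bart,ou=users,ou=groups,ou=lab,dc=company,dc=us"
LISA = "cn=lisa,ou=users,ou=groups,ou=lab,dc=company,dc=us"  # constructed

# Constructed directory snapshot: group DN -> values of its "member" attribute.
# Only groups carry "member"; user entries are leaves. USER_ROLE2 -> APP_ROLE
# is a deliberate cycle to show the resolver terminates.
GROUP_MEMBERS: Dict[str, List[str]] = {
    APP_ROLE: [USER_ROLE, USER_ROLE2],
    USER_ROLE: [BART],
    USER_ROLE2: [LISA, APP_ROLE],
}


def transitive_members(group_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Return every non-group DN reachable from group_dn through nesting.

    Groups are expanded depth-first; the visited set prevents infinite loops
    on cyclic membership. DN comparison is done on lower-cased strings
    because AD treats DNs case-insensitively.
    """
    norm = {dn.lower(): [m.lower() for m in members] for dn, members in groups.items()}
    seen_groups: Set[str] = set()
    users: Set[str] = set()
    stack = [group_dn.lower()]
    while stack:
        dn = stack.pop()
        if dn in seen_groups:
            continue
        seen_groups.add(dn)
        for member in norm.get(dn, []):
            if member in norm:      # nested group: expand it
                stack.append(member)
            else:                   # leaf entry: a user object
                users.add(member)
    return users


if __name__ == "__main__":
    for dn in sorted(transitive_members(APP_ROLE, GROUP_MEMBERS)):
        print(dn)
```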