Solved

Microsoft Active Directory LDAP Attributes

Posted on 2013-12-02
5
682 Views
Last Modified: 2014-01-12
I am working on integrating an application called GE Centricity Business with my Microsoft Windows 2008 Active Directory. I got most of it working except for a conditional statement. Here's what part of the config file looks like. I have underlined the parts that are not working.

Basically it's the part that has the "memberof" statement. If I remove the conditional "memberof" statement, then it works just fine (i.e. I can authenticate to Active Directory and I'm able to log in to the application).

I'm thinking it has something to do with the attribute map I'm using.

      <AttributeMap>
            <UserID>sAMAccountName</UserID>
            <LastName>sn</LastName>
            <FirstName>givenName</FirstName>
            <memberOf>memberOf</memberOf>
            <Email>email</Email>
      </AttributeMap>
      <AttributeOverride>
            <Password></Password>
      </AttributeOverride>
      <AttributeDefault>
            <Condition memberOf="cn=CBScheduling,ou=CB,dc=test,dc=com">
                 <IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>
            </Condition>
            <Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
            <IDXWF_DefaultSystemID>DCIP_TEST</IDXWF_DefaultSystemID>
      </AttributeDefault>
      <SearchBase>dc=test,dc=com</SearchBase>
      <Filter></Filter>
      <AuthErrorMap>
            <Message contains="data 52e,">(LDAP) Invalid password</Message>
            <Message contains="data 533,">(LDAP2) Account disabled</Message>
            <Message contains="data 773,">(LDAP) Password expired</Message>
      </AuthErrorMap>
      <UserNotFoundMessage>(LDAP) Incorrect username and/or password</UserNotFoundMessage>
      <NoPermissionMessage>(LDAP) You do not have access to this application</NoPermissionMessage>
      <PostAuthCheck>
            <Prevent accountDisabled="true">(LDAP3) Account disabled</Prevent>
      </PostAuthCheck>
Question by: Florescu

5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39691149
Did you try placing the quotes before memberof

 <Condition "memberOf=cn=CBAdmins,ou=CB,dc=test,dc=com">

Thanks

Mike
0
 

Author Comment

by:Florescu
ID: 39691179
That didn't work.  I also tried single quotes and no quotes as well.
0
 
LVL 6

Expert Comment

by:Brad Held
ID: 39737972
So assuming the line(s):
<Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
work, the next question would be whether the distinguishedName of the group CBScheduling is correct. If that is correct, then I would validate that the role assignment is correct:
<IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>. One way to test that is to assign the IDXWFAdm role to the first clause, assuming that works for the second condition. If that works, then it's the actual role assignment and not the AD query causing issues.
0
 

Accepted Solution

by: Florescu (earned 0 total points)
ID: 39764308
We figured it out; there was a case-sensitivity issue. LDAP was wanting everything upper case for some reason. The GE engineer finally figured it out after some additional testing.
0
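The accepted answer comes down to the application comparing the configured memberOf DN byte-for-byte against what Active Directory returns, while LDAP itself treats DNs as case-insensitive. The following added example (not part of the thread or of the GE product) shows the difference between the two comparisons and how to recover the directory's own spelling of a group DN for pasting into a config that only does exact matching. The memberOf values are a constructed sample, not data from the poster's domain.

```python
import re

# Constructed sample of what AD might return in a user's memberOf attribute.
# Note the upper-case attribute types (CN=, OU=, DC=) compared with the
# lower-case spelling used in the question's config file.
SAMPLE_MEMBER_OF = [
    "CN=CBScheduling,OU=CB,DC=test,DC=com",
    "CN=Domain Users,CN=Users,DC=test,DC=com",
]

# The condition exactly as written in the question's <AttributeDefault>.
CONFIG_CONDITION = "cn=CBScheduling,ou=CB,dc=test,dc=com"


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: split on unescaped commas,
    trim whitespace around each RDN, lower-case types and values
    (AD's DN matching ignores case for both)."""
    rdns = re.split(r"(?<!\\),", dn)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def exact_match(member_of, group_dn):
    """Byte-for-byte comparison, as a naive config check would do it."""
    return group_dn in member_of


def dn_match(member_of, group_dn):
    """DN-aware comparison: true whenever the user is in the group,
    regardless of how either side spells the DN."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(m) == target for m in member_of)


def directory_spelling(member_of, group_dn):
    """The group DN exactly as the directory returned it, suitable for
    pasting into a config whose comparison is case-sensitive; None if
    the user is not a member."""
    target = normalize_dn(group_dn)
    return next((m for m in member_of if normalize_dn(m) == target), None)
```

With the sample above, `exact_match` returns False while `dn_match` returns True, and `directory_spelling` returns the upper-case form that a case-sensitive config needs.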
 

Author Closing Comment

by:Florescu
ID: 39774550
Figured it out on my own.
0