Solved

Microsoft Active Directory LDAP Attributes

Posted on 2013-12-02
5
691 Views
Last Modified: 2014-01-12
I am working on integrating an application called GE Centricity Business with my Microsoft Windows 2008 Active Directory.  I got most of it working except for a conditional statement.  Here's what part of the config file looks like.  I have underlined the parts that are not working.  

Basically it's the part that has the "memberof" statement.  If I remove the condition "memberof" statement, then it works just fine.  (i.e. I can authenticate to Active Directory and I'm able to login to the application)

I'm thinking it has something to do with the attribute map I'm using.

      <AttributeMap>
            <UserID>sAMAccountName</UserID>
            <LastName>sn</LastName>
            <FirstName>givenName</FirstName>
            <memberOf>memberOf</memberOf>
            <Email>email</Email>
      </AttributeMap>
      <AttributeOverride>
            <Password></Password>
      </AttributeOverride>
      <AttributeDefault>
            <Condition memberOf="cn=CBScheduling,ou=CB,dc=test,dc=com">
                 <IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>
           </Condition>
            <Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
            <IDXWF_DefaultSystemID>DCIP_TEST</IDXWF_DefaultSystemID>
      </AttributeDefault>
      <SearchBase>dc=test,dc=com</SearchBase>
      <Filter></Filter>
      <AuthErrorMap>
            <Message contains="data 52e,">(LDAP) Invalid password</Message>
            <Message contains="data 533,">(LDAP2) Account disabled</Message>
            <Message contains="data 773,">(LDAP) Password expired</Message>
      </AuthErrorMap>
      <UserNotFoundMessage>(LDAP) Incorrect username and/or password</UserNotFoundMessage>
      <NoPermissionMessage>(LDAP) You do not have access to this application</NoPermissionMessage>
      <PostAuthCheck>
            <Prevent accountDisabled="true">(LDAP3) Account disabled</Prevent>
      </PostAuthCheck>
0
Comment
Question by:Florescu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39691149
Did you try placing the quotes before memberof

 <Condition "memberOf=cn=CBAdmins,ou=CB,dc=test,dc=com">

Thanks

Mike
0
 

Author Comment

by:Florescu
ID: 39691179
That didn't work.  I also tried single quotes and no quotes as well.
0
 
LVL 6

Expert Comment

by:Brad Held
ID: 39737972
So assuming the line(s):
<Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
works, the next question would be is the distinguishedName of the group CBScheduling correct. If that is correct then I would validate that the role assignment is correct.
<IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>, one way to test that is to assign the IDXWFAdm role to the first clause assuming that works for the second condition - If that works then its the actual role assignment and not the AD Query causing issues
0
 

Accepted Solution

by:
Florescu earned 0 total points
ID: 39764308
We figured it out, there was a case sensitive issue.  LDAP was wanting everything upper case for some reason.  The GE engineer finally figured it out after some additional testing.
0
 

Author Closing Comment

by:Florescu
ID: 39774550
figured it out on my own
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question