• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 714
  • Last Modified:

Microsoft Active Directory LDAP Attributes

I am working on integrating an application called GE Centricity Business with my Microsoft Windows 2008 Active Directory.  I got most of it working except for a conditional statement.  Here's what part of the config file looks like.  I have underlined the parts that are not working.  

Basically it's the part that has the "memberof" statement.  If I remove the condition "memberof" statement, then it works just fine.  (i.e. I can authenticate to Active Directory and I'm able to login to the application)

I'm thinking it has something to do with the attribute map I'm using.

      <AttributeMap>
            <UserID>sAMAccountName</UserID>
            <LastName>sn</LastName>
            <FirstName>givenName</FirstName>
            <memberOf>memberOf</memberOf>
            <Email>email</Email>
      </AttributeMap>
      <AttributeOverride>
            <Password></Password>
      </AttributeOverride>
      <AttributeDefault>
            <Condition memberOf="cn=CBScheduling,ou=CB,dc=test,dc=com">
                 <IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>
           </Condition>
            <Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
            <IDXWF_DefaultSystemID>DCIP_TEST</IDXWF_DefaultSystemID>
      </AttributeDefault>
      <SearchBase>dc=test,dc=com</SearchBase>
      <Filter></Filter>
      <AuthErrorMap>
            <Message contains="data 52e,">(LDAP) Invalid password</Message>
            <Message contains="data 533,">(LDAP2) Account disabled</Message>
            <Message contains="data 773,">(LDAP) Password expired</Message>
      </AuthErrorMap>
      <UserNotFoundMessage>(LDAP) Incorrect username and/or password</UserNotFoundMessage>
      <NoPermissionMessage>(LDAP) You do not have access to this application</NoPermissionMessage>
      <PostAuthCheck>
            <Prevent accountDisabled="true">(LDAP3) Account disabled</Prevent>
      </PostAuthCheck>
0
Florescu
Asked:
Florescu
  • 3
1 Solution
 
Mike KlineCommented:
Did you try placing the quotes before memberof

 <Condition "memberOf=cn=CBAdmins,ou=CB,dc=test,dc=com">

Thanks

Mike
0
 
FlorescuAuthor Commented:
That didn't work.  I also tried single quotes and no quotes as well.
0
 
Brad HeldCommented:
So assuming the line(s):
<Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
works, the next question would be is the distinguishedName of the group CBScheduling correct. If that is correct then I would validate that the role assignment is correct.
<IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>, one way to test that is to assign the IDXWFAdm role to the first clause assuming that works for the second condition - If that works then its the actual role assignment and not the AD Query causing issues
0
 
FlorescuAuthor Commented:
We figured it out, there was a case sensitive issue.  LDAP was wanting everything upper case for some reason.  The GE engineer finally figured it out after some additional testing.
0
 
FlorescuAuthor Commented:
figured it out on my own
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now