Solved

Microsoft Active Directory LDAP Attributes

Posted on 2013-12-02
5
670 Views
Last Modified: 2014-01-12
I am working on integrating an application called GE Centricity Business with my Microsoft Windows 2008 Active Directory. I got most of it working except for a conditional statement. Here's what part of the config file looks like. I have underlined the parts that are not working.

Basically it's the part that has the "memberOf" statement. If I remove the conditional "memberOf" statement, then it works just fine (i.e. I can authenticate to Active Directory and I'm able to log in to the application).

I'm thinking it has something to do with the attribute map I'm using.

      <AttributeMap>
            <UserID>sAMAccountName</UserID>
            <LastName>sn</LastName>
            <FirstName>givenName</FirstName>
            <memberOf>memberOf</memberOf>
            <Email>email</Email>
      </AttributeMap>
      <AttributeOverride>
            <Password></Password>
      </AttributeOverride>
      <AttributeDefault>
            <Condition memberOf="cn=CBScheduling,ou=CB,dc=test,dc=com">
                  <IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>
            </Condition>
            <Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
            <IDXWF_DefaultSystemID>DCIP_TEST</IDXWF_DefaultSystemID>
      </AttributeDefault>
      <SearchBase>dc=test,dc=com</SearchBase>
      <Filter></Filter>
      <AuthErrorMap>
            <Message contains="data 52e,">(LDAP) Invalid password</Message>
            <Message contains="data 533,">(LDAP2) Account disabled</Message>
            <Message contains="data 773,">(LDAP) Password expired</Message>
      </AuthErrorMap>
      <UserNotFoundMessage>(LDAP) Incorrect username and/or password</UserNotFoundMessage>
      <NoPermissionMessage>(LDAP) You do not have access to this application</NoPermissionMessage>
      <PostAuthCheck>
            <Prevent accountDisabled="true">(LDAP3) Account disabled</Prevent>
      </PostAuthCheck>
0
Question by:Florescu
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Did you try placing the quotes before memberOf?

 <Condition "memberOf=cn=CBAdmins,ou=CB,dc=test,dc=com">

Thanks

Mike
0
 

Author Comment

by:Florescu
That didn't work.  I also tried single quotes and no quotes as well.
0
 
LVL 6

Expert Comment

by:Brad Held
So assuming the line(s):
<Condition memberOf="cn=CBAdmins,ou=CB,dc=test,dc=com">
                  <IDXWF_DefaultSystemID>IDXWFAdm</IDXWF_DefaultSystemID>
            </Condition>
work, the next question would be whether the distinguishedName of the group CBScheduling is correct. If that is correct, then I would validate that the role assignment is correct:
<IDXWF_RoleID Add="Y">CBScheduling</IDXWF_RoleID>
One way to test that is to assign the IDXWFAdm role to the first clause, assuming that works for the second condition. If that works, then it's the actual role assignment and not the AD query causing issues.
0
 

Accepted Solution

by: Florescu (earned 0 total points)
We figured it out; there was a case-sensitivity issue. LDAP was wanting everything upper case for some reason. The GE engineer finally figured it out after some additional testing.
0
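The accepted answer points at DN casing. Active Directory returns memberOf values in its own casing (typically "CN=...,OU=...,DC=..."), so a connector that compares the condition string literally against those values will never match a condition written in lower case, while a comparison that normalizes both sides is insensitive to it. The script below is an added example, not code from this thread or from GE Centricity Business; it evaluates the two <Condition> entries and the default from the question against a constructed user record, first with a literal string comparison and then with a case-normalized DN comparison. The user record, the group names and the simplified condition evaluation (first-match-wins per attribute, Add="Y" appending to a role list) are assumptions made for the example.

```python
# Added example: evaluating memberOf conditions with and without DN normalization.

# Constructed sample user, shaped like an AD search result. The DN casing
# mimics what AD returns; the values themselves are made up for this example.
SAMPLE_USER = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=CBScheduling,OU=CB,DC=test,DC=com",
        "CN=Domain Users,CN=Users,DC=test,DC=com",
    ],
}

# Conditions as written in the question's <AttributeDefault> block:
# (group DN, attribute to set, value, Add="Y" semantics).
CONDITIONS = [
    ("cn=CBScheduling,ou=CB,dc=test,dc=com", "IDXWF_RoleID", "CBScheduling", True),
    ("cn=CBAdmins,ou=CB,dc=test,dc=com", "IDXWF_DefaultSystemID", "IDXWFAdm", False),
]


def split_rdns(dn):
    """Split a DN on unescaped commas; RFC 4514 escapes a literal comma as '\\,'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lower-cased and
    trimmed. cn, ou and dc use case-insensitive matching rules in AD, so two DNs
    that differ only in case name the same entry."""
    rdns = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def literal_match(user, group_dn):
    """What a connector does if it compares the config string byte-for-byte."""
    return group_dn in user.get("memberOf", [])


def dn_match(user, group_dn):
    """Case-insensitive DN comparison after normalizing both sides."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(m) == want for m in user.get("memberOf", []))


def resolve_attributes(user, matcher):
    """Apply the conditions in order; unmatched attributes keep the default
    from the question (IDXWF_DefaultSystemID = DCIP_TEST)."""
    result = {"IDXWF_DefaultSystemID": "DCIP_TEST", "IDXWF_RoleID": []}
    for group_dn, attr, value, add in CONDITIONS:
        if not matcher(user, group_dn):
            continue
        if add:
            result[attr].append(value)
        else:
            result[attr] = value
    return result


if __name__ == "__main__":
    print("literal :", resolve_attributes(SAMPLE_USER, literal_match))
    print("normalized:", resolve_attributes(SAMPLE_USER, dn_match))
```

With the literal comparison the sample user gets no role and only the default system ID, which is the symptom described in the question; with normalization the CBScheduling role is assigned. If the connector in use compares literally, writing the condition DN in exactly the casing the directory returns (as the accepted answer did) is the workaround; a normalizing comparison removes the dependency altogether.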
 

Author Closing Comment

by:Florescu
figured it out on my own
0
