10/26/2023 08:59 AM
Hi
I have the following two questions on Saviynt's group management function:
1) Does it allow group lifecycle management (create/update/delete groups) in LDAP?
2) If the answer to #1 is "Yes", then how do we populate the "Groups Domain" dropdown on the "Create AD Groups" form? I can see the Endpoint & Application Name dropdowns getting pre-populated with correct values, but not "Groups Domain". What configuration am I missing here?
Regards
Gaurav
10/26/2023 09:57 PM
Hi @sk thanks for your revert.
Yes, I have configured all of these parameters (groupImportMapping, ENTITLEMENT_ATTRIBUTE, groupSearchBaseDN & createUpdateMappings), but the Groups Domain field still doesn't pre-populate.
Following are the configurations I have made:
groupImportMapping
{
    "importGroupHierarchy": "false",
    "entitlementTypeName": "ismemberof",
    "groupAccountMappingAttributeName": "uniqueMember",
    "performGroupAccountLinking": "true",
    "incrementalTimeField": "modifyTimestamp",
    "advanceGroupFilter": {"ismemberof": {"OU Name": ["(&(objectClass=XXX))"]}},
    "mapping": "memberHash:uniqueMember_char,entitlement_value:nameinnamespace_char,description:description_char,DISPLAYNAME:nameinnamespace_char,createdate:createTimestamp_date,updatedate:modifyTimestamp_date,entitlement_glossary:description_char,customproperty1:nameinnamespace_char,customproperty2:cn_char,customproperty3:uniqueMember_char,customproperty4:grouptype_char,customproperty5:objectClass_char,entitlementid:nameinnamespace_char,customproperty6:ismemberof_char,RECONCILATION_FIELD:customproperty1,lastscandate:createTimestamp_date,customproperty7:createTimestamp_char,customproperty8:modifyTimestamp_char,customproperty9:ngbgroupowners_char",
    "entitlementOwnerAttribute": "ngbgroupowners",
    "tableFieldAttribute": "NAME"
}
ENTITLEMENT_ATTRIBUTE = ismemberof
groupSearchBaseDN = not required, as I have used the advanceGroupFilter mapping in groupImportMapping
createUpdateMappings
{
    "cn": "${role?.customproperty27}",
    "objectCategory": "OU Name",
    "displayName": "${role?.displayname}",
    "sAMAccountName": "${role?.customproperty27}",
    "description": "${role?.description}",
    "objectClass": "XXX",
    "name": "${role?.customproperty27}"
}
Please let me know what configuration is missing here, as LDAP account/entitlement reconciliation and provisioning are working fine.
Regards
Gaurav
10/27/2023 07:34 AM
@GauravJain: I don't think ENTITLEMENT_ATTRIBUTE = ismemberof is the right configuration.
It should be memberOf instead; can you try with the same? I see you have referenced the same in groupImportMapping as well.
So please replace ismemberof with memberOf and see if that works.
10/29/2023 10:00 PM
Hi @sk thanks for your revert.
As I am onboarding an LDAP application, the "memberOf" attribute will not give the groups created in LDAP. I believe "memberOf" should be used for AD application onboarding. Also, in my LDAP application integration the "ismemberof" attribute is working absolutely fine.
Any luck with my original issue of "Groups Domain"?
Regards
Gaurav
10/26/2023 09:41 PM
1. Yes
2. Did you try selecting the endpoint name on the Create AD Groups page?
10/26/2023 10:08 PM
Hi @SumathiSomala thanks for your revert.
Yes, I have selected the endpoint name, but Groups Domain is still blank. Please see my post above where I have shared the configuration for the different parameters, and please let me know if I am missing anything.
Regards
Gaurav
10/26/2023 10:19 PM - edited 10/26/2023 10:24 PM
@GauravJain Could you please try with the below sample
    "cn": "${role?.customproperty2}",
    "objectCategory": "OU Name",
    "displayName": "${role?.displayname}",
    "sAMAccountName": "${role?.customproperty2}",
    "description": "${role?.description}",
    "objectClass": "group",
    "name": "${role?.customproperty2}",
    "managedBy": "${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}",
    "objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx,C=xx",
10/26/2023 10:25 PM
@GauravJain remove the { } in the createUpdateMappings JSON
10/26/2023 11:14 PM
Hi @SumathiSomala - Thanks for your time on this issue.
I have tried the options you shared, but still no luck. Using "{}" brackets is not a problem, I guess, because from version 23.7 onwards we can use JSON format as per the Saviynt documentation; but I have still tried both with and without brackets, and the result is the same: not working.
What's the significance of the "objectCategory" attribute? I don't see any documentation around it.
Secondly, is it a problem with the "objectCategory" attribute? As I want to do group management in LDAP, I have also tried with "ou=applications123,ou=applications,l={region},o=domain.com", where I want to create the new groups, but still no luck.
Is there anything in the endpoint configuration I am missing?
Regards
Gaurav
10/27/2023 12:50 AM
@GauravJain refer to this to know more about objectCategory:
Object Class and Object Category - Win32 apps | Microsoft Learn
Can you please share your updated createUpdateMappings?
Also check objectCategory in the target: open any group in LDAP > Attribute editor.
Is it a problem with the "objectCategory" attribute? Seems to be yes.
10/27/2023 03:35 AM
Hi @SumathiSomala thanks for your suggestions and the link so far. I need to check this attribute in LDAP, but here is the mapping.
createUpdateMappings
    "cn": "${role?.customproperty2}",
    "objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com",
    "displayName": "${role?.displayname}",
    "sAMAccountName": "${role?.customproperty2}",
    "description": "${role?.description}",
    "objectclass": "aaaa",
    "objectclass": "xxx",
    "objectclass": "yyyy",
    "name": "${role?.customproperty2}",
    "managedBy": "${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}"
Please note, I have mentioned multiple objectClasses here because we need them. In case that's not the correct way of putting it, please advise.
10/27/2023 03:47 AM - edited 10/27/2023 03:59 AM
@GauravJain "objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com", seems to be incorrect.
It should be similar to this:
"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx",
Please check the objectCategory attribute in the target for any one of the groups.
To validate this, first try with one objectClass, i.e. group.
To use multiple:
    "objectclass": [
        "top",
        "person",
        "organizationalPerson",
        "user"
    ],
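The mapping posted above repeats the "objectclass" key three times, and the reply says to use an array instead. This added example (not from the thread or from Saviynt) shows why the repeated-key form silently loses data when the mapping is parsed as JSON, rewrites the duplicates into the array form, and sanity-checks that objectCategory looks like a schema-class DN rather than an OU container; the sample mapping text is constructed from the thread's fragment.

```python
import json
from collections import OrderedDict

# Constructed sample: the posted fragment, wrapped in braces so it parses as JSON.
SAMPLE_MAPPING = """{
  "cn": "${role?.customproperty2}",
  "objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com",
  "displayName": "${role?.displayname}",
  "objectclass": "aaaa",
  "objectclass": "xxx",
  "objectclass": "yyyy",
  "name": "${role?.customproperty2}"
}"""


def parse_last_wins(text):
    """Plain json.loads: a repeated key keeps only its LAST value."""
    return json.loads(text)


def parse_keep_duplicates(text):
    """Parse JSON but keep every (key, value) pair, repeats included."""
    collected = []

    def hook(pairs):
        collected.extend(pairs)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return collected


def find_duplicate_keys(pairs):
    """Keys that appear more than once, sorted."""
    counts = {}
    for key, _ in pairs:
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


def merge_duplicates_into_lists(pairs):
    """Collapse repeated keys into a JSON array (the form the reply recommends)."""
    merged = OrderedDict()
    for key, value in pairs:
        if key in merged:
            if not isinstance(merged[key], list):
                merged[key] = [merged[key]]
            merged[key].append(value)
        else:
            merged[key] = value
    return merged


def object_category_looks_like_schema_dn(value):
    """objectCategory should be a class-schema DN (CN=Group,CN=Schema,CN=Configuration,...)."""
    rdns = [r.strip().lower() for r in value.split(",")]
    return rdns[0].startswith("cn=") and "cn=schema" in rdns and "cn=configuration" in rdns
```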
10/27/2023 04:19 AM
Yes, earlier I tried with one objectClass, but it didn't work. Let me get details around objectCategory and then I will confirm back.
Secondly, what's the significance of "customproperty2" in an attribute like
"cn": "${role?.customproperty2}"
Do we need to keep some value in it in case role is null or something?
10/27/2023 07:44 AM
Hi @GauravJain,
Is this LDAP or Active Directory? If not, group creation/modification and deletion might not be supported.
Configuring Group Management (saviyntcloud.com)
10/29/2023 10:02 PM
It's LDAP. I thought if AD works then LDAP should also work. Please confirm.
10/29/2023 10:07 PM
@GauravJain I misunderstood your use case.
Currently, group management is not supported for LDAP.
https://ideas.saviynt.com/ideas/EIC-I-4772
Please upvote this.
10/29/2023 10:09 PM
No problem. I have voted for the idea.
10/29/2023 08:15 PM
It's not supported @Gaurav
https://ideas.saviynt.com/ideas/EIC-I-4772
10/29/2023 10:04 PM
Thanks @rushikeshvartak.