
LDAP Group Management - Groups Domain

GauravJain
Regular Contributor

Hi,

I have the following two questions on Saviynt's group management function:

1) Does it allow group lifecycle management (create/update/delete groups) in LDAP?

2) If the answer to #1 is "Yes", then how do we populate the "Groups Domain" dropdown on the "Create AD Groups" form? I could see the Endpoint & Application Name dropdowns getting pre-populated with the correct values, but not "Groups Domain". What configuration am I missing here?

Regards

Gaurav


19 REPLIES

sk
All-Star

@GauravJain 

  1. Yes, it is possible.
  2. Have you configured groupImportMapping, ENTITLEMENT_ATTRIBUTE, groupSearchBaseDN & createUpdateMappings?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

GauravJain
Regular Contributor

Hi @sk, thanks for your reply.

Yes, I have configured all of these parameters (groupImportMapping, ENTITLEMENT_ATTRIBUTE, groupSearchBaseDN & createUpdateMappings), but the Groups Domain field still doesn't pre-populate.
Following are the configurations I have made:

groupImportMapping

{
  "importGroupHierarchy": "false",
  "entitlementTypeName": "ismemberof",
  "groupAccountMappingAttributeName": "uniqueMember",
  "performGroupAccountLinking": "true",
  "incrementalTimeField": "modifyTimestamp",
  "advanceGroupFilter": {"ismemberof": {"OU Name": ["(&(objectClass=XXX))"]}},
  "mapping": "memberHash:uniqueMember_char,entitlement_value:nameinnamespace_char,description:description_char,DISPLAYNAME:nameinnamespace_char,createdate:createTimestamp_date,updatedate:modifyTimestamp_date,entitlement_glossary:description_char,customproperty1:nameinnamespace_char,customproperty2:cn_char,customproperty3:uniqueMember_char,customproperty4:grouptype_char,customproperty5:objectClass_char,entitlementid:nameinnamespace_char,customproperty6:ismemberof_char,RECONCILATION_FIELD:customproperty1,lastscandate:createTimestamp_date,customproperty7:createTimestamp_char,customproperty8:modifyTimestamp_char,customproperty9:ngbgroupowners_char",
  "entitlementOwnerAttribute": "ngbgroupowners",
  "tableFieldAttribute": "NAME"
}

ENTITLEMENT_ATTRIBUTE = ismemberof

groupSearchBaseDN = not required, as I have used the advanceGroupFilter mapping in groupImportMapping

createUpdateMappings
{
  "cn": "${role?.customproperty27}",
  "objectCategory": "OU Name",
  "displayName": "${role?.displayname}",
  "sAMAccountName": "${role?.customproperty27}",
  "description": "${role?.description}",
  "objectClass": "XXX",
  "name": "${role?.customproperty27}"
}

Please let me know what configuration is missing here, as LDAP account/entitlement reconciliation and provisioning are working fine.

Regards

Gaurav
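The "mapping" string in the groupImportMapping above packs every column into a comma-separated list of column:ldapAttribute_type pairs, which is easy to mistype and hard to eyeball. The parser below is an added example, not Saviynt code and not from the thread: it splits that string, reports entries it cannot parse, checks that RECONCILATION_FIELD names a column that is actually mapped, and lists the LDAP attributes the import will ask the directory for (so "ismemberof" vs "memberOf" can be checked against the target schema). The sample string is a shortened, constructed copy of the one posted above; treating "char" and "date" as the only valid type suffixes is an assumption based on what appears in the post.

```python
# Constructed sample: a shortened copy of the "mapping" value from the
# groupImportMapping posted above, in the column:attribute_type form it uses.
SAMPLE_MAPPING = (
    "memberHash:uniqueMember_char,entitlement_value:nameinnamespace_char,"
    "description:description_char,DISPLAYNAME:nameinnamespace_char,"
    "createdate:createTimestamp_date,updatedate:modifyTimestamp_date,"
    "customproperty1:nameinnamespace_char,customproperty2:cn_char,"
    "entitlementid:nameinnamespace_char,RECONCILATION_FIELD:customproperty1,"
    "lastscandate:createTimestamp_date"
)

# Assumption: only the two type suffixes seen in the thread are valid;
# anything else is reported rather than guessed at.
KNOWN_TYPES = {"char", "date"}


def parse_mapping_string(text):
    """Split a mapping string into its parts.

    Returns (columns, recon, errors): columns maps each Saviynt column to an
    (ldap_attribute, type) pair, recon is the RECONCILATION_FIELD target
    (or None), and errors lists entries that could not be parsed.
    """
    columns, recon, errors = {}, None, []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        if ":" not in entry:
            errors.append(f"malformed entry (no ':'): {entry!r}")
            continue
        column, target = (s.strip() for s in entry.split(":", 1))
        if column.upper() == "RECONCILATION_FIELD":
            recon = target          # names a Saviynt column, not an LDAP attribute
            continue
        attr, sep, typ = target.rpartition("_")
        if not sep or typ not in KNOWN_TYPES:
            errors.append(f"{column}: unrecognised type suffix in {target!r}")
            continue
        if column in columns:
            errors.append(f"{column}: mapped more than once")
        columns[column] = (attr, typ)
    return columns, recon, errors


def lint_mapping(columns, recon, errors):
    """Findings a connector admin would want to see before running an import."""
    findings = list(errors)
    if recon is None:
        findings.append("no RECONCILATION_FIELD entry")
    elif recon not in columns:
        findings.append(
            f"RECONCILATION_FIELD points at {recon!r}, which is not a mapped column"
        )
    return findings


def ldap_attributes(columns):
    """The LDAP attributes the import will request, for comparison with the
    target schema (for example ismemberof on LDAP vs memberOf on AD)."""
    return {attr for attr, _ in columns.values()}


if __name__ == "__main__":
    cols, recon, errs = parse_mapping_string(SAMPLE_MAPPING)
    print("columns:", len(cols), "reconciliation field:", recon)
    print("LDAP attributes requested:", sorted(ldap_attributes(cols)))
    print("findings:", lint_mapping(cols, recon, errs))
```

Run it against the full mapping string from a real groupImportMapping before saving the connection; an entry that silently fails to parse is one the import will also silently ignore.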

@GauravJain: I don't think ENTITLEMENT_ATTRIBUTE = ismemberof is the right configuration.

It should be memberOf instead; can you try with the same? I see you have referenced the same in groupImportMapping as well.

So please replace ismemberof with memberOf and see if that works?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

GauravJain
Regular Contributor

Hi @sk, thanks for your reply.

As I am onboarding an LDAP application, the "memberOf" attribute will not give the groups created in LDAP. I believe "memberOf" should be used for AD application onboarding. Also, in my LDAP application integration the "ismemberof" attribute is working absolutely fine.

Any luck with my original issue of "Groups Domain"?

Regards

Gaurav

SumathiSomala
All-Star

@GauravJain 

1. Yes

2. Did you try selecting the endpoint name on the Create AD Groups page?

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala, thanks for your reply.

Yes, I have selected the endpoint name, but Groups Domain is still blank. Please see my post above where I have shared the configuration for the different parameters, and let me know if I am missing anything.


Regards

Gaurav

@GauravJain Could you please try with the below sample:

"cn": "${role?.customproperty2}",
"objectCategory": "OU Name",
"displayName": "${role?.displayname}",
"sAMAccountName": "${role?.customproperty2}",
"description": "${role?.description}",
"objectClass": "group",
"name": "${role?.customproperty2}",
"managedBy":"${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}"

Alternatively, for objectCategory:

"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx,C=xx",

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

@GauravJain Remove the { } in the createUpdateMappings JSON.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala - Thanks for your time on this issue.

I have tried the options you shared, but still no luck. Using "{}" brackets is not a problem, I guess, because from version 23.7 onwards we can use JSON format as per the Saviynt documentation. Still, I have tried both with brackets and without, and the result is the same - not working.

What's the significance of the "objectCategory" attribute? I don't see any documentation around it.

Secondly, is it a problem with the "objectCategory" attribute? As I want to do group management in LDAP, I have also tried with "ou=applications123,ou=applications,l={region},o=domain.com", where I want to create the new groups, but still no luck.

Is there anything in the endpoint configuration I am missing?

Regards

Gaurav


@GauravJain Refer to this to know more about objectCategory:

Object Class and Object Category - Win32 apps | Microsoft Learn

Can you please share your updated createUpdateMappings?

Also check objectCategory in the target: open any group in LDAP > Attribute Editor.

Is it a problem with the "objectCategory" attribute? Seems to be yes.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala, thanks for your suggestions and the link so far. I need to check this attribute in LDAP, but here is the mapping.

createUpdateMappings

"cn": "${role?.customproperty2}",
"objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com",
"displayName": "${role?.displayname}",
"sAMAccountName": "${role?.customproperty2}",
"description": "${role?.description}",
"objectclass": "aaaa",
"objectclass": "xxx",
"objectclass": "yyyy",
"name": "${role?.customproperty2}",
"managedBy":"${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}"

Please note, I have mentioned multiple objectClasses here because we need those. In case that's not the correct way of putting it, please advise.

@GauravJain "objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com" seems to be incorrect.

It should be similar to this:

"objectCategory":"CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx",

Please check the objectCategory attribute in the target for any one of the groups.

To validate this, first try with one objectClass, i.e. group.

To use multiple:

"objectclass": [
   "top",
   "person",
   "organizationalPerson",
   "user"
],


Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.
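The createUpdateMappings posted above repeats the "objectclass" key three times. A JSON object cannot carry a key more than once: any standard parser (including Python's json module by default) keeps only the last value and drops the others without a warning, which is why the reply recommends the array form. The checker below is an added example, not Saviynt code and not from the thread: it parses a mapping with a duplicate-key-aware hook so nothing is lost, reports keys that were repeated, and flags an objectCategory value that does not look like the schema-class DN the reply describes. The three sample mappings are constructed, with placeholder attribute values; the objectCategory check follows the Active Directory convention cited in the thread (the attribute is AD-specific and may not exist on another LDAP server at all), and treating objectclass as the only multi-valued key is an assumption for this example.

```python
import json

# Constructed samples (placeholder values, not a real target schema).
# The first repeats "objectclass" the way the post above does; the second
# uses the array form from the reply; the third carries an OU path where
# a schema-class DN is expected.
WITH_DUPLICATE_KEYS = """{
  "cn": "${role?.customproperty2}",
  "objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx",
  "objectclass": "top",
  "objectclass": "groupOfUniqueNames",
  "name": "${role?.customproperty2}"
}"""

WITH_ARRAY = """{
  "cn": "${role?.customproperty2}",
  "objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xx,DC=xx",
  "objectclass": ["top", "groupOfUniqueNames"],
  "name": "${role?.customproperty2}"
}"""

WITH_OU_CATEGORY = """{
  "cn": "${role?.customproperty2}",
  "objectCategory": "ou=applications123,ou=applications,l={region},o=domain.com",
  "objectclass": ["top", "groupOfUniqueNames"]
}"""

# Assumption for this example: attributes that may legitimately carry several
# values. A repeat of any other key is treated as a mistake.
MULTI_VALUED = {"objectclass"}


def parse_mapping(text):
    """Parse a mapping without losing repeated keys.

    json.loads keeps only the last value of a repeated key; this hook keeps
    every value as a list under the spelling first seen. LDAP attribute names
    are compared case-insensitively. Returns (mapping, duplicates).
    """
    duplicates = []

    def keep_all(pairs):
        merged, spelling = {}, {}
        for key, value in pairs:
            k = key.lower()
            if k not in spelling:
                spelling[k] = key
                merged[key] = value
                continue
            duplicates.append(key)
            first = spelling[k]
            if not isinstance(merged[first], list):
                merged[first] = [merged[first]]
            merged[first].append(value)
        return merged

    return json.loads(text, object_pairs_hook=keep_all), duplicates


def check_mapping(mapping, duplicates):
    """Findings about the mapping as the directory would actually receive it."""
    findings = []
    for key in dict.fromkeys(duplicates):  # each repeated key reported once
        if key.lower() in MULTI_VALUED:
            findings.append(
                f"{key} is repeated; a standard JSON parser keeps only the last "
                f"value, so write it once as an array"
            )
        else:
            findings.append(f"{key} is repeated but is a single-valued attribute")
    for key, value in mapping.items():
        if key.lower() == "objectcategory" and "cn=schema" not in str(value).lower():
            findings.append(
                f"objectCategory {value!r} does not look like a schema-class DN "
                f"(expected something like CN=Group,CN=Schema,CN=Configuration,...)"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("duplicate keys", WITH_DUPLICATE_KEYS),
                        ("array form", WITH_ARRAY),
                        ("OU as objectCategory", WITH_OU_CATEGORY)):
        mapping, dups = parse_mapping(text)
        print(label, "->", mapping.get("objectclass"), check_mapping(mapping, dups))
```

The practical lesson is the first finding: a mapping that looks right in the UI can reach the connector with two of its three object classes already gone, so any repeated attribute must be collapsed into one array before the JSON is saved.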

Yes, earlier I tried with one objectClass, but it didn't work. Let me get details around objectCategory and then I will confirm back.

Secondly, what's the significance of "customproperty2" in an attribute like

"cn": "${role?.customproperty2}"

Do we need to keep some value in it in case role is null or something?

armaanzahir
Valued Contributor

Hi @GauravJain ,

Is this LDAP, or Active Directory? If not, group creation/modification and deletion might not be supported.


Configuring Group Management (saviyntcloud.com)

Regards,
Md Armaan Zahir

It's LDAP. I thought if AD works then LDAP should also work. Please confirm.

@GauravJain I misunderstood your use case.

Currently, group management is not supported for LDAP.

https://ideas.saviynt.com/ideas/EIC-I-4772

Please upvote this.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

No problem. I have voted for the idea.

rushikeshvartak
All-Star

It's not supported, @Gaurav

https://ideas.saviynt.com/ideas/EIC-I-4772


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks @rushikeshvartak.