OnDemand User Group

Support Forums => z/OS Server => Topic started by: Norbert Novotny on November 22, 2018, 04:11:23 AM

Title: Re: Automatic User and Group synchronization with LDAP
Post by: Norbert Novotny on November 22, 2018, 04:11:23 AM
Hi guys,
Sorry to hijack this thread, but can someone provide me with a sample LDAP sub-tree which would demonstrate how to set up LDAP/AD to perform LDAP sync?
Creating CMOD Group(s)
Creating CMOD User(s)
Binding the respective user(s) to respective Group(s)

and the corresponding ARS_LDAP parameters mostly:
ARS_LDAP_USER_FILTER
ARS_LDAP_GROUP_FILTER
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE


I would appreciate your help.
Thank you,
 N.
Title: Re: Automatic User and Group synchronization with LDAP
Post by: Justin Derrick on November 22, 2018, 06:12:13 AM
I just moved this post from the Enhancements board...  It probably fits better here. 

I'll ping some folks from IBM to check in on this post since it's a technical question about a new feature. 

-JD.
Title: Re: Automatic User and Group synchronization with LDAP
Post by: rjrussel on November 23, 2018, 10:14:17 AM
The ARS_LDAP_USER_FILTER should be a query that identifies all users in LDAP that should be imported into CMOD. The same is true for the ARS_LDAP_GROUP_FILTER. Without having any info on your LDAP structure it's hard to give an example that will have relevance to your particular setup. We always recommend working with your AD administrator to come up with the appropriate filters. In any case, here is an example that might help....

If you are using AD then your ARS_LDAP_GROUP_MAPPED_ATTRIBUTE will be ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=CN (I have yet to see it be something else).

So you might have something like the following:

ARS_LDAP_USER_FILTER=(objectclass=user)
ARS_LDAP_GROUP_FILTER=(&(objectclass=group)(cn=CMOD*))
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn

The above would import ALL users from the baseDN along with any groups whose CN starts with CMOD. If you are using Unix you can use a command like ldapsearch to test your filters. For Windows environments I recommend adfind.exe. There are plenty of other tools as well. The key is to test your searches before implementing arslsync. It will make the process much easier.


Thank you,
Rob
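To illustrate the filters above without access to a directory, here is an added example (not IBM's, not from this thread) that evaluates ARS_LDAP_USER_FILTER and ARS_LDAP_GROUP_FILTER against a small constructed AD-style sub-tree, and shows what ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn would turn into CMOD group names. The entries, DNs and group names are constructed sample data, the filter evaluator is a small RFC 4515 subset written for this example (and, or, not, equality, `*` substring and presence), and the way CMOD itself applies these parameters is assumed, not taken from the product.

```python
"""Offline dry run of CMOD ARS_LDAP_* filter parameters against a constructed
sample sub-tree.  Added example; not IBM/CMOD code.  Evaluating the filters
here first mirrors Rob's advice to test searches (ldapsearch/adfind) before
running arslsync, so a too-broad filter is caught before it imports users."""
import re

# Constructed sample sub-tree under CN=Users,DC=example,DC=com.  Attribute
# names are stored lowercase; every attribute is multi-valued (a list).
SAMPLE_TREE = [
    {"dn": "CN=John.Smith,CN=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "user"], "cn": ["John.Smith"]},
    {"dn": "CN=Jane.Doe,CN=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "user"], "cn": ["Jane.Doe"]},
    {"dn": "CN=CMOD_Admins,CN=Users,DC=example,DC=com",
     "objectclass": ["top", "group"], "cn": ["CMOD_Admins"],
     "member": ["CN=John.Smith,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=CMOD_Readers,CN=Users,DC=example,DC=com",
     "objectclass": ["top", "group"], "cn": ["CMOD_Readers"],
     "member": ["CN=Jane.Doe,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "objectclass": ["top", "group"], "cn": ["Domain Admins"], "member": []},
]


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, attr=value with '*'
    wildcards, attr=* presence) into nested tuples.  Values containing a
    literal ')' would need RFC 4515 escaping, which this subset omits."""
    def parse(s, i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if s[i] in "&|":                       # (&(...)(...)) / (|(...)(...))
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                node, i = parse(s, i)
                kids.append(node)
            if s[i] != ")":
                raise ValueError("unterminated and/or filter")
            return (op, kids), i + 1
        if s[i] == "!":                        # (!(...))
            node, i = parse(s, i + 1)
            if s[i] != ")":
                raise ValueError("unterminated not filter")
            return ("!", node), i + 1
        end = s.index(")", i)                  # simple (attr=value)
        attr, sep, value = s[i:end].partition("=")
        if not sep:
            raise ValueError(f"bad item filter {s[i:end]!r}")
        return ("=", attr.strip().lower(), value), end + 1

    node, i = parse(text.strip(), 0)
    if i != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (AD-style, case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, []) if attr != "dn" else []
    if pattern == "*":                         # presence test
        return bool(values)
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def apply_filter(filter_text, entries):
    """Return the DNs of the entries the filter selects, in tree order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


def mapped_group_names(group_filter, entries, mapped_attribute="cn"):
    """Assumed behaviour of ARS_LDAP_GROUP_MAPPED_ATTRIBUTE: the named
    attribute of each selected group becomes the CMOD group name."""
    node = parse_filter(group_filter)
    return [e[mapped_attribute.lower()][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    ARS_LDAP_USER_FILTER = "(objectclass=user)"
    ARS_LDAP_GROUP_FILTER = "(&(objectclass=group)(cn=CMOD*))"
    print("users :", apply_filter(ARS_LDAP_USER_FILTER, SAMPLE_TREE))
    print("groups:", apply_filter(ARS_LDAP_GROUP_FILTER, SAMPLE_TREE))
    print("CMOD group names:", mapped_group_names(ARS_LDAP_GROUP_FILTER, SAMPLE_TREE))
```

Running it shows the user filter selecting both person entries, the group filter selecting only the two CMOD-prefixed groups and leaving `Domain Admins` out, and the mapped attribute yielding the group names `CMOD_Admins` and `CMOD_Readers`. Swapping in a candidate filter such as `(&(objectclass=group)(!(cn=CMOD*)))` is a quick way to confirm what a negation or broader pattern would pull in before pointing arslsync at a live directory.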
Title: Re: Automatic User and Group synchronization with LDAP
Post by: Norbert Novotny on November 26, 2018, 06:43:33 AM
Hi guys, thank you very much to both of you.
@Justin, yeah, you are right, I've realized that ... after ::) I hit submit.

@Rob, you are right, I would need to find an AD admin (they are all "very" busy) and my knowledge of LDAP/AD is rather thin.

Can I ask you for a favor? In the example you have provided, would it be possible to outline the LDAP sub-tree?

Thank you,
 N.
Title: Re: Automatic User and Group synchronization with LDAP
Post by: rjrussel on November 26, 2018, 08:32:45 AM
Not sure this will answer your question but the subtree is the base DN. For example:

CN=Users,DC=example,DC=com

If you don't know your baseDN you can find it by doing the following from your AD server:

Type the command: dsquery user -name <known username>

The result will look something like: "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"

Based on the above results your base DN would be CN=Users,DC=MyDomain,DC=com

-Rob
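The dsquery step above yields a full user DN from which the base DN is read off as the parent. As an added example (not from this thread or from IBM), the following Python derives the base DN from a dsquery-style result and checks whether other entries fall under that base, which is the question that decides whether a user will be seen by the sync at all. The DNs are constructed sample values in the shape Rob shows; the assumption that the sync searches the whole subtree under the base DN is mine, so both subtree and one-level scopes are shown.

```python
"""Derive a base DN from a known user's DN and test which entries sit under it.
Added example; constructed sample DNs, not from any real directory."""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas as
    in RFC 4514 (e.g. 'CN=Smith\\, John' stays one component)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair, do not split on it
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def base_dn_of(entry_dn):
    """Parent of an entry: the DN with its leading RDN removed."""
    rdns = split_dn(entry_dn)
    if len(rdns) < 2:
        raise ValueError(f"{entry_dn!r} has no parent")
    return ",".join(rdns[1:])


def base_dn_from_dsquery(line):
    """dsquery prints the DN quoted; strip the quotes and take the parent."""
    return base_dn_of(line.strip().strip('"'))


def _normalise(dn):
    # AD compares DN components case-insensitively; lowercase for comparison only.
    return [r.lower() for r in split_dn(dn)]


def is_under(entry_dn, base_dn, scope="subtree"):
    """True if entry_dn lies below base_dn.  scope='subtree' accepts any depth,
    scope='onelevel' only immediate children."""
    d, b = _normalise(entry_dn), _normalise(base_dn)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return scope == "subtree" or len(d) == len(b) + 1


if __name__ == "__main__":
    # Constructed dsquery-style output in the shape shown in the post.
    dsquery_output = '"CN=John.Smith,CN=Users,DC=MyDomain,DC=com"'
    base = base_dn_from_dsquery(dsquery_output)
    print("base DN:", base)
    # A user created in a separate OU is not under CN=Users and would be
    # missed by a sync rooted there; rooting at the domain catches both.
    other = "CN=Svc.Batch,OU=Service Accounts,DC=MyDomain,DC=com"
    print(other, "under", base, "->", is_under(other, base))
    print(other, "under DC=MyDomain,DC=com ->", is_under(other, "DC=MyDomain,DC=com"))
```

The practical point is the last two lines: with `CN=Users,DC=MyDomain,DC=com` as the base DN only accounts in that container are candidates for the user filter, while a base of `DC=MyDomain,DC=com` covers every OU in the domain, so the filter must then do all the narrowing.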