Managing AD Group Placement

By: coolguys_netiq

March 7, 2007 8:12 am

Problem

A Forum reader recently asked:

“I am working on an eDir to AD driver. I would like to get users automatically placed in a group in AD, based on what is in their description attribute. The groups are created in AD, and I do not want Group Sync to create or manage the same group in eDirectory. I simply want my AD driver to read the description attribute and put a user in a group based on that entry. Is this possible without Group Sync? If so, what would the policy syntax be?”

And here’s the response from Father Ramon …

Solution

Using RBE is one option that you could use without changing the policies at all, as long as you enable the group entitlement when you import the driver configuration.

If you’re not using RBE, then something like this in the subscriber command transformation should work:

<policy xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor">
  <rule>
   <description>Add New User to Groups based on Description</description>
   <conditions>
    <and>
     <if-operation op="equal">add</if-operation>
     <if-class-name op="equal">User</if-class-name>
    </and>
   </conditions>
   <actions>
    <do-for-each>
     <arg-node-set>
      <token-op-attr name="Description"/>
     </arg-node-set>
     <arg-actions>
      <do-for-each>
       <arg-node-set>
        <token-xpath expression="$current-node[. = 'Description for Group1']"/>
       </arg-node-set>
       <arg-actions>
        <do-add-dest-attr-value class-name="Group" name="Member">
         <arg-dn>
          <token-text>cn=group1,ou=people,o=novell</token-text>
         </arg-dn>
         <arg-value type="string">
          <token-dest-dn/>
         </arg-value>
        </do-add-dest-attr-value>
       </arg-actions>
      </do-for-each>
     </arg-actions>
    </do-for-each>
   </actions>
  </rule>
  <rule>
   <description>Update Group Membership when Description changes</description>
   <conditions>
    <and>
     <if-class-name op="equal">User</if-class-name>
     <if-operation mode="case" op="equal">modify</if-operation>
     <if-op-attr name="Description" op="changing"/>
    </and>
   </conditions>
   <actions>
    <do-set-local-variable name="userdn" scope="policy">
     <arg-string>
      <token-xpath expression='query:readObject($destQueryProcessor, association, "", "User", "")/@src-dn'/>
     </arg-string>
    </do-set-local-variable>
    <do-for-each>
     <arg-node-set>
      <token-removed-attr name="Description"/>
     </arg-node-set>
     <arg-actions>
      <do-for-each>
       <arg-node-set>
        <token-xpath expression="$current-node[. = 'Description for Group1']"/>
       </arg-node-set>
       <arg-actions>
        <do-remove-dest-attr-value class-name="Group" name="Member">
         <arg-dn>
          <token-text>cn=group1,ou=people,o=novell</token-text>
         </arg-dn>
         <arg-value type="string">
          <token-local-variable name="userdn"/>
         </arg-value>
        </do-remove-dest-attr-value>
       </arg-actions>
      </do-for-each>
     </arg-actions>
    </do-for-each>
    <do-for-each>
     <arg-node-set>
      <token-op-attr name="Description"/>
     </arg-node-set>
     <arg-actions>
      <do-for-each>
       <arg-node-set>
        <token-xpath expression="$current-node[. = 'Description for Group1']"/>
       </arg-node-set>
       <arg-actions>
        <do-add-dest-attr-value class-name="Group" name="Member">
         <arg-dn>
          <token-text>cn=group1,ou=people,o=novell</token-text>
         </arg-dn>
         <arg-value type="string">
          <token-local-variable name="userdn"/>
         </arg-value>
        </do-add-dest-attr-value>
       </arg-actions>
      </do-for-each>
     </arg-actions>
    </do-for-each>
   </actions>
  </rule>
</policy>

You’ll need to duplicate each of the innermost for-each loops for each description you want to map to a group.

You will also need Description in the Subscriber filter as either notify or sync (depending on whether you are also synchronizing it). To update Users that already exist on both sides, you will need to set the merge-authority for Description to eDir and perform a migrate or resync on the Users.
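The following is an added example, not code from the original post or from the driver configuration. It models the two rules above in Python so that a Description-to-group mapping can be checked offline before it is hard-coded into the policy: rule 1 (User add) emits one add-member command per mapped Description value, rule 2 (Description changing) emits remove-member commands for removed values and add-member commands for new values, in the same order the policy processes them. It generalizes the single "Description for Group1" pair to any number of pairs via a dictionary, and adds an audit function for the case the answer raises at the end, Users that already exist on both sides and whose AD memberships may not match their Description. The GROUP_MAP entries, user DNs and group DNs are constructed sample values, not from the original page, apart from cn=group1,ou=people,o=novell.

```python
"""Offline model of the eDir-to-AD group placement policy (constructed example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed mapping: Description value -> group DN whose Member attribute
# the policy would modify. The policy above hard-codes one pair per innermost
# do-for-each; this dict plays the same role for any number of pairs.
GROUP_MAP: Dict[str, str] = {
    "Description for Group1": "cn=group1,ou=people,o=novell",
    "Description for Group2": "cn=group2,ou=people,o=novell",   # constructed
}

# A command the policy would issue: (operation, group DN, member DN).
Command = Tuple[str, str, str]


def groups_for(descriptions: Iterable[str],
               group_map: Dict[str, str] = GROUP_MAP) -> Set[str]:
    """Group DNs selected by the given Description values.

    Values with no mapping select nothing, just as the policy's xpath
    predicate $current-node[. = '...'] matches nothing for them.
    """
    return {group_map[d] for d in descriptions if d in group_map}


def on_add(user_dn: str, descriptions: Iterable[str],
           group_map: Dict[str, str] = GROUP_MAP) -> List[Command]:
    """Rule 1: a new User gets one add-value on each mapped group's Member."""
    return [("add-value", g, user_dn)
            for g in sorted(groups_for(descriptions, group_map))]


def on_modify(user_dn: str, removed: Iterable[str], added: Iterable[str],
              group_map: Dict[str, str] = GROUP_MAP) -> List[Command]:
    """Rule 2: Description is changing on an existing User.

    The policy first walks the removed values (remove-value on each mapped
    group), then the added values (add-value on each mapped group).
    """
    cmds: List[Command] = [("remove-value", g, user_dn)
                           for g in sorted(groups_for(removed, group_map))]
    cmds += [("add-value", g, user_dn)
             for g in sorted(groups_for(added, group_map))]
    return cmds


def audit(user_dn: str, descriptions: Iterable[str], actual_groups: Iterable[str],
          group_map: Dict[str, str] = GROUP_MAP) -> List[Command]:
    """Commands needed to bring a pre-existing User's memberships in line.

    This is the check to run over Users that existed on both sides before
    the policy was deployed: the policy only reacts to events, so earlier
    drift (memberships without a matching Description, or vice versa)
    stays until a migrate/resync is done. Only groups named in group_map
    are considered; other memberships are left alone.
    """
    desired = groups_for(descriptions, group_map)
    managed = set(group_map.values())
    actual = set(actual_groups) & managed
    cmds: List[Command] = [("remove-value", g, user_dn) for g in sorted(actual - desired)]
    cmds += [("add-value", g, user_dn) for g in sorted(desired - actual)]
    return cmds


if __name__ == "__main__":
    user = "cn=jdoe,ou=people,o=novell"           # constructed sample User DN
    for cmd in on_add(user, ["Description for Group1"]):
        print("add event   ->", cmd)
    for cmd in on_modify(user, removed=["Description for Group1"],
                         added=["Description for Group2"]):
        print("modify event ->", cmd)
    for cmd in audit(user, ["Description for Group2"],
                     ["cn=group1,ou=people,o=novell", "cn=unrelated,ou=groups,o=novell"]):
        print("audit        ->", cmd)
```

Running the module prints the commands each event would generate; the audit output for a User whose Description no longer matches an existing membership is the list of corrections a resync would have to apply. Note that a Description value with no entry in the map produces no command at all, so a typo in a Description silently leaves the User out of every group rather than failing loudly.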

Categories: eDirectory, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
