
SafeBoot Connector, AD & CmSettings.xml

Hi

I'm trying to get the SafeBoot connector to work in monitor mode...
We initially set up with Search Groups, i.e. we specified the DN (CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local) and all was well.

We then found out that the connector cannot monitor using Search Groups, but requires Search Settings, so we set up an object filter:
(&(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))

We then found out that 'search monitoring cannot take account of complex Object Filters' (p 16-4 of the Management Center v5 Administrators Guide (B5400)).
It then proceeds to explain how to add this capability to the 'Connection Manager Settings file manually' and provides some code for an INI file:

UserValid0.DSAttrib=objectClass
UserValidity0.AttribVal=user
UserValid1.DSAttrib=objectCategory
UserValidity1.AttribVal=CN=Person
UserValid2.DSAttrib=memberOf
UserValidity2.AttribVal='full memberOf attribute'


It turns out that the config file, since v5, is an XML file, CmSettings.xml.
I have therefore tried to add the 'memberOf' settings to the file, using its layout and syntax, i.e.:

<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValid0.AttribVal>user</UserValid0.AttribVal>
<UserValid1.DSAttrib>objectCategory</UserValid1.DSAttrib>
<UserValid1.AttribVal>CN=Person</UserValid1.AttribVal>
<UserValid2.DSAttrib>memberOf</UserValid2.DSAttrib>
<UserValid2.AttribVal>full memberOf attribute</UserValid2.AttribVal>


However, now when I run the connector it tells me that the 'directory user is not valid' and disables my SafeBoot user accounts...

I can find absolutely no reference material for this file, etc., just one forum post:
http://forums.mcafeehelp.com/showthread.php?t=222647

Can anyone please help?
Many thanks

David
5 Replies

RE: SafeBoot Connector, AD & CmSettings.xml

So... after sucking and seeing it turns out the syntax they give you in the original CmSettings.xml file is wrong!

The initial file contains the section:
...
<SyncDelay>0</SyncDelay>
<DeleteContainer>CN=Deleted Objects</DeleteContainer>
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValid0.AttribVal>user</UserValid0.AttribVal>
<UserValid1.DSAttrib>objectCategory</UserValid1.DSAttrib>
<UserValid1.AttribVal>CN=Person</UserValid1.AttribVal>
</Module>
...


As you can see, this has the syntax UserValidx.AttribVal

The sample code given for the old INI file uses the syntax UserValidityx.AttribVal

Therefore, to allow for 'complex object filters' using the 'memberOf' attribute you need:
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
<UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
<UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>

I hope this helps someone!

Regards
David

RE: SafeBoot Connector, AD & CmSettings.xml

Still not entirely convinced yet...
However, user enable/disable is almost instant (we edit in eDirectory (ConsoleOne), which syncs to AD (IDM)) and then the Connection Manager Monitor seems to pick it up straight away.

Concern is that we occasionally get
'directory user is not valid' in the log?

Can anyone point to any documentation on this? How to get the connector to debug log, so we can see what it's trying to do?
I tried to add in <SearchAttribs> as per an old SafeBoot manual, but that seemed to mess things up with spurious users added...

Any pointers welcome
Regards and thanks

David

RE: SafeBoot Connector, AD & CmSettings.xml

So, it's run for over 14 hours now.

What's weird is that the monitor process has seemed to sync members of the Domain Admins AND Builtin\Administrators groups, with the exception of the Administrator account?!?

Is this a 'default behaviour' of the AD Connector?
Is there any way to prevent this? (e.g. Excluded/Revoked users?)

I'm not totally sure how the connector is evaluating, I added in the cmsettings.xml lines:
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
<UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
<UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>

but have also left in the original 'object filter', though in the cmsettings.xml file this appears with &amp; in it:

<ObjectFilter>(&amp;(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))</ObjectFilter>

Can someone please explain how this works?
The fact it's adding in members of these groups is a security risk, as there will be accounts there with the default password....

Anyone?!?
Cheers

David
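As an added example (not from this thread and not McAfee's code), here is a small model of the validity check described in the two posts above: it pairs the UserValidN.DSAttrib / UserValidityN.AttribVal tags from a CmSettings.xml fragment, flags the mismatched UserValidN.AttribVal form as an incomplete rule, shows that the &amp; in ObjectFilter is plain XML escaping, and runs constructed directory objects (a SafeBootUsers member and a Domain Admin who is not) through the rules. How the product itself evaluates these tags is undocumented, so the matching logic is an assumption.

```python
import re
import xml.etree.ElementTree as ET
# Constructed <Module> fragment with the tag names David reported as working.
GOOD_CFG = """<Module>
<ObjectFilter>(&amp;(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))</ObjectFilter>
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
<UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
<UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>
</Module>"""
# Constructed fragment in the shipped file's mismatched form (UserValidN.AttribVal).
BAD_CFG = """<Module>
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValid0.AttribVal>user</UserValid0.AttribVal>
</Module>"""
SAFEBOOT_GROUP = "CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local"
# Constructed directory objects: attribute -> list of values (AD attributes are multi-valued).
USERS = {
    "jsmith": {"objectClass": ["top", "person", "organizationalPerson", "user"], "memberOf": [SAFEBOOT_GROUP]},
    "dadmin": {"objectClass": ["top", "person", "organizationalPerson", "user"],
               "memberOf": ["CN=Domain Admins,CN=Users,DC=wlmht,DC=local"]},
}
DSATTRIB = re.compile(r"^UserValid(\d+)\.DSAttrib$")
ATTRIBVAL = re.compile(r"^UserValidity(\d+)\.AttribVal$")

def load_rules(xml_text):
    """Pair UserValidN.DSAttrib with UserValidityN.AttribVal; report unpaired indexes."""
    attrs, values = {}, {}
    for el in ET.fromstring(xml_text):
        if m := DSATTRIB.match(el.tag):
            attrs[int(m.group(1))] = (el.text or "").strip()
        elif m := ATTRIBVAL.match(el.tag):
            values[int(m.group(1))] = (el.text or "").strip()
    rules = [(attrs[i], values[i]) for i in sorted(attrs) if i in values]
    return rules, sorted(i for i in attrs if i not in values)

def object_filter(xml_text):
    """The parser turns &amp; back into &: the entity in the file is plain XML escaping."""
    return ET.fromstring(xml_text).findtext("ObjectFilter")

def user_is_valid(user, rules):
    """Modelled check (an assumption, not the product's documented logic): every rule's
    value must be among the user's values for that attribute, compared case-insensitively."""
    have = {k.lower(): {v.lower() for v in vals} for k, vals in user.items()}
    return all(want.lower() in have.get(attr.lower(), set()) for attr, want in rules)

def validate_users(xml_text, users=USERS):
    """Return (names passing every rule, rule indexes the config left incomplete);
    an incomplete config yields no usable rules, so no directory user validates."""
    rules, incomplete = load_rules(xml_text)
    valid = [] if incomplete else sorted(n for n, u in users.items() if user_is_valid(u, rules))
    return valid, incomplete
```

Running it against the mismatched form reproduces the symptom from the first post (no user validates), while the corrected form admits only the SafeBootUsers member and rejects the Domain Admin.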

RE: SafeBoot Connector, AD & CmSettings.xml

Thanks for the great info! Sorry to hear it's not quite working for you yet. I've tried to get documentation on CmSettings.xml from support but they just referred me back to the official documentation that only covers the old INI. We've had a lot of issues with the LDAP connector to eDirectory here. I'll begin testing B5400 soon with emphasis on the connector, if I find anything I'll let you know.

RE: SafeBoot Connector, AD & CmSettings.xml

Hi
Just to complete the saga, we had to give up on the 'monitor' function (we have a call open with McAfee, but timescales have forced our hand...)
The sync part worked fine, it would even tidy up the spurious users added upon restart, however, monitor seemed to add users rather randomly... (even had one that got in after the account was used to unlock a screen saver!!). I'm guessing it's something to do with the config settings in cmsettings.xml...

Anyhow, we decided that we could cope with a 10 min delay between a/c disable (in edir, which syncs imm to ad) and the safeboot, so we set the AD Connector back to 'Group Search' (seems most efficient) and scheduled to run every 10mins. Seems fine so far, we could probably decrease the 10mins, as group targeted and only seems to take < 3sec to run, but powers that be are happy with 10 (as I'm sure our Domain Controller will be!! 😉)

Anyhow, after a couple of days of trying loads, this is where we ended up
HTH
Regards

David