I'm trying to get the SafeBoot connector to work in monitor mode... We initially set up with Search Groups, i.e. we specified the DN (CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local) and all was well.
We then found out that the connector cannot monitor using Search Groups but requires Search Settings, so we set up an object filter: (&(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))
We then found out that 'search monitoring cannot take account of complex Object Filters' (p 16-4 of the Management Center v5 Administrator's Guide (B5400)). It then proceeds to explain how to add this capability to the 'Connection Manager Settings file' manually and provides some code for an INI file:
So... after some suck-it-and-see, it turns out the syntax they give you in the original CmSettings.xml file is wrong!
The initial file contains the section:
...
<SyncDelay>0</SyncDelay>
<DeleteContainer>CN=Deleted Objects</DeleteContainer>
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValid0.AttribVal>user</UserValid0.AttribVal>
<UserValid1.DSAttrib>objectCategory</UserValid1.DSAttrib>
<UserValid1.AttribVal>CN=Person</UserValid1.AttribVal>
</Module>
...
As you can see this has the syntax UserValidx.AttribVal
The sample code given for the old INI file uses the syntax UserValidityx.AttribVal
Therefore, to allow for 'complex object filters' using the 'memberOf' attribute you need:
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
<UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
<UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>
Still not entirely convinced yet... However, user enable/disable is almost instant (we edit in eDirectory (ConsoleOne), which syncs to AD (IDM), and then the Connection Manager Monitor seems to pick it up straight away).
The concern is that we occasionally get 'directory user is not valid' in the log?
Can anyone point to any documentation on this? How to get the connector to debug log, so we can see what it's trying to do? I tried to add in <SearchAttribs> as per an old SafeBoot manual, but that seemed to mess things up with spurious users added...
What's weird is that the monitor process seems to have synced members of the Domain Admins AND Builtin\Administrators groups, with the exception of the Administrator account?!?
Is this a 'default behaviour' of the AD Connector? Is there any way to prevent this? (e.g. Excluded/Revoked users?)
I'm not totally sure how the connector is evaluating; I added in the cmsettings.xml lines:
<UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
<UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
<UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
<UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>
but have also left in the original 'object filter', though in the cmsettings.xml file this appears with &amp; in it:
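To make the two selection mechanisms in the post concrete, here is an added simulation (example code, not from the post, McAfee or the SafeBoot documentation). It evaluates the object filter from the post and the UserValidN/UserValidityN pairs against a few constructed directory entries. Two assumptions about the connector are baked in and are not confirmed anywhere on this page: that the pairs are ANDed together, and that a multi-valued attribute such as memberOf counts as a match when any of its values equals AttribVal. What the example does show independently of those assumptions is a property of Active Directory itself: memberOf holds only direct group membership (not membership inherited through a nested group, and not the user's primary group), so a user who is in SafeBootUsers only via a nested group will be rejected by both the filter and the pairs. The nested group name and the user names are hypothetical.

```python
"""Simulate selecting directory users two ways: the LDAP object filter from
the post, and the UserValidN.DSAttrib / UserValidityN.AttribVal pairs.

Assumptions (not from the post or vendor docs): the connector ANDs the pairs,
and a multi-valued attribute matches when any value equals AttribVal.
All entries below are constructed sample data, not real directory objects.
"""

GROUP_DN = "CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local"
# Hypothetical group that is itself a member of SafeBootUsers.
NESTED_DN = "CN=SafeBootNested,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local"

OBJECT_FILTER = f"(&(objectClass=organizationalPerson)(memberOf={GROUP_DN}))"

USER_VALID_PAIRS = [
    ("objectClass", "organizationalPerson"),  # UserValid0 / UserValidity0
    ("memberOf", GROUP_DN),                   # UserValid1 / UserValidity1
]

# objectClass in AD is multi-valued; memberOf lists only direct membership.
_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "jsmith": {"objectClass": _USER_CLASSES, "memberOf": [GROUP_DN]},
    "mjones": {"objectClass": _USER_CLASSES, "memberOf": []},
    "nested": {"objectClass": _USER_CLASSES, "memberOf": [NESTED_DN]},
}


def attr_equals(entry, attr, value):
    """Case-insensitive equality against every value of a (multi-valued) attribute."""
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == value.lower() for v in values)


def user_valid(entry, pairs=USER_VALID_PAIRS):
    """Assumed connector semantics: every DSAttrib/AttribVal pair must match."""
    return all(attr_equals(entry, a, v) for a, v in pairs)


def ldap_match(entry, filt):
    """Evaluate a small subset of RFC 4515 filters: (&..), (|..), (!..), (attr=value)."""
    node, rest = _parse(filt.strip())
    if rest:
        raise ValueError("trailing data in filter: " + rest)
    return _eval(entry, node)


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s = s[0], s[1:]
        children = []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (op, children), s[1:]
    # Simple equality item. A DN value contains commas and '=' but no
    # unescaped ')', so the first ')' closes the item; split on the first '='.
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return ("=", attr, value), s[end + 1:]


def _eval(entry, node):
    if node[0] == "=":
        return attr_equals(entry, node[1], node[2])
    op, children = node
    if op == "&":
        return all(_eval(entry, c) for c in children)
    if op == "|":
        return any(_eval(entry, c) for c in children)
    return not _eval(entry, children[0])  # op == "!"


def compare(entries=ENTRIES):
    """Return {name: (matches object filter, passes UserValid pairs)}."""
    return {n: (ldap_match(e, OBJECT_FILTER), user_valid(e)) for n, e in entries.items()}


if __name__ == "__main__":
    for name, (by_filter, by_pairs) in compare().items():
        print(f"{name:8s} object filter={by_filter!s:5s} UserValid pairs={by_pairs}")
```

Under these assumptions the direct member passes both checks, the non-member fails both, and the nested-only member fails both. If the real connector behaves differently from this simulation, that difference is exactly what the debug logging asked about above would reveal.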
Thanks for the great info! Sorry to hear it's not quite working for you yet. I've tried to get documentation on CmSettings.xml from support but they just referred me back to the official documentation that only covers the old INI. We've had a lot of issues with the LDAP connector to eDirectory here. I'll begin testing B5400 soon with emphasis on the connector, if I find anything I'll let you know.
Hi. Just to complete the saga: we had to give up on the 'monitor' function (we have a call open with McAfee, but timescales have forced our hand...). The sync part worked fine; it would even tidy up the spurious users added upon restart. However, monitor seemed to add users rather randomly... (we even had one that got in after the account was used to unlock a screen saver!!). I'm guessing it's something to do with the config settings in cmsettings.xml...
Anyhow, we decided that we could cope with a 10 min delay between a/c disable (in eDir, which syncs immediately to AD) and SafeBoot, so we set the AD Connector back to 'Group Search' (seems most efficient) and scheduled it to run every 10 mins. Seems fine so far; we could probably decrease the 10 mins, as it's group-targeted and only seems to take < 3 sec to run, but the powers that be are happy with 10 (as I'm sure our Domain Controller will be!! ;-)
Anyhow, after a couple of days of trying loads, this is where we ended up. HTH. Regards