5 Replies Latest reply on Oct 11, 2008 12:30 PM by djbrightman

    SafeBoot Connector, AD & CmSettings.xml

      Hi

      I'm trying to get the SafeBoot connector to work in monitor mode...
      We initially set up with Search Groups, i.e. we specified the DN (CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local) and all was well.

      We then found out that the connector cannot monitor using Search Groups, but requires Search Settings, so we set up an object filter:
      (&(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))

      We then found out that 'search monitoring cannot take account of complex Object Filters' (p 16-4 of the Management Center v5 Administrator's Guide (B5400)).
      It then proceeds to explain how to add this capability to the 'Connection Manager Settings file' manually and provides some code for an INI file:

      UserValid0.DSAttrib=objectClass
      UserValidity0.AttribVal=user
      UserValid1.DSAttrib=objectCategory
      UserValidity1.AttribVal=CN=Person
      UserValid2.DSAttrib=memberOf
      UserValidity2.AttribVal='full memberOf attribute'


      It turns out that the config file, since v5, is an XML file, CmSettings.xml.
      I have therefore tried to add the 'memberOf' settings to the file, using its layout and syntax, i.e.:

      <UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
      <UserValid0.AttribVal>user</UserValid0.AttribVal>
      <UserValid1.DSAttrib>objectCategory</UserValid1.DSAttrib>
      <UserValid1.AttribVal>CN=Person</UserValid1.AttribVal>
      <UserValid2.DSAttrib>memberOf</UserValid2.DSAttrib>
      <UserValid2.AttribVal>full memberOf attribute</UserValid2.AttribVal>


      However, now when I run the connector it tells me that the 'directory user is not valid' and disables my SafeBoot user accounts...

      I can find absolutely no reference material for this file, etc., just one forum post:
      http://forums.mcafeehelp.com/showthread.php?t=222647

      Can anyone please help?
      Many thanks

      David
        • 1. RE: SafeBoot Connector, AD & CmSettings.xml
          So... after a bit of suck-it-and-see, it turns out the syntax they give you in the original CmSettings.xml file is wrong!

          The initial file contains the section:
          ...
          <SyncDelay>0</SyncDelay>
          <DeleteContainer>CN=Deleted Objects</DeleteContainer>
          <UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
          <UserValid0.AttribVal>user</UserValid0.AttribVal>
          <UserValid1.DSAttrib>objectCategory</UserValid1.DSAttrib>
          <UserValid1.AttribVal>CN=Person</UserValid1.AttribVal>
          </Module>
          ...


          As you can see this has the syntax UserValidx.AttribVal

          The sample code given for the old INI file uses the syntax UserValidityx.AttribVal

          Therefore, to allow for 'complex object filters' using the 'memberOf' attribute you need:
          <UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
          <UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
          <UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
          <UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>

          I hope this helps someone!

          Regards
          David
          • 2. RE: SafeBoot Connector, AD & CmSettings.xml
            Still not entirely convinced yet...
            However, user enable/disable is almost instant (we edit in eDirectory (ConsoleOne), which syncs to AD (IDM), and then the Connection Manager Monitor seems to pick it up straight away).

            Concern is that we occasionally get 'directory user is not valid' in the log?

            Can anyone point to any documentation on this? How to get the connector to debug log, so we can see what it's trying to do?
            I tried to add in <SearchAttribs> as per an old SafeBoot manual, but that seemed to mess things up with spurious users added...

            Any pointers welcome
            Regards and thanks

            David
            • 3. RE: SafeBoot Connector, AD & CmSettings.xml
              So, it's run for over 14 hours now.

              What's weird is that the monitor process has seemed to sync members of the Domain Admins AND Builtin\Administrators groups, with the exception of the Administrator account?!?

              Is this a 'default behaviour' of the AD Connector?
              Is there anyway to prevent this? (e.g. Excluded/Revoked users?)

              I'm not totally sure how the connector is evaluating, I added in the cmsettings.xml lines:
              <UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
              <UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
              <UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
              <UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>

              but have also left in the original 'object filter', though in the cmsettings.xml file this appears with &amp; in it:

              <ObjectFilter>(&amp;(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))</ObjectFilter>

              Can someone please explain how this works?
              The fact it's adding in members of these groups is a security risk, as there will be accounts there with the default password....

              Anyone?!?
              Cheers

              David
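An added example (not code from the thread, McAfee, or the SafeBoot connector) that models the two mechanisms discussed in replies 1 and 3: the ordered UserValidN.DSAttrib / UserValidityN.AttribVal pairs, and the ObjectFilter whose `&` is stored XML-escaped as `&amp;`. It reads a constructed CmSettings.xml-style fragment, flags AttribVal tags written with the UserValidN. prefix that reply 1 reports as not working, and evaluates constructed directory entries against the rules. The AND-of-all-rules and case-insensitive matching semantics are assumptions for illustration, not the connector's documented algorithm, and the `<Module>` wrapper and sample entries are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed CmSettings.xml-style fragment in the layout the thread shows.
# Assumption: a <Module> element holding these children; this is not a real file.
# Rule 2 deliberately uses the UserValidN.AttribVal spelling from the shipped file.
SAMPLE_XML = """<Module>
  <SyncDelay>0</SyncDelay>
  <DeleteContainer>CN=Deleted Objects</DeleteContainer>
  <ObjectFilter>(&amp;(objectClass=organizationalPerson)(memberOf=CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local))</ObjectFilter>
  <UserValid0.DSAttrib>objectClass</UserValid0.DSAttrib>
  <UserValidity0.AttribVal>organizationalPerson</UserValidity0.AttribVal>
  <UserValid1.DSAttrib>memberOf</UserValid1.DSAttrib>
  <UserValidity1.AttribVal>CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local</UserValidity1.AttribVal>
  <UserValid2.DSAttrib>objectCategory</UserValid2.DSAttrib>
  <UserValid2.AttribVal>CN=Person</UserValid2.AttribVal>
</Module>"""

DSATTRIB = re.compile(r"^UserValid(\d+)\.DSAttrib$")
ATTRVAL = re.compile(r"^UserValidity(\d+)\.AttribVal$")   # spelling reply 1 reports as working
ATTRVAL_OLD = re.compile(r"^UserValid(\d+)\.AttribVal$")  # spelling found in the shipped file


def load_validity_rules(xml_text):
    """Return ordered (attribute, required value) pairs; a rule needs both halves."""
    attrs, vals = {}, {}
    for el in ET.fromstring(xml_text):
        text = (el.text or "").strip()
        m = DSATTRIB.match(el.tag)
        if m:
            attrs[int(m.group(1))] = text
            continue
        m = ATTRVAL.match(el.tag)
        if m:
            vals[int(m.group(1))] = text
    return [(attrs[i], vals[i]) for i in sorted(attrs) if i in vals]


def find_mismatched_tags(xml_text):
    """AttribVal tags using the UserValidN. prefix, which reply 1 found does not pair
    with UserValidN.DSAttrib (the thread's finding, not vendor documentation)."""
    return [el.tag for el in ET.fromstring(xml_text) if ATTRVAL_OLD.match(el.tag)]


def load_object_filter(xml_text):
    """ElementTree decodes &amp; back to &, which is why the file shows (&amp;(...))."""
    return (ET.fromstring(xml_text).findtext("ObjectFilter") or "").strip()


def entry_is_valid(entry, rules):
    """Check an entry (attribute -> list of values) against every rule; all must hold.
    Assumed semantics: case-insensitive on attribute names and values, as AD treats
    objectClass and DN-valued attributes; multi-valued attributes match on any value.
    Returns (ok, list of failed rules) so a 'directory user is not valid' can be explained."""
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    failures = []
    for attr, wanted in rules:
        if wanted.lower() not in lowered.get(attr.lower(), []):
            failures.append(f"{attr}={wanted!r} not satisfied")
    return not failures, failures


# Constructed directory entries (not real accounts).
GROUP_DN = "CN=SafeBootUsers,OU=ADGroups,OU=GLOBAL,DC=wlmht,DC=local"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
MEMBER = {"objectClass": USER_CLASSES, "memberOf": [GROUP_DN]}
NON_MEMBER = {"objectClass": USER_CLASSES,
              "memberOf": ["CN=Domain Admins,CN=Users,DC=wlmht,DC=local"]}

if __name__ == "__main__":
    rules = load_validity_rules(SAMPLE_XML)
    print("rules:", rules)
    print("suspect tags:", find_mismatched_tags(SAMPLE_XML))
    print("filter:", load_object_filter(SAMPLE_XML))
    for name, entry in (("member", MEMBER), ("non-member", NON_MEMBER)):
        print(name, entry_is_valid(entry, rules))
```

Because rule 2 is written with the shipped file's spelling, it is reported by `find_mismatched_tags` and dropped by `load_validity_rules`, so only the objectClass and memberOf rules are enforced; the non-member entry passes the objectClass rule (organizationalPerson is one of its values) and fails only on memberOf.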
              • 4. RE: SafeBoot Connector, AD & CmSettings.xml
                Thanks for the great info! Sorry to hear it's not quite working for you yet. I've tried to get documentation on CmSettings.xml from support but they just referred me back to the official documentation that only covers the old INI. We've had a lot of issues with the LDAP connector to eDirectory here. I'll begin testing B5400 soon with emphasis on the connector, if I find anything I'll let you know.
                • 5. RE: SafeBoot Connector, AD & CmSettings.xml
                  Hi
                  Just to complete the saga, we had to give up on the 'monitor' function (we have a call open with McAfee, but time scales have forced our hand...)
                  The sync part worked fine; it would even tidy up the spurious users added upon restart. However, monitor seemed to add users rather randomly... (even had one that got in after the account was used to unlock a screen saver!!). I'm guessing it's something to do with the config settings in cmsettings.xml...

                  Anyhow, we decided that we could cope with a 10 min delay between a/c disable (in eDir, which syncs immediately to AD) and SafeBoot, so we set the AD Connector back to 'Group Search' (seems most efficient) and scheduled it to run every 10 mins. Seems fine so far; we could probably decrease the 10 mins, as it's group targeted and only seems to take < 3 sec to run, but the powers that be are happy with 10 (as I'm sure our Domain Controller will be!! ;-)

                  Anyhow, after a couple of days of trying loads, this is where we ended up
                  HTH
                  Regards

                  David