2 Replies Latest reply on Jan 20, 2009 11:19 AM by mss_JT

    AD Connector Issue 2

      Hi,

      I am experiencing an issue at 1 of the NHS trusts we are dealing with and would like some assistance in resolving it.

      The customers AD structure is causing problems with the Safeboot Active Directory connector. All of their users are contained within a single parent OU. The child OU's are generally based on department - Finance, Directors, Wards, IT..etc, and within these OU's are further child OU's that contain pretty much anything - users, groups, printers..etc. When the Safeboot AD connector is run on the parent OU it throws up an "Incorrect object class" error and the connector manager crashes. I believe the problem is being caused by the presence of a "Distribution List" OU within the parent OU, as when I ran the connector on one of the child OU's that didn't contain distribution lists it worked absolutely fine and pulled the AD users into Safeboot without any issues. Unfortunately, the customer is unable to move the Distribution list OU as there are numerous group policy settings applied to it.

      The connector I have created is using search groups, and is pointed at the root OU as explained above. I have looked into the possibility of removing the search group and using the search setting instead. As the trust has a pretty good AD scripting guy who is of the belief that he can configure the connector to completely ignore the “Distribution List” OU.

      The only other option I can see open to me is to create numerous connectors that pull users into their matching groups in Safeboot. Ideally, I don’t want to have to do this as I will need at least 10 connectors and 10 SB groups. This, I am sure will only lead to confusion.

      Any help/suggestions would be gratefully received.
        • 1. RE: AD Connector Issue 2
          Hi,

          I also work at an NHS trust and we have recently had Safeboot setup by a supplier. Here are the settings we use which works fine even with the distribution list OU.

          BaseDN: DC=domain,DC=nhs,DC=uk
          objectFilter: (objectClass=user)
          entrylimit: 30000
          timeout: 30
          retrival enabled
          entire subtree
          monitor changes

          Atrribute Type List
          objectGUID (binary string)

          Attributes to substring check
          distisguishedName
          memberOf

          there are NO search groups setup.

          We then have our Safeboot group to match AD groups, so that any members of the AD group will get put into the safeboot group, then if not in any of those groups they get ignored.

          Thanks
          • 2. AD Connector Issue 2
            Many thanks for the response on this. Although it asn't directly resolved the issue, it has opened up other avenues that did not previously exist. I have been looking into configuring an object filter from within the search settings tab that will search for object class=user in the numerous child OU's below the parent but will skip searching within the problematic "Distribution List" OU. If anyone has any knowledge/experience with configuring such an LDAP query, again, this would prove extremely helpful.

            To summarise, I need to look for user objects in the child OU's below the main parent OU but ask the connector to disregard the Distribution Lists OU.

            Regards, and thanks again.