This is what the connector is meant to do - it puts users in groups based on settings in the source directory.
There's no way to disable this - it's integral to the purpose of the connector.
So is there no way to set some of the users as administrators then?
On another side note along the same lines, the customer has a few sites, each of which has its own AD server.
What will happen if, say, Site A has a user called Reception and Site B has a user called reception? Will it move the user reception within SafeBoot to whichever connector ran last?
I.e. Connector A is putting users into Users Group A
Connector B is putting users into Users Group B
Will the reception user keep bouncing between the 2?
You need to sit down with someone and discuss, I think. :o
The connector will add users it finds and "connect" them to their directory counterparts. It won't take over users that other connectors have added, or that you've added manually - though you can "glue" an existing user to one or more connectors.
So, you can't give users in EEM a different property set than their connector wants - it will just put them back when it runs. You need to either teach the connector with rules so it does that for you, or disconnect those users from that connector.
If you have multiple directories and user name overlap, that's a situation no meta-directory supports. The first connector to create the user will do so, all others will give you an error saying the user already exists.
Thanks for your replies. Very useful.
If someone has time, could they check the 5600 build for me to see if they get the same as we were experiencing yesterday? The sites that had the reception user were working as you stated. The second connector to run gave the error that the user already existed. However, when we changed to the 5600 build, the reception user was moving dependent on which connector ran last.
Here is how I've set up the Admin/User connection. I have one AD Connector configured as follows:
Connector -> General -> Search Groups
cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com
Connector -> Group Mappings
Endpoint Encryption Group: Admins
Directory Service Attribute: memberOf
Attribute Value: cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com
If NO mapping Exists: Use The Group: Users - Default
Folks that are members of the Admins group are put in the Admins group, all other users are dumped into the Users - Default group. To date it's worked flawlessly.
Of course, since you're not using AD you'll need to just find a new way to configure the one Group Mapping above, but I'm sure there is some other parameter you can use. If you're on eDirectory, I think it might even still be called memberOf, but any LDAP browser will help you there.
If the admin list is fairly small and experiences little change, then you could just manually define them in SafeBoot/MEE as unmanaged accounts.
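As an added example (not part of the thread and not McAfee's code), the following pre-flight check runs over exported directory entries to flag user names that appear under more than one connector, showing which group each connector's mapping would assign. It assumes user names are compared case-insensitively (as the Reception/reception question implies); the `CONNECTORS` layout, function names and sample entries are hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Mapping value taken from the configuration quoted in the thread.
ADMIN_DN = "cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com"

def norm_dn(dn):
    """Case-insensitive DN comparison key (simplified: no escaped commas)."""
    return ",".join(p.strip().casefold() for p in dn.split(","))

def map_group(entry, default_group, attr="memberOf", value=ADMIN_DN, mapped="Admins"):
    """One mapping rule: attribute value matches -> mapped group, else the default."""
    wanted = norm_dn(value)
    hit = any(norm_dn(v) == wanted for v in entry.get(attr, []))
    return mapped if hit else default_group

def find_collisions(connectors):
    """Return {folded user name: [(connector, name, group), ...]} for every
    name that appears under more than one connector."""
    seen = defaultdict(list)
    for conn, cfg in connectors.items():
        for entry in cfg["entries"]:
            group = map_group(entry, cfg["default_group"])
            seen[entry["name"].casefold()].append((conn, entry["name"], group))
    return {n: hits for n, hits in seen.items()
            if len({c for c, _, _ in hits}) > 1}

# Constructed sample data standing in for two per-site directory exports.
CONNECTORS = {
    "Connector A": {"default_group": "Users Group A", "entries": [
        {"name": "Reception",
         "memberOf": ["CN=Staff,OU=Groups,DC=corp,DC=mydomain,DC=com"]},
        {"name": "alice",
         "memberOf": ["CN=McAfee EE Admins, OU=Groups, DC=corp, DC=mydomain, DC=com"]},
    ]},
    "Connector B": {"default_group": "Users Group B", "entries": [
        {"name": "reception", "memberOf": []},
        {"name": "bob"},  # no memberOf attribute at all
    ]},
}

if __name__ == "__main__":
    for name, hits in find_collisions(CONNECTORS).items():
        print(f"collision on '{name}':")
        for conn, original, group in hits:
            print(f"  {conn}: {original} -> {group}")
```

Any name it reports should be renamed, or handled as a manually defined account, before the second connector runs.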