7 Replies Latest reply on Apr 19, 2009 9:29 PM by mrgui

    Connector Issues

      Hi all.

      I'm hoping someone might be able to shed some light on this issue I am having. I'm almost 99% sure that this has not happened before and I have done about 20 installations of Endpoint Encryption in a variety of different companies.

      Right, here's the problem.

      I have a connector set up to pull users from the customer's LDAP (Netware) server and put them in a group called Laptop Users. This works perfectly fine without errors.

      Now the customer wanted himself and a couple of others to be in the Administrators group as they will be setting up a couple of user groups to assign to different groups of machines. This way the IT staff always have access to all machines.

      So I have moved the 4 Users from the Laptop users group and popped them into the Admins group. Now they stay there right up until the connector runs on its schedule and it dumps them back into the Laptop group.

      Customer is running 5502. We have tested it with 5600 build as well but the same is happening.

      I hope someone can help as I'm sure this has not happened elsewhere.
        • 1. RE: Connector Issues
          This is what the connector is meant to do - it puts users in groups based on settings in the source directory.

          There's no way to disable this - it's an integral point of the purpose of the connector.
          • 2. RE: Connector Issues
            So is there no way to set some of the users as administrators then?
            • 3. RE: Connector Issues
              On another side note along the same lines, the customer has a few sites each of which have their own AD server.

              What will happen if, say, Site A has a user called Reception and site B has a user called reception? Will it move the user reception within SafeBoot to whichever connector ran last?

              I.e. Connector A is putting users into Users Group A
              Connector B is putting users into Users Group B

              Will the reception user keep bouncing between the 2?
              • 4. RE: Connector Issues
                You need to sit down with someone and discuss, I think. :o

                The connector will add users it finds and "connect" them to their directory counterparts. It won't take over users that other connectors have added, or that you've added manually - though you can "glue" an existing user to one or more connectors.

                So, you can't give users in EEM a different property set than their connector wants - it will just put them back when it runs. You need to either teach the connector with rules so it does that for you, or disconnect those users from that connector.

                If you have multiple directories and user name overlap, that's a situation no meta-directory supports. The first connector to create the user will do so, all others will give you an error saying the user already exists.
                • 5. RE: Connector Issues
                  Thanks for your replies. Very useful.

                  If someone has time, could they check the 5600 Build for me to see if they get the same as we were experiencing yesterday? The sites that had the reception user were working as you stated. The second connector to run gave the error that the user already existed. However, when we changed to 5600 build the reception user was moving depending on which connector ran last.
                  • 6. RE: Connector Issues
                    Here is how I've set up the Admin/User connection. I have one AD Connector configured as follows:

                    Connector -> General -> Search Groups
                    cn=Laptop Users,ou=Groups,dc=corp,dc=mydomain,dc=com
                    cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com

                    Connector -> Group Mappings
                    Endpoint Encryption Group: Admins
                    Directory Service Attribute: memberOf
                    Attribute Value: cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com

                    If NO mapping Exists: Use The Group: Users - Default

                    Folks that are members of the Admins group are put in the Admins group, all other users are dumped into the Users - Default group. To date it's worked flawlessly.

                    Of course, since you're not using AD you'll need to just find a new way to configure the one Group Mapping above, but I'm sure there is some other parameter you can use. If you're on eDirectory, I think it might even still be called memberOf, but any LDAP browser will help you there.
                    • 7. RE: Connector Issues
                      If the admin list is fairly small and experiences little change, then you could just manually define them in SafeBoot/MEE as unmanaged accounts.
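
Added example (not part of the thread and not McAfee's code): a simplified Python model of the connector behaviour as described in replies 4, 6 and 7, showing why a manual move into Admins is undone on the next run while a memberOf mapping or an unmanaged account persists. All function and variable names are hypothetical, the directory entries are constructed, and case-insensitive DN matching is an assumption of the model.

```python
# Simplified model of the behaviour described in replies 4, 6 and 7 (hypothetical names).
ADMIN_DN = "cn=McAfee EE Admins,ou=Groups,dc=corp,dc=mydomain,dc=com"
MAPPINGS = [("memberOf", ADMIN_DN, "Admins")]   # reply 6: Group Mappings
DEFAULT_GROUP = "Users - Default"               # reply 6: "If NO mapping Exists"


def resolve_group(entry, mappings=MAPPINGS, default=DEFAULT_GROUP):
    """Return the group for one directory entry; first matching rule wins."""
    for attr, wanted, group in mappings:
        # Assumption of this model: DN values compare case-insensitively.
        if any(v.lower() == wanted.lower() for v in entry.get(attr, [])):
            return group
    return default


def run_connector(name, directory, store):
    """One scheduled pass over a directory; returns a list of error strings.

    store maps user name -> {"group", "owner"}; owner is the connector that
    created the user, or None for a manually created (unmanaged) account.
    """
    errors = []
    for user, entry in directory.items():
        record = store.get(user)
        if record is None:
            store[user] = {"group": resolve_group(entry), "owner": name}
        elif record["owner"] == name:
            # Managed user: group is recomputed, overwriting manual moves.
            record["group"] = resolve_group(entry)
        else:
            # Created manually or by another connector: not taken over.
            errors.append(f"{name}: user '{user}' already exists")
    return errors


def demo():
    # Constructed sample directory entries for two sites.
    site_a = {
        "alice": {"memberOf": [ADMIN_DN.upper()]},
        "bob": {"memberOf": ["cn=Laptop Users,ou=Groups,dc=corp,dc=mydomain,dc=com"]},
        "reception": {"memberOf": []},
    }
    site_b = {"reception": {"memberOf": []}}
    store = {"carol": {"group": "Admins", "owner": None}}  # reply 7: unmanaged admin
    run_connector("A", site_a, store)
    store["bob"]["group"] = "Admins"          # manual move in the console
    errs = run_connector("A", site_a, store)  # next scheduled run reverts it
    errs += run_connector("B", site_b, store)
    return store, errs
```

In this model, admin rights follow directory group membership, so changes to the mapped directory group are what need to be controlled and audited.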