4 Replies Latest reply on Mar 1, 2010 11:33 AM by SafebootMEE

    AD Connector Mapping Question

      I am working with a heavily nested OU structure and I am having a problem with the Group Mappings. I am mapping to MEE groups with AD Security groups. The AD Security group's DN is like this....


      CN=Security Group,OU=Department,OU=Geographic Site,OU=Support,OU=Department,OU=Top Site,DC=Domain,DC=Org


      I run the connector and I get the error message 'Error User <username> no mapping found'. I move this AD Security group to a higer level OU such as:


      CN=Security Group,OU=Department,DC=Domain,DC=Org


      I adjust my group mappings in the connector and it will add the user(s) without any problems. Is it because the connector gets confused when it sees that there are two OU=Department(s)? or is it because it is such a long DN? I also think it had to do with AD permissions since there are different Group Policies in some of the OUs.

        • 1. Re: AD Connector Mapping Question

          use the LDAP browser to view one of the users in the group, and then find the "MemberOf" attribute for the group you want to map against. Use this as the string in the group mappings list.

          • 2. Re: AD Connector Mapping Question

            The user(s) already had the 'memberOf'  attribute of the AD Security group (CN=Security Group,OU=Department,OU=Geographic Site,OU=Support,OU=Department,OU=Top Site,DC=Domain,DC=Org) as I described previously. The string is already listed in the connector mappings with the 'memberOf' Directory Services attribute.


            It only worked if I move the AD Security group to a higher level OU so the DN is now: CN=Security Group,OU=Department,DC=Domain,DC=Org.


            I have used different MEE Groups in the mappings so I do not believe this is a Database problem. I think it is either the Connector gets confused or it is the OU permissions.




            • 3. Re: AD Connector Mapping Question

              if you log onto the ldap browser with the same credentials you use in the connector, you'll see what it can see. I'm not sure why the group position would matter, the connector is not following the structure of your AD, it's just retrieving the users based on the search you set and then looking through their attributes.


              Are you using search groups mode, or an object filter? If you're using search groups, then obviously the connector won't see those users unless they match the search.


              You could set MemberOf to be a substring-searched attribute, then you'd just need the CN to score a match?

              • 4. Re: AD Connector Mapping Question

                I am using Search Groups Mode and have the 'memberOf' for the substring search atribute. The CN match should be good know matter where I place the AD Security Group in my OU directory. I think now that it is an AD problem. I used a very long CN with duplicate OU names inside the string and it works perfectly in my test environment.