I'm afraid you would need to set up distinctive OUs, not Group CNs, for it to work.
Or you can try separate connectors for each CN group as the main LDAP filter. Each connector with different, non-overlapping filter criteria.
So I'm afraid it cannot be done the way you want.
Unfortunately, we are limited on the changes on AD. I already asked if they could create sub OUs for the encrypted users, but they denied my request.
As far as multiple connectors, I have run through the scenarios with that, but supposedly, McAfee's recommendations are not to have more than one connector per domain.
Initially when Professional Services installed the server they did 25 connectors and it brought the server down on its knees; then, they deleted all the connectors and recreated only one, but that imports all AD users, which makes the sync take about 10 hours. We have one special group that has over 2100 users, and when the laptops want to sync, they time out about 1000.
My only option was the attribute. I do have the search on OU, but I want to look at the user's attribute to see if they belong to the McAfee * group as a requirement for the import. If that could work, it would solve my problems....
We are having a tough time getting support from Gold Support and we are very frustrated and considering getting a refund at this point.
I was really hoping that someone might have solved a similar problem....
Let me clarify a few points before I comment further:
- How many user accounts do you have in AD, that makes user objects in SafeBoot database?
- Do you have database index enabled?
- How do you assign users to machines? How many users do you have assigned to each machine, on average?
Close to 6000 AD accounts.
I need to check on the database index. How do I check the index?
I have the admin group, Desk Top and their particular group, but the group that we are talking about has over 2100 users....
When we test an install set with less than 1000, there is no problem with the laptop sync.
Please post your "dbcfg.ini". If you never heard about index, check best practices document.
So you assign 1000-2000 users to each machine? That is not good. Try to come up with other approach.
I would guess that the dbcfg.ini is on the client, correct?
Yes, because that particular group interchanges laptops, they have to be able to log in to any laptop in the group. It so happens that the way the connector is configured, it adds all 2100 users from AD. We only have one user with an encrypted laptop, and at the most we would probably have around 400 in that group.
That is the reason that I am trying to only import from AD the users that have encrypted laptops. The way that professional services configured the server, adds everyone on that OU to the group, which are 2100 users.
You can do what you want with a more advanced base search query - if you put the group membership entries in that, your connector instance will only see those users returned in the search. You can use wild cards in LDAP queries for the base search, but I think the format is a little different than simply adding a "*".
Great, that sounds good. Could you tell me the correct syntax to accomplish my goal?
He wants user search groups filtered on specific CN groups, not baseDN filtered on those CN groups.
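
The group-membership filter suggested earlier in the thread, sketched as an added example that is not part of any post above and not McAfee's own code: in Active Directory `memberOf` holds a DN and does not accept `*` substring matches, so the wildcard is applied to the group `cn` first and the resulting group DNs are then matched exactly. The group names and DNs are constructed sample values, and whether the connector's filter field accepts these filters is an assumption.

```python
# Added example: builds the two LDAP filter strings only; no directory is contacted.
# All group names and DNs below are constructed sample values.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal per RFC 4515 so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_lookup_filter(cn_prefix: str) -> str:
    """Step 1: find the groups by name; substring matching is valid on cn."""
    return f"(&(objectCategory=group)(cn={escape_filter_value(cn_prefix)}*))"


def user_filter(group_dns, nested=False) -> str:
    """Step 2: users who are members of any group DN returned by step 1."""
    if not group_dns:
        # An empty OR would be invalid; dropping the clause would import everyone.
        raise ValueError("no group DNs resolved; refusing to build an unrestricted filter")
    # With nested=True, AD's LDAP_MATCHING_RULE_IN_CHAIN also follows nested groups.
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
    member = clauses if len(group_dns) == 1 else f"(|{clauses})"
    return f"(&(objectCategory=person)(objectClass=user){member})"


# Constructed DNs standing in for the result of running the step 1 search.
SAMPLE_GROUP_DNS = [
    "CN=McAfee Encrypted Laptops,OU=Groups,DC=example,DC=com",
    "CN=McAfee Admins,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print(group_lookup_filter("McAfee "))
    print(user_filter(SAMPLE_GROUP_DNS))
```
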