83 Replies Latest reply on Jun 8, 2010 12:06 PM by peter_eepc

    EndPoint Encryption AD Connector

      I have one domain and one connector, and on the Connector's General filter I have (&(objectClass=user)(!objectClass=computer)

      I have set up multiple groups on the manager mapping to each group in AD, and there is no problem there, but what I have a problem with is that I do not need every user to be added from AD.

      I am trying to do this with one connector because you are only supposed to have one connector per domain. I perhaps need to include a user attribute on the filter, such as (memberof=CN=McAfee,OU=UK,DC=cbi,dc=com).

      My question is: when the connector syncs with AD, is it going to look at every user under the base DN OU=UK,DC=cbi,dc=com, and only add the users that are part of the McAfee group?


      The second question is that I will need to search on the same attribute but for multiple different groups; can I have a wildcard in the filter, such as (memberof=CN=McAfee*,OU=UK,DC=cbi,dc=com)?

      McAfee Sales Encrypted Laptops

      McAfee Purchases Encrypted Laptops

      McAfee Warehouse Encrypted Laptops

      McAfee Help Desk Encrypted Laptops

      And the third question: if I have the correct mappings, will it put them in their respective groups on the manager?

      I have tried to create a mapping to CN=McAfee and tried to import users, but it does not work the way I have it set up.

      Message was edited by: mariosanchez on 5/12/10 3:45:59 PM CDT
        • 1. Re: EndPoint Encryption AD Connector

          I'm afraid you would need to set up distinct OUs, not group CNs, for it to work.

          Or you can try separate connectors, one per CN group, with that group as the main LDAP filter. Each connector would have different, non-overlapping filter criteria.

          So I'm afraid it cannot be done the way you want.

          • 2. Re: EndPoint Encryption AD Connector

            Unfortunately, we are limited on the changes on AD. I already asked if they could create sub OUs for the encrypted users, but they denied my request.

            As far as multiple connectors go, I have run through the scenarios with that, but supposedly McAfee's recommendation is not to have more than one connector per domain.

            Initially, when Professional Services installed the server, they created 25 connectors and it brought the server to its knees; then they deleted all the connectors and recreated only one, but that imports all AD users, which makes the sync take about 10 hours. We have one special group that has over 2100 users, and when the laptops want to sync, they time out at about 1000.

            My only option was the attribute. I do have the search on the OU, but I want to look at the user's attribute to see if they belong to a McAfee * group as a requirement for the import. If that could work, it would solve my problems....

            We are having a tough time getting support from Gold Support, and we are very frustrated and considering getting a refund at this point.

            I was really hoping that someone might have solved a similar problem....

            • 3. Re: EndPoint Encryption AD Connector

              Let me clarify a few points before I comment further:

              • How many user accounts do you have in AD that make user objects in the SafeBoot database?
              • Do you have database index enabled?
              • How do you assign users to machines? How many users do you have assigned to each machine, on average?
              • 4. Re: EndPoint Encryption AD Connector

                Close to 6000 AD accounts.

                I need to check on the database index. How do I check the index?

                I have the admin group, Desk Top and their particular group, but the group that we are talking about has over 2100 users....

                When we test an install set with fewer than 1000, there is no problem with the laptop sync.

                • 5. Re: EndPoint Encryption AD Connector

                  Please post your "dbcfg.ini". If you have never heard about the index, check the best practices document.

                  So you assign 1000-2000 users to each machine? That is not good. Try to come up with other approach.

                  • 6. Re: EndPoint Encryption AD Connector

                    I would guess that the dbcfg.ini is on the client, correct?

                    Yes, because that particular group interchanges laptops, they have to be able to log in to any laptop in the group. It so happens that the way the connector is configured, it adds all 2100 users from AD. We only have one user with an encrypted laptop, and at the most we would probably have around 400 in that group.

                    That is the reason I am trying to import from AD only the users that have encrypted laptops. The way Professional Services configured the server adds everyone in that OU to the group, which is 2100 users.

                    • 7. Re: EndPoint Encryption AD Connector

                      You can do what you want with a more advanced base search query - if you put the group membership entries in that, your connector instance will only see those users returned in the search. You can use wildcards in LDAP queries for the base search, but I think the format is a little different than simply adding a "*".

                      • 8. Re: EndPoint Encryption AD Connector

                        Great, that sounds good. Could you tell me the correct syntax to accomplish my goal?

                        • 9. Re: EndPoint Encryption AD Connector

                          He wants the user search groups filtered on specific CN groups, not the baseDN filtered on those CN groups.
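The following is an added example in Python, not code from this thread, from McAfee, or from the Endpoint Encryption connector; it covers the filter questions in the original post and the wildcard point raised in reply 7. Only the base DN OU=UK,DC=cbi,DC=com and the four group names are taken from the post; the sample user entries, the attribute sets on them and every function name are assumptions. It builds the single-connector filter as an OR of exact memberOf DNs, parses it with a small RFC 4515 filter parser (which also shows that the filter quoted in the question, `(&(objectClass=user)(!objectClass=computer)`, is not well formed: `!` must wrap a parenthesised term and the string is missing a closing paren), and evaluates filters against constructed entries. The evaluator mirrors one Active Directory rule that matters here: memberOf has DN syntax, and AD does not do substring matching on DN-syntax attributes, so `(memberOf=CN=McAfee*,OU=UK,DC=cbi,DC=com)` matches nothing, whereas a wildcard on a string attribute such as cn works.

```python
# Added example, not code from the thread, McAfee or the EEPC connector.
# Base DN and group names are from the post; entries, helpers and names are assumed.
import re

BASE_DN = "OU=UK,DC=cbi,DC=com"
GROUP_NAMES = ["McAfee Sales Encrypted Laptops", "McAfee Purchases Encrypted Laptops",
               "McAfee Warehouse Encrypted Laptops", "McAfee Help Desk Encrypted Laptops"]
# AD attributes with DN syntax: a substring (wildcard) filter on these never matches.
DN_SYNTAX_ATTRS = {"memberof", "member", "distinguishedname"}

def escape_value(value):  # RFC 4515 escaping, so a name cannot alter the filter structure
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def group_dn(name):
    return f"CN={name},{BASE_DN}"

def build_filter(group_names):  # users (not computers) in any listed group, one connector
    groups = "".join(f"(memberOf={escape_value(group_dn(g))})" for g in group_names)
    return f"(&(objectClass=user)(!(objectClass=computer))(|{groups}))"

def _parse(s, i):  # minimal RFC 4515 parser: (node, index just past the closing paren)
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|":
        i, kids = i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")" or not kids:
            raise ValueError(f"bad '{op}' list at offset {i}")
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(s, i + 2)  # '!' must wrap a parenthesised filter
        if s[i] != ")":
            raise ValueError(f"unclosed '!' at offset {i}")
        return ("!", node), i + 1
    j = s.index(")", i)  # a literal ')' inside a value is escaped as \29
    attr, sep, pattern = s[i + 1:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad assertion at offset {i}")
    return ("=", attr.lower(), pattern), j + 1

def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("text after the closing paren")
    return node

def is_valid_filter(s):
    try:
        parse_filter(s)
        return True
    except (ValueError, IndexError):
        return False

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def matches(node, entry):  # entry: lower-cased attribute name -> list of values
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    if pattern == "*":  # presence test
        return bool(values)
    if "*" in pattern:  # substring test
        if attr in DN_SYNTAX_ATTRS:  # mirrors AD: no wildcards on DN-syntax attributes
            return False
        rx = ".*".join(re.escape(_unescape(p).lower()) for p in pattern.split("*"))
        return any(re.fullmatch(rx, v) for v in values)
    return _unescape(pattern).lower() in values

def select_users(filter_str, entries):  # DNs the connector would import under the filter
    node = parse_filter(filter_str)
    return [e["dn"] for e in entries if matches(node, e)]

def entry(cn, groups, classes=("top", "person", "organizationalPerson", "user")):
    return {"dn": f"CN={cn},{BASE_DN}", "cn": [cn],
            "objectclass": list(classes), "memberof": list(groups)}

DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=cbi,DC=com"
USERS = [  # constructed sample entries, shaped like an LDAP client's results
    entry("Ann", [group_dn("McAfee Sales Encrypted Laptops")]),
    entry("Bob", [DOMAIN_USERS]),
    entry("Cara", [group_dn("McAfee Help Desk Encrypted Laptops"), DOMAIN_USERS]),
    entry("LAPTOP01", [group_dn("McAfee Sales Encrypted Laptops")],
          classes=("top", "person", "organizationalPerson", "user", "computer")),
]
```

`select_users(build_filter(GROUP_NAMES), USERS)` returns Ann and Cara only: Bob is in none of the four groups and LAPTOP01 is excluded by the computer test, which is the behaviour the single-connector filter needs. Two caveats for the real directory: the local evaluator is only a model, so confirm the filter with an actual LDAP search against the connector's base DN before changing the connector; and memberOf lists direct membership only, so if the McAfee groups contain nested groups, AD's matching-rule-in-chain form (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) is what walks the nesting, at a noticeable query cost on a directory of this size.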
