10 Replies Latest reply on Apr 5, 2011 8:53 AM by jbsiede

    AD Connector Mapping multiple Groups

      I am trying to use the AD Connector to map 60+ A.D. Security groups to McAfee. At this point I'm not sure if I should be expecting McAfee to pull these groups into the console automatically, or if I need to map them to existing McAfee user groups. Here is what I am using for my filter:

      (&(objectClass=user)(memberof=CN=McAfee-Users,OU=TEST,OU=r3,DC=domain))

      Can someone please guide me as to how I would adjust my connector to import the 60+ security groups I want to associate with my current machine groups?

        • 1. Re: AD Connector Mapping multiple Groups

          what's the portion of users you want to include, vs those you want to exclude?

          Usually you'd do group mappings via the group mapping page, not by the object filter - you'd only do that if you need to limit the view of users the connector needs to see.

          Then, you have a choice of an object filter, or by using the search groups option.

          • 2. Re: AD Connector Mapping multiple Groups

            I am not looking to filter any users from those groups. My current issue is the connector is not creating / populating any of the groups with the users from those security groups.

            The goal is to have the connector point to a particular OU in A.D. that contains all of the security groups, have McAfee create the security group objects in the console, and apply them to the existing machine groups accordingly. Since I have less than 50 users per site (group) I should be able to add every user to the machine groups, thus ensuring that users are added to the system automatically.

            General info: Since I work at a Government office, and the latest version of McAfee Endpoint Encryption has not yet been FIPS certified, I am unable to take advantage of the functionality that comes from version 6 and the EPO console.

            Also, when originally set up, the entire domain was imported into the McAfee console (except the security groups). My problem is we have all of our users in one OU for our entire region (1200 users), so there is no way to separate them out to their site-specific machine groups without pulling all 1200 users.

            I have created 2 test groups, and two test users that have not been pulled into McAfee for testing purposes. Once I can get the connector to pull the security groups, I can remove the connection to our users OU, import the security groups, and then apply them to each site's machine group. Then when users are added/deleted from the system, they will be added/removed automatically when the connector runs.

            I hope what I'm trying to accomplish is clear. Let me know if I am missing any information. Thanks for your help in this.

            • 3. Re: AD Connector Mapping multiple Groups

              Quick question: Would changing an AD attribute in the properties, then changing the connector to poll for this setting be the easiest way out of this mess?

              • 4. Re: AD Connector Mapping multiple Groups

                your object filter is a memberOf attribute, which is a user>group mapping; OUs are specified as part of the DN of the user.

                But basically what you are asking is not the way the connector works. You can either give it a list of actual groups (search groups) or an object filter, and AD will return the users who match that. You can't give it an OU and ask it to scan the groups within that OU.

                You should use an LDAP Browser to look at an actual user record from your AD, so you can see the data the connector can see, then you can build a query from that.

                Or, you could get someone from McAfee professional services to come and set it up for you?

                • 5. Re: AD Connector Mapping multiple Groups

                  So if I am hearing you correctly, all I need to do is to add the "memberOf" attribute in the filter, then go to the search groups area and enter in the groups I want the connector to pull?

                  Two questions:

                  1) Will this create the groups automatically in the console, or will I need to map them to groups that already exist in the console?

                  2) How will having already pulled the entire AD tree into the console affect this search?

                  Currently I have created a second connector to pull these groups, as I didn't want to mess with the production one.

                  • 6. Re: AD Connector Mapping multiple Groups

                    Also, any idea on a time frame for version 6 to become FIPS compliant? Or do you not have access to that info?

                    • 7. Re: AD Connector Mapping multiple Groups

                      So if I am hearing you correctly, all I need to do is to add the "memberOf" attribute in the filter, then go to the search groups area and enter in the groups I want the connector to pull?

                      >no - you can't use search groups and an object filter at the same time.

                      Two questions:

                      1) Will this create the groups automatically in the console, or will I need to map them to groups that already exist in the console?

                      >automatic group creation is a tickbox in the connector properties, so yes, it will create groups as it goes if you want. You'll need to make sure you use the right attribute though, of course - the default is to use the DN, i.e. make groups based on the user's OU.

                      2) How will having already pulled the entire AD tree into the console affect this search?

                      >it won't if things are already in the right groups; if not, they might get moved into groups as per your new connector settings.

                      You have two things to think about here.

                      1. what users do you want the connector to process (object filter or search groups)

                      2. where do you want them to end up in EEM (group mappings)
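The two decisions in the reply above (which users the connector processes, via a memberOf object filter or a search-group list, and where they end up, by the OU in the user's DN or by a memberOf group), modelled as an added Python example that is not McAfee's code or the connector's real logic; the user records, group DNs and function names are constructed assumptions:

```python
# Added illustration, not McAfee's code: models the two connector decisions
# from the thread, (1) which users are processed (memberOf filter / search
# groups) and (2) which console group each lands in (OU from the DN, the
# default, or a memberOf group). All entries are constructed sample data.

SITE_GROUPS = ["CN=Site-A,OU=Groups,OU=r3,DC=domain",
               "CN=Site-B,OU=Groups,OU=r3,DC=domain"]

USERS = [  # constructed AD user records: DN plus memberOf values
    {"dn": "CN=Alice,OU=Users,OU=r3,DC=domain",
     "memberOf": ["CN=McAfee-Users,OU=TEST,OU=r3,DC=domain", SITE_GROUPS[0]]},
    {"dn": "CN=Bob,OU=Users,OU=r3,DC=domain", "memberOf": [SITE_GROUPS[1]]},
    {"dn": "CN=Carol,OU=Users,OU=r3,DC=domain", "memberOf": []},
]

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific first."""
    return [tuple(p.split("=", 1)) for p in dn.split(",")]

def select_by_member_of(users, group_dns):
    """Decision 1: keep users that are a direct member of any listed group,
    the set (&(objectClass=user)(memberof=<group DN>)) returns per group."""
    wanted = {g.lower() for g in group_dns}
    return [u for u in users if any(m.lower() in wanted for m in u["memberOf"])]

def group_from_ou(user):
    """Decision 2, connector default: first OU in the user's DN. Everyone in
    one OU lands in one console group (the poster's 1200-user problem)."""
    return next((v for a, v in parse_dn(user["dn"]) if a.upper() == "OU"), None)

def group_from_member_of(user, group_dns):
    """Decision 2, alternative: CN of the first listed AD group the user is in,
    so each site security group maps onto its own site machine group."""
    wanted = {g.lower() for g in group_dns}
    hit = next((m for m in user["memberOf"] if m.lower() in wanted), None)
    return parse_dn(hit)[0][1] if hit else None

def plan(users, group_dns, by="memberOf"):
    """Map user CN -> console group for the users the connector would process."""
    out = {}
    for u in select_by_member_of(users, group_dns):
        cn = parse_dn(u["dn"])[0][1]
        out[cn] = (group_from_member_of(u, group_dns) if by == "memberOf"
                   else group_from_ou(u))
    return out

if __name__ == "__main__":
    print(plan(USERS, SITE_GROUPS))            # by memberOf: per-site groups
    print(plan(USERS, SITE_GROUPS, by="dn"))   # by OU: everyone in "Users"
```

Carol, who is in no listed group, is dropped by the filter in both runs; the DN-based run shows why grouping by OU cannot split one shared Users OU into site groups.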

                      • 8. Re: AD Connector Mapping multiple Groups

                        I think I understand now. Last question: If I continue to use a second connector based on the group settings while everyone is moved over (i.e. other regions) will it cause any ill effects?

                        • 9. Re: AD Connector Mapping multiple Groups

                          one instance of a connector won't touch users created by another instance, unless you give them the same instance name, then each connector will do whatever you tell them to.
