Specifying User Groups using LDAP Read-Only Synchronization
Roger_McCoy
Hello,
We are running Directory Services 2.2.2 using NTLM Auth & LDAP Read-Only Sync. We would like to create a "read-only" group within Livelink to give specific users limited access to the system and have a second group with normal access. Currently, all users are part of the same group.
Is there a way to use multiple groups within a 'User Search Filter'?
Documentation and exact syntax for use with Directory Services seems to be limited at best. Any help or comments would be greatly appreciated. Thanks
Roger
Comments
Geoff_Obbard
Message from Geoff Obbard <gobbard@opentext.com> via eLink
Hi Roger,
I'm assuming that your user search filter looks something like "&(objectClass=user)(memberOf=<some group>)", is that correct?
This is a common form of user search filter for people using Read-Only Synchronization against Active Directory, as it allows them to simply put users in a group to have them synchronised. To synchronise members of a second group, you can use the LDAP 'or' operator, '|'. An example of the updated filter is:
&(objectClass=user)(|(memberOf=<some group>)(memberOf=<some other group>))
Basically, LDAP search filters retrieve sets of entries that match each of your criteria, then combine those sets to produce a result set. The basic pattern matching operators are presence '=*', equality '=', begins with '=<text>*', ends with '=*<text>', and substring '=*<text>*'. There are others, but this should do for 99% of instances. The set operators are AND '&', OR '|', and NOT '!'. The only really unusual thing about LDAP set operators is that they are in prefix notation, meaning that they come before their operands.
For example, if I wanted to show all users that had memberOf=group1 and memberOf=group2 I would set:
&(memberOf=group1)(memberOf=group2)
for users that have memberOf=group1 but not memberOf=group2:
&(memberOf=group1)(!(memberOf=group2))
The exact syntax used for the user and group search filters can be found in RFC 2254, The String Representation of LDAP Search Filters.
Geoff
-----Original Message-----
Specifying User Groups using LDAP Read-Only Synchronization
Posted by AERENE01Admin (McCoy, Roger) on 01/13/2004 10:59 AM
Hello,
We are running Directory Services 2.2.2 using NTLM Auth & LDAP Read-Only Sync. We would like to create a "read-only" group within Livelink to give specific users limited access to the system and have a second group with normal access. Currently, all users are part of the same group.
Is there a way to use multiple groups within a 'User Search Filter'?
Documentation and exact syntax for use with Directory Services seems to be limited at best. Any help or comments would be greatly appreciated. Thanks
Roger
eLink User
Message from Adams, Gavin <GAdams@skm.com.au> via eLink
Roger,
You could create some groups in LDAP that the users are members of. Then sync that group with livelink.
You could look at using the llquery to make the group dynamic.
However you would still need to assign that group as readonly (see/see contents) permissions to the folders, etc.
The priv level on the llserverinfo only changes the privileges of the user to manage users/groups or have sysadmin rights.
In our environment our permissions are set that public access is turned off.
Then we have an LDAP group that has all staff that have been given access to livelink to be able to see everything.
We are project centric so we give permissions to add/change within projects.
External access by clients is limited to them only seeing within a project that they have been given access to and nothing else.
Hope this helps,
Regards,
Gavin
------------------------------------------------------------
Gavin Adams
Senior Application Services Manager
Sinclair Knight Merz
Ph 2-9928-2517
gadams@skm.com.au
-----Original Message-----
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Wednesday, 14 January 2004 4:19 AM
To: eLink Recipient
Subject: Specifying User Groups using LDAP Read-Only Synchronization
Luke_Morris_(brinkadmin_-_(deleted))
Howdy,
Geoff, I am using the &(objectClass=user)(memberOf=)
But my issue is that the only members of that group are sub groups that contain all of the users. How do I use that same or modified user search filter, and get a list of the users still?
Chris Brinker
Geoff_Obbard
Message from Geoff Obbard <gobbard@opentext.com> via eLink
Hi Chris,
Your situation isn't much different than Roger's. One of the most common problems people have with member, memberOf, and other such attributes is in thinking that they have meaning. As far as the LDAP server is concerned, these attributes are no different than givenname or telephonenumber, it doesn't know that it should then look for an entry with that DN.
That aside, now we need to create a search filter that will return all the LDAP entries we would like to have Livelink create as users. Using your example, you have a group, say 'top_group', that contains a few groups, say 'sub_group1' to 'sub_group3', and each of the sub groups contains users you want to synchronise. If all your users and groups are stored in the employees OU, and the structure of your groups looks something like this:
top_group
    sub_group1
        Fred
    sub_group2
        Barney
    sub_group3
        Wilma
then the attributes assigned to top_group will look something like this:
dn: cn=top_group, ou=employees, dc=yourcompany, dc=com
cn: top_group
member: cn=sub_group1, ou=employees, dc=yourcompany, dc=com
member: cn=sub_group2, ou=employees, dc=yourcompany, dc=com
member: cn=sub_group3, ou=employees, dc=yourcompany, dc=com
and the attributes assigned to Fred will look something like this:
dn: cn=Fred, ou=employees, dc=yourcompany, dc=com
cn: Fred
memberOf: cn=sub_group1, ou=employees, dc=yourcompany, dc=com
As you can see, Fred doesn't have a memberOf attribute with a value of "cn=top_group, ou=employees, dc=yourcompany, dc=com". If there aren't many sub groups, then adding the individual memberOf attributes to your query will work. That query would look something like this:
&(objectClass=user)(|(memberOf=cn=sub_group1, ou=employees, dc=yourcompany, dc=com)(memberOf=cn=sub_group2, ou=employees, dc=yourcompany, dc=com)(memberOf=cn=sub_group3, ou=employees, dc=yourcompany, dc=com))
Most people can manage about a half dozen groups this way, and a dozen by editing the .ini entry directly. If your list of sub-groups is longer than that, you may need to come up with some other way of determining which users are to be synchronised, and which are not.
I hope this helps,
Geoff
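The following is an added example, not code from this thread, from OpenText or from Directory Services. It covers both of Geoff's replies: it builds the '|' filter he gives Roger for several groups, and for Chris's nested case it walks the 'member' values client-side to find every sub group before generating the filter, since (as Geoff says) the server treats memberOf as a plain string. Values are escaped as RFC 4515 (the successor of RFC 2254) requires, so a group name containing '(', ')', '*' or '\' cannot change the filter's structure, and a small evaluator runs the result over a constructed in-memory copy of the top_group / sub_group directory. The base DN, the directory contents and every function name here are assumptions for the example. Note that it emits filters in the full RFC form with outermost parentheses; Geoff's examples drop them, so take result[1:-1] if that is the form Directory Services wants.

```python
"""Added example (not from the thread or OpenText): builds the Read-Only Sync
user search filter Geoff describes, escapes values as RFC 4515 (successor of
RFC 2254) requires, and evaluates it over a constructed copy of his
top_group / sub_group example with a minimal filter evaluator."""
import re
from typing import Dict, List

BASE = "ou=employees,dc=yourcompany,dc=com"   # assumed base DN, as in the thread
Entry = Dict[str, List[str]]

# Constructed directory. The server stores member/memberOf as plain strings,
# so Fred's memberOf names sub_group1 only, never top_group.
DIRECTORY: Dict[str, Entry] = {
    f"cn=top_group,{BASE}": {"objectClass": ["group"], "member": [
        f"cn=sub_group{i},{BASE}" for i in (1, 2, 3)]},
    f"cn=sub_group1,{BASE}": {"objectClass": ["group"], "member": [f"cn=Fred,{BASE}"]},
    f"cn=sub_group2,{BASE}": {"objectClass": ["group"], "member": [f"cn=Barney,{BASE}"]},
    f"cn=sub_group3,{BASE}": {"objectClass": ["group"], "member": [f"cn=Wilma,{BASE}"]},
    f"cn=Fred,{BASE}": {"objectClass": ["user"], "cn": ["Fred"], "memberOf": [f"cn=sub_group1,{BASE}"]},
    f"cn=Barney,{BASE}": {"objectClass": ["user"], "cn": ["Barney"], "memberOf": [f"cn=sub_group2,{BASE}"]},
    f"cn=Wilma,{BASE}": {"objectClass": ["user"], "cn": ["Wilma"], "memberOf": [f"cn=sub_group3,{BASE}"]},
}

def escape_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a group name or any other
    string placed in a filter cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def members_filter(group_dns: List[str]) -> str:
    """Users that are a direct member of any of group_dns (Geoff's '|' form).
    Full RFC form; Geoff's Directory Services examples omit the outermost
    parentheses, so use result[1:-1] if the product wants that."""
    terms = "".join(f"(memberOf={escape_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        terms = f"(|{terms})"
    return f"(&(objectClass=user){terms})"

def nested_groups(group_dn: str, directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """Every group reachable from group_dn by following 'member' values.
    The client has to do this walk; a memberOf= filter on the server does not."""
    seen, todo = [], [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.append(dn)
        for m in directory.get(dn, {}).get("member", []):
            if "group" in directory.get(m, {}).get("objectClass", []):
                todo.append(m)
    return sorted(seen)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s: str, i: int) -> tuple:
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                           # prefix-notation set operators
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)                       # a ')' inside a value must be escaped as \29
    return ("=", s[i:eq].lower(), s[eq + 1:end]), end + 1

def _item_matches(attr: str, pattern: str, entry: Entry) -> bool:
    # attribute names and values (DNs, cn) compare case-insensitively, as in AD
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern == "*":                          # presence
        return bool(values)
    if "*" not in pattern:                      # equality, after unescaping \2a etc.
        return _unescape(pattern).lower() in values
    rx = ".*".join(re.escape(_unescape(p).lower()) for p in pattern.split("*"))  # begins/ends/substring
    return any(re.fullmatch(rx, v, re.DOTALL) for v in values)

def _matches(node: tuple, entry: Entry) -> bool:
    op, rest = node[0], node[1]
    if op in "&|":
        return (all if op == "&" else any)(_matches(k, entry) for k in rest)
    if op == "!":
        return not _matches(rest[0], entry)
    return _item_matches(rest, node[2], entry)

def search(filter_str: str, directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """DNs in the constructed directory matching a full RFC 4515 filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, e in directory.items() if _matches(node, e))

if __name__ == "__main__":
    top = f"cn=top_group,{BASE}"
    print(search(members_filter([top])))                  # [] : nobody is a direct member
    print(search(members_filter(nested_groups(top))))     # Barney, Fred, Wilma
```

Run as a script, the filter on top_group alone returns no users, which is exactly Chris's symptom, while the filter generated from the walked sub groups returns Fred, Barney and Wilma. The walk is done on the client because the thread's memberOf= filters can only match the literal DN stored on each user; Active Directory later added a server-side transitive match (the LDAP_MATCHING_RULE_IN_CHAIN extensible rule, OID 1.2.840.113556.1.4.1941) that this thread predates and this evaluator does not implement.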
Luke_Morris_(brinkadmin_-_(deleted))
Thanks Geoff,
I am dealing with about 15 sub groups. So editing the .ini may help. What file is that?
Thanks!
Luke_Morris_(brinkadmin_-_(deleted))
You meant the opentext.ini... thanks
Roger_McCoy
Hi Geoff,
I may have been a bit unclear before. We have an existing group (group1) within Active Directory that has "modify" access and is currently synchronized with a group by the same name within Livelink. What we'd like to do is create a separate group (group2) in Active Directory and sync that one with Livelink. Group2 would basically have only "read" access. In other words, we don't want ALL users from both group1 and group2 combined but rather each group separately. I've tried to use an 'OR' operator but this placed all users into the existing group1 within Livelink. Am I missing something here? Do I need to create group2 first within Livelink? I thought Livelink would create this new group if it didn't already exist.
Roger
Roger_McCoy
Hi Gavin,
So your LDAP group essentially replaces Public Access? Do I understand you correctly that all staff have "read-only" access to everything by default except where specified within projects? Just curious if you're using 'Department Mapping' in Directory Services to map this LDAP group as your 'Default'? I have no problem with manually assigning this new group "read-only" permissions at a folder level. Thanks
Roger