How to use department mappings
Jerzy_Fasbender
Hello,
I read a lot of topics but I'm not clear about this.
What is the best way to accomplish the following:
We have an LDAP sync like:
(&(objectClass=user)(memberOf=cn=Livelink_users,ou=Livelink,ou=Groups,dc=****,dc=com))
If we make a user and make it a member of another group in Livelink, after the next sync it's back to the old default group.
I'd like to sync users with the AD direct to the right department group. I think this should be done with department mapping, but how does it work?
Livelink Directory Services 3.0.0 Installation and Administration Guide.pdf does not give much information about this.
Does anyone have some info or best practices?
Comments
Chris_Wagg
Message from Chris Wagg <cwagg@opentext.com> via eLink
Hi there,
Department mapping tends to be a tricky spot for a number of customers. You need to identify a single value attribute in your LDAP structure that can be used to base the mapping on. Using an attribute like "memberOf" won't work because it is not a single value attribute. There happens to be an attribute called "department" in AD that is single value, so perhaps that can be used.
In any case, you have 2 options for department mapping, enabled, or disabled. If the value of your department attribute matches the name of the group in Livelink that is to be the user's department, then you should disable department mapping, and it will assign the right department automatically.
If however, you have a value of test1 (for example) in your department attribute in LDAP, but all users with that value should be mapped to the HR group for their department, then you need to enable department mapping, and create a mapping in the department mapping table (there is an interface for that). In this case you would enter test1 in the LDAP department, and HR in the Livelink department.
As I mentioned, this tends to be a tricky point for some customers, so if you have further questions on this, I would probably recommend opening a ticket on this, so that it can be explained more clearly.
---------------------------------------
Chris Wagg
Principal Product Specialist
Escalations Support Team
Open Text Corporation
Ph: 800-540-7292
---------------------------------------
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Wednesday, June 10, 2009 4:46 AM
To: eLink Recipient
Subject: How to use department mappings
Posted by j.fasbender@asz.nl (Fasbender, Jerzy) on 2009/06/10 04:41
Jerzy_Fasbender
Thank you Chris,
Now you explained it, it sounds logical.
I'm going to play with it and if I have any questions I'll open a ticket.
Thank you for your reply.
Jerzy Fasbender
Eddy_McCafferty
What I have done for one of my customers is the following.
They wanted to keep the maximum number of users in a group to less than 1000. However, since they had over 3500 users in the system, all with the same "Department" name, I was forced to come up with another solution.
Directory Services 3.0 or later allows for you to set up multiple synchronization profiles, each with their own department mapping. So what I did was create a set of groups that matched the first letter of their last name.
Example: Dept-HR-Users-A-C
Then I set up a sync profile to synchronize using the following LDAP query:
(&(objectCategory=person)(objectclass=user)(SAMAccountName=*)(userAccountcontrol=512)(|(sn=A*)(sn=B*)(sn=C*)(sn=a*)(sn=b*)(sn=c*)))
I then set a mapping for Department: HR in AD to map to Dept-HR-Users-A-C
I continued through the alphabet and set up a total of 7 separate type profiles.
Upon completion, each sync profile only pulled users with the corresponding first letter of the last name and put them in the matching group. It looked like this:
Dept-HR-Users-A-C
Dept-HR-Users-D-F
Dept-HR-Users-G-K
Dept-HR-Users-L-N
Dept-HR-Users-O-S
Dept-HR-Users-T-Z
Hope this is useful to someone, as it allowed for some dynamic group population control based on my LDAP query rather than just the department.
Kevin_Bailey
Message from Kevin Bailey <kbailey@opentext.com> via eLink
nice! Will put that in my bag o' tricks!
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Monday, June 15, 2009 10:43 AM
To: eLink Recipient
Subject: We have found a unique way to set mappings based on Sync Profile
Posted by edmccaff (McCafferty, Eddy) on 2009/06/15 10:39
In reply to: How to use department mappings
Posted by j.fasbender@asz.nl (Fasbender, Jerzy) on 2009/06/11 09:19
Chris_Wagg
Message from Chris Wagg <cwagg@opentext.com> via eLink
This looks like it should work for you, but my concern would be group memberships. If a user is created with synch001, he will not be put into a group that he should be a member of if that group was created using synch002. Keep in mind, I am talking about group memberships, not departments.
If you can live with this limitation, then this is a good solution.
---------------------------------------
Chris Wagg
Principal Product Specialist
Escalations Support Team
Open Text Corporation
Ph: 800-540-7292
---------------------------------------
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Monday, June 15, 2009 11:14 AM
To: eLink Recipient
Subject: RE We have found a unique way to set mappings based on Sync Profile
Posted by kbailey (Bailey, Kevin) on 2009/06/15 11:14
In reply to: We have found a unique way to set mappings based on Sync Profile
Posted by edmccaff (McCafferty, Eddy) on 2009/06/15 10:39
Eddy_McCafferty
We are only using this for the department, which in turn is an actual "Livelink Group".
We are not synchronizing AD groups at all, only users. So a user would only show up in one of the above queries. There would never be a case where they could be in two different departments. They may get manually added to other groups to get access.
This was put in place to overcome the "DefaultGroup" having too many users in it. In trying to optimize the performance, we did not want 50000 users in one group so we broke it down by dept mapping. But that still was more than optimal membership numbers. So we further broke it down by the LDAP query, each having a different department mapping.
If that makes sense. But this type of topology could be used in other ways, not just off of first initial of last name. As long as your scheme that you come up with will return unique members, you should be fine.
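An added example, not code from any poster or from OpenText: a pre-flight check that the surname-bucket sync profiles described above claim each user exactly once. The function names and sample users are constructed for illustration, and matching is approximated locally by the first ASCII letter of sn, so the directory's own matching rules may differ.

```python
import string

# Letter ranges copied from the group names listed in the thread.
BUCKETS = {
    "Dept-HR-Users-A-C": "ABC", "Dept-HR-Users-D-F": "DEF",
    "Dept-HR-Users-G-K": "GHIJK", "Dept-HR-Users-L-N": "LMN",
    "Dept-HR-Users-O-S": "OPQRS", "Dept-HR-Users-T-Z": "TUVWXYZ",
}
NORMAL_ACCOUNT = 512  # the thread's filter requires userAccountControl to equal exactly this

def profile_filter(letters):
    """Build one profile's LDAP filter in the same shape as the query in the thread."""
    clauses = "".join(f"(sn={c}*)" for c in letters.upper() + letters.lower())
    return ("(&(objectCategory=person)(objectclass=user)(SAMAccountName=*)"
            f"(userAccountcontrol={NORMAL_ACCOUNT})(|{clauses}))")

def matching_groups(user, buckets=BUCKETS):
    """Local approximation of the filters: which department groups would claim this user?"""
    if user["userAccountControl"] != NORMAL_ACCOUNT:
        return []  # equality test: an account carrying any extra flag matches no profile
    first = user["sn"][:1].upper()
    return [g for g, letters in buckets.items() if first and first in letters]

def audit(users, buckets=BUCKETS):
    """Report users claimed by exactly one, none, or several profiles, plus letter gaps/overlaps."""
    report = {"assigned": {}, "unassigned": [], "ambiguous": []}
    for u in users:
        groups = matching_groups(u, buckets)
        if len(groups) == 1:
            report["assigned"][u["sAMAccountName"]] = groups[0]
        else:
            report["ambiguous" if groups else "unassigned"].append(u["sAMAccountName"])
    covered = "".join(buckets.values())
    report["gaps"] = [c for c in string.ascii_uppercase if c not in covered]
    report["overlaps"] = sorted({c for c in covered if covered.count(c) > 1})
    return report

# Constructed sample directory entries (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "bclark", "sn": "clark", "userAccountControl": 512},
    {"sAMAccountName": "asmith", "sn": "Smith", "userAccountControl": 512},
    {"sAMAccountName": "oozdemir", "sn": "Özdemir", "userAccountControl": 512},
    {"sAMAccountName": "dlee", "sn": "Lee", "userAccountControl": 66048},  # 512 + password-never-expires
    {"sAMAccountName": "nosn", "sn": "", "userAccountControl": 512},
]

if __name__ == "__main__":
    print(profile_filter("ABC"))
    for key, value in audit(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Accounts reported as unassigned are the ones to compare against the real directory, since no profile would place them in a department group.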
Chris_Wagg
Message from Chris Wagg <cwagg@opentext.com> via eLink
In this case, you should be good. Your group memberships that were created manually in Livelink won't be undone by the synch.
---------------------------------------
Chris Wagg
Principal Product Specialist
Escalations Support Team
Open Text Corporation
Ph: 800-540-7292
---------------------------------------
From: eLink Discussion: Livelink Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Monday, June 15, 2009 11:36 AM
To: eLink Recipient
Subject: We are only using this for the department, which in turn is an actual "Livelink...
Posted by edmccaff (McCafferty, Eddy) on 2009/06/15 11:31
In reply to: RE RE We have found a unique way to set mappings based on Sync Profile
Posted by cwagg (Wagg, Chris) on 2009/06/15 11:25