I have a report with a matrix, where I want to further drill down AD groups into members:
I know there is an AD source,
My goal is to connect my table which has column 'AD group' with a table that has: AD group, Member columns.
(the relationship shall be "many to many")
How can I achieve this?
(the AD source has cryptic names, so its hard to navigate).
Related
I'm working with a vendor who needs to use LDAP queries to pull information on our Active Directory. The query pulls from the 'members' attribute of the AD Group directly. However it only pulls 8 of the 20+ users in this group. If I look at the group's Members tab, I can see all of the users, and they work without an issue. I switch to the Attributes tab and scroll to the members entry view the values which shows only 8 of the users. The LDAP query only pulls these 8 and not the rest of the users.
How do I fix this so the attribute and members list match without deleting/recreating the group? If I delete and recreate it would take down our production environment.
I've tried removing and re-adding users to the group and it does not fix the issue.
I'm going to guess that this group is the primary group for the users that you don't see in the member attribute. Members don't appear in the member attribute if the group is the primary group. I don't know why this is... blame Microsoft.
To find those users, look at the primaryGroupToken of the group. It will be a number. Then search for users that have that value in their primaryGroupId attribute.
Usually, the primary group is the built-in Domain Users group, which always has a primaryGroupToken of 513. So to find users of that, you would use this LDAP query:
(primaryGroupId=513)
According to the documentation, the primaryGroupId attribute is indexed, so you don't need any other criteria.
If you want to learn more about how memberships work, I wrote an article a while ago about What makes a member a member?
I'm trying to write a filter to get all the users of a given group in Active Directory.
To that end I have the following query
LDAPSearch("DC=test,DC=myorg,DC=com", "(objectClass=user)", 1, "name")
I'm a bit confused as to where I should give the name of the group on which to base the search on. As far as I know you cannot have two groups in AD with the same name.
In general, user objects have an attribute called memberOf that lists DNs of groups that a user is member of. Therefore you can search with a filter like (&(objectClass=user)(memberOf=<DN of requested group>)).
Please note that due to AD design, user's primary group is not included in memberOf attribute. For most users that group would be Domain Users (unless explicitly changed), but if changed, that group will no longer list in memberOf and this query will not find such user.
My current Cube has two roles:
AdminSec: are for a few users only and refers to a Group of administrators in my Active Directory.
GlobalSec: refers to "Everyone" and gives everyone access to read all data.
We are now planning to incorporate a new department (MinimalDepartment) in our company. This department should not have access to very much of the information in our company, so my plan is to create a third role (DepartmentSec) and assigning a new Active Directory Group (MinimalDepartment) to this role. Also I will limit the access to my dimension data by deselecting all departments and only grant access to the relevant department in the Department dimension.
My question is: If an employee is a member of the Active Directory Group MinimalDepartment will they then only be able to see the data in the cube which the role DepartmentSec allows (which is what I want)? Or will they be able to see all data as they are also part of "everyone" and therefore also the role GlobalSec?
If it is the latter is it then possible somehow to create the role so "everyone" has access except those in AD-group MinimalDepartment?
It seems that I have to create a new group in my AD which contains all the departments which I want to include and then use this instead of "everyone". Fortunately my IT-supports could tell me that we already have this group so for me its not a problem.
IBM state that:
nested
Nested means that the response from the LDAP server to a
request for the group membership attribute already includes any nested
group relationships, but not any dynamic group memberships. If the
user is a member of group "A2" and "A2" is a member of group "A1",
then the list of group memberships includes both A1 and A2. This
information tells VMM that even if a client requests nested group
information, the response already provides it. No further work needs
to be done by VMM to satisfy the request.
How can I achieve this in websphere (connecting to Active Directory), so that if a user is a member of A2, and A2 is a member of group A1, I want the user to be in both A1 and A2.
I have nested groups enabled in the group attribute definition, however when I browse for the users, it only shows them belonging to group A2
The configuration helps VMM only to know what is expected in the attribute returned from the LDAP server. VMM performs a fast lookup of the membership by using an attribute provided by the LDAP containing the membership. The config element where you can define if it is nested, all or direct only helps VMM to have a hint if it needs to perform further actions.
All depends on the values returned from LDAP. In your case Active Directory. Usually it would be memberOf and from https://msdn.microsoft.com/en-us/library/ms677943%28v=vs.85%29.aspx
memberOf
The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, except for the primary
group, which is represented by the primaryGroupId. Group membership is
dependent on the domain controller (DC) from which this attribute is
retrieved:
At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that
domain; however, memberOf does not contain the user's membership in
domain local and global groups in other domains.
At a GC server, memberOf for the user is complete with respect to all universal group memberships.
If both conditions are true for the DC, both sets of data are contained in memberOf.
Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list
of nested predecessors. For example, if user O is a member of group C
and group B and group B were nested in group A, the memberOf attribute
of user O would list group C and group B, but not group A.
This attribute is not stored—it is a computed back-link attribute.
memberOf includes only the direct members. In combination with the configuration you have done VMM will only check the values inside of memberOf and does not perform any additional LDAP call.
Now I have too many options. Do you want to have the nested Groups for J2EE roles or within your application as you are calling VMM direct using API or or. I do not want to speculate to I leave it with the statement
memberOf returns the flat membership aka direct membership and VMM needs to perform additional calls to get the full info. By setting nested VMM will not perform any additional call
You need to switch from nested to direct, to tell VMM to perform additional searches, since AD returns only direct members. See Locating user group memberships in a Lightweight Directory Access Protocol registry for more details.
If I query the AD then for some users the attribute memberOf does not contains any builtin groups. The users with the problem are all moved in a separate OU.
The query is simple:
(&(objectClass=person)(uid=xyz))
But the "Active Directory Users and Computers" tool from Microsoft show this members. Where can be the problem? Is this an access right problem?
There is a notion of a Primary group in AD. The default is usually Domain Users.
This is represented on the user object as an attribute called PrimaryGroupID, and 513 is Domain Users.
There can and must be only one primary group, and to remove the current one, you need to first add another group as a member, to then swap with the primary group ID.