I have this problem: we try to authenticate a user against an Active Directory that uses ForeignSecurityPrinciple to map users from different domains.
We have several groups that are stored inside a single domain and users that are coming from different domains.
The problem we have here is that we cannot get the real user name from ForeignSecurityPrinciple.
We tried to use the guidelines from here:
http://www.brandonclaps.com/?p=57
but with no luck.
When we tried to edit the entry for group that had 3 members, we found this next to the member field:
CN = S-1-5-21-other numbers, CN=ForeignSecurityPrinciple; DC=DomainName, DC=local
Do you have other solutions for retrieving the username against Active Directory using ForeginSecurityPrinciple ?
Is there any recommendation for using that?
Thanks a lot in advance
Related
I checked a few posts asked the similar questions before, but none works for my case, not sure if something wrong on my side or it's the AD.
So I have security group at path:
CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm,AD
And in the MigratedUsers group, there is a member property with a few AD users in the group.
I am trying to get the list of users, so I can iterate through them.
So in my base location I specified:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
For the LDAP Filter I have:
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
The result returned 0 records.
I tried other combinations such as (&(objectCategory=group)(CN=MigratedUsers)), it doesn't work either.
So, could anyone point out to me if anything in my query is wrong or I need to start checking something else like AD settings etc.
Thank you.
Your first filter looks fine :
(&(objectCategory=user)(memberOf=CN=MigratedUsers,OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm))
But the search base is not, (it's a group search base, while you want to retrieve user entries). The user base should look like this :
OU=Users,OU=National Organization,DC=abc,DC=firm
You're searching for users, but you set the base of the search to:
OU=Azure Groups,OU=Security Groups,OU=National Organization,DC=abc,DC=firm
That tells it to only return users that are in the Azure Groups OU. I'm guessing that there are no users in that OU. Set the base of the search to the root of the domain (e.g. DC=abc,DC=firm), or just don't set it at all, since that will be the default.
Your first filter is the correct one (which has the full DN of the group).
We are trying to find a way to fetch the list of resources to which the AD Groups are mapped to. We have a huge list of AD groups (17k+ AD groups) and we have to update the tags of the resources to which the AD Groups belong to. We have a script to bulk update tags of the resources but we don't have the resource list for these specific resources.
• As you are confirming that each resource that you have created in Azure has been assigned a tag of the Azure AD group that it is mapped to, then it is quite aptly possible to get the list of resources for which a particular group is mentioned as a tag in it. For that purpose, kindly execute the below powershell command with atleast ‘Contributor’ role Azure assignment to the ID through which this command will be executed.
To get the list of Azure resources tagged with the exact value as ‘Reason’ as ‘Repro’, use the command below: -
(Get-AzResource -Tag #{ “Reason"="Repro"}).Name
Output: -
Similarly, if you want the list of resource groups that have a tag value of 'Reason : Repro' with the exact name and value, kindly use the below powershell command: -
(Get-AzResourceGroup -Tag #{ "Reason"="Repro" }).ResourceGroupName
Output: -
To know more about the commands relating to the above, kindly refer to the below documentation link: -
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#list-by-tag
I try to get all users "memberOf" all groups begining with "JE_"
I know that I cannot do the following:
memberOf=CN=JE*,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
But all the JE_* are located under a knot called "JE". Is it possible to get all users memberOf the groups located under the knot "JE"?
yes but you need to approach the problem differently. Rather than search against the user object you should search against teh group object with the user's DN.
For example, consider the user
cn=dave,OU=user,DC=subd,DC=dom,DC=net
The user is a member of several JE* groups.
CN=JE_1,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
CN=JE_2,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
CN=JE_3,OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net
In order to find the JE* groups to which the user belongs search for groups with a base of OU=JE,OU=Gruppen,DC=subd,DC=dom,DC=net and a search filter of
(&(objectclass=group)(member=cn=dave,OU=user,DC=subd,DC=dom,DC=net))
That will return all of the JE* group objects that contain the user in question. Ensure to specify that you only want the group name returned as an attribute otherwise all of the members will be returned too. Not a problem if there are only a handful but it might be a nuisance if there are thousands.
We have an LDAP login problem of a specific user and I'm suspecting that this is due to cyclic groups assignment in LDAP, i.e. the user is assigned to groups A,B,C,D. Group A contains sub-groups E,F,G and group E contains group A again.
If I query for the user I can see that he has been assigned with 50+ groups and each group may contain more groups and each of those may contain more....
My question is if there's a query I can run to get the nested groups inside those main groups all the way down instead of going each group and do it manually?
The server is AD
To find all the groups that "user1" is a member of (adaptation of this answer see AD search filter):
Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
Set the scope to subtree
Use the following filter : (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
Example with LDIFDE.EXE (native command line AD search on windows) :
ldifde -f t.txt -d "DC=dom,DC=fr" -r "(member:1.2.840.113556.1.4.1941:=CN=jblanc,OU=MonOu,DC=dom,DC=fr)"
Remark : as far as I remember there is a small syntax difference with in brackets user DN name. '1.2.840.113556.1.4.1941' is not working in W2K3 SP1, it begins to work with SP2. I presume it's the same with W2K3 R2. I test here with W2K8R2.
With Apache Directory Studio :
Result :
I am using the bulk upload code described at http://www.salesforce.com/us/developer/docs/api_asynch/.
The only difference is that i am uploading a custom object type. I can access Employee_c. But now i get a different error
stateMessage='InvalidBatch : Field name not found : First Name'
First Name is the first column in the csv.
While debugging i can see that the temp csv is being created correctly. However i get this error when checkResults executes. The code is exactly the same as in the sample java code for bulk api using REST.
I am using the free developer version of salesforce.
I created a new permission set where i have given following permissions on custom object employee:
Read/create/edit/delete/view all/modify all.
All fields are given edit permissions.
The permission set is associated with salesforce user license.
The programmatic login is with a user associated with System administrator profile , which has sales force user license.
But still the error persists!
Any pointers would be appreciated
Thanks
Sameer
Try "FirstName" without the space.
You can view the API name of any field in Setup > App Setup > Objects > (Select Your Object) > (Select Your Field). Make sure all the fields you are querying have the correct API names.