19 Feb 2018 06:21 PM
We are using Oracle ODSEE for LDAP in our enterprise and we are having difficulty adding the group query as we try to change the user repository from the internal database to LDAP.
The documentation on Dynatrace only gives an example using Active Directory. We want to understand what the required "Group Id attribute" value is. The documentation does not give any information that is helpful.
Thanks
Moses
20 Feb 2018 10:40 AM
Hi Moses,
there are a few ways in which matching between group and user is done in LDAP directory servers. For example:
1. "group members" attribute (for example "member" or "uniqueMember") in group entry contains user's DN
dn: cn=Example Static Group 1,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Example Static Group 1
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user2,ou=People,dc=example,dc=com
In this case configuring "group id" attribute is not necessary, you may configure it to the same value as "group name" attribute.
2. "group membership" attribute (for example "memberOf" or "isMemberOf") in user entry contains group's DN
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: person
uid: user1
cn: User 1
...
memberOf: cn=Example Static Group 1,ou=Groups,dc=example,dc=com
In this case configuring "group id" attribute is not necessary as well, as group's DN is used for user-group matching. You may configure "group id" attribute to the same value as "group name" attribute.
3. "group membership" attribute (for example "gidNumber" or "group") in user entry contains group's id - in this case "group id" attribute needs to be configured to the attribute storing referenced value
dn: cn=user 2,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: user 2
gidNumber: 123
...
dn: cn=IT,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: IT
gid: 123
...
In the above example "group membership" attribute in user's query should be configured to "gidNumber" and "group id" attribute in group's query should be configured to "gid".
Another example:
dn: cn=user 3,ou=People,dc=example,dc=com
objectClass: person
cn: user 3
group: test
...
dn: cn=test,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: test
...
In the above example "group membership" in user's query should be configured to "group" and "group id" attribute in group's query should be configured to "cn" (the same as "group name" in this case).
As you can see only in some cases "group id" attribute is needed (point 3), therefore from version 1.138 it won't be obligatory. For now if it's not needed in your case (points 1&2), just set it to the same value as "group name" attribute.
If it's still unclear, please share LDIF files of an example user and one of his/her groups (a direct one) - it may be easier to explain this issue on your actual data.
Best regards,
Hanna
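The three matching schemes from the answer above, as an added example that is not part of the original posts and is not Dynatrace code. The parameter names `members`, `membership`, `group_id` and `name` are hypothetical stand-ins for the "group members", "group membership", "group id" and "group name" settings, and the LDIF is constructed sample data modelled on the entries in the answer.

```python
# Constructed sample data mirroring the LDIF in the answer (not a real directory).
SAMPLE = """\
dn: cn=Example Static Group 1,ou=Groups,dc=example,dc=com
cn: Example Static Group 1
member: uid=user1,ou=People,dc=example,dc=com

dn: cn=IT,ou=Group,dc=example,dc=com
cn: IT
gid: 123

dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
memberOf: cn=Example Static Group 1,ou=Groups,dc=example,dc=com

dn: cn=user 2,ou=People,dc=example,dc=com
cn: user 2
gidNumber: 123
"""

def parse_ldif(text):
    """Minimal LDIF reader: no line folding, no base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_of(user, groups, members=None, membership=None, group_id=None, name="cn"):
    """Scheme 1: members set. Scheme 2: membership only. Scheme 3: membership + group_id."""
    found = []
    for g in groups:
        if members:        # group entry lists user DNs
            hit = norm_dn(user["dn"][0]) in map(norm_dn, g.get(members.lower(), []))
        elif group_id:     # user entry stores the value of the group's id attribute
            hit = bool(set(user.get(membership.lower(), [])) & set(g.get(group_id.lower(), [])))
        else:              # user entry lists group DNs
            hit = norm_dn(g["dn"][0]) in map(norm_dn, user.get(membership.lower(), []))
        if hit:
            found.append(g[name.lower()][0])
    return found
ENTRIES = parse_ldif(SAMPLE)
GROUPS, USER1, USER2 = ENTRIES[:2], ENTRIES[2], ENTRIES[3]
```

With scheme 3, pointing `group_id` at an attribute that does not hold the referenced value (for example `cn` when the user stores `gidNumber: 123`) returns no groups, so the user ends up with no group-based permissions.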