Hi, no one out there needs AD nested group info?
Were you able to get any information on this? We are having similar issues.
Yes and No.
Oracle says "the native query might work (they mean using DSQUERY/DSGET or an LDAPSEARCH) but our connector uses ADSI - memberOf property. This property returns only direct memberships.
To get all indirect memberships of a user would be very intensive and would definitely have performance issues."
Oracle has deliberately coded it this way and has not provided an alternative workaround yet.
Thanks a lot for the reply.
We are using OIM OOTB AD connector, so you mean this would support nested groups?
Hi, I am using OOTB AD Connector also, and am not getting nested (indirect) groups to be loaded in OIM... only direct (memberOf) groups.
Hi, so given that Oracle wants an ER to support indirect group recon with AD users, in the meantime, do you have a recommendation on how to get this done?
The goal is to list all members of (both (in)direct) groups for every AD user under their Resource tab.
I think we got nested groups reconciliation working in our OIM env (if we did it right on AD). We created two groups in AD (say Level1 and Level2 - Domain Local, Security), we made Level2 memberOf Level1 and reconciled the groups into lookup; both these groups appeared in the lookup.
Edited by: user608228 on Jan 24, 2013 8:03 AM
That's what I have done and I'm still only seeing the memberof (direct) top-level group entries in the User's OIM Resource AD User Groups entry. Here is an example user in AD:
All memberof (direct and nested):
Rick is a (Direct memberof) Domain Admins (which is a memberof) Administrators
Rick is a (Direct memberof) Domain Admins (which is a memberof) Wall Scheduler
Rick is a (Direct memberof) Domain Admins (which is a memberof) Parent
Rick is also a (Direct memberof) Parent (which is a memberof) Nothing
How do we get the result of AllMemberOf? Oracle states they only call ADSI memberof in the AD Connector. Thanks for looking.
During the group reconciliation process OIM reconciles objects from AD which have objectclass type set as Group, and it does not maintain the hierarchical group structure in OIM as it is in the case of the target; it just maintains a flat group structure in OIM. So it should reconcile all groups (including memberOf) unless your objectclass is not of type Group on AD.
Hi, every group we have has the Group object class assigned and still only MembersOf groups are being pulled into OIM.
It appears OIM's AD Connector works like this (let me know if different): it searches on the user's memberOf groups and populates the UD_ADUSRC table with only memberOf groups by user.
Validating by searching on UD_ADUSER_KEY and comparing entries with the OIM user's record under resource=AD User, Groups.
Going to the AD controller and running the DSQUERY/DSGET command to retrieve all direct and indirect groups for the user, returns 10 groups, not two.
Thoughts? Has anyone solved the AD Nested issue with OIM 184.108.40.206.4 and the current AD Connector?
Hi, any suggestion on how to go about populating UD_ADUSRC with the 'allmemberof' group results from a direct query to AD using the dsquery|dsget commands? Using dsquery|dsget as admin on the AD cl returns allmemberof groups for the user (just have to omit the 'dn' and 'success' lines the results tack on).
Each attribute in the UD_ADUSRC table will have to be found first, or do something like query UD_ADUSRC first, find one entry for the user, then hash all the attribute values, and build entries for each group in the dsquery|dsget results, then while adding back into the UD_ADUSRC table check that the entry does not exist and update or skip.
Better still, can anyone provide guidance on adding a task to the AD User Process Definition under the Reconciliation Field Mappings tab.
There, the groups recon adds the user's direct groups to the UD_ADUSRC table.
If I can add another task after that to add the indirect groups, problem solved.
Better still, is there a way to view/edit the call/code being made here in this task/field?
Until future improvements are made to the AD Connector, to get all groups a user is a member of, use the dsquery|dsget command and pump the results (use a java program for customizing results-to-table) into a new OIM table you create. Then I used BIP to join this table with the other AD tables for my reports.
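The difference the thread keeps running into is between a flat ADSI memberOf read (direct groups only) and the expanded "allmemberof" result that dsquery|dsget returns. The following is an added example, not OIM connector code or anything from the thread's authors: it takes direct memberOf data (constructed here from the Rick / Domain Admins example and the Level1/Level2 test groups above) and expands it into the transitive set, which is what a reconciliation would have to store for effective access to be reported correctly. Group names are used in place of DNs for readability.

```python
"""Expand direct AD group membership (what an ADSI memberOf read returns)
into the full transitive set, as `dsget user -memberof -expand` reports it.

Added example for this thread, not OIM connector code. The memberOf data
below is constructed from the "Rick" example in the thread; group names
stand in for DNs.
"""
from collections import deque

# Constructed sample: each entry is an object -> its *direct* memberOf values,
# i.e. exactly what a flat memberOf read returns. An empty list = no parents.
DIRECT_MEMBER_OF = {
    "Rick": ["Domain Admins", "Parent"],
    "Domain Admins": ["Administrators", "Wall Scheduler", "Parent"],
    "Parent": [],
    "Administrators": [],
    "Wall Scheduler": [],
    # Circular nesting is legal in AD; the traversal below must not loop on it.
    "Level1": ["Level2"],
    "Level2": ["Level1"],
}


def all_member_of(obj, direct=DIRECT_MEMBER_OF):
    """Return every group `obj` belongs to, directly or through nesting.

    Breadth-first walk over the memberOf graph with a visited set, so cycles
    (Level1 <-> Level2) and diamonds (Parent reached twice) are handled once.
    """
    seen = set()
    queue = deque(direct.get(obj, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct.get(group, []))
    return seen


def indirect_only(obj, direct=DIRECT_MEMBER_OF):
    """Groups a direct-only reconciliation (the connector's behaviour) misses."""
    return all_member_of(obj, direct) - set(direct.get(obj, []))


if __name__ == "__main__":
    for name in ("Rick", "Level1"):
        print(name, "direct:", sorted(DIRECT_MEMBER_OF[name]))
        print(name, "all:   ", sorted(all_member_of(name)))
        print(name, "missed:", sorted(indirect_only(name)))
```

For Rick the direct-only view shows two groups while the expanded view shows four, which is the same kind of gap (two versus ten) reported above; the `indirect_only` set is what a post-reconciliation task would need to add to UD_ADUSRC.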