13 Replies Latest reply: Mar 27, 2013 2:43 PM by 960529

    Nested Groups in AD User

    960529
      Hi,

      When I run AD User, it is only showing Direct groups in the user's resource/groups tab.

      Is the only way to pull in nested (indirect/allmembersof) groups with a java app via a Scheduled Task?

      Thank you.
        • 1. Re: Nested Groups in AD User
          960529
          Hi, no one out there needs AD nested group info?
          • 2. Re: Nested Groups in AD User
            user608228
            Hi,

            Were you able to get any information on this? We are having similar issues.

            Thanks.
            • 3. Re: Nested Groups in AD User
              960529
              Yes and No.

              Oracle says "the native query might work (they mean using DSQUERY/DSGET or an LDAPSEARCH) but our connector uses ADSI - memberOf property. This property returns only direct memberships.
              To get all indirect memberships of a user would be very intensive and would definitely have performance issues."

              Oracle has deliberately coded it this way and has not provided an alternative workaround yet.
              • 4. Re: Nested Groups in AD User
                user608228
                Thanks a lot for the reply.

                We are using OIM OOTB AD connector, so you mean this would support nested groups?

                Thanks again.
                • 5. Re: Nested Groups in AD User
                  960529
                  Hi, I am using OOTB AD Connector also, and am not getting nested (indirect) groups to be loaded in OIM... only direct (membersof) groups.
                  • 6. Re: Nested Groups in AD User
                    960529
                    Hi, so given that Oracle wants an ER to support indirect group recon with AD users, in the meantime, do you have a recommendation on how to get this done?

                    The goal is to list allmembers of (both (in)direct) groups for every AD user under their Resource tab.
                    • 7. Re: Nested Groups in AD User
                      user608228
                      Hi,

                      I think we got nested groups reconciliation working in our OIM env (if we did it right on AD). We created two groups in AD (say Level1 and Level2 - Domain Local, Security), we made Level2 memberOf Level1 and reconciled the groups into lookup, both these groups appeared in the lookup.

                      Thanks

                      Edited by: user608228 on Jan 24, 2013 8:03 AM
                      • 8. Re: Nested Groups in AD User
                        960529
                        That's what I have done and I'm still only seeing the memberof (direct) top-level group entries in the User's OIM Resource AD User Groups entry. Here is an example user in AD:

                        Direct memberof
                        CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com
                        CN=Domain Admins,CN=Users,DC=corp,DC=com

                        Nested memberof
                        CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com
                        CN=Wall Scheduler,OU=Data,OU=Groups,DC=corp,DC=com
                        CN=Administrators,CN=Builtin,DC=corp,DC=com

                        All memberof (direct and nested)
                        CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com
                        CN=Domain Admins,CN=Users,DC=corp,DC=com
                        CN=Wall Scheduler,OU=Data,OU=Groups,DC=corp,DC=com
                        CN=Administrators,CN=Builtin,DC=corp,DC=com


                        How do we get the result of AllMemberOf? Oracle states they only call ADSI memberof in the AD Connector. Thanks for looking.

                        Rick is a (Direct memberof) Domain Admins (which is a memberof) Administrators
                        Rick is a (Direct memberof) Domain Admins (which is a memberof) Wall Scheduler
                        Rick is a (Direct memberof) Domain Admins (which is a memberof) Parent
                        Rick is also a (Direct memberof) Parent (which is a memberof) Nothing
                        • 9. Re: Nested Groups in AD User
                          user608228
                          During group reconciliation process OIM reconciles object from AD which has objectclass type set as Group and it does not maintain hierarchical Group structure in OIM as it is in case of target -it just maintains a flat group structure in OIM. So it should reconcile all groups (including memberOf) unless your objectclass is not of type Group on AD.

                          Thanks
                          • 10. Re: Nested Groups in AD User
                            960529
                            Hi, every group we have has the Group object class assigned and still only MembersOf groups are being pulled into OIM.

                            It appears OIM's AD Connector works like this...let me know if different...it searches on user's membersof groups and populates the UD_ADUSRC table with only membersof groups by user.

                            Validating by searching on UD_ADUSER_KEY and comparing entries with the OIM user's record under resource=AD User, Groups.

                            Going to the AD controller and running the DSQUERY/DSGET command to retrieve all direct and indirect groups for the user, returns 10 groups, not two.

                            Thoughts? Has anyone solved the AD Nested issue with OIM 11.1.1.5.4 and the current AD Connector?
                            • 11. Re: Nested Groups in AD User
                              960529
                              Hi, any suggestion on how to go about populating UD_ADUSRC with the 'allmemberof' group results from a direct query to AD using the dsquery|dsget commands. Using dsquery|dsget as admin on the AD cl returns allmemberof groups for the user (just have to omit the 'dn' and 'success' lines the results tack on).

                              Each attribute in the UD_ADUSRC table will have to be found first, or do something like query UD_ADUSRC first, find one entry for the user, then hash all the attribute values, and build entries for each group in the dsquery|dsget results, then while adding back into the UD_ADUSRC table check that the entry does not exist and update or skip.

                              Thoughts?
                              • 12. Re: Nested Groups in AD User
                                960529
                                Better still, can anyone provide guidance on adding a task to the AD User Process Definition under the Reconciliation Field Mappings tab.

                                There, the groups recon adds the user's direct groups to the UD_ADUSRC table.
                                If I can add another task after that to add the indirect groups, problem solved.
                                Better still, is there a way to view/edit the call/code being made here in this task/field?
                                • 13. Re: Nested Groups in AD User
                                  960529
                                  Until future improvements are made to the AD Connector, to get all groups a user is a member of, use the dsquery|dsget command and pump the results (use a java program for customizing results-to-table) into a new OIM table you create. Then I used BIP to join this table with the other AD tables for my reports.

                                  Have fun.
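The transitive ("allmemberof") walk that reply 8 lays out for Rick, and that reply 13 performs with dsquery|dsget before loading the result into a custom table, as an added Python example that is not from the thread, the OIM connector or Oracle; the memberOf map is constructed to mirror Rick's groups in reply 8, and the function and variable names are assumptions of this example.

```python
from collections import deque

# Constructed data mirroring reply 8: each user or group DN maps to the
# DNs it is a *direct* member of (what the ADSI memberOf property returns).
DIRECT_MEMBER_OF = {
    "CN=Rick,CN=Users,DC=corp,DC=com": [
        "CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com",
        "CN=Domain Admins,CN=Users,DC=corp,DC=com",
    ],
    "CN=Domain Admins,CN=Users,DC=corp,DC=com": [
        "CN=Administrators,CN=Builtin,DC=corp,DC=com",
        "CN=Wall Scheduler,OU=Data,OU=Groups,DC=corp,DC=com",
        "CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com",
    ],
    "CN=Parent,OU=Test_Groups,OU=Groups,DC=corp,DC=com": [],
}
RICK = "CN=Rick,CN=Users,DC=corp,DC=com"


def membership_paths(dn, direct_member_of):
    """Map every group `dn` belongs to, directly or by nesting, to the
    shortest chain of groups through which it is reached. Breadth-first;
    the `paths` check also stops on cyclic nesting, which AD permits."""
    paths = {}
    queue = deque((g, [g]) for g in direct_member_of.get(dn, []))
    while queue:
        group, chain = queue.popleft()
        if group in paths:
            continue
        paths[group] = chain
        for parent in direct_member_of.get(group, []):
            queue.append((parent, chain + [parent]))
    return paths


def all_member_of(dn, direct_member_of):
    """The 'allmemberof' list: direct and nested groups, deduplicated."""
    return sorted(membership_paths(dn, direct_member_of))


def nested_member_of(dn, direct_member_of):
    """Groups reached through at least one intermediate group."""
    nested = set()
    for direct in direct_member_of.get(dn, []):
        nested.update(membership_paths(direct, direct_member_of))
    return sorted(nested)


if __name__ == "__main__":
    for group, chain in membership_paths(RICK, DIRECT_MEMBER_OF).items():
        print(group, "via", " -> ".join(chain))
```

The chain kept for each group is what a reviewer wants next to the flat group list: it shows that Rick's Builtin Administrators membership comes through Domain Admins, which a memberOf-only reconciliation never surfaces.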