000030964 - How to map an Active Directory external identity source to a universal group for Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000030964
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 or later
Product Name: RSA-0010810
Product Description: RSA-0010810
IssueIt is possible to limit the scope of an external identity source down from the top level domain that is defined in the Authentication Manager Operations Console to a specific group in Active Directory.  Any users that are members of this Active Directory group will show up when searching for users in the identity source via the Security Console.  Any users that are removed from the Active Directory group will be removed from Authentication Manager after running the clean-up process.
TasksThe following tasks will be completed when following the steps in this article:
1.  Create a universal group in Active Directory.
2.  Add Active Directory users to the group.
3.  Map this group as a CN= in your identity source for Group Base DN, not User Base DN.
4.  Change the User Search Filter in the external identity source to include the memberof= search filter.  Note:  Using the memberof filter only works with Active Directory.  The memberof function does not work correctly in a SunONE/Oracle LDAP directory server identity source.  In SunONE, the users are placed into an OU instead of into a group then make the OU a part of the User Base DN and User Group Base DN on the Map tab when configuring the identity source (Operations Console > Deployment Configuration > Identity Source > Manage Existing > Map).
Resolution1.  Create a Universal Group in Active Directory
In this example a universal group called RSAUsers is added under the top level of the domain on a server called 2k8r2-vcloud.local.
RSAUsers Group
2.  Add Active Directory users to the group
Two users, Jo Aaberg and Kvive Aaby, are members of the RSAUsers group.
2 Members
3.  Map the group with the Common Name (CN) in the identity source for User Group Base DN, not User Base DN
Note that the User Group Base DN includes CN=RSAUsers, while the User Base DN does not.  The User Base DN is using the default value of dc=2k8r2-vcloud, dc=local, the Active Directory server's name .
Base DN
4.  Change the Users Search Filter in the external identity source to include the memberof filter.
The default Search Filter under Directory Configuration - Users is (&(objectClass=User)(objectcategory=person)).  Add the memberOf group to the middle of the statement, as in the example below:
User Search Filter
5.  Perform a clean-up if these users were previously in another identity source.  This does not need to be done if this is a new identity source.  To run the cleanup,
a.  Login to the Security Console of the primary Authentication Manager server.
b.  Select Setup > Identity Sources > Cleanup Unresolvable Users.
Define the grace period,

  • If you want to clean up users who have been unresolvable for more than the specified number of days, select the checkbox.
  • If you want to clean up users immediately when they are found to be unresolvable, clear the checkbox.
d.  Click Next.
e.  A preview will display if there are unresolvable users
f.  In the Preview pane, review the list of users. Click the column names to sort the list. If the list is empty, there are no unresolvable users.
g.  Click Clean Up Now.
There are variations on how this process can be done, so test the configuration options in a development or pre-production environment.

The two users Jo Aaberg and Kvive Aaby from the example above would now be searchable in the Security Console under Identity > Users > Manage Existing under this new identity source:

2 Users in IS