000024303 - RSA Access Manager 6.0.2 Member User Groups and users not listing

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024303
Applies To: ClearTrust Authorization Server 6.0.2
LDAP datastore
Issue: How to view Member User Groups with additional object classes.
Member User Groups which contain additional object classes fail to list in the admin GUI (admingui).
Cause

A group search filter is created using the object class configured in the following parameter in the ldap.conf file:

    cleartrust.data.ldap.group.filter :(objectclass=groupOfUniqueNames)

The retrieved objects are then differentiated and identified as a group, user or administrative group using the value set in this parameter:

    cleartrust.data.ldap.group.objectclass  :top, groupOfUniqueNames

If an entry carries an objectClass value which is not present in the above parameter, that entry is not considered a group and is ignored during group segregation.

Resolution

List all additional object classes in use in the cleartrust.data.ldap.group.objectclass parameter, for example:

    cleartrust.data.ldap.group.objectclass  :top, groupOfUniqueNames, posixGroup

As an example, consider the following directory server objects:

The Parent Group:

dn: cn=MyParentGroup,ou=Groups,dc=techfest,dc=com
uniqueMember: cn=MyGroup1,ou=Groups,dc=techfest,dc=com
uniqueMember: cn=MyGroup2,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: MyParentGroup

Now consider the two member groups:

dn: cn=MyGroup2,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: MyGroup2

The object class list of this object matches the cleartrust.data.ldap.group.objectclass parameter, so this object will be visible.

dn: cn=MyGroup1,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: MyGroup1

This has the additional object class value of posixGroup, so it would not be displayed unless the cleartrust.data.ldap.group.objectclass parameter were updated (note that MyGroup2 would need to be altered so that its object class hierarchy also matched).
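As an added example (not RSA's or ClearTrust's own code), the following Python models the two-step rule described in the Cause and Resolution sections: apply the configured group search filter, then keep only the entries whose objectClass values are all present in cleartrust.data.ldap.group.objectclass. The ldap.conf line format and the simple equality-filter parser are assumptions for illustration; the directory entries are the three shown above, embedded as constructed LDIF.

```python
import re
# Constructed ldap.conf fragments: the article's original setting and the corrected one.
CONF_BEFORE = ("cleartrust.data.ldap.group.filter :(objectclass=groupOfUniqueNames)\n"
               "cleartrust.data.ldap.group.objectclass  :top, groupOfUniqueNames\n")
CONF_AFTER = CONF_BEFORE.rstrip("\n") + ", posixGroup\n"
# Constructed LDIF holding the three directory entries shown in the article.
SAMPLE_LDIF = """\
dn: cn=MyParentGroup,ou=Groups,dc=techfest,dc=com
uniqueMember: cn=MyGroup1,ou=Groups,dc=techfest,dc=com
uniqueMember: cn=MyGroup2,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: MyParentGroup

dn: cn=MyGroup2,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: MyGroup2

dn: cn=MyGroup1,ou=Groups,dc=techfest,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: MyGroup1
"""
def parse_conf(text):
    """ldap.conf 'key :value' lines -> dict with keys and values stripped (assumed format)."""
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def parse_ldif(text):
    """Minimal LDIF reader -> list of entries, each {attribute name (lowercased): [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, value in (line.split(":", 1) for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def list_groups(conf_text, ldif_text):
    """Return the cn of every entry that would be listed as a group, in directory order."""
    conf = parse_conf(conf_text)
    # Step 1: the configured search filter selects the candidate entries from the datastore.
    attr, wanted = re.fullmatch(r"\((\w+)=([^)]+)\)", conf["cleartrust.data.ldap.group.filter"]).groups()
    # Step 2: an entry counts as a group only if every objectClass value it carries is in the list.
    allowed = {c.strip().lower() for c in conf["cleartrust.data.ldap.group.objectclass"].split(",")}
    return [e["cn"][0] for e in parse_ldif(ldif_text)
            if wanted.lower() in map(str.lower, e.get(attr.lower(), []))
            and all(c.lower() in allowed for c in e["objectclass"])]
```

With CONF_BEFORE only MyParentGroup and MyGroup2 are returned; with CONF_AFTER MyGroup1 is listed as well, which is the behaviour the Resolution section relies on.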

Legacy Article ID: a37878
