How to Include or Exclude an Active Directory OU from the Microsoft LDAP directory on RSA Authentication Manager 8.x
Article Number
000072660
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  RSA Authentication Manager
RSA Version/Condition:  8.x
Platform: Linux
Issue
This article explains how to include or exclude an Active Directory OU from the Microsoft LDAP directory on RSA Authentication Manager 8.x.

The need may arise to include or exclude a specific OU, or a subset of OUs, when mapping users into RSA Authentication Manager from Active Directory. In larger environments with many parent or child OUs, doing this manually on the AD Integration page when mapping User OUs and/or Group OUs quickly becomes untenable through multiple AD

While providing specific examples of LDAP filtering is not under the purview of Support, this document is given as a best effort to assist customers with large AD domains.
 
Tasks
Follow the steps below:
  1. Log in to the Operations Console of the primary Authentication Manager instance.
  2. Click Deployment Configuration > Identity Sources > Manage Existing.
  3. When prompted, enter the super admin user ID and password.
  4. Click the context arrow for the identity source in question and select Edit.
  5. Click the Connection(s) tab or the Map tab to view the properties of the external identity source.
  6. Scroll down to the Directory Configuration - Users section and modify the default search filter from (&(objectClass=User)(objectcategory=person)) to the search filter specific to your requirement to include or exclude the OU.

Include Only: 

Users:
(&(objectClass=User)(objectcategory=person)(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com))

User Groups: 
(&(objectCategory=group)(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com))


Exclude Only:

Users:
(&(objectClass=User)(objectcategory=person)(!(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)))

User Groups: 
(&(objectCategory=group)(!(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)))


Please note: because extensible matching is not performed, only the users/groups whose immediate parent is the named OU are included or excluded. To include child OUs, each child OU must be explicitly named in the filter.

Example:

Include Only:

(&(objectClass=User)(objectcategory=person)(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com)))

Exclude Only:

(&(objectClass=User)(objectcategory=person)(!(|(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=SubChild,OU=Child1,OU=ParentOU,DC=domain,DC=com)(msDS-parentdistname=OU=Child2,OU=ParentOU,DC=domain,DC=com))))
  7. Once done, click Save and Finish for the changes to take effect.
  8. Log in to the Security Console for the primary.
  9. Verify that the required OUs are included or excluded from the Microsoft LDAP Directory.
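The following is an added example, not code from RSA or from this article: it builds the msDS-parentdistname include/exclude filters shown above from a list of OU DNs, and evaluates them against constructed sample DNs to show why a user in an unlisted child OU is not matched. The DNs, the user names and the simplified parent-DN emulation (no escaped commas) are assumptions for illustration.

```python
# Added example (not RSA code). Builds the Authentication Manager search
# filters from a list of OU DNs and checks which objects they would return.

USER_BASE = "(&(objectClass=User)(objectcategory=person)"
GROUP_BASE = "(&(objectCategory=group)"


def build_ou_filter(ou_dns, kind="user", include=True):
    """Return the search filter restricting objects to the listed OU DNs."""
    base = USER_BASE if kind == "user" else GROUP_BASE
    clauses = "".join(f"(msDS-parentdistname={dn})" for dn in ou_dns)
    # Several OUs are OR-ed together; a single OU needs no (|...) wrapper.
    membership = clauses if len(ou_dns) == 1 else f"(|{clauses})"
    if not include:
        membership = f"(!{membership})"
    return f"{base}{membership})"


def parent_dn(object_dn):
    """Emulate msDS-parentdistname: the DN with its leading RDN removed.
    Assumes no escaped commas inside RDN values (constructed input only)."""
    return object_dn.split(",", 1)[1]


def filter_accepts(ou_dns, object_dn, include=True):
    """True if an object with this DN is returned by the built filter.
    Only the immediate parent is compared, so nested OUs never match
    unless they are listed themselves."""
    in_listed_ou = parent_dn(object_dn) in set(ou_dns)
    return in_listed_ou if include else not in_listed_ou


# Constructed sample DNs (assumed, not from the article).
PARENT = "OU=ParentOU,DC=domain,DC=com"
CHILD1 = "OU=Child1,OU=ParentOU,DC=domain,DC=com"
SAMPLE_USERS = {
    "alice": f"CN=alice,{PARENT}",   # directly in ParentOU
    "bob": f"CN=bob,{CHILD1}",       # in a child OU of ParentOU
}


def accepted_users(ou_dns, include=True):
    """Names of sample users the filter would map into Authentication Manager."""
    return sorted(n for n, dn in SAMPLE_USERS.items()
                  if filter_accepts(ou_dns, dn, include))


if __name__ == "__main__":
    print(build_ou_filter([PARENT]))
    print("ParentOU only:", accepted_users([PARENT]))
    print("ParentOU + Child1:", accepted_users([PARENT, CHILD1]))
```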