AnsweredAssumed Answered

How to create an Application based on Active Directory Security Groups

Question asked by Shlomo Katz on Jun 2, 2017
Latest reply on Jun 16, 2017 by Shlomo Katz

Like • Show 0 Likes0
Comment • 5

My scenario is as follows:

1. Create Application Collector to collect AD groups and the members, filter as "(&(objectClass=group)(cn=groupprefix*))" (no quotes). This maps the security group member > Security Group collected as Application > Aveksa Identity.

However, I am not able to fulfill AFX requests as the error below states.

I think I need to do a step 2 and create an Entitlement collector as well but somehow map the same security groups collected as an entitlement as well??

This thought seems to be inline as to why I had to configure a request form for users to be added to a security group as "entitlement" (example: x."Business Source Name"='Active Directory' and x."Entitlement Name"= xxxxxx)

Does anybody have any experience for this scenario?

Am I overlooking something simple?

Version 7.0.2 SP5

Error as follows:

RSA Via L&G - Manual Fulfillment: 144711

Thank you

Shlomo

Shlomo Katz Jun 16, 2017 3:53 PM

Correct Answer

I resolved this issue by creating a specific AFX connector to handle my scenario.

I added the capability to Add user to AD group : Account, DN, and CN.

See the reply in context

No one else had this question

Outcomes

Boris Lekumovich

Jun 4, 2017 8:30 PM

You don't have to create a new EDC to collect the groups as entitlements.

ADC which collects groups and members should be sufficient.

Did you test the connector capability (Add account to AD group) and found it successful?

if yes, then I suggest you share some screenshots (AFX connector config, CR and etc.).

Actions

Andrew Beauchamp @ Boris Lekumovich on Jun 4, 2017 10:22 PM

In addition to Boris Lekumovich reply. You "can" collected AD groups using a EDC but it will define it as application roles. When it comes to AFX and using the standard out-of-box setting and workflows it will fail because the AFX connector for Active Directory wants a Group and not approles. It can be done BUT using an ADC will save you the headache.

Actions

Shlomo Katz @ Boris Lekumovich on Jun 5, 2017 2:10 PM

Normal Add to group functions work fine, this is only when the group is being requested from the Application grouping and not the Active Directory directory group.

@Andrew Beauchamp - I will look at the workflow when i return next week.

Actions

Shlomo Katz @ Boris Lekumovich on Jun 15, 2017 5:19 PM

Hello Boris,

I can add to User to an ADGroup without any problem during Test.

I can add a user to the same group when the group is requested from Active Directory business source.

My current challenge is: That when I choose from my "application" it goes into manual fulfillment with the error of

   AFX reports this item failed with code [-1] and message: 'LDAPException: No Such Object (32) No Such Object
   LDAPException: Server Message: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
   'Top Level of Domain'

LDAPException: Matched DN: 'Top Level of Domain'. If available, another handler will be used to fulfill this item.

The "application" is set to use Default AFX Fufillment - AD

The Capabilities are:

No mapping for Group ^

The "application" is mapped as:

Any assistance will be greatly appreciated.

Thank you
Shlomo

Actions

Shlomo Katz Jun 16, 2017 3:53 PM

I resolved this issue by creating a specific AFX connector to handle my scenario.

I added the capability to Add user to AD group : Account, DN, and CN.

Actions

5 Replies

Boris Lekumovich Jun 4, 2017 8:30 PM
Mark Correct
Correct Answer
You don't have to create a new EDC to collect the groups as entitlements.
ADC which collects groups and members should be sufficient.

Did you test the connector capability (Add account to AD group) and found it successful?

if yes, then I suggest you share some screenshots (AFX connector config, CR and etc.).
Like • Show 0 Likes0
Actions
- Andrew Beauchamp @ Boris Lekumovich on Jun 4, 2017 10:22 PM
  Mark Correct
  Correct Answer
  In addition to Boris Lekumovich reply. You "can" collected AD groups using a EDC but it will define it as application roles. When it comes to AFX and using the standard out-of-box setting and workflows it will fail because the AFX connector for Active Directory wants a Group and not approles. It can be done BUT using an ADC will save you the headache.
  Like • Show 0 Likes0
  Actions
- Shlomo Katz @ Boris Lekumovich on Jun 5, 2017 2:10 PM
  Mark Correct
  Correct Answer
  Normal Add to group functions work fine, this is only when the group is being requested from the Application grouping and not the Active Directory directory group.
  @Andrew Beauchamp - I will look at the workflow when i return next week.
  Like • Show 0 Likes0
  Actions
- Shlomo Katz @ Boris Lekumovich on Jun 15, 2017 5:19 PM
  Mark Correct
  Correct Answer
  Hello Boris,
  I can add to User to an ADGroup without any problem during Test.
  I can add a user to the same group when the group is requested from Active Directory business source.
  My current challenge is: That when I choose from my "application" it goes into manual fulfillment with the error of
     AFX reports this item failed with code [-1] and message: 'LDAPException: No Such Object (32) No Such Object
     LDAPException: Server Message: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
     'Top Level of Domain'
     LDAPException: Matched DN: 'Top Level of Domain'. If available, another handler will be used to fulfill this item.
  
  The "application" is set to use Default AFX Fufillment - AD
  The Capabilities are:
  No mapping for Group ^
  
  The "application" is mapped as:
  
  Any assistance will be greatly appreciated.
  
  Thank you
  Shlomo
  Like • Show 0 Likes0
  Actions
Shlomo Katz Jun 16, 2017 3:53 PM
Unmark Correct
Correct Answer
I resolved this issue by creating a specific AFX connector to handle my scenario.
I added the capability to Add user to AD group : Account, DN, and CN.
Like • Show 1 Like1
Actions

How to create an Application based on Active Directory Security Groups

Outcomes

Related Content

Recommended Content