Search or Virtual Organizational Unit.

  • Last Post 25 May 2016
sumesh2279 posted this 24 May 2016


I am integrating a third party application to provide LDAP access. We don’t have a uniform OU for users as they are separated in different containers. The application can be configured to search only one organizational unit. Is there any way to create a virtual container integrating multiple actual DNs, or a search OU?

Thanks
Sumesh


slavickp posted this 25 May 2016

Or drop filters for objectClass altogether.
I have to agree with Jeremy once again: even if you have existing ILM/FIM/MIM investment and expertise, creating another domain is definitely overkill. AD LDS is simple, you can easily script sync from AD without MIM and specialist knowledge.
Regards
Slav
MCM-AD

jeremyts posted this 25 May 2016

Really? This is unnecessary. As per my response, just use AD LDS with the userProxy object. It works a treat, you can have it all set up in an hour and sync your various users based on the OU structures you want.

The users are created as a userProxy object, which refers back to the main AD they came from for their password, etc. Hence the word “proxy”.

Then you just configure your app to do its LDAP lookup against the root DN of the AD LDS instance and you’re done.

You do need to change the search filter in your app so that it returns objects of the userProxy class only…

For example:

Use: (&(objectClass=userProxy)(!(objectClass=Computer)))

Instead of: (&(objectClass=user)(!(objectClass=Computer)))

This doc from Cisco might help, but in your scenario think of it as multiple OU structures instead of multiple domains/forests:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-80/111979-ucm-multi-forest-00.html

Cheers,
Jeremy


Mahdi posted this 25 May 2016

Agreed.

I think a viable option is to sync the users from your domain to an external domain with a FIM-like solution. But again, he will need a lot of filter flows to exclude built-in and unnecessary users.

slavickp posted this 24 May 2016

I had this issue. The application was financial, from FICO, a big name in credit rating and apparently dysfunctional in software development.
Ended up doing exactly what Jeremy suggests.
Regards
Slav
MCM-AD


gkirkpatrick posted this 24 May 2016

Can you ACL the restricted OUs to prevent access by the people who shouldn’t have access?

There’s no native way for AD to combine OUs like that. You’d have to use a virtual directory or sync to an external directory.

-g


PARRIS posted this 24 May 2016

What’s the third party application called?

Regards,
Mark Parris
Active Directory, Cloud Identity & Security Consultancy.
MVP Enterprise Mobility | MCM Directory Services


jeremyts posted this 24 May 2016

That’s a pain.

Then AD LDS with the userProxy object may be an easy win option here.

Cheers,
Jeremy


sumesh2279 posted this 24 May 2016

Yes, we have certain restricted defence OUs.
Sumesh


jeremyts posted this 24 May 2016

Hi Sumesh,

Is there an issue pointing to the root DN (Domain)?

Cheers,
Jeremy


chriss3 posted this 24 May 2016

Not natively in AD. I guess you can specify any LDAP search base, not just an OU…

Christoffer Andersson – Principal Advisor, Enfo Zipper
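The two technical points in this thread are the search base (Jeremy's "point at the root DN" and Christoffer's "any LDAP search base, not just an OU") and Jeremy's filter change from objectClass=user to objectClass=userProxy once the app reads from AD LDS. The following Python script is an added example written for this page; it is not code from the thread or from any of its posters. It models a tiny LDAP search (an RFC 4515 filter subset with equality, &, | and !, plus search base and scope) over constructed entries. All DNs, OU names, the AD LDS partition name and the entries are constructed; the class chain given to userProxy is an assumption.

```python
"""Added example: in-memory LDAP search to show search-base scoping and the
user -> userProxy filter change discussed in the thread. All data constructed."""

# Constructed AD entries. In AD the objectClass attribute carries the full
# class chain, so a computer object also carries "user"; that is why the
# thread's filter excludes Computer explicitly.
USER_CHAIN = ["top", "person", "organizationalPerson", "user"]
AD_ENTRIES = [
    {"dn": "CN=alice,OU=Sales,DC=corp,DC=example", "objectClass": USER_CHAIN},
    {"dn": "CN=bob,OU=Engineering,DC=corp,DC=example", "objectClass": USER_CHAIN},
    {"dn": "CN=carol,OU=Defence,DC=corp,DC=example", "objectClass": USER_CHAIN},  # restricted OU
    {"dn": "CN=WS01,OU=Workstations,DC=corp,DC=example",
     "objectClass": USER_CHAIN + ["computer"]},
]

# Constructed AD LDS partition holding proxies for only the OUs the app may see.
# Assumption: userProxy derives from top only, so objectClass=user does not match.
ADLDS_ENTRIES = [
    {"dn": "CN=alice,OU=Sales,CN=App,DC=example", "objectClass": ["top", "userProxy"]},
    {"dn": "CN=bob,OU=Engineering,CN=App,DC=example", "objectClass": ["top", "userProxy"]},
]

USER_FILTER = "(&(objectClass=user)(!(objectClass=Computer)))"
PROXY_FILTER = "(&(objectClass=userProxy)(!(objectClass=Computer)))"


def parse_filter(text):
    """Parse an RFC 4515 filter subset (equality, &, |, !) into a tuple tree."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                       # compound: (&(...)(...)) or (|(...)(...))
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    if s[i] == "!":                        # negation: (!(...))
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", [child]), i + 1
    j = s.find(")", i)                     # equality item: (attr=value)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("malformed equality item")
    attr, _, value = s[i:j].partition("=")
    return ("=", [attr.strip().lower(), value.strip().lower()]), j + 1


def matches(entry, node):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    op, args = node
    if op == "=":
        attr, value = args
        values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
        values = [values] if isinstance(values, str) else values
        return any(v.lower() == value for v in values)
    if op == "&":
        return all(matches(entry, c) for c in args)
    if op == "|":
        return any(matches(entry, c) for c in args)
    return not matches(entry, args[0])     # "!"


def _rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]   # no escaping handled


def search(entries, base, scope, filter_text):
    """Return DNs under base (scope: base|onelevel|subtree) matching the filter."""
    node, base_rdns, hits = parse_filter(filter_text), _rdns(base), []
    for entry in entries:
        rdns = _rdns(entry["dn"])
        depth = len(rdns) - len(base_rdns)
        in_scope = rdns[-len(base_rdns):] == base_rdns and (
            (scope == "base" and depth == 0)
            or (scope == "onelevel" and depth == 1)
            or (scope == "subtree" and depth >= 0))
        if in_scope and matches(entry, node):
            hits.append(entry["dn"])
    return hits


def demo():
    """Results a practitioner would compare before and after the AD LDS move."""
    return {
        "ad_one_ou": search(AD_ENTRIES, "OU=Sales,DC=corp,DC=example", "subtree", USER_FILTER),
        "ad_root": search(AD_ENTRIES, "DC=corp,DC=example", "subtree", USER_FILTER),  # Defence included
        "adlds_old_filter": search(ADLDS_ENTRIES, "CN=App,DC=example", "subtree", USER_FILTER),
        "adlds_new_filter": search(ADLDS_ENTRIES, "CN=App,DC=example", "subtree", PROXY_FILTER),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name}: {dns}")
```

Running it shows the trade-off the thread turns on: a subtree search from the domain root covers every OU in one base, but that includes the restricted Defence OU (hence the ACL question), while the AD LDS partition exposes only the synced OUs and returns nothing at all until the app's filter is changed to userProxy.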