Importing Active Directory Groups
About this task
One of the greatest benefits of integrating with Active Directory is being able to use existing
Active Directory groups. After Active Directory groups are imported, an administrator must define
the permissions for each group and group membership is handled inherently by Active Directory. To
import Active Directory groups, configure the following properties in the
ldap.properties file.
- ldap.groupName
- The LDAP attribute name that is used for the group search.
ldap.groupName=cn OR ldap.groupName=name
- ldap.groupDescription
- The LDAP attribute name to be used to get the description for the group. It is set to
description by default.
ldap.groupDescription=description
- ldap.groupNameTrim
- Set to true or false. When set to true, the group name that is imported to the IBM® BigFix® Remote Control database is limited to 64 characters. The recommended value is false.
- ldap.groupMembers
- LDAP attribute name to be used to find the members of the groups that are returned as a result
of the specified search. The default value is member.
ldap.groupMembers=member
- ldap.groupSubtree
- Set to true or false. The default is false. If set to true, IBM BigFix Remote Control searches recursively through the subtree of the element that is specified in the ldap.groupBase parameter for groups that are associated with a user. If left unspecified, the default value of false causes only the top level to be searched, and no recursive search is run.
- ldap.groupBase
- The base LDAP directory entry for starting the search for groups to synchronize. If left
unspecified, the default is to use the top-level element in the directory context.
For example:
OU=mylocation,DC=mycompany,DC=com
To refine your search and go deeper into the OU structure, you can start the search only within a specific organizational unit, for example an OU called Test. Set the property to the following value:
OU=Test,OU=mylocation,DC=mycompany,DC=com
IBM BigFix Remote Control then looks for groups that match the criteria only within the Test OU (and any OUs that belong to the Test OU if ldap.groupSubtree is set to true).
- ldap.groupSearch
- Defines the LDAP query that is used to import AD groups to IBM BigFix Remote Control. The defined
query needs to filter the results such that only those groups that are needed are imported to
IBM BigFix Remote Control.
ldap.groupSearch=(objectClass=group)
- Imports all AD groups found in the OU specified in the ldap.groupBase property to IBM BigFix Remote Control. Some environments can have thousands of groups.
ldap.groupSearch=(&(objectClass=group)(cn=*SMS*))
- Imports all groups that contain SMS in the cn attribute. For example, visio-sms-users.
ldap.groupSearch=(&(objectClass=group)(cn=admins))
- Imports all groups that are named admins.
ldap.groupSearch=(&(objectClass=group)(cn=admins*))
- Imports all groups that have the text admins in the name. For example, administrators, server-administrators.
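As an added example (not part of the IBM documentation or product), the following Python checks an ldap.properties fragment for the group-import settings described above: it verifies that ldap.groupSearch is a well-formed filter, flags the over-broad (objectClass=group) filter that imports every group under ldap.groupBase, checks that ldap.groupBase looks like a DN, and reports ldap.groupNameTrim=true. The sample properties text is constructed for this example; the finding messages and check names are this example's own.

```python
import re

# Constructed sample ldap.properties content (not from the original page); it uses
# the property names and example values the page documents.
SAMPLE_PROPERTIES = """
ldap.groupName=cn
ldap.groupDescription=description
ldap.groupNameTrim=false
ldap.groupMembers=member
ldap.groupSubtree=true
ldap.groupBase=OU=Test,OU=mylocation,DC=mycompany,DC=com
ldap.groupSearch=(&(objectClass=group)(cn=admins*))
"""

def parse_properties(text):
    """Parse a Java-style .properties file into a dict (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def filter_is_balanced(ldap_filter):
    """Check that an RFC 4515 filter string starts with '(' and has matching parentheses."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(")

def check_group_import_config(props):
    """Return a list of findings (empty list means the group-import settings look sane)."""
    findings = []
    search = props.get("ldap.groupSearch", "")
    if not filter_is_balanced(search):
        findings.append("ldap.groupSearch is not a well-formed filter")
    # A filter with only objectClass=group imports every group under ldap.groupBase.
    if re.fullmatch(r"\(objectClass=group\)", search, re.IGNORECASE):
        findings.append("ldap.groupSearch imports all groups; narrow it with a cn= clause")
    base = props.get("ldap.groupBase", "")
    if base and not re.fullmatch(r"([A-Za-z]+=[^,]+)(,[A-Za-z]+=[^,]+)*", base):
        findings.append("ldap.groupBase is not a valid DN")
    if props.get("ldap.groupNameTrim", "false").lower() == "true":
        findings.append("ldap.groupNameTrim=true truncates names to 64 chars (recommended: false)")
    for key in ("ldap.groupName", "ldap.groupMembers"):
        if key not in props:
            findings.append(f"{key} is not set")
    return findings
```

Run `check_group_import_config(parse_properties(open("ldap.properties").read()))` against a real file to review the group-import settings before enabling the import.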