Importing Active Directory Groups

About this task

One of the greatest benefits of integrating with Active Directory is being able to use existing Active Directory groups. After Active Directory groups are imported, an administrator must define the permissions for each group and group membership is handled inherently by Active Directory. To import Active Directory groups, configure the following properties in the ldap.properties file.
ldap.groupName
The LDAP attribute name that is used for the group search.
ldap.groupName=cn    OR   ldap.groupName=name
ldap.groupDescription
The LDAP attribute name to be used to get the description for the group. It is set to description by default.
ldap.groupDescription=description
ldap.groupNameTrim
Set to true or false. Limits the group name that is imported to the BigFix® Remote Control database to 64 characters. The recommended value is false.
ldap.groupMembers
LDAP attribute name to be used to find the members of the groups that are returned as a result of the specified search. The default value is member.
ldap.groupMembers=member
ldap.groupSubtree
Set to true or false; the default is false. If set to true, BigFix® Remote Control searches recursively through the subtree of the element that is specified in the ldap.groupBase parameter for groups that are associated with a user. If left unspecified, the default value of false causes only the top level to be searched, and no recursive search is run.
ldap.groupBase
The base LDAP directory entry for starting the search for groups to synchronize. If left unspecified, the default is to use the top-level element in the directory context.
For example, OU=mylocation,DC=mycompany,DC=com
To refine your search and go deeper into the OU structure, you can start the search only within a specific organizational unit, for example an OU called Test. Set the property to the following value.
OU=Test,OU=mylocation,DC=mycompany,DC=com
Therefore, BigFix® Remote Control looks for groups that match the criteria, only within the Test OU (and any OUs that belong to the Test OU if ldap.groupSubtree is set to true).
ldap.groupSearch
Defines the LDAP query that is used to import AD groups to BigFix® Remote Control. The defined query needs to filter the results such that only those groups that are needed are imported to BigFix® Remote Control.
ldap.groupSearch=(objectClass=group)
Imports all AD groups found in the OU specified in the ldap.groupBase property to BigFix® Remote Control. Some environments can have thousands of groups.
ldap.groupSearch=(&(objectClass=group)(cn=*SMS*))
Imports all groups that contain SMS in the cn attribute. For example, visio-sms-users.
ldap.groupSearch=(&(objectClass=group)(cn=admins))
Imports all groups that are named admins.
ldap.groupSearch=(&(objectClass=group)(cn=admins*))
Imports all groups that have the text admins in the name. For example, administrators, server-administrators.
These queries can be tested by using the directory search option of an LDAP browser or the LDAP configuration utility in the BigFix® Remote Control server UI.
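A further way to check a group search before it is run against a directory that may hold thousands of groups is an offline dry run. The following Python script is an added example and is not part of the product documentation or of BigFix® Remote Control itself: it parses the group-related keys from an ldap.properties fragment, evaluates ldap.groupBase, ldap.groupSubtree, ldap.groupSearch and ldap.groupNameTrim against a small set of constructed directory entries (the OU layout, group names and the jdoe user are invented for this example), and reports which groups would be imported. The filter parser covers only the subset of LDAP filter syntax used on this page (&, |, ! and attr=value with * wildcards), and DNs with escaped commas are not handled; both are assumptions of the example.

```python
"""Offline dry run of the ldap.properties group import settings (added example)."""
import re

TEST_OU = "OU=Test,OU=mylocation,DC=mycompany,DC=com"


def group(cn, ou, members=()):
    """Build a constructed group entry under the given OU path (attribute names lowercase)."""
    return {"dn": "CN=%s,%s" % (cn, ou), "objectclass": ["top", "group"], "cn": [cn],
            "description": ["constructed group %s" % cn], "member": list(members)}


# Constructed sample entries; AD attribute matching is case-insensitive, so keys are lowercase.
SAMPLE_ENTRIES = [
    group("admins", TEST_OU, ["CN=jdoe," + TEST_OU]),
    group("visio-sms-users", TEST_OU),
    group("admins-servers", "OU=Servers," + TEST_OU),                # one OU below the base
    group("sms-gateway-operators", "OU=Other,OU=mylocation,DC=mycompany,DC=com"),  # outside Test
    group("x" * 80, TEST_OU),                                        # name longer than 64 chars
    {"dn": "CN=jdoe," + TEST_OU, "objectclass": ["top", "person", "user"], "cn": ["jdoe"]},
]

# Constructed ldap.properties fragment using the keys described on this page.
SAMPLE_PROPERTIES = """
ldap.groupName=cn
ldap.groupDescription=description
ldap.groupNameTrim=false
ldap.groupMembers=member
ldap.groupSubtree=false
ldap.groupBase=OU=Test,OU=mylocation,DC=mycompany,DC=com
ldap.groupSearch=(objectClass=group)
"""


def parse_properties(text):
    """Minimal key=value parser: blank and '#' lines are skipped, the first '=' splits key from value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_filter(text):
    """Parse the filter subset used on this page: (&..), (|..), (!..) and (attr=value*)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; '*' in a value is an LDAP wildcard."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    regex = re.compile(".*".join(re.escape(part) for part in value.split("*")), re.IGNORECASE)
    return any(regex.fullmatch(v) for v in entry.get(attr, []))


def dn_components(dn):
    """Split a DN into normalised RDNs (assumption: no escaped commas in the DN)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn, base, subtree):
    """groupSubtree=false sees only direct children of groupBase; true sees any descendant."""
    if not base.strip():          # unspecified base: whole directory in scope (simplification)
        return True
    entry, base_parts = dn_components(dn), dn_components(base)
    if len(entry) <= len(base_parts) or entry[-len(base_parts):] != base_parts:
        return False
    return subtree or len(entry) == len(base_parts) + 1


def preview_import(props, entries):
    """Return the groups the configured search would import, with name, description and members."""
    tree = parse_filter(props["ldap.groupSearch"])
    subtree = props.get("ldap.groupSubtree", "false").lower() == "true"
    trim = props.get("ldap.groupNameTrim", "false").lower() == "true"
    name_attr = props.get("ldap.groupName", "cn").lower()
    desc_attr = props.get("ldap.groupDescription", "description").lower()
    members_attr = props.get("ldap.groupMembers", "member").lower()
    imported = []
    for entry in entries:
        if in_scope(entry["dn"], props.get("ldap.groupBase", ""), subtree) and matches(tree, entry):
            name = entry[name_attr][0]
            imported.append({"name": name[:64] if trim else name,   # 64-char limit from groupNameTrim
                             "description": (entry.get(desc_attr) or [""])[0],
                             "members": entry.get(members_attr, [])})
    return imported


def preview_with(overrides, entries=SAMPLE_ENTRIES):
    """Names that would be imported using SAMPLE_PROPERTIES with some keys overridden."""
    props = parse_properties(SAMPLE_PROPERTIES)
    props.update(overrides)
    return [g["name"] for g in preview_import(props, entries)]


if __name__ == "__main__":
    for search in ["(objectClass=group)", "(&(objectClass=group)(cn=*SMS*))",
                   "(&(objectClass=group)(cn=admins))", "(&(objectClass=group)(cn=admins*))"]:
        print(search, "->", preview_with({"ldap.groupSearch": search, "ldap.groupSubtree": "true"}))
```

Running the script prints, for each of the four searches from this page, the group names that would be imported from the constructed entries; changing ldap.groupSubtree or ldap.groupBase in the overrides shows how the nested OU=Servers group and the group in the sibling OU=Other move in and out of scope, and ldap.groupNameTrim=true shows the 80-character name cut to 64 characters.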