Searching for the users directory entry
About this task
The method available for finding the end-users information
involves defining a starting point in the Active Directory tree and
allowing BigFix® Remote
Control to
recursively search through the tree for the userid. For most Active
Directory implementations this is the preferred method as users are
usually spread out in several locations in an Active Directory tree.
This method is especially helpful if user information is contained
under a single branch of the tree but broken up by department or underneath
the branch
Note: It should be noted that when LDAP has been enabled,
new users and new user groups should be created in Active Directory
and not in BigFix® Remote
Control.
This is because each time the synchronization with Active Directory
takes place the users and user groups are deleted from the BigFix® Remote
Control database
and then imported again from Active Directory.
To use
the recursive search configure the following parameters:
- ldap.userBase
- The base LDAP directory entry for looking up users that match
the search criteria. If not specified, the search base is the top-level
element in the directory context.
You can refine your search by going deeper into the OU structure and selecting to search only within a specific organizational unit for example an OU called Users and therefore you would set the property value asfor example OU=mylocation,DC=mycompany,DC=com
This would instruct BigFix® Remote Control to look for users matching the criteria, only within the Users OU (and any OUs that belong to the Users OU if ldap.groupSubtree is set to true)ldap.userBase=OU=Users,ou=mylocation,dc=mydomain,dc=mycompany,dc=com
- ldap.userSearch
- Defines the LDAP query that is used to import Active Directory
users to BigFix® Remote
Control.
The defined query needs to filter the results such that only those
users which match the search criteria are imported to BigFix® Remote
Control.
The default value is
(objectClass=user)
which means, look for users in any object that is a user object within the userbase. That is import all Active Directory users to BigFix® Remote Control.Note: When using the above it should be noted that some environments can have thousands of users therefore it is important to create a filter which will only import the required users. To limit the users that are imported to only those users who match the search criteria and are members of the groups that were imported into BigFix® Remote Control through the ldap.groupSearch filter, you should set the property ldap.userInGroup to true. It should also be noted that as well as being imported into the relevant groups that are returned in the group search, users are also imported into the DefaultGroup. Setting ldap.userInGroup to false will import all users who match the search criteria, regardless of their group membership.The search can therefore be further refined by using more complex queries. For example if you have the following values set
If there were three groups defined, Department1, Department2 and Department3 the above query would authenticate and import any users that are defined as objectclass user and are members of the Department1 OR Department3 groups. Users from Department2 would not be able to logon to BigFix® Remote Control.ldap.groupBase=(OU=mylocation.DC=mycompany.DC=com) Ldap.userSearch: (&(objectClass=user)(|(memberOf=CN=Department1,OU=GROUPS, OU=mylocation,DC=mycompany,DC=com) (memberOf=CN=Department3,OU=GROUPS, OU=mylocation,DC=mycompany,DC=com))(name={0}))
The (&(name={0}) is added to the end to specify that the name attribute is used for logging in. This value has to match whatever attribute was specified as ldap.userid.
- ldap.userSubtree
- Set this value to true if you want to recursively search the sub
tree of the element specified by the userBase attribute for the user's
directory entry. The default value of false causes only the top level
to be searched (a nonrecursive search). This is ignored if you are
using the userPattern expression.
ldap.userSubtree=true