ARSLSYNC User filter not working


anandsivan

We have OnDemand 10.5 running on Linux. We are setting up LDAP sync with Active Directory. Below is our configuration.

ARS_LDAP_SERVER=xxxxx.yyy.zzz.com
ARS_LDAP_PORT=636
ARS_LDAP_USE_SSL=TRUE
ARS_LDAP_BASE_DN=DC=xxxx,DC=yyyyy,DC=zzz,DC=com
ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
ARS_LDAP_MAPPED_ATTRIBUTE=CN
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_REFERRALS=FALSE
ARS_LDAP_BIND_MESSAGES_FILE=
ARS_LDAP_IGN_USERIDS=admin
ARS_LDAP_IGN_GROUPS=admin,admin1
ARS_LDAP_KEYRING_FILE=/ars/certs/ondemand.kdb
ARS_LDAP_KEYRING_LABEL=CERTS
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_GROUP_FILTER=(&(objectClass=group)(CN=ONDM*,OU=ONDM-IN,OU=APPS,dc=xxxx,dc=yyyy,dc=zzz,dc=com))
ARS_LDAP_USER_FILTER=(&(objectclass=user)(memberOf=CN=ONDM*,OU=ONDM-IN,OU=APPS,dc=xxxx,dc=yyyy,dc=zzz,dc=com))
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=CN


Multiple Security Groups under OU: APPS/ONDM-IN

ONDM-ADMINS
ONDM-USERS-READONLY
ONDM-OPS

When running ARSLSYNC, we are able to pull all the groups under the OU whose names start with ONDM.
But we are not able to pull the users. It seems the memberOf attribute works at the DN level and does not allow a wildcard. If we provide the group name explicitly, we are able to get the users.

Has anyone done a similar setup? Kindly advise.

anandsivan

IBM suggested creating a common group in AD and making all the other groups members of this group, then using the common group to get all the users linked to the member groups via a nested query.

Common group name : ONDM-ALL

ARS_LDAP_USER_FILTER=(&(objectclass=user)(memberof:1.2.840.113556.1.4.1941:=CN=ONDM-ALL,OU=ONDM-IN,OU=APPS,dc=xxxx,dc=yyyy,dc=zzz,dc=com))
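The reason the first filter returned nothing and the second one works comes down to attribute syntax: memberOf holds distinguished names, and LDAP substring (wildcard) assertions are only defined for string-syntax attributes such as cn, so `(memberOf=CN=ONDM*,...)` can never match, while `memberOf:1.2.840.113556.1.4.1941:=` (the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule) walks group membership transitively from a single, fully specified group DN. The following Python model is an added example, written for this thread; it is not the poster's configuration, IBM's code, or a live query. It evaluates both filter forms against a constructed in-memory snapshot of the directory. The group names ONDM-ALL, ONDM-ADMINS, ONDM-USERS-READONLY and ONDM-OPS come from the thread; the user OU, the user names, the extra nested group ONDM-OPS-L2 and the unrelated FINANCE group are assumptions added to show multi-level nesting and non-matching entries.

```python
"""Added example: how AD evaluates memberOf with and without the
LDAP_MATCHING_RULE_IN_CHAIN extension (OID 1.2.840.113556.1.4.1941).
Runs against a constructed in-memory snapshot, not a live directory."""

BASE = "OU=ONDM-IN,OU=APPS,DC=xxxx,DC=yyyy,DC=zzz,DC=com"
USERS = "OU=Users,DC=xxxx,DC=yyyy,DC=zzz,DC=com"   # assumed user OU, not in the post


def group(name, members):
    return (f"CN={name},{BASE}",
            {"objectClass": {"top", "group"}, "cn": name, "member": set(members)})


def user(name):
    return (f"CN={name},{USERS}",
            {"objectClass": {"top", "person", "user"}, "cn": name,
             "sAMAccountName": name.lower()})


# Constructed directory: the three groups from the post, the common ONDM-ALL group
# IBM recommended, one assumed extra nesting level, an unrelated group and users.
DIRECTORY = dict([
    group("ONDM-ALL", [f"CN=ONDM-ADMINS,{BASE}",
                       f"CN=ONDM-USERS-READONLY,{BASE}",
                       f"CN=ONDM-OPS,{BASE}"]),
    group("ONDM-ADMINS", [f"CN=alice,{USERS}"]),
    group("ONDM-USERS-READONLY", [f"CN=bob,{USERS}", f"CN=carol,{USERS}"]),
    group("ONDM-OPS", [f"CN=ONDM-OPS-L2,{BASE}"]),      # a group nested in a group
    group("ONDM-OPS-L2", [f"CN=dave,{USERS}"]),
    group("FINANCE", [f"CN=erin,{USERS}"]),              # outside the ONDM* set
    user("alice"), user("bob"), user("carol"), user("dave"), user("erin"),
])


def dn_equal(a: str, b: str) -> bool:
    """AD compares DNs case-insensitively; also ignore spacing around commas."""
    def norm(s):
        return ",".join(p.strip() for p in s.split(",")).casefold()
    return norm(a) == norm(b)


def direct_member_of(dn: str) -> set[str]:
    """memberOf is the back-link of member: every group whose member list holds dn."""
    return {g for g, a in DIRECTORY.items()
            if "group" in a["objectClass"]
            and any(dn_equal(m, dn) for m in a["member"])}


def chain_member_of(dn: str) -> set[str]:
    """What matching rule 1.2.840.113556.1.4.1941 evaluates: the transitive
    closure of memberOf (groups dn is in, groups those groups are in, ...)."""
    seen, todo = set(), [dn]
    while todo:
        for g in direct_member_of(todo.pop()):
            if g not in seen:          # visited set keeps a membership cycle finite
                seen.add(g)
                todo.append(g)
    return seen


def users_matching_memberof(value: str, nested: bool = False) -> set[str]:
    """Emulate (&(objectClass=user)(memberOf=value)) or, with nested=True,
    (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=value)).
    Returns the sAMAccountName of every matching user."""
    if "*" in value:
        # memberOf has DN syntax. Substring (wildcard) matching is defined only
        # for string syntaxes, so the assertion is unsatisfiable and the search
        # returns no entries, which is what the poster observed.
        return set()
    hits = set()
    for dn, attrs in DIRECTORY.items():
        if "user" not in attrs["objectClass"]:
            continue
        groups = chain_member_of(dn) if nested else direct_member_of(dn)
        if any(dn_equal(g, value) for g in groups):
            hits.add(attrs["sAMAccountName"])
    return hits


def groups_with_cn_prefix(prefix: str) -> set[str]:
    """Emulate (&(objectClass=group)(cn=PREFIX*)): cn is a string attribute, so
    the wildcard is valid here, which is why the group side of the sync worked."""
    return {a["cn"] for a in DIRECTORY.values()
            if "group" in a["objectClass"]
            and a["cn"].upper().startswith(prefix.upper())}


if __name__ == "__main__":
    print("groups cn=ONDM*      :", sorted(groups_with_cn_prefix("ONDM")))
    print("memberOf=CN=ONDM*    :", users_matching_memberof(f"CN=ONDM*,{BASE}"))
    print("memberOf=ONDM-ADMINS :", users_matching_memberof(f"CN=ONDM-ADMINS,{BASE}"))
    print("memberOf=ONDM-ALL    :", users_matching_memberof(f"CN=ONDM-ALL,{BASE}"))
    print("chain   =ONDM-ALL    :",
          users_matching_memberof(f"CN=ONDM-ALL,{BASE}", nested=True))
```

Note the plain `memberOf=CN=ONDM-ALL,...` form returns no users even after the common group exists, because no user is a direct member of ONDM-ALL; only the chain rule reaches alice, bob, carol and dave through the intermediate groups. Two practical caveats when putting this into ars.cfg: the chain rule can be expensive on large directories, so scope the search with the narrowest base DN that still contains the users, and it follows member/memberOf only, so a user whose only link is the primaryGroupID of one of these groups is not returned.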