Importing Enterprice Groups into CMA4000

Anonymous · ‎02-10-2012

We are busy installing a CMA4000 and RMX1500. I configured the CMA to Integrate into our AD with LDAP. I need to add a specific AAD Group to the CMA as only people in this group should be able to use CMA Desktop. But if I try to Import a group I get an error that it can't find any groups. As soon as I insert the BaseDN it blocks AD Authentication. The BaseDN should be: OU=Groups,OU=Johannesburg,DC=toyota,DC=co,DC=za and the group name is CMA Desktop JHB. Any Ideas?

simons3 · ‎02-10-2012

Wessel,

The Base DN is used for every LDAP/AD query in the CMA. This tells the CMA where the stating point to start searching within LDAP/AD. This will limit the search to only users and groups below the base dn. Typically the base dn is used to the domain level in order to restrict the ldap search to a particular domain in a group of domains.

In your case, if you want to restrict users for CMAD access, then you need to add an exclusion filter. By adding a exclusion filter and changing the syntax a bit, you will make it an inclusion filter. This states if you are in this group, then you have access. I have attached a quick guide to help you understand this process.

btw - make sure you are using Universal groups which are the only groups supported ont he CMA. Universal groups get indexed by the global catalog servers and makes it easier to search across multiple domains.

S.

Anonymous · ‎02-13-2012

Thanks for the assistance, I changed the group to be a Universal group and I can now see it in CMA. I've put in the exclusion as you sugessted but any user on AD can still log into CMA Desktop. Any Ideas? Only Users in the CMADJHB group should be able to use the Desktop client. In the screen shot I'm showing the filter.

simons3 · ‎02-13-2012

It looks like you have everything setup correctly. The filter basically tells the CMA to only allow any user in the CMADJHB group access.

1) Make sure the CMADJHB groups is also a Universal group.

2) Try rebooting the CMA

3) Can users outside this group log into the CMA?

4) You may need to contact support to get a deeper understanding of this issue, may be a bug.

S.

Anonymous · ‎08-08-2012

Interesting reading, I have exactly the same issue. I have CMA 6.01with Base DN setting (tried with and without this) and ! exclusion filter describing to groups and this has passed the built in syntax check.

It all looks simple enough and the logic is sound, but it just doesn't work in that any user can get DMC-D and then login. This isn't an issue for me yet, but its not doing what it should.

as you say.... may be a bug.

I shall monitor this post, thanks

Create an account on the HP Community to personalize your profile and ask a question