08-05-2014 11:30 PM
Any secret back door method allowing me to join CPPM to a specific OU in a domain?
I have a client who has some strict security permissions and we need to specify the OU in order to be allowed to join CPPM to domain.
08-06-2014 01:50 AM
No secret back door ;-)
Domain joins typically have two parts: the join to do EAP-MSCHAPv2 (not required for TLS) and the LDAP connection to fetch user information (like group membership).
For the domain join, I found two methods that seem to work:
1) Join the domain in the normal way, then move the created computer account to the OU or folder that you want.
2) Manually create a computer account with the hostname of the ClearPass server in the desired OU, and then join. If the names between your ClearPass server and the created Computer object in AD match, that object will be used. I have seen situations where local administrators were able to create the computer account in their OU, and then ClearPass could be joined by that administrator.
For the LDAP connection, you can have an account created with read rights on the objects and attributes that you need in your authentication, in many cases that will be the user folders/object and group folders/objects. Use that account in your authentication source. The AD administrators should know how to create such an account.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
08-06-2014 10:19 PM
You cannot in the GUI, but you can in the CLI. I will open a ticket and get it added to the GUI. :)
We can do this by using the CLI command ad netjoin.
[appadmin@etips150]# ad netjoin
ERROR - Insufficient arguments to proceed
netjoin <domain-controller.domain-name> [domain NETBIOS name] [domain REALM name] [ou=<object container>]
domain NETBIOS name -- NETBIOS name of the domain. You can specifiy this arugment if the derived
NETBIOS name is different from the actual. This is an optional argument.
domain REALM name -- Domain REALM name. You can specify this argument
if the derived REALM is different from the actual. This is an optional
ou=<object container> -- Specify the Object Container if the computer account has to be created in a different OU.
For example 'ou=Domain Computer' OR 'ou=Domain Computer+Linux Hosts'. Note the usage
of separator '+' to specify the OU hierarchy.
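As an added example (not ClearPass code and not from either poster), the helper below prepares the two approaches from this thread from a single input, the distinguished name of the target OU: for the "pre-create the computer object in the desired OU" method it derives the names the staged AD computer object must carry so the join reuses it, and for the CLI method it turns the DN into the '+'-separated argument that the ad netjoin help text describes. Two things are assumptions rather than facts from the thread: that the CLI example 'ou=Domain Computer+Linux Hosts' lists the parent OU first (the order a DN reverses), and that the staged computer object uses the conventional AD naming (sAMAccountName is the upper-cased short hostname plus '$', dNSHostName is host.domain). The hostnames and DNs in the block are constructed sample values.

```python
"""Stage a ClearPass (CPPM) domain join into a specific OU.

Added example, not ClearPass or Aruba code. Assumptions are marked in comments.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs.

    A backslash-escaped comma (e.g. 'OU=Servers\\, Linux') is part of the
    value, not a separator, so the DN is walked character by character.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True          # next character is literal
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def ou_hierarchy(dn: str) -> List[str]:
    """Return OU names top-down. A DN lists the leaf OU first, so reverse."""
    ous = [value for attr, value in split_dn(dn) if attr == "ou"]
    if not ous:
        raise ValueError(f"no OU component in {dn!r}")
    return list(reversed(ous))


def netjoin_ou_argument(dn: str) -> str:
    """Build the ou=<container> argument in the CLI's '+'-separated syntax.

    Assumption: parent OU first, as in the help text's example
    'ou=Domain Computer+Linux Hosts'. An OU whose own name contains '+'
    cannot be expressed in that syntax, so it is rejected rather than
    silently producing a different container.
    """
    names = ou_hierarchy(dn)
    for name in names:
        if "+" in name:
            raise ValueError(f"OU name {name!r} contains the CLI separator '+'")
    return "ou=" + "+".join(names)


def domain_from_dn(dn: str) -> str:
    """Join the DC components into the DNS domain name."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "dc")


def staged_computer_names(hostname: str, ou_dn: str) -> dict:
    """Names for a pre-created computer object so the join reuses it.

    Assumption: conventional AD computer-account naming (short hostname
    upper-cased, sAMAccountName with a trailing '$', dNSHostName host.domain).
    """
    short = hostname.split(".")[0]
    domain = domain_from_dn(ou_dn)
    return {
        "name": short.upper(),
        "sAMAccountName": short.upper() + "$",
        "dNSHostName": f"{short.lower()}.{domain}",
        "distinguishedName": f"CN={short.upper()},{ou_dn}",
    }


def netjoin_command(dc_fqdn: str, ou_dn: str, netbios: str = "", realm: str = "") -> str:
    """Assemble the CLI line from the help text's argument order.

    The optional NETBIOS and REALM positionals are emitted only when given;
    whether they may be omitted together with ou= is not stated on the page.
    """
    args = [dc_fqdn]
    if netbios:
        args.append(netbios)
    if realm:
        args.append(realm)
    args.append(f"'{netjoin_ou_argument(ou_dn)}'")
    return "ad netjoin " + " ".join(args)


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    target_ou = "OU=Linux Hosts,OU=Domain Computer,DC=example,DC=com"
    print(staged_computer_names("cppm01.example.com", target_ou))
    print(netjoin_command("dc1.example.com", target_ou))
```

Feed it the DN of the OU the AD team has delegated to you and compare the staged object's sAMAccountName and dNSHostName with what the ClearPass host reports; a mismatch is the usual reason the join creates a second object in the default Computers container instead of reusing the one in the OU.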