Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Obtaining authorization AD attributes about the parent OU of an AD object


Hi,

My goal is to store information in Active Directory OU attributes and use that information in CPPM role mappings for user or computer authorization. I know it's possible to add attributes by modifying the authentication source for user and computer attributes. But there is no LDAP filter to query an object's parent OU. I didn't find an easy solution to obtain those attributes of the parent OU of a user or computer object.

Best Regards

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Obtaining authorization AD attributes about the parent OU of an AD object

A user or computer's OU will be present in the UserDN attribute (default). You can use ENDS_WITH or CONTAINS operators with that attribute.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Obtaining authorization AD attributes about the parent OU of an AD object

Thank you for your reply Tim, but I am interested in comparing or using information stored in those OU attributes (not only the name) for later use in profiles. A solution would be:

- Extracting the OU from the UserDN with a dummy SQL SUBSELECT regex
- Store it as an endpoint attribute
- Modifying the authentication source to check the endpoint's OU attribute by using an LDAP filter which returns the OU attribute

Is there anything easier than this?

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Obtaining authorization AD attributes about the parent OU of an AD object

What attributes would be stored “in” an OU? I’m confused. Please provide examples.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Obtaining authorization AD attributes about the parent OU of an AD object

So an example would be storing a VLAN-ID in one of the OUs and using this information in an enforcement profile. I know this could also be done easily with group membership or with separate rules checking if UserDN ends with 'OU=...,OU=...DC=..' for each role / VLAN profile.

One of my customers would like to segment his clients into 50 or more VLANs, and the OUs will very likely change over time. With such a solution, maintaining the network segmentation would be an easy task for an average AD administrator without touching CPPM.
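The mechanics discussed in this thread (Tim's UserDN ENDS_WITH suggestion, the three-step "extract the OU, store it, query the OU's attribute" idea, and the VLAN-ID-on-an-OU example) can be walked through in code. The block below is an added, constructed example, not ClearPass/CPPM code or anything posted in the thread: it parses a user or computer DN into RDNs, derives the parent OU DN, checks an ENDS_WITH rule on RDN boundaries (and shows why a plain CONTAINS substring test over-matches), builds an RFC 4515-escaped LDAP filter that returns exactly the parent OU entry, and resolves a VLAN value from an in-memory stand-in for the directory. The OU table and the attribute name `customVlanID` are placeholders; the thread never names the schema-extended attribute, and the extraction is done here in Python rather than with the SQL SUBSELECT regex the original poster mentions.

```python
"""Constructed example (not ClearPass/CPPM code): derive the parent OU of an
AD user or computer from its DN, test the UserDN ENDS_WITH idea safely, and
look up an attribute stored on that OU.  The OU table and the attribute name
'customVlanID' are placeholders; the thread never names the schema attribute."""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (RFC 4514), so 'CN=Doe\\, Jane' is kept as one RDN."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur).strip())
    return parts


def parent_ou_dn(dn):
    """Drop the leaf RDN (the object's CN) and return the container's DN."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError('DN has no parent container: %r' % dn)
    return ','.join(rdns[1:])


def dn_ends_with(dn, suffix):
    """ENDS_WITH on whole RDN boundaries, case-insensitive like AD.
    Unlike a plain substring CONTAINS check, 'OU=Sales,...' does not
    match an object living in 'OU=SalesTemp,...'."""
    rdns = [r.lower() for r in split_dn(dn)]
    want = [r.lower() for r in split_dn(suffix)]
    return len(want) <= len(rdns) and rdns[-len(want):] == want


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def ou_lookup_filter(dn):
    """Filter that returns exactly the parent OU entry, whose attributes the
    authentication source can then expose to role mapping."""
    return '(&(objectClass=organizationalUnit)(distinguishedName=%s))' % (
        ldap_filter_escape(parent_ou_dn(dn)))


# Constructed stand-in for the directory: OU DN (lower-cased) -> attributes.
OU_ATTRIBUTES = {
    'ou=sales,dc=corp,dc=example': {'customVlanID': '120'},
    'ou=workstations,ou=berlin,dc=corp,dc=example': {'customVlanID': '350'},
}


def vlan_for_object(dn, attr='customVlanID'):
    """Resolve the object's parent OU and return the VLAN stored on it,
    or None when the OU carries no such attribute."""
    entry = OU_ATTRIBUTES.get(parent_ou_dn(dn).lower(), {})
    return entry.get(attr)


if __name__ == '__main__':
    for dn in ('CN=Doe\\, Jane,OU=Sales,DC=corp,DC=example',
               'CN=pc01,OU=Workstations,OU=Berlin,DC=corp,DC=example',
               'CN=tmp,OU=SalesTemp,DC=corp,DC=example'):
        print(dn, '->', parent_ou_dn(dn), 'VLAN', vlan_for_object(dn))
        print('  ENDS_WITH Sales OU:',
              dn_ends_with(dn, 'OU=Sales,DC=corp,DC=example'))
        print('  filter:', ou_lookup_filter(dn))
```

Two points the code makes that matter for a deployment of this idea: the ENDS_WITH comparison must respect RDN boundaries and case (a CONTAINS rule on `OU=Sales` also matches `OU=SalesTemp`), and any DN component fed into a filter needs RFC 4515 escaping, or an OU name containing `(`, `)`, `*` or a backslash silently breaks the query.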

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Obtaining authorization AD attributes about the parent OU of an AD object

But my question is how are you storing a VLAN ID in an OU? That’s not a direct function of an OU.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Obtaining authorization AD attributes about the parent OU of an AD object

[attached screenshot: Lync.jpeg]

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Obtaining authorization AD attributes about the parent OU of an AD object

So you’re adding custom attributes inside AD?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Obtaining authorization AD attributes about the parent OU of an AD object

With ADSI Edit or simply using the attribute editor in the ADUC snap-in:

[attached screenshot: Lync.jpeg]

For extending the schema, see this post:

https://social.technet.microsoft.com/Forums/office/en-US/50b728b8-e706-4800-8b3d-94d11042337b/ad-schema-extension-add-new-attribute-to-an-ou-instead-of-users?forum=winserverDS

 

Occasional Contributor II
Posts: 15
Registered: ‎06-21-2016

Re: Obtaining authorization AD attributes about the parent OU of an AD object

cappalli wrote:
So you're adding custom attributes inside AD?

Yes.
