03-29-2017 07:42 AM - edited 03-29-2017 10:01 AM
My goal is to store information in Active Directory OU attributes and use that information in CPPM role mappings for user or computer authorization. I know it's possible to add attributes by modifying the authentication source for user and computer attributes. But there is no LDAP filter to query an object's parent OU. I didn't find an easy solution to obtain those attributes of the parent OU of a user or computer object.
03-29-2017 07:57 AM
03-29-2017 08:08 AM - edited 03-29-2017 08:10 AM
Thank you for your reply Tim, but I am interested in comparing or using information stored in those OU attributes (not only the name) for later use in profiles. A solution would be:
- Extracting the OU from the UserDN with a dummy SQL SUBSELECT regex
- Storing it as an endpoint attribute
- Modifying the authentication source to check the endpoint's OU attributes by using an LDAP filter which returns the OU attribute
Is there anything easier than this?
03-29-2017 08:50 AM
03-29-2017 10:15 AM
So an example would be storing a VLAN-ID in one of the OUs and using this information in an enforcement profile. I know this could also be done easily with group membership or with separate rules checking if UserDN ends with 'OU=...,OU=...DC=..' for each role / VLAN-profile.
One of my customers would like to segment his clients into 50 or more VLANs, and the OUs will very likely change over time. With such a solution, maintaining the network segmentation would be an easy task for an average AD administrator without touching CPPM.
03-29-2017 10:19 AM
03-29-2017 11:04 AM
With ADSI Edit, or simply using the Attribute Editor in the ADUC snap-in:
For extending the schema, see this post:
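Added example, not code from the thread: a PowerShell function (assumes the RSAT ActiveDirectory module; the attribute name is a placeholder for whatever custom or existing attribute holds the VLAN-ID) that finds a user's or computer's parent OU and reads the value from it, walking up the OU chain until one is set. This is the "parent OU" lookup that the CPPM LDAP filter cannot express directly, so it is useful for verifying what an administrator set on the OU before building the role mapping.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
# $AttributeName is a placeholder: use your custom schema attribute, or 'description' for testing.
Import-Module ActiveDirectory

function Get-ParentOuAttribute {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$AttributeName = 'description'   # placeholder attribute holding the VLAN-ID
    )
    # Computers have a trailing '$' in sAMAccountName; the filter matches users or computers.
    $filter = "(&(|(objectClass=user)(objectClass=computer))(sAMAccountName=$SamAccountName))"
    $obj = Get-ADObject -LDAPFilter $filter -Properties distinguishedName
    if (-not $obj) { throw "No user or computer named '$SamAccountName'" }

    # Drop the leading RDN (respecting escaped '\,') to get the parent DN,
    # then walk upwards while the parent is still an OU.
    $parentDn = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
    while ($parentDn -match '^OU=') {
        $ou = Get-ADObject -Identity $parentDn -Properties $AttributeName
        $value = $ou.$AttributeName
        if ($value) {
            # Nearest OU with a value wins, so a sub-OU can override its parent.
            return [pscustomobject]@{
                Object   = $obj.DistinguishedName
                SourceOu = $parentDn
                Value    = $value
            }
        }
        $parentDn = ($parentDn -split '(?<!\\),', 2)[1]
    }
    return $null   # no OU in the chain carries the attribute
}

# The AD administrator sets the value once on the OU (constructed sample DN and VLAN-ID):
# Set-ADObject -Identity 'OU=Finance,OU=Clients,DC=example,DC=com' -Replace @{ description = '120' }
# Any object below that OU then resolves to it:
Get-ParentOuAttribute -SamAccountName 'PC-FIN-01$' | Format-List
```

Because the value is inherited by walking up the chain, moving a computer to another OU changes its VLAN without any CPPM rule edits, which is the maintenance model the question describes.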