LDAP Sync - Multiple AE Domains for single client

I've got LDAP Sync functioning properly in my v11.2 system and have multiple group mappings that are all working successfully. 

Does anyone know if/how you can assign different AE domains/depts to the same users?

For instance, if I want a single user to have Read/Execute access normally but be able to log in with the same ID but a different AE domain/dept to do any modifications.

Example:
User: TEST  DEPT: RE
User: TEST  DEPT: EDIT



<Configuration>
    <Schema baseDN="OU=AUTOMIC,OU=Users and Groups,DC=mycompany,DC=com"
            userDN=""
            groupDN=""
            updateDn="true"/>

    <AE userDomain="RE"
        autoDeactivateUsers="True"/>

    <GroupMappings>
        <map ae="READ_EXECUTE" ldap="AUTOMIC_READ_EXECUTE" />
    </GroupMappings>
</Configuration>


Thanks for any and all help! 

Answers

  • Antoine Sauteron (Vienna) Automic Moderator, Team Automic Posts: 870 mod
    Hi @Jim Griffith ,

    A user should belong to one department / domain at a time.
    What you can do, however, is create a TEST/RE user, and another TEST/EDIT user.

    Hope this helps.

    Best regards,
    Antoine
    EMEA Support: +43 57 080 90
    support@automic.com


  • Jim Griffith Posts: 9 Explorer ✭✭
    Accepted Answer
    Thanks Antoine. However, that scenario doesn't allow a single user to have different accounts in Automic with different levels of access and still use their AD credentials, unless they have a normal user and an elevated user in AD. A user that just monitors processes 90% of the time doesn't need modify access 100% of the time, or even admin-type access if they have tasks that require that level.

    I was able to find a way to do this by creating multiple LDAPSync.xml files. Each LDAPSync XML file would reference a different directory for the client XML files. Then I call each specific LDAPSync XML file from the command line. The user would need to be a member of multiple AD groups. In my example, the user is a member of the automic_read_only and automic_write_access groups in AD.



    Example:

    LDAPSync_<client>_<access>.xml

    LDAPSync_1_RO.xml:

        <Clients path="1_RO" default="defaults.xml"/>

    Client_1.xml inside the 1_RO folder:

        <AE userDomain="RO"
            autoDeactivateUsers="true"
        />

        <GroupMappings>
            <map ae="Read_Only" ldap="automic_read_only" />
        </GroupMappings>

        java -jar ldap-sync-1.0.7.jar -config LDAPSync_1_RO.xml -cl "1"

    This creates users as <user>/RO with the READ_ONLY user group.


    LDAPSync_1_WRITE.xml:

        <Clients path="1_WRITE" default="defaults.xml"/>

    Client_1.xml inside the 1_WRITE folder:

        <AE userDomain="WRITE"
            autoDeactivateUsers="true"
        />

        <GroupMappings>
            <map ae="WRITE_ACCESS" ldap="automic_write_access" />
        </GroupMappings>

        java -jar ldap-sync-1.0.7.jar -config LDAPSync_1_WRITE.xml -cl "1"

    This creates users as <user>/WRITE with the WRITE_ACCESS user group.


    This way the user would log in as <user>/RO for 90% of their job and, if they need to make a change, open a new instance of the user interface and log in as <user>/WRITE.

    The other thing to note is that each AE domain (Dept) will need a UC_LDAP_<DEPT> VARA in Client 0 with the LDAP connection information.
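The per-domain layout in the accepted answer works, but it means two Client_1.xml files that must stay in step by hand, and a stray edit to the RO folder's file is all it takes to hand the <user>/RO identity write rights. The following Python script is an added example, not code from the post or from Automic: it generates one Client_1.xml per AE domain in the <client>_<DOMAIN> folder structure described above, audits each file before sync (domain matches its folder, autoDeactivateUsers is set, only the one mapping that domain is allowed to have), and emits the per-domain ldap-sync commands. Only the <Configuration>/<AE>/<GroupMappings> shape and the jar name come from the thread; the policy table, the folder root, the audit rules and the drift scenario are assumptions. It does not and cannot check the UC_LDAP_<DEPT> VARA in Client 0, which still has to exist for every domain.

```python
"""Per-domain Automic LDAP Sync client configs: generate, audit, run.

Added example, not Automic's tool code. Only the <Configuration>/<AE>/
<GroupMappings> shape and the jar name come from the thread; the policy,
paths and audit rules are assumptions for illustration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed policy: the single AD group each AE domain may map to and the
# AE user group it may grant. Any other mapping in a file is a finding.
DOMAIN_POLICY = {
    "RO":    {"ldap": "automic_read_only",    "ae": "READ_ONLY"},
    "WRITE": {"ldap": "automic_write_access", "ae": "WRITE_ACCESS"},
}
CLIENT = "1"
SYNC_JAR = "ldap-sync-1.0.7.jar"   # jar name from the post; location assumed


def client_xml(domain, ldap_group, ae_group):
    """Client_<n>.xml text in the shape shown in the thread."""
    return (
        "<Configuration>\n"
        f'    <AE userDomain="{domain}" autoDeactivateUsers="true"/>\n'
        "    <GroupMappings>\n"
        f'        <map ae="{ae_group}" ldap="{ldap_group}"/>\n'
        "    </GroupMappings>\n"
        "</Configuration>\n"
    )


def write_configs(root, policy=DOMAIN_POLICY, client=CLIENT):
    """Create <root>/<client>_<DOMAIN>/Client_<client>.xml for each domain."""
    paths = []
    for domain, spec in policy.items():
        folder = os.path.join(root, f"{client}_{domain}")
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, f"Client_{client}.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(client_xml(domain, spec["ldap"], spec["ae"]))
        paths.append(path)
    return paths


def audit_config(path, policy=DOMAIN_POLICY):
    """Return findings for one client config; an empty list means it is safe."""
    findings = []
    # The folder name <client>_<DOMAIN> is the only link between the
    # LDAPSync_<client>_<DOMAIN>.xml file and the domain it should create.
    folder_domain = os.path.basename(os.path.dirname(path)).partition("_")[2]
    root = ET.parse(path).getroot()
    ae = root.find("AE")
    if ae is None:
        return ["missing <AE> element"]
    domain = ae.get("userDomain")
    if domain != folder_domain:
        findings.append(f"userDomain {domain!r} does not match folder domain {folder_domain!r}")
    # Without autoDeactivateUsers the elevated <user>/WRITE account survives
    # removal from the AD group, which defeats the point of the split.
    if (ae.get("autoDeactivateUsers") or "").lower() != "true":
        findings.append("autoDeactivateUsers is not true")
    allowed = policy.get(domain)
    for m in root.iter("map"):
        if allowed is None or (m.get("ae"), m.get("ldap")) != (allowed["ae"], allowed["ldap"]):
            findings.append(
                f"mapping {m.get('ldap')!r} -> {m.get('ae')!r} not allowed for domain {domain!r}"
            )
    return findings


def sync_commands(policy=DOMAIN_POLICY, client=CLIENT, jar=SYNC_JAR):
    """One ldap-sync run per domain, as the post invokes it by hand."""
    return [
        f'java -jar {jar} -config LDAPSync_{client}_{domain}.xml -cl "{client}"'
        for domain in policy
    ]


def run_demo():
    """Write both configs to a temp dir, audit them, then simulate drift
    (the RO folder's file mapping the write group) and audit again."""
    root = tempfile.mkdtemp(prefix="ldapsync_")
    paths = write_configs(root)
    clean = {p: audit_config(p) for p in paths}
    ro_path = next(p for p in paths
                   if os.path.basename(os.path.dirname(p)) == f"{CLIENT}_RO")
    with open(ro_path, "w", encoding="utf-8") as fh:
        fh.write(client_xml("RO", "automic_write_access", "WRITE_ACCESS"))
    drifted = audit_config(ro_path)
    return {"paths": paths, "clean": clean, "drifted": drifted}


if __name__ == "__main__":
    result = run_demo()
    for p, f in result["clean"].items():
        print(p, "OK" if not f else f)
    print("after drift:", result["drifted"])
    for cmd in sync_commands():
        print(cmd)
```

Running the audit just before the two sync commands, and aborting if any finding comes back, keeps the <user>/RO identity read-only even if someone edits the wrong Client_1.xml; the drift branch in run_demo shows the finding that would block the sync.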