Operations Orchestration Practitioners Forum

LDAP configuration

Honored Contributor.

LDAP configuration

Hello all!

I've got some trouble with the LDAP configuration of HP OO.

I have users in AD: OU=Corp users,OU=Corp_TST,DC=zxcv,DC=com

I have user groups in AD: OU=Corp groups,OU=Corp_TST,DC=zxcv,DC=com

Using filter CN={0},OU=123,OU=Corp users,OU=Corp_TST,DC=zxcv,DC=com I can find users, but I can't find their groups with filter member=CN={1},OU=Corp groups,OU=Corp_TST,DC=zxcv,DC=com.

Where did I make a mistake?


Here is the conf:


List of LDAP contexts containing user groups... - OU=Corp groups,OU=Corp_TST,DC=zxcv,DC=com

LDAP search filter that tries to match the user groups - member=CN={1},OU=Corp groups,OU=Corp_TST,DC=zxcv,DC=com

Attribute of any group (returned from the group search), to use as group name. - name

List of LDAP contexts containing users. - CN={0},OU=123,OU=Corp users,OU=Corp_TST,DC=zxcv,DC=com

List of user context attribute names which can be used as groups. - empty

LDAP search filter used in the user search - (&(objectClass=person)(|(sAMAccountName={0})(uid={0})))

The default group an LDAP authenticated user... - Everybody

An internal OO account representing a user that has search capabilities under AD/LDAP. - cn=adm,ou=corp,DC=zxcv,DC=com

AD Domain - zxcv

Frequent Contributor.

Re: LDAP configuration

I will admit it has been a while since I have dug into our OO AD authentication settings. However, I do know that we had issues because our user DNs contained special characters (or was it commas). I am not sure what version of OO you are using, but you might want to contact HP support for the hotfix.


The configuration was driving me crazy until I got ahold of that hotfix. 


I could use the "AD Deprecated" settings, but not the "LDAP settings" if I remember correctly.


Good luck!


Frequent Contributor.

Re: LDAP configuration

You need to correct your filter
"LDAP search filter that tries to match the user groups"

Are you trying to make that user a member of all the groups under OU=Corp groups?
If yes, try using a filter: (sAMAccountName=*)
If not, which I am assuming should be the case, you can add multiple filters like: (sAMAccountName=Domain Users), where Domain Users is the AD group under Corp groups.

Frequent Contributor.

Re: LDAP configuration

Once you get all your LDAP/AD filters and settings sorted out, there is one additional bit you need to configure.
Make sure whatever group name you are pulling out of LDAP/AD, also exists in OO!

You will find the specific section here (as an OO admin user):
* OO Central > Administration > Manage Groups
* Click "Add New Group"
* Fill out the details in the 1st & 2nd tabs
* Fill out the group you are mapping against from LDAP in the 3rd tab
* Click "Create Group", and you're done!

This will resolve issues where your config "tests" clean, but the LDAP authenticated users keep getting mapped to the "Everyone" group.
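
The following is an added example, not code from any poster or from HP OO. It shows how a `member=` group filter is compared against the full member DNs that AD stores on a group, and how special characters in a name are escaped for a filter per RFC 4515. It assumes `{1}` is replaced with the user's name; the group entries, group names and user names are constructed sample data.

```python
import re

# Constructed sample data: AD stores each member of a group as a full DN.
USER_BASE = "OU=123,OU=Corp users,OU=Corp_TST,DC=zxcv,DC=com"
GROUP_BASE = "OU=Corp groups,OU=Corp_TST,DC=zxcv,DC=com"
GROUPS = [
    {"name": "OO_Admins", "member": ["CN=jdoe," + USER_BASE]},
    {"name": "OO_Ops", "member": ["CN=Smith (ops)," + USER_BASE]},
]

def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515: \\ * ( ) and NUL."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape_filter_value(value):
    """Reverse RFC 4515 \\XX escapes, as a directory server would."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)

def expand(template, user_name):
    """Fill in the placeholder. Assumption: {1} carries the user's name."""
    return template.replace("{1}", escape_filter_value(user_name))

def groups_matching(filter_str):
    """Evaluate one attr=value equality filter against GROUPS."""
    attr, value = filter_str.strip("()").split("=", 1)
    wanted = unescape_filter_value(value).lower()  # DN match ignores case
    return [g["name"] for g in GROUPS
            if any(dn.lower() == wanted for dn in g.get(attr, []))]

# Filter template as posted: the member DN is built under the groups OU.
AS_POSTED = "member=CN={1}," + GROUP_BASE
# Same template, but with the DN built under the OU that holds the users.
USER_OU = "member=CN={1}," + USER_BASE

if __name__ == "__main__":
    for template in (AS_POSTED, USER_OU):
        for user in ("jdoe", "Smith (ops)"):
            f = expand(template, user)
            print(f, "->", groups_matching(f))
```

With this sample data, the template that builds the member DN under the groups OU matches no group, because the stored member values are user DNs under the users OU.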