[Defect?] LDAP Import - "User Options -> Organizations -> Member Of" not working?

[samwoo]

Good afternoon,

I am updating our LDAP Import configurations to take into account the Members of our Wards, and I am utilizing the "User Options -> Organizations" to assign them to the relevant Hornbill Org.

https://docs.hornbill.com/data-imports-guide/users/ldap/configuration#user-options (Scroll down to the Organizations sub-section)

I can confirm these members are a part of the LDAP Groups specified by supplying the Distinguished Name value from AD into the "Member Of" fields, but when running the Import, it states that these users are not a member of any AD Groups and cannot therefore assign them to the "Organization" in Hornbill.

I am using an account that has full access to Active Directory, and when running the LDAP query using PowerShell with that account, I can see the AD Groups these Members are a part of.

I wonder if this is a defect within the LDAP Import Tool - please can someone have a look.

Here is a screenshot showing a part of my configuration - we've taken into account all potential groups. (The reason I am using Department, is so this information shows up in the Co-Worker Search)
#

Thee messages in the log file:

Yet these users are clearly members of AD Groups.

Thanks,

Samuel Wood

[Joshua Howitt]

Hi @samwoo,

I've had a look on our end and haven't managed to recreate the same issue. Could you please confirm that the Member Of values that you are importing match exactly what Hornbill will be expecting?

Best,

Josh
 

[SamS]

Hi @samwoo,

I didn't think it mattered (and it MIGHT not), but could you please add "memberof" as an attribute to the Atrributes-list in the "LDAP Query"-section on the "LDAP Server"-tab.

Please keep it all lowercase (i.e. "memberof") and see what happens. IF "memberOf" (notice the camel-caps) is already listed, please remove that version (and for completeness, "memberOf" might also be tested).

Please let us know the results.

[samwoo]

Hi @Joshua Howitt and @SamS,

I am using this LDAP Filter currently:

(& 
	(objectClass=user) 
	(objectCategory=person) 
	(!
		(SamAccountName=L7*)
	) 
	(memberOf=CN=Members,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
)

So, everything inside the Members group is what I want to be included already.

The Members in these groups are also a part of other AD Groups as well which determines who they represent - so I might be getting the wrong end of the stick, but it sounds like I need to create individual Imports for each potential group after they accounts have already been processed by the initial Members import? 

Or are you saying I need to include each of the other AD Groups inside the LDAP Filter, alongside the one I have above, like this?

(&
	(objectClass=user)
	(objectCategory=person)
	(!
		(SamAccountName=L7*)
	)
	(|
		(memberOf=CN=Members,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
		(memberOf=CN=Conservative Group,OU=REDACT,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
		(memberOf=CN=Labour Group,OU=REDACT,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
		(memberOf=CN=Liberal Democrat Group,OU=REDACT,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
		(memberOf=CN=Independent Group,OU=REDACT,OU=REDACT,OU=REDACT,DC=REDACT,DC=REDACT,DC=REDACT)
	)
)

 

[samwoo]

@SamS - Sorry I misread what you meant, now I got it and will give it a try

[samwoo]

Hi @SamS and @Joshua Howitt,

Good news, adding in memberof as an attribute made it work, yay!

docs.hornbill.com doesn't make this clear (at least how I'm reading it) so might be worth updating it to reflect this?

Also I didn't need to include each of the memberOf in the main LDAP Filter, I just needed the one that references users who are in the Members group, and it was still able to iterate through each of the Groups the user was a "memberof" and check if they are a part of any of the ones specified in the Data Import Config, and if there is a match, then associate them with that Org.

Thanks for both of your help!

[Steve Giller]

I think this is the section that is intended to convey that requirement: