Locating memberOf Groups How To Guide

From Swivel Knowledgebase
Revision as of 12:52, 11 May 2017 by Admin (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


Overview

On large installations where other teams take care of directory management, it is often the case that other user groups are added to PINsafe groups which are used by PINsafe.

Despite removing a user from a Repository Group defined within PINsafe, the user still remains within PINsafe after a user sync. This is due to being referenced by a group which is a member of the defined group.

So whilst a user is no longer directly a member of the group defined for use by PINsafe, the user is still synced in because the user is a member of the group contained within the group referenced by PINsafe.

It can become difficult to quickly tell which of the groups a user is a member of is responsible for the user still being synced into PINsafe.

This article demonstrates an easy way to find which groups are members of the defined PINsafe group, so that you may compare those groups with the groups you know a member still belongs to.


Symptoms

User still appears in PINsafe after a User Sync, despite having been removed from the group defined under Repository -> Groups.


Prerequisites

  • We recommend the use of third-party software from Softerra called LDAP Browser. This is available as freeware and as a commercial paid-for product. Available here: http://www.ldapbrowser.com/
  • You will need the credentials that PINsafe uses to bind to the particular repository that the user belongs to. These are already listed under the Repository definition within PINsafe, but you will need to know the password;
  • You will require network access to the Repository server, e.g. Active Directory or LDAP, using the same network details defined on the Repository configuration screen within PINsafe.


Solution

  • Using Softerra LDAP Browser, define a new profile/connection to the LDAP or Active Directory server;
  • As you expand the directory structure, Softerra will begin to retrieve and cache information about the directory. It may take some time;
  • Click the top-most entry in the directory;
  • Click the Directory Search button (or press Ctrl+F);


ObjectClassGroup.png


  • In the 'Search DN' field enter the base DN, e.g. DC=swivel, DC=local
  • In the 'Filter' field enter this filter, using the PINsafe Group that you know the user was removed from, e.g.

(&(objectClass=group)(memberOf=CN=PINsafeUsers,OU=Example,DC=Swivel,DC=Local))

...where in this example the group the user was removed from is highlighted with a different colour;

  • Click 'Search';
  • The Directory Search may take some time to retrieve the query from the LDAP server, but eventually it should return a list of groups that belong to that PINsafe group.
  • Analyse this list of groups to determine if your problematic user exists within them. If they do, then you can investigate whether:
    • The user can be removed from the group contained within those groups, or:
    • if the entire group contained within the PINsafe group should even be a member of the PINsafe group.