RSA Archer LDAP sync shows group-members from the same AD only


Problem description


My team just "inherited" an Archer setup with 2 ADs and an LDAP sync setup for each of them. The LDAP sync works fine individually; we are able to see the users/groups as per the LDAP configuration's filters. However, we have some groups in AD#1 that contain users from AD#2, and the LDAP sync is only showing/pulling users from 1 AD in Archer. I'm on Archer 6.4.

My question:

  1. Is it possible at all in Archer to get the groups to show members from the 2 ADs?
  2. Does the LDAP service account need any special permissions?
  3. Anything else that I'm missing, or any viable workarounds?

I have looked at this question, which talks about some possibilities, but it's quite old, so I'm starting a new question. Any help is greatly appreciated.

Solution

The question you referenced is related to Archer v5.x and v6.x, so everything I mentioned there is still valid as of 2019-04-26.

Back to the questions you asked:

  1. Is it possible at all in Archer to get the groups to show members from the 2 ADs?

The answer is "Yes", but it's not that simple. If you check the tables on the back end, you can see that there are two types of groups:

  1. Groups created manually by Archer admins. These groups are not part of any LDAP source, and you can't synch these groups/users.

  2. Groups created via LDAP Synch. These groups and users are synched with LDAP Synch configuration.

In your case, if you have two LDAP synchs configured, then you will have two sets of LDAP groups and two sets of LDAP users, assuming LDAP synch is configured to add and synch groups and users using filters correctly.

Based on what you shared, if you have group "ABC" in both LDAP sources you will have two groups added to Archer. On the back end, in the table tblGroup, they will have different "ldap_config_id" values but the same name.

The same applies to users: if you have user "User1" in both LDAP sources, you will end up with two users with different domains and different "ldap_config_id" values.

Back to your question: yes, if you have two LDAP sources with the same group name, you will end up with two groups with the same name, and each group should have the users from the corresponding LDAP assigned, if you configured both LDAP synchs to add and synch groups and users. If this doesn't work this way for you, then review your LDAP synch configuration. You may not have the option enabled to synch groups, or you may not have any filters in place to get them.

  2. Does the LDAP service account need any special permissions?

In Archer, no, but in the LDAP source (Active Directory) the account you specified in the LDAP configuration should have access to query certain areas. The account you use for the 2nd LDAP may not have access to query groups. I'm not an expert in AD security; you should talk to your AD admin on this matter.

  3. Anything else that I'm missing, or any viable workarounds?

See the old question/answer you referenced. The LDAP synch principles in Archer v5 and v6 are the same, as far as I know.

The best solution, in my opinion, is to establish a "virtual link" or trust between both Active Directories. A third AD can be created with both AD#1 and AD#2 merged or linked. This way you can query AD#3 and have groups and users provided for you by using only one LDAP synch configuration/domain. This is the simplest solution for you, but your AD admin will have to do some work.

You can check other options in the old question as well.

P.S.: the instance I develop for had 2 LDAP sources, but I configured them to have unique group names and unique users. This way collisions don't occur.

Good luck!
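To make the answer's model concrete, here is an added Python simulation (not Archer's own code or schema; the directory snapshots, DNs and the member-matching rule are constructed assumptions) of two independent LDAP sync configurations: each sync tags the users and groups it creates with its own ldap_config_id and matches group members only against users it synced itself, so the same group name in both sources becomes two groups, and a member that lives in the other AD is left unresolved. The dropped_memberships function is the audit check a defender would want, since those are memberships AD asserts but Archer will not reflect.

```python
from dataclasses import dataclass, field

# Constructed snapshots of two directories. Group members are stored as DNs,
# the way AD exposes the "member" attribute. AD#1's "Auditors" group lists a
# user DN that only exists in AD#2, the situation described in the question.
AD1 = {
    "users": ["CN=alice,DC=corp1,DC=example", "CN=bob,DC=corp1,DC=example"],
    "groups": {
        "ABC": ["CN=alice,DC=corp1,DC=example"],
        "Auditors": ["CN=bob,DC=corp1,DC=example",
                     "CN=carol,DC=corp2,DC=example"],
    },
}
AD2 = {
    "users": ["CN=carol,DC=corp2,DC=example"],
    "groups": {"ABC": ["CN=carol,DC=corp2,DC=example"]},
}

@dataclass
class ArcherGroup:
    name: str
    ldap_config_id: int          # which sync configuration created the row
    members: list = field(default_factory=list)
    unresolved: list = field(default_factory=list)

def ldap_sync(directory, ldap_config_id, store):
    """One LDAP sync configuration (assumed rule): everything it creates is
    tagged with its ldap_config_id, and a group member DN is only resolved
    against the users this same configuration has synced."""
    known = set(directory["users"])
    for dn in directory["users"]:
        store["users"].append((dn, ldap_config_id))
    for name, member_dns in directory["groups"].items():
        g = ArcherGroup(name, ldap_config_id)
        for dn in member_dns:
            (g.members if dn in known else g.unresolved).append(dn)
        store["groups"].append(g)
    return store

def run_both_syncs():
    store = {"users": [], "groups": []}
    ldap_sync(AD1, ldap_config_id=1, store=store)
    ldap_sync(AD2, ldap_config_id=2, store=store)
    return store

def groups_named(store, name):
    return [g for g in store["groups"] if g.name == name]

def dropped_memberships(store):
    """Audit check: (group, config id, member DN) that AD asserts but the sync
    could not resolve, i.e. access the business expects that Archer lacks."""
    return [(g.name, g.ldap_config_id, dn)
            for g in store["groups"] for dn in g.unresolved]
```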
