
AD Sync

I've read all the "AD Sync" posts that I can find, and so far nothing has helped me fix my situation, so I'm hoping someone here will be able to assist.

I just need to import one AD Security group that houses all our users that will need Sophos.  In the AD Sync setup, here's what I'm putting under AD filters in User Discovery Filters, Group Discovery Filters and Public Folder Discovery filters:

CN=SophosUsersCW,CN=Users,DC=mydomain,DC=local

The SophosUsersCW group pulls in, but none of the users in that group are imported.  When I take out the CN=SophosUsersCW and make all 3 filters "CN=Users,DC=mydomain,DC=local", all 800+ users and 300+ groups import, so I know the rest of my settings are correct.  This pulls in a ton of things that I don't want or need.

Also, when I try "memberOf=CN=SophosUsersCW,CN=Users,DC=mydomain,DC=local" as suggested in some of the posts, I get an LDAP error.

Does anyone have any insight on what I need to change on my AD Sync?  Thanks in advance!



This thread was automatically locked due to age.
  • Is [SophosUsersCW] the group name?  Try putting it in a separate OU and then using Group Discovery Filters to just search that OU.  For example:

    OU=SophosGroup,DC=mydomain,DC=local

     

    This is how we do it (we have multiple groups, but the idea should hold for just one group).  Hope this helps.

  • Keith, thanks for the quick response.  I created the "Sophos" OU as you suggested and put 2 security groups in the OU.  Here are the results:

    1)  I put "OU=Sophos,DC=mydomain,DC=local" in BOTH the users and groups filters.  Both groups pull into Sophos Central, but they're both empty (bottom half of inserted image).

    2)  I put "OU=Sophos,DC=mydomain,DC=local" in only the group filters section.  All 837 users then want to import, but the 2 groups then have members (top half of inserted image).  Also, the "Users to modify" pulls in AD information as it should.

    What do I need to change to get it to pull in what I want?  I'm guessing I have something set wrong.  Thanks!

  • Hi Jon.  I haven't tried it personally, but this might work under the 'User Discovery Filters' as a filter (not the search base):

    (&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=SophosIT,OU=Sophos,dc=MYDOMAIN,dc=local)(memberOf=cn=SophosUsers****,OU=Sophos,dc=MYDOMAIN,dc=local)))

     

    Set the User Discovery Filter search base as the OU that contains your user accounts.  Set the Group Discovery Filter search base as:

    OU=Sophos,DC=mydomain,DC=local

     

    Reference Article:

    https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

     

    Hope this helps.

  • Wow Keith, you're amazing!  Heck yes it did!  It now adds in 10 users, modifies the 3 that already exist, and modifies the 2 groups that pulled in with no users and bumps them to their respective 9 and 4 users. 

    I still wonder why the group members wouldn't pull in as originally set, but this definitely gets me moving. 

    Thanks again!

  • Glad to be of service.  LDAP is always quite the challenge to juggle!
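
Added example (not part of the original thread, and not Sophos code): a sketch that builds the `memberOf` user filter suggested above with RFC 4515 escaping, then runs a simplified model of "search base plus filter" over a constructed directory to show why the base must be where the user objects live. The group name `SophosExample`, the sample users and the helper names are assumptions.

```python
# RFC 4515 characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value (here a group DN) for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_of_filter(group_dns):
    """Build the thread's user filter for one or more group DNs."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        clauses = f"(|{clauses})"  # OR the groups together
    return f"(&(objectCategory=Person)(sAMAccountName=*){clauses})"

def in_subtree(dn, base):
    """True if dn is the base entry or lies beneath it (AD compares DNs case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def discover_users(entries, search_base, group_dns):
    """Simplified model: subtree scope first, then a direct memberOf match.
    memberOf lists direct memberships only; nested groups are not followed."""
    wanted = {g.lower() for g in group_dns}
    return [e["dn"] for e in entries
            if in_subtree(e["dn"], search_base)
            and wanted & {g.lower() for g in e["memberOf"]}]

# Constructed sample directory (hypothetical names, not real data).
GROUPS = ["CN=SophosIT,OU=Sophos,DC=mydomain,DC=local",
          "CN=SophosExample,OU=Sophos,DC=mydomain,DC=local"]
ENTRIES = [
    {"dn": "CN=Alice,CN=Users,DC=mydomain,DC=local", "memberOf": [GROUPS[0]]},
    {"dn": "CN=Bob,CN=Users,DC=mydomain,DC=local", "memberOf": [GROUPS[1]]},
    {"dn": "CN=Carol,CN=Users,DC=mydomain,DC=local", "memberOf": []},
]

if __name__ == "__main__":
    print(member_of_filter(GROUPS))
    # Base set to the group OU: no user objects live there, so nothing matches.
    print(discover_users(ENTRIES, "OU=Sophos,DC=mydomain,DC=local", GROUPS))
    # Base set to the container holding the accounts: only group members match.
    print(discover_users(ENTRIES, "CN=Users,DC=mydomain,DC=local", GROUPS))
```
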
