SAM group expansion not working for a specific user

Symptom

Group expansion fails for a specific user. When searching at the qrserver with the security parameter &qtf_securityfql:uid=lts:cn=Jonathon Doe/o=orgname, only public documents are returned. The documents are Lotus Notes documents.

Cause

The user name in the &qtf_securityfql:uid= security parameter of the query did not match any entry in the SAM Local Cache. When no entry matches, no group expansion takes place, so only public documents are returned in search.

Resolution

Exporting the SAM Local Cache from the SAM Admin GUI produces a file listing every user in SAM's local cache together with their group memberships. The export shows that there is an entry for this specific user:

<entity id="cn=john doe/o=orgname@groupname" name="cn=john doe/o= orgname@domainname" type="user">
    <memberof id="group users" />
</entity>


When the name cn=john doe/o= orgname@domainname from the SAM Local Cache is used in the query's security parameter, secure search results are returned for that user. The name originally used (cn=Jonathon Doe/o=orgname) was not present in the SAM Local Cache, so that query could not receive secure search results.

Reg-ex aliasers are commonly used to handle a large percentage of the mappings from one domain to another, relying on a naming convention shared by the two environments. In this case the reg-ex aliaser maps to "cn={givenName} {sn}/o=orgname". With this mapping in place the user is mapped to cn=Jonathon Doe/o=orgname, but the actual Lotus Notes account is John Doe. Because Jonathon Doe does not exist in Lotus Notes, the mapping does not work for this user.

The configured reg-ex aliaser therefore cannot map this name from the win domain to the lts domain. The mapping of this specific win-domain user name to the proper lts-domain account can instead be handled as a special case, which lets the user receive secure search results.

When aliasing is needed between two domains and no reg-ex alias can be built to perform the operation, an XML Principal Aliaser can be built to accomplish the task. The XML Principal Aliaser is a file containing the hardcoded mapping JonathonD="cn=Jonathon Doe/o=orgname".

An example of an XML Principal Aliaser is below:

<?xml version="1.0" encoding="UTF-8" ?>
<ssoMap ver="1.1">
    <user name="JonathonD">
        <domain prefix="lts" username="John Doe/o=orgname" />
    </user>
</ssoMap>

Note: When configuring the XML Principal Aliaser in the SAM Admin GUI, provide the complete path to the XML file.

After completing the above, group expansion will occur for this user, and the user will receive secure search results.  
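The check described above (export the local cache, compare the name the query actually uses against it, then confirm the special-case alias lands on an existing entry) can be run offline. The following is an added example, not code from this KB article or from the SAM product: it parses an exported SAM Local Cache and an ssoMap file, applies the reg-ex rule quoted above and the XML special case, and reports whether the resulting lts name is present in the cache. The <cache> wrapper element, the second user, the directory attributes for each login, the precedence of the XML aliaser over the reg-ex rule and the name-normalization steps are all assumptions; SAM's real comparison rule is not documented on this page.

```python
"""Offline check: does the lts name a user is aliased to exist in an exported
SAM Local Cache?  Added example, not from the KB article or the SAM product."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample export of the SAM Local Cache.  The KB shows only the
# <entity> element; the <cache> wrapper and the second user are assumptions.
SAM_CACHE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cache>
  <entity id="cn=john doe/o=orgname@groupname" name="cn=john doe/o= orgname@domainname" type="user">
    <memberof id="group users" />
  </entity>
  <entity id="cn=jane roe/o=orgname@groupname" name="cn=jane roe/o= orgname@domainname" type="user">
    <memberof id="group users" />
    <memberof id="group finance" />
  </entity>
</cache>
"""

# XML Principal Aliaser (ssoMap) as shown in the KB article.
SSO_MAP_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<ssoMap ver="1.1">
  <user name="JonathonD">
    <domain prefix="lts" username="John Doe/o=orgname" />
  </user>
</ssoMap>
"""


def normalize(name: str) -> str:
    """Lenient canonical form for comparing names.  The KB does not document
    SAM's own comparison rule, so every step here is an assumption: drop the
    @domain suffix seen in the export, collapse spaces around '=' and '/',
    add the 'cn=' prefix the ssoMap username lacks, and lower-case."""
    name = name.split("@", 1)[0]
    name = re.sub(r"\s*([=/])\s*", r"\1", name.strip())
    if not name.lower().startswith("cn="):
        name = "cn=" + name
    return name.lower()


def load_cache(xml_text: str) -> Dict[str, List[str]]:
    """Map each user entity's normalized name to its group memberships."""
    cache: Dict[str, List[str]] = {}
    for entity in ET.fromstring(xml_text).iter("entity"):
        if entity.get("type") != "user":
            continue
        groups = [m.get("id", "") for m in entity.findall("memberof")]
        cache[normalize(entity.get("name", ""))] = groups
    return cache


def load_xml_aliases(xml_text: str, prefix: str = "lts") -> Dict[str, str]:
    """Read the special-case mappings (win login -> lts username) from an ssoMap."""
    aliases: Dict[str, str] = {}
    for user in ET.fromstring(xml_text).findall("user"):
        for dom in user.findall("domain"):
            if dom.get("prefix") == prefix:
                aliases[user.get("name", "")] = dom.get("username", "")
    return aliases


def regex_alias(given_name: str, sn: str) -> str:
    """The reg-ex aliaser rule quoted in the KB: cn={givenName} {sn}/o=orgname."""
    return f"cn={given_name} {sn}/o=orgname"


def resolve_lts_name(login: str, given_name: str, sn: str,
                     xml_aliases: Dict[str, str]) -> str:
    """Special case from the XML aliaser wins; otherwise the reg-ex rule applies
    (the precedence between the two aliasers is an assumption)."""
    return xml_aliases.get(login) or regex_alias(given_name, sn)


def lookup_groups(lts_name: str, cache: Dict[str, List[str]]) -> Optional[List[str]]:
    """Groups SAM would expand for this name, or None when the name is absent
    from the cache (the KB's failure mode: only public documents returned)."""
    return cache.get(normalize(lts_name))


def security_param(lts_name: str) -> str:
    """The qrserver security parameter from the KB, built from the lts name."""
    return f"&qtf_securityfql:uid=lts:{lts_name}"


if __name__ == "__main__":
    cache = load_cache(SAM_CACHE_XML)
    aliases = load_xml_aliases(SSO_MAP_XML)
    # Constructed directory attributes (givenName, sn) for two win-domain logins.
    for login, given, sn in [("JonathonD", "Jonathon", "Doe"), ("JaneR", "Jane", "Roe")]:
        before = regex_alias(given, sn)
        after = resolve_lts_name(login, given, sn, aliases)
        print(f"{login}: reg-ex only -> {before!r}: groups={lookup_groups(before, cache)}")
        print(f"{login}: effective  -> {after!r}: groups={lookup_groups(after, cache)}")
        print("    query parameter:", security_param(after))
```

Run against a real export, the only part worth keeping is the idea: a name that `lookup_groups` cannot find will get no group expansion, so verify the aliased name against the exported cache before expecting secure results.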

Article ID: 2360593 - Last Review: September 22, 2011 - Revision: 1
