02-11-2015 01:39 AM
Hello,
I have a customer who migrated their VSM from 6.3 to 7.6. In VSM 6.3, we can add users by using LDAP and can manage each user from LDAP. I mean that each user in LDAP can be manually assigned to a role which is created from VSOM.
In VSM 7.6, I face a problem with that. I think in VSM 7.6, Cisco has disabled that feature. In VSM 7.6, I can't manage each user separately. Am I right? After Active Directory is connected to VSOM via LDAP, I can't assign each user to one or several user groups individually by using VSOM. I must group the users in AD first and then filter them in VSOM. I think it is not efficient because there will be many duplicate users in AD if a user is assigned to more than 1 user group.
So, what is the best solution so that a user in AD can be assigned to several user groups without being duplicated in AD?
Thank you
02-11-2015 09:44 AM
I'm not *quite* following what you are running into, but luckily, I'm about to do some LDAP integration of my own for a client, so this will likely come into full focus for myself as well.
The last time I visited it was with VSM 7.2, and if I remember correctly, the LDAP search filters matched OUs/Group membership to 'Roles' within VSOM...
I think worst case, you might end up with a list of groups in AD that match your 'roles' within VSOM and LDAP search filters that define these associations. Then it would just be a matter of ensuring that your AD accounts are members of the required respective roles? I could be misinterpreting this though...
I'll check back in once I refresh myself some more.
02-12-2015 02:53 AM
Hi,
Thanks for the reply.
I also think that I might end up with a list of groups in AD. Let's say I have 3 User Groups in VSOM with 3 different roles: Superadmin; Admin; Security.
In AD, let's say I have 5 users: User A; User B; User C; User D; User E.
For example, the mapping which I want is as below:
User Groups | User
=================
Security | User A; User B
Admin | User B; User C; User D
Superadmin | User B; User E
So, maybe I should create several OUs / groups in AD with a replicated user (User B). Is that true?
Thank you
03-19-2015 05:29 AM
Hi Arie,
I think the best approach to take would be to define what your *Roles* are going to be on the VSOM side, and then create User Groups in VSOM that map to those roles.
Then, create matching Security Groups within AD (LDAP) that correlate to the VSOM User Groups. Finally, create LDAP Search filters that link AD Security Group membership to VSOM User Groups upon LDAP authentication.
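The group-based mapping discussed in this thread, applied to the five-user table above, as an added example that is not part of any post and is not Cisco code. The DNs, the `VSOM-*` group names and the filter form are assumptions, and the evaluator handles only the `&`, `|`, `!` and equality subset of LDAP filter syntax.

```python
# Constructed sample data: DNs, group names and users are illustrative only.
BASE = "OU=VSOM,DC=example,DC=com"
GROUP_FILTERS = {  # VSOM user group -> LDAP search filter (assumed form)
    g: f"(&(objectClass=user)(memberOf=CN=VSOM-{g},{BASE}))"
    for g in ("Security", "Admin", "Superadmin")
}

def entry(name, *groups):
    """One AD account; group membership is the multi-valued memberOf attribute."""
    return {"cn": [name], "objectclass": ["user"],
            "memberof": [f"CN=VSOM-{g},{BASE}" for g in groups]}

# Each user exists exactly once; User B simply carries three memberOf values.
DIRECTORY = [
    entry("User A", "Security"),
    entry("User B", "Security", "Admin", "Superadmin"),
    entry("User C", "Admin"),
    entry("User D", "Admin"),
    entry("User E", "Superadmin"),
]

def parse(f, i=0):
    """Parse a filter (subset: &, |, !, equality) into a tuple tree."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")  # split on the first '=' only
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, e):
    """Evaluate a parsed filter against one directory entry, case-insensitively."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in e.get(node[1], []))
    results = [matches(k, e) for k in node[1]]
    return {"&": all, "|": any}[node[0]](results) if node[0] != "!" else not results[0]

def groups_at_login(e):
    """VSOM user groups whose filter matches this account."""
    return [g for g, flt in GROUP_FILTERS.items() if matches(parse(flt)[0], e)]

def mapping():
    return {e["cn"][0]: groups_at_login(e) for e in DIRECTORY}
```

A plain `memberOf=` equality test matches direct group membership only, so accounts that reach a group through nesting would not match filters of this form.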