HP Recommended

Hi,

Does anyone know if it is possible, when using single sign-on, to prevent everyone known in AD from using CMAD? I mean, anyone within AD could connect to CMA and start using CMAD, which is not desirable.

Would it also be possible to create groups? Suppose a CEO only wants to be called by certain groups.

Thanks

Luke

ACCEPTED SOLUTION

HP Recommended

Luke,

The way to do this is via the exclusion filters on the LDAP page of the CMA. Here are a couple of good Microsoft Knowledge Base articles on the syntax of LDAP filters:

http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

and

http://msdn.microsoft.com/en-us/library/ms808539.aspx#efficientadapps_topic01e

But the gist of it is that you can set up the filter to exclude all of the people you don't want to be able to register to your CMA, and they will not be returned in queries from the LDAP server, thereby excluding them from using the CMA or the CMAD. If I set up the exclusion filter to look like this:

(samAccountName=tom)

Then everyone but Tom could use the CMA, and Tom would be locked out.

If I set it up to look like this:

(!(&(objectClass=user)(employeeType=executive)))

Then I would only be including users with the custom attribute "employeeType" of "executive." You can use any attributes in your schema (custom or default) as long as they are replicated across the global catalogue.

Just remember that this is an exclusion filter, not an inclusion filter. So if you come up with a filter that identifies all of the users you want to be able to use the CMA, (&(objectClass=user)(employeeType=executive)) for example, you must then add a "not" operator, "!", to the front in order to negate it.

Hope this helps.

HP Recommended

I am having some problems restricting the CMA Desktop users.

I have my allowed users in cn=CMA Allowed Group,cn=users,dc=domain,dc=com

Then I apply the exclusion filter

!(Memberof=cn=CMA Allowed Group,cn=users,dc=domain,dc=com) on the CMA Server, which should mean only members of the CMA Allowed Group are allowed to sign in, but in fact all the domain members are able to sign in.

Please advise.

HP Recommended

Hi Itadmin,

I had a similar issue to this. Does your enterprise user ID have access to all of the domain or only to the users in the group? I ensured that our Enterprise user ID only has access to read from the group you are using in your exclusion filter. Below is a working example (domain name changed) of our config.

Enterprise Directory Exclusion Filter: (!(Memberof=CN=App_CMADesktop,OU=Security Groups,OU=XXXX,DC=xxxx,DC=com))

Enterprise Directory Search BaseDN: OU=XXXX,DC=xxxx,DC=com
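The accepted answer's point that the CMA applies an *exclusion* filter (whatever the filter matches is dropped) and the memberOf filters in the replies above can be dry-run before touching the CMA LDAP page. The evaluator below is an added example, not part of any post or of the CMA product; it implements a strict RFC 4515 subset (`&`, `|`, `!`, equality) with AD-style case-insensitive matching, and the directory entries and group DN are constructed sample data.

```python
"""Tiny RFC 4515 filter evaluator for dry-running a CMA LDAP *exclusion*
filter. Handles (&..), (|..), (!..) and (attr=value); AD-style case-insensitive."""

def parse(text):
    """Filter string -> tuple tree; ValueError on malformed syntax."""
    text = text.strip()
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters: %r" % text[pos:])
    return tree

def _parse(s, i):
    if s[i:i + 1] != "(" or i + 1 >= len(s):
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":                     # &/| are n-ary, ! is unary
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("bad %s filter at offset %d" % (op, i))
        return (op, kids), i + 1
    end = s.index(")", i)                 # simple item: attr=value (DN values keep their '=')
    attr, eq, value = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError("malformed item %r" % s[i:end])
    return ("=", [attr.lower(), value.lower()]), end + 1

def matches(tree, entry):
    """Does entry (dict: lowercase attr -> list of values) satisfy tree?"""
    op, args = tree
    if op == "&":
        return all(matches(k, entry) for k in args)
    if op == "|":
        return any(matches(k, entry) for k in args)
    if op == "!":
        return not matches(args[0], entry)
    return any(v.lower() == args[1] for v in entry.get(args[0], []))

def allowed_users(exclusion_filter, entries):
    """CMA semantics: anyone the exclusion filter matches is dropped."""
    tree = parse(exclusion_filter)
    return sorted(e["samaccountname"][0] for e in entries if not matches(tree, e))

# Constructed sample directory: two staff, one executive; ann and ceo are in the group.
GROUP = "cn=CMA Allowed Group,cn=users,dc=domain,dc=com"
DIRECTORY = [
    {"samaccountname": ["tom"], "objectclass": ["user"], "employeetype": ["staff"], "memberof": []},
    {"samaccountname": ["ann"], "objectclass": ["user"], "employeetype": ["staff"], "memberof": [GROUP]},
    {"samaccountname": ["ceo"], "objectclass": ["user"], "employeetype": ["executive"], "memberof": [GROUP]},
]
```

Running `allowed_users` with the group filter and without its leading `!` shows the inversion the accepted answer warns about: the negated form keeps only group members, the un-negated form locks out exactly those members. A filter missing its outer parentheses is rejected by `parse`, which is one thing to check when "everyone can still sign in".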

HP Recommended

Dear

To elaborate, my enterprise directory consists of a root domain and three child domains. The user ID that the CMA uses is a regular user account in the root domain. I have created a universal security group and added members from the root domain and the child domains whom I would like to register with the CMA. I have applied the exclusion filter as below:

(!(Memberof=cn=CMAUSERS,OU=XXX,OU=,XXX,dc=XXX,dc=com))

I have users in the child domains logging in to the CMA with operator/scheduler roles, so I will have to leave my search base blank or as (dc=xxx,dc=com).

I tried removing users from the child domains from the CMAUSERS group, but the CMA is still allowing all users to log in without any restriction.

HP Recommended

Make sure the security group is set to be a Universal security group and give it time to replicate throughout your environment.

S.
