VMware Cloud Community
qc4vmware
Virtuoso

vRO 7 Active Directory plugin returning computer objects when type set to "User"

First I'd like to say that so far it's looking like the AD plugin that shipped in vRO 7 will actually work with our directory.  The last time I tested, it was still too slow and unstable.  I'm not sure if it is something on our end or all the result of changes the vRO team made, but it's looking promising.

I am curious if I am testing something incorrectly though.  It seems like using ActiveDirectory.search* functions are returning object types other than "User" when I specify that type.  I am definitely seeing computer objects.  If I specify "ComputerAD" as the search type the filtering seems to work as I only see the computers.

Also, is there a way to specify the field to search on?  We have created workflows that are wrapping the dsquery command and query against specific fields.  Is there a way to format the query string to target a field?


Accepted Solutions
igaydajiev
VMware Employee

>I am curious if I am testing something incorrectly though.  It seems like using ActiveDirectory.search* functions are returning object types other than "User" when I specify that type.  I am definitely seeing computer objects.  If I specify "ComputerAD" as the search type the filtering seems to work as I only see the computers.


If you check the Active Directory schema you will see that, for example, the Computer object is a subclass of User, which makes it a kind of user object.

If you examine the objectClass property of a User object you will find the following object classes: "top;person;organizationalPerson;user"

If you examine the objectClass property of a Computer object you will find the following object classes: "top;person;organizationalPerson;user;computer"

When the AD plugin performs a query for User objects, it limits the result based on object class by requesting all objects which have at least the following classes, "top;person;organizationalPerson;user", but it does not state that the object class hierarchy should not contain others. That's why it also returns Computers as Users.


We are keeping this behaviour for backward compatibility with older versions of the plugin, but I agree that it makes sense to limit the search only to "User" objects. You can open a customer request for proper tracking.


>Also, is there a way to specify the field to search on?  We have created workflows that are wrapping the dsquery command and query against specific fields.  Is there a way to format the query string to target a field?

As far as I know there is no such possibility in the current plugin. There are multiple requests regarding a generic search method allowing usage of LDAP syntax directly for querying against the AD server. We are considering adding such functionality to the plugin but it is a matter of priorities :).  Something like AdHost.search( ldpa_query_string )

Not sure if this will resolve your use case. Could you provide a bit more detail around it? A sample workflow will also help.
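
The matching rule described in this answer, as an added example that is not part of the original post and not the plugin's code: it contrasts the inclusive "has at least these classes" match with a stricter post-filter that drops anything carrying the computer class. The sample records and function names are constructed for illustration, and the code is kept to ES5 syntax.

```javascript
// Added example: the records below are constructed, not real directory data.
var USER_CHAIN = ["top", "person", "organizationalPerson", "user"];
var SAMPLE = [
  { name: "jdoe", objectClass: ["top", "person", "organizationalPerson", "user"] },
  { name: "WKS01$", objectClass: ["top", "person", "organizationalPerson", "user", "computer"] },
  { name: "asmith", objectClass: ["top", "person", "organizationalPerson", "user", "inetOrgPerson"] },
  { name: "Servers", objectClass: ["top", "organizationalUnit"] }
];

// Class names are compared case-insensitively.
function normalize(classes) {
  return classes.map(function (c) { return String(c).toLowerCase(); });
}

// Inclusive match: the entry carries at least every class in `required`.
// Computer entries pass, because computer derives from user.
function hasAtLeast(entry, required) {
  var have = normalize(entry.objectClass);
  var need = normalize(required);
  for (var i = 0; i < need.length; i++) {
    if (have.indexOf(need[i]) === -1) { return false; }
  }
  return true;
}

// Stricter match: inclusive match, minus entries carrying an excluded class.
// Other subclasses of user (inetOrgPerson here) are still returned.
function isUserNotComputer(entry, excluded) {
  if (!hasAtLeast(entry, USER_CHAIN)) { return false; }
  var have = normalize(entry.objectClass);
  var deny = normalize(excluded || ["computer"]);
  for (var i = 0; i < deny.length; i++) {
    if (have.indexOf(deny[i]) !== -1) { return false; }
  }
  return true;
}

function namesMatching(entries, predicate) {
  var out = [];
  for (var i = 0; i < entries.length; i++) {
    if (predicate(entries[i])) { out.push(entries[i].name); }
  }
  return out;
}

function inclusiveNames() { return namesMatching(SAMPLE, function (e) { return hasAtLeast(e, USER_CHAIN); }); }
function strictNames() { return namesMatching(SAMPLE, function (e) { return isUserNotComputer(e); }); }
```

Excluding by class rather than requiring an exact four-class match keeps legitimate user subclasses in the result while keeping machine accounts out of anything that audits or provisions people.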

igaydajiev
VMware Employee

>First I'd like to say that so far it's looking like the AD plugin that shipped in vRO 7 will actually work with our directory.

Just curious which version of AD plugin are you comparing?

qc4vmware
Virtuoso

Thanks for the explanation.  It's easy enough to code around.  I just put a little extra filtering on the results to only return the users and ignore the computers.

Yes, I think that AdHost.search( ldpa_query_string ) is exactly what I am looking for.  For instance, right now I am attempting to use the plugin to find an OU.  I know the full DN, but the search only seems to hit on the name, not on dn, so as it stands right now I have to search on "Servers", which returns about 70 hits in our environment.  I then have to filter those results for the exact OU I need.  If I could specify dn as the field I want to search against then I should just get the one hit I need.  For example, the OUs would look something like this:

OU=Servers,OU=City1,DC=dc1,DC=company,DC=com

OU=Servers,OU=City2,DC=dc1,DC=company,DC=com


Both end up with the same "name" but unique "dn".  Generally speaking we like to build the most precise queries along with only returning just the attributes we need.  To query that OU with dsquery we can simply say:


dsquery ou OU=Servers,OU=City1,DC=dc1,DC=company,DC=com


With a user we might do something like this :


dsquery * forestroot -limit 100 -filter "^&(objectClass=User)(objectCategory=Person)(sAMAccountName=someuser)" -attr sAMAccountName objectSid  objectGUID -l

qc4vmware
Virtuoso

I am pretty sure the last time I attempted to use the AD plugin that shipped with some version of vRO 6.  Not sure if it was still 1.x or a 2.x version.  I was still experiencing very poor performance against our directory and quite a bit of instability that manifested itself in stale connections.  The only thing that would revive them was restarting the vRO services. 

It also looks like the search box control in the client has been reworked which is also helping greatly with usability!

qc4vmware
Virtuoso

You asked for some other search examples.  Just today we were asked to put a workflow together that does some auditing on accounts that have changed.  When they change we keep the previous id in the attribute proxyAddresses.  I have no way of searching this field with the AD plugin.  Luckily we can fall back to the previous development we did to call out to the Windows CLI.
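
The field-targeted searches asked for in the posts above (sAMAccountName, an OU by its dn, proxyAddresses), as an added example that is not part of the original thread and is neither plugin nor dsquery API: it builds the LDAP filter strings with RFC 4515 value escaping, so a workflow input cannot change the filter's structure before it is handed to whatever LDAP client or CLI wrapper runs it. All function names are hypothetical, and the code is kept to ES5 syntax.

```javascript
// Added example; function names are illustrative, not plugin or dsquery API.

// RFC 4515: escape the characters that have meaning inside a filter value.
function escapeFilterValue(value) {
  var s = String(value), out = "";
  for (var i = 0; i < s.length; i++) {
    var c = s.charAt(i);
    if (c === "\\") { out += "\\5c"; }
    else if (c === "*") { out += "\\2a"; }
    else if (c === "(") { out += "\\28"; }
    else if (c === ")") { out += "\\29"; }
    else if (c === "\u0000") { out += "\\00"; }
    else { out += c; }
  }
  return out;
}

// One (attr=value) term. Attribute names are limited to letters, digits and
// hyphens so a caller-supplied name cannot alter the filter either.
function term(attr, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(attr)) {
    throw new Error("invalid attribute name: " + attr);
  }
  return "(" + attr + "=" + escapeFilterValue(value) + ")";
}

function allOf(terms) { return "(&" + terms.join("") + ")"; }

// Same three conditions as the dsquery user example in the thread.
function userFilter(sam) {
  return allOf([term("objectClass", "user"), term("objectCategory", "person"),
                term("sAMAccountName", sam)]);
}

// Exact OU lookup by distinguished name instead of by (non-unique) name.
function ouFilter(dn) {
  return allOf([term("objectClass", "organizationalUnit"), term("distinguishedName", dn)]);
}

// Entries whose multi-valued proxyAddresses holds the given previous id.
function proxyAddressFilter(previousId) {
  return allOf([term("objectCategory", "person"), term("proxyAddresses", previousId)]);
}
```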
