EEM-Dynamic Group Policy for domain user to access PAM not working

Document ID : KB000007021
Last Modified Date : 14/02/2018
Issue:

EEM was initially set up to use the Basic LDAP connection only.
This was later updated to use Multiple Microsoft Active Directory Domains.

When setting this up, you are prompted to provide the domain name. This prompt expects only the second-level domain name, without the top-level domain (.info, .com, .net, etc.). So if your domain is company.net, the second-level domain is "company" and the top-level domain is ".net".

In this case, the first entry in EEM was set with just the second-level domain, while the second entry was set with both the second-level and the top-level domain.

In Process Automation, when multiple MS AD domains are set in EEM, a default AD domain must be defined. The setting in the oasisconfig.properties file is:

oasis.security.activeDirectory.defaultDomain=

In this case, defaultDomain had been set to company.net.

Resolution:

To resolve the issue of users not being able to complete any tasks in CA Process Automation, the following was done:

1. In the EEM User Store, when setting up the Multiple Active Directory Domains, the domain prompt for each domain was set to use only the second-level domain name, i.e. company and company2 instead of company.net or company2.net.

2. In the oasisconfig.properties file, defaultDomain was set to company (not company.net), as follows:
oasis.security.activeDirectory.defaultDomain=company

3. The group-level configuration in EEM was modified so that all groups in both AD servers are resolved. To do this, log in to the Global application in EEM as EiamAdmin, select Configure, then User Store, then choose Group Configuration from the left menu.

   In the top section, Global Group Configuration:

   Set the Group Resolution Level to Resolve Direct Groups, and change the Group cache size from the default of 1000 to 5000.

   Set the Application Group Configuration to Resolve nested groups.

At this point, you can log in to Process Automation and complete tasks. If you are a member of the default domain (company), you only need to use your "username" to log in. If you are a member of the other domain (company2), you must use "domain\username", in this example "company2\username", to log in to Process Automation.

Users of either domain will be able to complete tasks.