Windows Groups with ESF

When you configure ESF to use Windows users, you can optionally make use of Windows groups to assign resource access permissions.

The OS ESM Module does not set user-group information in Enterprise Server, but it is possible to use Windows groups through the MLDAP ESM Module, even if you are using the OS ESM Module to validate user credentials.

By default, the MLDAP ESM Module uses Micro Focus group objects in the LDAP repository (object class microfocus-MFDS-Group) to assign users to groups. To use Windows groups defined in Active Directory (AD) instead, set the group type configuration option in the Security Manager's Configuration Information field. For example:

[LDAP]
group type=AD

You might also need to set options such as group container and search scope so the Security Manager can find the groups in your Active Directory tree.

With this setting, the module will apply group membership based on Active Directory groups that the user belongs to.

There are some restrictions:

You can also use a different attribute of the group object as the group name by setting the group short name attribute configuration option.

See MLDAP ESM Module Custom Configuration Information for more information.