7015822: Preventing OES System Groups and Users from being imported in Filr.

Users and groups that only provide server functionality should be filtered out so that they do not pollute the Novell Filr user and group list.

When this is done properly before the initial LDAP sync, these will never be imported.

If additional administrative or system (LUM-enabled) users must be prevented from being imported into Filr, they can be added to the filter string.

This is the case, for instance, when Novell Open Enterprise Server is not using an OESCommonProxy user, but rather a proxy user per service (AFP, CIFS, NetStorage, FTP, NCS ….).


These are prevented from being imported by adding, for instance, these entries to the string:

(cn=afp*)

(cn=*Proxy)

(cn=ftp)

This would make the complete string look like:

(&(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))(!(|(cn=*admin)(cn=novlxregd)(cn=novlxsrvd)(cn=OESCommonProxy_*)(cn=afp*)(cn=*Proxy)(cn=wwwrun)(cn=ftp))))

Modify the string so it is applicable to the back-end environment.

The Preview sync, which is available from Novell Filr 1.1 on, should indicate whether only the desired users are disabled or prevented from being imported.


In certain cases, users are moved or renamed with an alias for backwards compatibility.

Filr will process the aliases as if they were the user, so it will not update the user objects stored in the Filr databases. The update will only occur if the LDAP filter for the users is changed to exclude the objectClass aliasObject.

This is achieved by adding !(objectClass=aliasObject).

The complete user filter will then look something like:

(&(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))(!(|(cn=*admin)(cn=novlxregd)(cn=novlxsrvd)(cn=OESCommonProxy_*)(cn=afp*)(cn=*Proxy)(cn=wwwrun)(cn=ftp)(ou:dn:=Tomcat-Roles)(objectClass=aliasObject))))
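To check offline which entries a filter string lets through before running the Preview sync, the following added example (not Novell code) evaluates the filter above against a handful of constructed entries. The function names, the sample DNs and the case-insensitive matching are assumptions of this sketch, and it does not model how the directory itself dereferences aliases.

```python
import re

# User filter from the article (second form, with the aliasObject exclusion).
FILTER = ("(&(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))"
          "(!(|(cn=*admin)(cn=novlxregd)(cn=novlxsrvd)(cn=OESCommonProxy_*)(cn=afp*)"
          "(cn=*Proxy)(cn=wwwrun)(cn=ftp)(ou:dn:=Tomcat-Roles)(objectClass=aliasObject))))")

# Constructed sample entries (not from a real tree); attribute names are lower-case.
ENTRIES = {
    "cn=jsmith,ou=staff,o=example": {"cn": ["jsmith"], "objectclass": ["inetOrgPerson"]},
    "cn=ftpuser,ou=staff,o=example": {"cn": ["ftpuser"], "objectclass": ["Person"]},
    "cn=admin,o=example": {"cn": ["admin"], "objectclass": ["Person"]},
    "cn=cifsProxy,o=example": {"cn": ["cifsProxy"], "objectclass": ["Person"]},
    "cn=svc,ou=Tomcat-Roles,o=example": {"cn": ["svc"], "objectclass": ["Person"]},
    "cn=jdoe,ou=old,o=example": {"cn": ["jdoe"], "objectclass": ["Person", "aliasObject"]},
}

def parse(f, i=0):
    """Parse the filter that starts at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].lower().split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, dn, attrs):
    if node[0] == "&":
        return all(matches(k, dn, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, dn, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], dn, attrs)
    name, _, rule = node[1].partition(":")
    values = [v.lower() for v in attrs.get(name, [])]
    if rule.startswith("dn"):             # attr:dn:=value also tests the DN components
        rdns = (p.partition("=") for p in dn.lower().split(","))
        values += [v for k, _, v in rdns if k == name]
    pattern = ".*".join(re.escape(p) for p in node[2].split("*"))  # "*" is the only wildcard
    return any(re.fullmatch(pattern, v) for v in values)

def imported(filter_text, entries):
    tree, _ = parse(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, dn, attrs))

if __name__ == "__main__":
    print(imported(FILTER, ENTRIES))      # DNs that would pass the filter
```

Note that (cn=ftp) is an exact match, so the constructed ftpuser entry still passes, whereas wildcard entries such as (cn=*admin) exclude every cn with that suffix.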
