Re: User's home directory

danr_ · ‎06-05-2009

I have a windows access file policy to populate a directory for users to connect to shares on our network. I am having a problem with the policy for user's personal share directory using Active Directory (Native mode): \\server\home\username

I need a variable for the username so the authenticated user will have access to their own directory.

I tried this: \\server\home\<user> but it does not work because the domain is included with the username. The user log shows:

\\server\home\domain\username\ which is not correct.

Is this only possible to come up with the correct variable using LDAP authentication? OR is there a variable that returns only the username for AD?

Thanks,

muttbarker_ · ‎06-05-2009

Dan - when using AD the value <user> returns both domain/user - if you use the value <username> it will return user only and should also work just fine with LDAP.

This should do it - let me know if it does not. If it works please flag this as solved so others can learn!

Thanks

gamer004_ · ‎06-11-2009

You should use the <Homedir> variable from the user settings in your AD. Setup an LDAP type AD server as an autorisation server.Match your <user> string to the samAccountname e.g. John or to userPrincipalName e.g. [email protected]

Use \\<userAttr.homeDirectory>\ in your role under file access.

So, when John's account in AD states his homedir is on \\server001\users\john the IVE will publish exactly this variable.

Frank

imtravis_ · ‎06-17-2009

We've setup our User directories with the following path, and it seems to work:

\\dfsdomain\DFS\Root\User\<USERNAME>

This is assigned to all users, and they'll end up with a link to their "User" drive. This has been working for us since 3.x days of IVEOS.

SonicBoom_ · ‎08-03-2009

im having a similar issue and am wondering if the <Homedir> value described by gamer004 would work best when groups of users have their home directories on several different servers

rdit_ · ‎08-04-2009

is it possible to use variables when not connection via LDAP?

for example my userhome is like that: \\server\home\Jason

but I connect to the IVE via the user [email protected].

when I use a variable <user> in this bookmark, the access-log shows me that he tries to open \\server\home\[email protected], which does not exist.

any possibility to cut that "@token" away or something like that to get that running?

regards

123go_ · ‎08-04-2009

To see what variables are available you can run a policy tracing with:

Pre-Authentication Authentication Role Mapping

It will show all the variables name/values pair that you can use in Resource Profiles, Resource Policies, Role Maping...

For example (using AD auth):

Variable user = "MYDOMAIN\user1"

Variable userName = "user1"

Variable ntdomain = "MYDOMAIN"

Variable ntuser = "user1"

etc...

Available variables will depend on the authentication type (Radius, LDAP, AD, Certificate). You will just get a lot more choices of variables if you do LDAP or Radius (userAttr.xxx) for authentication or authorisation.

To use the variable, include the variable name between <> like this: <userName> and it will be replaced by its value when evaluating the policy.

It is not possible to perform any manipulation on variable values (like truncating after the @ sign).

rdit_ · ‎08-05-2009

hmm well then i cant solve this problem and need to make a bookmark with the root folder \\server\home\ where anyone has to browse for his userhome-directory.

cause i do not allow ldap authentication from external, only rsa with token.

muttbarker_ · ‎08-05-2009

I understand that you have a need for authentication via RSA but why not seperate out the "authorization" side. Do your authentication via AD and then do your authorization via LDAP.

rdit_ · ‎08-05-2009

you mean by using multiple authentication-servers? or how would you do this?