I have a Windows file access policy to populate a directory for users to connect to shares on our network. I am having a problem with the policy for the user's personal share directory using Active Directory (Native mode): \\server\home\username
I need a variable for the username so the authenticated user will have access to their own directory.
I tried this: \\server\home\<user> but it does not work because the domain is included with the username. The user log shows:
\\server\home\domain\username\ which is not correct.
Is it only possible to come up with the correct variable using LDAP authentication, or is there a variable that returns only the username for AD?
Dan - when using AD the value <user> returns both domain/user - if you use the value <username> it will return user only and should also work just fine with LDAP.
This should do it - let me know if it does not. If it works please flag this as solved so others can learn!
You should use the <Homedir> variable from the user settings in your AD. Set up an LDAP type AD server as an authorisation server. Match your <user> string to the sAMAccountName e.g. John or to the userPrincipalName e.g. [email protected]
Use \\<userAttr.homeDirectory>\ in your role under file access.
So, when John's account in AD states his homedir is on \\server001\users\john the IVE will publish exactly this variable.
We've setup our User directories with the following path, and it seems to work:
This is assigned to all users, and they'll end up with a link to their "User" drive. This has been working for us since 3.x days of IVEOS.
Is it possible to use variables when not connecting via LDAP?
For example, my user home is like this: \\server\home\Jason
But I connect to the IVE via the user [email protected].
When I use a variable <user> in this bookmark, the access log shows me that he tries to open \\server\home\[email protected], which does not exist.
Any possibility to cut that "@token" away or something like that to get that running?
To see what variables are available you can run a policy tracing with:
Pre-Authentication
Authentication
Role Mapping
It will show all the variable name/value pairs that you can use in Resource Profiles, Resource Policies, Role Mapping...
For example (using AD auth):
Variable user = "MYDOMAIN\user1"
Variable userName = "user1"
Variable ntdomain = "MYDOMAIN"
Variable ntuser = "user1"
Available variables will depend on the authentication type (RADIUS, LDAP, AD, Certificate). You will just get a lot more choices of variables if you do LDAP or RADIUS (userAttr.xxx) for authentication or authorisation.
To use the variable, include the variable name between <> like this: <userName> and it will be replaced by its value when evaluating the policy.
It is not possible to perform any manipulation on variable values (like truncating after the @ sign).
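An added example (not from this thread or the IVE product) that models the substitution rule the answer describes: each <name> in a resource string is replaced verbatim with the value a policy trace shows, with no truncation or other manipulation. The trace values, server names and the helper functions are constructed for illustration.

```python
import re

# Constructed sample: name/value pairs as a policy trace would list them
# for one AD-authenticated user (values made up for this example).
AD_TRACE_VARS = {
    "user": "MYDOMAIN\\user1",
    "userName": "user1",
    "ntdomain": "MYDOMAIN",
    "ntuser": "user1",
}

# Constructed sample for a user who signed in with a UPN-style name on a
# token-only auth server, where no AD/LDAP attributes are populated.
UPN_TRACE_VARS = {
    "user": "user1@example.com",
    "userName": "user1@example.com",
}

_VAR = re.compile(r"<([A-Za-z][A-Za-z0-9_.]*)>")


def expand_resource(template: str, trace_vars: dict) -> str:
    """Replace every <name> in an IVE-style resource string with its traced value.

    A value is inserted exactly as traced (no cutting at '@' or '\\'); a name the
    current auth type did not populate raises instead of silently expanding to ''.
    """
    def substitute(match):
        name = match.group(1)
        if name not in trace_vars:
            raise KeyError(f"variable <{name}> is not available for this auth type")
        return trace_vars[name]
    return _VAR.sub(substitute, template)


def is_bare_username_path(template: str, trace_vars: dict,
                          home_root: str = "\\\\server\\home\\") -> bool:
    """True when the expanded path is home_root plus one plain username component.

    Mirrors the failure modes in the thread: a leaf holding a backslash (domain
    prefix from <user>) or an '@' (UPN-style sign-in name) is not a bare username.
    """
    path = expand_resource(template, trace_vars)
    if not path.startswith(home_root):
        return False
    leaf = path[len(home_root):].rstrip("\\")
    return bool(leaf) and "\\" not in leaf and "@" not in leaf
```

Run the check once per authentication server you actually use, since the variables a trace lists differ between AD, LDAP and token-based sign-in.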
Hmm, well then I can't solve this problem and need to make a bookmark with the root folder \\server\home\ where everyone has to browse for their user home directory.
Because I do not allow LDAP authentication from external, only RSA with token.
I understand that you have a need for authentication via RSA, but why not separate out the "authorization" side? Do your authentication via AD and then do your authorization via LDAP.