The member and memberOf attributes are guaranteed to be available only for Universal Security Groups within the Windows Global Catalog. Membership information for the following LDAP group types (where the group is not within the same domain as the Global Catalog) is not guaranteed to be available in the Global Catalog:
- Domain Local Security
- Domain Local Distribution
- Global Security
- Global Distribution
Using the following domain structure for illustration purposes:
- Parent (IP x.x.x.227)
- Child (IP x.x.x.228)
- GrandChild (IP x.x.x.229)
When registering an LDAP server using the Global Catalog with ePO, the following table shows when the memberOf or member attributes are present:
| Registered LDAP Server | Universal Security Group | Domain Local Security | Domain Local Distribution | Global Security | Global Distribution |
|---|---|---|---|---|---|
| Parent | ALL | Parent Only | Parent Only | Parent Only | Parent Only |
| Child | ALL | Child Only | Child Only | Child Only | Child Only |
| GrandChild Only | ALL | GrandChild Only | GrandChild Only | GrandChild Only | GrandChild Only |
The memberOf attribute is used when assigning LDAP Groups to ePO systems or branches. If the memberOf attribute is not present when trying to assign an LDAP Group, the group is added, but no users are synced from the LDAP server.
The memberOf attribute is used during the import of EEPC 5.x user groups when associating them to an LDAP user group for DE. If the memberOf attribute is not present, the LDAP Group is assigned. Any users that have Token Data are not found during the pre-processing stage and no users are synced from the LDAP server for the LDAP Group.
NOTES:
- In subsequent LDAP synchronizations, the LDAP group's users are not updated if the memberOf attribute is not present.
- Changing an ePO registered LDAP server from not using a Global Catalog to using a Global Catalog could also result in loss of both Users and Token Data.
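A pre-change check for the situation in the notes above, as an added example that is not part of the original article or of ePO: it applies the table to a list of assigned groups and reports which ones would not have guaranteed membership data through a given Global Catalog. The function names, sample DNs and domain names are constructed for illustration; the groupType flag values are the standard Active Directory constants, and Universal Distribution groups are reported as "not stated" because the table does not list them.

```python
import re

# Standard Active Directory groupType flag values.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL, SECURITY = 0x2, 0x4, 0x8, 0x80000000

def group_kind(group_type):
    """Decode groupType, which LDAP returns as a signed 32-bit integer."""
    flags = group_type & 0xFFFFFFFF
    category = "Security" if flags & SECURITY else "Distribution"
    for bit, scope in ((UNIVERSAL, "Universal"), (GLOBAL, "Global"),
                       (DOMAIN_LOCAL, "Domain Local")):
        if flags & bit:
            return f"{scope} {category}"
    raise ValueError(f"unrecognised groupType: {group_type}")

def domain_of(dn):
    """Join the DC= components of a DN into a DNS name (escaped commas kept)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return ".".join(r[3:] for r in rdns if r.upper().startswith("DC=")).lower()

def membership_in_gc(dn, group_type, gc_domain):
    """Apply the table: is member/memberOf guaranteed in this Global Catalog?"""
    kind = group_kind(group_type)
    if kind == "Universal Security":
        return "guaranteed"
    if kind == "Universal Distribution":
        return "not stated"            # the table does not list this type
    same_domain = domain_of(dn) == gc_domain.lower()
    return "guaranteed" if same_domain else "not guaranteed"

def groups_at_risk(groups, gc_domain):
    """Return DNs whose users may fail to sync through this Global Catalog."""
    return [dn for dn, gt in groups
            if membership_in_gc(dn, gt, gc_domain) != "guaranteed"]

# Constructed sample data: (distinguishedName, groupType) pairs.
SAMPLE_GROUPS = [
    ("CN=DE Users,OU=Groups,DC=parent,DC=example", -2147483640),
    ("CN=Laptops\\, EU,OU=Groups,DC=child,DC=parent,DC=example", -2147483646),
    ("CN=Helpdesk,OU=Groups,DC=parent,DC=example", -2147483644),
    ("CN=Notify,OU=Groups,DC=grandchild,DC=child,DC=parent,DC=example", 2),
]

if __name__ == "__main__":
    for gc in ("parent.example", "child.parent.example"):
        print(gc, groups_at_risk(SAMPLE_GROUPS, gc))
```

Any group the check returns is a candidate for conversion to a Universal Security Group, or for keeping its own domain's server registered, before the registered server is switched.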