Pulse Secure formerly SSL VPN
Posts: 796
Registered: ‎06-30-2009
0 Kudos

Authentication Problem with AD/LDAP

I am trying to authenticate users via LDAP. My users are in abc.com->Computer Department->System Department->Networking Department. In Networking Department there is a group Netdep. But my users are in Networking Department.


When I search for the group, it shows me only abc.com->Computer Department->System Department->Networking Department->Netdep. But I need abc.com->Computer Department->System Department->Networking Department. I used the depth option also, but no luck.


Can anyone explain to me whether AD/LDAP supports users in an OU? What am I missing?



Posts: 142
Registered: ‎01-14-2009
0 Kudos

Re: Authentication Problem with AD/LDAP

Are you talking about your Base DN in your Auth Servers?

Posts: 17
Registered: ‎10-28-2008
0 Kudos

Re: Authentication Problem with AD/LDAP

The SAs do hierarchical LDAP searches.


The two things to consider are what it is looking for and what access the binding account has to LDAP.


In looking for an LDAP group

Groups ... -> Search ...


The SA unit is looking for objects with an objectclass of 'groupOfUniqueNames' or 'groupOfNames' or 'posixGroup'. It expects the entry to have a CN - does your object/group match these conditions?



Posts: 116
Registered: ‎12-14-2009
0 Kudos

Re: Authentication Problem with AD/LDAP

I have a similar issue. I am using ADAM for my LDAP, and my SSG firewalls auth fine, but when I try to auth the same user in the SA, it isn't found in the searches?


My users do have a CN.




If my post helped you, please feel free to give me kudos.
Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008
0 Kudos

Re: Authentication Problem with AD/LDAP

That is an interesting problem. If you try to create a role mapping based on group membership it will fail, as your users are members of the OU "Networking Department" but not the group "Netdep" - Correct?


You can't use the attribute "member-of" as that also only applies to groups. I am assuming you have some reason why you don't want to use groups and need to use an OU match instead.


Have you tried testing using the distinguishedName attribute? That attribute is the only one that I know of that would contain the full string with the OU.


Maybe there is a custom expression that could be written based on that. Just a thought.

Kevin Barker
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
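
The distinguishedName idea from the reply above, as an added example that is not part of the original thread and is not Pulse Secure code: it decides OU membership by comparing parsed DN components rather than by substring matching, which a crafted CN can satisfy. The DNs are constructed from the OU names in the question, assuming abc.com maps to DC=abc,DC=com and that each level is an OU; the function names are hypothetical.

```python
# Added example: decide OU membership from a distinguishedName string.
# The DNs below are constructed from the OU names in the thread; the
# function names are hypothetical and not part of any Pulse Secure API.

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def normalise(rdn):
    """Lower-case an RDN and trim spaces around '=' for comparison."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def in_ou(user_dn, ou_dn, direct_only=False):
    """True if user_dn sits under ou_dn (directly, if direct_only)."""
    user = [normalise(r) for r in split_dn(user_dn)]
    ou = [normalise(r) for r in split_dn(ou_dn)]
    parent = user[1:]  # drop the user's own RDN (the CN)
    if direct_only:
        return parent == ou
    return len(parent) >= len(ou) and parent[-len(ou):] == ou

# Constructed sample DNs (assumed mapping of abc.com to DC=abc,DC=com).
OU = "OU=Networking Department,OU=System Department,OU=Computer Department,DC=abc,DC=com"
USER = "CN=Alice Example," + OU
# A CN containing the OU text must not match: a substring test would accept it.
DECOY = "CN=x\\,OU=Networking Department,OU=Guests,DC=abc,DC=com"
NESTED = "CN=Bob Example,OU=Lab," + OU

if __name__ == "__main__":
    for dn in (USER, DECOY, NESTED):
        print(dn, in_ou(dn, OU), in_ou(dn, OU, direct_only=True))
```
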