Pulse Secure formerly SSL VPN
Contributor
Posts: 10
Registered: ‎11-05-2008
Accepted Solution

LDAP role mapping

I configured RADIUS as the first authentication.

The second authentication is LDAP.

On the realm the directory/attribute = LDAP

I put the following settings into the authentication server:

user filter base dn ou=<groupname> DC=<domain name>

filter = sAMAccountName=<USER>

filter = cn=<GROUPNAME>

member attribute = member

Search all groups

I make a role mapping based on an LDAP group, let's take portalusers.

When I log in with a user (who is a member of the group portalusers) it works fine.

When I log in with another user (who is also a member of the group portalusers), I get no roles applied.

I tested it with only LDAP authentication, then it works fine.

Has anyone seen this before?

When I change the user filter from filter = sAMAccountName=<USER> to cn=<USER> I get the same issue.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

You should use the policy trace feature and the user log to see what is really happening during the login process. Go to "Maintenance / Troubleshooting / User Sessions / Policy Tracing", enable tracing for the user / realm in question, have the user log in, then turn it off and go back and look at the results. You should see exactly what happens.
Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
Posts: 10
Registered: ‎11-05-2008

Re: LDAP role mapping

Hi,

When I do a policy trace, I see the user isn't a member of the AD group. But he is a member of that group...

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

So - is the "only" role mapping rule you have the one that matches on the rule that is "member of portalusers?" - also are you sure the user is passing the 2nd authentication?
Kevin Barker
Recognized Expert
Posts: 420
Registered: ‎03-24-2008

Re: LDAP role mapping

Is the user who is being reported as not a member of the group a direct member of the group or a member of a nested group? 
Contributor
Posts: 10
Registered: ‎11-05-2008

Re: LDAP role mapping

When I look into the policy trace I see the Juniper tries to authenticate the first username on LDAP. After that, the Juniper tries to authenticate the second username on LDAP. So yes, it also tries to authenticate with the second username.

The user is a direct member of the group portalusers.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

Sent you a private message.
Kevin Barker
Visitor
Posts: 3
Registered: ‎01-27-2009

Re: LDAP role mapping

I am having exactly the same issue. Did we have a solution to this?
Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

What do your policy traces show? There is no reason that the SA box would work for one user and not for another without some variable, probably in the LDAP entry. Can you post them?
Kevin Barker
Visitor
Posts: 3
Registered: ‎01-27-2009

Re: LDAP role mapping

So this wasn't an issue of one user can log in and another can't; it was that if a user is specified with "username is", LDAP login worked great. But my issue was that I could not specify groups. Anywho, I figured out what the issue was.

Quite simple really.

In role mapping I overlooked the update button. Silly design and silly me really.

So when you create a new role and click the drop down to select "Rule is based on:" and click "Group Membership", you have to click the update button to view available groups, and from there you can create groups. : ' )

As long as your LDAP look ups are working your DN info should populate.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

Glad you figured it out! That update button is a real "pain" until you get used to it. I think it probably bites everybody at least once when they are coming up to speed on the box.
Kevin Barker
Visitor
Posts: 3
Registered: ‎01-27-2009

Re: LDAP role mapping

I've been running a Neoteris box for 5 years now and the update button is still easily overlooked.

Contributor
Posts: 10
Registered: ‎11-05-2008

Re: LDAP role mapping

Hi Kevin,

The problem was the following. Their LDAP is really **bleep**ed! For some users we must use sAMAccountName and for the others memberOf.

What I did, with Juniper Support, was to make user attributes.

The problem with this was that I didn't have a user attribute MemberOf.

We made the user attribute and configured custom expressions.

After testing with a lot of users, everything works fine.

Marcel

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: LDAP role mapping

Hey Marcel - thanks for the update. Screwy setup! If you get a minute, why don't you flag your post as the "solution" so people who see it can jump to what you wrote and learn from it.

Kevin Barker
Contributor
Posts: 10
Registered: ‎11-05-2008

Re: LDAP role mapping

Because I wanted to let you know first. Maybe you said something else.

I will make a solution on this topic.

Marcel

Trusted Contributor
Posts: 446
Registered: ‎05-05-2008

Re: LDAP role mapping

If you are having problems and cannot get the Group Search to show you any groups, sniff the traffic between your SA and your LDAP server. If you clear the Member Attribute field, the reply packets that you receive from the LDAP server will contain a list of the available attributes listed under LDAP->LDAP Message Search->ProtocolOp->searchResEntry->attributes->PartialAttributeList.

In my case there were three returned: objectClass, cn, uniqueMember. I then set the Member Attribute field to 'cn' and now my groups show up in the Group Search window and I can add them.

My other problem is that I don't do this often enough to remember exactly what to do for each different type of LDAP server (the one I'm working with now is CentOS Directory Server).

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
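The thread raises three separate reasons why a user who really is in a group can be reported as "not a member" by the group-membership rule: the configured Member Attribute does not match what the directory actually stores (member vs. uniqueMember, found above by inspecting the searchResEntry attributes), the user is only a member through a nested group, or the directory only records membership on the user side (memberOf) for some users, which is what the original poster ended up solving with a memberOf user attribute and custom expressions. The following is an added example, not code from this thread or from Juniper/Pulse Secure: an in-memory Python model of both membership checks and of the attribute-discovery step, run against a constructed directory. All DNs, user names, group names and attribute layouts are sample data made up for the example; the appliance's real filters "sAMAccountName=<USER>" and "cn=<GROUPNAME>" are only modelled, not queried against a server.

```python
"""Added example (not from the forum thread or from Juniper/Pulse Secure): an
in-memory model of how an SSL VPN appliance can resolve LDAP group membership
for role mapping, and why a genuine member can fail the "member of portalusers"
rule. All DNs, attribute names and users below are constructed sample data."""

# Constructed directory: DN -> {attribute name: [values]}.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["cn=portalusers,ou=groups,dc=example,dc=com"],
    },
    "cn=bob,ou=users,dc=example,dc=com": {
        "sAMAccountName": ["bob"],
        # bob is in portalusers only through the nested group 'contractors'
        "memberOf": ["cn=contractors,ou=groups,dc=example,dc=com"],
    },
    "cn=carol,ou=users,dc=example,dc=com": {
        "sAMAccountName": ["carol"],  # no memberOf: membership kept on the group side only
    },
    "cn=portalusers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=users,dc=example,dc=com",
                   "cn=contractors,ou=groups,dc=example,dc=com"],
    },
    "cn=contractors,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=bob,ou=users,dc=example,dc=com"],
    },
    "cn=legacy,ou=groups,dc=example,dc=com": {
        # a group that stores its members in uniqueMember, not member
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["cn=carol,ou=users,dc=example,dc=com"],
    },
}


def get_attr(dn, name):
    """Case-insensitive attribute lookup (LDAP attribute names are not case-sensitive).
    Returns [] for a missing entry or attribute, like an empty search result."""
    for attr, values in DIRECTORY.get(dn, {}).items():
        if attr.lower() == name.lower():
            return values
    return []


def find_user_dn(username):
    """Models the user filter 'sAMAccountName=<USER>' from the original post."""
    for dn in DIRECTORY:
        if username in get_attr(dn, "sAMAccountName"):
            return dn
    return None


def group_dn(group_cn):
    """Models the group filter 'cn=<GROUPNAME>' under a fixed groups base DN."""
    return f"cn={group_cn},ou=groups,dc=example,dc=com"


def discover_member_attribute(group_cn):
    """Models the packet-capture approach from the thread: inspect the attributes
    returned for the group entry and pick the one whose values are DNs."""
    for attr, values in DIRECTORY.get(group_dn(group_cn), {}).items():
        if values and all("=" in v and "," in v for v in values):
            return attr
    return None


def is_member_via_group(user_dn, group_cn, member_attr="member", nested=True):
    """Group-side check: read the configured Member Attribute of the group object.
    With nested=True, member values that are themselves groups are followed."""
    seen = set()

    def in_group(gdn):
        if gdn in seen:          # guard against circular nesting
            return False
        seen.add(gdn)
        for m in get_attr(gdn, member_attr):
            if m.lower() == user_dn.lower():
                return True
            if nested and get_attr(m, member_attr) and in_group(m):
                return True
        return False

    return in_group(group_dn(group_cn))


def is_member_via_user_attr(user_dn, group_cn):
    """User-side check: compare the user's memberOf values with the group DN
    (the memberOf user-attribute route the original poster ended up using)."""
    target = group_dn(group_cn).lower()
    return any(v.lower() == target for v in get_attr(user_dn, "memberOf"))


def role_for(username, group_cn, member_attr="member", nested=True):
    """Role mapping rule 'member of <group_cn>' -> 'portal', otherwise no role.
    Either check suffices, which is what a custom expression that combines the
    group rule with a memberOf user attribute achieves."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return None
    if (is_member_via_group(user_dn, group_cn, member_attr, nested)
            or is_member_via_user_attr(user_dn, group_cn)):
        return "portal"
    return None


if __name__ == "__main__":
    for user, grp, attr, nest in [("alice", "portalusers", "member", True),
                                  ("bob", "portalusers", "member", False),
                                  ("bob", "portalusers", "member", True),
                                  ("carol", "legacy", "member", True),
                                  ("carol", "legacy", discover_member_attribute("legacy"), True)]:
        print(f"{user:6} {grp:12} memberAttr={attr:13} nested={nest!s:5} -> {role_for(user, grp, attr, nest)}")
```

Running the block shows bob losing the role when nesting is not followed and carol losing it until the Member Attribute is set to the name the directory actually returns, which is the same pattern a policy trace on the appliance exposes as "user is not a member of the group" for a user who plainly is.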