02-03-2009 04:11 AM
I configured RADIUS as the first authentication.
The second authentication is LDAP.
On the realm, the directory/attribute = LDAP.
I put the following settings into the authentication server:
user filter base DN = ou=<groupname>,DC=<domain name>
filter = sAMAccountName=<USER>
member attribute = member
Search all groups
I made a role mapping based on an LDAP group, let's take portalusers.
When I log in with a user (who is a member of the group portalusers), it works fine.
When I log in with another user (who is also a member of the group portalusers), I get no roles applied.
When I test it with only LDAP authentication, it works fine.
Has anyone seen this before?
When I change the user filter from filter = sAMAccountName=<USER> to cn=<USER>, I get the same issue.
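To make the first step of that realm configuration concrete, here is an added example (not from this thread and not Juniper code) that models how a user filter such as sAMAccountName=<USER> resolves a login name to a DN under a base DN. The directory entries, DNs and user names are constructed; the model only supports single equality/substring filters, and it escapes the substituted login name per RFC 4515 so it is always matched literally.

```python
"""Added example (not from the thread or from Juniper): a small model of the
user lookup described above, run against a constructed directory."""
import re

# Constructed AD-style entries: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    "cn=Jan Smit,ou=portalusers,dc=example,dc=local":
        {"samaccountname": ["jsmit"], "cn": ["Jan Smit"]},
    "cn=Jan Smit (ext),ou=contractors,dc=example,dc=local":
        {"samaccountname": ["jsmit2"], "cn": ["Jan Smit (ext)"]},
    "cn=Anna Bos,ou=portalusers,dc=example,dc=local":
        {"samaccountname": ["abos"], "cn": ["Anna Bos"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping: characters that would change the filter's meaning
    become a backslash plus two hex digits, so the login name is matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(template, username):
    """Substitute the login name into a template such as 'sAMAccountName=<USER>'."""
    return "(" + template.replace("<USER>", escape_filter_value(username)) + ")"


def _unescape(text):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def matches(entry, flt):
    """Evaluate one equality/substring filter '(attr=value)' against one entry.
    An unescaped '*' is a wildcard; an escaped one (\\2a) is a literal asterisk."""
    m = re.fullmatch(r"\(([A-Za-z0-9.;-]+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, pattern = m.group(1).lower(), m.group(2)
    # Escape sequences never contain '*', so splitting on '*' only splits at wildcards.
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(directory, base_dn, flt):
    """Return the DNs under base_dn (subtree scope) whose entries match the filter."""
    base = base_dn.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry, flt)]


def resolve_user_dn(directory, base_dn, template, username):
    """The realm's user lookup: exactly one hit is required; otherwise no DN is
    returned and no group lookup (and so no role mapping) can follow."""
    hits = search(directory, base_dn, build_user_filter(template, username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    base = "dc=example,dc=local"
    for name in ("jsmit", "Jan Smit (ext)", "j*"):
        print(name, "->", resolve_user_dn(DIRECTORY, base, "sAMAccountName=<USER>", name))
    print("cn lookup ->", resolve_user_dn(DIRECTORY, base, "cn=<USER>", "Jan Smit (ext)"))
```

Two things worth noticing when comparing with the configuration in the post: a base DN narrower than the user's container (the ou=<groupname> style base) makes the lookup return nothing for users outside it, and a login name that resolves to zero or several entries also yields no DN, so the group lookup never runs and no roles are applied.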
02-03-2009 09:37 AM
02-05-2009 10:00 AM
02-08-2009 11:02 PM
When I look into the policy trace, I see the Juniper tries to authenticate the first username on LDAP. After that, the Juniper tries to authenticate the second username on LDAP. So yes, it also tries to authenticate with the second username.
The user is a direct member of the group portalusers.
02-09-2009 09:33 AM
02-11-2009 11:53 AM
02-11-2009 12:50 PM
So this wasn't an issue of one user being able to log in and another not; it was that if a user is specified with "username is", LDAP login worked great. But my issue was that I could not specify groups. Anywho, I figured out what the issue was.
Quite simple really.
In role mapping I overlooked the update button. Silly design and silly me really.
So when you create a new role and click the drop-down to select "Rule is based on:" and click "Group Membership", you have to click the update button to view available groups, and from there you can create groups. : ' )
As long as your LDAP lookups are working, your DN info should populate.
02-11-2009 01:53 PM
02-12-2009 10:59 PM
The problem was the following. Their LDAP is really **bleep**ed! For some users we must do a sAMAccountName and for the others memberOf.
What I did, with Juniper Support, was to make user attributes.
The problem with this was that I didn't have a user attribute MemberOf.
We made the user attribute and configured custom expressions.
After testing with a lot of users, everything works fine.
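The resolution above (a group-side member lookup for some users, a user-side memberOf attribute for others, combined in a custom expression) can be modelled in a few lines. The following is an added example, not code from the thread or from Juniper, run against a constructed directory whose group and user DNs are invented; Anna's entry deliberately carries memberOf without appearing in the group's member list, mirroring the inconsistent directory Marcel describes, and Piet is a member only through a nested group.

```python
"""Added example (not from the thread or from Juniper): evaluating a group-based
role-mapping rule where membership may be recorded on the group (member) or on
the user (memberOf)."""

GROUP_PORTALUSERS = "cn=portalusers,ou=groups,dc=example,dc=local"
GROUP_PORTALADMINS = "cn=portaladmins,ou=groups,dc=example,dc=local"
USER_JSMIT = "cn=Jan Smit,ou=people,dc=example,dc=local"
USER_ABOS = "cn=Anna Bos,ou=people,dc=example,dc=local"
USER_PDEVRIES = "cn=Piet de Vries,ou=people,dc=example,dc=local"

# Constructed entries (attribute names lowercased). Anna's membership exists
# only on her user entry (memberOf); Piet is in portalusers only via the nested
# portaladmins group.
DIRECTORY = {
    GROUP_PORTALUSERS: {"member": [USER_JSMIT, GROUP_PORTALADMINS]},
    GROUP_PORTALADMINS: {"member": [USER_PDEVRIES]},
    USER_JSMIT: {"samaccountname": ["jsmit"], "memberof": [GROUP_PORTALUSERS]},
    USER_ABOS: {"samaccountname": ["abos"], "memberof": [GROUP_PORTALUSERS]},
    USER_PDEVRIES: {"samaccountname": ["pdevries"], "memberof": [GROUP_PORTALADMINS]},
}


def _same_dn(a, b):
    return a.lower() == b.lower()


def in_group_via_member(directory, group_dn, user_dn, nested=True, _seen=None):
    """Group-side check: walk the group's member attribute, descending into
    nested groups when nested is True. _seen guards against membership cycles."""
    if _seen is None:
        _seen = set()
    if group_dn.lower() in _seen:
        return False
    _seen.add(group_dn.lower())
    for member in directory.get(group_dn, {}).get("member", []):
        if _same_dn(member, user_dn):
            return True
        is_group = "member" in directory.get(member, {})
        if nested and is_group and in_group_via_member(directory, member, user_dn, nested, _seen):
            return True
    return False


def in_group_via_memberof(directory, group_dn, user_dn):
    """User-side check: the user's memberOf attribute names the group directly."""
    return any(_same_dn(g, group_dn)
               for g in directory.get(user_dn, {}).get("memberof", []))


def role_rule_matches(directory, group_dn, user_dn):
    """Custom-expression style rule: the role applies if either check succeeds.
    Returns the check that matched ('member' or 'memberOf') or None."""
    if in_group_via_member(directory, group_dn, user_dn):
        return "member"
    if in_group_via_memberof(directory, group_dn, user_dn):
        return "memberOf"
    return None


if __name__ == "__main__":
    for user in (USER_JSMIT, USER_ABOS, USER_PDEVRIES):
        print(user, "->", role_rule_matches(DIRECTORY, GROUP_PORTALUSERS, user))
```

Running it shows why a rule that only consults the group's member attribute leaves some users without roles: Jan matches on member, Piet only when nested groups are followed, and Anna only through her own memberOf attribute. Returning which check matched is handy when comparing against a policy trace.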
02-13-2009 06:41 AM
Hey Marcel - thanks for the update. Screwy setup! If you get a minute, why don't you flag your post as the "solution" so people who see it can jump to what you wrote and learn from it.
08-05-2009 02:14 AM
If you are having problems and cannot get the Group Search to show you any groups, sniff the traffic between your SA and your LDAP server. If you clear the Member Attribute field, the reply packets that you receive from the LDAP server will contain a list of the available attributes listed under LDAP->LDAP Message Search->ProtocolOp->searchResEntry->attributes->Pa
In my case there were three returned: objectClass, cn, uniqueMember. I then set the Member Attribute field to 'cn', and now my groups show up in the Group Search window and I can add them.
My other problem is that I don't do this often enough to remember exactly what to do for each different type of LDAP server (the one I'm working with now is CentOS Directory Server).