08-22-2008 10:09 AM
I have a SA-4000 with the version 6.2R1 (build 13255).
I want to configure the LDAP search to find a user in a group.
The user entries are in: cn=user_1,ou=GROUP1,dc=domain2,dc=domain1
The groups are in: cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domai
The user1 is member of Domain Users and group_1
In the SA-4000 I have the following configuration
Finding user entries
Base DN: ou=GROUP1,dc=domain2,dc=domain1
Filter: cn=<USER>
Determining group membership
Base DN: ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1
Filter: cn=group_1
(the other field values are empty or by default)
I have a user_2 (cn=user_2,ou=GROUP1,dc=domain2,dc=domain1) define
I don't understand what I'm doing wrong.
Best Regards
08-22-2008 10:21 AM
How are you using the group membership? Are you assigning a role based upon it?
You should be able to use policy trace to see what groups the user was found to belong to.
08-22-2008 04:03 PM
Try doing the following for group membership:
BASE DN: dc=domain2, dc=domain1
Filter: cn=<GROUPNAME>
Member Attribute: member
Travis
08-25-2008 01:06 AM
Kentars: I use policy tracing and the search is done only in Finding user entries; no record appears for Determining group membership.
imtravis: I added the member but it is still not working.
Any more suggestions?
08-25-2008 08:53 AM
The solution is:
In the authentication server, fill in the following text boxes:
BASE DN: dc=domain2, dc=domain1
Filter: cn=<GROUPNAME>
Member Attribute: member
Go to Server Catalog, and in the Group tab add the group (click Search to find the group in AD).
Go to the realm where this authentication server is applied, select the Role Mapping tab and create a new rule. In the drop-down list for "Rule based on:" choose Group Membership, click Update, select the group and assign it to a role.
08-27-2008 11:48 AM
Yes, the whole "server catalog" is very confusing. If you use AD authentication, this isn't necessary, but it is with LDAP. Nested groups can also be a problem.
I set Nested Group Level to 3 (three levels deep) and "Search all nested groups" so I don't have to define every nested group in the server catalog (otherwise you have to do this). JTAC suggests limiting Group Level to a max of 5 for performance reasons. Also, using the server catalog for nested groups is much faster (but not as foolproof and simple).
-=Dan=-
PS: 6.2R1 is buggy. As I've said other places, try this in 6.1 if possible.
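To make the accepted solution and Dan's nested-group remark concrete, here is an added example (not code from Juniper or from anyone in this thread) that models the two LDAP searches the SA-4000 performs against a small constructed in-memory directory: the user search with Base DN ou=GROUP1,dc=domain2,dc=domain1 and filter cn=<USER>, then the group search with Base DN dc=domain2, dc=domain1, filter cn=<GROUPNAME> and member attribute "member", followed by a walk through member groups limited to a nested-group level. The parent_group entry and the nested_level parameter are assumptions added to show nesting; the DNs and settings come from the thread.

```python
# Added example (not Juniper code): in-memory model of the SA-4000's two LDAP
# searches, using the Base DNs, filter and member attribute from this thread.

# Constructed directory (normalized DNs); hypothetical parent_group nests group_1.
DIRECTORY = {
    "cn=user_1,ou=group1,dc=domain2,dc=domain1": {},
    "cn=user_2,ou=group1,dc=domain2,dc=domain1": {},
    "cn=group_1,ou=group2,ou=group1,dc=domain2,dc=domain1": {
        "member": ["cn=user_1,ou=GROUP1,dc=domain2,dc=domain1"]},
    "cn=parent_group,ou=group2,ou=group1,dc=domain2,dc=domain1": {
        "member": ["cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1"]},
}
USER_BASE_DN = "ou=GROUP1,dc=domain2,dc=domain1"  # Finding user entries, filter cn=<USER>
GROUP_BASE_DN = "dc=domain2, dc=domain1"  # Determining group membership, filter cn=<GROUPNAME>
MEMBER_ATTR = "member"

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; also drop the spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def search(base_dn: str, cn: str) -> list[str]:
    """Subtree search for (cn=<value>) under base_dn, as the appliance issues it."""
    base = normalize_dn(base_dn)
    return [dn for dn in DIRECTORY if (dn == base or dn.endswith("," + base))
            and dn.split(",")[0] == f"cn={cn.lower()}"]

def find_user(username: str) -> str:
    """Step 1: the user search must return exactly one entry."""
    hits = search(USER_BASE_DN, username)
    if len(hits) != 1:
        raise LookupError(f"expected one entry for cn={username}, got {len(hits)}")
    return hits[0]

def is_member(group_dn: str, user_dn: str, nested_level: int, seen=None) -> bool:
    """Step 2: is user_dn in the group's member attribute, directly or via member
    groups up to nested_level levels down (0 = direct members only)?"""
    seen = set() if seen is None else seen
    if group_dn in seen:  # cycle guard: A contains B, B contains A
        return False
    seen.add(group_dn)
    members = {normalize_dn(m) for m in DIRECTORY.get(group_dn, {}).get(MEMBER_ATTR, [])}
    if normalize_dn(user_dn) in members:
        return True
    return nested_level > 0 and any(is_member(m, user_dn, nested_level - 1, seen)
                                    for m in members if MEMBER_ATTR in DIRECTORY.get(m, {}))

def check_membership(username: str, group_name: str, nested_level: int) -> bool:
    """Resolve the user, locate the group by cn=<GROUPNAME>, then test membership."""
    user_dn = find_user(username)
    return any(is_member(g, user_dn, nested_level) for g in search(GROUP_BASE_DN, group_name))
```

With nested_level 0 the user is found in group_1 but not in parent_group; raising the level to 1 resolves the parent, which is the effect of the Nested Group Level setting described above.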