08-22-2008 10:09 AM
I have a SA-4000 with the version 6.2R1 (build 13255).
I want to configure the LDAP search to find a user in a group.
The user entries are in: cn=user_1,ou=GROUP1,dc=domain2,dc=domain1
The groups are in: cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domai
The user1 is memberof Domain Users and group_1
In the SA.4000 i have the following configuration
Finding user entries
Base DN: ou=GROUP1,dc=domain2,dc=domain1
Determining group membership
Base DN: ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1
(the other fields values are empry or by default)
I have a user_2 (cn=user_2,ou=GROUP1,dc=domain2,dc=domain1) define
I don't understand what i'm doing wrong.
Solved! Go to Solution.
08-25-2008 01:06 AM
Kentars: I use policy tracing and the search is done only in Finding user entries none register appear to Determining group membership.
imtravis: I add the member but still not working.
Any more suggestions?
08-25-2008 08:53 AM
The solution is:
In autentication server fill the following text boxs:
BASE DN: dc=domain2, dc=domain1
Member Atrribute: member
Go to Server Catalog in the tab Group add the Group (click in search to find the group in AD)
Go to the realm where this Authentication server is applied select the tab role mapping, create a new rule in the dropdownlist for Rule based on: choose Group Membership click in Update select the group and assing it to a role.
08-27-2008 11:48 AM
Yes, the whole "server catalog" is very confusing. If you use AD authentication, this isn't necessary, but it is with LDAP. Nested groups can also be a problem.
I set Nested Group Level to 3 (three levels deep) and "Search all nested groups" so I don't have to define very nested group in the server catalog (otherwise you have to do this). JTAC suggests limiting Group Level to a max of 5 for performance reasons. Also, using the server catalog for nested groups is much faster (but not as foolproof and simple).
PS: 6.2R1 is buggy. As I've said other places, try this in 6.1 if possible.