SSL VPN
BGT
Visitor
Posts: 8
Registered: 08-06-2008

AD group membership

I have a SA-4000 with the version 6.2R1 (build 13255).

I want to configure the LDAP search to find a user in a group.

The user entries are in: cn=user_1,ou=GROUP1,dc=domain2,dc=domain1

The groups are in: cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1

The user_1 is a member of Domain Users and group_1

In the SA-4000 I have the following configuration

Finding user entries

Base DN: ou=GROUP1,dc=domain2,dc=domain1

Filter: cn=<USER>

Determining group membership

Base DN: ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1

Filter: cn=group_1

(the other field values are empty or default)

I have a user_2 (cn=user_2,ou=GROUP1,dc=domain2,dc=domain1) defined that is not a member of group_1, and it can access.

I don't understand what I'm doing wrong.


Best Regards


Recognized Expert
kenlars
Posts: 420
Registered: 03-24-2008

Re: AD group membership

How are you using the group membership? Are you assigning a role based upon it?

You should be able to use policy trace to see what groups the user was found to belong to.

Contributor
imtravis
Posts: 38
Registered: 04-01-2008

Re: AD group membership

Try doing the following for group membership:

BASE DN: dc=domain2, dc=domain1

Filter: cn=<GROUPNAME>

Member Attribute: member

Travis

BGT
Visitor
Posts: 8
Registered: 08-06-2008

Re: AD group membership

kenlars: I use policy tracing, and the search is done only in Finding user entries; no record appears for Determining group membership.

imtravis: I added the member attribute, but it is still not working.

Any more suggestions?

BGT
Visitor
Posts: 8
Registered: 08-06-2008

Re: AD group membership

The solution is:

In the authentication server, fill in the following text boxes:

BASE DN: dc=domain2, dc=domain1

Filter: cn=<GROUPNAME>

Member Attribute: member

Go to Server Catalog; in the Group tab add the group (click Search to find the group in AD).

Go to the realm where this authentication server is applied, select the Role Mapping tab, and create a new rule: in the drop-down list for "Rule based on:" choose Group Membership, click Update, select the group and assign it to a role.

Contributor
Dan_Smart
Posts: 18
Registered: 07-17-2008

Re: AD group membership

Yes, the whole "server catalog" is very confusing. If you use AD authentication, this isn't necessary, but it is with LDAP. Nested groups can also be a problem.

I set Nested Group Level to 3 (three levels deep) and "Search all nested groups" so I don't have to define every nested group in the server catalog (otherwise you have to do this). JTAC suggests limiting Group Level to a max of 5 for performance reasons. Also, using the server catalog for nested groups is much faster (but not as foolproof and simple).

-=Dan=-

PS:  6.2R1 is buggy.  As I've said other places, try this in 6.1 if possible.
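As an added illustration (not Juniper's code, and not how the SA implements its lookup internally), the following Python script models the two-step search that BGT's solution post describes: resolve the login name to a DN using the Finding user entries settings, then search under the group Base DN with the `cn=<GROUPNAME>` filter and test whether the user's DN appears in the group's `member` attribute, descending into sub-groups up to a Nested Group Level as Dan describes. The directory it searches is a constructed in-memory dictionary laid out like the DNs in the thread (with an extra `user_3` and a `subgroup` entry added to show nesting); the function names and the `objectclass` values are assumptions.

```python
"""Added example (not Juniper code): model the SA-4000's LDAP user lookup
and group-membership check against a constructed in-memory directory."""

from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory, DN -> attributes. DNs are stored normalized
# (lower case, no spaces after commas). Layout follows the thread: user
# entries under ou=GROUP1, group entries under ou=GROUP2,ou=GROUP1.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=user_1,ou=group1,dc=domain2,dc=domain1": {
        "objectclass": ["user"], "cn": ["user_1"]},
    "cn=user_2,ou=group1,dc=domain2,dc=domain1": {
        "objectclass": ["user"], "cn": ["user_2"]},
    "cn=user_3,ou=group1,dc=domain2,dc=domain1": {
        "objectclass": ["user"], "cn": ["user_3"]},
    # group_1 holds user_1 directly and a sub-group that holds user_3
    "cn=group_1,ou=group2,ou=group1,dc=domain2,dc=domain1": {
        "objectclass": ["group"], "cn": ["group_1"],
        "member": ["cn=user_1,ou=group1,dc=domain2,dc=domain1",
                   "cn=subgroup,ou=group2,ou=group1,dc=domain2,dc=domain1"]},
    "cn=subgroup,ou=group2,ou=group1,dc=domain2,dc=domain1": {
        "objectclass": ["group"], "cn": ["subgroup"],
        "member": ["cn=user_3,ou=group1,dc=domain2,dc=domain1"]},
}

# Settings taken from the accepted solution in the thread.
USER_BASE_DN = "ou=GROUP1,dc=domain2,dc=domain1"
USER_FILTER = "cn=<USER>"
GROUP_BASE_DN = "dc=domain2, dc=domain1"
GROUP_FILTER = "cn=<GROUPNAME>"
MEMBER_ATTR = "member"


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around its RDN separators.
    (Real DNs may contain escaped commas; this toy parser ignores that.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(template: str, **subs: str) -> Tuple[str, str]:
    """Expand <PLACEHOLDER> tokens and split a simple 'attr=value' filter."""
    for key, val in subs.items():
        template = template.replace(f"<{key}>", val)
    attr, _, value = template.partition("=")
    return attr.strip().lower(), value.strip().lower()


def ldap_search(base_dn: str, attr: str, value: str) -> List[str]:
    """Subtree search: entries at or below base_dn whose attr contains value."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_subtree = dn == base or dn.endswith("," + base)
        if in_subtree and value in (v.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def find_user(username: str) -> Optional[str]:
    """Step 1 ('Finding user entries'): resolve a login name to its DN."""
    hits = ldap_search(USER_BASE_DN, *parse_filter(USER_FILTER, USER=username))
    return hits[0] if len(hits) == 1 else None   # ambiguous or missing -> no DN


def resolve_members(group_dn: str, member_attr: str, nested_level: int,
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Collect member DNs of a group, expanding sub-groups nested_level deep.
    Level 0 = direct members only. 'seen' guards against circular nesting."""
    seen = seen if seen is not None else {group_dn}
    members: Set[str] = set()
    for raw in DIRECTORY.get(group_dn, {}).get(member_attr, []):
        member_dn = normalize_dn(raw)
        members.add(member_dn)
        is_group = "group" in DIRECTORY.get(member_dn, {}).get("objectclass", [])
        if is_group and nested_level > 0 and member_dn not in seen:
            seen.add(member_dn)
            members |= resolve_members(member_dn, member_attr,
                                       nested_level - 1, seen)
    return members


def user_in_group(username: str, groupname: str, nested_level: int = 0) -> bool:
    """Step 2 ('Determining group membership') as a role-mapping rule would use it."""
    user_dn = find_user(username)
    if user_dn is None:
        return False
    attr, value = parse_filter(GROUP_FILTER, GROUPNAME=groupname)
    return any(user_dn in resolve_members(g, MEMBER_ATTR, nested_level)
               for g in ldap_search(GROUP_BASE_DN, attr, value))


if __name__ == "__main__":
    for user in ("user_1", "user_2", "user_3"):
        print(user, "direct:", user_in_group(user, "group_1"),
              "nested level 3:", user_in_group(user, "group_1", 3))
```

With the thread's settings, `user_1` is found as a direct member of `group_1`, `user_2` is not a member at all, and `user_3` is only matched once the nested level is at least 1, which is the behaviour Dan's "Search all nested groups" setting is meant to cover. The `seen` set is what keeps a circularly nested group pair from looping, and the depth argument is the same kind of cap JTAC recommends keeping small.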

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.