SSL VPN
Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

Authentication Problem with AD/LDAP

I am trying to authenticate users via LDAP. My users are in abc.com->Computer departement->System Departement->Networking Departement. In the Networking Departement there is a group Netdep, but my users are in Networking Departement.


When I search the group, it shows me only abc.com->Computer departement->System Departement->Networking Departement->Netdep. But I need abc.com->Computer departement->System Departement->Networking Departement. I used the depth option also, but no luck.


Can anyone explain to me whether AD/LDAP supports users in an OU? What am I missing?


Thanks

Contributor
DeaconZ
Posts: 136
Registered: 01-14-2009

Re: Authentication Problem with AD/LDAP

Are you talking about your Base DN in your Auth Servers?

Contributor
ozmark
Posts: 16
Registered: 10-28-2008

Re: Authentication Problem with AD/LDAP

The SAs do hierarchical LDAP searches.


The two things to consider are what it is looking for and what access the binding account has to LDAP.


In looking for an LDAP group (Groups ... -> Search ...):


The SA unit is looking for objects with an objectClass of 'groupOfUniqueNames', 'groupOfNames' or 'posixGroup', and it expects the entry to have a CN. Does your object/group match these conditions?


Contributor
TravisJohnson
Posts: 116
Registered: 12-14-2009

Re: Authentication Problem with AD/LDAP

I have a similar issue. I am using ADAM for my LDAP, and my SSG firewalls auth fine, but when I try to auth the same user in the SA, it isn't found in the searches?


My users do have a CN.


________________________________________________


If my post helped you, please feel free to give me kudos.
Distinguished Expert
muttbarker
Posts: 2,351
Registered: 01-29-2008

Re: Authentication Problem with AD/LDAP

That is an interesting problem. If you try to create a role mapping based on group membership, it will fail, as your users are members of the OU "Networking Department" but not the group "Netdep" - correct?


You can't use the attribute "memberOf", as that also only applies to groups. I am assuming you have some reason why you don't want to use groups and need to use an OU match instead.


Have you tried testing using the distinguishedName attribute? That attribute is the only one that I know of that would contain the full string with the OU.


Maybe there is a custom expression that could be written based on that. Just a thought.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
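Following on from the distinguishedName idea above, here is an added example (not from this thread, nor the SA's own custom-expression syntax) in Python of what an OU-based role check has to do: parse the user's DN into RDNs while honouring escaped commas, then assign the role only when the configured OU DN is a suffix of the user's DN, not merely a substring of it. The user names, DNs and the role name are constructed to mirror the OU path in the question.

```python
from typing import Dict, List

def parse_dn(dn: str) -> List[str]:
    """Split an RFC 4514 DN into RDNs, honouring backslash escapes so that
    an escaped comma inside a value (CN=Doe\\, Jane) is not a separator."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize_rdn(rdn: str) -> str:
    # AD attribute types and most values compare case-insensitively
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def user_in_ou(user_dn: str, ou_dn: str) -> bool:
    """True when user_dn lies strictly below ou_dn (the OU DN is a suffix)."""
    user = [normalize_rdn(r) for r in parse_dn(user_dn)]
    ou = [normalize_rdn(r) for r in parse_dn(ou_dn)]
    return len(user) > len(ou) and user[-len(ou):] == ou

# Constructed sample entries mirroring the OU path from the question
NET_OU = ("OU=Networking Departement,OU=System Departement,"
          "OU=Computer departement,DC=abc,DC=com")
USERS: Dict[str, str] = {
    "alice": "CN=Alice,OU=Networking Departement,OU=System Departement,"
             "OU=Computer departement,DC=abc,DC=com",
    "doe":   "CN=Doe\\, Jane,OU=Networking Departement,OU=System Departement,"
             "OU=Computer departement,DC=abc,DC=com",
    "bob":   "CN=Bob,CN=Users,DC=abc,DC=com",
    "eve":   "CN=Eve,OU=Networking Departement,DC=other,DC=com",  # same leaf OU name, other tree
}

def map_role(users: Dict[str, str], ou_dn: str, role: str) -> Dict[str, str]:
    """Assign `role` only to users whose distinguishedName sits under ou_dn."""
    return {name: role for name, dn in users.items() if user_in_ou(dn, ou_dn)}

if __name__ == "__main__":
    print(map_role(USERS, NET_OU, "netdep"))   # {'alice': 'netdep', 'doe': 'netdep'}
```

The "eve" entry shows why a plain substring match on "OU=Networking Departement" would be the wrong check: the suffix comparison rejects it because the rest of the tree differs.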