Moderator
zanyterp

Re: Nested AD groups - Cross domain

Hi Stewart,


Yes, either of those options would work for giving the user the display of which domain/realm they will be logging in against. I have seen both used (together and separately); whichever you think would work best for your users.

Contributor
Frostie

Re: Nested AD groups - Cross domain

Hello

Ok...this problem is marked as solved, but I had a similar problem with users in multiple domains, so maybe my solution can help you in any way.

Here we have a classic domain setup with a root domain and some sub-domains.

domain.com
aaa.domain.com
bbb.domain.com

..and so on.

The users of the SA can be from any of these domains, which means the LDAP lookup had to start at the root domain.

dc=domain,dc=com

Because of the size and number of the domains, the LDAP lookup took unacceptably long (40+ seconds).
An AD/NT lookup ran into a timeout after 2 minutes or so. So I had to search for another solution.

My idea then was to build some kind of dynamic Base DN to let the LDAP lookup start directly within the user's domain.


To achieve this, I configured the Reply-message attribute on the Radius server (we use Radius for the first authentication) to reply with the (sub)domain name of the user who logs in.


JohnDoe Auth-Type := Local, Cleartext-Password := "password"
        Reply-Message := "aaa"


In the LDAP Auth Server settings I then used the system variable "userAttr.<auth-attr>" to dynamically build the correct Base DN for the lookup.

Looks like this

dc=<userAttr@Authservername.Reply-Message>,dc=domain,dc=com

When a user logs in, this resolves to ....

dc=aaa,dc=domain,dc=com


With this Base DN, the LDAP server of the root domain directly replies with a redirect to the domain controller of the user's domain, which is then queried for the user attributes.


Maybe my solution can help in any way.


Marc
Trusted Contributor
stine

Re: Nested AD groups - Cross domain

That is genius.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Contributor
Stewart

Re: Nested AD groups - Cross domain

Agreed! Great information. We have a RADIUS server, so hopefully we can achieve the same thing. Our domains do not share a common suffix or prefix, but I don't suppose that should matter too much. I guess I could just provide the whole Base DN in the reply:


JohnDoe Auth-Type := Local, Cleartext-Password := "password"
        Reply-Message := "dc=aaa,dc=domain,dc=com"


Then use Base DN under auth server as "<userAttr@Authservername.Reply-Message>"


Hopefully this will work too.
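As an added example (not from the thread, Juniper or FreeRADIUS), the following Python models the Base DN expansion described in Frostie's and Stewart's posts and adds the check a defender would want before a RADIUS-supplied value lands in an LDAP Base DN: the expanded DN must consist solely of dc= components, so a reply containing commas, '=' or wildcards is rejected instead of changing where the lookup starts. The auth server name "Radius" and the (server, attribute) mapping are assumptions.

```python
import re

# Constructed example: models how the SA's <userAttr@AuthServer.Attribute>
# variable is expanded into a Base DN. The server name "Radius" is an
# assumption; the attribute is the Reply-Message used in the posts above.
VAR_RE = re.compile(r"<userAttr@(?P<server>[^.>]+)\.(?P<attr>[^>]+)>")

# Every RDN of the resulting Base DN must be dc=<label>, where <label> is a
# plain DNS label. Commas, '=', backslashes, wildcards or spaces inside a
# RADIUS reply would otherwise alter the DN's structure, so they are rejected.
DC_RDN_RE = re.compile(r"^dc=([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)$")


def expand_base_dn(template, reply_attrs):
    """Substitute <userAttr@Server.Attr> variables from the RADIUS reply.

    reply_attrs maps (server, attribute) -> value, e.g.
    {("Radius", "Reply-Message"): "aaa"}; a missing attribute is an error.
    """
    def sub(match):
        key = (match.group("server"), match.group("attr"))
        if key not in reply_attrs:
            raise KeyError(f"RADIUS reply has no {key[1]} from {key[0]}")
        return reply_attrs[key]
    return VAR_RE.sub(sub, template)


def dc_labels(base_dn):
    """Return the DNS labels of a dc-only Base DN, rejecting anything else."""
    labels = []
    for rdn in base_dn.split(","):
        m = DC_RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"rejected Base DN component: {rdn.strip()!r}")
        labels.append(m.group(1))
    return labels


def base_dn_for_login(template, reply_attrs):
    """Expanded Base DN and the domain whose controller the referral targets."""
    dn = expand_base_dn(template, reply_attrs)
    return dn, ".".join(dc_labels(dn))


if __name__ == "__main__":
    # Frostie's variant: the reply carries only the sub-domain label.
    print(base_dn_for_login("dc=<userAttr@Radius.Reply-Message>,dc=domain,dc=com",
                            {("Radius", "Reply-Message"): "aaa"}))
    # Stewart's variant: the reply carries the whole Base DN.
    print(base_dn_for_login("<userAttr@Radius.Reply-Message>",
                            {("Radius", "Reply-Message"): "dc=other,dc=net"}))
```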

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.