vSRX

User-group-mapping not all users

‎04-27-2018 04:13 AM

After change user's OU in Active Directory, this user is no longer matching groups. For other users, everything works well.

root@JUNOS-SRX# show services user-identification
active-directory-access {
    domain domain.com {
        user {
            juniperadmin;
            password "xxxxxxxx"; ## SECRET-DATA
        }
        domain-controller ATK-S-xxx {
            address 192.168.254.xxx;
        }
        domain-controller ATK-S-xx1 {
            address 192.168.254.xx1;
        }
        ip-user-mapping {
            discovery-method {
                wmi {
                    event-log-scanning-interval 30;
                    initial-event-log-timespan 1;
                }
            }
        }
        user-group-mapping {
            ldap {
                base DC=domain,DC=com;
            }
        }
    }
    authentication-entry-timeout 90;
    wmi-timeout 120;
    filter {
    }
}

If I enter the command:

show services user-identification active-directory-access user-group-mapping group internet domain domain.com

all users appear in the list, except the one that has been moved to another OU.

Non-working user:

show services user-identification authentication-table authentication-source active-directory user bebely
Domain: domain.com
Source IP      Username   groups(Ref by policy)   state
172.20.6.49    bebely                             Valid

A working user:

show services user-identification authentication-table authentication-source active-directory user irveli
Domain: domain.com
Source IP      Username   groups(Ref by policy)   state
172.20.6.65    irveli     internet                Valid

4 REPLIES

Re: User-group-mapping not all users

‎02-20-2019 07:24 AM

Did you ever get an answer to this question?  I have the same issue.


Re: User-group-mapping not all users

‎06-24-2019 05:03 PM

Jmcsparin,

Are you still experiencing a problem on here?

Apologies on the lack of response.

Could you share traceoptions for this service? That would be a good starting point.

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: User-group-mapping not all users

‎06-24-2019 05:05 PM

Also, this page should help guide you on those traceoptions I requested.

https://www-origin.junipercloud.net/documentation/en_US/junos/topics/reference/configuration-stateme...

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: User-group-mapping not all users

‎06-25-2019 09:07 AM

Hi Daniyarjmcsparin,

Basically, the authentication table output shows a user's group only if that group is referenced in a security policy.

show services user-identification authentication-table authentication-source active-directory user bebely
Domain: domain.com
Source IP      Username   groups(Ref by policy) <<<<<   state
172.20.6.49    bebely                                   Valid

So if the user was in the 'internet' OU and this group was referenced in the policy, then the user shows up with group info in the auth table. If they were moved to another OU, say 'admin', and this admin group is not referenced anywhere in a security policy, then the groups info will show up blank. This is by design, as we wouldn't want the SRX to query for group information for groups that are not referenced anywhere, thereby saving the SRX's resources.

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!! 🙂

Regards,

HS
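The behaviour HS describes can be checked directly against the policy configuration. The following is an added example, not configuration from the original thread or from Juniper: it assumes the user-identification configuration shown in the first post, a trust/untrust zone pair, and a hypothetical policy name (allow-internet-users). The first policy references the 'internet' group via source-identity, so members of that group are queried and show up with group info in the authentication table. The second, commented-out policy shows what would be needed for a user moved into a hypothetical 'admin' group to appear with group info as well; until some policy references "domain.com\admin", the groups column for that user stays blank, exactly as in the bebely output above.

```junos
## Added example (hypothetical policy names and zones; not from the thread).
## Only groups referenced by a security policy's source-identity are
## resolved into the authentication table.
security {
    policies {
        from-zone trust to-zone untrust {
            ## Members of "internet" are referenced here, so the auth table
            ## shows "internet" in the groups(Ref by policy) column.
            policy allow-internet-users {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity "domain.com\internet";
                }
                then {
                    permit;
                }
            }
            ## Uncomment to make a user moved into a hypothetical "admin"
            ## group show up with group info as well.
            ## policy allow-admin-users {
            ##     match {
            ##         source-address any;
            ##         destination-address any;
            ##         application any;
            ##         source-identity "domain.com\admin";
            ##     }
            ##     then {
            ##         permit;
            ##     }
            ## }
        }
    }
}
```

After committing a policy that references the new group, re-run the `show services user-identification authentication-table authentication-source active-directory user <name>` command from the first post; a blank groups column for a user whose group is not referenced by any policy is expected rather than a mapping failure, while a blank column for a user whose group is referenced is the case worth investigating with traceoptions as suggested earlier in the thread.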
