We are now in the middle of implementing role mappings based on AD global security groups under CN=Domain Users.
In the role mapping I chose groups and was able to search for and add the groups. It found them without a problem. However, it wouldn't allow a member of any of the groups to log in.
I had to create a role mapping based on username. If anyone has any ideas I'd be greatly appreciative. I know that 6.4 is coming out at the end of this month, but I'm sure I'm not the only one who's had a problem.
Thanks
Michael
Hi Thanks for answering. The policy tracer shows the following:
Michael
Hi,
According to the log, it looks like the device doesn't get the correct list of groups.
Could you please check if the groups work fine if you use LDAP instead of Active Directory? (with the same server).
The server you see in the logs is already an LDAP server type. We did this because we understood that 2008 is not supported until the end of 03/09.
Is there a possibility we are using the filters incorrectly?
We have the base DN set to dc=me-corp,dc=lan
Filter: cn=Domain Users
I set nesting to 3, where the groups we are looking for are in the cn=Users container. If I go to server catalog and search, I find them as cn=iveadmin,cn=Users,dc=me-corp,dc=lan.
In the config I'm using, the group filter is set as below :
cn=<GROUPNAME>
Can you try this with 0 as nested group level ?
You can also run a network trace on port 389 to get the detail of the LDAP request that is sent.
Some tools like ldapsearch or an LDAP browser on Windows can also be useful.
The trace suggests User is not member of group 'iveadmin'. If the user is, can you check if iveadmin is the Primary Group for this user? Can you make some other group the Primary Group and try again?
Thanks.
thanks for the reply,
The user is a member of several groups. I thought about that at one point and in fact set his primary group to iveadmin.
I got the same results. I thought maybe I hadn't set the nested depth. So I set it to 4 but it didn't make any difference. Has anyone succeeded in doing this with AD 2008?
I understand that 6.4 is out in 2 weeks (I hope) and there should be support for AD 2008.
6.4 does have the support for AD 2008 on the SA device as AD Authentication Instance. But I have seen positive reports of LDAP Auth Instance against AD 2008 work pre 6.4.
In my previous comment, I meant to "NOT HAVE" iveadmin as the primary group for the user. LDAP group lookup fails for the Primary Group and one has to use the LDAP attribute PrimaryGroupID. KB2527 on the Juniper support site will help for the LDAP Attribute setup.
Thanks.
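The primary-group problem raised in the posts above, shown as an added illustration (not code from Juniper or from any participant in this thread): AD never lists a user's primary group in memberOf, so a membership check built only on memberOf reports "not a member" however deep the nesting level goes, while resolving primaryGroupID against the domain SID does find it. The directory, domain SID, DNs and RIDs below are constructed placeholders standing in for LDAP search results.

```python
# Constructed example, not Juniper or poster code: why a memberOf-only group check
# misses an AD user's primary group. DNs, RIDs and the domain SID are placeholders.

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # placeholder domain SID

# Stand-in for AD search results: DN -> attributes. AD does not list the
# primary group in memberOf; it is only implied by the primaryGroupID RID.
DIRECTORY = {
    "cn=iveadmin,cn=Users,dc=example,dc=lan": {
        "objectSid": f"{DOMAIN_SID}-1105", "memberOf": []},
    "cn=vpn-users,cn=Users,dc=example,dc=lan": {
        "objectSid": f"{DOMAIN_SID}-1106",
        "memberOf": ["cn=all-staff,cn=Users,dc=example,dc=lan"]},
    "cn=all-staff,cn=Users,dc=example,dc=lan": {
        "objectSid": f"{DOMAIN_SID}-1107", "memberOf": []},
    "cn=jdoe,cn=Users,dc=example,dc=lan": {
        "primaryGroupID": 1105,          # RID of iveadmin
        "memberOf": ["cn=vpn-users,cn=Users,dc=example,dc=lan"]},
}

def group_cn(dn):
    """Return the CN of a group DN, e.g. 'iveadmin'."""
    return dn.split(",")[0].split("=", 1)[1]

def groups_from_memberof(user_dn, nesting=0):
    """Walk memberOf; `nesting` is how many levels past direct groups to follow."""
    seen, frontier = set(), list(DIRECTORY[user_dn]["memberOf"])
    for _ in range(nesting + 1):
        nxt = []
        for dn in frontier:
            if dn not in seen:
                seen.add(dn)
                nxt.extend(DIRECTORY[dn]["memberOf"])
        frontier = nxt
    return {group_cn(dn) for dn in seen}

def primary_group(user_dn):
    """Resolve primaryGroupID: the group whose objectSid is DOMAIN_SID-RID."""
    sid = f"{DOMAIN_SID}-{DIRECTORY[user_dn]['primaryGroupID']}"
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectSid") == sid:
            return group_cn(dn)
    return None

def is_member(user_dn, group, nesting=0, include_primary=False):
    """Membership via memberOf only, or with the primary group added in."""
    groups = groups_from_memberof(user_dn, nesting)
    if include_primary:
        groups.add(primary_group(user_dn))
    return group in groups
```

Raising the nesting level never makes the primary group appear, which is why moving the user to a different primary group (or mapping on the PrimaryGroupID attribute) is the fix rather than deeper nesting.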
I have an IVE (6.3r3) authenticating against Windows Server 2008. I have been unable to make it work using an account other than administrator, but it does work. Here is my config. It allows for user password resets via the IVE (one failing is that in order for you to use <username> and <password> in terminal services, the user must log off and back on after changing their password).
Name: AUTH-SERVER-NAME
LDAP Server: my2k8ad.mysubdomain.mydomain.mytld
LDAP Port: 636
LDAP Server Type: Active Directory
Connection:
[ ] Unencrypted  [x] LDAPS  [ ] Start TLS
Connection Timeout: 15
Search Timeout: 60
Authentication required?
[x] Authentication required to search LDAP
Admin DN: cn=administrator,cn=users,dc=mysubdomain,dc=mydomain,dc=mytld
Password: ********
Finding user entries
Base DN: dc=mysubdomain,dc=mydomain,dc=mytld
Filter: samaccountname=<username>
Determining group membership
Base DN: dc=mysubdomain,dc=mydomain,dc=mytld
Filter: cn=<GROUPNAME>
Member Attribute: memberOf
[x] Reverse group search
Nested Group Level: 4
Nested Group Search:
[x] Search all nested groups
stine
JNCIA-ER