AD LDAP and Domain Users Group

SOLVED
joepope_
Occasional Contributor

SA4000 cluster (6.1R2) with AD LDAP authentication. I can authenticate users from AD by specifying different group memberships, except for the group Domain Users. The user gets authenticated, but then I get an error message in the logs saying that the user failed due to "No Rules" to map to.

I browsed the AD LDAP, and since Domain Users is a default group, it is not listed in the user container for the attribute "member" or "memberOf". I can see the Domain Users object in the Nested Groups and create the group on the IVE (and map the role), so I know the LDAP configuration is correct.

Anyone know how to map roles for the group Domain Users with LDAP?

Thanks!

ACCEPTED SOLUTION
Eltjo_
New Contributor

Re: AD LDAP and Domain Users Group

The problem is that Domain Users is the primary group for users in AD, and primary group memberships are not visible via LDAP as a "memberOf" user attribute.

The solution is to change the primary group setting of the users to something other than Domain Users, or to create a new security group of which all the domain users are members.


10 REPLIES
muttbarker_
Valued Contributor

Re: AD LDAP and Domain Users Group

Can you post your policy trace? Did you verify via an LDAP reader like Softerra that the value you are using is defined in the correct LDAP attribute?

When you said that you tried using groups, did you try via LDAP or with your Authorization server being AD? If via LDAP, were you able to display the groups through the role mapping rule definition, i.e. select "New Rule", select "Group Membership", select "Groups" and then "Search"? This should display all the valid groups in your directory. If you are not seeing the groups then you may have something wrong in your LDAP auth server setup.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
tyoud_
New Contributor

Re: AD LDAP and Domain Users Group

We have a 6.X cluster with AD authentication that's been doing LDAP authorization (for years).

Our existing process uses LDAP lookups from the SSLVPN device to our AD to see if a user is in particular groups in AD to decide what role mapping should happen.

The change wanted is to allow all Domain Users to get in (if they authenticate) and get some basic services.

The problem seems to be that Domain Users is normally a user's primary group.

This means LDAP can't look it up?

So then I nested the groups in AD: I put "Domain Users" *inside* of my existing LDAP group that we were putting people in, left the rules alone, went to the definition of the LDAP auth server inside the SSLVPN and set it up for various options, like recursion, 10 levels deep, tried member and memberOf, and nothing there worked.

Getting creative with custom expressions, tried things like:

groups = "Domain%20Users"

Inspired by http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx tried various userAttr values

userAttr.<attribute> values (http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx) trying to see if any of these would work:

userAttr.Default-Group = "Domain Users"

(haven't tried) userAttr.Primary-Group-ID = "{sid of group would go here}" (find it out by running getsid.exe from the Resource Kit)

Message Edited by tyoud on 05-28-2008 10:50 AM
SSLViking_
Not applicable

Re: AD LDAP and Domain Users Group

You can also add the attribute "513", which specifies "Domain Users", in the LDAP server catalog.

This would be the best way of mapping the "Domain Users".

tyoud_
New Contributor

Re: AD LDAP and Domain Users Group

Yes that works!

If you make a Role Mapping rule under:

Users -> User Realms -> (pick a realm) -> Role Mapping

Under the Role Mapping screen:

Choose Attribute: primaryGroupID

Choose: is

And then in the free text field: 513

Then assign the role you want

Thank you SSLViking, that works great.
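The two pieces of this thread fit together: the accepted answer explains that the primary group is never written to memberOf (so nesting Domain Users inside another group, as tried above, does not help either, because the chain breaks at the user object itself), and the working fix is a role-mapping rule on primaryGroupID. The script below is an added example, not code from the thread, the IVE or Juniper. It models a tiny constructed directory (the SIDs, DNs, group names and role names are assumptions) and shows three things: why nested-group resolution still finds nothing for a user whose only membership is the primary group, how an IVE-style "primaryGroupID is 513" rule catches that user while a "Group Membership" rule does not, and how to derive the primary group's objectSid from the user's SID so you can confirm with an LDAP browser which group RID 513 really is.

```python
"""Added example (not from the original thread): primary group vs. memberOf.

All directory data below is constructed for the example. SIDs, DNs, group
names and role names are assumptions, not values from any real domain.
"""
import struct


def decode_sid(blob):
    """Decode AD's binary objectSid into its S-1-5-21-... string form."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def encode_sid(sid):
    """Inverse of decode_sid; only used to build the constructed sample data."""
    parts = sid.split("-")  # ["S", revision, authority, sub, sub, ...]
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(user_sid, primary_group_id):
    """Primary group SID = the user's domain SID with the RID replaced by primaryGroupID."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)


def primary_group_filter(user_sid, primary_group_id):
    """LDAP filter that locates the primary group object, since memberOf will never show it."""
    return "(&(objectClass=group)(objectSid=%s))" % primary_group_sid(user_sid, primary_group_id)


# --- constructed directory (assumed values) ---------------------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
VPN_USERS = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
ALICE = "CN=alice,CN=Users,DC=example,DC=com"
BOB = "CN=bob,CN=Users,DC=example,DC=com"

DIRECTORY = {
    # AD does not list primary-group members in the group's member attribute.
    DOMAIN_USERS: {"objectClass": "group", "objectSid": encode_sid(DOMAIN_SID + "-513"),
                   "member": []},
    # The nesting attempt from the thread: Domain Users placed inside the VPN group.
    VPN_USERS: {"objectClass": "group", "objectSid": encode_sid(DOMAIN_SID + "-1105"),
                "member": [DOMAIN_USERS, BOB]},
    # alice is only a member of her primary group; bob is also a direct VPN-Users member.
    ALICE: {"objectClass": "user", "objectSid": encode_sid(DOMAIN_SID + "-1001"),
            "primaryGroupID": 513},
    BOB: {"objectClass": "user", "objectSid": encode_sid(DOMAIN_SID + "-1002"),
          "primaryGroupID": 513},
}


def member_of(dn):
    """What the memberOf back-link returns: every group whose member attribute lists dn."""
    return {g for g, e in DIRECTORY.items()
            if e["objectClass"] == "group" and dn in e["member"]}


def nested_groups(dn, depth=10):
    """Recursive resolution, the way a 'nested groups, N levels deep' server setting works."""
    found, frontier = set(), {dn}
    for _ in range(depth):
        frontier = {g for m in frontier for g in member_of(m)} - found
        if not frontier:
            break
        found |= frontier
    return found


# Role-mapping rules in evaluation order: (rule type, value, role). Assumed role names.
ROLE_RULES = [
    ("group", VPN_USERS, "Full-Access"),        # "Group Membership" rule
    ("primaryGroupID", 513, "Basic-Access"),    # "User Attribute: primaryGroupID is 513"
]


def map_roles(dn):
    """Evaluate the rules for one user; an empty set is the thread's 'No Rules' condition."""
    entry = DIRECTORY[dn]
    groups = nested_groups(dn)
    roles = set()
    for kind, value, role in ROLE_RULES:
        if kind == "group" and value in groups:
            roles.add(role)
        elif kind == "primaryGroupID" and entry.get("primaryGroupID") == value:
            roles.add(role)
    return roles


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user, "nested groups:", nested_groups(user) or "(none)", "roles:", map_roles(user))
    print("verify 513 with:", primary_group_filter(decode_sid(DIRECTORY[ALICE]["objectSid"]), 513))
```

Two practical notes. First, 513 is the well-known RID of Domain Users, so the rule is portable between domains, but the same memberOf blind spot applies to whatever group you make a user's primary group: if you follow the accepted answer and change primary groups, the new primary group disappears from memberOf instead. Second, on a live domain the attribute comes back over LDAP as the string "513", which is what the free-text rule above compares against; the filter string the script prints can be pasted into an LDAP browser to confirm which group object carries that RID in your domain.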

shyan_
New Contributor

Re: AD LDAP and Domain Users Group

Hello,

I have to configure LDAP and I have no idea how, so can you share your configuration?

shyan_
New Contributor

Re: AD LDAP and Domain Users Group

Hello all,

I have no idea how to configure LDAP authentication using an SRX device, so I would be thankful to anyone who can help by guiding me.

MavKhan_
New Contributor

Re: AD LDAP and Domain Users Group

Hi All,

I have successfully configured AAA authentication on my IVE device and mapped roles against them depending on the Class value returned at the group level.

Now i want to achieve the same result using AD/LDAP servers. I have been successful in authentication and assigning roles using the username attribute. But I still cannot map roles depending on the department name or any other attribute.

Can anyone please share their experience of how I can achieve this task? I have also made a separate security group on my AD server and placed my users in it (other than the Domain Users group).

Please be as descriptive as possible.

Regards.

muttbarker_
Valued Contributor

Re: AD LDAP and Domain Users Group

From the Role Mapping tab you would define a new rule. Then change the "Rule Based On" value to "Group Membership" to use a group, and hit "Update". You can now hit the "Groups" button to select groups to use; this will bring you to the Search screen where you can view and select the groups.

To use a user attribute such as department you will need to set "Rule Based On" to "User Attribute"; you can then use any of the displayed attributes, or again, drill in and select other attributes to use. If you want to use multiple values together for a single role mapping then you can set "Rule Based On" to "Custom Expressions" and write complex rules, but that is more difficult.

Does that make sense?