SA4000 cluster (61.R2) with AD LDAP authentication. I can authenticate users from AD by specifying different group membership, except the group Domain Users. The user gets authenticated but then I get an error message in the logs that the user failed due to "No Rules" to map to.
I browsed the AD LDAP, and since Domain Users is a default it is not listed in the user container for the attribute "member" or "memberof". I can see Domain Users object in the Nested Groups and create the group on the IVE (and map the role), so I know the LDAP configuration is correct.
Anyone know how to map roles for the group Domain Users with LDAP?
Thanks!
Problem is that Domain Users is the primary group for users in AD, and these group memberships are not visible via LDAP as a "memberOf" user attribute.
Solution is to change the primary group setting of the users to something other than Domain Users, or create a new security group that all the domain users are members of.
Can you post your policy trace? Did you verify via an LDAP reader like Softerra that the value you are using is defined in the correct LDAP attribute?
When you said that you tried using groups - did you try via LDAP or with your Authorization server being AD? If via LDAP, were you able to display the groups through the role mapping rule definition - i.e. select "New Rule" - select "Group Membership" select "Groups" and then "Search" - This should display all the valid groups in your directory. If you are not seeing the groups then you may have something wrong in your LDAP auth server setup.
We have a 6.X cluster with AD authentication that's been doing LDAP authorization (for years)
Our existing process uses LDAP lookups from the SSLVPN device to our AD to see if a user is in particular groups in AD to decide what role mapping should happen.
The change wanted is to allow all Domain Users to get in (if they authenticate) and get some basic services.
Problem seems to be that Domain Users is normally a user's primary group.
This means LDAP can't look it up?
So then I nested the groups in AD - I put "Domain Users" *inside* of my existing LDAP group that we were putting people in, left the rules alone, went to the definition of the LDAP auth server inside the SSLVPN and set it up for various options, like recursion, 10 levels deep, tried member and memberOf, and nothing there worked.
Getting creative with custom expressions, tried things like:
groups = "Domain%20Users"
Inspired by http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx tried various userAttr values
userAttr.<attribute> values (http://msdn.microsoft.com/en-us/library/ms675090(VS.85).aspx) trying to see if any of these would work:
userAttr.Default-Group = "Domain Users"
(haven't tried) userAttr.Primary-Group-ID = "{sid of group would go here}" (by running getsid.exe from the Resource kit, find out)
you can also add the attribute "513" which specifies the "domain users" in the LDAP server catalog.
this would be the best way of mapping the "domain users"
Yes that works!
If you make a Role Mapping rule under -
Users -> User Realms -> (pick a realm) -> Role Mapping
Under the Role Mapping screen,
Choose Attribute: primaryGroupID
choose: is
and then in the free text field: 513
Then assign the role you want
Thank you SSLViking, that works great.
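The LDAP-side mechanics behind the primaryGroupID = 513 rule above, as an added example that is not from this thread or from Juniper: AD stores the primary group only as a RID in primaryGroupID (never in memberOf), so any membership check has to union the two. Names, DNs and SIDs are constructed sample data; a single domain is assumed.

```python
import struct

# Well-known RID of "Domain Users"; identical in every AD domain, which is
# why the role-mapping rule in the thread can hard-code primaryGroupID = 513.
DOMAIN_USERS_RID = 513


def build_sid(*subauths):
    """Constructed helper: pack subauthorities into binary objectSid form (NT authority 5)."""
    header = bytes([1, len(subauths)]) + (5).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subauths), *subauths)


def sid_to_string(sid):
    """Render a binary objectSid (revision, count, 48-bit authority, LE subauthorities) as text."""
    rev, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))


def rid_of(sid):
    """The RID is the last subauthority; primaryGroupID stores exactly this number."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]


def effective_groups(user, groups):
    """memberOf plus the primary group, which AD never lists in memberOf."""
    dns = set(user.get("memberOf", []))
    for g in groups:
        if rid_of(g["objectSid"]) == user["primaryGroupID"]:
            dns.add(g["dn"])
    return dns


def rule_primary_group_is(user, rid=DOMAIN_USERS_RID):
    """Equivalent of the IVE rule 'Attribute primaryGroupID is 513'."""
    return user["primaryGroupID"] == rid


# Constructed sample directory entries (not real data).
DOMAIN_USERS = {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
                "objectSid": build_sid(21, 1000, 2000, 3000, DOMAIN_USERS_RID)}
VPN_USERS = {"dn": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
             "objectSid": build_sid(21, 1000, 2000, 3000, 1105)}
GROUPS = [DOMAIN_USERS, VPN_USERS]
ALICE = {"dn": "CN=alice,CN=Users,DC=example,DC=com", "primaryGroupID": 513,
         "memberOf": [VPN_USERS["dn"]]}  # Domain Users is absent here, as in real AD
```

A rule built on memberOf alone would never match Domain Users for ALICE; the primaryGroupID rule and the union in effective_groups both do.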
hello-
I have to configure LDAP, and I have no idea how, so can you share your configuration?
hello all,
I have no idea how to configure LDAP authentication using an SRX device, so I'd be thankful to anyone who can help by guiding me.
Hi All,
I have successfully configured AAA Authentication on my IVE device and mapped roles against them depending on the Class value returned on the Group level.
Now i want to achieve the same result using AD/LDAP servers. I have been successful in authentication and assigning roles using the username attribute. But I still cannot map roles depending on the department name or any other attribute.
Can anyone please share their experience as to how I can achieve this task. I have also made a separate Security Group on my AD Server and placed my users in it (other than Domain Group).
Please be as descriptive as possible.
Regards.
From the Role Mapping tab you would define a new role. Then change the "Rule Based On" value to match "Group Membership" to use a group and then hit "update". You can now hit the Groups button to select groups to use - this will bring you to the Search screen where you can view and select the groups.
To use a user attribute such as department you will need to set the "Rule Based On" to the value of "user attribute" - you can then use any of the displayed attributes, or again, drill in and select other attributes to use. If you want to use multiple values together for a single role map then you can use the "Rule Based On" of "custom expressions" and write complex rules, but that is more difficult.
Does that make sense?