I have an SA-4000 with version 6.2R1 (build 13255).
I want to configure the LDAP search to find a user in a group.
The user entries are in: cn=user_1,ou=GROUP1,dc=domain2,dc=domain1
The groups are in: cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1
user_1 is a member of Domain Users and group_1.
In the SA-4000 I have the following configuration:
Finding user entries
Base DN: ou=GROUP1,dc=domain2,dc=domain1
Filter: cn=<USER>
Determining group membership
Base DN: ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1
Filter: cn=group_1
(the other field values are empty or left at their defaults)
I have a user_2 (cn=user_2,ou=GROUP1,dc=domain2,dc=domain1) defined that is not a member of group_1, and it can still access.
I don't understand what I'm doing wrong.
Best Regards
The solution is:
In the authentication server, fill in the following text boxes:
BASE DN: dc=domain2, dc=domain1
Filter: cn=<GROUPNAME>
Member Attribute: member
Go to Server Catalog and, in the Group tab, add the group (click Search to find the group in AD).
Go to the realm where this authentication server is applied, select the Role Mapping tab, and create a new rule: in the "Rule based on:" dropdown list choose Group Membership, click Update, select the group, and assign it to a role.
How are you using the group membership? Are you assigning a role based upon it?
You should be able to use policy trace to see what groups the user was found to belong to.
Try the following for group membership:
BASE DN: dc=domain2, dc=domain1
Filter: cn=<GROUPNAME>
Member Attribute: member
Travis
Kentars: I used policy tracing, and the search is done only in "Finding user entries"; no record appears for "Determining group membership".
imtravis: I added the member attribute, but it is still not working.
Any more suggestions?
Yes, the whole "server catalog" is very confusing. If you use AD authentication, this isn't necessary, but it is with LDAP. Nested groups can also be a problem.
I set Nested Group Level to 3 (three levels deep) and "Search all nested groups" so I don't have to define every nested group in the server catalog (otherwise you have to do this). JTAC suggests limiting Group Level to a max of 5 for performance reasons. Also, using the server catalog for nested groups is much faster (but not as foolproof and simple).
-=Dan=-
PS: 6.2R1 is buggy. As I've said other places, try this in 6.1 if possible.
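The following is an added example, not code from the thread or from Juniper: an offline Python model of how the "Finding user entries" and "Determining group membership" settings discussed above turn into LDAP lookups, run against a small in-memory directory constructed from the DNs quoted in the thread (the group_parent entry is hypothetical, added only to exercise the nested-group search Dan describes). It assumes the device resolves membership by searching under the group base DN for entries whose member attribute contains the user's DN, substituting <GROUPNAME> in the filter for each Server Catalog group, and following nesting up to the configured level; the real SA-4000 logic may differ in detail. It shows why the original settings (base DN ou=GRUP2, literal filter cn=group_1, empty member attribute) yield no groups for user_1 or user_2, why the accepted settings distinguish them, and why a catalog group that only contains the user through group_1 is found only when the nested level is raised.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed directory, modelled on the DNs quoted in the thread.
# group_parent is hypothetical, added only to exercise nested groups.
DIRECTORY: Dict[str, Entry] = {
    "cn=user_1,ou=GROUP1,dc=domain2,dc=domain1": {
        "objectClass": ["user"], "cn": ["user_1"]},
    "cn=user_2,ou=GROUP1,dc=domain2,dc=domain1": {
        "objectClass": ["user"], "cn": ["user_2"]},
    "cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1": {
        "objectClass": ["group"], "cn": ["group_1"],
        "member": ["cn=user_1,ou=GROUP1,dc=domain2,dc=domain1"]},
    "cn=group_parent,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1": {
        "objectClass": ["group"], "cn": ["group_parent"],
        "member": ["cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1"]},
}


@dataclass
class GroupConfig:
    """The 'Determining group membership' fields (assumed semantics)."""
    base_dn: str
    filter_template: str   # "<GROUPNAME>" is replaced by each catalog group
    member_attr: str       # "" models the field left empty
    nested_level: int = 1  # 1 = direct membership only


def norm_dn(dn: str) -> str:
    """Case-fold and drop spaces after commas: 'dc=a, dc=b' == 'dc=a,dc=b'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_subtree(dn: str, base_dn: str) -> bool:
    dn, base = norm_dn(dn), norm_dn(base_dn)
    return dn == base or dn.endswith("," + base)


def matches_filter(entry: Entry, filt: str) -> bool:
    """Only the simple equality filters used in the thread, e.g. cn=value."""
    attr, _, value = filt.strip().strip("()").partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr.strip(), []))


def find_user_dn(directory: Dict[str, Entry], base_dn: str,
                 filter_template: str, username: str):
    """'Finding user entries': exactly one hit under base_dn, else None."""
    filt = filter_template.replace("<USER>", username)
    hits = [dn for dn, e in directory.items()
            if in_subtree(dn, base_dn) and matches_filter(e, filt)]
    return hits[0] if len(hits) == 1 else None


def all_groups_of(directory: Dict[str, Entry], user_dn: str,
                  cfg: GroupConfig) -> Set[str]:
    """DNs of every group containing user_dn, following nesting up to cfg.nested_level."""
    seen: Set[str] = set()
    frontier = {norm_dn(user_dn)}
    for _ in range(max(cfg.nested_level, 1)):
        new: Set[str] = set()
        for dn, entry in directory.items():
            if not in_subtree(dn, cfg.base_dn):
                continue  # outside the configured base DN: never searched
            members = {norm_dn(m) for m in entry.get(cfg.member_attr, [])}
            if members & frontier and norm_dn(dn) not in seen:
                new.add(norm_dn(dn))
        if not new:
            break
        seen |= new
        frontier = new  # next level: groups that contain these groups
    return seen


def catalog_groups_for_user(directory: Dict[str, Entry], user_dn: str,
                            cfg: GroupConfig, catalog: List[str]) -> Set[str]:
    """Server Catalog names the user resolves to (what a role-mapping rule sees)."""
    member_of = all_groups_of(directory, user_dn, cfg)
    found: Set[str] = set()
    for name in catalog:
        filt = cfg.filter_template.replace("<GROUPNAME>", name)
        for dn, entry in directory.items():
            if (in_subtree(dn, cfg.base_dn) and matches_filter(entry, filt)
                    and norm_dn(dn) in member_of):
                found.add(name)
    return found


# Settings as posted in the thread: the original, the accepted fix, and Dan's nesting.
BROKEN = GroupConfig("ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1", "cn=group_1", "")
FIXED = GroupConfig("dc=domain2, dc=domain1", "cn=<GROUPNAME>", "member")
NESTED = GroupConfig("dc=domain2, dc=domain1", "cn=<GROUPNAME>", "member", nested_level=3)
USER_BASE, USER_FILTER = "ou=GROUP1,dc=domain2,dc=domain1", "cn=<USER>"

if __name__ == "__main__":
    for user in ("user_1", "user_2"):
        dn = find_user_dn(DIRECTORY, USER_BASE, USER_FILTER, user)
        print(user, "broken:", catalog_groups_for_user(DIRECTORY, dn, BROKEN, ["group_1"]),
              "fixed:", catalog_groups_for_user(DIRECTORY, dn, FIXED, ["group_1"]),
              "nested:", catalog_groups_for_user(DIRECTORY, dn, NESTED, ["group_parent"]))
```

With BROKEN, both users resolve to no groups at all (the misspelled base DN excludes every entry, and an empty member attribute could never tie a user to a group anyway), so a role-mapping rule cannot tell user_1 from user_2; with FIXED, user_1 resolves to group_1 and user_2 does not. group_parent is only reached from user_1 via group_1, so it shows up under NESTED (level 3) but not under FIXED (level 1), which is the case Dan's nested-group setting covers.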