AD group membership

BGT_
Occasional Contributor

AD group membership

I have a SA-4000 with the version 6.2R1 (build 13255).

I want to configure the LDAP search to find a user in a group.

The user entries are in: cn=user_1,ou=GROUP1,dc=domain2,dc=domain1

The groups are in: cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1

user_1 is a member of Domain Users and group_1.

In the SA-4000 I have the following configuration:

Finding user entries

Base DN: ou=GROUP1,dc=domain2,dc=domain1

Filter: cn=<USER>

Determining group membership

Base DN: ou=GRUP2,ou=GROUP1,dc=domain2,dc=domain1

Filter: cn=group_1

(the other field values are empty or left at their defaults)

I have a user_2 (cn=user_2,ou=GROUP1,dc=domain2,dc=domain1) defined that is not a member of group_1, and it can still access.

I don't understand what I'm doing wrong.

Best Regards

kenlars_
Super Contributor

Re: AD group membership

How are you using the group membership? Are you assigning a role based upon it?

You should be able to use policy trace to see what groups the user was found to belong to.

imtravis_
Contributor

Re: AD group membership

Try doing the following for group membership:

BASE DN: dc=domain2, dc=domain1

Filter: cn=<GROUPNAME>

Member Attribute: member

Travis

BGT_
Occasional Contributor

Re: AD group membership

kenlars: I used policy tracing, and the search is only done in Finding user entries; no entry appears for Determining group membership.

imtravis: I added the member attribute but it is still not working.

Any more suggestions?

BGT_
Occasional Contributor

Re: AD group membership

The solution is:

In the authentication server fill in the following text boxes:

BASE DN: dc=domain2, dc=domain1

Filter: cn=<GROUPNAME>

Member Attribute: member

Go to Server Catalog and, in the Group tab, add the group (click Search to find the group in AD).

Go to the realm where this authentication server is applied, select the Role Mapping tab, create a new rule, choose Group Membership in the "Rule based on" drop-down list, click Update, select the group and assign it to a role.

Dan_Smart_
Occasional Contributor

Re: AD group membership

Yes, the whole "server catalog" is very confusing. If you use AD authentication, this isn't necessary, but it is with LDAP. Nested groups can also be a problem.

I set Nested Group Level to 3 (three levels deep) and "Search all nested groups" so I don't have to define every nested group in the server catalog (otherwise you have to do this). JTAC suggests limiting Group Level to a max of 5 for performance reasons. Also, using the server catalog for nested groups is much faster (but not as foolproof and simple).

-=Dan=-

PS: 6.2R1 is buggy. As I've said other places, try this in 6.1 if possible.
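To make the accepted solution and Dan's nested-group remark concrete, here is an added example that is not from the thread and not Juniper's code: a small Python emulation of the "Determining group membership" step run against a constructed in-memory directory. The user and group DNs are the ones from the original post; parent_group is a hypothetical extra group added only to show nesting, and the matching logic is my approximation of what the appliance does (subtree search with the filter cn=<GROUPNAME> under the base DN, then a check of the user's DN against the member attribute, descending into member groups up to the configured nested level). It shows why a base DN that does not contain the group entry finds nothing, why an empty Member Attribute can never establish membership, and how the nested level bounds the search.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: trim spaces around commas, lower-case.
    This is why "dc=domain2, dc=domain1" and "dc=domain2,dc=domain1" compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed in-memory directory (DN -> attributes). user_1, user_2 and group_1
# mirror the DNs in the thread; parent_group is a hypothetical extra group that
# contains group_1, used only to demonstrate nested membership.
_RAW: Dict[str, Entry] = {
    "cn=user_1,ou=GROUP1,dc=domain2,dc=domain1": {"cn": ["user_1"], "objectClass": ["user"]},
    "cn=user_2,ou=GROUP1,dc=domain2,dc=domain1": {"cn": ["user_2"], "objectClass": ["user"]},
    "cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1": {
        "cn": ["group_1"],
        "objectClass": ["group"],
        "member": ["cn=user_1,ou=GROUP1,dc=domain2,dc=domain1"],
    },
    "cn=parent_group,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1": {
        "cn": ["parent_group"],
        "objectClass": ["group"],
        "member": ["cn=group_1,ou=GROUP2,ou=GROUP1,dc=domain2,dc=domain1"],
    },
}
DIRECTORY: Dict[str, Entry] = {normalize_dn(dn): attrs for dn, attrs in _RAW.items()}


def search(base_dn: str, attr: str, value: str) -> List[str]:
    """Subtree search: DNs at or below base_dn whose `attr` contains `value`
    (case-insensitive), i.e. the equality filter (attr=value) with scope=sub."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn == base or dn.endswith("," + base):
            if value.lower() in (v.lower() for v in entry.get(attr, [])):
                hits.append(dn)
    return hits


def _group_contains(group_dn: str, user_dn: str, member_attr: str, levels_left: int) -> bool:
    """Direct membership test, descending into member entries that are themselves
    groups at most levels_left more times (the 'Nested Group Level' idea)."""
    members = [normalize_dn(m) for m in DIRECTORY[group_dn].get(member_attr, [])]
    if user_dn in members:
        return True
    if levels_left <= 0:
        return False
    for m in members:
        entry = DIRECTORY.get(m)
        if entry and "group" in entry.get("objectClass", []):
            if _group_contains(m, user_dn, member_attr, levels_left - 1):
                return True
    return False


def is_member(user_dn: str, group_name: str, base_dn: str,
              member_attr: Optional[str], nested_level: int = 0) -> bool:
    """Emulate the 'Determining group membership' step: run the template filter
    cn=<GROUPNAME> under base_dn, then test whether the authenticated user's DN
    is listed in the group's member attribute. An empty member attribute leaves
    nothing to compare against, so membership is never established."""
    if not member_attr:
        return False
    user = normalize_dn(user_dn)
    return any(_group_contains(g, user, member_attr, nested_level)
               for g in search(base_dn, "cn", group_name))


if __name__ == "__main__":
    base = "dc=domain2, dc=domain1"  # base DN from the accepted solution
    u1 = "cn=user_1,ou=GROUP1,dc=domain2,dc=domain1"
    u2 = "cn=user_2,ou=GROUP1,dc=domain2,dc=domain1"
    print("user_1 in group_1:", is_member(u1, "group_1", base, "member"))        # True
    print("user_2 in group_1:", is_member(u2, "group_1", base, "member"))        # False
    print("no member attribute:", is_member(u1, "group_1", base, None))          # False
    print("nested level 0:", is_member(u1, "parent_group", base, "member", 0))   # False
    print("nested level 1:", is_member(u1, "parent_group", base, "member", 1))   # True
```

The domain-root base DN from the accepted solution finds group_1 wherever it sits in the tree, whereas a narrower base DN that does not contain the group entry (for example one with a mistyped OU) returns no hits and therefore no membership. The nested level is the only thing stopping the descent, which is the performance trade-off behind the advice to keep it small.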