Hi
I am facing a problem regarding AD authentication with Windows Server 2008. I have IVE OS 6.4. When I did the policy tracing, it showed the user is successfully authenticated with AD BUT fails to map to a ROLE. Can anyone help me out? Is there any trick to do it?
Thanks
What username does the auth server come back with versus what you have listed in the role mapping? In AD 2003 it's just by username, but maybe it's not in 2008? Does 2008 include the domain in the name? DOMAIN.LOCAL/John.doe as opposed to john.doe?
Hi
Thanks for the reply. Let me describe my problem. Actually on AD, users are in nested groups like abc.com->Computer Department->System Department->Networking Department.
Users are in Networking Department. In role mapping, when I give group membership and then update the group and then search, it only shows me abc.com/Computer Department. When I select that group and assign this group the role, then through policy tracing I came to know users are successfully authenticated but ROLE mapping fails.
Why does SSL VPN not show the group abc.com\Computer Department\System Department\Networking Department?
Does authentication with AD not support groups in depth?
Thanks for the help
It sounds to me like you have Active Directory OUs confused with Active Directory Security Groups... as far as I know Juniper only supports role mapping based on security groups, not OUs.
Thanks for the reply. BUT now I am trying to authenticate users via LDAP. My users are in abc.com->Computer Department->System Department->Networking Department. In Networking Department there is a group Netdep. But my users are in Networking Department.
When I search the group, it shows me only abc.com->Computer Department->System Department->Networking Department->Netdep. But I need abc.com->Computer Department->System Department->Networking Department. I used the depth option also but no luck.
Can anyone explain to me whether AD/LDAP supports users in OUs? What am I missing?
Thanks
For authentication, as long as the OU the users are in is below what you have configured in the Base DN on the LDAP authentication server and the Filter is correctly set, it should work. The group settings only relate to determining group membership for use in role mappings. If the authentication is failing, it could be that the Admin user ID/password is wrong or the filter is not pointing to the correct attribute.
@Tessian wrote: It sounds to me like you have Active Directory OUs confused with Active Directory Security Groups... as far as I know Juniper only supports role mapping based on security groups, not OUs.
As far as I know, that is correct.
Configure the Base DN in your Auth server as dc=domain,dc=com and map roles based on Groups in Active Directory.
Also, when working with LDAP, I use samAccountname=<USER> as my filter for finding user entries.
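An added example (not code from the thread or from Juniper) that models the distinction the replies make: a user sitting in a nested OU still carries only security groups in memberOf, so a role-mapping rule written against an OU name never matches, while the Base DN check and the samAccountname=<USER> filter from the last reply are what authentication depends on. The user entry, john.doe, Netdep and abc.com are constructed placeholders; no directory is contacted.

```python
# Added example, not code from the thread or from Juniper. Models AD/LDAP role
# mapping on a constructed entry; all names are placeholders from the thread.
import re

# Constructed user entry: the user sits in the nested OU path from the thread,
# but memberOf lists only the security group Netdep, never an OU.
USER_ENTRY = {
    "sAMAccountName": "john.doe",
    "distinguishedName": "CN=John Doe,OU=Networking Department,OU=System Department,"
                         "OU=Computer Department,DC=abc,DC=com",
    "memberOf": ["CN=Netdep,OU=Networking Department,OU=System Department,"
                 "OU=Computer Department,DC=abc,DC=com"],
}

def parse_dn(dn):
    """Split a DN into (attr, value) pairs; a comma escaped as backslash-comma stays in the value."""
    return [tuple(p.split("=", 1)) for p in re.split(r"(?<!\\),", dn)]

def ou_path(dn):
    """Root-first OU path, e.g. abc.com/Computer Department/..., as the OP saw it."""
    rdns = parse_dn(dn)
    domain = ".".join(v for a, v in rdns if a.upper() == "DC")
    ous = [v for a, v in rdns if a.upper() == "OU"]
    return "/".join([domain] + ous[::-1])

def group_cns(entry):
    """Security-group names taken from memberOf; OUs never appear here."""
    return [v for g in entry.get("memberOf", []) for a, v in parse_dn(g) if a.upper() == "CN"]

def map_roles(entry, rules):
    """Role mapping as the replies describe it: by group membership only."""
    groups = set(group_cns(entry))
    return [role for group, role in rules if group in groups]

def under_base_dn(dn, base_dn):
    """True if dn lies below base_dn (case-insensitive RDN suffix match)."""
    def norm(d):
        return [(a.strip().lower(), v.strip().lower()) for a, v in parse_dn(d)]
    d, b = norm(dn), norm(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def user_filter(template, username):
    """Expand the auth-server filter template (e.g. samAccountname=<USER>).
    The username is RFC 4515-escaped so it cannot alter the filter structure."""
    esc = (username.replace("\\", "\\5c").replace("*", "\\2a")
                   .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return "(" + template.replace("<USER>", esc) + ")"
```

A rule on ("Networking Department", role) returns nothing for this user, while ("Netdep", role) matches, which is the symptom the OP reported in policy tracing.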