Administrator Authentication Realm based on Group Membership in 9.1R11

SOLVED
michael.l.fusco@jpl.nasa.gov
Occasional Contributor

Administrator Authentication Realm based on Group Membership in 9.1R11

Hello Community,

We read through the manuals and checked the 9.1R11 Administrator Authentication Realms for Role Mapping, and do not see an option for "Group Membership" like we do under User Realms Role Mapping.

Also, when using the Custom Expression, there is no tab for defining the groups.

So has anyone got an Administrator Authentication Realm to use "memberOf" vs. a static list of "is username"?

1 ACCEPTED SOLUTION

Accepted Solutions
michael.l.fusco@jpl.nasa.gov
Occasional Contributor

Re: Administrator Authentication Realm based on Group Membership in 9.1R11

Figured it out:

Admin Realms > Admin RSA > General
Define Directory/Attribute Server to be LDAP

Admin Realms > Admin RSA > Role Mapping

New Rule:

Rule based on: Group Membership (option does not appear unless the above is done)

Add the Group(s) to the PCS,
then define the memberOf rules.




3 REPLIES
tnguyendoit
Contributor

Re: Administrator Authentication Realm based on Group Membership in 9.1R11

[email protected]

Just curious. If you configured your Admin Realm to use LDAP authentication (LDAPS or StartTLS) exclusively, and for whatever reason LDAP stops working or doesn't work correctly, won't you get yourself locked out of the appliance totally?

Or does your use case consist of multiple Admin Realms:

- one Admin Realm which uses the "Administrators" (Local Authentication) Auth Server for super admin / last resort

- and another LDAP-based Admin Realm which uses the LDAP Auth Server for both Authentication and Directory/Attribute and checks for membership in groups whose DNs are defined in the LDAP Auth Server's Server Catalog - Groups?

michael.l.fusco@jpl.nasa.gov
Occasional Contributor

Re: Administrator Authentication Realm based on Group Membership in 9.1R11

Multiple Admin URLs:
One for LDAP(S)-based, which uses LDAP user/pass.
One for backup with local account(s) which rotate passwords every 30 days and are source-based to specific subnets... so think out-of-band.
The multiple admin Realms allow for a variety of back-end AAA services.
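The thread arrives at two things: an admin realm whose Directory/Attribute server is LDAP so that role-mapping rules can be based on group membership (memberOf against group DNs in the Server Catalog), and a second, local-account admin realm restricted to specific source subnets as a break-glass path if LDAP is down. The following is an added example, not code from the thread or from Pulse Connect Secure; it models that arrangement so the behaviour can be reasoned about offline. Every DN, user, subnet and the role names ".Administrators" / ".Read-Only Administrators" are constructed for the example; the directory is a stand-in object, not a real LDAP client. One detail worth seeing: LDAP DNs compare case-insensitively and with whitespace ignored around separators, so the evaluator normalises DNs before matching rather than comparing strings literally.

```python
"""Model of admin-realm role mapping by LDAP group membership plus a
source-restricted local fallback realm (constructed example, not PCS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so 'CN=PCS-Admins, OU=Groups' matches 'cn=pcs-admins,ou=groups'.
    Simplified: does not handle commas escaped inside attribute values."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


@dataclass
class GroupRule:
    """Rule of the form: memberOf is any of <groups> -> assign <roles>."""
    groups: List[str]          # group DNs, as added to the Server Catalog
    roles: List[str]           # admin roles to assign on a match
    stop: bool = False         # stop processing further rules after a match


@dataclass
class LdapRealm:
    """Admin realm whose Directory/Attribute server is LDAP."""
    name: str
    rules: List[GroupRule]

    def map_roles(self, member_of: List[str]) -> List[str]:
        have = {normalize_dn(g) for g in member_of}
        roles: List[str] = []
        for rule in self.rules:
            if any(normalize_dn(g) in have for g in rule.groups):
                roles.extend(r for r in rule.roles if r not in roles)
                if rule.stop:
                    break
        return roles


@dataclass
class LocalRealm:
    """Break-glass realm backed by local accounts, usable only from listed subnets."""
    name: str
    allowed_sources: List[str]
    accounts: Dict[str, List[str]]   # local username -> admin roles

    def map_roles(self, username: str, source_ip: str) -> List[str]:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in self.allowed_sources):
            return []                 # wrong source network: realm is not reachable
        return list(self.accounts.get(username, []))


class Directory:
    """Stand-in for the LDAP server: returns a user's memberOf values, or fails."""
    def __init__(self, entries: Dict[str, List[str]], available: bool = True):
        self.entries = entries
        self.available = available

    def member_of(self, username: str) -> List[str]:
        if not self.available:
            raise ConnectionError("LDAP directory unreachable")
        return self.entries.get(username, [])


def ldap_admin_roles(realm: LdapRealm, directory: Directory, username: str) -> List[str]:
    """Roles granted through the LDAP realm; an LDAP outage yields no roles, i.e. no admin access."""
    try:
        return realm.map_roles(directory.member_of(username))
    except ConnectionError:
        return []


# Constructed sample data (hypothetical DNs, users, roles and subnet).
ADMIN_GROUP = "CN=PCS-Admins,OU=Groups,DC=example,DC=com"
RO_GROUP = "CN=PCS-ReadOnly,OU=Groups,DC=example,DC=com"

DIRECTORY = Directory({
    "alice": [ADMIN_GROUP, "CN=VPN-Users,OU=Groups,DC=example,DC=com"],
    "bob": ["cn=pcs-readonly, ou=groups, dc=example, dc=com"],   # same group, different casing
    "carol": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],        # no admin group at all
})

ADMIN_LDAP = LdapRealm("Admin RSA", [
    GroupRule([ADMIN_GROUP], [".Administrators"], stop=True),
    GroupRule([RO_GROUP], [".Read-Only Administrators"]),
])

ADMIN_LOCAL = LocalRealm("Admin Local", ["10.9.0.0/24"], {"breakglass": [".Administrators"]})

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, ldap_admin_roles(ADMIN_LDAP, DIRECTORY, user))
    print("LDAP down, alice:", ldap_admin_roles(ADMIN_LDAP, Directory({}, available=False), "alice"))
    print("breakglass from 10.9.0.15:", ADMIN_LOCAL.map_roles("breakglass", "10.9.0.15"))
    print("breakglass from 203.0.113.5:", ADMIN_LOCAL.map_roles("breakglass", "203.0.113.5"))
```

The two realms are independent: when the directory is unavailable the LDAP realm grants nothing, and only the local realm, from the permitted subnet, still yields an administrator role, which is the lock-out scenario raised above and the reason for the out-of-band backup URL.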