I understand that I could add an LDAP server, but at that point, I might as well just use it for auth too and not waste my time configuring two servers.

The reason why I thought this may (should) work is because the policy trace shows the attributes/variables coming back the exact same way when I enable "Group search with LDAP" in the AD Server type:

AD Type with Group search with LDAP:

Variable userDN.OU = "OU NAME GOES HERE"

LDAP Server Type:

Variable userDN.OU = "OU NAME GOES HERE"

So the fact that I can't use a custom expression to match on that is a limitation of the software (confirmed by JTAC), not a limitation based on what information I'm getting back from the AD server.  Clearly, if the same data is being displayed in plain text, right in front of me, the software could be written to give the ability to match on it.

Per JTAC, the custom expressions won't match based on how the attributes are stored in the user record.

This is fine though now that I have a clearer understanding.  I don't mind using LDAP.  Plus JTAC informed me that LDAP is the better choice and only to use the AD server type in the following scenarios:

"when you need machine authentication without certificates or trusted domains for user and group lookup"

Thanks!

Thanks!  That would help.  I spent a few hours trying to make it work before I put in a ticket since I assumed I had to have made a mistake somewhere in my config since the traces looked the same, except no match.

Thanks for the feedback, mmartin.

I will discuss this internally to see if we can remove this from the policy trace to avoid the confusion for other customers.

Per JTAC - not supported with AD/NT type servers.  Must be LDAP, but LDAP is the better choice anyway and is more efficient per their advice.

Hi Martin,

userDn.* is an LDAP attribute. with the Ad server instance you can specify a LDAP server for User Directory/Attribute:.

Essentially it would connect to the LDAP auth server instance to fetch any attributes/group membership.

Thanks & Regards,

SVK