I'm trying to role map to an Active Directory group; however, when I try to search for the group, nothing populates in the search results.
From what I am told, we have an SVC account in AD linked to each group, and I think that the permissions within that group are what is causing my problems.
The documentation recommends that you use a "Domain Admin" account so that users can change their password through the SSL box. However, for just pulling groups when establishing role mapping rules, a standard domain user account should work fine.
I use that in one of my test auth server domains with no problems. Here is a link to a Juniper knowledge base writeup on properly defining service accounts for use with the SSL box.
Well, there are a couple of things. Have you defined your AD as Active Directory/Windows NT server or as LDAP? If you have done the AD, then you need to define a computer name so that your appliance can join the Domain using the credentials provided. By default it will try to put itself in the Computers container, and if you are using a non-standard AD OU structure, then the Computers OU might not even be there.
So please tell us which method you are using, AD or LDAP?
Greetings, thank you both for promptly replying; I appreciate the quick response.
To answer your question regarding using NT server or LDAP: we are currently using LDAP.
I looked at the knowledge base and will try what it recommends.
At this point all the other realms map to their respective roles fine; it's just this particular realm that will not map to the role. In the past I had this problem and it was due to the fact that the wrong service account was linked to it.
I did not create the service account and am not really all that savvy when it comes to mapping to AD groups, so I'm steadily fumbling my way through it.
Originally I was hired to do the support for the Exec users and critical staff, and the SA4000 was already set up by one of our network architects. My only issue is that I'm coming in behind something that was already set up and just trying to understand what the original person did, and their naming conventions throw me off.
I will keep this post updated as I come to a conclusion. Thanks again, your feedback is invaluable.
Can you tell us what the settings are in your authentication server definition for the AD? When you look at the server catalog for this server, do you see the groups you expect?
After some toiling around I realized that the root of the problem was that the group that I was trying to role map to in AD had a space. The space was so subtle that I didn't recognize it when I was troubleshooting the issue.
I only realized it when I came back to it the next day with a fresh mindset.
Thank you everyone for your help.
I really appreciate your assistance.
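The root cause found above (a stray space in the AD group name) is easy to catch programmatically; the following is an added example, not code from the thread or from Juniper, that flags whitespace anomalies in group CNs pulled from the directory, shows why a configured name with the space missing finds no exact match, and builds the LDAP filter with RFC 4515 escaping so a legitimate space in a CN is kept intact. The group names (`VPN ...`) are constructed sample data.

```python
import re

# Constructed sample: group CNs as an LDAP search of the directory might return them.
# The first entry carries the kind of subtle trailing space that broke the role mapping.
DIRECTORY_GROUPS = ["VPN Exec Users ", "VPN Critical Staff", "VPN Helpdesk"]


def find_whitespace_anomalies(name):
    """Report whitespace in a group name that a GUI hides but exact matching trips on."""
    issues = []
    if name != name.lstrip():
        issues.append("leading whitespace")
    if name != name.rstrip():
        issues.append("trailing whitespace")
    if re.search(r"\s{2,}", name):
        issues.append("consecutive internal whitespace")
    for ch in name:
        if ch.isspace() and ch != " ":       # tab, NBSP, etc. look like a plain space
            issues.append("non-standard whitespace (U+%04X)" % ord(ch))
            break
    return issues


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3).
    Spaces are NOT metacharacters and pass through unchanged."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_group_filter(cn):
    """Search filter for one group; the CN is escaped, so a space in it survives."""
    return "(&(objectClass=group)(cn=%s))" % escape_filter_value(cn)


def match_group(configured, directory_groups):
    """Return (exact_match, near_matches); a near match differs only in whitespace."""
    if configured in directory_groups:
        return configured, []
    norm = lambda s: re.sub(r"\s+", " ", s).strip()
    near = [g for g in directory_groups if norm(g) == norm(configured)]
    return None, near


if __name__ == "__main__":
    for g in DIRECTORY_GROUPS:
        print(repr(g), find_whitespace_anomalies(g) or "ok")
    exact, near = match_group("VPN Exec Users", DIRECTORY_GROUPS)
    print("exact match:", exact, "| whitespace-only near matches:", near)
    print(build_group_filter("VPN Exec Users "))
```

Running it against a real export of group names (one CN per line) is the quick way to surface the kind of hidden space this thread ended on, without touching the appliance configuration.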