Solved: Re: LDAP role mapping

mkosters_ · ‎02-03-2009

i configured as first authentication Radius.

The second authentication is LDAP.

On the realm the directory/attribute = LDAP

I put into the Authentication server to following settings:

user filter base dn ou=<groupname> DC=<domain name>

filter = saMAccountName=<USER>

filter= cn=<GROUPNAME>

member attribute = member

Search all groups

I make a role mapping based on a LDAP group lets take portalusers

When I log in with a user (who's member of the group portalusers) It works fine.

When I log in with an other user (who is also member of the group portaluser). I got no roles applied.

I test it with only LDAP authentication, then It works fine.

Does anyone seen this before?

When I change the user filter from filter = saMAccountName=<USER> to cn =<USER> I got the same issue

mkosters_ · ‎02-12-2009

Hi Kevin,

The problem was the following. There LDAP is realy **bleep**ed! For some users whe must do a samAccountname and for the other memberOf

What I did, with Juniper Support was to make userattributes

The problem for this was, I didn;t have a userattribute MemberOf.

We made the userattribute and configured custom expressions

With testing for a lot of users and everything works fine

Marcel

View solution in original post

muttbarker_ · ‎02-03-2009

You should use the policy trace feature and the user log to see what is really happening during the login process. Go to "Maintenance / Troubleshooting / User Sessions / Policy Tracing" - enable tracing for the user / realm in question and the login - turn it off and go back and look at the results. You should see exactly what happens.

mkosters_ · ‎02-05-2009

Hi,

When I do a policy trace, I see the user isn't a member of the AD group. But he is a member of that group.......

muttbarker_ · ‎02-05-2009

So - is the "only" role mapping rule you have the one that matches on the rule that is "member of portalusers?" - also are you sure the user is passing the 2nd authentication?

kenlars_ · ‎02-05-2009

Is the user who is being reported as not a member of the group a direct member of the group or a member of a nested group?

mkosters_ · ‎02-08-2009

When I look into the policy trace I see the Juniper tries to do the first username to authenticatie on LDAP. After it, The Juniper tries to authenticate the second username on LDAP. So yes he tries also to authenticate with the second username

The user is a direct member of the goup portalusers

muttbarker_ · ‎02-09-2009

Sent you a private message -

tabooka_ · ‎02-11-2009

I am having exactly the same issue. Did we have a solution to this?

muttbarker_ · ‎02-11-2009

What do your policy traces show? There is no reason that the SA box would work for one user and not for another without some variable, probably in the LDAP entry. Can you post them?

tabooka_ · ‎02-11-2009

So this wasnt an issue of one user can login and another can't it was that if a user is specified "usernam is" LDAP login worked great. But my issue was that I could not specify groups. Anywho, I figured out what the issue was.

Quit simple really.

In role mapping I overlooked the update button. Silly design and silly me really.

So when you creat a new role and click the drop down to select "Rule is based on:" and click "Group Memebership" you have to click update button to view available groups and from there you can create groups. : ' )

As long as your LDAP look ups are working your DN info should populate.