LDAP server catalog need help looking for groups

SOLVED
groque_
Occasional Contributor

Hi all,

I finally got LDAP working with my SA! but now I want to add role mappings to specific groups in Active Directory. For example I have a group VLAN 10 - E access, which is located under CN=user,DC=elab,DC=local.

So I set my Group membership like this
Base DN: DC=elab,DC=local
Filter: CN=<groupname>

Member attribute: blank
Query attribute: blank
Nested Group Level: 0
Nested Group Search: Nested groups in Server catalog is checked.

When I go into my Server Catalog and try to search for a group for matching DNs I get nothing. Is there something I am doing wrong here? I am pretty sure everything is set up accordingly. I installed an LDAP browser and everything looks ok.


Thanks for the responses

firewall72_
Frequent Contributor

Re: LDAP server catalog need help looking for groups

Hi,

How are you searching? I had issues when entering in the full DN. We search on the common group name and that works well. Try searching on "VLAN" to see if groups with VLAN are displayed.

-John

groque_
Occasional Contributor

Re: LDAP server catalog need help looking for groups

Thanks for the advice but unfortunately it didn't work. When I try to do a normal search with my Base DN DC=ELAB,DC=LOCAL and filter CN=* nothing comes up.

My groups are setup as Security -> Global.

I tested it with usernames: for example, I made a username E and mapped it to a group with no Network Connect, and made a user J with Network Connect.

When I log in with the different users the functionality with both work.

Any other suggestions?
muttbarker_
Valued Contributor

Re: LDAP server catalog need help looking for groups

When you did your auth server definition and saved it, you got no errors? Remembered to define the LDAP server as "AD"? If you go to the realm in question, are you using the LDAP auth server for "Directory/Attribute"?

In role mapping, when you define a role using group membership you don't see anything under Available groups, and when you then hit "Groups" and then the search button, are you saying that it returns no values? Or an error message?

groque_
Occasional Contributor

Re: LDAP server catalog need help looking for groups

Hi Kevin,

1. When I saved my auth server definition I get NO errors, I used to get invalid DN and filter errors but after I got an LDAP browser everything was good.
2. LDAP server is defined as AD

3. I am not too sure what you mean by going into the realm in question. Maybe this is what I am doing wrong; can you please elaborate on this step?

4. Under role mapping I don't see anything under available groups, and when I go into my server catalog and search for groups I don't see anything and I don't get any error messages.
muttbarker_
Valued Contributor

Re: LDAP server catalog need help looking for groups

When you set up the realm you have two parts: #1 define the Authentication and the Authorization servers, done on the "General" tab. I was trying to make sure that you defined the authorization server to be the LDAP server. This is the one labeled "Directory/Attribute" on that tab.

You can have separate servers for authentication vs authorization. If you indeed have the LDAP server specified there then another thing to check is on the role mapping tab. Try and define a new role. But instead of selecting group membership, select user attribute and see if you see the various user attributes that should be pulled from your server (i.e. mail, cn, dept.....)

firewall72_
Frequent Contributor

Re: LDAP server catalog need help looking for groups

Hi,

Based on your #4 response, I would double check your DN settings and be sure your Server Catalog is being published before proceeding to Realm and Role mapping settings. Are your groups created at the root of your domain? I find that most times they're organized in their own OU. In the example below, they're in the "users" OU.

Edit your LDAP/AD server:

1. Try adding "CN=users,DC=elab,DC=local" to the "Finding Group Membership DN" (change/remove CN=users accordingly)

2. Filter = cn=<GROUPNAME>

3. Member attribute = member

4. Save changes

5. Open your server again and click the Server Catalog link.

6. Click the search button

7. Add filter, add selected, then add the group

8. Once the group has been added to the Server Catalog, you should be able to proceed to Role Mapping in the Realm.

Let me know how you make out.

-John
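
To make the effect of each of the settings above visible offline, here is an added example that is not from this thread or from the SA product: a small in-memory model of the group lookup (base DN subtree scope, the `cn=<GROUPNAME>` filter, the `member` attribute and the nested group level). The directory entries are constructed sample data and the DN parsing is simplified (it assumes no escaped commas in RDN values).

```python
# Added example, not the appliance's code: models how a group lookup behaves
# under a given Base DN, filter and member attribute. All entries are constructed.

GROUP_DN = "CN=VLAN 10 - E access,CN=Users,DC=elab,DC=local"
DIRECTORY = {  # constructed sample entries: DN -> attributes
    GROUP_DN: {"cn": "VLAN 10 - E access",
               "member": ["CN=E,CN=Users,DC=elab,DC=local",
                          "CN=VLAN admins,CN=Users,DC=elab,DC=local"]},
    "CN=VLAN admins,CN=Users,DC=elab,DC=local": {
        "cn": "VLAN admins", "member": ["CN=J,CN=Users,DC=elab,DC=local"]},
    "CN=E,CN=Users,DC=elab,DC=local": {"cn": "E"},
    "CN=J,CN=Users,DC=elab,DC=local": {"cn": "J"},
}


def _rdns(dn):
    # Simplified DN split (assumes no escaped commas); DNs compare case-insensitively.
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base_dn):
    """Subtree scope: the entry's DN must end with the base DN's RDNs."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def escape_filter_value(value):
    """RFC 4515 escaping so a group name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def find_group(base_dn, group_name):
    """DNs under base_dn whose cn matches, i.e. the filter (cn=<GROUPNAME>).
    A base DN that does not exist (CN=user instead of CN=users) matches nothing."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base_dn)
            and attrs.get("cn", "").lower() == group_name.lower()]


def members(group_dn, member_attr="member", nested_level=0):
    """Read the member attribute; follow groups inside groups up to nested_level."""
    found = set()
    for m in DIRECTORY.get(group_dn, {}).get(member_attr, []):
        found.add(m)
        if nested_level > 0 and member_attr in DIRECTORY.get(m, {}):
            found |= members(m, member_attr, nested_level - 1)
    return found
```

With the original typo `CN=user,DC=elab,DC=local` the lookup returns an empty list rather than an error, which matches the silent empty Server Catalog described in the thread.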

groque_
Occasional Contributor

Re: LDAP server catalog need help looking for groups

Thank you, I misspelled CN=users (I just had CN=user before). Thanks a lot!