cancel
Showing results for 
Search instead for 
Did you mean: 

Moved AD-Groups

Highlighted
Not applicable

Moved AD-Groups

Hi,

 

Because of a reorganisation in our Active Directory, we have to move the Security Groups to another DN (OU).

How can our Juniper Gateway (MAG-2600) learn the new DN of the AD-Groups used with User Roles?

 

Thanks,
Marc

5 REPLIES 5
Highlighted
Super Contributor

Re: Moved AD-Groups

Manually.  When you set up AD auth, you have to manually select the groups to import into the device (or you can select all of them.)  Once you've done this, any new groups created have to be manually imported.   From the new rule window, if you change the rule to "based on group membership" and click Update, you'll see a Groups button, click that and it'll open a window showing you the groups that have already been imported.  if you click on the search button, it will open the group catalog.  This will list all of the groups that it sees in your AD. (so if you do this immediately after group creation, they might not show up due to replication delays, etc).   You can now choose any or all groups to add and click Add Selected.

 

I hope this answers your question.

Highlighted
Respected Contributor

Re: Moved AD-Groups

Or if you are using the LDAP server type, you will need to also update the DN to the new location for lookups & then delete the old references and create new ones
Highlighted
Frequent Contributor

Re: Moved AD-Groups

Hi,

Like marcaem, we are in a process of restructuration our AD/LDAP server. Besides we change the groups we also are changing the usernames. This will be a process of months.

As zanyterp wrote, add the new group and delete the old one is not appropriated to us, because we will have users in both groups.

Let me explain with a simple example.

Today we have the userA in the groupX

DN=userA,OU=Users,OU=Redmond,DC=contoso,DC=com

DN=groupX,OU=Groups,OU=Redmond,DC=contoso,DC=com

This user will be moved in the OU and removed from DN=groupX,OU=Groups,OU=Redmond,DC=contoso,DC=com and added to other groupX:

DN=userA,OU=Users,OU=North,OU=America,DC=contoso,DC=com

DN=groupX,OU=Groups,OU=World,DC=contoso,DC=com

 

So far it seems easy, but when I try to add the new group to the server catalog it complain about the existence of a group with the same name.

In my point of view, the best path is to have role mapping base in group membership of groupXold and groupXnew in order to add and remove groups as the are being created and removed.

As workaround, We've the expressions, but I think there are not so easy to manage neither visually informative about the changes (troubleshooting proposes).

Does anyone know a way to accomplish this?

This will be a process of months, with hundreds of groups and tousands of users.

Thanks in advance for your time.

Regards,

Highlighted
Regular Contributor

Re: Moved AD-Groups

One option could be to make the old "Redmond" group a member of the new "World" group and reconfigure your mapping to use the new group. You will also need to check the Nested Group search option are enabled.

Highlighted
Frequent Contributor

Re: Moved AD-Groups

Thank for your ideia dcvers.

 

From the point of view of technology, yes it is possible, but in practice, will transform the login time from some seconds to almost a minute. This based in my experience because I have a realm which uses nested groups (and just with one groups with tens of nested groups) and its a pain the people login Smiley Sad


Could happen my ldap admins or me have done some misconfiguration.


I would like to ear from the community if this makes sense or not (higher login time with nested groups).