Role Mapping User Role base on Group Membership from AD

Contributor

Hi,

I have configured SA with AD and defined role mapping with group membership.

Details are in the attached file.

The user group can be imported into role mapping, but when I try to log in with a user in that group, a message like this appears: "You are not allowed to login. please contact your administrator."

I don't understand what that means.

Can anyone explain to me how to solve this?

Thank you

21 REPLIES
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

Yes, I use AD/Windows NT for the auth server.

Attached is an example of the LDAP server that I created.

I have a question: in the LDAP settings, for Admin DN, does it have to be configured completely, including DN, CN, OU? Or do I just put administrator or the username in the field?

Thanks

Regards,

Andre
----------------------------------------------------------------------------------------------
JNCIA-FWV | JNCIS-FWV | JNCIS-AC | JNCIS-SSL | JNCIA-JUNOS | JNCIS-ENT | JNCIP-ENT

-Please mark "accept solution" if my post helps you-

Contributor

Re: Role Mapping User Role base on Group Membership from AD

You have to use the distinguishedName.
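
Added example, not part of the thread and not vendor code: a small checker that tells a full distinguishedName apart from the other identifier forms someone might type into an Admin DN field. The function names and the sample DNs are constructed for illustration.

```python
import re

# Attribute type: short name (CN, OU, DC, ...) or dotted OID, per RFC 4514.
_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def split_unescaped(s, sep):
    """Split s on sep, ignoring separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(value):
    """Return [(attr, value), ...] for a distinguished name, or None if not a DN."""
    rdns = []
    for rdn in split_unescaped(value.strip(), ","):
        attr, eq, val = rdn.strip().partition("=")
        if not eq or not _ATTR.match(attr.strip()) or not val.strip():
            return None
        rdns.append((attr.strip().upper(), val.strip()))
    return rdns or None

def classify_admin_dn(value):
    """Say what kind of identifier was typed into an 'Admin DN' field."""
    rdns = parse_dn(value)
    if rdns:
        # A full AD distinguishedName ends in the domain components (DC=...).
        return "distinguishedName" if rdns[-1][0] == "DC" else "partial DN (no DC= suffix)"
    if "\\" in value:
        return "down-level name (DOMAIN\\user)"
    if "@" in value:
        return "userPrincipalName"
    return "bare username"

# Constructed sample: a service account in a made-up example.test domain.
print(classify_admin_dn("CN=svc-ldap,OU=Service Accounts,DC=example,DC=test"))
```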

Valued Contributor

Re: Role Mapping User Role base on Group Membership from AD

What does the user log say? Have you enabled a policy trace? That will show you what is happening under the covers with the communications between the SA box and the AD server.

Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

Attached is the log:

What does that mean?

Occasional Contributor

Re: Role Mapping User Role base on Group Membership from AD

Start a policy trace (Troubleshooting -> User Sessions -> Policy Tracing) and post the output. Use at least the following options:

- Pre-Authentication
- Authentication
- Role Mapping

Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

Attached is the log from policy tracing.

Could you explain what the cause is?

Thanks

Valued Contributor

Re: Role Mapping User Role base on Group Membership from AD

Well what the log and policy trace are both showing is that you do not have a match between the group that you have defined (SecureAccess1) and the AD settings for the user. The message you are seeing in the trace "no match on rule" reflects that fact.

Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

If I'm using role mapping by username (auth server with AD), it succeeds: the user can log in to SA.

But when using role mapping by group, that's the problem: the user cannot log in to SA.

You said that there's a mismatch between the group and the AD settings for the user. I know there's a mismatch, but I still don't understand how to solve this.

Is it a misconfiguration in AD or in SA? Where should I start to check this, in SA or AD?

Hope you can give me a way to solve this.

Thanks

New Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

I am also facing the same issue. Please try to recreate the AD authentication server.

Thanks