Hi. I'm currently doing a modified version of mapping roles by group membership by using a custom LDAP expression instead. This limits what the SSL VPN is looking for and basically takes it easy(ier?) on the AD server (and its admins!).
Everything works great so far, but now I want to set up an 'everyone else' role for users that authenticate to the AD, yet don't match one of the specific roles. The Custom Expression match doesn't have a "not" option like the username match does. Any suggestions on how I can go about this?
Thanks!
Never tested this, but can't you just change the = statement to != maybe ?
Dennis
Brilliant! I was definitely thinking too complex... But while that should work, it doesn't appear to be working correctly. My main goal is to have everyone get this 'catch all' role except for users that match to a particular 'web only' type of access role because I don't want them to get Network Connect. So I created two new expressions to negate the ones that match to those users. The expressions look like this:
ntdomain != "domain1"
ntdomain != "domain2"
But when I made adjustments to it this morning and refreshed the roles for the realm, everyone was assigned this 'catch all' role, including the ones that I don't want to get it. Or should I be waiting for someone to re-login to see how the new role mapping actually plays out?
I think the issue is your logic. If you create two expressions -
ntdomain != "domain1"
ntdomain != "domain2"
and then use both those in the role mapping configuration, then all users will match one or both of those expressions. The users in "domain1" will match the second expression and the users in "domain2" will match the first expression. Try a single expression -
(ntdomain != "domain1") AND (ntdomain != "domain2")
Ken
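The behaviour described in the two posts above (two separate `!=` rules handing the catch-all role to everyone, versus one combined expression excluding both domains) can be checked offline with a small simulator. This is an added example, not code from the original thread or from the SSL VPN product: it assumes, as the posts do, that each role-mapping rule is evaluated independently and a user collects the role of every rule whose expression is true (i.e. multiple rules for the same role are ORed). Expressions are modelled as Python callables rather than the appliance's own custom-expression syntax, and the user records are constructed sample data. The `everyone_else` helper generalises the fix: it builds the "everyone else" rule as NOT (any specific-role expression), which is what the single ANDed `!=` expression is a special case of.

```python
# Added example: simulate SSL VPN realm role mapping to show why two
# separate "!=" rules match everyone while one ANDed expression does not.
# Assumption (from the thread): rules are evaluated independently and a user
# receives the role of every rule whose expression evaluates true.

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    ntdomain: str


# Constructed sample users; domain1/domain2 are the "web only" populations.
USERS = [
    User("alice", "domain1"),
    User("bob", "domain2"),
    User("carol", "domain3"),
    User("dave", "corp"),
]

# Specific-role rules: the expressions that select the web-only users.
WEB_ONLY_EXPRESSIONS = [
    lambda u: u.ntdomain == "domain1",
    lambda u: u.ntdomain == "domain2",
]


def evaluate_rules(rules, users):
    """Return {user name: set of roles}. Each rule is (expression, role)."""
    assignments = {u.name: set() for u in users}
    for expr, role in rules:
        for u in users:
            if expr(u):
                assignments[u.name].add(role)
    return assignments


def everyone_else(specific_expressions):
    """Build the 'everyone else' expression: true only when none of the
    specific-role expressions match (De Morgan of the ORed specifics)."""
    return lambda u: not any(expr(u) for expr in specific_expressions)


# Configuration 1 (what the OP tried): two separate "!=" rules for Catch-All.
SEPARATE_RULES = [
    (lambda u: u.ntdomain != "domain1", "Catch-All"),
    (lambda u: u.ntdomain != "domain2", "Catch-All"),
]

# Configuration 2 (Ken's fix): one ANDed expression.
COMBINED_RULES = [
    (lambda u: u.ntdomain != "domain1" and u.ntdomain != "domain2", "Catch-All"),
]

# Configuration 3: the same fix derived mechanically from the positive rules.
DERIVED_RULES = [(everyone_else(WEB_ONLY_EXPRESSIONS), "Catch-All")]


def catch_all_members(rules, users=USERS):
    """Names of users that end up holding Catch-All under the given rules."""
    result = evaluate_rules(rules, users)
    return sorted(name for name, roles in result.items() if "Catch-All" in roles)


def full_mapping(users=USERS):
    """Web-only rules plus the derived catch-all: every user gets exactly one role."""
    rules = [(expr, "Web-Only") for expr in WEB_ONLY_EXPRESSIONS] + DERIVED_RULES
    return {name: sorted(roles) for name, roles in evaluate_rules(rules, users).items()}


if __name__ == "__main__":
    print("separate != rules :", catch_all_members(SEPARATE_RULES))
    print("single AND rule   :", catch_all_members(COMBINED_RULES))
    print("derived NOT(any)  :", catch_all_members(DERIVED_RULES))
    print("full mapping      :", full_mapping())
```

Running it shows the separate rules assign Catch-All to all four users (alice fails the first rule but passes the second, and vice versa for bob), while the combined and derived rules assign it only to carol and dave. Keeping the negative rule derived from the positive ones, as `everyone_else` does, also avoids the two lists drifting apart when another web-only domain is added later.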
Absolutely agree about the policy tracing. It really helped me out a TON when I was first setting up this device last year. Unfortunately for this issue, I never know when (or who) someone is going to try to log in in order to set up the trace, plus they're overseas so we have a time difference issue going on as well.
But all's good now. Thanks again!