
Role mapping AD groups without referencing distinguished names

Guido39_
New Contributor

Role mapping AD groups without referencing distinguished names

I currently have about 30 role mappings and I need to move the AD groups that are referenced to another OU. I know how to update the groups manually but to prevent having to go through all that again someday, I would like to reference AD groups without depending on the distinguished name. I logged a case with Juniper and have one possible way to do this but there must be a better way.

They had me use the attribute memberOf and I then figured out how to use wildcards. So instead of memberOf=CN=VPN-Test,OU=Groups-VPN,DC=test,DC=org, I did memberOf=*VPN-Test* and it worked. But when doing a policy trace, the memberOf attribute contains all the groups the user is a member of so I'm not sure how well that will work with multiple groups.

For the auth server, I have the following set up by default. Is there something I can change here that would make this easier?

Base DN: dc=test,dc=org
Filter: cn=<GROUPNAME>
Member Attribute: member

Reverse group search: Unchecked

Query Attribute:
Nested Group Level: 0
Nested Group Search: Nested groups in Server Catalog

I thought about changing to memberOf and checking Reverse group search but I would check here first before wasting more time. I'm not sure, if I do that, how the role mappings will need to be set up.
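To make the over-matching concern concrete, here is an added illustration (not code from this thread or from Juniper) that simulates a `*` wildcard rule against a constructed memberOf list and contrasts it with an exact-CN comparison; the glob semantics and case-insensitive comparison are assumptions about how the rule engine evaluates `memberOf=*VPN-Test*`.

```python
import fnmatch
import re

# Constructed sample: the memberOf values a policy trace might show for one user.
SAMPLE_MEMBER_OF = [
    "CN=VPN-Test,OU=Groups-VPN,DC=test,DC=org",
    "CN=VPN-Test-Admins,OU=Groups-VPN,DC=test,DC=org",
    "CN=Old-VPN-Test,OU=Retired,DC=test,DC=org",
    "CN=Domain Users,CN=Users,DC=test,DC=org",
]


def wildcard_matches(member_of, pattern):
    """Return the memberOf values a '*' glob pattern would accept.

    Assumption: the rule engine treats '*' as 'any characters' and compares
    case-insensitively, which is what '*VPN-Test*' matching suggests.
    """
    pattern = pattern.lower()
    return [dn for dn in member_of if fnmatch.fnmatchcase(dn.lower(), pattern)]


def rdn_cn(dn):
    """Extract the leading CN of a DN, honouring backslash-escaped commas."""
    m = re.match(r"CN=((?:\\.|[^,])*)", dn, re.IGNORECASE)
    return m.group(1).replace("\\,", ",") if m else None


def is_member_of_group(member_of, group_cn):
    """Exact CN comparison: independent of the OU the group lives in, yet
    immune to the over-matching a bare '*name*' wildcard allows."""
    return any((rdn_cn(dn) or "").lower() == group_cn.lower() for dn in member_of)


if __name__ == "__main__":
    # '*VPN-Test*' also grants the role to members of VPN-Test-Admins and
    # Old-VPN-Test; anchoring on 'CN=VPN-Test,' or comparing the CN does not.
    print(wildcard_matches(SAMPLE_MEMBER_OF, "*VPN-Test*"))
    print(wildcard_matches(SAMPLE_MEMBER_OF, "CN=VPN-Test,*"))
    print(is_member_of_group(SAMPLE_MEMBER_OF, "VPN-Test"))
```

Running the wildcard you intend to use against a real policy trace this way shows at once which extra groups it would silently pull into the role.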

stine_
Super Contributor

Re: Role mapping AD groups without referencing distinguished names

If it were me, I would export the role mapping rules in XML, and make the changes there.

zanyterp_
Respected Contributor

Re: Role mapping AD groups without referencing distinguished names

If the groups move on the AD server, the references will need to be rebuilt by changing the server to the new location for groups and selecting the groups again on the role mapping page.

stine_
Super Contributor

Re: Role mapping AD groups without referencing distinguished names

Isn't that only required so that the name stored in the IVE corresponds to the correct SID on the AD? I thought that the role-mapping rules used simply the domain name and group name, not the SID to assign users to groups.

Obviously the IVE has to be looking at the right group name.

I'd be interested to hear how your AD admins are going to propagate the group change across the rest of their resources.