I currently have about 30 role mappings and I need to move the AD groups that are referenced to another OU. I know how to update the groups manually but to prevent having to go through all that again someday, I would like to reference AD groups without depending on the distinguished name. I logged a case with Juniper and have one possible way to do this but there must be a better way.
They had me use the attribute memberOf and I then figured out how to use wildcards. So instead of memberOf=CN=VPN-Test,OU=Groups-VPN,DC=test,DC=org, I did memberOf=*VPN-Test* and it worked. But when doing a policy trace, the memberOf attribute contains all the groups the user is a member of so I'm not sure how well that will work with multiple groups.
For the auth server, I have the following setup by default. Is there something I can change here that would make this easier?
Base DN: dc=test,dc=org
Filter: cn=<GROUPNAME>
Member Attribute: member
Reverse group search: Unchecked
Query Attribute:
Nested Group Level: 0
Nested Group Search: Nested groups in Server Catalog
I thought about changing to memberOf and checking Reverse group search, but I would check here first before wasting more time. I'm not sure, if I do that, how the role mappings will need to be set up.
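As an added example (not from this thread and not Juniper's own matching code), the Python below emulates the two matching styles against a constructed policy-trace memberOf list: a bare wildcard such as memberOf=*VPN-Test* matches every group DN that merely contains the text, while matching only on the group's CN (the first RDN) stays exact and still survives a move to another OU. The DNs, function names and the RFC 4514-style comma escaping handled by the parser are assumptions for illustration.

```python
# Constructed sample: the memberOf values a policy trace might list for one user.
USER_MEMBER_OF = [
    "CN=VPN-Test,OU=Groups-VPN,DC=test,DC=org",          # the intended group
    "CN=VPN-Test-Admins,OU=Groups-VPN,DC=test,DC=org",   # contains the text, different group
    "CN=Legacy-VPN-Test,OU=Old,DC=test,DC=org",          # contains the text, different group
    "CN=Staff,OU=Groups,DC=test,DC=org",
    "CN=Sales\\, EMEA,OU=Groups,DC=test,DC=org",         # CN with an escaped comma
]


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape sequence intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def substring_match(text, member_of):
    """Emulate memberOf=*text*: any DN containing the text counts as a hit."""
    return [dn for dn in member_of if text.lower() in dn.lower()]


def cn_match(group_cn, member_of):
    """Match the group's CN only, so the OU path is irrelevant and
    CN=VPN-Test-Admins does not satisfy a rule written for VPN-Test."""
    hits = []
    for dn in member_of:
        attr, _, value = split_rdns(dn)[0].partition("=")
        if attr.strip().lower() == "cn" and value.strip().lower() == group_cn.lower():
            hits.append(dn)
    return hits


if __name__ == "__main__":
    print("wildcard hits:", substring_match("VPN-Test", USER_MEMBER_OF))   # 3 groups
    print("CN hits:      ", cn_match("VPN-Test", USER_MEMBER_OF))          # 1 group
```

Run as-is to see the wildcard rule pick up three groups where the CN rule picks up exactly one; the same CN rule still matches after the group's DN changes OU.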
If it were me, I would export the role mapping rules in XML, and make the changes there.
If the groups move on the AD server, the references will need to be rebuilt by changing the server to the new location for groups and selecting the groups again on the role mapping page.
Isn't that only required so that the name stored in the IVE corresponds to the correct SID on the AD? I thought that the role-mapping rules used simply the domain name and group name, not the SID to assign users to groups.
Obviously the IVE has to be looking at the right group name.
I'd be interested to hear how your AD admins are going to propagate the group change across the rest of their resources.