SA-2000 can't find AD groups for roles

SOLVED
JimPhelps_
Occasional Contributor

SA-2000 can't find AD groups for roles

SA-2000, running 6.4R1.

Going to User Realms --> Internal --> Role Mapping. I then click on "group is" for my role, and then on the Groups button under Available groups (i.e. to add a new one).

I've had no problem adding groups in the past, but our developers have just buried some new groups pretty far down in the AD hierarchy. I'm now getting an error message when I try to add the new group, stating "Group "{group name}" not found."

Here's my question - is there a limit on the full path link to the group I'm trying to add? Here's an example of one I try to add, and getting the error:

CN=App_SalesHQ_SchuffInternational_Clerk,OU=SchuffInternational,OU=SchuffApplications,DC=schuff,DC=com

This is 102 characters - is there some limit below this, perhaps?

1 ACCEPTED SOLUTION
muttbarker_
Valued Contributor

Re: SA-2000 can't find AD groups for roles

Hey Jim - I just did a quick test. I created a multi OU long groupname -

CN=EvenLongerAndLongerandLongerVeryVeryLongGroupName1,OU=OUNested3,OU=OUNested2,OU=OUNested1,OU=OUNe...

This has 3 OU's within the base container and then one very long group name - about 125 characters in length - no problem retrieving this during role mapping lookup.

One other thing occurred to me - did you check your Auth_Server settings - the nested group level setting?

Also have you tried running a packet capture to see if the problem is with the SA box or maybe with the AD box? You should see a "searchRequest" for the whole subtree and then a series of "searchResEntry" packets containing the returned groups. My very long group shows up just fine.

Message Edited by muttbarker on 06-22-2009 11:59 AM
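As an added example that is not part of the thread or of Kevin's test, the two checks suggested above modelled offline in Python: whether a group DN sits under the base DN that the appliance searches with subtree scope (what the "searchRequest" in the capture covers), and how a nested group level limit decides whether membership that passes through an intermediate group is resolved. The group DNs are the ones quoted in the thread; the user, the intermediate group, the base DN and the DIRECTORY table are constructed stand-ins for Active Directory, not a live LDAP query.

```python
"""Offline model of two LDAP-side checks for the role-mapping group lookup:
subtree containment from the search base, and nested-group depth limits.
DIRECTORY is a constructed in-memory stand-in for AD (added example)."""

import re

BASE_DN = "DC=schuff,DC=com"  # assumed search base for the demo

# Group DNs quoted in the thread.
GROUP_102 = ("CN=App_SalesHQ_SchuffInternational_Clerk,OU=SchuffInternational,"
             "OU=SchuffApplications,DC=schuff,DC=com")
GROUP_110 = ("CN=App_SalesHQ_Atlantic_SalesManager,OU=Atlantic,"
             "OU=SchuffInternational,OU=SchuffApplications,DC=schuff,DC=com")

# Constructed objects: a user who reaches the Atlantic group only through an
# intermediate group, i.e. two nesting levels deep.
USER_DN = "CN=jphelps,OU=Users,DC=schuff,DC=com"
STAFF_DN = ("CN=App_SalesHQ_Atlantic_Staff,OU=Atlantic,"
            "OU=SchuffInternational,OU=SchuffApplications,DC=schuff,DC=com")

# DN -> direct memberOf values (constructed).
DIRECTORY = {
    USER_DN: [STAFF_DN],
    STAFF_DN: [GROUP_110],
    GROUP_110: [],
    GROUP_102: [],
}


def parse_dn(dn):
    """Split a DN into (type, value) RDN pairs; a backslash-escaped comma
    inside a value (e.g. "CN=Smith\\, John") does not split the RDN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def dn_in_subtree(dn, base):
    """True if dn is base itself or lies beneath it, which is what an LDAP
    search with scope 'sub' issued from base can return."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def ou_depth(dn, base):
    """Count OU containers between the leaf object and the search base."""
    d, b = parse_dn(dn), parse_dn(base)
    return sum(1 for typ, _ in d[1:len(d) - len(b)] if typ == "ou")


def resolve_groups(directory, start_dn, max_levels):
    """Follow memberOf links breadth-first for at most max_levels hops and
    return every group DN reached. With max_levels=1 only direct groups are
    found; a group reached through one intermediate group needs 2."""
    found, frontier = set(), [start_dn]
    for _ in range(max_levels):
        nxt = []
        for dn in frontier:
            for group in directory.get(dn, []):
                if group not in found:
                    found.add(group)
                    nxt.append(group)
        frontier = nxt
        if not frontier:
            break
    return found


if __name__ == "__main__":
    for g in (GROUP_102, GROUP_110):
        print(f"{len(g):>3} chars, {ou_depth(g, BASE_DN)} OUs deep, "
              f"under {BASE_DN}: {dn_in_subtree(g, BASE_DN)}")
    for level in (1, 2):
        hit = GROUP_110 in resolve_groups(DIRECTORY, USER_DN, level)
        print(f"nested group level {level}: Atlantic SalesManager found = {hit}")
```

Neither DN length nor OU depth changes the outcome of the subtree check; what matters is that the group's DN ends in the configured base, and that the nesting limit is at least as large as the number of group hops between the user and the role's group.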

5 REPLIES
JimPhelps_
Occasional Contributor

Re: SA-2000 can't find AD groups for roles

Whoops, the example above is the one that did work, at 102 characters. Here's one that didn't work:

CN=App_SalesHQ_Atlantic_SalesManager,OU=Atlantic,OU=SchuffInternational,OU=SchuffApplications,DC=schuff,DC=com

That's 110.

I note that it's wrapping the text - please note that there are no spaces in the path.

muttbarker_
Valued Contributor

Re: SA-2000 can't find AD groups for roles

Jim - there may be some limit but I have one string that is 125 characters in length and was able to search my domain and bring it in with no problem. Are you using AD or LDAP for your attribute lookup?
JimPhelps_
Occasional Contributor

Re: SA-2000 can't find AD groups for roles

Thanks Kevin, I appreciate the response. We're using LDAP for the lookup.

Now I'm wondering if it's the depth of the lookup - for example how many objects it has to look in (e.g. my domain/SchuffApplications/SchuffInternational/Atlantic/Albany).

Anyone know?

JimPhelps_
Occasional Contributor

Re: SA-2000 can't find AD groups for roles

Thanks for all the help Kevin, your last email got me to the right place. When looking in the Auth. Servers, my LDAP server type was set to "Generic", rather than AD. I switched it, and it appears to be able to find the groups without problem now.