I have set up our SA4500 to check AD group membership for role mapping and it is working a treat.
I set up the AD groups, searched for them under Server Catalog, and they show up and I add them in.
However, we have now created some new AD groups but they are not showing up when doing an LDAP search.
The account has been given Domain Admin privileges, but it appears it cannot see large chunks of our AD.
Has anyone come across an issue like this when doing LDAP lookups on the SA4500?
Running Windows 2008, single domain.
Only need a read-only account. If cross-domain, the groups need to be Universal groups.
First, make a process account that is NOT a domain admin ... just a domain user or less.
My guess is that you have the base DN set up to limit where it is searching. Another possibility is the filter has some limit in it.
Check the configuration against these:
> Set up your Auth server as an LDAP server
> if your domain controllers have LDAP certs, use LDAP port 636
> enter at least two DCs (if you don't have any LDAP load balancing)
> set the LDAP server type to AD
> enter username and password for your account (you may need to use LDAP format for the CN)
> base dn: CN=yourdomain,CN=com (or use .local or whatever your domain has for the domain suffix)
> filter: samAccountName=<USER> or CN=<USER>
> basedn: dc=yourdomain,dc=com (this searches the entire directory)
> another basedn: cn=users,dc=yourdomain,dc=com (this searches just the users container)
> another basedn: ou=SomeOU,dc=yourdomain,dc=com (this searches just an ou named SomeOU)
> filter: cn=<GROUPNAME>
> Member Attribute: memberOf
> check reverse group search
> query Attribute: <memberURL>
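As an added illustration of the base DN point made in the reply above (this is not code from the thread or from the SA4500 itself), the following Python models a tiny constructed directory for an assumed domain "yourdomain.com" and shows why a group search scoped to cn=users,dc=yourdomain,dc=com cannot see a new group created under an OU such as ou=Groups, while dc=yourdomain,dc=com finds it. It also renders the cn=<GROUPNAME> / samAccountName=<USER> filter templates with RFC 4515 escaping, so a group or user name containing *, ( or ) cannot change the meaning of the filter, and performs the "reverse group search" via memberOf restricted to the same base. All entry names and DNs are made up for the example.

```python
import re

# Constructed sample directory (DN -> attributes) for the assumed domain
# yourdomain.com. None of these entries are real.
SAMPLE_DIRECTORY = {
    "CN=alice,CN=Users,DC=yourdomain,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "memberOf": [
            "CN=VPN-Users,OU=Groups,DC=yourdomain,DC=com",
            "CN=Legacy-Users,CN=Users,DC=yourdomain,DC=com",
        ],
    },
    # An older group that lives inside the default Users container.
    "CN=Legacy-Users,CN=Users,DC=yourdomain,DC=com": {
        "objectClass": ["group"],
        "cn": ["Legacy-Users"],
        "member": ["CN=alice,CN=Users,DC=yourdomain,DC=com"],
    },
    # A newly created group placed in an OU outside the Users container:
    # invisible to a search whose base DN is cn=users,dc=yourdomain,dc=com.
    "CN=VPN-Users,OU=Groups,DC=yourdomain,DC=com": {
        "objectClass": ["group"],
        "cn": ["VPN-Users"],
        "member": ["CN=alice,CN=Users,DC=yourdomain,DC=com"],
    },
}

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, placeholder: str, value: str) -> str:
    """Fill a template such as 'cn=<GROUPNAME>' with an escaped value."""
    return "(" + template.replace(placeholder, escape_filter_value(value)) + ")"


def dn_components(dn: str) -> list:
    """Split a DN on unescaped commas; AD DNs compare case-insensitively."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is the base DN itself or lies anywhere beneath it."""
    base, comps = dn_components(base_dn), dn_components(dn)
    return len(comps) >= len(base) and comps[-len(base):] == base


def search(directory: dict, base_dn: str, attr: str, value: str) -> list:
    """Subtree search: DNs under base_dn whose attr equals value (case-insensitive)."""
    hits = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn):
            continue
        for name, values in attrs.items():
            if name.lower() == attr.lower() and any(v.lower() == value.lower() for v in values):
                hits.append(dn)
    return sorted(hits)


def reverse_group_search(directory: dict, base_dn: str, user_dn: str) -> list:
    """Groups the user belongs to via memberOf, limited to the configured base DN."""
    groups = directory.get(user_dn, {}).get("memberOf", [])
    return sorted(g for g in groups if in_subtree(g, base_dn))


if __name__ == "__main__":
    whole_domain = "dc=yourdomain,dc=com"
    users_only = "cn=users,dc=yourdomain,dc=com"
    print(render_filter("cn=<GROUPNAME>", "<GROUPNAME>", "VPN-Users"))
    print("whole domain:", search(SAMPLE_DIRECTORY, whole_domain, "cn", "VPN-Users"))
    print("users container:", search(SAMPLE_DIRECTORY, users_only, "cn", "VPN-Users"))
    alice = "CN=alice,CN=Users,DC=yourdomain,DC=com"
    print("reverse (users only):", reverse_group_search(SAMPLE_DIRECTORY, users_only, alice))
```

Running the script shows the new group found only under the domain-wide base, and the reverse group search returning only Legacy-Users when the base is narrowed to the Users container, which is the symptom described in the original question.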