SA4500 not seeing all of AD during an LDAP lookup

rnperki_
Occasional Contributor


I have set up our SA4500 to check AD group membership for role mapping and it is working a treat.

I set up the AD groups, searched for them under Server Catalog, and they show up and I add them in.

However, we have now created some new AD groups, but they are not showing up when doing an LDAP search.

The account has been given Domain Admin privileges, yet it appears it cannot see large chunks of our AD.

Has anyone come across an issue like this when doing an LDAP lookup on the SA4500?

Running Windows 2008 single domain.

Thanks

Roger

3 REPLIES
zanyterp_
Respected Contributor

Re: SA4500 not seeing all of AD during an LDAP lookup

Are you using an LDAP or AD/NT server type? Are these security groups?
RexPGP_
Frequent Contributor

Re: SA4500 not seeing all of AD during an LDAP lookup

You only need a read-only account. If cross-domain, they need to be Universal groups.

mjb_
Occasional Contributor

Re: SA4500 not seeing all of AD during an LDAP lookup

First, make a process account that is NOT a domain admin ... just a domain user or less.

My guess is that you have the base DN set up to limit where it is searching. Another possibility is the filter has some limit in it.

Check the configuration against these:

> Set up your Auth server as an LDAP server

> if your domain controllers have LDAP certs, use LDAP port 636

> enter at least two DCs (if you don't have any LDAP load balancing)

> set the LDAP server type to AD

> enter username and password for your account (you may need to use LDAP format for the CN)

> base dn:

CN=yourdomain,CN=com (or use .local or whatever your domain has for the domain suffix)

> filter: samAccountName=<USER> or CN=<USER>

> basedn: dc=yourdomain,dc=com (this searches the entire directory)

> another basedn: cn=users,dc=yourdomain,dc=com (this searches just the users container)

> another basedn: ou=SomeOU,dc=yourdomain,dc=com (this searches just an ou named SomeOU)

> filter: cn=<GROUPNAME>

> Member Attribute: memberOf

> check reverse group search

> query Attribute: <memberURL>
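To illustrate the base DN point made above (a base DN of cn=users,... only sees the Users container, while dc=yourdomain,dc=com sees the whole directory), here is an added example that is not from this thread or from the SA4500 itself: a small Python model of LDAP subtree scoping plus the reverse group search, run over constructed sample entries. The directory contents, the function names and the simplified single-equality filter are all assumptions of this example.

```python
# Added example: a toy in-memory LDAP subtree search showing why the base DN,
# not the account's privileges, decides which AD groups the appliance can see.
# All entries are constructed sample data; names are this example's own.
SAMPLE_DIRECTORY = [
    {"dn": "cn=Roger,cn=Users,dc=yourdomain,dc=com", "objectclass": "user",
     "cn": "Roger", "samaccountname": "roger",
     "memberof": ["cn=VPN-Users,cn=Users,dc=yourdomain,dc=com",
                  "cn=VPN-Admins,ou=NewGroups,dc=yourdomain,dc=com"]},
    {"dn": "cn=VPN-Users,cn=Users,dc=yourdomain,dc=com",
     "objectclass": "group", "cn": "VPN-Users"},
    {"dn": "cn=VPN-Admins,ou=NewGroups,dc=yourdomain,dc=com",   # new group, new OU
     "objectclass": "group", "cn": "VPN-Admins"},
]

def dn_components(dn):
    """Split a DN into normalised RDNs, most specific first."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base DN itself or sits anywhere beneath it."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def search(directory, base_dn, ldap_filter):
    """Subtree search with one equality filter such as 'cn=<GROUPNAME>'.
    Entries outside base_dn are never returned, whatever the filter says."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    attr, value = attr.strip().lower(), value.strip().lower()
    hits = []
    for entry in directory:
        vals = entry.get(attr, [])
        vals = [vals] if isinstance(vals, str) else vals
        if in_subtree(entry["dn"], base_dn) and any(v.lower() == value for v in vals):
            hits.append(entry["dn"])
    return hits

def visible_groups(directory, base_dn, username):
    """Reverse group search: read the user's memberOf, then keep only groups
    that a cn=<GROUPNAME> lookup under the same base DN can resolve."""
    groups = []
    for user_dn in search(directory, base_dn, f"samaccountname={username}"):
        user = next(e for e in directory if e["dn"] == user_dn)
        for group_dn in user.get("memberof", []):
            group_cn = dn_components(group_dn)[0].split("=", 1)[1]
            if search(directory, base_dn, f"cn={group_cn}"):
                groups.append(group_dn)
    return sorted(groups)

if __name__ == "__main__":
    for base in ("cn=Users,dc=yourdomain,dc=com", "dc=yourdomain,dc=com"):
        print(base, "->", visible_groups(SAMPLE_DIRECTORY, base, "roger"))
```

With the narrow base DN the user still resolves, but the group created under the new OU silently drops out of the reverse group search; widening the base DN to the domain root brings it back.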