I have an AD group (AD_Large_group) based on which I have role mapping. It works well for all its members, however I now added a subgroup (AD_Small_group) within the large group.
Whenever someone from the subgroup tries to connect there's no role mapping. In user access it says "no roles" although there's a role map for the large group which contains the small one. In policy trace it tells me that there's no match on the role mapping policy. I also tried adding Large group or Small group in the rule, but I get the exact same results.
Is it actually possible to do role mapping this way? Can the SA check rule matching based on subgroups?
Yes, it is possible.
Can you please attach a screenshot of your configs on your LDAP server and role mapping if possible?
Also, can you take a TCP Dump from the SA while a user tries to authenticate?
We may be missing the member attribute value along with the search method.
Thank you, you were right. I realized my SA wasn't looking in nested groups. Thank you for making me check the LDAP conf.
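To show the failure mode the thread describes, here is an added example (not from the original posts or from any vendor's product) that contrasts a flat `member` lookup with a transitive one over constructed, AD-style directory data. Only the group names AD_Large_group and AD_Small_group come from the thread; the DNs, user names and role name are placeholders. The `nested_filter` helper shows the equivalent server-side Active Directory filter using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which lets the domain controller perform the nested walk instead of the client.

```python
"""Flat vs. nested group membership resolution for role mapping.

Constructed sample data; the DNs below are placeholders, not real directory
entries. Only the group names AD_Large_group and AD_Small_group are taken
from the thread.
"""
from collections import deque

# Constructed AD-style data: group DN -> its direct 'member' values.
DIRECTORY = {
    "CN=AD_Large_group,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=AD_Small_group,OU=Groups,DC=example,DC=com",  # nested group
    ],
    "CN=AD_Small_group,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
    ],
}

# Role mapping rule as described in the thread: one role for the large group.
ROLE_MAP = {"CN=AD_Large_group,OU=Groups,DC=example,DC=com": "VPN-Users"}


def direct_members(group_dn):
    """Direct 'member' values of a group (empty for unknown DNs / users)."""
    return DIRECTORY.get(group_dn, [])


def is_direct_member(user_dn, group_dn):
    """Flat check: what a non-nested 'member' lookup does. Misses bob."""
    return user_dn in direct_members(group_dn)


def is_nested_member(user_dn, group_dn, max_depth=32):
    """Transitive check: follow member -> group -> member chains breadth-first.

    A visited set prevents loops on circular nesting; the depth cap is a
    defensive bound against pathological group trees.
    """
    seen = set()
    queue = deque([(group_dn, 0)])
    while queue:
        current, depth = queue.popleft()
        if current in seen or depth > max_depth:
            continue
        seen.add(current)
        for member in direct_members(current):
            if member == user_dn:
                return True
            if member in DIRECTORY:  # member is itself a group: descend
                queue.append((member, depth + 1))
    return False


def roles_for(user_dn, nested):
    """Roles a user receives under a flat or a nested membership check."""
    check = is_nested_member if nested else is_direct_member
    return sorted(role for grp, role in ROLE_MAP.items() if check(user_dn, grp))


def nested_filter(group_dn):
    """AD server-side equivalent: LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) makes the DC resolve nesting for us."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={group_dn})"


if __name__ == "__main__":
    bob = "CN=bob,OU=Users,DC=example,DC=com"
    print("flat  :", roles_for(bob, nested=False))  # []
    print("nested:", roles_for(bob, nested=True))   # ['VPN-Users']
    print(nested_filter("CN=AD_Large_group,OU=Groups,DC=example,DC=com"))
```

The flat check reproduces the "no roles" result from the thread for a user who is only in the subgroup, while the transitive check (or the matching-rule filter evaluated on the domain controller) maps the same user to the role. The visited set matters in real directories, where groups can be nested circularly.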