sa6500 - role mapping based on LDAP group when the user is in a sub-group

spanudiez_
Occasional Contributor

Hello,

I have an AD group (AD_Large_group) on which I have based a role mapping. It works well for all its members; however, I have now added a subgroup (AD_Small_group) within the large group.

Whenever someone from the subgroup tries to connect, there's no role mapping. In User Access it says "no roles", although there is a role map for the large group, which contains the small one. In the policy trace it tells me that there is no match on the role-mapping policy. I also tried adding the Large group or the Small group in the rule, but I get exactly the same results.

Is it actually possible to do role mapping this way? Can the SA check rule matching based on sub-groups?

Thanks,

Diez

AJA_
Frequent Contributor

Re: sa6500 - role mapping based on LDAP group when the user is in a sub-group

Yes, it is possible.

Can you please attach a screenshot of your LDAP server and role-mapping configs, if possible?

Also, can you take a TCP dump from the SA while a user tries to authenticate?

We may be missing the member attribute value, along with the search method.

spanudiez_
Occasional Contributor

Re: sa6500 - role mapping based on LDAP group when the user is in a sub-group

Thank you, you were right. I realized my SA wasn't looking in nested groups. Thank you for making me check the LDAP conf.
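To show why a member of AD_Small_group matched nothing until nested-group lookup was enabled, here is an added Python example that walks a small in-memory directory the way an appliance's group-membership check does. It is not the SA's own code and not from either poster: the directory entries, DNs, user names, role name and the `nested_depth` parameter are constructed assumptions. The AD filter it prints uses the matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which is what you would put in an ldapsearch to let the domain controller resolve the nesting server-side; the thread does not give the exact field names on the SA's LDAP server page, so only the mechanism is modelled here.

```python
"""
Nested-group resolution for LDAP/AD role mapping (added example).

The directory below is a hand-built stand-in for an AD tree. DNs, users,
group names beyond the two in the thread, and the role name are assumptions.
"""
from collections import deque

GROUP_OC = "group"

# Minimal in-memory directory keyed by DN. Only the attributes the walk
# needs are modelled: objectClass and the forward "member" attribute that
# AD maintains on group objects.
DIRECTORY = {
    "CN=AD_Large_group,OU=Groups,DC=example,DC=com": {
        "objectClass": GROUP_OC,
        "member": [
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=AD_Small_group,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=AD_Small_group,OU=Groups,DC=example,DC=com": {
        "objectClass": GROUP_OC,
        "member": [
            "CN=diez,OU=Users,DC=example,DC=com",
            "CN=AD_Loop_group,OU=Groups,DC=example,DC=com",
        ],
    },
    # Constructed group that points back up the tree, to exercise the cycle guard.
    "CN=AD_Loop_group,OU=Groups,DC=example,DC=com": {
        "objectClass": GROUP_OC,
        "member": ["CN=AD_Large_group,OU=Groups,DC=example,DC=com"],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user", "member": []},
    "CN=diez,OU=Users,DC=example,DC=com": {"objectClass": "user", "member": []},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user", "member": []},
}


def is_group(dn):
    return DIRECTORY.get(dn, {}).get("objectClass") == GROUP_OC


def effective_members(group_dn, nested_depth=0):
    """Return the set of user DNs that belong to group_dn.

    nested_depth=0 reads only the group's own member attribute, which is
    all a direct member lookup sees. Each extra level expands member groups
    one hop further. Visited groups are tracked so a cycle in the directory
    cannot loop forever.
    """
    users = set()
    seen = {group_dn}
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        for member in DIRECTORY.get(dn, {}).get("member", []):
            if is_group(member):
                if depth < nested_depth and member not in seen:
                    seen.add(member)
                    queue.append((member, depth + 1))
            else:
                users.add(member)
    return users


def is_member(user_dn, group_dn, nested_depth=0):
    return user_dn in effective_members(group_dn, nested_depth)


def in_chain_filter(group_dn):
    """Server-side equivalent: with LDAP_MATCHING_RULE_IN_CHAIN the domain
    controller walks the nesting itself, so one search answers whether a
    user is a transitive member without the client expanding groups."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % group_dn


def map_roles(user_dn, rules, nested_depth=0):
    """rules: list of (group_dn, role_name). Returns the roles whose group
    contains the user at the configured nesting depth."""
    return [role for group_dn, role in rules
            if is_member(user_dn, group_dn, nested_depth)]


# Constructed role-mapping rule: members of the large group get "Employees".
RULES = [("CN=AD_Large_group,OU=Groups,DC=example,DC=com", "Employees")]

if __name__ == "__main__":
    diez = "CN=diez,OU=Users,DC=example,DC=com"
    print("depth 0:", map_roles(diez, RULES, 0))   # [] : the "no roles" symptom
    print("depth 1:", map_roles(diez, RULES, 1))   # ['Employees']
    print(in_chain_filter(RULES[0][0]))
```

With `nested_depth=0` the user in the sub-group gets no roles, which is the symptom in the first post; raising the depth to 1 makes the large-group rule match. The cycle guard matters in real directories because nested groups can and do form loops, and an unguarded walk would hang the authentication.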