topic Re: Properly define Ldap Group in SASE and Remote Access

Properly define Ldap Group

Marco_Valenti — Thu, 05 Apr 2018 16:12:54 GMT

Hey expert

I know this question seems more a micr****t question but still I want to give it a try since today I was struggling with that argument , create an account unit and make the Identity Awareness went pretty fine .

Users are authenticated with ldap ,defining an ldap group in such way

-Only group in branch (dn prefix) CN=test,OU=customer,DC=customer,DC=local does not seems to match the group test in the OU customer and the remote access traffic are hitting clean up rule

while define the group in the way

-Only Sub Tree CN=Users DC=customer,DC=local match my remote access rule with as a source the defined ldap group

Triple checked the path on the domain controller , looks like I'm missing something obvious here , if someone got some hint I'll appreciate it

Cheers

Re: Properly define Ldap Group

Heath — Sat, 21 Apr 2018 14:57:15 GMT

Did you get this figured out? I’m seeing the same thing and following LDAP Configuration - Best Practice it looks like the example is setup to allow anyone from AD but we only want specific users.

Re: Properly define Ldap Group

Marco_Valenti — Mon, 23 Apr 2018 06:44:47 GMT

Really not , working with some smb appliance and founding out ( I don't know if this is relevant) that the dc did not reply to the ldap query with the attribute member of so the gateway can't match the ldap group defined in the remote access rule

Ldap group was set in this way CN=(nameofthegroup),OU=(nameoftheouu)DC=(nameoftecompany),DC=(local)

Thanks for pointing out the sk

Re: Properly define Ldap Group

Heath — Mon, 23 Apr 2018 22:49:45 GMT

The only way that I've been able to get this work is when I set the source to 'All Users@Any'...I wouldn't think that's the best solution.

Re: Properly define Ldap Group

Johnny_Sjolund — Wed, 28 Nov 2018 14:56:45 GMT

I have the exact same problem with my 1400 devices. Any solution to this? Just want to work with AD groups as Source in a VPN rule.

Re: Properly define Ldap Group

Sal_Previtera — Thu, 20 Dec 2018 15:47:20 GMT

First, you need a group defined in AD, example "my-test-group"....then user ( your case user = "test" )has to be part of the newly created group.....

Account unit = should have selected your AD domain...possible defined earlier when you enabled "Identity Awareness blade"

then choose only group in branch....

CN= my-test-group, OU=groups .... the rest of the prefix should already be populated if already had an account unit defined.

Assuming that the 1400 devices have access available to your AD somehow...via VPN or other means.

Re: Properly define Ldap Group

Richard_Anton_V — Tue, 13 Apr 2021 11:59:46 GMT

Good day,

Anyone already solved this issue? Im having the same problem whereas using the group doesnt match the rulebase.

Thank you!