
Properly define Ldap Group

Hey expert

I know this question seems more like a micr****t question, but still I want to give it a try, since today I was struggling with that topic. Creating an account unit and making Identity Awareness work went pretty fine.

Users are authenticated with ldap ,defining an ldap group in such way

-Only group in branch (dn prefix) CN=test,OU=customer,DC=customer,DC=local does not seem to match the group test in the OU customer, and the remote access traffic is hitting the cleanup rule

while defining the group in this way

-Only Sub Tree CN=Users DC=customer,DC=local matches my remote access rule with the defined ldap group as a source

Triple checked the path on the domain controller. Looks like I'm missing something obvious here; if someone has some hint, I'll appreciate it.

Cheers

5 Replies
Heath_Mote
Copper

Re: Properly define Ldap Group

Did you get this figured out? I’m seeing the same thing and following LDAP Configuration - Best Practice it looks like the example is setup to allow anyone from AD but we only want specific users.

0 Kudos

Re: Properly define Ldap Group

Really not. Working with some SMB appliance and finding out (I don't know if this is relevant) that the DC did not reply to the LDAP query with the memberOf attribute, so the gateway can't match the LDAP group defined in the remote access rule.

LDAP group was set in this way: CN=(nameofthegroup),OU=(nameoftheou)DC=(nameofthecompany),DC=(local)

Thanks for pointing out the sk

0 Kudos
Heath_Mote
Copper

Re: Properly define Ldap Group

The only way that I've been able to get this work is when I set the source to 'All Users@Any'...I wouldn't think that's the best solution.

0 Kudos

Re: Properly define Ldap Group

I have the exact same problem with my 1400 devices. Any solution to this? Just want to work with AD groups as Source in a VPN rule.

0 Kudos

Re: Properly define Ldap Group

First, you need a group defined in AD, for example "my-test-group"... then the user (in your case user = "test") has to be part of the newly created group...

Account unit = should have selected your AD domain... possibly defined earlier when you enabled the "Identity Awareness blade".

Then choose "Only group in branch"...

CN=my-test-group,OU=groups ... the rest of the prefix should already be populated if you already had an account unit defined.

Assuming that the 1400 devices have access available to your AD somehow...via VPN or other means.

0 Kudos
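To make the two rule forms from the original question concrete ("Only group in branch" versus "Only Sub Tree") and the failure mode from the second reply (the DC not returning memberOf), here is an added Python illustration. It is not Check Point's code and does not reproduce the gateway's real matching logic; it models the checks as the thread describes them, with constructed user entries and DNs, and assumes a simplified DN comparison (no RFC 4514 escaping).

```python
# Added illustration, not Check Point code. Models how an LDAP group rule
# can be evaluated against the attributes a DC returns for a user.
# DN handling is simplified: escaped commas/equals are not supported.

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN: lower-case, strip spaces around '=' and ','.
    'CN= my-test-group, OU=groups' -> 'cn=my-test-group,ou=groups'."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or sits beneath it (component-wise suffix)."""
    d = normalize_dn(dn).split(",")
    b = normalize_dn(base).split(",")
    return len(d) >= len(b) and d[-len(b):] == b

def only_group_in_branch(user_entry: dict, group_dn: str) -> bool:
    """'Only group in branch': the user's memberOf must contain the group DN.
    If the DC returned no memberOf at all, nothing can ever match."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(g) == target for g in user_entry.get("memberOf", []))

def only_sub_tree(user_entry: dict, subtree_dn: str) -> bool:
    """'Only Sub Tree': the user's own DN must lie under the base.
    This matches every user in the subtree, not members of one group."""
    return dn_in_subtree(user_entry["dn"], subtree_dn)

def diagnose(user_entry: dict, group_dn: str, subtree_dn: str) -> dict:
    """Which rule forms would match, plus the 'memberOf missing' signal."""
    return {
        "memberOf_returned": "memberOf" in user_entry,
        "only_group_in_branch": only_group_in_branch(user_entry, group_dn),
        "only_sub_tree": only_sub_tree(user_entry, subtree_dn),
    }

# Constructed sample entries: the same user, with and without memberOf.
USER_WITH_MEMBEROF = {
    "dn": "CN=test,CN=Users,DC=customer,DC=local",
    "memberOf": ["CN=my-test-group,OU=groups,DC=customer,DC=local"],
}
USER_WITHOUT_MEMBEROF = {"dn": "CN=test,CN=Users,DC=customer,DC=local"}
GROUP_DN = "CN= my-test-group, OU=groups, DC=customer, DC=local"  # spaces as typed
SUBTREE_DN = "CN=Users,DC=customer,DC=local"

if __name__ == "__main__":
    for label, entry in (("with memberOf", USER_WITH_MEMBEROF),
                         ("without memberOf", USER_WITHOUT_MEMBEROF)):
        print(label, diagnose(entry, GROUP_DN, SUBTREE_DN))
```

The second entry reproduces the symptom from the thread: the subtree rule matches while the group rule silently never does, which is why "All Users@Any" appeared to be the only working source.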