Marco_Valenti
Advisor

Properly define Ldap Group

Hey expert

I know this question seems more like a micr****t question, but still I want to give it a try, since today I was struggling with that topic. Creating an account unit and getting Identity Awareness working went pretty fine.

Users are authenticated with LDAP. Defining an LDAP group in this way:

- Only group in branch (DN prefix) CN=test,OU=customer,DC=customer,DC=local does not seem to match the group test in the OU customer, and the remote access traffic is hitting the cleanup rule

while defining the group in this way:

- Only Sub Tree CN=Users DC=customer,DC=local matches my remote access rule with the defined LDAP group as the source

Triple-checked the path on the domain controller; looks like I'm missing something obvious here. If someone has a hint, I'll appreciate it.

Cheers

6 Replies
Heath_Mote
Collaborator

Did you get this figured out? I'm seeing the same thing, and following LDAP Configuration - Best Practice, it looks like the example is set up to allow anyone from AD, but we only want specific users.

0 Kudos
Marco_Valenti
Advisor

Really not. Working with some SMB appliance and finding out (I don't know if this is relevant) that the DC did not reply to the LDAP query with the attribute memberOf, so the gateway can't match the LDAP group defined in the remote access rule.

LDAP group was set in this way: CN=(nameofthegroup),OU=(nameoftheouu)DC=(nameoftecompany),DC=(local)

Thanks for pointing out the sk

0 Kudos
Heath_Mote
Collaborator

The only way that I've been able to get this to work is when I set the source to 'All Users@Any'... I wouldn't think that's the best solution.

0 Kudos
Johnny_Sjolund
Explorer

I have the exact same problem with my 1400 devices. Any solution to this? Just want to work with AD groups as Source in a VPN rule.

0 Kudos
Sal_Previtera
Contributor

First, you need a group defined in AD, for example "my-test-group". Then the user (in your case user = "test") has to be part of the newly created group.

Account unit: should have your AD domain selected, possibly defined earlier when you enabled the "Identity Awareness blade".

Then choose only group in branch:

CN=my-test-group,OU=groups ... the rest of the prefix should already be populated if you already had an account unit defined.

Assuming that the 1400 devices have access to your AD somehow, via VPN or other means.

0 Kudos
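The thread turns on two different ways a rule source can be scoped: "Only Sub Tree" (is the user's own DN under the configured base?) versus "Only group in branch" (does the user's memberOf list contain the configured group DN?). The second scope can only succeed if the directory actually returns memberOf for the user, which is exactly what Marco observed was missing. The script below is an added example, not Check Point's code or any part of the product; it is a simplified, constructed model of those two scope checks with a DN parser and a small diagnostic, so you can see why a user can pass the sub-tree test and fail the group test on the same rule. All DNs and the user record are constructed sample data; the function names (parse_dn, in_subtree, in_group, rule_matches, explain_mismatch) are my own.

```python
"""Constructed model of the two LDAP-group scopes from the thread.
Simplified illustration only; not the gateway's real matching code."""
import re
from dataclasses import dataclass, field


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs.

    Honours '\\,' escapes inside values, ignores whitespace around '=' and ',',
    upper-cases attribute names and lower-cases values, so
    'CN= my-test-group, OU=groups' compares equal to 'CN=my-test-group,OU=groups'.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(),
                     value.strip().replace('\\,', ',').lower()))
    return rdns


@dataclass
class LdapUser:
    """What the gateway learned about one user from the directory (constructed)."""
    dn: str
    # memberOf is empty when the DC did not return the attribute.  Note that
    # AD's memberOf lists direct memberships only and never the primary group.
    member_of: list[str] = field(default_factory=list)


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """'Only Sub Tree': the entry sits at or below base_dn (suffix match on RDNs)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def in_group(user: LdapUser, group_dn: str) -> bool:
    """'Only group in branch': the configured group DN is one of the user's memberOf values."""
    group = parse_dn(group_dn)
    return any(parse_dn(m) == group for m in user.member_of)


def rule_matches(user: LdapUser, scope: str, dn: str) -> bool:
    """Evaluate a rule source against a user; scope is 'subtree' or 'group'."""
    if scope == "subtree":
        return in_subtree(user.dn, dn)
    if scope == "group":
        return in_group(user, dn)
    raise ValueError(f"unknown scope {scope!r}")


def explain_mismatch(user: LdapUser, scope: str, dn: str) -> str:
    """Return 'match' or a one-line reason why the user fell through to cleanup."""
    if rule_matches(user, scope, dn):
        return "match"
    if scope == "group" and not user.member_of:
        return "no match: directory returned no memberOf values for the user"
    if scope == "group":
        return "no match: group DN is not among the user's memberOf values"
    return "no match: user DN is outside the configured sub tree"


# Constructed sample data mirroring the thread's layout: user object under
# CN=Users, security group 'test' under OU=customer.
GROUP_DN = "CN=test,OU=customer,DC=customer,DC=local"
USERS_BASE = "CN=Users,DC=customer,DC=local"
USER_WITH_MEMBEROF = LdapUser("CN=jdoe,CN=Users,DC=customer,DC=local", [GROUP_DN])
USER_WITHOUT_MEMBEROF = LdapUser("CN=jdoe,CN=Users,DC=customer,DC=local", [])

if __name__ == "__main__":
    for label, user in (("memberOf returned", USER_WITH_MEMBEROF),
                        ("memberOf missing", USER_WITHOUT_MEMBEROF)):
        print(f"[{label}] group scope   -> {explain_mismatch(user, 'group', GROUP_DN)}")
        print(f"[{label}] subtree scope -> {explain_mismatch(user, 'subtree', USERS_BASE)}")
```

Running it shows the asymmetry in the thread: the sub-tree scope matches both users because it only looks at the user's own DN, while the group scope matches only the user whose record carries memberOf. When a group-scoped rule falls through to cleanup, checking whether the directory actually returns memberOf for that user (and whether the group is a direct membership rather than a nested or primary group) is the first thing to verify.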
Richard_Anton_V
Explorer

Good day,

Anyone already solved this issue? I'm having the same problem, where using the group doesn't match the rulebase.

Thank you!

0 Kudos