Prashant_YADAV1
Contributor

Identity collector and user directory relation

Hello Experts,

I need clarification on the relation between the identity collector and user directories while identifying a user and mapping that user to the right access role.

Basically, we have configured identity acquisition from multiple AD servers with the help of an identity collector.

Sometimes we have issues with a user who is configured with a user access role like identity-Facebook-user (this access role uses an LDAP group inside it).

What I would like to understand is the usage of the user directory option on each gateway.

By default all user directories are selected. Should I select only the user directory related to each gateway and set the priority on each gateway object to make it work every time?

Attaching a screenshot of the user directory setting.

0 Kudos
5 Replies
_Val_
Admin
Admin

The use case is not clear. Please elaborate with more details and desired results.

0 Kudos
Prashant_YADAV1
Contributor

Hello Val,

Thanks for the quick reply.

Use case is simple.

To create a user access role based on LDAP group membership and then apply the user access role in the Firewall (Application + URL Filtering blade) to filter some traffic like Facebook or allow something like Dropbox.

Access works sometimes, and sometimes the end user just loses their access role, as seen when checking `pdp m user info` on the gateway.

The user shows as an identified user, but the access role which I applied in the past is lost for some reason.

Thanks 

0 Kudos
_Val_
Admin
Admin

How do you build your rulebase? How do you configure your Identity collector? What is the version in use?

0 Kudos
Sorin_Gogean
Advisor

Do some reading in regards to AD Global Catalog (sk134292), as you might want to use that too.

It can happen that in some cases the user is identified correctly, but the mapping to the AD group does not happen. This could be because a search of AD groups for that particular user does not return the proper group, either because it is not found or because the AD group membership is chained (nested) and the search only goes to a certain depth.

Can you provide screenshots with a user identified and mapped properly and one that is not?

ty,

PS: we have similar behavior with identities received from ISE, and with Global Catalog we should fix that (still in PoC/tests).

0 Kudos
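To make the nested-group failure mode described in the reply above concrete, here is an added example (not code from the original thread and not Check Point's own implementation) that resolves chained group membership over a small constructed directory with a configurable search depth. The directory entries, user and group DNs, and the depth cap are all assumptions made up for illustration; the point it shows is that a user whose role group sits several `memberOf` hops away is identified but never mapped when the lookup stops too early, while a direct member of the same group is mapped at depth 1.

```python
from collections import deque

# Constructed toy directory (not real AD data): each DN maps to the DNs it is
# a direct member of, i.e. a simplified "memberOf" attribute.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=local": [
        "CN=Sales-Team,OU=Groups,DC=example,DC=local"],
    "CN=Sales-Team,OU=Groups,DC=example,DC=local": [
        "CN=Sales-All,OU=Groups,DC=example,DC=local"],
    "CN=Sales-All,OU=Groups,DC=example,DC=local": [
        "CN=Social-Media-Allowed,OU=Groups,DC=example,DC=local"],
    "CN=Social-Media-Allowed,OU=Groups,DC=example,DC=local": [],
    "CN=bob,OU=Users,DC=example,DC=local": [
        "CN=Social-Media-Allowed,OU=Groups,DC=example,DC=local"],
}

# Hypothetical access-role group and user DNs, chosen for this example only.
ROLE_GROUP = "CN=Social-Media-Allowed,OU=Groups,DC=example,DC=local"
ALICE = "CN=alice,OU=Users,DC=example,DC=local"
BOB = "CN=bob,OU=Users,DC=example,DC=local"


def resolve_groups(directory, user_dn, max_depth):
    """Return every group reachable from user_dn within max_depth hops.

    Depth 1 is direct membership only; each further hop follows the parent
    group's own memberOf list. A visited set guards against group cycles.
    """
    found = set()
    visited = {user_dn}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue  # search cap reached: deeper parents are never seen
        for parent in directory.get(dn, []):
            if parent in visited:
                continue
            visited.add(parent)
            found.add(parent)
            queue.append((parent, depth + 1))
    return found


def matches_access_role(directory, user_dn, role_group_dn, max_depth):
    """True if the user would be mapped to an access role keyed on role_group_dn."""
    return role_group_dn in resolve_groups(directory, user_dn, max_depth)


if __name__ == "__main__":
    for depth in (1, 2, 3):
        alice_ok = matches_access_role(DIRECTORY, ALICE, ROLE_GROUP, depth)
        bob_ok = matches_access_role(DIRECTORY, BOB, ROLE_GROUP, depth)
        print(f"depth={depth}: alice mapped={alice_ok}, bob mapped={bob_ok}")
```

Running it prints that bob is mapped at every depth while alice is only mapped once the search follows three hops, which is the "identified but no access role" symptom: identity acquisition succeeded, group resolution did not. When troubleshooting, comparing the groups the gateway actually resolved for a working and a non-working user (as the reply asks for) is the quickest way to tell a depth or search-scope problem from a wrong user directory being queried.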

I would suggest to contact TAC ! Moved to Gateways as this hardly is a General Topic!

CCSE CCTE CCSM SMB Specialist
0 Kudos