fw_mon
Reliable Contributor
Message 1 of 3

MWG: LDAP nested groups


How do I configure the MWG LDAP query to get all of a user's nested groups? We can get all groups using NTLM but not using LDAP. According to the Microsoft documentation, the following query allows listing of nested groups:

https://docs.microsoft.com/en-gb/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN
(member:1.2.840.113556.1.4.1941:=CN=My Name,CN=Users,DC=my,DC=domain,DC=com)

Can you provide a correct filter configuration?


Best regards


2 Replies
asabban
McAfee Employee
Message 2 of 3

Re: MWG: LDAP nested groups


Hi,

What groups are you missing? Usually you send a search request to the DC saying

"Give me all objects of type group which have an attribute sAMAccountName='asabban'"

The DC then returns all matches. Depending on the BaseDN, all objects should be searched.

Can you let me know what groups are missing and maybe add a screenshot (or send by PM) of the group in the AD and what you get back via the LDAP authentication test (and point out what is missing)?

Thank you,
Andre

asabban
McAfee Employee
Message 3 of 3

Re: MWG: LDAP nested groups


Hi,

Thank you for the details. I understood the problem. We have a setup like this:

User: asabban

The user asabban is a member of the group "GROUP1". Then there is a group "GROUP2". The user asabban is NOT a member of the group GROUP2, but GROUP1 is a member of GROUP2. Then there is a third group, GROUP3. GROUP2 is a member of GROUP3.

So GROUP3 is a member of GROUP2, GROUP2 is a member of GROUP1, and the user asabban is a member of GROUP1. When I now look up the groups and the "memberOf" attribute, I only see "GROUP1", since asabban is only a member of this group.

It is possible to address this by making the following changes:

1.) Do not pick up any of the user attributes:

[Screenshot: 2021-11-04 14_29_16-McAfee _ Web Gateway.png]

By doing so MWG sends the sAMAccountName (asabban) to the LDAP server. The "Map Username to DN" setting makes sure that %u (which is set to asabban at the moment) is mapped to the full DN, which is CN=Andre Sabban,CN=Users,DC=testlab,DC=local. The CN is required for the next step:

2.) Lookup the groups

[Screenshot: 2021-11-04 14_31_21-McAfee _ Web Gateway.png]

By doing so MWG will query the LDAP server and ask for the "cn" (the short name) of all objects which have CN=Andre Sabban,CN=Users,DC=testlab,DC=local as "member". This would usually only return GROUP1, but by adding the numeric values (see the MS article above) the LDAP server will resolve the nested groups and return them.

Best,
Andre

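The following is an added example, not code from the thread or from McAfee: it builds the LDAP_MATCHING_RULE_IN_CHAIN filter quoted in the question (with RFC 4515 escaping of the DN, so a user-derived DN cannot alter the filter) and simulates, on a constructed mini-directory that mirrors the GROUP1/GROUP2/GROUP3 setup in the accepted answer, the difference between a plain direct-membership lookup and what the DC resolves for the chain matching rule. The `DIRECTORY` contents and the `OTHER` group are constructed sample data.

```python
# Added example (not from the thread): nested-group filter and resolution.

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the original question.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a DN
    (or any user-derived string) cannot break out of the filter expression."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_group_filter(user_dn: str) -> str:
    """Filter asking the DC for every object whose 'member' chain contains user_dn."""
    return f"(member:{IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed mini-directory (assumption, not real AD data): asabban is a direct
# member of GROUP1, GROUP1 is a member of GROUP2, GROUP2 is a member of GROUP3.
DIRECTORY = {
    "CN=GROUP1,CN=Users,DC=testlab,DC=local": ["CN=Andre Sabban,CN=Users,DC=testlab,DC=local"],
    "CN=GROUP2,CN=Users,DC=testlab,DC=local": ["CN=GROUP1,CN=Users,DC=testlab,DC=local"],
    "CN=GROUP3,CN=Users,DC=testlab,DC=local": ["CN=GROUP2,CN=Users,DC=testlab,DC=local"],
    "CN=OTHER,CN=Users,DC=testlab,DC=local": [],
}


def direct_groups(member_dn: str, directory=DIRECTORY) -> list:
    """What a plain (member=<dn>) search or the memberOf attribute shows: direct membership only."""
    return sorted(g for g, members in directory.items() if member_dn in members)


def chain_groups(member_dn: str, directory=DIRECTORY) -> list:
    """What the server computes for member:1.2.840.113556.1.4.1941:=<dn>:
    the transitive closure over group-in-group membership (cycle-safe)."""
    found, todo = set(), [member_dn]
    while todo:
        dn = todo.pop()
        for g in direct_groups(dn, directory):
            if g not in found:
                found.add(g)
                todo.append(g)
    return sorted(found)


def cn(dn: str) -> str:
    """Return the 'cn' (short name) part of a DN, as MWG asks for it."""
    return dn.split(",", 1)[0][3:]
```

Run `chain_groups` against the user's DN to see GROUP1, GROUP2 and GROUP3 where `direct_groups` only returns GROUP1, which is exactly the gap the accepted answer describes.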
