    Custom LDAP - find user in a group




      I have been struggling with this and not really getting anywhere.

      We are using Red Hat ldap and I need to do the following.


      1) I need to authenticate the user and password (this seems to work fine)

      2) If a user is in 1 of 5 predefined ldap groups they are granted access, otherwise they are blocked.


      I have been unsuccessful in getting #2 to work.


      a) ou=company.com

      b) search filter (do not filter searches)

      c) external groups=  org_1, org_2, org_3, org_4, org_5.


      Could anyone shine some light on this for me?




        • 1. Re: Custom LDAP - find user in a group

          What version of the firewall are you using?

          • 2. Re: Custom LDAP - find user in a group


            • 3. Re: Custom LDAP - find user in a group

              First, you go to Authenticators and click the 'User and User Groups' button in the top-right.  This is where you add these External Group names.  Then you go to your Access Control Rules and open the rule for which you want to authenticate these users.  In the 'Users and Groups' section there you select the External Group names you created in the previous step.  The LDAP authenticator you created is selected in the 'Authenticator' drop-down box in this rule also.  Now the sessions through this rule will be authenticated against your LDAP server and, if a group returned by the LDAP query matches a group in the rule, this session will be allowed.  Otherwise it will skip this rule and go through the rules below this one until it hits another matching rule or hits the Deny All rule.

              • 4. Re: Custom LDAP - find user in a group

                Hi Sliedl:


                I have had it configured as you specified. But it will still not authenticate against groups.

                I think the problem is in how the Authenticator Object has been configured?


                In LDAP we have an ou=People where the uid is the userid needed to authenticate.

                                                cn=Jones,Smith W.

                In LDAP we have an ou=Groups where uniquemember specifies whether someone is a member of the group.

                                                uniquemember(uid=user1, ou=People, o=company.com)

                                                uniquemember(uid=user1, ou=People, o=company.com)
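The following is an added example, not code from the thread, from the firewall vendor or from Red Hat Directory Server. It shows the two lookups a "user must be in one of five groups" check needs for the layout reply #4 describes: people under ou=People keyed by uid, and groupOfUniqueNames entries under ou=Groups that list members by full DN in uniqueMember. The directory contents are constructed sample data, the base DN o=company.com is taken from the member DNs in reply #4 (note that the configuration in the first post shows ou=company.com instead, and the base must match the directory's real suffix for either search to return anything), and the group names are the five external groups from the first post. In production the same filter strings would be sent over a bound connection (ldapsearch or python-ldap); here a small local evaluator stands in for the server so the logic can be run offline.

```python
# Added example: group-membership check for a groupOfUniqueNames directory.
# Not the firewall's or Red Hat Directory Server's own code. Base DNs, group
# names and the sample entries below are assumptions/constructed data.

PEOPLE_BASE = "ou=People,o=company.com"
GROUP_BASE = "ou=Groups,o=company.com"
ALLOWED_GROUPS = ["org_1", "org_2", "org_3", "org_4", "org_5"]

# Constructed sample directory: (dn, attributes) pairs. org_1 lists its
# member with spaces after the commas, as written in the thread, to show
# that DN comparison must normalise that.
SAMPLE_DIRECTORY = [
    ("uid=user1,ou=People,o=company.com",
     {"objectClass": ["inetOrgPerson"], "uid": ["user1"], "cn": ["Jones, Smith W."]}),
    ("uid=user2,ou=People,o=company.com",
     {"objectClass": ["inetOrgPerson"], "uid": ["user2"], "cn": ["Doe, Jane"]}),
    ("uid=user3,ou=People,o=company.com",
     {"objectClass": ["inetOrgPerson"], "uid": ["user3"], "cn": ["Roe, Richard"]}),
    ("cn=org_1,ou=Groups,o=company.com",
     {"objectClass": ["groupOfUniqueNames"], "cn": ["org_1"],
      "uniqueMember": ["uid=user1, ou=People, o=company.com"]}),
    ("cn=org_3,ou=Groups,o=company.com",
     {"objectClass": ["groupOfUniqueNames"], "cn": ["org_3"],
      "uniqueMember": ["uid=user1,ou=People,o=company.com",
                       "uid=user2,ou=People,o=company.com"]}),
    ("cn=contractors,ou=Groups,o=company.com",   # not one of the allowed groups
     {"objectClass": ["groupOfUniqueNames"], "cn": ["contractors"],
      "uniqueMember": ["uid=user2,ou=People,o=company.com",
                       "uid=user3,ou=People,o=company.com"]}),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot rewrite the filter.

    Unescaped, a uid of "*)(uid=*" turns an exact match into a wildcard.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_dn_filter(uid: str) -> str:
    """Filter to resolve a login name to its entry under PEOPLE_BASE."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def group_filter(user_dn: str, allowed_groups) -> str:
    """Filter, run against GROUP_BASE, that returns only the allowed groups
    the user's DN is a uniqueMember of; a non-empty result grants access."""
    allowed = "".join("(cn=%s)" % escape_filter_value(g) for g in allowed_groups)
    return "(&(objectClass=groupOfUniqueNames)(|%s)(uniqueMember=%s))" % (
        allowed, escape_filter_value(user_dn))


def normalize_dn(dn: str) -> str:
    """Canonical DN form: RDN separators may carry whitespace and the usual
    attribute syntaxes match case-insensitively (caseIgnoreMatch). The sample
    DNs contain no escaped commas, so a plain split is sufficient here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn: str, base: str) -> bool:
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def find_user_dn(directory, uid: str):
    """Local stand-in for searching PEOPLE_BASE with user_dn_filter(uid).
    Returns None unless exactly one entry matches; an ambiguous login name
    must not authenticate."""
    matches = [dn for dn, attrs in directory
               if _under(dn, PEOPLE_BASE)
               and "inetOrgPerson" in attrs.get("objectClass", [])
               and uid in attrs.get("uid", [])]
    return matches[0] if len(matches) == 1 else None


def allowed_groups_for(directory, user_dn: str, allowed_groups=ALLOWED_GROUPS):
    """Local stand-in for searching GROUP_BASE with group_filter(...)."""
    target = normalize_dn(user_dn)
    allowed = {g.lower() for g in allowed_groups}
    found = []
    for dn, attrs in directory:
        if not _under(dn, GROUP_BASE):
            continue
        if "groupOfUniqueNames" not in attrs.get("objectClass", []):
            continue
        cn = attrs.get("cn", [""])[0]
        if cn.lower() not in allowed:
            continue
        if target in {normalize_dn(m) for m in attrs.get("uniqueMember", [])}:
            found.append(cn)
    return sorted(found)


def is_authorized(directory, uid: str) -> bool:
    """The decision reply #3 describes: allowed iff at least one group returned
    for the user is one of the configured external groups."""
    user_dn = find_user_dn(directory, uid)
    return user_dn is not None and bool(allowed_groups_for(directory, user_dn))


if __name__ == "__main__":
    for uid in ("user1", "user2", "user3", "*)(uid=*"):
        print("%-10s filter=%s authorized=%s"
              % (uid, user_dn_filter(uid), is_authorized(SAMPLE_DIRECTORY, uid)))
```

The useful check against a live server is to run the two filters with ldapsearch under the same bind DN the firewall uses: if the group search returns nothing for a user you know is in org_1, the cause is almost always the base DN (ou= versus o=), the bind account lacking read access to ou=Groups, or the uniqueMember values not being the exact DN of the user's entry.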






