4 Replies Latest reply: Dec 27, 2012 11:02 AM by bg2

    Custom LDAP - find user in a group

    bg2

      Hello:

      I have been struggling with this and not really getting anywhere.

      We are using Red Hat LDAP and I need to do the following:

      1) I need to authenticate the user and password (this seems to work fine).

      2) If a user is in 1 of 5 predefined LDAP groups they are granted access; otherwise they are blocked.

      I have been unsuccessful in getting #2 to work.

      a) ou=company.com

      b) search filter (do not filter searches)

      c) external groups = org_1, org_2, org_3, org_4, org_5.

      Can anyone shed some light on this for me?

      Thanks

      BG

        • 1. Re: Custom LDAP - find user in a group
          sliedl

          What version of the firewall are you using?

          • 2. Re: Custom LDAP - find user in a group
            bg2

            8.3.0

            • 3. Re: Custom LDAP - find user in a group
              sliedl

              First, you go to Authenticators and click the 'User and User Groups' button in the top-right.  This is where you add these External Group names.  Then you go to your Access Control Rules and open the rule for which you want to authenticate these users.  In the 'Users and Groups' section there you select the External Group names you created in the previous step.  The LDAP authenticator you created is selected in the 'Authenticator' drop-down box in this rule also.  Now the sessions through this rule will be authenticated against your LDAP server and, if a group returned by the LDAP query matches a group in the rule, this session will be allowed.  Otherwise it will skip this rule and go through the rules below this one until it hits another matching rule or hits the Deny All rule.

              • 4. Re: Custom LDAP - find user in a group
                bg2

                Hi Sliedl:

                I have had it configured as you specified, but it will still not authenticate against groups.

                I think the problem is in how the Authenticator Object has been configured?

                In LDAP we have an ou=People where the uid is the userid needed to authenticate.

                ou=People
                    uid=user1
                        uid=user1
                        cn=Jones,Smith W.

                In LDAP we have an ou=Groups where uniqueMember specifies whether someone is a member of the group.

                ou=Groups
                    cn=group1
                        uniqueMember: uid=user1, ou=People, o=company.com

                    cn=group2
                        uniqueMember: uid=user1, ou=People, o=company.com

                [Image: IMG1.png]

                [Image: IMG2.png]

                Message was edited by: bg2 on 12/27/12 11:02:42 AM CST
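Added example, not part of the thread and not the firewall's own query logic (the posts do not show what the authenticator actually sends to the server): a small Python script that models the "allow only if the user is in one of the five external groups" check from the first post against the ou=People / ou=Groups layout shown in reply 4. It reads a constructed LDIF sample, canonicalises DNs before comparing them (the post itself mixes "Ou=People" and "ou=People", and uniqueMember values with and without spaces after the commas; a byte-for-byte comparison would miss a member that a real server would match), escapes the uid before building the DN so a crafted login name cannot add RDNs, and returns the decision together with the groups that matched. Assumptions: the naming context is o=company.com (the uniqueMember values in the post use o=, not the ou= typed in the first post), groups carry objectClass groupOfUniqueNames (the standard class for the uniqueMember attribute), the group name the rule matches on is the group's cn, and all sample users, groups and DNs are made up.

```python
"""Added example (not from the thread): model the 'user must be in one of N
LDAP groups' check against a constructed LDIF sample of the ou=People /
ou=Groups layout from reply 4. Naming context o=company.com is assumed."""
import re

# Constructed sample directory; mixes DN spelling/casing the way the post does.
SAMPLE_LDIF = """
dn: uid=user1,ou=People,o=company.com
objectClass: inetOrgPerson
uid: user1
cn: Jones, Smith W.

dn: uid=user2,ou=People,o=company.com
objectClass: inetOrgPerson
uid: user2
cn: Doe, Jane

dn: cn=org_1,ou=Groups,o=company.com
objectClass: groupOfUniqueNames
cn: org_1
uniqueMember: uid=user1, ou=People, o=company.com

dn: cn=org_2,ou=Groups,o=company.com
objectClass: groupOfUniqueNames
cn: org_2
uniqueMember: UID=user1,OU=People,O=company.com

dn: cn=staff,ou=Groups,o=company.com
objectClass: groupOfUniqueNames
cn: staff
uniqueMember: uid=user1,ou=People,o=company.com
uniqueMember: uid=user2,ou=People,o=company.com
"""

ALLOWED_GROUPS = {"org_1", "org_2", "org_3", "org_4", "org_5"}  # the 5 external groups
PEOPLE_BASE = "ou=People,o=company.com"                         # assumed user container


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lower-cased. No base64 (::) values or continuation lines."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Canonical DN for comparison: split on unescaped commas, strip spaces around
    each RDN and '=', lower-case type and value (cn/uid match case-insensitively)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def escape_dn_value(value):
    """RFC 4514 escaping so a uid from a login form cannot smuggle extra RDNs
    ('user1,ou=Admins') into the DN being looked up."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def groups_of(entries, member_dn):
    """cn of every groupOfUniqueNames entry listing member_dn as a uniqueMember."""
    target = normalize_dn(member_dn)
    found = set()
    for e in entries:
        if "groupofuniquenames" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        if target in {normalize_dn(m) for m in e.get("uniquemember", [])}:
            found.add(e["cn"][0])
    return found


def is_authorized(entries, uid, allowed=ALLOWED_GROUPS):
    """Step 2 from the thread (password auth assumed already done): allow only
    if the user entry exists and is a member of at least one allowed group."""
    user_dn = f"uid={escape_dn_value(uid)},{PEOPLE_BASE}"
    target = normalize_dn(user_dn)
    if not any(normalize_dn(e["dn"][0]) == target for e in entries):
        return False, set()
    matched = groups_of(entries, user_dn) & set(allowed)
    return bool(matched), matched


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid in ("user1", "user2", "nobody", "user1,ou=Admins"):
        ok, groups = is_authorized(ENTRIES, uid)
        print(f"{uid!r}: {'ALLOW' if ok else 'DENY'} {sorted(groups)}")
```

Run as-is to see the decision for each sample uid; user2 is denied even though it is in a group, because staff is not one of the five external groups. The same membership question put to the real server is a search under base ou=Groups,o=company.com with the filter (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=People,o=company.com)), for example with ldapsearch -x -H ldap://host -b ou=Groups,o=company.com and a bind DN that may read the groups. If that search returns org_* entries for a user the rule still denies, the directory data is fine and the problem is on the authenticator side: a search base that only covers ou=People, or a search filter that excludes group entries, will never let the query reach ou=Groups, and a group name typed under "User and User Groups" that does not exactly equal the group's cn will never match.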