Hi Alexander,

I've just had a call with Pulse Secure, and we've worked out the various problems. Thanks for your help, as that really helped with Pulse Secure.

FYI, and for anyone in the future: the User filter should be uid=<USER>, the Group filter should be cn=<GROUPNAME>, and both the member attribute and the query attribute should be member, not memberOf (as you said). This allows all the groups to be returned, but also allows a user who is a part of the group to log in.

Kind Regards,
Josh Cullum

On Tue, Jan 12, 2016 at 10:57 AM Alexander Bokovoy <[email protected]> wrote:
> On Tue, 12 Jan 2016, CFMS Support wrote:
> >Hi Alexander,
> >
> >Yes I see that as well actually, and when looking for a specific group I
> >get:
> >
> >[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from 172.19.6.16 to 172.20.3.6
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> >[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk" method=128 version=3
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2 filter="(cn=XXXXX)" attrs="memberOf"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1
> >
> >And that the directory server has returned one entry, however, the VPN
> >device doesn't see it and returns that the group is not found.
> Can you show the result of the ldapsearch under the same credentials
> from the command line to see what exactly it gets?
>
> Looking at the setup instructions [1], I think you need to choose
> between static or dynamic group selection. Right now you have static
> group selection configured which assumes you have an LDAP Server catalog
> configured in PSA to list all groups that can be there, and these group
> DNs must match what you get as result of the searches performed.
>
> If you have already defined those static groups in LDAP Server catalog,
> then I think you need to use 'member' attribute instead of memberOf --
> memberOf is used in the user (or a nested group) entry to say what group
> this object is member of, while the group itself will have member
> attribute values pointing to its members.
>
> [1]
> http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf
>
> --
> / Alexander Bokovoy
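An added illustration of the point settled above (not code from the thread, FreeIPA or Pulse Secure): it builds the uid=<USER> and cn=<GROUPNAME> filters with RFC 4515 escaping of the substituted names, and runs them against a constructed, in-memory stand-in for the directory to show why the group's `member` attribute yields membership while asking a group entry for `memberOf` (the search in the quoted log) returns an entry with no membership data. The user container cn=users,cn=accounts is an assumed FreeIPA layout; the group base and suffix are taken from the log.

```python
# Added example: filters and member-vs-memberOf check against constructed entries.
BASE = "dc=identity,dc=cfms,dc=org,dc=uk"          # suffix seen in the log
USER_BASE = "cn=users,cn=accounts," + BASE          # assumed user container
GROUP_BASE = "cn=groups,cn=accounts," + BASE        # group base from the log

def escape_filter(value):
    """RFC 4515 escaping so a supplied name cannot change filter structure."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def user_filter(username):      # User filter: uid=<USER>
    return "(uid=%s)" % escape_filter(username)

def group_filter(groupname):    # Group filter: cn=<GROUPNAME>
    return "(cn=%s)" % escape_filter(groupname)

# Constructed entries mirroring a FreeIPA layout (not real data).
USER_DN = "uid=josh," + USER_BASE
GROUP_DN = "cn=vpn-users," + GROUP_BASE
DIRECTORY = {
    USER_DN:  {"uid": ["josh"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"cn": ["vpn-users"], "member": [USER_DN]},
}

def search(base, filt, attrs):
    """Stand-in for ldapsearch: subtree scope, one equality filter.
    Returns (dn, requested attributes present on the entry) pairs."""
    attr, _, value = filt[1:-1].partition("=")
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn.endswith(base) and value in map(escape_filter, entry.get(attr, [])):
            hits.append((dn, {a: entry[a] for a in attrs if a in entry}))
    return hits

def group_members(groupname, attribute="member"):
    """Membership as the VPN sees it via the configured member attribute.
    With 'memberOf' the group entry is still found (nentries=1 in the log)
    but carries no membership values, so the device sees an empty group."""
    return [dn for _, attrs in search(GROUP_BASE, group_filter(groupname), [attribute])
            for dn in attrs.get(attribute, [])]

def is_member(username, groupname):
    """User filter first, then check the user's DN against the group's member values."""
    hits = search(USER_BASE, user_filter(username), ["uid"])
    return any(dn in group_members(groupname) for dn, _ in hits)
```

Because the substituted name is escaped, a login name such as `*` does not become a wildcard and matches no user.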
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
