EG configuration | LDAP Group Filtering logic in VIP Enterprise Gateway for VIP Validation Server


Article ID: 158197


Products

VIP Enterprise Gateway

Issue/Introduction

VIP Enterprise Gateway Manager supports Active Directory (AD) LDAP group filtering. The customer wants the same filtering logic applied by the VIP Validation Server (RADIUS): VPN authentication should succeed only for members of the Active Directory “VPN” group. AD users who are not in that group still receive a VIP credential and enroll through the self-service portal, but they must not be able to use the VPN.

Resolution

The LDAP mapping of the VIP Validation Server can be used to retrieve the groups that a user attempting to log in belongs to. In the screenshot example below, user ‘susrinivas22’ is a member of two groups, gr16 and vipegtest.

Set the search attribute to distinguishedName, and use a secondary filter that matches every object of class group whose member attribute contains the user’s distinguished name (substituted for %s). A successful search returns the cn of each group the user was found in.

The secondary filter can also be narrowed to a particular group by adding a wildcard (*) match on cn. For example:

(&(member=%s)(objectclass=group)(cn=vipe*))

returns only the vipegtest group.

 

Once this information is returned, the VPN can be configured to allow access only to users whose lookup result matches the required group name.

Example for configuring nested (multiple levels of) groups, where the user’s group is itself a member of the VPN group. The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) evaluates memberOf transitively, so the filter returns any group that directly contains the user and is nested, at any depth, under the App - VPN Access group:

(&(member=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=App - VPN Access,OU=Groups,OU=Corp,OU=ABCD,DC=Efgh,DC=local))
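The filters above can be exercised offline. The following Python is an added example written for this article, not Broadcom/Symantec code and not a VIP Enterprise Gateway API: it escapes the user DN that is substituted for %s (RFC 4515), builds the secondary filter from the first example, and evaluates both the wildcard cn filter and the nested-group (1.2.840.113556.1.4.1941) filter against a constructed in-memory directory. The user and group names follow the article; the DNs, the extra users and the vpn_allowed policy helper are assumptions.

```python
"""Group lookup as performed by the VIP Validation Server LDAP mapping.

Added example, not Broadcom/Symantec code. DIRECTORY is a constructed,
in-memory stand-in for Active Directory so the filters run offline; the
user and group names follow the article, the DNs are assumptions.
"""
import re
from typing import Dict, List, Optional

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it for %s in a filter. A DN such as
    'CN=Smith\\, John' would otherwise inject a backslash into the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(user_dn: str, cn_pattern: Optional[str] = None) -> str:
    """Build the article's secondary filter with %s replaced by the escaped user DN."""
    clauses = [f"(member={escape_filter_value(user_dn)})", "(objectclass=group)"]
    if cn_pattern:
        clauses.append(f"(cn={cn_pattern})")  # admin-supplied pattern keeps its '*'
    return "(&" + "".join(clauses) + ")"


def _ldap_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Convert an LDAP substring pattern such as 'vipe*' to a regex; AD matches cn
    case-insensitively, so the regex does too."""
    body = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def _has_member(attrs: Dict, dn: str) -> bool:
    return dn.lower() in (m.lower() for m in attrs["member"])


# Constructed directory: group DN -> attributes. 'susrinivas22' is in gr16 and
# vipegtest (as in the article); vipegtest is nested under the VPN group, and
# 'direct' is a direct member of the VPN group only (assumed, to show that case).
USER_DN = "CN=susrinivas22,OU=Users,DC=example,DC=local"
OTHER_USER_DN = "CN=jdoe,OU=Users,DC=example,DC=local"
DIRECT_USER_DN = "CN=direct,OU=Users,DC=example,DC=local"
VPN_GROUP_DN = "CN=App - VPN Access,OU=Groups,DC=example,DC=local"
VIPEGTEST_DN = "CN=vipegtest,OU=Groups,DC=example,DC=local"
DIRECTORY = {
    "CN=gr16,OU=Groups,DC=example,DC=local": {"cn": "gr16", "member": [USER_DN, OTHER_USER_DN]},
    VIPEGTEST_DN: {"cn": "vipegtest", "member": [USER_DN]},
    VPN_GROUP_DN: {"cn": "App - VPN Access", "member": [VIPEGTEST_DN, DIRECT_USER_DN]},
}


def groups_for_user(directory: Dict, user_dn: str, cn_pattern: Optional[str] = None) -> List[str]:
    """Evaluate (&(member=%s)(objectclass=group)[(cn=<pattern>)]) and return the cn values."""
    cn_re = _ldap_wildcard_to_regex(cn_pattern) if cn_pattern else None
    return sorted(a["cn"] for a in directory.values()
                  if _has_member(a, user_dn) and (cn_re is None or cn_re.match(a["cn"])))


def _nested_under(directory: Dict, group_dn: str, target_dn: str, seen=None) -> bool:
    """True if group_dn is a member of target_dn at any depth. This is what the
    LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941 evaluates on memberOf."""
    seen = set() if seen is None else seen
    if group_dn.lower() in seen:          # guard against cyclic group nesting
        return False
    seen.add(group_dn.lower())
    for parent_dn, attrs in directory.items():
        if not _has_member(attrs, group_dn):
            continue
        if parent_dn.lower() == target_dn.lower():
            return True
        if _nested_under(directory, parent_dn, target_dn, seen):
            return True
    return False


def nested_groups_for_user(directory: Dict, user_dn: str, target_group_dn: str) -> List[str]:
    """Evaluate (&(member=%s)(memberOf:1.2.840.113556.1.4.1941:=<target group DN>)).
    Only groups nested *under* the target match; the target is not in its own
    memberOf chain, so a user who is merely a direct member of it gets no result."""
    return sorted(a["cn"] for g, a in directory.items()
                  if _has_member(a, user_dn) and _nested_under(directory, g, target_group_dn))


def vpn_allowed(matched_cns: List[str], required_cn: str = "vipegtest") -> bool:
    """VPN-side policy (assumed): allow only when the lookup returned the required group."""
    return any(cn.lower() == required_cn.lower() for cn in matched_cns)


if __name__ == "__main__":
    print(build_group_filter(USER_DN, "vipe*"))
    print(groups_for_user(DIRECTORY, USER_DN))                              # ['gr16', 'vipegtest']
    print(groups_for_user(DIRECTORY, USER_DN, "vipe*"))                     # ['vipegtest']
    print(nested_groups_for_user(DIRECTORY, USER_DN, VPN_GROUP_DN))         # ['vipegtest']
    print(nested_groups_for_user(DIRECTORY, DIRECT_USER_DN, VPN_GROUP_DN))  # []
    print(vpn_allowed(groups_for_user(DIRECTORY, OTHER_USER_DN, "vipe*")))  # False
```

Two points the article's filters leave implicit and that are worth checking against your own directory: the value substituted for %s must be filter-escaped, otherwise a DN containing a backslash, parenthesis or asterisk (CN=Smith\, John, for instance) breaks or widens the match, so confirm whether the Validation Server escapes it before relying on it; and the in-chain filter matches only groups nested under App - VPN Access, not that group itself, so a user who is solely a direct member of the VPN group returns no result (the DIRECT_USER_DN case above).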