search cancel

EG configuration | LDAP Group Filtering logic in VIP Enterprise Gateway for VIP Validation Server


Article ID: 158197


Updated On:


VIP Service


VIP Enterprise Gateway Manager AD LDAP group filtering: Customer would like to use the same filtering logic with the VIP validation server (radius). More specifically, the configuration allows VPN validation for members of the Active Directory “VPN” group only. AD members not in the group get a VIP credential and enroll in the self-service portal but cannot use the VPN as they are not a member of the VPN group. 


VIP Enterprise Gateway


The VIP Validation Server LDAP mapping can be used for getting the group information that the user is part of for a user attempting to log in. See the example below of a screenshow showing user ‘user1’ who is part of 2 groups: gr16 and vipegtest groups.

The search attribute could be entered with the attribute “distinguishedname”, and the secondary filter could search for all objects of class group having an entry for the user’s distinguished name as a member. The successful search would return the cn of the group it was found in.

The secondary filter could be enhanced to get only the particular group search with wild char as well. For example:

(&(member=%s)(objectclass=group)(cn=vipe*)) which would return only Class=vipegtestgroup)


After getting this info, the VPN can be set up to login/allow access to users whose results matches successfully with the group name.

Example for configuring multiple groups.

(&(member=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=App - VPN Access,OU=Groups,OU=Corp,OU=ABCD,DC=Efgh,DC=local))