search cancel

How to Configure the VIP Enterprise Gateway (VIP EG) User Store Filter

book

Article ID: 163791

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

How to configure the VIP EG user store filters?

Environment

VIP Enterprise Gateway

Resolution

To Add or Modify a User Store:

  • Log into the local admin account on the local Enterprise Gateway Server.
  • Click on the User Store tab located on the top navigation bar.
  • Click User Store.
  • Click Add New, or Edit if you have existing User Stores.

     

    ‚Äč
Field Description
User Store
Type By default, this field displays LDAP.
Copy Settings From Select Create New to create a new User Store. Or select a User Store from the list of existing User Stores to copy all the settings from that User Store to the new User Store. Note: If you copy the settings from an existing User Store, you can edit or retain any of the settings for the new User Store.
Name Enter a unique name for the User Store that you want to create. This name appears in the list that displays the names of User Stores that you have added to VIP Enterprise Gateway.
Server Information
Connection Enter a unique name for the LDAP server that you want to add as a failover User Store.
Host The server ID (IP address or fully qualified domain name) of the LDAP User Store.
Port The port number for the machine hosting the User Store database. Symantec recommends that you use the default port number: 389 if you are not using a secure socket layer (SSL) connection, or 636 if you enable SSL.
Timeout The maximum number of seconds that VIP Enterprise Gateway waits for a connection to the User Store database.
Enable SSL Select whether to use SSL to secure the connection between VIP Enterprise Gateway and the User Store database. If the LDAP server is configured with SSL and if you have selected the Enable SSL option, you must ensure the following:
  • Import the root and the intermediate certificates associated with the SSL certificate that the LDAP server uses, to VIP Enterprise Gateway Trusted CA Store.
  • Adding the root and the intermediate certificates as mentioned in the previous point will make LDAP Server connection from Configuration Console, Self Service Portal, VIP Manager, IdPs, and LDAP Sync successful.
  • As the Validation Server uses Windows native LDAP client, you must add the root and the intermediate certificate to the Windows certificate store. To do this, navigate to MMC > Add/Remove Snap-in > Certificates and import the root and the intermediate certificates associated with LDAP here.
  • Subject Name in the LDAP SSL certificate must have complete FQDN, including the host name of the LDAP server.
  • Restart all the Validation Servers after these changes have been completed.
Also, if you want to enable the users to reset their expired password in an AD User Store that you add, you must enable SSL on this page.
Bind Information
User Distinguished Name The Distinguished Name (DN) of the user account that VIP Enterprise Gateway uses to bind to the User Store. For example, CN=admin,DC=acme,DC=com. This user should have the following privileges:
  • For AD-based User Stores, the user must have domain user privileges
  • For LDAP-based User Stores, the user must have search privileges on the sub tree for the given search base. For example, if the Base DN is configured as ou=vipadministrators,dc=acme,dc=com, the user must have the search privileges for the entire search base.
Password The password you use to log in to the User Store database.
Search Criteria
Base DN A string that indicates where to start searching for user information within the User Store database. For example, DC=acme,DC=com. If you use your directory root as the Base DN, searches may take longer to complete (Base DN is optional for AD Catalog-based User Stores). If you are configuring Active Directory (AD) as User Store, you can view the Domain Lookup button near to the Base DN field after you enter the string in the Base DN field. You can click Domain Lookup to check whether there are any sub-domains associated with the AD. If sub-domains are available, you can select each of the sub-domains and click Submit to create individual User Stores using each of these sub-domains.
User Filter Specify your User Store filters for the directory search. For example: (&(uid=%s)(objectclass=organizationalPerson)) Where %s is replaced by the logging user name.
Edit Default VIP User Name Attribute Select this check box if you want to edit the LDAP attribute value that is used as VIP User Name.
VIP User Name Attribute Enter the new LDAP attribute value that you want to use as VIP User Name in VIP Authentication Service. Note: The VIP Administrator needs to use these values as one time registration. For changing these values to a different one, ensure you ask the Symantec support before changing the same.
Test Settings
Test User Name An existing user ID to verify that the user specified in the User Distinguished Name field has the correct search permissions to the User Store. The test is mandatory to verify that the configuration is working.

Note: The Enterprise Gateway User Store, LDAP Sync, and Console Authentication are Java-based functions within the VIP EG, whereas the validation servers are written in C++. Java does not mandate strict certificate checking or chaining, whereas the Windows native LDAP client the VIP EG user stores does. Thus, the domain certificate(s) must be installed into the Enterprise Gateway host operating system certificate store and the operating system cert store. The Test User Name from the console uses Java and may succeed successfully despite validations or LDAP sync failing. If the validation server fails to start, test the user store connection.A 3rd-party application such as LDP.exe or Ldapsearch can be used to verify LDAP connectivity.

In the following example. the Test User Name (vipuser) specified in the Edit Connections window directly correlates to the demo connection in the Search Criteria tab. When the Test button is clicked on the Search Criteria tab, the filter will use the Test User Name on the Edit Connections tab:

 

 Common filters:

Filters are used to restrict the numbers of users or groups that are granted access to that connection. In essence, the filter limits what branches of the LDAP tree that connection will sync from. When constructing a filter, consider picking a common attribute of the set of users you want to allow access. This is most often the attribute that denotes group membership or an objectClass like "Person"

Default Filters:

SAM: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(sAMAccountName=%s)))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(userPrincipalName=%s)))

Filters for disabled accounts AD:

SAM: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(sAMAccountName=%s))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(userPrincipalName=%s))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Filter for disabled Account and memberOf for AD:

SAM: (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(&(memberOf=DC=demo,DC=org)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(userPrincipalName=%s)(&(memberOf=DC=demo,DC=org)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Filter for Nested Groups and memberOf for AD:

SAM: (&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=cn=VIPUsers,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))
UserPrincipalName: (&(objectCategory=Person)(userPrincipalName=%s)(memberOf:1.2.840.113556.1.4.1941:=cn=VIPUsers,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))

Filter for multiple Nested Groups:

SAM: (&(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))(|(memberOf:1.2.840.113556.1.4.1941:=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org)(memberOf:1.2.840.113556.1.4.1941:=CN=VIP_Users,OU=VIP_Users,DC=Demo,DC=org)))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person)(userPrincipalName=%s))(|(memberOf:1.2.840.113556.1.4.1941:=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org)(memberOf:1.2.840.113556.1.4.1941:=CN=VIP_Users,OU=VIP_Users,DC=Demo,DC=org)))

Basic Filter for Two memberOf security groups:

SAM:  (&(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s)(|(memberOf=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org)(memberOf=CN=VIP_Users,OU=VIP_Users,DC=Demo,DC=org)))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person)(userPrincipalName=%s)(memberOf=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org )(memberOf=CN=VIP_Users,OU=VIP_Users,DC=Demo,DC=org)))

Enable both SAM and UserPrincipalName:

SAM and UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(|(sAMAccountName=%s)(userprincipalname=%s)))

Enable both SAM and UserPrincipalName and memberOf remove disabled users:

SAM and UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(|(sAMAccountName=%s)(userprincipalname=%s))(&(memberOf=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Example of multiple memberOf groups:

(|(memberOf=CN=VIP_Helpdesk,OU=VPN_Users,DC=Demo,DC=org)(memberOf=CN=VIP_Admins,OU=VPN_Users,DC=Demo,DC=org)(memberOf=CN=VIP_Users,OU=VPN_Users,DC=Demo,DC=org))


Example of Excluding memberOf groups:

SAM: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(sAMAccountName=%s))(!(CN=VIP_Admins,OU=VPN_Users,DC=Demo,DC=org)))
UserPrincipalName: (&(&(objectClass=user)(objectCategory=person))(|(mail=%s)(userPrincipalName=%s))(!(CN=VIP_Admins,OU=VPN_Users,DC=Demo,DC=org)))

Limit the users to a particular group:

(&(objectCategory=user)(memberOf=CN=Employees,OU=VIP Groups,DC=yourdomain,DC=com))

Allow both sAMAccountName and UPN but exclude if exists a mail attribute:

(&(&(objectClass=user)(objectCategory=person))(|(userprincipalname=%s)(sAMAccountName=%s))(!(mail=*)))

Allow all 'Domain Users':

&(objectCategory=user)(objectCategory=person)(sAMAccountName=%s)(primaryGroupID=513))

 
! means NOT
| means OR 
& all have to be true
%s means pass that string to the variable.
* Means ALL
 
Microsoft OID (Object Identifiers):
Nested Groups: OID 1.2.840.113556.1.4.1941
Disabled Users: OID 1.2.840.113556.1.4.803:=2
Enabled Users: OID: 1.2.840.113556.1.4.803:=1
 

Additional information

  • There is a maximum character limit of 512 characters for the filter.
  • Spaces are not allowed before or after the query.
  • Proper parentheses are required.

Attachments

LdapfilterDissected.pdf get_app