How do I assign a LDAP group to a role?
search cancel

How do I assign a LDAP group to a role?


Article ID: 165977


Updated On:




When I configure a LDAP group to a role, it doesn't allow me access to the database?

When I configure a LDAP group to a role, it allows me access to all the databases?

My LDAP user is able to login, but when I click on more info, it shows me a blank page.

When I log into reporter, all I can do is change my password, and even that doesn't work.  The text  above this prompt is "LDAP users cannot change their password."

I am seeing this message, when I login to Bluecoat Reporter. " In order to view reports in Reporter, your system administrator must set a database for you to have access to.  Please contact your administrator." But, when I press "OK" on the above message, it looks like I'm logged in, but all I can do is change the password.

User-added image


The Role of this article:

This entire article is assuming that your LDAP configuration is successfully setup, according to this article -  000013348

This article is not a complete step by step guide fo how to configure LDAP and roles on Reporter, but meant only to address certain symptoms that users might see. 

000013348 is meant to address step by step instructions on how to configure LDAP, roles and groups.

For a deeper dive into how the configuration files work together, and how they can help in troubleshooting LDAP issues please see 000014773

How to troubleshoot the above mentioned symptoms:

 The above screenshot, regarding having a have a database setup for you, means that these things have successfully occured:

  • The Reporter's LDAP configuration is working.
  • Reporter, using LDAP, has sucessfully  authenticated your user id,  behind the scenes.
  • You can rest assured that your user ID , and password is correct.

However, what is not setup right, is  your roles configuration.  Here are some tips on what might be wrong.

There is a comon missconception that the groups, mentioned in the below screenshot, are groups that the Reporter, LDAP, service searches for in the Directory ( AD, or Edirectory) tree.

Here's a definition of each of types of groups:

  • The Groups, mentioned in the below screenshot, are those  that are already in the database. They  came from a access log that was uploaded to the Reporter server,  from a SG .  These groups were noted  as a user authenticated to a SG to gain access to the internet.
  • The Groups that reporter uses to link you to a role in Reporter, are LDAP searchable groups.  A list of groups that is a user is a member of is  collected when a user authenticates to the Reporter UI, through it's own LDAP connection. The list is then saved into the ldap_groups.cfg file-  how this is saved, and more on this whole process, is described in greater detail in 000014773

User-added image

The above configuration would restrict the user  to only being able to see the data for each of the groups you choose from the drop down list. Looking at the above screenshot,  these groups are already in  the database called "Demo  Logs".   

NOTE: Ways of making the above screen clearer, for future versions of Reporter, are being considered. 

To link your already created role to a a searchable LDAP group, you need to complete this screen: 

User-added image

To arrive at this screen, follow these steps:

  • Login into Reporter with your admin account.
  • Navigate to the adminstration section of the user interface.  ( If you can't see the adminstration tab, you haven't logged in with an admin account.)
  • Click on the General Settings tab.
  •  Click on Access control, then LDAP groups.
  • Here choose the "new" button and you will see the above screen.  (If you don't see any groups in the drop down list, your LDAP connection is probably broken.  See the above mentioned KB article for steps on how to set this up.)
  • If you cna't see the exact group you want Reporter to check for you, type on a ver letters of the groupname in the drop down list.  Reporter will then search for groupnames taht match.
  • After choosing your group, and pressing next, you will then be able to link this group to a role.

Here's a screenshot of what that screen would look like.

User-added image 

NOTE1: To be clear, the choices in the above screenshot are a list of all the already configured  roles available in Reporter. By choosing one of the "Asigned Roles" you are choosing a normal role, and allowing the chosen LDAP group access to whatever permissions this role has access too.

NOTE2: Linking this group to the Adminstrator will allow all  members of your chosen LDAP group to have full admistrator privilidges to this Reporter server.

NOTE3: For a list of what fields should be in a access log, see 000021974 

NOTE4: More information on the above symptoms see 000014489

NOTE5: For a list of what LDAP error codes you may see in the journal, and what they mean, see 000015695

NOTE6:  Some groups, in your Active Directory tree, will only be setup for Global Groups, but will need to be setup as a Universal group to to be 'seen' by Reporter, as it searches the tree for groups, with users who  have the attribute of 'member of'  linked to them.