LDAP user authorization works but LDAP group authorization fails


Article ID: 166682


Products

ProxySG Software - SGOS

Issue/Introduction

LDAP user authorization works but LDAP group authorization fails
The user is a member of the group, but LDAP is still denying the user access to the resource

Resolution

Here are a few possible reasons this might happen:

  1. If you are using iPlanet:
    The Port 80 Security Appliance may be configured to look at the user record for the group membership information instead of the group record. To verify your Security Appliance group membership settings go to Management-Security-LDAP General and verify that it is configured for Membership Type "group" and Membership Attribute "uniquemember".
  2. If you are using Active Directory:
    The Port 80 Security Appliance may be configured to look at the group record for the group membership information instead of the user record. To verify your Port 80 Security Appliance group membership settings go to Configuration > Authentication > LDAP > LDAP Search & Groups and verify that it is configured for Membership Type "user" and Membership Attribute "memberOf". (Note: Be aware these settings are case sensitive.)
  3. There may be a problem with the FQDN of the group in the Policy. To verify the FQDN of the group, use the LDAP Browser Tool.
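The three causes above come down to one question: does the lookup the appliance is configured to perform actually find the user's DN on the group record (iPlanet style, `uniquemember`) or the group's DN on the user record (Active Directory style, `memberOf`), using the exact group DN that appears in policy? The following script is an added illustration, not ProxySG/SGOS code: it builds two constructed directories in memory (all DNs and values are made up) and runs the configured lookup against them, returning a reason string that maps onto the three causes (wrong membership type/attribute for the directory, or a group DN in policy that does not match the directory).

```python
"""Constructed LDAP entries and a membership check that mirrors the two lookup
styles the appliance supports (group record vs. user record). Added example,
not ProxySG/SGOS code; every DN and attribute value below is constructed."""

from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed iPlanet-style directory: membership is stored on the group record.
IPLANET_DIR: Directory = {
    "uid=jsmith,ou=People,dc=example,dc=com": {"uid": ["jsmith"]},
    "cn=proxy-users,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=jsmith,ou=People,dc=example,dc=com"],
    },
}

# Constructed Active Directory-style directory: membership is stored on the user record.
AD_DIR: Directory = {
    "CN=J Smith,CN=Users,DC=example,DC=com": {
        "sAMAccountName": ["jsmith"],
        "memberOf": ["CN=Proxy-Users,CN=Users,DC=example,DC=com"],
    },
    "CN=Proxy-Users,CN=Users,DC=example,DC=com": {"objectClass": ["group"]},
}


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison. RFC 4514 attribute types are
    case-insensitive and whitespace around RDN separators is insignificant;
    values are lower-cased as well, which assumes the caseIgnore matching
    rule that most directories apply to DN components."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def get_entry(directory: Directory, dn: str) -> Optional[Entry]:
    """Find an entry by DN, comparing in normalized form."""
    target = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == target:
            return attrs
    return None


def get_attr(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive, so 'uniquemember' finds uniqueMember."""
    for attr, values in entry.items():
        if attr.lower() == name.lower():
            return values
    return []


def check_membership(directory: Directory, user_dn: str, group_dn: str,
                     membership_type: str, membership_attr: str) -> Tuple[bool, str]:
    """Resolve membership the way the configured lookup would and explain the result.

    membership_type "group": read membership_attr from the group entry, look for user_dn.
    membership_type "user":  read membership_attr from the user entry, look for group_dn.
    """
    if membership_type == "group":
        entry, needle, where = get_entry(directory, group_dn), user_dn, "group"
    elif membership_type == "user":
        entry, needle, where = get_entry(directory, user_dn), group_dn, "user"
    else:
        raise ValueError(f"unknown membership type {membership_type!r}")

    if entry is None:
        return False, f"{where} entry not found; check the group DN used in policy"
    values = get_attr(entry, membership_attr)
    if not values:
        return False, (f"{where} entry has no {membership_attr!r}; "
                       "membership type/attribute may be wrong for this directory")
    if any(normalize_dn(v) == normalize_dn(needle) for v in values):
        return True, "member"
    return False, f"{membership_attr!r} is present on the {where} entry but does not list the expected DN"


if __name__ == "__main__":
    user = "uid=jsmith,ou=People,dc=example,dc=com"
    group = "cn=proxy-users,ou=Groups,dc=example,dc=com"
    # Correct pairing for an iPlanet-style directory.
    print(check_membership(IPLANET_DIR, user, group, "group", "uniquemember"))
    # AD-style settings against the iPlanet directory: the user record has no memberOf.
    print(check_membership(IPLANET_DIR, user, group, "user", "memberOf"))
    # Group DN in policy does not match any entry.
    print(check_membership(IPLANET_DIR, user, "cn=proxy-user,ou=Groups,dc=example,dc=com",
                           "group", "uniquemember"))
```

The reason string is the part worth keeping when you adapt this to a real directory: "entry not found" points at the group DN in policy (cause 3), while "has no attribute" points at a membership type or attribute that does not match how the directory stores membership (causes 1 and 2).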

You can get a packet capture (pcap) to see what shows up on the wire. The packet capture may provide additional information as to the source of the problem.