Rule based on Group "Domain Users" does not match for LDAP users


Article ID: 166883




ProxySG Software - SGOS


In the VPM you have a rule that references the Domain Users group (or any other primary group), but the rule does not match when the user is authenticated or authorized through LDAP.

Note: This also affects Windows SSO realms using LDAP for authorization.

LDAP does not reveal membership in a user's primary group. Active Directory records the primary group only as a RID in the user's primaryGroupID attribute, so the memberOf attribute never lists it, and a group-based rule that relies on memberOf cannot match.


Instead, create a rule based on the primaryGroupID attribute.

In the VPM, add the following rule:

  1. Right-click Source
  2. Click Set
  3. Click New
  4. Click LDAP Attribute
  5. Set Authentication realm to your LDAP realm
    NOTE: If using LDAP for authorization for Windows SSO, set Realm to All
  6. Set attribute name to primaryGroupID
  7. Select Attribute Value match
  8. Set the value to 513 (the RID of the Domain Users group; use the RID of the primary group your rule references) and select Exact Match
  9. Click OK
  10. Click OK
  11. Install the policy

Run a policy trace and you will see that this rule is now being matched.
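The following added example is not ProxySG code; it models, in Python, what the two rule types above actually evaluate against an Active Directory user object and why a memberOf-based group rule misses the primary group. All directory data (the example.com domain, the SIDs, the users alice and bob, and the group DNs) is constructed sample data. It also shows the one caveat a policy author should keep in mind: the primaryGroupID rule matches only accounts whose primary group is still Domain Users, while an account whose primary group was changed to another group keeps Domain Users as an ordinary memberOf entry and is caught only by the group-based rule.

```python
"""Illustrative check (not ProxySG code) of how an LDAP/AD user's membership
in a *primary* group has to be evaluated. All data below is constructed."""
from dataclasses import dataclass

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" (the value in the VPM rule)
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"  # assumed sample DN


@dataclass
class LdapUser:
    """The subset of AD user attributes an LDAP realm would read."""
    dn: str
    member_of: list          # memberOf: group DNs; the primary group is never listed
    primary_group_id: int    # primaryGroupID: RID of the primary group
    object_sid: str          # objectSid as a string, e.g. S-1-5-21-...-1104


def domain_sid(object_sid: str) -> str:
    """Strip the trailing RID from an account SID to obtain the domain SID."""
    return object_sid.rsplit("-", 1)[0]


def primary_group_sid(user: LdapUser) -> str:
    """The primary group's SID is the domain SID followed by primaryGroupID as RID."""
    return f"{domain_sid(user.object_sid)}-{user.primary_group_id}"


def in_group_via_member_of(user: LdapUser, group_dn: str) -> bool:
    """What a memberOf-based group rule sees (DN comparison is case-insensitive)."""
    return group_dn.lower() in (dn.lower() for dn in user.member_of)


def in_group_via_primary_group(user: LdapUser, rid: int) -> bool:
    """What the primaryGroupID 'Exact Match' rule from the article sees."""
    return user.primary_group_id == rid


def is_member(user: LdapUser, group_dn: str, groups_by_sid: dict) -> bool:
    """Complete membership test: memberOf OR the primary group resolved by SID."""
    if in_group_via_member_of(user, group_dn):
        return True
    return groups_by_sid.get(primary_group_sid(user), "").lower() == group_dn.lower()


# Constructed sample directory: group DNs keyed by the group's objectSid.
GROUPS_BY_SID = {
    "S-1-5-21-1111-2222-3333-513": DOMAIN_USERS_DN,
    "S-1-5-21-1111-2222-3333-512": "CN=Domain Admins,CN=Users,DC=example,DC=com",
}

# Ordinary user: Domain Users is the primary group, so memberOf omits it.
ALICE = LdapUser(
    dn="CN=alice,CN=Users,DC=example,DC=com",
    member_of=["CN=Proxy Users,CN=Users,DC=example,DC=com"],
    primary_group_id=513,
    object_sid="S-1-5-21-1111-2222-3333-1104",
)

# Account whose primary group was changed to Domain Admins: AD then keeps the
# previous primary group (Domain Users) as an ordinary memberOf entry.
BOB = LdapUser(
    dn="CN=bob,CN=Users,DC=example,DC=com",
    member_of=[DOMAIN_USERS_DN],
    primary_group_id=512,
    object_sid="S-1-5-21-1111-2222-3333-1105",
)


def summary(user: LdapUser) -> dict:
    """Which rule types would match this user for Domain Users."""
    return {
        "memberOf_rule": in_group_via_member_of(user, DOMAIN_USERS_DN),
        "primaryGroupID_rule": in_group_via_primary_group(user, DOMAIN_USERS_RID),
        "combined": is_member(user, DOMAIN_USERS_DN, GROUPS_BY_SID),
    }


if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.dn, summary(u))
```

In VPM terms, alice is matched only by the primaryGroupID rule and bob only by the memberOf-based group rule, so a policy that must cover every member of Domain Users keeps both rules (for example as two rules with the same action), and a policy trace on each kind of account confirms which rule fired.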