Create access policy based on OU membership using LDAP Attributes in an LDAP Realm


Article ID: 169285


Updated On:


Products: Asset Management Solution; Data Center Security Monitoring Edition; Advanced Secure Gateway Software - ASG; ProxySG Software - SGOS


The VPM of a ProxySG provides Source objects for Domain Users and Groups, but no object that evaluates a user by the OU in which the account resides. The LDAP Attribute source object can be used for this instead, because the OU path is recorded in one of the user's LDAP attributes.

This article will assume that you have already configured an LDAP authentication realm and an authentication rule within the Web Authentication Layer using the desired realm.


We will use the LDAP attribute "distinguishedName" as a Source object in the VPM. To see which LDAP attributes are populated for a given user, run the following from a command prompt or PowerShell on a domain controller, or on a domain-joined host with the AD DS tools (RSAT) installed:

dsquery * "<Full DN of desired user>" -attr *

The full DN of the user can be found with AD Explorer, a Microsoft Sysinternals tool that is freely available from Microsoft.

The command above lists every populated attribute on the object. The one that records which OUs the user sits in is "distinguishedName": it is the object's full path in the directory tree, so each OU on the way from the object up to the domain appears in it as an "OU=" component. In this example it looks like this:

distinguishedName: CN=Test User,OU=Example OU,DC=gsc,DC=lab

In this case, we will block users if they belong to the OU called "Example OU":

-Go to the Management Console > Configuration > Policy > Launch

-Create a new Web Access Layer > Right click on the Source field and click Set.

-Click on New and select LDAP Attribute

-In the new window, select your Authentication realm (if necessary) > Enter the Attribute Name: distinguishedName > Mark the option "Attribute value match" > Enter Value: OU=Example OU > Change the drop-down menu from "Exact Match" to "Contains" > Click OK


-Set the Action to Deny

-Install Policy

Alternatively, this is the CPL that accomplishes the same thing. A VPM Web Access Layer compiles to a <Proxy> layer, so the rule is placed in one here, and the "Contains" option of the LDAP Attribute object corresponds to the .substring form of the ldap.attribute condition. The value is the same "OU=Example OU" entered in the VPM step above:


<Proxy>
    ; Deny any authenticated user whose DN places the account in (or under) "Example OU"
    condition="Example OU Members" Deny

define condition "Example OU Members"
    ldap.attribute.distinguishedName.substring="OU=Example OU"
end condition "Example OU Members"

Two points to keep in mind when relying on this match. First, distinguishedName describes where the user object sits in the directory tree, not which groups it belongs to, and a user placed in a child OU beneath "Example OU" (for example CN=Test User,OU=Sub,OU=Example OU,DC=gsc,DC=lab) is also denied, which is usually what is wanted. Second, a substring match is also satisfied by any OU anywhere in the domain whose name starts with the same text, such as an unrelated "OU=Example OU2"; entering the value as "OU=Example OU," (with the trailing comma, in both the VPM object and the CPL) removes that collision, because the comma terminates the OU component in the DN string. Users moved into or out of the OU are evaluated on their next authentication against the realm.
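Before installing the policy it is worth confirming which accounts the Contains match will actually hit. The following PowerShell is an added example, not part of the original article or of the SGOS product, that lists the accounts the rule would deny and compares them with the accounts that really live in the intended OU subtree. It assumes the ActiveDirectory module (RSAT) is available, that the domain and OU are the ones used in this article (DC=gsc,DC=lab and "Example OU"), and that the proxy's Contains match is case-insensitive, as PowerShell's -like is; the value tested carries a trailing comma ("OU=Example OU,") so that an OU whose name merely starts with the same text is not matched, and the same value should then be used in the VPM object or CPL. The variable names are the example's own.

```powershell
# Added example, not from the original article: preview which user objects a
# "distinguishedName Contains OU=Example OU," rule will match before the
# policy is installed on the ProxySG.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the domain is
# DC=gsc,DC=lab and the OU is "Example OU" as in the article. Adjust $DomainDn
# and $OuName for your own directory.
Import-Module ActiveDirectory

$DomainDn = 'DC=gsc,DC=lab'
$OuName   = 'Example OU'
$OuDn     = "OU=$OuName,$DomainDn"

# Value to configure in the VPM LDAP Attribute object / CPL .substring condition.
# The trailing comma keeps an OU such as "OU=Example OU2" from matching too.
$Needle   = "OU=$OuName,"

# 1. The intended population: user objects in "Example OU" and any child OU
#    beneath it (SearchScope Subtree). Use OneLevel instead if child OUs
#    must not be included.
$Intended    = Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree
$IntendedDns = @{}
foreach ($u in $Intended) { $IntendedDns[$u.DistinguishedName] = $true }

# 2. What the proxy actually evaluates: a substring test on distinguishedName
#    for every user in the domain. -like is case-insensitive; confirm that the
#    Contains match on your SGOS release behaves the same way.
$RuleMatches = Get-ADUser -Filter * -SearchBase $DomainDn -SearchScope Subtree |
    Where-Object { $_.DistinguishedName -like "*$Needle*" }

# 3. Accounts the rule would deny that are NOT in the intended subtree, e.g.
#    users under a same-named OU in another branch of the domain.
$Unexpected = $RuleMatches | Where-Object { -not $IntendedDns.ContainsKey($_.DistinguishedName) }

"Users in $OuDn (including child OUs): $(@($Intended).Count)"
"Users matched by '$Needle':          $(@($RuleMatches).Count)"
if ($Unexpected) {
    Write-Warning "The rule also matches $(@($Unexpected).Count) user(s) outside $OuDn :"
    $Unexpected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else {
    "No matches outside the intended OU subtree."
}
```

Run it as a user with read access to the directory. If the third section reports any accounts, either rename the colliding OU, tighten the value, or switch the VPM object from "Contains" to a match on the full DN suffix for that OU; if it reports none, the substring rule denies exactly the users in the intended OU subtree and the policy can be installed.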