Use SpanVA to Sync the users of a specific Active Directory Group
Article ID: 268954

Products

CASB Gateway, CASB Gateway Advanced, CASB Advanced Threat Protection, CASB Security Premium, CASB Security Standard

Issue/Introduction

The use case is for SpanVA to sync only the users who are members of a specific Active Directory group, along with the AD Groups.

Environment

Gatelet with Active Directory Sync enabled via SpanVA.

Resolution

Modify the Search string of the SpanVA profile so that it matches only on the required groups and users.


0- LDAP search filter refresher:

An LDAP OR condition is written with a pipe; for example, Condition1 OR Condition2 is written (|(Condition1)(Condition2)).

An LDAP AND condition is written with an ampersand; for example, Condition1 AND Condition2 is written (&(Condition1)(Condition2)).


1- Base DN:

Choose the base DN closest to the required AD groups, so the search covers as little of the directory as possible.


2- AD Group(s)

LDAP Group Search string:

(&(objectCategory=group)(objectClass=group)(|(cn=GROUP01)(cn=GROUP02)))

which logically means (or can be read as):

[ (The objectCategory equals 'group') AND (The objectClass equals 'group') AND ( (the group name is GROUP01) OR (the group name is GROUP02) ) ]


3- Users of the AD Group(s)

LDAP Users Search String:

(&(objectCategory=person)(objectClass=user)(|(memberOf=CN=GROUP01,CN=Users,DC=Example,DC=com)(memberOf=CN=GROUP02,CN=Users,DC=Example,DC=com)))

which logically means (or can be read as):

[ (The objectCategory equals 'person') AND (The objectClass equals 'user') AND ( (the user is a member of GROUP01) OR (the user is a member of GROUP02) ) ]
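The following script is an added example for checking the two search strings above before they are pasted into the SpanVA profile; it is not part of this article and not SpanVA code. It implements the small part of LDAP filter syntax the article uses (AND, OR, NOT and equality) and runs the group and user filters against a constructed set of directory entries (the names GROUP01/GROUP02/GROUP99, alice, bob, carol and host01$ are invented, and objectCategory is shortened to its class name). It also rejects a filter with unbalanced parentheses, which is the most common copy/paste mistake with nested AND/OR filters.

```python
# Added example, not SpanVA code: a minimal evaluator for the LDAP filter
# subset used in this article (AND "&", OR "|", NOT "!" and "attr=value"),
# run against constructed directory entries to show which objects each
# search string selects. Attribute names and values are compared
# case-insensitively, as Active Directory does for these attributes.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-case) -> values

# The article's two search strings, with the closing parenthesis that
# balances the outer "&" included.
GROUP_FILTER = "(&(objectCategory=group)(objectClass=group)(|(cn=GROUP01)(cn=GROUP02)))"
USER_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(|(memberOf=CN=GROUP01,CN=Users,DC=Example,DC=com)"
    "(memberOf=CN=GROUP02,CN=Users,DC=Example,DC=com)))"
)


def parse_filter(text: str) -> Tuple:
    """Parse a filter into a nested tuple tree.

    Raises ValueError when parentheses are unbalanced or an item is not a
    simple equality match, so a broken search string is caught before it
    is pasted into the profile.
    """

    def parse(i: int) -> Tuple[Tuple, int]:
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op = text[i]
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"missing ')' closing '{op}' at offset {i}")
            return (op, children), i + 1
        end = text.find(")", i)
        if end == -1:
            raise ValueError("missing ')' after equality match")
        # Split on the first "=" only: a memberOf value is itself a DN
        # that contains further "=" characters.
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported filter item {text[i:end]!r}")
        return ("=", attr.strip().lower(), value.strip().lower()), end + 1

    tree, pos = parse(0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return tree


def matches(tree: Tuple, entry: Entry) -> bool:
    """Return True when the entry satisfies the parsed filter."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not any(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    # Multi-valued attributes (objectClass, memberOf) match if any value fits.
    return value in (v.lower() for v in entry.get(attr, []))


def is_balanced(filter_text: str) -> bool:
    """True when the filter parses, i.e. every "(" has its ")"."""
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


def select(filter_text: str, directory: Dict[str, Entry]) -> List[str]:
    """Names of the directory entries the filter would return."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in directory.items() if matches(tree, entry))


GROUP01_DN = "CN=GROUP01,CN=Users,DC=Example,DC=com"
GROUP02_DN = "CN=GROUP02,CN=Users,DC=Example,DC=com"
GROUP99_DN = "CN=GROUP99,CN=Users,DC=Example,DC=com"

# Constructed sample directory (not real data). objectCategory is
# shortened to its class name; a real AD stores the schema DN but accepts
# the short form in filters.
DIRECTORY: Dict[str, Entry] = {
    "GROUP01": {"objectcategory": ["group"], "objectclass": ["top", "group"], "cn": ["GROUP01"]},
    "GROUP02": {"objectcategory": ["group"], "objectclass": ["top", "group"], "cn": ["GROUP02"]},
    "GROUP99": {"objectcategory": ["group"], "objectclass": ["top", "group"], "cn": ["GROUP99"]},
    "alice": {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
              "memberof": [GROUP01_DN]},
    "bob": {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
            "memberof": [GROUP99_DN, GROUP02_DN]},
    "carol": {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
              "memberof": [GROUP99_DN]},
    # A computer account is also objectClass=user but objectCategory=computer,
    # so objectCategory=person keeps it out even though it is in GROUP01.
    "host01$": {"objectcategory": ["computer"], "objectclass": ["top", "person", "user", "computer"],
                "memberof": [GROUP01_DN]},
}

if __name__ == "__main__":
    print("groups:", select(GROUP_FILTER, DIRECTORY))  # ['GROUP01', 'GROUP02']
    print("users: ", select(USER_FILTER, DIRECTORY))   # ['alice', 'bob']
```

Two points the sample makes visible: the memberOf values in the user filter must be the exact DN of each group, so a group that lives in an OU rather than the CN=Users container needs its own DN; and memberOf only lists direct memberships, so users who belong to a group nested inside GROUP01 or GROUP02 are not returned by this filter.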