Authorize an LDAP User in a Group in an alternate LDAP branch than the User Object
Article ID: 409639

Products

SITEMINDER

Issue/Introduction

An LDAP user store may keep its user objects and its group objects in different LDAP branches, while you still want to authorize users based on their group memberships. When you select the USERS tab of a Policy in the Siteminder AdminUI, the group lookup will not return groups that sit outside the LDAP Root DN of the User Directory.

EXAMPLE:

User DN: cn=user1,OU=users,DC=<Domain>,DC=<tLD>

Group DN: cn=group1,OU=groups,DC=<Domain>,DC=<tLD>

User Directory LDAP Root: OU=users,DC=<Domain>,DC=<tLD>

In the example above, users can be authenticated within the user directory's LDAP Root, but the group is not contained in that same LDAP branch.

Environment

PRODUCT: Siteminder

COMPONENT: Policy Server

VERSION: Any

OPERATING SYSTEM: Any

Cause

The Siteminder AdminUI only returns groups contained within the LDAP Root of the User Directory; it will not return groups outside that LDAP Root DN. To authorize a user by membership in such a group, either an expression must be written, or the group DN must be validated.

Resolution

Configure the User Policy to use Validate DN against the DN of the Group

1) Logon to the Siteminder AdminUI

2) Edit the Policy

3) Go to the USERS tab.

4) Under the Directory Name, click the ADD ENTRY button

5) Set the following values:

Expression Editor Option: Manual Entry

Where to Search: Validate DN

Manual Entry: <DN of Group>

6) Save changes to the Policy

7) Test the user's access to the resource.


Configure the User Policy to use an Expression

NOTE: In this example, the user is in an Active Directory user store. The user object contains an attribute called 'memberOf' which holds the DN of each group the user belongs to. The Group object contains an attribute called 'member' which lists the DNs of the users within that group. In the example below, an expression has been configured to query the user object for the 'memberOf' attribute. If a value of the 'memberOf' attribute matches the value in the expression, the user will be authorized.

1) Logon to the Siteminder AdminUI

2) Edit the Policy

3) Go to the USERS tab.

4) Under the Directory Name, click the ADD ENTRY button

5) Set the following values:

Expression Editor Option: Manual Entry

Where to Search: Search Users

Manual Entry: (memberof=<DN_of_Group>)

6) Test the user's access to the resource.
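The following Python script is an added illustration, not Siteminder code, of why both procedures above work while the AdminUI group picker does not. It models a constructed in-memory directory (DC=example,DC=com stands in for DC=<Domain>,DC=<tLD>) with user1 and user2 under OU=users and group1 under OU=groups, then shows a subtree search rooted at the User Directory root finding no group objects, the 'Search Users' binding evaluating the (memberof=<DN_of_Group>) filter on the user entries under that root, and a model of the 'Validate DN' binding that reads the group entry directly by DN. The Validate DN semantics here (membership checked via the group's 'member' attribute) and the DN normalization rules are assumptions of this example, not a statement of the Policy Server's internal implementation.

```python
"""Model of the two policy user-binding options from the article, run against a
constructed in-memory directory (no live LDAP server is needed)."""
from typing import Dict, List, Tuple

# Constructed sample directory. DC=example,DC=com stands in for DC=<Domain>,DC=<tLD>.
DOMAIN = "DC=example,DC=com"
USER_ROOT = f"OU=users,{DOMAIN}"            # User Directory LDAP Root
GROUP_DN = f"cn=group1,OU=groups,{DOMAIN}"  # the group lives outside USER_ROOT
USER1_DN = f"cn=user1,{USER_ROOT}"
USER2_DN = f"cn=user2,{USER_ROOT}"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER1_DN: {"objectclass": ["user"], "memberof": [GROUP_DN]},
    USER2_DN: {"objectclass": ["user"], "memberof": []},
    GROUP_DN: {"objectclass": ["group"], "member": [USER1_DN]},
}


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into RDNs and lower-case them for comparison.
    Active Directory matches DNs case-insensitively, so an expression typed as
    CN=Group1,... must still match a stored cn=group1,... value.
    Assumption: RDN values contain no escaped commas."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or sits below it (LDAP subtree scope)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def search(base: str, attr: str, value: str) -> List[str]:
    """Subtree search under base with a single equality filter, e.g. (memberof=<DN>).
    This is the 'Search Users' binding: the filter is evaluated on entries under
    the User Directory root, so a memberOf value may name a group anywhere."""
    attr = attr.lower()
    wanted = normalize_dn(value)
    return [
        dn for dn, entry in DIRECTORY.items()
        if dn_in_subtree(dn, base)
        and any(normalize_dn(v) == wanted for v in entry.get(attr, []))
    ]


def admin_ui_group_lookup(root: str) -> List[str]:
    """The AdminUI group picker only searches under the User Directory root,
    which is why a group stored in OU=groups never appears in it."""
    return search(root, "objectclass", "group")


def validate_dn(user_dn: str, target_dn: str) -> bool:
    """Model of the 'Validate DN' binding (assumption: the named entry is read
    directly by DN, so it need not be under the root). The group's 'member'
    attribute is consulted; an unknown DN is treated as a deny."""
    wanted_user = normalize_dn(user_dn)
    target = normalize_dn(target_dn)
    for dn, entry in DIRECTORY.items():
        if normalize_dn(dn) == target:
            return any(normalize_dn(m) == wanted_user for m in entry.get("member", []))
    return False


if __name__ == "__main__":
    print("AdminUI group lookup under root:", admin_ui_group_lookup(USER_ROOT))
    print("Validate DN, user1:", validate_dn(USER1_DN, GROUP_DN))
    print("Search Users (memberof=<group>):", search(USER_ROOT, "memberof", GROUP_DN))
```

One caveat that applies to the expression approach in a real Active Directory store: the 'memberOf' attribute lists only direct group memberships, so a user who belongs to group1 only through a nested group will not match (memberof=<DN_of_Group>) and will be denied; test with a directly-assigned member first when verifying the policy.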