
I'm in the middle of configuring a Juniper SRX to do LDAP Authentication for users and am running into an issue in my lab. I'm sure it's my own poor AD skills at play here, but I'm seeing some strange behaviour:

I'm trying to permit any user within the group CN=german_users. Two users are assigned to it, however their path in ADSI edit does not reflect that: CN=german_user_1,OU=Germany,OU=Europe...

Should it not be CN=german_user_1,CN=german_users,OU=Germany,OU=Europe...?

I'm having difficulty referencing the specific group on the SRX. If I could figure out the absolute path to the user, I'm sure this would be simple.

How do I:

a) Validate their path

and/or

b) Modify the path of the user to be included within the group?

Thanks!

Edit: I should note that I cannot simply use any account within the 'OU'. I need to use specific groups within the same OU to allocate different access.

Numpty
  • A user's DN does not change based on what groups they belong to. Check the "memberOf" attribute on the user object to see the groups they belong to. However, ADSIEdit does not display "memberOf". Most other LDAP tools WILL show it. For example, in PowerShell you could ask: get-aduser -id german_user_1 -prop memberof – Clayton Oct 20 '15 at 19:13
  • That's what I thought, thank you. Seems like an SRX limitation that's causing me headaches then... They don't seem to have a way to utilize memberOf without breaking the query. – Numpty Oct 20 '15 at 19:22

2 Answers


Only your AD admin can give you the actual OU path of an object. Fortunately, AD info is mostly readable for anyone in the domain, so if you have any LDAP client, you can just search for that object and get its DN (DistinguishedName). You can search based on name, AD username (sAMAccountName), etc.

You don't need to change a user's OU to join a group; they are two separate things. You just need to add the user to the group using the ADUC MMC.

strongline
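The two steps in this answer (look up the object's real DN and memberOf, then add it to the group without touching its OU) as an added PowerShell example. This is not code from the original post or from Juniper; it assumes the RSAT ActiveDirectory module is installed, that `german_user_1` is the user's sAMAccountName and `german_users` the group's, and that the account running it may modify group membership. The host and base DN in the trailing ldapsearch comment are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT). All names below are assumed placeholders.
Import-Module ActiveDirectory

$UserName  = 'german_user_1'   # sAMAccountName of the user (assumed)
$GroupName = 'german_users'    # sAMAccountName / CN of the group (assumed)

# (a) Validate the user's real DN and the groups it is a direct member of.
#     memberOf is a link attribute on the user object, not part of its DN,
#     which is why ADSI Edit shows the user under its OU, not under the group.
$user = Get-ADUser -Identity $UserName -Properties DistinguishedName, MemberOf
"User DN : $($user.DistinguishedName)"
"MemberOf:"
$user.MemberOf | ForEach-Object { "  $_" }

# The group's own DN, in case the LDAP client or SRX wants the full DN of the group.
$group = Get-ADGroup -Identity $GroupName
"Group DN: $($group.DistinguishedName)"

# (b) Put the user in the group. This edits the group's member attribute
#     (and the user's back-linked memberOf); it does not move the user, so the
#     user's DN is unchanged afterwards.
if ($user.MemberOf -notcontains $group.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $user
    "Added $UserName to $GroupName"
}

# Re-read and confirm: same DN, one more memberOf entry.
$after = Get-ADUser -Identity $UserName -Properties DistinguishedName, MemberOf
if ($after.DistinguishedName -ne $user.DistinguishedName) {
    throw "User DN changed unexpectedly"
}
if ($after.MemberOf -contains $group.DistinguishedName) {
    "Membership confirmed for $UserName in $GroupName"
}

# The same lookup from any LDAP client, e.g. OpenLDAP ldapsearch (placeholders):
# ldapsearch -H ldap://dc.example.com -D 'user@example.com' -W \
#   -b 'DC=example,DC=com' '(sAMAccountName=german_user_1)' distinguishedName memberOf
```

Two caveats when reading the output: memberOf lists direct memberships only, so a user who reaches `german_users` through a nested group will not show it there, and the user's primary group (normally Domain Users) is carried in primaryGroupID rather than memberOf. A device that filters on memberOf sees exactly the direct links printed above.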

In SRX policy config, refer to the group (or groups) by using CN ("german_users"), not DN ("CN=xxxx,..."). It's enough.