it might won't work if break this rule
Showing posts with label ldap. Show all posts
Showing posts with label ldap. Show all posts
Wednesday, January 30, 2013
ASA VPN LDAP authentication notes
1. beware use the group that is the user directly belongs to, avoid the recursive list of nested predecessors.
it might won't work if break this rule
2. beware the NAT rule, you need a rule for the VPN
it might won't work if break this rule
active directory (User Security Attributes)
The memberOf attribute is a multi-valued attribute that contains groups of which the user is a direct member, except for the primary group, which is represented by the primaryGroupId. Group membership is dependent on the domain controller (DC) from which this attribute is retrieved:
- At a DC for the domain that contains the user, memberOf for the user is complete with respect to membership for groups in that domain; however,memberOf does not contain the user's membership in domain local and global groups in other domains.
- At a GC server, memberOf for the user is complete with respect to all universal group memberships.
If both conditions are true for the DC, both sets of data are contained in memberOf.
Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.
This attribute is not stored—it is a computed back-link attribute.
Subscribe to:
Posts (Atom)