AAA Server Definition

Froydor
Froydor Posts: 6  Freshman Member
First Comment First Anniversary
edited April 2021 in Security
I use OPENLDAP to authenticate my users in the VPN, however, while I have it working, it required me to shuffle my users around in the LDAP tree structure.  Originally, I have users in subtrees based on the office they were based out of.  As such, I have a branch named "Employees" with subtrees beneath for "Little Rock", "Baton Rouge", "Fayetteville", and "Chesterfield".  I found out, however, that, while the LDAP search did search the subtrees fine, I could not filter the results as only authorized employees should be allowed to use the VPN.  I found myself creating a new subtree called "VPN" and moving the authorized employees there as setting the baseDN to it, but that broke other item not related to the VPN.  Is there a way to set a filter attribute, for example, an OU attribute as a filter.  That way, only employees in the subtree with an OU=vpn would be returned?
Is the group Membership Attribute applicable here?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @Froydor,

    You can add ext-group-user user objects to identify groups based on these group identifier values.

    Go to CONFIGURATION > Object > User/Group > User and click "Add".

    The user type "ext-group-user" allows you to group users by the value of the group membership attribute configured for the AD or LDAP server.


    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    @Zyxel_Emily
    i found this question and i require also LDAP authentication on USG Firewalls but i found no document that show
    - configure user authentication on the USG to get access to dedicated destinations
    - configure admin access to the USG (like the local admin account on the USG).

    Is there any document existing, how to establish user and admin authentication trough openldap (actuall version).

    thx and gredards
    Chris

Security Highlight