AAA Server Definition

Froydor
edited April 2021 in Security
I use OpenLDAP to authenticate my users for the VPN. I have it working, but it required me to shuffle my users around in the LDAP tree structure. Originally, I had users in subtrees based on the office they were based out of. As such, I have a branch named "Employees" with subtrees beneath it for "Little Rock", "Baton Rouge", "Fayetteville", and "Chesterfield". I found out, however, that while the LDAP search searched the subtrees fine, I could not filter the results, and only authorized employees should be allowed to use the VPN. I found myself creating a new subtree called "VPN", moving the authorized employees there and setting the baseDN to it, but that broke other items not related to the VPN.

Is there a way to set a filter attribute, for example an OU attribute, as a filter, so that only employees in the subtree with OU=vpn would be returned?
Is the Group Membership Attribute applicable here?

All Replies

  • Zyxel_Emily

    Hi @Froydor,

    You can add ext-group-user user objects to identify groups based on these group identifier values.

    Go to CONFIGURATION > Object > User/Group > User and click "Add".

    The user type "ext-group-user" allows you to group users by the value of the group membership attribute configured for the AD or LDAP server.

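Emily's reply points at grouping users by the group membership attribute, and the original question asks whether an OU attribute on the user can serve as a filter instead. The block below is an added example, not code from the Zyxel post, the USG firmware or OpenLDAP: a small Python evaluator for a subset of LDAP search filters, run over a constructed directory in which the DNs, the group cn=vpn-users and the memberOf values are assumptions. It shows that either a memberOf filter or an extra ou=vpn value on the user entry selects only the authorized accounts while everyone stays in their office subtree, and why the login name a VPN client supplies has to be escaped before it is embedded in a filter.

```python
"""Added example (not from the Zyxel post, the USG firmware or OpenLDAP):
a miniature LDAP filter evaluator over constructed directory entries."""
import re

# Constructed sample directory with hypothetical DNs.  Users stay in their
# office subtrees; only alice and carol belong to the VPN group.
DIRECTORY = [
    {"dn": "uid=alice,ou=Little Rock,ou=Employees,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["alice"],
     "ou": ["Little Rock", "vpn"],
     "memberOf": ["cn=vpn-users,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=Baton Rouge,ou=Employees,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["bob"],
     "ou": ["Baton Rouge"],
     "memberOf": ["cn=staff,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=carol,ou=Fayetteville,ou=Employees,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["carol"],
     "ou": ["Fayetteville", "vpn"],
     "memberOf": ["cn=vpn-users,ou=Groups,dc=example,dc=com"]},
    {"dn": "cn=vpn-users,ou=Groups,dc=example,dc=com",
     "objectClass": ["groupOfNames"], "cn": ["vpn-users"],
     "member": ["uid=alice,ou=Little Rock,ou=Employees,dc=example,dc=com",
                "uid=carol,ou=Fayetteville,ou=Employees,dc=example,dc=com"]},
]
BASE_DN = "ou=Employees,dc=example,dc=com"          # assumed search base
VPN_GROUP = "cn=vpn-users,ou=Groups,dc=example,dc=com"  # assumed group DN


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the subset (&...), (|...), (!...), (attr=value), (attr=*)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":                      # compound filter with children
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or not children:
            raise ValueError("malformed compound filter")
        return (op, children), pos + 1
    end = text.find(")", pos)            # escaped values never contain ')'
    if end < 0:
        raise ValueError("unterminated simple filter")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("malformed simple filter")
    return ("=", attr.lower(), value), end + 1


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    # Attribute names are case-insensitive; values are compared that way too.
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr), [])
    if value == "*":                     # presence filter
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def search(base_dn, filter_text):
    """Subtree search: DNs at or under base_dn whose entry matches."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    return [e["dn"] for e in DIRECTORY
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(e, node)]


def vpn_users_by_group():
    # Group-membership attribute on the user (memberOf), as ext-group-user uses.
    return search(BASE_DN, "(&(objectClass=inetOrgPerson)(memberOf=%s))" % VPN_GROUP)


def vpn_users_by_ou_attribute():
    # The poster's idea: an extra ou=vpn value on the user entry, no move needed.
    return search(BASE_DN, "(&(objectClass=inetOrgPerson)(ou=vpn))")


def is_vpn_member_by_group_entry(user_dn):
    # Without a memberOf attribute, check the group entry's own member values.
    return bool(search(VPN_GROUP, "(member=%s)" % escape_filter_value(user_dn)))


def vpn_login_lookup(login, escape=True):
    # Resolve the DN to bind as for a VPN login.  With escape=False a login
    # of "*" becomes a presence filter and matches every VPN user.
    value = escape_filter_value(login) if escape else login
    return search(BASE_DN, "(&(uid=%s)(memberOf=%s))" % (value, VPN_GROUP))


if __name__ == "__main__":
    print("by memberOf:        ", vpn_users_by_group())
    print("by ou=vpn attribute:", vpn_users_by_ou_attribute())
    print("login 'bob':        ", vpn_login_lookup("bob"))
    print("login '*' unescaped:", vpn_login_lookup("*", escape=False))
    print("login '*' escaped:  ", vpn_login_lookup("*"))
```

Two caveats for anyone adapting this to a real server: on OpenLDAP the memberOf attribute exists only when the memberof overlay is enabled, otherwise filter on the group entry's member attribute as the third lookup does; and the matcher here is case-insensitive equality over a handful of entries, not OpenLDAP's schema-driven matching rules.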

  • ChrisGer
    @Zyxel_Emily
    I found this question, and I also require LDAP authentication on USG firewalls, but I found no document that shows how to
    - configure user authentication on the USG to get access to dedicated destinations
    - configure admin access to the USG (like the local admin account on the USG).

    Is there any existing document on how to establish user and admin authentication through OpenLDAP (current version)?

    Thanks and regards
    Chris
