[Freeipa-users] FreeIPA and Pulse Secure (Juniper SSLVPN)

Alexander Bokovoy abokovoy at redhat.com
Tue Jan 12 10:57:00 UTC 2016


On Tue, 12 Jan 2016, CFMS Support wrote:
>Hi Alexander,
>
>Yes I see that as well actually, and when looking for a specific group I
>get:
>
>[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from
>172.19.6.16 to 172.20.3.6
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT
>oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120
>nentries=0 etime=0
>[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND
>dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
>method=128 version=3
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0
>etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH
>base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
>filter="(cn=XXXXX)" attrs="memberOf"
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101
>nentries=1 etime=0
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
>[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1
>
>And that the directory server has returned one entry, however, the VPN
>device doesn't see it and returns that the group is not found.
Can you show the result of the ldapsearch under the same credentials
from the command line to see what exactly it gets?

Looking at the setup instructions [1], I think you need to choose
between static or dynamic group selection. Right now you have static
group selection configured which assumes you have an LDAP Server catalog
configured in PSA to list all groups that can be there, and these group
DNs must match what you get as result of the searches performed.

If you have already defined those static groups in LDAP Server catalog,
then I think you need to use the 'member' attribute instead of memberOf --
memberOf is used in the user (or a nested group) entry to say what group
this object is a member of, while the group itself will have member
attribute values pointing to its members.

[1] http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf

-- 
/ Alexander Bokovoy
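The access-log excerpt quoted above is easier to reason about once each SRCH is paired with its RESULT and with the bind that preceded it on the same connection. The following is an added example (not code from the thread or from FreeIPA/389-ds) that does exactly that for the quoted lines, re-joined onto single lines because the mail client wrapped them. It assumes the standard 389 Directory Server access-log layout (`[ts] conn=N op=M VERB key=value ...`); the final check, which flags searches against the groups container that ask for memberOf but not member, is a heuristic built from the point made in the reply, not a rule from any product documentation.

```python
import re

# Constructed sample input: the 389-ds access-log lines quoted in the thread,
# joined back onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from 172.19.6.16 to 172.20.3.6
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk" method=128 version=3
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2 filter="(cn=XXXXX)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1
"""

# Assumed layout of a 389-ds access-log line: "[timestamp] conn=N <rest>".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# Operation lines continue with "op=M VERB ..."; open/close/TLS lines do not.
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<verb>[A-Z]+)\b(?P<tail>.*)$')
# key=value pairs; quoted values may contain spaces, commas and '='.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ops(log_text):
    """Group log lines by (conn, op) so a request sits beside its RESULT.

    Returns (ops, binds): ops maps (conn, op) -> {verb, request, result};
    binds maps conn -> [(op, dn)] for every BIND that returned err=0.
    """
    ops, binds = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = int(m.group("conn"))
        om = OP_RE.match(m.group("rest"))
        if not om:  # connection open/close and TLS lines carry no verb
            continue
        key = (conn, int(om.group("op")))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(om.group("tail"))}
        entry = ops.setdefault(key, {"conn": conn, "op": key[1]})
        if om.group("verb") == "RESULT":
            entry["result"] = fields
        else:
            entry["verb"] = om.group("verb")
            entry["request"] = fields
        # Remember successful binds so searches can be attributed to an identity.
        if entry.get("verb") == "BIND" and entry.get("result", {}).get("err") == "0":
            binds.setdefault(conn, []).append((key[1], entry["request"].get("dn", "")))
    return ops, binds


def summarize_searches(log_text):
    """One record per SRCH: what was asked, under which bind DN, what came back."""
    ops, binds = parse_ops(log_text)
    searches = []
    for (conn, op), entry in sorted(ops.items()):
        if entry.get("verb") != "SRCH":
            continue
        req, res = entry["request"], entry.get("result", {})
        # The identity is the most recent successful BIND before this op.
        prior = [dn for (bop, dn) in binds.get(conn, []) if bop < op]
        searches.append({
            "conn": conn,
            "op": op,
            "bind_dn": prior[-1] if prior else "<anonymous>",
            "base": req.get("base", ""),
            "scope": int(req.get("scope", 0)),
            "filter": req.get("filter", ""),
            "attrs": req.get("attrs", "").split(),
            "err": int(res.get("err", -1)),
            "nentries": int(res.get("nentries", 0)),
        })
    return searches


def group_searches_not_asking_for_member(searches):
    """Heuristic from the reply above: a search under the groups container
    that requests memberOf (what the group is nested in) but not member
    (who belongs to it) cannot tell the client the group's membership.
    An empty attrs list means 'all user attributes', so it is not flagged."""
    flagged = []
    for s in searches:
        if "cn=groups" not in s["base"].lower():
            continue
        attrs = {a.lower() for a in s["attrs"]}
        if attrs and "member" not in attrs and "*" not in attrs:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in summarize_searches(SAMPLE_LOG):
        print(f"conn={s['conn']} op={s['op']} as {s['bind_dn']}: "
              f"base={s['base']} filter={s['filter']} attrs={s['attrs']} "
              f"-> err={s['err']} nentries={s['nentries']}")
    for s in group_searches_not_asking_for_member(summarize_searches(SAMPLE_LOG)):
        print(f"conn={s['conn']} op={s['op']}: group search asks for {s['attrs']}, not 'member'")
```

Run against the quoted excerpt, the summary confirms what the directory server saw: a subtree search under `cn=groups`, bound as the `uid=ldap` system account, returning one entry (the group itself) with only `memberOf` requested. That is consistent with the server having done its job and the VPN side expecting a different attribute.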



