[Freeipa-users] FreeIPA and Pulse Secure (Juniper SSLVPN)

CFMS Support support at cfms.org.uk
Tue Jan 12 11:39:01 UTC 2016


Hi Alexander,

I've just had a call with Pulse Secure, and we've worked out the various
problems, thanks for your help as that really helped with Pulse Secure.

FYI, and for anyone in the future;

The User filter should be uid=<USER>, the Group filter should be
cn=<GROUPNAME>, and both the member attribute and the query attribute should
be member, not MemberOf (as you said).

This allows all the groups to be returned, but also allows a user
who is a part of the group to log in.

Kind Regards,

Josh Cullum


On Tue, Jan 12, 2016 at 10:57 AM Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 12 Jan 2016, CFMS Support wrote:
> >Hi Alexander,
> >
> >Yes I see that as well actually, and when looking for a specific group I
> >get:
> >
> >[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from
> >172.19.6.16 to 172.20.3.6
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT
> >oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120
> >nentries=0 etime=0
> >[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND
> >dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
> >method=128 version=3
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97
> >nentries=0 etime=0
> >dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH
> >base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2
> >filter="(cn=XXXXX)" attrs="memberOf"
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101
> >nentries=1 etime=0
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
> >[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1
> >
> >And that the directory server has returned one entry, however, the VPN
> >device doesn't see it and returns that the group is not found.
> Can you show the result of the ldapsearch under the same credentials
> from the command line to see what exactly it gets?
>
> Looking at the setup instructions [1], I think you need to choose
> between static or dynamic group selection. Right now you have static
> group selection configured which assumes you have an LDAP Server catalog
> configured in PSA to list all groups that can be there, and these group
> DNs must match what you get as result of the searches performed.
>
> If you have already defined those static groups in LDAP Server catalog,
> then I think you need to use 'member' attribute instead of memberOf --
> memberOf is used in the user (or a nested group) entry to say what group
> this object is member of, while the group itself will have member
> attribute values pointing to its members.
>
> [1]
> http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf
>
> --
> / Alexander Bokovoy
>
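The access-log excerpt above is what made the misconfiguration visible: the VPN searched the groups subtree with attrs="memberOf", got one entry back, and still saw no members. Added example (not code from the thread, FreeIPA or Pulse Secure): a small parser that pairs SRCH and RESULT lines from a 389-ds access log by conn/op and flags group lookups that request memberOf without member. The sample log is constructed from the op=2 lines on the page, with a hypothetical group name in place of the redacted one.

```python
"""Correlate SRCH/RESULT pairs in a 389-ds (FreeIPA) access log and flag
group lookups that ask for memberOf instead of member."""
import re

# Constructed sample: the op=2 search from the thread (group name is hypothetical),
# followed by the same lookup repeated with the corrected attribute list.
SAMPLE_LOG = """\
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2 filter="(cn=vpnusers)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jan/2016:10:30:51 +0000] conn=30649 op=1 SRCH base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2 filter="(cn=vpnusers)" attrs="member"
[12/Jan/2016:10:30:51 +0000] conn=30649 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# 389-ds writes the requested attributes as a space-separated list inside attrs="..."
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)" attrs="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')


def parse_searches(log_text):
    """Return one dict per SRCH operation, merged with its matching RESULT line."""
    ops = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt, attrs = m.groups()
            ops[(conn, op)] = {"conn": conn, "op": op, "base": base, "scope": int(scope),
                               "filter": flt, "attrs": attrs.split(),
                               "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in ops:
            # RESULT is keyed by the same conn/op pair as its SRCH
            ops[(m.group(1), m.group(2))]["err"] = int(m.group(3))
            ops[(m.group(1), m.group(2))]["nentries"] = int(m.group(4))
    return list(ops.values())


def flag_group_lookups(searches, group_base="cn=groups,cn=accounts"):
    """Return (conn, op) for searches under the groups subtree that request
    memberOf but not member: such a query returns the group entry yet tells the
    client nothing about who its members are."""
    flagged = []
    for s in searches:
        if s["base"].lower().startswith(group_base.lower()):
            attrs = {a.lower() for a in s["attrs"]}
            if "memberof" in attrs and "member" not in attrs:
                flagged.append((s["conn"], s["op"]))
    return flagged
```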