  • Latest Post - ‏2013-11-20T06:11:58Z by Amit.Gera
SystemAdmin
6772 Posts

AAA Authorization for UniqueID/UID

2013-02-04T07:05:54Z
I am trying to validate Unique_userID with respect to AD using AAA.
With AAA, Authentication is successful but Authorization (check for membership in an LDAP group) is failing.
With some option at Authorization I can get a response from AD where I am getting the DN detail & member attribute, which gives me the user detail as "LastName\, FirstName", but I couldn't get the unique User ID.

I am wondering whether anyone has tried to validate UniqueID? Please let me know if we can do that & how.
Below I have provided my configuration details:

Here is the detail from the AAA Probe (Extension Trace):
Transform - Successful
ldap-authen - Successful
transform - Successful (Extract resource=uid12)
ldap-search - Error while searching; see log for details

---Request-----
<parameter>
<bindDN>CN=Group_ID,OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</bindDN>
<bindPassword>********</bindPassword>
<lookupDN>OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</lookupDN>
<lookupAttribute>samaccountname</lookupAttribute> -- tried with member; uniqueumember
<filter>objectClass=*</filter> -- tried with samaccountname
</parameter>
------Response-------------
<LDAP-search-results>
<result>
<DN>OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</DN>
</result>
<result>
....
.....
</LDAP-search-results>

Or (when tried with a different lookupAttribute & filter parameter):
------Response---------------------------
<LDAP-search-results>
<result>
<DN>OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</DN>
<Attribute-value name="member">CN=Lastname\, firstname, OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</Attribute-value>
<Attribute-value name="member">CN=Lastname2\, firstname2, OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</Attribute-value>
<Attribute-value name="member">CN=Lastname3\, firstname3, OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</Attribute-value>
</result>
<result>
....
.....
</LDAP-search-results>


Log:
AAA Authorization Failure
ldap authorization failed with credential 'CN=Group_ID,OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com' for resource 'uid12

Please let me know how to validate the UniqueID wrt AD.
  • Reddy.P
    7 Posts

    Re: AAA Authorization for UniqueID/UID

    2013-11-19T22:43:52Z

    Hi,

    We too have a similar requirement and are getting the same error (Authorization Failure) with a similar configuration.

    Appreciate your help.

  • Amit.Gera
    34 Posts

    Re: AAA Authorization for UniqueID/UID

    2013-11-20T06:11:58Z
    In reply to Reddy.P, 2013-11-19T22:43:52Z

    I did a POC some time back similar to this. I wrote a custom XSLT to connect to AD, retrieve the required attribute, and check it against the same attribute in the outcome of the ExtractIdentity step.
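Added example (not from any poster in this thread, and not DataPower's own code) of the comparison the thread is about: the group's member values returned by the probe are DNs, so the identity extracted by AAA (a sAMAccountName such as uid12) can never equal one of them directly; it has to be resolved to the user's DN first, and DNs have to be compared in a normalized form because of the `\,` escaping in CNs like "Lastname\, firstname". The response XML and the uid-to-DN table below are constructed stand-ins for the probe output and for the second LDAP search a real deployment would run.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the AAA probe's ldap-search response shown above.
SEARCH_RESULTS = r"""<LDAP-search-results>
<result>
<DN>OU=name3,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</DN>
<Attribute-value name="member">CN=Lastname\, firstname, OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</Attribute-value>
<Attribute-value name="member">CN=Lastname2\, firstname2, OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com</Attribute-value>
</result>
</LDAP-search-results>"""

# Constructed stand-in for the lookup AAA would have to do first:
# sAMAccountName -> user DN (in a real deployment, a search such as
# (&(objectClass=user)(sAMAccountName=<uid>)) returning the entry DN).
USER_DN_BY_SAMACCOUNTNAME = {
    "uid12": r"CN=Lastname\, firstname,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com",
    "uid99": r"CN=Other\, person,OU=name2,OU=name1,DC=Domain2,DC=Domain1,DC=com",
}


def split_dn(dn):
    """Split a DN into RDNs on commas that are not escaped as '\\,' (RFC 4514)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, trimmed RDNs, escapes removed."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        value = value.strip().replace("\\,", ",")
        parts.append(attr.strip().lower() + "=" + value.lower())
    return ",".join(parts)


def group_members(xml_text):
    """Normalized DNs from every <Attribute-value name="member"> in the response."""
    root = ET.fromstring(xml_text)
    return {normalize_dn(e.text) for e in root.iter("Attribute-value")
            if e.get("name") == "member"}


def naive_check(uid, xml_text):
    """What the failing configuration amounts to: a bare uid never equals a member DN."""
    return uid.lower() in group_members(xml_text)


def is_group_member(uid, xml_text):
    """Resolve the uid to its DN first, then compare DNs; an unknown uid is denied."""
    user_dn = USER_DN_BY_SAMACCOUNTNAME.get(uid)
    return user_dn is not None and normalize_dn(user_dn) in group_members(xml_text)
```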