LDAP Recursion

Some of our AD groups contain other AD groups, and LDAP membership checks don't appear to pick this up?

E.g., if I am a member of GroupA and GroupA is a member of GroupB, and there is an outgoing mail policy looking for the sender to be a member of GroupB, it will not trigger when I send an email. If I'm a member of GroupA and GroupB, then it works.

Is this something that can be changed, or will I have to unravel the groups I want to check against?

7 Replies

Jason Meyer
Level 1

Great post, AndrewR. I have been working on this issue for a while now and have not found a way to accomplish this either. IronPort Support has indicated that it is not possible and that they are working on it. I can make it work from a Linux box with no problems but have not been able to make it work with IronPort. The workaround that I used was, in the Mail Policy, to just add a query for Group A and another one for Group B. I would think that this causes LDAP queries to double, but thus far it has worked OK.

Yeah, that's basically the conclusion I came to as well. I opened a support ticket, and from the output I sent they have said that we're hitting a recursion limit! Quite why the limit is set at 1 I don't know :)

Basically we're now checking for Group A and B, like you say. Shame, but it works.
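To make the behaviour described in the thread concrete, here is an added example (not from the original posts, and not IronPort/Cisco code). It builds a small in-memory stand-in for AD with the constructed GroupA/GroupB layout from the question, runs a depth-limited membership check that reproduces the "recursion limit of 1" result and the Group A or Group B workaround, and shows the AD extensible-match filter (matching rule OID 1.2.840.113556.1.4.1941) that asks the domain controller itself to walk nested groups. The DNs are invented, the directory is constructed sample data, and whether the ESA's group query field accepts that filter is an assumption this thread does not settle.

```python
"""Nested (transitive) AD group membership: depth-limited lookup vs full walk.

Added example, not part of the original thread. DIRECTORY is a constructed
in-memory stand-in for AD, mapping group DN -> set of direct member DNs.
"""
from collections import deque
from typing import Dict, Iterable, Set

USER_DN = "CN=Andrew,OU=Users,DC=example,DC=com"          # invented
GROUP_A = "CN=GroupA,OU=Groups,DC=example,DC=com"         # invented
GROUP_B = "CN=GroupB,OU=Groups,DC=example,DC=com"         # invented
GROUP_C = "CN=GroupC,OU=Groups,DC=example,DC=com"         # invented

# Constructed sample data: the thread's scenario (user in GroupA, GroupA in
# GroupB) plus a deliberate cycle (GroupC <-> GroupB) to show why a walker
# needs a visited set.
DIRECTORY: Dict[str, Set[str]] = {
    GROUP_A: {USER_DN},
    GROUP_B: {GROUP_A, GROUP_C},
    GROUP_C: {GROUP_B},
}


def is_member(user_dn: str, group_dn: str, max_depth: int,
              directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """True if user_dn is a direct or nested member of group_dn.

    max_depth=1 checks direct membership only, which is the behaviour the
    thread reports for the gateway.  Larger values follow group-in-group
    nesting.  Breadth-first order means each group is first reached at its
    shallowest depth, so the depth cut-off cannot hide a shorter path, and
    the visited set makes cyclic nesting terminate.
    """
    queue = deque([(group_dn, 1)])
    visited = {group_dn}
    while queue:
        group, depth = queue.popleft()
        members = directory.get(group, set())
        if user_dn in members:
            return True
        if depth >= max_depth:
            continue                      # recursion limit reached on this path
        for member in members:
            if member in directory and member not in visited:
                visited.add(member)       # only groups are expanded further
                queue.append((member, depth + 1))
    return False


def matches_policy(user_dn: str, policy_groups: Iterable[str], max_depth: int,
                   directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """The thread's workaround: a policy that lists GroupA *and* GroupB fires
    on direct membership of either, so no nesting has to be resolved."""
    return any(is_member(user_dn, g, max_depth, directory) for g in policy_groups)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    Without this, a DN containing ( ) * or \\ would alter the filter."""
    value = value.replace("\\", "\\5c")   # backslash first, it is the escape char
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, code)
    return value


LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def transitive_member_filter(group_dn: str) -> str:
    """Server-side alternative: an AD extensible-match filter that matches any
    object whose memberOf chain reaches group_dn, however deeply nested.
    Assumption: the thread does not say whether the gateway's group query
    accepts this filter; it is standard Active Directory syntax."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    print("direct GroupA, limit 1:", is_member(USER_DN, GROUP_A, 1))
    print("nested GroupB, limit 1:", is_member(USER_DN, GROUP_B, 1))
    print("nested GroupB, limit 2:", is_member(USER_DN, GROUP_B, 2))
    print("policy A-or-B, limit 1:", matches_policy(USER_DN, [GROUP_A, GROUP_B], 1))
    print("AD-side filter:", transitive_member_filter(GROUP_B))
```

Run stand-alone, the `limit 1` checks reproduce the thread: GroupA matches, GroupB does not, and listing both groups in the policy makes it fire. The filter helper is the thing to try against the domain controller from a Linux box first (`ldapsearch` with that filter), since the thread confirms the directory itself resolves nesting fine; only then is it worth testing whether the gateway's query field accepts it.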

Rayman_Jr
Level 1

AndrewR, JMeyer5241, this is very surprising but seems to be the reality. I have run into the same problem as well!

Group membership via LDAP browsers or a Linux box is working fine, but IronPort doesn't seem to be able to see membership from nested groups.

Have you got any other solution to this than creating separate queries for different groups?

A side note. I have 5 different AD groups in mail policies, and those are working just fine. Each of those groups will get 5 new nested groups on Monday. After initial tests and quick calculations I'm afraid that I'll have a headache the size of the Universe on Monday morning :?

I'm more than thankful if you have any updates on this case!

Unfortunately not - we're still doing the member of group A or group B check!

It's a pain, but it's only for this one policy fortunately, so not too bad for us.

Can 'Chain Query' do the job? (I did not try it.)

Nope, chained queries are for different domains, rather than groups within a domain.

I mean, can this be done?

Create two different LDAP profiles for the different group LDAP queries (profile1: ldap1server, groupA; profile2: ldap1server, groupB).

Then chain the queries.

Will it work?
