Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
994
Views
0
Helpful
4
Replies

LDAP Config on VSOM

jwood.ok
Level 1
Level 1

‎09-02-2016 08:23 AM

We haven't previously used LDAP configuration on VSOM, but I worked on getting it working yesterday.  

We are on 7.5.1 right now (possibly updating later in the year), but I wasn't real crazy by the implementation.  The reason is this:

I have my users divided up by group and those groups can only access one location; however, it looks like the way LDAP is done, everyone from one LDAP server has to be in the same group.

The only way I can see around this is making a different "LDAP Server" listing for each location and splitting these up into various groups...but that kind of stinks because then they will all have to choose a different dropdown selection when logging in.

Is this how it is even in the newer versions?  In other software I've seen, essentially what happens is that you allow an LDAP connection which maps to a local user which you can put into any group, but VSOM doesn't seem to be set up that way.

Labels:
0 Helpful
4 Replies 4

SteveM
Level 1
Level 1

‎09-02-2016 09:17 AM

Hi John,

We are on 7.8 so not sure about 7.5.1

And we have Active Directory

Add user group filters to filter the LDAP group the user is in.

Search path something like DC=company,DC=local

Group Filter something like

(&(objectClass=user)(sAMAccountName=%USERID%)(memberof=CN=CCTV-Operators,OU=CCTV Groups,OU=Groups,DC=company,DC=local))

Then in your normal VSOM user group add the LDAP server search filter (Under LDAP Server)

Hope this helps?

If you want more info let me know.

Cheers,

Steve

0 Helpful

jwood.ok
Level 1
Level 1
In response to SteveM

‎09-02-2016 09:19 AM

Steve,

I have filtering in place.  My issue is that once they are on VSOM, I'd like to make use of the VSOM groups with the ldap users, but it doesn't seem there is a way to do this.  The Ldap server goes into one group.  As I said, the only alternative I can think of is to make, for instance, 5 AD groups and 5 ldap servers with different filtering options that isolate each of those AD groups so they can be split into 5 VSOM groups.

0 Helpful

SteveM
Level 1
Level 1
In response to jwood.ok

‎09-02-2016 09:30 AM

Hi John,

You should only need 1 LDAP server with 5 User Group Filters.

See attached ctv1.jpg.

Then cctv2.jpg map the VSOM user group to the LDAP Server Filter

Cheers,

Steve

Preview file
86 KB
Preview file
87 KB
0 Helpful

jwood.ok
Level 1
Level 1
In response to SteveM

‎09-02-2016 02:21 PM

Ahhh well, your information is well taken and on point...but 7.5.1 doesn't have the same screens or "group filter" as your version.  I'll investigate more to see if it is possible.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents