ArubaOS and Controllers

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

LDAP role assignment

I have an LDAP server configured and users authenticating successfully to it over L2TP both on VIA and native Mac OS client. However, I'd like to specify a server rule to assign various roles based on the gidNumber attribute.

When I turn on debug, I see the role matched (networking-vpn-role) but the user is still assigned the default role for the VPN. Why is it not assigned the role that matches the server rule? See logs below:
Jul 19 16:21:14 :109000: |authmgr| LDAP Server olds1: Authenticate User: jclingan. Authentication successful
Jul 19 16:21:14 :124003: |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=olds1, user=00:25:00:4e:64:ef
Jul 19 16:21:14 :124004: |authmgr| Auth server 'olds1' response=0
Jul 19 16:21:14 :124004: |authmgr| Setting authserver 'olds1' for user 172.20.2.123, client VPN
Jul 19 16:21:14 :124004: |authmgr| auth_pap_resp_raw: user name jclingan, check_cp_single_session ret -5
Jul 19 16:21:14 :124004: |authmgr| {L3} Authenticating Server is olds1
Jul 19 16:21:14 :124004: |authmgr| Matching `vpn-auth' rules to derive role ...
Jul 19 16:21:14 :124004: |authmgr| rule: set role condition gidNumber equals "14" set-value networking-vpn-role
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match cn : XXXXXXXXXXXX
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match employeeNumber : XXXXXXXXXXXXXX
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match facsimileTelephoneNumber : XXXXXXXXXXX
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match givenName : Joshua
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match homeDirectory : /home/jclingan
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match l : BA
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match mail : jclingan@ycp.edu
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match nodisplay : TRUE
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match ou : Information Technology
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match postalCode : 17402-9224
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match roomNumber : 2A
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match sn : Clingan
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match st : PA
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match telephoneNumber : 6820
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match title : Network Engineer
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match uid : jclingan
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match uidNumber : 18490
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match employeeType : ycpadmin
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match gidNumber : 14
Jul 19 16:21:14 :124004: |authmgr| Rule matched! Result string is 'networking-vpn-role'
Jul 19 16:21:14 :124004: |authmgr| derive_role2 line:4420 roleName:networking-vpn-role
Jul 19 16:21:14 :124004: |authmgr| auth_pap_resp_raw vpnflags:0
Jul 19 16:21:14 :124004: |authmgr| RX (sock) message of type 18, len 28
Jul 19 16:21:14 :124004: |authmgr| IP UP int: 192.168.21.141, ext:172.20.2.123
Jul 19 16:21:14 :124004: |authmgr| Tx message to Sibyte. Opcode = 17, msglen = 140
Jul 19 16:21:16 :124004: |authmgr| Rx message 0/67108864, length 183 from 127.0.0.1:8345
Jul 19 16:21:16 :124004: |authmgr| stm_message_handler : msg_type 3006

Regards,

Josh
___________
ACMP, ACCP
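As an added example (not code from the thread or from Aruba), a small Python checker that re-evaluates a server-derivation rule against the attribute/value pairs authmgr logs and compares the result with the role the controller says it derived; the sample log is constructed from the lines quoted above, and rule operators other than `equals` are assumed from the rule syntax rather than taken from the post.

```python
import re

# Constructed sample, modelled on the authmgr debug lines quoted in the post above
SAMPLE_LOG = """\
Jul 19 16:21:14 :124004: |authmgr| Matching `vpn-auth' rules to derive role ...
Jul 19 16:21:14 :124004: |authmgr| rule: set role condition gidNumber equals "14" set-value networking-vpn-role
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match uid : jclingan
Jul 19 16:21:14 :124004: |authmgr| Value Pair to match gidNumber : 14
Jul 19 16:21:14 :124004: |authmgr| Rule matched! Result string is 'networking-vpn-role'
Jul 19 16:21:14 :124004: |authmgr| derive_role2 line:4420 roleName:networking-vpn-role
"""
RULE_RE = re.compile(r'rule: set role condition (\S+) (\S+) "([^"]*)" set-value (\S+)')
PAIR_RE = re.compile(r'Value Pair to match (\S+) : (.*)$')
MATCHED_RE = re.compile(r"Rule matched! Result string is '([^']+)'")
DERIVED_RE = re.compile(r'derive_role2 .*roleName:(\S+)')
# Server-rule operators; only "equals" appears in the post, the others are assumed string tests.
OPERATORS = {
    "equals": lambda got, want: got == want,
    "not-equals": lambda got, want: got != want,
    "contains": lambda got, want: want in got,
}

def parse_derivation(log_text):
    """Extract the rules, the attribute/value pairs and the roles the controller reports."""
    out = {"rules": [], "pairs": {}, "matched_role": None, "derived_role": None}
    for line in log_text.splitlines():
        if m := RULE_RE.search(line):
            out["rules"].append({"attr": m[1], "op": m[2], "value": m[3], "role": m[4]})
        elif m := PAIR_RE.search(line):
            out["pairs"][m[1]] = m[2].strip()
        elif m := MATCHED_RE.search(line):
            out["matched_role"] = m[1]
        elif m := DERIVED_RE.search(line):
            out["derived_role"] = m[1]
    return out

def expected_role(parsed):
    """Re-evaluate the rules against the returned attributes; first hit wins, None if none match."""
    for rule in parsed["rules"]:
        got = parsed["pairs"].get(rule["attr"])
        if got is not None and OPERATORS.get(rule["op"], lambda g, w: False)(got, rule["value"]):
            return rule["role"]
    return None

def audit(log_text):
    """Return (role we expect, role the controller derived, whether the two agree)."""
    parsed = parse_derivation(log_text)
    want = expected_role(parsed)
    return want, parsed["derived_role"], want == parsed["derived_role"]
```

When the two roles agree, as they do for the quoted log, the derivation step itself is consistent and the default role must be coming from a later stage of the VPN user setup, which is the situation the post describes.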
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: LDAP role assignment

Do you have the PEFV license? It is needed to assign roles to the VIA users.
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: LDAP role assignment

Yes, we have PEFV.
Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: LDAP role assignment

Do you have a VIA connection profile assigned to that role?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: LDAP role assignment

Yes, there is a via profile assigned.

I've worked with support on the issue and after about 3 hours they seem stumped too.
Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: LDAP role assignment

Sounds like a bug to me.


Colin Joseph
Aruba Customer Engineering

