Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LDAP Lookup for Sponsor Restriction.

  • 1.  LDAP Lookup for Sponsor Restriction.

    Posted May 07, 2014 09:21 AM

    Hi,
    I have CPPM set up and am trying to accomplish the following for Sponsor Restriction.

    1- User will manually type in the sponsor email address in the Text field. I am using Sponsor Email Field for the same.

    2- That email ID should be looked up in AD Database to verify if it is part of a specific group or not.

    3- If yes, it should allow the email ID to be a Sponsor; else it should deny that email as a valid sponsor.

    Here is my current configuration:
    Sponsor Email:

    I have configured the Sponsor_Email field with an email validation using the below query:

    array (
      'allow' => array (
        0 => 'shire.com',
      ),
      'deny' => array (
        0 => '*',
      ),
    )
    Server LDAP Filter:

    I have configured a custom LDAP Filter under the Server Configuration as below:

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in this group
        (memberOf=CN=GL-CPPM_SPONSORS,OU=Security-Groups,OU=Domain-Groups,DC=corp,DC=shire,DC=com)
      )
      (|
        # Match users by any of these criteria
        (sAMAccountName=*@SEARCH@*)
        (displayName=*@SEARCH@*)
        (cn=*@SEARCH@*)
        (mail=*@SEARCH@*)
      )
    )

    DO_LDAP_Lookup:

    I have enabled Do Ldap Lookup as a hidden field to perform the lookup and give the results.

    With this configuration, it is doing the lookup for all valid emails but not restricting to the Sponsors that are part of the specified group. Any help will be greatly appreciated.

    Regards

    Nalin



  • 2.  RE: LDAP Lookup for Sponsor Restriction.

    Posted May 12, 2014 12:23 PM

    You could do this slightly differently by using the sponsor_lookup field with a select2 interface.

    This still allows the group restriction and does an interactive lookup on the fields specified in the Operator Login server configuration.

    If you wanted to force the user to type the majority of the email address before the lookup occurred you could force x amount of characters being entered before the lookup is done.



  • 3.  RE: LDAP Lookup for Sponsor Restriction.

    EMPLOYEE
    Posted May 12, 2014 01:09 PM

    It may be a little confusing, but the custom Filter Expression is only used for the on-the-fly display results of a field (sponsor_lookup) with the 'Enable searching and advanced UI' flag set.  Our default search is a wildcard search on a few common fields but other LDAP/AD systems may use different fields, or the size may be so large a starts-with search is needed over a contains.  Either way, on save a second check is made on the field itself and the entire dataset is returned from that call and used for the attribute matching section.  That call uses the normal Server URL lookup.  That URL supports a filter within the RFC2255 syntax.  It is all best described on https://afp.arubanetworks.com/afp/index.php/How-to:_Sponsored_Self-Registration#LDAP_Sponsor_Lookups.  A couple good links on the LDAP URL syntax are given too.



  • 4.  RE: LDAP Lookup for Sponsor Restriction.
    Best Answer

    Posted May 12, 2014 02:41 PM

    Hi All,

    Thanks a lot for your suggestions and inputs. I got this issue resolved with the following solution.

    All configuration remains the same except that, in Guest Manager => Server Config, the Server URL is changed to:

    "ldap://<AD Server Name>/DC=corp,DC=shire,DC=com???memberOf=CN=GL-CPPM_SPONSORS,OU=Security-Groups,OU=Domain-Groups,DC=corp,DC=shire,DC=com"

    And it worked perfectly as expected.
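As an added example in Python (not code from this thread or from ClearPass itself), the following splits the RFC 2255 Server URL from the accepted answer into its components, checks that the filter part carries the memberOf restriction that the save-time lookup depends on (the custom Filter Expression is not applied there, as the EMPLOYEE reply explains), and fills @SEARCH@ into the display-time filter with RFC 4515 escaping, since the sponsor email is typed by the guest. The group DN is the thread's own; the hostname dc01.example.test stands in for the <AD Server Name> placeholder and is constructed.

```python
import re
from urllib.parse import unquote

# Group DN taken from the thread's filter and Server URL.
SPONSOR_GROUP = ("CN=GL-CPPM_SPONSORS,OU=Security-Groups,"
                 "OU=Domain-Groups,DC=corp,DC=shire,DC=com")

# RFC 4515 escaping for a value spliced into an LDAP filter. The sponsor
# email comes from the guest's browser, so an unescaped '*' or ')' would
# change the meaning of the lookup instead of being matched literally.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def parse_ldap_url(url: str) -> dict:
    """Split an RFC 2255 URL: ldap://host[:port]/dn[?attrs[?scope[?filter]]]."""
    m = re.fullmatch(r"(ldaps?)://([^/]*)/(.*)", url)
    if not m:
        raise ValueError("not an LDAP URL")
    scheme, host, rest = m.groups()
    dn, attrs, scope, flt = (rest.split("?", 3) + [""] * 4)[:4]
    flt = unquote(flt)
    # RFC 2254 filters are parenthesised; the thread's URL uses the bare
    # form and ClearPass accepted it, so normalise rather than reject.
    if flt and not flt.startswith("("):
        flt = f"({flt})"
    # scope is returned as written; "" means omitted (RFC 2255 default: base).
    return {"scheme": scheme, "host": host, "base_dn": unquote(dn),
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": flt}

def url_restricts_to_group(url: str, group_dn: str = SPONSOR_GROUP) -> bool:
    """True if the Server URL itself limits results to members of group_dn."""
    return f"memberOf={group_dn}" in parse_ldap_url(url)["filter"]

def sponsor_lookup_filter(typed: str, group_dn: str = SPONSOR_GROUP) -> str:
    """The thread's display-time filter with @SEARCH@ substituted safely."""
    s = escape_filter_value(typed)
    return ("(&(objectClass=user)(objectCategory=person)"
            f"(memberOf={escape_filter_value(group_dn)})"
            f"(|(sAMAccountName=*{s}*)(displayName=*{s}*)"
            f"(cn=*{s}*)(mail=*{s}*)))")
```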