Security

Aruba Employee
Posts: 64
Registered: ‎04-07-2007

Nested groups in MemberOf for active directory not being followed

I have a group in AD that has a nested group as its members, very useful when granting application privs.

I wanted to assign this group read only access to ClearPass, but it seems that CP doesn't follow nested groups?

When I looked at the authorization attributes

Authorization:Brandeis Active Directory:memberOf: only shows the primary memberships, not the memberships of the nested groups...

Is there a setting I can change to have it show that?

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Nested groups in MemberOf for active directory not being followed

[ Edited ]

Edit:

Attached is a preliminary document on how to configure CPPM for nested groups.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 1
Registered: ‎04-07-2010

Re: Nested groups in MemberOf for active directory not being followed

I am also running into this problem.  Any help would be appreciated.

Aruba Employee
Posts: 64
Registered: ‎04-07-2007

Re: Nested groups in MemberOf for active directory not being followed

PM Colin and ask for the same doc he sent me.

It was pretty easy to get it working, but the doc was needed to wrap your head around reading into nested groups.

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Nested groups in MemberOf for active directory not being followed

I need the document also... hopefully nested groups will be fully supported in a future release.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Nested groups in MemberOf for active directory not being followed

I just use all of the levels and leaf options for each one so you always catch it.

[Attachment: ciscojabber.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Re: Nested groups in MemberOf for active directory not being followed

[ Edited ]

Instead of using the OneLevelUp/Leaf method of searching nested groups, is there any reason not to use something like:

(distinguishedName=%{memberOf:1.2.840.113556.1.4.1941:})

for the Groups query? This seems to return all the nested groups in Active Directory.

The resource I used to find this was: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

Thanks,

  Eric

Edit: This doesn't actually work, I had the query wrong and was allowing access to all groups. It does work if you modify the auth query, but then it's very awkward, i.e.:

(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=NestedGroup...))

If there's a way of retrieving nested memberOf attributes from Active Directory, that would be ideal.
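The auth-query form above works because the matching rule 1.2.840.113556.1.4.1941 makes the domain controller walk the group chain for the user. The following added example (not from the thread or from ClearPass) models that walk offline over a constructed directory snapshot, so you can see which memberships a plain memberOf read misses, and builds the filter with RFC 4515 escaping so a group DN containing parentheses cannot break or widen the query. The group and user DNs are constructed sample values.

```python
"""Offline model of the chain matching rule (1.2.840.113556.1.4.1941) lookup
discussed in the thread, plus a filter builder that escapes the group DN.
The directory snapshot below is constructed sample data, not a real AD."""
from collections import deque

# Constructed sample: group DN -> DNs listed in its 'member' attribute.
GROUPS = {
    "CN=NestedGroup,OU=Groups,DC=example,DC=com": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=Tier2,OU=Groups,DC=example,DC=com",
        "CN=Alice,OU=Users,DC=example,DC=com"],
    "CN=Tier2,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Users,DC=example,DC=com",
        "CN=NestedGroup,OU=Groups,DC=example,DC=com"],  # circular nesting
    "CN=Finance,OU=Groups,DC=example,DC=com": [
        "CN=Carol,OU=Users,DC=example,DC=com"],
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN with ( ) * \\ must not alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def transitive_groups(user_dn: str, groups=GROUPS) -> set:
    """Every group the user is in directly or through nesting, i.e. what the
    chain rule resolves server-side. A visited set keeps cycles finite."""
    parents = {}  # member DN -> groups that list it in 'member'
    for gdn, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(gdn)
    seen, queue = set(), deque([user_dn])
    while queue:
        for p in parents.get(queue.popleft(), ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen

def is_nested_member(user_dn: str, group_dn: str, groups=GROUPS) -> bool:
    return group_dn in transitive_groups(user_dn, groups)

def nested_member_filter(group_dn: str,
                         username="%{Authentication:Username}") -> str:
    """Authentication filter of the shape quoted in the post; the username
    stays a ClearPass macro, the group DN is escaped before insertion."""
    return (f"(&(sAMAccountName={username})(objectClass=user)"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")
```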

MVP
Posts: 765
Registered: ‎03-25-2009

Re: Nested groups in MemberOf for active directory not being followed

Seems nested groups still do not work 'out of the box'.

Is there any intention to get this config into ClearPass per default?  Is that v2 document still the latest version?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 77
Registered: ‎03-09-2015

Re: Nested groups in MemberOf for active directory not being followed

I was shared an LDAP OID from support and some basic 'n-1' traversal that can deal with this better than the original PDF shared at the top of this thread.

Is this the new gospel way of dealing with this?

[Attachment: Untitled.png]

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Nested groups in MemberOf for active directory not being followed

Are you using generic LDAP or AD?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480