02-12-2015 03:56 PM
I set up several roles and created the role mapping policy, but only some of them seem to be working. I have a combination of rules that base the role mapping on the first letter of the username, and the rest check the OU membership. The OU membership rules seem to be working as expected. It appears to be ignoring the UserDN check. These are all under the same role mapping policy for the service. I have my type set to the AD auth source, the name is set to UserDN, the operator is begins_with, and then the value is the first character in the username. Then I have it set to use the appropriate role. It's either getting the default role or skipping over this rule, and if it also matches an OU rule it gets that value. I do have it set to match the first rule that applies. Not sure what I am missing. In Access Tracker it shows they are accepted, but again they are getting the wrong role. I looked at the record and I can see the UserDN in the computed attributes section. Code is up to the 6.4 level.
02-12-2015 03:58 PM
Can you please post a screenshot?
Also, generally speaking, it is best to use a match any for role mapping and then do first match in your enforcement.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
02-12-2015 04:04 PM
02-12-2015 04:14 PM
One other question. If I have one where the username begins with an e, but they are also a match for one of the OU rules, how do I handle that? Is that where I need to change it to match any rule?
02-15-2015 05:13 AM - edited 02-15-2015 05:14 AM
Sorry, I don't quite understand what you say.
Do you want to have it match on something or something else, or only have it match on something but not on something else?
02-15-2015 05:43 AM
The list is one long string, not separated. I suggest you use the "contains" operand instead and use a more specific word to avoid "buggy" classification.
The parameter refers to groups in AD. What I usually do is ask the customer to make a more specific folder and link all the users of a group to that new folder, to do as I want.
CWNA | ACMP | ACCP
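To make the two pieces of advice in this thread concrete (Tim's "match any in role mapping, first match in enforcement" and the later suggestion to prefer "contains" over "begins_with" when the attribute is one long string), here is an added example that is not from the thread and is not ClearPass code. It is a small model of a role mapping policy in Python, with constructed attribute values: a UserDN of the form `CN=<sAMAccountName>,OU=...` and a memberOf value modelled as one `;`-joined string (the separator is an assumption). Because an LDAP DN always begins with an attribute type such as `CN=`, a `begins_with` rule whose value is just the first letter of the username can never match a DN, which reproduces the symptom in the original post: the rule is skipped and the OU rule (or the default role) wins.

```python
"""Toy model of role-mapping rule evaluation: "first match" vs "match any",
with begins_with / contains / equals operators. Constructed example only;
attribute names, separators and role names are assumptions, not ClearPass internals."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str  # name of the authorization attribute, e.g. "UserDN"
    operator: str   # "begins_with" | "contains" | "equals"
    value: str      # literal to compare against (case-insensitive here)
    role: str       # role assigned when the rule matches


def _matches(operator: str, actual: str, expected: str) -> bool:
    """Evaluate one operator; comparisons are case-insensitive, as AD names usually are."""
    a, e = actual.lower(), expected.lower()
    if operator == "begins_with":
        return a.startswith(e)
    if operator == "contains":
        return e in a
    if operator == "equals":
        return a == e
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(rules, attrs, mode="first", default_role="[Guest]"):
    """Return the list of roles a user gets.

    mode="first": stop at the first matching rule (one role).
    mode="any":   collect the role of every matching rule (possibly several roles,
                  leaving the enforcement policy to pick the winner).
    A user matching no rule gets the default role.
    """
    roles = []
    for rule in rules:
        actual = attrs.get(rule.attribute)
        if actual is None:
            continue  # attribute not returned by the auth source: rule cannot match
        if _matches(rule.operator, actual, rule.value):
            roles.append(rule.role)
            if mode == "first":
                break
    return roles or [default_role]


# Constructed attributes for a user "ejones" in the Sales OU (not real directory data).
USER_ATTRS = {
    "UserDN": "CN=ejones,OU=Sales,DC=example,DC=com",
    # memberOf modelled as one long string rather than a list, as described in the thread.
    "memberOf": "CN=VPN Users,OU=Groups,DC=example,DC=com;"
                "CN=Sales Staff,OU=Groups,DC=example,DC=com",
}

# As posted: begins_with on the DN with a single letter. A DN starts with "CN=",
# so this rule never fires and the OU rule below wins.
POSTED_RULES = [
    Rule("UserDN", "begins_with", "e", "E-Users"),
    Rule("memberOf", "contains", "CN=Sales Staff,", "Sales"),
]

# Corrected: anchor the letter test to the CN prefix ("contains" with a more
# specific word would work as well, e.g. "CN=e").
FIXED_RULES = [
    Rule("UserDN", "begins_with", "CN=e", "E-Users"),
    Rule("memberOf", "contains", "CN=Sales Staff,", "Sales"),
]


def posted_first_match():
    return evaluate(POSTED_RULES, USER_ATTRS, mode="first")


def fixed_first_match():
    return evaluate(FIXED_RULES, USER_ATTRS, mode="first")


def fixed_match_any():
    return evaluate(FIXED_RULES, USER_ATTRS, mode="any")


if __name__ == "__main__":
    print("posted rules, first match:", posted_first_match())  # ['Sales']
    print("fixed rules, first match: ", fixed_first_match())   # ['E-Users']
    print("fixed rules, match any:   ", fixed_match_any())     # ['E-Users', 'Sales']
```

With "match any", the user carries both roles into enforcement, where a first-match enforcement policy can then decide which one wins; with "first match" in role mapping, rule order silently decides, which is why a rule that can never match (a bare letter against a DN) looks like it is being ignored.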