I would like to map user access to certain VLANs against membership in specific Microsoft Active Directory Security Groups (e.g. admins).
My consultant told me we had to use a generic group search attribute that would pull strings from ALL security groups as well as ALL distribution groups. Obviously this would not pass an audit.
Can anyone help with what an LDAP filter/query would look like (as an example) to map the authorization to a specific security group?
Got it, so it's possible to drill down and make it search for a specific group name or "string" -- right?
But, is it possible to restrict that search to security groups only, rather than search for the string across security and distribution groups?
Yes, it's an exact match check.
You can also use the memberOf attribute if you want to match on the entire DN of the group.
AD stores both security and DLs in the memberOf context, so no, there is really no way to limit it. I can't imagine a DL and security group would have the same name.
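Added example (not part of the thread, and not vendor code): a sketch of the exact-DN `memberOf` match discussed above, with the filter values escaped per RFC 4515, plus a separate check of the group object's `groupType` security-enabled bit. The DNs, username and group data are constructed, and whether a given policy server accepts custom filters like these is an assumption.

```python
# Added example: constructed DNs and entries, not taken from the thread.
SECURITY_ENABLED = 0x80000000           # groupType bit set on AD security groups
BIT_AND = "1.2.840.113556.1.4.803"      # AD bitwise-AND matching rule OID

def escape_filter_value(value: str) -> str:
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def user_in_group_filter(username: str, group_dn: str) -> str:
    """Filter matching the user only if memberOf holds this exact group DN."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf={escape_filter_value(group_dn)}))")

def security_group_filter(group_dn: str) -> str:
    """Filter matching the group only if it is security-enabled."""
    return ("(&(objectCategory=group)"
            f"(distinguishedName={escape_filter_value(group_dn)})"
            f"(groupType:{BIT_AND}:={SECURITY_ENABLED}))")

def is_security_group(group_type: int) -> bool:
    """AD returns groupType as a signed 32-bit integer; mask before testing."""
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)

def authorize(member_of, group_types, allowed_dn: str) -> bool:
    """Allow only on an exact (case-insensitive) DN match to a security group."""
    wanted = allowed_dn.lower()
    for dn in member_of:
        if dn.lower() == wanted:
            return is_security_group(group_types.get(wanted, 0))
    return False

# Constructed sample data: one security group and one distribution list.
ADMINS = "CN=Network Admins (VLAN10),OU=Groups,DC=example,DC=com"
ADMINS_DL = "CN=Network Admins DL,OU=Groups,DC=example,DC=com"
GROUP_TYPES = {ADMINS.lower(): -2147483646, ADMINS_DL.lower(): 2}

if __name__ == "__main__":
    print(user_in_group_filter("jdoe", ADMINS))
    print(security_group_filter(ADMINS))
    print(authorize([ADMINS_DL, ADMINS], GROUP_TYPES, ADMINS))
```

An exact `memberOf` match covers direct membership only; the username is escaped as well so that filter metacharacters in it cannot change the query.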