New Contributor

LDAP server rules with openldap

I am successfully running LDAP authentication against openldap. I am trying to use server rules to apply policy based on user group membership.

Unfortunately, in this configuration the user group memberships (as in the AD and Novell implementations) are not under the user entry. However, openldap 2.4 supports reverse group membership via the slapo-memberof overlay. See:

But, the problem with slapo-memberof is that the memberOf attribute is an operational attribute, so it must be requested explicitly.

Therefore, I cannot see memberOf attribute via "aaa query-user server user" command.

Based on my testing, ArubaOS does not request the configured server rule attributes explicitly. Is that a correct conclusion?

Is there any workaround in ArubaOS? Can I do user group membership lookups from the other branches (groupOfNames schema)? Or am I forced to maintain Aruba-related groups under the user entry?

BR, Teemu
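For readers who want to reproduce the setup described in the question, the following is an added example (not part of the original post and not from the poster's server) of enabling slapo-memberof on an OpenLDAP 2.4 cn=config server. It assumes a dynamic module entry `cn=module{0},cn=config` already exists and that the user database is `olcDatabase={1}mdb`; both are assumptions to check against your own `cn=config` before applying.

```ldif
# Added example: enable the slapo-memberof overlay via cn=config.
# Assumptions: cn=module{0} exists (otherwise create it with an
# olcModuleList entry) and the user database is olcDatabase={1}mdb.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif

# 1. Load the overlay module (not needed if memberof was built in statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Attach the overlay to the user database. For every group of
#    objectClass groupOfNames, each DN listed in "member" receives a
#    memberOf attribute pointing back at the group.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# Keep memberOf consistent when a group or member entry is deleted or renamed.
olcMemberOfRefInt: TRUE
```

Two caveats matter when checking the result. First, as the question says, `memberOf` is an operational attribute, so a search returns it only when it is named explicitly, for example `ldapsearch -x -b dc=example,dc=com "(uid=teemu)" memberOf` (or `+` to request all operational attributes); a client that asks only for the default user attributes will never see it. Second, the overlay maintains `memberOf` only for group changes made after it is enabled; memberships that already existed are not backfilled, so existing groups must have their `member` values re-applied. Without the overlay at all, the reverse lookup is still possible from the group side with a filter such as `(&(objectClass=groupOfNames)(member=uid=teemu,ou=people,dc=example,dc=com))`, which returns the group DNs rather than an attribute on the user entry.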
Guru Elite

aaa query user

You can only write rules based on what is returned by the aaa query user command.

Maybe someone else has some other ideas on how to do this.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*