Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Nested groups in MemberOf for active directory not being followed

  • 1.  Nested groups in MemberOf for active directory not being followed

    Posted Jan 29, 2013 01:57 PM

    I have a group in AD that has a nested group as its members, very useful when granting application privs.

     

    I wanted to assign this group read only access to ClearPass, but it seems that CP doesn't follow nested groups?

     

    When I looked at the authorization attributes

     

    Authorization:Brandeis Active Directory:memberOf: only shows the primary memberships not the memberships of the nested groups...

     

    Is there a setting I can change to have it show that?



  • 2.  RE: Nested groups in MemberOf for active directory not being followed

    EMPLOYEE
    Posted Jan 29, 2013 04:20 PM

    Edit:

     

    Attached is a preliminary document on how to configure CPPM for nested groups.

     

    Attachment: cppm-nested-groups-v2.pdf


  • 3.  RE: Nested groups in MemberOf for active directory not being followed

    Posted Feb 25, 2013 12:48 PM

    I am also running into this problem.  Any help would be appreciated.



  • 4.  RE: Nested groups in MemberOf for active directory not being followed

    Posted Feb 25, 2013 01:20 PM

    PM Collin and ask for the same doc he sent me. 

     

    It was pretty easy to get it working, but the doc was needed to wrap your head around reading into nested groups.



  • 5.  RE: Nested groups in MemberOf for active directory not being followed

    Posted Jul 10, 2013 11:42 PM

    I need the document also... hopefully nested groups will be fully supported in a future release.



  • 6.  RE: Nested groups in MemberOf for active directory not being followed

    EMPLOYEE
    Posted Aug 12, 2013 01:59 PM

    I just use all of the levels and leaf options for each one so you always catch it.

     

    ciscojabber.PNG



  • 7.  RE: Nested groups in MemberOf for active directory not being followed

    Posted Feb 13, 2014 10:55 AM

    Instead of using the OneLevelUp/Leaf method of searching nested groups, is there any reason not to use something like:

     

    (distinguishedName=%{memberOf:1.2.840.113556.1.4.1941:})

     

    for the Groups query?  This seems to return all the nested groups in Active Directory.

     

    The resource I used to find this was: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

     

    Thanks,

     

      Eric

     

    Edit: This doesn't actually work, I had the query wrong and was allowing access to all groups.  It does work if you modify the auth query, but then it's very awkward, i.e.:

     

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=NestedGroup...))

     

    If there's a way of retrieving nested memberOf attributes from Active Directory that would be ideal.



  • 8.  RE: Nested groups in MemberOf for active directory not being followed

    MVP
    Posted Nov 03, 2014 10:11 AM

    Seems nested groups still do not work 'out of the box'.

    Is there any intention to get this config into ClearPass per default?  Is that v2 document still the latest version?



  • 9.  RE: Nested groups in MemberOf for active directory not being followed
    Best Answer

    Posted May 25, 2016 10:56 PM

    Support shared with me an LDAP OID and some basic 'n-1' traversal that can deal with this better than the original pdf shared at the top of this thread.

     

    Is this the new gospel way of dealing with this?

     

    Untitled.png



  • 10.  RE: Nested groups in MemberOf for active directory not being followed

    EMPLOYEE
    Posted May 25, 2016 10:58 PM

    Are you using generic LDAP or AD?



  • 11.  RE: Nested groups in MemberOf for active directory not being followed

    Posted May 25, 2016 11:00 PM

    Microsoft.

     

    I presume it depends on whether the implementation supports the OID.  That's the only way this would work?



  • 12.  RE: Nested groups in MemberOf for active directory not being followed

    EMPLOYEE
    Posted May 25, 2016 11:01 PM

    The screenshot you posted is the correct way to grab nested groups in an AD environment.



  • 13.  RE: Nested groups in MemberOf for active directory not being followed

    Posted Jan 25, 2018 02:58 PM

    Is there any updated way to handle this? I implemented the described string: 

    (member:1.2.840.113556.1.4.1941:=%{UserDN})

     

    My query times were awful and I started to receive LDAP timeout failures due to the extra lookup time. Once cached, a query was fine, but if the cache expired, it would take 20-30 seconds to query. Once I removed that attribute everything returned to normal. I did not try the original pdf solution yet.
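    As an added example (not from the thread and not ClearPass or Microsoft code), the Python below models the difference this thread turns on: what a user's memberOf attribute lists versus what the `member:1.2.840.113556.1.4.1941:` matching-rule filter from posts 9 and 13 matches, and it escapes the substituted `%{UserDN}` value so a DN containing filter metacharacters cannot change the shape of the query. The directory, group names and DNs are constructed for illustration.

```python
# Added example (not from the thread or from ClearPass): an in-memory model of
# the two AD lookups the thread compares. All DNs below are constructed.
from typing import Dict, Set

# Constructed directory: group DN -> its direct "member" values.
# CP-ReadOnly contains the group App-Admins, which contains the user jdoe.
USER = "CN=jdoe,OU=Users,DC=example,DC=com"
MEMBER: Dict[str, Set[str]] = {
    "CN=CP-ReadOnly,OU=Groups,DC=example,DC=com": {"CN=App-Admins,OU=Groups,DC=example,DC=com"},
    "CN=App-Admins,OU=Groups,DC=example,DC=com": {USER},
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {USER},
}


def direct_member_of(dn: str) -> Set[str]:
    """What the memberOf attribute exposes: direct memberships only (post 1)."""
    return {g for g, members in MEMBER.items() if dn in members}


def transitive_member_of(dn: str) -> Set[str]:
    """What member:1.2.840.113556.1.4.1941:=<dn> matches: the whole chain.

    This loop is the work the domain controller does server-side for that
    matching rule; the visited set stops it on circular group nesting.
    """
    seen: Set[str] = set()
    frontier = {dn}
    while frontier:
        current = frontier.pop()
        for group in direct_member_of(current) - seen:
            seen.add(group)
            frontier.add(group)
    return seen


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def nested_groups_filter(user_dn: str) -> str:
    """The groups-query filter from posts 9 and 13, with the DN escaped so
    '(' ')' '*' or '\\' inside a user's DN cannot alter the filter."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)


if __name__ == "__main__":
    print("direct:    ", sorted(direct_member_of(USER)))
    print("transitive:", sorted(transitive_member_of(USER)))
    print(nested_groups_filter(USER))
```

The walk in `transitive_member_of` is repeated by the domain controller for every uncached query, which is the cost behind the timeouts reported in posts 13 and 14.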

     



  • 14.  RE: Nested groups in MemberOf for active directory not being followed

    EMPLOYEE
    Posted Apr 09, 2020 07:44 AM

    Hi!! 

     

    Can I have an update on this? 

     

    I'm getting TIMEOUTs after the LDAP query for Nested AD is added.



  • 15.  RE: Nested groups in MemberOf for active directory not being followed

    Posted May 07, 2020 08:35 AM

    Hi!

     

    I used this configuration on 6.9.0.130064 successfully.
    The only difference I made to the config posted here before is that I called the filter "All Groups".
    Initially it didn't work (I had called the filter "Nested Groups").
    After renaming the filter, I cleared the cache of the AD on ClearPass.
    From this point, the nested groups were fetched correctly.

     

    All Groups.JPG