LDAP user and group sync - nesting members?
Hi, I've just upgraded to v6 in order to take advantage of automated group creation from LDAP. I'm struggling with the lack of documentation around LDAP on NXW and can't make the pieces fit.
I first created a query with a baseDN of the OU my groups are in and a filter of cn=GroupName* which successfully pulled in my groups.
I also tried creating a query using memberOf to find members of each group, but as the members are nested in a subgroup I had to use the OID for nested chain membership (MemberOf:1.2.840.113556.1.4.1941:=CN=<GroupCN>,<rest of DN>), which works to pull in the users that are a member of one of the groups. I repeated this 3 times for the groups I wanted members of. The users imported show as members of the group "LDAP Default Group", and the 3 groups I was able to create with the 1st filter all show as having 0 members. What am I missing? Will I need to specify enough filters to get the nested groups as well, or do I need some magic filter to pull group + membership in a single query per group to allow them to associate?
Unfortunately, I've already surpassed the reseller's depth of product knowledge in the 2 days I've been using NXW and they only suggest asking the vendor.
Hi Mark,
For your case, you should set up the following queries:
- A query to the OU where all your groups are located, or separate queries for each group (including nested ones).
- A query to the OU with all users, or separate queries to the OU of each group, using a "MemberOf=CN=<group_name><rest_of_DN>" filter (again, including nested groups).

If you still encounter any issues, please provide screenshots for a better understanding of the problem. We can also convert your query into a ticket if you'd like us to connect to the system and assist with configuring the LDAP import.
Hi Ruslan,
Thanks for replying. I found what I was doing wrong and everything is working well now. I am very impressed with the way the LDAP functionality works in v6.
The thing causing my problems was self-inflicted. In v5 I was using an LDAP filter that only included users that were enabled, by querying userAccountControl as well as memberOf. As soon as I stripped the userAccountControl query out of the string, the whole thing jumped to life.
The end setup for 3 groups looks like this:
- A query to pull the groups themselves: (&(objectCategory=group)(objectClass=group)(CN=ACL_NXW_*))
- 3x individual queries to grab members and nested groups of the 3 groups I am interested in: (MemberOf:1.2.840.113556.1.4.1941:=CN=ACL_NXW_<groupName>,OU=<Rest of distinguishedName>)
After doing this, when I look in the user management of NXWitness I can see the group members show similar to this:
- Nested Group 1
  - Member 1
  - Member 2
- Nested Group 2
  - Member 3
  - Member 4

I've then assigned the permissions to the groups being synced via LDAP and everything just works.
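The two filter shapes Mark ends up with, as an added example that is not from the thread or from the vendor: it builds the group query and the nested-membership query (the 1.2.840.113556.1.4.1941 matching rule), escapes the DN per RFC 4515 so a group name containing parentheses or asterisks cannot break the filter, and resolves transitive membership over a small constructed directory to show why one in-chain query per group covers the nested subgroups. The group names, OU layout and directory contents are assumptions.

```python
"""Build and check nested-group LDAP sync filters (added example, not vendor code)."""
from collections import deque

# LDAP_MATCHING_RULE_IN_CHAIN: the OID the thread uses for transitive memberOf.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a DN can sit safely inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def group_filter(prefix: str) -> str:
    """First query in the thread: every group whose CN starts with `prefix`."""
    return f"(&(objectCategory=group)(objectClass=group)(CN={escape_filter_value(prefix)}*))"


def nested_members_filter(group_dn: str) -> str:
    """Per-group query: objects that are direct or nested members of `group_dn`."""
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"


# Constructed sample directory (assumed layout): group DN -> list of member DNs.
# Users are any DN that has no entry of its own here.
DIRECTORY = {
    "CN=ACL_NXW_Admins,OU=Groups,DC=example,DC=com": [
        "CN=Nested Group 1,OU=Groups,DC=example,DC=com",
        "CN=Nested Group 2,OU=Groups,DC=example,DC=com",
    ],
    "CN=Nested Group 1,OU=Groups,DC=example,DC=com": [
        "CN=Member 1,OU=Users,DC=example,DC=com",
        "CN=Member 2,OU=Users,DC=example,DC=com",
    ],
    "CN=Nested Group 2,OU=Groups,DC=example,DC=com": [
        "CN=Member 3,OU=Users,DC=example,DC=com",
        "CN=Member 4,OU=Users,DC=example,DC=com",
        # A cycle back to the parent; real AD forests can contain these.
        "CN=ACL_NXW_Admins,OU=Groups,DC=example,DC=com",
    ],
}


def resolve_in_chain(directory: dict, group_dn: str) -> set:
    """Simulate the in-chain rule: every DN reachable through nested membership.

    A plain memberOf=<dn> filter would return only directory[group_dn]; the
    chain rule walks subgroups as well, and the visited set guards against cycles.
    """
    seen, queue = set(), deque(directory.get(group_dn, []))
    while queue:
        dn = queue.popleft()
        if dn in seen or dn == group_dn:
            continue
        seen.add(dn)
        queue.extend(directory.get(dn, []))
    return seen
```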
Hi Ruslan,
I want to know whether the feature you mentioned above can be implemented with version 5.1.3.38363?
Thanks in advance!
Br
Fan
Hi Rong Fan,
LDAP group support has been implemented starting from version 6.0.