On Tue, 12 Jan 2016, CFMS Support wrote:
Hi Alexander,

Yes I see that as well actually, and when looking for a specific group I
get:

[12/Jan/2016:10:30:50 +0000] conn=30648 fd=114 slot=114 connection from 172.19.6.16 to 172.20.3.6
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 TLS1.2 128-bit AES-GCM
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk" method=128 version=3
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=identity,dc=cfms,dc=org,dc=uk"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH base="cn=groups,cn=accounts,dc=identity,dc=cfms,dc=org,dc=uk" scope=2 filter="(cn=XXXXX)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 fd=114 closed - U1

And that the directory server has returned one entry, however, the VPN
device doesn't see it and returns that the group is not found.
Can you show the result of the ldapsearch under the same credentials
from the command line to see what exactly it gets?

Looking at the setup instructions [1], I think you need to choose
between static or dynamic group selection. Right now you have static
group selection configured which assumes you have an LDAP Server catalog
configured in PSA to list all groups that can be there, and these group
DNs must match what you get as result of the searches performed.

If you have already defined those static groups in LDAP Server catalog,
then I think you need to use 'member' attribute instead of memberOf --
memberOf is used in the user (or a nested group) entry to say what group
this object is member of, while the group itself will have member
attribute values pointing to its members.

[1] http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.1-adminguide.pdf

--
/ Alexander Bokovoy
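As an added example (not part of the thread, and not FreeIPA or Juniper code), a small Python script that correlates SRCH and RESULT lines of a 389-ds access log like the one quoted above and flags searches on the groups subtree that request memberOf but not member, which is exactly the case where the server reports nentries=1 while the client gets no membership list back. The sample log, the suffix dc=example,dc=test and the group name are constructed.

```python
import re

# Constructed sample, modelled on the 389-ds access log quoted in the thread
# (placeholder suffix and group name; not the original log).
SAMPLE_LOG = """\
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 BIND dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[12/Jan/2016:10:30:50 +0000] conn=30648 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ldap,cn=sysaccounts,cn=etc,dc=example,dc=test"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 SRCH base="cn=groups,cn=accounts,dc=example,dc=test" scope=2 filter="(cn=vpn-users)" attrs="memberOf"
[12/Jan/2016:10:30:50 +0000] conn=30648 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jan/2016:10:30:50 +0000] conn=30648 op=3 UNBIND
"""

# SRCH line with a quoted, space-separated attrs list (attrs=ALL unquoted is not handled here).
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                     r'filter="([^"]*)" attrs="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')


def parse_searches(log_text):
    """Return one record per SRCH, joined with its RESULT by (conn, op)."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt, attrs = m.groups()
            searches[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt,
                                    "attrs": attrs.split(), "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in searches:   # ignore BIND/EXT results
            rec = searches[(m.group(1), m.group(2))]
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(5))
    return list(searches.values())


def group_attr_mismatches(records):
    """Searches under the FreeIPA groups container (assumed cn=groups,...) that
    ask for memberOf without member: the group entry is found (err=0,
    nentries>=1) but carries no memberOf, so the caller sees an empty result."""
    found = []
    for r in records:
        attrs = {a.lower() for a in r["attrs"]}
        if (r["base"].lower().startswith("cn=groups,") and "memberof" in attrs
                and "member" not in attrs and r["err"] == 0 and (r["nentries"] or 0) >= 1):
            found.append(r)
    return found


if __name__ == "__main__":
    for r in group_attr_mismatches(parse_searches(SAMPLE_LOG)):
        print(f"{r['filter']} on {r['base']}: requested {r['attrs']}, expected 'member'")
```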

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project