Solved: Cisco ISE LDAP query to primaryGroupID

Andrej Sumak · ‎08-17-2018

Hi experts,

I have a performance issue with my LDAP query against an rather big AD, where currently my search base DN is set to the root of the LDAP tree. The issue I have that now and then the query´s take awfully long which is somehow logical as ISE needs to rattle the whole LDAP tree each and every time.

now for the setup:

my devices are dispersed accross the whole LDAP tree in various groups, but there is a specific branch in which my groups are placed, I´m using for authorization. This also works fine. The devices primary group is also placed in this speficif branch. If i browse to this primary group and check it´s properties I see all the members in it. But the devices are not direct members of this primary group.

Now the question:

Is there a way to set the search base DN and general LDAP settings in ISE to query this specific branch, where the groups along with the devices primary group is set, but the devices itself are direct members outside this branch?

i hope i explained it in a understandable way... :)

thanks!

Andrej Sumak · ‎08-21-2018

I know I can specify different search base DN`s for groups and objects. Maybe my questions was unclear. But doesn´t matter anymore as we were able to solve our initial issue.

View solution in original post

howon · ‎08-20-2018

Yes, it can be done. On ISE LDAP settings > Directory Organization, You can configure where to start search for Subject and Groups separately.

Andrej Sumak · ‎08-21-2018

I know I can specify different search base DN`s for groups and objects. Maybe my questions was unclear. But doesn´t matter anymore as we were able to solve our initial issue.

iancresswell · ‎10-28-2019

How did you solve your issue, I have a similar problem where I cant query the primaryGroupID