User Group and LDAP in VSM 7.6.0

Arie --
Level 1

Hello,

I have a customer who migrated their VSM from 6.3 to 7.6. In VSM 6.3, we can add users by using LDAP and can manage each user from the LDAP. I mean that each user in LDAP can be manually assigned to a role which is created from VSOM.

In VSM 7.6, I face a problem with that. I think in VSM 7.6, Cisco has disabled that feature. In VSM 7.6, I can't manage each user separately. Am I right? After Active Directory is connected to VSOM via LDAP, I can't assign each user to one or several user groups individually by using VSOM. I must group the users in the AD first and then filter them in VSOM. I think it is not efficient because there will be many duplicate users in AD if a user is assigned to more than 1 user group.

So, what is the best solution so that a user in AD can be assigned to several user groups without being duplicated in AD?

Thank you


Scott Olsen
Level 6

I'm not *quite* following what you are running into, but luckily, I'm about to do some LDAP integration of my own for a client, so this will likely come into full focus for myself as well.

The last time I visited it was with VSM 7.2, and if I remember correctly, the LDAP search filters matched OUs/Group membership to 'Roles' within VSOM...

I think worst case, you might end up with a list of groups in AD that match your 'roles' within VSOM and LDAP search filters that define these associations.  Then it would just be a matter of ensuring that your AD accounts are members of the required respective roles?  I could be misinterpreting this though...

I'll check back in once I refresh myself some more.

 

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com

Hi,

Thanks for the reply.

I also think that I might end up with a list of groups in AD. Let's say I have 3 User Groups in VSOM with 3 different roles: Superadmin; Admin; Security.

In AD, let's say I have 5 users: User A; User B; User C; User D; User E.

For example, the mapping which I want is as below:

 

User Groups | User
=================
Security    | User A; User B
Admin       | User B; User C; User D
Superadmin  | User B; User E

 

So, maybe I should create several OUs / groups in AD with a replicated user (User B). Is that true?

Thank you

 

Hi Arie,

I think the best approach to take would be to define what your *Roles* are going to be on the VSOM side, and then create User Groups in VSOM that map to those roles.

Then, create matching Security Groups within AD (LDAP) that correlate to the VSOM User Groups.  Finally, create LDAP Search filters that link AD Security Group membership to VSOM User Groups upon LDAP authentication.

Scott Olsen Solutions Specialist Bulletproof Solutions Inc. Web: www.bulletproofsi.com
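
The group-to-user table from the thread, resolved through one `memberOf` search filter per VSOM User Group, as an added example that is not part of the original posts or Cisco's code. The base DN, the `VSOM-*` security group names and the filter shape are assumptions, and the directory entries are constructed.

```python
# Added example: constructed AD entries plus a minimal LDAP filter evaluator
# (equality, &, |, ! only; no escaping, wildcards or nested-group handling).
BASE = "OU=VSM,DC=example,DC=com"  # hypothetical base DN

def group_dn(name):
    return f"CN=VSOM-{name},{BASE}"  # hypothetical AD security group naming

def make_entry(cn, groups):
    # One entry per person; memberOf is multi-valued, so no duplicate accounts.
    return {"cn": [cn], "objectclass": ["user"], "memberof": [group_dn(g) for g in groups]}

# The mapping requested in the thread, with User B as a single account.
DIRECTORY = [
    make_entry("User A", ["Security"]),
    make_entry("User B", ["Security", "Admin", "Superadmin"]),
    make_entry("User C", ["Admin"]),
    make_entry("User D", ["Admin"]),
    make_entry("User E", ["Superadmin"]),
]

# Assumed filter shape: one search filter per VSOM User Group.
VSOM_GROUP_FILTERS = {g: f"(&(objectClass=user)(memberOf={group_dn(g)}))"
                      for g in ("Security", "Admin", "Superadmin")}

def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return not results[0] if node[0] == "!" else (all if node[0] == "&" else any)(results)

def vsom_groups_for(entry):  # VSOM User Groups whose filter matches this entry
    return sorted(g for g, f in VSOM_GROUP_FILTERS.items() if matches(parse(f)[0], entry))

def members_of(group):  # review helper: accounts that resolve to one VSOM User Group
    return [e["cn"][0] for e in DIRECTORY if group in vsom_groups_for(e)]
```

In real AD, an equality match on `memberOf` sees only direct memberships, so accounts that reach a group through nesting or as their primary group are not matched by these filters.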