How to configure LDAP Nested group validation for Microsoft Active Directory(AD) using Object Identifier(OID)

Article ID: CTX237210

Description

The objective of this article is to explain the configuration of nested group validation for Microsoft Active Directory (AD) using an Object Identifier (OID).


Instructions

By default, NetScaler will only search for usernames that are direct members of the Active Directory group.

When communicating specifically to Microsoft Active Directory (AD) you can provide object identifier (OID) prefixes in the bind filter to instruct AD to use specific rules when searching for a match. One such rule is to walk the LDAP directory, which is needed when you are looking for nested group memberships.

First, configure your LDAP server on the NetScaler as desired. The details of the LDAP server configuration are explained in How to Configure LDAP Authentication on NetScaler or NetScaler Gateway.

In order to search for the groups in which the end user is a member, including groups where membership comes through nested groups, the LDAP server must be asked to recursively search through all group membership nodes by including an OID in the search filter.

LDAP matching rule OID: 1.2.840.113556.1.4.1941
String identifier: LDAP_MATCHING_RULE_IN_CHAIN

So your search filter would simply look like: memberOf:1.2.840.113556.1.4.1941:=CN=<DN of Group>

Example:
memberof:1.2.840.113556.1.4.1941:=cn=NEEDED_GROUP,DC=COMPANY,DC=COM


If the user is a member of group NESTED_GROUP, and NESTED_GROUP is itself nested within group NEEDED_GROUP, then an LDAP authentication profile whose search filter names NEEDED_GROUP will deny logon for that user. The logon succeeds only when the LDAP_MATCHING_RULE_IN_CHAIN OID is included in the search filter, which instructs the LDAP server to evaluate group nesting recursively.
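The following is an added example, not code from the Citrix article: it builds the plain and the OID-based memberOf filters (escaping the group DN per RFC 4515) and, on a constructed in-memory directory, evaluates both the way AD would, so the NESTED_GROUP/NEEDED_GROUP case above can be checked without a domain controller. The DNs and the user name alice are constructed sample values.

```python
# Added example (not part of the Citrix article or NetScaler itself).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def direct_group_filter(group_dn: str) -> str:
    """Default NetScaler behaviour: only direct members of the group match."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def nested_group_filter(group_dn: str) -> str:
    """Filter from the article: AD walks the chain of group memberships."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


# Constructed sample directory: group DN -> direct 'member' values.
# alice is a direct member of NESTED_GROUP only; NESTED_GROUP sits inside NEEDED_GROUP.
DIRECTORY = {
    "cn=NEEDED_GROUP,dc=COMPANY,dc=COM": ["cn=NESTED_GROUP,dc=COMPANY,dc=COM"],
    "cn=NESTED_GROUP,dc=COMPANY,dc=COM": ["cn=alice,cn=Users,dc=COMPANY,dc=COM"],
}
# AD compares DNs case-insensitively, so normalise everything to lower case.
MEMBERS = {g.lower(): {m.lower() for m in ms} for g, ms in DIRECTORY.items()}


def matches_direct(user_dn: str, group_dn: str) -> bool:
    """Evaluate a plain memberOf filter: exactly one hop, no nesting."""
    return user_dn.lower() in MEMBERS.get(group_dn.lower(), set())


def matches_in_chain(user_dn: str, group_dn: str) -> bool:
    """Evaluate the LDAP_MATCHING_RULE_IN_CHAIN filter: follow group-in-group
    links transitively; the visited set makes circular nesting terminate."""
    target, seen, stack = user_dn.lower(), set(), [group_dn.lower()]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        members = MEMBERS.get(group, set())
        if target in members:
            return True
        stack.extend(m for m in members if m in MEMBERS)  # descend into nested groups
    return False
```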

Once configured, the LDAP server configuration should look like the screenshot below:
[Screenshot of the NetScaler LDAP server configuration with the nested group search filter]

Issue/Introduction

This article describes how to configure LDAP nested group validation for Microsoft Active Directory (AD) using an Object Identifier (OID).

Additional Information

If you wish to configure nested group extraction on NetScaler without using an OID, or want to extract nested group information only up to a specific level, refer to the article How to Configure LDAP Nested Group Extraction on NetScaler Gateway.
For more information on other OID references, refer to MSDN - Search Filter Syntax.