
Windows AD user auto-mapping with STAS

Hello, I set up the STAS SSO mechanism within a Windows AD domain. It works, but most users belong to more than one group.

I created specific AD groups to manage access through the firewall, so that it would be sufficient to change user AD group membership instead of accessing the fw for the same reason. But, I'm unable to have the fw mapping the correct group. How does it work? I created some AD groups, added the relevant AD users to it. When the STAS registers one user (who is member of a number of AD groups), the appliance searches for the user in AD, scans group membership and finally chooses one group to import. Unfortunately it is not the intended group. I tried to reorder groups in Sophos, I renamed groups in AD so that they would appear first in alpha order, I set the relevant group to be the primary group for the user... But it doesn't work. How do I drive the appliance in the right group selection? Maybe some AD attributes have to be set?



  • Hello,

    what I could see is that, within the AD authentication service of the XG firewall, LDAP queries are used for both user and group info fetching.

    I couldn't find a way to differentiate LDAP queries to fetch users only or groups only. So I guess that, when searching for user or group info, all queries are executed.

    The fetching order we are talking about is referred to what entity?

    1. The LDAP query definition listed inside the AD server authentication configuration pane;
    2. The results returned by the query;
    3. The list of groups already configured inside the XG appliance?

    Please explain the mechanism better, because I'm unable to match users to the correct group inside the XG. Configuration results for this process should be predictable.

    Thx

  • Hi,

    By default, users in Active Directory are all part of the Security Group 'Domain Users'. This global security group is automatically set as the primary group in the "Member Of" settings for the user. The 'member of' attribute of the user object is not populated with the group name. Because the XG does not query Active Directory for the PrimaryGroupID attribute, and only for the Members attribute of the group, users cannot be prefetched.

    Please delete all the imported groups and re-import fresh.

    Refer to the link to import Active Directory OUs and Groups.

    https://community.sophos.com/kb/en-us/123158

    Thanks
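The reply above turns on one Active Directory detail: a user's primary group is stored only as a RID in the user's primaryGroupID attribute (matching the last component of the group's objectSid), never in the group's member attribute or the user's memberOf back-link. The following script is an added illustration of that, not code from Sophos or from this thread; it models a resolver that scans only each group's member attribute (which the reply says is what the XG does) beside one that also resolves primaryGroupID. All directory entries, the domain SID and the user and group names are constructed sample data.

```python
"""Added illustration (not code from the Sophos thread or from Sophos XG).

Active Directory records group membership in two different places:
  * explicit membership: the group's multi-valued `member` attribute (mirrored
    as the back-link `memberOf` on the user), and
  * the primary group: only as a RID in the user's `primaryGroupID` attribute,
    which equals the last component of the group's `objectSid`. The primary
    group is never listed in `member`/`memberOf`.

A resolver that reads only `member`/`memberOf` therefore misses the primary
group, and making a group primary for a user removes that user's explicit
entry from it. All data below is constructed; the domain SID is not real.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not real

# Constructed group objects: DN -> attributes.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-513",  # 513 is the well-known Domain Users RID
        # alice's primary group is Domain Users, so she is NOT listed here;
        # bob's primary group was moved elsewhere, so he became an explicit member.
        "member": ["CN=bob,CN=Users,DC=example,DC=com"],
    },
    "CN=FW-Internet,OU=Firewall,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1105",
        # bob's primary group is FW-Internet, so AD dropped his explicit entry.
        "member": ["CN=alice,CN=Users,DC=example,DC=com"],
    },
    "CN=FW-VPN,OU=Firewall,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1106",
        "member": [
            "CN=alice,CN=Users,DC=example,DC=com",
            "CN=bob,CN=Users,DC=example,DC=com",
        ],
    },
}

# Constructed user objects: DN -> attributes. Only primaryGroupID matters here.
USERS = {
    "CN=alice,CN=Users,DC=example,DC=com": {"primaryGroupID": 513},   # Domain Users
    "CN=bob,CN=Users,DC=example,DC=com": {"primaryGroupID": 1105},    # FW-Internet
}


def rid_of(sid: str) -> int:
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def cn(dn: str) -> str:
    """Short name of an object, e.g. 'FW-VPN' from its distinguished name."""
    return dn.split(",", 1)[0][len("CN="):]


def explicit_groups(user_dn: str) -> set[str]:
    """Groups found by scanning each group's `member` attribute only.

    This is the lookup the reply describes; the primary group is invisible to it.
    """
    return {cn(g) for g, attrs in GROUPS.items() if user_dn in attrs["member"]}


def effective_groups(user_dn: str) -> set[str]:
    """Explicit groups plus the primary group resolved through primaryGroupID."""
    groups = explicit_groups(user_dn)
    rid = USERS[user_dn]["primaryGroupID"]
    for g, attrs in GROUPS.items():
        if rid_of(attrs["objectSid"]) == rid:
            groups.add(cn(g))
    return groups


def hidden_primary_group(user_dn: str) -> set[str]:
    """Groups a member-attribute-only lookup misses for this user."""
    return effective_groups(user_dn) - explicit_groups(user_dn)


if __name__ == "__main__":
    for u in USERS:
        print(cn(u), "explicit:", sorted(explicit_groups(u)),
              "missed:", sorted(hidden_primary_group(u)))
```

Running it shows the two cases side by side: alice is an explicit member of FW-Internet and FW-VPN while her primary group, Domain Users, goes unseen; bob, whose primary group was set to FW-Internet, is now only seen in FW-VPN and Domain Users. That is why making the intended group the user's primary group (one of the things the original question tried) hides that membership from a member-attribute lookup instead of promoting it.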
