Forum Discussion
APM authenticate user to multiple AD groups
Hello All:
I hope someone can help me with this. I have recently deployed a private cloud on vCloud Director 5.5. We run a Development and Test Lab that has multiple projects running at any given time. We also have several different companies collaborating on different projects. Due to this fact, there are customers that require access to some projects but not others.
I have found that as soon as I complete an AD Query that satisfies a Group membership, APM quits searching and provides the resources allowed in that Resource Assignment. Unfortunately, there may be a project that authenticates to a different group later in the APM Policy. The user never gets to see these resources displayed.
I have devised an If/Then logic that searches through each possible combination of AD Groups. We currently have only four different AD groups that a user could authenticate to. This APM Policy is huge to cover all the scenarios. I believe with further growth that this will be unmanageable. Am I just missing something on how to lay out the policy to support this deployment, or does anyone have any suggestions on how to do this differently? Any help would be greatly appreciated.
Did you try to work with the option "Nested Groups" in your AD authentication?
It will help you to avoid this kind of problem, as for each group the APM will check your conditions. You would have to define only one Resource Assign box with your group membership conditions.
Here is a solution link to use nested groups: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12193
14 Replies
- Thomas_Gobet
Nimbostratus
Hi,
Into your Visual Policy Editor (VPE), when you want to split your configuration depending on group membership, you have to do this:
- Create a macro which will give access to your applications
- Click on the "+" and choose "Empty"
- Add a branch rule with the condition: Simple, Agent Sel: AD Query, Condition: User is a member of. Into the box you have to define the LDAP filter.
- Create as many branches as you have groups
- Then your clients will match resources behind only if they match your conditions.
I hope this is clear enough.
- fwebb_116789
Nimbostratus
Thomas, thank you for your reply. I am tracking and have completed that design, for the most part. I have attached a diagram of the macro I have created which satisfies all the current possibilities of AD group associations. It just seems as if this will become unmanageable as the infrastructure grows.
- Thomas_Gobet
Nimbostratus
Which version are you running on?
Also, why do you use the same macro whether the result is "Success" or "Fail"? I think you can optimize it; the problem is just to understand every scenario you can encounter.
- fwebb_116789
Nimbostratus
Thomas, I am running version 11.4.1 HF4. I use the same macro to avoid having to define the Member Of for the AD Query. Each branch represents all the possible combinations of group memberships. In the example above, I have 5 groups: Admin, 3, 8, Applications, and Models and Simulation. There will only be Administrators accessing Administrative assets. After that though, depending on who the user is, they could be members of any combination of groups based on what they need access to.
- fwebb_116789
Nimbostratus
Thomas, I think this is the best solution. I have been able to significantly reduce the branches off my APM policy. Thank you.
- fwebb_116789
Nimbostratus
I just wanted to give an update. I ended up configuring an AD Group Resource Assign. This took care of any issues I had with users being part of multiple AD groups.
Thank you again for all the assistance.
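The difference between the two layouts discussed in this thread (a chain of per-group "User is a member of" branch rules, where the first matching branch wins, versus one AD Group Resource Assign that lets every group the user belongs to contribute) is easy to model outside the VPE. The block below is an added example, not code from the thread or from F5: it evaluates a constructed set of group DNs and resource names against a made-up memberOf attribute (the value APM exposes as session.ad.last.attr.memberOf) in both orders. The branch order, group DNs and resource names are assumptions for illustration; the real policy's order is not on the page.

```python
"""
Added example (not from the DevCentral thread or F5): model of the two APM
policy layouts discussed above, evaluated over constructed data.

branch_first_match()   - original layout: a chain of "User is a member of"
                         branch rules; the first match wins and later groups
                         are never evaluated.
group_resource_assign() - resolved layout: one group -> resources mapping where
                         every matching group contributes (union of resources).
"""

from typing import Dict, FrozenSet, List

# Constructed group -> resources mapping. DNs and resource names are made up.
GROUP_RESOURCES: Dict[str, FrozenSet[str]] = {
    "CN=Admin,OU=Groups,DC=lab,DC=example": frozenset({"vcd_admin_portal"}),
    "CN=Project3,OU=Groups,DC=lab,DC=example": frozenset({"project3_vapp"}),
    "CN=Project8,OU=Groups,DC=lab,DC=example": frozenset({"project8_vapp"}),
    "CN=Applications,OU=Groups,DC=lab,DC=example": frozenset({"apps_portal"}),
    "CN=ModelsSim,OU=Groups,DC=lab,DC=example": frozenset({"modsim_cluster"}),
}

# Assumed evaluation order of the branch rules in the first-match layout.
BRANCH_ORDER: List[str] = list(GROUP_RESOURCES)


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: LDAP DNs are case-insensitive and AD
    may return them with whitespace after commas. (Escaped commas inside an
    RDN value are not handled; fine for these constructed DNs.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member_of(member_of: List[str], group_dn: str) -> bool:
    """Exact DN comparison. A substring ("contains") test would also accept
    CN=Project3x or CN=Admin2, so compare whole normalized DNs."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(dn) == target for dn in member_of)


def branch_first_match(member_of: List[str]) -> FrozenSet[str]:
    """Original layout: the first branch whose group matches is taken and
    only that branch's Resource Assign applies; the rest are never reached."""
    for group_dn in BRANCH_ORDER:
        if is_member_of(member_of, group_dn):
            return GROUP_RESOURCES[group_dn]
    return frozenset()  # fallback branch: nothing assigned


def group_resource_assign(member_of: List[str]) -> FrozenSet[str]:
    """AD Group Resource Assign layout: every group the user belongs to
    contributes its resources and the user receives the union."""
    granted: set = set()
    for group_dn, resources in GROUP_RESOURCES.items():
        if is_member_of(member_of, group_dn):
            granted |= resources
    return frozenset(granted)


# Constructed memberOf values for two test users.
USER_PROJECT3_AND_MODSIM: List[str] = [
    "CN=Project3,OU=Groups,DC=lab,DC=example",
    "cn=modelssim, ou=groups, dc=lab, dc=example",  # case/whitespace variant
]
USER_IN_NO_CONFIGURED_GROUP: List[str] = [
    "CN=Project3x,OU=Groups,DC=lab,DC=example",  # would match a substring test
]


if __name__ == "__main__":
    for label, member_of in [
        ("project3+modsim", USER_PROJECT3_AND_MODSIM),
        ("no configured group", USER_IN_NO_CONFIGURED_GROUP),
    ]:
        print(label)
        print("  first-match branches :", sorted(branch_first_match(member_of)))
        print("  group resource assign:", sorted(group_resource_assign(member_of)))
```

Run it and the first user gets only project3_vapp under the first-match layout but both project3_vapp and modsim_cluster under the group-based assignment, which is exactly the missing-resources behaviour the original post describes. The exact-DN comparison is the check worth keeping whichever layout you use: a substring match on memberOf would grant the second user Project3 resources.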
- Ali_Khan
Nimbostratus
Hi, I know this thread is old, but by any chance, if you get this, can you please share whether you had to add expressions with the AD Group Resource Assign option? I have the same scenario as yours and was looking for some guidance. Thanks in advance.
- Thomas_Gobet
Nimbostratus
You're welcome, it's a pleasure to read that everything goes fine for you!