20-Jul-2022 07:02
I have a basic policy using LDAP auth and UPN. This works fine; auth is successful. The LDAP query appears to be successful, but it moves to fallback.
LDAP Query and Auth Searchfilter set to (userPrincipalName=%{session.logon.last.username})
LDAP Query and Auth SearchDN set to OU=sites,DC=domain,DC=local
Branch rule set to expr {[mcget {session.ldap.last.attr.memberOf}] contains "Intune-Test"}
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_auth_ag.totalEntries' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.EAS-Outlook.access_act_ldap_query_ag.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.dn' set to 'CN=User Name,OU=Users,OU=NSC,OU=sites,DC=domain,DC=local'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.memberOf' set to '#{Session_Variable_Value}'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectClass' set to '| top | person | organizationalPerson | user |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.objectSid' set to '0x01024254324540053453E679278BB1B516836C7DAE0100'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.sAMAccountName' set to 'user'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.userPrincipalName' set to 'user@domain.com'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.authresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsg' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.errmsgext' set to ' '
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.totalEntries' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.logon.page.errorcode' set to '0'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.policy.result' set to 'deny'
21-Jul-2022 07:39
The problem I had here was the memberOf group I was using for testing. Tested with another group and it's good.
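An added example, not part of the original thread: a small Python helper that rebuilds the session variables from log lines in the format posted above and checks the same condition as the branch rule against the real memberOf value. The sample log and its group names are constructed, and the helper assumes the branch rule's `contains` is a case-sensitive substring test on the '| dn1 | dn2 |' string.

```python
import re

# Constructed sample in the log format shown in the post; group names are made up.
SAMPLE_LOG = """\
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.attr.memberOf' set to '| CN=Intune-Prod,OU=Groups,DC=domain,DC=local | CN=VPN-Users,OU=Groups,DC=domain,DC=local |'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.ldap.last.queryresult' set to '1'
EAS-Outlook.access:Common:6e95b221: Session variable 'session.policy.result' set to 'deny'
"""

LINE_RE = re.compile(r"Session variable '([^']+)' set to '(.*)'\s*$")
MEMBER_OF = "session.ldap.last.attr.memberOf"

def parse_session(log_text):
    """Rebuild the session variable table from APM log lines (last write wins)."""
    session = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            session[match.group(1)] = match.group(2)
    return session

def group_cns(member_of):
    """Split the '| dn1 | dn2 |' form and return each group's leading CN."""
    cns = []
    for dn in (part.strip() for part in member_of.split("|")):
        match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if match:
            cns.append(match.group(1))
    return cns

def diagnose(session, needle):
    """Report why a 'memberOf contains <needle>' branch would or would not match."""
    member_of = session.get(MEMBER_OF, "")
    matches = needle in member_of  # assumed equivalent of the branch rule's contains
    return {
        "query_ok": session.get("session.ldap.last.queryresult") == "1",
        "branch_matches": matches,
        "case_only_mismatch": not matches and needle.lower() in member_of.lower(),
        "groups": group_cns(member_of),
    }

if __name__ == "__main__":
    print(diagnose(parse_session(SAMPLE_LOG), "Intune-Test"))
```

A result with `query_ok` true and `branch_matches` false corresponds to the situation in the thread: the query succeeded, but the group name in the branch rule is not among the returned memberOf values, so the policy takes the fallback branch.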