Layer7 API Management

  • 1.  How to add all Users of LDAP Group to Gateway Roles?

    Posted Mar 08, 2019 08:14 AM

    The Question:

    I try to add LDAP User Groups to specific Gateway Roles, for instance the LDAP Group "CA_ADMIN" to the Gateway Role "Administrator", to be able to log in with all the LDAP users which are members of the "CA_ADMIN" LDAP Group.

    How can I achieve this?

    The Problem:

    When I try to log in with a user which is a member of the "CA_ADMIN" Group, I get the error "Invalid Username/Password".

    What is already configured/tried:

    Two Identity Providers, one with an LDAP search base for the LDAP groups and one with a search base to get users.

    The providers are mapping all the attributes except the certificate from the LDAP users (I removed the mapping of the certificate, else a login without client certificate was not possible anymore).

    Searching both providers works and the users contain the data mapped correctly and the groups contain the specific users and also the data mapped correctly.

    I add the LDAP Group "CA_ADMIN" to the CA Administrator Role through the menu:

           Task -> Users and Authentication -> Manage Roles

    selecting Administrator and adding the LDAP Group (CA_ADMIN) to the Assignments.

    What worked:

    If I add the specific LDAP Users to the CA Administrator Role then I can login to the Gateway with the LDAP Users.



  • 2.  Re: How to add all Users of LDAP Group to Gateway Roles?

    Broadcom Employee
    Posted Mar 08, 2019 05:09 PM

    Good afternoon,

    In most instances the outline that you described should work. We have seen in some cases if the user attempts to go down too many nested groups then it causes problems or if the directory is using case sensitive Groups. I would suggest changing the Maximum nesting to 1 to disable nesting and check off the use case insensitive group membership check.

    Sincerely,

    Stephen Hughes

    Broadcom Support



  • 3.  Re: How to add all Users of LDAP Group to Gateway Roles?

    Posted Mar 11, 2019 10:33 AM

    Hi Stephen,

    Thank you for your fast feedback, but still I can't log in with the users in the group to the gateway.

    Let me give you some screenshots, perhaps I am missing something in the configuration.

    The Identity Provider Configuration:

    Identity Provider Config

    The default ObjectClass Mapping for LDAP group and user class:

    The group options and attribute options:

    Adding a specific LDAP group to the CA Gateway Administrator Role:

    Searching the identity provider for the specific group which was created.

    Also selecting the Membership tab to see which user is included and the Roles tab to check whether this LDAP group has the CA Role Administrator to be able to log in and administrate the gateway.

    And the problem is still that I can't log in with the user 7193 for example, which has a group membership of the specific group.

    Like I wrote before, if I add another provider with a different search base to get the users, like: OU=StandardUser,OU=User,OU=DE-NU,DC=corp,DC=dir

    and I add the specific users directly to the Administrator Role in the Gateway, the login works.



  • 4.  Re: How to add all Users of LDAP Group to Gateway Roles?
    Best Answer

    Broadcom Employee
    Posted Mar 11, 2019 12:32 PM

    One thing from your comments at the end is that it is possible that the search base is too low in the directory so you will see the group and the users in the group but not actually be able to see the user as it resides in another branch. Please change your search base to OU=DE-NU,DC=corp,DC=dir and see if that fixes the problem.

    Sincerely,

    Stephen Hughes

    Broadcom Support
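The diagnosis above, as an added example that is not part of the thread or of the Layer7 Gateway code: a small model of LDAP subtree scoping that shows why a role assigned to a group stops working when the identity provider's search base sits below the branch holding the group's members. The directory is constructed; its OU names follow the DNs quoted in the thread (OU=StandardUser,OU=User,OU=DE-NU,DC=corp,DC=dir), while the group location, the second user and all attribute values are assumptions. Running it prints, for a narrow base and for the wider base suggested in the answer, which members the provider can resolve and whether user 7193 would get the role through the group.

```python
"""Added example (not from the thread): model how an identity provider's LDAP
search base decides whether a group's members can be resolved.

All entries below are constructed. The OU layout is modelled on the DNs quoted
in the thread; the group DN, the second user and the attribute values are assumptions.
"""

# Constructed directory: DN -> attributes. The group sits under OU=Groups, its
# members under two different OUs below OU=User; everything is below OU=DE-NU.
DIRECTORY = {
    "CN=CA_ADMIN,OU=Groups,OU=DE-NU,DC=corp,DC=dir": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=7193,OU=StandardUser,OU=User,OU=DE-NU,DC=corp,DC=dir",
            "CN=4711,OU=Admins,OU=User,OU=DE-NU,DC=corp,DC=dir",
        ],
    },
    "CN=7193,OU=StandardUser,OU=User,OU=DE-NU,DC=corp,DC=dir": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["7193"],
    },
    "CN=4711,OU=Admins,OU=User,OU=DE-NU,DC=corp,DC=dir": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["4711"],
    },
}

GROUP_DN = "CN=CA_ADMIN,OU=Groups,OU=DE-NU,DC=corp,DC=dir"
NARROW_BASE = "OU=Groups,OU=DE-NU,DC=corp,DC=dir"  # sees the group, not its members
WIDE_BASE = "OU=DE-NU,DC=corp,DC=dir"              # the base suggested in the thread


def _rdns(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace stripped).
    Simplification: escaped commas inside attribute values (RFC 4514) are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_subtree(dn, base):
    """True when dn equals base or lies anywhere below it (LDAP subtree scope)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def subtree_search(base, object_class):
    """Return the DNs below base that carry object_class (compared case-insensitively)."""
    wanted = object_class.lower()
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn_in_subtree(dn, base)
        and wanted in (c.lower() for c in attrs.get("objectClass", []))
    ]


def resolve_members(group_dn, base):
    """Split a group's member DNs into those visible below base and those outside it."""
    if group_dn not in DIRECTORY or not dn_in_subtree(group_dn, base):
        raise LookupError(f"group {group_dn} is not visible below {base}")
    visible, outside = [], []
    for member_dn in DIRECTORY[group_dn]["member"]:
        seen = member_dn in DIRECTORY and dn_in_subtree(member_dn, base)
        (visible if seen else outside).append(member_dn)
    return visible, outside


def group_grants_login(account, group_dn, base):
    """Would a role assigned to group_dn let `account` log in, given this search base?"""
    visible, _ = resolve_members(group_dn, base)
    return any(DIRECTORY[dn]["sAMAccountName"] == [account] for dn in visible)


if __name__ == "__main__":
    for base in (NARROW_BASE, WIDE_BASE):
        visible, outside = resolve_members(GROUP_DN, base)
        print(f"search base: {base}")
        print(f"  groups found          : {subtree_search(base, 'group')}")
        print(f"  members resolvable    : {visible}")
        print(f"  members outside base  : {outside}")
        print(f"  7193 gets role via group: {group_grants_login('7193', GROUP_DN, base)}")
```

The check a practitioner would run against a real provider is the same shape: take every member DN of the group assigned to the role and confirm it falls under the user search base (and is resolvable there). A member DN that sits in a sibling branch is the symptom described in the answer; widening the base to a common ancestor such as OU=DE-NU,DC=corp,DC=dir brings both group and members into scope.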



  • 5.  Re: How to add all Users of LDAP Group to Gateway Roles?

    Posted Mar 11, 2019 12:40 PM

    Thank you a lot Stephen for the fast answer, changing the search base solved the issue!