#1 (permalink)
Master Untangler
Join Date: Jun 2009
Location: Denver, CO
Posts: 603
I've got 7.2 now and I'm testing AD Groups. I am in a group called IT Staff. I created a policy that applies to that group and then ran the logon script. Untangle sees me as being logged in, but the policy is not working. Do I need to do something special to get group-based rules to work? I tried adding my AD username and that worked, but using group::itstaff does not work.
Any thoughts?
__________________
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.

#2 (permalink)
Master Untangler
Join Date: Jun 2009
Location: Denver, CO
Posts: 603
Also, how does the Directory Connector know what groups I'm in? I can see that when the logon script runs, it reports my username, computer name and domain to Untangle, but how does Untangle know about my group memberships?

#3 (permalink)
Master Untangler
Join Date: Jun 2009
Location: Denver, CO
Posts: 603
Crud. I posted this in the wrong group. Can we move this to the Directory Connector forum?

#4 (permalink)
First, I don't know how it works.
But if you were to guess, the DC (Directory Connector) needs to sync what groups exist and what users are in what group. I don't think that it is realistic to have the login script send all the groups that a user is in. (Is there even a net command to find out?)
__________________
"Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to upload content for your forum post? http://about.me/webfool

#5 (permalink)
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
Every five minutes it queries your AD server for the list of groups and members of the groups. This is cached locally on the Untangle Server.
When a user is authenticated, it looks up the groups that the user is in and caches this information, so when new sessions are created policy rules can be evaluated quickly by looking in this cache. Verify that the AD connector test succeeds and is reading from your server.
__________________
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

#6 (permalink)
Master Untangler
Join Date: Jun 2009
Location: Denver, CO
Posts: 603
I ran the test and it said it succeeded. When I looked at the list of logged in users, it showed me as logged in. A policy based on my AD user name works, but it did not work when I selected only a group that I belong to.

#7 (permalink)
Master Untangler
Join Date: Aug 2008
URLs submitted: 1
Posts: 946