Using nested LDAP groups in Reporter

Solution

Overview

Beginning with version 9.2, Reporter supports nested LDAP groups. This article describes how to take advantage of this feature.

Resolution

This feature is enabled with a check box that appears when you configure Role-Based Services in Reporter.

There are two places where you can set up nested groups.

1: The first location is the LDAP group configuration wizard, where a role is linked to an LDAP group. Everyone in that LDAP group receives the privileges given to the role. While authenticating a user over LDAP, Reporter also verifies, based on group membership, that the user is allowed access to the database. To set this up, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click Access control > LDAP groups.
  • Click the 'new' button.
  • Here you will see the option to turn on nested groups.

2: The second location is the Role configuration wizard, where access to parts of a database is restricted based on LDAP group membership. Here you set up a user filter and select the LDAP group the user is to be restricted to, so that the user sees only those parts of the database that contain that group information. To set this up, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click Access control > Roles.
  • Click the 'new' button.
  • Enter the name of the role you are about to create, and press Next.
  • Select a database.
  • Select 'Add Criteria' to create your filter.
  • Select User, and then open the drop-down list next to the user.
  • Select 'Is in Ldap Group' or 'Is not in Ldap group'.
  • Once you open the next drop-down list, called Groups, you will see the LDAP groups currently available in your AD tree.

Note on group membership syntax: The group information collected in the access log is often presented in a slightly different syntax from the one the LDAP protocol uses. Check your database configuration to ensure the two match. To do this, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click Databases, and select your database.
  • On the right-hand side of this screen, choose the drop-down arrow and select "set other options".
  • At the bottom of this screen you will see 'Username log settings'.
  • Here, choose the group name syntax that matches your access log.

All access logs can be unzipped and opened with a text editor; we suggest you do this to confirm that the two match. Look for the cs-groupname access log field. For more information on the access log fields required by Reporter, see 000021974.
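As an added example (not part of this KB article, and not Reporter's own code), the following Python script reads a W3C ELFF-style access log, pulls the cs-groupname value out of each record and reports which group-name syntaxes appear, so they can be compared with the syntax chosen under 'Username log settings'. The log excerpt, user names and group values are constructed for illustration, and the syntax labels (distinguished-name, domain-backslash-group, and so on) are this example's own, not the option names Reporter shows.

```python
"""Added example, not part of the KB article or of Reporter: survey the
cs-groupname field of an access log so its syntax can be compared with the
group-name syntax configured for the database in Reporter."""
import re
from collections import Counter

# Constructed W3C ELFF-style excerpt (not real log data): a '#Fields:' header
# names the columns, then one record per line. Values with spaces are quoted.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip cs-username cs-groupname sc-status cs-uri
2014-10-01 08:00:01 10.0.0.5 jsmith CN=Sales,OU=Groups,DC=example,DC=com 200 http://intranet.example.com/
2014-10-01 08:00:02 10.0.0.6 adoe EXAMPLE\\Sales 200 http://intranet.example.com/
2014-10-01 08:00:03 10.0.0.7 bkim "Domain Users" 200 http://intranet.example.com/
2014-10-01 08:00:04 10.0.0.8 - - 407 http://intranet.example.com/
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted value or a bare value


def parse_elff(text):
    """Return one dict per record, keyed by the names from the #Fields: line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Version, ...)
            continue
        if fields is None:
            raise ValueError("record appears before the #Fields: header")
        values = [m.group(1) if m.group(1) is not None else m.group(2)
                  for m in _TOKEN.finditer(line)]
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def classify_group_syntax(value):
    """Label the syntax of one group value. The labels are this example's own."""
    if value in ("", "-"):
        return "empty"
    if re.match(r"^[A-Za-z]+=", value):   # e.g. CN=...,OU=...,DC=...
        return "distinguished-name"
    if "\\" in value:                      # e.g. DOMAIN\group
        return "domain-backslash-group"
    if "@" in value:                       # e.g. group@domain
        return "group-at-domain"
    return "plain-name"


def groupname_syntaxes(text, field="cs-groupname"):
    """Count how many records use each group-name syntax in the given field."""
    return Counter(classify_group_syntax(r.get(field, "-")) for r in parse_elff(text))


def records_not_matching(text, expected_syntax, field="cs-groupname"):
    """List (cs-username, group value) pairs whose syntax differs from the one
    configured for the database; empty values are skipped, not reported."""
    mismatches = []
    for r in parse_elff(text):
        value = r.get(field, "-")
        syntax = classify_group_syntax(value)
        if syntax != "empty" and syntax != expected_syntax:
            mismatches.append((r.get("cs-username", "-"), value))
    return mismatches


if __name__ == "__main__":
    print(dict(groupname_syntaxes(SAMPLE_LOG)))
    for user, value in records_not_matching(SAMPLE_LOG, "distinguished-name"):
        print(f"{user}: {value!r} is not in distinguished-name syntax")
```

Run it against an unzipped access log of your own by replacing SAMPLE_LOG with the file's contents; a log that mixes several syntaxes, as the constructed sample does, is exactly the case where the group filter in a role will silently fail to match some users.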

NOTE: Turning on the 'Nested groups' feature means that every group you look at in AD will be searched for a match to the 'member of' attribute, and then those groups will be searched as well. Blue Coat recommends that you talk to your AD or eDirectory administrator before turning on this feature.
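To illustrate the cost the note describes, here is an added Python example (not from the article, and not Reporter's or Blue Coat's code) that resolves nested membership by following each group's 'member of' attribute to its parent groups and then searching those in turn, over a small constructed in-memory directory. It counts the lookups needed and stops on circular nesting. The directory tree, group names and lookup counts are constructed; against a real directory each lookup would be one LDAP search.

```python
"""Added example, not from the KB article and not Reporter's or Blue Coat's
code: resolve nested group membership by following each group's 'member of'
attribute, counting the directory lookups it takes and guarding against
circular nesting, over a small constructed in-memory directory."""
from collections import deque


def dn(cn):
    """Build a group DN in the constructed example tree (not a real directory)."""
    return f"CN={cn},OU=Groups,DC=example,DC=com"


# Constructed directory: group DN -> the groups named in its 'member of' attribute.
MEMBER_OF = {
    dn("Sales"): [dn("Staff"), dn("VPN-Users")],
    dn("Staff"): [dn("All-Employees")],
    dn("VPN-Users"): [dn("All-Employees")],
    dn("All-Employees"): [dn("Sales")],   # circular nesting; directories allow it
}


def resolve_effective_groups(directory, direct_groups, nested=True):
    """Return (set of groups the user is effectively in, number of lookups).

    With nested=False only the groups the user is a direct member of count and
    nothing is looked up. With nested=True each group is looked up once, its
    parents are added, and those parents are looked up in turn (breadth-first).
    """
    effective = set(direct_groups)
    lookups = 0
    if not nested:
        return effective, lookups
    queue = deque(direct_groups)
    visited = set()
    while queue:
        group = queue.popleft()
        if group in visited:            # already searched: this breaks cycles
            continue
        visited.add(group)
        lookups += 1                    # one directory search per group
        for parent in directory.get(group, []):
            effective.add(parent)
            if parent not in visited:
                queue.append(parent)
    return effective, lookups


def user_in_role_group(directory, direct_groups, role_group, nested=True):
    """Does the role's LDAP group appear among the user's effective groups?"""
    effective, _ = resolve_effective_groups(directory, direct_groups, nested)
    return role_group in effective


if __name__ == "__main__":
    for nested in (False, True):
        groups, n = resolve_effective_groups(MEMBER_OF, [dn("Sales")], nested)
        print(f"nested={nested}: {len(groups)} effective groups, {n} lookups")
```

Running it shows what the check box changes: a direct member of Sales is in one group with no lookups when nesting is off, but is in four groups after four searches when nesting is on, and every further level of nesting adds another round of searches against the directory. That per-user search load is what the note asks you to discuss with your directory administrator first.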

Properties
InQuira Doc Id      KB3826
First Published      10/01/2014
Last Modified      10/20/2016
Last Published      10/20/2016
Article Audience
Product      Reporter 9.2
Topic      Access Logging, Authentication, Reporting
Article Number      000010794
Summary      Using nested groups in Reporter