Some Access Control policy rules with Access Role objects are not matched when the nested groups state is set to 2
Symptoms
  • Some Access Control policy rules with Access Role objects are not matched.

  • The command "pdp monitor user <UserName>" on the Identity Awareness Gateway shows that direct groups are fetched correctly, but nested groups are not fetched.

  • The command "pdp nested_groups status" on the Identity Awareness Gateway shows "Enabled - mode 2".

  • The Identity Awareness Gateway sends the LDAP query to the LDAP server over TCP port 389 or 636.

  • The PDP Debug (pdp debug set all all) on the Identity Awareness Gateway shows an empty base DN ("dn = ''") in the nested groups search:
    [RootId = XXX] server = XXX, Search[ dn = '', Params[ scope = 2, filter = '(&(objectCategory=group)
    (member:XXX:=CN=XXX,CN=XXX,DC=XXX,DC=XXX) )'

Cause

When the query is sent over TCP port 389 or 636, the LDAP server expects to receive a base Distinguished Name (DN) in the search request. The Identity Awareness Gateway does not send it.
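To make the symptom above checkable without reading raw debug output by hand, here is a small parser for the "Search[ dn = '...', Params[ scope = ..., filter = '...' ]" fragment of a PDP debug line that flags any search issued with an empty base DN. This is an added example, not Check Point code or output: the debug lines below are constructed from the line shape shown in this article, the server address, user DNs and "DC=example,DC=test" are placeholders, and the "member:XXX:=" matching rule is left as the placeholder the article uses. The scope numbers are the standard LDAP SearchRequest scope values (0 = baseObject, 1 = singleLevel, 2 = wholeSubtree).

```python
import re

# Shape of the Search[...] fragment in a PDP debug line, taken from the line shown in
# the article. The field layout is assumed stable; only dn, scope and filter are used.
SEARCH_RE = re.compile(
    r"server = (?P<server>[^,]+), Search\[ dn = '(?P<dn>[^']*)', "
    r"Params\[ scope = (?P<scope>\d+), filter = '(?P<filter>[^']*)'"
)

# LDAP search scope values as numbered in the SearchRequest (RFC 4511).
SCOPE_NAMES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}

# Constructed sample debug lines (not real captures). Addresses, DNs and the
# "member:XXX:=" matching rule are placeholders.
SAMPLE_DEBUG = [
    "[RootId = 17] server = 192.0.2.10, Search[ dn = '', Params[ scope = 2, "
    "filter = '(&(objectCategory=group)(member:XXX:=CN=jdoe,CN=Users,DC=example,DC=test) )' ] ]",
    "[RootId = 18] server = 192.0.2.10, Search[ dn = 'DC=example,DC=test', Params[ scope = 2, "
    "filter = '(&(objectCategory=group)(member:XXX:=CN=asmith,CN=Users,DC=example,DC=test) )' ] ]",
    "[RootId = 19] server = 192.0.2.10, Search[ dn = 'CN=Users,DC=example,DC=test', Params[ scope = 1, "
    "filter = '(sAMAccountName=asmith)' ] ]",
    "pdp: unrelated line without a Search block",
]


def parse_pdp_search(line):
    """Return server, base DN, scope name and filter of one PDP Search[...] line, or None."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    scope = int(m.group("scope"))
    flt = m.group("filter")
    return {
        "server": m.group("server"),
        "dn": m.group("dn"),
        "scope": SCOPE_NAMES.get(scope, str(scope)),
        "filter": flt,
        # A group search with a member:<rule>:= clause is the nested groups query.
        "nested_group_query": "objectCategory=group" in flt and "member:" in flt,
    }


def find_empty_base_dn(lines):
    """Return the parsed searches whose base DN is empty, the condition the Cause describes."""
    hits = []
    for line in lines:
        parsed = parse_pdp_search(line)
        if parsed is not None and parsed["dn"] == "":
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in find_empty_base_dn(SAMPLE_DEBUG):
        kind = "nested groups" if hit["nested_group_query"] else "other"
        print(f"empty base DN in {hit['scope']} {kind} search on {hit['server']}: {hit['filter']}")
```

Run it against a saved PDP debug file by replacing SAMPLE_DEBUG with the file's lines; a hit on a wholeSubtree nested groups search is exactly the pattern in the Symptoms section, while searches that carry a base DN (the second and third sample lines) are not reported.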


Solution
Note: To view this solution you need to Sign In.