Some Access Control policy rules with Access Role objects are not matched when the nested groups state is set to 2

Support Center > Search Results > SecureKnowledge Details

Some Access Control policy rules with Access Role objects are not matched when the nested groups state is set to 2

Technical Level

Solution ID	sk166199
Technical Level
Product	Identity Awareness
Version	R80.10 (EOL), R80.20, R80.30, R80.40, R81
OS	Gaia
Date Created	06-Apr-2020
Last Modified	01-Mar-2021

Symptoms

Some Access Control policy rules with Access Role objects are not matched.
The command "pdp monitor user <UserName>" on the Identity Awareness Gateway shows that direct groups are fetched correctly, but nested groups are not fetched.
The command "pdp nested_groups status" on the Identity Awareness Gateway shows "Enabled - mode 2".
The Identity Awareness Gateway sends the LDAP query to the LDAP server to the TCP port 389 or 636.
The PDP Debug (pdp debug set all all) on the Identity Awareness Gateway shows an empty "dn =":
[RootId = XXX] server = XXX, Search[ dn = '', Params[ scope = 2, filter = '(&(objectCategory=group) (member:XXX:=CN=XXX,CN=XXX,DC=XXX,DC=XXX) )'

Cause

When the query is done over the TCP port 389 or 636, the LDAP server expects to receive a base Distinguished Name. The Identity Awareness Gateway does not send it.

Solution

Note: To view this solution you need to Sign In .