Super Contributor

LDAP groups in Active Directory/eDirectory to decide on access permission for RDP sessions

Hi there,

I want to assign groups inside PAM for user groups, so that only members of those groups receive permission to access RDP.

But I don't know what regular expression I have to write there.

I did get this link, but I couldn't make out the DN. Can anybody write it down for me?

For both AD and eDirectory.

https://community.microfocus.com/t5/PAM-Tips-Information/Deploying-Active-Directory-as-Authentication-Domain-with-RDP/ta-p/1773821#Command%20Control%20Rule%20for%20LDAP%20Group%20Matching%20in%20Active%20Directory

Accepted Solution

Micro Focus Expert

Re: LDAP groups in Active Directory/eDirectory to decide on access permission for RDP sessions

There will be a very much improved and streamlined approach for managing user groups in the new and improved Command Control Console that is planned for a future release. This should help a lot, I think, so keep an eye out for that.

Another helpful bit of info is that by default the field here is case-sensitive, but you could pass a case-insensitive flag (i) with the regex if you'd prefer to have it that way. For example:

%:=~/^[Cc][Nn]=RDP-Allow*/
%:=~/^cn=rdp-allow*/i

Both should match the same group, though one is a bit more "greedy" and may catch more groups than you anticipate, so sometimes it's better to make it match strictly; but it can be helpful when trying to implement it for the first time.

You could also provide the full FDN context of the group if desired. Here are some examples; the more you include, the more specific or strict the match will be (most strict at the top, going down to least):

%:=~/^CN=RDP-Allow,CN=Users,DC=domain,DC=com/
%:=~/^CN=RDP-Allow,CN=Users*/
%:=~/^[Cc][Nn]=RDP-Allow,CN=Users*/
%:=~/^cn=rdp-allow,cn=users*/i

2 Replies

Knowledge Partner

Re: LDAP groups in Active Directory/eDirectory to decide on access permission for RDP sessions

I happen to think that is a helpful feature, just poorly integrated.

The idea is, you need to define a Regular Expression that will match a Group uniquely in your directory.

The regex should be the same for eDir and AD in theory; just the actual versions will be different.

The appropriate page in the docs is here:

https://www.netiq.com/documentation/privileged-account-manager-37/npam_admin/data/brxvkf6.html

The syntax is:

%:=~/^[Cc][Nn]=G*/

This breaks down as %:=~ and then, inside the / and /, you need a regular expression.

The example above means: ^, the value starts with; then either C or c, then either N or n (i.e. it could be CN or cn); then an equal sign; then an object starting with G; and then *, which means any number of characters.

So if you know you have a uniquely named group you could do:

%:=~/^[Cc][Nn]=GroupName*/

If you have a specific container, you could in theory expand it to something like:

%:=~/^[Cc][Nn]=Groupname,[Oo][Uu]=GroupOU*/

and so on, to make it more specific.

Like I said, it is a good feature, just a kind of awkward implementation.

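The patterns posted in both replies above, run against a handful of group DNs so you can see exactly which groups each one admits before enforcing it. This is an added example, not code from the thread or from Micro Focus. It assumes the Command Control field takes a Perl-style %:=~/regex/flags match that is evaluated against each group DN the user is a member of, and it uses Python's re module as a stand-in for that engine; the DN values are constructed. It also shows the caveat a reader should take away: in a regex the trailing * repeats only the character before it, so ^[Cc][Nn]=G* matches every group DN starting with CN=, and ^[Cc][Nn]=RDP-Allow* also matches RDP-Allo and RDP-Allow-Admins. The two rules marked "not from the thread" are mine, showing how a $ anchor or a terminating comma makes the match strict.

```python
import re

# Constructed sample group DNs (made up for this example, not from the thread):
# Active Directory style entries, eDirectory style entries, and a few look-alikes
# that a loose pattern catches by mistake.
SAMPLE_GROUP_DNS = [
    "CN=RDP-Allow,CN=Users,DC=domain,DC=com",         # the group we actually want
    "CN=RDP-Allow-Admins,CN=Users,DC=domain,DC=com",  # look-alike: longer name
    "CN=RDP-Allo,CN=Users,DC=domain,DC=com",          # look-alike: trailing 'w' missing
    "CN=Domain Admins,CN=Users,DC=domain,DC=com",     # unrelated AD group
    "cn=rdp-allow,ou=GroupOU,o=org",                  # eDirectory, lower-case attribute names
    "cn=GroupName,ou=GroupOU,o=org",                  # eDirectory, unrelated group
]

# Shape of the field value as posted in the thread: %:=~/<regex>/<flags>
RULE_RE = re.compile(r"^%:=~/(?P<pattern>.*)/(?P<flags>[a-z]*)$")


def parse_rule(rule: str) -> re.Pattern:
    """Compile a `%:=~/regex/flags` rule.

    Assumption: the Command Control engine is Perl-compatible, so Python's `re`
    is a close stand-in; only the `i` (case-insensitive) flag is modelled.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a %:=~/.../ rule: {rule!r}")
    flags = re.IGNORECASE if "i" in m.group("flags") else 0
    return re.compile(m.group("pattern"), flags)


def matching_groups(rule: str, dns=SAMPLE_GROUP_DNS) -> list:
    """Return every DN in `dns` the rule matches (unanchored search, like Perl's =~)."""
    rx = parse_rule(rule)
    return [dn for dn in dns if rx.search(dn)]


def compare_rules() -> dict:
    """Run the thread's patterns and two stricter ones over the sample DNs."""
    rules = {
        # From the accepted answer. The trailing '*' repeats only the 'w', so this
        # also matches RDP-Allo and RDP-Allow-Admins.
        "loose": "%:=~/^[Cc][Nn]=RDP-Allow*/",
        # Same, with the i flag: now the eDirectory group matches too.
        "loose_ci": "%:=~/^cn=rdp-allow*/i",
        # From the second reply: 'G*' means zero or more 'G', so this matches
        # every group whose DN starts with CN= or cn=.
        "any_cn": "%:=~/^[Cc][Nn]=G*/",
        # Second reply's container form; note it is case-sensitive on the values.
        "container": "%:=~/^[Cc][Nn]=GroupName,[Oo][Uu]=GroupOU*/",
        # Not from the thread: full DN anchored at both ends, exactly one group.
        "strict": "%:=~/^CN=RDP-Allow,CN=Users,DC=domain,DC=com$/",
        # Not from the thread: exact RDN terminated by the comma, container-agnostic.
        "strict_rdn_ci": "%:=~/^cn=rdp-allow,/i",
    }
    return {name: matching_groups(rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name:14s} -> {len(hits)} group(s): {hits}")
```

Run it and compare the "loose" and "any_cn" rows with "strict": the loose forms admit three and six of the six sample groups respectively, the strict form admits one. When the real group name contains regex metacharacters (a dot, parentheses, a plus sign) escape them with a backslash, and check the rule against the full memberOf list of a test user before it gates RDP access.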