Solutions

How do you set up nested groups in Reporter, version 9.2.x?

Solutions ID:    KB3826
Version:    3.0
Status:    Published
Published date:    06/11/2010
Updated:    02/23/2011
 

Problem Description

I hear Reporter, version 9.2.x, has a new feature where you can search for nested groups. How do I use this?

Where do I set up the new 'nested group' feature?

What does the "is in LDAP group" feature mean, and how do I set it up?

 

Resolution

This new feature is configured with a check box that appears when you configure your Role Based Services in Reporter.

With Reporter, version 9.2.x, there are two places where you can set up nested groups.

1: The first location is the LDAP group configuration wizard, where we link a role to an LDAP group. Here we allow everyone in this LDAP group to have the same privileges given to this role. While authenticating the user using the LDAP protocol, Reporter also ensures that this user is allowed access to the database based on group membership. To set this up, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click on Access control > LDAP groups
  • Click on the 'new' button.
  • Here you'll see the option to turn on nested groups.

2: The second location where you will see an option to set nested groups is the Role configuration wizard, where we restrict access to parts of a database based on LDAP group membership. Here we set up a user filter and locate the LDAP group we want this user to be restricted to, so that the user sees only those parts of the database that contain this group information. To set this up, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click on Access control > Roles
  • Click on the 'new' button.
  • Enter the name of the role you are about to create, and press Next.
  • Select a database.
  • Select 'Add Criteria' to create your filter.
  • Select User, and then select the drop-down list next to the user.
  • Select "Is in Ldap Group" or "Is not in Ldap group".
  • When you open the next drop-down list, called groups, you'll see a list of the currently available LDAP groups in your AD tree.

Note on group membership syntax: Group information collected in the access log is often presented in a slightly different syntax than the LDAP protocol declares it. Check your database configuration to ensure the two match. To do this, follow these steps.

  • Log in to Reporter using your admin account.
  • Navigate to the admin section of the UI.
  • Click Databases, and select your database.
  • On the right-hand side of this screen, choose the drop-down arrow and select "set other options".
  • At the bottom of this screen you will see 'Username log settings'
  • Here you will choose the groupname syntax that matches your access log.

All access logs can be unzipped and opened with a text editor, which we suggest you do to ensure these two match. Look for the cs-groupname access log field. For more information on the access log fields required by Reporter, see FAQ282.

NOTE1: Turning on the 'Nested groups' feature means that every group you look at in AD will be searched for a match to the 'member of' attribute, and then those groups will be searched as well. Blue Coat recommends you talk to your AD or eDirectory administrator before turning on this feature.

NOTE2: For information on setting up the entire LDAP realm, see KB3353.

NOTE3: For information on troubleshooting LDAP, see FAQ383.

NOTE4: For a list of the LDAP error codes you may see in the journal, see FAQ813.
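
The lookup pattern NOTE1 describes, as an added illustration (not Reporter's own code): a role linked to a parent group also reaches users who belong only to a group nested inside it, and each extra level costs further directory reads. The directory below is constructed sample data, and the names `lookup`, `resolve_groups` and `is_in_ldap_group` are hypothetical.

```python
from collections import deque

def g(name):
    """Build a constructed group DN for the sample directory."""
    return f"cn={name},ou=groups,dc=example,dc=com"

ALICE = "cn=alice,ou=staff,dc=example,dc=com"
BOB = "cn=bob,ou=staff,dc=example,dc=com"

# Constructed sample data: DN -> values of its 'member of' attribute.
DIRECTORY = {
    ALICE: [g("helpdesk")],
    BOB: [g("contractors")],
    g("helpdesk"): [g("it")],
    # 'it' is nested in 'report-viewers' and also points back at 'helpdesk',
    # a membership loop of the kind real directories can contain.
    g("it"): [g("report-viewers"), g("helpdesk")],
}

def lookup(dn, directory):
    """Stand-in for one directory read of an entry's 'member of' attribute."""
    return directory.get(dn.lower(), [])

def resolve_groups(user_dn, directory, nested=True):
    """Return (groups the user belongs to, number of directory reads)."""
    seen, reads = set(), 0
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        reads += 1
        for group in lookup(dn, directory):
            group = group.lower()
            if group in seen:
                continue          # already visited, so loops terminate
            seen.add(group)
            if nested:            # nested groups on: search that group too
                queue.append(group)
    return seen, reads

def is_in_ldap_group(user_dn, group_dn, directory, nested=True):
    """Membership test with or without following nested groups."""
    groups, _ = resolve_groups(user_dn, directory, nested)
    return group_dn.lower() in groups

if __name__ == "__main__":
    for flag in (False, True):
        groups, reads = resolve_groups(ALICE, DIRECTORY, nested=flag)
        print(f"nested={flag}: {reads} reads, groups={sorted(groups)}")
```

Before enabling the option on a role, compare the nested and non-nested results for a few representative accounts to confirm that the wider membership matches the access you intend to grant.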

 

 

 

 

 

