Question - LDAP use in Awareness Program

dpace · August 22, 2018, 3:55pm

I have LDAP properly setup for Users and they are able to authenticate. I also setup LDAP Groups and all test appear to be working as expected. When I attempt to create new security awareness training and test the LDAP connection for a given user I get the following message:

Using your LDAP Auth connector we pulled the list of groups for this user and could not find the groups you selected for this awareness program. Check your LDAP connectors and try again.

See screenshots of the error and LDAP configurations.

Awareness LDAP Error Message:

LDAP - User Auth Config

LDAP User Test

LDAP - Group Auth Config

LDAP - Group Members Test

LDAP - Group List Test

eramba · August 22, 2018, 3:55pm

Hello Dominic,

Is best if you raise a support case so you dont have to share too much info on your particular setup, but im pretty sure your problem is related to this:

have a look, if you struggle with the damn LDAP protocol we can try helping you remotely!

regards

dpace · August 22, 2018, 4:27pm

Thanks, I’ll open a support case. The guide is in need of some reconciliation. I see a lot of flip flopping between field values in the guide. For example: using the query in the image below will result in the following query being sent to LDAP since the query will be assigned to the value %GROUP%. There is also flip-flopping between distinguedName and sAMAccountName which makes this guidance difficult to replicate.

(&(objectCategory=user)(memberOf=CN=CN=Test,OU=Groups,DC=corp,DC=eramba,DC=org,OU=Groups,DC=corp,DC=eramba,DC=org))

eramba-guide-typeo

eramba · August 22, 2018, 4:29pm

Every LDAP setting is different, the guide is meant to explain the typical configuration issues! Send out a support case with the full details and we’ll try to help you out.

dpace · August 24, 2018, 6:17pm

I figured out the issue. Both the documentation and the guidance on the LDAP configuration page contains errors. Both advise you to put “CN=%GROUP%” in the “filter to get members of a group” field but this means that if you %GROUP% variable also contains a “CN” the query will end up looking like “CN=CN=USER,OU=PATH,DC=CORP”. See screenshot below.