LDAP User Query Omits AD user's PrimaryGroup Attribute

Created: 04 Jun 2010
Joe Bagnulo

I've noticed that ALL of our AD user accounts that our SWG has imported via LDAP are missing the attribute value for that user's "Primary Group". For 99.9% of all cases this is fine, because that group should be the "Domain Users" group anyway.

Adversely, if a user is only a member of a single group, and that group happens to be the specific LDAP Workgroup to which a SWG policy is assigned, then the group is not listed under the user's list of Workgroups. The SWG is never able to match the user to the correct policy.

The problem seems to be caused by AD and how it stores the Primary Group value, which is only the last part of the corresponding group's objectSID. So for SWG to know the Primary Group value it would have to query LDAP twice to get this value.

However, anyone that builds their policy keyed on the "Domain Users" LDAP Workgroup should be made aware ahead of time that none of their accounts will ever get the correct policy.