Create access policy based on OU membership using LDAP Attributes in an LDAP Realm
Last Updated October 04, 2017
The VPM of a ProxySG provides Source objects for Domain Users and Groups, but there is no object that evaluates users by their OU membership in a domain. There is, however, an alternative that achieves the same result.
This article will assume that you have already configured an LDAP authentication realm and an authentication rule within the Web Authentication Layer using the desired realm.
We will use the LDAP attribute "distinguishedName" as a Source object in the VPM. To list the LDAP attributes currently available for a user, run the following command in PowerShell within your AD domain:
dsquery * "<Full DN of desired user>" -attr *
The full DN of the user can be found with AD Explorer, a Microsoft Sysinternals tool freely available on Microsoft's website (link below).
The command above returns the user's attributes. One of them, "distinguishedName", contains the OUs the user belongs to; in this example it looks like this:
In this case, we will block users if they belong to the OU called "Example OU":
-Go to the Management Console > Configuration > Policy > Launch
-Create a new Web Access Layer > Right click on the Source field and click Set.
-Click on New and select LDAP Attribute
-In the new window, select your Authentication realm (if necessary) > Enter the Attribute Name: distinguishedName > Mark the option "Attribute value match" > Enter Value: OU=Example OU > Change the drop-down menu from "Exact Match" to "Contains" > Click OK
-Set the Action to Deny
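The rule above works because the user's distinguishedName string contains the "OU=Example OU" RDN. The following script is an added example, not code from the article or from the ProxySG product: it reproduces the decision the policy makes and contrasts a plain substring test (which is what a "Contains" match is assumed to be here, case-insensitive) with a strict per-RDN comparison. The DNs and the helper names (split_dn, in_ou, contains_match, policy_decision, false_positives) are constructed for this example. The point a practitioner should check before deploying the rule: a substring match on "OU=Example OU" also fires for any OU whose name merely starts with "Example OU", such as a constructed "OU=Example OU Archive", so the value you enter should be as specific as the OU names in your directory allow.

```python
"""Evaluate OU membership from an LDAP distinguishedName.

Constructed example, not part of the KB article: parses a DN into RDNs and
compares a strict per-RDN test against the substring test that a VPM
"Contains" rule is assumed to perform.
"""
import re
from typing import List, Tuple

# Constructed sample DNs modelled on the dsquery output the article describes.
SAMPLE_DNS = [
    "CN=Jane Doe,OU=Example OU,OU=Staff,DC=corp,DC=example,DC=com",
    "CN=John Roe,OU=Example OU Archive,OU=Staff,DC=corp,DC=example,DC=com",
    "CN=Smith\\, Pat,OU=Finance,DC=corp,DC=example,DC=com",
    "CN=svc-proxy,CN=Users,DC=corp,DC=example,DC=com",
]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def contains_match(dn: str, value: str) -> bool:
    """Substring test, assumed to mirror a VPM 'Contains' match (case-insensitive here)."""
    return value.lower() in dn.lower()


def in_ou(dn: str, ou_name: str) -> bool:
    """Strict test: true only if some RDN of the DN is exactly OU=<ou_name>."""
    return any(attr == "OU" and val.lower() == ou_name.lower()
               for attr, val in split_dn(dn))


def policy_decision(dn: str, ou_name: str, strict: bool = True) -> str:
    """Return 'DENY' when the user is considered a member of the OU, else 'ALLOW'."""
    matched = in_ou(dn, ou_name) if strict else contains_match(dn, f"OU={ou_name}")
    return "DENY" if matched else "ALLOW"


def false_positives(dns: List[str], ou_name: str) -> List[str]:
    """DNs a substring 'Contains' rule would deny although they are not in the OU."""
    return [d for d in dns
            if contains_match(d, f"OU={ou_name}") and not in_ou(d, ou_name)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{policy_decision(dn, 'Example OU', strict=False):5} (contains)  "
              f"{policy_decision(dn, 'Example OU'):5} (strict)  {dn}")
    print("Over-matched by Contains:", false_positives(SAMPLE_DNS, "Example OU"))
```

Running the script shows the second constructed DN being denied by the substring test but allowed by the strict RDN test; if your directory has similarly prefixed OU names, include the parent OU in the value (for example "OU=Example OU,OU=Staff") or use "Exact Match" against the full DN where practical.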
Alternatively, this is the CPL that can be used to accomplish this function: