Secure Mobile Access 12.4 Administration Guide

Creating Dynamic Groups Using a Directory

If you are using an external Microsoft Active Directory or LDAP directory, you can form AMC groups either by building a directory query with the fields provided or, if you’re familiar with LDAP syntax, by writing the query yourself. Whenever this dynamic group is referenced in an access control rule, the external directory is queried and the results are cached for 30 minutes.

Dynamic groups are useful if you want to create a policy that applies to a group that is not already defined in the external directory. For example, you might want to create a group called Operations (Seattle). Although the external directory might already have a group called Operations, you want to narrow it down to members who are based in Seattle.

To add a dynamic group using an external directory

When conducting a multi-valued query against an LDAP or AD directory, you must specify the full DN of the group being queried.

  1. In the AMC, navigate to Security Administration > Users & Groups.

  2. On the Mapped Accounts tab, click New and then select Dynamic group.

    A separate Add Dynamic Group page displays.

    Users who match the expression that you build or write in this page are dynamically included in this group. If a user is added later and matches this expression, he or she is automatically included in this group.

  3. Select the realm to which this new group belongs from the Realm drop-down menu. Only realms that have been configured with an Active Directory or LDAP server (single or chained authentication) are available.
  4. (Optional) Type a Name for this dynamic group.

  5. Optionally, type a Description that can be used when creating access rules that apply to only certain groups.

  6. Choose between Simple and LDAP syntax. Use the one you are most familiar with so that you can edit the query (if needed) in the Expression field.
  7. Use these fields in the Expression area to build your query (see the Advanced Search Methods table for help with LDAP query syntax):

    Fields usage (each setting is followed by its description)

    Expression

    The query you create using the following fields is displayed here so that you can edit it (if necessary).

    Attribute

    An initial query is sent to the external directory server to get a list of defined attributes. (If this list does not look correct, check the name of the realm you selected in the Realm list.)

    Filter operators

    A menu of commonly used LDAP search operators (=, !=, >=, and <=) to filter the values returned by the LDAP or Active Directory server.

    Value

    A user-entered value that can contain wild cards (*). Assuming an Attribute of ZipCode, for example, you could type a Value of 98* to query for all employees living in Washington state.

    Operator

    Common logical operators (AND, OR).

    Add to Expression

    Adds the current attribute, value, and operator to the Expression text area. You can cycle back through (as many times as needed), defining an additional Attribute, Value, and Operator to further refine your query. Click Add to Expression after each addition.

    Base

    (Optional) Base of the AD/LDAP authentication server. It specifies the point in the LDAP directory from where to start the query. For example, to search users in the Microsoft Active Directory:

    CN=users, DC=engineering, DC=sonicwall, DC=com

    If a base is not entered, the query is performed at the search base of the authentication server.

    Scope

    Depth of the query. Select All levels below base (default) to retrieve information from all levels below the base. Select One level below base to retrieve information from the search base itself. No containers below the search base are searched.

    You can also type a query directly in the Expression field.

  8. Test the expression you’ve created. The results are displayed in the Members section and should tell you whether you need to broaden or refine your search. To limit the number of members displayed, check the Display checkbox and type the maximum number of items in the Display field.

    Testing an expression sends the LDAP search query displayed in the Expression area to the LDAP or AD server and displays the results (a list of users) in the right-hand pane. If the results are not what you expect, modify the query by either building the expression or editing the query directly in the Expression field and then test again.

    A new group should not be saved until the expression has been tested.

  9. Use the Show attributes as drop-down menu in the lower right corner of the page to display details in the Details section about the member selected in the Members section. Selecting Summary shows a summary of the member, and selecting All attributes shows all attributes of the member.

    Most chained authentication deployments involve an LDAP or AD server paired with another authentication server (like RADIUS). In the unlikely event that you are using chained authentication with a combination of LDAP and AD servers, keep the following in mind:

    • If you are searching for users, only search results from the first LDAP or AD authentication server in the chain are displayed. The policy server, however, will return results from both servers in the chain.

    • The same is true when searching for groups (except if an affinity server is configured for the realm: it will be searched instead of the authentication servers).

    For example, if you have a group called Accounting on both LDAP or AD servers in your chained authentication, any access control rules you create that are restricted to the Accounting group will apply to group members on both servers, even though the Search Directory page shows results from just the first server in the chain.
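The following is an added example, not part of the SonicWall guide and not AMC code, that shows what the Simple-syntax fields (Attribute, Filter operator, Value, Operator) become once translated into an LDAP filter, and how the Base and Scope settings limit which entries that filter is tested against. It covers the Operations (Seattle) case from the introduction, the ZipCode 98* wildcard from the Fields table, and the rule that a group used in a multi-valued query must be given as its full DN. The directory entries, the group DN CN=Operations,OU=Groups,DC=example,DC=com, and the attribute names (l, postalCode, memberOf) are constructed sample data, and the escaping step is an assumption about how a filter should be built safely rather than a description of what the AMC does internally.

```python
"""Added example (not from the SonicWall guide): build an RFC 4515 LDAP filter
from the AMC Simple-syntax fields and test it against a constructed in-memory
directory using a Base and a Scope. All directory data below is made up."""
import re

# RFC 4515 requires these characters to be hex-escaped inside a filter value;
# '*' is escaped only when the Value is not meant to act as a wildcard.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value, allow_wildcard=True):
    """Escape a user-entered Value so it cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if allow_wildcard else r"\2a")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def build_filter(clauses, operator="AND"):
    """clauses: (attribute, filter_operator, value) triples as entered in the
    AMC fields; operator: the logical operator (AND/OR) joining them."""
    parts = []
    for attr, op, value in clauses:
        v = escape_value(value)
        if op == "=":
            parts.append(f"({attr}={v})")
        elif op == "!=":
            parts.append(f"(!({attr}={v}))")  # LDAP has no '!=': negate equality
        elif op in (">=", "<="):
            parts.append(f"({attr}{op}{v})")
        else:
            raise ValueError(f"unsupported filter operator {op!r}")
    if len(parts) == 1:
        return parts[0]
    return "(" + {"AND": "&", "OR": "|"}[operator] + "".join(parts) + ")"


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def _parent_dn(dn):
    parts = _norm_dn(dn).split(",", 1)
    return parts[1] if len(parts) > 1 else ""


def _in_scope(entry_dn, base, scope):
    e, b = _norm_dn(entry_dn), _norm_dn(base)
    if scope == "sub":   # "All levels below base": base and everything beneath it
        return e == b or e.endswith("," + b)
    if scope == "one":   # "One level below base": direct children, no nested containers
        return e != b and _parent_dn(e) == b
    raise ValueError(f"unknown scope {scope!r}")


def _wild_match(pattern, value):
    """Case-insensitive match where '*' in the Value matches any run of characters."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _clause_matches(entry, attr, op, value):
    values = entry.get(attr, [])
    values = values if isinstance(values, list) else [values]
    if op == "=":
        return any(_wild_match(value, str(v)) for v in values)
    if op == "!=":
        return not any(_wild_match(value, str(v)) for v in values)
    if op in (">=", "<="):
        def key(x):  # compare numerically when both sides are digits
            s = str(x)
            return (0, int(s)) if s.isdigit() else (1, s.lower())
        k = key(value)
        return any((key(v) >= k) if op == ">=" else (key(v) <= k) for v in values)
    raise ValueError(f"unsupported filter operator {op!r}")


def dynamic_group_members(directory, base, scope, clauses, operator="AND"):
    """Return the entry DNs the Test step would list in the Members section."""
    combine = all if operator == "AND" else any
    return sorted(
        dn for dn, attrs in directory.items()
        if _in_scope(dn, base, scope)
        and combine(_clause_matches(attrs, a, o, v) for a, o, v in clauses)
    )


# Constructed sample directory: a Users container with one nested OU so that the
# difference between the two Scope settings is visible.
OPS = "CN=Operations,OU=Groups,DC=example,DC=com"   # full DN, as the guide requires
BASE = "CN=Users,DC=example,DC=com"
DIRECTORY = {
    BASE: {"objectClass": "container"},
    "CN=Alice,CN=Users,DC=example,DC=com": {"l": "Seattle", "postalCode": "98101", "memberOf": [OPS]},
    "CN=Bob,CN=Users,DC=example,DC=com": {"l": "Portland", "postalCode": "97201", "memberOf": [OPS]},
    "CN=Dan,CN=Users,DC=example,DC=com": {"l": "Seattle", "postalCode": "98104",
                                           "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    "CN=Carol,OU=Contractors,CN=Users,DC=example,DC=com": {"l": "Seattle", "postalCode": "98052", "memberOf": [OPS]},
}
SEATTLE_OPS = [("memberOf", "=", OPS), ("l", "=", "Seattle")]   # Operations (Seattle)

if __name__ == "__main__":
    print(build_filter(SEATTLE_OPS, "AND"))
    for scope in ("sub", "one"):
        print(scope, dynamic_group_members(DIRECTORY, BASE, scope, SEATTLE_OPS))
    print(dynamic_group_members(DIRECTORY, BASE, "sub", [("postalCode", "=", "98*")]))
```

Running the block prints the filter the AMC would send, (&(memberOf=CN=Operations,OU=Groups,DC=example,DC=com)(l=Seattle)), then shows that All levels below base returns Alice and Carol while One level below base drops Carol because she sits in a nested OU. The escaping step matters because a Value such as Smith (Ops) would otherwise close the filter early; with wildcards permitted the asterisk is left intact so 98* still works as the guide describes.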
