Network Management

 View Only

  • 1.  Pensando Services Manager LDAPs to Windows AD

    Posted Apr 18, 2024 10:58 AM

    Hello,

    Has anyone been able to correctly set up LDAPs to a Windows AD in PSM, I'm especially looking for the required settings for "Scope" and "Attribute Mapping" fields in PSM. 

    My issue is now that any domain user seems to be able to log in regardless of what I put into those fields... They do not get any Roles so they cannot do anything, but my configured role binding policy contains the same group as configured under LDAP auth policy; and this automatic mapping does not also not work.

    As a side question: all of these users that log in are marked as "external user" under user management - is there a way to delete these from the interface?

    Any screenshots of a working setup would be greatly appreciated, since in the PSM user guide the examples are for POSIX.

    Kind regards,



    ------------------------------
    Kris
    ------------------------------


  • 2.  RE: Pensando Services Manager LDAPs to Windows AD

    Posted Apr 27, 2024 08:56 AM

    This. 
    The documentation around PSM is currently somewhere between non-existent and 'missing'.




  • 3.  RE: Pensando Services Manager LDAPs to Windows AD

    Posted May 08, 2024 09:32 AM
      |   view attached

    Hi Kris.

    In 2022 I wrote a small Tech Note how to integrate PSM and Clearpass. It is available in Airheads.

    For easier access I attach it here.

    There were a problem with version 1.54 and up to 1.62. RADIUS users were not getting the correct permissions. I believe that this problem is now resolved but didn't really test it extensively.

    Unfortunately I never test direct LDAP and AD without Clearpass.

    Best, Gorazd

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------

    Attachment(s)

    pdf
    CPPM-PensandoPSM-Technical Note-2.pdf   2.17 MB 1 version


  • 4.  RE: Pensando Services Manager LDAPs to Windows AD

    Posted Apr 16, 2026 09:07 AM

    Hi Kris,

    Since PSM doesn't seem to support the RADIUS Message-Authenticator field, I had to implement LDAP instead. I've found that PSM doesn't support LDAPS, or I don't know how to get it working. LDAP over StartTLS is available though, even if slightly less secure.

    The POSIX values mentioned in the screenshot don't work with Microsoft AD. The 1.119.1-T user guide shows a screenshot with working values:

    I've used slightly different input:

    *Bind DN: "CN=adreader-psm,OU=Service Accounts,DC=pensando,DC=local"

    *Base DN: "DC=pensando,DC=local"

    *User Object Class: "user"

    *Group Object Class: "group"

    *User: "sAMAccountName"

    *Group: "memberOf"

    Full name: "displayName"

    Email: "mail"

    Server:Port: 192.168.71.153:389

    Use TLS: Enabled

    Verify Server Certificate: Enabled

    Server Name: dc01.pensando.local

    Certificate: Root CA-cert signing the domain controller in PEM format

    -------------------------------------------



Related Content