LDAP Group Membership by Organizational Unit

The LDAP Group Membership by Organizational Unit feature provides the ability to set LDAP rules and policies for users located in certain Organizational Units (OUs) on the LDAP server.

To set a user membership by LDAP location:

1.
2. Select the check box for Memberships are set by user's location in the LDAP directory.
3. Select one of the For users options:

Once memberships are set by LDAP location, each time a user logs in the user is made a member of every local group whose configured LDAP location matches the user's location in the directory. Membership is evaluated at login, so a user whose object is moved to a different OU on the LDAP server receives the new set of groups at the next login.

Any local group, including the default local groups (except for the Everyone group and the Trusted Users group), can be configured as a group whose members are set by their location in the LDAP directory tree.

When a user is a member of any local groups that are configured for LDAP location:

When a user attempts to log in, whether the attempt succeeds or fails, the user's distinguished name is recorded in the event log. This helps with troubleshooting when a user does not receive membership of the expected groups: the distinguished name shows exactly which OU the LDAP server placed the user in, which can be compared with the location configured on each group. The event log messages listed under Event Log Messages include the user's LDAP distinguished name:

Event Log Messages

Event                             Message
logstrSuccessfulUserLogin         User login from an internal zone allowed
logstrWrongUserPasswd             User login denied due to bad credentials
logstrUnknownUserLoginAttempt     User login denied due to bad credentials
logstrSuccessfulUserVpnLogin      VPN zone remote user login allowed
logstrSuccessfulUserWanLogin      WAN zone remote user login allowed
logstrWlanNoGuestPrivilege        User login denied - User has no privileges for guest service
logstrUserLoginNotUnique          User login denied - user already logged in
logstrUserLoginBarredByRule       User login denied - not allowed by policy rule
logstrUserLoginNotFoundLocal      User login denied - not found locally
logstrSSOUserLogout               User logged out - logout detected by SSO
logstrUserGrpRetrievalFail        Problem occurred during user group membership retrieval
logstrUserLoginPwdExpired         User login denied - password expired
logstrSuccessfulUserSslVpnLogin   SSLVPN zone remote user login allowed
logstrUserLoginBadEmail           User login denied - Mail Address (From/to) or SMTP Server is not configured
logstrUserLoginFromWrongLocation  User login denied - User has no privileges for login from that location
logstrUserLoginLdapFail           User login denied - LDAP authentication failure
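The following is an added worked example and not SonicOS code: it shows how a user's distinguished name is matched against groups whose membership is set by LDAP location (the rule described above), and then applies that same check to the distinguished names carried in login event-log messages so that a missing membership can be explained from the log alone. Two matching modes are assumed for illustration, "in this location only" and "in this location or any OU beneath it"; the page does not list the actual For users options. The group definitions, the key="value" log line format and all DNs are constructed sample data, not real SonicOS output.

```python
"""Added example (not SonicOS code): decide which location-based groups an LDAP
DN falls into, then apply that check to the DNs recorded in login event-log
lines so a missing membership can be explained from the log alone."""
import re
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 distinguished name into (attribute, value) RDNs, leaf
    first. Handles backslash-escaped commas; attribute types are lower-cased.
    Multi-valued RDNs (a=x+b=y) are not handled (assumption: not used here)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return rdns


def container_of(dn: str) -> list[tuple[str, str]]:
    """The DN of the OU/container holding the object: everything after the
    leaf RDN, with values lower-cased so DNs compare case-insensitively."""
    return [(a, v.lower()) for a, v in parse_dn(dn)[1:]]


def dn_in_location(user_dn: str, location_dn: str, include_subtree: bool) -> bool:
    """True when the user's container is location_dn or, with include_subtree,
    any OU beneath it. These two modes are an assumption for illustration;
    the documentation does not list the For users options."""
    container = container_of(user_dn)
    location = [(a, v.lower()) for a, v in parse_dn(location_dn)]
    if include_subtree:
        # A child OU's DN ends with its parent's DN, so compare the tail.
        return len(container) >= len(location) and container[-len(location):] == location
    return container == location


@dataclass(frozen=True)
class LocationGroup:
    """A local group whose members are set by LDAP location (constructed)."""
    name: str
    location: str
    include_subtree: bool


def groups_for_user(user_dn: str, groups: list[LocationGroup]) -> list[str]:
    """Names of the location-based groups the user would be placed in at login."""
    return [g.name for g in groups if dn_in_location(user_dn, g.location, g.include_subtree)]


# Constructed key="value" log format; real SonicOS lines differ, but any line
# that carries the DN can be mapped onto these three fields.
LOG_FIELD = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_log_line(line: str) -> dict[str, str]:
    return dict(LOG_FIELD.findall(line))


def triage(lines: list[str], groups: list[LocationGroup]) -> list[dict]:
    """For every log line that carries a DN, report the user's container and
    the location-based groups it matches; lines without a DN are skipped."""
    report = []
    for line in lines:
        fields = parse_log_line(line)
        dn = fields.get("dn")
        if not dn:
            continue
        report.append({
            "user": fields.get("usr"),
            "msg": fields.get("msg"),
            "container": ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:]),
            "groups": groups_for_user(dn, groups),
        })
    return report


# Constructed sample configuration and log lines (not real directory data).
GROUPS = [
    LocationGroup("Sales Users", "OU=Sales,DC=example,DC=com", include_subtree=True),
    LocationGroup("Sales HQ Only", "OU=Sales,DC=example,DC=com", include_subtree=False),
    LocationGroup("Engineering Users", "OU=Engineering,DC=example,DC=com", include_subtree=True),
]

SAMPLE_LOG = [
    'msg="User login from an internal zone allowed" usr="alice" dn="CN=Alice Smith,OU=Sales,DC=example,DC=com"',
    'msg="User login from an internal zone allowed" usr="bob" dn="CN=Bob Jones,OU=West,OU=Sales,DC=example,DC=com"',
    'msg="User login denied - LDAP authentication failure" usr="carol" dn="CN=Carol Diaz,OU=Contractors,DC=example,DC=com"',
    'msg="User login denied - not found locally" usr="dave"',  # no DN: nothing to match
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, GROUPS):
        print(f'{entry["user"]:6} {entry["container"]:40} -> {entry["groups"] or "no location-based group"}')
```

The point the triage makes is the one the log table is there for: bob sits in OU=West beneath OU=Sales, so a group configured for OU=Sales matches him only in the subtree mode, and carol's DN places her in an OU that no location-based group covers, so her failed login is unrelated to group configuration. Escaped commas in RDN values (for example a common name of the form "Smith\, John") are handled by the DN parser, since splitting a DN naively on commas would put such a user in the wrong container.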