pdp nested_groups

Description

Configures how the Security Gateway queries LDAP Nested Groups.

Shows the current configuration of LDAP Nested Group queries.

Syntax

pdp nested_groups

      auto_tune {enable | disable}

      clear

      depth <options>

      disable

      enable

      show

      status

      __set_state <options>

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in the Expert mode on the applicable Security Group.

Parameters

Parameter

Description

auto_tune {enable | disable}

Note - This feature is available only in the R81 Jumbo Hotfix Accumulator Take 42 and higher.

Enables and disables the auto-tune feature.

This feature calculates and automatically selects the state of Nested Groups based on the LDAP configuration on the Security Gateway and the Management Server.

Notes:

  • When you enable this feature, the Security Gateway automatically configures the best state of Nested Groups that it calculated.

  • When you disable this feature, the Security Gateway automatically returns to the state of Nested Groups that you configured earlier with the "__set_state" parameter.

Best Practice - Enable this feature on the Policy Decision Point (PDP) to improve performance.

clear

Clears the list of users for which the configured nested groups depth was not enough.

depth <1 - 40>

Configures the nested groups depth, the number of nesting levels the Security Gateway follows (between 1 and 40).

disable

Disables the nested groups feature.

enable

Enables the nested groups feature.

show

Shows the list of users for which the configured nested groups depth was not enough.

status

Shows the configuration status of nested groups.

__set_state {1 | 2 | 3 | 4}

Configures the nested groups state:

  • 1 - Recursive (this is the default)

    • The Security Gateway queries the LDAP server for each user's direct group memberships, and then queries each group recursively, up to the configured depth, until it determines all nested groups.

    • We recommend this method for environments that have few nested groups or no nested groups configured on the LDAP server.

  • 2 - Per-user

    • The Security Gateway sends one LDAP query. The response includes all groups for the specified user, including the nesting levels. This query returns groups from any branch in the Active Directory forest. This type of query is sent to the Global Catalog ports (TCP 3268 or 3269).

    • We recommend this method for environments that have a policy that includes access roles with nested groups in them.

    • Use this state if you work with multiple branches in the Account Unit, or if group membership crosses domain trees. For example, a user belongs to the domain tree example1.com and is a member of a group in the different domain tree example2.com. See sk134292.

  • 3 - Multi per-group

    • The Security Gateway sends one LDAP query for each pair of user and group. The response shows whether the user is included in that group.

    • We recommend this method for environments that have all types of users and groups and have a small number of access roles with nested groups in them.

  • 4 - Per user, if there is a single branch in each Account Unit

    • The Security Gateway sends one LDAP query. The response includes all groups for the specified user, including the nesting levels. This query returns only groups from the branch specified in the LDAP Account Unit. This type of query can work over all LDAP ports (TCP 389 or 636, or the Global Catalog ports TCP 3268 or 3269).

    • Use this state if you work with a single branch in each Account Unit.
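The four states, and the depth / show / clear parameters above, as an added model that is not Check Point code. An in-memory directory (constructed, with made-up DNs in two domain trees) stands in for the LDAP server, every read of a memberOf attribute counts as one LDAP round trip, and the per-user query models the server-side chain expansion that a single Global Catalog query returns in one response. Two things are assumptions of this example, not statements from the page: that "depth" is the number of nesting levels followed, and that a user lands on the "show" list when the depth limit stops the walk while an unexpanded group still has a parent group. The query counts at the end illustrate why the page recommends the Recursive state only for flat directories and the Multi per-group state only for policies with few access roles.

```python
"""Model of the pdp nested_groups states and the depth / show / clear list.

Constructed example, not Check Point code. DIRECTORY is an in-memory stand-in
for Active Directory; every DN and group name in it is made up.
"""
from typing import Dict, List, Optional, Set

BRANCH1 = "DC=example1,DC=com"
ALICE = f"CN=alice,OU=Users,{BRANCH1}"
BOB = f"CN=bob,OU=Users,{BRANCH1}"
DEV = f"CN=Dev,OU=Groups,{BRANCH1}"
ENG = f"CN=Eng,OU=Groups,{BRANCH1}"
STAFF = f"CN=Staff,OU=Groups,{BRANCH1}"
ALL_USERS = "CN=AllUsers,OU=Groups,DC=example2,DC=com"   # group in a different domain tree

# entry DN -> DNs of the groups it is a direct member of (the memberOf attribute).
# Chain: alice -> Dev -> Eng -> Staff -> AllUsers (4 nesting levels, crossing trees).
DIRECTORY: Dict[str, List[str]] = {
    ALICE: [DEV], BOB: [STAFF],
    DEV: [ENG], ENG: [STAFF], STAFF: [ALL_USERS], ALL_USERS: [],
}


class LdapModel:
    def __init__(self) -> None:
        self.queries = 0                          # LDAP round trips issued so far
        self.depth_not_enough: Set[str] = set()   # what "pdp nested_groups show" lists

    def _member_of(self, dn: str) -> List[str]:
        """One LDAP round trip: read the memberOf attribute of a single entry."""
        self.queries += 1
        return DIRECTORY.get(dn, [])

    @staticmethod
    def _closure(user_dn: str, branch: Optional[str]) -> Set[str]:
        """All groups reachable through nesting, expanded on the server side.
        With a branch, only groups under that branch are visible (one DC, not the GC)."""
        visible = lambda g: branch is None or g.endswith(branch)
        seen: Set[str] = set()
        stack = [g for g in DIRECTORY.get(user_dn, []) if visible(g)]
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(p for p in DIRECTORY.get(g, []) if visible(p))
        return seen

    def recursive(self, user_dn: str, depth: int) -> Set[str]:
        """State 1: one query for the user, then one per group, for at most `depth` levels."""
        found: Set[str] = set()
        frontier = [user_dn]
        for _ in range(depth):
            nxt: List[str] = []
            for dn in frontier:
                for g in self._member_of(dn):
                    if g not in found:
                        found.add(g)
                        nxt.append(g)
            frontier = nxt
            if not frontier:
                break
        # Groups still in the frontier were never expanded. If any of them has a parent,
        # the configured depth was not enough for this user (assumed show/clear semantics).
        if any(self._member_of(g) for g in frontier):
            self.depth_not_enough.add(user_dn)
        return found

    def per_user(self, user_dn: str, branch: Optional[str] = None) -> Set[str]:
        """State 2 (branch=None, Global Catalog) or state 4 (single branch): one query."""
        self.queries += 1
        return self._closure(user_dn, branch)

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        """State 3: one query per (user, group) pair, answered yes/no."""
        self.queries += 1
        return group_dn in self._closure(user_dn, None)

    def show(self) -> List[str]:
        return sorted(self.depth_not_enough)

    def clear(self) -> None:
        self.depth_not_enough.clear()


def compare_states(users: List[str], role_groups: List[str], depth: int) -> Dict[str, int]:
    """Round trips each state needs to evaluate the users against the access-role groups."""
    m1, m2, m3 = LdapModel(), LdapModel(), LdapModel()
    for u in users:
        m1.recursive(u, depth)
        m2.per_user(u)
        for g in role_groups:
            m3.is_member(u, g)
    return {"1 recursive": m1.queries, "2 per-user": m2.queries, "3 multi per-group": m3.queries}


if __name__ == "__main__":
    m = LdapModel()
    print(m.recursive(ALICE, 2), m.show())                  # depth 2 stops at Eng; alice is listed
    m.clear()
    print(m.recursive(ALICE, 5), m.show())                  # depth 5 reaches AllUsers; list is empty
    print(m.per_user(ALICE) - m.per_user(ALICE, BRANCH1))   # state 4 misses the example2 group
    print(compare_states([ALICE, BOB], [ENG, ALL_USERS], 5))
```

Running the module shows alice on the "show" list at depth 2 but not at depth 5, the example2.com group missing from the single-branch (state 4) result, and the round-trip counts of 8, 2 and 4 for states 1, 2 and 3 on this small directory. In a cluster, the same state and depth must be set on every Cluster Member, otherwise members resolve different group sets for the same user.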