Yash yashpal607
###################################################
In my current scenario, an ID is present only in the auth directory and not in the auz directory, but the user is able to access the page.
###################################################
COMMENT : Check in the Policy against which user directory you have added users. Here's how it should be configured.
- Add only AuthDir (CA Directory) object in Policy Domain level.
- Do not add AzDir (AD) object in Policy Domain level.
- At this point if you go to Policies, you'll only see AuthDir (CA Directory) within Policy.
- If you have added users OR ALL against AuthDir (CA Directory) in Policy, please remove that.
- There should be no users against CA Directory.
- Submit the changes to Policy Domain.
- At this stage I am assuming you have created the directory mapping but not added it to the realm.
- Now edit the Policy Domain.
- Go to Realm.
- From there, in Directory Mapping, select AzDir (AD).
- Now if you go to the Policy you'll see both User Directories, i.e. AuthDir and AzDir.
- Select ALL or Select Users only under AzDir (AD).
- Save the changes to Policy Domain.
- At this point if you test, only authorized users resulting from a successful directory mapping will be able to access.
###################################################
I am able to log in using an ID in CA Directory but am not sure if it's getting authorized successfully against AD.
###################################################
COMMENT : Check the smaccess.log and smtracedefault.log.
###################################################
What I am trying to achieve is: if an ID is present in both directories, i.e. the auth directory and the auz directory, only then should the user be able to access the page.
###################################################
COMMENT : Make the configuration changes as suggested above and test. Lay out your definition of "if an ID is present in both directories, i.e. auth directory and auz directory, only then the user should be able to access the page" so that we are on the same page in our understanding. If you still have doubts, please populate the table below with actual OR sample user values that help you explain it.
UD-Auth-CA Dir (UniversalID = sAMAccountName) vs. UD-Az-AD (UniversalID = sAMAccountName):

| CA Dir Username | CA Dir sAMAccountName (UniversalID) | AD cn | AD sAMAccountName (UniversalID) |
|---|---|---|---|
| User1 | 1234 | UserA | 1234 |