Showing results for 
Search instead for 
Did you mean: 

LDAP Filtering for Self-Service Guest Access Approver

New Contributor III
I'm trying to setup Self-Service Guest Access on customer's ZD but they require that select domain users can only approve Self-Service access request. Customer created a new group (sponsor/approvers) in AD and added only a few domain users as members. Also created a Role in ZD matching the new group on Group Attribute. Ruckus Support told me before to configure LDAP on ZD and set a search filter so that only the members of the AD group can login and approve Self-Service requests. Initial tests were successful and I thought that everything's OK so I left it at that.

However, I returned to the customer's office a few weeks later and saw that even non-members of the group was able to approve Self-Service requests. My question now is is it really possible to filter sponsors that can approve via LDAP? Below is the LDAP configuration I did based on customer's settings. I replaced the actual company domain name but everything else is the same.

base dn

admin dn
CN=Ruckus Service Account,OU=Service Accounts,DC=CORP,DC=COMPANY,DC=COM

key attribute

search filter
|(objectClass=Person)(memberOf=CN=Ruckus-WifiApprovers,OU=Domain Security Groups,DC=CORP,DC=COMPANY,DC=COM)

Ruckus-WifiApprovers is the Group Attribute that I configured in Roles. That is the same group in AD that customer created.

I also thought that maybe because the Self-Service Guest SSID is allowed in Default Role so I removed it from there and only allowed it on Ruckus-WifiApprovers Role but result is the same. This is driving me crazy.

New Contributor III
Turned out I have to disable guestpass generation on Default Role. Everythings working now. My problem now is you can only have one authentication server for all Self-Service profiles you create. Support said this is working as designed. Sad.