An Active Directory group exists that contains more than 4000 groups.
When a user who is a member of this group checks their membership using the function vas_auth_check_client_membership_with_server_id, the function reports that the user is not in the group.
This causes an authorization failure if mod_auth_vas is used.
"vastool -u attrs" shows that the user is not in the first 1500 member entries.
Use either of the following 2 commands:
1.) vas_user_is_member
2.) vas_group_has_member
Both of these query the group list from AD, without using the user's PAC, so the complete list of groups is returned even when it has more than 1500 entries.
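The 1500-entry cutoff seen above matches Active Directory's default limit on how many values of a multi-valued attribute it returns per read; the remainder has to be fetched in ranges. The following is an added example, not One Identity's code and not a description of how the VAS library is implemented, that simulates this server behaviour and contrasts a membership check that reads only the first slice with one that follows the ranges to the end. The directory read function, the DNs and the group size are constructed for illustration.

```python
import re

MAX_VAL_RANGE = 1500  # AD default: values returned per read of one attribute
# Constructed sample data: a group with 4000 member DNs (not from the page).
MEMBERS = [f"CN=user{i:04d},OU=People,DC=example,DC=com" for i in range(4000)]


def fake_ad_read(attr):
    """Hypothetical stand-in for an LDAP read of the group object.

    Answers like AD does for a large 'member' attribute: one slice, named
    'member;range=<lo>-<hi>', with '*' as <hi> only on the final slice.
    """
    m = re.fullmatch(r"member(?:;range=(\d+)-(\d+|\*))?", attr)
    if m is None:
        raise ValueError(f"unsupported attribute request: {attr}")
    lo = int(m.group(1) or 0)
    hi = lo + MAX_VAL_RANGE - 1
    if m.group(2) not in (None, "*"):
        hi = min(hi, int(m.group(2)))
    is_last = hi >= len(MEMBERS) - 1
    return f"member;range={lo}-{'*' if is_last else hi}", MEMBERS[lo:hi + 1]


def first_slice_only(user_dn):
    """Flawed check: reads once and ignores the range marker in the reply."""
    _name, values = fake_ad_read("member")
    return user_dn in values


def iter_members():
    """Yield every member by following ranges until the server returns '*'."""
    lo = 0
    while True:
        name, values = fake_ad_read(f"member;range={lo}-*")
        yield from values
        hi = name.rsplit("-", 1)[1]
        if hi == "*":
            return
        lo = int(hi) + 1


def is_member(user_dn):
    """Membership check over the complete, range-assembled member list."""
    return any(dn == user_dn for dn in iter_members())


if __name__ == "__main__":
    late = MEMBERS[3999]  # a member beyond the first 1500 entries
    print(first_slice_only(late), is_member(late))
```

A check built like first_slice_only denies access to legitimate members past entry 1500, which is the failure mode to look for when an authorization decision depends on a very large group.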