When you are using LDAP to determine Windows Active Directory group membership, and the group you are aiming for is the Domain Users group, then you're in for a surprise. It turns out that the LDAP interface doesn't list the Domain Users group for a user: the memberOf attribute for Domain Users is missing. Just compare the following screenshots. The first screenshot shows the Active Directory user interface for the user Administrator, and the second shows the LDAP equivalent of that same user.
The LDAP output doesn't show a 'memberOf: CN=Domain Users, CN=Users, DC=testdomain, DC=local' attribute.
The reason is that Active Directory has a so-called Primary Group attribute, and by default this is the Domain Users group. With that piece of information you might notice an LDAP attribute called 'primaryGroupID' with a number. That number represents the Domain Users group.
So if you need to check for Domain User membership with LDAP, you should check the value of the primaryGroupID attribute. This value is (for as far as I know) always the same (513).
So if you're using Certificate based authentication on a Juniper Pulse Access Gateway or Pulse Access Control Service, and you need to check Windows Domain User group membership the primaryGroupID is the way to go.
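As an added example (not code from the original post), the check described above, done in Python over a constructed LDIF-style entry rather than a live directory. It resolves the primary group the way Active Directory does: the user's objectSid minus its last RID is the domain SID, and appending the primaryGroupID RID gives the primary group's objectSid, which can then be matched against the group objects. The sample user, SIDs and group DNs below are all constructed. The membership test also looks at memberOf, because an account whose primary group was changed to something else does get Domain Users listed in memberOf instead.

```python
# Added example, not from the original post: derive a user's effective AD
# group membership from LDAP attributes. AD omits the primary group from
# memberOf, so the primaryGroupID RID has to be resolved separately.
# All entries and SIDs below are constructed sample data.

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

# Constructed LDIF-style output for a user like the one in the post.
SAMPLE_USER_LDIF = """\
dn: CN=Administrator,CN=Users,DC=testdomain,DC=local
objectSid: S-1-5-21-1000-2000-3000-500
primaryGroupID: 513
memberOf: CN=Domain Admins,CN=Users,DC=testdomain,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=testdomain,DC=local
"""

# Constructed lookup table: objectSid of each group -> its DN. In a real
# deployment this comes from a search for (objectClass=group) returning objectSid.
SAMPLE_GROUPS_BY_SID = {
    "S-1-5-21-1000-2000-3000-512": "CN=Domain Admins,CN=Users,DC=testdomain,DC=local",
    "S-1-5-21-1000-2000-3000-513": "CN=Domain Users,CN=Users,DC=testdomain,DC=local",
    "S-1-5-21-1000-2000-3000-519": "CN=Enterprise Admins,CN=Users,DC=testdomain,DC=local",
}


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attr: [values]}.
    Deliberately minimal: no continuation lines, no base64 (::) values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def primary_group_sid(entry):
    """SID of the primary group: domain part of the user's objectSid + primaryGroupID."""
    user_sid = entry["objectSid"][0]
    domain_sid = user_sid.rsplit("-", 1)[0]  # strip the user's own RID
    rid = int(entry["primaryGroupID"][0])
    return f"{domain_sid}-{rid}"


def effective_groups(entry, groups_by_sid):
    """memberOf plus the primary group, resolved through its SID."""
    groups = list(entry.get("memberOf", []))
    pg_dn = groups_by_sid.get(primary_group_sid(entry))
    if pg_dn is not None and pg_dn.lower() not in (g.lower() for g in groups):
        groups.append(pg_dn)
    return groups


def is_domain_user(entry, domain_users_dn):
    """True if the user is in Domain Users, either as primary group (RID 513)
    or, for accounts whose primary group was changed, via memberOf.
    DN comparison is case-insensitive, as in LDAP."""
    rid = int(entry.get("primaryGroupID", ["0"])[0])
    member_of = [g.lower() for g in entry.get("memberOf", [])]
    return rid == DOMAIN_USERS_RID or domain_users_dn.lower() in member_of


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_USER_LDIF)
    print("primary group SID:", primary_group_sid(user))
    for dn in effective_groups(user, SAMPLE_GROUPS_BY_SID):
        print("member of:", dn)
    print("Domain User:", is_domain_user(user, SAMPLE_GROUPS_BY_SID["S-1-5-21-1000-2000-3000-513"]))
```

For an access gateway that can only match on attribute values, the `primaryGroupID == 513` test is the practical shortcut; the SID resolution is what you need when the policy must also cover accounts with a non-default primary group.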
B.t.w., if you're looking for a good cross-platform LDAP browser, I can recommend the Apache Directory Studio. It's intuitive, has a good interface and just works (oh... and it's free).
Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).
The limited parts are:
- SSL is limited to 3 concurrent users
- UAC is limited to 5 concurrent users
- You cannot add additional licenses
- The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additional licenses).
So yes, it's crippled, but still very nice to play with in a lab or home/study environment.
Anyway, I have both the UAC and the SSL VPN running at home, both in VMware Fusion on a Mac OS X Server (Mac Mini).
A couple of months ago, Juniper released a new major version of the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VMs to the latest software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN; the upgrade went smoothly. However, the UAC was a different story. For some reason, the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.
So I tried to do a clean install and see if I could import the old config of the existing UAC (v4.4) into the new version 5. That is something that didn't work in the older versions of both the SSL VPN and UAC: importing a config meant that you needed the matching software version on the device first.
Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1x. That didn't work as it should.
The UAC's event log showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP protocol relies (for a part) on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI service.
After having checked, and double checked everything (I even tried authenticating against the older UAC version... which still worked), I decided to do a clean install (back to factory settings), and reconfigure the entire UAC by hand instead of the import.
Guess what, everything worked great after I had copied everything by hand.
So I guess that the import of an XML file belonging to an earlier software version still doesn't work. The only difference is that in the old days I got a warning/error.
So if you're getting the 'No EAP Protocol Was Agreed On' error in your event log, and you did a recent upgrade, you might want to try a fresh install and configure things by hand.
I have no idea if this is applicable to the 'normal' hardware appliances with the software.
During the time with my Nikon D300 I always used regular (thread) filters (circular polarizers, and ND filters). Since the release of the Fujifilm X-T1 I wondered if a Lee filter system might be better / more flexible (not cheaper!!!!).
The Seven5 series is cheaper since it uses smaller filters (75mm versus 100mm), and since my Fujifilm X-T1 uses relatively small lenses this could be a winner (the kit lens has a 58mm filter thread). Until I found out that the new ultra wide angle Fujinon XF 10-24mm F/4 R OIS has a 72mm filter thread. And as you might guess, I'm really interested in that lens.
Fortunately, Lee has a 75-to-72mm adapter, so technically the Seven5 system can be used with that lens.
Adaptor ring thread sizes:
The holder attaches to the lens via a screw-in adaptor ring. The adaptor ring is available in the following thread sizes: 37, 37.5, 39, 40, 40.5, 43, 46, 49, 52, 55, 58, 60, 62, 67 and 72mm.
But 72mm versus 75mm doesn't leave much room on the vignetting side of it. Chances are that you get serious vignetting on the ultra wide end of the focal range (10-14mm), because of the filter holder attached to the lens.
Just to make sure, I dropped Lee an e-mail, and this is what I got in return:
So, there you have it: accept additional vignetting on the ultra wide side, or invest in the more expensive 100mm filter system. But before I even invest in a filter system I need to see some independent reviews of that new lens. I might even get the Fujinon XF 14mm f/2.8 R. That lens is available at the moment and is highly recommended by several sites / reviewers / users.
Choices, choices, choices
My interest in Fujifilm cameras was rekindled when they released the X-Pro1. When they announced and released the X-T1 this year I had to have one. Why? Because it has everything that my old Nikon D300 doesn't have:
- More Mpix (16 versus 12)
- Lighter quality lenses
- Capable of mounting Leica and Nikon lenses (through the use of third party adapters).
- Electronic View Finder (EVF)