Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure LDAP authentication options.

You can configure user groups using ldap-options command for the user groups that are user authenticated. You can authenticate users that are assigned roles according to their LDAP group memberships. The allowed-groups attribute authenticates users that are assigned according to their group memberships. If none of the user groups match a user group, then the user cannot access the system.

Membership characteristics are queried from the LDAP server as per configuration. After firewall authentication, a user can be assigned IP addresses from the associated pools with the authenticated group.


allowed-groups Allow members of only specific groups to sign in. Group lists are limited to 255 bytes.

The order in which the membership attribute is received from the LDAP server determines how a user is associated with the configured (allowed) groups. To match the user, the first group in the list received from the LDAP server that matches any of the configured groups is used.

Any user who is a member of more than one group can obtain resources from either group, depending on the order of the LDAP server's response. To ensure that the user is assigned the intended resource with certainty, it is recommended that the user belong to only one group.

group-name Name of the group which should be allowed.
name Address pool name

The remaining options are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Release Information

Statement introduced in Release 8.5 of Junos OS.

allowed-groups option introduced in Release 21.4R1 of Junos OS.