How to Check Users in LDAP Groups

317027
Created On 09/25/18 19:20 PM - Last Modified 10/21/21 18:41 PM


Environment


  • PAN-OS
  • User-id configured with LDAP Groups


Resolution


Overview

Palo Alto Networks devices can optionally utilize users and groups to create security policies. Checking users in LDAP groups lets administrators create access permissions based on group membership.

 

Details

Device administrators use LDAP groups to grant access based on users rather than IP addresses. The User-ID agent (software or hardware) is responsible for collecting the IP-to-user mappings and delivering them to the Palo Alto Networks firewall. Based on the LDAP profile, the User-ID agent reads groups from the LDAP server. The IP-to-user mappings are stored in the firewall's IP-user-mapping table; the groups and their members are stored in the group-mapping list.

 

Steps

Perform the steps below to find the groups that the Palo Alto Networks firewall is reading through its LDAP profile.

  1. List every group the firewall has read using the following CLI command:
    > show user group list

    cn=sales,cn=users,dc=al,dc=com
    cn=it_development,cn=users,dc=al,dc=com
    cn=groùpé,cn=users,dc=al,dc=com
    cn=domain admins,cn=users,dc=il,dc=al,dc=com
    cn=domain guests,cn=users,dc=al,dc=com
    cn=it,cn=users,dc=al,dc=com
    cn=marketing,cn=users,dc=al,dc=com
    cn=it_operations,cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=il,dc=al,dc=com
    cn=hr,cn=users,dc=al,dc=com
    cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=vpn_users,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=al,dc=com
     
  2. To list the members of a group found in the previous step, pass its full DN:
    > show user group name "cn=it_operations,cn=users,dc=al,dc=com"

    source type: service
    source:      AD_Group_Mapping_al.com
    [1     ] al\alex
    [2     ] al\biljanap
    [3     ] al\damem
    [4     ] al\ilija
    [5     ] al\ilijaal
    [6     ] al\ristok
    [7     ] al\jovan

    The command will not list disabled AD users.
    The example below shows the "alex" domain user on AD has been disabled:
    (Screenshot omitted: the "alex" user account shown as disabled in AD.)
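As an added example (not part of the original article), the following Python parses the two command outputs shown above: it resolves a short group name such as `it_operations` to every full DN that carries it, which is why the full DN must be quoted in step 2, and checks whether a user appears in the member list of `show user group name`. The sample outputs are constructed from the listings in this article.

```python
import re
# Constructed sample output, modelled on the two CLI listings in this article.
GROUP_LIST_OUTPUT = """\
cn=sales,cn=users,dc=al,dc=com
cn=it_operations,cn=it,ou=groups,dc=al,dc=openldap,dc=com
cn=it_operations,ou=groups,dc=al,dc=openldap,dc=com
cn=it_operations,cn=users,dc=al,dc=com
cn=domain users,cn=users,dc=al,dc=com
"""
GROUP_MEMBERS_OUTPUT = """\
source type: service
source:      AD_Group_Mapping_al.com
[1     ] al\\alex
[2     ] al\\biljanap
[3     ] al\\ristok
"""

# One member line of 'show user group name': "[<index>] <domain>\\<user>"
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def find_group_dns(group_list_output, short_name):
    """Return every DN from 'show user group list' whose leading RDN is
    cn=<short_name> (case-insensitive, as AD group names are). More than one
    hit means the short name is ambiguous and the full DN must be quoted."""
    hits = []
    for line in group_list_output.splitlines():
        line = line.strip()
        m = re.match(r"^cn=([^,]+),", line, re.IGNORECASE)
        if m and m.group(1).lower() == short_name.lower():
            hits.append(line)
    return hits


def parse_group_members(group_name_output):
    """Return (source, members) from 'show user group name' output."""
    source, members = None, []
    for line in group_name_output.splitlines():
        line = line.strip()
        if line.startswith("source:"):
            source = line.split(":", 1)[1].strip()
        elif MEMBER_RE.match(line):
            members.append(MEMBER_RE.match(line).group(1).lower())
    return source, members


def is_member(group_name_output, user):
    """True if <user> ('alex' or 'al\\alex') is an active member. A miss means
    either not a member or a disabled AD account: the firewall omits those."""
    _, members = parse_group_members(group_name_output)
    user = user.lower()
    return any(m == user or m.split("\\", 1)[-1] == user for m in members)
```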