Group names in allow-list of an LDAP authentication profile

Created On 09/26/18 13:47 PM - Last Modified 06/07/23 20:46 PM


Symptom


Are group names case sensitive when configured in the allow-list of an authentication profile?



Resolution


When configuring a group name in the allow-list of an authentication profile, group names are case sensitive.

This matters because allow-lists are used with various authentication protocols (LDAP, RADIUS, TACACS+ and so on).

Case can cause problems when group names in allow-lists configured for an LDAP Active Directory server contain capital (uppercase) letters.

The group name may be configured on the Active Directory server with capital (uppercase) letters, but LDAP then converts the group name to lowercase, according to RFC 4510.

If you configure group names in allow-lists exactly as they are configured on the Active Directory server (containing uppercase letters), authentication will fail for users who are members of this group.

When the Palo Alto Networks device fetches the LDAP groups from the Active Directory server, the group names are lowercase, so they do not match allow-list entries that contain capital (uppercase) letters.
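
The mismatch described above can be caught before an allow-list is put into use. The following is an added example, not Palo Alto Networks code: it compares allow-list entries with group names as fetched from LDAP using exact, case-sensitive comparison and reports entries that differ only by case. The function name and the sample distinguished names are assumptions constructed for illustration.

```python
"""Audit allow-list entries against group names as fetched from LDAP.

Added illustration; audit_allow_list is a hypothetical helper, and every
distinguished name below is a constructed sample value.
"""


def audit_allow_list(allow_list, fetched_groups):
    """Return {entry: (status, suggestion)} for each allow-list entry.

    status is "match", "case-mismatch" or "not-found". Comparison is exact
    (case sensitive), which is the behaviour the article describes.
    """
    exact = set(fetched_groups)
    # Case-folded name -> name as fetched, to detect case-only differences.
    folded = {name.casefold(): name for name in fetched_groups}
    report = {}
    for entry in allow_list:
        if entry in exact:
            report[entry] = ("match", None)
        elif entry.casefold() in folded:
            # Same group, different case: authentication would fail.
            report[entry] = ("case-mismatch", folded[entry.casefold()])
        else:
            report[entry] = ("not-found", None)
    return report


# Constructed sample: group names as the device would see them (lowercase).
FETCHED = [
    "cn=vpn-users,ou=groups,dc=example,dc=com",
    "cn=network admins,ou=groups,dc=example,dc=com",
]

# Constructed sample: allow-list entries, the first typed as shown in AD.
ALLOW_LIST = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "cn=network admins,ou=groups,dc=example,dc=com",
    "cn=helpdesk,ou=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    for entry, (status, fix) in audit_allow_list(ALLOW_LIST, FETCHED).items():
        line = f"{status:14} {entry}"
        if fix:
            line += f"\n{'':14} use instead: {fix}"
        print(line)
```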


