Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-29-2012 05:04 AM
Hello.
My situation is:
- GlobalProtect VPN configurated -> user identification via GP then.
- LDAP profile configurated -> authentication works well
- Authentication profile configurated.
- User Identification, Group Mapping configuration:
- Group Objects:
- Object Class: posixGroup
- Group Name: cn
- Group Member: memberUid
- User Objects:
- Object Class: inetOrgPerson
- User Name: uid
Extract with slapcat:
----------------------
dn: cn=Administradores,ou=Grupos,dc=example,dc=com
cn: Administradores
gidNumber: 1
structuralObjectClass: posixGroup
entryUUID: 1dacb5d4-85f9-1031-95fb-b388bfd09fc7
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20120829074432Z
objectClass: posixGroup
memberUid: prueba
entryCSN: 20120829112946.273933Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20120829112946Z
dn: cn=prueba,ou=Usuarios,dc=example,dc=com
sn: prueba
cn: prueba
uid: prueba
userPassword:: e01ENX1iKzBKTmZNdFFFSnh1cVN5a3FPNWJBPT0=
uidNumber: 5
gidNumber: 1
homeDirectory: /home/users/satec1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: a6c2f1f4-860c-1031-989f-db7857189845
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20120829100422Z
entryCSN: 20120829100422.934537Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20120829100422Z
-----------------------------
I can use the created groups on OpenLDAP correctly, in firewall rules:
admin@PA-2050> show user group-mapping state all
Group Mapping(vsys1, type: other): Mapeo_Grupos_LDAP
Bind DN : cn=admin,dc=example,dc=com
Base : dc=example,dc=com
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
X.Y.Z.8(389)
Last Action Time: 1489 secs ago(took 1 secs)
Next Action Time: In 2111 secs
Number of Groups: 3
cn=vpn,dc=example,dc=com
cn=usuarios,ou=grupos,dc=example,dc=com
cn=administradores,ou=grupos,dc=example,dc=com
admin@PA-2050>
And I can connect to VPN and the user is identified:
admin@PA-2050> show user ip-user-mapping all
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.46.3 GP prueba 3651 3651
Total: 1 users
admin@PA-2050>
But the problem is that user is not "mapped" in its group, Administradores:
admin@PA-2050> show user ip-user-mapping detail yes
IP address: 192.168.46.3
User: prueba
Ident. By: GP
Idle Timeout: 3529s
Max. TTL: 3529s
Groups that the user belongs to (used in policy)
admin@PA-2050>
So when I create a firewall rule as origin user the group Administradores, the traffic generated by the user "prueba" doesn't match with that rule.
I think it must be a problem with "User Object" configuration but I can't find doc about that, an example like AD in the document: http://live.paloaltonetworks.com/docs/DOC-3221.
Anybody with a similar configuration could help me?
Thank you very much.
To be sure, I created on my OpenLDAP server a user account that has the same name in cn, sn, and uid: test.
08-30-2012 05:01 AM
Hi everybody.
For your information, the configuration above is correct. The problem is that it's necessary to specify a domain in LDAP server configuration. After that, the scenario works well. I can selected users and groups on security rules... Great!!!.
Thank you.
09-01-2012 12:39 AM
Hi, I also found the problem that a user in a group can't hit a rule that set the user group.
the configuration is below, could you please help me identify what wrong with this configuration ?
=== LDAP Server ===
Domain : palo-lab
Type : other
Base : dc=palo-lab,dc=com
Bind DN : cn=ldapadm,dc=palo-lab,dc=com
=== Group Mapping ===
Group objects
- Search Filter :
- Object Class : posixGroup
- Group Name : internet
- Group Member : memberUid
User Objects
- Search Filter :
- Object Class : posixAccount
- User Name : uid
09-03-2012 11:36 PM
Hello mindterra.
In group name I've specified "cn", no "internet". One important thing is that "memberUid" in Group object must match with "uid" in user object.
That is, check strings that appear in memberuid field in group objects; it must be the login name of the users, more than the complete name (jdoe vs John Doe)
Bye bye.
05-19-2014 07:12 AM
I'm having the same problem as was solved
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
