https://live.paloaltonetworks.com/t5/general-topics/group-mapping-nesting-ldap-filters/m-p/580403#M116252 <P>Hello</P> <P>I am trying to achieve the following:<BR />I would like to limit the groups the firewalls need to cache.<BR />Therefore I would like to filter only to search below certain OUs in AD. As I learned this is not possible via LDAP Searchfilter with wildcards or sth.</P> <P>Therefore I set up multiple LDAP Server Profiles where the Base DN matches the entry-OUs where I would like to search below and created multiple User ID Group Mappings without any search filters</P> <P>&nbsp;</P> <P>I assumed this would allow the nested groups to be properly resolved to the users. Unfortunately this is not the case.</P> <P>I think the problem might be the following:</P> <P>Top-Level Group is a match for UID Group Mapping A<BR />Below-Level Groups are match for UID Group Mapping B/C/D<BR />During evaluation only the UID Group Mapping A is used further for evaluation and therefore doesn't find the users</P> <P>Might this assumption be correct?</P> <P>&nbsp;</P> <P>If so: Is it problematic for a firewall not to have filters and just ingest all AD groups or will that resolve in too much traffic (in an &lt; 8k User AD with several hundrets of groups)</P> <P>&nbsp;</P> <P>Thanks for any advice</P> Thu, 14 Mar 2024 14:10:28 GMT ipohlschneider 2024-03-14T14:10:28Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-nesting-ldap-filters/m-p/580403#M116252 <P>Hello</P> <P>I am trying to achieve the following:<BR />I would like to limit the groups the firewalls need to cache.<BR />Therefore I would like to filter only to search below certain OUs in AD. As I learned this is not possible via LDAP Searchfilter with wildcards or sth.</P> <P>Therefore I set up multiple LDAP Server Profiles where the Base DN matches the entry-OUs where I would like to search below and created multiple User ID Group Mappings without any search filters</P> <P>&nbsp;</P> <P>I assumed this would allow the nested groups to be properly resolved to the users. Unfortunately this is not the case.</P> <P>I think the problem might be the following:</P> <P>Top-Level Group is a match for UID Group Mapping A<BR />Below-Level Groups are match for UID Group Mapping B/C/D<BR />During evaluation only the UID Group Mapping A is used further for evaluation and therefore doesn't find the users</P> <P>Might this assumption be correct?</P> <P>&nbsp;</P> <P>If so: Is it problematic for a firewall not to have filters and just ingest all AD groups or will that resolve in too much traffic (in an &lt; 8k User AD with several hundrets of groups)</P> <P>&nbsp;</P> <P>Thanks for any advice</P> Thu, 14 Mar 2024 14:10:28 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-nesting-ldap-filters/m-p/580403#M116252 ipohlschneider 2024-03-14T14:10:28Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-nesting-ldap-filters/m-p/580423#M116257 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/198122">@ipohlschneider</a>&nbsp;,</P> <P>Not using filters or the built-in group-include-list functionality isn't a&nbsp;<EM>problem&nbsp;</EM>as long as your platform(s) can sync the number of groups that you're requesting. So a PA-440 can only have 1,000 active groups used in policy, but a PA-5220 can have 10,000. If you only have hundreds of groups you shouldn't run into any issues even on the smallest platforms.</P> <P>&nbsp;</P> <P>Nested groups will sync perfectly fine, but you need to insure that you're also syncing the membership of the nested group as well. So if I have a 'All-Devices' group as an example that has the nested 'All-Laptops', 'All-Desktops', and 'All-BYOD' as a simple example you need to sync the membership of those three nested groups to get things to function properly.&nbsp;</P> Thu, 14 Mar 2024 17:35:22 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-nesting-ldap-filters/m-p/580423#M116257 BPry 2024-03-14T17:35:22Z