https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21378#M15594 <HTML><HEAD></HEAD><BODY><P>Can you try using <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">IDF</SPAN> as a domain in the LDAP server profile and refresh the group-mapping :</P><P></P><P>&gt; debug user-id refresh group-mapping &lt;&gt;</P></BODY></HTML> Thu, 13 Jun 2013 09:53:18 GMT UhMayYeah 2013-06-13T09:53:18Z https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21377#M15593 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have deployed 1 cluster of PA 3020(5.0.5) and UIA on 2 servers of the domain.</P><P>The domain architecture is as following:</P><P>1 parent domain: idf.local</P><P>6 child domain: xx.idf.local, yy.idf.local, ...</P><P></P><P>UIA works well and we have good informations on the PA with NETBIOS domaine name</P><P>show user ip-user-mapping all:</P><P>IDF\user1</P><P>XX\user2</P><P>YY\user3</P><P></P><P>But with the group mapping, it's fqdn domain that appears.</P><P>show user group name "cn=ggggggg,ou=fffffffff,dc=idf,dc=local":</P><P>idf.local\user1</P><P>xx.idf.local\user2</P><P>yy.idf.local\user3</P><P></P><P>LDAP server profile configuration is done with global catalog:</P><P></P><P>admin@XXXXXX(active)# show shared server-profile ldap profile-AD-GC</P><P>profile-AD-GC {</P><P>&nbsp; server {</P><P>&nbsp;&nbsp;&nbsp; gtgt50.idf.local {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port 3269;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; address 192.168.1.1;</P><P>&nbsp;&nbsp;&nbsp; }</P><P>&nbsp; }</P><P>&nbsp; ldap-type active-directory;</P><P>&nbsp; base DC=idf,DC=local;</P><P>&nbsp; bind-dn "CN=login,......,DC=idf,DC=local";</P><P>&nbsp; timelimit 30;</P><P>&nbsp; bind-timelimit 30;</P><P>&nbsp; bind-password -AQ==SdRlIx0rvZ/zcM4qhyMPexBjphE=Xce5R8I57K7Xi1MRcJdzBg==;</P><P>&nbsp; ssl yes;</P><P>}</P><P>[edit]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>The problem is that I can't create policy based on AD group because there is a mismatch between UIA and Group Mapping information.</P><P></P><P>Any idea?</P><P></P><P>Thanks!!</P></BODY></HTML> Thu, 13 Jun 2013 08:53:18 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21377#M15593 NomiosSupport 2013-06-13T08:53:18Z https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21378#M15594 <HTML><HEAD></HEAD><BODY><P>Can you try using <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">IDF</SPAN> as a domain in the LDAP server profile and refresh the group-mapping :</P><P></P><P>&gt; debug user-id refresh group-mapping &lt;&gt;</P></BODY></HTML> Thu, 13 Jun 2013 09:53:18 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21378#M15594 UhMayYeah 2013-06-13T09:53:18Z https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21379#M15595 <HTML><HEAD></HEAD><BODY><P>I have already tried this but it overrides all domain name:</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">show user group name "cn=ggggggg,ou=fffffffff,dc=idf,dc=local":</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">IDF\user1</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">IDF\user2</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">IDF\user3</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">The problem is that user2 belongs to XX domain which is the domain child(xx.idf.local).</P></BODY></HTML> Thu, 13 Jun 2013 15:05:02 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21379#M15595 NomiosSupport 2013-06-13T15:05:02Z https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21380#M15596 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Try creating separate LDAP Server (port 389 or 636) profiles for the parent domain and each child domain including in the configuration NetBios-style domain name and corresponding base.</P><P>In Group Mapping Settings create Group Mapping configuration using every LDAP Server Profile (8 in total).</P><P></P><P>Hope this helps! Update if it does <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Global Catalog is used for identifying membership in Universal Groups.</P></BODY></HTML> Fri, 14 Jun 2013 10:05:06 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21380#M15596 Retired Member 2013-06-14T10:05:06Z https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21381#M15597 <HTML><HEAD></HEAD><BODY><P>As albert_C said, create one ldap profile per server and configure "Domain" in the profile then, domain name will be re-write as you want.</P><P></P><P>V.</P></BODY></HTML> Fri, 14 Jun 2013 10:29:53 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-domain-and-domain-name/m-p/21381#M15597 VinceM 2013-06-14T10:29:53Z