topic Re: LDAP - Group Mapping with Child Domain users in General Topics

LDAP - Group Mapping with Child Domain users

oschuler — Tue, 11 Jun 2013 19:37:19 GMT

Hi all,

We'd like to use an Active Directory group in our root domain (e.g. "company.com") to control GlobalProtect authentications. Let's name this AD group "VPN Access" (it's a "Universal" Security Group). It contains user objects from the root domain itself but also from other subordinate domains like "branch1.example.com". Unfortunately, our PA-2050 ignores all foreign users added to this group. All root-domain users are visible when executing the following CLI command:

show user group name "cn=vpn access,ou=usergroups,dc=example,dc=com"

The LDAP profile connects to a Global Catalog Active Directory server in the root domain ("example.com") and is configured with the following settings on the PA:

Is there any way to force the PA to recognize the sub-domain users in this parent domain group?

Thanks in advance!

Oliver

Re: LDAP - Group Mapping with Child Domain users

minow — Tue, 11 Jun 2013 20:23:30 GMT

i belive you should configure the port for the global catalog and not the regular ldap port:

if this DC is GC then configure:

3269 - for ssl connection (this i am not sure the defaults, you may try first unencrypted)

3268- for unencrypted connection

Re: LDAP - Group Mapping with Child Domain users

oschuler — Tue, 11 Jun 2013 21:00:29 GMT

That's it, thank you very much dorm! I didn't know that Global Catalog uses a different port. 3269 works with SSL by the way.