topic Re: User-ID Group Include List Error in General Topics

User-ID Group Include List Error

apackard — Mon, 23 Jan 2012 18:16:42 GMT

On PanOS 4.1.2 I am trying to perform an LDAP lookup for the 'Group Include List' element of the User Identification setup i.e. to populate the 'User' field in policies.

When I do this I get an "bind-dn is invalid" error. I know the account configured is fine, as it is a shared object set in Panorama and pushed to multiple boxes, and it works fine on other boxes.

Does anyone know if this error message ia a "red-herring" and just saying that 'something' is wrong - maybe connectivity etc - of does it only appear if it is an authentication error?

Re: User-ID Group Include List Error

jdelio — Tue, 24 Jan 2012 21:53:41 GMT

One place to start is to perform a "show user ldap-server state" and double check to see if you have the full Bind DN, and not just partially listed thinking that the base is going to help cover it.

I know this is not a true answer, but it is a place to start.

Re: User-ID Group Include List Error

apackard — Tue, 24 Jan 2012 22:20:17 GMT

Thanks for that. Got me one stage further, but more confused now!

Used the command "show user group-mapping state all" and it actually showed that the LDAP query is working, and its pulling back *all* the groups from my AD.

However, when I try to 'connect' via the UI it still fails. As this step is required so I can filter my groups to sync against (I don;t want all 4000 in the drop down!) it is quite important, and I can't see why it is connecting in the background, but giving me an auth error when prompting it via the UI.

Any clues gratefully received!

Re: User-ID Group Include List Error

jdelio — Thu, 26 Jan 2012 17:07:06 GMT

Of course you are getting that error because of the way that the Bind DN is listed. Yes, it might work in some instances, but still give that error on that screen. When I look through other cases, this was resolved by modifying the way that the bind-dn is listed.

I would like to be able to help you here, but you might need to open a case and work the issue that way.

Regards,

Re: User-ID Group Include List Error

kalyanram.piratla — Fri, 03 Feb 2012 16:59:25 GMT

Hi Guys,

I do have the same issue coming up. Can you guys please let me know on what type of modifications were done to get it running because i tried doing everything i can and have nothing to do now. I did log this case with PAN and even they seem to be lost on it.

Re: User-ID Group Include List Error

apackard — Fri, 03 Feb 2012 17:07:18 GMT

I changed the format of the account used to query the LDAP servers from user@domain to domain\user and that seemed to fix the UI issue.

Re: User-ID Group Include List Error

kalyanram.piratla — Fri, 03 Feb 2012 17:26:38 GMT

APACKARD... you genius... Thank you very much mate...!!!

Re: User-ID Group Include List Error

apackard — Fri, 03 Feb 2012 20:31:31 GMT

Don't count your chickens yet...

I've now got a problem with User ID's being detected as domain\user, but all the imported user data is in the form user@domain, which may (or may not) be connected to this fix!

Re: User-ID Group Include List Error

apackard — Fri, 03 Feb 2012 20:33:32 GMT

And just to be clear - they're not matching i.e. if I add a group to a policy that contains my name in the user@domain format, I'm not being matched against traffic with domain\user as a field.

Re: User-ID Group Include List Error

kalyanram.piratla — Mon, 06 Feb 2012 09:17:57 GMT

Thanks for sharing the info mate. So far I haven't heard back from the customer yet. Will keep you updated.

Re: User-ID Group Include List Error

kalyanram.piratla — Mon, 06 Feb 2012 11:02:10 GMT

So far things are looking good with domain\user mate.

Re: User-ID Group Include List Error

apackard — Mon, 06 Feb 2012 11:05:30 GMT

Cool.

I found that I'd incorrectly added the FQDN domain name in the Domain field, rather than the Windows domain name, in the User-ID settings which stopped my users mapping correctly, so all good for me too!

Rgds