https://live.paloaltonetworks.com/t5/general-topics/4-1-7-ldap-lookup-unstable/m-p/34531#M25334 <HTML><HEAD></HEAD><BODY><P>I opened a case which got escalated. </P><P></P><P>Issue #1)&nbsp; Under Group Mapping Settings, I had a seperate mapping for each active directory group I wanted to use on my PA 2050.&nbsp; I have a single forest/AD.&nbsp;&nbsp; Support recommended having a single group mapping setting which included all of my active directory groups that I wanted to use within my Palo Alto rules.</P><P></P><P>Issue #2) Under Server Profiles / LDAP we modified the settings to use port 389 instead of the GC port <SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">3268.&nbsp;&nbsp; We modified the Bind DN from <A href="mailto:user@domain.com">user@domain.com</A> to CN=user,OU=grouping,OU=container,DC=domain,DC=com&nbsp;&nbsp; (That's not my actual user or domain.)&nbsp;&nbsp; Support states this works better.</SPAN></P><P> </P><P><SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">Issue #3)&nbsp; The command <STRONG>show user user-IDs | match joe&nbsp; </STRONG>is not showing all of joe's group membership as this is filtering out lines with joe.&nbsp; The group membership list includes lines that do not have joe in the line.&nbsp; So I was using the command incorrectly.&nbsp; The proper command is <STRONG>show user user-IDs match-user joe</STRONG></SPAN></P><P> </P><P><SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">Considering I didn't have the LDAP instability for a few weeks, and then it poped up it's ugly head, only time will tell for certain if these are the fixes.</SPAN></P><P> </P><P> </P><P> </P><P> </P></BODY></HTML> Thu, 06 Sep 2012 21:51:26 GMT EdwinD 2012-09-06T21:51:26Z https://live.paloaltonetworks.com/t5/general-topics/4-1-7-ldap-lookup-unstable/m-p/34530#M25333 <HTML><HEAD></HEAD><BODY><P>I have three active directory servers configured within the LDAP settings of my Palo Alto.&nbsp; I have tried using both 389 and the GC port of 3268 as per this doc: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3120">https://live.paloaltonetworks.com/docs/DOC-3120</A></P><P></P><P>I have two 2050's in an active/passive pair.&nbsp; I have AD IP agents on each DC and the PAs are set to query them.</P><P></P><P>The problem is that while I can see the users in my traffic logs, they are getting the wrong security policies applied to them.&nbsp; The user to IP is working, it is the user to LDAP group which is not.&nbsp;&nbsp; I am <STRONG>not</STRONG> using the user agents as LDAP group membership proxies.</P><P></P><P>If I do <STRONG>show user user-IDs | match joe&nbsp; </STRONG>I may get back the proper group, but I may only get back one of three groups the user is a member of.&nbsp;&nbsp; I'm talking about 1 of 3 groups I've defined to the Palo Alto, not all Active Directory groups.&nbsp;&nbsp; The results are very random.&nbsp;&nbsp; If I run the same command on the second PA in the pair, I will often see different results.&nbsp; </P><P></P><P>I have ran the command&nbsp; <STRONG>show user group-mapping state all&nbsp;&nbsp; </STRONG>and while I did have some nested groups, I do not anymore.&nbsp; Because I cannot negate user groups in a security policy, I have user groups which contain 1500+ users.&nbsp;&nbsp; I have the maximum timeout value set to 30 seconds, which is the max I can set it to in 4.1.7.&nbsp;&nbsp; Per the state all command, it is taking no more than 5 seconds to enumerate these groups.</P><P></P><P>Can anyone please shed some light on what's going on, and how to fix this?</P></BODY></HTML> Wed, 05 Sep 2012 23:23:40 GMT https://live.paloaltonetworks.com/t5/general-topics/4-1-7-ldap-lookup-unstable/m-p/34530#M25333 EdwinD 2012-09-05T23:23:40Z https://live.paloaltonetworks.com/t5/general-topics/4-1-7-ldap-lookup-unstable/m-p/34531#M25334 <HTML><HEAD></HEAD><BODY><P>I opened a case which got escalated. </P><P></P><P>Issue #1)&nbsp; Under Group Mapping Settings, I had a seperate mapping for each active directory group I wanted to use on my PA 2050.&nbsp; I have a single forest/AD.&nbsp;&nbsp; Support recommended having a single group mapping setting which included all of my active directory groups that I wanted to use within my Palo Alto rules.</P><P></P><P>Issue #2) Under Server Profiles / LDAP we modified the settings to use port 389 instead of the GC port <SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">3268.&nbsp;&nbsp; We modified the Bind DN from <A href="mailto:user@domain.com">user@domain.com</A> to CN=user,OU=grouping,OU=container,DC=domain,DC=com&nbsp;&nbsp; (That's not my actual user or domain.)&nbsp;&nbsp; Support states this works better.</SPAN></P><P> </P><P><SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">Issue #3)&nbsp; The command <STRONG>show user user-IDs | match joe&nbsp; </STRONG>is not showing all of joe's group membership as this is filtering out lines with joe.&nbsp; The group membership list includes lines that do not have joe in the line.&nbsp; So I was using the command incorrectly.&nbsp; The proper command is <STRONG>show user user-IDs match-user joe</STRONG></SPAN></P><P> </P><P><SPAN style="text-align: left; background-color: #ffffff; text-indent: 0px; color: #222222;">Considering I didn't have the LDAP instability for a few weeks, and then it poped up it's ugly head, only time will tell for certain if these are the fixes.</SPAN></P><P> </P><P> </P><P> </P><P> </P></BODY></HTML> Thu, 06 Sep 2012 21:51:26 GMT https://live.paloaltonetworks.com/t5/general-topics/4-1-7-ldap-lookup-unstable/m-p/34531#M25334 EdwinD 2012-09-06T21:51:26Z