user group mapping

mpaskevic — Tue, 21 Feb 2012 17:25:59 GMT

Using PanOS 4.1.2 on 5020

listing group mapping:

show user group name "<DOMAIN>\<GROUP NAME>"

we get something like this

[1 ] <DOMAIN>\<name>.<surname>

....

though in "user id identification->group mapping settings" under "user objects"

we discretely choose

"Object Class: person"

"User Name: sAMAccountName"

and browsing ldap shows that sAMAccountName holds no such information.

this missmatches the info which is collected by user-id agent and prevents us using user identification.

furthermore if we delete "Domain" parameter in LDAP configuration (which is`t a production environment option, just for debug puposes, because we are in multi domain environment) listing users as mentioned above - we get same info as in "userPrincipalName" attribute:

show user group name "<DOMAIN>\<GROUP NAME>"

[1 ] <userPrincipalName value>

....

Is this hardcoded(user name attribute - userPrincipalName) bug? Or we can do something about it? Install previous version of panos/something using cli?

Any help, insights into this problem - appreciated.

Re: user group mapping

mpaskevic — Wed, 22 Feb 2012 12:06:51 GMT

4.1.3 version fixes this issue:

"35907 - When a user account in Active Directory has a different value for the

userPrincipleName (UPN) name and the sAMAccountName, group mapping is not

working correctly because the user to IP mapping process uses the sAMAccountName and

user to group mapping process uses the UPN name. Update made so both processes use

the sAMAccountName."

topic user group mapping in General Topics

user group mapping

Re: user group mapping