topic LDAP and trusted domains in General Topics

LDAP and trusted domains

nthen — Thu, 27 Jun 2013 20:06:05 GMT

I use Active Directory groups to control my content filter policies. One of the groups is currently set to Domain Local as it contains a member of one of the trusted domains. I have an agent running in this trusted domain and the PAN appliance can properly detect the username. When I look in AD I can see the membership containing members of both domains. LDAP is setup to use port 3268 instead of 389. When I type the show user group name DOMAIN\unblock_craigslist all of the members of my local domain are listed, just not the members from the trusted domain. Does anyone know how to handle group memberships that have members from a trusted domain. Keep in mind that these trusts are completely separate forests.

Re: LDAP and trusted domains

nthen — Thu, 27 Jun 2013 20:31:07 GMT

I can query each domain pretty easy. The issue I am running into is the Group Mapping. It does not show the members of the trusted domain. I can identify the user properly, just not do group based rules.

Re: LDAP and trusted domains

Chatri — Thu, 27 Jun 2013 20:35:04 GMT

Does the output of the following command not show you all the groups a specific user is part of?

>> show user user-IDs

Re: LDAP and trusted domains

nthen — Thu, 27 Jun 2013 20:38:09 GMT

My trusted domain user does not show up in this list. All other local domain users do and show the correct group.

Re: LDAP and trusted domains

Chatri — Thu, 27 Jun 2013 20:43:16 GMT

That means that we are not pulling users or groups from the trusted user at all.

For the Palo Alto to be able to do that we need to have a group mapping setting for the trusted domain as well as the local domain.

I think that is the missing link here.

Re: LDAP and trusted domains

nthen — Thu, 27 Jun 2013 20:51:24 GMT

All my groups are in the local domain and I just add the trusted users to it so I can keep all my groups together. I think this is due to the ForiegnSecurityPrincipals in Active Directory. When I put an LDAP browser on it, I can see my local users and a SID of the remote user. I don't think the PAN can resolve trusted domain users since it doesn't come back from LDAP that way. I was reading about a way to trick the agent on the remote end to send a different domain name. This would work for me if anyone knows where to set it since I have the same user in both domains for the Global Protect to work correctly.