topic Re: Nested groups problem in General Topics

Nested groups problem

PanIst — Wed, 16 Sep 2015 14:17:55 GMT

Hello all,

3 domain and single forest.

(root domain) named as domainA and domainB and domainC

we created 3 LDAP profile for each domain.

we can see members from all domains.

we can see groups for each domain also.

But problem is, if we create a group named ALLVPN in root domainA and there are 3 members in this group.

member1-groupC which is member of root domainA

member2-groupD which is member of domainB

member3-groupE which is member of domainC

show user group name ALLVPN only shows member of groupC.

Does paloalto support this ?

we tried also port 3268 instead of 389 but nothing changed.

Re: Nested groups problem

lewis — Fri, 18 Sep 2015 11:45:01 GMT

We experience the same...Palo Alto does not support nesting unless it has change in 7.0 and up.

Re: Nested groups problem

reaper — Fri, 18 Sep 2015 13:23:34 GMT

Hi Panlst

Nesting should be supported if the LDAP profile is set to ActiveDirectory, some additional improvements were introduced in 7.0 that should also allow nesting if the ldap is set to "other"

You may need to verify your current ldap setting and change it to ActiveDirectory if you have not done so already, alternatively upgrading to 7.0 may help resolve the issue

regards

Tom

Re: Nested groups problem

PanIst — Fri, 18 Sep 2015 21:05:26 GMT

Hello

Already using 7.0.2.

Seems this is not supported.

Can anyone confirm that ?

Regards

Re: Nested groups problem

asilliker — Fri, 02 Oct 2015 16:17:29 GMT

It is definitely possible to achieve the results you are looking for, but it may require some reconfiguration of your underlying groups. Group nesting is supported, and will resolve to a total depth of 10 levels.

In this case, as you are wanting to include group members from multiple domains in the same forest, you will need to configure your group mapping connector against a Global Catalog.

You indicate that you made this configuration change, but it had no effect. That is likely because of the underlying group type that you were trying to include. The only groups with members that will be visible in the Global Catalog with members will be Universal Groups. The group being nested is currently probably a Domain Local group, and is not in the Global Catalog.

I have a Universal Group in the forest root domain, containing a single nested group:

The Nested Group contains users from 3 domains in the forest:

Showing the group shows members for all domains being included:

admin@PA-200> show user group name "lab\demo universal group nesting"

short name: lab\demo universal group nesting

source type: service

source: Get_Users_From_root

[1 ] acme\acmeuser

[2 ] acme\administrator

[3 ] lab\administrator

[4 ] panw\silliker

[5 ] panw\jruiz

[6 ] lab\testuser

Re: Nested groups problem

PanIst — Tue, 13 Oct 2015 13:04:03 GMT

Hello

Config is the same but did not work.Because Multidomain environment can be on same tree but also not.

Here we have multidomain with different tree but same forest.

Paloalto seems to be that is not supported