topic Re: Panorama LDAP group mappings not updating for user-id in General Topics

Panorama LDAP group mappings not updating for user-id

Gun-Slinger — Wed, 03 Feb 2016 16:30:52 GMT

We have user-id setup and every cluster with a designated master device for user-id mappings. I have the group mapping of the new AD group showing in the gateway itself, however when I go to implement the group in a policy in panorama, it will not display the new group. I have done a forced refresh on the gateway and refreshed the panorama but with no luck. It will still not display the new AD group created....any idea?

Re: Panorama LDAP group mappings not updating for user-id

pankaku — Wed, 03 Feb 2016 18:56:12 GMT

On panorama we have to manually enter the group/users in policies automatic is not done.

Re: Panorama LDAP group mappings not updating for user-id

Gun-Slinger — Thu, 11 Feb 2016 15:32:56 GMT

The issue is as by design the panorama device is not intergrated with AD (the is a Feature Request for this).

Here is the following proceedure that needs to be done for new AD groups being added to a policy:

In the user-id tab of the policy rule, click add and paste the entire tree directory mapping to the new AD group:

Example: cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com

You will see it will map and change to the short version company\stuff…blah blah blah…

If you don’t know what the full mapping is or your too lazy to type it all out…do the following:

You will get the following output:

admin@Test-FW01(active)> show user group list | match stuff

cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com