topic Re: Group Mapping for Domains with Non-contiguous namespace in General Topics

Group Mapping for Domains with Non-contiguous namespace

jezkerwin — Wed, 11 May 2016 04:59:31 GMT

Hi I'm attempting to implement userID on PAN-OS 7.0.6 within a multi-domain forest.

All of our workstations exist on one domain and users logging into those workstations exist on another domain within the same forest. I have the UserID agent setup on a member server on the workstation domain and it can correctly map the IP address to usernames on the user domain.

The issue I'm having is that within the policy if I set a group name in the workstation domain, it cannot match to the username which is being correctly identified within the monitor tab

I've seen articles dealing with multiple domains in a single forest but they tend to assume that the domains all have a contiguous DNS name space. Our environment doesn't have that, the user domain and workstation domain names are completley different (legacy reasons, I dont like it 🙂

Has anyone dealt with this before in the past?

Re: Group Mapping for Domains with Non-contiguous namespace

Brandon_Wertz — Wed, 11 May 2016 13:09:53 GMT

While I've removed the actual domains and am not displaying the targeted DCs within the domains for enumeration, I hope you get the context

Of the 8 domains all 8 are unique domains not following contiguous DNS name space. We use 4 UIAs, merely for load sharing purposes, that use same same service account in a single domain. Our UIAs can target all 8 domains because of a domain trust which we've established.

For LDAP profile themselves we do use specific SAs (service accounts) which exist in the respective domains.

Following this contruct I've had no issues matching security group policy with associated user tracking.

Re: Group Mapping for Domains with Non-contiguous namespace

Brandon_Wertz — Wed, 11 May 2016 13:14:08 GMT

Here's a snippet of a user policy I'm using:

I'm successfully able to see these unique security groups in the different domains. While our UIA enviornment which uses a service account in only 1 of the 8 domains can target users which exist in all 8 of the unique domains

Re: Group Mapping for Domains with Non-contiguous namespace

jezkerwin — Thu, 12 May 2016 06:30:28 GMT

Hey thanks for the reply, it certainly does help. I have a couple of follow up questions if you dont mind, just to help me get it clear in my head.

1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)

2) For each of the LDAP profiles you use for the each of the domain are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to LDAP port (389) or the Global Catalog (3268)

3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.

4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?

Thanks for you help, I really appreciate it, this'll get me out of jam if I get it going.

Cheers.

Re: Group Mapping for Domains with Non-contiguous namespace

Brandon_Wertz — Mon, 16 May 2016 12:52:42 GMT

@jezkerwin

1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)

No. Each security group has user accounts in the respective domains

1 Bind DN per domain. LDAP/389

3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.

Yeah, just the default settings minus Base/Bind DN

Yes. Essentially domains A, B, C, D, E, F, G, H. The UIAs are loaded on a 2012 server in domain "A" using a service account which exists in domain "A", which for all intents and purposes is the "parent" domain. There are domain trusts with domain A and every other domain. In this contstruct we're getting user attribution from the other domains.