topic Re: LDAP groups not populating correctly in General Topics

LDAP groups not populating correctly

Nathan.S — Mon, 18 Jun 2018 20:12:14 GMT

PA220, PANOS 8.1.1

Working on setting up GlobalProtect using AD/LDAP auth and groups to define access.
I have userconfigs setup by AD Group and the log is "matching config not found"
On digging into it some more, it appears that the user, in the PA, doesn't have the appropriate groups attached. Despite that they do in AD.

AD Group has four members. Three of the members show up in the PA. The fourth does not.
show user user-ids match-user domain\ProblemUser returns an empty table. While the other three users in the group return complete information as expected.
Account is functional and has full access to what all it's supposed to from the AD side of things.

I've done a debug user-id reset group-mapping all and I'm still having the same issues.

Where should I start troubleshooting from here?

Re: LDAP groups not populating correctly

Remo — Mon, 18 Jun 2018 20:32:12 GMT

Is the problematic user in the same OU as the other three? Or more specific: is the user in an OU that is covered by the base DN that you specified in the LDAP server profile?

Re: LDAP groups not populating correctly

Nathan.S — Mon, 18 Jun 2018 20:33:51 GMT

All four users are in the same OU and are covered by the Base DN.

Re: LDAP groups not populating correctly

Remo — Mon, 18 Jun 2018 20:39:20 GMT

When you do the opposite as you already did with the command "show user group name GROUPNAME", there the problem user is also missing right?

Re: LDAP groups not populating correctly

Nathan.S — Mon, 18 Jun 2018 20:43:59 GMT

Correct, ProblemUser does not show up as a member of the group in the PA.

Re: LDAP groups not populating correctly

Remo — Mon, 18 Jun 2018 20:56:48 GMT

Is - for whatever reason - the user in an exclude list or excluded in the LDAP filter in the Group mapping settings?

Re: LDAP groups not populating correctly

Nathan.S — Mon, 18 Jun 2018 20:58:55 GMT

Nope, I don't have anything in the excludes.
Group Mapping is only looking at the AD Group.

Re: LDAP groups not populating correctly

Mick_Ball — Tue, 19 Jun 2018 15:59:38 GMT

i assume you are using different AD accounts for user administration and ldap, it may be worth setting up another ldap profile with the full admin account and re test “show user group name..” . just to ensure the user is not masked somehow within AD.

Re: LDAP groups not populating correctly

Nathan.S — Tue, 19 Jun 2018 16:10:21 GMT

The account in question isn't setup for admin rights to the PA, only auth for the GP portal.
The LDAP Admins group is working correctly and shows up in the "show user group name" as expected.

I'm using a single LDAP Server Profile setup in the PA.
GroupMapping then is looking for specific groups. and then GP is limited further by group membership.

Did I follow you correctly?

Re: LDAP groups not populating correctly

Mick_Ball — Tue, 19 Jun 2018 16:15:52 GMT

I dont think you understood me.. sorry....

nothing to do with pa admins...

your ldap profile has a bind account and password.

when you administer your domain i assume you are using a different account to the bind one...

try that AD admin account as your ldap bind.

Re: LDAP groups not populating correctly

Nathan.S — Tue, 19 Jun 2018 16:22:01 GMT

Okay, I follow you now.

I just switched to my domain admin and now the group membership shows correctly.

Now I'll go talk to the AD admin and find out what needs to happen to make this work.

Thanks for your input!
I'll update if/when I find the cure.

Re: LDAP groups not populating correctly

Mick_Ball — Tue, 19 Jun 2018 16:28:09 GMT

Nice one, sorry for the confusion....

Re: LDAP groups not populating correctly

Nathan.S — Thu, 21 Jun 2018 18:42:55 GMT

Update.
After banging our head on it a lot lately, we finally found that adding the Domain Users group to the GroupMapping resolved the issue.

Unclear why this is the case, but maybe it'll help someone else in the future.

edited to improve clarity

Re: LDAP groups not populating correctly

Remo — Wed, 20 Jun 2018 21:41:22 GMT

@Nathan.S

So you really had to add a single user to the group mapping? ... sounds like a bug to me ...

You could try to update to 8.1.2 ... maybe your lucky and then it "magically" works.

Re: LDAP groups not populating correctly

Nathan.S — Thu, 21 Jun 2018 18:42:17 GMT

@Remo No, I had to add the group Domain Users to the Group Mapping to get the details on the users to show correctly.

Re: LDAP groups not populating correctly

Mick_Ball — Fri, 22 Jun 2018 13:57:01 GMT

so... to confirm...

your portal agent config is set to a certain group, but the full group only works if you add "domain users" to the group mapping "group include" list.

or...

you have just added the users individually in the portal agent config and this only works when you add "domain users" to the group mapping "group include" list..

or none of the above....

Re: LDAP groups not populating correctly

Nathan.S — Fri, 22 Jun 2018 14:20:49 GMT

Portal config is set by AD Group.
When I only put the usergroups I'm selecting into the Auth Profile, it only works for some users.
When I put the usergroups I want for GP Auth AND add the group "Domain Users" to the Auth Profile, then all the users work.

Re: LDAP groups not populating correctly

Mick_Ball — Fri, 22 Jun 2018 14:24:55 GMT

so in effect... your are granting GP access to all users, or have i missed something here...

Re: LDAP groups not populating correctly

Mick_Ball — Fri, 22 Jun 2018 14:25:58 GMT

cancel that, let me read that again....

Re: LDAP groups not populating correctly

Nathan.S — Fri, 22 Jun 2018 14:26:14 GMT

Sorta, but not really.
All users will get authenticated, but won't be allowed access because they won't have a matching config in GP.