https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238906#M68430 <P>just bear in mind overheads,,, with some 15k userbase we probably wont be reducing it...</P> Wed, 07 Nov 2018 16:34:29 GMT Mick_Ball 2018-11-07T16:34:29Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238896#M68426 <P>We have a PA-3050, I have setup LDAP auth and it is working fine, however I have a question/concern.&nbsp; Yesterday we had a user offsite who needed VPN access, he was not in the AD group initially, so I added him to the AD group and sent him instructions on how to download the agent, when he tried to sign in, it would not allow him, ten or so mins passed and it finally authenticated him and he was able to download the agent and get on VPN.</P><P>&nbsp;</P><P>Is there some sort of sync time I can change?&nbsp; My understanding is that it checks local users then passes off to the LDAP profile, so why would it take ten mins?</P> Wed, 07 Nov 2018 16:20:23 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238896#M68426 TommyScott 2018-11-07T16:20:23Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238903#M68427 <P>group membership is not dynamic, the palo checks ever 20 mins or so...</P><P>&nbsp;</P><P>you can force the update of group membership with the following command...</P><P>&nbsp;</P><P>debug user-id refresh group mapping all</P><P>&nbsp;</P><P>or replace "all" with the group name to update just one group (CN= etc)</P><P>&nbsp;</P> Wed, 07 Nov 2018 16:26:09 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238903#M68427 Mick_Ball 2018-11-07T16:26:09Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238904#M68428 <P>Is there anyway to change that?&nbsp; Sometimes last minute things happen and sure we can force it but ideally taking the refresh down to around 2mins or so would work way better.</P> Wed, 07 Nov 2018 16:27:22 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238904#M68428 TommyScott 2018-11-07T16:27:22Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238905#M68429 <P>Sure..&nbsp;&nbsp;</P><P>&nbsp;</P><P>device\user identification\group mapping settings.</P><P>open your group mapping and modify update interval on top right hand corner...</P><P>&nbsp;</P><P>default is actually 3600 seconds (1 hour)</P><P>&nbsp;</P><P>not sure why i calculated that for you...&nbsp;</P> Wed, 07 Nov 2018 16:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238905#M68429 Mick_Ball 2018-11-07T16:33:03Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238906#M68430 <P>just bear in mind overheads,,, with some 15k userbase we probably wont be reducing it...</P> Wed, 07 Nov 2018 16:34:29 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238906#M68430 Mick_Ball 2018-11-07T16:34:29Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238923#M68439 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="usermap.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17459i765AB109D26D8885/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="usermap.png" alt="usermap.png" /></span></P> Wed, 07 Nov 2018 17:16:42 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238923#M68439 Mick_Ball 2018-11-07T17:16:42Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238928#M68442 <P>Yeah, I saw it right after I hit submit, thanks for following up.</P> Wed, 07 Nov 2018 17:39:04 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server/m-p/238928#M68442 TommyScott 2018-11-07T17:39:04Z