topic Re: Using LDAP groups with GlobalProtect in General Topics

Using LDAP groups with GlobalProtect

fjwcash — Tue, 24 Mar 2020 19:10:04 GMT

What's the magic incantation needed to use LDAP groups in the GlobalProtect Portal user/group list? Instead of listing all umpteen dozen individual users.

I have a working GP Portal and multiple Gateway setup, using LDAP for authentication.

I have a working Group Mapping setup using groups from LDAP. I can use "show user group list" and see all my LDAP groups. I can use "show user group name mydomain\mygroup" (the shortname for it) to view all the members of the group. And I can run "show user user-ids match-user myuser" to see which group(s) a user is in.

In the Portal config, I can add individual users to the user/group list for each individual Gateway. But, with the number of VPN users increasing the past couple of weeks, it's getting cumbersome to edit the config, commit to Panorama, and push tot he firewalls. Would be much nicer to just put an LDAP group in here, and update the member list in LDAP instead. I just can't make this work!

If I remove a test user from the Portal config, and replace it with an LDAP group (which that test user is a member of), then I get "Not authorized to access GlobalProtect Portal". Tried the shortname for the group, mydomain\shortname, and the full cn=mygroup,ou=groups... syntax. Same result for each.

What am I missing?

Edit: This is on Panorama 8.1.13, PanOS 8.1.9-h4 on the Portal, 8.1.13 on the Gateways.

Edit2: Further troubleshooting, running "test authentication" from the CLI on the portal and the gateway succeeds. But, we already knew the LDAP config worked; it's trying to use the LDAP group on the Portal Config that's failing. And there doesn't appear to be a way to test that at the CLI, or to get better logs.

Re: Using LDAP groups with GlobalProtect

VincentPresogna — Tue, 24 Mar 2020 17:37:28 GMT

What version of PAN-OS are you running. There are some versions that had a bug when using a scoped LDAP group.

Re: Using LDAP groups with GlobalProtect

fjwcash — Tue, 24 Mar 2020 18:07:47 GMT

Panorama 8.1.13

PanOS 8.1.9-h4 on the Portal

PanOS 8.1.13 on the Gateways

Using OpenLDAP on the directory servers, so the LDAP config uses "other".

Re: Using LDAP groups with GlobalProtect

VincentPresogna — Tue, 24 Mar 2020 18:09:47 GMT

Sorry, I can't help with this. I have been running 9.0 versions, wasn't until 9.0.5 that it was fixed. I am also doing LDAP auth against active directory.

Re: Using LDAP groups with GlobalProtect

fjwcash — Fri, 27 Mar 2020 21:38:56 GMT

Aha! Got it to work with the help of Palo Alto support.

With OpenLDAP, you have to match the Domain Name in the LDAP Server Profile, the Authentication Profile, and the Group Mapping (and it doesn't like . in the domain). We had it matched across them all, but using sub.sub.tld for the domain, which it doesn't like.

And, in the Portal config, when you list the group, you have to use the full LDAP cn=groupname,ou=users,dc=sub,dc=sub,dc=tld. It doesn't like using the domain\groupname short-name format.

With those two settings changed, listsing just the group in the Portal config allows users in that group in LDAP to login!