https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11712#M8593 <HTML><HEAD></HEAD><BODY><P>Yes i saw the same behaviour. Support said it was a bug. To add the groups required i used the search feature above the LDAP tree. That seemed to work even though i could browse for the groups.</P><P></P><P>Also keep in mind with the LDAP config the domain name i need to use the NETBIOS domain name not the full DNS name.</P></BODY></HTML> Tue, 15 Nov 2011 00:18:20 GMT supportOCA 2011-11-15T00:18:20Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11711#M8592 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have upgraded to 4.1 and added a ldap-server profile to the config so the firewall does the query instead of the user-id-agent.</P><P>When I go to group-mappings settings ( under user-identification ) and select the tab 'Group Include List',<BR />I can see the whole AD-tree-structure, but I cannot view the last part: the group itself.</P><P>Has anybody seen this behavior ?</P><P>Kind regards,</P><P>Paul</P></BODY></HTML> Mon, 14 Nov 2011 10:57:33 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11711#M8592 paulmeys 2011-11-14T10:57:33Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11712#M8593 <HTML><HEAD></HEAD><BODY><P>Yes i saw the same behaviour. Support said it was a bug. To add the groups required i used the search feature above the LDAP tree. That seemed to work even though i could browse for the groups.</P><P></P><P>Also keep in mind with the LDAP config the domain name i need to use the NETBIOS domain name not the full DNS name.</P></BODY></HTML> Tue, 15 Nov 2011 00:18:20 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11712#M8593 supportOCA 2011-11-15T00:18:20Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11713#M8594 <HTML><HEAD></HEAD><BODY><P>Yes!</P><P></P><P>Apparantly it's working when you search for the EXACT name for the group.</P><P>but:</P><P>The normal listing works when you make your base "deep" enough in the ldap-server-profile.</P><P>so yes, I think it is a bug <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Kind regards,</P><P>Paul</P></BODY></HTML> Tue, 15 Nov 2011 10:34:16 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11713#M8594 paulmeys 2011-11-15T10:34:16Z https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11714#M8595 <HTML><HEAD></HEAD><BODY><P>I am seeing the exact same behaviour - I am typing in the group names exactly and I do get a match. Unfortunately when I go to the command line and do "show user group name &lt;group name&gt;" I can get all to work apart from Domain Users. This group just returns an empty list which has meant the rules previously based on that - namely web access, have failed. This has obviously upset a few people...</P><P></P><P>The group lookup issue is a dissapointing bug - surely a complete lack of testing on something quite important...</P></BODY></HTML> Mon, 23 Jan 2012 10:46:09 GMT https://live.paloaltonetworks.com/t5/general-topics/user-identification-4-1-ldap-ad/m-p/11714#M8595 UKRB 2012-01-23T10:46:09Z