What Should be Configured as Domain in an LDAP Profile?


Applies up to PAN-OS 6.1; for later OS versions, see below.


Details


In most cases, the NetBIOS domain name should be configured in the Domain field of the LDAP server profile.

Note: The fully qualified domain name should normally not be used (for example, use 'pantaclab', not 'pantaclab.com').


Here is an example of what happens when the full domain is used:

> show user user-IDs

User Name               Vsys    Groups
------------------------------------------------------------------
pantaclab.com\user01    vsys1   cn=group1,cn=users,dc=pantaclab,dc=com

Notice that the user is listed as pantaclab.com\user01, which is unlikely to match the domain\user format used in Active Directory.

 

When pantaclab is configured as the domain instead of pantaclab.com, the result is different: the user is listed as pantaclab\user01, which matches the Active Directory user.

> show user ip-user-mapping

IP               Ident. By  User                              Idle Timeout (s)  Max. Timeout (s)
---------------  ---------  --------------------------------  ----------------  ----------------
192.168.208.100  AD         pantaclab\user01                  2995              2995

If the domain name in the LDAP profile differs from the one shown in ip-user-mapping, user and group name lookups are affected. For example, if a security policy is configured with source user "group1" (from the example above), the user at 192.168.206.100 will not be treated as a member of "group1".
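As an added illustration (not part of the original article or of PAN-OS), the following Python snippet parses the two command outputs shown above and flags users whose ip-user-mapping domain prefix differs from the prefix under which their group membership was learned. The sample output is constructed to mirror the article's tables; the mismatch it reports is exactly the FQDN-versus-NetBIOS problem described.

```python
# Constructed sample output in the shape of the article's two CLI commands
# (not captured from a real firewall): user01 was learned through an LDAP
# profile holding the FQDN as Domain, user02 through one holding the NetBIOS name.
USER_IDS_OUTPUT = r"""
User Name                Vsys   Groups
------------------------------------------------------------------
pantaclab.com\user01     vsys1  cn=group1,cn=users,dc=pantaclab,dc=com
pantaclab\user02         vsys1  cn=group1,cn=users,dc=pantaclab,dc=com
"""

IP_USER_MAPPING_OUTPUT = r"""
IP              Ident. By  User              Idle Timeout (s)  Max. Timeout (s)
--------------- ---------  ----------------- ----------------  ----------------
192.168.208.100 AD         pantaclab\user01  2995              2995
192.168.208.101 AD         pantaclab\user02  2995              2995
"""

def _rows(text):
    """Return whitespace-split data rows, skipping the header and dashed rule."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [ln.split() for ln in lines[1:] if not set(ln) <= {"-", " "}]

def parse_user_ids(text):
    """'show user user-IDs' output -> {domain\\user: groups}."""
    return {cols[0]: cols[2] for cols in _rows(text)}

def parse_ip_user_mapping(text):
    """'show user ip-user-mapping' output -> {ip: domain\\user}."""
    return {cols[0]: cols[2] for cols in _rows(text)}

def split_domain(name):
    """'pantaclab.com\\user01' -> ('pantaclab.com', 'user01'), case-folded."""
    domain, _, user = name.rpartition("\\")
    return domain.lower(), user.lower()

def find_domain_mismatches(user_ids, ip_mapping):
    """Return (ip, mapped_name, group_domains) for each mapped user whose
    domain prefix differs from the one the LDAP profile learned groups under;
    those users will not match group-based security policy."""
    domains_by_user = {}
    for full in user_ids:
        domain, user = split_domain(full)
        domains_by_user.setdefault(user, set()).add(domain)
    mismatches = []
    for ip, full in ip_mapping.items():
        domain, user = split_domain(full)
        known = domains_by_user.get(user, set())
        if known and domain not in known:
            mismatches.append((ip, full, sorted(known)))
    return mismatches
```

Run against real output of the two commands, a non-empty result points at an LDAP profile whose Domain field should be changed to the NetBIOS name.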


See Also

How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server


LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama  


owner: yogihara

Comments

Good tip.

Yes, really good, that's what I was looking for.