Authentication via LDAP server

L1 Bithead

Authentication via LDAP server

We have a PA-3050. I have set up LDAP auth and it is working fine, however I have a question/concern. Yesterday we had a user offsite who needed VPN access. He was not in the AD group initially, so I added him to the AD group and sent him instructions on how to download the agent. When he tried to sign in, it would not allow him; ten or so mins passed and it finally authenticated him and he was able to download the agent and get on VPN.

Is there some sort of sync time I can change? My understanding is that it checks local users then passes off to the LDAP profile, so why would it take ten mins?

L6 Presenter

Re: Authentication via LDAP server

group membership is not dynamic, the palo checks every 20 mins or so...

 

you can force the update of group membership with the following command...

 

debug user-id refresh group mapping all

 

or replace "all" with the group name to update just one group (CN= etc)

 

L1 Bithead

Re: Authentication via LDAP server

Is there any way to change that? Sometimes last minute things happen and sure we can force it, but ideally taking the refresh down to around 2 mins or so would work way better.

L6 Presenter

Re: Authentication via LDAP server

Sure..

 

device\user identification\group mapping settings.

open your group mapping and modify update interval on top right hand corner...

 

default is actually 3600 seconds (1 hour)

 

not sure why I calculated that for you...

L6 Presenter

Re: Authentication via LDAP server

just bear in mind overheads... with some 15k user base we probably won't be reducing it...
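The behaviour discussed in these replies, as an added illustration that is not code from the thread or from PAN-OS: a toy group-mapping cache that re-reads the directory only every update interval (default 3600 s) or when a refresh is forced, and a scenario showing how long a user newly added to the VPN group waits before authorization succeeds. Group and user names are constructed for the example.

```python
import time


class GroupMappingCache:
    """Toy model (constructed for this thread, not PAN-OS code) of a firewall's
    cached view of directory group membership: the directory is re-read only
    every `update_interval` seconds, or when a refresh is forced."""

    def __init__(self, directory, update_interval=3600, clock=time.time):
        self.directory = directory            # live AD/LDAP view: {group: set(users)}
        self.update_interval = update_interval
        self.clock = clock                    # injectable so a scenario can simulate time
        self.snapshot = {}
        self.last_refresh = None
        self.refresh(force=True)

    def refresh(self, force=False):
        """Re-read membership if the interval has elapsed, or when forced
        (the CLI equivalent is 'debug user-id refresh group mapping all')."""
        now = self.clock()
        due = self.last_refresh is None or now - self.last_refresh >= self.update_interval
        if not (force or due):
            return False
        self.snapshot = {g: set(m) for g, m in self.directory.items()}
        self.last_refresh = now
        return True

    def is_member(self, user, group):
        """Authorization check as the firewall sees it: stale until the next refresh."""
        self.refresh()
        return user in self.snapshot.get(group, set())


def vpn_login_delay(update_interval, force_refresh=False):
    """Simulate adding a user to the VPN group right after a poll, then retrying
    login every 60 s. Returns simulated seconds until the login succeeds."""
    now = [0]
    directory = {"vpn-users": {"alice"}}          # constructed sample directory
    cache = GroupMappingCache(directory, update_interval, clock=lambda: now[0])
    directory["vpn-users"].add("bob")             # admin adds bob in AD after the last poll
    if force_refresh:
        cache.refresh(force=True)                 # the manual workaround from the thread
    for t in range(0, update_interval + 60, 60):
        now[0] = t
        if cache.is_member("bob", "vpn-users"):
            return t
    return None


if __name__ == "__main__":
    print("default 3600 s interval:", vpn_login_delay(3600), "s")
    print("120 s interval:", vpn_login_delay(120), "s")
    print("forced refresh:", vpn_login_delay(3600, force_refresh=True), "s")
```

Shortening the interval bounds the delay but multiplies directory polls, which is the overhead trade-off the reply above points out for a large user base.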

L6 Presenter

Re: Authentication via LDAP server

[attached image: usermap.png]

L1 Bithead

Re: Authentication via LDAP server

Yeah, I saw it right after I hit submit, thanks for following up.
