LDAP 389 Group Mapping

L4 Transporter

I am attempting to configure Global Protect to authenticate with our LDAP server. We are an all-Linux shop and we are using LDAP 389, which is very similar to OpenLDAP (this is what I was told anyway; I am not much of a server guy and don't manage this server). We would like just one specific group and the users assigned to that group to be allowed to authenticate. To do this we have attempted to set up a group mapping, but we're having a heck of a time coming up with the right filters, object classes, etc. to get this to work completely. Does anybody have experience with this LDAP server who can throw me a bone? I've worked with Palo Alto support and they have worked diligently to help me figure it out, but they haven't had much luck either. I pulled up the group (vpn) using an LDAP browser and attached a screenshot of the details.

Currently I have the following configured under Group Objects:

Search filter: (empty)

Object Class: top

Group Name: cn

Group Member: vpn

User Objects:

Search filter: (empty)

Object Class: top

User Name: uid

With these configs I am able to see the groups listed under the Group Include List and add it to the Included Groups, which allows me to add it to the allowed users list under the authentication profile; however, I am unable to authenticate when testing. System logs show the user is not in the allowed user list. When I use the show user group list command in the CLI it shows me the group I want to add. When I use the show user group name "groupname" command to see all the users in the group it doesn't show me the users. It just shows me the group's short name, source type, and source. It seems like the group is queried but not the users. Any thoughts?

L5 Sessionator

Re: LDAP 389 Group Mapping

Hi,

Run the following commands on the firewall to see if you see the group and then the users in the group.

This command will show you a list of all the user groups.

admin@PA-3050> show user group list

+ xmlapi   List groups from XML API

  |        Pipe through a command

  <Enter>  Finish input

Run the following command to see the users in a group.

admin@PA-3050> show user group name

  <value>  Show group's members

Also, what version of OS are you on?

Hope this helps.

Thanks

L4 Transporter

Re: LDAP 389 Group Mapping

The "Group Member" value in the group mapping profile should not be set to the group name. This value should be set to the attribute returned by the LDAP server that identifies a member of the group. In the screenshot it looks like this attribute is "uniqueMember". If you expand the uniqueMember attribute in your browser, what attribute name is listed for each user? The attribute name used for each user that is a member of the group should be used as the "Group Member" value.

The search filter for the Group Objects should also be set to "objectClass=groupOfUniqueNames". With the current search filters the firewall is going to query without a filter to get a list of users and groups configured.

To configure the User Objects search filter you should query a user from the LDAP server and see what objectClass is returned which is unique to a user, then configure that as the User Objects search filter with "objectClass=xx".

L4 Transporter

Re: LDAP 389 Group Mapping

Thanks for the reply. I guess I am a little confused. What are you saying should be in the Group Objects Group Member field? uniqueMember or attribute name? When I expand uniqueMember, in that same column (Attribute Description) it lists uniqueMember for each user. Under the Value column it lists each user in the following format: "uid=username,ou=People,dc=company,dc=com".

Also, why would objectClass=groupOfUniqueNames go in the Search Filter field? Wouldn't it go in the Object Class field? Also, what about Group Name?

Attached is a screenshot of my user which resides in the VPN group.

Thanks again for your help.
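To check the three settings the replies above turn on (group search filter, Group Member attribute, user name attribute) before changing the firewall, here is an added example that is not from this thread or from Palo Alto: it parses a constructed LDIF dump of a 389 DS group and its users (the DNs follow the "uid=username,ou=People,dc=company,dc=com" format quoted in the thread) and resolves group members the way a group-mapping profile does, so you can see which settings return the users and which return nothing.

```python
# Constructed LDIF sample (not a real directory) mirroring the thread's layout.
SAMPLE_LDIF = """\
dn: cn=vpn,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: vpn
uniqueMember: uid=alice,ou=People,dc=company,dc=com
uniqueMember: uid=bob,ou=People,dc=company,dc=com

dn: uid=alice,ou=People,dc=company,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=People,dc=company,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr_lower: [values]}}.
    Handles plain 'attr: value' lines only (no line folding or base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def resolve_group_members(entries, group_class, member_attr, user_name_attr):
    """Return {group: [usernames]} as a group-mapping profile would resolve it:
    1. select group entries whose objectClass matches group_class (search filter),
    2. read member_attr from each group (Group Member) - each value is a user DN,
    3. look that DN up and take user_name_attr from the user entry (User Name).
    A group entry with no cn (e.g. a user matched by objectClass=top) is keyed by DN."""
    result = {}
    for dn, attrs in entries.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if group_class.lower() not in classes:
            continue
        users = []
        for member_dn in attrs.get(member_attr.lower(), []):
            users.extend(entries.get(member_dn, {}).get(user_name_attr.lower(), []))
        result[attrs.get("cn", [dn])[0]] = users
    return result
```

With Group Member set to the group name ("vpn"), as in the original configuration, the group is found but no users resolve, which matches the empty membership seen in the thread; with objectClass=top as the group filter, the user entries are returned as groups too.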
