user group mapping

Reply
Highlighted
Not applicable

user group mapping

Using PanOS 4.1.2 on 5020

listing group mapping:

show user group name "<DOMAIN>\<GROUP NAME>"

we get something like this

[1     ] <DOMAIN>\<name>.<surname>

....

though in "user id identification->group mapping settings" under "user objects"

we discretely choose

"Object Class: person"

"User Name: sAMAccountName"

and browsing ldap shows that sAMAccountName holds no such information.

this missmatches the info which is collected by user-id agent and prevents us using user identification.

furthermore if we delete "Domain" parameter in LDAP configuration (which is`t a production environment option, just for debug puposes, because we are in multi domain environment) listing users as mentioned above - we get same info as in "userPrincipalName" attribute:

show user group name "<DOMAIN>\<GROUP NAME>"

[1     ] <userPrincipalName value>

....

Is this hardcoded(user name attribute - userPrincipalName)  bug? Or we can do something about it? Install previous version of panos/something using cli?

Any help, insights into this problem - appreciated.

Not applicable

Re: user group mapping

4.1.3 version fixes this issue:

"35907 - When a user account in Active Directory has a different value for the

userPrincipleName (UPN) name and the sAMAccountName, group mapping is not

working correctly because the user to IP mapping process uses the sAMAccountName and

user to group mapping process uses the UPN name. Update made so both processes use

the sAMAccountName."

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!