How To use Group Filters when Configuring LDAP

44292
Created On 09/25/18 20:34 PM - Last Modified 06/15/23 21:53 PM


Resolution


Overview

The Group Mapping settings (Device > User Identification > Group Mapping > Server Profile) include a Group Filter field. Its value is an LDAP search filter applied to group objects: only the groups whose attributes match the filter are retrieved, together with their membership, rather than every group under the search base. This is especially useful in very large LDAP deployments. The Group Filter field is limited to 1024 characters.

 

Here are some search examples:

  • All groups with a specific description: description=Marketing
  • The single group with a specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • All groups with a specific common name: CN=SSLVPN

 

Note: More than one group can have the same common name but be in a different area of the LDAP structure.

The following groups have the same common name, SSLVPN, but different distinguished names:

  • distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org

 

It is also possible to combine several conditions in one filter. A pipe "|" is the OR operator and an ampersand "&" is the AND operator; the operator is written first and applies to the parenthesized conditions that follow it (the prefix notation of RFC 4515). In strict RFC 4515 syntax the whole expression is itself enclosed in one more pair of parentheses, for example (|(CN=SSLVPN)(CN=PanAdmins)); the examples below omit that outer pair.

 

The following OR searches return the same results, provided no other group in the directory shares the common names SSLVPN or PanAdmins (see the note above). The distinguishedName form is unambiguous; the CN form matches every group with that common name, wherever it sits in the tree.

  • |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
  • |(CN=SSLVPN)(CN=PanAdmins)

Both searches return the SSLVPN group and the PanAdmins group, and therefore the members of each. An OR filter selects the groups matching any one of its conditions, not only those matching all of them.

 

An asterisk "*" is a wildcard matching any run of characters and can appear at the start, end or middle of a value: |(CN=SSLVP*)(CN=*anAdmins). Use wildcards with care: a pattern such as CN=*Admins also selects any other group whose name happens to end in Admins, and every group it selects becomes usable in policy.

 

Note: You cannot filter by OU. The OU is part of a group's distinguished name rather than an attribute of the group object, so there is nothing for an OU= condition to match, and Active Directory does not support substring (wildcard) matching on DN-syntax attributes such as distinguishedName, so a pattern like distinguishedName=*OU=Staff* does not work either.
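The behaviour described above (duplicate common names, the OR and AND operators, wildcards, the OU limitation and the 1024-character limit) can be checked offline before a filter is committed to the firewall. The following is an added example, not code from this article or from PAN-OS: a small Python evaluator for the filter forms shown here, run against a constructed sample directory. The group entries, the function names (parse, matches, search) and the evaluator's matching rules are assumptions of the example; it does not replicate the firewall's own filter handling.

```python
"""Added example (not from the Palo Alto Networks article or PAN-OS): an
offline evaluator for the filter forms the article shows, run against a
constructed set of group entries. The sample directory and the evaluator's
behaviour are assumptions of this example; it does not replicate the
firewall's own parser."""
import re

MAX_FILTER_LEN = 1024  # limit of the Group Filter field stated in the article

# Constructed sample directory: two groups share CN=SSLVPN in different
# containers (the article's duplicate-CN note); one group sits in an OU.
GROUPS = [
    {"distinguishedName": "CN=SSLVPN,CN=Users,DC=example,DC=org",
     "cn": "SSLVPN", "description": "Remote access"},
    {"distinguishedName": "CN=SSLVPN,CN=marketing,DC=example,DC=org",
     "cn": "SSLVPN", "description": "Marketing"},
    {"distinguishedName": "CN=PanAdmins,CN=Users,DC=example,DC=org",
     "cn": "PanAdmins", "description": "Firewall administrators"},
    {"distinguishedName": "CN=Sales,OU=Staff,DC=example,DC=org",
     "cn": "Sales", "description": "Marketing"},
]


def _operands(s):
    """Split '(a=1)(&(b=2)(c=3))' into its top-level parenthesized operands."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start + 1:i])
    if depth != 0 or not parts:
        raise ValueError("unbalanced or empty operand list: %r" % s)
    return parts


def parse(filt):
    """Parse a filter into ('eq', attr, pattern) or ('|' or '&', [subtrees]).

    Accepts the article's forms with or without the outer parentheses that
    RFC 4515 requires: 'CN=SSLVPN', '|(CN=a)(CN=b)', '(&(a=1)(b=2))'.
    """
    s = filt.strip()
    if s.startswith("("):                      # strip one enclosing pair
        parts = _operands(s)
        if len(parts) != 1 or len(parts[0]) != len(s) - 2:
            raise ValueError("operands without an operator: %r" % filt)
        s = parts[0]
    if s[:1] in ("|", "&"):
        return (s[0], [parse(part) for part in _operands(s[1:])])
    attr, sep, pattern = s.partition("=")
    if not sep or not re.fullmatch(r"[A-Za-z][\w-]*", attr):
        raise ValueError("not a supported filter expression: %r" % filt)
    return ("eq", attr, pattern)


def _wild(pattern, value):
    """Match value against pattern, '*' standing for any run of characters."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(tree, entry):
    """Evaluate a parsed filter against one group entry (dict of attributes).

    Attribute names compare case-insensitively. An attribute the object does
    not carry never matches: 'OU' is part of the DN, not an attribute of the
    group, which is why filtering by OU returns nothing.
    """
    if tree[0] in ("|", "&"):
        combine = any if tree[0] == "|" else all
        return combine(matches(t, entry) for t in tree[1])
    _, attr, pattern = tree
    value = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    return value is not None and _wild(pattern, value)


def search(filt, groups=GROUPS):
    """Return the DNs of the groups the filter selects, in directory order."""
    if len(filt) > MAX_FILTER_LEN:
        raise ValueError("filter is %d characters; the field allows %d"
                         % (len(filt), MAX_FILTER_LEN))
    tree = parse(filt)
    return [g["distinguishedName"] for g in groups if matches(tree, g)]


if __name__ == "__main__":
    for f in ("CN=SSLVPN", "|(CN=SSLVPN)(CN=PanAdmins)",
              "|(CN=SSLVP*)(CN=*anAdmins)", "OU=Staff"):
        print("%-30s -> %s" % (f, search(f)))
```

Running the block shows that CN=SSLVPN returns both SSLVPN groups while the distinguishedName form returns one, that |(CN=SSLVPN)(CN=PanAdmins) therefore returns three groups where the distinguishedName version of the same OR returns two, and that OU=Staff returns nothing. Against a real directory the same check can be made with an LDAP client such as ldapsearch, using the full RFC 4515 form with the outer parentheses, for example ldapsearch -x -H ldap://dc.example.org -D 'binduser@example.org' -W -b 'DC=example,DC=org' '(|(CN=SSLVPN)(CN=PanAdmins))' cn (the host name and bind account are placeholders).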

 

owner: rnitz



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhTCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail