Nominated Discussion: User ID group mapping, not pulling groups

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "User ID group mapping, not pulling groups" by @HSi-Salem  and answered by @dmifsud. Read on to see the solution and things to be aware of when troubleshooting group mapping. 

 

I have a problem, I'm  setting the user ID group mapping, I can pull users, but not groups, I see 0 groups, I restarted the service, no luck, I verified all server monitoring is connected, and traffic is going to DC'd, the PAN-OS is 10.1.5, I have a similar setup in a pair of firewalls that are on pan-os 9.1.13 with no issues, any advice that points me in the right direction is greatly appreciated.

Solution:

 

Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.

 

Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.

> show user group-mapping state all

 

The user ID log will contain the actual connection attempts to LDAP/LDAPS.

> less mp-log useridd.log

 

If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.

 

If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured.

 

Rate this article:
(1)
  • 2722 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎05-16-2023 08:50 PM
Updated by: