Nominated Discussion: User ID group mapping, not pulling groups

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "User ID group mapping, not pulling groups" by @HSi-Salem  and answered by @dmifsud. Read on to see the solution and things to be aware of when troubleshooting group mapping. 


I have a problem, I'm  setting the user ID group mapping, I can pull users, but not groups, I see 0 groups, I restarted the service, no luck, I verified all server monitoring is connected, and traffic is going to DC'd, the PAN-OS is 10.1.5, I have a similar setup in a pair of firewalls that are on pan-os 9.1.13 with no issues, any advice that points me in the right direction is greatly appreciated.



Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.


Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.

> show user group-mapping state all


The user ID log will contain the actual connection attempts to LDAP/LDAPS.

> less mp-log useridd.log


If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.


If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured.


Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎05-16-2023 08:50 PM
Updated by: