on 05-16-2023 08:50 PM
This Nominated Discussion Article is based on the post "User ID group mapping, not pulling groups" by @HSi-Salem and answered by @dmifsud. Read on to see the solution and things to be aware of when troubleshooting group mapping.
I have a problem: I'm setting up User-ID group mapping. I can pull users but not groups; I see 0 groups. I restarted the service, no luck. I verified all server monitoring is connected and traffic is going to the DCs. The PAN-OS version is 10.1.5. I have a similar setup on a pair of firewalls that are on PAN-OS 9.1.13 with no issues. Any advice that points me in the right direction is greatly appreciated.
Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.
Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.
> show user group-mapping state all
The User-ID log will contain the actual connection attempts to LDAP/LDAPS.
> less mp-log useridd.log
If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.
If the firewall is actually connecting and you still see 0 groups, you might have the Base DN in your LDAP profile set incorrectly. You need to set this either to the root, or to somewhere between the root and the point where the users and groups are both configured.
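The Base DN condition in the answer above can be checked offline before touching the firewall: the Base DN must be the root or a container that is an ancestor of every user and every group you expect to see. The script below is an added example, not code from the original post or from Palo Alto Networks. It parses DNs with a deliberately simplified splitter (backslash-escaped commas are handled; full RFC 4514 hex escapes and multi-valued RDNs are not), and the user and group DNs it runs against are constructed sample values for a hypothetical `example.com` domain, not data from the discussion. In practice you would feed it DNs exported with `ldapsearch` or read off the group include list browser in the GUI.

```python
"""Check whether an LDAP Base DN covers both the user and group containers.

Added example, not from the original discussion. Standard library only; no
directory connection is made. Sample DNs below are constructed.
"""
from typing import Iterable, List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized (lower-cased, trimmed) RDNs, most specific first.

    Handles backslash-escaped commas such as "CN=Smith\\, John", which AD
    produces for display names containing commas. Hex escapes and
    multi-valued RDNs (RFC 4514) are intentionally not handled here.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip().lower())
    return [r for r in rdns if r]


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies anywhere beneath it."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def common_ancestor(dns: Iterable[str]) -> str:
    """Deepest DN that is an ancestor of (or equal to) every DN given.

    Walks the DNs from the root (last RDN) inward and stops at the first
    RDN on which they disagree.
    """
    root_first = [list(reversed(split_dn(d))) for d in dns]
    if not root_first:
        return ""
    shared: List[str] = []
    for level in zip(*root_first):
        if all(rdn == level[0] for rdn in level):
            shared.append(level[0])
        else:
            break
    return ",".join(reversed(shared))


def check_base_dn(base_dn: str, user_dns: Iterable[str],
                  group_dns: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason). ok means every user and group is under base_dn.

    When the check fails, the reason names the deepest container that would
    cover everything, which is the lowest Base DN worth configuring.
    """
    users, groups = list(user_dns), list(group_dns)
    missing_users = [u for u in users if not is_under(u, base_dn)]
    missing_groups = [g for g in groups if not is_under(g, base_dn)]
    if not missing_users and not missing_groups:
        return True, f"{base_dn} covers all {len(users)} users and {len(groups)} groups"
    suggested = common_ancestor(users + groups)
    return False, (f"{len(missing_users)} user(s) and {len(missing_groups)} group(s) "
                   f"fall outside {base_dn}; set Base DN to {suggested} or higher")


# Constructed sample data: users and groups live in sibling OUs, so a Base DN
# pointed at the user OU pulls users but zero groups, matching the symptom.
SAMPLE_USERS = [
    "CN=alice,OU=Staff,DC=example,DC=com",
    "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
]
SAMPLE_GROUPS = [
    "CN=vpn-users,OU=Groups,DC=example,DC=com",
    "CN=admins,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    for candidate in ("OU=Staff,DC=example,DC=com", "DC=example,DC=com"):
        ok, reason = check_base_dn(candidate, SAMPLE_USERS, SAMPLE_GROUPS)
        print(("OK  " if ok else "FAIL"), reason)
```

With the sample data, `OU=Staff,DC=example,DC=com` fails and the script recommends `dc=example,dc=com`, while the domain root passes. Note that a Base DN that is too low is only one cause of "0 groups"; the `show user group-mapping state all` and `useridd.log` checks in the answer still come first, since a bind or connectivity failure also yields zero groups.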