08-16-2012 05:28 PM
I am running PAN-OS 4.1.7 on a pair of HA 2050s that use direct LDAP connectivity to multiple AD servers for group membership. I also have the UaInstall-4.1.5-1.MSI 4.1.5 user-to-IP agents running on my DCs. I do not have the group membership coming from the user-to-IP agent running on the servers. I have the 2050s enumerating group membership directly from the AD LDAP servers, using the global connection port 5007 from the firewall to the AD servers.
I upgraded from 4.1.5 to 4.1.7 because I was aware of the known issue in 4.1.5 with "Domain Users" not being properly enumerated. However, this problem has just recurred in 4.1.7 to some extent. The end result is that 90% of my users no longer had Internet access.
When I ran the command
> show user user-IDs | match someuser
I got no results. This problem lasted for over an hour. I have the group membership refresh set to 360 seconds. I had to commit the firewall policy multiple times for the group membership to enumerate correctly. Other groups were enumerating fine.
I would like to suggest that there is still a bug in this code in 4.1.7. For the time being I have created a new Active Directory group that isn't special like "Domain Users" is, and I have added all my domain users to it.
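What makes "Domain Users" special when a firewall or agent enumerates groups over LDAP is an Active Directory behaviour the thread does not spell out: a user's membership in their primary group (RID 513, "Domain Users", for every account by default) is not stored in the group's `member` attribute at all; it is implied by the user's `primaryGroupID` attribute. An enumerator that only follows `member` therefore sees "Domain Users" as empty, which matches the symptom described above (whether that is the cause of the PAN-OS 4.1.x defect is not established by the thread). The following is an added example, not code from the thread or from Palo Alto Networks: it decodes the binary objectSid to get a group's RID and resolves membership both ways, over constructed sample entries standing in for LDAP search results. The domain SID, DNs and account names are assumptions.

```python
"""
Resolve AD group membership the way an LDAP-based enumerator must:
the group's `member` attribute for ordinary members, plus users whose
`primaryGroupID` equals the group's RID for primary-group members.
Added example with constructed sample directory data.
"""
import struct

DOMAIN_SUBAUTHS = (21, 1111, 2222, 3333)   # assumed domain S-1-5-21-1111-2222-3333
DOMAIN_USERS_RID = 513                      # well-known RID of "Domain Users"


def make_sid(domain_subauths, rid):
    """Build a binary objectSid: revision 1, NT authority (5), sub-authorities, RID."""
    subs = list(domain_subauths) + [rid]
    return (struct.pack("<BB", 1, len(subs))
            + (5).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_string(sid):
    """Decode a binary objectSid into its S-1-5-... string form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_rid(sid):
    """The RID is the last sub-authority of the SID."""
    count = sid[1]
    return struct.unpack("<I", sid[8 + 4 * (count - 1):8 + 4 * count])[0]


# Constructed directory contents (a subset of the attributes AD returns).
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
WEB_ACCESS_DN = "CN=Web-Access,OU=Groups,DC=example,DC=com"

ENTRIES = [
    # "Domain Users": no explicit members even though every user belongs to it.
    {"dn": DOMAIN_USERS_DN, "objectClass": ["group"],
     "objectSid": make_sid(DOMAIN_SUBAUTHS, DOMAIN_USERS_RID), "member": []},
    # An ordinary group populated the usual way, through `member`.
    {"dn": WEB_ACCESS_DN, "objectClass": ["group"],
     "objectSid": make_sid(DOMAIN_SUBAUTHS, 1105),
     "member": ["CN=alice,OU=Staff,DC=example,DC=com"]},
    {"dn": "CN=alice,OU=Staff,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": "alice", "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": "bob", "primaryGroupID": 513},
    # An account whose primary group was changed to Web-Access: AD then drops it
    # from Web-Access's `member` list, so it too is visible only via primaryGroupID.
    {"dn": "CN=svc-build,OU=Service,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": "svc-build", "primaryGroupID": 1105},
]


def primary_group_filter(rid):
    """LDAP filter that finds the users whose primary group has this RID."""
    return "(&(objectCategory=person)(objectClass=user)(primaryGroupID=%d))" % rid


def members_via_member_attr(entries, group_dn):
    """Naive enumeration: trust only the group's `member` attribute."""
    by_dn = {e["dn"]: e for e in entries}
    group = by_dn[group_dn]
    return sorted(by_dn[dn]["sAMAccountName"] for dn in group["member"] if dn in by_dn)


def members_complete(entries, group_dn):
    """Full enumeration: `member` attribute plus users whose primaryGroupID
    equals the group's RID (the only way "Domain Users" members show up)."""
    by_dn = {e["dn"]: e for e in entries}
    rid = sid_rid(by_dn[group_dn]["objectSid"])
    direct = set(members_via_member_attr(entries, group_dn))
    primary = {e["sAMAccountName"] for e in entries
               if "user" in e["objectClass"] and e.get("primaryGroupID") == rid}
    return sorted(direct | primary)


if __name__ == "__main__":
    for dn in (DOMAIN_USERS_DN, WEB_ACCESS_DN):
        print(dn, sid_to_string(next(e["objectSid"] for e in ENTRIES if e["dn"] == dn)))
        print("  member attribute only:", members_via_member_attr(ENTRIES, dn))
        print("  with primaryGroupID  :", members_complete(ENTRIES, dn))
```

The practical check this suggests: when a group mapping reports a group as empty or partial, run the `primaryGroupID` filter above against the domain with any LDAP client and compare the count with what the firewall enumerated; if they differ, the mapping is not following the primary-group path and a workaround like the non-primary group the poster created is the safe interim fix.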
10-26-2012 05:36 PM
Hi EdwinD,
We have been able to successfully pull members of the 'Domain Users' using 4.1.7. Perhaps the issue is unique to your environment.
In order to force a full group membership refresh (as opposed to an incremental one), the following command can be run:
> debug user-id reset group-mapping all
Please open a case with support for further investigation if you haven't already done so.
- Stefan
10-29-2012 12:51 PM
Support did resolve the issue. Apparently there are multiple ways to set up the domain, and one way works better than the other. Basically, create only one LDAP mapping per domain, and then import all the groups you desire through the single mapping. Do not create a single mapping per LDAP group.