03-07-2018 03:21 PM - edited 03-07-2018 03:22 PM
Group “Allow lists” no longer worked for LDAP authentications. We could no longer connect to GlobalProtect until we set it to All or specified each LDAP user account.
We had to forcefully clear the ID Manager database:
debug user-id reset user-id-manager type user-group
03-07-2018 06:19 PM
I don't believe that this is actually a reported issue as of yet; at least not that I saw with a quick look through the release notes. Out of curiosity, did you actually report this to TAC, and did resetting the ID Manager database actually resolve the issue and allow you to utilize the allow lists?
03-08-2018 07:43 AM
Yes this resolution was via TAC and all is well now after resetting the database.
03-08-2018 07:48 AM
Also, this may not be specific to an 8.1.0 upgrade, that's just the event that caused me to experience it.
The other thing with the upgrade is it can clear out the %USERINPUT% and set it to "None" on the Auth Profile's UserName Modifier.
04-19-2019 12:02 PM
I had the same issue after upgrade to 8.1. As I had not seen this article I have not yet tried clearing the groupID db.
I decided to downgrade instead to further research. I found that even with a pre-upgrade backup that was used during the downgrade, the issue persists.
I discovered that deleting the auth profile and then re-syncing from the untouched HA partner returned it to expected function.