Authentication via LDAP server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Authentication via LDAP server

L1 Bithead

We have a PA-3050, I have setup LDAP auth and it is working fine, however I have a question/concern.  Yesterday we had a user offsite who needed VPN access, he was not in the AD group initially, so I added him to the AD group and sent him instructions on how to download the agent, when he tried to sign in, it would not allow him, ten or so mins passed and it finally authenticated him and he was able to download the agent and get on VPN.

 

Is there some sort of sync time I can change?  My understanding is that it checks local users then passes off to the LDAP profile, so why would it take ten mins?

1 accepted solution

Accepted Solutions

6 REPLIES 6

L7 Applicator

group membership is not dynamic, the palo checks ever 20 mins or so...

 

you can force the update of group membership with the following command...

 

debug user-id refresh group mapping all

 

or replace "all" with the group name to update just one group (CN= etc)

 

Is there anyway to change that?  Sometimes last minute things happen and sure we can force it but ideally taking the refresh down to around 2mins or so would work way better.

Sure..  

 

device\user identification\group mapping settings.

open your group mapping and modify update interval on top right hand corner...

 

default is actually 3600 seconds (1 hour)

 

not sure why i calculated that for you... 

just bear in mind overheads,,, with some 15k userbase we probably wont be reducing it...

usermap.png

Yeah, I saw it right after I hit submit, thanks for following up.

  • 1 accepted solution
  • 3338 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!