04-26-2024 12:38 PM
Hello,
I have an openldap server setup as well as an LDAP policy and group mapping on the Palo Alto firewall.
When I run the 'show user group name "cn=employees,ou=groups,dc=brillnet,dc=com". I can see the users in the group just fine. Refer to the output below.
I am using the UserID xml api to associate group/user to ip mappings. Calls to the api are working when a user logs into the openldap server. I know this because I can see the user-id tagging in the api log, refer to the screenshot below.
I created a policy that blocks any user in the employees group referenced in the screenshots above. Refer to the output below.
However the above deny is not working. Does anyone know why this is happening?
04-27-2024 09:11 AM
Hello,
Have you enabled User identification when you configure L3-trust security zone?
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/enable-user-id
If you don't enable user identification on source zone, then the security policy will not take into account User-ID info.
04-28-2024 05:08 AM - edited 04-29-2024 09:28 AM
Hello,
Thank you for your reply. Yes, user identification is enabled on the trust zone. Refer to the screenshot below.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
