Group Mapping for Domains with Non-contiguous namespace

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Group Mapping for Domains with Non-contiguous namespace

L2 Linker

Hi I'm attempting to implement userID on PAN-OS 7.0.6 within a multi-domain forest.

 

All of our workstations exist on one domain and users logging into those workstations exist on another domain within the same forest. I have the UserID agent setup on a member server on the workstation domain and it can correctly map the IP address to usernames on the user domain.

 

The issue I'm having is that within the policy if I set a group name in the workstation domain, it cannot match to the username which is being correctly identified within the monitor tab

 

I've seen articles dealing with multiple domains in a single forest but they tend to assume that the domains all have a contiguous DNS name space. Our environment doesn't have that, the user domain and workstation domain names are completley different (legacy reasons, I dont like it 🙂

 

Has anyone dealt with this before in the past?

1 accepted solution

Accepted Solutions

@jezkerwin 

 

1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)

 

No.  Each security group has user accounts in the respective domains

 

 

2) For each of the LDAP profiles you use for the each of the domain are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to LDAP port (389) or the Global Catalog (3268)

 

1 Bind DN per domain.  LDAP/389

 

 

3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.

 

Yeah, just the default settings minus Base/Bind DN

 

 

4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?

 

Yes.  Essentially domains A, B, C, D, E, F, G, H.  The UIAs are loaded on a 2012 server in domain "A" using a service account which exists in domain "A", which for all intents and purposes is the "parent" domain.  There are domain trusts with domain A and every other domain. In this contstruct we're getting user attribution from the other domains.

View solution in original post

4 REPLIES 4

L6 Presenter

While I've removed the actual domains and am not displaying the targeted DCs within the domains for enumeration, I hope you get the context

 

LDAP.JPG

 

Of the 8 domains all 8 are unique domains not following contiguous DNS name space.  We use 4 UIAs, merely for load sharing purposes, that use same same service account in a single domain.  Our UIAs can target all 8 domains because of a domain trust which we've established.

 

For LDAP profile themselves we do use specific SAs (service accounts) which exist in the respective domains.

 

Following this contruct I've had no issues matching security group policy with associated user tracking.

Here's a snippet of a user policy I'm using:

 

Policy.png

 

I'm successfully able to see these unique security groups in the different domains.  While our UIA enviornment which uses a service account in only 1 of the 8 domains can target users which exist in all 8 of the unique domains

Hey thanks for the reply, it certainly does help. I have a couple of follow up questions if you dont mind, just to help me get it clear in my head.

 

1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)

2) For each of the LDAP profiles you use for the each of the domain are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to LDAP port (389) or the Global Catalog (3268)

3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.

4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?

 

Thanks for you help, I really appreciate it, this'll get me out of jam if I get it going.

 

Cheers.

@jezkerwin 

 

1) Do you have cross domain group memberships for users being resolved correctly (ie. you set a group in a policy from domain1 and that group has a member from domain2 in it)

 

No.  Each security group has user accounts in the respective domains

 

 

2) For each of the LDAP profiles you use for the each of the domain are you using one Bind user per domain or a single Bind user for all domains? Are you connecting to LDAP port (389) or the Global Catalog (3268)

 

1 Bind DN per domain.  LDAP/389

 

 

3) Do you have the same number of Group Mapping profiles for each of the domains? Are you setting the User Domain variable and just keeping the rest of the variables standard.

 

Yeah, just the default settings minus Base/Bind DN

 

 

4) If I understand your explanation, you have 4 servers running the UserID Agent for load sharing and they are all member servers in a single domain using the one service account and they can match IP address to Username across all domains due to the trust?

 

Yes.  Essentially domains A, B, C, D, E, F, G, H.  The UIAs are loaded on a 2012 server in domain "A" using a service account which exists in domain "A", which for all intents and purposes is the "parent" domain.  There are domain trusts with domain A and every other domain. In this contstruct we're getting user attribution from the other domains.

  • 1 accepted solution
  • 2772 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!