This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

LDAP and trusted domains

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

LDAP and trusted domains

nthen
L3 Networker

‎06-27-2013 01:06 PM

I use Active Directory groups to control my content filter policies.  One of the groups is currently set to Domain Local as it contains a member of one of the trusted domains.  I have an agent running in this trusted domain and the PAN appliance can properly detect the username.  When I look in AD I can see the membership containing members of both domains.  LDAP is setup to use port 3268 instead of 389.  When I type the show user group name DOMAIN\unblock_craigslist all of the members of my local domain are listed, just not the members from the trusted domain.  Does anyone know how to handle group memberships that have members from a trusted domain.  Keep in mind that these trusts are completely separate forests.

0 Likes Likes
5 REPLIES 5

nthen
L3 Networker

‎06-27-2013 01:31 PM

I can query each domain pretty easy.  The issue I am running into is the Group Mapping.  It does not show the members of the trusted domain.  I can identify the user properly, just not do group based rules.

0 Likes Likes

Chatri
L3 Networker
In response to nthen

‎06-27-2013 01:35 PM

Does the output of the following command not show you all the groups a specific user is part of?

>> show user user-IDs

0 Likes Likes

nthen
L3 Networker
In response to Chatri

‎06-27-2013 01:38 PM

My trusted domain user does not show up in this list.  All other local domain users do and show the correct group.

0 Likes Likes

Chatri
L3 Networker
In response to nthen

‎06-27-2013 01:43 PM

That means that we are not pulling users or groups from the trusted user at all.

For the Palo Alto to be able to do that we need to have a group mapping setting for the trusted domain as well as the local domain.

I think that is the missing link here.

nthen
L3 Networker
In response to Chatri

‎06-27-2013 01:51 PM

All my groups are in the local domain and I just add the trusted users to it so I can keep all my groups together.  I think this is due to the ForiegnSecurityPrincipals in Active Directory.  When I put an LDAP browser on it, I can see my local users and a SID of the remote user.  I don't think the PAN can resolve trusted domain users since it doesn't come back from LDAP that way.  I was reading about a way to trick the agent on the remote end to send a different domain name.  This would work for me if anyone knows where to set it since I have the same user in both domains for the Global Protect to work correctly.

0 Likes Likes
  • 3103 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks