LDAP group member enumeration problem


L0 Member

I am running PAN OS 8.0.7 and am having a problem with getting the members of a group enumerated by the firewall.

The group is shown by the firewall in the GUI and can be added to security policies, and in the CLI, if I run the "show user group list" command, I can see the group in the list that I have added to the Group-Mapping settings.

The problem is that most of the user objects in AD that are members of the group aren't enumerated.

Some random users are. With the ones that are enumerated, I can remove them from the group in AD and the change is reflected in the firewall. I have also used the Softerra LDAP browser to confirm the account in my LDAP profile is able to see the AD groups and the user objects that are members of those groups. I have also verified that the user objects are not disabled. I have also rebuilt my LDAP profile and Group-Mapping settings. All with no luck.

I have contacted support, but they are taking a long time to get this issue figured out.

Has anyone here had any issues with LDAP and AD groups with PAN OS 8.0.5 and above?


1 REPLY (accepted solution)

L0 Member

Update:

The problem was a permissions issue with the account that I use for my LDAP lookups.

It is because of the age of our Active Directory environment. The really old user accounts still had the "Read" permission set for "Authenticated Users" under the "Security" tab. I think that was set by default in the older (2003 and previous) AD environments. That permission is no longer turned on automatically for users created now in our 2008 R2 Active Directory. That is why I could enumerate some users' group memberships and not others, at random.

So the quickest way I found to get around this issue without creating groups for rights to my user container is to make my LDAP lookup user a member of the "Pre-Windows 2000 Compatible Access" group. I still need to do some research into the implications of this group and what rights it gives my LDAP lookup user.

For right now though, I am able to do what I need to do with AD users, groups, and firewall security policies.
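The following audit script is an added example, not code from the poster or from Palo Alto Networks. It lists the AD user objects whose security descriptor does not grant Read to "Authenticated Users" (SID S-1-5-11), which is the condition the reply above identifies as the cause of the partial enumeration. It assumes the RSAT ActiveDirectory module is installed (it provides the `AD:` drive used by `Get-Acl`), and `$SearchBase` is a placeholder to adjust for your domain.

```powershell
# Added example: report AD users that lack a Read allow-ACE for Authenticated Users.
# Assumes the ActiveDirectory module (RSAT); run as an account that can read
# security descriptors on the user objects.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder: your user container DN
$AuthenticatedUsersSid = 'S-1-5-11'
# Either of these rights lets a bind account read the attributes the firewall needs
$ReadMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Test-AuthenticatedUsersRead {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Get-Acl on the AD: drive returns the full DACL, inherited ACEs included,
    # so an OU-level grant is detected as well as one set directly on the object.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable trustee, cannot be Authenticated Users
        if ($sid.Value -eq $AuthenticatedUsersSid -and
            (($ace.ActiveDirectoryRights -band $ReadMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Users without the grant are the ones a plain bind account cannot enumerate.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName         = $_.SamAccountName
            Created                = $_.whenCreated
            AuthenticatedUsersRead = Test-AuthenticatedUsersRead $_.DistinguishedName
        }
    } |
    Where-Object { -not $_.AuthenticatedUsersRead } |
    Sort-Object Created |
    Format-Table -AutoSize
```

If the affected accounts cluster by creation date, that matches the old-versus-new account split described in the reply; the narrower alternative to the "Pre-Windows 2000 Compatible Access" group is to delegate Read on the user container to the lookup account only.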
