LDAP groups not populating correctly

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAP groups not populating correctly

L3 Networker

PA220, PANOS 8.1.1

Working on setting up GlobalProtect using AD/LDAP auth and groups to define access. 
I have userconfigs setup by AD Group and the log is "matching config not found" 
On digging into it some more, it appears that the user, in the PA, doesn't have the appropriate groups attached. Despite that they do in AD. 

AD Group has four members. Three of the members show up in the PA. The fourth does not. 
show user user-ids match-user domain\ProblemUser  returns an empty table. While the other three users in the group return complete information as expected. 
Account is functional and has full access to what all it's supposed to from the AD side of things. 

I've done a debug user-id reset group-mapping all and I'm  still having the same issues. 

Where should I start troubleshooting from here? 

1 accepted solution

Accepted Solutions

Update. 
After banging our head on it a lot lately, we finally found that adding the Domain Users group to the GroupMapping resolved the issue. 

Unclear why this is the case, but maybe it'll help someone else in the future. 

edited to improve clarity

 

View solution in original post

21 REPLIES 21

L7 Applicator

Is the problematic user in the same OU as the other three? Or more specific: is the user in an OU that is covered by the base DN that you specified in the LDAP server profile?

All four users are in the same OU and are covered by the Base DN. 

When you do the opposite as you already did with the command "show user group name GROUPNAME", there the problem user is also missing right?

Correct, ProblemUser does not show up as a member of the group in the PA. 

Is - for whatever reason - the user in an exclude list or excluded in the LDAP filter in the Group mapping settings?

Nope, I don't have anything in the excludes.
Group Mapping is only looking at the AD Group. 

i assume you are using different AD accounts for user administration and ldap, it may be worth setting up another ldap profile with the full admin account and re test “show user group name..” . just to ensure the user is not masked somehow within AD.

The account in question isn't setup for admin rights to the PA, only auth for the GP portal. 
The LDAP Admins group is working correctly and shows up in the "show user group name" as expected. 

I'm using a single LDAP Server Profile setup in the PA. 
GroupMapping then is looking for specific groups. and then GP is limited further by group membership. 

Did I follow you correctly?

I dont think you understood me.. sorry....

 

nothing to do with pa admins...

 

your ldap profile has a bind account and password.

 

when you administer your domain i assume you are using a different account to the bind one...

 

 

try that AD admin account as your ldap bind.

Okay, I follow you now. 

I just switched to my domain admin and now the group membership shows correctly. 

Now I'll go talk to the AD admin and find out what needs to happen to make this work. 

Thanks for your input!
I'll update if/when I find the cure. 

Nice one, sorry for the confusion....

Update. 
After banging our head on it a lot lately, we finally found that adding the Domain Users group to the GroupMapping resolved the issue. 

Unclear why this is the case, but maybe it'll help someone else in the future. 

edited to improve clarity

 

@Nathan.S

So you really had to add a single user to the group mapping? ... sounds like a bug to me ...

You could try to update to 8.1.2 ... maybe your lucky and then it "magically" works.

@Remo No, I had to add the group Domain Users to the Group Mapping to get the details on the users to show correctly. 

  • 1 accepted solution
  • 10920 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!