This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Multiple Domain and domain name

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Multiple Domain and domain name

NomiosSupport
L0 Member

‎06-13-2013 01:53 AM

Hello,

I have deployed 1 cluster of PA 3020(5.0.5) and UIA on 2 servers of the domain.

The domain architecture is as following:

1 parent domain: idf.local

6 child domain: xx.idf.local, yy.idf.local, ...

UIA works well and we have good informations on the PA with NETBIOS domaine name

show user ip-user-mapping all:

IDF\user1

XX\user2

YY\user3

But with the group mapping, it's fqdn domain that appears.

show user group name "cn=ggggggg,ou=fffffffff,dc=idf,dc=local":

idf.local\user1

xx.idf.local\user2

yy.idf.local\user3

LDAP server profile configuration is done with global catalog:

admin@XXXXXX(active)# show shared server-profile ldap profile-AD-GC

profile-AD-GC {

  server {

    gtgt50.idf.local {

      port 3269;

      address 192.168.1.1;

    }

  }

  ldap-type active-directory;

  base DC=idf,DC=local;

  bind-dn "CN=login,......,DC=idf,DC=local";

  timelimit 30;

  bind-timelimit 30;

  bind-password -AQ==SdRlIx0rvZ/zcM4qhyMPexBjphE=Xce5R8I57K7Xi1MRcJdzBg==;

  ssl yes;

}

[edit]                                     

The problem is that I can't create policy based on AD group because there is a mismatch between UIA and Group Mapping information.

Any idea?

Thanks!!

Labels:
0 Likes Likes
4 REPLIES 4

UhMayYeah
L5 Sessionator

‎06-13-2013 02:53 AM

Can you try using IDF as a domain in the LDAP server profile and refresh the group-mapping :

> debug user-id refresh group-mapping <>

0 Likes Likes

NomiosSupport
L0 Member
In response to UhMayYeah

‎06-13-2013 08:05 AM

I have already tried this but it overrides all domain name:

show user group name "cn=ggggggg,ou=fffffffff,dc=idf,dc=local":

IDF\user1

IDF\user2

IDF\user3

The problem is that user2 belongs to XX domain which is the domain child(xx.idf.local).

0 Likes Likes

ACieszkowski
L3 Networker
In response to NomiosSupport

‎06-14-2013 03:05 AM

Hello,

Try creating separate LDAP Server (port 389 or 636) profiles for the parent domain and each child domain including in the configuration NetBios-style domain name and corresponding base.

In Group Mapping Settings create Group Mapping configuration using every LDAP Server Profile (8 in total).

Hope this helps! Update if it does 😉

Global Catalog is used for identifying membership in Universal Groups.

0 Likes Likes

VinceM
L5 Sessionator

‎06-14-2013 03:29 AM

As albert_C said, create one ldap profile per server and configure "Domain" in the profile then, domain name will be re-write as you want.

V.

0 Likes Likes
  • 2942 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks