Nested groups problem

L3 Networker

Nested groups problem

Hello all,

3 domains and a single forest.

domainA (root domain), domainB and domainC.

We created 3 LDAP profiles, one for each domain.

We can see members from all domains.

We can see groups for each domain also.

But the problem is: if we create a group named ALLVPN in root domainA, and there are 3 members in this group:

member1: groupC, which is a member of root domainA

member2: groupD, which is a member of domainB

member3: groupE, which is a member of domainC

show user group name ALLVPN only shows the members of groupC.

Does Palo Alto support this?

We also tried port 3268 instead of 389, but nothing changed.

L4 Transporter

We experience the same... Palo Alto does not support nesting unless it has changed in 7.0 and up.

L7 Applicator

Hi Panlst

Nesting should be supported if the LDAP profile is set to ActiveDirectory; some additional improvements were introduced in 7.0 that should also allow nesting if the LDAP type is set to "other".

You may need to verify your current LDAP setting and change it to ActiveDirectory if you have not done so already; alternatively, upgrading to 7.0 may help resolve the issue.

Regards,

Tom

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
L3 Networker

Hello

Already using 7.0.2.

Seems this is not supported.

Can anyone confirm that?

Regards

L3 Networker

It is definitely possible to achieve the results you are looking for, but it may require some reconfiguration of your underlying groups. Group nesting is supported, and will resolve to a total depth of 10 levels.

In this case, as you are wanting to include group members from multiple domains in the same forest, you will need to configure your group mapping connector against a Global Catalog.

You indicate that you made this configuration change, but it had no effect. That is likely because of the underlying group type that you were trying to include. The only groups whose members will be visible in the Global Catalog are Universal Groups. The group being nested is currently probably a Domain Local group, and is not in the Global Catalog.

I have a Universal Group in the forest root domain, containing a single nested group:

Screen Shot 2015-10-02 at 11.56.28 AM.png

The Nested Group contains users from 3 domains in the forest:

Screen Shot 2015-10-02 at 12.14.06 PM.png

Showing the group shows members for all domains being included:

admin@PA-200> show user group name "lab\demo universal group nesting"

short name:  lab\demo universal group nesting

source type: service
source:      Get_Users_From_root

[1     ] acme\acmeuser
[2     ] acme\administrator
[3     ] lab\administrator
[4     ] panw\silliker
[5     ] panw\jruiz
[6     ] lab\testuser

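The Global Catalog and Universal Group point made in the answer above, modelled as an added Python example (not code from this thread or from Palo Alto Networks): a resolver that walks nested membership the way a forest-wide lookup sees it, receiving members only for Universal groups, with the 10-level nesting cap the answer states. The DNs, the domainA/B/C forest and the sample users are constructed data; the groupType bit values are the standard Active Directory flags.

```python
# Added example (not code from the thread or from Palo Alto Networks): nested-group
# resolution as a Global Catalog lookup sees it. The GC replicates the 'member'
# attribute only for Universal groups, so other nested group types yield no users.
GROUP_GLOBAL, GROUP_DOMAIN_LOCAL, GROUP_UNIVERSAL = 0x2, 0x4, 0x8  # AD groupType bits
GROUP_SECURITY = 0x80000000
MAX_NESTING_DEPTH = 10  # the answer above: nesting resolves to a depth of 10 levels

# Constructed sample forest mirroring the question: ALLVPN in the root domain nests
# one group from each of three domains. DNs are placeholders, not real entries.
DIRECTORY = {
    "CN=ALLVPN,DC=domainA,DC=example": {"groupType": GROUP_SECURITY | GROUP_UNIVERSAL,
        "member": ["CN=groupC,DC=domainA,DC=example", "CN=groupD,DC=domainB,DC=example",
                   "CN=groupE,DC=domainC,DC=example"]},
    "CN=groupC,DC=domainA,DC=example": {"groupType": GROUP_SECURITY | GROUP_UNIVERSAL,
        "member": ["CN=member1,DC=domainA,DC=example"]},
    "CN=groupD,DC=domainB,DC=example": {"groupType": GROUP_SECURITY | GROUP_DOMAIN_LOCAL,
        "member": ["CN=member2,DC=domainB,DC=example"]},
    "CN=groupE,DC=domainC,DC=example": {"groupType": GROUP_SECURITY | GROUP_GLOBAL,
        "member": ["CN=member3,DC=domainC,DC=example"]},
}  # any DN absent from DIRECTORY is treated as a user (leaf object)

def gc_members(directory, dn):
    """Membership as the Global Catalog exposes it: the full 'member' attribute for
    Universal groups, nothing for other group types (not in the GC partial set)."""
    entry = directory[dn]
    return list(entry["member"]) if entry["groupType"] & GROUP_UNIVERSAL else []

def resolve(directory, dn, depth=0, seen=None, skipped=None):
    """Return (users, skipped): users reachable through GC-visible membership, and
    nested groups whose members the GC cannot supply. Cycles and groups nested
    deeper than MAX_NESTING_DEPTH are cut off, as a real resolver must do."""
    seen = set() if seen is None else seen
    skipped = [] if skipped is None else skipped
    if dn not in directory:
        return [dn], skipped  # a user: leaf object
    if dn in seen or depth > MAX_NESTING_DEPTH:
        return [], skipped
    seen.add(dn)
    members = gc_members(directory, dn)
    if not members and not directory[dn]["groupType"] & GROUP_UNIVERSAL:
        skipped.append(dn)  # membership invisible through the GC
    users = []
    for member in members:
        users.extend(resolve(directory, member, depth + 1, seen, skipped)[0])
    return users, skipped

def as_universal(directory):
    """The fix the answer implies: the same forest with every group made Universal."""
    return {dn: {**e, "groupType": GROUP_SECURITY | GROUP_UNIVERSAL}
            for dn, e in directory.items()}
```

Run against the constructed forest, `resolve(DIRECTORY, "CN=ALLVPN,DC=domainA,DC=example")` returns only member1 and lists groupD and groupE as unresolvable, which is the symptom in the question; the same call on `as_universal(DIRECTORY)` returns all three users.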
L3 Networker

Hello

Config is the same but did not work, because a multidomain environment can be on the same tree but also not.

Here we have multiple domains with different trees but the same forest.

Palo Alto seems not to support this.
