Nested groups problem

L3 Networker

Hello all,

 

3 domains and a single forest.

(root domain) named domainA, and domainB and domainC

 

We created 3 LDAP profiles for each domain.

We can see members from all domains.

We can see groups for each domain also.

 

But the problem is: if we create a group named ALLVPN in root domainA, there are 3 members in this group.

member1 - groupC, which is a member of root domainA

member2 - groupD, which is a member of domainB

member3 - groupE, which is a member of domainC

 

show user group name ALLVPN only shows the members of groupC.

Does Palo Alto support this?

 

We also tried port 3268 instead of 389, but nothing changed.


L4 Transporter

We experience the same... Palo Alto does not support nesting unless it has changed in 7.0 and up.

Cyber Elite

Hi Panlst

 

Nesting should be supported if the LDAP profile is set to ActiveDirectory. Some additional improvements were introduced in 7.0 that should also allow nesting if the LDAP type is set to "other".

You may need to verify your current LDAP setting and change it to ActiveDirectory if you have not done so already; alternatively, upgrading to 7.0 may help resolve the issue.

 

 

Regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello

Already using 7.0.2.

Seems this is not supported.

Can anyone confirm that?

 

Regards

 

It is definitely possible to achieve the results you are looking for, but it may require some reconfiguration of your underlying groups. Group nesting is supported, and will resolve to a total depth of 10 levels. 

 

In this case, as you are wanting to include group members from multiple domains in the same forest, you will need to configure your group mapping connector against a Global Catalog. 

 

You indicate that you made this configuration change, but it had no effect. That is likely because of the underlying group type that you were trying to include. The only groups whose members will be visible in the Global Catalog are Universal Groups. The group being nested is currently probably a Domain Local group, and is not in the Global Catalog.

 

I have a Universal Group in the forest root domain, containing a single nested group:

 

[Screenshot: Screen Shot 2015-10-02 at 11.56.28 AM.png]

 

The Nested Group contains users from 3 domains in the forest:

 

[Screenshot: Screen Shot 2015-10-02 at 12.14.06 PM.png]

 

 

Showing the group shows members for all domains being included:

 

admin@PA-200> show user group name "lab\demo universal group nesting"

 

short name:  lab\demo universal group nesting

 

source type: service

source:      Get_Users_From_root

 

[1     ] acme\acmeuser

[2     ] acme\administrator

[3     ] lab\administrator

[4     ] panw\silliker

[5     ] panw\jruiz

[6     ] lab\testuser
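The reply above rests on two Active Directory facts: a Global Catalog (port 3268) carries group objects from every domain in the forest but replicates the member attribute only for Universal groups (plus a full replica of its own domain), and the firewall walks nested groups to a depth of 10. The following model is an added example written for this thread, not Palo Alto or Microsoft code; the forest, group and user names are constructed to mirror the scenario in the original question. It shows why querying ALLVPN on port 389 or 3268 returns only groupC's member when the nested groups are not Universal, and returns all three domains' users once they are.

```python
"""Model of nested-group resolution against a single DC (389) versus a
Global Catalog (3268), depending on each nested group's scope.

Constructed example for illustration; the visibility rule encoded in
visible_members() is the one described in the reply above.
"""
from dataclasses import dataclass, field

MAX_NESTING_DEPTH = 10  # resolution depth quoted in the reply above


@dataclass
class Group:
    dn: str
    domain: str
    scope: str                                   # "universal", "global" or "domain_local"
    members: list = field(default_factory=list)  # DNs of users or nested groups


def visible_members(group, via_gc, dc_domain):
    """Membership the queried server can actually return.

    A DC (and a GC, which is also a DC) holds a full replica of its own
    domain.  A GC additionally holds a partial replica of the other
    domains in which only Universal group membership is replicated;
    Global and Domain Local groups appear there without members.
    """
    if group.domain == dc_domain:
        return list(group.members)
    if via_gc and group.scope == "universal":
        return list(group.members)
    return []


def resolve_users(groups, root_dn, via_gc, dc_domain, depth=0, seen=None):
    """Recursively expand nested groups up to MAX_NESTING_DEPTH levels,
    returning the set of user DNs reachable from root_dn."""
    seen = set() if seen is None else seen
    if depth > MAX_NESTING_DEPTH or root_dn in seen:
        return set()
    seen.add(root_dn)
    users = set()
    for m in visible_members(groups[root_dn], via_gc, dc_domain):
        if m in groups:   # nested group: recurse one level deeper
            users |= resolve_users(groups, m, via_gc, dc_domain, depth + 1, seen)
        else:             # leaf: a user DN
            users.add(m)
    return users


def build_forest(nested_scope):
    """The thread's scenario: ALLVPN (Universal, domainA) nesting one group
    per domain.  All names are constructed for this example."""
    return {
        "ALLVPN": Group("ALLVPN", "domainA", "universal",
                        ["groupC", "groupD", "groupE"]),
        "groupC": Group("groupC", "domainA", nested_scope, ["domainA\\member1"]),
        "groupD": Group("groupD", "domainB", nested_scope, ["domainB\\member2"]),
        "groupE": Group("groupE", "domainC", nested_scope, ["domainC\\member3"]),
    }


def build_chain(levels):
    """Universal groups g0 -> g1 -> ... -> g<levels>, with one user at the
    end, to show the 10-level depth limit."""
    groups = {}
    for i in range(levels + 1):
        nxt = [f"g{i + 1}"] if i < levels else ["domainA\\deepuser"]
        groups[f"g{i}"] = Group(f"g{i}", "domainA", "universal", nxt)
    return groups


def report(scope, via_gc):
    users = resolve_users(build_forest(scope), "ALLVPN", via_gc, "domainA")
    port = 3268 if via_gc else 389
    print(f"nested scope={scope:12s} port={port}: {sorted(users)}")
    return users


if __name__ == "__main__":
    for scope in ("domain_local", "global", "universal"):
        for via_gc in (False, True):
            report(scope, via_gc)
```

Only the combination of a Global Catalog query and Universal nested groups yields members from domainB and domainC; every other combination collapses to groupC's single member, which is the symptom reported in the question. The practical check on the directory side is therefore the scope of each nested group, not only the port the profile uses.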

 

 

Hello

 

The config is the same but it did not work, because a multidomain environment can be on the same tree but also not.

Here we have multidomain with different trees but the same forest.

Palo Alto seems not to support this.
