3 domains and a single forest.
(root domain) named domainA, domainB and domainC
We created 3 LDAP profiles, one for each domain.
We can see members from all domains.
We can also see the groups for each domain.
But the problem is: if we create a group named ALLVPN in root domainA and there are 3 members in this group:
member1-groupC which is member of root domainA
member2-groupD which is member of domainB
member3-groupE which is member of domainC
show user group name ALLVPN only shows the member of groupC.
Does Palo Alto support this?
We also tried port 3268 instead of 389, but nothing changed.
Nesting should be supported if the LDAP profile is set to ActiveDirectory; some additional improvements were introduced in 7.0 that should also allow nesting if the LDAP type is set to "other".
You may need to verify your current LDAP setting and change it to ActiveDirectory if you have not done so already; alternatively, upgrading to 7.0 may help resolve the issue.
It is definitely possible to achieve the results you are looking for, but it may require some reconfiguration of your underlying groups. Group nesting is supported, and will resolve to a total depth of 10 levels.
In this case, as you want to include group members from multiple domains in the same forest, you will need to configure your group mapping connector against a Global Catalog.
You indicate that you made this configuration change, but it had no effect. That is likely because of the underlying group type that you were trying to include. The only groups whose members will be visible in the Global Catalog are Universal Groups. The group being nested is currently probably a Domain Local group, and so its members are not in the Global Catalog.
I have a Universal Group in the forest root domain, containing a single nested group:
The Nested Group contains users from 3 domains in the forest:
Showing the group shows members for all domains being included:
admin@PA-200> show user group name "lab\demo universal group nesting"
short name: lab\demo universal group nesting
source type: service
[1 ] acme\acmeuser
[2 ] acme\administrator
[3 ] lab\administrator
[4 ] panw\silliker
[5 ] panw\jruiz
[6 ] lab\testuser
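As an added illustration (not code from the thread or from Palo Alto Networks), here is a small Python model of the diagnosis in this reply: it decodes the AD groupType flags and walks nested membership the way a Global Catalog query would see it, so you can tell which nested group is invisible because it is not Universal. The directory contents, domain names and DNs are constructed to mirror the question; the GC replication rule is deliberately simplified.

```python
"""Model which nested-group members a Global Catalog (port 3268) query can resolve."""

# Real AD groupType bit flags; the directory data below is constructed and fictional.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000

MAX_NESTING_DEPTH = 10  # the reply states nesting resolves to a depth of 10 levels


def scope(group_type: int) -> str:
    """Return the scope encoded in groupType (LDAP returns it as a signed 32-bit int)."""
    flags = group_type & 0xFFFFFFFF
    if flags & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain_local"
    return "global"


def gc_exposes_members(entry: dict, gc_home_domain: str) -> bool:
    """Simplified GC rule: full replica of the GC's own domain, but for other
    domains the 'member' attribute is only replicated for Universal groups."""
    return entry["domain"] == gc_home_domain or scope(entry["groupType"]) == "universal"


def resolve(directory: dict, dn: str, gc_home_domain: str, depth: int = 0, seen=None):
    """Walk nested membership as seen through the GC; return (users, skipped_groups)."""
    seen = set() if seen is None else seen
    entry = directory[dn]
    if entry.get("objectClass") == "user":
        return {dn}, []
    if depth >= MAX_NESTING_DEPTH or dn in seen:  # depth cap / cycle guard
        return set(), []
    seen.add(dn)
    if not gc_exposes_members(entry, gc_home_domain):
        return set(), [dn]  # 'member' is absent in the GC partial replica
    users, skipped = set(), []
    for member_dn in entry["member"]:
        u, s = resolve(directory, member_dn, gc_home_domain, depth + 1, seen)
        users |= u
        skipped += s
    return users, skipped


def build_forest() -> dict:
    """Constructed directory: Universal ALLVPN in domainA nesting one group per domain."""
    sec = GROUP_TYPE_SECURITY
    grp = lambda dom, gt, members: {"domain": dom, "groupType": sec | gt, "member": members}
    usr = lambda dom: {"domain": dom, "objectClass": "user"}
    return {
        "CN=ALLVPN,DC=domainA": grp("domainA", GROUP_TYPE_UNIVERSAL,
                                    ["CN=groupC,DC=domainA", "CN=groupD,DC=domainB", "CN=groupE,DC=domainC"]),
        "CN=groupC,DC=domainA": grp("domainA", GROUP_TYPE_GLOBAL, ["CN=member1,DC=domainA"]),
        "CN=groupD,DC=domainB": grp("domainB", GROUP_TYPE_DOMAIN_LOCAL, ["CN=member2,DC=domainB"]),
        "CN=groupE,DC=domainC": grp("domainC", GROUP_TYPE_UNIVERSAL, ["CN=member3,DC=domainC"]),
        "CN=member1,DC=domainA": usr("domainA"),
        "CN=member2,DC=domainB": usr("domainB"),
        "CN=member3,DC=domainC": usr("domainC"),
    }
```

Running resolve() on the constructed forest with domainA as the GC's home domain reports groupD as skipped; changing its groupType to Universal makes all three members appear.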