04-03-2017 04:17 AM
Hi,
We have a PA3050 and we are experiencing a problem related to group mapping. We have added two new groups in the LDAP group mapping profile. We can add these 2 groups using the WebUI's "Included groups"; we launch a refresh of user-id group-mapping, but when we run "show user group-mapping state all", we can see all groups but not the new ones added.
Why is the PA not detecting the new groups added? We see this error in the system logs: "PA fetch group LDAP", but the PA can connect to LDAP properly.
It's version 7.0.11. Any bug related to this?
04-03-2017 11:55 AM
Hi,
Not necessarily a bug; could be something in the configuration or whatnot.
Do one thing: take a pcap on the MGMT interface (unless some other interface is being used for LDAP).
1) Open a CLI session to the firewall
admin@anuragFW> tcpdump
2) Open another CLI session to the firewall
admin@anuragFW> debug user-id refresh group-mapping all
3) Verify that the last action time shows a fresh time count:
admin@anuragFW> show user group-mapping state ourgroups
Group Mapping((null), type: active-directory): ourgroups
Bind DN : anurag@xxxx.xxx
Base : DC=xxxxx,DC=xxx
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.21.56.14(389)
Last Action Time: 1 secs ago(took 0 secs)
Next Action Time: In 3599 secs
4) Stop the tcpdump by pressing Ctrl+C
5) Transfer the pcap for easy viewing:
admin@anuragFW> tftp export mgmt-pcap from mgmt.pcap to x.x.x.x
Now, filter for the LDAP server and check what we are receiving from the LDAP server that's causing the error in the system logs.
Regards,
Anurag
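Once the pcap has been exported, the LDAP server's own reply tells you why the group fetch failed: every BindResponse and SearchResultDone carries an LDAPResult with a resultCode and a diagnosticMessage. The following is an added example, not code from the original post or from Palo Alto Networks: a small BER decoder for those two operations, so the raw TCP payload of the server's reply (copied out of mgmt.pcap) can be checked for non-zero result codes. The sample messages are constructed here for the example; the result-code names follow RFC 4511.

```python
"""Decode LDAP result codes from an LDAP server's reply bytes.

Added example for this thread; not code from the original post or from
Palo Alto Networks. Input is the raw TCP payload of the LDAP server's
responses (what you would export from the pcap). All sample messages
below are constructed for this example.
"""

# Result codes from RFC 4511 (subset most often seen in group-fetch failures).
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    3: "timeLimitExceeded",
    4: "sizeLimitExceeded",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    10: "referral",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

BIND_RESPONSE = 0x61        # [APPLICATION 1], constructed
SEARCH_RESULT_ENTRY = 0x64  # [APPLICATION 4], constructed (no LDAPResult inside)
SEARCH_RESULT_DONE = 0x65   # [APPLICATION 5], constructed


def _read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(payload):
    """Decode one LDAPMessage; return its LDAPResult if the op carries one."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    message_id = int.from_bytes(mid, "big")
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag not in (BIND_RESPONSE, SEARCH_RESULT_DONE):
        # e.g. searchResEntry: group data, but no result code to check
        return {"messageID": message_id, "op": hex(op_tag), "resultCode": None}
    # LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... }
    _, code, pos = _read_tlv(op, 0)
    _, matched_dn, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {
        "messageID": message_id,
        "op": "bindResponse" if op_tag == BIND_RESPONSE else "searchResDone",
        "resultCode": rc,
        "resultName": LDAP_RESULT_CODES.get(rc, "unknown"),
        "matchedDN": matched_dn.decode(errors="replace"),
        "diagnosticMessage": diag.decode(errors="replace"),
    }


def iter_messages(stream):
    """Split a server-to-client TCP payload into its consecutive LDAPMessages."""
    pos = 0
    while pos < len(stream):
        _, _, nxt = _read_tlv(stream, pos)
        yield stream[pos:nxt]
        pos = nxt


def find_errors(stream):
    """Return only the results whose resultCode is non-zero (the 'filter' step)."""
    return [r for r in (parse_ldap_result(m) for m in iter_messages(stream))
            if r["resultCode"] not in (None, 0)]


# --- constructed samples (not from a real capture) ---------------------------

def _tlv(tag, value):
    """BER-encode one TLV; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_result(message_id, op_tag, result_code, diag=b"", matched_dn=b""):
    """Build an LDAPMessage carrying an LDAPResult (constructed test input)."""
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, matched_dn) + _tlv(0x04, diag)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(op_tag, result))


# Hand-encoded bytes: searchResDone, messageID 2, resultCode 0 (success).
SAMPLE_OK = bytes.fromhex("30 0c 02 01 02 65 07 0a 01 00 04 00 04 00")
# Hand-encoded bytes: searchResDone, messageID 5, resultCode 4 with a diagnostic.
SAMPLE_SIZE_LIMIT = (bytes.fromhex("30 1f 02 01 05 65 1a 0a 01 04 04 00 04 13")
                     + b"Size limit exceeded")
# A whole server-side stream: an entry, a success, a size-limit error, a bind failure.
SAMPLE_STREAM = (
    _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(SEARCH_RESULT_ENTRY,
         _tlv(0x04, b"CN=newgroup,DC=example,DC=com") + _tlv(0x30, b"")))
    + SAMPLE_OK
    + SAMPLE_SIZE_LIMIT
    + build_result(1, BIND_RESPONSE, 49, diag=b"AcceptSecurityContext error")
)

if __name__ == "__main__":
    for err in find_errors(SAMPLE_STREAM):
        print(err)
```

In practice you would feed `find_errors` the reassembled server-to-client TCP payload of the LDAP session from mgmt.pcap; in Wireshark the same check is the display filter `ldap.resultCode != 0`. A sizeLimitExceeded (4) on the group search, or a bind failure (49) that only appears after the group list changed, is what to look for before concluding that the firewall itself is at fault.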