Panorama LDAP group mappings not updating for user-id


L3 Networker

We have user-id set up, and every cluster has a designated master device for user-id mappings. I have the group mapping of the new AD group showing in the gateway itself; however, when I go to implement the group in a policy in Panorama, it will not display the new group. I have done a forced refresh on the gateway and refreshed the Panorama, but with no luck. It will still not display the new AD group created... any idea?

1 ACCEPTED SOLUTION


L3 Networker

The issue is that, by design, the Panorama device is not integrated with AD (there is a Feature Request for this).

Here is the procedure that needs to be done for new AD groups being added to a policy:

In the user-id tab of the policy rule, click add and paste the entire directory tree mapping to the new AD group:

Example: cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com

You will see it will map and change to the short version company\stuff... blah blah blah...

If you don't know what the full mapping is, or you're too lazy to type it all out, do the following:

Log in to any gateway CLI and run the following command: show user group list | match stuff *or whatever the name is*

You will get the following output:

admin@Test-FW01(active)> show user group list  | match stuff
cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com
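The accepted answer relies on two things: filtering the gateway's `show user group list` output the way `| match` does, and knowing how a full LDAP DN collapses into the short `domain\group` form that the policy editor displays. The script below is an added example, not code from the original post or from Palo Alto Networks. It emulates the `| match` filter over a constructed sample of CLI output, parses each DN into its RDN components (handling backslash-escaped commas, which AD group names can contain), and derives the short form. The assumption, stated in the code, is that PAN-OS displays a mapped group as `<domain>\<cn>`, where the short domain is the NetBIOS name; because the DN alone does not carry that name, the example takes a small caller-supplied lookup table and falls back to the first `dc=` label.

```python
"""Filter `show user group list` output and derive the short group name from a DN.

Added example (not from the forum post). Sample output below is constructed,
not a real capture.
"""

# Constructed sample of `show user group list` output, one DN per line.
SAMPLE_OUTPUT = """\
cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com
cn=helpdesk,ou=support,ou=organizational units,dc=ds,dc=company,dc=com
cn=vpn\\, remote users,ou=network,dc=ds,dc=company,dc=com
cn=finance,ou=accounts,dc=corp,dc=example,dc=net
"""


def match_lines(output, needle):
    """Emulate the PAN-OS `| match <needle>` filter: case-insensitive substring, line by line."""
    needle = needle.lower()
    return [line for line in output.splitlines() if needle in line.lower()]


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs.

    A backslash escapes the next character (RFC 4514), so `cn=vpn\\, remote users`
    stays one RDN instead of being split at the escaped comma.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def group_summary(dn, netbios_domains=None):
    """Return the group CN, the AD domain FQDN built from dc= labels, and the short form.

    Assumption: PAN-OS shows a mapped group as <domain>\\<cn>, where <domain> is the
    NetBIOS name. The DN does not carry the NetBIOS name, so the caller supplies a
    lookup table (constructed for this example); otherwise the first dc= label is used.
    """
    pairs = parse_dn(dn)
    cn = next((value for attr, value in pairs if attr == "cn"), None)
    dcs = [value for attr, value in pairs if attr == "dc"]
    fqdn = ".".join(dcs)
    short_domain = (netbios_domains or {}).get(fqdn.lower(), dcs[0] if dcs else "")
    return {"cn": cn, "fqdn": fqdn, "short": f"{short_domain}\\{cn}"}


def find_groups(output, needle, netbios_domains=None):
    """Filter the CLI output for `needle` and summarise every matching DN."""
    return [group_summary(line, netbios_domains) for line in match_lines(output, needle)]


if __name__ == "__main__":
    # Constructed NetBIOS lookup: ds.company.com is known in the environment as "company".
    netbios = {"ds.company.com": "company"}
    for entry in find_groups(SAMPLE_OUTPUT, "stuff", netbios):
        print(f"{entry['short']:<24} cn={entry['cn']}  domain={entry['fqdn']}")
```

Run it with the real output of `show user group list` in place of the constructed sample to see which full DN to paste into the rule and what short name to expect once Panorama resolves it; a DN whose group name contains a comma is the case where a naive `split(",")` would give the wrong answer.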

2 REPLIES 2

L5 Sessionator

On Panorama we have to manually enter the groups/users in policies; this is not done automatically.

