Remove Domain Name from LDAP user mapping IMPOSIBLE =(

alvaroarcaz · ‎07-14-2022

Hi

Someone know if there is a way to remove the domain name from the group mapping

The reason why is because i get from external source on palo alto the user id test1 or "test2" or "test3"

Goal is create a policy rule base on the source user that is being part of a domain group

In my case LDAP group mapping get this information:

show user group name emea.com\test

short name: emea.com\test

source type: ldap
source: test

[1 ] emea.com\test1
[2 ] emea.com\test2
[3 ] emea.com\test3

This is good but only need from the group mapping the name

"test1" or "test2" or "test3"

and not

emea.com\test1
emea.com\test2
emea.com\test3

i expend hours and there is no way to understand or found the reason why palo alto get from ldap group mapping "domain name + name"

Thanks

aleksandar.astardzhiev · ‎07-15-2022

Hi @alvaroarcaz ,

If I am not wrong, group mapping will always add domain, because it needs to cover cases where you have multiple domains or even domain forest.

So in my humble opinion you should try to append the domain to the user-ip-mapping so it can match the group mapping.

Can you share bit more information how you receive user-ip-mapping? How it is configured currently?

alvaroarcaz · ‎07-18-2022

Hi

I receive the user logs from the Pulse Secure VPN appliance to the USER ID
agent located on windows server

With the regex i was able to just get the user id from the user connected.

My surprise was that I was not unable to map the user id with the domain
group on security policy, this is really a bad situation for us.

Is it possible to just avoid the domain name on the palo alto when trying
to search on ldap group?
I can not understand why yes or yes paloalto build this:

>From LDAP group PaloAlto get:
domainname\userid

With the UserID agent after the regex i get a mapping with IP+userid, and
on the firewall logs i can see this way:

source ip: ip from user
source user: userid

The security policy will never match!! as there is a difference between

domainname\userid => LDAP PaloAlto

userid => Information from my agent

Hours and hours spent here and no answer anywhere im totally frustrated ...

aleksandar.astardzhiev · ‎08-08-2022

Hi @alvaroarcaz ,

I know there is a way to override the domain for Group Mapping, but not sure if there is a way to remove it completely.

As I mentioned for me it sound reasonable to have it as you may work in multi domain environment.

The solution for you to add the desired domain to the user-ip-mapping from the User-ID agent that is processing the Pulse Secure logs. In User-ID agent settings that is parsing the Pulse Secure syslog messages go to User Identification -> Discovery -> Servers -> Edit you Pulse Secure entry and add the domain the same way as you see it the group mapping

alvaroarcaz · ‎08-09-2022

Hi

Thanks for the answer. This worked as expected for Windows users but
problems came for MAC users or Iphone Users.

In my company the IOS devices are not part of the active directory domain
and for instance there is no way where a USERID agent can find domain
events on the active directory.

For me the solution came to avoid this domain mapping on firewall level, i
have had a case with the vendor for more than a month and am still waiting
to find the way....

jbworley · ‎12-07-2023

As @aleksandar.astardzhiev stated above, you can add in whatever domain you want. Below, I'm using a syslog filter to capture the username via syslog, no domain added.

I update the syslog sender config to include a domain (mydomain).

I trigger another syslog message, and the domain I specified is added.

Unlock your full community experience!

Remove Domain Name from LDAP user mapping IMPOSIBLE =(

Remove Domain Name from LDAP user mapping IMPOSIBLE =(

Show your appreciation!