Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-23-2013 10:33 AM
Hi -
We are using User-ID Agents to create user-to-IP mappings and I've got group mapping configured on the firewall itself and I can browse through my ldap groups. However, when I go to Policies > Security Policy I am unable to select either individual users OR groups to assign the policy to... Nothing populates. Am I missing something somewhere? Seems like it would be straight forward after configuring group mapping. Thanks!
05-23-2013 11:03 AM
what panos version are you using ?
if you configured user id,ldap and group mapping.and also enabled user-id on a zone
you should see users on monitor tab traffic logs.
if everythins is ok and you can't see user/group on security rule
reboot the device if you can, you'll see groups and users on security rule after that.
05-23-2013 11:03 AM
admin@UTM21-LAB-2-B(active)> show user group-mapping state all
<response status="success"><result>
Group Mapping(vsys1, type: active-directory): Group_Mapping (job 749073)
Bind DN : cn=ldap-alt-paloalto,ou=users,o=alticor
Base : ou=groups,o=alticor
Group Filter: (&(objectCategory=Group)(objectClass=group))
User Filter: (&(objectCategory=person)(objectClass=user))
Servers : configured 1 servers
ldap-adam-apps.intranet.local(389)
Proxy state: QUERY_SENT
Query agent: usnx282
Result from: usnx282
Last Action Time: 326 secs ago(took 6 secs)
Next Action Time: Now (started 156 secs ago)
Query Local Group Mapping Service:
Last Action Time: 326 secs ago(took 6 secs)
Next Action Time: Now (started 156 secs ago)
Number of Groups: 0
</result></response>
05-23-2013 11:15 AM
I don't see any groups being pulled. If you're not filtering groups, we should be able to pull all groups in your AD as shown below.
Group Mapping(vsys1, type: active-directory): amb
Bind DN : renato@amb.local
Base : DC=amb,DC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
172.16.20.23(389)
Last Action Time: 1 secs ago(took 0 secs)
Next Action Time: In 3599 secs
Number of Groups: 42
cn=administrators,cn=builtin,dc=amb,dc=local
cn=domain controllers,cn=users,dc=amb,dc=local
cn=remote desktop users,cn=builtin,dc=amb,dc=local
cn=distributed com users,cn=builtin,dc=amb,dc=local
cn=incoming forest trust builders,cn=builtin,dc=amb,dc=local
cn=certificate service dcom access,cn=builtin,dc=amb,dc=local
What does the ldap server profile look like? Grep after the output is displayed on your ssh terminal with the following: "/ldap" and "/group-mapping"
admin@PA-200> show config running
ldap {
amb {
server {
amb {
port 389;
address 172.16.20.23;
}
}
ldap-type active-directory;
base DC=amb,DC=local;
bind-dn renato@amb.local;
timelimit 30;
bind-timelimit 30;
bind-password -
ssl no;
domain amb;
group-mapping {
amb {
group-object group;
group-name name;
group-member member;
user-object person;
user-name sAMAccountName;
disabled no;
server-profile amb;
05-23-2013 11:25 AM
As pointed out in the previous comment, there are no groups being pulled.
Looks like you are using the userID agent for "LDAP Proxy" to query for groups. Does the management interface of the firewall have connectivity to the domain controllers? If so, can you please try to uncheck the "LDAP proxy" checkbox on the userID agent (Device>User identification>User ID agents) and see if groups get pulled?
05-23-2013 11:36 AM
rkalugdan I have to apologize - I'm not familiar with running the grep command from the CLI. Can you provide the syntax? I'm on 5.0.4
05-23-2013 11:37 AM
Yes, I can see groups on the group mapping tab.
05-23-2013 11:38 AM
I initially had the Use LDAP Proxy box unchecked. I checked it as a way to try to resolve this issue.
05-23-2013 11:47 AM
so you're now using the user-id agent as an ldap proxy to pull groups. possibly will need to review your ldap server profile to get a better understanding of the issue. glad you were able to get a work around implemented.
05-23-2013 11:51 AM
No, using the user-id agent as an ldap proxy does not work to pull groups. It's interesting because on the Group Mapping tab (Device > User Identification > Group Mapping Settings > Group Include List), I can see all my ldap groups, browse them, etc.. however, I cannot use any of those groups to assign policy to.
05-23-2013 11:52 AM
show us the ldap config
05-23-2013 11:53 AM
can you try to reboot your device ?
05-23-2013 12:01 PM
What CLI command will provide the output you're looking for, rkalugdan?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
