My situation is:
- GlobalProtect VPN configurated -> user identification via GP then.
- LDAP profile configurated -> authentication works well
- Authentication profile configurated.
- User Identification, Group Mapping configuration:
- Group Objects:
- Object Class: posixGroup
- Group Name: cn
- Group Member: memberUid
- User Objects:
- Object Class: inetOrgPerson
- User Name: uid
Extract with slapcat:
I can use the created groups on OpenLDAP correctly, in firewall rules:
admin@PA-2050> show user group-mapping state all
Group Mapping(vsys1, type: other): Mapeo_Grupos_LDAP
Bind DN : cn=admin,dc=example,dc=com
Base : dc=example,dc=com
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
Last Action Time: 1489 secs ago(took 1 secs)
Next Action Time: In 2111 secs
Number of Groups: 3
And I can connect to VPN and the user is identified:
admin@PA-2050> show user ip-user-mapping all
IP Ident. By User Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.46.3 GP prueba 3651 3651
Total: 1 users
But the problem is that user is not "mapped" in its group, Administradores:
admin@PA-2050> show user ip-user-mapping detail yes
IP address: 192.168.46.3
Ident. By: GP
Idle Timeout: 3529s
Max. TTL: 3529s
Groups that the user belongs to (used in policy)
So when I create a firewall rule as origin user the group Administradores, the traffic generated by the user "prueba" doesn't match with that rule.
I think it must be a problem with "User Object" configuration but I can't find doc about that, an example like AD in the document: http://live.paloaltonetworks.com/docs/DOC-3221.
Anybody with a similar configuration could help me?
Thank you very much.
To be sure, I created on my OpenLDAP server a user account that has the same name in cn, sn, and uid: test.
For your information, the configuration above is correct. The problem is that it's necessary to specify a domain in LDAP server configuration. After that, the scenario works well. I can selected users and groups on security rules... Great!!!.
Hi, I also found the problem that a user in a group can't hit a rule that set the user group.
the configuration is below, could you please help me identify what wrong with this configuration ?
=== LDAP Server ===
Domain : palo-lab
Type : other
Base : dc=palo-lab,dc=com
Bind DN : cn=ldapadm,dc=palo-lab,dc=com
=== Group Mapping ===
- Search Filter :
- Object Class : posixGroup
- Group Name : internet
- Group Member : memberUid
- Search Filter :
- Object Class : posixAccount
- User Name : uid
In group name I've specified "cn", no "internet". One important thing is that "memberUid" in Group object must match with "uid" in user object.
That is, check strings that appear in memberuid field in group objects; it must be the login name of the users, more than the complete name (jdoe vs John Doe)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!