User/Group mapping OpenLDAP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User/Group mapping OpenLDAP

L2 Linker

Hello.

My situation is:

- GlobalProtect VPN configurated -> user identification via GP then.

- LDAP profile configurated -> authentication works well

- Authentication profile configurated.

- User Identification, Group Mapping configuration:

     - Group Objects:

         - Object Class: posixGroup

         - Group Name: cn

         - Group Member: memberUid

     - User Objects:

         - Object Class: inetOrgPerson

         - User Name: uid

Extract with slapcat:

----------------------

dn: cn=Administradores,ou=Grupos,dc=example,dc=com

cn: Administradores

gidNumber: 1

structuralObjectClass: posixGroup

entryUUID: 1dacb5d4-85f9-1031-95fb-b388bfd09fc7

creatorsName: cn=admin,dc=example,dc=com

createTimestamp: 20120829074432Z

objectClass: posixGroup

memberUid: prueba

entryCSN: 20120829112946.273933Z#000000#000#000000

modifiersName: cn=admin,dc=example,dc=com

modifyTimestamp: 20120829112946Z

dn: cn=prueba,ou=Usuarios,dc=example,dc=com

sn: prueba

cn: prueba

uid: prueba

userPassword:: e01ENX1iKzBKTmZNdFFFSnh1cVN5a3FPNWJBPT0=

uidNumber: 5

gidNumber: 1

homeDirectory: /home/users/satec1

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

structuralObjectClass: inetOrgPerson

entryUUID: a6c2f1f4-860c-1031-989f-db7857189845

creatorsName: cn=admin,dc=example,dc=com

createTimestamp: 20120829100422Z

entryCSN: 20120829100422.934537Z#000000#000#000000

modifiersName: cn=admin,dc=example,dc=com

modifyTimestamp: 20120829100422Z

-----------------------------

I can use the created groups on OpenLDAP correctly, in firewall rules:

admin@PA-2050> show user group-mapping state all

Group Mapping(vsys1, type: other): Mapeo_Grupos_LDAP

        Bind DN    : cn=admin,dc=example,dc=com

        Base       : dc=example,dc=com

        Group Filter: (None)

        User Filter: (None)

        Servers    : configured 1 servers

                X.Y.Z.8(389)

                        Last Action Time: 1489 secs ago(took 1 secs)

                        Next Action Time: In 2111 secs

        Number of Groups: 3

        cn=vpn,dc=example,dc=com

        cn=usuarios,ou=grupos,dc=example,dc=com

        cn=administradores,ou=grupos,dc=example,dc=com

admin@PA-2050>

And I can connect to VPN and the user is identified:

admin@PA-2050> show user ip-user-mapping all

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)

--------------- --------- -------------------------------- ---------------- ----------------

192.168.46.3    GP        prueba                           3651             3651

Total: 1 users

admin@PA-2050>

But the problem is that user is not "mapped" in its group, Administradores:

admin@PA-2050> show user ip-user-mapping detail yes

IP address:  192.168.46.3

User:        prueba

Ident. By:   GP

Idle Timeout: 3529s

Max. TTL:    3529s

Groups that the user belongs to (used in policy)

admin@PA-2050>

So when I create a firewall rule as origin user the group Administradores, the traffic generated by the user "prueba" doesn't match with that rule.

I think it must be a problem with "User Object" configuration but I can't find doc about that, an example like AD in the document: http://live.paloaltonetworks.com/docs/DOC-3221.

Anybody with a similar configuration could help me?

Thank you very much.

To be sure, I created on my OpenLDAP server a user account that has the same name in cn, sn, and uid: test.

5 REPLIES 5

L2 Linker

Hi everybody.

For your information, the configuration above is correct. The problem is that it's necessary to specify a domain in LDAP server configuration. After that, the scenario works well. I can selected users and groups on security rules... Great!!!.

Thank you.

Hi, I also found the problem that a user in a group can't hit a rule that set the user group.

the configuration is below, could you please help me identify what wrong with this configuration ?

=== LDAP Server ===

Domain : palo-lab

Type : other

Base : dc=palo-lab,dc=com

Bind DN : cn=ldapadm,dc=palo-lab,dc=com

=== Group Mapping ===

Group objects

- Search Filter :

- Object Class : posixGroup

- Group Name : internet

- Group Member : memberUid

User Objects

- Search Filter :

- Object Class : posixAccount

- User Name : uid

Hello mindterra.

In group name I've specified "cn", no "internet". One important thing is that "memberUid" in Group object must match with "uid" in user object.

That is, check strings that appear in memberuid field in group objects; it must be the login name of the users, more than the complete name (jdoe vs John Doe)

Bye bye.

Not applicable

Hello Jm,

Can I ask, What is the OS your OpenLDAP is installed?.

I have also a problem in configuring the OpenLDAP(which is installed in Linux CentOS) on PA2020.

I'm having the same problem as was solved

  • 5315 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!