02-21-2012 09:25 AM
Using PAN-OS 4.1.2 on a 5020.
Listing the group mapping:
show user group name "<DOMAIN>\<GROUP NAME>"
we get something like this:
[1 ] <DOMAIN>\<name>.<surname>
....
though in "user id identification->group mapping settings" under "user objects"
we discretely choose
"Object Class: person"
"User Name: sAMAccountName"
and browsing LDAP shows that sAMAccountName holds no such information.
This mismatches the info which is collected by the User-ID agent and prevents us from using user identification.
Furthermore, if we delete the "Domain" parameter in the LDAP configuration (which isn't a production environment option, just for debug purposes, because we are in a multi-domain environment) and list users as mentioned above, we get the same info as in the "userPrincipalName" attribute:
show user group name "<DOMAIN>\<GROUP NAME>"
[1 ] <userPrincipalName value>
....
Is this a hardcoded (user name attribute - userPrincipalName) bug? Or can we do something about it? Install a previous version of PAN-OS or something using the CLI?
Any help or insights into this problem are appreciated.
02-22-2012 04:06 AM
4.1.3 version fixes this issue:
"35907 - When a user account in Active Directory has a different value for the
userPrincipleName (UPN) name and the sAMAccountName, group mapping is not
working correctly because the user to IP mapping process uses the sAMAccountName and
user to group mapping process uses the UPN name. Update made so both processes use
the sAMAccountName."
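Added example, not part of either post and not Palo Alto Networks code: a check that tells which directory attribute the names in a group listing correspond to, so accounts whose listed name is UPN-derived and therefore cannot match a sAMAccountName-based user-to-IP mapping stand out. The account names, the directory export and the sample listing are constructed; the listing follows the "[1 ] DOMAIN\user" shape quoted in the question.

```python
import re

# Constructed directory export (hypothetical accounts): attribute values as
# they would appear when browsing LDAP.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@corp.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example"},
]

# Constructed listing in the shape quoted in the question: "[1 ] DOMAIN\user".
GROUP_LISTING = "[1 ] corp\\john.doe\n[2 ] corp\\asmith\n"

ENTRY_RE = re.compile(r"^\[\s*\d+\s*\]\s+(.+)$")


def normalize(name):
    """Drop a DOMAIN\\ prefix and an @suffix, then lowercase."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def parse_members(listing):
    """Extract normalized member names, skipping lines that are not entries."""
    members = []
    for line in listing.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            members.append(normalize(match.group(1)))
    return members


def classify(listing, directory):
    """Return {member: name of the attribute the listed name matches}."""
    sam = {normalize(u["sAMAccountName"]) for u in directory}
    upn = {normalize(u["userPrincipalName"]) for u in directory}
    result = {}
    for member in parse_members(listing):
        if member in sam and member in upn:
            result[member] = "both"  # attributes agree, account unaffected
        elif member in sam:
            result[member] = "sAMAccountName"
        elif member in upn:
            result[member] = "userPrincipalName"
        else:
            result[member] = "unknown"
    return result


def upn_only(listing, directory):
    """Members listed under a UPN-derived name that is not a sAMAccountName."""
    found = classify(listing, directory)
    return [m for m, attr in found.items() if attr == "userPrincipalName"]
```

After the upgrade, running the same comparison on a fresh listing should return an empty list from upn_only().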