Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User-ID Group Include List Error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID Group Include List Error

L4 Transporter

On PanOS 4.1.2 I am trying to perform an LDAP lookup for the 'Group Include List' element of the User Identification setup i.e. to populate the 'User' field in policies.

When I do this I get an "bind-dn is invalid" error.  I know the account configured is fine, as it is a shared object set in Panorama and pushed to multiple boxes, and it works fine on other boxes.

Does anyone know if this error message ia a "red-herring" and just saying that 'something' is wrong - maybe connectivity etc - of does it only appear if it is an authentication error?

Ta

11 REPLIES 11

L7 Applicator

One place to start is to perform a "show user ldap-server state" and double check to see if you have the full Bind DN, and not just partially listed thinking that the base is going to help cover it.

I know this is not a true answer, but it is a place to start.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Thanks for that.  Got me one stage further, but more confused now!

Used the command "show user group-mapping state all" and it actually showed that the LDAP query is working, and its pulling back *all* the groups from my AD.

However, when I try to 'connect' via the UI it still fails.  As this step is required so I can filter my groups to sync against (I don;t want all 4000 in the drop down!) it is quite important, and I can't see why it is connecting in the background, but giving me an auth error when prompting it via the UI.

Any clues gratefully received!

Of course you are getting that error because of the way that the Bind DN is listed. Yes, it might work in some instances, but still give that error on that screen. When I look through other cases, this was resolved by modifying the way that the bind-dn is listed.

I would like to be able to help you here, but you might need to open a case and work the issue that way.

Regards,

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi Guys,

I do have the same issue coming up.  Can you guys please let me know on what type of modifications were done to get it running because i tried doing everything i can and have nothing to do now.  I did log this case with PAN and even they seem to be lost on it.

I changed the format of the account used to query the LDAP servers from user@domain to domain\user and that seemed to fix the UI issue.

APACKARD... you genius... Thank you very much mate...!!!

Don't count your chickens yet...

I've now got a problem with User ID's being detected as domain\user, but all the imported user data is in the form user@domain, which may (or may not) be connected to this fix!

And just to be clear - they're not matching i.e. if I add a group to  a policy that contains my name in the user@domain format, I'm not being matched against traffic with domain\user as a field.

Thanks for sharing the info mate.  So far I haven't heard back from the customer yet.  Will keep you updated.

So far things are looking good with domain\user mate.

Cool.

I found that I'd incorrectly added the FQDN domain name in the Domain field, rather than the Windows domain name, in the User-ID settings which stopped my users mapping correctly, so all good for me too!

Rgds

  • 4985 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!