06-04-2022 06:50 PM - edited 06-04-2022 06:59 PM
I have a problem: I'm setting up the User-ID group mapping. I can pull users but not groups; I see 0 groups. I restarted the service, no luck. I verified all server monitoring is connected and traffic is going to the DCs. The PAN-OS version is 10.1.5. I have a similar setup on a pair of firewalls on PAN-OS 9.1.13 with no issues. Any advice that points me in the right direction is greatly appreciated.
06-05-2022 08:50 AM
Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.
Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.
> show user group-mapping state all
The useridd log will contain the actual connection attempts to LDAP/LDAPS.
> less mp-log useridd.log
If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.
If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured.
05-30-2024 07:59 AM
The fix is to include the entire path, e.g., cn=xxxx instead of domain\groupname, and that should include the groups.
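As an added illustration of the two points made above (the LDAP profile's base DN must sit at or above the place where both users and groups live, and group include entries must be full DNs rather than domain\groupname names), here is a small Python check of a group-mapping configuration. It is example code written for this thread, not from any of the posters or from Palo Alto Networks; all DNs in it are constructed sample values for a fictional domain.

```python
# Constructed sample entries for a fictional domain (not from the thread).
SAMPLE_USERS = ["cn=alice,ou=users,ou=corp,dc=example,dc=com"]
SAMPLE_GROUPS = ["cn=vpn-users,ou=groups,ou=corp,dc=example,dc=com"]


def parse_dn(dn):
    """Split a DN into normalized RDNs, root first (e.g. 'dc=com' first).
    Simplification: assumes no escaped commas inside RDN values."""
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return list(reversed(rdns))


def join_dn(root_first):
    """Inverse of parse_dn: turn a root-first RDN list back into a DN string."""
    return ",".join(reversed(root_first))


def is_under(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn in the directory tree."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    return entry[:len(base)] == base


def lowest_common_base(dns):
    """Deepest DN that still contains every entry: the lowest base DN that
    lets the firewall see both the users and the groups. Anything between
    this DN and the root also works; anything below it hides some entries."""
    common = []
    for rdns in zip(*[parse_dn(d) for d in dns]):
        if len(set(rdns)) != 1:
            break
        common.append(rdns[0])
    return join_dn(common)


def is_full_dn(name):
    """Group include entries must be full DNs, not DOMAIN\\groupname names."""
    parts = [p.strip().lower() for p in name.split(",")]
    return "\\" not in name and "=" in name and any(p.startswith("dc=") for p in parts)


def check_group_mapping(base_dn, user_dns, group_dns, include_list):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for dn in user_dns + group_dns:
        if not is_under(dn, base_dn):
            problems.append(f"base DN {base_dn!r} does not cover {dn!r}")
    for name in include_list:
        if not is_full_dn(name):
            problems.append(f"include entry {name!r} is not a full DN; use cn=...,dc=...")
    return problems
```

With the sample data, a base DN of ou=users,ou=corp,dc=example,dc=com covers the users but not the groups, which reproduces the "0 groups" symptom from the original post, while ou=corp,dc=example,dc=com (or anything above it) covers both.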