Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User ID group mapping, not pulling groups

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

User ID group mapping, not pulling groups

L1 Bithead

I have a problem, I'm  setting the user ID group mapping, I can pull users, but not groups, I see 0 groups, I restarted the service, no luck, I verified all server monitoring is connected, and traffic is going to DC'd, the PAN-OS is 10.1.5, I have a similar setup in a pair of firewalls that are on pan-os 9.1.13 with no issues, any advice that points me in the right direction is greatly appreciated.

1 accepted solution

Accepted Solutions

L3 Networker

Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.

 

Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.

> show user group-mapping state all

 

The useridd log will contain the actual connection attempts to LDAP/LDAPS.

> less mp-log useridd.log

 

If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.

 

If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured.

Sr. Technical Support Engineer, Strata

View solution in original post

2 REPLIES 2

L3 Networker

Server monitoring is not the same thing as group mapping. You need to configure a group mapping config under the "Group Mapping" tab.

 

Once configured, you can start with the following command to check the actual status. It might be that there's an issue connecting to the server on LDAP or something.

> show user group-mapping state all

 

The useridd log will contain the actual connection attempts to LDAP/LDAPS.

> less mp-log useridd.log

 

If you already have a group mapping configured, are you able to browse your LDAP tree from the GUI under your group mapping config -> group include list? If not, you likely have connectivity or authentication issues to LDAP.

 

If the firewall is actually connecting and you still see 0 groups, you might have the base dn in your LDAP profile set incorrectly. You need to set this either at the root, or to somewhere which is in between the root and where the users and groups are both configured.

Sr. Technical Support Engineer, Strata

L0 Member

The fix it to include the entire path eg., cn=xxxx instead of domain\groupname and that should include the groups.

  • 1 accepted solution
  • 7747 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!