Using LDAP groups with GlobalProtect


L4 Transporter

What's the magic incantation needed to use LDAP groups in the GlobalProtect Portal user/group list?  Instead of listing all umpteen dozen individual users.

 

I have a working GP Portal and multiple Gateway setup, using LDAP for authentication.

 

I have a working Group Mapping setup using groups from LDAP.  I can use "show user group list" and see all my LDAP groups.  I can use "show user group name mydomain\mygroup" (the shortname for it) to view all the members of the group.  And I can run "show user user-ids match-user myuser" to see which group(s) a user is in.

 

In the Portal config, I can add individual users to the user/group list for each individual Gateway.  But, with the number of VPN users increasing the past couple of weeks, it's getting cumbersome to edit the config, commit to Panorama, and push to the firewalls.  Would be much nicer to just put an LDAP group in here, and update the member list in LDAP instead.  I just can't make this work!

 

If I remove a test user from the Portal config, and replace it with an LDAP group (which that test user is a member of), then I get "Not authorized to access GlobalProtect Portal".  Tried the shortname for the group, mydomain\shortname, and the full cn=mygroup,ou=groups... syntax.  Same result for each.

 

What am I missing?

 

Edit:  This is on Panorama 8.1.13, PanOS 8.1.9-h4 on the Portal, 8.1.13 on the Gateways.

 

Edit2: Further troubleshooting, running "test authentication" from the CLI on the portal and the gateway succeeds.  But, we already knew the LDAP config worked; it's trying to use the LDAP group on the Portal Config that's failing.  And there doesn't appear to be a way to test that at the CLI, or to get better logs.

1 accepted solution

Accepted Solutions

Aha! Got it to work with the help of Palo Alto support.

 

With OpenLDAP, you have to match the Domain Name in the LDAP Server Profile, the Authentication Profile, and the Group Mapping (and it doesn't like . in the domain).  We had it matched across them all, but using sub.sub.tld for the domain, which it doesn't like.

 

And, in the Portal config, when you list the group, you have to use the full LDAP cn=groupname,ou=users,dc=sub,dc=sub,dc=tld.  It doesn't like using the domain\groupname short-name format.

 

With those two settings changed, listing just the group in the Portal config allows users in that group in LDAP to login!

 

 

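Added example, not code from the post or from Palo Alto Networks: a small Python checker for the three settings the accepted solution turned out to depend on. It reads a config export and reports (1) a Domain Name that differs between the LDAP Server Profile, the Authentication Profile and the Group Mapping, (2) a Domain Name containing a dot, and (3) a group in a Portal gateway's user/group list written as domain\groupname instead of its full DN. The XML element names are a simplified stand-in assumed for this example, not the real PAN-OS schema; the group DNs are constructed to look like "show user group list" output; both configs are constructed, with the "broken" one reproducing the settings the original poster started with.

```python
"""Check a GlobalProtect/LDAP config export for the three settings from the
accepted solution.  XML layout and group DNs are constructed for this example."""
import re
import xml.etree.ElementTree as ET

RDN = r"[A-Za-z]+=[^,]+"
FULL_DN_RE = re.compile(rf"^{RDN}(?:,{RDN})+$")   # at least two RDNs, e.g. cn=...,dc=...

# Constructed: group DNs as learned by Group Mapping from OpenLDAP.
KNOWN_GROUP_DNS = [
    "cn=vpn-east,ou=users,dc=sub,dc=sub,dc=tld",
    "cn=vpn-west,ou=users,dc=sub,dc=sub,dc=tld",
]

# Constructed "before" export: dotted domain, mismatch, group by short name.
BROKEN_CONFIG = """<config>
  <ldap-server-profile name="openldap-prod"><domain>sub.sub.tld</domain></ldap-server-profile>
  <authentication-profile name="gp-auth"><domain>sub.sub.tld</domain></authentication-profile>
  <group-mapping name="gp-groups"><domain>sub.sub</domain></group-mapping>
  <portal-gateway name="gw-east">
    <member>mydomain\\alice</member>
    <member>mydomain\\vpn-east</member>
  </portal-gateway>
</config>"""

# Constructed "after" export: one dot-free domain everywhere, group as full DN.
FIXED_CONFIG = """<config>
  <ldap-server-profile name="openldap-prod"><domain>mydomain</domain></ldap-server-profile>
  <authentication-profile name="gp-auth"><domain>mydomain</domain></authentication-profile>
  <group-mapping name="gp-groups"><domain>mydomain</domain></group-mapping>
  <portal-gateway name="gw-east">
    <member>mydomain\\alice</member>
    <member>cn=vpn-east,ou=users,dc=sub,dc=sub,dc=tld</member>
  </portal-gateway>
</config>"""


def is_full_dn(value: str) -> bool:
    """True for 'cn=x,ou=y,dc=z' style references, False for short names."""
    return bool(FULL_DN_RE.match(value))


def rdn_value(dn: str, attr: str = "cn") -> str:
    """First value of the given attribute in a DN, e.g. 'vpn-east'."""
    for part in dn.split(","):
        key, _, val = part.partition("=")
        if key.strip().lower() == attr:
            return val.strip()
    return ""


def short_name(member: str) -> str:
    """'mydomain\\vpn-east' -> 'vpn-east'; a bare name is returned unchanged."""
    return member.rsplit("\\", 1)[-1]


def check_config(xml_text: str, known_groups=KNOWN_GROUP_DNS) -> list:
    """Return a list of findings; an empty list means all three settings are consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # (1) and (2): the Domain Name must be identical in all three objects and dot-free.
    domains = {}
    for tag in ("ldap-server-profile", "authentication-profile", "group-mapping"):
        for el in root.iter(tag):
            domains[f"{tag}/{el.get('name')}"] = el.findtext("domain", "").strip()
    if len(set(domains.values())) > 1:
        findings.append("domain mismatch: " + ", ".join(f"{k}={v!r}" for k, v in domains.items()))
    for where, dom in domains.items():
        if "." in dom:
            findings.append(f"{where}: domain {dom!r} contains '.'; use a dot-free name")

    # (3): a group written as a short name is not matched; suggest the full DN instead.
    by_cn = {rdn_value(dn).lower(): dn for dn in known_groups}
    for gw in root.iter("portal-gateway"):
        for m in gw.findall("member"):
            value = (m.text or "").strip()
            if is_full_dn(value):
                continue
            dn = by_cn.get(short_name(value).lower())
            if dn:  # short name belongs to a known group, not an individual user
                findings.append(f"gateway {gw.get('name')}: group {value!r} given as short name; use {dn}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(cfg) or "ok")
```

Individual users (mydomain\alice) are left alone, since the original poster reported the short-name form works for users; only a short name whose cn matches a mapped group is flagged.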

4 replies

L3 Networker

What version of PAN-OS are you running? There are some versions that had a bug when using a scoped LDAP group.

____________________

Just another I.T. Guy

Panorama 8.1.13

PanOS 8.1.9-h4 on the Portal

PanOS 8.1.13 on the Gateways

 

Using OpenLDAP on the directory servers, so the LDAP config uses "other".

Sorry, I can't help with this. I have been running 9.0 versions, wasn't until 9.0.5 that it was fixed. I am also doing LDAP auth against active directory.

____________________

Just another I.T. Guy


  • 1 accepted solution
  • 6556 Views
  • 4 replies
  • 0 Likes