03-24-2020 10:30 AM - edited 03-24-2020 12:10 PM
What's the magic incantation needed to use LDAP groups in the GlobalProtect Portal user/group list? Instead of listing all umpteen dozen individual users.
I have a working GP Portal and multiple Gateway setup, using LDAP for authentication.
I have a working Group Mapping setup using groups from LDAP. I can use "show user group list" and see all my LDAP groups. I can use "show user group name mydomain\mygroup" (the shortname for it) to view all the members of the group. And I can run "show user user-ids match-user myuser" to see which group(s) a user is in.
In the Portal config, I can add individual users to the user/group list for each individual Gateway. But, with the number of VPN users increasing the past couple of weeks, it's getting cumbersome to edit the config, commit to Panorama, and push to the firewalls. Would be much nicer to just put an LDAP group in here, and update the member list in LDAP instead. I just can't make this work!
If I remove a test user from the Portal config, and replace it with an LDAP group (which that test user is a member of), then I get "Not authorized to access GlobalProtect Portal". Tried the shortname for the group, mydomain\shortname, and the full cn=mygroup,ou=groups... syntax. Same result for each.
What am I missing?
Edit: This is on Panorama 8.1.13, PanOS 8.1.9-h4 on the Portal, 8.1.13 on the Gateways.
Edit2: Further troubleshooting, running "test authentication" from the CLI on the portal and the gateway succeeds. But, we already knew the LDAP config worked; it's trying to use the LDAP group on the Portal Config that's failing. And there doesn't appear to be a way to test that at the CLI, or to get better logs.
03-27-2020 02:38 PM
Aha! Got it to work with the help of Palo Alto support.
With OpenLDAP, you have to match the Domain Name in the LDAP Server Profile, the Authentication Profile, and the Group Mapping (and it doesn't like . in the domain). We had it matched across them all, but using sub.sub.tld for the domain, which it doesn't like.
And, in the Portal config, when you list the group, you have to use the full LDAP cn=groupname,ou=users,dc=sub,dc=sub,dc=tld. It doesn't like using the domain\groupname short-name format.
With those two settings changed, listing just the group in the Portal config allows users in that group in LDAP to login!
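As an added illustration (not part of the original post or any Palo Alto tooling), a small Python check that encodes the two rules from the fix above: the Domain Name must be identical across the LDAP Server Profile, Authentication Profile and Group Mapping and must not contain a dot, and each group in the Portal user/group list must be a full DN rather than domain\group. The profile values and group entries are constructed samples; the field names are assumptions used only to label the sample.

```python
import re

# Constructed sample mirroring the thread's working configuration: one
# dot-free Domain Name shared by all three profiles, and portal groups as
# full DNs. The second portal entry deliberately uses the short-name form.
PROFILES = {
    "ldap_server_profile": "mydomain",
    "authentication_profile": "mydomain",
    "group_mapping": "mydomain",
}
PORTAL_GROUPS = [
    "cn=vpn-users,ou=groups,dc=sub,dc=sub,dc=tld",
    r"mydomain\vpn-admins",  # short-name form the portal does not accept
]

# A loose DN shape: comma-separated attr=value pairs, e.g. cn=x,ou=y,dc=z.
DN_RE = re.compile(r"^(?:[a-zA-Z]+=[^,]+)(?:,[a-zA-Z]+=[^,]+)*$")


def check_domain_names(profiles):
    """Return findings for Domain Name values that differ or contain '.'."""
    findings = []
    values = set(profiles.values())
    if len(values) > 1:
        findings.append(f"Domain Name differs across profiles: {sorted(values)}")
    for name, value in profiles.items():
        if "." in value:
            findings.append(f"{name}: '{value}' contains '.', use a single label")
    return findings


def check_portal_groups(groups):
    """Return findings for portal group entries that are not full DNs."""
    findings = []
    for group in groups:
        if "\\" in group:
            findings.append(f"'{group}' uses domain\\group short-name form; use the full DN")
        elif not DN_RE.match(group):
            findings.append(f"'{group}' is not a well-formed DN")
    return findings


def dc_labels(dn):
    """Return the dc= components of a DN in order, e.g. ['sub', 'sub', 'tld']."""
    return [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.lower().startswith("dc=")]


if __name__ == "__main__":
    for finding in check_domain_names(PROFILES) + check_portal_groups(PORTAL_GROUPS):
        print("FINDING:", finding)
```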
03-24-2020 10:37 AM
What version of PAN-OS are you running? There are some versions that had a bug when using a scoped LDAP group.
Just another I.T. Guy
03-24-2020 11:07 AM
Panorama 8.1.13
PanOS 8.1.9-h4 on the Portal
PanOS 8.1.13 on the Gateways
Using OpenLDAP on the directory servers, so the LDAP config uses "other".
03-24-2020 11:09 AM
Sorry, I can't help with this. I have been running 9.0 versions, wasn't until 9.0.5 that it was fixed. I am also doing LDAP auth against active directory.
Just another I.T. Guy