09-27-2024 04:58 AM
Hello Team,
We have successfully integrated LDAP with the Palo Alto firewall, and user-ID mapping via the user-ID agent is functioning as expected. We are able to use LDAP users in the security policy without any issues. However, when attempting to apply LDAP groups to the policy, the policy does not seem to work as intended.
We have configured the group mapping correctly, and when we check the user list within the group via CLI, it displays accurately.
Could you please assist us with your expertise to resolve this issue?
09-27-2024 06:06 AM
Hi @Mebinbaby,
The most common reason, by far, for group mappings not to work is that the format of the user name in the IP mapping is different from the format of the username in the group mapping. The username must match exactly. You can run the following commands to verify the format is exactly the same:
> show user ip-user-mapping all
> show user group list
> show user group name "cn=it_operations,cn=users,dc=al,dc=com"
Obviously, replace the group name above with the one in question. 😀 If there are spaces in the group name, it must be in quotes.
If the formats are different, please post and we can look at resolving it. Please also post the source of the User/IP mappings. If the source involves an authentication profile, please post the type.
Thanks,
Tom
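A small checker for the comparison Tom describes, added here as an example that is not part of the thread or of any Palo Alto tool: it parses constructed text approximating the output of the two CLI commands above and flags IP mappings whose username format differs from the group members (for instance a bare username or a UPN where the group lists DOMAIN\user). The sample output, IPs, domain and usernames are all made up.

```python
import re

# Constructed sample output approximating the layout of the two PAN-OS commands
# in the answer; not captured from a real firewall.
IP_USER_MAPPING = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
10.10.1.21      vsys1  UIA     al\\jdoe              2400           2700
10.10.1.22      vsys1  UIA     asmith                2400           2700
10.10.1.23      vsys1  UIA     bwong@al.com          2400           2700
10.10.1.24      vsys1  UIA     al\\contractor1       2400           2700
"""
GROUP_MEMBERS = """\
short name:  al\\it_operations
[1     ] al\\jdoe
[2     ] al\\asmith
[3     ] al\\bwong
"""

def parse_ip_user_mapping(text):
    """Return {ip: username} from 'show user ip-user-mapping all' output."""
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows begin with an IPv4 address; header and separator rows do not
        if len(parts) >= 4 and re.match(r"^\d+\.\d+\.\d+\.\d+$", parts[0]):
            mappings[parts[0]] = parts[3]
    return mappings

def parse_group_members(text):
    """Return member usernames from 'show user group name <group>' output."""
    return [m.group(1) for m in re.finditer(r"^\[\s*\d+\s*\]\s+(\S+)", text, re.M)]

def canonical(user):
    """Reduce 'DOMAIN\\user', 'user@domain' and 'user' to one lowercase form."""
    user = user.lower()
    if "\\" in user:
        return user.split("\\", 1)[1]
    return user.split("@", 1)[0]

def classify_mappings(ip_map, members):
    """Label each mapping 'match' (group rule hits), 'format-mismatch' (same
    identity, different username format, so the rule silently fails) or 'not-member'."""
    exact, by_canon = set(members), {canonical(m) for m in members}
    result = {}
    for ip, user in ip_map.items():
        if user in exact:
            result[ip] = "match"
        elif canonical(user) in by_canon:
            result[ip] = "format-mismatch"
        else:
            result[ip] = "not-member"
    return result
```

Any 'format-mismatch' entry is the case Tom describes: the user is in the group, but the policy cannot see it because the mapping source writes the name in a different format.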