Aha! Got it to work with the help of Palo Alto support. With OpenLDAP, you have to match the Domain Name in the LDAP Server Profile, the Authentication Profile, and the Group Mapping (and it doesn't like `.` in the domain). We had it matched across them all, but using sub.sub.tld for the domain, which it doesn't like. And, in the Portal config, when you list the group, you have to use the full LDAP `cn=groupname,ou=users,dc=sub,dc=sub,dc=tld`. It doesn't like using the `domain\groupname` short-name format. With those two settings changed, listing just the group in the Portal config allows users in that group in LDAP to log in!
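As an added example (not part of the original post, and not Palo Alto's own tooling), here is a small pre-flight check that encodes the three rules the post describes: the Domain Name must be identical in the LDAP Server Profile, the Authentication Profile and the Group Mapping; it must not contain a dot; and the Portal group must be written as a full LDAP DN rather than `domain\group`. The function and field names, and the sample values (`corp`, `dc=sub,dc=sub,dc=tld`, `vpn-users`), are assumptions made for illustration.

```python
# Added example: consistency check for the OpenLDAP + GlobalProtect settings described in the post.
# Not PAN-OS code; function names and sample values are illustrative assumptions.
import re

# One RDN such as "cn=vpn-users". Values are kept as opaque text.
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, left to right.

    Returns None when any component is not attr=value, which is what a
    domain\\group short name looks like to this parser.
    """
    parts = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn.strip())
        if not m:
            return None
        parts.append((m.group(1).lower(), m.group(2)))
    return parts


def check_config(ldap_profile_domain, auth_profile_domain, group_mapping_domain, portal_group):
    """Return a list of findings; an empty list means the four settings are consistent."""
    findings = []
    domains = {
        "LDAP Server Profile": ldap_profile_domain,
        "Authentication Profile": auth_profile_domain,
        "Group Mapping": group_mapping_domain,
    }

    # Rule 1: the Domain Name must be identical across all three profiles.
    if len(set(domains.values())) != 1:
        findings.append("domain-mismatch: " + ", ".join(f"{k}={v!r}" for k, v in domains.items()))

    # Rule 2: the OpenLDAP integration does not accept dots in the Domain Name.
    for name, value in domains.items():
        if "." in value:
            findings.append(f"domain-has-dot: {name} uses {value!r}; use a dot-free name")

    # Rule 3: the Portal group must be a full DN starting with the group's cn= and
    # carrying the dc= components, not the domain\group short form.
    rdns = parse_dn(portal_group)
    if rdns is None:
        findings.append(
            f"group-not-dn: {portal_group!r} is not a full DN such as cn=group,ou=users,dc=example,dc=tld"
        )
    else:
        attrs = [attr for attr, _ in rdns]
        if attrs[0] != "cn":
            findings.append("group-not-dn: DN must start with the group's cn= component")
        if "dc" not in attrs:
            findings.append("group-not-dn: DN has no dc= components")
    return findings


if __name__ == "__main__":
    # Constructed sample: the working combination from the post's description.
    good = check_config("corp", "corp", "corp", "cn=vpn-users,ou=users,dc=sub,dc=sub,dc=tld")
    print("working config findings:", good)
    # Constructed sample: the two mistakes the post ran into.
    bad = check_config("sub.sub.tld", "sub.sub.tld", "sub.sub.tld", "corp\\vpn-users")
    for finding in bad:
        print("finding:", finding)
```

Run it before committing the PAN-OS configuration: each finding names the profile or field to correct, and an empty result means the Domain Name and group reference are in the shape the post found to work.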