LDAP Custom Groups


43138
Created On 09/25/18 17:42 PM - Last Modified 06/15/23 21:43 PM


Resolution


Understanding Custom groups in LDAP Group Mapping

Use the Custom Group subtab to create custom groups based on LDAP filters, so that you can base firewall policies on user attributes that don’t match existing user groups in an LDAP-based service such as Active Directory (AD). User-ID maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing AD group domain name, the firewall uses the custom group in all references to that name.

Let's assume there are two groups in AD, each with some users in it.

 

admin@PA-VM> show user group list

     cn=Group1,cn=users,dc=domain,dc=com

     cn=Group2,cn=users,dc=domain,dc=com

 

The above groups already exist in AD. We will now create custom groups on the Palo Alto Networks firewall based on user attributes.

Here User1, User2, User10 and USER20 belong to the IT department, and User3, User4, User30 and USER40 belong to the Finance department.

We can therefore create two separate custom groups using user attributes.

 

You can see a list of attributes in the Attribute Editor tab, or check this alphabetical list of user attributes: http://www.selfadsi.org/user-attributes.htm

 

The total number of groups you can add to a group mapping configuration—across the Custom Group subtab and “Group Include List Subtab”—is 640 per virtual system (vsys).

 

To create a custom group, click Add, enter a group Name (it must be unique in the group mapping configuration for the current firewall/vsys), specify an LDAP Filter of up to 2,048 characters, then click OK.

LDAP Group Mapping

After creating or cloning a custom group, you must perform a commit before the group becomes available for use in policies and objects.
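As an added illustration (not code from the article or from Palo Alto Networks), the following Python evaluates a minimal RFC 4515 LDAP filter against constructed directory entries to show which users User-ID would place in a custom group; the filter strings such as (department=Finance) are assumptions modelled on the text, since the article does not show its actual filters, and the 2,048-character limit is the one the article states. It goes slightly beyond the article by also handling &, |, ! and the * wildcard.

```python
import re
# Constructed sample directory entries (not from the article); attribute -> value.
G1, G2 = "cn=Group1,cn=users,dc=domain,dc=com", "cn=Group2,cn=users,dc=domain,dc=com"
DIRECTORY = [
    {"sAMAccountName": "User1", "department": "IT", "memberOf": G1},
    {"sAMAccountName": "User2", "department": "IT", "memberOf": G1},
    {"sAMAccountName": "User3", "department": "Finance", "memberOf": G2},
    {"sAMAccountName": "User4", "department": "Finance", "memberOf": G2},
    {"sAMAccountName": "svc-backup", "department": "Finance"},  # in no AD group
]

def parse_filter(s):
    """Parse a minimal RFC 4515 filter: (&..), (|..), (!..) and (attr=value)."""
    if not s.startswith("("):
        raise ValueError("filter must start with '('")
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = parse_filter(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), s[1:]
    end = s.index(")")
    attr, _, value = s[:end].partition("=")  # split at the first '=' only
    return ("=", attr.strip(), value), s[end + 1:]

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    if node[0] == "=":
        _, attr, value = node
        have = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
        pattern = ".*".join(re.escape(part) for part in value.split("*"))  # only '*' is a wildcard
        return have is not None and re.fullmatch(pattern, have, re.IGNORECASE) is not None
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # '!' takes exactly one sub-filter

def custom_group_members(ldap_filter, entries=DIRECTORY):
    """Return the accounts User-ID would map into a custom group defined by this filter."""
    if len(ldap_filter) > 2048:  # limit stated in the article
        raise ValueError("LDAP filter exceeds 2,048 characters")
    node, rest = parse_filter(ldap_filter.strip())
    assert not rest, "trailing data after filter: %r" % rest
    return [e["sAMAccountName"] for e in entries if matches(node, e)]
```

Note that an attribute filter such as (department=Finance) also picks up accounts that belong to no AD group at all (svc-backup above), which is exactly the case to check with show user group name before relying on the group in a policy.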

 

For example, now we will create a Rule allowing only Finance users.

Security Policy Rule

Confirm that the new group exists and contains the expected members.

admin@PA-VM> show user group list

     cn=Group1,cn=users,dc=domain,dc=com

     cn=Group2,cn=users,dc=domain,dc=com

     Finance *

     IT*

Total: 4

* : Custom Group

 

admin@PA-200> show user group name finance

     source type: ldap

     Group type:Custom

     source:      domain

     [1     ] domain\rsriramo