What Should be Configured as Domain in an LDAP Profile?


Created On 09/25/18 17:50 PM - Last Updated 02/08/19 00:08 AM


Applies up to PAN-OS 6.1. For later PAN-OS versions, see the articles listed under See Also below.




In most cases, the NetBIOS (short) domain name should be configured in the Domain field of the LDAP server profile.

Note: In most cases the full DNS domain name should not be used (for example, use 'pantaclab', not 'pantaclab.com').


Here is an example of what happens when the full DNS domain is used:

> show user user-IDs

User Name                   Vsys    Groups
pantaclab.com\user01        vsys1   cn=group1,cn=users,dc=pantaclab,dc=com

Notice that the user is listed as pantaclab.com\user01, which is unlikely to match the name (pantaclab\user01) under which the User-ID agent learns the user from Active Directory.


When pantaclab is configured as the domain instead of pantaclab.com, the result is different: the user is listed as pantaclab\user01, which matches the Active Directory user as seen in the IP-to-user mapping:

> show user ip-user-mapping

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
                AD        pantaclab\user01                 2995             2995


If the domain name in the LDAP profile differs from the one that appears in the IP-to-user mapping, user and group name lookups fail. For example, if a security policy is configured with source user "group1" (from the example above), the user pantaclab\user01 will not be treated as a member of "group1", because the group mapping knows that account only as pantaclab.com\user01.
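The following script is an added example, not PAN-OS code and not part of the original article. It parses the two CLI outputs shown above and checks whether the domain prefix that User-ID reports in the IP-to-user mapping exists in the LDAP group-mapping table; any account whose prefix does not match is one that will silently drop out of group-based policy. The sample output is constructed to mirror the article (the IP addresses, the second account user02, and all helper names are assumptions made for the example); paste the real output of "show user user-IDs" and "show user ip-user-mapping" into the two strings to check a live firewall.

```python
"""Added example: cross-check LDAP group mapping against User-ID IP-to-user mapping.
Not PAN-OS code. The sample output below is constructed for the example, not captured
from a firewall."""
import re
from collections import Counter

# Constructed sample. user01's group entry was learned with the full DNS domain
# (Domain field set to pantaclab.com); user02's with the NetBIOS name (pantaclab).
USER_IDS_OUTPUT = """\
User Name                 Vsys   Groups
------------------------- ------ --------------------------------------
pantaclab.com\\user01      vsys1  cn=group1,cn=users,dc=pantaclab,dc=com
pantaclab\\user02          vsys1  cn=group1,cn=users,dc=pantaclab,dc=com
"""

# Constructed sample; the IP addresses are assumptions.
IP_USER_MAPPING_OUTPUT = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.1.1.10       AD        pantaclab\\user01                 2995             2995
10.1.1.11       AD        pantaclab\\user02                 2995             2995
"""

# Data rows only; header and separator lines do not match these patterns.
USER_ID_ROW = re.compile(r"^(\S+)\s+(vsys\d+)\s+(\S+)\s*$")
IP_MAP_ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def split_user(user):
    """'DOMAIN\\name' -> ('domain', 'name'); lower-cased so the comparison is case-insensitive."""
    domain, _, name = user.rpartition("\\")
    return domain.lower(), name.lower()


def parse_user_ids(text):
    """Return {('domain', 'name'): set of group DNs} from 'show user user-IDs' output."""
    members = {}
    for line in text.splitlines():
        m = USER_ID_ROW.match(line)
        if m:
            members.setdefault(split_user(m.group(1)), set()).add(m.group(3).lower())
    return members


def parse_ip_user_mapping(text):
    """Return {ip: ('domain', 'name')} from 'show user ip-user-mapping' output."""
    mapping = {}
    for line in text.splitlines():
        m = IP_MAP_ROW.match(line)
        if m:
            mapping[m.group(1)] = split_user(m.group(3))
    return mapping


def group_cn(dn):
    """Leading cn= value of a group DN: 'cn=group1,cn=users,...' -> 'group1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def is_member(members, user, group_name):
    """Model the policy lookup: the exact domain\\name key that User-ID reported must
    exist in the group-mapping table, so a domain-prefix mismatch yields False."""
    return any(group_cn(dn) == group_name.lower() for dn in members.get(user, ()))


def find_domain_mismatches(members, mapping):
    """List (ip, user, known_domains) for every mapped user whose domain prefix
    differs from all group-mapping entries for that account name."""
    by_name = {}
    for domain, name in members:
        by_name.setdefault(name, set()).add(domain)
    return [
        (ip, f"{domain}\\{name}", sorted(by_name.get(name, ())))
        for ip, (domain, name) in mapping.items()
        if domain not in by_name.get(name, ())
    ]


def recommended_domain(mapping):
    """The Domain field should carry the prefix User-ID actually reports (normally the
    NetBIOS name): return the most common prefix seen in the IP-to-user mapping."""
    counts = Counter(domain for domain, _ in mapping.values())
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    members = parse_user_ids(USER_IDS_OUTPUT)
    mapping = parse_ip_user_mapping(IP_USER_MAPPING_OUTPUT)
    for ip, user, known in find_domain_mismatches(members, mapping):
        print(f"{ip}: {user} has no group-mapping entry; table knows domain(s) {known}")
    print("Domain field should be:", recommended_domain(mapping))
```

With the constructed sample the script reports 10.1.1.10 / pantaclab\user01 as a mismatch (the group table only knows pantaclab.com\user01) and recommends "pantaclab" for the Domain field, while user02 is correctly found in group1.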


See Also

How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server


LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama


owner: yogihara
