What Should be Configured as Domain in an LDAP Profile?

Created On 09/25/18 17:50 PM - Last Updated 02/08/19 00:08 AM

Resolution

This article applies up to PAN-OS 6.1; for later PAN-OS versions, see the articles listed under See Also below.

 

Details


In most cases, the NetBIOS domain should be configured in the Domain field.

Note: In most cases, the full domain should not be used (for example, use 'pantaclab' and not 'pantaclab.com').

 

Here is an example of what happens when the full domain is used:

> show user user-IDs

User Name               Vsys    Groups
------------------------------------------------------------------
pantaclab.com\user01    vsys1   cn=group1,cn=users,dc=pantaclab,dc=com

 

Notice that the user is listed as pantaclab.com\user01, which is unlikely to match the user name as it is configured in Active Directory.

 

When pantaclab is configured as the domain instead of pantaclab.com, the result is different: the user is listed as pantaclab\user01, which matches the Active Directory user.

> show user ip-user-mapping

IP               Ident. By  User                              Idle Timeout (s)  Max. Timeout (s)
---------------  ---------  --------------------------------  ----------------  ----------------
192.168.208.100  AD         pantaclab\user01                  2995              2995

 

If the domain name in the LDAP profile differs from the one shown in the IP-to-user mapping, user and group name lookups are affected. For example, if a security policy is configured with source user "group1" (from the example above), the user at 192.168.206.100 will not be treated as a member of "group1".
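The following is an added example, not part of the original article or Palo Alto Networks' own tooling. It parses constructed sample output in the shape of the two CLI commands shown above and checks whether the domain prefix that the LDAP profile produces in the user-IDs table matches the prefix in the IP-to-user mapping. The sample text, the parsing assumptions (one whitespace-separated group DN per user) and the function names are all assumptions made for this example.

```python
"""Check that LDAP profile domain prefixes line up with IP-to-user mappings.

Added example (not from the original article). The two strings below are
constructed sample output modelled on the article's CLI examples; they are
not real device output.
"""

# Constructed: what 'show user user-IDs' looks like when the LDAP profile
# Domain field holds the full DNS name (pantaclab.com) instead of NetBIOS name.
USER_IDS_FULL_DOMAIN = """\
User Name               Vsys    Groups
------------------------------------------------------------------
pantaclab.com\\user01    vsys1   cn=group1,cn=users,dc=pantaclab,dc=com
"""

# Constructed: the same table after the profile is corrected to 'pantaclab'.
USER_IDS_NETBIOS_DOMAIN = """\
User Name               Vsys    Groups
------------------------------------------------------------------
pantaclab\\user01        vsys1   cn=group1,cn=users,dc=pantaclab,dc=com
"""

# Constructed: 'show user ip-user-mapping' output; the agent reports the
# NetBIOS-style name regardless of how the LDAP profile is configured.
IP_USER_MAPPING = """\
IP               Ident. By  User                              Idle Timeout (s)  Max. Timeout (s)
---------------  ---------  --------------------------------  ----------------  ----------------
192.168.208.100  AD         pantaclab\\user01                  2995              2995
"""


def parse_user_ids(text):
    """Map 'domain\\user' (lower-cased) to its list of group DNs.

    Assumes each group DN is a single whitespace-free token (true for the
    sample; DNs containing spaces would need a smarter splitter)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("User Name") or line.startswith("---"):
            continue
        parts = line.split()
        user, _vsys, groups = parts[0], parts[1], parts[2:]
        users[user.lower()] = groups
    return users


def parse_ip_user_mapping(text):
    """Map IP address to the 'domain\\user' string (lower-cased) it is mapped to."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("IP ") or line.startswith("---"):
            continue
        parts = line.split()
        mapping[parts[0]] = parts[2].lower()
    return mapping


def split_domain(user):
    """Split 'domain\\name' into (domain, name); no backslash means no domain."""
    domain, sep, name = user.partition("\\")
    return (domain, name) if sep else ("", user)


def user_in_group(ip, group_cn, ip_map, user_ids):
    """True if the user mapped to `ip` is a member of the group with CN `group_cn`.

    As the article describes, the lookup keys on the full 'domain\\user'
    string, so a prefix mismatch silently yields no groups."""
    user = ip_map.get(ip)
    if user is None:
        return False
    groups = user_ids.get(user, [])
    prefix = "cn=%s," % group_cn.lower()
    return any(g.lower().startswith(prefix) for g in groups)


def mismatched_domains(ip_map, user_ids):
    """List (ip, mapping_domain, [ldap_domains]) where the same account name
    appears in both tables but under different domain prefixes."""
    ldap_domains_by_name = {}
    for user in user_ids:
        domain, name = split_domain(user)
        ldap_domains_by_name.setdefault(name, set()).add(domain)
    problems = []
    for ip, user in ip_map.items():
        domain, name = split_domain(user)
        if user not in user_ids and name in ldap_domains_by_name:
            problems.append((ip, domain, sorted(ldap_domains_by_name[name])))
    return problems


if __name__ == "__main__":
    ip_map = parse_ip_user_mapping(IP_USER_MAPPING)
    for label, table in (("full domain", USER_IDS_FULL_DOMAIN),
                         ("NetBIOS domain", USER_IDS_NETBIOS_DOMAIN)):
        user_ids = parse_user_ids(table)
        print(label, "-> in group1:",
              user_in_group("192.168.208.100", "group1", ip_map, user_ids),
              "mismatches:", mismatched_domains(ip_map, user_ids))
```

Run against the two sample tables, the check reports that 192.168.208.100 is not matched to group1 while the profile domain is pantaclab.com and that the prefixes disagree, and that the match succeeds once the profile uses the NetBIOS name. The same functions can be pointed at pasted output from a real firewall to find every mapped user whose domain prefix differs from what the LDAP profile produces.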

 

See Also

How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server

 

LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

 

owner: yogihara
