How to Check Users in LDAP Groups

116353
Created On 09/25/18 19:20 PM - Last Updated 04/20/20 23:38 PM


Environment
  • PAN-OS
  • User-id configured with LDAP Groups


Resolution

Overview

Palo Alto Networks devices can optionally utilize users and groups to create security policies. Checking users in LDAP groups lets administrators create access permissions based on group membership.

 

Details

Device administrators use LDAP groups to grant access based on users rather than IP addresses. The User-ID agent (software or hardware) is responsible for collecting the IP-user mappings and passing them to the Palo Alto Networks firewall. Based on the LDAP profile, the User-ID agent reads groups from the LDAP server. The IP-user mappings are stored in the firewall's IP-user-mappings table, while the groups and their members are stored in the group-mappings list.

 

Steps

Use the steps below to find the groups that the Palo Alto Networks firewall is reading through an LDAP profile and to list their members.

  1. The list of every group can be read using the following CLI command:
    > show user group list

    cn=sales,cn=users,dc=al,dc=com
    cn=it_development,cn=users,dc=al,dc=com
    cn=groùpé,cn=users,dc=al,dc=com
    cn=domain admins,cn=users,dc=il,dc=al,dc=com
    cn=domain guests,cn=users,dc=al,dc=com
    cn=it,cn=users,dc=al,dc=com
    cn=marketing,cn=users,dc=al,dc=com
    cn=it_operations,cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=il,dc=al,dc=com
    cn=hr,cn=users,dc=al,dc=com
    cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=vpn_users,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=al,dc=com
     
  2. To list the members of one of the groups found in the previous step:
    > show user group name "cn=it_operations,cn=users,dc=al,dc=com"

    source type: service
    source:      AD_Group_Mapping_al.com
    [1     ] al\alex
    [2     ] al\biljanap
    [3     ] al\damem
    [4     ] al\ilija
    [5     ] al\ilijaal
    [6     ] al\ristok
    [7     ] al\jovan

    The command will not list disabled AD users.
    The example below shows the "alex" domain user on AD has been disabled:
    [Screenshot: the "alex" domain user shown as disabled in Active Directory]
     
  3. The group-mappings on the LDAP profile can be reset with the following CLI command:
    > debug user-id reset group-mapping AD_Group_Mapping
    group mapping 'AD_Group_Mapping' in vsys1 is marked for reset.
     
  4. Running the same command again after the reset shows that the disabled user is no longer listed in the output:
    > show user group name "cn=it_operations,cn=users,dc=al,dc=com"
    short name:  al\it_operations
    source type: service
    source:      AD_Group_Mapping

    [1     ] al\biljanap
    [2     ] al\damem
    [3     ] al\ilija
    [4     ] al\ilijaal
    [5     ] al\ristok
    [6     ] al\jovan

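The steps above are manual. The following added example (not part of the article or of PAN-OS) parses the two CLI outputs quoted above so the checks can be scripted: it lists a group cn that appears under more than one base DN (as it_operations does in step 1), and it flags members the firewall still lists although the directory reports them as disabled (the "alex" case in step 2, which persists until the group mapping is refreshed or reset). The sample outputs are copied from the article; the list of disabled accounts is a constructed, hypothetical input that in practice would come from the directory.

```python
"""Parse PAN-OS 'show user group list' and 'show user group name' output and
flag stale group members. Added example, not part of the article or PAN-OS."""
import re
from typing import Dict, List, Set

# Constructed sample: a subset of the 'show user group list' output quoted in the article.
GROUP_LIST_OUTPUT = """\
cn=sales,cn=users,dc=al,dc=com
cn=it_development,cn=users,dc=al,dc=com
cn=it_operations,cn=it,ou=groups,dc=al,dc=openldap,dc=com
cn=it_operations,ou=groups,dc=al,dc=openldap,dc=com
cn=it_operations,cn=users,dc=al,dc=com
cn=domain users,cn=users,dc=il,dc=al,dc=com
cn=vpn_users,cn=users,dc=al,dc=com
"""

# Constructed sample: 'show user group name' output before the group-mapping reset (article, step 2).
MEMBERS_BEFORE_RESET = """\
source type: service
source:      AD_Group_Mapping_al.com
[1     ] al\\alex
[2     ] al\\biljanap
[3     ] al\\damem
"""

# Constructed, hypothetical input: accounts the directory reports as disabled.
DISABLED_IN_AD: Set[str] = {"al\\alex"}

DN_RE = re.compile(r"^cn=([^,]+),(.+)$", re.IGNORECASE)
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")
HEADER_RE = re.compile(r"^(short name|source type|source):\s*(.*)$")


def parse_group_list(output: str) -> Dict[str, List[str]]:
    """Map each group cn (lowercased) to every full DN the firewall lists for it."""
    groups: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = DN_RE.match(line)
        if m:
            groups.setdefault(m.group(1).lower(), []).append(line)
    return groups


def ambiguous_groups(output: str) -> Dict[str, List[str]]:
    """Group cns that exist under more than one base DN; a policy that names only the
    cn must be checked against the full DN the firewall actually resolved."""
    return {cn: dns for cn, dns in parse_group_list(output).items() if len(dns) > 1}


def parse_group_members(output: str) -> Dict[str, object]:
    """Return the header fields and the member list from 'show user group name' output."""
    info: Dict[str, object] = {"members": []}
    for raw in output.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            info[h.group(1).replace(" ", "_")] = h.group(2).strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            info["members"].append(m.group(1))  # type: ignore[union-attr]
    return info


def stale_members(output: str, disabled_accounts: Set[str]) -> List[str]:
    """Members the firewall still lists although the directory has disabled them.
    The comparison is case-insensitive so it does not depend on how either side
    capitalises domain\\user names."""
    members: List[str] = parse_group_members(output)["members"]  # type: ignore[assignment]
    disabled = {d.lower() for d in disabled_accounts}
    return sorted(m for m in members if m.lower() in disabled)


if __name__ == "__main__":
    for cn, dns in ambiguous_groups(GROUP_LIST_OUTPUT).items():
        print(f"group '{cn}' resolves to {len(dns)} DNs: {dns}")
    info = parse_group_members(MEMBERS_BEFORE_RESET)
    print(f"source {info.get('source')} lists {len(info['members'])} members")
    print("stale members:", stale_members(MEMBERS_BEFORE_RESET, DISABLED_IN_AD))
```

When `stale_members` returns a non-empty list, the group mapping still carries accounts the directory has disabled; the reset in step 3 (or waiting for the next scheduled group refresh) brings the firewall's view back in line with the directory.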
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail