Palo Alto Networks devices can optionally utilize users and groups to create security policies. Checking users in LDAP groups lets administrators create access permissions based on group membership.
Device administrators use LDAP groups to grant access based on users rather than IP addresses. The User-ID agent (software or hardware) is responsible for collecting the IP-user-mappings and delivering them to the Palo Alto Networks firewall. Based on the LDAP profile, the User-ID agent reads groups from the LDAP server. The mappings are stored in the firewall's IP-user-mappings table; the groups and their members are stored in the group-mappings list.
Find the groups that the Palo Alto Networks firewall is reading through an LDAP profile by performing the steps below.
The member list for every group can be read using the following CLI command:
> show user group list
The command will not list disabled AD users. The example below shows that the "alex" domain user on AD has been disabled:
The group-mappings on the LDAP profile can be reset with the following CLI command:
> debug user-id reset group-mapping AD_Group_Mapping
group mapping 'AD_Group_Mapping' in vsys1 is marked for reset.
After the reset, the CLI command below shows that the disabled user is no longer listed in the output:
> show user group name "cn=it_operations,cn=users,dc=al,dc=com"
short name: al\it_operations
source type: service
source: AD_Group_Mapping
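As an added example (not from this article or from Palo Alto Networks), the Python script below parses the header and member lines of a `show user group name` output and cross-checks each member against the AD userAccountControl value, flagging any member the firewall still lists whose account carries the ACCOUNTDISABLE bit, which is the condition that warrants the group-mapping reset shown above. The CLI output and AD records are constructed sample data, and the `[n ] domain\user` member-line layout is an assumption.

```python
import re

# Constructed sample of "show user group name" output. The header fields
# match the article; the member-line layout below is an assumption.
SAMPLE_GROUP_OUTPUT = """\
short name: al\\it_operations
source type: service
source: AD_Group_Mapping

[1     ] al\\alex
[2     ] al\\bob
[3     ] al\\carol
"""

# Constructed AD records: sAMAccountName -> userAccountControl.
# Bit 0x2 (ACCOUNTDISABLE) marks a disabled account; 0x200 is a normal user.
AD_USERS = {"alex": 0x202, "bob": 0x200, "carol": 0x200}
ACCOUNTDISABLE = 0x2

MEMBER_LINE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def parse_group_output(text):
    """Return (header dict, list of member short names) from the CLI output."""
    header, members = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = MEMBER_LINE.match(line)
        if match:
            members.append(match.group(1))
            continue
        key, sep, value = line.partition(":")
        if sep:  # "short name: al\it_operations" -> header["short name"]
            header[key.strip()] = value.strip()
    return header, members


def disabled_members(members, ad_users):
    """Members still listed by the firewall whose AD account is disabled."""
    stale = []
    for member in members:
        account = member.split("\\", 1)[-1]  # strip the "al\" domain prefix
        uac = ad_users.get(account)
        if uac is not None and uac & ACCOUNTDISABLE:
            stale.append(member)
    return stale


if __name__ == "__main__":
    hdr, members = parse_group_output(SAMPLE_GROUP_OUTPUT)
    print(hdr["source"], "members:", members)
    print("disabled in AD but still mapped:", disabled_members(members, AD_USERS))
```

A non-empty result means the firewall's group-mappings list has not yet picked up the directory change, and the `debug user-id reset group-mapping` command from the article should be run and the group re-checked.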