How to Check Users in LDAP Groups

How to Check Users in LDAP Groups

347939
Created On 09/25/18 19:20 PM - Last Modified 10/21/21 18:41 PM


Environment


  • PAN-OS
  • User-id configured with LDAP Groups


Resolution


Overview

Palo Alto Networks devices can optionally utilize users and groups to create security policies. Checking users in LDAP groups lets administrators create access permissions based on group membership.

 

Details

Device administrators use LDAP groups to provide access based on users, not IP addresses. The User-ID agent (software or hardware) is responsible for getting the IP-user-mappings and the Palo Alto Networks firewall. Based on the LDAP profile, the User-ID agent reads groups from the LDAP server. These mappings are stored in the firewall's IP-user-mappings table, the groups and members of the groups are stored in the group-mappings list.

 

Steps

Find the groups that the Palo Alto Networks firewall is reading from using an LDAP profile by performing the steps below.

  1. The lists for every group can be read using the following CLI command :
    > show user group list

    cn=sales,cn=users,dc=al,dc=com
    cn=it_development,cn=users,dc=al,dc=com
    cn=groùpé,cn=users,dc=al,dc=com
    cn=domain admins,cn=users,dc=il,dc=al,dc=com
    cn=domain guests,cn=users,dc=al,dc=com
    cn=it,cn=users,dc=al,dc=comcn=marketing,cn=users,dc=al,dc=com
    cn=it_operations,cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,ou=groups,dc=al,dc=openldap,dc=com
    cn=it_operations,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=il,dc=al,dc=com
    cn=hr,cn=users,dc=al,dc=com
    cn=it,ou=groups,dc=al,dc=openldap,dc=com
    cn=vpn_users,cn=users,dc=al,dc=com
    cn=domain users,cn=users,dc=al,dc=com
     
  2. To use the needed group in the previous step:
    > show user group name "cn=it_operations,cn=users,dc=al,dc=com"

    source type: service
    source:      AD_Group_Mapping_al.com
    [1     ] al\alex
    [2     ] al\biljanap
    [3     ] al\damem
    [4     ] al\ilija
    [5     ] al\ilijaal
    [6     ] al\ristok
    [7     ] al\jovan

    The command will not list disabled AD users.
    The example below shows the "alex" domain user on AD has been disabled:
    Screen Shot 2014-04-18 at 12.19.48 AM.png

 

 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language