As of PAN-OS 5.0.x, the User-ID module can read only LDAP groups, not attributes, but some scenarios require the firewall to act on an LDAP attribute. With OpenLDAP, there is an interesting workaround: use dynamic groups built from these attributes. This tech note discusses the use case and shows how to configure both the OpenLDAP server and the Palo Alto Networks firewall to integrate the two.