Retrieving AD groups fails - nested-group-level exceeds limit

Retrieving AD groups fails - nested-group-level exceeds limit

17178
Created On 09/25/18 19:44 PM - Last Modified 04/20/20 23:58 PM


Resolution

 

This article discusses retrieval of groups from the Active Directory failing if the nested group level exceeds the limit.

 

Following log could be seen in the useridd.log stating  that the nested-group-level limit has been exceeded : 

2017-07-14 00:06:07.109 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'

 

Workaround

The default setting for the nested groups is 10 which can be increased by configuration to 20, please see the command below:

 

>configure
# set group-mapping <group-mapping name> nested-group-level 20

 For example:

# set group-mapping "Test" nested-group-level 20

 

If the workaround of incrementing the nested-group-level to 20 is used, it is recommended that the configuration of Active directory is reviewed to ensure that the limit of 20 does not breach, which may cause further issue with pulling of the groups.

 

Note: Since this is a configure command, no commit is needed. 

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcVCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language