This article discusses group retrieval from Active Directory failing when the nested group level exceeds the limit.
The following log entry appears in useridd.log, stating that the nested-group-level limit has been exceeded:
2017-07-14 00:06:07.109 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'
Workaround
The default nested-group-level setting is 10. It can be increased to 20 by configuration; see the command below:
>configure
# set group-mapping <group-mapping name> nested-group-level 20
For example:
# set group-mapping "Test" nested-group-level 20
If the workaround of increasing nested-group-level to 20 is used, it is recommended that the Active Directory configuration is reviewed to ensure that the limit of 20 is not breached, which may cause further issues with pulling the groups.
Note: Since this is a configure command, no commit is needed.
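To find which groups to review in Active Directory, the warning can be collected per group from useridd.log. The script below is an added example, not part of the original article or a Palo Alto Networks tool; its pattern is derived from the single log line shown above, and every sample line except the first is constructed.

```python
import re

# Pattern derived from the one warning line quoted in the article (assumption:
# other occurrences of this warning follow the same layout).
WARNING = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) Warning: "
    r"\w+\([^)]*\): nested group level \((?P<level>\d+)\) "
    r"exceeds the limit \((?P<limit>\d+)\) for group '(?P<dn>.*)'\s*$"
)

# First line is the article's; the rest are constructed for illustration.
SAMPLE = [
    "2017-07-14 00:06:07.109 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'",
    "2017-07-14 00:06:07.311 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'CN=Example,OU=Groups,OU=Dept,DC=d2-dept,DC=com'",
    "2017-07-14 00:06:08.000 -0400 some unrelated constructed log line",
    "2017-07-14 02:10:44.520 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (21) exceeds the limit (20) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'",
]

def summarize(lines):
    """Return {group DN: {hits, max_level, limit, last_seen}} for all warnings."""
    summary = {}
    for line in lines:
        m = WARNING.match(line.strip())
        if not m:
            continue  # not a nested-group-level warning
        dn = m["dn"].lower()  # DNs compare case-insensitively
        entry = summary.setdefault(dn, {"hits": 0, "max_level": 0})
        entry["hits"] += 1
        entry["max_level"] = max(entry["max_level"], int(m["level"]))
        # The log is chronological, so the last match holds the limit that
        # was in effect at the most recent warning for this group.
        entry["limit"] = int(m["limit"])
        entry["last_seen"] = m["ts"]
    return summary

def still_failing(summary, limit=20):
    """Groups whose most recent warning was logged under `limit` or higher,
    i.e. raising nested-group-level to `limit` did not resolve them."""
    return sorted(dn for dn, e in summary.items() if e["limit"] >= limit)

if __name__ == "__main__":
    result = summarize(SAMPLE)  # in practice: summarize(open("useridd.log"))
    for dn, e in result.items():
        print(f"{dn}: {e['hits']} warning(s), level {e['max_level']} "
              f"vs limit {e['limit']}, last seen {e['last_seen']}")
    print("Still over the limit of 20:", still_failing(result, 20))
```

Groups returned by still_failing() are the ones whose nesting in Active Directory needs to be flattened, since the limit cannot be raised beyond 20.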