Retrieving AD groups fails - nested-group-level exceeds limit

Created On 09/25/18 19:44 PM - Last Modified 06/08/23 03:11 AM



This article discusses retrieval of groups from the Active Directory failing if the nested group level exceeds the limit.


The following warning in useridd.log indicates that the nested-group-level limit has been exceeded:

2017-07-14 00:06:07.109 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'



The default nested-group-level setting is 10. It can be raised to 20 by configuration with the command below:


# set group-mapping <group-mapping name> nested-group-level 20

 For example:

# set group-mapping "Test" nested-group-level 20


If the workaround of raising nested-group-level to 20 is used, it is recommended to review the Active Directory group structure to ensure that the nesting depth does not exceed the new limit of 20, since exceeding it would again cause problems pulling the groups.
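To help with that review, here is an added example script (not part of this article and not Palo Alto Networks code). It does two things: it extracts the "nested group level (N) exceeds the limit (M)" warnings from useridd.log text so you can see the deepest level the firewall actually hit, and it walks a group hierarchy to compute the maximum nesting depth before you raise the limit. The hierarchy format (a dict of group DN to member-group DNs), the short DNs, the second log line and the convention of counting the top-level group as level 1 are all constructed assumptions for the example; the first log line is the one quoted in the article.

```python
import re

# Pattern for the useridd.log warning quoted in the article.
WARN_RE = re.compile(
    r"nested group level \((?P<level>\d+)\) exceeds the limit \((?P<limit>\d+)\) "
    r"for group '(?P<group>[^']+)'"
)

# Sample log text: the first line is the article's warning, the rest are constructed.
SAMPLE_LOG = """\
2017-07-14 00:06:07.109 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (11) exceeds the limit (10) for group 'cn=testdev,ou=groups,ou=dept,dc=d2-dept,dc=com'
2017-07-14 00:06:07.115 -0400 Warning: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3491): nested group level (14) exceeds the limit (10) for group 'cn=contractors,ou=groups,ou=dept,dc=d2-dept,dc=com'
2017-07-14 00:06:08.001 -0400 Info: unrelated line that must be ignored
"""


def parse_nesting_warnings(log_text):
    """Return a list of (group_dn, level, limit) for every nested-group warning found."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            hits.append((m.group("group"), int(m.group("level")), int(m.group("limit"))))
    return hits


def deepest_reported_level(log_text):
    """Highest nesting level the firewall reported, or None if there were no warnings."""
    levels = [level for _, level, _ in parse_nesting_warnings(log_text)]
    return max(levels) if levels else None


# Constructed (hypothetical) AD group hierarchy: group DN -> member group DNs.
# Short DNs are used for readability; real entries would be full distinguished names.
SAMPLE_HIERARCHY = {
    "cn=all-staff": ["cn=engineering", "cn=sales"],
    "cn=engineering": ["cn=dev", "cn=qa"],
    "cn=dev": ["cn=testdev"],
    "cn=testdev": [],
    "cn=qa": ["cn=engineering"],  # deliberate membership cycle
    "cn=sales": [],
}


def max_nesting_depth(hierarchy, root):
    """Depth of the deepest group reachable from root, counting root itself as level 1.

    Groups already on the current path are skipped, so membership cycles
    (which do occur in real directories) cannot cause infinite recursion.
    """
    def walk(group, path):
        path = path | {group}
        children = [c for c in hierarchy.get(group, []) if c not in path]
        if not children:
            return 1
        return 1 + max(walk(c, path) for c in children)
    return walk(root, frozenset())


def fits_within_limit(hierarchy, root, limit):
    """True if every nesting path under root stays within the nested-group-level limit."""
    return max_nesting_depth(hierarchy, root) <= limit


if __name__ == "__main__":
    for group, level, limit in parse_nesting_warnings(SAMPLE_LOG):
        print(f"{group}: level {level} > limit {limit}")
    print("deepest reported level:", deepest_reported_level(SAMPLE_LOG))
    for limit in (10, 20):
        print(f"all-staff fits within {limit}:", fits_within_limit(SAMPLE_HIERARCHY, "cn=all-staff", limit))
```

In practice you would export the real group-to-member-group relationships from the directory into the dict format shown and run the depth check against the groups referenced in the group-mapping profile; if any path is deeper than 20, the directory structure needs to be flattened rather than the limit raised.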


Note: Since this is a configure command, no commit is needed. 


