How to Use Group Filters When Configuring LDAP
Symptom
In large LDAP deployments it is useful to apply search filters so that only specific LDAP users or groups are returned.
The 'Search Filter' fields for the Group Object and User Object in the Group Mapping configuration control which groups/users are retrieved and tracked.
Environment
- User-ID
- LDAP
- Group Mapping
- User Mapping
Resolution
Search examples
- All groups that have a specific description: description=Marketing
- A specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
- Specific Common Name: CN=SSLVPN
Same Common Name
More than one group can have the same Common Name while sitting in a different part of the LDAP tree.
The following groups have the same Common Name but different distinguished names:
- distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
- distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org
Apply Multiple Filters
It is also possible to search on more than one attribute at a time. A pipe "|" acts as an "or" operator and an ampersand "&" acts as an "and" operator.
The following OR searches return the same results:
- |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
- |(CN=SSLVPN)(CN=PanAdmins)
Either search returns both the SSLVPN and PanAdmins groups, so the members of both groups are tracked.
Wildcards
Wildcards can also be used: |(CN=SSLVP*)(CN=*anAdmins)
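The filter forms shown above (a single attribute, a full distinguishedName, a bare CN, a "|" OR and "*" wildcards) can be tried offline against a small constructed directory before they are typed into the Group Mapping 'Search Filter' field. The evaluator below is an added example, not PAN-OS code or anything the firewall exposes: it accepts the article's unparenthesized form as well as the fully parenthesized RFC 4515 form and, going slightly beyond the article, also handles "&" and "!". The directory entries are constructed to include the two SSLVPN groups from the "Same Common Name" section, which is why a filter on CN=SSLVPN returns two groups while the equivalent distinguishedName filter returns one.

```python
import re

# Minimal LDAP search filter evaluator (RFC 4515 subset: attr=value, '*'
# wildcards, and the &, | and ! operators). Added example, not PAN-OS code.
# Assumption: values contain no escaped characters (\28, \29, \2a, ...).

def _value_regex(pattern):
    """Turn an LDAP value with '*' wildcards into an anchored, case-insensitive
    regex; everything other than '*' is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def parse_filter(text):
    """Parse a filter string into a tree of ('=', attr, regex) leaves and
    ('&' | '|' | '!', [children]) nodes. The article writes filters without
    the outermost parentheses (e.g. |(CN=a)(CN=b)); they are added if missing."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing text after filter: %r" % text[pos:])
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced parentheses at offset %d" % pos)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), pos + 1
    # Simple item: attr=value up to the closing ')'. Splitting on the FIRST '='
    # keeps DN values such as CN=SSLVPN,CN=Users,DC=example,DC=org intact.
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("missing ')' in filter")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("expected attr=value, got %r" % text[pos:end])
    return ("=", attr.strip().lower(), _value_regex(value.strip())), end + 1

def is_valid_filter(text):
    """True if the filter parses; use as a pre-commit sanity check."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attribute
    name -> list of values); LDAP attribute names are case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, regex = node
    return any(regex.match(v) for v in entry.get(attr, []))

def search(directory, filter_text):
    """Return the sorted DNs of the directory entries that match the filter."""
    node = parse_filter(filter_text)
    return sorted(e["distinguishedname"][0] for e in directory if matches(node, e))

def group(dn, description):
    """Build a constructed group entry; cn is taken from the first RDN of the DN."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    return {"distinguishedname": [dn], "cn": [cn],
            "objectclass": ["top", "group"], "description": [description]}

# Constructed directory (not real data): the two SSLVPN groups from the
# "Same Common Name" section, PanAdmins, and one more group under CN=marketing.
DIRECTORY = [
    group("CN=SSLVPN,CN=Users,DC=example,DC=org", "Remote access users"),
    group("CN=SSLVPN,CN=marketing,DC=example,DC=org", "Marketing"),
    group("CN=PanAdmins,CN=Users,DC=example,DC=org", "Firewall administrators"),
    group("CN=Campaigns,CN=marketing,DC=example,DC=org", "Marketing"),
]

if __name__ == "__main__":
    for f in ("description=Marketing",
              "distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org",
              "CN=SSLVPN",
              "|(CN=SSLVPN)(CN=PanAdmins)",
              "|(CN=SSLVP*)(CN=*anAdmins)",
              "(&(objectClass=group)(!(distinguishedName=*,CN=Users,*)))"):
        print(f)
        for dn in search(DIRECTORY, f):
            print("   ", dn)
```

Running the script shows that the two OR forms from the article return the same groups only while each CN is unique: with the duplicate SSLVPN CN present, the CN-based OR returns three groups and the distinguishedName-based OR returns two. When a CN is reused in different containers, filter on distinguishedName (or add a negated distinguishedName term, as in the last example) rather than on CN alone.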
Additional Information
- Filters cannot use OUs (organizational units).
- User groups can still be added to the 'Group Include List', but if a group does not match the filter, a warning like the following example appears in useridd.log:
- Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for '{LDAPGroup}'
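Because the include list is not validated against the filter at commit time, the warning above is the only signal that a listed group is silently not being tracked. The script below is an added example, not part of the article or of PAN-OS: it scans constructed useridd.log lines for the warning text quoted above and reports which entries of a 'Group Include List' the filter excluded. The log lines, timestamps and group names are constructed placeholders modelled on the article's warning; the regex matches only the message text, on the assumption that the source file and line number in the prefix may differ between releases.

```python
import re

# Constructed useridd.log excerpt (not real firewall output). The warning text is
# the one quoted in the article; timestamps, group DNs and the debug line are
# placeholders added for this example.
SAMPLE_LOG = """\
2024-01-01 10:00:01 debug: ldap_ctrl: group mapping refresh started
2024-01-01 10:00:02 Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for 'CN=SSLVPN,CN=marketing,DC=example,DC=org'
2024-01-01 10:00:02 Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for 'CN=Finance,CN=Users,DC=example,DC=org'
2024-01-01 10:00:03 Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for 'CN=SSLVPN,CN=marketing,DC=example,DC=org'
""".splitlines()

# Match the message text only; the "file.c:line" prefix is not relied on
# (assumption: it can change between PAN-OS releases).
WARNING_RE = re.compile(r"failed to get group obj for '(?P<group>[^']+)'")

def groups_not_found(log_lines):
    """Distinct group DNs the daemon failed to retrieve, in first-seen order."""
    seen = []
    for line in log_lines:
        m = WARNING_RE.search(line)
        if m and m.group("group") not in seen:
            seen.append(m.group("group"))
    return seen

def audit_include_list(log_lines, include_list):
    """Split the Group Include List into groups the filter retrieved and groups
    it excluded (those that produced the warning). DNs are compared
    case-insensitively, as LDAP DN matching is."""
    missing = {dn.lower() for dn in groups_not_found(log_lines)}
    excluded = [dn for dn in include_list if dn.lower() in missing]
    retrieved = [dn for dn in include_list if dn.lower() not in missing]
    return {"excluded_by_filter": excluded, "retrieved": retrieved}

# Constructed include list for the example.
INCLUDE_LIST = [
    "CN=SSLVPN,CN=Users,DC=example,DC=org",
    "CN=SSLVPN,CN=marketing,DC=example,DC=org",
    "CN=PanAdmins,CN=Users,DC=example,DC=org",
    "CN=Finance,CN=Users,DC=example,DC=org",
]

if __name__ == "__main__":
    report = audit_include_list(SAMPLE_LOG, INCLUDE_LIST)
    for dn in report["excluded_by_filter"]:
        print("excluded by group filter (widen the filter or remove from include list):", dn)
    for dn in report["retrieved"]:
        print("retrieved:", dn)
```

In practice feed the script the output of the useridd.log export for the refresh interval in question; any group listed under "excluded by group filter" has members who are not being mapped, so either the 'Search Filter' must be widened to match it or the group should be removed from the include list.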