How To use Group Filters when Configuring LDAP - Knowledge Base - Palo Alto Networks

Created On 09/25/18 20:34 PM - Last Modified 11/15/24 21:13 PM


Symptom


In large LDAP deployments, search filters can be used to return only specific LDAP users or groups.

The 'Search Filter' fields for the Group Object and User Object in the Group Mapping configuration control which groups/users are retrieved and tracked.



Environment


  • User-ID
  • LDAP
  • Group Mapping
  • User Mapping


Resolution


Search examples

  • All groups that have a specific description: description=Marketing
  • A specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • Specific Common Name: CN=SSLVPN

Same Common Name

More than one group can have the same common name but be in a different area of the LDAP structure.

The following groups, identified by distinguished name, have the same Common Name:

  • distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org


Apply Multiple Filters

It is also possible to search for more than one attribute at a time. A pipe "|" can be used as an "or" operator while an ampersand "&" can be used as an "and".

The following OR searches will return the same results.

  • |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
  • |(CN=SSLVPN)(CN=PanAdmins)

Both searches return the SSLVPN and PanAdmins groups, so the members of both groups are retrieved.


Wildcards

Wildcards (*) can also be used, for example: |(CN=SSLVP*)(CN=*anAdmins)
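As an added example (not from this article or from Palo Alto Networks), the following Python script evaluates filters written exactly as the article writes them (equality, "*" wildcards, "|" and "&") against a constructed export of the three groups above, so a filter can be checked before it is committed to the Group Mapping. It shows the "Same Common Name" point from above: CN=SSLVPN matches both same-named groups, while the distinguishedName form matches only one. The group data and the helper names (parse_filter, matching_groups) are hypothetical.

```python
import re

# Constructed sample directory export (not real data): the three group
# objects named in the article, as attribute dictionaries.
GROUPS = [
    {"distinguishedName": "CN=SSLVPN,CN=Users,DC=example,DC=org", "CN": "SSLVPN", "description": "Marketing"},
    {"distinguishedName": "CN=SSLVPN,CN=marketing,DC=example,DC=org", "CN": "SSLVPN", "description": "Marketing"},
    {"distinguishedName": "CN=PanAdmins,CN=Users,DC=example,DC=org", "CN": "PanAdmins", "description": "Admins"},
]

def _parse(s, i):
    """Parse one parenthesised filter item at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|":  # '&' = AND, '|' = OR over the items that follow
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unclosed {op!r} filter in {s!r}")
        return (op, kids), i + 1
    end = s.index(")", i)  # attribute=value item; raises ValueError if never closed
    attr, _, pattern = s[i:end].partition("=")  # split on the first '=' only: DN values contain '='
    return ("=", attr, pattern), end + 1

def parse_filter(text):
    """The article writes top-level filters without outer parentheses
    (|(CN=a)(CN=b)); add them so that form and (|(CN=a)(CN=b)) both parse."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"
    node, end = _parse(text, 0)
    if end != len(text):  # e.g. "(CN=a)(CN=b)" with the '|' forgotten
        raise ValueError(f"trailing text {text[end:]!r} in filter")
    return node

def _match(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(k, entry) for k in node[1])
    _, attr, pattern = node
    value = {k.lower(): v for k, v in entry.items()}.get(attr.lower())  # attribute names are case-insensitive
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))  # only '*' is a wildcard in LDAP filters
    return value is not None and re.fullmatch(regex, value, re.IGNORECASE) is not None

def matching_groups(filter_text, groups=GROUPS):  # DNs of the groups the filter would retrieve
    node = parse_filter(filter_text)
    return [g["distinguishedName"] for g in groups if _match(node, g)]
```

Run `matching_groups("CN=SSLVPN")` to see both SSLVPN groups returned, and the distinguishedName form of the same filter to see only the CN=Users one.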



Additional Information


  • Filters cannot use OUs
  • User groups can still be added to the 'Group Include List', but if a group does not match the filter, a warning like the following is written to useridd.log:
    • Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for '{LDAPGroup}'

