How To use Group Filters when Configuring LDAP

Created On 09/25/18 20:34 PM - Last Updated 08/05/19 20:36 PM


Resolution

Overview

On the Device tab, in the User Identification page, when configuring the LDAP server, there is a Group Filter field. This field can be used to search for and return group membership matching specific attributes, which is especially useful in very large LDAP deployments. The Group Filter field is limited to 1024 characters.

Here are some search examples:

  • All groups that have a specific description: description=Marketing
  • A specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • A specific common name: CN=SSLVPN

Note: More than one group can have the same common name but be in a different area of the LDAP structure.

For example, the following groups have different distinguished names but the same common name:

  • distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
  • distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org

It is also possible to search for more than one attribute at a time: a pipe "|" acts as an "or" operator and an ampersand "&" acts as an "and" operator.

The following OR searches return the same results:

  • |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
  • |(CN=SSLVPN)(CN=PanAdmins)

These searches return the members of both the SSLVPN and PanAdmins groups.

Wildcards can also be used: |(CN=SSLVP*)(CN=*anAdmins)

Note: You cannot filter by OUs.
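The following is an added example, not part of this article or of PAN-OS: a small Python evaluator for the filter syntax shown above (attr=value, "&", "|", "*" wildcards and the 1024-character limit), run against a constructed set of group entries. It also shows the caveat from the note above: a CN-only filter matches every group with that common name, wherever it sits in the tree, while a distinguishedName filter matches exactly one.

```python
import re

MAX_FILTER_LEN = 1024  # Group Filter field limit stated in the article

# Constructed sample directory: two groups share the CN "SSLVPN" in
# different containers, plus a PanAdmins group.
GROUPS = [
    {"distinguishedName": "CN=SSLVPN,CN=Users,DC=example,DC=org",
     "cn": "SSLVPN", "description": "VPN users"},
    {"distinguishedName": "CN=SSLVPN,CN=marketing,DC=example,DC=org",
     "cn": "SSLVPN", "description": "Marketing"},
    {"distinguishedName": "CN=PanAdmins,CN=Users,DC=example,DC=org",
     "cn": "PanAdmins", "description": "Firewall admins"},
]

def parse(s, i=0):
    """Recursive-descent parser for the subset used in the article:
    attr=value, parenthesised sub-filters, and prefix operators & and |."""
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] == "(":
        node, i = parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parenthesis at %d" % i)
        return node, i + 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError("operator %s needs at least one operand" % op)
        return (op, kids), i
    m = re.match(r"([A-Za-z][\w-]*)=([^()]*)", s[i:])
    if not m:
        raise ValueError("expected attr=value at %d" % i)
    return ("=", m.group(1), m.group(2)), i + m.end()

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names and
    values compare case-insensitively and '*' matches any run of characters."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    value = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return value is not None and re.fullmatch(rx, value, re.IGNORECASE) is not None

def search(filter_text, groups=GROUPS):
    """Return the DNs of groups matching a Group Filter string, rejecting
    filters over the length limit or with trailing junk before use."""
    if len(filter_text) > MAX_FILTER_LEN:
        raise ValueError("Group Filter exceeds %d characters" % MAX_FILTER_LEN)
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unexpected text after position %d" % end)
    return [g["distinguishedName"] for g in groups if matches(node, g)]
```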

owner: rnitz
