Symptom
When using OU (organizational unit) as the LDAP Server profile Base (for example: ou=APAC,dc=sub,dc=example,dc=com), only the groups are known by the Palo Alto Networks firewall. The usernames are not retrieved.
The following is an example LDAP server profile configuration:
Cause
The issue can occur if the OU is used in the LDAP Server Profile Base settings is not at the point of the LDAP tree, where both groups and usernames are searchable.
Resolution
For the LDAP Server Profile Base settings, we recommend using the DC component of the domain (for example: dc=sub,dc=example,dc=com), so that the
entries within its tree are searchable.
The following is a sample LDAP tree:
com(dc)
|---example(dc)
|---sub(dc)
|---Users(ou)
|---APAC(ou)
| |---Singapore(cn)
|---EMEA(ou)
| |---Brussels(cn)
|---NAM(ou)
| |---Santa-Clara(cn)
If all users are defined under the Users above, the LDAP Server Profile Base setting of "ou=Users,dc=sub,dc=example,dc=com" can search and retrieve both groups and users.
The LDAP Server Profile Base Setting on the WebGUI is under Device > Server Profiles > LDAP > LDAP Server Profile > Base. If the Base is set to "ou=APAC,dc=sub,dc=example,dc=com", only the group under APAC is visible on the firewall. The users are not visible because they are defined under the OU "Users," and are not searchable by the Base setting.
Workaround
A workaround is to have the usernames defined under the OU of the Base.
Note: OU with spaces works. However, it is highly recommended to avoid LDAP items with spaces. Instead of using "Santa Clara" use "Santa-Clara" or "Santa_Clara" for uniformity.
The CLI command to list available groups:
> show user group-mapping state <group mapping name>
The CLI command to show usernames within a group:
> show user group name <domain\group>
owner: jlunario