Cannot Pull Groups from Active Directory LDAP Server
Issue
When trying to pull users and groups into the firewall from an Active Directory LDAP server, users and groups do not appear.
When configuring group mapping (Device > User Identification > Group Mapping), the Server Profile drop-down under the Server Profile tab contains no values.
Cause
If the LDAP server profile was created only to authenticate firewall administrators, the "Administrator Use Only" option on that LDAP server profile (Device > LDAP Server Profile) may have been checked. A profile with this option set is reserved for administrator authentication: the firewall does not use it to pull users and groups, so it is not offered in the group mapping Server Profile drop-down. Admin authentication requests are still forwarded to the LDAP server, and authorization, i.e. whether that user is allowed admin privileges, is determined there.
Resolution
To pull only specific groups and rely on an authentication profile that allows only those filtered groups, uncheck the 'Administrator Use Only' option on the LDAP server profile. The firewall then pulls the relevant groups from the LDAP server, and once the option is unchecked the LDAP server profile appears in the Server Profile drop-down under group mapping. After committing, confirm from the CLI that the groups were actually retrieved with `show user group-mapping state all` and `show user group list`; `debug user-id refresh group-mapping all` forces an immediate refresh instead of waiting for the next scheduled update.
Likewise, the groups pulled from the server are then listed in the Group Include List tab of the group mapping.
You are no longer restricted to allowing "All" groups in the authentication profile, because the specific groups selected under group mapping are now pulled correctly. Those filtered groups can be used in the Authentication Profile's Allow List.
The administrator login then refers to this Authentication Profile; note that in this example the Authentication Profile selected on the Administrator's page is named LDAP.
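The following script is an added example, not Palo Alto Networks code or part of the original article. It audits an exported PAN-OS configuration for the misconfiguration described above: LDAP server profiles still marked "Administrator Use Only", group mappings that reference no usable LDAP profile, and authentication-profile Allow List groups that no group mapping actually pulls. The locations of server profiles, group mappings and authentication profiles follow the PAN-OS config XML layout; the element name `admin-use-only` for the "Administrator Use Only" checkbox is an assumption and should be confirmed against a profile exported from your own firewall. The embedded sample configuration is constructed for the demonstration.

```python
"""Audit a PAN-OS config export for LDAP profiles that cannot feed group mapping.

Added example, not Palo Alto Networks code. Assumption: the "Administrator
Use Only" checkbox is stored as <admin-use-only>yes</admin-use-only> inside
the LDAP server-profile entry; verify against a real export before relying
on that check.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one profile still Administrator Use Only, one fixed.
SAMPLE_CONFIG = """<config version="10.1.0">
  <shared>
    <server-profile>
      <ldap>
        <entry name="LDAP-admin-only">
          <ldap-type>active-directory</ldap-type>
          <base>DC=example,DC=local</base>
          <admin-use-only>yes</admin-use-only>
        </entry>
        <entry name="LDAP-groups">
          <ldap-type>active-directory</ldap-type>
          <base>DC=example,DC=local</base>
          <admin-use-only>no</admin-use-only>
        </entry>
      </ldap>
    </server-profile>
    <authentication-profile>
      <entry name="LDAP">
        <method><ldap><server-profile>LDAP-groups</server-profile></ldap></method>
        <allow-list>
          <member>CN=FW-Admins,OU=Groups,DC=example,DC=local</member>
        </allow-list>
      </entry>
    </authentication-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <group-mapping>
      <entry name="AD-groups">
        <server-profile>LDAP-groups</server-profile>
        <group-include-list>
          <member>cn=fw-admins,ou=groups,dc=example,dc=local</member>
          <member>cn=vpn-users,ou=groups,dc=example,dc=local</member>
        </group-include-list>
      </entry>
      <entry name="Broken-mapping">
        <server-profile>LDAP-admin-only</server-profile>
      </entry>
    </group-mapping>
  </entry></vsys></entry></devices>
</config>"""

LDAP_PROFILES = "./shared/server-profile/ldap/entry"
GROUP_MAPPINGS = "./devices/entry/vsys/entry/group-mapping/entry"
AUTH_PROFILES = "./shared/authentication-profile/entry"


def admin_only_profiles(root):
    """Names of LDAP server profiles with Administrator Use Only set (assumed element)."""
    return sorted(
        e.get("name")
        for e in root.iterfind(LDAP_PROFILES)
        if e.findtext("admin-use-only", "no").strip().lower() == "yes"
    )


def group_mapping_problems(root, admin_only):
    """Group mappings whose server profile cannot be used to pull groups."""
    ldap_names = {e.get("name") for e in root.iterfind(LDAP_PROFILES)}
    problems = {}
    for gm in root.iterfind(GROUP_MAPPINGS):
        prof = (gm.findtext("server-profile") or "").strip()
        if not prof:
            problems[gm.get("name")] = "no server profile selected"
        elif prof not in ldap_names:
            problems[gm.get("name")] = f"unknown LDAP profile {prof!r}"
        elif prof in admin_only:
            problems[gm.get("name")] = (
                f"profile {prof!r} is Administrator Use Only; groups are not pulled"
            )
    return problems


def allow_list_gaps(root, admin_only):
    """Allow List groups (per auth profile) that no working group mapping pulls."""
    included = set()
    for gm in root.iterfind(GROUP_MAPPINGS):
        if (gm.findtext("server-profile") or "").strip() in admin_only:
            continue  # this mapping pulls nothing, so it cannot satisfy anything
        inc = gm.find("group-include-list")
        if inc is None or not list(inc):
            return {}  # empty include list means every group under the base DN
        included.update(m.text.strip().lower() for m in inc if m.text)
    gaps = {}
    for ap in root.iterfind(AUTH_PROFILES):
        members = [m.text.strip() for m in ap.iterfind("allow-list/member") if m.text]
        missing = [m for m in members if m.lower() != "all" and m.lower() not in included]
        if missing:
            gaps[ap.get("name")] = missing
    return gaps


def audit(xml_text):
    """Run all three checks over a config XML string and return the findings."""
    root = ET.fromstring(xml_text)
    admin_only = admin_only_profiles(root)
    return {
        "admin_only_profiles": admin_only,
        "group_mapping_problems": group_mapping_problems(root, admin_only),
        "allow_list_gaps": allow_list_gaps(root, admin_only),
    }


if __name__ == "__main__":
    for check, finding in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {finding}")
```

Group DNs are compared case-insensitively because Active Directory returns them in whatever case the objects were created with, while the Allow List often carries a hand-typed DN. Run it against `show config running` output saved to a file, or against the XML the firewall exports, to confirm the profile you intend to use for group mapping is not still flagged.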
owner: sjamaluddin