Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
LDAP 使用组包括列表时,组映射无法检索某些组 - Knowledge Base - Palo Alto Networks

LDAP 使用组包括列表时,组映射无法检索某些组

56078
Created On 12/16/20 22:24 PM - Last Modified 03/26/21 18:50 PM


Symptom




LDAP 组映射配置包括列表
GUI (:设备>用户标识>组映射设置>[组映射-配置]>组包括列表>包含组)"
显示用户组映射状态 <name></name> "仅显示几个配置的组。
FW(active)> show user group-mapping state <name> 
Example:
FW(active)> show user group-mapping state Group-Mapping-Configuration

Group Mapping((null), type: active-directory): Group-Mapping-Configuration
        Bind DN    : svc_panldap@company.com
        Base       : DC=company,DC=com
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 server
                10.0.0.1(389)
                        Last Action Time: 147 secs ago(took 3 secs)
                        Next Action Time: In 3453 secs
        Number of Groups: 1
        cn=domain users,ou=group,dc=company,dc=com    <-- Only 1 group is retrieved when there are many


系统日志显示 firewall 正在 LDAP 成功连接到服务器:
FW(active)> show log system direction equal backward subtype equal "userid"
Time Severity Subtype Object EventID ID Description
===============================================================================
xxxx  info     userid   connect 0  ldap cfg Group-Mapping-Configuration connected to server 
                                   10.0.0.1:389, initiated by: 10.0.0.2


Useridd.log显示错误"无法获取组 obj":
FW(active)> less mp-log useridd.log
xxxx ldap cfg Group-Mapping-Configuration connected to 10.0.0.1:389(index 2)
xxxx Warning:  pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3462): failed to get group
               obj for 'cn=users,cn=group,dc=company,dc=com'


Environment


  • 帕洛阿尔托 Firewall 管理 Panorama 。
  • 一个尼 PAN-OS
  • LDAP 组映射配置与组包括列表
  • 组包括列表可能已配置并从 Panorama

Cause


  • 该组包括列表可能已配置为不正确的字符或 AD 森林容器,如意外地将 CN OU 路径中的""换"换成" AD
  • 检查组包含列表以验证当前配置的语法:
    FW(active)> show config merged | match group-include-list

group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" "cn=users,cn=group,dc=company,dc=com"];
  • 从 WEB-UI " LDAP 可用组"下浏览树并验证从服务器返回的实际组名 LDAP :
ldap 树在 webui
  • 在上面,我们看到"包括组"被配置为"cn=用户,cn=组,直流公司,直流",但从服务器返回的组 LDAP 是"cn=用户,ou=组,直流公司,直流"com
  • 如果管理员在无法 Panorama 使用树浏览器查找可用组时配置组包括列表,则此错误配置更有可能发生 LDAP ,而该列表必须手动配置。

Resolution


更正组包含列表中的配置,以引用具有正确语法和命名约定的组
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 239,690
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBzpCAG&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language