LDAP group mapping fails to retrieve some users who are members of the group
Created On 02/14/25 12:45 PM - Last Modified 12/24/25 20:51 PM
Symptom
- The AD security group "gpvpn" is configured with two members, "Test1" and "Test2":
- The firewall can only fetch the user "Test1":
admin@Lab128-14-PA-1410> show user group name cn=gpvpn,cn=users,dc=pantac-88-82,dc=local
short name: pantac-88-82\gpvpn
source type: ldap
source: GM-Test
[1 ] pantac-88-82\test1
Environment
- NGFW
- Supported PAN-OS versions
- Microsoft Active Directory
- LDAP Group Mapping with Group Include List
Cause
- The user "Test2" in AD doesn't have the permission "Read group membership" set to "Allow" for the "Authenticated Users" group. The firewall's LDAP bind account reads AD as a member of "Authenticated Users", so without this permission it cannot see Test2's group membership.
- This is found by enabling User-ID debug logs and refreshing the group mapping. The logs confirm the firewall is not able to find the member "Test2":
admin@Lab128-14-PA-1410> debug user-id on debug
debug level set to debug
admin@Lab128-14-PA-1410> debug user-id set ldap all
Debug level is debug
Features:
ldap : basic detail
admin@Lab128-14-PA-1410> debug user-id refresh group-mapping all
group mapping 'GM-Test' in vsys1 is marked for refresh.
admin@Lab128-14-PA-1410> tail follow yes mp-log useridd.log
...
2025-02-14 01:45:59.276 -0800 debug: pan_ldap_ctrl_group_add_obj(pan_ldap_ctrl.c:583): can't find member 'cn=test2,cn=users,dc=pantac-88-82,dc=local' for group 'gpvpn'
Resolution
- Open Active Directory Users and Computers
- Open the Test2 user Properties
- Select the "Security" tab
- Select "Authenticated Users"
- Check "Allow" for the permission "Read group membership"
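As an added example (not part of this article), the following PowerShell script checks a user object's ACL for the "Read group membership" permission that the Resolution steps set by hand in ADUC, and adds it when run with -Fix. It assumes the ActiveDirectory module on a domain-joined admin host, that "Read group membership" in ADUC corresponds to the "Membership" property set in the Extended-Rights container (looked up by cn rather than hard-coded), and uses the article's "Test2" account as the default sample.

```powershell
# Added example, not from the KB article: verify (and optionally grant) the
# "Read group membership" permission for Authenticated Users on a user object.
param(
    [string]$SamAccountName = "Test2",   # sample account from the article
    [switch]$Fix                         # add the missing ACE instead of only reporting
)
Import-Module ActiveDirectory

# Resolve the rightsGuid of the "Membership" property set (assumed to be what ADUC
# displays as "Read group membership") from the forest's Extended-Rights container.
$configNC = (Get-ADRootDSE).configurationNamingContext
$membershipRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(cn=Membership)" -Properties rightsGuid
$membershipGuid = [guid]$membershipRight.rightsGuid

# Authenticated Users has the well-known SID S-1-5-11; the firewall's bind account is a member.
$authUsers = [System.Security.Principal.SecurityIdentifier]"S-1-5-11"
$user = Get-ADUser -Identity $SamAccountName
$aclPath = "AD:\$($user.DistinguishedName)"
$acl = Get-Acl -Path $aclPath

# An ACE satisfies the check if it allows ReadProperty for Authenticated Users either on
# all properties (empty ObjectType) or specifically on the Membership property set.
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ok = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    (($_.ActiveDirectoryRights -band $readProperty) -ne 0) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $membershipGuid)
}

if ($ok) {
    Write-Output "OK: '$SamAccountName' grants Authenticated Users 'Read group membership'."
} elseif ($Fix) {
    # Same change the Resolution steps make in ADUC: Allow ReadProperty on the Membership set.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $authUsers, $readProperty,
                      [System.Security.AccessControl.AccessControlType]::Allow, $membershipGuid
    $acl.AddAccessRule($rule)
    Set-Acl -Path $aclPath -AclObject $acl
    Write-Output "FIXED: added 'Read group membership' for Authenticated Users on '$SamAccountName'."
} else {
    Write-Output "MISSING: '$SamAccountName' does not grant Authenticated Users 'Read group membership'. Re-run with -Fix."
}
```

After granting the permission, run `debug user-id refresh group-mapping all` on the firewall and confirm the member now appears in `show user group name`.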