How to Pull Group Using an LDAP Proxy
When User-ID is implemented in agent or agentless mode, the Palo Alto Networks firewall normally pulls group mapping information directly from Active Directory, using the LDAP server profile configured under the Server Profile tab. This direct LDAP connection from the firewall can be avoided by enabling the LDAP proxy function of the User-ID agent.
The two working scenarios are shown below.
Without Using LDAP Proxy:
- Here the firewall queries Active Directory (AD) directly for group mapping information; only the user-to-IP mapping information comes through the agent.
- Configure an LDAP server profile and a group mapping profile.
Using LDAP Proxy:
- Here both the group mapping information and the user-to-IP mapping information are retrieved through the agent, which is enabled by the LDAP proxy setting.
- An LDAP server profile and a group mapping profile must still be configured.
The steps to configure the LDAP proxy are shown below:
- Go to Device > User Identification > User-ID Agents.
- Click Add to create an agent configuration and enable the "Use As LDAP proxy" option.
The firewall now pulls the group mapping information through the agent instead of querying AD directly, so all communication between the firewall and AD passes through the agent.
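One way to confirm that the change described above actually took effect is to look at who is opening LDAP connections to the domain controller: once the proxy is enabled, LDAP, LDAPS and Global Catalog sessions to AD should originate only from the User-ID agent host, and the firewall should only talk to the agent (by default on TCP 5007). The script below is an added example, not code from the article or from Palo Alto Networks. It parses a few constructed connection-log lines (the "src_ip src_port dst_ip dst_port proto" format, the addresses and the log content are all assumptions) and reports any LDAP flow that still comes straight from the firewall.

```python
# Added verification example (not part of the original article).
# After "Use As LDAP proxy" is enabled, LDAP queries to AD should come only
# from the User-ID agent host, never from the firewall itself.
from collections import defaultdict

# LDAP, LDAPS, Global Catalog and Global Catalog over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed addresses for illustration only.
FIREWALL_IP = "10.0.0.1"
AGENT_IP = "10.0.0.20"
AD_IP = "10.0.0.10"

# Constructed sample log: "src_ip src_port dst_ip dst_port proto" per line.
# Line 3 is the firewall talking to the agent on the default agent port 5007.
# Line 4 is a leftover direct firewall-to-AD LDAP query that should not exist
# once the proxy is in use.
SAMPLE_LOG = """\
10.0.0.20 51234 10.0.0.10 389 tcp
10.0.0.20 51235 10.0.0.10 636 tcp
10.0.0.1 40001 10.0.0.20 5007 tcp
10.0.0.1 40002 10.0.0.10 389 tcp
10.0.0.55 33000 10.0.0.10 445 tcp
"""


def parse_flows(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        src, sport, dst, dport, proto = parts
        flows.append({"src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def ldap_sources(flows, ad_ip):
    """Return {source_ip: count} of LDAP-family connections to the AD host."""
    counts = defaultdict(int)
    for f in flows:
        if f["dst"] == ad_ip and f["dport"] in LDAP_PORTS:
            counts[f["src"]] += 1
    return dict(counts)


def direct_firewall_ldap(flows, firewall_ip, ad_ip):
    """Flows showing the firewall still querying AD directly.

    With the LDAP proxy enabled this list should be empty.
    """
    return [f for f in flows
            if f["src"] == firewall_ip and f["dst"] == ad_ip
            and f["dport"] in LDAP_PORTS]


def check(text, firewall_ip=FIREWALL_IP, ad_ip=AD_IP):
    """Summarise LDAP sources and flag any direct firewall-to-AD LDAP flow."""
    flows = parse_flows(text)
    return {
        "ldap_sources": ldap_sources(flows, ad_ip),
        "direct_firewall_ldap": direct_firewall_ldap(flows, firewall_ip, ad_ip),
    }


if __name__ == "__main__":
    result = check(SAMPLE_LOG)
    print("LDAP connections to AD by source:", result["ldap_sources"])
    for f in result["direct_firewall_ldap"]:
        print("direct firewall LDAP query to AD:", f)
    if not result["direct_firewall_ldap"]:
        print("OK: no direct firewall-to-AD LDAP traffic seen")
```

Against the constructed sample the script reports two LDAP sessions from the agent and one stray session from the firewall, which is exactly the kind of leftover you would expect if the old LDAP server profile were still in use alongside the proxy. Point it at your own connection or flow logs (adjusting the parser to their format) after committing the change.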