How to Pull Group Using an LDAP Proxy

15802
Created On 09/25/18 17:46 PM - Last Modified 02/07/19 23:56 PM


Resolution

Overview

When User-ID is implemented in agent or agentless mode, the Palo Alto Networks firewall normally retrieves group mapping information itself, using the connection details in the LDAP Server Profile configured under the Server Profile tab. This direct firewall-to-LDAP connection can be avoided by enabling LDAP Proxy in the User-ID agent, so that the agent performs the group queries on the firewall's behalf.

Details

Shown below are the working scenarios.

Without Using LDAP Proxy:

  1. Here the firewall queries Active Directory (AD) directly for group mapping information; only the user-to-IP mapping information is delivered through the agent.
  2. Configure an LDAP Server profile and a group mapping profile.

Sample.JPG

Using LDAP Proxy:

  1. Here, with LDAP proxy enabled, both the group mapping information and the user-to-IP mapping information are delivered through the agent.
  2. An LDAP Server profile and a group mapping profile must still be configured.

With LDAP Profile.jpg

Implementation

This can be implemented using the LDAP Proxy. Shown below are the steps in which it can be configured:

  1. Go to Device > User Identification > User-ID Agents
    1.JPG
  2. Click on Add to create an Agent Configuration and enable the feature "Use As LDAP proxy":
    2.JPG

Now the group mapping information is pulled by the firewall through the agent rather than by probing AD directly, so all communication between the firewall and AD passes through the agent.
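One practical way to confirm which of the two scenarios above is actually in effect is to look at who opens LDAP sessions to the domain controllers: without LDAP proxy the firewall's own management address appears as an LDAP client of the DC, with LDAP proxy only the agent host should. The script below is an added example, not part of the article or a Palo Alto Networks tool; it runs over constructed connection records, and the addresses (10.0.0.1 for the firewall, 10.0.0.50 for the agent host, 10.0.0.10 for the DC) and the `src=...,dst=...,dport=...` record format are assumptions.

```python
"""Identify LDAP clients of the domain controllers from connection records.

Added example with constructed data; the record format and addresses are
assumptions, not values taken from the article.
"""
from collections import defaultdict

# LDAP, LDAPS, Global Catalog, and Global Catalog over TLS
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed sample records. Assumed addressing (hypothetical):
#   10.0.0.1  = firewall management interface
#   10.0.0.50 = User-ID agent host
#   10.0.0.10 = domain controller
# Scenario without LDAP proxy: the firewall itself talks LDAP to the DC.
SAMPLE_LOG_NO_PROXY = """\
src=10.0.0.1,dst=10.0.0.10,dport=389
src=10.0.0.50,dst=10.0.0.10,dport=389
src=10.0.0.50,dst=10.0.0.10,dport=3268
src=10.0.0.1,dst=10.0.0.50,dport=5007
src=10.0.0.77,dst=10.0.0.10,dport=445
"""

# Scenario with LDAP proxy: only the agent host talks LDAP to the DC,
# and the firewall talks only to the agent (5007 is the agent's default port).
SAMPLE_LOG_PROXY = """\
src=10.0.0.50,dst=10.0.0.10,dport=389
src=10.0.0.50,dst=10.0.0.10,dport=3268
src=10.0.0.1,dst=10.0.0.50,dport=5007
src=10.0.0.77,dst=10.0.0.10,dport=445
"""


def parse_record(line):
    """Parse one 'key=value,key=value' record into (src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(","))
    return fields["src"], fields["dst"], int(fields["dport"])


def ldap_clients(log_text, domain_controllers):
    """Return {dc_ip: set(client_ips)} for sessions to LDAP ports on the DCs."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_record(line)
        if dst in domain_controllers and dport in LDAP_PORTS:
            clients[dst].add(src)
    return dict(clients)


def firewall_queries_ad_directly(log_text, firewall_ip, domain_controllers):
    """True when the firewall itself is an LDAP client of some DC, which is
    what the 'without LDAP proxy' scenario looks like on the wire."""
    clients = ldap_clients(log_text, domain_controllers)
    return any(firewall_ip in srcs for srcs in clients.values())


if __name__ == "__main__":
    dcs = {"10.0.0.10"}
    for name, log in (("no proxy", SAMPLE_LOG_NO_PROXY), ("proxy", SAMPLE_LOG_PROXY)):
        print(name, ldap_clients(log, dcs),
              "firewall direct:", firewall_queries_ad_directly(log, "10.0.0.1", dcs))
```

Run against real records, the same check tells you whether the change took effect: after enabling "Use As LDAP proxy", the firewall address should disappear from the DC's LDAP client list and only the agent host (plus any unrelated LDAP clients you already expect) should remain.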

owner: sbabu



https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClJU