User-ID Group Mappings Not Working When Located in an OU with Comma or Ampersand

Created On 09/26/18 13:55 PM - Last Modified 06/08/23 07:01 AM


Issue

Some of your group mappings do not work on the Palo Alto Networks firewall. The mappings are in the include list, but they either show no members when you run the show user group name <group name> command or do not appear in the output of the show user group list command. These groups will not function when used in any security policies.

When you browse to the group while setting up the include list, the group does not show up.

Or, when you filter on the group name, the group name is blank and the OU hierarchy is out of order.

Resolution

Rename the OU to remove any comma or ampersand characters. These characters are used as separators within the LDAP binding string and will cause problems.
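
To find which groups sit under such an OU before renaming anything, the following added example (not part of the original article and not Palo Alto Networks code) scans a list of group distinguished names and reports OU components containing a comma or ampersand. It assumes the DNs are exported from the directory as RFC 4514 strings; the sample DNs and all function names are constructed for illustration.

```python
import re

FLAGGED = {",", "&"}  # characters the article says break group mapping
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)", re.DOTALL)

# Constructed sample DNs (not from the article).
SAMPLE_DNS = [
    r"CN=vpn-users,OU=Groups,DC=example,DC=com",
    r"CN=fin-admins,OU=Finance\, Legal,OU=Groups,DC=example,DC=com",
    r"CN=rd-staff,OU=R&D,DC=example,DC=com",
    r"CN=ops,OU=Sales\2C EMEA,DC=example,DC=com",
]

def split_unescaped(text, sep):
    """Split on sep, treating backslash + next char as one literal unit."""
    parts, buf, i = [], [], 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1
        if step == 1 and text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i:i + step])  # escapes kept, decoded later
        i += step
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Decode RFC 4514 escapes (hex pairs byte-wise, enough for ',' and '&')."""
    return _ESCAPE.sub(
        lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def flagged_ous(dn):
    """Return the decoded OU values in dn that contain ',' or '&'."""
    hits = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            attr, _, raw = ava.partition("=")
            value = unescape(raw.strip())
            if attr.strip().upper() == "OU" and FLAGGED & set(value):
                hits.append(value)
    return hits

def audit(dns):  # affected DN -> list of offending OU names
    return {dn: hits for dn in dns if (hits := flagged_ous(dn))}

if __name__ == "__main__":
    for dn, ous in audit(SAMPLE_DNS).items():
        print(f"{dn}\n    rename OU(s): {ous}")
```

Only OU components are checked, matching the scope of the article; a comma or ampersand in the group's own CN is not reported.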

owner: jteetsel


