LDAP group mapping fails to retrieve some groups when using group-include-lists
Created On 12/16/20 22:24 PM - Last Modified 01/12/21 03:42 AM
LDAP Group mapping configured with include List
(GUI: Device > User Identification > Group Mapping Settings > [group-mapping-configuration] > Group Include List > Included Groups)
"show user group mapping state <name>" displays only a few configured groups.
FW(active)> show user group-mapping state <name> Example: FW(active)> show user group-mapping state Group-Mapping-Configuration Group Mapping((null), type: active-directory): Group-Mapping-Configuration Bind DN : firstname.lastname@example.org Base : DC=company,DC=com Group Filter: (None) User Filter: (None) Servers : configured 1 server 10.0.0.1(389) Last Action Time: 147 secs ago(took 3 secs) Next Action Time: In 3453 secs Number of Groups: 1 cn=domain users,ou=group,dc=company,dc=com <-- Only 1 group is retrieved when there are many
The system log shows that the firewall is connecting to the LDAP server successfully:
FW(active)> show log system direction equal backward subtype equal "userid" Time Severity Subtype Object EventID ID Description =============================================================================== xxxx info userid connect 0 ldap cfg Group-Mapping-Configuration connected to server 10.0.0.1:389, initiated by: 10.0.0.2
Useridd.log shows the error "failed to get group obj":
FW(active)> less mp-log useridd.log xxxx ldap cfg Group-Mapping-Configuration connected to 10.0.0.1:389(index 2) xxxx Warning: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3462): failed to get group obj for 'cn=users,cn=group,dc=company,dc=com'
- Palo Alto Firewall managed by Panorama.
- Any PAN-OS
- LDAP group-mapping configured with group-include-list
- The group include list may have been configured and pushed from Panorama
- The group include list may have been configured with an incorrect character or AD forest container such as accidentally swapping "CN" for "OU" in the AD path
- Inspect the group-include-list to verify the syntax of what is currently configured:
FW(active)> show config merged | match group-include-list group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" "cn=users,cn=group,dc=company,dc=com"];
- From the WEB-UI browse the LDAP tree under "Available Groups" and validate the actual group names returned from the LDAP server:
- In the above we see that the "Included Group" was configured as "cn=users,cn=group,dc=company,dc=com", but the group returned from the LDAP server is "cn=users,ou=group,dc=company,dc=com"
- This misconfiguration is more likely to occur if the administrator configures the group-include-list on Panorama, where it is not possible to use the LDAP tree browser to find Available Groups, and instead the list must be configured by hand.
Correct the configuration in the group-include-list to reference the group with proper syntax and naming conventions