LDAP group mapping fails to retrieve some groups when using group-include-lists
55876
Created On 12/16/20 22:24 PM - Last Modified 02/14/25 12:51 PM
Symptom
LDAP group mapping is configured with a Group Include List
(GUI: Device > User Identification > Group Mapping Settings > [group-mapping-configuration] > Group Include List > Included Groups)
"show user group-mapping state <name>" displays only a few of the configured groups.
FW(active)> show user group-mapping state <name>
Example:
FW(active)> show user group-mapping state Group-Mapping-Configuration
Group Mapping((null), type: active-directory): Group-Mapping-Configuration
Bind DN : svc_panldap@company.com
Base : DC=company,DC=com
Group Filter: (None)
User Filter: (None)
Servers : configured 1 server
10.0.0.1(389)
Last Action Time: 147 secs ago(took 3 secs)
Next Action Time: In 3453 secs
Number of Groups: 1
cn=domain users,ou=group,dc=company,dc=com <-- Only 1 group is retrieved when there are many
The system log shows that the firewall is connecting to the LDAP server successfully:
FW(active)> show log system direction equal backward subtype equal "userid"
Time Severity Subtype Object EventID ID Description
===============================================================================
xxxx info userid connect 0 ldap cfg Group-Mapping-Configuration connected to server 10.0.0.1:389, initiated by: 10.0.0.2
Useridd.log shows the error "failed to get group obj":
FW(active)> less mp-log useridd.log
xxxx ldap cfg Group-Mapping-Configuration connected to 10.0.0.1:389(index 2)
xxxx Warning: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3462): failed to get group obj for 'cn=users,cn=group,dc=company,dc=com'
Environment
- Palo Alto Firewall managed by Panorama.
- Any PAN-OS
- LDAP group-mapping configured with group-include-list
- The group include list may have been configured and pushed from Panorama
Cause
- The group include list may have been configured with an incorrect character or AD forest container, such as accidentally swapping "CN" for "OU" in the AD path.
- Inspect the group-include-list to verify the syntax of what is currently configured:
FW(active)> show config merged | match group-include-list
group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" "cn=users,cn=group,dc=company,dc=com"];
- From the web UI, browse the LDAP tree under "Available Groups" and validate the actual group names returned from the LDAP server:
- In the above we see that the "Included Group" was configured as "cn=users,cn=group,dc=company,dc=com", but the group returned from the LDAP server is "cn=users,ou=group,dc=company,dc=com".
- This misconfiguration is more likely to occur if the administrator configures the group-include-list on Panorama, where it is not possible to use the LDAP tree browser to find Available Groups, and instead the list must be configured by hand.
Resolution
Correct the configuration in the group-include-list to reference the group with proper syntax and naming conventions.
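The following is an added example, not Palo Alto Networks code: a Python check that compares the DNs in the group-include-list line against the group DNs the directory actually returns, and flags entries where only the attribute type differs (the CN/OU swap described under Cause). The function names are hypothetical, DIRECTORY_DNS is a constructed sample standing in for a directory export, and DN values are assumed to contain no escaped commas.

```python
import re

def parse_include_list(config_line):
    """Extract the quoted DNs from a 'group-include-list [ ... ];' config line."""
    m = re.search(r'group-include-list\s*\[(.*?)\]', config_line)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def split_dn(dn):
    """Split a DN into normalized (attribute, value) pairs.
    Simplification: assumes no escaped commas inside RDN values."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def check_include_list(configured, directory_dns):
    """Return {configured_dn: (status, suggestion)}.
    status is 'ok', 'attr-mismatch' (same values, different CN/OU/DC types)
    or 'not-found'."""
    exact = {tuple(split_dn(d)) for d in directory_dns}
    by_values = {}
    for d in directory_dns:
        by_values.setdefault(tuple(v for _, v in split_dn(d)), []).append(d)
    report = {}
    for dn in configured:
        parts = split_dn(dn)
        if tuple(parts) in exact:
            report[dn] = ("ok", None)
            continue
        near = by_values.get(tuple(v for _, v in parts))
        report[dn] = ("attr-mismatch", near[0]) if near else ("not-found", None)
    return report

# Config line as shown in this article.
CONFIG_LINE = ('group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" '
               '"cn=users,cn=group,dc=company,dc=com"];')
# Constructed sample: group DNs as the LDAP server returns them.
DIRECTORY_DNS = ["CN=Domain Users,OU=group,DC=company,DC=com",
                 "CN=users,OU=group,DC=company,DC=com"]

if __name__ == "__main__":
    result = check_include_list(parse_include_list(CONFIG_LINE), DIRECTORY_DNS)
    for dn, (status, hint) in result.items():
        print(f"{status:14} {dn}" + (f"  -> directory has: {hint}" if hint else ""))
```

Running the same comparison on a hand-typed list before it is pushed from Panorama catches the mismatch without needing the LDAP tree browser.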