LDAP group mapping fails to retrieve some groups when using group-include-lists

Created On 12/16/20 22:24 PM - Last Modified 01/12/21 03:42 AM


Symptom


LDAP group mapping is configured with a Group Include List
(GUI: Device > User Identification > Group Mapping Settings > [group-mapping-configuration] > Group Include List > Included Groups).
"show user group-mapping state <name>" displays only a few of the configured groups.
Example:
FW(active)> show user group-mapping state Group-Mapping-Configuration

Group Mapping((null), type: active-directory): Group-Mapping-Configuration
        Bind DN    : svc_panldap@company.com
        Base       : DC=company,DC=com
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 server
                10.0.0.1(389)
                        Last Action Time: 147 secs ago(took 3 secs)
                        Next Action Time: In 3453 secs
        Number of Groups: 1
        cn=domain users,ou=group,dc=company,dc=com    <-- Only 1 group is retrieved when there are many


The system log shows that the firewall is connecting to the LDAP server successfully:
FW(active)> show log system direction equal backward subtype equal "userid"
Time Severity Subtype Object EventID ID Description
===============================================================================
xxxx  info     userid   connect 0  ldap cfg Group-Mapping-Configuration connected to server 
                                   10.0.0.1:389, initiated by: 10.0.0.2


useridd.log shows the error "failed to get group obj":
FW(active)> less mp-log useridd.log
xxxx ldap cfg Group-Mapping-Configuration connected to 10.0.0.1:389(index 2)
xxxx Warning:  pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3462): failed to get group
               obj for 'cn=users,cn=group,dc=company,dc=com'


Environment
  • Palo Alto Networks firewall managed by Panorama
  • Any PAN-OS
  • LDAP group-mapping configured with group-include-list
  • The group include list may have been configured and pushed from Panorama


Cause
  • The group include list may have been configured with an incorrect character or AD container in the group's DN, for example "CN" accidentally typed in place of "OU"
  • Inspect the group-include-list to verify the syntax of what is currently configured:
    FW(active)> show config merged | match group-include-list
    
    group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" "cn=users,cn=group,dc=company,dc=com"];
    
  • From the web UI, browse the LDAP tree under "Available Groups" and validate the actual group names returned from the LDAP server:
    [Screenshot: LDAP tree browser in the web UI under "Available Groups"]
  • In the screenshot above, the "Included Group" was configured as "cn=users,cn=group,dc=company,dc=com", but the group returned from the LDAP server is "cn=users,ou=group,dc=company,dc=com"
  • This misconfiguration is more likely to occur if the administrator configures the group-include-list on Panorama, where it is not possible to use the LDAP tree browser to find Available Groups, and instead the list must be configured by hand.
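As an added example (not part of the article or of PAN-OS), the script below parses the `group-include-list [ ... ];` line from `show config merged` and compares each configured DN, attribute by attribute, against a constructed list of group DNs such as the "Available Groups" browser returns, flagging entries whose values match a real group but whose attribute type (cn= vs ou=) does not. DN normalization here is deliberately simple (case folding and whitespace only, no RDN escaping).

```python
"""Check a PAN-OS group-include-list against the group DNs the LDAP server really returns."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the config line from 'show config merged | match group-include-list'
CONFIG_LINE = ('group-include-list [ "cn=Domain Users,ou=group,DC=company,dc=com" '
               '"cn=users,cn=group,dc=company,dc=com"];')
# Constructed sample: group DNs as listed under "Available Groups" in the web UI
SERVER_GROUPS = [
    "cn=domain users,ou=group,dc=company,dc=com",
    "cn=users,ou=group,dc=company,dc=com",
]

def parse_include_list(config_line: str) -> List[str]:
    """Extract the quoted DNs from a 'group-include-list [ "..." "..." ];' line."""
    m = re.search(r'group-include-list\s*\[(.*)\]', config_line)
    if not m:
        raise ValueError("no group-include-list found in config line")
    return re.findall(r'"([^"]+)"', m.group(1))

def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, lower-cased and whitespace-trimmed."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def check_include_list(config_line: str, server_groups: List[str]) -> Dict[str, str]:
    """Report each configured DN as 'ok', a likely attribute-type typo, or absent."""
    exact = {tuple(normalize_dn(g)): g for g in server_groups}
    # Index real groups by RDN values alone so a wrong attribute type (cn= for ou=) still matches
    by_values = {tuple(v for _, v in k): g for k, g in exact.items()}
    report = {}
    for dn in parse_include_list(config_line):
        norm = normalize_dn(dn)
        if tuple(norm) in exact:
            report[dn] = "ok"
            continue
        candidate = by_values.get(tuple(v for _, v in norm))
        if candidate:
            report[dn] = f"not found; attribute type mismatch, server has '{candidate}'"
        else:
            report[dn] = "not found on server"
    return report

if __name__ == "__main__":
    for dn, status in check_include_list(CONFIG_LINE, SERVER_GROUPS).items():
        print(f"{dn}: {status}")
```

Run it against the real `show config merged` line and the group list from the tree browser before pushing the include list from Panorama.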


Resolution
Correct the group-include-list so that each entry references the group with its exact DN as returned by the LDAP server (correct attribute types such as OU versus CN, and correct container names).
