How To Use Group Filters When Configuring LDAP - Knowledge Base

In large LDAP deployments it is useful to use the search filters to return specific LDAP users/groups.

Using the 'Search Filter' fields for Group and User Object in the Group Mapping will filter which groups\users to retrieve and track.

• User-ID
• LDAP
• Group Mapping
• User Mapping

Search examples

• All groups that have a specific description: description=Marketing
• A specific distinguished name: distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
• Specific Common Name: CN=SSLVPN

Same Common Name

More than one group can have the same common name but be in a different area of the LDAP structure.

The following distinguished named groups have the same Common Name:

• distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org
• distinguishedName=CN=SSLVPN,CN=marketing,DC=example,DC=org

Apply Multiple Filters

It is also possible to search for more than one attribute at a time. A pipe "|" can be used as an "or" operator while an ampersand "&" can be used as an "and".

The following OR searches will return the same results.

• |(distinguishedName=CN=SSLVPN,CN=Users,DC=example,DC=org)(distinguishedName=CN=PanAdmins,CN=Users,DC=example,DC=org)
• |(CN=SSLVPN)(CN=PanAdmins)

These searches will return the members in both the SSLVPN and PanAdmins groups.

Wildcards

Wildcards can also be used: |(CN=SSLVP*)(CN=*anAdmins)

• Filters cannot use OUs
• User groups can still be added to 'Group Include List' but if the group does not match the filter the follow warning example message will be found in the useridd.log
  • Warning: pan_ldap_crtl_search_single_group(pan_ladp_ctrl.c:3755): failed to get group obj for '{LDAPGroup}'
• Separate filters are required for parent and child/nested groups, combined with an OR condition. Setting a filter only for parent group will not return members of child/nested group.