User-ID Agent as LDAP Proxy for Group Mapping and Authentication

Created On 09/25/18 17:46 PM - Last Modified 06/15/23 21:26 PM


Environment


  • Palo Alto Firewall
  • PAN-OS 8.1 and above.
  • Windows-based User-ID Agent.


Resolution


With the Palo Alto Networks LDAP Proxy feature, LDAP traffic destined for the firewall's configured LDAP servers (Windows Active Directory, eDirectory, or another LDAP directory) is sourced from a User-ID agent installed on a Windows server instead of from the firewall itself. Without LDAP proxy, that traffic is sourced directly from the firewall's management interface or its configured service route.

When LDAP proxy is enabled, the firewall communicates with the User-ID agent over the standard SSL connection that already exists between the User-ID agent and the firewall. The agent performs the LDAP queries requested by the firewall and returns the replies to the firewall.

When connecting to a Windows domain controller, all configuration for this feature is done on the firewall. Configure both an LDAP Server Profile and a Group Mapping profile exactly as you would if the firewall itself were sourcing the LDAP traffic. After creating those profiles, check Use as LDAP Proxy in the User-ID agent configuration and commit.


[Screenshot: User-ID Agent configuration, GUI: Device > User Identification > User-ID Agents]

After the commit, all LDAP traffic that would normally be sourced from the firewall is sourced from the configured User-ID agent instead.
