topic Re: LDAP Authentication Profile for non-local users in Next-Generation Firewall Discussions

LDAP Authentication Profile for non-local users

junghwan — Fri, 27 Oct 2023 07:43:57 GMT

Hi Team,

I am trying to use LDAP as an Authentication Profile for non-local users.
I am aware of guide on "Device > Authentication Settings > Authentication Profile" that states "Only RADIUS, TACACS+ and SAML methods are supported".

Nevertheless, I have set the LDAP server as an authentication profile, and confirmed that authentication and authorization works, even for non-local users. Below is the log that authentication has worked as intended.
pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1248): User "ldap_test" is ACCEPTED
pan_auth_response_process(pan_auth_state_engine.c:4381): auth status: auth success
pan_auth_response_process(pan_auth_state_engine.c:4402): Authentication success: <profile: "LDAP", vsys: "shared", username "ldap_test">
...
Sent PAN_AUTH_SUCCESS auth response for user 'ldap_test' (exp_in_days=-1 (-1 never; 0 within a day))

However, because user path is non-existent, Connection is closed.

Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:274): Admin user "ldap_test" home dir "/opt/pancfg/home/ldap_test" has NOT created yet

Error: pan_auth_send_auth_resp(pan_auth_server.c:699): pan_set_admin_user_stat("ldap_test", True)

Would there be a way to resolve this issue? Or, a way use LDAP as an Authentication Profile for non-local users?

Re: LDAP Authentication Profile for non-local users

shehriyarahmed — Thu, 02 Nov 2023 17:10:52 GMT

What is the LDAP server you are using here and if you don't mind can you please share the screenshots of the configs you have done?

Re: LDAP Authentication Profile for non-local users

junghwan — Tue, 07 Nov 2023 23:51:53 GMT

To reiterate, I do not have a problem setting up the configs for the PA device to use LDAP for Authentication.
However, I found out that there must be local users setup beforehand, before I can use LDAP for Authentication.
My intention is to use LDAP for non-local users (which are users defined in LDAP only - not on PA device)

Re: LDAP Authentication Profile for non-local users

shehriyarahmed — Wed, 08 Nov 2023 17:49:10 GMT

You need not define the users locally on the PA firewall, you define on the LDAP server. Below are the sample steps,

The first step in this process is to define an LDAP Server Profile that contains specific information that the firewall can use when sending queries for authentication.

Select Device > Server Profiles > LDAP. At the bottom of the window, click Add.

For Profile Name, enter LDAP-Server-Profile.

Under the Server List section, click Add.

In the Name field, enter ldap.panw.lab.

In the LDAP Server field, enter 192.168.50.89.

Leave the Port field set to 389.

Under the Server Settings section, set the Type to other.

Enter dc=panw,dc=lab for Base DN.

Enter cn=admin,dc=panw,dc=lab for Bind DN.

Enter xxxx for Password and Confirm Password.

Uncheck the option for Require SSL/TLS secured connection.

Leave the remaining settings unchanged.

Click OK to create the LDAP Server Profile.
With your LDAP Server Profile in place, you will now create an Authentication Profile and reference the LDAP Server Profile you just created.

Select Device > Authentication Profile.

Click the Add button at the bottom of the window.

For Name, enter LDAP-Auth-Profile.

Under the Authentication tab, use the Type drop-down list to select LDAP.

Under Server Profile, use the drop-down list to select LDAP-Server-Profile.

Select the Advanced tab.

Under the Allow List section, click Add.

Select all.

Leave the remaining settings unchanged.

Click OK.

Create a new administrator by selecting Device > Administrators.

Click Add.

For Name, enter adminSally.

For Authentication Profile, use the drop-down list to select LDAP-Auth-Profile.

Leave the remaining settings unchanged.

Click OK.

Commit the Configuration.

Re: LDAP Authentication Profile for non-local users

junghwan — Thu, 09 Nov 2023 15:48:12 GMT

Hi Shehriyar Ahmed,

Thank you for the detailed guide. In the scenario above, I would have to manually set "adminSally" as administrator on the Paloalto GUI (even though the user is defined in the LDAP Directory).
The fault is mine if I weren't being clear previously, but I was looking for a solution without the task of adding "adminSally".

Your example : LDAP (create user "adminSally") -> PA (create admin with LDAP Authentication Profile"adminSally") - PA Login with "adminSally"
The solution I am looking for : LDAP (create user "adminSally") -> PA Login with "adminSally"

Key difference being, not needing to add "adminSally" as an administrator. The reason I want to do this is because the administrators and operators (users) would be dynamically changed within LDAP. If there is change in user database in LDAP - the change should also apply to PA's user database.

For instance, a new user "adminTony" is added to a "network-admin" group in LDAP. After configuration of different network devices with LDAP "adminTony" would have access to Firewall, Switch, LB devices via LDAP. I have confirmed that if a new user is added, devices such as LB, Switch allow the user to access the devices, because user "adminTony" has been added to the "network-admin" group. This is on the premise that configuration has been made so that users in "network-admin" are allowed access.