topic Re: I want to integrate LDAP in Panorama in Panorama Discussions

I want to integrate LDAP in Panorama

anwardurrani — Tue, 18 Oct 2022 06:00:25 GMT

I have Panorama on VM and i am trying to configure LDAP, i have setup LDAP profile and then trying to tie LDAP profile with Management interface but it looks like i am not getting any option where i can select LDAP profile from dropdown list, If LDAP tie up with Management Interface is not allowed ? Kindly help.

Re: I want to integrate LDAP in Panorama

PavelK — Tue, 18 Oct 2022 12:49:17 GMT

Hello @anwardurrani

thanks for the post!

If you are trying to set up accounts to access Panorama with LDAP authentication, then you should configure the LDAP profile directly in the account setting. Navigate to: Panorama > Administrators > Add, then select the authentication profile from drop down list:

The option under: Panorama > Setup > Management supports only: RADIUS, TACACS+ and SAML.

Kind Regards

Pavel

Re: I want to integrate LDAP in Panorama

anwardurrani — Wed, 19 Oct 2022 07:45:50 GMT

I have created as per instructions but how i can tie Panorama URL with LDAP Profile, i want users in LDAP only should be able to access Panorama.

Re: I want to integrate LDAP in Panorama

anwardurrani — Wed, 19 Oct 2022 08:16:25 GMT

As per reply above.

The option under: Panorama > Setup > Management supports only: RADIUS, TACACS+ and SAML.

Here does it mean, Panorama Authencation only can be tied up with RADIUS, TACACS+ and SAML.

Re: I want to integrate LDAP in Panorama

PavelK — Wed, 19 Oct 2022 11:59:14 GMT

Thank you for reply @anwardurrani

this is correct. The option under: Panorama > Setup > Management > Authentication Settings > Authentication profile, supports only: RADIUS, TACACS+ and SAML. You can leave it in default set to: "None". To configure LDAP for admin access, you can refer to below KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK

If you need to further restrict accounts using Panorama, you can use Access Domains feature.

Kind Regards

Pavel

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 21 Oct 2022 12:42:10 GMT

Thanks for reply, i followed URL as mentioned above but

still i am not able to authenticate through LDAP users.

When i have followed same instructions for one of my Palo Alto Firewall then in User Identification > Server Monitoring Status says Connection refused. I am not sure where i am getting wrong ?

Re: I want to integrate LDAP in Panorama

PavelK — Sat, 22 Oct 2022 06:47:49 GMT

Thank you for reply @anwardurrani

if you have followed configuration steps in the KB and users are still not able to login to Panorama, I would recommend to check authd.log from cli: tail lines 500 mp-log authd.log. I would also make sure that account for bind dn has valid username and password.

Kind Regards

Pavel

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 04:15:26 GMT

Thanks for reply Pavel,

Here i am trying to implement LDAP on my one of Firewall ( PA-850) through Panorama, I am getting following error

log query for Pune-LDAP failed: NTSTATUS: NT_STATUS_CONNECTION_REFUSED - NT_STATUS_CONNECTION_REFUSED

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 04:18:09 GMT

I have one more question, what should be the template option for Panorama while i am setting up LDAP profile for Panorama ? There are few options i am getting under template drop down list as

Mobile_User_Template

Server_Conn_Template

Iron-Skillset-Template

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 06:06:41 GMT

I have setup LDAP profile on Panorama as well as per instruction URL above and i am getting following error our of log as

failed authentication for user 'anwar.durrani'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'LDAP-Auth', vsys 'shared', server profile 'LDAP-Profile', server address '172.16.x.x', From: 172.24.x.x.

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 06:13:51 GMT

You were correct, its getting failed to bind, It says

<user-name>@<domain-name>

2022-11-04 06:04:40.693 +0000 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2032): Failed to bind, get out

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 06:25:01 GMT

Now i have updated proper bind DN and now i am getting error below. :

binding with binddn cn=internal.replication,dc=enterprisedb,dc=com

2022-11-04 06:18:48.127 +0000 Error: _start_sync_auth(pan_auth_service_handle.c:754): sync request for user "anwar.durrani" is failed or possibly timed out against 172.18.5.x.x:389 with 0th VOIDp=0x556820f49e70

Re: I want to integrate LDAP in Panorama

anwardurrani — Fri, 04 Nov 2022 13:36:14 GMT

I have resolved this issue. i will add complete steps where i have made to solve this issue.

Re: I want to integrate LDAP in Panorama

ffarooq — Mon, 22 May 2023 13:34:15 GMT

Hi @anwardurrani please advise what steps you have taken to resolve this. thanks!