topic Re: GP/ LDAP authentication in General Topics

GP/ LDAP authentication

Vimz888 — Mon, 29 Nov 2021 22:10:08 GMT

Hi,

I have a test AD/PA setup.

AD and LDAP connectivity is okay so far.

My problem is that I am unable to authenticate any user against Global Protect.

The un/pw are correct.

The group are correct too, as far as I can see.

This is the output i get when trying to authenticate:

SITE1> test authentication authentication-profile AUTHPROFILE username paloeveng.local\gpuser password
Enter password :

Target vsys is not specified, user "paloeveng.local\gpuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "paloeveng.local\gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "paloeveng.local\gpuser"

Authentication failed for user "paloeveng.local\gpuser"

===========

SITE1> show user group name "cn=paloalto,ou=firewall,dc=paloeveng,dc=local"

short name: paloeveng.local\paloalto

source type: ldap
source: Paloeveng-profile

[1 ] paloeveng.local\gpuser

===========

What am i missing within the config?

Thank you in advance.

Re: GP/ LDAP authentication

BPry — Tue, 30 Nov 2021 02:14:53 GMT

@Vimz888,

Have you verified the actual authentication profile that you're attempting to utilize? That's really where I would be focusing my attention on.

Do you have sAMAccountName for the Login Attribute? Do you specify your User Domain or Username Modifier?

Re: GP/ LDAP authentication

Vimz888 — Tue, 30 Nov 2021 20:53:14 GMT

Hi,

The authentication is against the below:

a user called "gpuser" is part of this

When I try to authenticate the user "gpuser" against AD, i get the following message:

-SITE1> test authentication authentication-profile AUTHPROFILE username gpuser password
Enter password :

Target vsys is not specified, user "gpuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "gpuser"

Authentication failed for user "gpuser"

- I am not sure what this bit means "Received empty DN for user "gpuser""

If you need anymore info, let me know.

Thanks.

Re: GP/ LDAP authentication

Vimz888 — Thu, 31 Mar 2022 20:29:46 GMT

Hi,

Does anyone know how to resolve this?

Thanks,

Re: GP/ LDAP authentication

CyberEye — Tue, 15 Apr 2025 09:34:18 GMT

May be you missed to add type under server setting of the LDAP server profile