LDAP authentication for CLI

snormoyle — Tue, 25 Sep 2012 15:58:03 GMT

I got LDAP authentication working so that when logging into the Web GUI the microsoft active directory accounts works with no problems. When a user logs into the CLI and tries using their LDAP account the system log shows invalid username/password. the username syntax is <title>.<firstname>.<lastname>.

Re: LDAP authentication for CLI

kadak — Tue, 25 Sep 2012 16:26:52 GMT

Please correct me if I am misunderstanding your issue. A user is able to login through the Web GUI not through the CLI with same login credentials?

Re: LDAP authentication for CLI

snormoyle — Tue, 25 Sep 2012 16:59:45 GMT

that is correct.

Re: LDAP authentication for CLI

sdurga — Tue, 25 Sep 2012 19:14:10 GMT

Can you please try the following -

1)Login into the cli using a local account and run this command "tail follow yes mp-log authd.log"

2)Now open web-ui session and try to login using the LDAP credentials and observe the login process ( especially the user credentials and their format ) in the cli log.

3)Now open another cli session and try to login using LDAP credentials and see how the logs are different when compared to the login using web-ui, You can also find the reason here for the authentication failure in the logs

Re: LDAP authentication for CLI

snormoyle — Wed, 26 Sep 2012 10:43:50 GMT

I did it and you can see where it has issues, just don't understand it yet.

dmin@ssca-pa-01> tail follow yes mp-log authd.log

****OUTPUT FROM CLI AUTHENTICATION***********************

Sep 26 06:17:11 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle

Sep 26 06:17:11 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>

Sep 26 06:17:11 alt.steven.normoyle admin is being authed

Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle

Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)

Sep 26 06:17:11 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle

Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle failed - trying other hosts

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle

Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle failed - trying other hosts

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_2

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_3

Sep 26 06:17:11 authentication failed for user <shared,mgt-auth,alt.steven.normoyle>

Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult not auth'ed

Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1282): Alarm generation set to: False.

Sep 26 06:17:11 User 'alt.steven.normoyle' failed authentication. Reason: Invalid username/password From: ssca-lt-04.nmed.ds.med.navy.mil.

Sep 26 06:17:11 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:12 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Sep 26 06:17:12 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

*************OUTPUT FROM WEB GUI AUTHENTICATION**************************************

Sep 26 06:17:55 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle

Sep 26 06:17:55 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>

Sep 26 06:17:55 alt.steven.normoyle admin is being authed

Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle

Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)

Sep 26 06:17:55 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 26 06:17:55 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle

Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:663): authentication succeeded (0)

Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:669): account is valid

Sep 26 06:17:55 pan_get_passwd_expiry(pan_authd_passwd.c:778): Using /etc/openldap/pan_ldap_shared_mgt-auth_0 to get password info

Sep 26 06:17:55 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_shared_mgt-auth_0

Sep 26 06:17:55 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=SSCA.PA.SVC,OU=Service

Sep 26 06:17:55 Error: pan_authd_bind(pan_authd_passwd.c:271): bind failed (extracted from parsed bind result) (Invalid credentials) (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)

Sep 26 06:17:55 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=nmed,DC=ds,DC=med,DC=navy,DC=mil' for (sAMAccountName=alt.steven.normoyle) (userAccountControl)

Sep 26 06:17:55 Error: pan_authd_ldap_search_result(pan_authd_passwd.c:419): search failed 1 (Operations error) (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1)

Sep 26 06:17:55 pan_get_ad_passwd_expiry(pan_authd_passwd.c:679): failed to search userAccountControl

Sep 26 06:17:55 Error: pan_get_passwd_expiry(pan_authd_passwd.c:793): Failed to get expiry info for alt.steven.normoyle

Sep 26 06:17:55 authentication succeeded for user <shared,mgt-auth,alt.steven.normoyle>

useradd: unable to lock password file

usermod: user alt.steven.normoyle does not exist

Sep 26 06:17:56 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult auth'ed

Sep 26 06:17:56 Request received to unlock shared/mgt-auth/alt.steven.normoyle

Sep 26 06:17:56 User 'alt.steven.normoyle' authenticated. From: 192.207.231.8.

Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:56 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:56 pan_authd_service_req(pan_authd.c:2610): Authd:get group request

Sep 26 06:17:56 pan_authd_handle_group_req(pan_authd.c:2561): Got user role/adomain / for user alt.steven.normoyle

Re: LDAP authentication for CLI

sdurga — Wed, 26 Sep 2012 20:25:59 GMT

That is weird, In both cases PA sent the same format to the LDAP server. Which software version is this ? Did you do any software upgrades and that caused this issue ?

Re: LDAP authentication for CLI

sdurga — Thu, 27 Sep 2012 16:27:04 GMT

If this issue is happening after upgrade to 4.1.8, please open a ticket with support as this looks buggy.

Re: LDAP authentication for CLI

mnmeetz.singh — Sat, 02 Apr 2022 18:27:49 GMT

Any update onnthis issue as i am also facing the same issue

topic Re: LDAP authentication for CLI in General Topics

LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI

Re: LDAP authentication for CLI