topic Re: How can I test a ldap server that is healthy or not？ in General Topics

How can I test a ldap server that is healthy or not？

459768405 — Thu, 22 May 2025 10:10:24 GMT

Dear all

We need to replace our old ldap server config to a new ldap server on PA firewall and panorama, I want to know if I add a new ldap server config on PA firewall and panorama, how can I test the healthy of the new ldap server? I try to use telnet command to connect the new ldap server's 636 or 389 port, but I found there is no telnet command on PA firewall and panorama...

On PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on panorama, need you give me a favor~

Best wishes

Cat

Re: How can I test a ldap server that is healthy or not？

Brandon_Wertz — Thu, 22 May 2025 13:44:05 GMT

@459768405 wrote:

Dear all

We need to replace our old ldap server config to a new ldap server on PA firewall and panorama, I want to know if I add a new ldap server config on PA firewall and panorama, how can I test the healthy of the new ldap server? I try to use telnet command to connect the new ldap server's 636 or 389 port, but I found there is no telnet command on PA firewall and panorama...

On PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on panorama, need you give me a favor~

Best wishes

Cat

I don't have access to the PAN or FW UI right now, but is there a "test connection" button in the GUI? I don't know of an easy way to test, but in the system logs the firewall's ability to connect/contact a LDAP server shows up. So if a server goes offline there will be a log for that. Also I don't believe Panorama will "connect" to the servers in your LDAP profile, that only happens from the firewalls themselves. So if you're already executed the group include list command from the FW and it's working, that should be enough to tell you it is. Especially if you're not seeing any system log error messages.

Re: How can I test a ldap server that is healthy or not？

Raido_Rattameister — Thu, 22 May 2025 14:46:54 GMT

In firewall add new LDAP profile.

Enter server into "Server List"

Add Bind DN and password.

If "Base DN" droppdown populates then connection to LDAP server is successful.

Re: How can I test a ldap server that is healthy or not？

TomYoung — Thu, 22 May 2025 15:52:21 GMT

Hi @459768405 ,

Not only can you test the initial LDAP connection as described by @Raido_Rattameister above, but you can create a new authentication profile for the new LDAP server and test authentication to it via the CLI. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-the-authentication-configuration

Thanks,

Tom

Re: How can I test a ldap server that is healthy or not？

459768405 — Fri, 23 May 2025 01:54:55 GMT

Thank you for you help, I try it on firewall. it worked. But in panorama, there is not a dropdown populates in Base DN, it's strange

Re: How can I test a ldap server that is healthy or not？

Raido_Rattameister — Fri, 23 May 2025 13:14:51 GMT

Yes only firewall has droppdown. Panorama don't have it.

You can just click on "Clone" button on LDAP profile pushed from Panorama and test droppdown. After test just delete cloned profile from firewall and adjust profile in Panorama as needed.

Re: How can I test a ldap server that is healthy or not？

459768405 — Mon, 26 May 2025 01:48:33 GMT

thank you! but I mean the ldap on panorama is used on panorama's own self, it will be using on authentication

manager to login the webui or cli of panorama, but that's ok, I have tried the method that TomYoung saied, it worked