topic Re: Assistance with LDAP Authentication in General Topics

Assistance with LDAP Authentication

DJ_1924 — Tue, 17 Feb 2026 21:32:23 GMT

Currently working on a PA-540 running 12.1.3 code. I have setup a LDAP server profile, and setup an authentication profile. If I test from the cli, the bind is successful, but the authentication fails, even if I use the same credentials I used to do the bind. I've also tried this with a domain admin account in case it was a permissions issue with respect to the service account not being able to query AD. This is what I'm getting when testing:

fwuser@firewall-01(active)> test authentication authentication-profile ldap-auth-profile username paloservice password Enter password : Target vsys is not specified, user "paloservice" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "paloservice" is in group "all" Authentication to LDAP server at 192.168.200.25 for user "paloservice" Egress: 172.27.175.23 Type of authentication: plaintext Starting LDAP connection... Succeeded to create a session with LDAP server Can not search userdn for user paloservice Authentication failed against LDAP server at 192.168.200.25:389 for user "paloservice"

I'm able to find the user group I intend to use for GP so it seems that the credentials are good and the bind seems to be working.

Re: Assistance with LDAP Authentication

PavelK — Tue, 17 Feb 2026 21:56:29 GMT

Hello @DJ_1924

thanks for posting!

Could you confirm whether the account: paloservice is in the scope of Base DN configured in LDAP profile? Reference in KB: Usernames Not Retrieved by the Firewall with OU for LDAP Server Profile Base.

Could you also check more details in the log from CLI: authd.log

Kind Regards

Pavel

Re: Assistance with LDAP Authentication

DJ_1924 — Tue, 17 Feb 2026 23:16:02 GMT

Thanks for getting back to me. The base dn in the LDAP server was set to DC=userdomain,DC=com.

I'll try to gather the logs again. When I tried a " tail follow yes mp-log authd.log" I wasn't seeing anything w/ respect to the testing. When I pulled a packet capture I do see RSTs from the server. I tested w/ the same username as I have for the actual binding, but I can retest w/ a different user tomorrow to confirm I'm actually seeing that being sent to the server.