topic Re: CLI command for LDAP status in 4.1.4 in General Topics

CLI command for LDAP status in 4.1.4

cschmi — Fri, 23 Mar 2012 14:53:12 GMT

Hi,

I am trying to setup a server profile for LDAP in PAN OS 4.1.4

Unfortunatelly I only see some groups of users but not the individual users themself.

Running the command "show users ldap-server" is not available in 4.1.4.

Attached is a screenshot of the current configuration. Is that okay so far?

What is the way to identify where the problem is?

Thanks
Christof

Re: CLI command for LDAP status in 4.1.4

mrsold — Fri, 23 Mar 2012 16:27:05 GMT

Are you trying to see what is happening when they are trying to authenticate? If so, would "less mp-log authd.log" help?

Re: CLI command for LDAP status in 4.1.4

cschmi — Fri, 23 Mar 2012 16:35:15 GMT

No. I am trying to setup ldap connection at all. My target is to apply

user based security rules.

Von meinem iPhone gesendet

Am 23.03.2012 um 17:27 schrieb msoldner <live@paloaltonetworks.com>:

Are you trying to see what is happening when they are trying to

authenticate? If so, would "less mp-log authd.log" help?

Re: CLI command for LDAP status in 4.1.4

jseals — Fri, 23 Mar 2012 19:15:56 GMT

Hello,

Keep in mind that with 4.1.x, the firewall directly connects to the LDAP server and queries for AD groups. The user-id agent performs the user-to-ip mappings.

If you aren't seeing users, it may be an issue with the agent connectivity or settings.

To show what users are found in the groups:

> show user group name <group name> (You can tab to list all of the available group names)

To show what users are being mapped to IPs properly:

> show user ip-user-mapping all

To show the state of your user agent (since that's what is in charge of user-to-ip mapping)

> show user user-id-agent state all

Please let us know if this helps.

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

cschmi — Fri, 23 Mar 2012 19:23:44 GMT

The uiAgent is working well.

But for user based security rules the uiAgent is not used as far as I

understood.

I see two groups in the user field in the security rules but they are

not from the Users container of the AD. These two groups are directly

under the domain level and don't reflect my domain security groups or

even better the individual users.

Will query the commands on Monday and let you know.

Von meinem iPhone gesendet

Am 23.03.2012 um 20:16 schrieb jseals <live@paloaltonetworks.com>:

Hello,

Keep in mind that with 4.1.x, the firewall directly connects to the

LDAP server and queries for AD groups. The user-id agent performs the

user-to-ip mappings.

If you aren't seeing users, it may be an issue with the agent

connectivity or settings.

To show what users are found in the groups:

show user group name <group name> (You can tab to list all of the available group names)

To show what users are being mapped to IPs properly:

show user ip-user-mapping all

To show the state of your user agent (since that's what is in charge

of user-to-ip mapping)

show user user-id-agent state all

Please let us know if this helps.

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

jseals — Fri, 23 Mar 2012 20:31:23 GMT

I see.

Have you included the groups in the group include list?

In the WebUI -> Device tab -> User Identification -> Group mapping Setting tab -> Click your defined server (define one if not already defined) -> Group Include List tab -> and ensure you've added all the groups you want to use in your policies here.

If this doesn't help and you've recently updated to 4.1.x from 4.0.x or below, it may be the case you have some older groups on the firewall that are no longer compatible. The output of those commands should let us know.

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

cschmi — Fri, 23 Mar 2012 20:55:15 GMT

That' s probably the issue. I have not assigned any groups...

The box is pretty new in our environment and was already shipped with OS 4.

Thanks a lot for your suggestions. I will report Monday!

Thanks

Christof

Von meinem iPhone gesendet

Am 23.03.2012 um 21:31 schrieb jseals <live@paloaltonetworks.com>:

I see.

Have you included the groups in the group include list?

In the WebUI -> Device tab -> User Identification -> Group mapping

Setting tab -> Click your defined server (define one if not already

defined) -> Group Include List tab -> and ensure you've added all the

groups you want to use in your policies here.

If this doesn't help and you've recently updated to 4.1.x from 4.0.x

or below, it may be the case you have some older groups on the

firewall that are no longer compatible. The output of those commands

should let us know.

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

cschmi — Mon, 26 Mar 2012 12:56:44 GMT

Hi again,

I ran the query in terminal and received only these groups back that I see

in *WebUI -> Device tab -> User Identification -> Group mapping Setting tab

-> Click your defined server (define one if not already defined) -> Group

Include List tab. *

Curiously I cannot select any group in CN=Users. It appears as empty (Which

it surely not is).

I only can select groups that are directly under the Domain names level

(see attachment) and not in any of the containers.

The Domain is a 2003 level domain. Is the PANOS only compatible with newer

domain levels?

Thanks Christof

Re: CLI command for LDAP status in 4.1.4

jseals — Mon, 26 Mar 2012 17:24:43 GMT

Hello,

I also have a Windows 2003 Domain Controller in my lab environment, and I can select groups to be added in CN=Users. I can open up any containers I have under the domain and add groups.

Are you positive that the bind dn you're using for your LDAP Server Profile has the ability to query in all of your containers?

Are you able to change the bind dn to a domain admin or something similar just for testing, so we can ensure he can open the containers?

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

cschmi — Mon, 26 Mar 2012 20:33:16 GMT

I use Administrator Account für Domain bind.

Thanks for your input.

Christof

Von meinem iPhone gesendet

Am 26.03.2012 um 19:24 schrieb jseals <live@paloaltonetworks.com>:

Hello,

I also have a Windows 2003 Domain Controller in my lab environment,

and I can select groups to be added in CN=Users. I can open up any

containers I have under the domain and add groups.

Are you positive that the bind dn you're using for your LDAP Server

Profile has the ability to query in all of your containers?

Are you able to change the bind dn to a domain admin or something

similar just for testing, so we can ensure he can open the containers?

Thanks,

Jason Seals

Re: CLI command for LDAP status in 4.1.4

cschmi — Thu, 29 Mar 2012 09:00:39 GMT

Hi,

any other ideas?

As I said, the domain Administrator account is used for Bind DN.

The domain itself was a SBS 2003 domain 3 years back and has been upgraded to standard domain at that time.

I still see an OU=MyBusiness and some Exchange relics. Can this be an issue?

The groups that I can select (see my previous posts) most likely are groups from the old SBS schema, as I do not see such kind of groups on our second site ( Windows 2008R2 Standard Domain).

Thanks a lot!

Christof

Re: CLI command for LDAP status in 4.1.4

jseals — Thu, 29 Mar 2012 19:20:47 GMT

Hi Cristof,

It may be best to continue troubleshooting in a support case at this point for more direct support.

Please open up a support case and we can work to a faster resolution.

Thanks,

Jason

Re: CLI command for LDAP status in 4.1.4

ucteam — Sun, 01 Apr 2012 11:08:18 GMT

Jseals how large is your AD structure? Im suspecting its relatively small? correct?

I've been troubleshooting an issue with support regarding 4.1.3-4 direct group enumeration.. whereby the Palo Alto is only able to retrieve a small portion of our AD structure/ objects. Having similar experiences where from the Palo Alto am not able to browse the full structure and group enumeration for example shows only 26 users in "domain users" group when there is in fact over 27,000 ..

When I change back to using LDAP proxy and a 3.1x userID agent the group enumeration works correctly.

At first I suspected an issue with LDAP paging.. but packet captures indicated paging is working .. but seem to point towards some strange delays/timeouts towards the end of the session..

May be related to this discussion.. difficult to tell at this time.

For the user having problems.. If everything looks to be configured correctly and your domain structure/ permissions are good.. then try doing some packet captures from the Palo Alto monitoring tab.. filtering on LDAP communications with domain controller. Would recommend temporarily changing to unencrypted TCP 389 for the LDAP bind so you can view the full LDAP protocol interactions.

Re: CLI command for LDAP status in 4.1.4

cschmi — Sun, 01 Apr 2012 12:28:44 GMT

Our LDAP is very small, too. We have approx. 40 users in the domain

that is having this issue.

I can sometimes see the groups in security policy set up page although

I did not select (and even see them) in the group mappings page.

Applying these groups to the policies does not have any effect.

The user agent is showing connected, but I have only a couple of users

known to the device although I know that there are more online in that

moment.

At our second facility (2008 domain) everything is working fine. The

user ID agent and the group mappings are working and I can build

security rules for them.

Thanks

Christof

Von meinem iPhone gesendet

Am 01.04.2012 um 13:08 schrieb ucteam <live@paloaltonetworks.com>:

Jseals how large is your AD structure? Im suspecting its relatively

small? correct?

I've been troubleshooting an issue with support regarding 4.1.3-4

direct group enumeration.. whereby the Palo Alto is only able to

retrieve a small portion of our AD structure/ objects. Having similar

experiences where from the Palo Alto am not able to browse the full

structure and group enumeration for example shows only 26 users in

"domain users" group when there is in fact over 27,000 ..

When I change back to using LDAP proxy and a 3.1x userID agent the

group enumeration works correctly.

At first I suspected an issue with LDAP paging.. but packet captures

indicated paging is working .. but seem to point towards some strange

delays/timeouts towards the end of the session..

May be related to this discussion.. difficult to tell at this time.

For the user having problems.. If everything looks to be configured

correctly and your domain structure/ permissions are good.. then try

doing some packet captures from the Palo Alto monitoring tab..

filtering on LDAP communications with domain controller. Would

recommend temporarily changing to unencrypted TCP 389 for the LDAP

bind so you can view the full LDAP protocol interactions.

Re: CLI command for LDAP status in 4.1.4

ucteam — Mon, 02 Apr 2012 10:54:59 GMT

Any fundamental differences between the 2 deployments? ie. the one that is working and the one that isnt?

Re: CLI command for LDAP status in 4.1.4

cschmi — Mon, 02 Apr 2012 11:06:14 GMT

Only the domain levels:

Working deployment is 2008 domain.

Not working deployment is 2003 domain (that has been migrated from a Small

Business Server 2003 4 years back).

Re: CLI command for LDAP status in 4.1.4

cschmi — Thu, 05 Apr 2012 06:29:14 GMT

Hi,

finally we identified the issue.

We have 2 DC's in the concerned domain. Both had a UI-agent installed and

configured. However one of them seemed to drop his settings.

I realized that after rummage in the console. The command "show user

user-id-agent config name" then showed no configuration on one of the

UI-agents.

The group mapping is now working after configuring the second agent again

(and verifying that the config is really saved).

Thanks for all your thoughts!

Christof

On Mon, Apr 2, 2012 at 12:57 PM, Christof Schmidt