https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7427#M5516 <HTML><HEAD></HEAD><BODY><P>In the Bind DN example, "CN=ldap,CN=users,DC=plano2003,DC=com", I'm a little confuse what to replace for CN=ldap and CN=users.</P><P></P><P><SPAN style="background-color: #f8fafd;">CN=ldap (should I replace with the OU of my Active Directory?)</SPAN></P><P><SPAN style="background-color: #f8fafd;">CN=users (should I replace with the username?)</SPAN></P></BODY></HTML> Wed, 13 Jun 2012 18:04:50 GMT vnguyen2 2012-06-13T18:04:50Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7420#M5509 <HTML><HEAD></HEAD><BODY><P>Hi all!</P><P>I have a problem using LDAP for user/management authentication/authorization. When I try to log in via my domain I get the following in my log (after logging in again with the admin account):</P><P></P><P><SPAN lang="EN-US" style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt; mso-ansi-language: EN-US; mso-fareast-language: NO-BOK;">Authorization failed for user *\*via Web from *.*.*.* : Invalid user 06/06 12:41:19</SPAN></P><P><SPAN lang="EN-US" style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt; mso-ansi-language: EN-US; mso-fareast-language: NO-BOK;">User '*\*' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. </SPAN><SPAN style="font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; font-size: 12pt; mso-fareast-language: NO-BOK;">From: *.*.*.*.</SPAN></P><P></P><P>Any suggestions?</P></BODY></HTML> Wed, 06 Jun 2012 12:27:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7420#M5509 kaare_tragethon 2012-06-06T12:27:51Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7421#M5510 <HTML><HEAD></HEAD><BODY><P>Please check the authentication profile and Authentication sequence. Are you referring to the correct profile for authentication. The empty spaces indicate that it is having trouble with the authentication profile </P></BODY></HTML> Mon, 11 Jun 2012 17:24:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7421#M5510 sjamaluddin 2012-06-11T17:24:31Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7422#M5511 <HTML><HEAD></HEAD><BODY><P>Hi and thanks for the reply. Please see attached pictures of my current</P><P>setup. The LDAP has contact with the server, so this is not the problem...</P><P></P><P></P><P>Best Regards/Vennlig Hilsen,</P><P>Kåre Tragethon</P><P>IT &amp; Automasjon</P><P></P><P>Hallingplast AS</P><P>Tlf: +47 32 09 56 85</P><P>Fax: +47 32 09 55 94</P><P>Mob: +47 95 25 14 38</P><P>www.hallingplast.no</P></BODY></HTML> Tue, 12 Jun 2012 07:14:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7422#M5511 kaare_tragethon 2012-06-12T07:14:45Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7423#M5512 <HTML><HEAD></HEAD><BODY><P>Could it be the classical mistake of using "domain.local" instead of just the netbios name "domain"?</P><P></P><P><SPAN>Described in </SPAN><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/thread/5050?tstart=0">https://live.paloaltonetworks.com/thread/5050?tstart=0</A></P></BODY></HTML> Tue, 12 Jun 2012 09:27:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7423#M5512 mikand 2012-06-12T09:27:55Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7424#M5513 <HTML><HEAD></HEAD><BODY><P>Thanks but that didn't help. By the way, I'm only using LDAP (no user</P><P>agent)..... I could also mention that I'm only trying to access the</P><P>Management Interface at the moment. Could that be a problem?? Do I have to</P><P>create any security rules to allow access?</P></BODY></HTML> Tue, 12 Jun 2012 10:31:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7424#M5513 kaare_tragethon 2012-06-12T10:31:45Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7425#M5514 <HTML><HEAD></HEAD><BODY><P>I dont know if you can setup security rules for the management interface (if you use the physical mgmt int) - however you would need to do so if you have service rerouted your traffic to use a dataplane interface.</P></BODY></HTML> Wed, 13 Jun 2012 06:25:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7425#M5514 mikand 2012-06-13T06:25:11Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7426#M5515 <HTML><HEAD></HEAD><BODY><P>Please follow the configuration steps provided in the following document: <A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1989">https://live.paloaltonetworks.com/docs/DOC-1989</A></P><P></P><P>Unless the username you are using to login is 'AllowDomainAdmins', there is a misconfiguration.</P><P></P><P>As outlined in the document, it is required to create a Device -&gt; Administrator account for each AD account that will be used. </P><P></P><P>Hope this helps!</P><P></P><P>- Stefan</P></BODY></HTML> Wed, 13 Jun 2012 16:44:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7426#M5515 sspringer 2012-06-13T16:44:44Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7427#M5516 <HTML><HEAD></HEAD><BODY><P>In the Bind DN example, "CN=ldap,CN=users,DC=plano2003,DC=com", I'm a little confuse what to replace for CN=ldap and CN=users.</P><P></P><P><SPAN style="background-color: #f8fafd;">CN=ldap (should I replace with the OU of my Active Directory?)</SPAN></P><P><SPAN style="background-color: #f8fafd;">CN=users (should I replace with the username?)</SPAN></P></BODY></HTML> Wed, 13 Jun 2012 18:04:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7427#M5516 vnguyen2 2012-06-13T18:04:50Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7428#M5517 <HTML><HEAD></HEAD><BODY><P>In the Bind DN example, a user named 'ldap' has been created inside of the 'CN=users,DC=plano2003,DC=com' container.</P><P></P><P>Another example of this is if you were to use the built-in 'Administrator' account. The equivalent would be:</P><P>CN=administator,CN=users,DC=plano2003,DC=com</P><P></P><P>Please know, a more simple way to specifiy the Bind DN is set username@domain. Here are some examples showing two different DN formats that are equivalent.</P><P></P><P>CN=paloalto,OU=firewalls,OU=network,DC=plano2003,DC=com</P><P><A class="jive-link-email-small" href="mailto:paloalto@plano2003.com">paloalto@plano2003.com</A></P><P></P><P>CN=ldap,CN=users,DC=plano2003,DC=com</P><P><A class="jive-link-email-small" href="mailto:ldap@plano2003.com">ldap@plano2003.com</A></P><P></P><P>CN=administator,CN=users,DC=plano2003,DC=com</P><P><A class="jive-link-email-small" href="mailto:administrator@plano2003.com">administrator@plano2003.com</A></P><P></P><P>Attached is example screenshot.</P><P></P><P>- Stefan</P></BODY></HTML> Wed, 13 Jun 2012 19:02:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7428#M5517 sspringer 2012-06-13T19:02:47Z https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7429#M5518 <HTML><HEAD></HEAD><BODY><P>The document is based on:</P><P>Root OU being&nbsp; Plano.2003.com</P><P></P><P><STRONG style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;"><EM>ldap</EM></STRONG> is contained in <STRONG style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;"><EM>Users</EM></STRONG>, under <STRONG style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;"><EM>Plano.2003.com</EM></STRONG>. The corresponding Bind DN is going to be <EM style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;">CN=ldap,CN=Users,DC=example,DC=com.</EM></P><P><SPAN style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;">Please refer to the <A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-2910">https://live.paloaltonetworks.com/docs/DOC-2910</A>.</SPAN></P><P><SPAN style="background-color: #ffffff; font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px;">Also try authentication removing the filtered Allow List.Most probably the user in question is not authorized the query the OU.</SPAN></P><P></P><P><SPAN style="background-color: #ffffff; font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px;">Regards,</SPAN></P><P><SPAN style="background-color: #ffffff; font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px;">Ameya</SPAN></P><P></P><P><SPAN style="font-family: Arial, 'Lucida Grande', Geneva, Verdana, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P></BODY></HTML> Wed, 13 Jun 2012 19:13:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-and-user-authentication-authorization/m-p/7429#M5518 UhMayYeah 2012-06-13T19:13:02Z