https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232639#M66730 <P>Hi Team,</P><P>&nbsp;</P><P>I have configured LDAP server profile and confirmed the condition of reading group via Group mapping it works.</P><P>&nbsp;</P><P>When I try to test the LDAP username through authentication profile it succeed upto LDAP authentication but after it is sending DN name only with domain name and my user get failed to authenticate.</P><P>&nbsp;</P><P>What else I need to check.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>test authentication authentication-profile LDAP user name remesk&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[Kremeshk &#27;[K&#27;[A&#27;[Kadmin-remeshk@TH-FW-PA3060&gt; test authentication authentication-profile LDAP user name remeshk password<BR />Enter password :<BR />&#27;[?1h&#27;=&#27;[40;1H&#27;[K<BR />Target vsys is not specified, user "remeshk" is assumed to be configured with a shared auth profile.</P><P>Do allow list check before sending out authentication request...<BR />name "trojanholding.ae\remeshk" is in group "all"</P><P>Authentication to LDAP server at 10.3.4.10 for user "remeshk"<BR />Egress: 172.25.25.4<BR />Type of authentication: plaintext<BR />Starting LDAP connection...<BR />Succeeded to create a session with LDAP server<BR />DN sent to LDAP server: DC=trojanholding,DC=ae<BR />Authentication failed against LDAP server at 10.3.4.10:389 for user "remeshk"</P><P>Authentication to LDAP server at 10.3.4.11 for user "remeshk"<BR />Egress: 172.25.25.4<BR />Type of authentication: plaintext<BR />Starting LDAP connection...<BR />Succeeded to create a session with LDAP server<BR />DN sent to LDAP server: DC=trojanholding,DC=ae<BR />Authentication failed against LDAP server at 10.3.4.11:389 for user "remeshk"</P><P><BR />Authentication failed for user "remeshk"</P><P>&nbsp;</P> Thu, 27 Sep 2018 06:17:01 GMT Venkatesan_radhakrishnan 2018-09-27T06:17:01Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232639#M66730 <P>Hi Team,</P><P>&nbsp;</P><P>I have configured LDAP server profile and confirmed the condition of reading group via Group mapping it works.</P><P>&nbsp;</P><P>When I try to test the LDAP username through authentication profile it succeed upto LDAP authentication but after it is sending DN name only with domain name and my user get failed to authenticate.</P><P>&nbsp;</P><P>What else I need to check.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>test authentication authentication-profile LDAP user name remesk&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[K&#8;&#27;[Kremeshk &#27;[K&#27;[A&#27;[Kadmin-remeshk@TH-FW-PA3060&gt; test authentication authentication-profile LDAP user name remeshk password<BR />Enter password :<BR />&#27;[?1h&#27;=&#27;[40;1H&#27;[K<BR />Target vsys is not specified, user "remeshk" is assumed to be configured with a shared auth profile.</P><P>Do allow list check before sending out authentication request...<BR />name "trojanholding.ae\remeshk" is in group "all"</P><P>Authentication to LDAP server at 10.3.4.10 for user "remeshk"<BR />Egress: 172.25.25.4<BR />Type of authentication: plaintext<BR />Starting LDAP connection...<BR />Succeeded to create a session with LDAP server<BR />DN sent to LDAP server: DC=trojanholding,DC=ae<BR />Authentication failed against LDAP server at 10.3.4.10:389 for user "remeshk"</P><P>Authentication to LDAP server at 10.3.4.11 for user "remeshk"<BR />Egress: 172.25.25.4<BR />Type of authentication: plaintext<BR />Starting LDAP connection...<BR />Succeeded to create a session with LDAP server<BR />DN sent to LDAP server: DC=trojanholding,DC=ae<BR />Authentication failed against LDAP server at 10.3.4.11:389 for user "remeshk"</P><P><BR />Authentication failed for user "remeshk"</P><P>&nbsp;</P> Thu, 27 Sep 2018 06:17:01 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232639#M66730 Venkatesan_radhakrishnan 2018-09-27T06:17:01Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232664#M66737 <P>when you test LDAP via the test command it does not use all configured parts of the authentication profile. it does not use any domain modifier that you have set.</P> Thu, 27 Sep 2018 12:19:34 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232664#M66737 Mick_Ball 2018-09-27T12:19:34Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232666#M66739 <P>No it is not like that way, Here I found actually the username is missing the root structure of the domain in AD.&nbsp;</P> Thu, 27 Sep 2018 12:21:54 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232666#M66739 Venkatesan_radhakrishnan 2018-09-27T12:21:54Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232668#M66741 <P>sorry i am confused, can you show me a test that does work...</P> Thu, 27 Sep 2018 12:25:24 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232668#M66741 Mick_Ball 2018-09-27T12:25:24Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232670#M66742 <P>admin@PA-VM&gt; test authentication authentication-profile Auth-GP username venkatesan password<BR />Enter password :</P><P>Target vsys is not specified, user "venkatesan" is assumed to be configured with a shared auth profile.</P><P>Do allow list check before sending out authentication request...<BR />name "venkatesan" is in group "all"</P><P>Authentication to LDAP server at 172.16.3.142 for user "venkatesan"<BR />Egress: 192.168.30.1<BR />Type of authentication: plaintext<BR />Starting LDAP connection...<BR />Succeeded to create a session with LDAP server<BR />DN sent to LDAP server: CN=venkatesan r.,CN=Users,DC=abdalla,DC=local<BR />User expires in days: never</P><P>Authentication succeeded for user "venkatesan"</P> Thu, 27 Sep 2018 12:28:01 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232670#M66742 Venkatesan_radhakrishnan 2018-09-27T12:28:01Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232680#M66743 <P>ok so now show test that doesn't work.</P> Thu, 27 Sep 2018 12:38:46 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232680#M66743 Mick_Ball 2018-09-27T12:38:46Z https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232681#M66744 <P>it works&nbsp;</P> Thu, 27 Sep 2018 12:40:04 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-via-ldap-server-not-sending-complete-dn-name/m-p/232681#M66744 Venkatesan_radhakrishnan 2018-09-27T12:40:04Z