02-17-2026 01:24 PM - edited 02-17-2026 01:32 PM
Currently working on a PA-540 running 12.1.3 code. I have setup a LDAP server profile, and setup an authentication profile. If I test from the cli, the bind is successful, but the authentication fails, even if I use the same credentials I used to do the bind. I've also tried this with a domain admin account in case it was a permissions issue with respect to the service account not being able to query AD. This is what I'm getting when testing:
fwuser@firewall-01(active)> test authentication authentication-profile ldap-auth-profile username paloservice password
Enter password :
Target vsys is not specified, user "paloservice" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "paloservice" is in group "all"
Authentication to LDAP server at 192.168.200.25 for user "paloservice"
Egress: 172.27.175.23
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Can not search userdn for user paloservice
Authentication failed against LDAP server at 192.168.200.25:389 for user "paloservice"
I'm able to find the user group I intend to use for GP so it seems that the credentials are good and the bind seems to be working.
02-17-2026 01:56 PM
Hello @DJ_1924,
Thanks for posting!
Could you confirm whether the account: paloservice is in the scope of Base DN configured in LDAP profile? Reference in KB: Usernames Not Retrieved by the Firewall with OU for LDAP Server Profile Base.
Could you also check for more details in the authd.log from the CLI?
Kind Regards
Pavel
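The two checks Pavel asks for can be rehearsed offline. The following is an added example, not firewall code and not from the KB article: it builds the post-bind user search filter with RFC 4515 escaping and then tests whether a user object's DN actually sits under the Base DN configured in the LDAP server profile, which is the condition behind a "Can not search userdn" result after a successful bind. The directory contents, the account DNs and the assumption that the login attribute is sAMAccountName are all constructed for the example.

```python
"""Offline rehearsal of the firewall's post-bind user lookup.

Added example (not PAN-OS code): shows why a successful bind can still
end in "Can not search userdn" when the user object lies outside the
profile's Base DN. All directory data below is constructed.
"""

import re


def escape_ldap_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Done so that a username containing '*', '(', ')' or '\\' cannot
    change the meaning of the filter the directory receives.
    """
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_user_filter(login_attr, username):
    """Filter the lookup would send, e.g. (sAMAccountName=paloservice)."""
    return "(%s=%s)" % (login_attr, escape_ldap_filter_value(username))


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, normalising case and whitespace.

    Splits only on unescaped commas; multi-valued RDNs are not needed here.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_scope(user_dn, base_dn):
    """True if user_dn equals base_dn or lies beneath it (subtree search)."""
    user_rdns, base_rdns = parse_dn(user_dn), parse_dn(base_dn)
    if len(user_rdns) < len(base_rdns):
        return False
    return user_rdns[len(user_rdns) - len(base_rdns):] == base_rdns


# Constructed sample directory: object DN -> sAMAccountName (assumed login attribute)
SAMPLE_DIRECTORY = {
    "CN=paloservice,OU=Service Accounts,DC=userdomain,DC=com": "paloservice",
    "CN=Jane Doe,OU=Users,DC=userdomain,DC=com": "jdoe",
    "CN=svc-old,DC=legacy,DC=local": "svc-old",
}


def lookup_user(base_dn, login_attr, username, directory=SAMPLE_DIRECTORY):
    """Mimic the lookup that follows the bind.

    Returns the filter that would be sent and the DN of the first object
    under base_dn whose login attribute matches (AD matches the value
    case-insensitively), or None when nothing is in scope.
    """
    matches = [
        dn for dn, sam in directory.items()
        if sam.lower() == username.lower() and dn_in_scope(dn, base_dn)
    ]
    return {
        "filter": build_user_filter(login_attr, username),
        "user_dn": matches[0] if matches else None,
    }


if __name__ == "__main__":
    for base in ("DC=userdomain,DC=com", "OU=Users,DC=userdomain,DC=com"):
        result = lookup_user(base, "sAMAccountName", "paloservice")
        state = "found" if result["user_dn"] else "Can not search userdn"
        print("Base DN %-32s %s -> %s" % (base, result["filter"], state))
```

With the Base DN set to DC=userdomain,DC=com the service account is found; narrow the Base DN to OU=Users,DC=userdomain,DC=com and the same bind credentials produce no user DN, which is the outcome the firewall reports. Against a live directory the equivalent check is the same filter run with ldapsearch under the profile's Base DN, compared with the distinguishedName of the account.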
02-17-2026 03:16 PM
Thanks for getting back to me. The base DN in the LDAP server profile was set to DC=userdomain,DC=com.
I'll try to gather the logs again. When I tried "tail follow yes mp-log authd.log" I wasn't seeing anything with respect to the testing. When I pulled a packet capture I do see RSTs from the server. I tested with the same username as I have for the actual binding, but I can retest with a different user tomorrow to confirm I'm actually seeing that being sent to the server.