Authentication seems to be the most difficult task....


No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":

 

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :

 

Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins

admin@PA500-01>

admin@TN-19023-PA500-01> show user group-mapping state all


Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN : ldap.read@domain.lan
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
10.100.6.205(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
10.100.6.210(636)
10.100.21.210(636)
10.110.6.210(636)
Number of Groups: 1
cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

admin@PA500-01>

[Attached screenshots: AD group, Auth_Profile, seq]

 

 


Do..... show user group list

and post the result.

admin@PA500-01> show user group list

cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
cn=domain users,cn=users,dc=domain,dc=lan

Total: 2
* : Custom Group

admin@PA500-01>

Sorry, users not admins...

 

show user group name "cn=domain users,cn=users,dc=domain,dc=lan"

 

 

Just to see if the members are seen by the PA.

admin@PA500-01> show user group name "cn=domain users,cn=users,dc=domain,dc=lan" | match steven.williams
[5510 ] domain\steven.williams
[5515 ] domain\steven.williams.da
admin@PA500-01>

 

I sure am. 

 

This one too.

 

admin@PA500-01> show user group name "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"

short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da

admin@PA500-01>

 

Something just isn't making sense.

Not making sense... Welcome to my world of re-badged Junipers, sorry, I meant Palo Altos....

 

In the server profile, try removing the authentication modifier, or set it to none; can't remember the exact setting.

 

Also.. You did say in your first reply that show user group came back with no results. Can't see why it does now...

Username modifier...

Used a different BIND account.

So what do you get now when you cli test authentication blah blah...?

The information coming back from the group mapping does not match the information you have configured in your authentication profile. 

 

Your group members are being represented as domain\name, whereas your auth profile is domain.lan\name

 

Updating the User Domain to domain in your authentication profile may fix you up.
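The mismatch this reply describes, modelled as an added example (not PAN-OS code; the firewall's real allow-list check is internal and is only summarised by the CLI message "User ... is not allowed with authentication profile ..."). The GROUP_MAPPING data is constructed from the `show user group name` output posted above. The way the identity is built from the User Domain field, and the case-insensitive comparison, are assumptions made for the model, chosen to reproduce the behaviour seen in the thread: a profile configured with `domain.lan` never matches members that group mapping reports as `domain\user`.

```python
# Added example, not PAN-OS code: a simplified model of the allow-list check
# being debugged in the thread. It reproduces only the comparison described
# in the replies: the identity built from the auth profile's User Domain must
# match the "domain\user" form that group mapping reports.
from typing import Dict, Iterable, Set, Tuple

# Constructed sample data, copied from the CLI output posted in the thread.
GROUP_MAPPING: Dict[str, Set[str]] = {
    "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan": {
        "domain\\steven.williams.da",
    },
    "cn=domain users,cn=users,dc=domain,dc=lan": {
        "domain\\steven.williams",
        "domain\\steven.williams.da",
    },
}


def build_identity(user_domain: str, user_input: str) -> str:
    """Identity the allow-list check compares against group mapping.

    Assumption: the check prefixes the typed name with the profile's
    User Domain, so a User Domain of 'domain.lan' yields 'domain.lan\\user'.
    An empty User Domain leaves the typed name as-is.
    """
    if user_domain:
        return f"{user_domain}\\{user_input}"
    return user_input


def allow_list_check(
    user_domain: str,
    allow_list: Iterable[str],
    user_input: str,
    group_mapping: Dict[str, Set[str]] = GROUP_MAPPING,
) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Comparison is case-insensitive (the posted test output lower-cases the
    name), but the domain prefix must match literally: no DNS-to-NetBIOS
    translation is attempted, which is exactly why 'domain.lan' fails.
    """
    identity = build_identity(user_domain, user_input).lower()
    for entry in allow_list:
        if entry == "all":
            return True, "allow list is 'all'"
        members = group_mapping.get(entry.lower())
        if members is None:
            # Entry is a single user, not a mapped group.
            if entry.lower() == identity:
                return True, f"user entry matched {identity}"
            continue
        if identity in {m.lower() for m in members}:
            return True, f"{identity} is a member of {entry}"
    return False, f"{identity} not found in any allow-list entry"


def explain_mismatch(
    user_domain: str,
    user_input: str,
    group_mapping: Dict[str, Set[str]] = GROUP_MAPPING,
) -> str:
    """Diagnose a failed check: look for a mapped member whose short name
    matches the typed user but whose domain prefix differs."""
    ident_domain, _, ident_user = build_identity(user_domain, user_input).rpartition("\\")
    for members in group_mapping.values():
        for member in members:
            m_domain, _, m_user = member.rpartition("\\")
            if m_user.lower() == ident_user.lower() and m_domain.lower() != ident_domain.lower():
                return (
                    f"group mapping reports '{member}' but the profile builds "
                    f"'{ident_domain}\\{ident_user}'; set User Domain to '{m_domain}'"
                )
    return "no near-miss found"


if __name__ == "__main__":
    allow = ["cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"]
    for domain in ("domain.lan", "domain"):
        ok, why = allow_list_check(domain, allow, "Steven.Williams.da")
        print(f"User Domain={domain!r}: allowed={ok} ({why})")
        if not ok:
            print("  hint:", explain_mismatch(domain, "Steven.Williams.da"))
```

Running the block shows the check failing with User Domain `domain.lan` and passing once it is `domain`, which is the change suggested in this reply; `explain_mismatch` prints the near-miss so the difference between the two prefixes is visible rather than buried in a generic "not allowed" message.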

 

 

Are you referring to the "username modifier" in the authentication profile?

Still this:

 

Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins


admin@PA500-01>
admin@PA500-01>
admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da

admin@PA500-01> show user group list

cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
cn=domain users,cn=users,dc=domain,dc=lan

Total: 2
* : Custom Group

admin@PA500-01>

 

 

There has to be a deeper-level debug or something to see what's wrong, no?

 

OK, sorry, I've lost the thread here slightly...

 

In my authentication profile I have the following settings:

user domain (our domain name)

username modifier  (%USERINPUT%)

 

 

Is this similar to yours?

In your previous post, as below:

 

admin@PA500-01> show user group name "cn=domain users,cn=users,dc=domain,dc=lan" | match steven.williams
[5510 ] domain\steven.williams
[5515 ] domain\steven.williams.da
admin@PA500-01>

 

 

Whatever it is in place of "domain", stick that in the user domain box.

Yes, I have done those combos and it still didn't work.

In the auth profile advanced tab,

select Add and start typing your name.

It should auto-populate.

Save this and then test CLI authentication.
