Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1889): user_id database is not bound yet


L4 Transporter

Hi All,

 

While troubleshooting an intermittent GP issue, I have noticed the below error repeating in the useridd.log.

I am not sure if this is part of the problem or not, but it does look a little worrying. I can still browse AD from the firewall and find groups.

 

2021-09-20 16:18:10.268 +1000 connecting to ldap://[192.168.1.1]:389 ...
2021-09-20 16:18:10.273 +1000 ldap cfg UserGroupMapping connected to 192.168.1.1:389(index 0)
2021-09-20 16:18:10.327 +1000 Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1889): user_id database is not bound yet

 

I can also see groups mapped when I run the below command:

 

> show user group-mapping state all

 

Performing the below commands hasn't seemed to help either:

 

> debug user-id reset group-mapping all

> debug software restart process user-id

 

User-ID is still functioning in some respect as people are able to authenticate to GP and users are able to access resources through security policy rules where user-id is defined.

 

Any ideas on how to resolve this error?

 

Thanks in advance.

9 REPLIES 9

L4 Transporter

@BPry @reaper Any ideas here?

@Ben-Price 

 

Did this issue get resolved? I am also facing the same issue.

 

L4 Transporter

@Joshan_Lakhani No sorry it was never resolved. Still pending.

L1 Bithead

I am also having this issue.

pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1889): user_id database is not bound yet

When I supply this command, it seems it's pulling and has it in the db. It appears to me that when I created the user names they are getting populated in the PA, but I am unable to log in with the username.

 

User Name                     Vsys   Groups
------------------------------------------------------------------
ramslab.local\fwadmin         vsys1  cn=administrators,cn=builtin,dc=ramslab,dc=local
                                     cn=domain users,cn=users,dc=ramslab,dc=local
                                     cn=users,cn=builtin,dc=ramslab,dc=local
                                     cn=domain admins,cn=users,dc=ramslab,dc=local
                                     cn=denied rodc password replication group,cn=users,dc=ramslab,dc=local
ramslab.local\azwinadmin      vsys1  cn=administrators,cn=builtin,dc=ramslab,dc=local
                                     cn=domain users,cn=users,dc=ramslab,dc=local
                                     cn=users,cn=builtin,dc=ramslab,dc=local
                                     cn=domain admins,cn=users,dc=ramslab,dc=local
                                     cn=group policy creator owners,cn=users,dc=ramslab,dc=local
                                     cn=schema admins,cn=users,dc=ramslab,dc=local
                                     cn=enterprise admins,cn=users,dc=ramslab,dc=local
                                     cn=denied rodc password replication group,cn=users,dc=ramslab,dc=local
ramslab.local\az-linx-vm-2$   vsys1  cn=domain controllers,cn=users,dc=ramslab,dc=local
                                     cn=denied rodc password replication group,cn=users,dc=ramslab,dc=local

L1 Bithead

I'm getting a similar error. User-ID is set to LDAP (multiple Windows Domain Controllers), all 3 show connected, but traffic logs do not show the user, causing the traffic to miss the correct security policy and be blocked. useridd.log shows:
useridd.log
2022-04-05 08:52:33
2022-04-05 08:52:33.609 -0400 Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1872): user_id database is not bound yet

Cheers,

Brian@securedynamics.net

Cyber Elite

Hello All,

For me it was groups that were not configured correctly after a major migration.

OtakarKlier_0-1657125650471.png

 

OtakarKlier_1-1657125677748.png

So it was a misconfiguration basically.

Regards,

Hello Brian and all,

I'm getting exactly the same error.

Did you find a fix?

Thanks!

Cheers

Yes. It got fixed. It was due to one of the Domain controllers is communicating as expected, and another reason found was that the bind was incorrect.
I would like to check (re-check once):
Bind name
Communication between domain controllers
Service account
Hope that helps to resolve the issue.
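
Added example (not part of the thread and not Palo Alto Networks code): a Python script that scans useridd.log text in the format quoted above and counts "user_id database is not bound yet" errors per group-mapping profile and LDAP server, so the bind and service-account checks can start with the server that connected just before the error. Attributing an error to the most recent connect within a 5-second window is an assumption of this example, as are the names `correlate` and `SAMPLE_LOG`; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the useridd.log format quoted in the thread.
SAMPLE_LOG = """\
2021-09-20 16:18:10.268 +1000 connecting to ldap://[192.168.1.1]:389 ...
2021-09-20 16:18:10.273 +1000 ldap cfg UserGroupMapping connected to 192.168.1.1:389(index 0)
2021-09-20 16:18:10.327 +1000 Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1889): user_id database is not bound yet
2021-09-20 16:19:10.101 +1000 ldap cfg UserGroupMapping connected to 192.168.1.2:389(index 1)
2021-09-20 16:25:00.000 +1000 Error: pan_ldap_ctrl_search_device(pan_ldap_ctrl.c:1872): user_id database is not bound yet
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) "
CONNECTED = re.compile(TS + r"ldap cfg (\S+) connected to (\S+?):(\d+)\(index (\d+)\)")
# The source line number (1889, 1872, ...) differs between posts, so match any.
NOT_BOUND = re.compile(TS + r"Error: pan_ldap_ctrl_search_device\(pan_ldap_ctrl\.c:\d+\): "
                            r"user_id database is not bound yet")

def parse_ts(text):
    """Parse a useridd.log timestamp, including its UTC offset."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f %z")

def correlate(log_text, window=timedelta(seconds=5)):
    """Count 'not bound yet' errors per (profile, 'host:port').

    An error is attributed to the latest successful connect if it occurs
    within `window` after it (assumed heuristic); otherwise the key is None.
    """
    hits = Counter()
    last = None  # (timestamp, profile, "host:port") of the latest connect
    for line in log_text.splitlines():
        m = CONNECTED.match(line)
        if m:
            last = (parse_ts(m.group(1)), m.group(2), f"{m.group(3)}:{m.group(4)}")
            continue
        m = NOT_BOUND.match(line)
        if m:
            when = parse_ts(m.group(1))
            if last and timedelta(0) <= when - last[0] <= window:
                hits[(last[1], last[2])] += 1
            else:
                hits[None] += 1
    return hits

if __name__ == "__main__":
    for key, count in correlate(SAMPLE_LOG).items():
        print(key or "no recent connect", count)
```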
