05-04-2014 06:08 AM
We frequently face an error when fetching the group mapping in the User-ID tab. The error normally shows up as "failed to execute op command". One of the reasons can be invalid credentials in the LDAP configuration.
Troubleshoot this error with: tail follow yes mp-log userid-log
2014-05-04 14:31:21.052 +0400 connecting to ldap://[192.168.0.199]:389 ...
2014-05-04 14:31:21.056 +0400 Error: pan_ldap_bind_simple(pan_ldap.c:393): ldap_sasl_bind result return(49) : Invalid credentials
2014-05-04 14:31:21.056 +0400 Error: pan_user_get_ldap(pan_group_selection_n.c:67): pan_ldap_bind() failed
2014-05-04 14:31:21.056 +0400 Error: cfgagent_doop_callback(pan_cfgagent.c:503): Failed to handle op command for agent: useridd
Reconfigure the credentials in the LDAP profile.
After changing the credentials, the groups can be pulled.
2014-05-04 14:32:53.760 +0400 connecting to ldap://[192.168.0.199]:389 ...
2014-05-04 14:32:55.860 +0400 connecting to ldap://[192.168.0.199]:389 ..
Aamir Khan
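An added example, not part of the original post and not Palo Alto Networks code: this Python script pairs each "connecting to" line in the log quoted above with the LDAP bind result that follows it, so a result of 49 stands out per server. The sample lines are copied from the post; the function names and the result-code table (standard codes from RFC 4511) are assumptions of this example.

```python
import re

# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG = """\
2014-05-04 14:31:21.052 +0400 connecting to ldap://[192.168.0.199]:389 ...
2014-05-04 14:31:21.056 +0400 Error: pan_ldap_bind_simple(pan_ldap.c:393): ldap_sasl_bind result return(49) : Invalid credentials
2014-05-04 14:31:21.056 +0400 Error: pan_user_get_ldap(pan_group_selection_n.c:67): pan_ldap_bind() failed
2014-05-04 14:32:53.760 +0400 connecting to ldap://[192.168.0.199]:389 ...
2014-05-04 14:32:55.860 +0400 connecting to ldap://[192.168.0.199]:389 ..
"""

# Standard LDAP result codes (RFC 4511) that commonly appear on a failed bind.
RESULT_CODES = {
    8: "strongerAuthRequired",
    49: "invalidCredentials",
    52: "unavailable",
    53: "unwillingToPerform",
}

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
CONNECT = re.compile(TS + r"connecting to (?P<scheme>ldaps?)://\[?(?P<host>[^\]\s]+?)\]?:(?P<port>\d+)")
BIND_ERR = re.compile(TS + r"Error: \w+\([^)]*\): \w+ result return\((?P<code>\d+)\) : (?P<text>.*)")


def parse_attempts(log_text):
    """Pair each 'connecting to' line with the bind error that follows it, if any."""
    attempts = []
    for line in log_text.splitlines():
        m = CONNECT.match(line)
        if m:
            attempts.append({"ts": m["ts"], "host": m["host"], "port": int(m["port"]),
                             "scheme": m["scheme"], "code": None, "reason": None})
            continue
        m = BIND_ERR.match(line)
        if m and attempts and attempts[-1]["code"] is None:
            code = int(m["code"])
            attempts[-1]["code"] = code
            attempts[-1]["reason"] = RESULT_CODES.get(code, m["text"].strip())
    return attempts


def credential_failures(attempts):
    """Count result-49 binds per server; repeated ones can trip directory lockout policy."""
    counts = {}
    for a in attempts:
        if a["code"] == 49:
            counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["ts"], f'{a["scheme"]}://{a["host"]}:{a["port"]}', a["reason"] or "no bind error logged")
    print(credential_failures(parse_attempts(SAMPLE_LOG)))
```

An `ldap://` scheme in the output does not by itself show whether the bind was protected by TLS, so it is worth checking the server profile's SSL/TLS setting when a simple bind appears on port 389.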
05-05-2014 11:28 AM
Yes it is Server 2012.
05-05-2014 12:24 PM
Hello Aamir,
TAC support for the UID agent running on Windows 2012 is not available. Also, for Terminal Server Agent on Windows 2012, I do see a feature request (FR ID: 3062) submitted to our development team.
Topic: Terminal Server Agent / Windows Server 2012 Support
Priority: High
FR ID: 3062
Please get in touch with your Palo Alto SE for the roadmap.
Apart from the above-mentioned error, a few customers confirmed the setup running fine in their environment.
Reference: https://live.paloaltonetworks.com/message/27804#27804
Thanks
05-05-2014 12:31 PM
I am using agentless and not the User-ID agent. Besides, this document is used to counter the error upon fetching the group mapping so that we can use it for LDAP authentication.
08-13-2014 04:00 AM
Just for anyone interested - I had an intermittent issue with the error "Failed to execute op command" which I traced to be an issue with resolving DNS. It seems a DNS request was made each time and this was not reliable.
I changed server address from FQDN to IP addresses to resolve the problem.
Steve