- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Getting LDAP Error
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Getting LDAP Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-24-2019 09:16 PM
We are trying to configure "Group Include List" in the Group Mapping Settings in User Identification but when we click on the Base DN to browse available groups, we get "Connect error".
Group Mapping(vsys1, type: active-directory): ADMap
Bind DN : CN=svc_paloalto_auth,OU=Service Accounts,OU=Consult Cloud,OU=Hosted,DC=cloud,DC=local
Base : DC=cloud,DC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 2 servers
192.168.10.21(636)
Last LDAP error: Connect error
192.168.0.25(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
Last LDAP error: Connect error
Number of Groups: 0
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-25-2019 02:21 PM
Hi @MickBall
During some further troubleshooting yesterday, I found that the Palo Alto was actually denying the SSL connection to the LDAP server and sending RST to in both directions.
All is good now.
Thanks for your help.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-24-2019 09:25 PM
Is this new setup or was it working before?
IS password configured on the PA correct?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-24-2019 09:27 PM
Hi @MP18
New setup but configuration matched with working solution in different data centre.
The service account for this setup resides in the same OU as the service account for the solution that does work.
Yes password is correct.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-24-2019 09:33 PM
try this command please
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-24-2019 09:50 PM
Hi @MP18
test authentication authentication-profile LDAP-Profile username User4-LDAP password
can be used to verify username/password once LDAP connectivity has been established.
You can’t use the command to verify the service-account, because it requires LDAP connectivity… which is failing to connect.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-25-2019 01:05 AM
do you have the ability to flip ssl off, go back to port 389, then capture packets to see if this is a SSL issue with version mismatch or cert expiry........
or issues with Bind itself.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-25-2019 02:21 PM
Hi @MickBall
During some further troubleshooting yesterday, I found that the Palo Alto was actually denying the SSL connection to the LDAP server and sending RST to in both directions.
All is good now.
Thanks for your help.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-25-2019 03:16 PM
was this connection via Management plane?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-26-2019 02:59 PM
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
11-26-2019 03:31 PM
Thanks Farzana.
- MFA - LDAP ( Active Directory ) Radius/Tacacs+ Internal Resource Access in General Topics
- Support portal login error in General Topics
- Error when commit in General Topics
- Globalprotect 6.0.1 not working with Windows 8.1 in GlobalProtect Discussions
- Issue passing traffic with Global Protect client 5.2.9 or later in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
