How can I test a ldap server that is healthy or not?


L2 Linker

Dear all

        We need to replace our old LDAP server config with a new LDAP server on the PA firewall and Panorama. I want to know, if I add a new LDAP server config on the PA firewall and Panorama, how can I test the health of the new LDAP server? I tried to use the telnet command to connect to the new LDAP server's port 636 or 389, but I found there is no telnet command on the PA firewall and Panorama...

        On the PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on Panorama. I need you to do me a favor~

 

Best wishes

Cat 


Accepted Solutions

Cyber Elite

Hi @459768405 ,

 

Not only can you test the initial LDAP connection as described by @Raido_Rattameister above, but you can also create a new authentication profile for the new LDAP server and test authentication to it via the CLI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/test-the-configurat...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.


6 Replies

L6 Presenter

@459768405 wrote:

Dear all

        We need to replace our old LDAP server config with a new LDAP server on the PA firewall and Panorama. I want to know, if I add a new LDAP server config on the PA firewall and Panorama, how can I test the health of the new LDAP server? I tried to use the telnet command to connect to the new LDAP server's port 636 or 389, but I found there is no telnet command on the PA firewall and Panorama...

        On the PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on Panorama. I need you to do me a favor~

 

Best wishes

Cat 


I don't have access to the PAN or FW UI right now, but is there a "test connection" button in the GUI? I don't know of an easy way to test, but the firewall's ability to connect to/contact an LDAP server shows up in the system logs. So if a server goes offline there will be a log for that. Also, I don't believe Panorama will "connect" to the servers in your LDAP profile; that only happens from the firewalls themselves. So if you've already executed the group include list command from the FW and it's working, that should be enough to tell you it is. Especially if you're not seeing any system log error messages.

Cyber Elite

In the firewall, add a new LDAP profile.

Enter the server into "Server List".

Add the Bind DN and password.

If the "Base DN" dropdown populates, then the connection to the LDAP server is successful.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
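The check above (bind DN plus password, then see whether the directory answers) and the CLI authentication test in the accepted solution both come down to one question: does the server accept an LDAP bind? The script below, an added example that is not from this thread or from Palo Alto Networks, performs that bind from any host that can reach the directory (the firewall and Panorama have no telnet, as noted above): it opens TCP to 389 (or TLS to 636, verifying the certificate), sends a hand-framed LDAPv3 simple BindRequest, and reports the resultCode from the BindResponse. Hostnames, DNs and passwords are placeholders; the small fake server in the block is constructed so the check runs offline, speaks plaintext only, and answers success or invalidCredentials, so the TLS path is only exercised against a real LDAPS server.

```python
"""Added example: LDAPv3 simple-bind health check framed by hand per RFC 4511 (no LDAP library)."""
import socket
import ssl
import threading

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49   # RFC 4511 resultCode values

def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER TLV; length in short form below 128 bytes, long form otherwise."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def _int(value: int) -> bytes:               # BER INTEGER, minimal two's complement
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }."""
    bind = _int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, off: int = 0):
    """Decode the TLV at offset; returns (tag, value, offset of the next TLV)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(buf)
    _, msg_id, off = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, off)
    if tag != 0x30 or op_tag != 0x61:            # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not an LDAP BindResponse")
    _, rc, off = _read_tlv(op)                   # ENUMERATED resultCode
    _, _matched_dn, off = _read_tlv(op, off)
    _, diag, _ = _read_tlv(op, off)
    return int.from_bytes(msg_id, "big", signed=True), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def _recv_message(sock) -> bytes:
    """Read exactly one top-level BER TLV (an LDAPMessage); a short read fails in the caller."""
    f = sock.makefile("rb")
    head, extra = f.read(2), b""
    length = head[1]
    if length & 0x80:
        extra = f.read(length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + f.read(length)

def check_ldap_bind(host, port, bind_dn, password, use_tls=False, timeout=5.0, cafile=None):
    """Health check returning (ok, detail); ok is True only when the bind resultCode is 0."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:                              # LDAPS on 636; the server certificate is verified
            sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(build_bind_request(1, bind_dn, password))
            msg_id, rc, diag = parse_bind_response(_recv_message(sock))
        if msg_id != 1:
            return False, f"unexpected messageID {msg_id}"
        return rc == LDAP_SUCCESS, f"resultCode={rc} {diag}".rstrip()
    except (OSError, ValueError, IndexError) as exc:   # refused, timeout, TLS or BER failure
        return False, f"{type(exc).__name__}: {exc}"

def start_fake_ldap_server(expected_dn: str, expected_pw: str):
    """Constructed offline stand-in (plaintext) answering success or invalidCredentials; returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                          # lets the accept loop notice stop()
    stop = threading.Event()

    def handle(conn):
        with conn:
            conn.settimeout(5.0)
            _, msg, _ = _read_tlv(_recv_message(conn))
            _, msg_id, off = _read_tlv(msg)
            _, op, _ = _read_tlv(msg, off)
            _, _version, off = _read_tlv(op)
            _, dn, off = _read_tlv(op, off)
            _, pw, _ = _read_tlv(op, off)
            ok = (dn.decode(), pw.decode()) == (expected_dn, expected_pw)
            rc = LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS
            resp = _tlv(0x61, _tlv(0x0A, bytes([rc])) + _tlv(0x04, b"") + _tlv(0x04, b"demo"))
            conn.sendall(_tlv(0x30, _tlv(0x02, msg_id) + resp))

    def serve():
        while not stop.is_set():
            try:
                handle(srv.accept()[0])
            except socket.timeout:
                continue
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], lambda: (stop.set(), thread.join())
```

Against the real directory, call `check_ldap_bind("ldap.example.com", 636, "cn=svc-pan,dc=example,dc=com", password, use_tls=True, cafile="ca.pem")` with the same bind DN the firewall profile uses. Read `detail` rather than only `ok`: a resultCode of 49 (invalidCredentials) still proves the server is reachable, answering LDAP and checking passwords, which is a different failure from a refused connection, a timeout or a certificate error, and those are the cases that would also show up as errors in the firewall's system logs.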


Thank you for your help, I tried it on the firewall. It worked. But in Panorama, there is no dropdown populating in Base DN, it's strange

[attached screenshot]

 

Yes, only the firewall has the dropdown. Panorama doesn't have it.

You can just click the "Clone" button on the LDAP profile pushed from Panorama and test the dropdown. After the test, just delete the cloned profile from the firewall and adjust the profile in Panorama as needed.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you! But I mean the LDAP on Panorama is used by Panorama itself; it will be used by the authentication manager to log in to the WebUI or CLI of Panorama. But that's OK, I have tried the method that was suggested, and it worked.

 
