This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

is ssl required for 363 port for LDAP profile

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

is ssl required for 363 port for LDAP profile

HussainMohammed
L1 Bithead

‎11-13-2021 05:14 AM

Our client has LDAP configured with 363 port, ssl/tls box unchecked. having issue with GP connection, showing error as 'ldap cfg SCB_Group_7 failed to connect to server: Can\'t contact LDAP server'.

0 Likes Likes
2 REPLIES 2

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎11-14-2021 01:16 AM

Hi @HussainMohammed ,

 Do you mean port 636 - which is default for LDAPS? Or you use custom port 363?

Changing only the port in LDAP profile doesn't really enable encryption. Firewall will still try to use plaintext LDAP over 636 if you don't have enabled ssl/tls checkbox. If you want to use encrypted LDAP you need to check the box and put the ports that DC is configured to allow.

 

It is intersting to note what official documentation says about enabling the checkbox and with different ports:

Astardzhiev_0-1636881345097.png

 

 

The error you receive indicates that firewall is not able to make LDAP queries. There are few reasons, from no network connection between FW and DC, DC requires encryption, to bind credentials are incorrect or lack permissions.

 

- Have you confirm network connectivity between FW and DC? Try to ping DC from firewall.

- If you not sure if ping is allowed to DC, it probably better to set a packet capture on the FW. This will show you not only if TCP session is established, but also what reply you get from DC, when bind request is sent.

- The easiest way to test connection to LDAP (and not way for user to try to authenticate) is to try to create group mapping and try to expand the domain tree - this way FW will try to pull domain structure from DC over LDAP, which will generate traffic that you can capture.

 

 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎11-14-2021 07:58 PM

@HussainMohammed,

Another thing to check outside of what @aleksandar.astardzhiev mentioned is that you aren't dropping the LDAPS traffic on the firewall itself if your management interface traffic has to route through security zones. The firewall will see LDAPS traffic as standard SSL traffic, so you'll either need to create an application-override entry, a custom app-id, or just allow ssl over 636/tcp in your security rulebase.

I've seen a lot of people spend a lot of time troubleshooting LDAPS issues without verifying that the traffic is actually getting allowed.

0 Likes Likes
  • 2100 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks