LDAP and user authentication/authorization


LDAP and user authentication/authorization

L1 Bithead

Hi all!

I have a problem using LDAP for user/management authentication/authorization. When I try to log in via my domain I get the following in my log (after logging in again with the admin account):

Authorization failed for user *\* via Web from *.*.*.* : Invalid user 06/06 12:41:19

User '*\*' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. From: *.*.*.*.

Any suggestions?

Accepted Solution

Please follow the configuration steps provided in the following document: https://live.paloaltonetworks.com/docs/DOC-1989

Unless the username you are using to login is 'AllowDomainAdmins', there is a misconfiguration.

As outlined in the document, it is required to create a Device -> Administrator account for each AD account that will be used.

Hope this helps!

- Stefan
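The pattern in the original post (the LDAP step says "authenticated", the next line says "Authorization failed ... Invalid user") is exactly the symptom the accepted answer describes: the directory accepted the credentials, but the firewall had no administrator to map that user onto. The script below is an added example, not part of the original thread or of any Palo Alto Networks tool. It pairs the two kinds of lines per user and source address and flags users who passed authentication but were then rejected. The sample log lines are constructed to match the shape of the two lines quoted in the post (the field names and the "no Device > Administrators account" interpretation are assumptions drawn from the accepted answer, not a log-format specification).

```python
import re

# Constructed sample lines in the shape of the two system-log entries quoted in
# the original post. They are not a specification of the PAN-OS log format.
SAMPLE_LOG = """\
User 'EXAMPLE\\alice' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. From: 192.0.2.10.
Authorization failed for user EXAMPLE\\alice via Web from 192.0.2.10 : Invalid user 06/06 12:41:19
User 'EXAMPLE\\bob' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. From: 192.0.2.11.
User 'admin' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. From: 192.0.2.12.
Authorization failed for user EXAMPLE\\carol via Web from 192.0.2.13 : Invalid user 06/06 12:45:02
"""

# Authentication succeeded: the authentication profile / sequence accepted the credentials.
AUTH_OK = re.compile(
    r"User '(?P<user>[^']+)' authenticated\..*?From: (?P<src>[0-9.]+)\.")
# Authorization failed: the firewall could not map the user onto an administrator.
# The trailing date/time is optional so the regex also matches lines without it.
AUTHZ_FAIL = re.compile(
    r"Authorization failed for user (?P<user>\S+) via \S+ from (?P<src>[0-9.]+) : "
    r"(?P<reason>.+?)(?: \d\d/\d\d \d\d:\d\d:\d\d)?$")


def triage(log_text):
    """Map (user, source IP) -> verdict for every login attempt seen in log_text."""
    authed, failed = set(), {}
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed.add((m["user"], m["src"]))
            continue
        m = AUTHZ_FAIL.search(line)
        if m:
            failed[(m["user"], m["src"])] = m["reason"].strip()

    verdicts = {}
    for key in authed | set(failed):
        if key in authed and key in failed:
            # Directory said yes, firewall said no: the accepted answer's case.
            verdicts[key] = ("authenticated but not authorized (%s): "
                             "no Device > Administrators account for this user?" % failed[key])
        elif key in authed:
            verdicts[key] = "ok"
        else:
            verdicts[key] = ("authorization failed with no authentication record (%s)"
                             % failed[key])
    return verdicts


def users_missing_admin_account(log_text):
    """Sorted list of users that passed LDAP authentication but were then rejected."""
    return sorted(user for (user, _), verdict in triage(log_text).items()
                  if verdict.startswith("authenticated but not authorized"))


if __name__ == "__main__":
    for (user, src), verdict in sorted(triage(SAMPLE_LOG).items()):
        print("%-16s %-12s %s" % (user, src, verdict))
```

Run it against an export of the system log; every user in the "authenticated but not authorized" bucket is a candidate for a missing administrator entry, whereas a failure with no authentication line at all points back at the authentication profile rather than at the administrator list.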


9 Replies

L4 Transporter

Please check the authentication profile and authentication sequence. Are you referring to the correct profile for authentication? The empty spaces indicate that it is having trouble with the authentication profile.

Hi and thanks for the reply. Please see attached pictures of my current setup. The LDAP has contact with the server, so this is not the problem...

Best Regards/Vennlig Hilsen,

Kåre Tragethon

IT & Automasjon

Hallingplast AS

Tlf: +47 32 09 56 85

Fax: +47 32 09 55 94

Mob: +47 95 25 14 38

www.hallingplast.no

Could it be the classical mistake of using "domain.local" instead of just the netbios name "domain"?

Described in https://live.paloaltonetworks.com/thread/5050?tstart=0

Thanks but that didn't help. By the way, I'm only using LDAP (no user agent)..... I could also mention that I'm only trying to access the Management Interface at the moment. Could that be a problem?? Do I have to create any security rules to allow access?

I don't know if you can set up security rules for the management interface (if you use the physical mgmt interface); however, you would need to do so if you have service-routed your traffic to use a dataplane interface.


In the Bind DN example, "CN=ldap,CN=users,DC=plano2003,DC=com", I'm a little confused about what to replace CN=ldap and CN=users with.

CN=ldap (should I replace with the OU of my Active Directory?)

CN=users (should I replace with the username?)

In the Bind DN example, a user named 'ldap' has been created inside of the 'CN=users,DC=plano2003,DC=com' container.

Another example of this is if you were to use the built-in 'Administrator' account. The equivalent would be:

CN=administrator,CN=users,DC=plano2003,DC=com

Please know, a simpler way to specify the Bind DN is to use username@domain. Here are some examples showing two different DN formats that are equivalent.

CN=paloalto,OU=firewalls,OU=network,DC=plano2003,DC=com

paloalto@plano2003.com

CN=ldap,CN=users,DC=plano2003,DC=com

ldap@plano2003.com

CN=administrator,CN=users,DC=plano2003,DC=com

administrator@plano2003.com

Attached is example screenshot.

- Stefan

The document is based on:

Root OU being  Plano.2003.com

ldap is contained in Users, under Plano.2003.com. The corresponding Bind DN is going to be CN=ldap,CN=Users,DC=example,DC=com.

Please refer to the https://live.paloaltonetworks.com/docs/DOC-2910.

Also try authenticating after removing the filtered Allow List. Most probably the user in question is not authorized to query the OU.

Regards,

Ameya
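Stefan's reply lists the three spellings of the same account (a full DN, a UPN such as ldap@plano2003.com, and the container path), and Ameya's reply hinges on the relationship between the bind account, the base DN and the OU being searched. The code below is an added example, not from the original thread or from Palo Alto Networks: a small RFC 4514 DN parser that honours backslash escapes, a containment check that tells you whether a subtree search rooted at the base DN can reach a given account, a classifier for the three identity spellings, and an offline sanity check over a profile's bind identity and base DN. All DNs in it reuse the thread's plano2003.com example; the function names and the finding texts are the example's own, and it cannot tell you whether the bind account has read rights on the OU (that needs a live ldapsearch against the domain controller).

```python
import re


def parse_dn(dn):
    """Split an LDAP DN (RFC 4514 string form) into [(type, value), ...].

    Backslash escapes are honoured, so r'CN=Smith\, John,OU=x' is two RDNs,
    not three. Attribute types are lower-cased; values keep their case.
    Limitation: multi-byte UTF-8 hex escapes are decoded byte by byte.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):   # \2C style hex escape
                buf.append(chr(int(pair, 16)))
                i += 3
            else:                                        # \, \= \\ style escape
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r in %r" % (rdn, dn))
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def is_under(dn, base_dn):
    """True if dn is at or below base_dn. AD DNs compare case-insensitively."""
    d = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def classify_login_name(name):
    """Which spelling of an AD identity this is: 'dn', 'upn', 'down-level' or 'bare'."""
    if re.match(r"^\s*[A-Za-z][A-Za-z0-9-]*=", name):
        return "dn"            # CN=ldap,CN=Users,DC=plano2003,DC=com
    if "\\" in name:
        return "down-level"    # PLANO2003\ldap
    if "@" in name:
        return "upn"           # ldap@plano2003.com
    return "bare"


def check_ldap_profile(bind_identity, base_dn, admin_dn=None):
    """Offline sanity checks on an LDAP server profile before committing it.

    Returns a list of findings; an empty list means nothing obvious is wrong.
    admin_dn, if given, is the DN of an AD account that should be found by a
    subtree search rooted at base_dn.
    """
    findings = []
    try:
        base = parse_dn(base_dn)
    except ValueError as e:
        return ["base DN does not parse: %s" % e]
    if not any(t == "dc" for t, _ in base):
        findings.append("base DN has no DC= components; an AD base DN ends in the domain's DC= chain")

    kind = classify_login_name(bind_identity)
    if kind == "dn":
        try:
            parse_dn(bind_identity)
        except ValueError as e:
            findings.append("bind DN does not parse: %s" % e)
    elif kind == "bare":
        findings.append("bind identity %r names no domain; use CN=...,DC=... or user@domain"
                        % bind_identity)

    if admin_dn is not None and not is_under(admin_dn, base_dn):
        findings.append("%s is outside the base DN, so a subtree search from %s cannot find it"
                        % (admin_dn, base_dn))
    return findings


if __name__ == "__main__":
    print(parse_dn("CN=ldap,CN=Users,DC=plano2003,DC=com"))
    print(check_ldap_profile("ldap@plano2003.com", "OU=network,DC=plano2003,DC=com",
                             admin_dn="CN=ldap,CN=Users,DC=plano2003,DC=com"))
```

The last call in the `__main__` block reproduces a common misconfiguration from the thread: the bind account is fine, but the base DN points at one OU while the administrators live in CN=Users, so the search never sees them.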

