06-06-2012 05:27 AM
Hi all!
I have a problem using LDAP for user/management authentication/authorization. When I try to log in via my domain I get the following in my log (after logging in again with the admin account):
Authorization failed for user *\*via Web from *.*.*.* : Invalid user 06/06 12:41:19
User '*\*' authenticated. Profile authProfileAdmins in an authentication sequence AuthSeqDomainAdmins succeeded. From: *.*.*.*.
Any suggestions?
06-13-2012 09:44 AM
Please follow the configuration steps provided in the following document: https://live.paloaltonetworks.com/docs/DOC-1989
Unless the username you are using to log in is 'AllowDomainAdmins', there is a misconfiguration.
As outlined in the document, it is required to create a Device -> Administrator account for each AD account that will be used.
Hope this helps!
- Stefan
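The two log entries quoted in the original question tell the story of this answer: the second says the LDAP authentication profile accepted the user, the first says authorization still failed with "Invalid user", which is what you see when no matching Device -> Administrator account exists. The following script is an added example, not part of the thread or of PAN-OS; it parses lines in the shape of those two entries (with constructed, unmasked sample values) and gives a per-user verdict so the two failure modes discussed in the thread can be told apart.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the two entries quoted in the thread.
# The thread masks user names and addresses with '*'; these values are made up.
SAMPLE_LOG = [
    r"Authorization failed for user EXAMPLE\jdoe via Web from 192.0.2.10 : Invalid user 06/06 12:41:19",
    r"User 'EXAMPLE\jdoe' authenticated. Profile authProfileAdmins in an authentication sequence "
    r"AuthSeqDomainAdmins succeeded. From: 192.0.2.10.",
    r"Authorization failed for user EXAMPLE\asmith via Web from 192.0.2.11 : Invalid user 06/06 12:45:02",
]

# Authorization failure: the trailing MM/DD HH:MM:SS stamp is optional and dropped.
AUTHZ_FAIL = re.compile(
    r"^Authorization failed for user (?P<user>\S+) ?via (?P<method>\w+) from (?P<src>[\d.]+)"
    r" : (?P<reason>.+?)(?: \d\d/\d\d \d\d:\d\d:\d\d)?$"
)
# Authentication success: records which profile and sequence accepted the user.
AUTHN_OK = re.compile(
    r"^User '(?P<user>[^']*)' authenticated\. Profile (?P<profile>\S+) in an authentication sequence "
    r"(?P<sequence>\S+) succeeded\. From: (?P<src>[\d.]+)\.$"
)


def parse_line(line):
    """Return (event_type, fields) for a recognised line, or None otherwise."""
    m = AUTHZ_FAIL.match(line)
    if m:
        return "authz_fail", m.groupdict()
    m = AUTHN_OK.match(line)
    if m:
        return "authn_ok", m.groupdict()
    return None


def triage(lines):
    """Group events per user and explain each user's outcome in plain words."""
    per_user = defaultdict(lambda: {"authn_ok": [], "authz_fail": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fields = parsed
        per_user[fields["user"]][kind].append(fields)

    verdicts = {}
    for user, ev in per_user.items():
        invalid_user = any(f["reason"] == "Invalid user" for f in ev["authz_fail"])
        if ev["authn_ok"] and invalid_user:
            # The profile accepted the credentials, so the remaining gap is the local
            # administrator object that maps this account to a role.
            verdicts[user] = ("authenticated by profile but not authorized: "
                              "no matching Device > Administrators account")
        elif ev["authz_fail"] and not ev["authn_ok"]:
            verdicts[user] = ("never authenticated: check the authentication profile, "
                              "sequence and allow list before the administrator account")
        elif ev["authn_ok"]:
            verdicts[user] = "login succeeded"
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

An empty user or profile field in these lines (the "empty spaces" mentioned later in the thread) would show up here as a blank `user` key, which is itself a sign that the authentication profile or sequence reference is wrong.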
06-11-2012 10:24 AM
Please check the authentication profile and authentication sequence. Are you referring to the correct profile for authentication? The empty spaces indicate that it is having trouble with the authentication profile.
06-12-2012 12:14 AM
Hi and thanks for the reply. Please see attached pictures of my current setup. The LDAP has contact with the server, so this is not the problem...
Best Regards/Vennlig Hilsen,
Kåre Tragethon
IT & Automasjon
Hallingplast AS
Tlf: +47 32 09 56 85
Fax: +47 32 09 55 94
Mob: +47 95 25 14 38
www.hallingplast.no
06-12-2012 02:27 AM
Could it be the classical mistake of using "domain.local" instead of just the netbios name "domain"?
Described in https://live.paloaltonetworks.com/thread/5050?tstart=0
06-12-2012 03:31 AM
Thanks, but that didn't help. By the way, I'm only using LDAP (no user agent). I could also mention that I'm only trying to access the management interface at the moment. Could that be a problem? Do I have to create any security rules to allow access?
06-12-2012 11:25 PM
I don't know if you can set up security rules for the management interface (if you use the physical mgmt int) - however, you would need to do so if you have service-routed your traffic to use a dataplane interface.
06-13-2012 11:04 AM
In the Bind DN example, "CN=ldap,CN=users,DC=plano2003,DC=com", I'm a little confused about what to replace CN=ldap and CN=users with.
CN=ldap (should I replace with the OU of my Active Directory?)
CN=users (should I replace with the username?)
06-13-2012 12:02 PM
In the Bind DN example, a user named 'ldap' has been created inside of the 'CN=users,DC=plano2003,DC=com' container.
Another example of this is if you were to use the built-in 'Administrator' account. The equivalent would be:
CN=administrator,CN=users,DC=plano2003,DC=com
Please know, a simpler way to specify the Bind DN is to set username@domain. Here are some examples showing two different DN formats that are equivalent.
CN=paloalto,OU=firewalls,OU=network,DC=plano2003,DC=com
CN=ldap,CN=users,DC=plano2003,DC=com
CN=administrator,CN=users,DC=plano2003,DC=com
Attached is an example screenshot.
- Stefan
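To make the structure of these Bind DNs concrete, here is an added example (my own code, not the thread's or Palo Alto's): it splits a DN into its relative components, reports which object is the account, which containers or OUs hold it, which domain the DC parts spell out, and derives the username@domain form mentioned above. It assumes the account's logon name is the same as its CN, which holds for the examples in this thread but is not guaranteed in general.

```python
import re


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], leaf first.

    Commas escaped as '\\,' inside a value (e.g. CN=Doe\\, John) are preserved.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def describe_bind_dn(dn):
    """Explain an AD-style user DN and give its username@domain equivalent."""
    rdns = parse_dn(dn)
    leaf_attr, leaf = rdns[0]
    if leaf_attr != "CN":
        # An AD user object is CN=<name>; starting with OU= or DC= is the
        # mix-up the thread asks about (an OU is a container, not the account).
        raise ValueError("a bind DN for an AD user should start with CN=<account name>")
    # Everything between the leaf and the DC parts is the container path,
    # read from the object outward (CN=users or OU=... entries).
    path = [f"{a}={v}" for a, v in rdns[1:] if a in ("CN", "OU")]
    domain = ".".join(v for a, v in rdns if a == "DC")
    if not domain:
        raise ValueError("DN has no DC components, so no domain can be derived")
    return {
        "account": leaf,
        "path": path,
        "domain": domain,
        # Assumption: logon name equals the CN (true for the thread's examples).
        "upn_form": f"{leaf}@{domain}",
    }


if __name__ == "__main__":
    # The three DNs given in the answer above.
    for dn in (
        "CN=paloalto,OU=firewalls,OU=network,DC=plano2003,DC=com",
        "CN=ldap,CN=users,DC=plano2003,DC=com",
        "CN=administrator,CN=users,DC=plano2003,DC=com",
    ):
        info = describe_bind_dn(dn)
        print(f"{dn}\n  account={info['account']} in {' -> '.join(info['path'])} "
              f"of {info['domain']}; equivalent: {info['upn_form']}")
```

Reading the output for the first DN answers the question above: `CN=paloalto` is the account, the `OU=` parts are where it lives in the directory, and the `DC=` parts are the domain. So CN=ldap is replaced by the name of the bind account, and CN=users stays as the built-in Users container unless the account was created elsewhere.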
06-13-2012 12:13 PM
The document is based on:
Root OU being Plano.2003.com
ldap is contained in Users, under Plano.2003.com. The corresponding Bind DN is going to be CN=ldap,CN=Users,DC=example,DC=com.
Please refer to the https://live.paloaltonetworks.com/docs/DOC-2910.
Also try authentication after removing the filtered Allow List. Most probably the user in question is not authorized to query the OU.
Regards,
Ameya