LDAP Authentication 4.1.x Panorama and FW


There is a ton of various old and somewhat newer LDAP-related info around, but I have not been able to find any good source on step by step and how to troubleshoot - a lot of the junk seems to reference user-id stuff, which I believe is not relevant. Shouldn't I be able to configure an LDAP server profile, an authentication profile, and then use this for authentication (whether admin access or SSL VPN)?

I have been unable to find any logs or info on how to test if my LDAP server profile is even working.

I had Kerberos authentication working just fine, but the bugs with Kerberos and groups make it unusable, so I have to get LDAP configured, but so far I have not been able to.

For my testing I am doing this in Panorama, for the local admin logons to Panorama (because it is so much faster to commit with than a firewall):

Here is what I did - which I believe should work:

Created a user in the domain named pan-admin (for the sake of troubleshooting I gave it domain admin rights)

Created LDAP Server Profile

Name: adtest

Servers: Added two DC's by IP, port 389

Domain: mydom.local

Type: Active-Directory

Base: DC=mydom,DC=local    (this pulled up by dropdown)

Bind DN: DN=pan-admin,OU=Service Accounts,DC=mydom,DC=local

Password: **

I unchecked SSL

the rest is default.

Created an Authentication Profile

Name: adAuthAdmin

Allow List: removed all, and added a single user like mydom\username and a group mydom\groupname by typing them in (I would think that just the group should work, but for testing purposes I also added my specific user)

Authentication: LDAP

Server Profile: adtest

Login Attribute: (left blank, don't really get what the hell this is)

Under Administrators I added 2 users, one for the group (mydom\groupname) and also my individual user for testing, using the "adAuthAdmin" profile and superuser...

Shouldn't that work?

I can't even find out how to test if the LDAP Server profile is even working - logs show nothing at all - when trying a login the system log just shows

     User 'mydom\username' failed authentication.  Reason: Authentication profile not found for the user From: 10.159.14.11.' )

I tried a lot of different things but I have no luck really - the DCs are 2003s - I have 2008R2s as well but figured they'd be less prone to issues using the old ones...

BTW - user identification is working fine with the agents and all that - I don't see how that is even relevant other than that it uses it for dropdowns on the firewalls (not in Panorama since it doesn't have user-id).

Any help appreciated - I might open a ticket soon...

Accepted Solutions

Hi,

Authentication profiles can be used with the following features:

- Captive Portal

- GlobalProtect

- Administrator login

Captive Portal and GlobalProtect will work by specifying the group in the allow list. Administrator login functions differently as it is required to add each individual user (unless VSA is set up https://live.paloaltonetworks.com/docs/DOC-1701).

A couple of notes on your configuration.

1) In the LDAP Server Profile you have the FQDN defined. If left as the FQDN then there can be issues with the user mapping correctly to a group, as there will be two separate references to the user:

mydom.local\user1

mydom\user1

To prevent this problem instead of - Domain: mydom.local

Enter - Domain: mydom

2) In the Authentication Profile you would set the login attribute to sAMAccountName if using AD/LDAP.

For troubleshooting, you want to review system logs and authd.log. Other common issues can be solved by reviewing the output of various 'show user' commands such as:

> show user group name <group name>

> show user user-IDs match-user <username>

> show user group-mapping state all

Hope this helps!

- Stefan
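As an added example (not from the original post or from the Palo Alto product), a small Python helper for checking the LDAP server profile's settings outside the firewall: it normalises the mydom\user, mydom.local\user and user@mydom.local login forms to the short domain that note 1 recommends, builds an escaped sAMAccountName search filter (the login attribute in note 2) for an ldapsearch invocation that mirrors the profile (simple bind, port 389, no SSL), and pulls the memberOf groups out of the LDIF that ldapsearch returns so the group in the allow list can be confirmed. The host, the bind DN form and the LDIF sample are constructed placeholders.

```python
import re

# RFC 4515 escaping so a typed-in username cannot change the meaning of the filter.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def split_login(login):
    """Normalise 'mydom\\user', 'mydom.local\\user' or 'user@mydom.local' to (short_domain, user).
    Collapsing the FQDN to the NetBIOS name mirrors note 1, so both spellings map to one user."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        domain, user = "", login
    return domain.split(".", 1)[0].lower(), user

def user_filter(sam_account_name):
    """Filter for the account the Login Attribute (sAMAccountName) is checked against."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % "".join(
        _ESC.get(c, c) for c in sam_account_name)

def ldapsearch_argv(host, bind_dn, base_dn, sam_account_name, port=389):
    """argv for an ldapsearch mirroring the server profile: simple bind, no SSL, AD base DN.
    -W prompts for the bind password rather than exposing it on the command line."""
    return ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s:%d" % (host, port), "-D", bind_dn,
            "-W", "-b", base_dn, user_filter(sam_account_name), "sAMAccountName", "memberOf"]

def groups_from_ldif(ldif):
    """Return the CN of every memberOf value in ldapsearch's LDIF output."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF continues a long line with a leading space
    groups = []
    for line in unfolded.splitlines():
        if line.lower().startswith("memberof:"):
            m = re.match(r"CN=((?:\\.|[^,])+)", line.split(":", 1)[1].strip(), re.I)
            if m:
                groups.append(m.group(1))
    return groups

# Constructed LDIF, shaped like what ldapsearch prints for the pan-admin account in the post.
SAMPLE_LDIF = """\
dn: CN=pan-admin,OU=Service Accounts,DC=mydom,DC=local
sAMAccountName: pan-admin
memberOf: CN=Domain Admins,CN=Users,DC=mydom,DC=local
memberOf: CN=groupname,OU=Gro
 ups,DC=mydom,DC=local
"""

if __name__ == "__main__":
    user = split_login("mydom.local\\pan-admin")[1]
    print(" ".join(ldapsearch_argv("10.0.0.10", "CN=pan-admin,OU=Service Accounts,DC=mydom,DC=local",
                                   "DC=mydom,DC=local", user)))
    print(groups_from_ldif(SAMPLE_LDIF))  # ['Domain Admins', 'groupname']
```

Run the printed ldapsearch line from a host that can reach the DC on 389; a bind failure or an empty result there points at the profile's bind DN, base or password rather than at the authentication profile.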


More searching and digging and I found this post

which led me to the device/Panorama setting, where a profile has to be chosen for the box.

So this works as long as I add each individual user to the administrators list.

Shouldn't this work by just adding a group?

And I still have no good way of debugging this crap.

Thank you - I have been fiddling with this all day - and discovered it's not working right when doing the LDAP stuff from Panorama, or at least, it works better from the firewall itself. The FQDN versus Wintendo-netbios network name was one of the issues; I had the portal working but not the gateway, and removal of the FQDN fixed that.
