Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

LDAP authentication for CLI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAP authentication for CLI

Not applicable

I got LDAP authentication working so that when logging into the Web GUI the microsoft active directory accounts works with no problems.  When a user logs into the CLI and tries using their LDAP account the system log shows invalid username/password.  the username syntax is <title>.<firstname>.<lastname>.

7 REPLIES 7

L5 Sessionator

Please correct me if I am misunderstanding your issue. A user is able to login through the Web GUI not through the CLI with same login credentials?

that is correct.

Can you please try the following -

1)Login into the cli using a local account and run this command "tail follow yes mp-log authd.log"

2)Now open web-ui session and try to login using the LDAP credentials and observe the login process ( especially the user credentials and their format ) in the cli log.

3)Now open another cli session and try to login using LDAP credentials and see how the logs are different when compared to the login using web-ui, You can also find the reason here for the authentication failure in the logs

Not applicable

I did it and you can see where it has issues, just don't understand it yet.

dmin@ssca-pa-01> tail follow yes mp-log authd.log

****OUTPUT FROM CLI AUTHENTICATION***********************

Sep 26 06:17:11 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle

Sep 26 06:17:11 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>

Sep 26 06:17:11 alt.steven.normoyle admin is being authed

Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle

Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)

Sep 26 06:17:11 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle

Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle failed - trying other hosts

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle

Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle failed - trying other hosts

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_2

Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_3

Sep 26 06:17:11 authentication failed for user <shared,mgt-auth,alt.steven.normoyle>

Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult not auth'ed

Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1282): Alarm generation set to: False.

Sep 26 06:17:11 User 'alt.steven.normoyle' failed authentication.  Reason: Invalid username/password From: ssca-lt-04.nmed.ds.med.navy.mil.

Sep 26 06:17:11 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:12 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Sep 26 06:17:12 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

*************OUTPUT FROM WEB GUI AUTHENTICATION**************************************

Sep 26 06:17:55 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle

Sep 26 06:17:55 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>

Sep 26 06:17:55 alt.steven.normoyle admin is being authed

Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle

Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)

Sep 26 06:17:55 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 26 06:17:55 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle

Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:663): authentication succeeded (0)

Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:669): account is valid

Sep 26 06:17:55 pan_get_passwd_expiry(pan_authd_passwd.c:778): Using /etc/openldap/pan_ldap_shared_mgt-auth_0 to get password info

Sep 26 06:17:55 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_shared_mgt-auth_0

Sep 26 06:17:55 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=SSCA.PA.SVC,OU=Service

Sep 26 06:17:55 Error: pan_authd_bind(pan_authd_passwd.c:271): bind failed (extracted from parsed bind result) (Invalid credentials) (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)

Sep 26 06:17:55 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=nmed,DC=ds,DC=med,DC=navy,DC=mil' for (sAMAccountName=alt.steven.normoyle) (userAccountControl)

Sep 26 06:17:55 Error: pan_authd_ldap_search_result(pan_authd_passwd.c:419): search failed 1 (Operations error) (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1)

Sep 26 06:17:55 pan_get_ad_passwd_expiry(pan_authd_passwd.c:679): failed to search userAccountControl

Sep 26 06:17:55 Error: pan_get_passwd_expiry(pan_authd_passwd.c:793): Failed to get expiry info for alt.steven.normoyle

Sep 26 06:17:55 authentication succeeded for user <shared,mgt-auth,alt.steven.normoyle>

useradd: unable to lock password file

usermod: user alt.steven.normoyle does not exist

usermod: user alt.steven.normoyle does not exist

Sep 26 06:17:56 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult auth'ed

Sep 26 06:17:56 Request received to unlock shared/mgt-auth/alt.steven.normoyle

Sep 26 06:17:56 User 'alt.steven.normoyle' authenticated.   From: 192.207.231.8.

Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:56 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False

Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Sep 26 06:17:56 pan_authd_service_req(pan_authd.c:2610): Authd:get group request

Sep 26 06:17:56 pan_authd_handle_group_req(pan_authd.c:2561): Got user role/adomain / for user alt.steven.normoyle

That is weird, In both cases PA sent the same format to the LDAP server. Which software version is this ? Did you do any software upgrades and that caused this issue ?

L6 Presenter

If this issue is happening after upgrade to 4.1.8, please open a ticket with support as this looks buggy.

Any update onnthis issue as i am also facing the same issue 

  • 5144 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!