09-25-2012 08:58 AM
I got LDAP authentication working so that when logging into the Web GUI the microsoft active directory accounts works with no problems. When a user logs into the CLI and tries using their LDAP account the system log shows invalid username/password. the username syntax is <title>.<firstname>.<lastname>.
09-25-2012 12:14 PM
Can you please try the following -
1)Login into the cli using a local account and run this command "tail follow yes mp-log authd.log"
2)Now open web-ui session and try to login using the LDAP credentials and observe the login process ( especially the user credentials and their format ) in the cli log.
3)Now open another cli session and try to login using LDAP credentials and see how the logs are different when compared to the login using web-ui, You can also find the reason here for the authentication failure in the logs
09-26-2012 03:43 AM
I did it and you can see where it has issues, just don't understand it yet.
dmin@ssca-pa-01> tail follow yes mp-log authd.log
****OUTPUT FROM CLI AUTHENTICATION***********************
Sep 26 06:17:11 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle
Sep 26 06:17:11 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>
Sep 26 06:17:11 alt.steven.normoyle admin is being authed
Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle
Sep 26 06:17:11 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)
Sep 26 06:17:11 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle
Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle failed - trying other hosts
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle
Sep 26 06:17:11 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_1,username alt.steven.normoyle failed - trying other hosts
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_2
Sep 26 06:17:11 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_shared_mgt-auth_3
Sep 26 06:17:11 authentication failed for user <shared,mgt-auth,alt.steven.normoyle>
Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult not auth'ed
Sep 26 06:17:11 pan_authd_process_authresult(pan_authd.c:1282): Alarm generation set to: False.
Sep 26 06:17:11 User 'alt.steven.normoyle' failed authentication. Reason: Invalid username/password From: ssca-lt-04.nmed.ds.med.navy.mil.
Sep 26 06:17:11 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Sep 26 06:17:12 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False
Sep 26 06:17:12 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
*************OUTPUT FROM WEB GUI AUTHENTICATION**************************************
Sep 26 06:17:55 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: alt.steven.normoyle
Sep 26 06:17:55 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'','','alt.steven.normoyle'>
Sep 26 06:17:55 alt.steven.normoyle admin is being authed
Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:1968): Using auth prof mgt-auth for admin alt.steven.normoyle
Sep 26 06:17:55 pan_authd_handle_admin_auths(pan_authd.c:2022): shared/mgt-auth is auth prof is of type (auth profile)
Sep 26 06:17:55 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES
Sep 26 06:17:55 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_shared_mgt-auth_0,username alt.steven.normoyle
Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:663): authentication succeeded (0)
Sep 26 06:17:55 pan_authd_authenticate_service(pan_authd.c:669): account is valid
Sep 26 06:17:55 pan_get_passwd_expiry(pan_authd_passwd.c:778): Using /etc/openldap/pan_ldap_shared_mgt-auth_0 to get password info
Sep 26 06:17:55 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_shared_mgt-auth_0
Sep 26 06:17:55 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=SSCA.PA.SVC,OU=Service
Sep 26 06:17:55 Error: pan_authd_bind(pan_authd_passwd.c:271): bind failed (extracted from parsed bind result) (Invalid credentials) (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)
Sep 26 06:17:55 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=nmed,DC=ds,DC=med,DC=navy,DC=mil' for (sAMAccountName=alt.steven.normoyle) (userAccountControl)
Sep 26 06:17:55 Error: pan_authd_ldap_search_result(pan_authd_passwd.c:419): search failed 1 (Operations error) (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1)
Sep 26 06:17:55 pan_get_ad_passwd_expiry(pan_authd_passwd.c:679): failed to search userAccountControl
Sep 26 06:17:55 Error: pan_get_passwd_expiry(pan_authd_passwd.c:793): Failed to get expiry info for alt.steven.normoyle
Sep 26 06:17:55 authentication succeeded for user <shared,mgt-auth,alt.steven.normoyle>
useradd: unable to lock password file
usermod: user alt.steven.normoyle does not exist
usermod: user alt.steven.normoyle does not exist
Sep 26 06:17:56 pan_authd_process_authresult(pan_authd.c:1258): pan_authd_process_authresult: alt.steven.normoyle authresult auth'ed
Sep 26 06:17:56 Request received to unlock shared/mgt-auth/alt.steven.normoyle
Sep 26 06:17:56 User 'alt.steven.normoyle' authenticated. From: 192.207.231.8.
Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Sep 26 06:17:56 pan_authd_generate_system_log(pan_authd.c:844): CC Enabled=False
Sep 26 06:17:56 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Sep 26 06:17:56 pan_authd_service_req(pan_authd.c:2610): Authd:get group request
Sep 26 06:17:56 pan_authd_handle_group_req(pan_authd.c:2561): Got user role/adomain / for user alt.steven.normoyle
09-26-2012 01:25 PM
That is weird, In both cases PA sent the same format to the LDAP server. Which software version is this ? Did you do any software upgrades and that caused this issue ?
04-02-2022 11:27 AM
Any update onnthis issue as i am also facing the same issue
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
