LDAP not working

Not applicable

I am trying to get my PA to talk to an LDAP server.  I set up the LDAP server as described in the documentation (User Identification Tech Note - PANOS 4.1.pdf) but it never is able to connect.  I get this error:

ldap cfg mydomain failed to connect to server (10.10.10.10:389), source 10.10.252.4.

Now 10.10.252.4 is configured as my Management interface which is not connected. It should be using another interface (eth2).  When I ssh to it and run this command:

me@PA-500> netstat route yes
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.1.1.0         *               255.255.255.0   U         0 0          0 eth2
10.10.252.0     *               255.255.255.0   U         0 0          0 eth0
127.3.0.0       *               255.255.0.0     U         0 0          0 eth3.251
127.2.0.0       *               255.255.0.0     U         0 0          0 eth3.1
169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
default         *               0.0.0.0         U         0 0          0 eth0
me@PA-500> 

I have the virtual router set correctly but none of the static routes show up here.  Policies go from one interface to another interface.  Do I need a policy to go from inside the firewall to an interface? 

Should I set the management interface with the same IP as one of the ethernet interfaces?  How do I set the management interface to one of the ethernet interfaces?  It seems to have chosen one for itself.

Or how do I set the real routes? 

1 accepted solution

Accepted Solutions

Not applicable

Found it: Device -> Services -> Service Route Configuration.  It doesn't have a service line for LDAP but it has one for radius and user ID. 


I'd still like to know if I should set my management interface to the same IP as one of my other interfaces. 

4 REPLIES 4


Could you paste your interface configuration (preferably from the running-config.xml)? Don't forget to obscure any sensitive IP addresses (if any).

Currently PA supports the following service route configurations:

route |
{
  destination <value> source-address <value> |
  service
  {
    crl-status source-address <value> |
    dns source-address <value> |
    email source-address <value> |
    netflow source-address <value> |
    ntp source-address <value> |
    paloalto-updates source-address <value> |
    panorama source-address <value> |
    proxy source-address <value> |
    radius source-address <value> |
    snmp source-address <value> |
    syslog source-address <value> |
    uid-agent source-address <value> |
    url-updates source-address <value> |
    wildfire source-address <value>
  }
}

My best guess is that LDAP is included within the uid-agent setting. So if you change uid-agent to use the interface you want it should work.

Not applicable

I don't know if uid-agent is the same as ldap.  It seems to me on reading the documentation that uid agent is an agent on port 3127 or something like it and that is running a paloalto supplied program.  The documentation says to use it if ldap doesn't work.  Here is my service route fragment with IPs changed to protect the innocent.  I added the address of the ldap server on the other side of the dialog and it now appears to work.

route { 
  service { 
    paloalto-updates { 
      source-address 172.17.123.2/29; 
    } 
    ntp { 
      source-address 172.17.123.2/29; 
    } 
    panorama { 
      source-address 172.17.123.2/29; 
    } 
    url-updates { 
      source-address 172.17.123.2/29; 
    } 
    wildfire { 
      source-address 172.17.123.2/29; 
    } 
    uid-agent { 
      source-address 10.123.2.1/24; 
    } 
    dns { 
      source-address 10.123.2.1/24; 
    } 
    radius { 
      source-address 10.123.2.1/24; 
    } 
  } 
  destination { 
    10.123.2.10 { 
      source-address 10.123.2.1/24; 
    } 
  } 
} 


As you have already discovered, LDAP is not selectable as a Service Route.

The only solution for this is to put the LDAP server IP under Destination Service Route (right tab) and source all requests for this IP on the selected L3 interface.

Maybe you would like to place a Feature Request with your SE.

Regards

Marco
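A worked illustration of the resolution the thread arrives at, as an added example that is not from the original posts or from Palo Alto Networks: it parses a service-route fragment in the running-config layout shown above and reports which source address a lookup would use. The precedence it models (destination route first, then service route, then management interface) and the sample addresses are assumptions of the example, not verified PAN-OS behaviour.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the running-config layout shown in the thread (addresses from the
# posts). No "ldap" entry exists under service, so only a destination route can steer LDAP.
SAMPLE_CONFIG = """
route {
  service {
    uid-agent { source-address 10.123.2.1/24; }
    radius { source-address 10.123.2.1/24; }
  }
  destination {
    10.10.10.10 { source-address 10.123.2.1/24; }
  }
}
"""

def parse_block(tokens):
    """Recursively build a dict from the brace syntax: name { ... } or key value;"""
    node = {}
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            return node
        if tokens and tokens[0] == "{":
            tokens.pop(0)
            node[tok] = parse_block(tokens)
        else:  # leaf such as "source-address 10.123.2.1/24 ;"
            node[tok] = tokens.pop(0)
            if tokens and tokens[0] == ";":
                tokens.pop(0)
    return node

def parse_config(text):
    """Tokenise braces, semicolons and words, then parse into nested dicts."""
    return parse_block(re.findall(r"[{};]|[^\s{};]+", text))

def resolve_source(config, service, dest_ip, mgmt_ip):
    """Source address used for a connection. Assumed precedence (this example's
    model of the thread's advice): destination route, service route, management."""
    route = config.get("route", {})
    for dest, entry in route.get("destination", {}).items():
        net = ip_network(dest if "/" in dest else dest + "/32", strict=False)
        if ip_address(dest_ip) in net:
            return entry["source-address"].split("/")[0]
    svc = route.get("service", {}).get(service)
    if svc:
        return svc["source-address"].split("/")[0]
    return mgmt_ip  # no route matched: traffic leaves via the management interface
```

Running it for an LDAP server with no destination entry returns the management address, which is the situation the original error message describes; adding the server under destination changes the answer to the L3 interface address.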
