We use Open Directory as our primary LDAP service, which normally works pretty well.
I'm trying to get LDAP authentication profiles up and running and am only having limited success. By limited I mean I can authenticate a user against a simple config where I am looking for the "uid" login attribute in the users group using cn=users,dc=server,dc=mydomain,dc=com.
If I try to authenticate a user in a group called sslvpn (cn=sslvpn,cn=groups,dc=server,dc=mydomain,dc=com) using "memberUid" as the login attribute the session login fails with an invalid username/password error.
Just wondering if there is a limitation in PANOS when it comes to Open Directory attributes or if I'm doing something simple wrong?
Apple OpenDirectory has a custom (i.e. proprietary) schema objectclass to define group membership (i.e. apple-group).
Apple's OpenDirectory does NOT use objectclass=groupOfUniqueNames, which includes the uniqueMember attribute to define group membership.
Thus, the OpenLDAP support (a superset of OpenDirectory) provided by the LDAP auth of Palo Alto Networks will not likely include any support for Apple's group membership.
Hello -- I can't post screenshots to this forum, but I have a screenshot of an OpenDirectory group object and a similar OpenLDAP-based group object.
The membership attribute for "apple-group" is "memberUid" and contains the UID value.
The membership attribute for "groupOfUniqueNames" is "uniqueMember" and contains the user DN value (the full user object address).
The value of "uniqueMember" can be readily used as part of an ldap_simple_bind auth validation, but the "memberUid" value requires one extra step (i.e. look up the user object to get the DN value for ldap_simple_bind).
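The extra lookup step described in the reply above, shown as an added example that is not part of the thread and not Palo Alto Networks or Apple code. It models both group types against a small in-memory directory so it runs offline: the entries, DNs, uids and passwords are all constructed sample data, and the "bind" is a plain password comparison standing in for ldap_simple_bind. The point it adds is that with memberUid the uid must first be resolved to exactly one user DN under the users base before binding, and an ambiguous uid should fail rather than bind the first match.

```python
"""Added example (not from the forum thread): resolving group membership for
groupOfUniqueNames (uniqueMember holds a full DN) versus apple-group
(memberUid holds only the bare uid), against a constructed in-memory
directory.  All DNs, users and passwords are invented sample data."""


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed directory: normalised DN -> attributes (names lowercased, list values).
# "carol" deliberately appears twice under the users base to show the ambiguity case.
DIRECTORY = {
    norm_dn("uid=alice,cn=users,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["inetOrgPerson"], "uid": ["alice"], "userpassword": ["alice-pw"]},
    norm_dn("uid=bob,cn=users,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["inetOrgPerson"], "uid": ["bob"], "userpassword": ["bob-pw"]},
    norm_dn("uid=carol,cn=users,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["inetOrgPerson"], "uid": ["carol"], "userpassword": ["carol-pw"]},
    norm_dn("uid=carol,cn=contractors,cn=users,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["inetOrgPerson"], "uid": ["carol"], "userpassword": ["other-pw"]},
    # apple-group: membership keyed on the bare uid
    norm_dn("cn=sslvpn,cn=groups,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["apple-group"], "memberuid": ["alice", "carol"]},
    # groupOfUniqueNames: membership keyed on the member's full DN
    norm_dn("cn=vpn-admins,cn=groups,dc=server,dc=mydomain,dc=com"):
        {"objectclass": ["groupOfUniqueNames"],
         "uniquemember": ["uid=bob,cn=users,dc=server,dc=mydomain,dc=com"]},
}


def search_user_dn(directory, base_dn, uid):
    """Subtree search for (uid=<uid>) under base_dn.

    Returns the single matching DN, or None when there is no match or more
    than one: a duplicated uid must not silently bind as the first hit."""
    base = norm_dn(base_dn)
    hits = [dn for dn, attrs in directory.items()
            if (dn == base or dn.endswith("," + base)) and uid in attrs.get("uid", [])]
    return hits[0] if len(hits) == 1 else None


def simple_bind(directory, dn, password):
    """Stand-in for ldap_simple_bind: succeed only if the DN exists and the
    password matches (a real server would verify a hashed userPassword)."""
    entry = directory.get(norm_dn(dn))
    return entry is not None and password in entry.get("userpassword", [])


def is_group_member(directory, group_dn, user_dn, uid):
    """Check membership using whichever attribute the group's objectclass uses."""
    group = directory.get(norm_dn(group_dn))
    if group is None:
        return False
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "groupofuniquenames" in classes:
        members = {norm_dn(m) for m in group.get("uniquemember", [])}
        return norm_dn(user_dn) in members
    if "apple-group" in classes:
        return uid in group.get("memberuid", [])
    return False


def authenticate(directory, users_base, group_dn, uid, password):
    """Full flow: resolve uid -> DN, bind with that DN, then check the group.

    Returns (True, user_dn) on success or (False, reason) on failure."""
    user_dn = search_user_dn(directory, users_base, uid)
    if user_dn is None:
        return False, "no unique user entry for uid"
    if not simple_bind(directory, user_dn, password):
        return False, "bind failed"
    if not is_group_member(directory, group_dn, user_dn, uid):
        return False, "not a member of group"
    return True, user_dn


if __name__ == "__main__":
    base = "cn=users,dc=server,dc=mydomain,dc=com"
    for uid, pw, group in [("alice", "alice-pw", "cn=sslvpn,cn=groups,dc=server,dc=mydomain,dc=com"),
                           ("bob", "bob-pw", "cn=vpn-admins,cn=groups,dc=server,dc=mydomain,dc=com"),
                           ("carol", "carol-pw", "cn=sslvpn,cn=groups,dc=server,dc=mydomain,dc=com")]:
        print(uid, authenticate(DIRECTORY, base, group, uid, pw))
```

The uniqueMember path never needs the search: the DN in the group is already the bind DN. The memberUid path does, which is why a profile that only looks for a login attribute inside the group entry, with no separate user search, has nothing to bind with.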