01-23-2012 10:16 AM
On PanOS 4.1.2 I am trying to perform an LDAP lookup for the 'Group Include List' element of the User Identification setup i.e. to populate the 'User' field in policies.
When I do this I get an "bind-dn is invalid" error. I know the account configured is fine, as it is a shared object set in Panorama and pushed to multiple boxes, and it works fine on other boxes.
Does anyone know if this error message is a "red herring" and just saying that 'something' is wrong - maybe connectivity etc - or does it only appear if it is an authentication error?
Ta
01-24-2012 01:53 PM
One place to start is to perform a "show user ldap-server state" and double check to see if you have the full Bind DN, and not just partially listed thinking that the base is going to help cover it.
I know this is not a true answer, but it is a place to start.
01-24-2012 02:20 PM
Thanks for that. Got me one stage further, but more confused now!
Used the command "show user group-mapping state all" and it actually showed that the LDAP query is working, and it's pulling back *all* the groups from my AD.
However, when I try to 'connect' via the UI it still fails. As this step is required so I can filter my groups to sync against (I don't want all 4000 in the drop down!) it is quite important, and I can't see why it is connecting in the background, but giving me an auth error when prompting it via the UI.
Any clues gratefully received!
01-26-2012 09:07 AM
Of course you are getting that error because of the way that the Bind DN is listed. Yes, it might work in some instances, but still give that error on that screen. When I look through other cases, this was resolved by modifying the way that the bind-dn is listed.
I would like to be able to help you here, but you might need to open a case and work the issue that way.
Regards,
02-03-2012 08:59 AM
Hi Guys,
I do have the same issue coming up. Can you guys please let me know what type of modifications were done to get it running, because I tried doing everything I can and have nothing to do now. I did log this case with PAN and even they seem to be lost on it.
02-03-2012 09:07 AM
I changed the format of the account used to query the LDAP servers from user@domain to domain\user and that seemed to fix the UI issue.
02-03-2012 09:26 AM
APACKARD... you genius... Thank you very much mate...!!!
02-03-2012 12:31 PM
Don't count your chickens yet...
I've now got a problem with User IDs being detected as domain\user, but all the imported user data is in the form user@domain, which may (or may not) be connected to this fix!
02-03-2012 12:33 PM
And just to be clear - they're not matching i.e. if I add a group to a policy that contains my name in the user@domain format, I'm not being matched against traffic with domain\user as a field.
02-06-2012 01:17 AM
Thanks for sharing the info mate. So far I haven't heard back from the customer yet. Will keep you updated.
02-06-2012 03:02 AM
So far things are looking good with domain\user mate.
02-06-2012 03:05 AM
Cool.
I found that I'd incorrectly added the FQDN domain name in the Domain field, rather than the Windows domain name, in the User-ID settings which stopped my users mapping correctly, so all good for me too!
Rgds
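As an added illustration of the mismatch described in the last few posts (not code from this thread or from PAN-OS): a small Python normaliser that maps both the user@domain and the domain\user forms to one key, so a group member list held in UPN form can be matched against a DOMAIN\user identity, and that also catches the FQDN-vs-Windows-domain confusion from the final post. The domain map and user names are constructed sample values, and the normalisation logic is a hypothetical model of the problem, not the firewall's own.

```python
# Added example: why group membership in user@domain form does not match a
# User-ID mapping reported as DOMAIN\user until both are normalised.
from typing import Optional, Tuple

# Constructed sample data: FQDN -> NetBIOS (Windows) domain name, i.e. what
# the User-ID "Domain" field should hold rather than the FQDN.
DOMAIN_MAP = {"example.local": "EXAMPLE"}


def raw_match(observed: str, group_members: list) -> bool:
    """Plain string comparison: this is the failing behaviour from the thread."""
    return observed in group_members


def normalize_identity(identity: str, domain_map: dict) -> Optional[Tuple[str, str]]:
    """Return (NETBIOS_DOMAIN, username) for user@domain or domain\\user, else None."""
    ident = identity.strip()
    if "\\" in ident:                      # DOMAIN\user (also tolerates fqdn\user)
        dom, user = ident.split("\\", 1)
        dom = domain_map.get(dom.lower(), dom)
    elif "@" in ident:                     # user@domain (UPN form from the directory)
        user, dom = ident.rsplit("@", 1)
        netbios = domain_map.get(dom.lower())
        if netbios is None:                # unknown domain: cannot be matched safely
            return None
        dom = netbios
    else:
        return None
    if not user:
        return None
    return (dom.upper(), user.lower())


def user_matches_group(observed: str, group_members: list, domain_map: dict) -> bool:
    """True if the observed identity appears in the group after normalisation."""
    target = normalize_identity(observed, domain_map)
    if target is None:
        return False
    return any(normalize_identity(m, domain_map) == target for m in group_members)


if __name__ == "__main__":
    members = ["jsmith@example.local", "adoe@example.local"]   # constructed
    seen = "EXAMPLE\\jsmith"                                   # constructed
    print("raw match:", raw_match(seen, members))              # False
    print("normalised:", user_matches_group(seen, members, DOMAIN_MAP))  # True
```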