LDAP Authentication Profile for non-local users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LDAP Authentication Profile for non-local users

L1 Bithead

Hi Team,

I am trying to use LDAP as an Authentication Profile for non-local users.
I am aware of guide on "Device > Authentication Settings > Authentication Profile" that states "Only RADIUS, TACACS+ and SAML methods are supported".

Nevertheless, I have set the LDAP server as an authentication profile, and confirmed that authentication and authorization works, even for non-local users. Below is the log that authentication has worked as intended.
pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1248): User "ldap_test" is ACCEPTED
pan_auth_response_process(pan_auth_state_engine.c:4381): auth status: auth success
pan_auth_response_process(pan_auth_state_engine.c:4402): Authentication success: <profile: "LDAP", vsys: "shared", username "ldap_test">
...
Sent PAN_AUTH_SUCCESS auth response for user 'ldap_test' (exp_in_days=-1 (-1 never; 0 within a day))

However, because user path is non-existent, Connection is closed.

Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:274): Admin user "ldap_test" home dir "/opt/pancfg/home/ldap_test" has NOT created yet

Error: pan_auth_send_auth_resp(pan_auth_server.c:699): pan_set_admin_user_stat("ldap_test", True)

 

Would there be a way to resolve this issue? Or, a way use LDAP as an Authentication Profile for non-local users?

4 REPLIES 4

L1 Bithead

What is the LDAP server you are using here and if you don't mind can you please share the screenshots of the configs you have done?

Shehriyar Ahmed

To reiterate, I do not have a problem setting up the configs for the PA device to use LDAP for Authentication. 
However, I found out that there must be local users setup beforehand, before I can use LDAP for Authentication.
My intention is to use LDAP for non-local users (which are users defined in LDAP only - not on PA device)

L1 Bithead

You need not define the users locally on the PA firewall, you define on the LDAP server. Below are the sample steps,

 The first step in this process is to define an LDAP Server Profile that contains specific information that the firewall can use when sending queries for authentication.

Select Device > Server Profiles > LDAP. At the bottom of the window, click Add.

For Profile Name, enter LDAP-Server-Profile.

Under the Server List section, click Add.

In the Name field, enter ldap.panw.lab.

In the LDAP Server field, enter 192.168.50.89.

Leave the Port field set to 389.

Under the Server Settings section, set the Type to other.

Enter dc=panw,dc=lab for Base DN.

Enter cn=admin,dc=panw,dc=lab for Bind DN.

Enter xxxx for Password and Confirm Password.

Uncheck the option for Require SSL/TLS secured connection.

Leave the remaining settings unchanged.

shehriyarahmed_0-1699465537492.png

Click OK to create the LDAP Server Profile.
With your LDAP Server Profile in place, you will now create an Authentication Profile and reference the LDAP Server Profile you just created.

Select Device > Authentication Profile.

Click the Add button at the bottom of the window.

For Name, enter LDAP-Auth-Profile.

Under the Authentication tab, use the Type drop-down list to select LDAP.

Under Server Profile, use the drop-down list to select LDAP-Server-Profile.

shehriyarahmed_1-1699465621795.png

Select the Advanced tab.

Under the Allow List section, click Add.

Select all.

Leave the remaining settings unchanged.

shehriyarahmed_2-1699465662688.png

Click OK.

Create a new administrator by selecting Device > Administrators.

Click Add.

For Name, enter adminSally.

For Authentication Profile, use the drop-down list to select LDAP-Auth-Profile.

Leave the remaining settings unchanged.

shehriyarahmed_3-1699465710232.png

Click OK.

Commit the Configuration.

Shehriyar Ahmed

Hi Shehriyar Ahmed, 

 

Thank you for the detailed guide. In the scenario above, I would have to manually set "adminSally" as administrator on the Paloalto GUI (even though the user is defined in the LDAP Directory). 
The fault is mine if I weren't being clear previously, but I was looking for a solution without the task of adding "adminSally".

Your example : LDAP (create user "adminSally") -> PA (create admin with LDAP Authentication Profile"adminSally") - PA Login with "adminSally"
The solution I am looking for : LDAP (create user "adminSally") -> PA Login with "adminSally"

Key difference being, not needing to add "adminSally" as an administrator. The reason I want to do this is because the administrators and operators (users) would be dynamically changed within LDAP. If there is change in user database in LDAP - the change should also apply to PA's user database.

For instance, a new user "adminTony" is added to a "network-admin" group in LDAP. After configuration of different network devices with LDAP "adminTony" would have access to Firewall, Switch, LB devices via LDAP. I have confirmed that if a new user is added, devices such as LB, Switch allow the user to access the devices, because user "adminTony" has been added to the "network-admin" group. This is on the premise that configuration has been made so that users in "network-admin" are allowed access.

  • 1555 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!