I want to integrate LDAP in Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

I want to integrate LDAP in Panorama

L2 Linker

I have Panorama on VM and i am trying to configure LDAP, i have setup LDAP profile and then trying to tie LDAP profile with Management interface but it looks like i am not getting any option where i can select LDAP profile from dropdown list, If LDAP tie up with Management Interface is not allowed ? Kindly help.

13 REPLIES 13

Cyber Elite
Cyber Elite

Hello @anwardurrani

 

thanks for the post!

 

If you are trying to set up accounts to access Panorama with LDAP authentication, then you should configure the LDAP profile directly in the account setting. Navigate to: Panorama > Administrators > Add, then select the authentication profile from drop down list:

 

PavelK_0-1666097192550.png

The option under: Panorama > Setup > Management supports only: RADIUS, TACACS+ and SAML.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

I have created as per instructions but how i can tie Panorama URL with LDAP Profile, i want users in LDAP only should be able to access Panorama.

As per reply above.

The option under: Panorama > Setup > Management supports only: RADIUS, TACACS+ and SAML.

Here does it mean, Panorama Authencation only can be tied up with  RADIUS, TACACS+ and SAML.

Cyber Elite
Cyber Elite

Thank you for reply @anwardurrani

 

this is correct. The option under: Panorama > Setup  > Management > Authentication Settings > Authentication profile, supports only: RADIUS, TACACS+ and SAML. You can leave it in default set to: "None". To configure LDAP for admin access, you can refer to below KB:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK

 

If you need to further restrict accounts using Panorama, you can use Access Domains feature.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thanks for reply, i followed URL as mentioned above but

 still i am not able to authenticate through LDAP users. 

When i have followed same instructions for one of my Palo Alto Firewall then in User Identification >  Server Monitoring Status says Connection refused. I am not sure where i am getting wrong ? 

Cyber Elite
Cyber Elite

Thank you for reply @anwardurrani

 

if you have followed configuration steps in the KB and users are still not able to login to Panorama, I would recommend to check authd.log from cli: tail lines 500 mp-log authd.log. I would also make sure that account for bind dn has valid username and password.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thanks for reply Pavel,

Here i am trying to implement LDAP on my one of Firewall ( PA-850) through Panorama, I am getting following error 

 

log query for Pune-LDAP failed: NTSTATUS: NT_STATUS_CONNECTION_REFUSED - NT_STATUS_CONNECTION_REFUSED

I have one more question, what should be the template option for Panorama while i am setting up LDAP profile for Panorama ? There are few options i am getting under template drop down list as 

Mobile_User_Template

Server_Conn_Template

Iron-Skillset-Template

I have setup LDAP profile on Panorama as well as per instruction URL above and i am getting following error our of log as 

failed authentication for user 'anwar.durrani'.  Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'LDAP-Auth', vsys 'shared', server profile 'LDAP-Profile', server address '172.16.x.x', From: 172.24.x.x.

You were correct, its getting failed to bind, It says

<user-name>@<domain-name>

2022-11-04 06:04:40.693 +0000 Error:  pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2032): Failed to bind, get out

Now i have updated proper bind DN and now i am getting error below. :

 binding with binddn cn=internal.replication,dc=enterprisedb,dc=com

2022-11-04 06:18:48.127 +0000 Error:  _start_sync_auth(pan_auth_service_handle.c:754): sync request for user "anwar.durrani" is failed or possibly timed out against 172.18.5.x.x:389 with 0th VOIDp=0x556820f49e70

I have resolved this issue. i will add complete steps where i have made to solve this issue. 

Hi @anwardurrani please advise what steps you have taken to resolve this. thanks!

  • 3824 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!