10-17-2022 11:00 PM
I have Panorama on a VM and I am trying to configure LDAP. I have set up an LDAP profile and am then trying to tie the LDAP profile to the Management interface, but it looks like I am not getting any option where I can select the LDAP profile from the dropdown list. Is tying LDAP to the Management interface not allowed? Kindly help.
10-18-2022 05:49 AM
Hello @anwardurrani
Thanks for the post!
If you are trying to set up accounts to access Panorama with LDAP authentication, then you should configure the LDAP profile directly in the account settings. Navigate to Panorama > Administrators > Add, then select the authentication profile from the drop-down list:
The option under Panorama > Setup > Management supports only RADIUS, TACACS+ and SAML.
Kind Regards
Pavel
10-19-2022 12:45 AM
I have created it as per the instructions, but how can I tie the Panorama URL to the LDAP profile? I want only users in LDAP to be able to access Panorama.
10-19-2022 01:16 AM
As per the reply above:
The option under Panorama > Setup > Management supports only RADIUS, TACACS+ and SAML.
Does this mean that Panorama authentication can only be tied to RADIUS, TACACS+ and SAML?
10-19-2022 04:59 AM
Thank you for the reply @anwardurrani
This is correct. The option under Panorama > Setup > Management > Authentication Settings > Authentication Profile supports only RADIUS, TACACS+ and SAML. You can leave it at the default setting, "None". To configure LDAP for admin access, you can refer to the KB below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK
If you need to further restrict accounts using Panorama, you can use the Access Domains feature.
Kind Regards
Pavel
10-21-2022 05:42 AM
Thanks for the reply. I followed the URL mentioned above, but I am still not able to authenticate LDAP users.
When I followed the same instructions on one of my Palo Alto firewalls, User Identification > Server Monitoring Status says "Connection refused". I am not sure where I am going wrong?
10-21-2022 11:47 PM
Thank you for the reply @anwardurrani
If you have followed the configuration steps in the KB and users are still not able to log in to Panorama, I would recommend checking authd.log from the CLI: tail lines 500 mp-log authd.log. I would also make sure that the account used for the bind DN has a valid username and password.
Kind Regards
Pavel
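Reading authd.log is the right first step, and the error strings quoted later in this thread are the ones that turn up in practice. As an added example (not part of the original thread and not Palo Alto Networks code), the Python script below classifies authd.log lines into the failure classes seen in this thread (bind rejected, user lookup timed out, server unreachable) and separates out the User-ID server-monitoring "connection refused" message, which comes from a different feature than LDAP admin authentication. The sample lines are constructed to match the shape of the messages quoted in the thread; the user, DN, server name and IP addresses are placeholders, and the "next check" text is this example's own troubleshooting heuristic, not product documentation.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample authd.log excerpt. The lines copy the shape of the messages quoted
# in this thread, but the user, DN, server name and IPs (documentation ranges) are
# placeholders, not real infrastructure.
SAMPLE_LOG = """\
2022-11-04 06:04:40.693 +0000 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2032): Failed to bind, get out
binding with binddn cn=svc-panorama,ou=service,dc=example,dc=com
2022-11-04 06:18:48.127 +0000 Error: _start_sync_auth(pan_auth_service_handle.c:754): sync request for user "jdoe" is failed or possibly timed out against 192.0.2.10:389 with 0th VOIDp=0x556820f49e70
failed authentication for user 'jdoe'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'LDAP-Auth', vsys 'shared', server profile 'LDAP-Profile', server address '192.0.2.10', From: 198.51.100.7.
log query for Pune-LDAP failed: NTSTATUS: NT_STATUS_CONNECTION_REFUSED - NT_STATUS_CONNECTION_REFUSED
"""


@dataclass
class Finding:
    category: str    # failure class assigned by this script
    detail: str      # fields pulled out of the line (user, server, port, dn)
    next_check: str  # what to verify next; this is the example's own heuristic
    raw: str         # the original log line


# Ordered rules: (pattern, category, next_check). The first match wins, so the more
# specific patterns come before the generic ones.
RULES = [
    (re.compile(r"Failed to bind"),
     "ldap-bind-failed",
     "The directory rejected the Bind DN or its password. Re-enter the password in the "
     "LDAP server profile and confirm the DN (or user@domain form) exists, is not locked "
     "and is not expired."),
    (re.compile(r'sync request for user "(?P<user>[^"]+)" .*? against (?P<server>\S+?):(?P<port>\d+)'),
     "ldap-lookup-timeout",
     "The bind went through but the user lookup got no answer in time. Check the Base DN, "
     "that the port and SSL/TLS setting match what the server listens on, and that nothing "
     "on the path silently drops the session."),
    (re.compile(r"failed authentication for user '(?P<user>[^']+)'\. Reason: Internal error"
                r".*server address '(?P<server>[^']+)'"),
     "ldap-server-unreachable",
     "The device could not reach the LDAP server at all. Test reachability from the "
     "management interface to the server and port, and check DNS and the service route "
     "used for LDAP."),
    (re.compile(r"NT_STATUS_CONNECTION_REFUSED"),
     "userid-server-monitoring-refused",
     "This comes from User-ID server monitoring, a separate feature from LDAP admin "
     "authentication. Fix or remove the monitored server entry; it is not the cause of a "
     "failed admin login."),
    (re.compile(r"binding with binddn (?P<dn>\S+)"),
     "ldap-bind-attempt",
     "Informational: this is the DN the device presented. Compare it character by "
     "character with the account in the directory."),
]


def triage(log_text: str) -> List[Finding]:
    """Classify each non-empty line of an authd.log excerpt."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, category, next_check in RULES:
            match = pattern.search(line)
            if match:
                detail = ", ".join(f"{k}={v}" for k, v in match.groupdict().items())
                findings.append(Finding(category, detail, next_check, line))
                break
        else:
            findings.append(Finding("unclassified", "", "Read this line by hand.", line))
    return findings


def ldap_auth_failures(log_text: str) -> List[Finding]:
    """Only the findings that bear on LDAP admin authentication, dropping the
    informational bind line and the User-ID monitoring noise."""
    return [f for f in triage(log_text)
            if f.category.startswith("ldap-") and f.category != "ldap-bind-attempt"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
        print(f"    next: {f.next_check}")
```

Paste the output of `tail lines 500 mp-log authd.log` into a file and feed it to `triage()`; the order of the findings follows the log, so the first `ldap-` entry is usually the root cause and later ones are fallout from it.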
11-03-2022 09:15 PM
Thanks for the reply Pavel,
Here I am trying to implement LDAP on one of my firewalls (PA-850) through Panorama, and I am getting the following error:
log query for Pune-LDAP failed: NTSTATUS: NT_STATUS_CONNECTION_REFUSED - NT_STATUS_CONNECTION_REFUSED
11-03-2022 09:18 PM
I have one more question: what should the template option be for Panorama while I am setting up the LDAP profile for Panorama? There are a few options I am getting under the template drop-down list:
Mobile_User_Template
Server_Conn_Template
Iron-Skillset-Template
11-03-2022 11:06 PM
I have set up the LDAP profile on Panorama as well, as per the instruction URL above, and I am getting the following error out of the log:
failed authentication for user 'anwar.durrani'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'LDAP-Auth', vsys 'shared', server profile 'LDAP-Profile', server address '172.16.x.x', From: 172.24.x.x.
11-03-2022 11:13 PM
You were correct, it is failing to bind. It says:
<user-name>@<domain-name>
2022-11-04 06:04:40.693 +0000 Error: pan_auth_create_a_ldap_session(pan_auth_svr_cctxt.c:2032): Failed to bind, get out
11-03-2022 11:25 PM
Now I have updated the proper bind DN and I am getting the error below:
binding with binddn cn=internal.replication,dc=enterprisedb,dc=com
2022-11-04 06:18:48.127 +0000 Error: _start_sync_auth(pan_auth_service_handle.c:754): sync request for user "anwar.durrani" is failed or possibly timed out against 172.18.5.x.x:389 with 0th VOIDp=0x556820f49e70
11-04-2022 06:36 AM
I have resolved this issue. I will add the complete steps I took to solve this issue.
05-22-2023 06:34 AM
Hi @anwardurrani, please advise what steps you have taken to resolve this. Thanks!