03-20-2020 02:39 PM
Hi.
I have a strange issue with LDAP groups in our PA-5220 setup.
Our setup is two HA clusters, each containing two PA-5220s. All of the devices are fully managed using Panorama. All of the firewalls are running 9.0.5, and Panorama is also on version 9.0.5.
The configuration looks like this: I have configured an LDAP server object with all of our AD domain controllers and set the "Base DN" to the root of the domain. I have created a "Group Mapping" containing a group for testing. I have created an "LDAP Authentication Profile" targeting the LDAP server configured earlier.
The problem is that the LDAP authentication only works if I have the "Allow list" set to "All". If I specify the AD group either using the NetBIOS name/short name or the full DN name, authentication will fail.
If I list the users in the group from the console using "show user group name", all expected users are listed. If I test the Authentication Profile using the command "test authentication authentication-profile", it works when the allow list is set to All, but not if an LDAP group is specified. The test fails with "Do allow list check before sending out authentication request".
I have checked all of the KB articles I have been able to find and made sure, for instance, that all the LDAP paths are in lower case. I have compared it with a device with a working configuration at another company, and except for the paths and server names, everything is more or less the same.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloqCAC
What could be causing this issue? What to check next?
Best regards,
Johan Christensson