paloaltonetworks:configuration:ldap (created 2020/05/19 06:14 by bstafford; current revision 2022/11/23 12:49, external edit from 127.0.0.1)

Firstly, when you edit the LDAP profile (''Web GUI->Device Tab->Server Profiles->LDAP''), in the ''Domain'' text box ensure that you have entered the NetBIOS name and not the full domain (e.g. set ''domain'', not ''domain.com''). You may also have to set this under ''Group Mapping->Server Profile->User Domain''. When I was mapping to more than one domain, I found the second domain wouldn't work with group mapping until I added the NetBIOS name to ''Group Mapping->Server Profile->User Domain''. Unfortunately, I also ran ''debug user-id reset group-mapping NameOfGroupMapping'' before committing and testing, so I don't know which fixed it.

Make sure the ''allow list'' in the LDAP profile is set with the full path, e.g. <code>cn=palo_admins,cn=service_accounts,dc=domain,dc=local</code>

You may also have to ensure that the LDAP server profile itself has the Bind DN set to <code>cn=palo_ldap,cn=service_accounts,dc=domain,dc=local</code> and not <code>palo_ldap@domain.local</code>

I found that the ''test'' command for authentication profiles is dodgy. Although you can log in using ''palotestusername'' (without appending ''DOMAIN\''), I found that the test command would not work unless you append the domain, like the following: <code>test authentication authentication-profile AUTH_P_LDAP_Admins username domain\palotestuser password</code>

If you try to authenticate and see an error about not being able to parse ''maxPwdAge'', check the Base DN you are using. I once left it as ''DC=domain.local,DC=local'' rather than ''DC=domain,DC=local''. Also check that you are using ''sAMAccountName''. It could also be that the password is missing.
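As an added example (not part of the original page or of PAN-OS), here is a small Python lint that checks the four values the notes above warn about: a DNS name in ''Domain'', a UPN instead of a DN for the Bind DN, a dotted ''DC='' component in the Base DN, and a short name in the allow list. The field names in SAMPLE_PROFILE are assumptions for this example, not PAN-OS configuration keys.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an LDAP server profile, using the mistakes described
# in the notes above. Field names are assumed, not PAN-OS keys.
SAMPLE_PROFILE = {
    "domain": "domain.com",                 # should be the NetBIOS name "domain"
    "bind_dn": "palo_ldap@domain.local",    # UPN, should be a full DN
    "base_dn": "DC=domain.local,DC=local",  # DNS name leaked into one DC= component
    "allow_list": ["palo_admins"],          # short name, should be a full DN
}

# One RDN: attribute=value. Escaped commas inside values are not handled here.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "cn=a,dc=b,dc=c" into [("cn", "a"), ("dc", "b"), ("dc", "c")].
    Raises ValueError for anything that is not a list of attr=value RDNs,
    so a UPN such as user@domain.local is rejected."""
    parts = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn)
        if not m:
            raise ValueError(f"not an RDN: {rdn!r}")
        parts.append((m.group(1).lower(), m.group(2)))
    return parts


def lint_profile(p: Dict) -> List[str]:
    """Return one finding per value that matches a pitfall from the notes."""
    findings = []
    if "." in p.get("domain", ""):
        findings.append("domain: use the NetBIOS name, not the DNS domain")
    try:
        parse_dn(p["bind_dn"])
    except ValueError:
        findings.append("bind_dn: must be a full DN (cn=...,dc=...), not a UPN")
    try:
        for attr, value in parse_dn(p["base_dn"]):
            if attr == "dc" and "." in value:
                findings.append(f"base_dn: dotted DC component {value!r}; use one dc= per label")
    except ValueError:
        findings.append("base_dn: not a valid DN")
    for entry in p.get("allow_list", []):
        try:
            attrs = {a for a, _ in parse_dn(entry)}
        except ValueError:
            attrs = set()
        if "dc" not in attrs:
            findings.append(f"allow_list: {entry!r} is not a full DN")
    return findings
```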

It is possible to lock out some accounts when using authentication sequences. Let's say you have an authentication sequence with the LDAP profile at the top and the Local User DB at the bottom, and that the same user name ''john'' has password ''1234'' in LDAP but password ''abcd'' in the local user database. If you log in with ''john'' and ''abcd'' enough times, it is possible to lock out the LDAP account, because the LDAP profile is tried first with that password on every login attempt and each attempt counts as a failed LDAP login for ''john''.