Palo Alto Networks recommends using an LDAP browser to find the proper LDAP information.
Finding the Proper Bind Information
To find the Bind DN, run the following command with the example username of test1 from the command line of the AD server:
dsquery user -name test1
should receive the Bind DN "CN=test1, OU=outest2, OU=outest, DC=pantac2, DC=org"
Or use an LDAP browser to find the Bind DN:
The Base DN is where the PAN will start searching in the directory structure.
The Bind DN is the username that will be used to do the searching and request the authentication.
Note: In Active Directory, a blank folder icon represent Containers (CN) while folders with icons are Organizational Units (OU).
For example, if the admin account is in the user's container, the Bind DN information is
In the following example, the test1 account is in the OUtest2 Organizational Unit (OU), and OUtest2 is in OUtest.
Device > Server Profile> LDAP
For the above example, active directory is used and no SSL encryption is configured. the port field can be left empty for the default ports to be used: TCP port 389 is the standard port for unencrypted LDAP, port 636 is used when Require SSL/TLS secured connection is selected.
If the server list has been populated and the servers are reachable by the management interface, the Base DN will auto populate when you click the drop-down arrow
Base DN: DC=paloalto, DC=com
Bind DN supports ldap, UPN and down-level
CN=ldap-auth, OU=Users, DC=paloalto, DC=com
Configure Your Group-Mapping Profile
Device tab > User Identification> Group Mapping Settings: make sure to set the User Domain
Click the Group Include List Tab.
Click the + sign next to the Base in the Left column to drop the list of available folder to search for the groups you want to Query for
Click on the groups listed starting with the "cn=" that you want to have on the firewall to use in policies and click the + sign in the middle to add them to the included list of groups. Warning! If there are no groups in the include list to the right, all groups in AD will be queried and may cause load issues.
Verify the connection to the LDAP server with the following CLI command > show user group name all
Note: When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.
Configure your LDAP authentication in Device > Authentication Profile.
Include any groups that you are querying for that will be used in the Authentication Profile
This Profile can be used for Captive Portal, Global Protect, User log on, or any authentication through the firewall.
You can create other Authentication profiles for different functions if the groups in the allow list will be different.
If required, the input username can be modified to accomodate down-level or UPN username formats