How to Configure Active Directory Server Profile for Group Mapping and Authentication

How to Configure Active Directory Server Profile for Group Mapping and Authentication

99488
Created On 09/25/18 17:30 PM - Last Updated 07/28/20 07:35 AM


Resolution

Overview

Palo Alto Networks recommends using an LDAP browser to find the proper LDAP information.

 

Finding the Proper Bind Information

To find the Bind DN, run the following command with the example username of test1 from the command line of the AD server:

  • dsquery user -name test1
  • should receive the Bind DN "CN=test1, OU=outest2, OU=outest, DC=pantac2, DC=org"

 

Or use an LDAP browser to find the Bind DN:

ss1.png

 

  • The Base DN is where the PAN will start searching in the directory structure.
  • The Bind DN is the username that will be used to do the searching and request the authentication.

 

Note: In Active Directory, a blank folder icon represent Containers (CN) while folders with icons are Organizational Units (OU).

ss2.png

 

For example, if the admin account is in the user's container, the Bind DN information is

cn=admin,cn=users,dc=pantac2,dc=org

ss3.png

 

In the following example, the test1 account is in the OUtest2 Organizational Unit (OU), and OUtest2 is in OUtest.

ss4.png

 

Configuring LDAP

  • Device > Server Profile> LDAP

2016-09-01_14-24-19.jpg

For the above example, active directory is used and no SSL encryption is configured. the port field can be left empty for the default ports to be used: TCP port 389 is the standard port for unencrypted LDAP, port 636 is used when Require SSL/TLS secured connection is selected.

 

 

LDAP information

  • Type: active-directory
  • If the server list has been populated and the servers are reachable by the management interface, the Base DN will auto populate when you click the drop-down arrow
  • Base DN: DC=paloalto, DC=com
  • Bind DN supports ldap, UPN and down-level  
      ldap-auth@paloalto.com
      CN=ldap-auth, OU=Users, DC=paloalto, DC=com

       

      Configure Your Group-Mapping Profile

      • Device tab > User Identification> Group Mapping Settings: make sure to set the User Domain

        2016-09-01_14-28-28.jpg

      • Click the Group Include List Tab.

      2016-09-01_14-31-26.jpg

      • Click the + sign next to the Base in the Left column to drop the list of available folder to search for the groups you want to Query for
        • Click on the groups listed starting with the "cn=" that you want to have on the firewall to use in policies and click the + sign in the middle to add them to the included list of groups.
          Warning! If there are no groups in the include list to the right, all groups in AD will be queried and may cause load issues.
      • Commit.
      • Verify the connection to the LDAP server with the following CLI command
        > show user group name all

      Note: When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.

      Configure your LDAP authentication in Device > Authentication Profile.

      • Include any groups that you are querying for that will be used in the Authentication Profile
      • This Profile can be used for Captive Portal, Global Protect, User log on, or any authentication through the firewall.
      • You can create other Authentication profiles for different functions if the groups in the allow list will be different.2016-09-01_14-38-25.jpg
      • If required, the input username can be modified to accomodate down-level or UPN username formats

       

      owner: bnitz



      Attachments
      Actions
      • Print
      • Copy Link

        https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

      Attachments
      Choose Language