LDAP Server is Not Reachable Through the Management Interface


33641
Created On 09/25/18 17:52 PM - Last Modified 06/09/23 03:05 AM



Issue

By default, LDAP communication from a Palo Alto Networks device goes out through the Management (MGT) interface. In some network deployments, the LDAP server is not reachable from the MGT interface.

Note: In some cases, the Palo Alto Networks device can still pull group mappings from an LDAP server even though LDAP authentication against that same server fails.

Details

LDAP authentication uses the Management interface by default, and there is no service route configuration option specifically for LDAP. For group mapping information, the Palo Alto Networks device uses the User-ID Agent service route if one is configured, or the Management interface by default. Therefore, if a User-ID Agent service route is configured, it is possible that group mapping information is retrieved successfully even though LDAP authentication over the Management interface fails.

Resolution

Configure a destination-based service route for the LDAP server, using one of the dataplane interfaces as the source.

  1. Navigate to Device > Setup > Services.
  2. Click Service Route Configuration.
  3. In the Service Route Configuration dialog, click Select (if it is not already selected).
  4. Add a new service route:
    1. Set the Destination address to the LDAP server IP address.
    2. Set the Source address to the IP address assigned to the dataplane interface that can reach the LDAP server.

  Note: The address convention in the Destination field is host based, i.e. a /32 address. Defining a subnet (for example, 192.168.1.0/24) should be avoided.
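As an added illustration (not from this article or from PAN-OS itself), the following Python model walks the egress selection described under Details and shows why the /32 destination route from the steps above fixes authentication while group mapping may already have worked. The interface names, addresses, the "uid-agent" key and the assumption that a destination route takes precedence over service-specific routes are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

MGT = ("mgt", None)  # Management interface: the default egress for both LDAP functions


@dataclass(frozen=True)
class ServiceRoute:
    interface: str  # dataplane interface, e.g. "ethernet1/1" (constructed names)
    address: str    # source address assigned to that interface


def is_host_destination(dest: str) -> bool:
    """A destination service route must be host based (/32), as the article notes."""
    return ipaddress.ip_network(dest, strict=False).prefixlen == 32


def select_egress(service, ldap_server, destination_routes, service_routes):
    """Pick the (interface, source address) used to reach the LDAP server.

    service: "ldap-auth" or "group-mapping"
    destination_routes: {"10.1.1.5/32": ServiceRoute(...)}  (host routes only)
    service_routes: {"uid-agent": ServiceRoute(...)}; there is no "ldap" key,
    because PAN-OS has no service route specifically for LDAP authentication.
    """
    server = ipaddress.ip_address(ldap_server)
    # Assumption for this model: a destination route to the server wins for every service.
    for dest, route in destination_routes.items():
        if not is_host_destination(dest):
            raise ValueError(f"destination route {dest} is not a /32 host address")
        if ipaddress.ip_network(dest).network_address == server:
            return (route.interface, route.address)
    # Group mapping may use the User-ID Agent service route; authentication cannot.
    if service == "group-mapping" and "uid-agent" in service_routes:
        route = service_routes["uid-agent"]
        return (route.interface, route.address)
    return MGT


def diagnose(ldap_server, destination_routes, service_routes):
    """Show the egress chosen for authentication and for group mapping side by side."""
    return {s: select_egress(s, ldap_server, destination_routes, service_routes)
            for s in ("ldap-auth", "group-mapping")}


# Constructed sample: a User-ID Agent route exists, but no destination route to the LDAP server.
UID_AGENT_ROUTE = {"uid-agent": ServiceRoute("ethernet1/2", "192.168.2.1")}
# The fix from the article: a /32 destination route sourced from a dataplane interface.
LDAP_HOST_ROUTE = {"10.1.1.5/32": ServiceRoute("ethernet1/1", "192.168.1.1")}

if __name__ == "__main__":
    print("before:", diagnose("10.1.1.5", {}, UID_AGENT_ROUTE))
    print("after: ", diagnose("10.1.1.5", LDAP_HOST_ROUTE, UID_AGENT_ROUTE))
```

Running it prints group mapping leaving via ethernet1/2 while authentication stays on MGT, and then both leaving via ethernet1/1 once the host route exists.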

Note: When the LDAP Server Profile is used as the authentication server for administrator access to the Palo Alto Networks device, make sure that "Administrator Use Only" is checked in that profile.

owner: akawimandan
