How to Use More than Four LDAP Servers in a Palo Alto Networks Configuration

Created On 09/26/18 13:49 PM - Last Modified 10/07/20 01:00 AM


Symptom


Palo Alto Networks firewalls limit the number of LDAP servers that can be configured in a single LDAP Profile: an LDAP Profile holds at most four servers.



Environment


  • NGFW
  • LDAP
  • LDAP Profile
  • Authentication Profile


Cause


Four LDAP servers are usually more than enough to authenticate all users in a domain and to provide redundancy when an LDAP server goes down. Larger companies, however, sometimes run more than four LDAP servers in distributed environments where users are served by dedicated LDAP servers. Such users may need to authenticate against an LDAP server that is not one of the four in the profile.

Once four LDAP servers have been added to an LDAP Profile (under Device > Server Profiles > LDAP), the "plus" (Add) button is greyed out and no further servers can be added to that profile.


Resolution


The four-server limit on a single LDAP Profile can be overcome by creating another LDAP Profile that contains the remaining LDAP servers. For example:


  1. Under Device > Server Profiles > LDAP, create a second LDAP Profile that holds the remaining LDAP servers.
  2. Under Device > Authentication Profile, create an authentication profile for each of the LDAP Profiles.


NOTE:
Authentication profiles can be combined in an authentication sequence. The firewall tries the profiles in the order they are listed: if a user is not found on the LDAP servers of the first authentication profile, it tries the next one, so the authentication attempt as a whole succeeds on the firewall. Because the firewall moves on to the next profile on any failure with the first one, not only when the user is absent, list the profile that covers most users first, and keep in mind that a mistyped password is reported to each directory in the sequence when tuning the directories' lockout thresholds.
This is configured under Device > Authentication Sequence:


This sequence can now be used for any purpose, such as GlobalProtect authentication:
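The following script is an added example and is not part of the article or of any Palo Alto Networks tooling. It carries the procedure above through for a constructed list of six domain controllers: it splits the servers into LDAP Profiles of at most four, names one Authentication Profile per LDAP Profile, chains them in an Authentication Sequence, and emits the configure-mode `set` commands for the result. It also models the sequence fall-through described in the note (first reachable server per profile; anything other than a successful bind moves to the next profile) so the outcome for a given user can be reasoned about before committing. The profile names, the sample addresses and the directory contents are constructed, and the `set` command syntax is recalled from the PAN-OS CLI rather than taken from the article, so confirm it on your release before use.

```python
"""Added example: plan the PAN-OS configuration that works around the
four-servers-per-LDAP-profile limit, and model how the resulting
Authentication Sequence falls through between profiles."""
from typing import Dict, List, Optional, Sequence, Tuple

MAX_SERVERS_PER_PROFILE = 4  # the GUI limit the article describes

Server = Tuple[str, str]                 # (server entry name, address)
Profile = Tuple[str, str, List[Server]]  # (LDAP profile, auth profile, servers)

# Constructed sample: six domain controllers, two more than one profile holds.
SAMPLE_SERVERS: List[Server] = [
    ("dc1", "10.0.1.11"), ("dc2", "10.0.1.12"), ("dc3", "10.0.2.11"),
    ("dc4", "10.0.2.12"), ("dc5", "10.0.3.11"), ("dc6", "10.0.3.12"),
]

# Constructed directory contents per server: user -> password, or None when
# the server is unreachable. bob's account exists only on dc5/dc6.
SAMPLE_DIRECTORIES: Dict[str, Optional[Dict[str, str]]] = {
    "dc1": None,
    "dc2": {"alice": "pw-a"}, "dc3": {"alice": "pw-a"}, "dc4": {"alice": "pw-a"},
    "dc5": {"bob": "pw-b"}, "dc6": {"bob": "pw-b"},
}


def chunk_servers(servers: Sequence[Server],
                  size: int = MAX_SERVERS_PER_PROFILE) -> List[List[Server]]:
    """Split the server list into groups of at most `size`, preserving order."""
    if size < 1:
        raise ValueError("size must be at least 1")
    return [list(servers[i:i + size]) for i in range(0, len(servers), size)]


def plan_profiles(servers: Sequence[Server], prefix: str = "LDAP") -> List[Profile]:
    """One LDAP Profile plus one Authentication Profile per group of servers.
    The naming scheme is this example's own (hypothetical) convention."""
    return [(f"{prefix}-{n}", f"AP-{prefix}-{n}", group)
            for n, group in enumerate(chunk_servers(servers), start=1)]


def panos_set_commands(servers: Sequence[Server], base_dn: str, bind_dn: str,
                       prefix: str = "LDAP", port: int = 636) -> List[str]:
    """Emit configure-mode `set` commands for the plan.

    The command syntax is recalled from the PAN-OS CLI, not taken from the
    article; confirm it on your release before pasting. The bind password is
    left out on purpose so the generated script never carries a secret."""
    cmds: List[str] = []
    auth_profiles: List[str] = []
    for ldap_profile, auth_profile, group in plan_profiles(servers, prefix):
        for name, address in group:
            cmds.append(f"set shared server-profile ldap {ldap_profile} "
                        f"server {name} address {address} port {port}")
        cmds += [
            f"set shared server-profile ldap {ldap_profile} ldap-type active-directory",
            f'set shared server-profile ldap {ldap_profile} base "{base_dn}"',
            f'set shared server-profile ldap {ldap_profile} bind-dn "{bind_dn}"',
            f"set shared server-profile ldap {ldap_profile} ssl yes",
            f"set shared server-profile ldap {ldap_profile} verify-server-certificate yes",
            f"set shared authentication-profile {auth_profile} method ldap server-profile {ldap_profile}",
            f"set shared authentication-profile {auth_profile} method ldap login-attribute sAMAccountName",
            f"set shared authentication-profile {auth_profile} allow-list all",
        ]
        auth_profiles.append(auth_profile)
    cmds.append(f"set shared authentication-sequence {prefix}-SEQ "
                f"authentication-profiles [ {' '.join(auth_profiles)} ]")
    return cmds


def authenticate(user: str, password: str, sequence: Sequence[Profile],
                 directories: Dict[str, Optional[Dict[str, str]]]
                 ) -> Tuple[Optional[str], Optional[str]]:
    """Model the sequence: profiles are tried in order; inside a profile the
    first reachable server answers; a user found there with the right
    password wins, and any other outcome (user not found, bad password,
    every server down) falls through to the next profile.
    Returns (LDAP profile, server) on success, (None, None) otherwise."""
    for ldap_profile, _auth_profile, group in sequence:
        for name, _address in group:
            accounts = directories.get(name)
            if accounts is None:
                continue            # unreachable: try the next server in this profile
            if user in accounts and accounts[user] == password:
                return ldap_profile, name
            break                   # this profile has answered: move to the next one
    return None, None


if __name__ == "__main__":
    plan = plan_profiles(SAMPLE_SERVERS)
    for cmd in panos_set_commands(SAMPLE_SERVERS, "DC=example,DC=com",
                                  "CN=svc-ldap,OU=Service,DC=example,DC=com"):
        print(cmd)
    print(authenticate("bob", "pw-b", plan, SAMPLE_DIRECTORIES))  # ('LDAP-2', 'dc5')
```

In the constructed sample, alice is found on the first reachable server of LDAP-1 (dc1 is down, dc2 answers), while bob is absent from LDAP-1, so the attempt falls through and succeeds on dc5 in LDAP-2; a wrong password for bob fails in both profiles, which is the behaviour the lockout caveat above refers to.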



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail