How to Use More than Four LDAP Servers in a Palo Alto Networks Configuration

How to Use More than Four LDAP Servers in a Palo Alto Networks Configuration

20201
Created On 09/26/18 13:49 PM - Last Modified 10/07/20 01:00 AM


Symptom

There is a limited number of LDAP servers that can be configured on one LDAP Profile on Palo Alto Networks assets. Four LDAP servers are supported in an LDAP Profile.



Environment
  • NGFW
  • LDAP
  • LDAP Profile
  • Authentication Profile


Cause
Usually four LDAP servers are more than enough to authenticate all the users in the domain, and to provide redundancy in case a LDAP server goes down. Sometimes, larger companies have more than four LDAP servers with distributed environments in which users connect to dedicated LDAP servers. Users may contact LDAP servers that are not one of the four servers, and will try to authenticate to them.

If adding four LDAP servers in the LDAP Profile (under Device > Server Profiles > LDAP) the "plus" button will be greyed out, and it will not be possible to add more servers in the profile.

If adding four LDAP servers in the LDAP Profile (under Device > Server Profiles > LDAP) the "plus" button will be greyed out, and it will not be possible to add more servers in the profile.


Resolution

This limitation for authentication with only four LDAP servers can be overcome with the use of another LDAP Profile, which includes the rest of the LDAP servers. For example:

This limitation for authentication with only four LDAP servers can be overcome with the use of another LDAP Profile, which includes the rest of the LDAP servers. For example:

User-added image

 

  1. Under Device > Authentication Profile, create authentication profiles for both of the LDAP Profiles,

Create authentication profiles for both of the LDAP Profiles, Under Device > Authentication Profile.


NOTE:
Authentication profiles can be combined in an authentication sequence. If a user is not found on one of the LDAP servers in the first authentication profile, it will attempt the next one, which should result in a successful authentication attempt as a whole on the firewall.
This is configured under Device > Authentication Sequence:

This is configured under Device > Authentication Sequence:


This sequence can now be used for any purpose, such as GlobalProtect authentication:

This sequence can now be used for any purpose, such as GlobalProtect authentication:



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language