Useful CLI Commands to Troubleshoot LDAP Connection

Useful CLI Commands to Troubleshoot LDAP Connection

284886
Created On 09/26/18 13:51 PM - Last Modified 01/31/24 16:55 PM


Resolution


Overview

This document describes the CLI commands that can be used to verify a successful connection to the LDAP server for pulling groups.

 

Details

During LDAP server configuration, the device automatically pulls the Base DN if the connection is successful. The Base and Bind DN are configured under  Device > Server Profiles > LDAP:
ldap_server_profile

Use the show user group-mapping state all command to view the LDAP connectivity if using the server profile for group mapping.

For example:

> show user group-mapping state all

Group Mapping (vsys1, type: active-directory) : grp_mapping

  Bind DN    : pantac2003\adminatrator

  Base       : DC=pantac2003,DC=com

  Group Filter: (None)

  User Filter: (None)

  Servers    : configured 1 servers

          10.46.48.101 (389)

                  Last Action Time: 2290 secs ago(took 71 secs)

                  Next Action Time: In 1310 secs

  Number of Groups: 121

  cn=administrators,cn=builtin,dc=pantac2003,dc=com

  cn=ras and ias servers,cn=users,dc=pantac2003,dc=com

  cn=s,cn=users,dc=pantac2003,dc=com

 

If the Bind DN entered on the Palo Alto Networks device under Device > Server Profiles > LDAP is incorrect, the output of the command will display "invalid credentials".

The example output below shows a scenario in which "cn=Administrator12" was entered, but the correct value was "cn=Administrator":

> show user group-mapping state all

Group Mapping (vsys1, type: active-directory) : grp_mapping

  Bind DN    : CN=Administrator12,CN=Users,DC=pantac2003,DC=com

  Base       : DC=pantac2003,DC=com

  Group Filter: (None)

  User Filter: (None)

  Servers    : configured 1 servers

          10.46.48.101 (389)

                  Last Action Time: 0 secs ago(took 0 secs)

                  Next Action Time: In 60 secs

                   Last LDAP error: Invalid credentials

  Number of Groups: 0

 

Errors can be pulled from the useridd log using the following command:

> less mp-log useridd.log

Dec 30 15:59:07 connecting to ldap://[10.46.48.101]:389 ...

Dec 30 15:59:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials

Dec 30 15:59:07 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:832): pan_ldap_bind()  failed

Dec 30 15:59:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:994): pan_ldap_ctrl_connect(grp_mapping, 10.46.48.101:389) failed

Dec 30 15:59:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:1061): ldap cfg grp_mapping failed connecting to server 10.46.48.101 index 0

Dec 30 15:59:07 Error: pan_gm_data_ldap_proc(pan_group_mapping.c:1942): pan_gm_data_connect_ctrl() failed

Dec 30 15:59:14 Warning: pan_ldap_ctrl_construct_groups(pan_ldap_ctrl.c:546): search aborted

Dec 30 15:59:16 Error: pan_ldap_ctrl_query_group_membership(pan_ldap_ctrl.c:2384): pan_ldap_ctrl_construct_groups() failed

Dec 30 15:59:16 Error: pan_gm_data_update(pan_group_mapping.c:1431): pan_ldap_ctrl_query_group_membership()  failed

Dec 30 15:59:16 Error: pan_gm_data_ldap_proc(pan_group_mapping.c:1976): pan_gm_data_update() failed

Dec 30 16:00:07 connecting to ldap://[10.46.48.101]:389 ...

Dec 30 16:00:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials

Dec 30 16:00:07 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:832): pan_ldap_bind()  failed

Dec 30 16:00:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:994): pan_ldap_ctrl_connect(grp_mapping, 10.46.48.101:389) failed

 

Command to re-establish the link to the LDAP server 

debug user-id reset group-mapping <grp_mapping_name>

Command to set LDAP to debug

debug user-id set ldap all

Command to turn on debug 

debug user-id on debug

Command to turn off debug 

debug user-id off

Command to capture LDAP traffic if using management port

tcpdump filter "port 389"

Command to capture LDAPS (SSL) traffic if using management port

tcpdump filter "port 636"

Command to view the pcap taken off the management port 

view-pcap mgmt-pcap mgmt.pcap

Command to export the pcap to an external host by scp or tftp 

scp export mgmt-pcap from mgmt.pcap to username@host:path
tftp export mgmt-pcap from mgmt.pcap to <tftp host>

 

 

 

owner: sdarapuneni



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluWCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language