How to resolve get-ldap-data-failure error in system logs

How to resolve get-ldap-data-failure error in system logs

13240
Created On 09/26/18 13:48 PM - Last Modified 04/21/20 00:46 AM


Resolution

This document provides resolution for the error "get-ldap-data failure"  repeatedly in the system logs.

 

Issue

Getting the error "get-ldap-data-failure" in the system logs every few minutes.

 

ldap_kb2.PNG

 

Cause

This issue is caused when the firewall is trying to fetch the group information from the AD and the group is no longer present on the AD.

 

Resolution

In the command line, type less mp-log useridd.log. Look for the below error with the timestamp from the sytem logs

 

2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_search_single_group(pan_ldap_ctrl.c:3011): failed to get group obj for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'

 

2016-12-23 13:47:26.117 -0800 Error: pan_ldap_ctrl_query_single_included_group(pan_ldap_ctrl.c:3501): pan_ldap_ctrl_search_single_group() failed for 'cn=paloaltotestgroup,cn=users,dc=opxlab,dc=pan'

 

Check under Group mapping settings in Group Include List > Included Groups for this group.

 

ldap_kb3.PNG

 

Next, check if the group is still present on the AD server. If the group is deleted from  AD, remove the group from the firewall and commit the changes.

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Clph&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language