Test an LDAP Authentication Profile
The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named User4-LDAP and how to troubleshoot the error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
LDAP Authentication Profile Test Example
On the PAN-OS firewall, Configure an LDAP Server Profile and then Configure an Authentication Profile. In the authentication profile, select the new LDAP server profile from the Server Profile drop-down.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured so that the test authentication command can locate the user (a GlobalProtect or Captive Portal user, for example) in the correct vsys. To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting applies only to the current login session, so the system clears it when you log off.
Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password
When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
  Do allow list check before sending out authentication request...
  name "User4-LDAP" is in group "all"
  Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
  Egress: 10.5.104.98
  Type of authentication: plaintext
  Starting LDAP connection...
  Succeeded to create a session with LDAP server
  parse error of dn and attributes for user "User4-LDAP"
  Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
  Authentication failed for user "User4-LDAP"
The firewall reached the server and created a session, so this is not a connectivity problem. The line parse error of dn and attributes for user "User4-LDAP" indicates a problem with the Bind DN value in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect.
To resolve this issue, modify the LDAP server profile so that the DC value in the Bind DN matches the DC value on the LDAP server. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile. In the Server settings section, enter the correct DC value in the Bind DN field; in this case, the correct value is MGMT-GROUP. Click OK to save the change.
Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User4-LDAP" is in group "all"
  Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
  Egress: 10.5.104.98
  Type of authentication: plaintext
  Starting LDAP connection...
  Succeeded to create a session with LDAP server
  DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
  User expires in days: never
  Authentication succeeded for user "User4-LDAP"
Note that Type of authentication: plaintext together with the connection to port 389 means the firewall performed a simple bind without TLS, so the bind account password and the tested user's password crossed the network unencrypted. For production use, enable the SSL/TLS secured connection option in the LDAP server profile (LDAPS, port 636) and rerun the test so that the output reflects the protected configuration.
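The fix in step 9 comes down to comparing the DC components of the profile's Bind DN with those the directory actually reports (visible in the DN sent to LDAP server line above). The following script is an added example written for this page, not PAN-OS code, and it does not talk to the firewall: it parses RFC 4514 DNs and compares their Domain Component values case-insensitively, which is the check you would otherwise do by eye. The naming context DC=MGMT-GROUP,DC=local is taken from the successful output; the service-account CN svc-panos and the wrong DC value MGMT-GRP are constructed assumptions, since the page does not show the bind account or the incorrect value.

```python
"""Check that the DC components of an LDAP server profile's Bind DN match the
directory the firewall is talking to.

Added example for this page; not PAN-OS code. Parses RFC 4514 DNs
(attribute=value pairs, backslash escapes, '+' multi-valued RDNs) and compares
Domain Component (DC) values case-insensitively.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (ATTRIBUTE, value) pairs.

    Handles backslash escapes (e.g. 'Smith\\, John') and treats '+' like ','
    so every attribute of a multi-valued RDN is returned. Raises ValueError
    on malformed input such as a component with no '='.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    attr: str | None = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character: take it literally
            i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip().upper()
            if not attr:
                raise ValueError(f"empty attribute type at offset {i}")
            buf = []
        elif c in ",+":
            if attr is None:
                raise ValueError(f"component without '=' before offset {i}")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("trailing component without '='")
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def domain_components(dn: str) -> list[str]:
    """Return the DC values of a DN in order, lower-cased (DC matching is
    case-insensitive in the directory, so MGMT-GROUP and mgmt-group are equal)."""
    return [value.lower() for attr, value in parse_dn(dn) if attr == "DC"]


def check_bind_dn(bind_dn: str, server_naming_context: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the Bind DN parses and its DC
    values equal those of the server's naming context."""
    try:
        bind_dcs = domain_components(bind_dn)
    except ValueError as exc:
        return False, f"parse error of dn: {exc}"
    server_dcs = domain_components(server_naming_context)
    if not bind_dcs:
        return False, "Bind DN carries no DC components"
    if bind_dcs != server_dcs:
        return False, (f"DC mismatch: Bind DN has DC={',DC='.join(bind_dcs)} "
                       f"but the server reports DC={',DC='.join(server_dcs)}")
    return True, "Bind DN DC values match the server naming context"


# Constructed sample values. The naming context is taken from the page's
# successful test output; the service-account CN and the wrong DC are assumed.
SERVER_NAMING_CONTEXT = "DC=MGMT-GROUP,DC=local"
WRONG_BIND_DN = "CN=svc-panos,CN=Users,DC=MGMT-GRP,DC=local"
CORRECT_BIND_DN = "CN=svc-panos,CN=Users,DC=MGMT-GROUP,DC=local"

if __name__ == "__main__":
    for label, dn in (("wrong", WRONG_BIND_DN), ("corrected", CORRECT_BIND_DN)):
        ok, reason = check_bind_dn(dn, SERVER_NAMING_CONTEXT)
        print(f"{label:9s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it as-is to see the mismatch reported for the wrong Bind DN and a pass for the corrected one; to check your own profile, replace WRONG_BIND_DN with the Bind DN from Device > Server Profiles > LDAP and SERVER_NAMING_CONTEXT with the DC portion of the DN shown in a successful test (or the directory's defaultNamingContext). Only the DC components are compared because that is the field the page identifies as the cause; a wrong CN or OU in the bind account path would still need to be verified against the directory.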