Specify the login name (Distinguished Name) for your Active Directory or OpenLDAP-based directory.

Specify the password associated with the login name (DN).

To enhance security, you can optionally update the bind password at regular intervals (also known as password rotation). To automate this process, you can use a command instead of manually updating the agent configuration. To update the bind password, update the password on the LDAP server, then enter the following command on the agent host: CloudIdAgentCLI.exe ldap_bind_password:<password> (where <password> represents the password you want to use).

If the password contains any of the following non-alphanumeric characters, use an escape character to interpret it as a literal character:`*\~;(%?.:@/$%^*()!''"

The escape character depends on the shell or programming language you use to enter the command.

For example, if you are using Powershell version 7.4.2:

For example, if the new password is `*\~;(%?.:@/$%^*()!''" and you are using Powershell version 7.4.2, enter the following command: .\CloudIdAgentCLI.exe ldap_bind_password:"``*\~;(%?.:@/$%^*()!''`""

To troubleshoot any issues, check the log file (CloudIdAgentCLIDebug.log). The log file location is the same as the installation location for the agent (C:\Program Files (x86)\Palo Alto Networks\Cloud Identity Agent.

Select the protocol the agent uses to connect to the Active Directory or OpenLDAP-based directory:

Specify the time limit (in seconds) that the agent waits when connecting to the Active Directory or OpenLDAP-based directory (default is 30, range is 1-60 seconds). If the timeout occurs, the agent attempts to connect to the next domain controller in the sequence for that domain.

Specify the time limit (in seconds) when the agent stops searching the directory (default is 15, range is 1-120 seconds).